linux-kernel.vger.kernel.org archive mirror
* [PATCH 4.4 000/241] 4.4.181-stable review
@ 2019-06-09 16:39 Greg Kroah-Hartman
  2019-06-09 16:39 ` [PATCH 4.4 001/241] x86/speculation/mds: Revert CPU buffer clear on double fault exit Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2019-06-09 16:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuah, patches,
	ben.hutchings, lkft-triage, stable

This is the start of the stable review cycle for the 4.4.181 release.
There are 241 patches in this series, all of which will be posted as
responses to this one.  If anyone has any issues with these being applied,
please let me know.

Responses should be made by Tue 11 Jun 2019 04:39:53 PM UTC.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.181-rc1.gz
or in the git tree and branch at:
	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Linux 4.4.181-rc1

Kirill Smelkov <kirr@nexedi.com>
    fuse: Add FOPEN_STREAM to use stream_open()

Kirill Smelkov <kirr@nexedi.com>
    fs: stream_open - opener for stream-like files so that read and write can run simultaneously without deadlock

Patrik Jakobsson <patrik.r.jakobsson@gmail.com>
    drm/gma500/cdv: Check vbt config bits when detecting lvds panels

Dan Carpenter <dan.carpenter@oracle.com>
    genwqe: Prevent an integer overflow in the ioctl

Paul Burton <paul.burton@mips.com>
    MIPS: pistachio: Build uImage.gz by default

Miklos Szeredi <mszeredi@redhat.com>
    fuse: fallocate: fix return with locked inode

John David Anglin <dave.anglin@bell.net>
    parisc: Use implicit space register selection for loading the coherence index of I/O pdirs

Linus Torvalds <torvalds@linux-foundation.org>
    rcu: locking and unlocking need to always be at least barriers

Paolo Abeni <pabeni@redhat.com>
    pktgen: do not sleep with the thread lock held.

Zhu Yanjun <yanjun.zhu@oracle.com>
    net: rds: fix memory leak in rds_ib_flush_mr_pool

Erez Alfasi <ereza@mellanox.com>
    net/mlx4_en: ethtool, Remove unsupported SFP EEPROM high pages query

David Ahern <dsahern@gmail.com>
    neighbor: Call __ipv4_neigh_lookup_noref in neigh_xmit

Vivien Didelot <vivien.didelot@gmail.com>
    ethtool: fix potential userspace buffer overflow

Nadav Amit <namit@vmware.com>
    media: uvcvideo: Fix uvc_alloc_entity() allocation alignment

Peter Chen <peter.chen@nxp.com>
    usb: gadget: fix request length error for isoc transfer

Bjørn Mork <bjorn@mork.no>
    net: cdc_ncm: GetNtbFormat endian fix

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Revert "x86/build: Move _etext to actual end of .text"

Oleg Nesterov <oleg@redhat.com>
    userfaultfd: don't pin the user memory in userfaultfd_file_create()

Arend van Spriel <arend.vanspriel@broadcom.com>
    brcmfmac: add subtype check for event handling in data path

Arend Van Spriel <arend.vanspriel@broadcom.com>
    brcmfmac: add length checks in scheduled scan result handler

Gavin Li <git@thegavinli.com>
    brcmfmac: fix incorrect event channel deduction

Arend van Spriel <arend@broadcom.com>
    brcmfmac: revise handling events in receive path

Franky Lin <franky.lin@broadcom.com>
    brcmfmac: screening firmware event packet

Hante Meuleman <meuleman@broadcom.com>
    brcmfmac: Add length checks on firmware events

Daniel Axtens <dja@axtens.net>
    bnx2x: disable GSO where gso_size is too big for hardware

Daniel Axtens <dja@axtens.net>
    net: create skb_gso_validate_mac_len()

Todd Kjos <tkjos@android.com>
    binder: replace "%p" with "%pK"

Ben Hutchings <ben.hutchings@codethink.co.uk>
    binder: Replace "%p" with "%pK" for stable

Roberto Bergantinos Corpas <rbergant@redhat.com>
    CIFS: cifs_read_allocate_pages: don't iterate through whole page array on ENOMEM

Zhenliang Wei <weizhenliang@huawei.com>
    kernel/signal.c: trace_signal_deliver when signal_group_exit

Jiri Slaby <jslaby@suse.cz>
    memcg: make it work on sparse non-0-node systems

Joe Burmeister <joe.burmeister@devtank.co.uk>
    tty: max310x: Fix external crystal register setup

Jorge Ramirez-Ortiz <jorge.ramirez-ortiz@linaro.org>
    tty: serial: msm_serial: Fix XON/XOFF

Lyude Paul <lyude@redhat.com>
    drm/nouveau/i2c: Disable i2c bus access after ->fini()

Kailang Yang <kailang@realtek.com>
    ALSA: hda/realtek - Set default power save node to 0

Filipe Manana <fdmanana@suse.com>
    Btrfs: fix race updating log root item during fsync

Steffen Maier <maier@linux.ibm.com>
    scsi: zfcp: fix to prevent port_remove with pure auto scan LUNs (only sdevs)

Steffen Maier <maier@linux.ibm.com>
    scsi: zfcp: fix missing zfcp_port reference put on -EBUSY from port_remove

Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
    media: smsusb: better handle optional alignment

Alan Stern <stern@rowland.harvard.edu>
    media: usb: siano: Fix false-positive "uninitialized variable" warning

Alan Stern <stern@rowland.harvard.edu>
    media: usb: siano: Fix general protection fault in smsusb

Oliver Neukum <oneukum@suse.com>
    USB: rio500: fix memory leak in close after disconnect

Oliver Neukum <oneukum@suse.com>
    USB: rio500: refuse more than one device at a time

Maximilian Luz <luzmaximilian@gmail.com>
    USB: Add LPM quirk for Surface Dock GigE adapter

Oliver Neukum <oneukum@suse.com>
    USB: sisusbvga: fix oops in error path of sisusb_probe

Alan Stern <stern@rowland.harvard.edu>
    USB: Fix slab-out-of-bounds write in usb_get_bos_descriptor

Carsten Schmid <carsten_schmid@mentor.com>
    usb: xhci: avoid null pointer deref when bos field is NULL

Andrey Smirnov <andrew.smirnov@gmail.com>
    xhci: Convert xhci_handshake() to use readl_poll_timeout_atomic()

Rasmus Villemoes <linux@rasmusvillemoes.dk>
    include/linux/bitops.h: sanitize rotate primitives

James Clarke <jrtc27@jrtc27.com>
    sparc64: Fix regression in non-hypervisor TLB flush xcall

Junwei Hu <hujunwei4@huawei.com>
    tipc: fix modprobe tipc failed after switch order of device registration -v2

David S. Miller <davem@davemloft.net>
    Revert "tipc: fix modprobe tipc failed after switch order of device registration"

Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
    xen/pciback: Don't disable PCI_COMMAND on PCI device reset.

Daniel Axtens <dja@axtens.net>
    crypto: vmx - ghash: do nosimd fallback manually

Antoine Tenart <antoine.tenart@bootlin.com>
    net: mvpp2: fix bad MVPP2_TXQ_SCHED_TOKEN_CNTR_REG queue value

Michael Chan <michael.chan@broadcom.com>
    bnxt_en: Fix aggregation buffer leak under OOM condition.

Chris Packham <chris.packham@alliedtelesis.co.nz>
    tipc: Avoid copying bytes beyond the supplied data

Kloetzke Jan <Jan.Kloetzke@preh.de>
    usbnet: fix kernel crash after disconnect

Jisheng Zhang <Jisheng.Zhang@synaptics.com>
    net: stmmac: fix reset gpio free missing

Eric Dumazet <edumazet@google.com>
    net-gro: fix use-after-free read in napi_gro_frags()

Eric Dumazet <edumazet@google.com>
    llc: fix skb leak in llc_build_and_send_ui_pkt()

Mike Manning <mmanning@vyatta.att-mail.com>
    ipv6: Consider sk_bound_dev_if when binding a raw socket to an address

Arnd Bergmann <arnd@arndb.de>
    ASoC: davinci-mcasp: Fix clang warning without CONFIG_PM

Chris Lesiak <chris.lesiak@licor.com>
    spi: Fix zero length xfer bug

Geert Uytterhoeven <geert+renesas@glider.be>
    spi: rspi: Fix sequencer reset during initialization

Aditya Pakki <pakki001@umn.edu>
    spi: spi-topcliff-pch: Fix to handle empty DMA buffers

James Smart <jsmart2021@gmail.com>
    scsi: lpfc: Fix SLI3 commands being issued on SLI4 devices

Arnd Bergmann <arnd@arndb.de>
    media: saa7146: avoid high stack usage with clang

Arnd Bergmann <arnd@arndb.de>
    media: go7007: avoid clang frame overflow warning with KASAN

James Hutchinson <jahutchinson99@googlemail.com>
    media: m88ds3103: serialize reset messages in m88ds3103_set_frontend

Arnd Bergmann <arnd@arndb.de>
    scsi: qla4xxx: avoid freeing unallocated dma memory

Tony Lindgren <tony@atomide.com>
    usb: core: Add PM runtime calls to usb_hcd_platform_shutdown

Paul E. McKenney <paulmck@linux.ibm.com>
    rcutorture: Fix cleanup path for invalid torture_type strings

Kangjie Lu <kjlu@umn.edu>
    tty: ipwireless: fix missing checks for ioremap

Pankaj Gupta <pagupta@redhat.com>
    virtio_console: initialize vtermno value for ports

Dan Carpenter <dan.carpenter@oracle.com>
    media: wl128x: prevent two potential buffer overflows

Sowjanya Komatineni <skomatineni@nvidia.com>
    spi: tegra114: reset controller on probe

Gustavo A. R. Silva <gustavo@embeddedor.com>
    cxgb3/l2t: Fix undefined behaviour

Wen Yang <wen.yang99@zte.com.cn>
    ASoC: fsl_utils: fix a leaked reference by adding missing of_node_put

Wen Yang <wen.yang99@zte.com.cn>
    ASoC: eukrea-tlv320: fix a leaked reference by adding missing of_node_put

Nicolas Saenz Julienne <nsaenzjulienne@suse.de>
    HID: core: move Usage Page concatenation to Main item

Chengguang Xu <cgxu519@gmx.com>
    chardev: add additional check for minor range overlap

Peter Zijlstra <peterz@infradead.org>
    x86/ia32: Fix ia32_restore_sigcontext() AC leak

Wen Yang <wen.yang99@zte.com.cn>
    arm64: cpu_ops: fix a leaked reference by adding missing of_node_put

Stanley Chu <stanley.chu@mediatek.com>
    scsi: ufs: Avoid configuring regulator with undefined voltage range

Stanley Chu <stanley.chu@mediatek.com>
    scsi: ufs: Fix regulator load and icc-level configuration

Piotr Figiel <p.figiel@camlintechnologies.com>
    brcmfmac: fix race during disconnect when USB completion is in progress

Piotr Figiel <p.figiel@camlintechnologies.com>
    brcmfmac: convert dev_init_lock mutex to completion

Arnd Bergmann <arnd@arndb.de>
    b43: shut up clang -Wuninitialized variable warning

Kangjie Lu <kjlu@umn.edu>
    brcmfmac: fix missing checks for kmemdup

Kangjie Lu <kjlu@umn.edu>
    rtlwifi: fix a potential NULL pointer dereference

Nathan Chancellor <natechancellor@gmail.com>
    iio: common: ssp_sensors: Initialize calculated_time in ssp_common_process_data

Kangjie Lu <kjlu@umn.edu>
    iio: hmc5843: fix potential NULL pointer dereferences

Lars-Peter Clausen <lars@metafoo.de>
    iio: ad_sigma_delta: Properly handle SPI bus locking vs CS assertion

Kees Cook <keescook@chromium.org>
    x86/build: Keep local relocations with ld.lld

Wen Yang <wen.yang99@zte.com.cn>
    cpufreq: pmac32: fix possible object reference leak

Wen Yang <wen.yang99@zte.com.cn>
    cpufreq/pasemi: fix possible object reference leak

Wen Yang <wen.yang99@zte.com.cn>
    cpufreq: ppc_cbe: fix possible object reference leak

Arnd Bergmann <arnd@arndb.de>
    s390: cio: fix cio_irb declaration

Charles Keepax <ckeepax@opensource.cirrus.com>
    extcon: arizona: Disable mic detect if running when driver is removed

Ulf Hansson <ulf.hansson@linaro.org>
    PM / core: Propagate dev->power.wakeup_path when no callbacks

Yinbo Zhu <yinbo.zhu@nxp.com>
    mmc: sdhci-of-esdhc: add erratum eSDHC-A001 and A-008358 support

Yinbo Zhu <yinbo.zhu@nxp.com>
    mmc: sdhci-of-esdhc: add erratum eSDHC5 support

Kangjie Lu <kjlu@umn.edu>
    mmc_spi: add a status check for spi_sync_locked

John Garry <john.garry@huawei.com>
    scsi: libsas: Do discovery on empty PHY to update PHY info

Guenter Roeck <linux@roeck-us.net>
    hwmon: (f71805f) Use request_muxed_region for Super-IO accesses

Guenter Roeck <linux@roeck-us.net>
    hwmon: (pc87427) Use request_muxed_region for Super-IO accesses

Guenter Roeck <linux@roeck-us.net>
    hwmon: (smsc47b397) Use request_muxed_region for Super-IO accesses

Guenter Roeck <linux@roeck-us.net>
    hwmon: (smsc47m1) Use request_muxed_region for Super-IO accesses

Guenter Roeck <linux@roeck-us.net>
    hwmon: (vt1211) Use request_muxed_region for Super-IO accesses

Colin Ian King <colin.king@canonical.com>
    RDMA/cxgb4: Fix null pointer dereference on alloc_skb failure

Nicholas Nunley <nicholas.d.nunley@intel.com>
    i40e: don't allow changes to HW VLAN stripping on active port VLANs

Thomas Gleixner <tglx@linutronix.de>
    x86/irq/64: Limit IST stack overflow check to #DB stack

Alan Stern <stern@rowland.harvard.edu>
    USB: core: Don't unbind interfaces following device reset failure

Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
    sched/core: Handle overflow in cpu_shares_write_u64

Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
    sched/core: Check quota and period overflow at usec to nsec conversion

Nathan Lynch <nathanl@linux.ibm.com>
    powerpc/numa: improve control of topology updates

Dan Carpenter <dan.carpenter@oracle.com>
    media: pvrusb2: Prevent a buffer overflow

Shuah Khan <shuah@kernel.org>
    media: au0828: Fix NULL pointer dereference in au0828_analog_stream_enable()

Wenwen Wang <wang6495@umn.edu>
    audit: fix a memory leak bug

Akinobu Mita <akinobu.mita@gmail.com>
    media: ov2659: make S_FMT succeed even if requested format doesn't match

Hans Verkuil <hverkuil@xs4all.nl>
    media: au0828: stop video streaming only when last user stops

Janusz Krzysztofik <jmkrzyszt@gmail.com>
    media: ov6650: Move v4l2_clk_get() to ov6650_video_probe() helper

Philipp Zabel <p.zabel@pengutronix.de>
    media: coda: clear error return value before picture run

Nicolas Ferre <nicolas.ferre@microchip.com>
    dmaengine: at_xdmac: remove BUG_ON macro in tasklet

Wen Yang <wen.yang99@zte.com.cn>
    pinctrl: pistachio: fix leaked of_node references

Hans de Goede <hdegoede@redhat.com>
    HID: logitech-hidpp: use RAP instead of FAP to get the protocol version

Peter Zijlstra <peterz@infradead.org>
    mm/uaccess: Use 'unsigned long' to placate UBSAN warnings on older GCC versions

Jiri Kosina <jkosina@suse.cz>
    x86/mm: Remove in_nmi() warning from 64-bit implementation of vmalloc_fault()

Sebastian Andrzej Siewior <bigeasy@linutronix.de>
    smpboot: Place the __percpu annotation correctly

Kees Cook <keescook@chromium.org>
    x86/build: Move _etext to actual end of .text

Arnd Bergmann <arnd@arndb.de>
    bcache: avoid clang -Wuninitialized warning

Coly Li <colyli@suse.de>
    bcache: add failure check to run_cache_set() for journal replay

Tang Junhui <tang.junhui.linux@gmail.com>
    bcache: fix failure in journal replay

Coly Li <colyli@suse.de>
    bcache: return error immediately in bch_journal_replay()

Kangjie Lu <kjlu@umn.edu>
    net: cw1200: fix a NULL pointer dereference

Dan Carpenter <dan.carpenter@oracle.com>
    mwifiex: prevent an array overflow

Daniel Baluta <daniel.baluta@nxp.com>
    ASoC: fsl_sai: Update is_slave_mode with correct value

Sergey Matyukevich <sergey.matyukevich.os@quantenna.com>
    mac80211/cfg80211: update bss channel on channel switch

Sugar Zhang <sugar.zhang@rock-chips.com>
    dmaengine: pl330: _stop: clear interrupt status

Mariusz Bialonczyk <manio@skyboo.net>
    w1: fix the resume command API

Sven Van Asbroeck <thesven73@gmail.com>
    rtc: 88pm860x: prevent use-after-free on device remove

Dan Carpenter <dan.carpenter@oracle.com>
    brcm80211: potential NULL dereference in brcmf_cfg80211_vndr_cmds_dcmd_handler()

Flavio Suligoi <f.suligoi@asem.it>
    spi: pxa2xx: fix SCR (divisor) calculation

Arnd Bergmann <arnd@arndb.de>
    ASoC: imx: fix fiq dependencies

Bo YU <tsu.yubo@gmail.com>
    powerpc/boot: Fix missing check of lseek() return value

Raul E Rangel <rrangel@chromium.org>
    mmc: core: Verify SD bus width

YueHaibing <yuehaibing@huawei.com>
    cxgb4: Fix error path in cxgb4_init_module

Ross Lagerwall <ross.lagerwall@citrix.com>
    gfs2: Fix lru_count going negative

Arnaldo Carvalho de Melo <acme@redhat.com>
    tools include: Adopt linux/bits.h

Arnaldo Carvalho de Melo <acme@redhat.com>
    perf tools: No need to include bitops.h in util.h

YueHaibing <yuehaibing@huawei.com>
    at76c50x-usb: Don't register led_trigger if usb_register_driver failed

YueHaibing <yuehaibing@huawei.com>
    ssb: Fix possible NULL pointer dereference in ssb_host_pcmcia_exit

Alexander Potapenko <glider@google.com>
    media: vivid: use vfree() instead of kfree() for dev->bitmap_cap

YueHaibing <yuehaibing@huawei.com>
    media: cpia2: Fix use-after-free in cpia2_exit

Jiufei Xue <jiufei.xue@linux.alibaba.com>
    fbdev: fix WARNING in __alloc_pages_nodemask bug

Mike Kravetz <mike.kravetz@oracle.com>
    hugetlb: use same fault hash key for shared and private mappings

Shile Zhang <shile.zhang@linux.alibaba.com>
    fbdev: fix divide error in fb_var_to_videomode

Tobin C. Harding <tobin@kernel.org>
    btrfs: sysfs: don't leak memory when failing add fsid

Filipe Manana <fdmanana@suse.com>
    Btrfs: fix race between ranged fsync and writeback of adjacent ranges

Andreas Gruenbacher <agruenba@redhat.com>
    gfs2: Fix sign extension bug in gfs2_update_stats

Daniel Axtens <dja@axtens.net>
    crypto: vmx - CTR: always increment IV as quadword

Martin K. Petersen <martin.petersen@oracle.com>
    Revert "scsi: sd: Keep disk read-only when re-reading partition"

Andrea Parri <andrea.parri@amarulasolutions.com>
    bio: fix improper use of smp_mb__before_atomic()

Paolo Bonzini <pbonzini@redhat.com>
    KVM: x86: fix return value for reserved EFER

Jan Kara <jack@suse.cz>
    ext4: do not delete unlinked inode from orphan list on failed truncate

Yifeng Li <tomli@tomli.me>
    fbdev: sm712fb: fix memory frequency by avoiding a switch/case fallthrough

Nikolay Borisov <nborisov@suse.com>
    btrfs: Honour FITRIM range constraints during free space trim

Nigel Croxon <ncroxon@redhat.com>
    md/raid: raid5 preserve the writeback action after the parity check

Song Liu <songliubraving@fb.com>
    Revert "Don't jump to compute_result state from check_result state"

Arnaldo Carvalho de Melo <acme@redhat.com>
    perf bench numa: Add define for RUSAGE_THREAD if not present

Al Viro <viro@zeniv.linux.org.uk>
    ufs: fix braino in ufs_get_inode_gid() for solaris UFS flavour

Andrey Smirnov <andrew.smirnov@gmail.com>
    power: supply: sysfs: prevent endless uevent loop with CONFIG_POWER_SUPPLY_DEBUG

Andrew Jones <drjones@redhat.com>
    KVM: arm/arm64: Ensure vcpu target is unset on reset failure

Steffen Klassert <steffen.klassert@secunet.com>
    xfrm4: Fix uninitialized memory read in _decode_session4

Jeremy Sowden <jeremy@azazel.net>
    vti4: ipip tunnel deregistration fixes.

Su Yanjun <suyj.fnst@cn.fujitsu.com>
    xfrm6_tunnel: Fix potential panic when unloading xfrm6_tunnel module

YueHaibing <yuehaibing@huawei.com>
    xfrm: policy: Fix out-of-bound array accesses in __xfrm_policy_unlink

Mikulas Patocka <mpatocka@redhat.com>
    dm delay: fix a crash when invalid device is specified

James Prestwood <james.prestwood@linux.intel.com>
    PCI: Mark Atheros AR9462 to avoid bus reset

Yifeng Li <tomli@tomli.me>
    fbdev: sm712fb: fix crashes and garbled display during DPMS modesetting

Yifeng Li <tomli@tomli.me>
    fbdev: sm712fb: use 1024x768 by default on non-MIPS, fix garbled display

Yifeng Li <tomli@tomli.me>
    fbdev: sm712fb: fix support for 1024x768-16 mode

Yifeng Li <tomli@tomli.me>
    fbdev: sm712fb: fix crashes during framebuffer writes by correctly mapping VRAM

Yifeng Li <tomli@tomli.me>
    fbdev: sm712fb: fix boot screen glitch when sm712fb replaces VGA

Yifeng Li <tomli@tomli.me>
    fbdev: sm712fb: fix white screen of death on reboot, don't set CR3B-CR3F

Yifeng Li <tomli@tomli.me>
    fbdev: sm712fb: fix VRAM detection, don't set SR70/71/74/75

Yifeng Li <tomli@tomli.me>
    fbdev: sm712fb: fix brightness control on reboot, don't set SR30

Adrian Hunter <adrian.hunter@intel.com>
    perf intel-pt: Fix sample timestamp wrt non-taken branches

Adrian Hunter <adrian.hunter@intel.com>
    perf intel-pt: Fix improved sample timestamp

Adrian Hunter <adrian.hunter@intel.com>
    perf intel-pt: Fix instructions sampling rate

Dmitry Osipenko <digetx@gmail.com>
    memory: tegra: Fix integer overflow on tick value calculation

Elazar Leibovich <elazar@lightbitslabs.com>
    tracing: Fix partial reading of trace event's id file

Jeff Layton <jlayton@kernel.org>
    ceph: flush dirty inodes before proceeding with remount

Dmitry Osipenko <digetx@gmail.com>
    iommu/tegra-smmu: Fix invalid ASID bits on Tegra30/114

Liu Bo <bo.liu@linux.alibaba.com>
    fuse: honor RLIMIT_FSIZE in fuse_file_fallocate

Miklos Szeredi <mszeredi@redhat.com>
    fuse: fix writepages on 32bit

Dmitry Osipenko <digetx@gmail.com>
    clk: tegra: Fix PLLM programming on Tegra124+ when PMC overrides divider

ZhangXiaoxu <zhangxiaoxu5@huawei.com>
    NFS4: Fix v4.0 client state corruption when mount

Janusz Krzysztofik <jmkrzyszt@gmail.com>
    media: ov6650: Fix sensor possibly not detected on probe

Christoph Probst <kernel@probst.it>
    cifs: fix strcat buffer overflow and reduce raciness in smb21_set_oplock_level()

Phong Tran <tranmanphong@gmail.com>
    of: fix clang -Wunsequenced for be32_to_cpu()

Alexander Shishkin <alexander.shishkin@linux.intel.com>
    intel_th: msu: Fix single mode with IOMMU

Yufen Yu <yuyufen@huawei.com>
    md: add mddev->pers to avoid potential NULL pointer dereference

Tingwei Zhang <tingwei@codeaurora.org>
    stm class: Fix channel free in stm output free path

Junwei Hu <hujunwei4@huawei.com>
    tipc: fix modprobe tipc failed after switch order of device registration

Junwei Hu <hujunwei4@huawei.com>
    tipc: switch order of device registration to fix a crash

YueHaibing <yuehaibing@huawei.com>
    ppp: deflate: Fix possible crash in deflate_init

Yunjian Wang <wangyunjian@huawei.com>
    net/mlx4_core: Change the error print to info print

Eric Dumazet <edumazet@google.com>
    net: avoid weird emergency message

Sean Christopherson <sean.j.christopherson@intel.com>
    KVM: x86: Skip EFER vs. guest CPUID checks for host-initiated writes

Michał Wadowski <wadosm@gmail.com>
    ALSA: hda/realtek - Fix for Lenovo B50-70 inverted internal microphone bug

Sriram Rajagopalan <sriramr@arista.com>
    ext4: zero out the unused memory region in the extent tree block

Jiufei Xue <jiufei.xue@linux.alibaba.com>
    fs/writeback.c: use rcu_barrier() to wait for inflight wb switches going into workqueue when umount

Tejun Heo <tj@kernel.org>
    writeback: synchronize sync(2) against cgroup writeback membership switches

Eric Biggers <ebiggers@google.com>
    crypto: arm/aes-neonbs - don't access already-freed walk.iv

Eric Biggers <ebiggers@google.com>
    crypto: salsa20 - don't access already-freed walk.iv

Eric Biggers <ebiggers@google.com>
    crypto: chacha20poly1305 - set cra_name correctly

Eric Biggers <ebiggers@google.com>
    crypto: gcm - fix incompatibility between "gcm" and "gcm_base"

Wei Yongjun <weiyongjun1@huawei.com>
    crypto: gcm - Fix error return code in crypto_gcm_create_common()

Kamlakant Patel <kamlakantp@marvell.com>
    ipmi:ssif: compare block number correctly for multi-part return messages

Coly Li <colyli@suse.de>
    bcache: never set KEY_PTRS of journal key to 0 in journal_reclaim()

Liang Chen <liangchen.linux@gmail.com>
    bcache: fix a race between cache register and cacheset unregister

Filipe Manana <fdmanana@suse.com>
    Btrfs: do not start a transaction at iterate_extent_inodes()

Debabrata Banerjee <dbanerje@akamai.com>
    ext4: fix ext4_show_options for file systems w/o journal

Kirill Tkhai <ktkhai@virtuozzo.com>
    ext4: actually request zeroing of inode table after grow

Sergei Trofimovich <slyfox@gentoo.org>
    tty/vt: fix write/write race in ioctl(KDSKBSENT) handler

Steve Twiss <stwiss.opensource@diasemi.com>
    mfd: da9063: Fix OTP control register names to match datasheets for DA9063/63L

Shuning Zhang <sunny.s.zhang@oracle.com>
    ocfs2: fix ocfs2 read inode data panic in ocfs2_iget

Jiri Kosina <jkosina@suse.cz>
    mm/mincore.c: make mincore() more conservative

Curtis Malainey <cujomalainey@chromium.org>
    ASoC: RT5677-SPI: Disable 16Bit SPI Transfers

Jon Hunter <jonathanh@nvidia.com>
    ASoC: max98090: Fix restore of DAPM Muxes

Kailang Yang <kailang@realtek.com>
    ALSA: hda/realtek - EAPD turn on later

Hui Wang <hui.wang@canonical.com>
    ALSA: hda/hdmi - Consider eld_valid when reporting jack event

Wenwen Wang <wang6495@umn.edu>
    ALSA: usb-audio: Fix a memory leak bug

Eric Biggers <ebiggers@google.com>
    crypto: x86/crct10dif-pcl - fix use via crypto_shash_digest()

Eric Biggers <ebiggers@google.com>
    crypto: crct10dif-generic - fix use via crypto_shash_digest()

Daniel Axtens <dja@axtens.net>
    crypto: vmx - fix copy-paste error in CTR mode

Wen Yang <wen.yang99@zte.com.cn>
    ARM: exynos: Fix a leaked reference by adding missing of_node_put

Andy Lutomirski <luto@kernel.org>
    x86/speculation/mds: Improve CPU buffer clear documentation

Andy Lutomirski <luto@kernel.org>
    x86/speculation/mds: Revert CPU buffer clear on double fault exit


-------------

Diffstat:

 Documentation/x86/mds.rst                          |  44 +--
 Makefile                                           |   4 +-
 arch/arm/crypto/aesbs-glue.c                       |   4 +
 arch/arm/kvm/arm.c                                 |  11 +-
 arch/arm/mach-exynos/firmware.c                    |   1 +
 arch/arm/mach-exynos/suspend.c                     |   2 +
 arch/arm64/kernel/cpu_ops.c                        |   1 +
 arch/mips/pistachio/Platform                       |   1 +
 arch/powerpc/boot/addnote.c                        |   6 +-
 arch/powerpc/mm/numa.c                             |  18 +-
 arch/sparc/mm/ultra.S                              |   4 +-
 arch/x86/Makefile                                  |   2 +-
 arch/x86/crypto/crct10dif-pclmul_glue.c            |  13 +-
 arch/x86/ia32/ia32_signal.c                        |  29 +-
 arch/x86/kernel/irq_64.c                           |  19 +-
 arch/x86/kernel/traps.c                            |   8 -
 arch/x86/kvm/x86.c                                 |  31 +-
 arch/x86/mm/fault.c                                |   2 -
 crypto/chacha20poly1305.c                          |   4 +-
 crypto/crct10dif_generic.c                         |  11 +-
 crypto/gcm.c                                       |  36 +-
 crypto/salsa20_generic.c                           |   2 +-
 drivers/android/binder.c                           |  36 +-
 drivers/base/power/main.c                          |   4 +
 drivers/char/ipmi/ipmi_ssif.c                      |   6 +-
 drivers/char/virtio_console.c                      |   3 +-
 drivers/clk/tegra/clk-pll.c                        |   4 +-
 drivers/cpufreq/pasemi-cpufreq.c                   |   1 +
 drivers/cpufreq/pmac32-cpufreq.c                   |   2 +
 drivers/cpufreq/ppc_cbe_cpufreq.c                  |   1 +
 drivers/crypto/vmx/aesp8-ppc.pl                    |   6 +-
 drivers/crypto/vmx/ghash.c                         | 218 +++++--------
 drivers/dma/at_xdmac.c                             |   6 +-
 drivers/dma/pl330.c                                |  10 +-
 drivers/extcon/extcon-arizona.c                    |  10 +
 drivers/gpu/drm/gma500/cdv_intel_lvds.c            |   3 +
 drivers/gpu/drm/gma500/intel_bios.c                |   3 +
 drivers/gpu/drm/gma500/psb_drv.h                   |   1 +
 drivers/gpu/drm/nouveau/include/nvkm/subdev/i2c.h  |   2 +
 drivers/gpu/drm/nouveau/nvkm/subdev/i2c/aux.c      |  26 +-
 drivers/gpu/drm/nouveau/nvkm/subdev/i2c/aux.h      |   2 +
 drivers/gpu/drm/nouveau/nvkm/subdev/i2c/base.c     |  15 +
 drivers/gpu/drm/nouveau/nvkm/subdev/i2c/bus.c      |  21 +-
 drivers/gpu/drm/nouveau/nvkm/subdev/i2c/bus.h      |   1 +
 drivers/hid/hid-core.c                             |  36 +-
 drivers/hid/hid-logitech-hidpp.c                   |  17 +-
 drivers/hwmon/f71805f.c                            |  15 +-
 drivers/hwmon/pc87427.c                            |  14 +-
 drivers/hwmon/smsc47b397.c                         |  13 +-
 drivers/hwmon/smsc47m1.c                           |  28 +-
 drivers/hwmon/vt1211.c                             |  15 +-
 drivers/hwtracing/intel_th/msu.c                   |  35 +-
 drivers/hwtracing/stm/core.c                       |   2 +-
 drivers/iio/adc/ad_sigma_delta.c                   |  16 +-
 drivers/iio/common/ssp_sensors/ssp_iio.c           |   2 +-
 drivers/infiniband/hw/cxgb4/cm.c                   |   2 +
 drivers/iommu/tegra-smmu.c                         |  25 +-
 drivers/md/bcache/alloc.c                          |   5 +-
 drivers/md/bcache/journal.c                        |  37 ++-
 drivers/md/bcache/super.c                          |  19 +-
 drivers/md/dm-delay.c                              |   3 +-
 drivers/md/md.c                                    |   6 +-
 drivers/md/raid5.c                                 |  29 +-
 drivers/media/dvb-frontends/m88ds3103.c            |   9 +-
 drivers/media/i2c/ov2659.c                         |   6 +-
 drivers/media/i2c/soc_camera/ov6650.c              |  27 +-
 drivers/media/pci/saa7146/hexium_gemini.c          |   5 +-
 drivers/media/pci/saa7146/hexium_orion.c           |   5 +-
 drivers/media/platform/coda/coda-bit.c             |   3 +
 drivers/media/platform/vivid/vivid-vid-cap.c       |   2 +-
 drivers/media/radio/wl128x/fmdrv_common.c          |   7 +-
 drivers/media/usb/au0828/au0828-video.c            |  16 +-
 drivers/media/usb/cpia2/cpia2_v4l.c                |   3 +-
 drivers/media/usb/go7007/go7007-fw.c               |   4 +-
 drivers/media/usb/pvrusb2/pvrusb2-hdw.c            |   2 +
 drivers/media/usb/pvrusb2/pvrusb2-hdw.h            |   1 +
 drivers/media/usb/siano/smsusb.c                   |  33 +-
 drivers/media/usb/uvc/uvc_driver.c                 |   2 +-
 drivers/memory/tegra/mc.c                          |   2 +-
 drivers/misc/genwqe/card_dev.c                     |   2 +
 drivers/misc/genwqe/card_utils.c                   |   4 +
 drivers/mmc/core/sd.c                              |   8 +
 drivers/mmc/host/mmc_spi.c                         |   4 +
 drivers/mmc/host/sdhci-of-esdhc.c                  |   5 +
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c   |  18 +
 drivers/net/ethernet/broadcom/bnxt/bnxt.c          |   2 +
 drivers/net/ethernet/chelsio/cxgb3/l2t.h           |   2 +-
 drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c    |  15 +-
 drivers/net/ethernet/intel/i40e/i40e_main.c        |   8 +
 drivers/net/ethernet/marvell/mvpp2.c               |  10 +-
 drivers/net/ethernet/mellanox/mlx4/en_ethtool.c    |   4 +-
 drivers/net/ethernet/mellanox/mlx4/mcg.c           |   2 +-
 drivers/net/ethernet/mellanox/mlx4/port.c          |   5 -
 drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c  |   3 +-
 drivers/net/ppp/ppp_deflate.c                      |  20 +-
 drivers/net/usb/cdc_ncm.c                          |   4 +-
 drivers/net/usb/usbnet.c                           |   6 +
 drivers/net/wireless/at76c50x-usb.c                |   4 +-
 drivers/net/wireless/b43/phy_lp.c                  |   6 +-
 drivers/net/wireless/brcm80211/brcmfmac/bus.h      |   4 +-
 drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c |  23 +-
 drivers/net/wireless/brcm80211/brcmfmac/core.c     |  45 ++-
 drivers/net/wireless/brcm80211/brcmfmac/fweh.c     |  57 +---
 drivers/net/wireless/brcm80211/brcmfmac/fweh.h     |  82 ++++-
 drivers/net/wireless/brcm80211/brcmfmac/msgbuf.c   |  42 ++-
 drivers/net/wireless/brcm80211/brcmfmac/p2p.c      |  10 +
 drivers/net/wireless/brcm80211/brcmfmac/sdio.c     |  32 +-
 drivers/net/wireless/brcm80211/brcmfmac/usb.c      |  29 +-
 drivers/net/wireless/brcm80211/brcmfmac/vendor.c   |   5 +-
 drivers/net/wireless/cw1200/main.c                 |   5 +
 drivers/net/wireless/mwifiex/cfp.c                 |   3 +
 drivers/net/wireless/realtek/rtlwifi/base.c        |   5 +
 drivers/parisc/ccio-dma.c                          |   4 +-
 drivers/parisc/sba_iommu.c                         |   3 +-
 drivers/pci/quirks.c                               |   1 +
 drivers/pinctrl/pinctrl-pistachio.c                |   2 +
 drivers/power/power_supply_sysfs.c                 |   6 -
 drivers/rtc/rtc-88pm860x.c                         |   2 +-
 drivers/s390/cio/cio.h                             |   2 +-
 drivers/s390/scsi/zfcp_ext.h                       |   1 +
 drivers/s390/scsi/zfcp_scsi.c                      |   9 +
 drivers/s390/scsi/zfcp_sysfs.c                     |  55 +++-
 drivers/s390/scsi/zfcp_unit.c                      |   8 +-
 drivers/scsi/libsas/sas_expander.c                 |   5 +
 drivers/scsi/lpfc/lpfc_hbadisc.c                   |  11 +-
 drivers/scsi/qla4xxx/ql4_os.c                      |   2 +-
 drivers/scsi/sd.c                                  |   3 +-
 drivers/scsi/ufs/ufshcd.c                          |  28 +-
 drivers/spi/spi-pxa2xx.c                           |   8 +-
 drivers/spi/spi-rspi.c                             |   9 +-
 drivers/spi/spi-tegra114.c                         |  32 +-
 drivers/spi/spi-topcliff-pch.c                     |  15 +-
 drivers/spi/spi.c                                  |   2 +
 drivers/ssb/bridge_pcmcia_80211.c                  |   9 +-
 drivers/staging/iio/magnetometer/hmc5843_i2c.c     |   7 +-
 drivers/staging/iio/magnetometer/hmc5843_spi.c     |   7 +-
 drivers/tty/ipwireless/main.c                      |   8 +
 drivers/tty/serial/max310x.c                       |   2 +-
 drivers/tty/serial/msm_serial.c                    |   5 +-
 drivers/tty/vt/keyboard.c                          |  33 +-
 drivers/usb/core/config.c                          |   4 +-
 drivers/usb/core/hcd.c                             |   3 +
 drivers/usb/core/hub.c                             |   5 +-
 drivers/usb/core/quirks.c                          |   3 +
 drivers/usb/host/xhci.c                            |  24 +-
 drivers/usb/misc/rio500.c                          |  41 ++-
 drivers/usb/misc/sisusbvga/sisusb.c                |  15 +-
 drivers/video/fbdev/core/fbcmap.c                  |   2 +
 drivers/video/fbdev/core/modedb.c                  |   3 +
 drivers/video/fbdev/sm712.h                        |  12 +-
 drivers/video/fbdev/sm712fb.c                      | 243 +++++++++++---
 drivers/w1/w1_io.c                                 |   3 +-
 drivers/xen/xen-pciback/pciback_ops.c              |   2 -
 drivers/xen/xenbus/xenbus_dev_frontend.c           |   2 +-
 fs/btrfs/backref.c                                 |  18 +-
 fs/btrfs/extent-tree.c                             |  25 +-
 fs/btrfs/file.c                                    |  12 +
 fs/btrfs/sysfs.c                                   |   7 +-
 fs/btrfs/tree-log.c                                |   8 +-
 fs/ceph/super.c                                    |   7 +
 fs/char_dev.c                                      |   6 +
 fs/cifs/file.c                                     |   4 +-
 fs/cifs/smb2ops.c                                  |  14 +-
 fs/ext4/extents.c                                  |  17 +-
 fs/ext4/inode.c                                    |   2 +-
 fs/ext4/ioctl.c                                    |   2 +-
 fs/ext4/super.c                                    |   2 +-
 fs/fs-writeback.c                                  |  51 ++-
 fs/fuse/file.c                                     |  13 +-
 fs/gfs2/glock.c                                    |  22 +-
 fs/gfs2/lock_dlm.c                                 |   9 +-
 fs/hugetlbfs/inode.c                               |   8 +-
 fs/nfs/nfs4state.c                                 |   4 +
 fs/ocfs2/export.c                                  |  30 +-
 fs/open.c                                          |  18 +
 fs/read_write.c                                    |   5 +-
 fs/ufs/util.h                                      |   2 +-
 fs/userfaultfd.c                                   |  41 ++-
 include/linux/backing-dev-defs.h                   |   1 +
 include/linux/bio.h                                |   2 +-
 include/linux/bitops.h                             |  16 +-
 include/linux/fs.h                                 |   4 +
 include/linux/hid.h                                |   1 +
 include/linux/hugetlb.h                            |   4 +-
 include/linux/iio/adc/ad_sigma_delta.h             |   1 +
 include/linux/list_lru.h                           |   1 +
 include/linux/mfd/da9063/registers.h               |   6 +-
 include/linux/of.h                                 |   4 +-
 include/linux/rcupdate.h                           |   6 +-
 include/linux/sched.h                              |   7 +-
 include/linux/skbuff.h                             |  30 ++
 include/linux/smpboot.h                            |   2 +-
 include/linux/usb/gadget.h                         |   4 +-
 include/uapi/linux/fuse.h                          |   2 +
 include/uapi/linux/tipc_config.h                   |  10 +-
 kernel/auditfilter.c                               |  12 +-
 kernel/rcu/rcutorture.c                            |   5 +
 kernel/sched/core.c                                |   9 +-
 kernel/signal.c                                    |   2 +
 kernel/trace/trace_events.c                        |   3 -
 lib/strncpy_from_user.c                            |   5 +-
 lib/strnlen_user.c                                 |   4 +-
 mm/backing-dev.c                                   |   1 +
 mm/hugetlb.c                                       |  19 +-
 mm/list_lru.c                                      |   8 +-
 mm/mincore.c                                       |  23 +-
 net/core/dev.c                                     |   4 +-
 net/core/ethtool.c                                 |   5 +-
 net/core/neighbour.c                               |   9 +-
 net/core/pktgen.c                                  |  11 +
 net/ipv4/ip_vti.c                                  |   5 +-
 net/ipv4/xfrm4_policy.c                            |  24 +-
 net/ipv6/raw.c                                     |   2 +
 net/ipv6/xfrm6_tunnel.c                            |   4 +
 net/llc/llc_output.c                               |   2 +
 net/mac80211/mlme.c                                |   3 -
 net/rds/ib_rdma.c                                  |  10 +-
 net/sched/sch_tbf.c                                |  10 -
 net/tipc/core.c                                    |  32 +-
 net/tipc/subscr.c                                  |  14 +-
 net/tipc/subscr.h                                  |   5 +-
 net/wireless/nl80211.c                             |   5 +
 net/xfrm/xfrm_user.c                               |   2 +-
 scripts/coccinelle/api/stream_open.cocci           | 363 +++++++++++++++++++++
 sound/pci/hda/patch_hdmi.c                         |   6 +-
 sound/pci/hda/patch_realtek.c                      |   7 +-
 sound/soc/codecs/max98090.c                        |  12 +-
 sound/soc/codecs/rt5677-spi.c                      |  35 +-
 sound/soc/davinci/davinci-mcasp.c                  |   2 +
 sound/soc/fsl/Kconfig                              |   9 +-
 sound/soc/fsl/eukrea-tlv320.c                      |   4 +-
 sound/soc/fsl/fsl_sai.c                            |   2 +
 sound/soc/fsl/fsl_utils.c                          |   1 +
 sound/usb/mixer.c                                  |   2 +
 tools/include/linux/bitops.h                       |   7 +-
 tools/include/linux/bits.h                         |  26 ++
 tools/perf/bench/numa.c                            |   4 +
 .../perf/util/intel-pt-decoder/intel-pt-decoder.c  |  31 +-
 tools/perf/util/string.c                           |   1 +
 tools/perf/util/util.h                             |   1 -
 240 files changed, 2424 insertions(+), 950 deletions(-)



^ permalink raw reply	[flat|nested] 250+ messages in thread

* [PATCH 4.4 001/241] x86/speculation/mds: Revert CPU buffer clear on double fault exit
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
@ 2019-06-09 16:39 ` Greg Kroah-Hartman
  2019-06-09 16:39 ` [PATCH 4.4 002/241] x86/speculation/mds: Improve CPU buffer clear documentation Greg Kroah-Hartman
                   ` (244 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andy Lutomirski, Borislav Petkov,
	Frederic Weisbecker, Jon Masters, Linus Torvalds, Peter Zijlstra,
	Thomas Gleixner, Ingo Molnar

From: Andy Lutomirski <luto@kernel.org>

commit 88640e1dcd089879530a49a8d212d1814678dfe7 upstream.

The double fault ESPFIX path doesn't return to user mode at all --
it returns back to the kernel by simulating a #GP fault.
prepare_exit_to_usermode() will run on the way out of
general_protection before running user code.

Signed-off-by: Andy Lutomirski <luto@kernel.org>
Cc: Borislav Petkov <bp@suse.de>
Cc: Frederic Weisbecker <frederic@kernel.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Jon Masters <jcm@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
Fixes: 04dcbdb80578 ("x86/speculation/mds: Clear CPU buffers on exit to user")
Link: http://lkml.kernel.org/r/ac97612445c0a44ee10374f6ea79c222fe22a5c4.1557865329.git.luto@kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 Documentation/x86/mds.rst |    7 -------
 arch/x86/kernel/traps.c   |    8 --------
 2 files changed, 15 deletions(-)

--- a/Documentation/x86/mds.rst
+++ b/Documentation/x86/mds.rst
@@ -158,13 +158,6 @@ Mitigation points
      mitigated on the return from do_nmi() to provide almost complete
      coverage.
 
-   - Double fault (#DF):
-
-     A double fault is usually fatal, but the ESPFIX workaround, which can
-     be triggered from user space through modify_ldt(2) is a recoverable
-     double fault. #DF uses the paranoid exit path, so explicit mitigation
-     in the double fault handler is required.
-
    - Machine Check Exception (#MC):
 
      Another corner case is a #MC which hits between the CPU buffer clear
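
Review bot: with the #DF bullet gone, the mitigation-points list no longer says why the recoverable ESPFIX double fault needs no explicit clear; the commit message has the answer (the path returns to the kernel by simulating a #GP, so prepare_exit_to_usermode() runs before any user code), and a one-line remark to that effect, either in the introductory prepare_exit_to_usermode() paragraph or as a short note where the bullet was, would stop the next reader from re-adding the call.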
--- a/arch/x86/kernel/traps.c
+++ b/arch/x86/kernel/traps.c
@@ -61,7 +61,6 @@
 #include <asm/alternative.h>
 #include <asm/fpu/xstate.h>
 #include <asm/trace/mpx.h>
-#include <asm/nospec-branch.h>
 #include <asm/mpx.h>
 #include <asm/vm86.h>
 
@@ -338,13 +337,6 @@ dotraplinkage void do_double_fault(struc
 		regs->ip = (unsigned long)general_protection;
 		regs->sp = (unsigned long)&normal_regs->orig_ax;
 
-		/*
-		 * This situation can be triggered by userspace via
-		 * modify_ldt(2) and the return does not take the regular
-		 * user space exit, so a CPU buffer clear is required when
-		 * MDS mitigation is enabled.
-		 */
-		mds_user_clear_cpu_buffers();
 		return;
 	}
 #endif
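
Review bot: the removed comment was the only in-code record of why this path was treated specially; a one-line replacement stating that the return lands in general_protection and therefore passes through prepare_exit_to_usermode() would document the revert rather than leave a bare `return;` after the register setup. Since the earlier hunk also drops <asm/nospec-branch.h>, it is worth confirming that nothing else in traps.c relied on that header, directly or transitively, before this is merged into 4.4.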




* [PATCH 4.4 002/241] x86/speculation/mds: Improve CPU buffer clear documentation
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
  2019-06-09 16:39 ` [PATCH 4.4 001/241] x86/speculation/mds: Revert CPU buffer clear on double fault exit Greg Kroah-Hartman
@ 2019-06-09 16:39 ` Greg Kroah-Hartman
  2019-06-09 16:39 ` [PATCH 4.4 003/241] ARM: exynos: Fix a leaked reference by adding missing of_node_put Greg Kroah-Hartman
                   ` (243 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andy Lutomirski, Borislav Petkov,
	Frederic Weisbecker, Jon Masters, Linus Torvalds, Peter Zijlstra,
	Thomas Gleixner, Ingo Molnar

From: Andy Lutomirski <luto@kernel.org>

commit 9d8d0294e78a164d407133dea05caf4b84247d6a upstream.

On x86_64, all returns to usermode go through
prepare_exit_to_usermode(), with the sole exception of do_nmi().
This even includes machine checks -- this was added several years
ago to support MCE recovery.  Update the documentation.

Signed-off-by: Andy Lutomirski <luto@kernel.org>
Cc: Borislav Petkov <bp@suse.de>
Cc: Frederic Weisbecker <frederic@kernel.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Jon Masters <jcm@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
Fixes: 04dcbdb80578 ("x86/speculation/mds: Clear CPU buffers on exit to user")
Link: http://lkml.kernel.org/r/999fa9e126ba6a48e9d214d2f18dbde5c62ac55c.1557865329.git.luto@kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 Documentation/x86/mds.rst |   39 +++++++--------------------------------
 1 file changed, 7 insertions(+), 32 deletions(-)

--- a/Documentation/x86/mds.rst
+++ b/Documentation/x86/mds.rst
@@ -142,38 +142,13 @@ Mitigation points
    mds_user_clear.
 
    The mitigation is invoked in prepare_exit_to_usermode() which covers
-   most of the kernel to user space transitions. There are a few exceptions
-   which are not invoking prepare_exit_to_usermode() on return to user
-   space. These exceptions use the paranoid exit code.
-
-   - Non Maskable Interrupt (NMI):
-
-     Access to sensible data like keys, credentials in the NMI context is
-     mostly theoretical: The CPU can do prefetching or execute a
-     misspeculated code path and thereby fetching data which might end up
-     leaking through a buffer.
-
-     But for mounting other attacks the kernel stack address of the task is
-     already valuable information. So in full mitigation mode, the NMI is
-     mitigated on the return from do_nmi() to provide almost complete
-     coverage.
-
-   - Machine Check Exception (#MC):
-
-     Another corner case is a #MC which hits between the CPU buffer clear
-     invocation and the actual return to user. As this still is in kernel
-     space it takes the paranoid exit path which does not clear the CPU
-     buffers. So the #MC handler repopulates the buffers to some
-     extent. Machine checks are not reliably controllable and the window is
-     extremly small so mitigation would just tick a checkbox that this
-     theoretical corner case is covered. To keep the amount of special
-     cases small, ignore #MC.
-
-   - Debug Exception (#DB):
-
-     This takes the paranoid exit path only when the INT1 breakpoint is in
-     kernel space. #DB on a user space address takes the regular exit path,
-     so no extra mitigation required.
+   all but one of the kernel to user space transitions.  The exception
+   is when we return from a Non Maskable Interrupt (NMI), which is
+   handled directly in do_nmi().
+
+   (The reason that NMI is special is that prepare_exit_to_usermode() can
+    enable IRQs.  In NMI context, NMIs are blocked, and we don't want to
+    enable IRQs with NMIs blocked.)
 
 
 2. C-State transition
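
Review bot: the rewritten paragraph explains why NMI bypasses prepare_exit_to_usermode() but drops the sentence that said what happens instead (the removed text stated that the clear is performed on the return from do_nmi()); keeping one sentence such as "do_nmi() performs the buffer clear itself before returning" would leave the coverage statement complete. The deleted #MC paragraph also carried the reasoning for ignoring the #MC corner case; if it is now obsolete because #MC returns via prepare_exit_to_usermode(), as the commit message says, stating that in one line is cheaper than a reader rediscovering it from the git log.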




* [PATCH 4.4 003/241] ARM: exynos: Fix a leaked reference by adding missing of_node_put
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
  2019-06-09 16:39 ` [PATCH 4.4 001/241] x86/speculation/mds: Revert CPU buffer clear on double fault exit Greg Kroah-Hartman
  2019-06-09 16:39 ` [PATCH 4.4 002/241] x86/speculation/mds: Improve CPU buffer clear documentation Greg Kroah-Hartman
@ 2019-06-09 16:39 ` Greg Kroah-Hartman
  2019-06-09 16:39 ` [PATCH 4.4 004/241] crypto: vmx - fix copy-paste error in CTR mode Greg Kroah-Hartman
                   ` (242 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Wen Yang, Krzysztof Kozlowski

From: Wen Yang <wen.yang99@zte.com.cn>

commit 629266bf7229cd6a550075f5961f95607b823b59 upstream.

The call to of_get_next_child returns a node pointer with its refcount
incremented, thus it must be explicitly decremented after the last
use.

Detected by coccinelle with warnings like:
    arch/arm/mach-exynos/firmware.c:201:2-8: ERROR: missing of_node_put;
        acquired a node pointer with refcount incremented on line 193,
        but without a corresponding object release within this function.

Cc: stable@vger.kernel.org
Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/mach-exynos/firmware.c |    1 +
 arch/arm/mach-exynos/suspend.c  |    2 ++
 2 files changed, 3 insertions(+)

--- a/arch/arm/mach-exynos/firmware.c
+++ b/arch/arm/mach-exynos/firmware.c
@@ -207,6 +207,7 @@ void __init exynos_firmware_init(void)
 		return;
 
 	addr = of_get_address(nd, 0, NULL, NULL);
+	of_node_put(nd);
 	if (!addr) {
 		pr_err("%s: No address specified.\n", __func__);
 		return;
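
Review bot: of_node_put(nd) is called before addr is used, and addr, as returned by of_get_address(), points into the node's own property data rather than into a copy; this is only safe because nodes unflattened from the boot DT are not freed in practice, so moving the put after the last use of addr (once the address has been consumed by the code that follows this hunk) costs nothing and removes the dependence on that assumption.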
--- a/arch/arm/mach-exynos/suspend.c
+++ b/arch/arm/mach-exynos/suspend.c
@@ -725,8 +725,10 @@ void __init exynos_pm_init(void)
 
 	if (WARN_ON(!of_find_property(np, "interrupt-controller", NULL))) {
 		pr_warn("Outdated DT detected, suspend/resume will NOT work\n");
+		of_node_put(np);
 		return;
 	}
+	of_node_put(np);
 
 	pm_data = (const struct exynos_pm_data *) match->data;
 
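
Review bot: the same of_node_put(np) now appears in both the early-return branch and the fall-through path; since np is only needed for the of_find_property() lookup, calling of_node_put(np) once right after that lookup (keeping the lookup result in a local that the WARN_ON() then tests) avoids the duplicated put and keeps a future early return from reintroducing the leak.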




* [PATCH 4.4 004/241] crypto: vmx - fix copy-paste error in CTR mode
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (2 preceding siblings ...)
  2019-06-09 16:39 ` [PATCH 4.4 003/241] ARM: exynos: Fix a leaked reference by adding missing of_node_put Greg Kroah-Hartman
@ 2019-06-09 16:39 ` Greg Kroah-Hartman
  2019-06-09 16:39 ` [PATCH 4.4 005/241] crypto: crct10dif-generic - fix use via crypto_shash_digest() Greg Kroah-Hartman
                   ` (241 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ondrej Mosnáček,
	Daniel Axtens, Michael Ellerman, Herbert Xu

From: Daniel Axtens <dja@axtens.net>

commit dcf7b48212c0fab7df69e84fab22d6cb7c8c0fb9 upstream.

The original assembly imported from OpenSSL has two copy-paste
errors in handling CTR mode. When dealing with a 2 or 3 block tail,
the code branches to the CBC decryption exit path, rather than to
the CTR exit path.

This leads to corruption of the IV, which leads to subsequent blocks
being corrupted.

This can be detected with the libkcapi test suite, which is available at
https://github.com/smuellerDD/libkcapi

Reported-by: Ondrej Mosnáček <omosnacek@gmail.com>
Fixes: 5c380d623ed3 ("crypto: vmx - Add support for VMS instructions by ASM")
Cc: stable@vger.kernel.org
Signed-off-by: Daniel Axtens <dja@axtens.net>
Tested-by: Michael Ellerman <mpe@ellerman.id.au>
Tested-by: Ondrej Mosnacek <omosnacek@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/crypto/vmx/aesp8-ppc.pl |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/crypto/vmx/aesp8-ppc.pl
+++ b/drivers/crypto/vmx/aesp8-ppc.pl
@@ -1795,7 +1795,7 @@ Lctr32_enc8x_three:
 	stvx_u		$out1,$x10,$out
 	stvx_u		$out2,$x20,$out
 	addi		$out,$out,0x30
-	b		Lcbc_dec8x_done
+	b		Lctr32_enc8x_done
 
 .align	5
 Lctr32_enc8x_two:
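
Review bot: the branch target is the right fix, but the commit message says only that two copy-paste errors were found; a scan of every Lctr32_enc8x_* tail in this file for a remaining `b Lcbc_dec8x_done` (the one-block tail that follows the second hunk in particular) would confirm that nothing else was carried over from the CBC decryption path.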
@@ -1807,7 +1807,7 @@ Lctr32_enc8x_two:
 	stvx_u		$out0,$x00,$out
 	stvx_u		$out1,$x10,$out
 	addi		$out,$out,0x20
-	b		Lcbc_dec8x_done
+	b		Lctr32_enc8x_done
 
 .align	5
 Lctr32_enc8x_one:
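
Review bot: the commit relies on the out-of-tree libkcapi suite to catch the IV corruption; since the failure only shows up with a two- or three-block tail after a full eight-block chunk, an AES-CTR testmgr vector whose length is 8*16 + 32 or 8*16 + 48 bytes would cover both fixed paths in the in-tree self-tests and protect this backport from silently regressing.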




* [PATCH 4.4 005/241] crypto: crct10dif-generic - fix use via crypto_shash_digest()
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (3 preceding siblings ...)
  2019-06-09 16:39 ` [PATCH 4.4 004/241] crypto: vmx - fix copy-paste error in CTR mode Greg Kroah-Hartman
@ 2019-06-09 16:39 ` Greg Kroah-Hartman
  2019-06-09 16:39 ` [PATCH 4.4 006/241] crypto: x86/crct10dif-pcl " Greg Kroah-Hartman
                   ` (240 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tim Chen, Eric Biggers, Herbert Xu

From: Eric Biggers <ebiggers@google.com>

commit 307508d1072979f4435416f87936f87eaeb82054 upstream.

The ->digest() method of crct10dif-generic reads the current CRC value
from the shash_desc context.  But this value is uninitialized, causing
crypto_shash_digest() to compute the wrong result.  Fix it.

Probably this wasn't noticed before because lib/crc-t10dif.c only uses
crypto_shash_update(), not crypto_shash_digest().  Likewise,
crypto_shash_digest() is not yet tested by the crypto self-tests because
those only test the ahash API which only uses shash init/update/final.

This bug was detected by my patches that improve testmgr to fuzz
algorithms against their generic implementation.

Fixes: 2d31e518a428 ("crypto: crct10dif - Wrap crc_t10dif function all to use crypto transform framework")
Cc: <stable@vger.kernel.org> # v3.11+
Cc: Tim Chen <tim.c.chen@linux.intel.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 crypto/crct10dif_generic.c |   11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

--- a/crypto/crct10dif_generic.c
+++ b/crypto/crct10dif_generic.c
@@ -65,10 +65,9 @@ static int chksum_final(struct shash_des
 	return 0;
 }
 
-static int __chksum_finup(__u16 *crcp, const u8 *data, unsigned int len,
-			u8 *out)
+static int __chksum_finup(__u16 crc, const u8 *data, unsigned int len, u8 *out)
 {
-	*(__u16 *)out = crc_t10dif_generic(*crcp, data, len);
+	*(__u16 *)out = crc_t10dif_generic(crc, data, len);
 	return 0;
 }
 
@@ -77,15 +76,13 @@ static int chksum_finup(struct shash_des
 {
 	struct chksum_desc_ctx *ctx = shash_desc_ctx(desc);
 
-	return __chksum_finup(&ctx->crc, data, len, out);
+	return __chksum_finup(ctx->crc, data, len, out);
 }
 
 static int chksum_digest(struct shash_desc *desc, const u8 *data,
 			 unsigned int length, u8 *out)
 {
-	struct chksum_desc_ctx *ctx = shash_desc_ctx(desc);
-
-	return __chksum_finup(&ctx->crc, data, length, out);
+	return __chksum_finup(0, data, length, out);
 }
 
 static struct shash_alg alg = {
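
Review bot: `__chksum_finup(0, ...)` hard-codes the algorithm's initial value in a second place; chksum_init() presumably stores the same 0 in ctx->crc, so either a named constant used by both or a comment on this line ("digest() runs on a desc that was never init()ed, so seed with the initial value") keeps the two in sync if the seed ever changes. As the message notes that the ahash self-tests never call crypto_shash_digest(), this fix is also untested in tree until testmgr exercises the digest path directly.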




* [PATCH 4.4 006/241] crypto: x86/crct10dif-pcl - fix use via crypto_shash_digest()
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (4 preceding siblings ...)
  2019-06-09 16:39 ` [PATCH 4.4 005/241] crypto: crct10dif-generic - fix use via crypto_shash_digest() Greg Kroah-Hartman
@ 2019-06-09 16:39 ` Greg Kroah-Hartman
  2019-06-09 16:39 ` [PATCH 4.4 007/241] ALSA: usb-audio: Fix a memory leak bug Greg Kroah-Hartman
                   ` (239 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tim Chen, Eric Biggers, Herbert Xu

From: Eric Biggers <ebiggers@google.com>

commit dec3d0b1071a0f3194e66a83d26ecf4aa8c5910e upstream.

The ->digest() method of crct10dif-pclmul reads the current CRC value
from the shash_desc context.  But this value is uninitialized, causing
crypto_shash_digest() to compute the wrong result.  Fix it.

Probably this wasn't noticed before because lib/crc-t10dif.c only uses
crypto_shash_update(), not crypto_shash_digest().  Likewise,
crypto_shash_digest() is not yet tested by the crypto self-tests because
those only test the ahash API which only uses shash init/update/final.

Fixes: 0b95a7f85718 ("crypto: crct10dif - Glue code to cast accelerated CRCT10DIF assembly as a crypto transform")
Cc: <stable@vger.kernel.org> # v3.11+
Cc: Tim Chen <tim.c.chen@linux.intel.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/crypto/crct10dif-pclmul_glue.c |   13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)

--- a/arch/x86/crypto/crct10dif-pclmul_glue.c
+++ b/arch/x86/crypto/crct10dif-pclmul_glue.c
@@ -76,15 +76,14 @@ static int chksum_final(struct shash_des
 	return 0;
 }
 
-static int __chksum_finup(__u16 *crcp, const u8 *data, unsigned int len,
-			u8 *out)
+static int __chksum_finup(__u16 crc, const u8 *data, unsigned int len, u8 *out)
 {
 	if (irq_fpu_usable()) {
 		kernel_fpu_begin();
-		*(__u16 *)out = crc_t10dif_pcl(*crcp, data, len);
+		*(__u16 *)out = crc_t10dif_pcl(crc, data, len);
 		kernel_fpu_end();
 	} else
-		*(__u16 *)out = crc_t10dif_generic(*crcp, data, len);
+		*(__u16 *)out = crc_t10dif_generic(crc, data, len);
 	return 0;
 }
 
@@ -93,15 +92,13 @@ static int chksum_finup(struct shash_des
 {
 	struct chksum_desc_ctx *ctx = shash_desc_ctx(desc);
 
-	return __chksum_finup(&ctx->crc, data, len, out);
+	return __chksum_finup(ctx->crc, data, len, out);
 }
 
 static int chksum_digest(struct shash_desc *desc, const u8 *data,
 			 unsigned int length, u8 *out)
 {
-	struct chksum_desc_ctx *ctx = shash_desc_ctx(desc);
-
-	return __chksum_finup(&ctx->crc, data, length, out);
+	return __chksum_finup(0, data, length, out);
 }
 
 static struct shash_alg alg = {
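
Review bot: same remark as for the generic driver: the 0 seed duplicates what chksum_init() stores in ctx->crc, and a short comment or shared constant keeps them aligned. Because __chksum_finup() dispatches between crc_t10dif_pcl() and crc_t10dif_generic() depending on irq_fpu_usable(), a crypto_shash_digest() test invoked from both a context where the FPU is usable and one where it is not would be needed to cover both arms of this fix.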



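The bug fixed in the two crct10dif patches above (005 for the generic driver, 006 for the PCLMULQDQ one) is easier to see when the shash contract is modelled directly. The following is an added example, not code from either patch or from the kernel: a bitwise CRC-T10DIF (polynomial 0x8BB7, MSB-first, no reflection, initial value 0, which is what the kernel's crc_t10dif_generic() computes) driven through a Python stand-in for the init/update/final/finup/digest methods. digest() is invoked on a desc whose context was never init()ed, so a digest() that forwards ctx->crc returns the leftover memory contents folded into the CRC, while one that seeds 0 matches init()+update()+final(). The leftover value 0xBEEF and the sample payload are constructed for the demonstration.

```python
"""Modelling the shash digest() contract for CRC-T10DIF (added example)."""

CRC_T10DIF_POLY = 0x8BB7


def crc_t10dif_generic(crc: int, data: bytes) -> int:
    """Continue a CRC-T10DIF computation from `crc` over `data`."""
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            if crc & 0x8000:
                crc = ((crc << 1) ^ CRC_T10DIF_POLY) & 0xFFFF
            else:
                crc = (crc << 1) & 0xFFFF
    return crc


class ChksumDesc:
    """Stand-in for shash_desc plus its chksum_desc_ctx."""

    def __init__(self, leftover_ctx: int) -> None:
        # Memory the framework hands to digest() without calling init();
        # the value is constructed for the demonstration.
        self.crc = leftover_ctx

    def init(self) -> None:                  # chksum_init()
        self.crc = 0

    def update(self, data: bytes) -> None:   # chksum_update()
        self.crc = crc_t10dif_generic(self.crc, data)

    def final(self) -> int:                  # chksum_final()
        return self.crc

    def finup(self, data: bytes) -> int:     # chksum_finup()
        return crc_t10dif_generic(self.crc, data)

    def digest_buggy(self, data: bytes) -> int:
        # Before the fix: __chksum_finup(&ctx->crc, ...) on an uninitialised ctx.
        return self.finup(data)

    def digest_fixed(self, data: bytes) -> int:
        # After the fix: __chksum_finup(0, ...), independent of ctx.
        return crc_t10dif_generic(0, data)


def reference_digest(data: bytes) -> int:
    """init()+update()+final(): the value every digest() path must match."""
    desc = ChksumDesc(leftover_ctx=0xBEEF)
    desc.init()
    desc.update(data)
    return desc.final()


def incremental_digest(chunks, leftover_ctx: int = 0xBEEF) -> int:
    """Feed data in pieces and finish with finup(); must equal the reference."""
    desc = ChksumDesc(leftover_ctx)
    desc.init()
    for chunk in chunks[:-1]:
        desc.update(chunk)
    return desc.finup(chunks[-1])


def compare_digests(data: bytes, leftover_ctx: int = 0xBEEF) -> dict:
    """Run the buggy and the fixed digest() on a never-initialised desc."""
    desc = ChksumDesc(leftover_ctx)      # no init(): this is the digest() path
    return {
        "reference": reference_digest(data),
        "buggy": desc.digest_buggy(data),
        "fixed": desc.digest_fixed(data),
    }


if __name__ == "__main__":
    sample = b"constructed sector payload stand-in " * 3
    for name, value in compare_digests(sample).items():
        print(f"{name:9s} 0x{value:04x}")
```

Because the CRC is linear, a nonzero leftover seed always changes the result (multiplication by x^(8n) modulo 0x8BB7 is injective), so the buggy digest() can never accidentally agree with the reference for a nonzero leftover value; it only matches when the leftover memory happens to be 0, which is why the bug went unnoticed until the testmgr fuzzing mentioned in patch 005 compared the digest path against the generic implementation.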

* [PATCH 4.4 007/241] ALSA: usb-audio: Fix a memory leak bug
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (5 preceding siblings ...)
  2019-06-09 16:39 ` [PATCH 4.4 006/241] crypto: x86/crct10dif-pcl " Greg Kroah-Hartman
@ 2019-06-09 16:39 ` Greg Kroah-Hartman
  2019-06-09 16:39 ` [PATCH 4.4 008/241] ALSA: hda/hdmi - Consider eld_valid when reporting jack event Greg Kroah-Hartman
                   ` (238 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Wenwen Wang, Takashi Iwai

From: Wenwen Wang <wang6495@umn.edu>

commit cb5173594d50c72b7bfa14113dfc5084b4d2f726 upstream.

In parse_audio_selector_unit(), the string array 'namelist' is allocated
through kmalloc_array(), and each string pointer in this array, i.e.,
'namelist[]', is allocated through kmalloc() in the following for loop.
Then, a control instance 'kctl' is created by invoking snd_ctl_new1(). If
an error occurs during the creation process, the string array 'namelist',
including all string pointers in the array 'namelist[]', should be freed,
before the error code ENOMEM is returned. However, the current code does
not free 'namelist[]', resulting in memory leaks.

To fix the above issue, free all string pointers 'namelist[]' in a loop.

Signed-off-by: Wenwen Wang <wang6495@umn.edu>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/usb/mixer.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/sound/usb/mixer.c
+++ b/sound/usb/mixer.c
@@ -2112,6 +2112,8 @@ static int parse_audio_selector_unit(str
 	kctl = snd_ctl_new1(&mixer_selectunit_ctl, cval);
 	if (! kctl) {
 		usb_audio_err(state->chip, "cannot malloc kcontrol\n");
+		for (i = 0; i < desc->bNrInPins; i++)
+			kfree(namelist[i]);
 		kfree(namelist);
 		kfree(cval);
 		return -ENOMEM;
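
Review bot: freeing all desc->bNrInPins entries is correct here because this error path is reached only after the allocation loop above has completed, and kfree() tolerates NULL should any entry be unset. Worth checking that the failure path inside that earlier per-pin allocation loop (not visible in this hunk) releases the entries allocated so far, since it has the same shape and is not covered by this change.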




* [PATCH 4.4 008/241] ALSA: hda/hdmi - Consider eld_valid when reporting jack event
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (6 preceding siblings ...)
  2019-06-09 16:39 ` [PATCH 4.4 007/241] ALSA: usb-audio: Fix a memory leak bug Greg Kroah-Hartman
@ 2019-06-09 16:39 ` Greg Kroah-Hartman
  2019-06-09 16:39 ` [PATCH 4.4 009/241] ALSA: hda/realtek - EAPD turn on later Greg Kroah-Hartman
                   ` (237 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Hui Wang, Takashi Iwai

From: Hui Wang <hui.wang@canonical.com>

commit 7f641e26a6df9269cb25dd7a4b0a91d6586ed441 upstream.

On machines with an AMD GPU or Nvidia GPU, we often meet this issue:
after s3, there are 4 HDMI/DP audio devices in the gnome-sound-setting
even when no monitors are plugged in.

When this problem happens and we check /proc/asound/cardX/eld#N.M, we
find monitor_present=1, eld_valid=0.

The root cause is that the BIOS or GPU driver makes the PRESENCE valid
even when no monitor is plugged in, and of course the driver will not
get valid eld_data subsequently.

In this situation, we should not report the jack_plugged event. To do
so, let us change the function hdmi_present_sense_via_verbs(). This
function reads the pin_sense via snd_hda_pin_sense(); after calling
that function, the jack_dirty is 0, and before exiting via_verbs() we
change the shadow pin_sense according to both monitor_present and
eld_valid. Then in snd_hda_jack_report_sync(), since the jack_dirty is
still 0, it will report the jack event according to this modified
shadow pin_sense.

After this change, the driver will not report Jack_is_plugged event
through hdmi_present_sense_via_verbs() if monitor_present is 1 and
eld_valid is 0.

Signed-off-by: Hui Wang <hui.wang@canonical.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/hda/patch_hdmi.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/sound/pci/hda/patch_hdmi.c
+++ b/sound/pci/hda/patch_hdmi.c
@@ -1636,9 +1636,11 @@ static bool hdmi_present_sense(struct hd
 	ret = !repoll || !pin_eld->monitor_present || pin_eld->eld_valid;
 
 	jack = snd_hda_jack_tbl_get(codec, pin_nid);
-	if (jack)
+	if (jack) {
 		jack->block_report = !ret;
-
+		jack->pin_sense = (eld->monitor_present && eld->eld_valid) ?
+			AC_PINSENSE_PRESENCE : 0;
+	}
 	mutex_unlock(&per_pin->lock);
 	snd_hda_power_down_pm(codec);
 	return ret;
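
Review bot: the ret computation two lines above reads pin_eld->monitor_present and pin_eld->eld_valid, while the new pin_sense assignment reads eld->monitor_present and eld->eld_valid; if eld is the freshly parsed ELD and pin_eld the cached copy the mixed use is intentional and deserves a comment, and if they are meant to be the same object the new lines should use pin_eld for consistency. Unconditionally assigning jack->pin_sense to either AC_PINSENSE_PRESENCE or 0 also discards any other sense bits that snd_hda_pin_sense() stored there; clearing only the presence bit and OR-ing it back in when both flags hold would preserve them.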




* [PATCH 4.4 009/241] ALSA: hda/realtek - EAPD turn on later
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (7 preceding siblings ...)
  2019-06-09 16:39 ` [PATCH 4.4 008/241] ALSA: hda/hdmi - Consider eld_valid when reporting jack event Greg Kroah-Hartman
@ 2019-06-09 16:39 ` Greg Kroah-Hartman
  2019-06-09 16:39 ` [PATCH 4.4 010/241] ASoC: max98090: Fix restore of DAPM Muxes Greg Kroah-Hartman
                   ` (236 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Kailang Yang, Takashi Iwai

From: Kailang Yang <kailang@realtek.com>

commit 607ca3bd220f4022e6f5356026b19dafc363863a upstream.

Let EAPD turn on after set pin output.

[ NOTE: This change is supposed to reduce the possible click noises at
  (runtime) PM resume.  The functionality should be the same (i.e. the
  verbs are executed correctly) no matter which order is used, so this
  should be safe to apply for all codecs -- tiwai ]

Signed-off-by: Kailang Yang <kailang@realtek.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/hda/patch_realtek.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -772,11 +772,10 @@ static int alc_init(struct hda_codec *co
 	if (spec->init_hook)
 		spec->init_hook(codec);
 
+	snd_hda_gen_init(codec);
 	alc_fix_pll(codec);
 	alc_auto_init_amp(codec, spec->init_amp);
 
-	snd_hda_gen_init(codec);
-
 	snd_hda_apply_fixup(codec, HDA_FIXUP_ACT_INIT);
 
 	return 0;
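
Review bot: the whole point of the change is the ordering, but nothing in the code records it; a one-line comment above `snd_hda_gen_init(codec);` stating that the generic init has to set up the pin outputs before `alc_auto_init_amp()` raises EAPD (to avoid the resume click the commit message describes) would stop a later cleanup from moving the call back below `alc_auto_init_amp()`. The commit message should also say whether `alc_fix_pll()` has any ordering dependency on the generic init, since it now runs after it rather than before.
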




* [PATCH 4.4 010/241] ASoC: max98090: Fix restore of DAPM Muxes
From: Greg Kroah-Hartman @ 2019-06-09 16:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jon Hunter, Mark Brown

From: Jon Hunter <jonathanh@nvidia.com>

commit ecb2795c08bc825ebd604997e5be440b060c5b18 upstream.

The max98090 driver defines 3 DAPM muxes; one for the right line output
(LINMOD Mux), one for the left headphone mixer source (MIXHPLSEL Mux)
and one for the right headphone mixer source (MIXHPRSEL Mux). The same
bit is used for the mux as well as the DAPM enable, and although the mux
can be correctly configured, after playback has completed, the mux will
be reset during the disable phase. This is preventing the state of these
muxes from being saved and restored correctly on system reboot. Fix this
by marking these muxes as SND_SOC_NOPM.

Note this has been verified on the Tegra124 Nyan Big, which features
the MAX98090 codec.

Signed-off-by: Jon Hunter <jonathanh@nvidia.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/soc/codecs/max98090.c |   12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

--- a/sound/soc/codecs/max98090.c
+++ b/sound/soc/codecs/max98090.c
@@ -1209,14 +1209,14 @@ static const struct snd_soc_dapm_widget
 		&max98090_right_rcv_mixer_controls[0],
 		ARRAY_SIZE(max98090_right_rcv_mixer_controls)),
 
-	SND_SOC_DAPM_MUX("LINMOD Mux", M98090_REG_LOUTR_MIXER,
-		M98090_LINMOD_SHIFT, 0, &max98090_linmod_mux),
+	SND_SOC_DAPM_MUX("LINMOD Mux", SND_SOC_NOPM, 0, 0,
+		&max98090_linmod_mux),
 
-	SND_SOC_DAPM_MUX("MIXHPLSEL Mux", M98090_REG_HP_CONTROL,
-		M98090_MIXHPLSEL_SHIFT, 0, &max98090_mixhplsel_mux),
+	SND_SOC_DAPM_MUX("MIXHPLSEL Mux", SND_SOC_NOPM, 0, 0,
+		&max98090_mixhplsel_mux),
 
-	SND_SOC_DAPM_MUX("MIXHPRSEL Mux", M98090_REG_HP_CONTROL,
-		M98090_MIXHPRSEL_SHIFT, 0, &max98090_mixhprsel_mux),
+	SND_SOC_DAPM_MUX("MIXHPRSEL Mux", SND_SOC_NOPM, 0, 0,
+		&max98090_mixhprsel_mux),
 
 	SND_SOC_DAPM_PGA("HP Left Out", M98090_REG_OUTPUT_ENABLE,
 		M98090_HPLEN_SHIFT, 0, NULL, 0),
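
Review bot: with the three muxes moved to `SND_SOC_NOPM`, DAPM no longer writes `M98090_LINMOD_SHIFT`, `M98090_MIXHPLSEL_SHIFT` or `M98090_MIXHPRSEL_SHIFT`, so the only remaining writer of those bits is the enum kcontrol each widget points at (`max98090_linmod_mux`, `max98090_mixhplsel_mux`, `max98090_mixhprsel_mux`); confirm those enums are defined against `M98090_REG_LOUTR_MIXER` and `M98090_REG_HP_CONTROL` with the same shifts, otherwise the bit is no longer driven at all after this change. A short comment above the widgets ("select bit doubles as the enable bit, keep it out of DAPM power management") would record why the register was dropped here, since the widget definitions now look like they forgot it.
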




* [PATCH 4.4 011/241] ASoC: RT5677-SPI: Disable 16Bit SPI Transfers
From: Greg Kroah-Hartman @ 2019-06-09 16:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Curtis Malainey, Ben Zhang, Mark Brown

From: Curtis Malainey <cujomalainey@chromium.org>

commit a46eb523220e242affb9a6bc9bb8efc05f4f7459 upstream.

The current algorithm allows 3 types of transfers, 16bit, 32bit and
burst. According to Realtek, 16bit transfers have a special restriction
in that it is restricted to the memory region of
0x18020000 ~ 0x18021000. This region is the memory location of the I2C
registers. The current algorithm does not uphold this restriction and
therefore fails to complete writes.

Since this has been broken for some time, it is likely that no one is using it.
Better to simply disable the 16 bit writes. This will allow users to
properly load firmware over SPI without data corruption.

Signed-off-by: Curtis Malainey <cujomalainey@chromium.org>
Reviewed-by: Ben Zhang <benzh@chromium.org>
Signed-off-by: Mark Brown <broonie@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/soc/codecs/rt5677-spi.c |   35 ++++++++++++++++-------------------
 1 file changed, 16 insertions(+), 19 deletions(-)

--- a/sound/soc/codecs/rt5677-spi.c
+++ b/sound/soc/codecs/rt5677-spi.c
@@ -60,13 +60,15 @@ static DEFINE_MUTEX(spi_mutex);
  * RT5677_SPI_READ/WRITE_32:	Transfer 4 bytes
  * RT5677_SPI_READ/WRITE_BURST:	Transfer any multiples of 8 bytes
  *
- * For example, reading 260 bytes at 0x60030002 uses the following commands:
- * 0x60030002 RT5677_SPI_READ_16	2 bytes
+ * Note:
+ * 16 Bit writes and reads are restricted to the address range
+ * 0x18020000 ~ 0x18021000
+ *
+ * For example, reading 256 bytes at 0x60030004 uses the following commands:
  * 0x60030004 RT5677_SPI_READ_32	4 bytes
  * 0x60030008 RT5677_SPI_READ_BURST	240 bytes
  * 0x600300F8 RT5677_SPI_READ_BURST	8 bytes
  * 0x60030100 RT5677_SPI_READ_32	4 bytes
- * 0x60030104 RT5677_SPI_READ_16	2 bytes
  *
  * Input:
  * @read: true for read commands; false for write commands
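
Review bot: the new Note says 16-bit reads and writes are restricted to 0x18020000 ~ 0x18021000, but `rt5677_spi_select_cmd()` below no longer emits the 16-bit command for any address, so a reader will assume the driver still uses it inside that window. Say explicitly that the driver therefore never issues 16-bit transfers (the range note is background for why, not a description of current behaviour), and make sure the command list at the top of this comment only advertises `RT5677_SPI_READ/WRITE_32` and `_BURST`.
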
@@ -81,15 +83,13 @@ static u8 rt5677_spi_select_cmd(bool rea
 {
 	u8 cmd;
 
-	if (align == 2 || align == 6 || remain == 2) {
-		cmd = RT5677_SPI_READ_16;
-		*len = 2;
-	} else if (align == 4 || remain <= 6) {
+	if (align == 4 || remain <= 4) {
 		cmd = RT5677_SPI_READ_32;
 		*len = 4;
 	} else {
 		cmd = RT5677_SPI_READ_BURST;
-		*len = min_t(u32, remain & ~7, RT5677_SPI_BURST_LEN);
+		*len = (((remain - 1) >> 3) + 1) << 3;
+		*len = min_t(u32, *len, RT5677_SPI_BURST_LEN);
 	}
 	return read ? cmd : cmd + 1;
 }
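
Review bot: `*len = (((remain - 1) >> 3) + 1) << 3` rounds up where the old `remain & ~7` rounded down, so a burst can now be longer than `remain`, and that makes the worked example in the header comment wrong for the new code: reading 256 bytes at 0x60030004 gives 4 (32-bit), 240 (burst), then `remain == 12` at 0x600300F8 selects a 16-byte burst, not the 8-byte burst plus 4-byte read the comment lists, and the read fetches 4 bytes past the requested range. Rounding up is what supplies the zero padding for writes, but for reads it is an over-read of the DSP address space; consider keeping the round-down when `read` is true (a 4-byte remainder is already covered by `remain <= 4`), or at minimum fix the example and document the over-read in the comment.
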
@@ -110,7 +110,7 @@ static void rt5677_spi_reverse(u8 *dst,
 	}
 }
 
-/* Read DSP address space using SPI. addr and len have to be 2-byte aligned. */
+/* Read DSP address space using SPI. addr and len have to be 4-byte aligned. */
 int rt5677_spi_read(u32 addr, void *rxbuf, size_t len)
 {
 	u32 offset;
@@ -126,7 +126,7 @@ int rt5677_spi_read(u32 addr, void *rxbu
 	if (!g_spi)
 		return -ENODEV;
 
-	if ((addr & 1) || (len & 1)) {
+	if ((addr & 3) || (len & 3)) {
 		dev_err(&g_spi->dev, "Bad read align 0x%x(%zu)\n", addr, len);
 		return -EACCES;
 	}
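
Review bot: tightening the check to `(addr & 3) || (len & 3)` turns any caller that passed a 2-byte-aligned read length into a hard failure with no padding, while the write side keeps accepting unaligned lengths; check that the firmware-loading path the commit message refers to never asks for 2-aligned read sizes. Separately, `-EACCES` for an alignment error reads like a permission problem in logs; `-EINVAL` is the conventional code, and since this line is being touched anyway it is a cheap fix.
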
@@ -161,13 +161,13 @@ int rt5677_spi_read(u32 addr, void *rxbu
 }
 EXPORT_SYMBOL_GPL(rt5677_spi_read);
 
-/* Write DSP address space using SPI. addr has to be 2-byte aligned.
- * If len is not 2-byte aligned, an extra byte of zero is written at the end
+/* Write DSP address space using SPI. addr has to be 4-byte aligned.
+ * If len is not 4-byte aligned, then extra zeros are written at the end
  * as padding.
  */
 int rt5677_spi_write(u32 addr, const void *txbuf, size_t len)
 {
-	u32 offset, len_with_pad = len;
+	u32 offset;
 	int status = 0;
 	struct spi_transfer t;
 	struct spi_message m;
@@ -180,22 +180,19 @@ int rt5677_spi_write(u32 addr, const voi
 	if (!g_spi)
 		return -ENODEV;
 
-	if (addr & 1) {
+	if (addr & 3) {
 		dev_err(&g_spi->dev, "Bad write align 0x%x(%zu)\n", addr, len);
 		return -EACCES;
 	}
 
-	if (len & 1)
-		len_with_pad = len + 1;
-
 	memset(&t, 0, sizeof(t));
 	t.tx_buf = buf;
 	t.speed_hz = RT5677_SPI_FREQ;
 	spi_message_init_with_transfers(&m, &t, 1);
 
-	for (offset = 0; offset < len_with_pad;) {
+	for (offset = 0; offset < len;) {
 		spi_cmd = rt5677_spi_select_cmd(false, (addr + offset) & 7,
-				len_with_pad - offset, &t.len);
+				len - offset, &t.len);
 
 		/* Construct SPI message header */
 		buf[0] = spi_cmd;
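
Review bot: with `len_with_pad` gone the loop runs to `len`, so the padding the updated comment promises now depends on `rt5677_spi_select_cmd()` handing back a `t.len` larger than `len - offset` and on whatever fills the message body beyond the caller's bytes. The body construction after this hunk is not shown; confirm the bytes between `len - offset` and `t.len` are zeroed on every iteration rather than left over from the previous chunk, otherwise stale buffer content is written to the DSP as "padding".
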



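The chunking rule the commit message describes (32-bit vs. burst, formerly also 16-bit) is small enough to model. The following is an added example, not part of the patch or of the rt5677 driver: a stand-alone C copy of `rt5677_spi_select_cmd()` before and after this change, plus a walker that chops an (addr, len) transfer into chunks the way the `rt5677_spi_read()`/`rt5677_spi_write()` loops do. It reproduces the worked examples from the header comment and shows where the post-patch rounding departs from them: for the 256-byte read at 0x60030004 the new selector emits a 16-byte burst for the 12-byte tail (260 bytes on the wire), and a 6-byte write becomes one 8-byte burst, which is where the zero padding comes from. The opcode values are assumed to match the driver's `RT5677_SPI_READ_*` constants, and the round-down variant for reads is a reviewer's alternative, not driver code.

```c
#include <stdint.h>
#include <stdio.h>

/* Read opcodes as the driver numbers them (write = read + 1). Assumed to
 * match the driver's RT5677_SPI_READ_16/_32/_BURST definitions. */
enum { RT5677_SPI_READ_16 = 0x00, RT5677_SPI_READ_32 = 0x02,
       RT5677_SPI_READ_BURST = 0x04 };
#define RT5677_SPI_BURST_LEN 240

typedef unsigned (*select_fn)(unsigned align, unsigned remain, unsigned *len);

/* Pre-patch selector: 16-bit transfers allowed, burst rounded DOWN to 8. */
unsigned select_cmd_old(unsigned align, unsigned remain, unsigned *len)
{
	if (align == 2 || align == 6 || remain == 2) {
		*len = 2;
		return RT5677_SPI_READ_16;
	}
	if (align == 4 || remain <= 6) {
		*len = 4;
		return RT5677_SPI_READ_32;
	}
	*len = remain & ~7u;
	if (*len > RT5677_SPI_BURST_LEN)
		*len = RT5677_SPI_BURST_LEN;
	return RT5677_SPI_READ_BURST;
}

/* Post-patch selector: no 16-bit transfers, burst rounded UP to 8, so a
 * chunk may be longer than what is left (zero padding for writes, but an
 * over-read past addr + len for reads). */
unsigned select_cmd_new(unsigned align, unsigned remain, unsigned *len)
{
	if (align == 4 || remain <= 4) {
		*len = 4;
		return RT5677_SPI_READ_32;
	}
	*len = (((remain - 1) >> 3) + 1) << 3;
	if (*len > RT5677_SPI_BURST_LEN)
		*len = RT5677_SPI_BURST_LEN;
	return RT5677_SPI_READ_BURST;
}

/* Reviewer's alternative for reads (len 4-byte aligned, as the patched
 * rt5677_spi_read() enforces): round DOWN so nothing past addr + len is
 * fetched; a 4-byte remainder goes out as a 32-bit read. Not driver code. */
unsigned select_cmd_read_rounddown(unsigned align, unsigned remain,
				   unsigned *len)
{
	if (align == 4 || remain < 8) {
		*len = 4;
		return RT5677_SPI_READ_32;
	}
	*len = remain & ~7u;
	if (*len > RT5677_SPI_BURST_LEN)
		*len = RT5677_SPI_BURST_LEN;
	return RT5677_SPI_READ_BURST;
}

/* Chop a transfer the way the driver's read/write loops do: select a
 * command from the current 8-byte alignment and remainder, then advance by
 * the chunk length chosen. Fills lens[]; returns the chunk count, or -1 if
 * lens[] is too small or the selector returns a zero-length chunk. *wire
 * gets the bytes put on the bus, which exceeds len when a chunk rounded up. */
int plan_transfer(select_fn sel, uint32_t addr, unsigned len,
		  unsigned *lens, int max_chunks, unsigned *wire)
{
	unsigned offset = 0, chunk;
	int n = 0;

	while (offset < len) {
		sel((addr + offset) & 7, len - offset, &chunk);
		if (n == max_chunks || chunk == 0)
			return -1;
		lens[n++] = chunk;
		offset += chunk;
	}
	if (wire)
		*wire = offset;
	return n;
}

static void show(const char *tag, select_fn sel, uint32_t addr, unsigned len)
{
	unsigned lens[16], wire = 0;
	int i, n = plan_transfer(sel, addr, len, lens, 16, &wire);

	printf("%-10s %3u bytes at 0x%08x ->", tag, len, addr);
	for (i = 0; i < n; i++)
		printf(" %u", lens[i]);
	printf("  (%u on the wire)\n", wire);
}

int main(void)
{
	show("old", select_cmd_old, 0x60030002, 260);                  /* 2 4 240 8 4 2 */
	show("new", select_cmd_new, 0x60030004, 256);                  /* 4 240 16, 260 on the wire */
	show("rounddown", select_cmd_read_rounddown, 0x60030004, 256); /* 4 240 8 4 */
	show("new write", select_cmd_new, 0x60030000, 6);              /* 8: two zero bytes of padding */
	return 0;
}
```

The old selector reproduces the comment's original example exactly (2, 4, 240, 8, 4, 2 for 260 bytes at 0x60030002); the new one does not reproduce the updated example, because the 12-byte tail is rounded up to a 16-byte burst instead of being split into 8 + 4.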

* [PATCH 4.4 012/241] mm/mincore.c: make mincore() more conservative
From: Greg Kroah-Hartman @ 2019-06-09 16:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jiri Kosina, Vlastimil Babka,
	Josh Snyder, Michal Hocko, Andy Lutomirski, Dave Chinner,
	Kevin Easton, Matthew Wilcox, Cyril Hrubis, Tejun Heo,
	Kirill A. Shutemov, Daniel Gruss, Andrew Morton, Linus Torvalds,
	Dominique Martinet

From: Jiri Kosina <jkosina@suse.cz>

commit 134fca9063ad4851de767d1768180e5dede9a881 upstream.

The semantics of what mincore() considers to be resident is not
completely clear, but Linux has always (since 2.3.52, which is when
mincore() was initially done) treated it as "page is available in page
cache".

That's potentially a problem, as that [in]directly exposes
meta-information about pagecache / memory mapping state even about
memory not strictly belonging to the process executing the syscall,
opening possibilities for sidechannel attacks.

Change the semantics of mincore() so that it only reveals pagecache
information for non-anonymous mappings that belong to files that the
calling process could (if it tried to) successfully open for writing;
otherwise we'd be including shared non-exclusive mappings, which

 - is the sidechannel

 - is not the usecase for mincore(), as that's primarily used for data,
   not (shared) text

[jkosina@suse.cz: v2]
  Link: http://lkml.kernel.org/r/20190312141708.6652-2-vbabka@suse.cz
[mhocko@suse.com: restructure can_do_mincore() conditions]
Link: http://lkml.kernel.org/r/nycvar.YFH.7.76.1903062342020.19912@cbobk.fhfr.pm
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
Acked-by: Josh Snyder <joshs@netflix.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Originally-by: Linus Torvalds <torvalds@linux-foundation.org>
Originally-by: Dominique Martinet <asmadeus@codewreck.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Dave Chinner <david@fromorbit.com>
Cc: Kevin Easton <kevin@guarana.org>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: Cyril Hrubis <chrubis@suse.cz>
Cc: Tejun Heo <tj@kernel.org>
Cc: Kirill A. Shutemov <kirill@shutemov.name>
Cc: Daniel Gruss <daniel@gruss.cc>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 mm/mincore.c |   23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

--- a/mm/mincore.c
+++ b/mm/mincore.c
@@ -165,6 +165,22 @@ out:
 	return 0;
 }
 
+static inline bool can_do_mincore(struct vm_area_struct *vma)
+{
+	if (vma_is_anonymous(vma))
+		return true;
+	if (!vma->vm_file)
+		return false;
+	/*
+	 * Reveal pagecache information only for non-anonymous mappings that
+	 * correspond to the files the calling process could (if tried) open
+	 * for writing; otherwise we'd be including shared non-exclusive
+	 * mappings, which opens a side channel.
+	 */
+	return inode_owner_or_capable(file_inode(vma->vm_file)) ||
+		inode_permission(file_inode(vma->vm_file), MAY_WRITE) == 0;
+}
+
 /*
  * Do a chunk of "sys_mincore()". We've already checked
  * all the arguments, we hold the mmap semaphore: we should
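
Review bot: `inode_permission(..., MAY_WRITE)` runs the full permission path (read-only superblock check, immutable check, the LSM hook) once per VMA on every mincore() call; acceptable, but note the consequence for the comment's wording: on a read-only mount a non-owner with write permission in the mode bits is refused and gets the all-resident answer, which is stricter than "could (if tried) open for writing". Also `!vma->vm_file` returning false covers special mappings such as the vDSO, which are then reported fully resident; a sentence in the comment on both points would keep someone from "fixing" either.
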
@@ -185,8 +201,13 @@ static long do_mincore(unsigned long add
 	vma = find_vma(current->mm, addr);
 	if (!vma || addr < vma->vm_start)
 		return -ENOMEM;
-	mincore_walk.mm = vma->vm_mm;
 	end = min(vma->vm_end, addr + (pages << PAGE_SHIFT));
+	if (!can_do_mincore(vma)) {
+		unsigned long pages = DIV_ROUND_UP(end - addr, PAGE_SIZE);
+		memset(vec, 1, pages);
+		return pages;
+	}
+	mincore_walk.mm = vma->vm_mm;
 	err = walk_page_range(addr, end, &mincore_walk);
 	if (err < 0)
 		return err;
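
Review bot: the new block declares `unsigned long pages` inside `if (!can_do_mincore(vma))`, shadowing the `pages` parameter of `do_mincore()` that is still used on the line just above (`addr + (pages << PAGE_SHIFT)`); it works because the outer value is not needed afterwards, but `-Wshadow` and sparse will flag it and the next edit to the tail of this function may read the wrong variable. Rename the local (e.g. `nr`) and add a one-line comment on the `memset(vec, 1, ...)` saying that "everything resident" is the deliberate non-answer, since userspace cannot tell it apart from a real result.
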



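The rule `can_do_mincore()` applies can be checked from user space against a running kernel. The following is an added example, not part of the patch or of the kernel sources: a small Linux/C probe in which `mincore_reveals_residency()` restates the kernel predicate in user-space terms, `predict_reveals()` evaluates it for a path with `stat()` and `access()` (an approximation: `access()` uses the real uid and `CAP_FOWNER` is not checked), and `probe_resident_pages()` maps the file read-only and counts the pages `mincore()` reports resident. On a kernel with this fix, a file the caller neither owns nor can write (a system binary, say) comes back fully resident regardless of page-cache state; on an unpatched kernel the count reflects the page cache, which is the side channel. The temp-file helper and the demo paths are constructed for the example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* The patched can_do_mincore() rule restated: anonymous VMAs always reveal
 * residency, file-less mappings never do, file mappings only if the caller
 * owns the inode (or has CAP_FOWNER) or could open the file for writing. */
int mincore_reveals_residency(int is_anon, int has_file, int is_owner, int can_write)
{
	if (is_anon)
		return 1;
	if (!has_file)
		return 0;
	return is_owner || can_write;
}

/* User-space approximation for a path: no CAP_FOWNER check, and access()
 * tests the real uid. Returns 1/0, or -1 if the path cannot be stat()ed. */
int predict_reveals(const char *path)
{
	struct stat st;

	if (stat(path, &st) < 0)
		return -1;
	return mincore_reveals_residency(0, 1,
			st.st_uid == geteuid() || geteuid() == 0,
			access(path, W_OK) == 0);
}

/* Map the file read-only and count the pages mincore() reports resident.
 * Returns the count (-1 on error); *total gets the number of pages mapped. */
long probe_resident_pages(const char *path, long *total)
{
	struct stat st;
	long page = sysconf(_SC_PAGESIZE), npages, resident = -1, i;
	unsigned char *vec;
	void *map;
	int fd = open(path, O_RDONLY);

	if (fd < 0)
		return -1;
	if (fstat(fd, &st) < 0 || st.st_size == 0) {
		close(fd);
		return -1;
	}
	npages = (st.st_size + page - 1) / page;
	map = mmap(NULL, st.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
	close(fd);
	if (map == MAP_FAILED)
		return -1;
	vec = calloc(npages, 1);
	if (vec && mincore(map, st.st_size, vec) == 0)
		for (resident = 0, i = 0; i < npages; i++)
			resident += vec[i] & 1;	/* bit 0 = page resident */
	free(vec);
	munmap(map, st.st_size);
	if (total) *total = npages;
	return resident;
}

/* Constructed sample: an 8 KiB temp file we own, so the kernel answers
 * honestly for it. Fills path (caller unlinks); returns 0 or -1. */
int create_sample_file(char *path, size_t len)
{
	const char *dir = getenv("TMPDIR");
	char buf[8192];
	int fd;

	snprintf(path, len, "%s/mincore-demo-XXXXXX", dir ? dir : "/tmp");
	fd = mkstemp(path);
	if (fd < 0)
		return -1;
	memset(buf, 'A', sizeof(buf));
	if (write(fd, buf, sizeof(buf)) != (ssize_t)sizeof(buf)) {
		close(fd);
		unlink(path);
		return -1;
	}
	close(fd);
	return 0;
}

/* Pass a file you neither own nor can write (e.g. a system binary) to see the fix. */
int main(int argc, char **argv)
{
	char path[128];
	const char *target = argc > 1 ? argv[1] : path;
	long total = 0, res;

	if (argc < 2 && create_sample_file(path, sizeof(path)) < 0)
		return 1;
	res = probe_resident_pages(target, &total);
	printf("%s: honest answer expected=%d, mincore says %ld/%ld resident\n",
	       target, predict_reveals(target), res, total);
	if (argc < 2)
		unlink(path);
	return res < 0;
}
```

Run it twice on a non-writable system file, once right after dropping caches and once after reading the file: an unpatched kernel shows the count change, a patched one prints the full page count both times. For a file you own the count is real either way, as the rule intends.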

* [PATCH 4.4 013/241] ocfs2: fix ocfs2 read inode data panic in ocfs2_iget
From: Greg Kroah-Hartman @ 2019-06-09 16:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Shuning Zhang, Joseph Qi,
	Mark Fasheh, Joel Becker, Junxiao Bi, Changwei Ge, piaojun,
	Gang He, Andrew Morton, Linus Torvalds

From: Shuning Zhang <sunny.s.zhang@oracle.com>

commit e091eab028f9253eac5c04f9141bbc9d170acab3 upstream.

In some cases, ocfs2_iget() reads the data of inode, which has been
deleted for some reason.  That will make the system panic.  So we should
judge whether this inode has been deleted, and tell the caller that the
inode is a bad inode.

For example, ocfs2 is used as the backend of nfs, and the client is
nfsv3.  This issue can be reproduced by the following steps.

on the nfs server side,
..../patha/pathb

Step 1: The process A was scheduled before calling the function fh_verify.

Step 2: Process B is removing 'pathb', and has just completed the call
to function dput.  Then the dentry of 'pathb' has been deleted from the
dcache, and all ancestors have been deleted also.  The relationship of
dentry and inode was deleted through the function hlist_del_init.  The
following is the call stack.
dentry_iput->hlist_del_init(&dentry->d_u.d_alias)

At this time, the inode is still in the dcache.

Step 3: Process A calls the function ocfs2_get_dentry, which gets the
inode from the dcache.  Then the refcount of the inode is 1.  The following is the
call stack.
nfsd3_proc_getacl->fh_verify->exportfs_decode_fh->fh_to_dentry(ocfs2_get_dentry)

Step 4: Dirty pages are flushed by bdi threads.  So the inode of 'patha'
is evicted, and this directory was deleted.  But the inode of 'pathb'
can't be evicted, because the refcount of the inode was 1.

Step 5: Process A keeps running, and calls the function
reconnect_path (in exportfs_decode_fh), which calls the function
ocfs2_get_parent of ocfs2.  Get the block number of the parent
directory (patha) by the name of ...  Then read the data from disk by the
block number.  But this inode has been deleted, so the system panics.

Process A                                             Process B
1. in nfsd3_proc_getacl                   |
2.                                        |        dput
3. fh_to_dentry(ocfs2_get_dentry)         |
4. bdi flush dirty cache                  |
5. ocfs2_iget                             |

[283465.542049] OCFS2: ERROR (device sdp): ocfs2_validate_inode_block:
Invalid dinode #580640: OCFS2_VALID_FL not set

[283465.545490] Kernel panic - not syncing: OCFS2: (device sdp): panic forced
after error

[283465.546889] CPU: 5 PID: 12416 Comm: nfsd Tainted: G        W
4.1.12-124.18.6.el6uek.bug28762940v3.x86_64 #2
[283465.548382] Hardware name: VMware, Inc. VMware Virtual Platform/440BX
Desktop Reference Platform, BIOS 6.00 09/21/2015
[283465.549657]  0000000000000000 ffff8800a56fb7b8 ffffffff816e839c
ffffffffa0514758
[283465.550392]  000000000008dc20 ffff8800a56fb838 ffffffff816e62d3
0000000000000008
[283465.551056]  ffff880000000010 ffff8800a56fb848 ffff8800a56fb7e8
ffff88005df9f000
[283465.551710] Call Trace:
[283465.552516]  [<ffffffff816e839c>] dump_stack+0x63/0x81
[283465.553291]  [<ffffffff816e62d3>] panic+0xcb/0x21b
[283465.554037]  [<ffffffffa04e66b0>] ocfs2_handle_error+0xf0/0xf0 [ocfs2]
[283465.554882]  [<ffffffffa04e7737>] __ocfs2_error+0x67/0x70 [ocfs2]
[283465.555768]  [<ffffffffa049c0f9>] ocfs2_validate_inode_block+0x229/0x230
[ocfs2]
[283465.556683]  [<ffffffffa047bcbc>] ocfs2_read_blocks+0x46c/0x7b0 [ocfs2]
[283465.557408]  [<ffffffffa049bed0>] ? ocfs2_inode_cache_io_unlock+0x20/0x20
[ocfs2]
[283465.557973]  [<ffffffffa049f0eb>] ocfs2_read_inode_block_full+0x3b/0x60
[ocfs2]
[283465.558525]  [<ffffffffa049f5ba>] ocfs2_iget+0x4aa/0x880 [ocfs2]
[283465.559082]  [<ffffffffa049146e>] ocfs2_get_parent+0x9e/0x220 [ocfs2]
[283465.559622]  [<ffffffff81297c05>] reconnect_path+0xb5/0x300
[283465.560156]  [<ffffffff81297f46>] exportfs_decode_fh+0xf6/0x2b0
[283465.560708]  [<ffffffffa062faf0>] ? nfsd_proc_getattr+0xa0/0xa0 [nfsd]
[283465.561262]  [<ffffffff810a8196>] ? prepare_creds+0x26/0x110
[283465.561932]  [<ffffffffa0630860>] fh_verify+0x350/0x660 [nfsd]
[283465.562862]  [<ffffffffa0637804>] ? nfsd_cache_lookup+0x44/0x630 [nfsd]
[283465.563697]  [<ffffffffa063a8b9>] nfsd3_proc_getattr+0x69/0xf0 [nfsd]
[283465.564510]  [<ffffffffa062cf60>] nfsd_dispatch+0xe0/0x290 [nfsd]
[283465.565358]  [<ffffffffa05eb892>] ? svc_tcp_adjust_wspace+0x12/0x30
[sunrpc]
[283465.566272]  [<ffffffffa05ea652>] svc_process_common+0x412/0x6a0 [sunrpc]
[283465.567155]  [<ffffffffa05eaa03>] svc_process+0x123/0x210 [sunrpc]
[283465.568020]  [<ffffffffa062c90f>] nfsd+0xff/0x170 [nfsd]
[283465.568962]  [<ffffffffa062c810>] ? nfsd_destroy+0x80/0x80 [nfsd]
[283465.570112]  [<ffffffff810a622b>] kthread+0xcb/0xf0
[283465.571099]  [<ffffffff810a6160>] ? kthread_create_on_node+0x180/0x180
[283465.572114]  [<ffffffff816f11b8>] ret_from_fork+0x58/0x90
[283465.573156]  [<ffffffff810a6160>] ? kthread_create_on_node+0x180/0x180

Link: http://lkml.kernel.org/r/1554185919-3010-1-git-send-email-sunny.s.zhang@oracle.com
Signed-off-by: Shuning Zhang <sunny.s.zhang@oracle.com>
Reviewed-by: Joseph Qi <jiangqi903@gmail.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: piaojun <piaojun@huawei.com>
Cc: "Gang He" <ghe@suse.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/ocfs2/export.c |   30 +++++++++++++++++++++++++++++-
 1 file changed, 29 insertions(+), 1 deletion(-)

--- a/fs/ocfs2/export.c
+++ b/fs/ocfs2/export.c
@@ -148,16 +148,24 @@ static struct dentry *ocfs2_get_parent(s
 	u64 blkno;
 	struct dentry *parent;
 	struct inode *dir = d_inode(child);
+	int set;
 
 	trace_ocfs2_get_parent(child, child->d_name.len, child->d_name.name,
 			       (unsigned long long)OCFS2_I(dir)->ip_blkno);
 
+	status = ocfs2_nfs_sync_lock(OCFS2_SB(dir->i_sb), 1);
+	if (status < 0) {
+		mlog(ML_ERROR, "getting nfs sync lock(EX) failed %d\n", status);
+		parent = ERR_PTR(status);
+		goto bail;
+	}
+
 	status = ocfs2_inode_lock(dir, NULL, 0);
 	if (status < 0) {
 		if (status != -ENOENT)
 			mlog_errno(status);
 		parent = ERR_PTR(status);
-		goto bail;
+		goto unlock_nfs_sync;
 	}
 
 	status = ocfs2_lookup_ino_from_name(dir, "..", 2, &blkno);
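
Review bot: `ocfs2_nfs_sync_lock(..., 1)` takes the NFS sync lock at EX level and holds it across the inode lock, the ".." lookup and `ocfs2_iget()`; that serialises every NFS parent lookup cluster-wide for a read-only operation, so the commit message should say why EX rather than PR is needed (presumably because the delete side holds it PR and EX is what excludes a concurrent wipe). The order nfs_sync lock then inode lock must also be the same as in `ocfs2_get_dentry()` and any other site that takes both, or this introduces an ABBA deadlock; a sentence confirming that would help. Nit: the new failure path logs with `mlog(ML_ERROR, ...)` while the inode-lock failure right below uses `mlog_errno(status)`.
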
@@ -166,11 +174,31 @@ static struct dentry *ocfs2_get_parent(s
 		goto bail_unlock;
 	}
 
+	status = ocfs2_test_inode_bit(OCFS2_SB(dir->i_sb), blkno, &set);
+	if (status < 0) {
+		if (status == -EINVAL) {
+			status = -ESTALE;
+		} else
+			mlog(ML_ERROR, "test inode bit failed %d\n", status);
+		parent = ERR_PTR(status);
+		goto bail_unlock;
+	}
+
+	trace_ocfs2_get_dentry_test_bit(status, set);
+	if (!set) {
+		status = -ESTALE;
+		parent = ERR_PTR(status);
+		goto bail_unlock;
+	}
+
 	parent = d_obtain_alias(ocfs2_iget(OCFS2_SB(dir->i_sb), blkno, 0, 0));
 
 bail_unlock:
 	ocfs2_inode_unlock(dir, 0);
 
+unlock_nfs_sync:
+	ocfs2_nfs_sync_unlock(OCFS2_SB(dir->i_sb), 1);
+
 bail:
 	trace_ocfs2_get_parent_end(parent);
 
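
Review bot: style: `if (status == -EINVAL) { ... } else` puts braces on one arm only; kernel style (and checkpatch) wants both arms braced or neither. The tracepoint fired here is `trace_ocfs2_get_dentry_test_bit()`, a get_dentry event reused inside ocfs2_get_parent, so a trace consumer filtering by function will attribute these hits to the wrong path; add a matching get_parent tracepoint or note the reuse in a comment. Finally, `-EINVAL` from `ocfs2_test_inode_bit()` is folded into `-ESTALE` silently; a short comment on why EINVAL means "this block is no longer an inode" would make the mapping reviewable.
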




* [PATCH 4.4 014/241] mfd: da9063: Fix OTP control register names to match datasheets for DA9063/63L
From: Greg Kroah-Hartman @ 2019-06-09 16:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Steve Twiss, Lee Jones

From: Steve Twiss <stwiss.opensource@diasemi.com>

commit 6b4814a9451add06d457e198be418bf6a3e6a990 upstream.

Mismatch between what is found in the Datasheets for DA9063 and DA9063L
provided by Dialog Semiconductor, and the register names provided in the
MFD registers file. The changes are for the OTP (one-time-programming)
control registers. The two naming errors are OPT instead of OTP, and
COUNT instead of CONT (i.e. control).

Cc: Stable <stable@vger.kernel.org>
Signed-off-by: Steve Twiss <stwiss.opensource@diasemi.com>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/linux/mfd/da9063/registers.h |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/include/linux/mfd/da9063/registers.h
+++ b/include/linux/mfd/da9063/registers.h
@@ -215,9 +215,9 @@
 
 /* DA9063 Configuration registers */
 /* OTP */
-#define	DA9063_REG_OPT_COUNT		0x101
-#define	DA9063_REG_OPT_ADDR		0x102
-#define	DA9063_REG_OPT_DATA		0x103
+#define	DA9063_REG_OTP_CONT		0x101
+#define	DA9063_REG_OTP_ADDR		0x102
+#define	DA9063_REG_OTP_DATA		0x103
 
 /* Customer Trim and Configuration */
 #define	DA9063_REG_T_OFFSET		0x104
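
Review bot: these are macros in an exported header, so the rename is source-incompatible for any out-of-tree user of `DA9063_REG_OPT_COUNT`, `DA9063_REG_OPT_ADDR` or `DA9063_REG_OPT_DATA`; the diffstat touching only this header implies there is no in-tree user, which is worth stating in the commit message so the backport is obviously build-safe. While here, check that any bit-field defines for the OTP control register in this header use the same OTP/CONT spelling, so the names stay consistent with the datasheet after the fix.
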




* [PATCH 4.4 015/241] tty/vt: fix write/write race in ioctl(KDSKBSENT) handler
From: Greg Kroah-Hartman @ 2019-06-09 16:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jiri Slaby, Sergei Trofimovich

From: Sergei Trofimovich <slyfox@gentoo.org>

commit 46ca3f735f345c9d87383dd3a09fa5d43870770e upstream.

The bug manifests as an attempt to access deallocated memory:

    BUG: unable to handle kernel paging request at ffff9c8735448000
    #PF error: [PROT] [WRITE]
    PGD 288a05067 P4D 288a05067 PUD 288a07067 PMD 7f60c2063 PTE 80000007f5448161
    Oops: 0003 [#1] PREEMPT SMP
    CPU: 6 PID: 388 Comm: loadkeys Tainted: G         C        5.0.0-rc6-00153-g5ded5871030e #91
    Hardware name: Gigabyte Technology Co., Ltd. To be filled by O.E.M./H77M-D3H, BIOS F12 11/14/2013
    RIP: 0010:__memmove+0x81/0x1a0
    Code: 4c 89 4f 10 4c 89 47 18 48 8d 7f 20 73 d4 48 83 c2 20 e9 a2 00 00 00 66 90 48 89 d1 4c 8b 5c 16 f8 4c 8d 54 17 f8 48 c1 e9 03 <f3> 48 a5 4d 89 1a e9 0c 01 00 00 0f 1f 40 00 48 89 d1 4c 8b 1e 49
    RSP: 0018:ffffa1b9002d7d08 EFLAGS: 00010203
    RAX: ffff9c873541af43 RBX: ffff9c873541af43 RCX: 00000c6f105cd6bf
    RDX: 0000637882e986b6 RSI: ffff9c8735447ffb RDI: ffff9c8735447ffb
    RBP: ffff9c8739cd3800 R08: ffff9c873b802f00 R09: 00000000fffff73b
    R10: ffffffffb82b35f1 R11: 00505b1b004d5b1b R12: 0000000000000000
    R13: ffff9c873541af3d R14: 000000000000000b R15: 000000000000000c
    FS:  00007f450c390580(0000) GS:ffff9c873f180000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: ffff9c8735448000 CR3: 00000007e213c002 CR4: 00000000000606e0
    Call Trace:
     vt_do_kdgkb_ioctl+0x34d/0x440
     vt_ioctl+0xba3/0x1190
     ? __bpf_prog_run32+0x39/0x60
     ? mem_cgroup_commit_charge+0x7b/0x4e0
     tty_ioctl+0x23f/0x920
     ? preempt_count_sub+0x98/0xe0
     ? __seccomp_filter+0x67/0x600
     do_vfs_ioctl+0xa2/0x6a0
     ? syscall_trace_enter+0x192/0x2d0
     ksys_ioctl+0x3a/0x70
     __x64_sys_ioctl+0x16/0x20
     do_syscall_64+0x54/0xe0
     entry_SYSCALL_64_after_hwframe+0x49/0xbe

The bug manifests on systemd systems with multiple vtcon devices:
  # cat /sys/devices/virtual/vtconsole/vtcon0/name
  (S) dummy device
  # cat /sys/devices/virtual/vtconsole/vtcon1/name
  (M) frame buffer device

There systemd runs the 'loadkeys' tool in parallel for each vtcon
instance. This causes two parallel ioctl(KDSKBSENT) calls to
race into adding the same entry into the 'func_table' array at:

    drivers/tty/vt/keyboard.c:vt_do_kdgkb_ioctl()

The function has no locking around writes to 'func_table'.

The simplest reproducer is to have an initramfs with the following
init on an 8-CPU x86_64 machine:

    #!/bin/sh

    loadkeys -q windowkeys ru4 &
    loadkeys -q windowkeys ru4 &
    loadkeys -q windowkeys ru4 &
    loadkeys -q windowkeys ru4 &

    loadkeys -q windowkeys ru4 &
    loadkeys -q windowkeys ru4 &
    loadkeys -q windowkeys ru4 &
    loadkeys -q windowkeys ru4 &
    wait

The change adds lock on write path only. Reads are still racy.

CC: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
CC: Jiri Slaby <jslaby@suse.com>
Link: https://lkml.org/lkml/2019/2/17/256
Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/tty/vt/keyboard.c |   33 +++++++++++++++++++++++++++------
 1 file changed, 27 insertions(+), 6 deletions(-)

--- a/drivers/tty/vt/keyboard.c
+++ b/drivers/tty/vt/keyboard.c
@@ -121,6 +121,7 @@ static const int NR_TYPES = ARRAY_SIZE(m
 static struct input_handler kbd_handler;
 static DEFINE_SPINLOCK(kbd_event_lock);
 static DEFINE_SPINLOCK(led_lock);
+static DEFINE_SPINLOCK(func_buf_lock); /* guard 'func_buf'  and friends */
 static unsigned long key_down[BITS_TO_LONGS(KEY_CNT)];	/* keyboard key bitmap */
 static unsigned char shift_down[NR_SHIFT];		/* shift state counters.. */
 static bool dead_key_next;
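
Review bot: the lock comment says it guards `func_buf` and friends, but per the commit message only the KDSKBSENT write path takes it and the KDGKBSENT readers stay unlocked; say that at the declaration ("writers only; readers in vt_do_kdgkb_ioctl() are still racy") so the partial coverage is visible here and not rediscovered as a bug later. Nit: double space in "'func_buf'  and friends".
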
@@ -1969,11 +1970,12 @@ int vt_do_kdgkb_ioctl(int cmd, struct kb
 	char *p;
 	u_char *q;
 	u_char __user *up;
-	int sz;
+	int sz, fnw_sz;
 	int delta;
 	char *first_free, *fj, *fnw;
 	int i, j, k;
 	int ret;
+	unsigned long flags;
 
 	if (!capable(CAP_SYS_TTY_CONFIG))
 		perm = 0;
@@ -2016,7 +2018,14 @@ int vt_do_kdgkb_ioctl(int cmd, struct kb
 			goto reterr;
 		}
 
+		fnw = NULL;
+		fnw_sz = 0;
+		/* race aginst other writers */
+		again:
+		spin_lock_irqsave(&func_buf_lock, flags);
 		q = func_table[i];
+
+		/* fj pointer to next entry after 'q' */
 		first_free = funcbufptr + (funcbufsize - funcbufleft);
 		for (j = i+1; j < MAX_NR_FUNC && !func_table[j]; j++)
 			;
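
Review bot: the `again:` label is indented with a tab; kernel style puts labels in the first column (checkpatch flags this), and "aginst" in the comment above it should read "against". More substantively, the lock is taken here but the retry path further down drops it before `kmalloc(GFP_KERNEL)` and jumps back, so everything computed between `again:` and the allocation (`q`, `first_free`, the `j` loop, `fj`, `delta`) is recomputed on the second pass; that is the right design, but a comment at the label saying "all buffer bookkeeping is recomputed after a retry, do not hoist anything above this point" would protect the invariant.
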
@@ -2024,10 +2033,12 @@ int vt_do_kdgkb_ioctl(int cmd, struct kb
 			fj = func_table[j];
 		else
 			fj = first_free;
-
+		/* buffer usage increase by new entry */
 		delta = (q ? -strlen(q) : 1) + strlen(kbs->kb_string);
+
 		if (delta <= funcbufleft) { 	/* it fits in current buf */
 		    if (j < MAX_NR_FUNC) {
+			/* make enough space for new entry at 'fj' */
 			memmove(fj + delta, fj, first_free - fj);
 			for (k = j; k < MAX_NR_FUNC; k++)
 			    if (func_table[k])
@@ -2040,20 +2051,28 @@ int vt_do_kdgkb_ioctl(int cmd, struct kb
 		    sz = 256;
 		    while (sz < funcbufsize - funcbufleft + delta)
 		      sz <<= 1;
-		    fnw = kmalloc(sz, GFP_KERNEL);
-		    if(!fnw) {
-		      ret = -ENOMEM;
-		      goto reterr;
+		    if (fnw_sz != sz) {
+		      spin_unlock_irqrestore(&func_buf_lock, flags);
+		      kfree(fnw);
+		      fnw = kmalloc(sz, GFP_KERNEL);
+		      fnw_sz = sz;
+		      if (!fnw) {
+			ret = -ENOMEM;
+			goto reterr;
+		      }
+		      goto again;
 		    }
 
 		    if (!q)
 		      func_table[i] = fj;
+		    /* copy data before insertion point to new location */
 		    if (fj > funcbufptr)
 			memmove(fnw, funcbufptr, fj - funcbufptr);
 		    for (k = 0; k < j; k++)
 		      if (func_table[k])
 			func_table[k] = fnw + (func_table[k] - funcbufptr);
 
+		    /* copy data after insertion point to new location */
 		    if (first_free > fj) {
 			memmove(fnw + (fj - funcbufptr) + delta, fj, first_free - fj);
 			for (k = j; k < MAX_NR_FUNC; k++)
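
Review bot: possible leak on the retry path: `fnw` is allocated with the lock dropped and `goto again` re-evaluates `delta <= funcbufleft`; if another writer grew the buffer in between, the "it fits in current buf" branch is taken and `fnw` is never freed, since that branch does not reference it. Either `kfree(fnw)` at the top of the fits branch, or after the if/else free it only when it was not adopted as the new `funcbufptr` (the adoption happens in the lines after this hunk). Also `fnw_sz = sz` is assigned before the `!fnw` check; harmless because the `-ENOMEM` path returns, but swapping the two lines makes that obvious.
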
@@ -2066,7 +2085,9 @@ int vt_do_kdgkb_ioctl(int cmd, struct kb
 		    funcbufleft = funcbufleft - delta + sz - funcbufsize;
 		    funcbufsize = sz;
 		}
+		/* finally insert item itself */
 		strcpy(func_table[i], kbs->kb_string);
+		spin_unlock_irqrestore(&func_buf_lock, flags);
 		break;
 	}
 	ret = 0;
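
Review bot: `strcpy(func_table[i], kbs->kb_string)` is the write that publishes the entry and it is now under `func_buf_lock`, which is correct only because `delta` was computed from `strlen(kbs->kb_string)` under the same lock hold in this pass, so the space made by the memmoves matches what strcpy writes. Worth a comment on the strcpy line, because an unbounded strcpy into a buffer sized by an earlier calculation is exactly what a future reader will "fix" with strncpy and break.
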




* [PATCH 4.4 016/241] ext4: actually request zeroing of inode table after grow
From: Greg Kroah-Hartman @ 2019-06-09 16:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kirill Tkhai, Theodore Tso, Jan Kara, stable

From: Kirill Tkhai <ktkhai@virtuozzo.com>

commit 310a997fd74de778b9a4848a64be9cda9f18764a upstream.

It is never possible that the number of block groups decreases,
since only online grow is supported.

But after a grow has occurred, we have to zero the inode tables
of the newly created block groups.

Fixes: 19c5246d2516 ("ext4: add new online resize interface")
Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Jan Kara <jack@suse.cz>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/ext4/ioctl.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/ext4/ioctl.c
+++ b/fs/ext4/ioctl.c
@@ -577,7 +577,7 @@ group_add_out:
 		if (err == 0)
 			err = err2;
 		mnt_drop_write_file(filp);
-		if (!err && (o_group > EXT4_SB(sb)->s_groups_count) &&
+		if (!err && (o_group < EXT4_SB(sb)->s_groups_count) &&
 		    ext4_has_group_desc_csum(sb) &&
 		    test_opt(sb, INIT_INODE_TABLE))
 			err = ext4_register_li_request(sb, o_group);
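
Review bot: `o_group` is the group count captured before the resize, so `o_group < EXT4_SB(sb)->s_groups_count` is the "groups were added" test and `ext4_register_li_request(sb, o_group)` starts lazy init at the first new group; given that the inverted comparison survived since the commit named in the Fixes: tag, add a short comment above the condition stating exactly that, so the direction is not flipped back by a later "cleanup". `s_groups_count` is also read here without the resize lock, which is fine for a one-shot check after the resize has returned but belongs in the same comment.
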




* [PATCH 4.4 017/241] ext4: fix ext4_show_options for file systems w/o journal
From: Greg Kroah-Hartman @ 2019-06-09 16:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Debabrata Banerjee, Theodore Tso,
	Jan Kara, stable

From: Debabrata Banerjee <dbanerje@akamai.com>

commit 50b29d8f033a7c88c5bc011abc2068b1691ab755 upstream.

Instead of removing EXT4_MOUNT_JOURNAL_CHECKSUM from s_def_mount_opt, as
I assume was intended, all other options were blown away, leading to
_ext4_show_options() output being incorrect.

Fixes: 1e381f60dad9 ("ext4: do not allow journal_opts for fs w/o journal")
Signed-off-by: Debabrata Banerjee <dbanerje@akamai.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Jan Kara <jack@suse.cz>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/ext4/super.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -3867,7 +3867,7 @@ static int ext4_fill_super(struct super_
 				 "data=, fs mounted w/o journal");
 			goto failed_mount_wq;
 		}
-		sbi->s_def_mount_opt &= EXT4_MOUNT_JOURNAL_CHECKSUM;
+		sbi->s_def_mount_opt &= ~EXT4_MOUNT_JOURNAL_CHECKSUM;
 		clear_opt(sb, JOURNAL_CHECKSUM);
 		clear_opt(sb, DATA_FLAGS);
 		sbi->s_journal = NULL;
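Review bot: the missing `~` meant the AND cleared every default-option bit except EXT4_MOUNT_JOURNAL_CHECKSUM, the opposite of the intent; `&= ~EXT4_MOUNT_JOURNAL_CHECKSUM` is the correct mask. Since clear_opt() on the next line performs the same operation on s_mount_opt, a matching helper for s_def_mount_opt would make this class of mistake harder to repeat.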




* [PATCH 4.4 018/241] Btrfs: do not start a transaction at iterate_extent_inodes()
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (16 preceding siblings ...)
  2019-06-09 16:39 ` [PATCH 4.4 017/241] ext4: fix ext4_show_options for file systems w/o journal Greg Kroah-Hartman
@ 2019-06-09 16:39 ` Greg Kroah-Hartman
  2019-06-09 16:39 ` [PATCH 4.4 019/241] bcache: fix a race between cache register and cacheset unregister Greg Kroah-Hartman
                   ` (227 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Zygo Blaxell, Filipe Manana, David Sterba

From: Filipe Manana <fdmanana@suse.com>

commit bfc61c36260ca990937539cd648ede3cd749bc10 upstream.

When finding out which inodes have references on a particular extent, done
by backref.c:iterate_extent_inodes(), from the BTRFS_IOC_LOGICAL_INO (both
v1 and v2) ioctl and from scrub, we use the transaction join API to grab a
reference on the currently running transaction, since in order to give
accurate results we need to inspect the delayed references of the currently
running transaction.

However, if there is currently no running transaction, the join operation
will create a new transaction. This is inefficient as the transaction will
eventually be committed, doing unnecessary IO and introducing a potential
point of failure that will lead to a transaction abort due to -ENOSPC, as
recently reported [1].

That's because the join creates the transaction but does not reserve any
space, so when attempting to update the root item of the root passed to
btrfs_join_transaction(), during the transaction commit, we can end up
failing with -ENOSPC. Users of a join operation are supposed to actually
do some filesystem changes and reserve space by some means, which is not
the case for iterate_extent_inodes(); it is a read-only operation for all
contexts from which it is called.

The reported [1] -ENOSPC failure stack trace is the following:

 heisenberg kernel: ------------[ cut here ]------------
 heisenberg kernel: BTRFS: Transaction aborted (error -28)
 heisenberg kernel: WARNING: CPU: 0 PID: 7137 at fs/btrfs/root-tree.c:136 btrfs_update_root+0x22b/0x320 [btrfs]
(...)
 heisenberg kernel: CPU: 0 PID: 7137 Comm: btrfs-transacti Not tainted 4.19.0-4-amd64 #1 Debian 4.19.28-2
 heisenberg kernel: Hardware name: FUJITSU LIFEBOOK U757/FJNB2A5, BIOS Version 1.21 03/19/2018
 heisenberg kernel: RIP: 0010:btrfs_update_root+0x22b/0x320 [btrfs]
(...)
 heisenberg kernel: RSP: 0018:ffffb5448828bd40 EFLAGS: 00010286
 heisenberg kernel: RAX: 0000000000000000 RBX: ffff8ed56bccef50 RCX: 0000000000000006
 heisenberg kernel: RDX: 0000000000000007 RSI: 0000000000000092 RDI: ffff8ed6bda166a0
 heisenberg kernel: RBP: 00000000ffffffe4 R08: 00000000000003df R09: 0000000000000007
 heisenberg kernel: R10: 0000000000000000 R11: 0000000000000001 R12: ffff8ed63396a078
 heisenberg kernel: R13: ffff8ed092d7c800 R14: ffff8ed64f5db028 R15: ffff8ed6bd03d068
 heisenberg kernel: FS:  0000000000000000(0000) GS:ffff8ed6bda00000(0000) knlGS:0000000000000000
 heisenberg kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 heisenberg kernel: CR2: 00007f46f75f8000 CR3: 0000000310a0a002 CR4: 00000000003606f0
 heisenberg kernel: DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 heisenberg kernel: DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
 heisenberg kernel: Call Trace:
 heisenberg kernel:  commit_fs_roots+0x166/0x1d0 [btrfs]
 heisenberg kernel:  ? _cond_resched+0x15/0x30
 heisenberg kernel:  ? btrfs_run_delayed_refs+0xac/0x180 [btrfs]
 heisenberg kernel:  btrfs_commit_transaction+0x2bd/0x870 [btrfs]
 heisenberg kernel:  ? start_transaction+0x9d/0x3f0 [btrfs]
 heisenberg kernel:  transaction_kthread+0x147/0x180 [btrfs]
 heisenberg kernel:  ? btrfs_cleanup_transaction+0x530/0x530 [btrfs]
 heisenberg kernel:  kthread+0x112/0x130
 heisenberg kernel:  ? kthread_bind+0x30/0x30
 heisenberg kernel:  ret_from_fork+0x35/0x40
 heisenberg kernel: ---[ end trace 05de912e30e012d9 ]---

So fix that by using the attach API, which does not create a transaction
when there is currently no running transaction.

[1] https://lore.kernel.org/linux-btrfs/b2a668d7124f1d3e410367f587926f622b3f03a4.camel@scientia.net/

Reported-by: Zygo Blaxell <ce3g8jdj@umail.furryterror.org>
CC: stable@vger.kernel.org # 4.4+
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/btrfs/backref.c |   18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

--- a/fs/btrfs/backref.c
+++ b/fs/btrfs/backref.c
@@ -1685,13 +1685,19 @@ int iterate_extent_inodes(struct btrfs_f
 			extent_item_objectid);
 
 	if (!search_commit_root) {
-		trans = btrfs_join_transaction(fs_info->extent_root);
-		if (IS_ERR(trans))
-			return PTR_ERR(trans);
+		trans = btrfs_attach_transaction(fs_info->extent_root);
+		if (IS_ERR(trans)) {
+			if (PTR_ERR(trans) != -ENOENT &&
+			    PTR_ERR(trans) != -EROFS)
+				return PTR_ERR(trans);
+			trans = NULL;
+		}
+	}
+
+	if (trans)
 		btrfs_get_tree_mod_seq(fs_info, &tree_mod_seq_elem);
-	} else {
+	else
 		down_read(&fs_info->commit_root_sem);
-	}
 
 	ret = btrfs_find_all_leafs(trans, fs_info, extent_item_objectid,
 				   tree_mod_seq_elem.seq, &refs,
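Review bot: when btrfs_attach_transaction() returns -ENOENT (no running transaction) or -EROFS, `trans` is set to NULL and control falls through to `down_read(&fs_info->commit_root_sem)`, so the lookup proceeds on the commit root even though search_commit_root was false; that is the intended behaviour, but a comment at `trans = NULL;` saying so would help the next reader. Note also that `tree_mod_seq_elem.seq` is still passed to btrfs_find_all_leafs() when trans is NULL, which relies on the element being initialised at its declaration outside this hunk.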
@@ -1721,7 +1727,7 @@ int iterate_extent_inodes(struct btrfs_f
 
 	free_leaf_list(refs);
 out:
-	if (!search_commit_root) {
+	if (trans) {
 		btrfs_put_tree_mod_seq(fs_info, &tree_mod_seq_elem);
 		btrfs_end_transaction(trans, fs_info->extent_root);
 	} else {
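Review bot: switching the cleanup condition from `!search_commit_root` to `trans` keeps it symmetric with the acquire side in the previous hunk, so the `else` branch's release now also covers the attach-failed case; worth confirming that `trans` is initialised to NULL at its declaration (outside the hunk), since any `goto out` taken before the attach would otherwise reach btrfs_end_transaction() with an uninitialised pointer.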




* [PATCH 4.4 019/241] bcache: fix a race between cache register and cacheset unregister
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (17 preceding siblings ...)
  2019-06-09 16:39 ` [PATCH 4.4 018/241] Btrfs: do not start a transaction at iterate_extent_inodes() Greg Kroah-Hartman
@ 2019-06-09 16:39 ` Greg Kroah-Hartman
  2019-06-09 16:39 ` [PATCH 4.4 020/241] bcache: never set KEY_PTRS of journal key to 0 in journal_reclaim() Greg Kroah-Hartman
                   ` (226 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Liang Chen, Coly Li, Jens Axboe

From: Liang Chen <liangchen.linux@gmail.com>

commit a4b732a248d12cbdb46999daf0bf288c011335eb upstream.

There is a race between cache device register and cache set unregister.
For an already registered cache device, register_bcache will call
bch_is_open to iterate through all cachesets and check every cache
there. The race occurs if cache_set_free executes at the same time and
clears the caches right before ca is dereferenced in bch_is_open_cache.
To close the race, let's make sure the clean up work is protected by
the bch_register_lock as well.

This issue can be reproduced as follows:
while true; do echo /dev/XXX> /sys/fs/bcache/register ; done&
while true; do echo 1> /sys/block/XXX/bcache/set/unregister ; done &

and results in the following oops:

[  +0.000053] BUG: unable to handle kernel NULL pointer dereference at 0000000000000998
[  +0.000457] #PF error: [normal kernel read fault]
[  +0.000464] PGD 800000003ca9d067 P4D 800000003ca9d067 PUD 3ca9c067 PMD 0
[  +0.000388] Oops: 0000 [#1] SMP PTI
[  +0.000269] CPU: 1 PID: 3266 Comm: bash Not tainted 5.0.0+ #6
[  +0.000346] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.fc28 04/01/2014
[  +0.000472] RIP: 0010:register_bcache+0x1829/0x1990 [bcache]
[  +0.000344] Code: b0 48 83 e8 50 48 81 fa e0 e1 10 c0 0f 84 a9 00 00 00 48 89 c6 48 89 ca 0f b7 ba 54 04 00 00 4c 8b 82 60 0c 00 00 85 ff 74 2f <49> 3b a8 98 09 00 00 74 4e 44 8d 47 ff 31 ff 49 c1 e0 03 eb 0d
[  +0.000839] RSP: 0018:ffff92ee804cbd88 EFLAGS: 00010202
[  +0.000328] RAX: ffffffffc010e190 RBX: ffff918b5c6b5000 RCX: ffff918b7d8e0000
[  +0.000399] RDX: ffff918b7d8e0000 RSI: ffffffffc010e190 RDI: 0000000000000001
[  +0.000398] RBP: ffff918b7d318340 R08: 0000000000000000 R09: ffffffffb9bd2d7a
[  +0.000385] R10: ffff918b7eb253c0 R11: ffffb95980f51200 R12: ffffffffc010e1a0
[  +0.000411] R13: fffffffffffffff2 R14: 000000000000000b R15: ffff918b7e232620
[  +0.000384] FS:  00007f955bec2740(0000) GS:ffff918b7eb00000(0000) knlGS:0000000000000000
[  +0.000420] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  +0.000801] CR2: 0000000000000998 CR3: 000000003cad6000 CR4: 00000000001406e0
[  +0.000837] Call Trace:
[  +0.000682]  ? _cond_resched+0x10/0x20
[  +0.000691]  ? __kmalloc+0x131/0x1b0
[  +0.000710]  kernfs_fop_write+0xfa/0x170
[  +0.000733]  __vfs_write+0x2e/0x190
[  +0.000688]  ? inode_security+0x10/0x30
[  +0.000698]  ? selinux_file_permission+0xd2/0x120
[  +0.000752]  ? security_file_permission+0x2b/0x100
[  +0.000753]  vfs_write+0xa8/0x1a0
[  +0.000676]  ksys_write+0x4d/0xb0
[  +0.000699]  do_syscall_64+0x3a/0xf0
[  +0.000692]  entry_SYSCALL_64_after_hwframe+0x44/0xa9

Signed-off-by: Liang Chen <liangchen.linux@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Coly Li <colyli@suse.de>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/md/bcache/super.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/md/bcache/super.c
+++ b/drivers/md/bcache/super.c
@@ -1355,6 +1355,7 @@ static void cache_set_free(struct closur
 	bch_btree_cache_free(c);
 	bch_journal_free(c);
 
+	mutex_lock(&bch_register_lock);
 	for_each_cache(ca, c, i)
 		if (ca) {
 			ca->set = NULL;
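Review bot: taking bch_register_lock before the for_each_cache() loop widens the critical section to cover the whole cache teardown, so nothing in the loop body (the `ca->set = NULL` and whatever follows it outside the hunk) may sleep waiting on, or re-acquire, bch_register_lock, or this will deadlock; the lock also must not be dropped on any early-exit path between here and the mutex_unlock() in the next hunk. Worth confirming against the full function.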
@@ -1377,7 +1378,6 @@ static void cache_set_free(struct closur
 		mempool_destroy(c->search);
 	kfree(c->devices);
 
-	mutex_lock(&bch_register_lock);
 	list_del(&c->list);
 	mutex_unlock(&bch_register_lock);
 
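Review bot: removing the lock here pairs the existing mutex_unlock() with the lock now taken earlier, so list_del() stays protected and the caches are cleared under the same lock that register_bcache() holds while walking them; a comment at the lock site naming bch_is_open_cache() as the reader being protected would document the invariant this change enforces.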




* [PATCH 4.4 020/241] bcache: never set KEY_PTRS of journal key to 0 in journal_reclaim()
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (18 preceding siblings ...)
  2019-06-09 16:39 ` [PATCH 4.4 019/241] bcache: fix a race between cache register and cacheset unregister Greg Kroah-Hartman
@ 2019-06-09 16:39 ` Greg Kroah-Hartman
  2019-06-09 16:39 ` [PATCH 4.4 021/241] ipmi:ssif: compare block number correctly for multi-part return messages Greg Kroah-Hartman
                   ` (225 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Coly Li, Hannes Reinecke, Jens Axboe

From: Coly Li <colyli@suse.de>

commit 1bee2addc0c8470c8aaa65ef0599eeae96dd88bc upstream.

In journal_reclaim() ja->cur_idx of each cache will be updated to
reclaim available journal buckets. Variable 'int n' is used to count how
many caches are successfully reclaimed, then n is set to c->journal.key
by SET_KEY_PTRS(). Later in journal_write_unlocked(), a for_each_cache()
loop will write the jset data onto each cache.

The problem is, if all journal buckets on each cache are full, the
following code in journal_reclaim(),

529 for_each_cache(ca, c, iter) {
530       struct journal_device *ja = &ca->journal;
531       unsigned int next = (ja->cur_idx + 1) % ca->sb.njournal_buckets;
532
533       /* No space available on this device */
534       if (next == ja->discard_idx)
535               continue;
536
537       ja->cur_idx = next;
538       k->ptr[n++] = MAKE_PTR(0,
539                         bucket_to_sector(c, ca->sb.d[ja->cur_idx]),
540                         ca->sb.nr_this_dev);
541 }
542
543 bkey_init(k);
544 SET_KEY_PTRS(k, n);

If there is no available bucket to reclaim, the if() condition at line
534 will always be true, and n remains 0. Then at line 544, SET_KEY_PTRS()
will set the KEY_PTRS field of c->journal.key to 0.

Setting the KEY_PTRS field of c->journal.key to 0 is wrong, because in
journal_write_unlocked() the journal data is written in the following loop,

649	for (i = 0; i < KEY_PTRS(k); i++) {
650-671		submit journal data to cache device
672	}

If the KEY_PTRS field is set to 0 in journal_reclaim(), the journal data
won't be written to the cache device here. If the system crashed or rebooted
before the bkeys of the lost journal entries were written into btree nodes,
data corruption will be reported during bcache reload after rebooting the
system.

Indeed, as there is only one cache in a cache set, there is no need to set
the KEY_PTRS field in journal_reclaim() at all. But in order to keep the
for_each_cache() logic consistent for now, this patch fixes the above
problem by not setting KEY_PTRS of the journal key to 0 if there is no
bucket available to reclaim.

Signed-off-by: Coly Li <colyli@suse.de>
Reviewed-by: Hannes Reinecke <hare@suse.com>
Cc: stable@vger.kernel.org
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/md/bcache/journal.c |   11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

--- a/drivers/md/bcache/journal.c
+++ b/drivers/md/bcache/journal.c
@@ -513,11 +513,11 @@ static void journal_reclaim(struct cache
 				  ca->sb.nr_this_dev);
 	}
 
-	bkey_init(k);
-	SET_KEY_PTRS(k, n);
-
-	if (n)
+	if (n) {
+		bkey_init(k);
+		SET_KEY_PTRS(k, n);
 		c->journal.blocks_free = c->sb.bucket_size >> c->block_bits;
+	}
 out:
 	if (!journal_full(&c->journal))
 		__closure_wake_up(&c->journal.wait);
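Review bot: moving bkey_init()/SET_KEY_PTRS() under `if (n)` means that when no bucket can be reclaimed the journal key keeps its previous pointers instead of being reset to zero pointers, which is the intent; a short comment at `if (n) {` explaining that a zero KEY_PTRS would make journal_write_unlocked() skip the write entirely would save the next reader a trip to the commit message.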
@@ -641,6 +641,9 @@ static void journal_write_unlocked(struc
 		ca->journal.seq[ca->journal.cur_idx] = w->data->seq;
 	}
 
+	/* If KEY_PTRS(k) == 0, this jset gets lost in air */
+	BUG_ON(i == 0);
+
 	atomic_dec_bug(&fifo_back(&c->journal.pin));
 	bch_journal_next(&c->journal);
 	journal_reclaim(c);
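Review bot: `BUG_ON(i == 0)` turns a zero-pointer journal key into a kernel panic in the write path; the first hunk already closes the known way to reach it, so a WARN_ON_ONCE() plus an error path would keep the diagnostic without taking the machine down. The check also depends on `i` still being the counter of the preceding `for (i = 0; i < KEY_PTRS(k); i++)` loop and not being reused between that loop and this line.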




* [PATCH 4.4 021/241] ipmi:ssif: compare block number correctly for multi-part return messages
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (19 preceding siblings ...)
  2019-06-09 16:39 ` [PATCH 4.4 020/241] bcache: never set KEY_PTRS of journal key to 0 in journal_reclaim() Greg Kroah-Hartman
@ 2019-06-09 16:39 ` Greg Kroah-Hartman
  2019-06-09 16:39 ` [PATCH 4.4 022/241] crypto: gcm - Fix error return code in crypto_gcm_create_common() Greg Kroah-Hartman
                   ` (224 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kiran Kolukuluru, Kamlakant Patel,
	Corey Minyard

From: Kamlakant Patel <kamlakantp@marvell.com>

commit 55be8658c7e2feb11a5b5b33ee031791dbd23a69 upstream.

According to the IPMI spec, the block number is a number that is incremented,
starting with 0, for each new block of message data returned using the
middle transaction.

Here, 'blocknum' is data[0], which always starts from zero (0), and
'ssif_info->multi_pos' starts from 1.
So, we need to add +1 to blocknum while comparing with multi_pos.

Fixes: 7d6380cd40f79 ("ipmi:ssif: Fix handling of multi-part return messages").
Reported-by: Kiran Kolukuluru <kirank@ami.com>
Signed-off-by: Kamlakant Patel <kamlakantp@marvell.com>
Message-Id: <1556106615-18722-1-git-send-email-kamlakantp@marvell.com>
[Also added a debug log if the block numbers don't match.]
Signed-off-by: Corey Minyard <cminyard@mvista.com>
Cc: stable@vger.kernel.org # 4.4
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/char/ipmi/ipmi_ssif.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/char/ipmi/ipmi_ssif.c
+++ b/drivers/char/ipmi/ipmi_ssif.c
@@ -695,12 +695,16 @@ static void msg_done_handler(struct ssif
 			/* End of read */
 			len = ssif_info->multi_len;
 			data = ssif_info->data;
-		} else if (blocknum != ssif_info->multi_pos) {
+		} else if (blocknum + 1 != ssif_info->multi_pos) {
 			/*
 			 * Out of sequence block, just abort.  Block
 			 * numbers start at zero for the second block,
 			 * but multi_pos starts at one, so the +1.
 			 */
+			if (ssif_info->ssif_debug & SSIF_DEBUG_MSG)
+				dev_dbg(&ssif_info->client->dev,
+					"Received message out of sequence, expected %u, got %u\n",
+					ssif_info->multi_pos - 1, blocknum);
 			result = -EIO;
 		} else {
 			ssif_inc_stat(ssif_info, received_message_parts);
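Review bot: `blocknum + 1 != ssif_info->multi_pos` finally matches the comment directly below it; the new dev_dbg() prints `multi_pos - 1` as the expected value and `blocknum` as the received one, both with %u, so `blocknum` and `multi_pos` should be unsigned types (or be cast) to avoid format warnings, and because multi_pos starts at one the subtraction cannot wrap here.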




* [PATCH 4.4 022/241] crypto: gcm - Fix error return code in crypto_gcm_create_common()
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (20 preceding siblings ...)
  2019-06-09 16:39 ` [PATCH 4.4 021/241] ipmi:ssif: compare block number correctly for multi-part return messages Greg Kroah-Hartman
@ 2019-06-09 16:39 ` Greg Kroah-Hartman
  2019-06-09 16:39 ` [PATCH 4.4 023/241] crypto: gcm - fix incompatibility between "gcm" and "gcm_base" Greg Kroah-Hartman
                   ` (223 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Wei Yongjun, Herbert Xu, Eric Biggers

From: Wei Yongjun <weiyongjun1@huawei.com>

commit 9b40f79c08e81234d759f188b233980d7e81df6c upstream.

Fix to return error code -EINVAL from the invalid alg ivsize error
handling case instead of 0, as done elsewhere in this function.

Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 crypto/gcm.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/crypto/gcm.c
+++ b/crypto/gcm.c
@@ -670,11 +670,11 @@ static int crypto_gcm_create_common(stru
 	ctr = crypto_skcipher_spawn_alg(&ctx->ctr);
 
 	/* We only support 16-byte blocks. */
+	err = -EINVAL;
 	if (ctr->cra_ablkcipher.ivsize != 16)
 		goto out_put_ctr;
 
 	/* Not a stream cipher? */
-	err = -EINVAL;
 	if (ctr->cra_blocksize != 1)
 		goto out_put_ctr;
 
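Review bot: before this move, `err` on the ivsize path still held the 0 returned by the preceding crypto_grab_skcipher() call, so an unsupported IV size jumped to out_put_ctr and reported success with a half-initialised instance; placing `err = -EINVAL;` ahead of both checks is the right fix, and the second assignment becomes redundant, hence its removal.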




* [PATCH 4.4 023/241] crypto: gcm - fix incompatibility between "gcm" and "gcm_base"
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (21 preceding siblings ...)
  2019-06-09 16:39 ` [PATCH 4.4 022/241] crypto: gcm - Fix error return code in crypto_gcm_create_common() Greg Kroah-Hartman
@ 2019-06-09 16:39 ` Greg Kroah-Hartman
  2019-06-09 16:39 ` [PATCH 4.4 024/241] crypto: chacha20poly1305 - set cra_name correctly Greg Kroah-Hartman
                   ` (222 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Eric Biggers, Herbert Xu

From: Eric Biggers <ebiggers@google.com>

commit f699594d436960160f6d5ba84ed4a222f20d11cd upstream.

GCM instances can be created by either the "gcm" template, which only
allows choosing the block cipher, e.g. "gcm(aes)"; or by "gcm_base",
which allows choosing the ctr and ghash implementations, e.g.
"gcm_base(ctr(aes-generic),ghash-generic)".

However, a "gcm_base" instance prevents a "gcm" instance from being
registered using the same implementations.  Nor will the instance be
found by lookups of "gcm".  This can be used as a denial of service.
Moreover, "gcm_base" instances are never tested by the crypto
self-tests, even if there are compatible "gcm" tests.

The root cause of these problems is that instances of the two templates
use different cra_names.  Therefore, fix these problems by making
"gcm_base" instances set the same cra_name as "gcm" instances, e.g.
"gcm(aes)" instead of "gcm_base(ctr(aes-generic),ghash-generic)".

This requires extracting the block cipher name from the name of the ctr
algorithm.  It also requires starting to verify that the algorithms are
really ctr and ghash, not something else entirely.  But it would be
bizarre if anyone were actually using non-gcm-compatible algorithms with
gcm_base, so this shouldn't break anyone in practice.

Fixes: d00aa19b507b ("[CRYPTO] gcm: Allow block cipher parameter")
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>


---
 crypto/gcm.c |   34 +++++++++++-----------------------
 1 file changed, 11 insertions(+), 23 deletions(-)

--- a/crypto/gcm.c
+++ b/crypto/gcm.c
@@ -616,7 +616,6 @@ static void crypto_gcm_free(struct aead_
 
 static int crypto_gcm_create_common(struct crypto_template *tmpl,
 				    struct rtattr **tb,
-				    const char *full_name,
 				    const char *ctr_name,
 				    const char *ghash_name)
 {
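Review bot: dropping the full_name parameter changes the signature of crypto_gcm_create_common(); both callers in this file are adjusted in later hunks of this patch, but the stable backport should be checked for any other caller in the 4.4 tree that still passes the old argument list.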
@@ -657,7 +656,8 @@ static int crypto_gcm_create_common(stru
 		goto err_free_inst;
 
 	err = -EINVAL;
-	if (ghash->digestsize != 16)
+	if (strcmp(ghash->base.cra_name, "ghash") != 0 ||
+	    ghash->digestsize != 16)
 		goto err_drop_ghash;
 
 	crypto_set_skcipher_spawn(&ctx->ctr, aead_crypto_instance(inst));
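Review bot: the new strcmp() compares cra_name, the generic name, so both ghash-generic and any accelerated ghash driver pass while an arbitrary hash with a 16-byte digest no longer does; keeping the digestsize check alongside it is reasonable belt-and-braces.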
@@ -669,24 +669,24 @@ static int crypto_gcm_create_common(stru
 
 	ctr = crypto_skcipher_spawn_alg(&ctx->ctr);
 
-	/* We only support 16-byte blocks. */
+	/* The skcipher algorithm must be CTR mode, using 16-byte blocks. */
 	err = -EINVAL;
-	if (ctr->cra_ablkcipher.ivsize != 16)
+	if (strncmp(ctr->cra_name, "ctr(", 4) != 0 ||
+	    ctr->cra_ablkcipher.ivsize != 16 ||
+	    ctr->cra_blocksize != 1)
 		goto out_put_ctr;
 
-	/* Not a stream cipher? */
-	if (ctr->cra_blocksize != 1)
+	err = -ENAMETOOLONG;
+	if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME,
+		     "gcm(%s", ctr->cra_name + 4) >= CRYPTO_MAX_ALG_NAME)
 		goto out_put_ctr;
 
-	err = -ENAMETOOLONG;
 	if (snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME,
 		     "gcm_base(%s,%s)", ctr->cra_driver_name,
 		     ghash_alg->cra_driver_name) >=
 	    CRYPTO_MAX_ALG_NAME)
 		goto out_put_ctr;
 
-	memcpy(inst->alg.base.cra_name, full_name, CRYPTO_MAX_ALG_NAME);
-
 	inst->alg.base.cra_flags = (ghash->base.cra_flags | ctr->cra_flags) &
 				   CRYPTO_ALG_ASYNC;
 	inst->alg.base.cra_priority = (ghash->base.cra_priority +
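Review bot: `"gcm(%s", ctr->cra_name + 4` relies on the ctr algorithm's cra_name being exactly `ctr(<cipher>)`, with the closing parenthesis coming from the tail of the ctr name; the strncmp() on `ctr(` guarantees the prefix but not the suffix, which is acceptable only because cra_names are generated by the crypto API rather than taken from the user, and a comment saying so would help. Note also that the context line `err = -EINVAL;` above the check comes from patch 022/241 of this series, so the two must be applied in order.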
@@ -727,7 +727,6 @@ static int crypto_gcm_create(struct cryp
 {
 	const char *cipher_name;
 	char ctr_name[CRYPTO_MAX_ALG_NAME];
-	char full_name[CRYPTO_MAX_ALG_NAME];
 
 	cipher_name = crypto_attr_alg_name(tb[1]);
 	if (IS_ERR(cipher_name))
@@ -737,12 +736,7 @@ static int crypto_gcm_create(struct cryp
 	    CRYPTO_MAX_ALG_NAME)
 		return -ENAMETOOLONG;
 
-	if (snprintf(full_name, CRYPTO_MAX_ALG_NAME, "gcm(%s)", cipher_name) >=
-	    CRYPTO_MAX_ALG_NAME)
-		return -ENAMETOOLONG;
-
-	return crypto_gcm_create_common(tmpl, tb, full_name,
-					ctr_name, "ghash");
+	return crypto_gcm_create_common(tmpl, tb, ctr_name, "ghash");
 }
 
 static struct crypto_template crypto_gcm_tmpl = {
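Review bot: with the gcm(%s) construction moved into the common function, this path keeps only the ctr_name length check; since "gcm(" and "ctr(" are the same length, a ctr_name that fits guarantees the derived cra_name fits too, so no -ENAMETOOLONG case is lost here.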
@@ -756,7 +750,6 @@ static int crypto_gcm_base_create(struct
 {
 	const char *ctr_name;
 	const char *ghash_name;
-	char full_name[CRYPTO_MAX_ALG_NAME];
 
 	ctr_name = crypto_attr_alg_name(tb[1]);
 	if (IS_ERR(ctr_name))
@@ -766,12 +759,7 @@ static int crypto_gcm_base_create(struct
 	if (IS_ERR(ghash_name))
 		return PTR_ERR(ghash_name);
 
-	if (snprintf(full_name, CRYPTO_MAX_ALG_NAME, "gcm_base(%s,%s)",
-		     ctr_name, ghash_name) >= CRYPTO_MAX_ALG_NAME)
-		return -ENAMETOOLONG;
-
-	return crypto_gcm_create_common(tmpl, tb, full_name,
-					ctr_name, ghash_name);
+	return crypto_gcm_create_common(tmpl, tb, ctr_name, ghash_name);
 }
 
 static struct crypto_template crypto_gcm_base_tmpl = {
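Review bot: removing the per-template gcm_base(%s,%s) length check is safe because the common function still bounds the driver name with the same CRYPTO_MAX_ALG_NAME limit; the user-chosen ctr_name and ghash_name are now validated only after resolution, which is what stops a gcm_base instance from shadowing the "gcm" name and closes the denial of service described in the commit message.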



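To make the renaming concrete, the following is an added stand-alone C example, not kernel code: it derives a gcm_base instance's cra_name and cra_driver_name from the resolved ctr and ghash algorithms the way the patched crypto_gcm_create_common() does. struct alg_names, the demo_* helpers and the sample algorithm names are constructed for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Same limit as the kernel's CRYPTO_MAX_ALG_NAME: 64 bytes including NUL. */
#define CRYPTO_MAX_ALG_NAME 64

/*
 * Hypothetical stand-in for the struct crypto_alg fields the hunk reads:
 * cra_name is the generic name ("ctr(aes)", "ghash"), cra_driver_name one
 * implementation of it ("ctr(aes-generic)", "ghash-generic").
 */
struct alg_names {
	const char *cra_name;
	const char *cra_driver_name;
	unsigned int ivsize;     /* cra_ablkcipher.ivsize (skcipher) */
	unsigned int blocksize;  /* cra_blocksize (skcipher) */
	unsigned int digestsize; /* hash only */
};

/*
 * Build both names of a gcm_base instance the way the patched
 * crypto_gcm_create_common() does.  cra_name is derived from the resolved
 * ctr algorithm's generic name ("ctr(aes)" -> "gcm(aes)"), so the instance
 * is found by lookups for "gcm(aes)" and cannot shadow a later "gcm(aes)"
 * registration; cra_driver_name still records the chosen implementations.
 * Returns 0, -EINVAL (wrong building blocks) or -ENAMETOOLONG.
 */
int gcm_instance_names(const struct alg_names *ctr,
		       const struct alg_names *ghash,
		       char cra_name[CRYPTO_MAX_ALG_NAME],
		       char cra_driver_name[CRYPTO_MAX_ALG_NAME])
{
	/* The hash must really be ghash with a 16-byte digest. */
	if (strcmp(ghash->cra_name, "ghash") != 0 || ghash->digestsize != 16)
		return -EINVAL;

	/* The skcipher must be CTR mode with a 16-byte IV and blocksize 1. */
	if (strncmp(ctr->cra_name, "ctr(", 4) != 0 ||
	    ctr->ivsize != 16 || ctr->blocksize != 1)
		return -EINVAL;

	/*
	 * "gcm(%s" has no closing parenthesis on purpose: it comes from the
	 * tail of the ctr name.  "gcm(" and "ctr(" have the same length, so
	 * a ctr name that fits always yields a gcm name that fits.
	 */
	if (snprintf(cra_name, CRYPTO_MAX_ALG_NAME, "gcm(%s",
		     ctr->cra_name + 4) >= CRYPTO_MAX_ALG_NAME)
		return -ENAMETOOLONG;

	/* The driver name can still overflow even when the generic name fits. */
	if (snprintf(cra_driver_name, CRYPTO_MAX_ALG_NAME, "gcm_base(%s,%s)",
		     ctr->cra_driver_name,
		     ghash->cra_driver_name) >= CRYPTO_MAX_ALG_NAME)
		return -ENAMETOOLONG;

	return 0;
}

/* Constructed inputs standing in for resolved algorithms (not from the page). */
static const struct alg_names ctr_aes_generic = {
	"ctr(aes)", "ctr(aes-generic)", 16, 1, 0 };
static const struct alg_names ghash_generic = {
	"ghash", "ghash-generic", 0, 0, 16 };
static const struct alg_names cbc_aes_generic = {
	"cbc(aes)", "cbc(aes-generic)", 16, 16, 0 };

/*
 * Names of gcm_base(ctr(aes-generic),ghash-generic): want_driver == 0
 * returns the generic cra_name ("gcm(aes)"), non-zero the driver name
 * ("gcm_base(ctr(aes-generic),ghash-generic)"); NULL on error.
 */
const char *demo_gcm_base_name(int want_driver)
{
	static char cra_name[CRYPTO_MAX_ALG_NAME];
	static char drv_name[CRYPTO_MAX_ALG_NAME];

	if (gcm_instance_names(&ctr_aes_generic, &ghash_generic,
			       cra_name, drv_name) != 0)
		return NULL;
	return want_driver ? drv_name : cra_name;
}

/* A non-CTR skcipher is refused instead of being named gcm_base(cbc(...)). */
int demo_reject_cbc(void)
{
	char cra_name[CRYPTO_MAX_ALG_NAME], drv_name[CRYPTO_MAX_ALG_NAME];

	return gcm_instance_names(&cbc_aes_generic, &ghash_generic,
				  cra_name, drv_name);	/* -EINVAL */
}
```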

* [PATCH 4.4 024/241] crypto: chacha20poly1305 - set cra_name correctly
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (22 preceding siblings ...)
  2019-06-09 16:39 ` [PATCH 4.4 023/241] crypto: gcm - fix incompatibility between "gcm" and "gcm_base" Greg Kroah-Hartman
@ 2019-06-09 16:39 ` Greg Kroah-Hartman
  2019-06-09 16:39 ` [PATCH 4.4 025/241] crypto: salsa20 - dont access already-freed walk.iv Greg Kroah-Hartman
                   ` (221 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Martin Willi, Eric Biggers, Herbert Xu

From: Eric Biggers <ebiggers@google.com>

commit 5e27f38f1f3f45a0c938299c3a34a2d2db77165a upstream.

If the rfc7539 template is instantiated with specific implementations,
e.g. "rfc7539(chacha20-generic,poly1305-generic)" rather than
"rfc7539(chacha20,poly1305)", then the implementation names end up
included in the instance's cra_name.  This is incorrect because it then
prevents all users from allocating "rfc7539(chacha20,poly1305)", if the
highest priority implementations of chacha20 and poly1305 were selected.
Also, the self-tests aren't run on an instance allocated in this way.

Fix it by setting the instance's cra_name from the underlying
algorithms' actual cra_names, rather than from the requested names.
This matches what other templates do.

Fixes: 71ebc4d1b27d ("crypto: chacha20poly1305 - Add a ChaCha20-Poly1305 AEAD construction, RFC7539")
Cc: <stable@vger.kernel.org> # v4.2+
Cc: Martin Willi <martin@strongswan.org>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Reviewed-by: Martin Willi <martin@strongswan.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>


---
 crypto/chacha20poly1305.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/crypto/chacha20poly1305.c
+++ b/crypto/chacha20poly1305.c
@@ -637,8 +637,8 @@ static int chachapoly_create(struct cryp
 
 	err = -ENAMETOOLONG;
 	if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME,
-		     "%s(%s,%s)", name, chacha_name,
-		     poly_name) >= CRYPTO_MAX_ALG_NAME)
+		     "%s(%s,%s)", name, chacha->cra_name,
+		     poly->cra_name) >= CRYPTO_MAX_ALG_NAME)
 		goto out_drop_chacha;
 	if (snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME,
 		     "%s(%s,%s)", name, chacha->cra_driver_name,
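Review bot: switching to chacha->cra_name / poly->cra_name makes the instance name depend on the resolved algorithms rather than the requested strings, mirroring the driver-name snprintf() below; unlike the gcm_base fix in this series, nothing in this hunk verifies that the resolved algorithms are actually chacha20 and poly1305, so an instance built from other building blocks would still be accepted and named after whatever was resolved. A follow-up strcmp() on the two cra_names would close that gap.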




* [PATCH 4.4 025/241] crypto: salsa20 - dont access already-freed walk.iv
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (23 preceding siblings ...)
  2019-06-09 16:39 ` [PATCH 4.4 024/241] crypto: chacha20poly1305 - set cra_name correctly Greg Kroah-Hartman
@ 2019-06-09 16:39 ` Greg Kroah-Hartman
  2019-06-09 16:39 ` [PATCH 4.4 026/241] crypto: arm/aes-neonbs " Greg Kroah-Hartman
                   ` (220 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Eric Biggers, Herbert Xu

From: Eric Biggers <ebiggers@google.com>

commit edaf28e996af69222b2cb40455dbb5459c2b875a upstream.

If the user-provided IV needs to be aligned to the algorithm's
alignmask, then skcipher_walk_virt() copies the IV into a new aligned
buffer walk.iv.  But skcipher_walk_virt() can fail afterwards, and then
if the caller unconditionally accesses walk.iv, it's a use-after-free.

salsa20-generic doesn't set an alignmask, so currently it isn't affected
by this despite unconditionally accessing walk.iv.  However this is more
subtle than desired, and it was actually broken prior to the alignmask
being removed by commit b62b3db76f73 ("crypto: salsa20-generic - cleanup
and convert to skcipher API").

Since salsa20-generic does not update the IV and does not need any IV
alignment, update it to use req->iv instead of walk.iv.

Fixes: 2407d60872dd ("[CRYPTO] salsa20: Salsa20 stream cipher")
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>


---
 crypto/salsa20_generic.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/crypto/salsa20_generic.c
+++ b/crypto/salsa20_generic.c
@@ -186,7 +186,7 @@ static int encrypt(struct blkcipher_desc
 	blkcipher_walk_init(&walk, dst, src, nbytes);
 	err = blkcipher_walk_virt_block(desc, &walk, 64);
 
-	salsa20_ivsetup(ctx, walk.iv);
+	salsa20_ivsetup(ctx, desc->info);
 
 	while (walk.nbytes >= 64) {
 		salsa20_encrypt_bytes(ctx, walk.dst.virt.addr,
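Review bot: the 4.4 driver still uses the blkcipher API, so the backport substitutes `desc->info` for upstream's `req->iv`; that is the equivalent field, but the commit message still speaks of skcipher_walk_virt() and req->iv, so a one-line backport note would help. The return value of blkcipher_walk_virt_block() is still not checked before salsa20_ivsetup(), which is now harmless because no walk-owned buffer is touched, but the loop below is then skipped only if a failed walk leaves walk.nbytes at 0, which is worth confirming.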




* [PATCH 4.4 026/241] crypto: arm/aes-neonbs - dont access already-freed walk.iv
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (24 preceding siblings ...)
  2019-06-09 16:39 ` [PATCH 4.4 025/241] crypto: salsa20 - dont access already-freed walk.iv Greg Kroah-Hartman
@ 2019-06-09 16:39 ` Greg Kroah-Hartman
  2019-06-09 16:39 ` [PATCH 4.4 027/241] writeback: synchronize sync(2) against cgroup writeback membership switches Greg Kroah-Hartman
                   ` (219 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Eric Biggers, Herbert Xu

From: Eric Biggers <ebiggers@google.com>

commit 767f015ea0b7ab9d60432ff6cd06b664fd71f50f upstream.

If the user-provided IV needs to be aligned to the algorithm's
alignmask, then skcipher_walk_virt() copies the IV into a new aligned
buffer walk.iv.  But skcipher_walk_virt() can fail afterwards, and then
if the caller unconditionally accesses walk.iv, it's a use-after-free.

arm32 xts-aes-neonbs doesn't set an alignmask, so currently it isn't
affected by this despite unconditionally accessing walk.iv.  However
this is more subtle than desired, and it was actually broken prior to
the alignmask being removed by commit cc477bf64573 ("crypto: arm/aes -
replace bit-sliced OpenSSL NEON code").  Thus, update xts-aes-neonbs to
start checking the return value of skcipher_walk_virt().

Fixes: e4e7f10bfc40 ("ARM: add support for bit sliced AES using NEON instructions")
Cc: <stable@vger.kernel.org> # v3.13+
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>


---
 arch/arm/crypto/aesbs-glue.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/arch/arm/crypto/aesbs-glue.c
+++ b/arch/arm/crypto/aesbs-glue.c
@@ -259,6 +259,8 @@ static int aesbs_xts_encrypt(struct blkc
 
 	blkcipher_walk_init(&walk, dst, src, nbytes);
 	err = blkcipher_walk_virt_block(desc, &walk, 8 * AES_BLOCK_SIZE);
+	if (err)
+		return err;
 
 	/* generate the initial tweak */
 	AES_encrypt(walk.iv, walk.iv, &ctx->twkey);
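Review bot: the early `return err` is correct because nothing between blkcipher_walk_init() and the first `walk.iv` access acquires a resource that would need releasing, but the commit message reasons about skcipher_walk_virt() while this 4.4 backport checks blkcipher_walk_virt_block(); a one-line comment above the check (for instance "walk.iv may point at a freed aligned copy when the walk fails") would tie the use-after-free reasoning to the AES_encrypt(walk.iv, ...) tweak generation two lines below, which is exactly the access being guarded.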
@@ -283,6 +285,8 @@ static int aesbs_xts_decrypt(struct blkc
 
 	blkcipher_walk_init(&walk, dst, src, nbytes);
 	err = blkcipher_walk_virt_block(desc, &walk, 8 * AES_BLOCK_SIZE);
+	if (err)
+		return err;
 
 	/* generate the initial tweak */
 	AES_encrypt(walk.iv, walk.iv, &ctx->twkey);
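Review bot: this is the identical check duplicated for the decrypt path; the walk setup and tweak generation prologue is the same in aesbs_xts_encrypt() and aesbs_xts_decrypt(), so a small shared helper that initialises the walk and returns the error would keep the two in sync and avoid a future fix landing in only one of them. The behaviour of the hunk itself is correct.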




* [PATCH 4.4 027/241] writeback: synchronize sync(2) against cgroup writeback membership switches
From: Greg Kroah-Hartman @ 2019-06-09 16:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tejun Heo, Jiufei Xue, Jan Kara, Jens Axboe

From: Tejun Heo <tj@kernel.org>

commit 7fc5854f8c6efae9e7624970ab49a1eac2faefb1 upstream.

sync_inodes_sb() can race against cgwb (cgroup writeback) membership
switches and fail to writeback some inodes.  For example, if an inode
switches to another wb while sync_inodes_sb() is in progress, the new
wb might not be visible to bdi_split_work_to_wbs() at all or the inode
might jump from a wb which hasn't issued writebacks yet to one which
already has.

This patch adds backing_dev_info->wb_switch_rwsem to synchronize cgwb
switch path against sync_inodes_sb() so that sync_inodes_sb() is
guaranteed to see all the target wbs and inodes can't jump wbs to
escape syncing.

v2: Fixed misplaced rwsem init.  Spotted by Jiufei.

Signed-off-by: Tejun Heo <tj@kernel.org>
Reported-by: Jiufei Xue <xuejiufei@gmail.com>
Link: http://lkml.kernel.org/r/dc694ae2-f07f-61e1-7097-7c8411cee12d@gmail.com
Acked-by: Jan Kara <jack@suse.cz>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/fs-writeback.c                |   40 +++++++++++++++++++++++++++++++++++++--
 include/linux/backing-dev-defs.h |    1 
 mm/backing-dev.c                 |    1 
 3 files changed, 40 insertions(+), 2 deletions(-)

--- a/fs/fs-writeback.c
+++ b/fs/fs-writeback.c
@@ -331,11 +331,22 @@ struct inode_switch_wbs_context {
 	struct work_struct	work;
 };
 
+static void bdi_down_write_wb_switch_rwsem(struct backing_dev_info *bdi)
+{
+	down_write(&bdi->wb_switch_rwsem);
+}
+
+static void bdi_up_write_wb_switch_rwsem(struct backing_dev_info *bdi)
+{
+	up_write(&bdi->wb_switch_rwsem);
+}
+
 static void inode_switch_wbs_work_fn(struct work_struct *work)
 {
 	struct inode_switch_wbs_context *isw =
 		container_of(work, struct inode_switch_wbs_context, work);
 	struct inode *inode = isw->inode;
+	struct backing_dev_info *bdi = inode_to_bdi(inode);
 	struct address_space *mapping = inode->i_mapping;
 	struct bdi_writeback *old_wb = inode->i_wb;
 	struct bdi_writeback *new_wb = isw->new_wb;
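Review bot: bdi_down_write_wb_switch_rwsem()/bdi_up_write_wb_switch_rwsem() deserve a comment saying they exist so that sync_inodes_sb() can call them unconditionally, with the !CONFIG_CGROUP_WRITEBACK branch later in this patch supplying empty stubs; without that, a reader wonders why sync_inodes_sb() does not call down_write() directly. For the new `bdi` local in inode_switch_wbs_work_fn(), it is worth noting that a cgwb switch only moves the inode between wbs of the same bdi, which is what makes a per-bdi rwsem the right granularity.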
@@ -344,6 +355,12 @@ static void inode_switch_wbs_work_fn(str
 	void **slot;
 
 	/*
+	 * If @inode switches cgwb membership while sync_inodes_sb() is
+	 * being issued, sync_inodes_sb() might miss it.  Synchronize.
+	 */
+	down_read(&bdi->wb_switch_rwsem);
+
+	/*
 	 * By the time control reaches here, RCU grace period has passed
 	 * since I_WB_SWITCH assertion and all wb stat update transactions
 	 * between unlocked_inode_to_wb_begin/end() are guaranteed to be
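Review bot: down_read() here may sleep for as long as sync_inodes_sb() holds the write side, which spans the whole wb_wait_for_completion(); that is acceptable on the isw workqueue, but the comment "Synchronize." should name the lock and state the ordering it establishes (wb_switch_rwsem is taken before old_wb->list_lock/new_wb->list_lock, which are acquired further down), so the lock order is documented where it is introduced.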
@@ -435,6 +452,8 @@ skip_switch:
 	spin_unlock(&new_wb->list_lock);
 	spin_unlock(&old_wb->list_lock);
 
+	up_read(&bdi->wb_switch_rwsem);
+
 	if (switched) {
 		wb_wakeup(new_wb);
 		wb_put(old_wb);
@@ -475,9 +494,18 @@ static void inode_switch_wbs(struct inod
 	if (inode->i_state & I_WB_SWITCH)
 		return;
 
+	/*
+	 * Avoid starting new switches while sync_inodes_sb() is in
+	 * progress.  Otherwise, if the down_write protected issue path
+	 * blocks heavily, we might end up starting a large number of
+	 * switches which will block on the rwsem.
+	 */
+	if (!down_read_trylock(&bdi->wb_switch_rwsem))
+		return;
+
 	isw = kzalloc(sizeof(*isw), GFP_ATOMIC);
 	if (!isw)
-		return;
+		goto out_unlock;
 
 	/* find and pin the new wb */
 	rcu_read_lock();
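Review bot: `bdi` is dereferenced in the new down_read_trylock() but no declaration appears in this hunk, so it relies on an existing local of inode_switch_wbs() in the 4.4 tree; worth confirming it is initialised before this point in the backport. A failed trylock silently drops the switch request; the comment explains why, but not what happens to the inode afterwards, and one sentence on that would help. The kzalloc() failure path was correctly changed from `return` to `goto out_unlock` so the read side is not leaked.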
@@ -511,12 +539,14 @@ static void inode_switch_wbs(struct inod
 	 * Let's continue after I_WB_SWITCH is guaranteed to be visible.
 	 */
 	call_rcu(&isw->rcu_head, inode_switch_wbs_rcu_fn);
-	return;
+	goto out_unlock;
 
 out_free:
 	if (isw->new_wb)
 		wb_put(isw->new_wb);
 	kfree(isw);
+out_unlock:
+	up_read(&bdi->wb_switch_rwsem);
 }
 
 /**
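Review bot: the success path now reaches out_unlock via `goto`, and out_free falls through into out_unlock, so every exit after the trylock releases the rwsem; good. Since the read side is dropped here, before the RCU callback and the work item run, and inode_switch_wbs_work_fn() takes its own down_read(), a short comment at out_unlock saying that the work function re-acquires the lock would stop a reader from assuming the read side is held across the whole switch.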
@@ -896,6 +926,9 @@ fs_initcall(cgroup_writeback_init);
 
 #else	/* CONFIG_CGROUP_WRITEBACK */
 
+static void bdi_down_write_wb_switch_rwsem(struct backing_dev_info *bdi) { }
+static void bdi_up_write_wb_switch_rwsem(struct backing_dev_info *bdi) { }
+
 static struct bdi_writeback *
 locked_inode_to_wb_and_lock_list(struct inode *inode)
 	__releases(&inode->i_lock)
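Review bot: the !CONFIG_CGROUP_WRITEBACK stubs should be `static inline`, matching kernel convention for empty helpers and avoiding a -Wunused-function warning should a future change remove the sync_inodes_sb() call site.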
@@ -2341,8 +2374,11 @@ void sync_inodes_sb(struct super_block *
 		return;
 	WARN_ON(!rwsem_is_locked(&sb->s_umount));
 
+	/* protect against inode wb switch, see inode_switch_wbs_work_fn() */
+	bdi_down_write_wb_switch_rwsem(bdi);
 	bdi_split_work_to_wbs(bdi, &work, false);
 	wb_wait_for_completion(bdi, &done);
+	bdi_up_write_wb_switch_rwsem(bdi);
 
 	wait_sb_inodes(sb);
 }
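Review bot: the write side is held across wb_wait_for_completion(), which can block for the duration of a full sync; that is the intended design and is what the trylock comment in inode_switch_wbs() refers to, so the comment here should point at inode_switch_wbs() as well as inode_switch_wbs_work_fn(), since that is where new switches are refused while this lock is held. Releasing it before wait_sb_inodes() keeps the critical section to the split/wait pair.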
--- a/include/linux/backing-dev-defs.h
+++ b/include/linux/backing-dev-defs.h
@@ -157,6 +157,7 @@ struct backing_dev_info {
 	struct radix_tree_root cgwb_tree; /* radix tree of active cgroup wbs */
 	struct rb_root cgwb_congested_tree; /* their congested states */
 	atomic_t usage_cnt; /* counts both cgwbs and cgwb_contested's */
+	struct rw_semaphore wb_switch_rwsem; /* no cgwb switch while syncing */
 #else
 	struct bdi_writeback_congested *wb_congested;
 #endif
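Review bot: the new field sits inside the CONFIG_CGROUP_WRITEBACK block, which matches the init in cgwb_bdi_init() and the stubs in fs-writeback.c; the trailing comment could say that it is read-held by the switch path and write-held by sync_inodes_sb(), since the struct definition is where lock documentation is usually looked up.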
--- a/mm/backing-dev.c
+++ b/mm/backing-dev.c
@@ -669,6 +669,7 @@ static int cgwb_bdi_init(struct backing_
 	INIT_RADIX_TREE(&bdi->cgwb_tree, GFP_ATOMIC);
 	bdi->cgwb_congested_tree = RB_ROOT;
 	atomic_set(&bdi->usage_cnt, 1);
+	init_rwsem(&bdi->wb_switch_rwsem);
 
 	ret = wb_init(&bdi->wb, bdi, 1, GFP_KERNEL);
 	if (!ret) {




* [PATCH 4.4 028/241] fs/writeback.c: use rcu_barrier() to wait for inflight wb switches going into workqueue when umount
From: Greg Kroah-Hartman @ 2019-06-09 16:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jiufei Xue, Tejun Heo, Andrew Morton,
	Linus Torvalds

From: Jiufei Xue <jiufei.xue@linux.alibaba.com>

commit ec084de929e419e51bcdafaafe567d9e7d0273b7 upstream.

synchronize_rcu() didn't wait for call_rcu() callbacks, so inode wb
switch may not go to the workqueue after synchronize_rcu().  Thus
previously scheduled switches were not finished even after flushing the
workqueue, which will cause the NULL pointer dereference shown below.

  VFS: Busy inodes after unmount of vdd. Self-destruct in 5 seconds.  Have a nice day...
  BUG: unable to handle kernel NULL pointer dereference at 0000000000000278
    evict+0xb3/0x180
    iput+0x1b0/0x230
    inode_switch_wbs_work_fn+0x3c0/0x6a0
    worker_thread+0x4e/0x490
    ? process_one_work+0x410/0x410
    kthread+0xe6/0x100
    ret_from_fork+0x39/0x50

Replace the synchronize_rcu() call with an rcu_barrier() to wait for all
pending callbacks to finish.  And inc isw_nr_in_flight after call_rcu()
in inode_switch_wbs() to make more sense.

Link: http://lkml.kernel.org/r/20190429024108.54150-1-jiufei.xue@linux.alibaba.com
Signed-off-by: Jiufei Xue <jiufei.xue@linux.alibaba.com>
Acked-by: Tejun Heo <tj@kernel.org>
Suggested-by: Tejun Heo <tj@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/fs-writeback.c |   11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

--- a/fs/fs-writeback.c
+++ b/fs/fs-writeback.c
@@ -530,8 +530,6 @@ static void inode_switch_wbs(struct inod
 	ihold(inode);
 	isw->inode = inode;
 
-	atomic_inc(&isw_nr_in_flight);
-
 	/*
 	 * In addition to synchronizing among switchers, I_WB_SWITCH tells
 	 * the RCU protected stat update paths to grab the mapping's
@@ -539,6 +537,9 @@ static void inode_switch_wbs(struct inod
 	 * Let's continue after I_WB_SWITCH is guaranteed to be visible.
 	 */
 	call_rcu(&isw->rcu_head, inode_switch_wbs_rcu_fn);
+
+	atomic_inc(&isw_nr_in_flight);
+
 	goto out_unlock;
 
 out_free:
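Review bot: moving atomic_inc(&isw_nr_in_flight) after call_rcu() means the callback is queued before the counter reflects it; the ordering relies on the grace period not elapsing between the two adjacent statements, and a comment stating that assumption would make "to make more sense" concrete for the next reader, since the counter is what cgroup_writeback_umount() gates its barrier on.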
@@ -910,7 +911,11 @@ restart:
 void cgroup_writeback_umount(void)
 {
 	if (atomic_read(&isw_nr_in_flight)) {
-		synchronize_rcu();
+		/*
+		 * Use rcu_barrier() to wait for all pending callbacks to
+		 * ensure that all in-flight wb switches are in the workqueue.
+		 */
+		rcu_barrier();
 		flush_workqueue(isw_wq);
 	}
 }
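Review bot: rcu_barrier() waits for all outstanding RCU callbacks system-wide, not only the isw ones, so it is considerably heavier than the synchronize_rcu() it replaces; that is fine on the umount path but the new comment should say so, and it should also note that the barrier alone is not sufficient: the flush_workqueue(isw_wq) that follows is still needed because the callback only queues the work item.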




* [PATCH 4.4 029/241] ext4: zero out the unused memory region in the extent tree block
From: Greg Kroah-Hartman @ 2019-06-09 16:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sriram Rajagopalan, Theodore Tso, stable

From: Sriram Rajagopalan <sriramr@arista.com>

commit 592acbf16821288ecdc4192c47e3774a4c48bb64 upstream.

This commit zeroes out the unused memory region in the buffer_head
corresponding to the extent metablock after writing the extent header
and the corresponding extent node entries.

This is done to prevent random uninitialized data from getting into
the filesystem when the extent block is synced.

This fixes CVE-2019-11833.

Signed-off-by: Sriram Rajagopalan <sriramr@arista.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/ext4/extents.c |   17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -1049,6 +1049,7 @@ static int ext4_ext_split(handle_t *hand
 	__le32 border;
 	ext4_fsblk_t *ablocks = NULL; /* array of allocated blocks */
 	int err = 0;
+	size_t ext_size = 0;
 
 	/* make decision: where to split? */
 	/* FIXME: now decision is simplest: at current extent */
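Review bot: `size_t ext_size = 0;` is assigned before every use in this function, so the zero initialiser is unnecessary; harmless, but leaving the local uninitialised lets the compiler flag a missed assignment.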
@@ -1140,6 +1141,10 @@ static int ext4_ext_split(handle_t *hand
 		le16_add_cpu(&neh->eh_entries, m);
 	}
 
+	/* zero out unused area in the extent block */
+	ext_size = sizeof(struct ext4_extent_header) +
+		sizeof(struct ext4_extent) * le16_to_cpu(neh->eh_entries);
+	memset(bh->b_data + ext_size, 0, inode->i_sb->s_blocksize - ext_size);
 	ext4_extent_block_csum_set(inode, neh);
 	set_buffer_uptodate(bh);
 	unlock_buffer(bh);
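Review bot: the memset length `s_blocksize - ext_size` is safe only if eh_entries after le16_add_cpu() is at most eh_max for the block, which holds for a freshly split leaf; a comment saying that the zeroing must come after the final eh_entries update and before ext4_extent_block_csum_set() (so the checksum covers the zeroed tail) would make the ordering constraint explicit. This hunk is the core of the fix for the uninitialised-memory disclosure the message names as CVE-2019-11833.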
@@ -1219,6 +1224,11 @@ static int ext4_ext_split(handle_t *hand
 				sizeof(struct ext4_extent_idx) * m);
 			le16_add_cpu(&neh->eh_entries, m);
 		}
+		/* zero out unused area in the extent block */
+		ext_size = sizeof(struct ext4_extent_header) +
+		   (sizeof(struct ext4_extent) * le16_to_cpu(neh->eh_entries));
+		memset(bh->b_data + ext_size, 0,
+			inode->i_sb->s_blocksize - ext_size);
 		ext4_extent_block_csum_set(inode, neh);
 		set_buffer_uptodate(bh);
 		unlock_buffer(bh);
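Review bot: this branch fills the block with struct ext4_extent_idx entries (the memmove size a few lines above uses sizeof(struct ext4_extent_idx)), but ext_size is computed with sizeof(struct ext4_extent); both structs are 12 bytes so the result is correct, but using sizeof(struct ext4_extent_idx) here keeps the computation self-evidently matched to the data being copied.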
@@ -1284,6 +1294,7 @@ static int ext4_ext_grow_indepth(handle_
 	ext4_fsblk_t newblock, goal = 0;
 	struct ext4_super_block *es = EXT4_SB(inode->i_sb)->s_es;
 	int err = 0;
+	size_t ext_size = 0;
 
 	/* Try to prepend new index to old one */
 	if (ext_depth(inode))
@@ -1309,9 +1320,11 @@ static int ext4_ext_grow_indepth(handle_
 		goto out;
 	}
 
+	ext_size = sizeof(EXT4_I(inode)->i_data);
 	/* move top-level index/leaf into new block */
-	memmove(bh->b_data, EXT4_I(inode)->i_data,
-		sizeof(EXT4_I(inode)->i_data));
+	memmove(bh->b_data, EXT4_I(inode)->i_data, ext_size);
+	/* zero out unused area in the extent block */
+	memset(bh->b_data + ext_size, 0, inode->i_sb->s_blocksize - ext_size);
 
 	/* set size of new block */
 	neh = ext_block_hdr(bh);
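Review bot: ext_size = sizeof(EXT4_I(inode)->i_data) is the whole in-inode extent area, so the zeroed tail starts right after the copied i_data; good. Note that i_data itself is copied verbatim, including any slots beyond eh_entries, so this hunk does not zero stale bytes inside the in-inode area; it is worth confirming that the in-inode region is always fully initialised, otherwise the same class of leak survives on this path.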




* [PATCH 4.4 030/241] ALSA: hda/realtek - Fix for Lenovo B50-70 inverted internal microphone bug
From: Greg Kroah-Hartman @ 2019-06-09 16:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Michał Wadowski, Takashi Iwai

From: Michał Wadowski <wadosm@gmail.com>

commit 56df90b631fc027fe28b70d41352d820797239bb upstream.

Add a patch for the realtek codec in Lenovo B50-70 that fixes the inverted
internal microphone channel.
Device IdeaPad Y410P has the same PCI SSID as Lenovo B50-70,
but the first one is about fixing the noise and it didn't seem to help in a
later kernel version.
So I replaced the IdeaPad Y410P device description with B50-70 and applied the
inverted microphone fix.

Bugzilla: https://bugs.launchpad.net/ubuntu/+source/alsa-driver/+bug/1524215
Signed-off-by: Michał Wadowski <wadosm@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/hda/patch_realtek.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -5778,7 +5778,7 @@ static const struct snd_pci_quirk alc269
 	SND_PCI_QUIRK(0x17aa, 0x3112, "ThinkCentre AIO", ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY),
 	SND_PCI_QUIRK(0x17aa, 0x3902, "Lenovo E50-80", ALC269_FIXUP_DMIC_THINKPAD_ACPI),
 	SND_PCI_QUIRK(0x17aa, 0x3977, "IdeaPad S210", ALC283_FIXUP_INT_MIC),
-	SND_PCI_QUIRK(0x17aa, 0x3978, "IdeaPad Y410P", ALC269_FIXUP_NO_SHUTUP),
+	SND_PCI_QUIRK(0x17aa, 0x3978, "Lenovo B50-70", ALC269_FIXUP_DMIC_THINKPAD_ACPI),
 	SND_PCI_QUIRK(0x17aa, 0x5013, "Thinkpad", ALC269_FIXUP_LIMIT_INT_MIC_BOOST),
 	SND_PCI_QUIRK(0x17aa, 0x501a, "Thinkpad", ALC283_FIXUP_INT_MIC),
 	SND_PCI_QUIRK(0x17aa, 0x501e, "Thinkpad L440", ALC292_FIXUP_TPT440_DOCK),
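Review bot: the replaced entry drops the IdeaPad Y410P name entirely rather than recording that two models share SSID 0x17aa:0x3978, so anyone searching the quirk table for that model will no longer find it; a trailing comment on the new line ("also IdeaPad Y410P") would preserve that knowledge. The fixup change from ALC269_FIXUP_NO_SHUTUP to ALC269_FIXUP_DMIC_THINKPAD_ACPI also means the Y410P now receives the DMIC fixup instead of the no-shutup one, which the message states is intended.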




* [PATCH 4.4 031/241] KVM: x86: Skip EFER vs. guest CPUID checks for host-initiated writes
From: Greg Kroah-Hartman @ 2019-06-09 16:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sean Christopherson, Paolo Bonzini

From: Sean Christopherson <sean.j.christopherson@intel.com>

commit 11988499e62b310f3bf6f6d0a807a06d3f9ccc96 upstream.

KVM allows userspace to violate consistency checks related to the
guest's CPUID model to some degree.  Generally speaking, userspace has
carte blanche when it comes to guest state so long as jamming invalid
state won't negatively affect the host.

Currently this seems to be a non-issue as most of the interesting
EFER checks are missing, e.g. NX and LME, but those will be added
shortly.  Proactively exempt userspace from the CPUID checks so as not
to break userspace.

Note, the efer_reserved_bits check still applies to userspace writes as
that mask reflects the host's capabilities, e.g. KVM shouldn't allow a
guest to run with NX=1 if it has been disabled in the host.

Fixes: d80174745ba39 ("KVM: SVM: Only allow setting of EFER_SVME when CPUID SVM is set")
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kvm/x86.c |   33 ++++++++++++++++++++++-----------
 1 file changed, 22 insertions(+), 11 deletions(-)

--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -990,11 +990,8 @@ static u32 emulated_msrs[] = {
 
 static unsigned num_emulated_msrs;
 
-bool kvm_valid_efer(struct kvm_vcpu *vcpu, u64 efer)
+static bool __kvm_valid_efer(struct kvm_vcpu *vcpu, u64 efer)
 {
-	if (efer & efer_reserved_bits)
-		return false;
-
 	if (efer & EFER_FFXSR) {
 		struct kvm_cpuid_entry2 *feat;
 
@@ -1012,19 +1009,33 @@ bool kvm_valid_efer(struct kvm_vcpu *vcp
 	}
 
 	return true;
+
+}
+bool kvm_valid_efer(struct kvm_vcpu *vcpu, u64 efer)
+{
+	if (efer & efer_reserved_bits)
+		return false;
+
+	return __kvm_valid_efer(vcpu, efer);
 }
 EXPORT_SYMBOL_GPL(kvm_valid_efer);
 
-static int set_efer(struct kvm_vcpu *vcpu, u64 efer)
+static int set_efer(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
 {
 	u64 old_efer = vcpu->arch.efer;
+	u64 efer = msr_info->data;
 
-	if (!kvm_valid_efer(vcpu, efer))
-		return 1;
+	if (efer & efer_reserved_bits)
+		return false;
 
-	if (is_paging(vcpu)
-	    && (vcpu->arch.efer & EFER_LME) != (efer & EFER_LME))
-		return 1;
+	if (!msr_info->host_initiated) {
+		if (!__kvm_valid_efer(vcpu, efer))
+			return 1;
+
+		if (is_paging(vcpu) &&
+		    (vcpu->arch.efer & EFER_LME) != (efer & EFER_LME))
+			return 1;
+	}
 
 	efer &= ~EFER_LMA;
 	efer |= vcpu->arch.efer & EFER_LMA;
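Review bot: `return false;` in set_efer() is wrong: the function returns int, where 1 means "reject the write" (see the `return 1` statements immediately below), and false is 0, so a write with reserved bits set is reported to kvm_set_msr_common() as successful while vcpu->arch.efer is left untouched instead of the write being rejected. It should be `return 1;`. Separately, the stray blank line before the closing brace of __kvm_valid_efer() and the missing blank line between that brace and the new kvm_valid_efer() definition should be fixed.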
@@ -2055,7 +2066,7 @@ int kvm_set_msr_common(struct kvm_vcpu *
 		break;
 
 	case MSR_EFER:
-		return set_efer(vcpu, data);
+		return set_efer(vcpu, msr_info);
 	case MSR_K7_HWCR:
 		data &= ~(u64)0x40;	/* ignore flush filter disable */
 		data &= ~(u64)0x100;	/* ignore ignne emulation enable */




* [PATCH 4.4 032/241] net: avoid weird emergency message
From: Greg Kroah-Hartman @ 2019-06-09 16:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eric Dumazet, syzbot, David S. Miller

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit d7c04b05c9ca14c55309eb139430283a45c4c25f ]

When the host is under high stress, it is very possible that the thread
running netdev_wait_allrefs() returns from msleep(250)
10 seconds late.

This leads to these messages in the syslog:

[...] unregister_netdevice: waiting for syz_tun to become free. Usage count = 0

If the device refcount is zero, the wait is over.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/core/dev.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -6986,7 +6986,7 @@ static void netdev_wait_allrefs(struct n
 
 		refcnt = netdev_refcnt_read(dev);
 
-		if (time_after(jiffies, warning_time + 10 * HZ)) {
+		if (refcnt && time_after(jiffies, warning_time + 10 * HZ)) {
 			pr_emerg("unregister_netdevice: waiting for %s to become free. Usage count = %d\n",
 				 dev->name, refcnt);
 			warning_time = jiffies;
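Review bot: gating the message on `refcnt` removes the spurious "Usage count = 0" line, and since the wait loop is over once the refcount reaches zero, not refreshing warning_time in that case is harmless; a short comment that a late msleep() return is how a zero count reaches this branch would explain the extra condition to the next reader.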




* [PATCH 4.4 033/241] net/mlx4_core: Change the error print to info print
From: Greg Kroah-Hartman @ 2019-06-09 16:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yunjian Wang, Tariq Toukan, David S. Miller

From: Yunjian Wang <wangyunjian@huawei.com>

[ Upstream commit 00f9fec48157f3734e52130a119846e67a12314b ]

The error print within mlx4_flow_steer_promisc_add() should
be an info print.

Fixes: 592e49dda812 ('net/mlx4: Implement promiscuous mode with device managed flow-steering')
Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
Reviewed-by: Tariq Toukan <tariqt@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/mellanox/mlx4/mcg.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/ethernet/mellanox/mlx4/mcg.c
+++ b/drivers/net/ethernet/mellanox/mlx4/mcg.c
@@ -1485,7 +1485,7 @@ int mlx4_flow_steer_promisc_add(struct m
 	rule.port = port;
 	rule.qpn = qpn;
 	INIT_LIST_HEAD(&rule.list);
-	mlx4_err(dev, "going promisc on %x\n", port);
+	mlx4_info(dev, "going promisc on %x\n", port);
 
 	return  mlx4_flow_attach(dev, &rule, regid_p);
 }
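Review bot: lowering the level to mlx4_info is right for an expected event, but the format still prints the port with %x; port numbers are small decimal values, so %d would read more naturally in logs. Not introduced by this patch, but this is the line being touched.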




* [PATCH 4.4 034/241] ppp: deflate: Fix possible crash in deflate_init
From: Greg Kroah-Hartman @ 2019-06-09 16:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hulk Robot, YueHaibing,
	Guillaume Nault, David S. Miller

From: YueHaibing <yuehaibing@huawei.com>

[ Upstream commit 3ebe1bca58c85325c97a22d4fc3f5b5420752e6f ]

BUG: unable to handle kernel paging request at ffffffffa018f000
PGD 3270067 P4D 3270067 PUD 3271063 PMD 2307eb067 PTE 0
Oops: 0000 [#1] PREEMPT SMP
CPU: 0 PID: 4138 Comm: modprobe Not tainted 5.1.0-rc7+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
RIP: 0010:ppp_register_compressor+0x3e/0xd0 [ppp_generic]
Code: 98 4a 3f e2 48 8b 15 c1 67 00 00 41 8b 0c 24 48 81 fa 40 f0 19 a0
75 0e eb 35 48 8b 12 48 81 fa 40 f0 19 a0 74
RSP: 0018:ffffc90000d93c68 EFLAGS: 00010287
RAX: ffffffffa018f000 RBX: ffffffffa01a3000 RCX: 000000000000001a
RDX: ffff888230c750a0 RSI: 0000000000000000 RDI: ffffffffa019f000
RBP: ffffc90000d93c80 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffa0194080
R13: ffff88822ee1a700 R14: 0000000000000000 R15: ffffc90000d93e78
FS:  00007f2339557540(0000) GS:ffff888237a00000(0000)
knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffa018f000 CR3: 000000022bde4000 CR4: 00000000000006f0
Call Trace:
 ? 0xffffffffa01a3000
 deflate_init+0x11/0x1000 [ppp_deflate]
 ? 0xffffffffa01a3000
 do_one_initcall+0x6c/0x3cc
 ? kmem_cache_alloc_trace+0x248/0x3b0
 do_init_module+0x5b/0x1f1
 load_module+0x1db1/0x2690
 ? m_show+0x1d0/0x1d0
 __do_sys_finit_module+0xc5/0xd0
 __x64_sys_finit_module+0x15/0x20
 do_syscall_64+0x6b/0x1d0
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

If ppp_deflate fails to register in deflate_init,
module initialization fails out; however,
ppp_deflate_draft may have been registered and not
unregistered before return.
Then the second modprobe will trigger a crash like this.

Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Acked-by: Guillaume Nault <gnault@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ppp/ppp_deflate.c |   20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

--- a/drivers/net/ppp/ppp_deflate.c
+++ b/drivers/net/ppp/ppp_deflate.c
@@ -610,12 +610,20 @@ static struct compressor ppp_deflate_dra
 
 static int __init deflate_init(void)
 {
-        int answer = ppp_register_compressor(&ppp_deflate);
-        if (answer == 0)
-                printk(KERN_INFO
-		       "PPP Deflate Compression module registered\n");
-	ppp_register_compressor(&ppp_deflate_draft);
-        return answer;
+	int rc;
+
+	rc = ppp_register_compressor(&ppp_deflate);
+	if (rc)
+		return rc;
+
+	rc = ppp_register_compressor(&ppp_deflate_draft);
+	if (rc) {
+		ppp_unregister_compressor(&ppp_deflate);
+		return rc;
+	}
+
+	pr_info("PPP Deflate Compression module registered\n");
+	return 0;
 }
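Review bot: the error path now unregisters ppp_deflate when registering ppp_deflate_draft fails, which closes the dangling-registration path the message describes; check that deflate_cleanup() unregisters both compressors so the module-exit side is consistent with this init order. The switch from mixed space/tab indentation and printk(KERN_INFO) to pr_info() is fine but is unrelated cleanup riding on a -stable fix, and would ideally be a separate patch.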
 
 static void __exit deflate_cleanup(void)




* [PATCH 4.4 035/241] tipc: switch order of device registration to fix a crash
From: Greg Kroah-Hartman @ 2019-06-09 16:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Junwei Hu, Wang Wang, Xiaogang Wang,
	David S. Miller

From: Junwei Hu <hujunwei4@huawei.com>

[ Upstream commit 7e27e8d6130c5e88fac9ddec4249f7f2337fe7f8 ]

When tipc is loaded while many processes try to create a TIPC socket,
a crash occurs:
 PANIC: Unable to handle kernel paging request at virtual
 address "dfff20000000021d"
 pc : tipc_sk_create+0x374/0x1180 [tipc]
 lr : tipc_sk_create+0x374/0x1180 [tipc]
   Exception class = DABT (current EL), IL = 32 bits
 Call trace:
  tipc_sk_create+0x374/0x1180 [tipc]
  __sock_create+0x1cc/0x408
  __sys_socket+0xec/0x1f0
  __arm64_sys_socket+0x74/0xa8
 ...

This is due to a race between sock_create and an unfinished
register_pernet_device. tipc_sk_insert tries to do
"net_generic(net, tipc_net_id)",
but tipc_net_id is not initialized yet.

So switch the order of the two to close the race.

This can be reproduced with multiple processes doing socket(AF_TIPC, ...)
and one process doing module removal.

Fixes: a62fbccecd62 ("tipc: make subscriber server support net namespace")
Signed-off-by: Junwei Hu <hujunwei4@huawei.com>
Reported-by: Wang Wang <wangwang2@huawei.com>
Reviewed-by: Xiaogang Wang <wangxiaogang3@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/tipc/core.c |   14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

--- a/net/tipc/core.c
+++ b/net/tipc/core.c
@@ -126,10 +126,6 @@ static int __init tipc_init(void)
 	if (err)
 		goto out_netlink_compat;
 
-	err = tipc_socket_init();
-	if (err)
-		goto out_socket;
-
 	err = tipc_register_sysctl();
 	if (err)
 		goto out_sysctl;
@@ -138,6 +134,10 @@ static int __init tipc_init(void)
 	if (err)
 		goto out_pernet;
 
+	err = tipc_socket_init();
+	if (err)
+		goto out_socket;
+
 	err = tipc_bearer_setup();
 	if (err)
 		goto out_bearer;
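Review bot: tipc_socket_init() now runs after register_pernet_subsys(&tipc_net_ops), which closes the race described in the message but introduces the inverse problem: if the pernet init hook creates an AF_TIPC kernel socket, that sock_create_kern() now runs before the family is registered and fails, which is exactly what the next patch in this series (036/241) reports. The two initialisations depend on each other, so a plain reordering cannot satisfy both; see 036/241, which moves tipc_socket_init() into tipc_init_net().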
@@ -145,12 +145,12 @@ static int __init tipc_init(void)
 	pr_info("Started in single node mode\n");
 	return 0;
 out_bearer:
+	tipc_socket_stop();
+out_socket:
 	unregister_pernet_subsys(&tipc_net_ops);
 out_pernet:
 	tipc_unregister_sysctl();
 out_sysctl:
-	tipc_socket_stop();
-out_socket:
 	tipc_netlink_compat_stop();
 out_netlink_compat:
 	tipc_netlink_stop();
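Review bot: the unwind labels are reordered so that out_bearer stops sockets before unregistering the pernet subsystem, mirroring the new init order; the ladder is consistent with the init side of this patch.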
@@ -162,10 +162,10 @@ out_netlink:
 static void __exit tipc_exit(void)
 {
 	tipc_bearer_cleanup();
+	tipc_socket_stop();
 	unregister_pernet_subsys(&tipc_net_ops);
 	tipc_netlink_stop();
 	tipc_netlink_compat_stop();
-	tipc_socket_stop();
 	tipc_unregister_sysctl();
 
 	pr_info("Deactivated\n");




* [PATCH 4.4 036/241] tipc: fix modprobe tipc failed after switch order of device registration
From: Greg Kroah-Hartman @ 2019-06-09 16:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Junwei Hu, Wang Wang, Kang Zhou,
	Suanming Mou, David S. Miller

From: Junwei Hu <hujunwei4@huawei.com>

[ Upstream commit 532b0f7ece4cb2ffd24dc723ddf55242d1188e5e ]

Error message printed:
modprobe: ERROR: could not insert 'tipc': Address family not
supported by protocol.
when modprobing tipc after the following patch: switch order of
device registration, commit 7e27e8d6130c
("tipc: switch order of device registration to fix a crash")

Because sock_create_kern(net, AF_TIPC, ...) is called by
tipc_topsrv_create_listener() in the initialization process
of tipc_net_ops, tipc_socket_init() must be executed before that.

I move tipc_socket_init() into function tipc_init_net().

Fixes: 7e27e8d6130c ("tipc: switch order of device registration to fix a crash")
Signed-off-by: Junwei Hu <hujunwei4@huawei.com>
Reported-by: Wang Wang <wangwang2@huawei.com>
Reviewed-by: Kang Zhou <zhoukang7@huawei.com>
Reviewed-by: Suanming Mou <mousuanming@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/tipc/core.c |   14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

--- a/net/tipc/core.c
+++ b/net/tipc/core.c
@@ -61,6 +61,10 @@ static int __net_init tipc_init_net(stru
 	INIT_LIST_HEAD(&tn->node_list);
 	spin_lock_init(&tn->node_list_lock);
 
+	err = tipc_socket_init();
+	if (err)
+		goto out_socket;
+
 	err = tipc_sk_rht_init(net);
 	if (err)
 		goto out_sk_rht;
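
Review bot: tipc_socket_init() now runs from the pernet init hook instead of once at module load, so it is called again for every network namespace that is created; unless it is idempotent or guards against a second registration, confirm that creating a second namespace does not fail in tipc_init_net() with the socket family already registered. The unwind order itself is consistent with the new placement.
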
@@ -87,6 +91,8 @@ out_subscr:
 out_nametbl:
 	tipc_sk_rht_destroy(net);
 out_sk_rht:
+	tipc_socket_stop();
+out_socket:
 	return err;
 }
 
@@ -97,6 +103,7 @@ static void __net_exit tipc_exit_net(str
 	tipc_bcast_stop(net);
 	tipc_nametbl_stop(net);
 	tipc_sk_rht_destroy(net);
+	tipc_socket_stop();
 }
 
 static struct pernet_operations tipc_net_ops = {
@@ -134,10 +141,6 @@ static int __init tipc_init(void)
 	if (err)
 		goto out_pernet;
 
-	err = tipc_socket_init();
-	if (err)
-		goto out_socket;
-
 	err = tipc_bearer_setup();
 	if (err)
 		goto out_bearer;
@@ -145,8 +148,6 @@ static int __init tipc_init(void)
 	pr_info("Started in single node mode\n");
 	return 0;
 out_bearer:
-	tipc_socket_stop();
-out_socket:
 	unregister_pernet_subsys(&tipc_net_ops);
 out_pernet:
 	tipc_unregister_sysctl();
@@ -162,7 +163,6 @@ out_netlink:
 static void __exit tipc_exit(void)
 {
 	tipc_bearer_cleanup();
-	tipc_socket_stop();
 	unregister_pernet_subsys(&tipc_net_ops);
 	tipc_netlink_stop();
 	tipc_netlink_compat_stop();



* [PATCH 4.4 037/241] stm class: Fix channel free in stm output free path
From: Greg Kroah-Hartman @ 2019-06-09 16:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tingwei Zhang, Sai Prakash Ranjan,
	Alexander Shishkin

From: Tingwei Zhang <tingwei@codeaurora.org>

commit ee496da4c3915de3232b5f5cd20e21ae3e46fe8d upstream.

Number of free masters is not set correctly in stm
free path. Fix this by properly adding the number
of output channels before setting them to 0 in
stm_output_disclaim().

Currently it is equivalent to doing nothing since
master->nr_free is incremented by 0.

Fixes: 7bd1d4093c2f ("stm class: Introduce an abstraction for System Trace Module devices")
Signed-off-by: Tingwei Zhang <tingwei@codeaurora.org>
Signed-off-by: Sai Prakash Ranjan <saiprakash.ranjan@codeaurora.org>
Cc: stable@vger.kernel.org # v4.4
Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/hwtracing/stm/core.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/hwtracing/stm/core.c
+++ b/drivers/hwtracing/stm/core.c
@@ -210,8 +210,8 @@ stm_output_disclaim(struct stm_device *s
 	bitmap_release_region(&master->chan_map[0], output->channel,
 			      ilog2(output->nr_chans));
 
-	output->nr_chans = 0;
 	master->nr_free += output->nr_chans;
+	output->nr_chans = 0;
 }
 
 /*
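
Review bot: the reorder is the whole fix and it is correct: with output->nr_chans zeroed first, `master->nr_free += output->nr_chans` added 0, so every disclaimed channel was lost from the free count. A one-line comment above the increment saying that nr_chans must be consumed before it is cleared would keep a later cleanup from swapping the two statements back.
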



* [PATCH 4.4 038/241] md: add mddev->pers to avoid potential NULL pointer dereference
From: Greg Kroah-Hartman @ 2019-06-09 16:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Xiao Ni, NeilBrown, Yufen Yu, Song Liu

From: Yufen Yu <yuyufen@huawei.com>

commit ee37e62191a59d253fc916b9fc763deb777211e2 upstream.

When doing a re-add, we need to ensure rdev->mddev->pers is not NULL,
which avoids a potential NULL pointer dereference in the following
add_bound_rdev().

Fixes: a6da4ef85cef ("md: re-add a failed disk")
Cc: Xiao Ni <xni@redhat.com>
Cc: NeilBrown <neilb@suse.com>
Cc: <stable@vger.kernel.org> # 4.4+
Reviewed-by: NeilBrown <neilb@suse.com>
Signed-off-by: Yufen Yu <yuyufen@huawei.com>
Signed-off-by: Song Liu <songliubraving@fb.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/md/md.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/md/md.c
+++ b/drivers/md/md.c
@@ -2690,8 +2690,10 @@ state_store(struct md_rdev *rdev, const
 			err = 0;
 		}
 	} else if (cmd_match(buf, "re-add")) {
-		if (test_bit(Faulty, &rdev->flags) && (rdev->raid_disk == -1) &&
-			rdev->saved_raid_disk >= 0) {
+		if (!rdev->mddev->pers)
+			err = -EINVAL;
+		else if (test_bit(Faulty, &rdev->flags) && (rdev->raid_disk == -1) &&
+				rdev->saved_raid_disk >= 0) {
 			/* clear_bit is performed _after_ all the devices
 			 * have their local Faulty bit cleared. If any writes
 			 * happen in the meantime in the local node, they
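
Review bot: the new `if (!rdev->mddev->pers)` dereferences rdev->mddev unconditionally; the hunk does not show whether this sysfs store can still run once the rdev has been detached from its array, so confirm mddev itself cannot be NULL here. Also check that the trailing `else` of this chain (below the hunk) still assigns err for the non-matching case, since -EINVAL is now the only value set on the new branch.
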



* [PATCH 4.4 039/241] intel_th: msu: Fix single mode with IOMMU
From: Greg Kroah-Hartman @ 2019-06-09 16:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alexander Shishkin

From: Alexander Shishkin <alexander.shishkin@linux.intel.com>

commit 4e0eaf239fb33ebc671303e2b736fa043462e2f4 upstream.

Currently, the pages that are allocated for the single mode of MSC are not
mapped into the device's dma space and the code is incorrectly using
*_to_phys() in place of a dma address. This fails with IOMMU enabled and
is otherwise bad practice.

Fix the single mode buffer allocation to map the pages into the device's
DMA space.

Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Fixes: ba82664c134e ("intel_th: Add Memory Storage Unit driver")
Cc: stable@vger.kernel.org # v4.4+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/hwtracing/intel_th/msu.c |   35 ++++++++++++++++++++++++++++++++---
 1 file changed, 32 insertions(+), 3 deletions(-)

--- a/drivers/hwtracing/intel_th/msu.c
+++ b/drivers/hwtracing/intel_th/msu.c
@@ -90,6 +90,7 @@ struct msc_iter {
  * @reg_base:		register window base address
  * @thdev:		intel_th_device pointer
  * @win_list:		list of windows in multiblock mode
+ * @single_sgt:		single mode buffer
  * @nr_pages:		total number of pages allocated for this buffer
  * @single_sz:		amount of data in single mode
  * @single_wrap:	single mode wrap occurred
@@ -110,6 +111,7 @@ struct msc {
 	struct intel_th_device	*thdev;
 
 	struct list_head	win_list;
+	struct sg_table		single_sgt;
 	unsigned long		nr_pages;
 	unsigned long		single_sz;
 	unsigned int		single_wrap : 1;
@@ -610,22 +612,45 @@ static void intel_th_msc_deactivate(stru
  */
 static int msc_buffer_contig_alloc(struct msc *msc, unsigned long size)
 {
+	unsigned long nr_pages = size >> PAGE_SHIFT;
 	unsigned int order = get_order(size);
 	struct page *page;
+	int ret;
 
 	if (!size)
 		return 0;
 
+	ret = sg_alloc_table(&msc->single_sgt, 1, GFP_KERNEL);
+	if (ret)
+		goto err_out;
+
+	ret = -ENOMEM;
 	page = alloc_pages(GFP_KERNEL | __GFP_ZERO, order);
 	if (!page)
-		return -ENOMEM;
+		goto err_free_sgt;
 
 	split_page(page, order);
-	msc->nr_pages = size >> PAGE_SHIFT;
+	sg_set_buf(msc->single_sgt.sgl, page_address(page), size);
+
+	ret = dma_map_sg(msc_dev(msc)->parent->parent, msc->single_sgt.sgl, 1,
+			 DMA_FROM_DEVICE);
+	if (ret < 0)
+		goto err_free_pages;
+
+	msc->nr_pages = nr_pages;
 	msc->base = page_address(page);
-	msc->base_addr = page_to_phys(page);
+	msc->base_addr = sg_dma_address(msc->single_sgt.sgl);
 
 	return 0;
+
+err_free_pages:
+	__free_pages(page, order);
+
+err_free_sgt:
+	sg_free_table(&msc->single_sgt);
+
+err_out:
+	return ret;
 }
 
 /**
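
Review bot: `if (ret < 0)` after dma_map_sg() can never fire: dma_map_sg() returns the number of segments mapped and 0 on failure, so a failed mapping falls through, `sg_dma_address()` is read from an unmapped entry, and ret is later discarded by `return 0`. Check `if (!ret)` (or `ret != 1`), set `ret = -ENOMEM`, and then jump to err_free_pages. Second, err_free_pages calls `__free_pages(page, order)` after `split_page()` has already broken the block into order-0 pages, whereas the matching free path in msc_buffer_contig_free() walks the buffer page by page; the error path should free it the same way.
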
@@ -636,6 +661,10 @@ static void msc_buffer_contig_free(struc
 {
 	unsigned long off;
 
+	dma_unmap_sg(msc_dev(msc)->parent->parent, msc->single_sgt.sgl,
+		     1, DMA_FROM_DEVICE);
+	sg_free_table(&msc->single_sgt);
+
 	for (off = 0; off < msc->nr_pages << PAGE_SHIFT; off += PAGE_SIZE) {
 		struct page *page = virt_to_page(msc->base + off);
 
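
Review bot: msc_buffer_contig_free() now unconditionally unmaps and frees single_sgt, but msc_buffer_contig_alloc() returns 0 before sg_alloc_table() when size is 0; if the free path can be reached for a zero-sized buffer, dma_unmap_sg() and sg_free_table() run on a table that was never allocated. Either guard the new calls on msc->nr_pages, or allocate the table before the early return.
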



* [PATCH 4.4 040/241] of: fix clang -Wunsequenced for be32_to_cpu()
From: Greg Kroah-Hartman @ 2019-06-09 16:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Phong Tran, Nick Desaulniers,
	David Laight, Rob Herring

From: Phong Tran <tranmanphong@gmail.com>

commit 440868661f36071886ed360d91de83bd67c73b4f upstream.

Now, make the loop explicit to avoid the clang warning:

./include/linux/of.h:238:37: warning: multiple unsequenced modifications
to 'cell' [-Wunsequenced]
                r = (r << 32) | be32_to_cpu(*(cell++));
                                                  ^~
./include/linux/byteorder/generic.h:95:21: note: expanded from macro
'be32_to_cpu'
                    ^
./include/uapi/linux/byteorder/little_endian.h:40:59: note: expanded
from macro '__be32_to_cpu'
                                                          ^
./include/uapi/linux/swab.h:118:21: note: expanded from macro '__swab32'
        ___constant_swab32(x) :                 \
                           ^
./include/uapi/linux/swab.h:18:12: note: expanded from macro
'___constant_swab32'
        (((__u32)(x) & (__u32)0x000000ffUL) << 24) |            \
                  ^

Signed-off-by: Phong Tran <tranmanphong@gmail.com>
Reported-by: Nick Desaulniers <ndesaulniers@google.com>
Link: https://github.com/ClangBuiltLinux/linux/issues/460
Suggested-by: David Laight <David.Laight@ACULAB.COM>
Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
Cc: stable@vger.kernel.org
[robh: fix up whitespace]
Signed-off-by: Rob Herring <robh@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/linux/of.h |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/include/linux/of.h
+++ b/include/linux/of.h
@@ -199,8 +199,8 @@ extern struct device_node *of_find_all_n
 static inline u64 of_read_number(const __be32 *cell, int size)
 {
 	u64 r = 0;
-	while (size--)
-		r = (r << 32) | be32_to_cpu(*(cell++));
+	for (; size--; cell++)
+		r = (r << 32) | be32_to_cpu(*cell);
 	return r;
 }
 
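
Review bot: behaviour is unchanged and the warning goes away, since `cell++` now sits in the for-increment and is sequenced after the body. `size--` in the condition still leaves size at -1 on exit and still loops for a negative size exactly as before, so this is a pure clean-up.
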



* [PATCH 4.4 041/241] cifs: fix strcat buffer overflow and reduce raciness in smb21_set_oplock_level()
From: Greg Kroah-Hartman @ 2019-06-09 16:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Christoph Probst, Pavel Shilovsky,
	Steve French

From: Christoph Probst <kernel@probst.it>

commit 6a54b2e002c9d00b398d35724c79f9fe0d9b38fb upstream.

Change strcat to strncpy in the "None" case to fix a buffer overflow
when cinode->oplock is reset to 0 by another thread accessing the same
cinode. It is never valid to append "None" to any other message.

Consolidate multiple writes to cinode->oplock to reduce raciness.

Signed-off-by: Christoph Probst <kernel@probst.it>
Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
CC: Stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/cifs/smb2ops.c |   14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

--- a/fs/cifs/smb2ops.c
+++ b/fs/cifs/smb2ops.c
@@ -1329,26 +1329,28 @@ smb21_set_oplock_level(struct cifsInodeI
 		       unsigned int epoch, bool *purge_cache)
 {
 	char message[5] = {0};
+	unsigned int new_oplock = 0;
 
 	oplock &= 0xFF;
 	if (oplock == SMB2_OPLOCK_LEVEL_NOCHANGE)
 		return;
 
-	cinode->oplock = 0;
 	if (oplock & SMB2_LEASE_READ_CACHING_HE) {
-		cinode->oplock |= CIFS_CACHE_READ_FLG;
+		new_oplock |= CIFS_CACHE_READ_FLG;
 		strcat(message, "R");
 	}
 	if (oplock & SMB2_LEASE_HANDLE_CACHING_HE) {
-		cinode->oplock |= CIFS_CACHE_HANDLE_FLG;
+		new_oplock |= CIFS_CACHE_HANDLE_FLG;
 		strcat(message, "H");
 	}
 	if (oplock & SMB2_LEASE_WRITE_CACHING_HE) {
-		cinode->oplock |= CIFS_CACHE_WRITE_FLG;
+		new_oplock |= CIFS_CACHE_WRITE_FLG;
 		strcat(message, "W");
 	}
-	if (!cinode->oplock)
-		strcat(message, "None");
+	if (!new_oplock)
+		strncpy(message, "None", sizeof(message));
+
+	cinode->oplock = new_oplock;
 	cifs_dbg(FYI, "%s Lease granted on inode %p\n", message,
 		 &cinode->vfs_inode);
 }
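
Review bot: with the "None" decision taken on the local new_oplock, the strcat() branches and the "None" branch are now mutually exclusive, so message[5] is large enough ("RHW" plus NUL, or "None" plus NUL); `strncpy(message, "None", sizeof(message))` writes exactly 5 bytes including the terminator, which is correct, though strscpy() would make the bound explicit. The shared field is now published with a single store; concurrent readers of cinode->oplock are still unsynchronised, which this patch does not try to address.
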



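As an added illustration (not cifs code and not part of the patch): a user-space model of the old and new smb21_set_oplock_level() logic, in which an `interfere` flag plays the second thread that resets the shared oplock word to 0 just before the old code re-reads it. The lease/cache bit values, `struct model_inode` and all function names are constructed for the example, and the scratch buffer is oversized so the overflow is measured rather than triggered.

```c
#include <stdio.h>
#include <string.h>

/*
 * Lease bits and cache flags. The values are constructed for this example;
 * only their shape (three independent bits) mirrors the cifs code.
 */
#define LEASE_READ_HE    0x01
#define LEASE_HANDLE_HE  0x02
#define LEASE_WRITE_HE   0x04
#define CACHE_READ_FLG   0x1
#define CACHE_HANDLE_FLG 0x2
#define CACHE_WRITE_FLG  0x4

#define KERNEL_MSG_SZ 5   /* the kernel's char message[5] */

/* Stand-in for struct cifsInodeInfo: only the shared oplock word matters. */
struct model_inode {
	unsigned int oplock;
};

/* Common part of both versions: OR cache flags into *target and append a
 * letter per granted lease. The only difference between old and new is
 * whether *target is the shared field or a local variable. */
static void accumulate(unsigned int lease, unsigned int *target, char *message)
{
	if (lease & LEASE_READ_HE)   { *target |= CACHE_READ_FLG;   strcat(message, "R"); }
	if (lease & LEASE_HANDLE_HE) { *target |= CACHE_HANDLE_FLG; strcat(message, "H"); }
	if (lease & LEASE_WRITE_HE)  { *target |= CACHE_WRITE_FLG;  strcat(message, "W"); }
}

/*
 * Old logic. 'interfere' models a second thread zeroing ci->oplock between
 * the accumulation and the re-read that decides on "None". The scratch
 * buffer is oversized so the result can be measured instead of corrupting
 * the stack; the return value is the number of bytes (with NUL) the
 * kernel's 5-byte buffer would have needed.
 */
static size_t set_oplock_old(struct model_inode *ci, unsigned int lease,
			     int interfere, char *out, size_t outsz)
{
	char message[16] = {0};

	lease &= 0xFF;
	ci->oplock = 0;
	accumulate(lease, &ci->oplock, message);
	if (interfere)
		ci->oplock = 0;            /* the racing writer */
	if (!ci->oplock)                   /* re-reads shared state */
		strcat(message, "None");   /* "RHW" + "None" = 8 bytes */
	snprintf(out, outsz, "%s", message);
	return strlen(message) + 1;
}

/* New logic: decide on the local new_oplock, then publish it in one store. */
static size_t set_oplock_new(struct model_inode *ci, unsigned int lease,
			     int interfere, char *out, size_t outsz)
{
	char message[16] = {0};
	unsigned int new_oplock = 0;

	lease &= 0xFF;
	accumulate(lease, &new_oplock, message);
	if (interfere)
		ci->oplock = 0;            /* cannot affect the decision below */
	if (!new_oplock)
		strncpy(message, "None", sizeof(message));
	ci->oplock = new_oplock;
	snprintf(out, outsz, "%s", message);
	return strlen(message) + 1;
}

/* Bytes the kernel's message buffer would need under each version. */
static size_t old_bytes_needed(unsigned int lease, int interfere)
{
	struct model_inode ci = {0};
	char out[16];
	return set_oplock_old(&ci, lease, interfere, out, sizeof(out));
}

static size_t new_bytes_needed(unsigned int lease, int interfere)
{
	struct model_inode ci = {0};
	char out[16];
	return set_oplock_new(&ci, lease, interfere, out, sizeof(out));
}

int main(void)
{
	unsigned int all = LEASE_READ_HE | LEASE_HANDLE_HE | LEASE_WRITE_HE;
	size_t n;

	n = old_bytes_needed(all, 1);
	printf("old, raced: needs %zu bytes, buffer is %d%s\n", n, KERNEL_MSG_SZ,
	       n > KERNEL_MSG_SZ ? " -> overflow" : "");
	n = new_bytes_needed(all, 1);
	printf("new, raced: needs %zu bytes, buffer is %d\n", n, KERNEL_MSG_SZ);
	return 0;
}
```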

* [PATCH 4.4 042/241] media: ov6650: Fix sensor possibly not detected on probe
From: Greg Kroah-Hartman @ 2019-06-09 16:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Janusz Krzysztofik, Sakari Ailus,
	Mauro Carvalho Chehab

From: Janusz Krzysztofik <jmkrzyszt@gmail.com>

commit 933c1320847f5ed6b61a7d10f0a948aa98ccd7b0 upstream.

After removal of clock_start() from before soc_camera_init_i2c() in
soc_camera_probe() by commit 9aea470b399d ("[media] soc-camera: switch
I2C subdevice drivers to use v4l2-clk") introduced in v3.11, the ov6650
driver could no longer probe the sensor successfully because its clock
was no longer turned on in advance.  The issue was initially worked
around by adding that missing clock_start() equivalent to the OMAP1 camera
interface driver - the only user of this sensor - but a proper fix
should rather be implemented in the sensor driver code itself.

Fix the issue by inserting a delay between turning the clock on and
reading the sensor I2C registers for the first time.

Tested on Amstrad Delta with the now out-of-tree but still locally
maintained omap1_camera host driver.

Fixes: 9aea470b399d ("[media] soc-camera: switch I2C subdevice drivers to use v4l2-clk")

Signed-off-by: Janusz Krzysztofik <jmkrzyszt@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/i2c/soc_camera/ov6650.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/media/i2c/soc_camera/ov6650.c
+++ b/drivers/media/i2c/soc_camera/ov6650.c
@@ -843,6 +843,8 @@ static int ov6650_video_probe(struct i2c
 	if (ret < 0)
 		return ret;
 
+	msleep(20);
+
 	/*
 	 * check and show product ID and manufacturer ID
 	 */
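
Review bot: the new `msleep(20)` is a bare magic number; add a comment saying what it waits for (the sensor clock settling before the first I2C register read, per the commit message) and where the 20 ms figure comes from, so a later reader does not remove it as a stray delay.
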



* [PATCH 4.4 043/241] NFS4: Fix v4.0 client state corruption when mount
From: Greg Kroah-Hartman @ 2019-06-09 16:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, ZhangXiaoxu, Anna Schumaker

From: ZhangXiaoxu <zhangxiaoxu5@huawei.com>

commit f02f3755dbd14fb935d24b14650fff9ba92243b8 upstream.

The stat command with a soft mount never returns after the server is stopped.

When allocating a new client, the state of the client is set to
NFS4CLNT_LEASE_EXPIRED.

When the server is stopped, the state manager runs and recovers
according to the state. But since the state is NFS4CLNT_LEASE_EXPIRED, it
drains the slot table and sends other tasks to the wait queue until
the client has recovered. So the stat command hangs.

When discovering server trunking, the client renews the lease but
checks the client state, which leads to client state corruption.

So we need to call the state manager to recover it when detecting server
IP trunking.

Signed-off-by: ZhangXiaoxu <zhangxiaoxu5@huawei.com>
Cc: stable@vger.kernel.org
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/nfs/nfs4state.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/fs/nfs/nfs4state.c
+++ b/fs/nfs/nfs4state.c
@@ -140,6 +140,10 @@ int nfs40_discover_server_trunking(struc
 		/* Sustain the lease, even if it's empty.  If the clientid4
 		 * goes stale it's of no use for trunking discovery. */
 		nfs4_schedule_state_renewal(*result);
+
+		/* If the client state need to recover, do it. */
+		if (clp->cl_state)
+			nfs4_schedule_state_manager(clp);
 	}
 out:
 	return status;
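
Review bot: the comment "If the client state need to recover, do it." should read "If the client has state flags pending, kick the state manager." Also, `clp->cl_state` is tested as a whole bitmask, so any pending flag, not only the NFS4CLNT_LEASE_EXPIRED case described in the commit message, schedules the state manager from here; confirm that is intended rather than a targeted test_bit().
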



* [PATCH 4.4 044/241] clk: tegra: Fix PLLM programming on Tegra124+ when PMC overrides divider
From: Greg Kroah-Hartman @ 2019-06-09 16:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Steev Klimaszewski, Dmitry Osipenko,
	Peter De Schrijver, Stephen Boyd

From: Dmitry Osipenko <digetx@gmail.com>

commit 40db569d6769ffa3864fd1b89616b1a7323568a8 upstream.

There are wrongly placed parentheses in the code that result in a
wrong configuration being programmed for PLLM. The original fix was made
by Danny Huang in the downstream kernel. The patch was tested on a Nyan Big
Tegra124 Chromebook; PLLM rate changing works correctly now and the system
doesn't lock up after changing the PLLM rate due to EMC scaling.

Cc: <stable@vger.kernel.org>
Tested-by: Steev Klimaszewski <steev@kali.org>
Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
Acked-By: Peter De Schrijver <pdeschrijver@nvidia.com>
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/clk/tegra/clk-pll.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/clk/tegra/clk-pll.c
+++ b/drivers/clk/tegra/clk-pll.c
@@ -492,8 +492,8 @@ static void _update_pll_mnp(struct tegra
 		pll_override_writel(val, params->pmc_divp_reg, pll);
 
 		val = pll_override_readl(params->pmc_divnm_reg, pll);
-		val &= ~(divm_mask(pll) << div_nmp->override_divm_shift) |
-			~(divn_mask(pll) << div_nmp->override_divn_shift);
+		val &= ~((divm_mask(pll) << div_nmp->override_divm_shift) |
+			(divn_mask(pll) << div_nmp->override_divn_shift));
 		val |= (cfg->m << div_nmp->override_divm_shift) |
 			(cfg->n << div_nmp->override_divn_shift);
 		pll_override_writel(val, params->pmc_divnm_reg, pll);
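
Review bot: the fix is right: `~(A) | ~(B)` clears only bits present in both shifted masks, which for two non-overlapping divider fields is none, so the old code cleared nothing and the following `val |=` left stale M/N bits set; `~((A) | (B))` clears both fields. A named macro for the combined override mask would keep the parenthesisation from regressing again.
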



* [PATCH 4.4 045/241] fuse: fix writepages on 32bit
From: Greg Kroah-Hartman @ 2019-06-09 16:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Antonio SJ Musumeci, Miklos Szeredi

From: Miklos Szeredi <mszeredi@redhat.com>

commit 9de5be06d0a89ca97b5ab902694d42dfd2bb77d2 upstream.

Writepage requests were cropped to i_size & 0xffffffff, which meant that
mmaped writes to any file larger than 4G might be silently discarded.

Fix by storing the file size in a properly sized variable (loff_t instead
of size_t).

Reported-by: Antonio SJ Musumeci <trapexit@spawn.link>
Fixes: 6eaf4782eb09 ("fuse: writepages: crop secondary requests")
Cc: <stable@vger.kernel.org> # v3.13
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/fuse/file.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -1533,7 +1533,7 @@ __acquires(fc->lock)
 {
 	struct fuse_conn *fc = get_fuse_conn(inode);
 	struct fuse_inode *fi = get_fuse_inode(inode);
-	size_t crop = i_size_read(inode);
+	loff_t crop = i_size_read(inode);
 	struct fuse_req *req;
 
 	while (fi->writectr >= 0 && !list_empty(&fi->queued_writes)) {
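
Review bot: widening crop to loff_t fixes the 32-bit truncation at the declaration, but the comparisons against crop inside the loop (not in the hunk) should be checked to use loff_t/off_t operands as well; a size_t request length mixed into the same expression on 32-bit would reintroduce the problem.
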



* [PATCH 4.4 046/241] fuse: honor RLIMIT_FSIZE in fuse_file_fallocate
From: Greg Kroah-Hartman @ 2019-06-09 16:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Liu Bo, Miklos Szeredi

From: Liu Bo <bo.liu@linux.alibaba.com>

commit 0cbade024ba501313da3b7e5dd2a188a6bc491b5 upstream.

fstests generic/228 reported this failure that fuse fallocate does not
honor what 'ulimit -f' has set.

This adds the necessary inode_newsize_ok() check.

Signed-off-by: Liu Bo <bo.liu@linux.alibaba.com>
Fixes: 05ba1f082300 ("fuse: add FALLOCATE operation")
Cc: <stable@vger.kernel.org> # v3.5
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/fuse/file.c |    7 +++++++
 1 file changed, 7 insertions(+)

--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -2947,6 +2947,13 @@ static long fuse_file_fallocate(struct f
 		}
 	}
 
+	if (!(mode & FALLOC_FL_KEEP_SIZE) &&
+	    offset + length > i_size_read(inode)) {
+		err = inode_newsize_ok(inode, offset + length);
+		if (err)
+			return err;
+	}
+
 	if (!(mode & FALLOC_FL_KEEP_SIZE))
 		set_bit(FUSE_I_SIZE_UNSTABLE, &fi->state);
 
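
Review bot: `return err` leaves fuse_file_fallocate() directly; if the inode lock was taken earlier in this function (the lock_inode path above the hunk), the failure returns with it still held. The size check should fail through the function's existing unlock/out path (set err and `goto out`) rather than returning here.
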



* [PATCH 4.4 047/241] iommu/tegra-smmu: Fix invalid ASID bits on Tegra30/114
From: Greg Kroah-Hartman @ 2019-06-09 16:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dmitry Osipenko, Thierry Reding,
	Joerg Roedel

From: Dmitry Osipenko <digetx@gmail.com>

commit 43a0541e312f7136e081e6bf58f6c8a2e9672688 upstream.

Both Tegra30 and Tegra114 have 4 ASIDs, and the corresponding bitfield of
the TLB_FLUSH register differs from later Tegra generations, which have 128
ASIDs.

As a result, the PTEs are now flushed correctly from the TLB, and this fixes
problems with graphics (randomly failing tests) on Tegra30.

Cc: stable <stable@vger.kernel.org>
Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
Acked-by: Thierry Reding <treding@nvidia.com>
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iommu/tegra-smmu.c |   25 ++++++++++++++++++-------
 1 file changed, 18 insertions(+), 7 deletions(-)

--- a/drivers/iommu/tegra-smmu.c
+++ b/drivers/iommu/tegra-smmu.c
@@ -91,7 +91,6 @@ static inline u32 smmu_readl(struct tegr
 #define  SMMU_TLB_FLUSH_VA_MATCH_ALL     (0 << 0)
 #define  SMMU_TLB_FLUSH_VA_MATCH_SECTION (2 << 0)
 #define  SMMU_TLB_FLUSH_VA_MATCH_GROUP   (3 << 0)
-#define  SMMU_TLB_FLUSH_ASID(x)          (((x) & 0x7f) << 24)
 #define  SMMU_TLB_FLUSH_VA_SECTION(addr) ((((addr) & 0xffc00000) >> 12) | \
 					  SMMU_TLB_FLUSH_VA_MATCH_SECTION)
 #define  SMMU_TLB_FLUSH_VA_GROUP(addr)   ((((addr) & 0xffffc000) >> 12) | \
@@ -194,8 +193,12 @@ static inline void smmu_flush_tlb_asid(s
 {
 	u32 value;
 
-	value = SMMU_TLB_FLUSH_ASID_MATCH | SMMU_TLB_FLUSH_ASID(asid) |
-		SMMU_TLB_FLUSH_VA_MATCH_ALL;
+	if (smmu->soc->num_asids == 4)
+		value = (asid & 0x3) << 29;
+	else
+		value = (asid & 0x7f) << 24;
+
+	value |= SMMU_TLB_FLUSH_ASID_MATCH | SMMU_TLB_FLUSH_VA_MATCH_ALL;
 	smmu_writel(smmu, value, SMMU_TLB_FLUSH);
 }
 
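
Review bot: the ASID field selection is open-coded three times (here and in the two hunks that follow) with the magic `<< 29` / `<< 24` shifts and the 0x3 / 0x7f masks; factor it into one helper, e.g. a `smmu_tlb_flush_asid(smmu, asid)` that picks the layout from `smmu->soc->num_asids`, and give the two layouts named defines in place of the removed SMMU_TLB_FLUSH_ASID().
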
@@ -205,8 +208,12 @@ static inline void smmu_flush_tlb_sectio
 {
 	u32 value;
 
-	value = SMMU_TLB_FLUSH_ASID_MATCH | SMMU_TLB_FLUSH_ASID(asid) |
-		SMMU_TLB_FLUSH_VA_SECTION(iova);
+	if (smmu->soc->num_asids == 4)
+		value = (asid & 0x3) << 29;
+	else
+		value = (asid & 0x7f) << 24;
+
+	value |= SMMU_TLB_FLUSH_ASID_MATCH | SMMU_TLB_FLUSH_VA_SECTION(iova);
 	smmu_writel(smmu, value, SMMU_TLB_FLUSH);
 }
 
@@ -216,8 +223,12 @@ static inline void smmu_flush_tlb_group(
 {
 	u32 value;
 
-	value = SMMU_TLB_FLUSH_ASID_MATCH | SMMU_TLB_FLUSH_ASID(asid) |
-		SMMU_TLB_FLUSH_VA_GROUP(iova);
+	if (smmu->soc->num_asids == 4)
+		value = (asid & 0x3) << 29;
+	else
+		value = (asid & 0x7f) << 24;
+
+	value |= SMMU_TLB_FLUSH_ASID_MATCH | SMMU_TLB_FLUSH_VA_GROUP(iova);
 	smmu_writel(smmu, value, SMMU_TLB_FLUSH);
 }
 



* [PATCH 4.4 048/241] ceph: flush dirty inodes before proceeding with remount
From: Greg Kroah-Hartman @ 2019-06-09 16:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jeff Layton, Yan, Zheng, Ilya Dryomov

From: Jeff Layton <jlayton@kernel.org>

commit 00abf69dd24f4444d185982379c5cc3bb7b6d1fc upstream.

xfstest generic/452 was triggering a "Busy inodes after umount" warning.
ceph was allowing the mount to go read-only without first flushing out
dirty inodes in the cache. Ensure we sync out the filesystem before
allowing a remount to proceed.

Cc: stable@vger.kernel.org
Link: http://tracker.ceph.com/issues/39571
Signed-off-by: Jeff Layton <jlayton@kernel.org>
Reviewed-by: "Yan, Zheng" <zyan@redhat.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/ceph/super.c |    7 +++++++
 1 file changed, 7 insertions(+)

--- a/fs/ceph/super.c
+++ b/fs/ceph/super.c
@@ -712,6 +712,12 @@ static void ceph_umount_begin(struct sup
 	return;
 }
 
+static int ceph_remount(struct super_block *sb, int *flags, char *data)
+{
+	sync_filesystem(sb);
+	return 0;
+}
+
 static const struct super_operations ceph_super_ops = {
 	.alloc_inode	= ceph_alloc_inode,
 	.destroy_inode	= ceph_destroy_inode,
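
Review bot: ceph_remount() drops the return value of sync_filesystem(); a failed sync should arguably fail the remount (`return sync_filesystem(sb);`). It also ignores *flags and data entirely, so any mount options passed on remount are accepted without being looked at; if that is deliberate, a comment saying so would help.
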
@@ -719,6 +725,7 @@ static const struct super_operations cep
 	.drop_inode	= ceph_drop_inode,
 	.sync_fs        = ceph_sync_fs,
 	.put_super	= ceph_put_super,
+	.remount_fs	= ceph_remount,
 	.show_options   = ceph_show_options,
 	.statfs		= ceph_statfs,
 	.umount_begin   = ceph_umount_begin,



* [PATCH 4.4 049/241] tracing: Fix partial reading of trace events id file
From: Greg Kroah-Hartman @ 2019-06-09 16:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Orit Wasserman, Oleg Nesterov,
	Ingo Molnar, Elazar Leibovich, Steven Rostedt (VMware)

From: Elazar Leibovich <elazar@lightbitslabs.com>

commit cbe08bcbbe787315c425dde284dcb715cfbf3f39 upstream.

When reading only part of the id file, the ppos isn't tracked correctly.
This is taken care of by simple_read_from_buffer.

Reading a single byte, and then the next byte, would result in EOF.

While this seems like not a big deal, this breaks abstractions that
read information from files unbuffered. See for example
https://github.com/golang/go/issues/29399

This code was mentioned as problematic in
commit cd458ba9d5a5
("tracing: Do not (ab)use trace_seq in event_id_read()")

An example C program that shows this bug is:

  #include <stdio.h>
  #include <stdint.h>

  #include <sys/types.h>
  #include <sys/stat.h>
  #include <fcntl.h>
  #include <unistd.h>

  int main(int argc, char **argv) {
    if (argc < 2)
      return 1;
    int fd = open(argv[1], O_RDONLY);
    if (fd < 0) {
      perror("open");
      return 1;
    }
    char c = '?';
    ssize_t n = read(fd, &c, 1);
    printf("First  %c (read returned %zd)\n", c, n);
    /* On an affected kernel this second read returns 0 (EOF), so c is
     * left unchanged and the first character is printed again. */
    n = read(fd, &c, 1);
    printf("Second %c (read returned %zd)\n", c, n);
    close(fd);
    return 0;
  }

Then run with, e.g.

  sudo ./a.out /sys/kernel/debug/tracing/events/tcp/tcp_set_state/id

You'll notice you're getting the first character twice, instead of the
first two characters in the id file.

Link: http://lkml.kernel.org/r/20181231115837.4932-1-elazar@lightbitslabs.com

Cc: Orit Wasserman <orit.was@gmail.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: stable@vger.kernel.org
Fixes: 23725aeeab10b ("ftrace: provide an id file for each event")
Signed-off-by: Elazar Leibovich <elazar@lightbitslabs.com>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/trace/trace_events.c |    3 ---
 1 file changed, 3 deletions(-)

--- a/kernel/trace/trace_events.c
+++ b/kernel/trace/trace_events.c
@@ -1288,9 +1288,6 @@ event_id_read(struct file *filp, char __
 	char buf[32];
 	int len;
 
-	if (*ppos)
-		return 0;
-
 	if (unlikely(!id))
 		return -ENODEV;
 
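Review bot: removing the `if (*ppos) return 0;` early exit is only correct if the function's return path goes through simple_read_from_buffer(), which is not visible in this hunk; the commit message says it does, but please confirm, because otherwise every read would start at offset 0 and never report EOF. Note also that `if (unlikely(!id)) return -ENODEV;` now runs on every read rather than only on the first one, which is harmless but changes the error seen by a reader that has already consumed part of the file.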



^ permalink raw reply	[flat|nested] 250+ messages in thread
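As an added illustration of the ppos problem the commit message describes (this is an example written for this review, not code from the patch or from the kernel), here is a userspace model of simple_read_from_buffer() together with event_id_read() as it behaved before and after the change, driven one byte per read the way an unbuffered consumer would. The function names, the `SAMPLE_ID` contents and the `off_t`-based signature are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/*
 * Userspace model of the kernel's simple_read_from_buffer() (constructed for
 * this example, not the kernel's code): copy up to `count` bytes starting at
 * *ppos from an `available`-byte buffer, advance *ppos, and return the number
 * of bytes copied, or 0 at end of file.
 */
static ssize_t model_read_from_buffer(char *to, size_t count, off_t *ppos,
				      const char *from, size_t available)
{
	off_t pos = *ppos;

	if (pos < 0)
		return -1;		/* the kernel returns -EINVAL here */
	if ((size_t)pos >= available || count == 0)
		return 0;		/* EOF */
	if (count > available - (size_t)pos)
		count = available - (size_t)pos;
	memcpy(to, from + pos, count);
	*ppos = pos + (off_t)count;
	return (ssize_t)count;
}

/* Signature shared by both read models: (file contents, dst, count, ppos). */
typedef ssize_t (*id_read_fn)(const char *, char *, size_t, off_t *);

/*
 * event_id_read() as it behaved before the patch: any non-zero *ppos is
 * treated as EOF, so a partial first read makes the second read return 0.
 */
static ssize_t id_read_before(const char *id_text, char *to, size_t count,
			      off_t *ppos)
{
	if (*ppos)
		return 0;
	return model_read_from_buffer(to, count, ppos, id_text, strlen(id_text));
}

/* After the patch: *ppos is left entirely to the buffer helper. */
static ssize_t id_read_after(const char *id_text, char *to, size_t count,
			     off_t *ppos)
{
	return model_read_from_buffer(to, count, ppos, id_text, strlen(id_text));
}

/*
 * Drain the file one byte per read() through the given model and return how
 * many bytes the caller obtained; `out` receives the NUL-terminated result.
 */
static size_t read_bytewise(id_read_fn op, const char *id_text,
			    char *out, size_t outlen)
{
	off_t pos = 0;
	size_t n = 0;

	while (n + 1 < outlen) {
		ssize_t r = op(id_text, out + n, 1, &pos);

		if (r <= 0)
			break;
		n += (size_t)r;
	}
	out[n] = '\0';
	return n;
}

/* Constructed sample contents of an events/.../id file (not a real id). */
static const char SAMPLE_ID[] = "1423\n";

/* Bytes a byte-at-a-time reader gets from the buggy (fixed == 0) or fixed model. */
size_t bytes_read_bytewise(int fixed)
{
	char buf[16];

	return read_bytewise(fixed ? id_read_after : id_read_before,
			     SAMPLE_ID, buf, sizeof(buf));
}

/* 1 if the fixed model hands back the complete sample text, 0 otherwise. */
int fixed_model_returns_whole_file(void)
{
	char buf[16];

	read_bytewise(id_read_after, SAMPLE_ID, buf, sizeof(buf));
	return strcmp(buf, SAMPLE_ID) == 0;
}

int main(void)
{
	printf("before the fix: %zu byte(s) readable one byte at a time\n",
	       bytes_read_bytewise(0));
	printf("after the fix:  %zu byte(s) readable one byte at a time\n",
	       bytes_read_bytewise(1));
	return 0;
}
```

The "before" model gives up after a single byte because the early `*ppos` check turns the second call into EOF; the "after" model reads all five bytes because the buffer helper is the only thing that inspects and advances the offset.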

* [PATCH 4.4 050/241] memory: tegra: Fix integer overflow on tick value calculation
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (48 preceding siblings ...)
  2019-06-09 16:39 ` [PATCH 4.4 049/241] tracing: Fix partial reading of trace events id file Greg Kroah-Hartman
@ 2019-06-09 16:39 ` Greg Kroah-Hartman
  2019-06-09 16:39 ` [PATCH 4.4 051/241] perf intel-pt: Fix instructions sampling rate Greg Kroah-Hartman
                   ` (195 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:39 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dmitry Osipenko, Thierry Reding

From: Dmitry Osipenko <digetx@gmail.com>

commit b906c056b6023c390f18347169071193fda57dde upstream.

Multiplying the Memory Controller clock rate by the tick count results
in an integer overflow, and as a result the truncated tick value is
programmed into hardware, such that GR3D memory client performance is
reduced by a factor of two.

Cc: stable <stable@vger.kernel.org>
Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
Signed-off-by: Thierry Reding <treding@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/memory/tegra/mc.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/memory/tegra/mc.c
+++ b/drivers/memory/tegra/mc.c
@@ -72,7 +72,7 @@ static int tegra_mc_setup_latency_allowa
 	u32 value;
 
 	/* compute the number of MC clock cycles per tick */
-	tick = mc->tick * clk_get_rate(mc->clk);
+	tick = (unsigned long long)mc->tick * clk_get_rate(mc->clk);
 	do_div(tick, NSEC_PER_SEC);
 
 	value = readl(mc->regs + MC_EMEM_ARB_CFG);
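Review bot: the `(unsigned long long)` cast on the right-hand side only helps if `tick` itself is a 64-bit variable (u64 / unsigned long long), which do_div() also requires; the declaration is outside this hunk, so please confirm it. A one-line comment saying the cast is there to keep `mc->tick * clk_get_rate(mc->clk)` from overflowing 32 bits would stop a later cleanup from dropping it as redundant.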




* [PATCH 4.4 051/241] perf intel-pt: Fix instructions sampling rate
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (49 preceding siblings ...)
  2019-06-09 16:39 ` [PATCH 4.4 050/241] memory: tegra: Fix integer overflow on tick value calculation Greg Kroah-Hartman
@ 2019-06-09 16:39 ` Greg Kroah-Hartman
  2019-06-09 16:39 ` [PATCH 4.4 052/241] perf intel-pt: Fix improved sample timestamp Greg Kroah-Hartman
                   ` (194 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Adrian Hunter, Jiri Olsa,
	Arnaldo Carvalho de Melo

From: Adrian Hunter <adrian.hunter@intel.com>

commit 7ba8fa20e26eb3c0c04d747f7fd2223694eac4d5 upstream.

The timestamp used to determine if an instruction sample is made is an
estimate based on the number of instructions since the last known
timestamp. A consequence is that it might go backwards, which results in
extra samples. Change it so that a sample is only made when the
timestamp goes forwards.

Note this does not affect a sampling period of 0 or sampling periods
specified as a count of instructions.

Example:

 Before:

 $ perf script --itrace=i10us
 ls 13812 [003] 2167315.222583:       3270 instructions:u:      7fac71e2e494 __GI___tunables_init+0xf4 (/lib/x86_64-linux-gnu/ld-2.28.so)
 ls 13812 [003] 2167315.222667:      30902 instructions:u:      7fac71e2da0f _dl_cache_libcmp+0x2f (/lib/x86_64-linux-gnu/ld-2.28.so)
 ls 13812 [003] 2167315.222667:         10 instructions:u:      7fac71e2d9ff _dl_cache_libcmp+0x1f (/lib/x86_64-linux-gnu/ld-2.28.so)
 ls 13812 [003] 2167315.222667:          8 instructions:u:      7fac71e2d9ea _dl_cache_libcmp+0xa (/lib/x86_64-linux-gnu/ld-2.28.so)
 ls 13812 [003] 2167315.222667:         14 instructions:u:      7fac71e2d9ea _dl_cache_libcmp+0xa (/lib/x86_64-linux-gnu/ld-2.28.so)
 ls 13812 [003] 2167315.222667:          6 instructions:u:      7fac71e2d9ff _dl_cache_libcmp+0x1f (/lib/x86_64-linux-gnu/ld-2.28.so)
 ls 13812 [003] 2167315.222667:         14 instructions:u:      7fac71e2d9ff _dl_cache_libcmp+0x1f (/lib/x86_64-linux-gnu/ld-2.28.so)
 ls 13812 [003] 2167315.222667:          4 instructions:u:      7fac71e2dab2 _dl_cache_libcmp+0xd2 (/lib/x86_64-linux-gnu/ld-2.28.so)
 ls 13812 [003] 2167315.222728:      16423 instructions:u:      7fac71e2477a _dl_map_object_deps+0x1ba (/lib/x86_64-linux-gnu/ld-2.28.so)
 ls 13812 [003] 2167315.222734:      12731 instructions:u:      7fac71e27938 _dl_name_match_p+0x68 (/lib/x86_64-linux-gnu/ld-2.28.so)
 ...

 After:
 $ perf script --itrace=i10us
 ls 13812 [003] 2167315.222583:       3270 instructions:u:      7fac71e2e494 __GI___tunables_init+0xf4 (/lib/x86_64-linux-gnu/ld-2.28.so)
 ls 13812 [003] 2167315.222667:      30902 instructions:u:      7fac71e2da0f _dl_cache_libcmp+0x2f (/lib/x86_64-linux-gnu/ld-2.28.so)
 ls 13812 [003] 2167315.222728:      16479 instructions:u:      7fac71e2477a _dl_map_object_deps+0x1ba (/lib/x86_64-linux-gnu/ld-2.28.so)
 ...

Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: stable@vger.kernel.org
Fixes: f4aa081949e7b ("perf tools: Add Intel PT decoder")
Link: http://lkml.kernel.org/r/20190510124143.27054-2-adrian.hunter@intel.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 tools/perf/util/intel-pt-decoder/intel-pt-decoder.c |   13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

--- a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
+++ b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
@@ -854,16 +854,20 @@ static uint64_t intel_pt_next_period(str
 	timestamp = decoder->timestamp + decoder->timestamp_insn_cnt;
 	masked_timestamp = timestamp & decoder->period_mask;
 	if (decoder->continuous_period) {
-		if (masked_timestamp != decoder->last_masked_timestamp)
+		if (masked_timestamp > decoder->last_masked_timestamp)
 			return 1;
 	} else {
 		timestamp += 1;
 		masked_timestamp = timestamp & decoder->period_mask;
-		if (masked_timestamp != decoder->last_masked_timestamp) {
+		if (masked_timestamp > decoder->last_masked_timestamp) {
 			decoder->last_masked_timestamp = masked_timestamp;
 			decoder->continuous_period = true;
 		}
 	}
+
+	if (masked_timestamp < decoder->last_masked_timestamp)
+		return decoder->period_ticks;
+
 	return decoder->period_ticks - (timestamp - masked_timestamp);
 }
 
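Review bot: the new `if (masked_timestamp < decoder->last_masked_timestamp) return decoder->period_ticks;` deserves a comment: it is the backwards-estimate case from the commit message, and returning a whole period instead of `period_ticks - (timestamp - masked_timestamp)` (which would be computed from a timestamp that has moved backwards) is the intended behaviour. Note that in the `else` branch last_masked_timestamp is only updated when the masked timestamp advanced, so the new check cannot fire in the same call that sets continuous_period.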
@@ -892,7 +896,10 @@ static void intel_pt_sample_insn(struct
 	case INTEL_PT_PERIOD_TICKS:
 		timestamp = decoder->timestamp + decoder->timestamp_insn_cnt;
 		masked_timestamp = timestamp & decoder->period_mask;
-		decoder->last_masked_timestamp = masked_timestamp;
+		if (masked_timestamp > decoder->last_masked_timestamp)
+			decoder->last_masked_timestamp = masked_timestamp;
+		else
+			decoder->last_masked_timestamp += decoder->period_ticks;
 		break;
 	case INTEL_PT_PERIOD_NONE:
 	case INTEL_PT_PERIOD_MTC:
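Review bot: the new `else` branch in intel_pt_sample_insn() also covers the equality case (masked_timestamp == last_masked_timestamp), so a sample taken at exactly the last masked timestamp advances last_masked_timestamp by a full period. If that is intended (to avoid a second sample inside the same period), a one-line comment saying so would help, since intel_pt_next_period() now treats `<` and `>` differently.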




* [PATCH 4.4 052/241] perf intel-pt: Fix improved sample timestamp
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (50 preceding siblings ...)
  2019-06-09 16:39 ` [PATCH 4.4 051/241] perf intel-pt: Fix instructions sampling rate Greg Kroah-Hartman
@ 2019-06-09 16:39 ` Greg Kroah-Hartman
  2019-06-09 16:39 ` [PATCH 4.4 053/241] perf intel-pt: Fix sample timestamp wrt non-taken branches Greg Kroah-Hartman
                   ` (193 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Adrian Hunter, Jiri Olsa,
	Arnaldo Carvalho de Melo

From: Adrian Hunter <adrian.hunter@intel.com>

commit 61b6e08dc8e3ea80b7485c9b3f875ddd45c8466b upstream.

The decoder uses its current timestamp in samples. Usually that is a
timestamp that has already passed, but in some cases it is a timestamp
for a branch that the decoder is walking towards, and consequently
hasn't reached.

The intel_pt_sample_time() function decides which is which, but was not
handling TNT packets exactly correctly.

In the case of TNT, the timestamp applies to the first branch, so the
decoder must first walk to that branch.

That means intel_pt_sample_time() should return true for TNT, and this
patch makes that change. However, if the first branch is a non-taken
branch (i.e. a 'N'), then intel_pt_sample_time() needs to return false
for subsequent taken branches in the same TNT packet.

To handle that, introduce a new state INTEL_PT_STATE_TNT_CONT to
distinguish the cases.

Note that commit 3f04d98e972b5 ("perf intel-pt: Improve sample
timestamp") was also a stable fix and appears, for example, in v4.4
stable tree as commit a4ebb58fd124 ("perf intel-pt: Improve sample
timestamp").

Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: stable@vger.kernel.org # v4.4+
Fixes: 3f04d98e972b5 ("perf intel-pt: Improve sample timestamp")
Link: http://lkml.kernel.org/r/20190510124143.27054-3-adrian.hunter@intel.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 tools/perf/util/intel-pt-decoder/intel-pt-decoder.c |   13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

--- a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
+++ b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
@@ -58,6 +58,7 @@ enum intel_pt_pkt_state {
 	INTEL_PT_STATE_NO_IP,
 	INTEL_PT_STATE_ERR_RESYNC,
 	INTEL_PT_STATE_IN_SYNC,
+	INTEL_PT_STATE_TNT_CONT,
 	INTEL_PT_STATE_TNT,
 	INTEL_PT_STATE_TIP,
 	INTEL_PT_STATE_TIP_PGD,
@@ -72,8 +73,9 @@ static inline bool intel_pt_sample_time(
 	case INTEL_PT_STATE_NO_IP:
 	case INTEL_PT_STATE_ERR_RESYNC:
 	case INTEL_PT_STATE_IN_SYNC:
-	case INTEL_PT_STATE_TNT:
+	case INTEL_PT_STATE_TNT_CONT:
 		return true;
+	case INTEL_PT_STATE_TNT:
 	case INTEL_PT_STATE_TIP:
 	case INTEL_PT_STATE_TIP_PGD:
 	case INTEL_PT_STATE_FUP:
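Review bot: moving `case INTEL_PT_STATE_TNT:` below `return true;` so that it falls through into the false group is the whole point of the change, but it is easy to misread as a misplaced label; a comment on the TNT case (the timestamp applies to the first branch of the packet, which the decoder has not reached yet, whereas TNT_CONT means the first branch has already been walked) would put the intent in the code and not only in the commit message.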
@@ -1148,7 +1150,9 @@ static int intel_pt_walk_tnt(struct inte
 				return -ENOENT;
 			}
 			decoder->tnt.count -= 1;
-			if (!decoder->tnt.count)
+			if (decoder->tnt.count)
+				decoder->pkt_state = INTEL_PT_STATE_TNT_CONT;
+			else
 				decoder->pkt_state = INTEL_PT_STATE_IN_SYNC;
 			decoder->tnt.payload <<= 1;
 			decoder->state.from_ip = decoder->ip;
@@ -1179,7 +1183,9 @@ static int intel_pt_walk_tnt(struct inte
 
 		if (intel_pt_insn.branch == INTEL_PT_BR_CONDITIONAL) {
 			decoder->tnt.count -= 1;
-			if (!decoder->tnt.count)
+			if (decoder->tnt.count)
+				decoder->pkt_state = INTEL_PT_STATE_TNT_CONT;
+			else
 				decoder->pkt_state = INTEL_PT_STATE_IN_SYNC;
 			if (decoder->tnt.payload & BIT63) {
 				decoder->tnt.payload <<= 1;
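Review bot: this is the second copy in intel_pt_walk_tnt() of the `tnt.count -= 1; pkt_state = count ? INTEL_PT_STATE_TNT_CONT : INTEL_PT_STATE_IN_SYNC` sequence (the first is in the previous hunk); a small static helper would keep the two paths from drifting apart the next time the state logic changes.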
@@ -2123,6 +2129,7 @@ const struct intel_pt_state *intel_pt_de
 			err = intel_pt_walk_trace(decoder);
 			break;
 		case INTEL_PT_STATE_TNT:
+		case INTEL_PT_STATE_TNT_CONT:
 			err = intel_pt_walk_tnt(decoder);
 			if (err == -EAGAIN)
 				err = intel_pt_walk_trace(decoder);
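Review bot: two `switch` statements on pkt_state in this patch needed the new INTEL_PT_STATE_TNT_CONT label (intel_pt_sample_time() and this decode loop); please check that no other `switch (decoder->pkt_state)` in the decoder lists INTEL_PT_STATE_TNT without also handling INTEL_PT_STATE_TNT_CONT, since a missed one would silently take its default path for the new state.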




* [PATCH 4.4 053/241] perf intel-pt: Fix sample timestamp wrt non-taken branches
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (51 preceding siblings ...)
  2019-06-09 16:39 ` [PATCH 4.4 052/241] perf intel-pt: Fix improved sample timestamp Greg Kroah-Hartman
@ 2019-06-09 16:39 ` Greg Kroah-Hartman
  2019-06-09 16:39 ` [PATCH 4.4 054/241] fbdev: sm712fb: fix brightness control on reboot, dont set SR30 Greg Kroah-Hartman
                   ` (192 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Adrian Hunter, Jiri Olsa,
	Arnaldo Carvalho de Melo

From: Adrian Hunter <adrian.hunter@intel.com>

commit 1b6599a9d8e6c9f7e9b0476012383b1777f7fc93 upstream.

The sample timestamp is updated to ensure that the timestamp represents
the time of the sample and not a branch that the decoder is still
walking towards. The sample timestamp is updated when the decoder
returns, but the decoder does not return for non-taken branches. Update
the sample timestamp then also.

Note that commit 3f04d98e972b5 ("perf intel-pt: Improve sample
timestamp") was also a stable fix and appears, for example, in v4.4
stable tree as commit a4ebb58fd124 ("perf intel-pt: Improve sample
timestamp").

Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: stable@vger.kernel.org # v4.4+
Fixes: 3f04d98e972b ("perf intel-pt: Improve sample timestamp")
Link: http://lkml.kernel.org/r/20190510124143.27054-4-adrian.hunter@intel.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 tools/perf/util/intel-pt-decoder/intel-pt-decoder.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
+++ b/tools/perf/util/intel-pt-decoder/intel-pt-decoder.c
@@ -1205,8 +1205,11 @@ static int intel_pt_walk_tnt(struct inte
 				return 0;
 			}
 			decoder->ip += intel_pt_insn.length;
-			if (!decoder->tnt.count)
+			if (!decoder->tnt.count) {
+				decoder->sample_timestamp = decoder->timestamp;
+				decoder->sample_insn_cnt = decoder->timestamp_insn_cnt;
 				return -EAGAIN;
+			}
 			decoder->tnt.payload <<= 1;
 			continue;
 		}
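Review bot: the two assignments added before `return -EAGAIN;` (sample_timestamp = timestamp, sample_insn_cnt = timestamp_insn_cnt) mirror the update that, per the commit message, already happens when the decoder returns; with the same pair now in at least two places, a small inline helper such as an intel_pt_update_sample_time() would keep them in sync.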




* [PATCH 4.4 054/241] fbdev: sm712fb: fix brightness control on reboot, dont set SR30
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (52 preceding siblings ...)
  2019-06-09 16:39 ` [PATCH 4.4 053/241] perf intel-pt: Fix sample timestamp wrt non-taken branches Greg Kroah-Hartman
@ 2019-06-09 16:39 ` Greg Kroah-Hartman
  2019-06-09 16:39 ` [PATCH 4.4 055/241] fbdev: sm712fb: fix VRAM detection, dont set SR70/71/74/75 Greg Kroah-Hartman
                   ` (191 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yifeng Li, Sudip Mukherjee,
	Teddy Wang, Bartlomiej Zolnierkiewicz

From: Yifeng Li <tomli@tomli.me>

commit 5481115e25e42b9215f2619452aa99c95f08492f upstream.

On a Thinkpad s30 (Pentium III / i440MX, Lynx3DM), rebooting with the
sm712fb framebuffer driver would cause the roles of the brightness up/down
buttons to swap.

Experiments showed the FPR30 register caused this behavior. Moreover,
even if this register doesn't have side effects on other systems,
overwriting it is also highly questionable, since it was originally
configured by the motherboard manufacturer by hardwiring pull-down
resistors to indicate the type of LCD panel. We should not mess with
it.

Stop writing to the SR30 (a.k.a. FPR30) register.

Signed-off-by: Yifeng Li <tomli@tomli.me>
Tested-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Cc: Teddy Wang <teddy.wang@siliconmotion.com>
Cc: <stable@vger.kernel.org>  # v4.4+
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/video/fbdev/sm712fb.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/video/fbdev/sm712fb.c
+++ b/drivers/video/fbdev/sm712fb.c
@@ -1144,8 +1144,8 @@ static void sm7xx_set_timing(struct smtc
 
 		/* init SEQ register SR30 - SR75 */
 		for (i = 0; i < SIZE_SR30_SR75; i++)
-			if ((i + 0x30) != 0x62 && (i + 0x30) != 0x6a &&
-			    (i + 0x30) != 0x6b)
+			if ((i + 0x30) != 0x30 && (i + 0x30) != 0x62 &&
+			    (i + 0x30) != 0x6a && (i + 0x30) != 0x6b)
 				smtc_seqw(i + 0x30,
 					  vgamode[j].init_sr30_sr75[i]);
 
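Review bot: `(i + 0x30) != 0x30` is just `i != 0`, and the exclusion list in this `if` is now four registers long; a static helper with a `switch` over the protected SR registers, each case carrying a comment on why it is skipped (SR30/FPR30: LCD panel type strapped by the board vendor), would read more clearly than a growing chain of `!=` comparisons.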




* [PATCH 4.4 055/241] fbdev: sm712fb: fix VRAM detection, dont set SR70/71/74/75
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (53 preceding siblings ...)
  2019-06-09 16:39 ` [PATCH 4.4 054/241] fbdev: sm712fb: fix brightness control on reboot, dont set SR30 Greg Kroah-Hartman
@ 2019-06-09 16:39 ` Greg Kroah-Hartman
  2019-06-09 16:39 ` [PATCH 4.4 056/241] fbdev: sm712fb: fix white screen of death on reboot, dont set CR3B-CR3F Greg Kroah-Hartman
                   ` (190 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yifeng Li, Sudip Mukherjee,
	Teddy Wang, Bartlomiej Zolnierkiewicz

From: Yifeng Li <tomli@tomli.me>

commit dcf9070595e100942c539e229dde4770aaeaa4e9 upstream.

On a Thinkpad s30 (Pentium III / i440MX, Lynx3DM), the amount of Video
RAM is not detected correctly by the xf86-video-siliconmotion driver.
This is because sm712fb overwrites the GPR71 Scratch Pad Register, which
is set by the BIOS on x86 and used to indicate the amount of VRAM.

Other Scratch Pad Registers, including GPR70/74/75, don't have the same
side effect, but overwriting them is still questionable, as they are
not related to modesetting.

Stop writing to SR70/71/74/75 (a.k.a. GPR70/71/74/75).

Signed-off-by: Yifeng Li <tomli@tomli.me>
Tested-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Cc: Teddy Wang <teddy.wang@siliconmotion.com>
Cc: <stable@vger.kernel.org>  # v4.4+
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/video/fbdev/sm712fb.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/video/fbdev/sm712fb.c
+++ b/drivers/video/fbdev/sm712fb.c
@@ -1145,7 +1145,9 @@ static void sm7xx_set_timing(struct smtc
 		/* init SEQ register SR30 - SR75 */
 		for (i = 0; i < SIZE_SR30_SR75; i++)
 			if ((i + 0x30) != 0x30 && (i + 0x30) != 0x62 &&
-			    (i + 0x30) != 0x6a && (i + 0x30) != 0x6b)
+			    (i + 0x30) != 0x6a && (i + 0x30) != 0x6b &&
+			    (i + 0x30) != 0x70 && (i + 0x30) != 0x71 &&
+			    (i + 0x30) != 0x74 && (i + 0x30) != 0x75)
 				smtc_seqw(i + 0x30,
 					  vgamode[j].init_sr30_sr75[i]);
 
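Review bot: the exclusion chain is now eight comparisons over three lines; a table or `switch` of skipped registers (0x30, 0x62, 0x6a, 0x6b, 0x70, 0x71, 0x74, 0x75) with one comment per group (GPR70/71/74/75: BIOS scratch pads, GPR71 holding the VRAM size the X driver reads) would be easier to audit than extending this `if` each time another register turns out to be sensitive.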




* [PATCH 4.4 056/241] fbdev: sm712fb: fix white screen of death on reboot, dont set CR3B-CR3F
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (54 preceding siblings ...)
  2019-06-09 16:39 ` [PATCH 4.4 055/241] fbdev: sm712fb: fix VRAM detection, dont set SR70/71/74/75 Greg Kroah-Hartman
@ 2019-06-09 16:39 ` Greg Kroah-Hartman
  2019-06-09 16:39 ` [PATCH 4.4 057/241] fbdev: sm712fb: fix boot screen glitch when sm712fb replaces VGA Greg Kroah-Hartman
                   ` (189 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yifeng Li, Sudip Mukherjee,
	Teddy Wang, Bartlomiej Zolnierkiewicz

From: Yifeng Li <tomli@tomli.me>

commit 8069053880e0ee3a75fd6d7e0a30293265fe3de4 upstream.

On a Thinkpad s30 (Pentium III / i440MX, Lynx3DM), rebooting with the
sm712fb framebuffer driver would cause a white screen of death on
the next POST, presumably because the proper timings for the LCD panel were
not reprogrammed properly by the BIOS.

Experiments showed a few CRTC Scratch Registers, including CRT3D,
CRT3E and CRT3F, may be used internally by the BIOS as flags. CRT3B is
a hardware testing register; we shouldn't mess with it. CRT3C has
blanking signal and line compare control, which is not needed for this
driver.

Stop writing to the CR3B-CR3F (a.k.a. CRT3B-CRT3F) registers. Even if these
registers don't have side effects on other systems, writing to them is
also highly questionable.

Signed-off-by: Yifeng Li <tomli@tomli.me>
Tested-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Cc: Teddy Wang <teddy.wang@siliconmotion.com>
Cc: <stable@vger.kernel.org>  # v4.4+
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/video/fbdev/sm712fb.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/video/fbdev/sm712fb.c
+++ b/drivers/video/fbdev/sm712fb.c
@@ -1172,8 +1172,12 @@ static void sm7xx_set_timing(struct smtc
 			smtc_crtcw(i, vgamode[j].init_cr00_cr18[i]);
 
 		/* init CRTC register CR30 - CR4D */
-		for (i = 0; i < SIZE_CR30_CR4D; i++)
+		for (i = 0; i < SIZE_CR30_CR4D; i++) {
+			if ((i + 0x30) >= 0x3B && (i + 0x30) <= 0x3F)
+				/* side-effect, don't write to CR3B-CR3F */
+				continue;
 			smtc_crtcw(i + 0x30, vgamode[j].init_cr30_cr4d[i]);
+		}
 
 		/* init CRTC register CR90 - CRA7 */
 		for (i = 0; i < SIZE_CR90_CRA7; i++)
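Review bot: the comment `/* side-effect, don't write to CR3B-CR3F */` would be more useful if it said what the side effect is (CRT3D-CRT3F are used by the BIOS as flags, CRT3B is a hardware test register), as the commit message does, and kernel style would put it above the `if` rather than between the condition and `continue`. The CRTC loop now uses a range check with `continue` while the SEQ loop in the same function uses an inline `!=` chain; using the same pattern for both would make the skipped-register lists easier to find.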




* [PATCH 4.4 057/241] fbdev: sm712fb: fix boot screen glitch when sm712fb replaces VGA
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (55 preceding siblings ...)
  2019-06-09 16:39 ` [PATCH 4.4 056/241] fbdev: sm712fb: fix white screen of death on reboot, dont set CR3B-CR3F Greg Kroah-Hartman
@ 2019-06-09 16:39 ` Greg Kroah-Hartman
  2019-06-09 16:40 ` [PATCH 4.4 058/241] fbdev: sm712fb: fix crashes during framebuffer writes by correctly mapping VRAM Greg Kroah-Hartman
                   ` (188 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:39 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yifeng Li, Sudip Mukherjee,
	Teddy Wang, Bartlomiej Zolnierkiewicz

From: Yifeng Li <tomli@tomli.me>

commit ec1587d5073f29820e358f3a383850d61601d981 upstream.

When the machine is booted in VGA mode, loading sm712fb would cause
a glitch of random pixels to be shown on the screen. To prevent this from
happening, we first clear the entire framebuffer, and we also need
to stop calling smtcfb_setmode() during initialization; the fbdev
layer will call it for us later when it's ready.

Signed-off-by: Yifeng Li <tomli@tomli.me>
Tested-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Cc: Teddy Wang <teddy.wang@siliconmotion.com>
Cc: <stable@vger.kernel.org>  # v4.4+
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/video/fbdev/sm712fb.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/video/fbdev/sm712fb.c
+++ b/drivers/video/fbdev/sm712fb.c
@@ -1492,7 +1492,11 @@ static int smtcfb_pci_probe(struct pci_d
 	if (err)
 		goto failed;
 
-	smtcfb_setmode(sfb);
+	/*
+	 * The screen would be temporarily garbled when sm712fb takes over
+	 * vesafb or VGA text mode. Zero the framebuffer.
+	 */
+	memset_io(sfb->lfb, 0, sfb->fb->fix.smem_len);
 
 	err = register_framebuffer(info);
 	if (err < 0)
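Review bot: `memset_io(sfb->lfb, 0, sfb->fb->fix.smem_len)` assumes sfb->lfb has already been ioremap()ed with a length that covers all of smem_len at this point in probe; please confirm that for both the SM712 and the SM720 paths (the VRAM-mapping patch later in this series changes the SM720 mapping to `0x00200000 + smem_size`), since clearing past the mapping would fault. Dropping smtcfb_setmode() here relies on the fbdev core calling the driver's set_par later, as the commit message states; a short comment saying so next to the memset_io() would help the next reader.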




* [PATCH 4.4 058/241] fbdev: sm712fb: fix crashes during framebuffer writes by correctly mapping VRAM
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (56 preceding siblings ...)
  2019-06-09 16:39 ` [PATCH 4.4 057/241] fbdev: sm712fb: fix boot screen glitch when sm712fb replaces VGA Greg Kroah-Hartman
@ 2019-06-09 16:40 ` Greg Kroah-Hartman
  2019-06-09 16:40 ` [PATCH 4.4 059/241] fbdev: sm712fb: fix support for 1024x768-16 mode Greg Kroah-Hartman
                   ` (187 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yifeng Li, Sudip Mukherjee,
	Teddy Wang, Bartlomiej Zolnierkiewicz

From: Yifeng Li <tomli@tomli.me>

commit 9e0e59993df0601cddb95c4f6c61aa3d5e753c00 upstream.

On a Thinkpad s30 (Pentium III / i440MX, Lynx3DM), running fbtest or X
will crash the machine instantly, because the VRAM/framebuffer is not
mapped correctly.

On SM712, the framebuffer starts at the beginning of the address space, but
SM720's framebuffer starts at a 1 MiB offset from the beginning. However,
sm712fb fails to take this into account; as a result, writing to the
framebuffer will destroy all the registers and kill the system immediately.
Another problem is that the driver assumes 8 MiB of VRAM for SM720, but some
SM720 systems, such as this IBM Thinkpad, only have 4 MiB of VRAM.

Fix this problem by removing the hardcoded VRAM size, adding a function to
query the amount of VRAM from register MCR76 on SM720, and adding the proper
framebuffer offset.

Please note that the memory map may have additional problems on big-endian
systems, which are not available for testing by myself. But I highly suspect
that the original code is also broken on big-endian machines for SM720, so
at least we are not making the problem worse. Moreover, the driver also assumed
SM710/SM712 has 4 MiB of VRAM, but it has a 2 MiB version as well, used
in earlier laptops such as the IBM Thinkpad 240X; the driver would probably
crash on them. I've never seen one of those machines and cannot fix it, but
I have documented these problems in the comments.

Signed-off-by: Yifeng Li <tomli@tomli.me>
Tested-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Cc: Teddy Wang <teddy.wang@siliconmotion.com>
Cc: <stable@vger.kernel.org>  # v4.4+
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/video/fbdev/sm712.h   |    5 ----
 drivers/video/fbdev/sm712fb.c |   48 ++++++++++++++++++++++++++++++++++++++----
 2 files changed, 44 insertions(+), 9 deletions(-)

--- a/drivers/video/fbdev/sm712.h
+++ b/drivers/video/fbdev/sm712.h
@@ -19,11 +19,6 @@
 #define SCREEN_Y_RES      600
 #define SCREEN_BPP        16
 
-/*Assume SM712 graphics chip has 4MB VRAM */
-#define SM712_VIDEOMEMORYSIZE	  0x00400000
-/*Assume SM722 graphics chip has 8MB VRAM */
-#define SM722_VIDEOMEMORYSIZE	  0x00800000
-
 #define dac_reg	(0x3c8)
 #define dac_val	(0x3c9)
 
--- a/drivers/video/fbdev/sm712fb.c
+++ b/drivers/video/fbdev/sm712fb.c
@@ -1328,6 +1328,11 @@ static int smtc_map_smem(struct smtcfb_i
 {
 	sfb->fb->fix.smem_start = pci_resource_start(pdev, 0);
 
+	if (sfb->chip_id == 0x720)
+		/* on SM720, the framebuffer starts at the 1 MB offset */
+		sfb->fb->fix.smem_start += 0x00200000;
+
+	/* XXX: is it safe for SM720 on Big-Endian? */
 	if (sfb->fb->var.bits_per_pixel == 32)
 		sfb->fb->fix.smem_start += big_addr;
 
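Review bot: the comment says `the framebuffer starts at the 1 MB offset` but the constant added is 0x00200000, which is 2 MiB (and matches `sfb->lfb = sfb->dp_regs + 0x00200000` and the 0x00200000 mmio_len in the probe hunk below); either the comment and the commit message's "1 MiB" are wrong or the constant is, so please reconcile them. The `XXX: is it safe for SM720 on Big-Endian?` note would be more actionable if it said what `big_addr` is for, so a later reader with big-endian hardware can answer it.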
@@ -1365,12 +1370,45 @@ static inline void sm7xx_init_hw(void)
 	outb_p(0x11, 0x3c5);
 }
 
+static u_long sm7xx_vram_probe(struct smtcfb_info *sfb)
+{
+	u8 vram;
+
+	switch (sfb->chip_id) {
+	case 0x710:
+	case 0x712:
+		/*
+		 * Assume SM712 graphics chip has 4MB VRAM.
+		 *
+		 * FIXME: SM712 can have 2MB VRAM, which is used on earlier
+		 * laptops, such as IBM Thinkpad 240X. This driver would
+		 * probably crash on those machines. If anyone gets one of
+		 * those and is willing to help, run "git blame" and send me
+		 * an E-mail.
+		 */
+		return 0x00400000;
+	case 0x720:
+		outb_p(0x76, 0x3c4);
+		vram = inb_p(0x3c5) >> 6;
+
+		if (vram == 0x00)
+			return 0x00800000;  /* 8 MB */
+		else if (vram == 0x01)
+			return 0x01000000;  /* 16 MB */
+		else if (vram == 0x02)
+			return 0x00400000;  /* illegal, fallback to 4 MB */
+		else if (vram == 0x03)
+			return 0x00400000;  /* 4 MB */
+	}
+	return 0;  /* unknown hardware */
+}
+
 static int smtcfb_pci_probe(struct pci_dev *pdev,
 			    const struct pci_device_id *ent)
 {
 	struct smtcfb_info *sfb;
 	struct fb_info *info;
-	u_long smem_size = 0x00800000;	/* default 8MB */
+	u_long smem_size;
 	int err;
 	unsigned long mmio_base;
 
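Review bot: in sm7xx_vram_probe() the `if/else if` chain on the two-bit `vram` value covers all four cases, so `return 0; /* unknown hardware */` is reached only for an unknown chip_id; a `switch (vram)` would make that exhaustiveness obvious. Reading MCR76 via outb_p(0x76, 0x3c4)/inb_p(0x3c5) relies on the legacy VGA sequencer I/O ports being decoded for this device, which is worth a comment since the rest of the driver goes through the MMIO window. The FIXME about 2 MiB SM712 parts is good to keep.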
@@ -1427,12 +1465,15 @@ static int smtcfb_pci_probe(struct pci_d
 	mmio_base = pci_resource_start(pdev, 0);
 	pci_read_config_byte(pdev, PCI_REVISION_ID, &sfb->chip_rev_id);
 
+	smem_size = sm7xx_vram_probe(sfb);
+	dev_info(&pdev->dev, "%lu MiB of VRAM detected.\n",
+					smem_size / 1048576);
+
 	switch (sfb->chip_id) {
 	case 0x710:
 	case 0x712:
 		sfb->fb->fix.mmio_start = mmio_base + 0x00400000;
 		sfb->fb->fix.mmio_len = 0x00400000;
-		smem_size = SM712_VIDEOMEMORYSIZE;
 		sfb->lfb = ioremap(mmio_base, mmio_addr);
 		if (!sfb->lfb) {
 			dev_err(&pdev->dev,
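Review bot: `smem_size = sm7xx_vram_probe(sfb);` has no check for the 0 that sm7xx_vram_probe() returns for unknown hardware; probe would carry on with smem_size == 0, print "0 MiB of VRAM detected." and later map a zero-length framebuffer. Suggest treating 0 as an error here (dev_err() plus `err = -ENODEV; goto failed;`, using the `failed` label visible in the earlier hunk of this function). Also, the continuation line of the dev_info() call is indented with tabs only and does not line up with the opening parenthesis; checkpatch will flag it.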
@@ -1464,8 +1505,7 @@ static int smtcfb_pci_probe(struct pci_d
 	case 0x720:
 		sfb->fb->fix.mmio_start = mmio_base;
 		sfb->fb->fix.mmio_len = 0x00200000;
-		smem_size = SM722_VIDEOMEMORYSIZE;
-		sfb->dp_regs = ioremap(mmio_base, 0x00a00000);
+		sfb->dp_regs = ioremap(mmio_base, 0x00200000 + smem_size);
 		sfb->lfb = sfb->dp_regs + 0x00200000;
 		sfb->mmio = (smtc_regbaseaddress =
 		    sfb->dp_regs + 0x000c0000);
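Review bot: `ioremap(mmio_base, 0x00200000 + smem_size)` correctly sizes the SM720 mapping from the probed VRAM, but the 0x00200000 register-window size now appears three times in this function (mmio_len, the ioremap length and the lfb offset) and once more in smtc_map_smem(); a named constant would keep them from drifting apart and would settle the 1 MiB vs 2 MiB question raised by the comment in the first hunk.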




* [PATCH 4.4 059/241] fbdev: sm712fb: fix support for 1024x768-16 mode
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (57 preceding siblings ...)
  2019-06-09 16:40 ` [PATCH 4.4 058/241] fbdev: sm712fb: fix crashes during framebuffer writes by correctly mapping VRAM Greg Kroah-Hartman
@ 2019-06-09 16:40 ` Greg Kroah-Hartman
  2019-06-09 16:40 ` [PATCH 4.4 060/241] fbdev: sm712fb: use 1024x768 by default on non-MIPS, fix garbled display Greg Kroah-Hartman
                   ` (186 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yifeng Li, Sudip Mukherjee,
	Teddy Wang, Bartlomiej Zolnierkiewicz

From: Yifeng Li <tomli@tomli.me>

commit 6053d3a4793e5bde6299ac5388e76a3bf679ff65 upstream.

In order to support the 1024x600 panel on the Yeeloong Loongson MIPS
laptop, the original 1024x768-16 table was modified to 1024x600-16,
without leaving the original. This causes problems on x86 laptops, as
the 1024x768-16 support was still claimed but not working.

Fix it by introducing the 1024x768-16 mode.

Signed-off-by: Yifeng Li <tomli@tomli.me>
Tested-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Cc: Teddy Wang <teddy.wang@siliconmotion.com>
Cc: <stable@vger.kernel.org>  # v4.4+
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/video/fbdev/sm712fb.c |   59 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 59 insertions(+)

--- a/drivers/video/fbdev/sm712fb.c
+++ b/drivers/video/fbdev/sm712fb.c
@@ -530,6 +530,65 @@ static const struct modeinit vgamode[] =
 			0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x15, 0x03,
 		},
 	},
+	{	/*  1024 x 768  16Bpp  60Hz */
+		1024, 768, 16, 60,
+		/*  Init_MISC */
+		0xEB,
+		{	/*  Init_SR0_SR4 */
+			0x03, 0x01, 0x0F, 0x03, 0x0E,
+		},
+		{	/*  Init_SR10_SR24 */
+			0xF3, 0xB6, 0xC0, 0xDD, 0x00, 0x0E, 0x17, 0x2C,
+			0x99, 0x02, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
+			0xC4, 0x30, 0x02, 0x01, 0x01,
+		},
+		{	/*  Init_SR30_SR75 */
+			0x38, 0x03, 0x20, 0x09, 0xC0, 0x3A, 0x3A, 0x3A,
+			0x3A, 0x3A, 0x3A, 0x3A, 0x00, 0x00, 0x03, 0xFF,
+			0x00, 0xFC, 0x00, 0x00, 0x20, 0x18, 0x00, 0xFC,
+			0x20, 0x0C, 0x44, 0x20, 0x00, 0x00, 0x00, 0x3A,
+			0x06, 0x68, 0xA7, 0x7F, 0x83, 0x24, 0xFF, 0x03,
+			0x0F, 0x60, 0x59, 0x3A, 0x3A, 0x00, 0x00, 0x3A,
+			0x01, 0x80, 0x7E, 0x1A, 0x1A, 0x00, 0x00, 0x00,
+			0x50, 0x03, 0x74, 0x14, 0x3B, 0x0D, 0x09, 0x02,
+			0x04, 0x45, 0x30, 0x30, 0x40, 0x20,
+		},
+		{	/*  Init_SR80_SR93 */
+			0xFF, 0x07, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0x3A,
+			0xF7, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0x3A, 0x3A,
+			0x00, 0x00, 0x00, 0x00,
+		},
+		{	/*  Init_SRA0_SRAF */
+			0x00, 0xFB, 0x9F, 0x01, 0x00, 0xED, 0xED, 0xED,
+			0x7B, 0xFB, 0xFF, 0xFF, 0x97, 0xEF, 0xBF, 0xDF,
+		},
+		{	/*  Init_GR00_GR08 */
+			0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x05, 0x0F,
+			0xFF,
+		},
+		{	/*  Init_AR00_AR14 */
+			0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+			0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
+			0x41, 0x00, 0x0F, 0x00, 0x00,
+		},
+		{	/*  Init_CR00_CR18 */
+			0xA3, 0x7F, 0x7F, 0x00, 0x85, 0x16, 0x24, 0xF5,
+			0x00, 0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+			0x03, 0x09, 0xFF, 0x80, 0x40, 0xFF, 0x00, 0xE3,
+			0xFF,
+		},
+		{	/*  Init_CR30_CR4D */
+			0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x02, 0x20,
+			0x00, 0x00, 0x00, 0x40, 0x00, 0xFF, 0xBF, 0xFF,
+			0xA3, 0x7F, 0x00, 0x86, 0x15, 0x24, 0xFF, 0x00,
+			0x01, 0x07, 0xE5, 0x20, 0x7F, 0xFF,
+		},
+		{	/*  Init_CR90_CRA7 */
+			0x55, 0xD9, 0x5D, 0xE1, 0x86, 0x1B, 0x8E, 0x26,
+			0xDA, 0x8D, 0xDE, 0x94, 0x00, 0x00, 0x18, 0x00,
+			0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x15, 0x03,
+		},
+	},
 	{	/*  mode#5: 1024 x 768  24Bpp  60Hz */
 		1024, 768, 24, 60,
 		/*  Init_MISC */
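
Review bot: the new entry carries no `mode#N` label, unlike its neighbours (the entry that follows it is `/*  mode#5: 1024 x 768  24Bpp  60Hz */`), and inserting it ahead of mode#5 means the numbered comments below no longer match their position in the array; either label it in the same style or drop the stale numbering from the table. The register values themselves cannot be checked from the hunk and rest on the Tested-by.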

* [PATCH 4.4 060/241] fbdev: sm712fb: use 1024x768 by default on non-MIPS, fix garbled display
From: Greg Kroah-Hartman @ 2019-06-09 16:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yifeng Li, Sudip Mukherjee,
	Teddy Wang, Bartlomiej Zolnierkiewicz

From: Yifeng Li <tomli@tomli.me>

commit 4ed7d2ccb7684510ec5f7a8f7ef534bc6a3d55b2 upstream.

Loongson MIPS netbooks use 1024x600 LCD panels, which is the original
target platform of this driver, but nearly all old x86 laptops have
1024x768. Lighting 768 panels using 600's timings would partially
garble the display. Since it's not possible to distinguish them reliably,
we change the default to 768, but keep 600 as-is on MIPS.

Further, earlier laptops, such as the IBM Thinkpad 240X, have an 800x600 LCD
panel; this driver would probably garble those displays. As we don't
have one for testing, the original behavior of the driver is kept as-is,
but the problem has been documented in the comments.

Signed-off-by: Yifeng Li <tomli@tomli.me>
Tested-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Cc: Teddy Wang <teddy.wang@siliconmotion.com>
Cc: <stable@vger.kernel.org>  # v4.4+
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/video/fbdev/sm712.h   |    7 +++--
 drivers/video/fbdev/sm712fb.c |   53 +++++++++++++++++++++++++++++++-----------
 2 files changed, 44 insertions(+), 16 deletions(-)

--- a/drivers/video/fbdev/sm712.h
+++ b/drivers/video/fbdev/sm712.h
@@ -15,9 +15,10 @@
 
 #define FB_ACCEL_SMI_LYNX 88
 
-#define SCREEN_X_RES      1024
-#define SCREEN_Y_RES      600
-#define SCREEN_BPP        16
+#define SCREEN_X_RES          1024
+#define SCREEN_Y_RES_PC       768
+#define SCREEN_Y_RES_NETBOOK  600
+#define SCREEN_BPP            16
 
 #define dac_reg	(0x3c8)
 #define dac_val	(0x3c9)
--- a/drivers/video/fbdev/sm712fb.c
+++ b/drivers/video/fbdev/sm712fb.c
@@ -1462,6 +1462,43 @@ static u_long sm7xx_vram_probe(struct sm
 	return 0;  /* unknown hardware */
 }
 
+static void sm7xx_resolution_probe(struct smtcfb_info *sfb)
+{
+	/* get mode parameter from smtc_scr_info */
+	if (smtc_scr_info.lfb_width != 0) {
+		sfb->fb->var.xres = smtc_scr_info.lfb_width;
+		sfb->fb->var.yres = smtc_scr_info.lfb_height;
+		sfb->fb->var.bits_per_pixel = smtc_scr_info.lfb_depth;
+		goto final;
+	}
+
+	/*
+	 * No parameter, default resolution is 1024x768-16.
+	 *
+	 * FIXME: earlier laptops, such as IBM Thinkpad 240X, has a 800x600
+	 * panel, also see the comments about Thinkpad 240X above.
+	 */
+	sfb->fb->var.xres = SCREEN_X_RES;
+	sfb->fb->var.yres = SCREEN_Y_RES_PC;
+	sfb->fb->var.bits_per_pixel = SCREEN_BPP;
+
+#ifdef CONFIG_MIPS
+	/*
+	 * Loongson MIPS netbooks use 1024x600 LCD panels, which is the original
+	 * target platform of this driver, but nearly all old x86 laptops have
+	 * 1024x768. Lighting 768 panels using 600's timings would partially
+	 * garble the display, so we don't want that. But it's not possible to
+	 * distinguish them reliably.
+	 *
+	 * So we change the default to 768, but keep 600 as-is on MIPS.
+	 */
+	sfb->fb->var.yres = SCREEN_Y_RES_NETBOOK;
+#endif
+
+final:
+	big_pixel_depth(sfb->fb->var.bits_per_pixel, smtc_scr_info.lfb_depth);
+}
+
 static int smtcfb_pci_probe(struct pci_dev *pdev,
 			    const struct pci_device_id *ent)
 {
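
Review bot: `goto final` is used to skip the default branch of a plain two-way choice; an `if (smtc_scr_info.lfb_width != 0) { ... } else { ... }` followed by the `big_pixel_depth()` call keeps the same behaviour without the label. The FIXME also points at "the comments about Thinkpad 240X above", which are not in this hunk, so confirm that comment exists at the referenced place in the file.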
@@ -1507,19 +1544,6 @@ static int smtcfb_pci_probe(struct pci_d
 
 	sm7xx_init_hw();
 
-	/* get mode parameter from smtc_scr_info */
-	if (smtc_scr_info.lfb_width != 0) {
-		sfb->fb->var.xres = smtc_scr_info.lfb_width;
-		sfb->fb->var.yres = smtc_scr_info.lfb_height;
-		sfb->fb->var.bits_per_pixel = smtc_scr_info.lfb_depth;
-	} else {
-		/* default resolution 1024x600 16bit mode */
-		sfb->fb->var.xres = SCREEN_X_RES;
-		sfb->fb->var.yres = SCREEN_Y_RES;
-		sfb->fb->var.bits_per_pixel = SCREEN_BPP;
-	}
-
-	big_pixel_depth(sfb->fb->var.bits_per_pixel, smtc_scr_info.lfb_depth);
 	/* Map address and memory detection */
 	mmio_base = pci_resource_start(pdev, 0);
 	pci_read_config_byte(pdev, PCI_REVISION_ID, &sfb->chip_rev_id);
@@ -1581,6 +1605,9 @@ static int smtcfb_pci_probe(struct pci_d
 		goto failed_fb;
 	}
 
+	/* probe and decide resolution */
+	sm7xx_resolution_probe(sfb);
+
 	/* can support 32 bpp */
 	if (15 == sfb->fb->var.bits_per_pixel)
 		sfb->fb->var.bits_per_pixel = 16;
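
Review bot: the mode decision moves from before "Map address and memory detection" (where the previous hunk removes it) to after the framebuffer allocation failure path here, so `var.xres`, `var.yres` and `var.bits_per_pixel` are unset for everything in between; confirm that nothing in that window, in particular the VRAM sizing code, reads them. The commit message does not say why the call had to move, so a sentence on that would help reviewers of later backports.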

* [PATCH 4.4 061/241] fbdev: sm712fb: fix crashes and garbled display during DPMS modesetting
From: Greg Kroah-Hartman @ 2019-06-09 16:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yifeng Li, Sudip Mukherjee,
	Teddy Wang, Bartlomiej Zolnierkiewicz

From: Yifeng Li <tomli@tomli.me>

commit f627caf55b8e735dcec8fa6538e9668632b55276 upstream.

On a Thinkpad s30 (Pentium III / i440MX, Lynx3DM), blanking the display
or starting the X server will crash and freeze the system, or garble the
display.

Experiments showed this problem can mostly be solved by adjusting the
order of register writes. Also, sm712fb failed to consider the difference
in clock frequency when unblanking the display, and programmed the clock
for SM712 on SM720.

Fix them by adjusting the order of register writes, and adding an
additional check for SM720 for programming the clock frequency.

Signed-off-by: Yifeng Li <tomli@tomli.me>
Tested-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Cc: Teddy Wang <teddy.wang@siliconmotion.com>
Cc: <stable@vger.kernel.org>  # v4.4+
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/video/fbdev/sm712fb.c |   64 ++++++++++++++++++++++++------------------
 1 file changed, 38 insertions(+), 26 deletions(-)

--- a/drivers/video/fbdev/sm712fb.c
+++ b/drivers/video/fbdev/sm712fb.c
@@ -886,67 +886,79 @@ static inline unsigned int chan_to_field
 
 static int smtc_blank(int blank_mode, struct fb_info *info)
 {
+	struct smtcfb_info *sfb = info->par;
+
 	/* clear DPMS setting */
 	switch (blank_mode) {
 	case FB_BLANK_UNBLANK:
 		/* Screen On: HSync: On, VSync : On */
+
+		switch (sfb->chip_id) {
+		case 0x710:
+		case 0x712:
+			smtc_seqw(0x6a, 0x16);
+			smtc_seqw(0x6b, 0x02);
+		case 0x720:
+			smtc_seqw(0x6a, 0x0d);
+			smtc_seqw(0x6b, 0x02);
+			break;
+		}
+
+		smtc_seqw(0x23, (smtc_seqr(0x23) & (~0xc0)));
 		smtc_seqw(0x01, (smtc_seqr(0x01) & (~0x20)));
-		smtc_seqw(0x6a, 0x16);
-		smtc_seqw(0x6b, 0x02);
 		smtc_seqw(0x21, (smtc_seqr(0x21) & 0x77));
 		smtc_seqw(0x22, (smtc_seqr(0x22) & (~0x30)));
-		smtc_seqw(0x23, (smtc_seqr(0x23) & (~0xc0)));
-		smtc_seqw(0x24, (smtc_seqr(0x24) | 0x01));
 		smtc_seqw(0x31, (smtc_seqr(0x31) | 0x03));
+		smtc_seqw(0x24, (smtc_seqr(0x24) | 0x01));
 		break;
 	case FB_BLANK_NORMAL:
 		/* Screen Off: HSync: On, VSync : On   Soft blank */
+		smtc_seqw(0x24, (smtc_seqr(0x24) | 0x01));
+		smtc_seqw(0x31, ((smtc_seqr(0x31) & (~0x07)) | 0x00));
+		smtc_seqw(0x23, (smtc_seqr(0x23) & (~0xc0)));
 		smtc_seqw(0x01, (smtc_seqr(0x01) & (~0x20)));
+		smtc_seqw(0x22, (smtc_seqr(0x22) & (~0x30)));
 		smtc_seqw(0x6a, 0x16);
 		smtc_seqw(0x6b, 0x02);
-		smtc_seqw(0x22, (smtc_seqr(0x22) & (~0x30)));
-		smtc_seqw(0x23, (smtc_seqr(0x23) & (~0xc0)));
-		smtc_seqw(0x24, (smtc_seqr(0x24) | 0x01));
-		smtc_seqw(0x31, ((smtc_seqr(0x31) & (~0x07)) | 0x00));
 		break;
 	case FB_BLANK_VSYNC_SUSPEND:
 		/* Screen On: HSync: On, VSync : Off */
+		smtc_seqw(0x24, (smtc_seqr(0x24) & (~0x01)));
+		smtc_seqw(0x31, ((smtc_seqr(0x31) & (~0x07)) | 0x00));
+		smtc_seqw(0x23, ((smtc_seqr(0x23) & (~0xc0)) | 0x20));
 		smtc_seqw(0x01, (smtc_seqr(0x01) | 0x20));
-		smtc_seqw(0x20, (smtc_seqr(0x20) & (~0xB0)));
-		smtc_seqw(0x6a, 0x0c);
-		smtc_seqw(0x6b, 0x02);
 		smtc_seqw(0x21, (smtc_seqr(0x21) | 0x88));
+		smtc_seqw(0x20, (smtc_seqr(0x20) & (~0xB0)));
 		smtc_seqw(0x22, ((smtc_seqr(0x22) & (~0x30)) | 0x20));
-		smtc_seqw(0x23, ((smtc_seqr(0x23) & (~0xc0)) | 0x20));
-		smtc_seqw(0x24, (smtc_seqr(0x24) & (~0x01)));
-		smtc_seqw(0x31, ((smtc_seqr(0x31) & (~0x07)) | 0x00));
 		smtc_seqw(0x34, (smtc_seqr(0x34) | 0x80));
+		smtc_seqw(0x6a, 0x0c);
+		smtc_seqw(0x6b, 0x02);
 		break;
 	case FB_BLANK_HSYNC_SUSPEND:
 		/* Screen On: HSync: Off, VSync : On */
+		smtc_seqw(0x24, (smtc_seqr(0x24) & (~0x01)));
+		smtc_seqw(0x31, ((smtc_seqr(0x31) & (~0x07)) | 0x00));
+		smtc_seqw(0x23, ((smtc_seqr(0x23) & (~0xc0)) | 0xD8));
 		smtc_seqw(0x01, (smtc_seqr(0x01) | 0x20));
-		smtc_seqw(0x20, (smtc_seqr(0x20) & (~0xB0)));
-		smtc_seqw(0x6a, 0x0c);
-		smtc_seqw(0x6b, 0x02);
 		smtc_seqw(0x21, (smtc_seqr(0x21) | 0x88));
+		smtc_seqw(0x20, (smtc_seqr(0x20) & (~0xB0)));
 		smtc_seqw(0x22, ((smtc_seqr(0x22) & (~0x30)) | 0x10));
-		smtc_seqw(0x23, ((smtc_seqr(0x23) & (~0xc0)) | 0xD8));
-		smtc_seqw(0x24, (smtc_seqr(0x24) & (~0x01)));
-		smtc_seqw(0x31, ((smtc_seqr(0x31) & (~0x07)) | 0x00));
 		smtc_seqw(0x34, (smtc_seqr(0x34) | 0x80));
+		smtc_seqw(0x6a, 0x0c);
+		smtc_seqw(0x6b, 0x02);
 		break;
 	case FB_BLANK_POWERDOWN:
 		/* Screen On: HSync: Off, VSync : Off */
+		smtc_seqw(0x24, (smtc_seqr(0x24) & (~0x01)));
+		smtc_seqw(0x31, ((smtc_seqr(0x31) & (~0x07)) | 0x00));
+		smtc_seqw(0x23, ((smtc_seqr(0x23) & (~0xc0)) | 0xD8));
 		smtc_seqw(0x01, (smtc_seqr(0x01) | 0x20));
-		smtc_seqw(0x20, (smtc_seqr(0x20) & (~0xB0)));
-		smtc_seqw(0x6a, 0x0c);
-		smtc_seqw(0x6b, 0x02);
 		smtc_seqw(0x21, (smtc_seqr(0x21) | 0x88));
+		smtc_seqw(0x20, (smtc_seqr(0x20) & (~0xB0)));
 		smtc_seqw(0x22, ((smtc_seqr(0x22) & (~0x30)) | 0x30));
-		smtc_seqw(0x23, ((smtc_seqr(0x23) & (~0xc0)) | 0xD8));
-		smtc_seqw(0x24, (smtc_seqr(0x24) & (~0x01)));
-		smtc_seqw(0x31, ((smtc_seqr(0x31) & (~0x07)) | 0x00));
 		smtc_seqw(0x34, (smtc_seqr(0x34) | 0x80));
+		smtc_seqw(0x6a, 0x0c);
+		smtc_seqw(0x6b, 0x02);
 		break;
 	default:
 		return -EINVAL;
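
Review bot: the `case 0x710: case 0x712:` arm of the new `switch (sfb->chip_id)` has no `break` after `smtc_seqw(0x6b, 0x02);`, so on SM710/SM712 it falls straight into the `case 0x720:` writes and registers 0x6a/0x6b end up with the SM720 values (0x0d, 0x02), the opposite of what the commit message describes. Add a `break;` there (or a `/* fall through */` comment if the overwrite really is intended, which seems unlikely). Note also that the other blank modes still write 0x6a/0x6b unconditionally (0x16/0x02 or 0x0c/0x02) with no chip check, so the SM720 distinction only applies to unblank; say whether that is deliberate.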

* [PATCH 4.4 062/241] PCI: Mark Atheros AR9462 to avoid bus reset
From: Greg Kroah-Hartman @ 2019-06-09 16:40 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, James Prestwood, Bjorn Helgaas

From: James Prestwood <james.prestwood@linux.intel.com>

commit 6afb7e26978da5e86e57e540fdce65c8b04f398a upstream.

When using PCI passthrough with this device, the host machine locks up
completely when starting the VM, requiring a hard reboot.  Add a quirk to
avoid bus resets on this device.

Fixes: c3e59ee4e766 ("PCI: Mark Atheros AR93xx to avoid bus reset")
Link: https://lore.kernel.org/linux-pci/20190107213248.3034-1-james.prestwood@linux.intel.com
Signed-off-by: James Prestwood <james.prestwood@linux.intel.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
CC: stable@vger.kernel.org	# v3.14+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/pci/quirks.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/pci/quirks.c
+++ b/drivers/pci/quirks.c
@@ -3141,6 +3141,7 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_A
 DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_ATHEROS, 0x0032, quirk_no_bus_reset);
 DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_ATHEROS, 0x003c, quirk_no_bus_reset);
 DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_ATHEROS, 0x0033, quirk_no_bus_reset);
+DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_ATHEROS, 0x0034, quirk_no_bus_reset);
 
 static void quirk_no_pm_reset(struct pci_dev *dev)
 {
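
Review bot: 0x0034 is added as a bare device ID, so a reader cannot tie it to the AR9462 named in the subject without looking it up; a trailing comment naming the part would make the quirk list self-documenting (the adjacent entries would benefit from the same). The IDs are also not in numeric order (0x0032, 0x003c, 0x0033, 0x0034), which makes a duplicate entry easy to miss later.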

* [PATCH 4.4 063/241] dm delay: fix a crash when invalid device is specified
From: Greg Kroah-Hartman @ 2019-06-09 16:40 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Mikulas Patocka, Mike Snitzer

From: Mikulas Patocka <mpatocka@redhat.com>

commit 81bc6d150ace6250503b825d9d0c10f7bbd24095 upstream.

When the target line contains an invalid device, delay_ctr() will call
delay_dtr() with NULL workqueue.  Attempting to destroy the NULL
workqueue causes a crash.

Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/md/dm-delay.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/md/dm-delay.c
+++ b/drivers/md/dm-delay.c
@@ -222,7 +222,8 @@ static void delay_dtr(struct dm_target *
 {
 	struct delay_c *dc = ti->private;
 
-	destroy_workqueue(dc->kdelayd_wq);
+	if (dc->kdelayd_wq)
+		destroy_workqueue(dc->kdelayd_wq);
 
 	dm_put_device(ti, dc->dev_read);
 
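
Review bot: the guard relies on `dc->kdelayd_wq` being NULL whenever the workqueue was never created, i.e. on delay_ctr() zero-allocating `dc` (or explicitly clearing the field) before any error path reaches delay_dtr(); that allocation is outside this hunk, so please confirm. The same question applies to `dc->dev_read` released just below and to anything else the destructor tears down, since the crash described in the commit message is only guarded for the workqueue.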

* [PATCH 4.4 064/241] xfrm: policy: Fix out-of-bound array accesses in __xfrm_policy_unlink
From: Greg Kroah-Hartman @ 2019-06-09 16:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hulk Robot, YueHaibing, Herbert Xu,
	Steffen Klassert, Sasha Levin

[ Upstream commit b805d78d300bcf2c83d6df7da0c818b0fee41427 ]

UBSAN reports this:

UBSAN: Undefined behaviour in net/xfrm/xfrm_policy.c:1289:24
index 6 is out of range for type 'unsigned int [6]'
CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.4.162-514.55.6.9.x86_64+ #13
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
 0000000000000000 1466cf39b41b23c9 ffff8801f6b07a58 ffffffff81cb35f4
 0000000041b58ab3 ffffffff83230f9c ffffffff81cb34e0 ffff8801f6b07a80
 ffff8801f6b07a20 1466cf39b41b23c9 ffffffff851706e0 ffff8801f6b07ae8
Call Trace:
 <IRQ>  [<ffffffff81cb35f4>] __dump_stack lib/dump_stack.c:15 [inline]
 <IRQ>  [<ffffffff81cb35f4>] dump_stack+0x114/0x1a0 lib/dump_stack.c:51
 [<ffffffff81d94225>] ubsan_epilogue+0x12/0x8f lib/ubsan.c:164
 [<ffffffff81d954db>] __ubsan_handle_out_of_bounds+0x16e/0x1b2 lib/ubsan.c:382
 [<ffffffff82a25acd>] __xfrm_policy_unlink+0x3dd/0x5b0 net/xfrm/xfrm_policy.c:1289
 [<ffffffff82a2e572>] xfrm_policy_delete+0x52/0xb0 net/xfrm/xfrm_policy.c:1309
 [<ffffffff82a3319b>] xfrm_policy_timer+0x30b/0x590 net/xfrm/xfrm_policy.c:243
 [<ffffffff813d3927>] call_timer_fn+0x237/0x990 kernel/time/timer.c:1144
 [<ffffffff813d8e7e>] __run_timers kernel/time/timer.c:1218 [inline]
 [<ffffffff813d8e7e>] run_timer_softirq+0x6ce/0xb80 kernel/time/timer.c:1401
 [<ffffffff8120d6f9>] __do_softirq+0x299/0xe10 kernel/softirq.c:273
 [<ffffffff8120e676>] invoke_softirq kernel/softirq.c:350 [inline]
 [<ffffffff8120e676>] irq_exit+0x216/0x2c0 kernel/softirq.c:391
 [<ffffffff82c5edab>] exiting_irq arch/x86/include/asm/apic.h:652 [inline]
 [<ffffffff82c5edab>] smp_apic_timer_interrupt+0x8b/0xc0 arch/x86/kernel/apic/apic.c:926
 [<ffffffff82c5c985>] apic_timer_interrupt+0xa5/0xb0 arch/x86/entry/entry_64.S:735
 <EOI>  [<ffffffff81188096>] ? native_safe_halt+0x6/0x10 arch/x86/include/asm/irqflags.h:52
 [<ffffffff810834d7>] arch_safe_halt arch/x86/include/asm/paravirt.h:111 [inline]
 [<ffffffff810834d7>] default_idle+0x27/0x430 arch/x86/kernel/process.c:446
 [<ffffffff81085f05>] arch_cpu_idle+0x15/0x20 arch/x86/kernel/process.c:437
 [<ffffffff8132abc3>] default_idle_call+0x53/0x90 kernel/sched/idle.c:92
 [<ffffffff8132b32d>] cpuidle_idle_call kernel/sched/idle.c:156 [inline]
 [<ffffffff8132b32d>] cpu_idle_loop kernel/sched/idle.c:251 [inline]
 [<ffffffff8132b32d>] cpu_startup_entry+0x60d/0x9a0 kernel/sched/idle.c:299
 [<ffffffff8113e119>] start_secondary+0x3c9/0x560 arch/x86/kernel/smpboot.c:245

The issue is triggered as this:

xfrm_add_policy
    -->verify_newpolicy_info  //check the index provided by user with XFRM_POLICY_MAX
			      //In my case, the index is 0x6E6BB6, so it passes the check.
    -->xfrm_policy_construct  //copy the user's policy and set xfrm_policy_timer
    -->xfrm_policy_insert
	--> __xfrm_policy_link //use the original dir, in my case it is 2
	--> xfrm_gen_index   //generate policy index, here it is 0x6E6BB6

then xfrm_policy_timer is fired

xfrm_policy_timer
   --> xfrm_policy_id2dir  //get dir from (policy index & 7), in my case it is 6
   --> xfrm_policy_delete
      --> __xfrm_policy_unlink //access policy_count[dir], trigger out of range access

Add xfrm_policy_id2dir check in verify_newpolicy_info, make sure the computed dir is
valid, to fix the issue.

Reported-by: Hulk Robot <hulkci@huawei.com>
Fixes: e682adf021be ("xfrm: Try to honor policy index if it's supplied by user")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/xfrm/xfrm_user.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -1340,7 +1340,7 @@ static int verify_newpolicy_info(struct
 	ret = verify_policy_dir(p->dir);
 	if (ret)
 		return ret;
-	if (p->index && ((p->index & XFRM_POLICY_MAX) != p->dir))
+	if (p->index && (xfrm_policy_id2dir(p->index) != p->dir))
 		return -EINVAL;
 
 	return 0;
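
Review bot: the old condition masked the index with XFRM_POLICY_MAX, while xfrm_policy_id2dir() takes the direction from the low three bits (the commit message quotes `policy index & 7`), so an index with a bit set outside the mask passed validation and later selected a `dir` past the end of `policy_count[]`; reusing the same helper in the check closes that gap. A short comment on the new line stating that the direction must be recoverable from the index via xfrm_policy_id2dir() would stop the two from drifting apart again.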

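The mismatch described in the commit message, modelled in user space as an added illustration (this is not kernel code and not part of the patch): the value of XFRM_POLICY_MAX, the size of policy_count[] and the "index & 7" rule of xfrm_policy_id2dir() are assumed from the kernel headers rather than taken from the hunk.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed from the kernel headers (not present in the hunk):
 * XFRM_POLICY_MAX is 3, and the policy_count[] array that
 * __xfrm_policy_unlink() indexes has XFRM_POLICY_MAX * 2 = 6 slots. */
#define XFRM_POLICY_MAX     3
#define POLICY_COUNT_SLOTS  (XFRM_POLICY_MAX * 2)

/* Same rule the timer path uses: the direction is the low three bits. */
static int xfrm_policy_id2dir(uint32_t index)
{
	return index & 7;
}

/* Check before the patch: masks with XFRM_POLICY_MAX, so bit 2 is never
 * looked at and an index such as 0x6E6BB6 (low bits 110) still "matches"
 * dir 2 (low bits 010). */
static bool index_matches_dir_old(uint32_t index, uint8_t dir)
{
	if (index && ((index & XFRM_POLICY_MAX) != dir))
		return false;
	return true;
}

/* Check after the patch: derives dir exactly as __xfrm_policy_unlink() will,
 * so whatever passes here also indexes policy_count[] within bounds. */
static bool index_matches_dir_new(uint32_t index, uint8_t dir)
{
	if (index && (xfrm_policy_id2dir(index) != dir))
		return false;
	return true;
}

/* Would the later policy_count[dir] access stay inside the array? */
static bool unlink_dir_in_bounds(uint32_t index)
{
	return xfrm_policy_id2dir(index) < POLICY_COUNT_SLOTS;
}

int main(void)
{
	/* Index and dir from the commit message: the old check accepts them,
	 * but when the timer fires the index maps to dir 6, one past the array. */
	const uint32_t index = 0x6E6BB6;
	const uint8_t dir = 2;

	printf("index 0x%X dir %u: old check %s, new check %s, id2dir %d, "
	       "unlink in bounds: %s\n", index, dir,
	       index_matches_dir_old(index, dir) ? "accepts" : "rejects",
	       index_matches_dir_new(index, dir) ? "accepts" : "rejects",
	       xfrm_policy_id2dir(index),
	       unlink_dir_in_bounds(index) ? "yes" : "no");
	return 0;
}
```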

* [PATCH 4.4 065/241] xfrm6_tunnel: Fix potential panic when unloading xfrm6_tunnel module
From: Greg Kroah-Hartman @ 2019-06-09 16:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Su Yanjun, Herbert Xu,
	Steffen Klassert, Sasha Levin

[ Upstream commit 6ee02a54ef990a71bf542b6f0a4e3321de9d9c66 ]

When unloading the xfrm6_tunnel module, xfrm6_tunnel_fini directly
frees xfrm6_tunnel_spi_kmem. Someone may still have obtained an
xfrm6_tunnel_spi, so we need to wait for it.

Fixes: 91cc3bb0b04ff ("xfrm6_tunnel: RCU conversion")
Signed-off-by: Su Yanjun <suyj.fnst@cn.fujitsu.com>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv6/xfrm6_tunnel.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/net/ipv6/xfrm6_tunnel.c
+++ b/net/ipv6/xfrm6_tunnel.c
@@ -391,6 +391,10 @@ static void __exit xfrm6_tunnel_fini(voi
 	xfrm6_tunnel_deregister(&xfrm6_tunnel_handler, AF_INET6);
 	xfrm_unregister_type(&xfrm6_tunnel_type, AF_INET6);
 	unregister_pernet_subsys(&xfrm6_tunnel_net_ops);
+	/* Someone maybe has gotten the xfrm6_tunnel_spi.
+	 * So need to wait it.
+	 */
+	rcu_barrier();
 	kmem_cache_destroy(xfrm6_tunnel_spi_kmem);
 }
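
Review bot: the comment added with the `rcu_barrier()` ("Someone maybe has gotten the xfrm6_tunnel_spi. So need to wait it.") does not say what is being waited for; rcu_barrier() waits for pending RCU callbacks to finish, so the comment should name the callback path that frees the SPI entries and state that those callbacks must have run before the cache they came from is destroyed. The placement, after unregister_pernet_subsys() and immediately before kmem_cache_destroy(), is the right spot.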

* [PATCH 4.4 066/241] vti4: ipip tunnel deregistration fixes.
From: Greg Kroah-Hartman @ 2019-06-09 16:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jeremy Sowden, Steffen Klassert, Sasha Levin

[ Upstream commit 5483844c3fc18474de29f5d6733003526e0a9f78 ]

If tunnel registration failed during module initialization, the module
would fail to deregister the IPPROTO_COMP protocol and would attempt to
deregister the tunnel.

The tunnel was not deregistered during module-exit.

Fixes: dd9ee3444014e ("vti4: Fix a ipip packet processing bug in 'IPCOMP' virtual tunnel")
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv4/ip_vti.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/net/ipv4/ip_vti.c
+++ b/net/ipv4/ip_vti.c
@@ -648,9 +648,9 @@ static int __init vti_init(void)
 	return err;
 
 rtnl_link_failed:
-	xfrm4_protocol_deregister(&vti_ipcomp4_protocol, IPPROTO_COMP);
-xfrm_tunnel_failed:
 	xfrm4_tunnel_deregister(&ipip_handler, AF_INET);
+xfrm_tunnel_failed:
+	xfrm4_protocol_deregister(&vti_ipcomp4_protocol, IPPROTO_COMP);
 xfrm_proto_comp_failed:
 	xfrm4_protocol_deregister(&vti_ah4_protocol, IPPROTO_AH);
 xfrm_proto_ah_failed:
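
Review bot: the relabelled unwind now deregisters the ipip tunnel under `rtnl_link_failed` and the IPCOMP protocol under `xfrm_tunnel_failed`, which is only correct if vti_init() registers IPCOMP before the tunnel and the tunnel before the rtnl link; the registration side is not in the hunk, so confirm the order matches. A one-line comment that each label is named after the step that failed (and so must start by undoing the step before it) would document the convention the original code got wrong.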
@@ -666,6 +666,7 @@ pernet_dev_failed:
 static void __exit vti_fini(void)
 {
 	rtnl_link_unregister(&vti_link_ops);
+	xfrm4_tunnel_deregister(&ipip_handler, AF_INET);
 	xfrm4_protocol_deregister(&vti_ipcomp4_protocol, IPPROTO_COMP);
 	xfrm4_protocol_deregister(&vti_ah4_protocol, IPPROTO_AH);
 	xfrm4_protocol_deregister(&vti_esp4_protocol, IPPROTO_ESP);

* [PATCH 4.4 067/241] xfrm4: Fix uninitialized memory read in _decode_session4
From: Greg Kroah-Hartman @ 2019-06-09 16:40 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Steffen Klassert, Sasha Levin

[ Upstream commit 8742dc86d0c7a9628117a989c11f04a9b6b898f3 ]

We currently don't reload pointers pointing into the skb header
after doing pskb_may_pull() in _decode_session4(). So in case
pskb_may_pull() changed the pointers, we read from random
memory. Fix this by putting all the needed information on the
stack, so that we don't need to access the header pointers
after doing pskb_may_pull().

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv4/xfrm4_policy.c | 24 +++++++++++++-----------
 1 file changed, 13 insertions(+), 11 deletions(-)

diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c
index fddae0164b918..d9758ecdcba6a 100644
--- a/net/ipv4/xfrm4_policy.c
+++ b/net/ipv4/xfrm4_policy.c
@@ -108,7 +108,8 @@ static void
 _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
 {
 	const struct iphdr *iph = ip_hdr(skb);
-	u8 *xprth = skb_network_header(skb) + iph->ihl * 4;
+	int ihl = iph->ihl;
+	u8 *xprth = skb_network_header(skb) + ihl * 4;
 	struct flowi4 *fl4 = &fl->u.ip4;
 	int oif = 0;
 
@@ -119,6 +120,11 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
 	fl4->flowi4_mark = skb->mark;
 	fl4->flowi4_oif = reverse ? skb->skb_iif : oif;
 
+	fl4->flowi4_proto = iph->protocol;
+	fl4->daddr = reverse ? iph->saddr : iph->daddr;
+	fl4->saddr = reverse ? iph->daddr : iph->saddr;
+	fl4->flowi4_tos = iph->tos;
+
 	if (!ip_is_fragment(iph)) {
 		switch (iph->protocol) {
 		case IPPROTO_UDP:
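
Review bot: hoisting the four fl4 assignments above the pskb_may_pull() calls is the core of the fix, but `iph` stays a live variable for the rest of the function and is still dereferenced in `ip_is_fragment(iph)` and `switch (iph->protocol)`; those happen before any pull, so they are safe, but a comment here saying that `iph` must not be used after pskb_may_pull() would keep a future case arm from reintroducing the bug. The cached `ihl` from the first hunk is what the remaining hunks rely on to recompute `xprth` after each pull.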
@@ -130,7 +136,7 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
 			    pskb_may_pull(skb, xprth + 4 - skb->data)) {
 				__be16 *ports;
 
-				xprth = skb_network_header(skb) + iph->ihl * 4;
+				xprth = skb_network_header(skb) + ihl * 4;
 				ports = (__be16 *)xprth;
 
 				fl4->fl4_sport = ports[!!reverse];
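
Review bot: `xprth = skb_network_header(skb) + ihl * 4;` is now repeated in six case arms with only the pulled length differing; a small helper that performs pskb_may_pull() for the requested length and returns the refreshed transport-header pointer (or NULL) would remove the duplication and make it impossible to forget the refresh when a new protocol case is added.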
@@ -143,7 +149,7 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
 			    pskb_may_pull(skb, xprth + 2 - skb->data)) {
 				u8 *icmp;
 
-				xprth = skb_network_header(skb) + iph->ihl * 4;
+				xprth = skb_network_header(skb) + ihl * 4;
 				icmp = xprth;
 
 				fl4->fl4_icmp_type = icmp[0];
@@ -156,7 +162,7 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
 			    pskb_may_pull(skb, xprth + 4 - skb->data)) {
 				__be32 *ehdr;
 
-				xprth = skb_network_header(skb) + iph->ihl * 4;
+				xprth = skb_network_header(skb) + ihl * 4;
 				ehdr = (__be32 *)xprth;
 
 				fl4->fl4_ipsec_spi = ehdr[0];
@@ -168,7 +174,7 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
 			    pskb_may_pull(skb, xprth + 8 - skb->data)) {
 				__be32 *ah_hdr;
 
-				xprth = skb_network_header(skb) + iph->ihl * 4;
+				xprth = skb_network_header(skb) + ihl * 4;
 				ah_hdr = (__be32 *)xprth;
 
 				fl4->fl4_ipsec_spi = ah_hdr[1];
@@ -180,7 +186,7 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
 			    pskb_may_pull(skb, xprth + 4 - skb->data)) {
 				__be16 *ipcomp_hdr;
 
-				xprth = skb_network_header(skb) + iph->ihl * 4;
+				xprth = skb_network_header(skb) + ihl * 4;
 				ipcomp_hdr = (__be16 *)xprth;
 
 				fl4->fl4_ipsec_spi = htonl(ntohs(ipcomp_hdr[1]));
@@ -193,7 +199,7 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
 				__be16 *greflags;
 				__be32 *gre_hdr;
 
-				xprth = skb_network_header(skb) + iph->ihl * 4;
+				xprth = skb_network_header(skb) + ihl * 4;
 				greflags = (__be16 *)xprth;
 				gre_hdr = (__be32 *)xprth;
 
@@ -210,10 +216,6 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
 			break;
 		}
 	}
-	fl4->flowi4_proto = iph->protocol;
-	fl4->daddr = reverse ? iph->saddr : iph->daddr;
-	fl4->saddr = reverse ? iph->daddr : iph->saddr;
-	fl4->flowi4_tos = iph->tos;
 }
 
 static inline int xfrm4_garbage_collect(struct dst_ops *ops)
-- 
2.20.1

* [PATCH 4.4 068/241] KVM: arm/arm64: Ensure vcpu target is unset on reset failure
From: Greg Kroah-Hartman @ 2019-06-09 16:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andrew Jones, Marc Zyngier, Sasha Levin

[ Upstream commit 811328fc3222f7b55846de0cd0404339e2e1e6d7 ]

A failed KVM_ARM_VCPU_INIT should not set the vcpu target,
as the vcpu target is used by kvm_vcpu_initialized() to
determine if other vcpu ioctls may proceed. We need to set
the target before calling kvm_reset_vcpu(), but if that call
fails, we should then unset it and clear the feature bitmap
while we're at it.

Signed-off-by: Andrew Jones <drjones@redhat.com>
[maz: Simplified patch, completed commit message]
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm/kvm/arm.c |   11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

--- a/arch/arm/kvm/arm.c
+++ b/arch/arm/kvm/arm.c
@@ -744,7 +744,7 @@ int kvm_vm_ioctl_irq_line(struct kvm *kv
 static int kvm_vcpu_set_target(struct kvm_vcpu *vcpu,
 			       const struct kvm_vcpu_init *init)
 {
-	unsigned int i;
+	unsigned int i, ret;
 	int phys_target = kvm_target_cpu();
 
 	if (init->target != phys_target)
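
Review bot: `ret` is declared `unsigned int` alongside `i`, but kvm_reset_vcpu() returns an `int` error code and kvm_vcpu_set_target() returns `int`; the negative value survives the round trip, so this works, but it invites sign-compare warnings and reads as a mistake. Declare it as `int ret;` on its own line.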
@@ -779,9 +779,14 @@ static int kvm_vcpu_set_target(struct kv
 	vcpu->arch.target = phys_target;
 
 	/* Now we know what it is, we can reset it. */
-	return kvm_reset_vcpu(vcpu);
-}
+	ret = kvm_reset_vcpu(vcpu);
+	if (ret) {
+		vcpu->arch.target = -1;
+		bitmap_zero(vcpu->arch.features, KVM_VCPU_MAX_FEATURES);
+	}
 
+	return ret;
+}
 
 static int kvm_arch_vcpu_ioctl_vcpu_init(struct kvm_vcpu *vcpu,
 					 struct kvm_vcpu_init *init)

* [PATCH 4.4 069/241] power: supply: sysfs: prevent endless uevent loop with CONFIG_POWER_SUPPLY_DEBUG
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (67 preceding siblings ...)
  2019-06-09 16:40 ` [PATCH 4.4 068/241] KVM: arm/arm64: Ensure vcpu target is unset on reset failure Greg Kroah-Hartman
@ 2019-06-09 16:40 ` Greg Kroah-Hartman
  2019-06-09 16:40 ` [PATCH 4.4 070/241] ufs: fix braino in ufs_get_inode_gid() for solaris UFS flavour Greg Kroah-Hartman
                   ` (176 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andrey Smirnov, Chris Healy,
	linux-pm, Sebastian Reichel, Sasha Levin

[ Upstream commit 349ced9984ff540ce74ca8a0b2e9b03dc434b9dd ]

Fix a similar endless event loop as was done in commit
8dcf32175b4e ("i2c: prevent endless uevent loop with
CONFIG_I2C_DEBUG_CORE"):

  The culprit is the dev_dbg printk in the i2c uevent handler. If
  this is activated (for instance by CONFIG_I2C_DEBUG_CORE) it results
  in an endless loop with systemd-journald.

  This happens if user-space scans the system log and reads the uevent
  file to get information about a newly created device, which seems
  fair use to me. Unfortunately reading the "uevent" file uses the
  same function that runs for creating the uevent for a new device,
  generating the next syslog entry

Both CONFIG_I2C_DEBUG_CORE and CONFIG_POWER_SUPPLY_DEBUG were reported
in https://bugs.freedesktop.org/show_bug.cgi?id=76886 but only the former
seems to have been fixed. Drop the debug prints as was done in the I2C
subsystem to resolve the issue.

Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
Cc: Chris Healy <cphealy@gmail.com>
Cc: linux-pm@vger.kernel.org
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/power/power_supply_sysfs.c | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/drivers/power/power_supply_sysfs.c b/drivers/power/power_supply_sysfs.c
index ed2d7fd0c734d..488dd7eb0aeb7 100644
--- a/drivers/power/power_supply_sysfs.c
+++ b/drivers/power/power_supply_sysfs.c
@@ -277,15 +277,11 @@ int power_supply_uevent(struct device *dev, struct kobj_uevent_env *env)
 	char *prop_buf;
 	char *attrname;
 
-	dev_dbg(dev, "uevent\n");
-
 	if (!psy || !psy->desc) {
 		dev_dbg(dev, "No power supply yet\n");
 		return ret;
 	}
 
-	dev_dbg(dev, "POWER_SUPPLY_NAME=%s\n", psy->desc->name);
-
 	ret = add_uevent_var(env, "POWER_SUPPLY_NAME=%s", psy->desc->name);
 	if (ret)
 		return ret;
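Review bot: the `dev_dbg(dev, "No power supply yet\n");` context line is kept while the other two dev_dbg() calls in this function are removed, yet it sits on the same path: a read of the uevent attribute before `psy->desc` is populated still emits a debug line under CONFIG_POWER_SUPPLY_DEBUG and can therefore still feed the journald read/log loop the message describes. Either drop it as well or switch it to dev_dbg_ratelimited() so the handler never produces log output on the read path.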
@@ -321,8 +317,6 @@ int power_supply_uevent(struct device *dev, struct kobj_uevent_env *env)
 			goto out;
 		}
 
-		dev_dbg(dev, "prop %s=%s\n", attrname, prop_buf);
-
 		ret = add_uevent_var(env, "POWER_SUPPLY_%s=%s", attrname, prop_buf);
 		kfree(attrname);
 		if (ret)
-- 
2.20.1





* [PATCH 4.4 070/241] ufs: fix braino in ufs_get_inode_gid() for solaris UFS flavour
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (68 preceding siblings ...)
  2019-06-09 16:40 ` [PATCH 4.4 069/241] power: supply: sysfs: prevent endless uevent loop with CONFIG_POWER_SUPPLY_DEBUG Greg Kroah-Hartman
@ 2019-06-09 16:40 ` Greg Kroah-Hartman
  2019-06-09 16:40 ` [PATCH 4.4 071/241] perf bench numa: Add define for RUSAGE_THREAD if not present Greg Kroah-Hartman
                   ` (175 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:40 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Al Viro, Sasha Levin

[ Upstream commit 4e9036042fedaffcd868d7f7aa948756c48c637d ]

To choose whether to pick the GID from the old (16bit) or new (32bit)
field, we should check if the old gid field is set to 0xffff.  Mainline
checks the old *UID* field instead - cut'n'paste from the corresponding
code in ufs_get_inode_uid().

Fixes: 252e211e90ce
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/ufs/util.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/ufs/util.h b/fs/ufs/util.h
index 3f9463f8cf2fa..f877d5cadd981 100644
--- a/fs/ufs/util.h
+++ b/fs/ufs/util.h
@@ -228,7 +228,7 @@ ufs_get_inode_gid(struct super_block *sb, struct ufs_inode *inode)
 	case UFS_UID_44BSD:
 		return fs32_to_cpu(sb, inode->ui_u3.ui_44.ui_gid);
 	case UFS_UID_EFT:
-		if (inode->ui_u1.oldids.ui_suid == 0xFFFF)
+		if (inode->ui_u1.oldids.ui_sgid == 0xFFFF)
 			return fs32_to_cpu(sb, inode->ui_u3.ui_sun.ui_gid);
 		/* Fall through */
 	default:
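Review bot: the corrected `inode->ui_u1.oldids.ui_sgid == 0xFFFF` test compares the raw on-disk 16-bit field with no fs16_to_cpu() conversion, unlike the `fs32_to_cpu(sb, ...)` calls on the surrounding lines; that is correct only because the 0xFFFF sentinel reads the same in either byte order, and a short comment stating that would stop the next reader from "fixing" it by adding a conversion.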
-- 
2.20.1





* [PATCH 4.4 071/241] perf bench numa: Add define for RUSAGE_THREAD if not present
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (69 preceding siblings ...)
  2019-06-09 16:40 ` [PATCH 4.4 070/241] ufs: fix braino in ufs_get_inode_gid() for solaris UFS flavour Greg Kroah-Hartman
@ 2019-06-09 16:40 ` Greg Kroah-Hartman
  2019-06-09 16:40 ` [PATCH 4.4 072/241] Revert "Dont jump to compute_result state from check_result state" Greg Kroah-Hartman
                   ` (174 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Arnd Bergmann, Jiri Olsa,
	linux-snps-arc, Namhyung Kim, Vineet Gupta,
	Arnaldo Carvalho de Melo, Sasha Levin

[ Upstream commit bf561d3c13423fc54daa19b5d49dc15fafdb7acc ]

While cross building perf to the ARC architecture on a fedora 30 host,
we were failing with:

      CC       /tmp/build/perf/bench/numa.o
  bench/numa.c: In function ‘worker_thread’:
  bench/numa.c:1261:12: error: ‘RUSAGE_THREAD’ undeclared (first use in this function); did you mean ‘SIGEV_THREAD’?
    getrusage(RUSAGE_THREAD, &rusage);
              ^~~~~~~~~~~~~
              SIGEV_THREAD
  bench/numa.c:1261:12: note: each undeclared identifier is reported only once for each function it appears in

[perfbuilder@60d5802468f6 perf]$ /arc_gnu_2019.03-rc1_prebuilt_uclibc_le_archs_linux_install/bin/arc-linux-gcc --version | head -1
arc-linux-gcc (ARCv2 ISA Linux uClibc toolchain 2019.03-rc1) 8.3.1 20190225
[perfbuilder@60d5802468f6 perf]$

Trying to reproduce a report by Vineet, I noticed that, with just
cross-built zlib and numactl libraries, I ended up with the above
failure.

So, since RUSAGE_THREAD is available as a define, check for that and
numactl libraries, I ended up with the above failure.

So, since RUSAGE_THREAD is available as a define in the system headers,
check if it is defined in the 'perf bench numa' sources and define it if
not.

Now it builds and I have to figure out if the problem reported by Vineet
only takes place if we have libelf or some other library available.

Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: linux-snps-arc@lists.infradead.org
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Vineet Gupta <Vineet.Gupta1@synopsys.com>
Link: https://lkml.kernel.org/n/tip-2wb4r1gir9xrevbpq7qp0amk@git.kernel.org
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/perf/bench/numa.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/tools/perf/bench/numa.c b/tools/perf/bench/numa.c
index 73d192f57dc34..df41deed0320e 100644
--- a/tools/perf/bench/numa.c
+++ b/tools/perf/bench/numa.c
@@ -32,6 +32,10 @@
 #include <numa.h>
 #include <numaif.h>
 
+#ifndef RUSAGE_THREAD
+# define RUSAGE_THREAD 1
+#endif
+
 /*
  * Regular printout to the terminal, supressed if -q is specified:
  */
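Review bot: the fallback `# define RUSAGE_THREAD 1` hard-codes a kernel ABI constant inside an `#ifndef` that gives no hint where the value comes from. It does match the Linux UAPI definition in include/uapi/linux/resource.h, so either cite that header in a comment or include <linux/resource.h> directly instead of restating the number, so the reader can see it is not an arbitrary choice.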
-- 
2.20.1





* [PATCH 4.4 072/241] Revert "Dont jump to compute_result state from check_result state"
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (70 preceding siblings ...)
  2019-06-09 16:40 ` [PATCH 4.4 071/241] perf bench numa: Add define for RUSAGE_THREAD if not present Greg Kroah-Hartman
@ 2019-06-09 16:40 ` Greg Kroah-Hartman
  2019-06-09 16:40 ` [PATCH 4.4 073/241] md/raid: raid5 preserve the writeback action after the parity check Greg Kroah-Hartman
                   ` (173 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dan Williams, Nigel Croxon, Xiao Ni,
	Song Liu

From: Song Liu <songliubraving@fb.com>

commit a25d8c327bb41742dbd59f8c545f59f3b9c39983 upstream.

This reverts commit 4f4fd7c5798bbdd5a03a60f6269cf1177fbd11ef.

Cc: Dan Williams <dan.j.williams@intel.com>
Cc: Nigel Croxon <ncroxon@redhat.com>
Cc: Xiao Ni <xni@redhat.com>
Signed-off-by: Song Liu <songliubraving@fb.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/md/raid5.c |   19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

--- a/drivers/md/raid5.c
+++ b/drivers/md/raid5.c
@@ -3897,15 +3897,26 @@ static void handle_parity_checks6(struct
 	case check_state_check_result:
 		sh->check_state = check_state_idle;
 
-		if (s->failed > 1)
-			break;
 		/* handle a successful check operation, if parity is correct
 		 * we are done.  Otherwise update the mismatch count and repair
 		 * parity if !MD_RECOVERY_CHECK
 		 */
 		if (sh->ops.zero_sum_result == 0) {
-			/* Any parity checked was correct */
-			set_bit(STRIPE_INSYNC, &sh->state);
+			/* both parities are correct */
+			if (!s->failed)
+				set_bit(STRIPE_INSYNC, &sh->state);
+			else {
+				/* in contrast to the raid5 case we can validate
+				 * parity, but still have a failure to write
+				 * back
+				 */
+				sh->check_state = check_state_compute_result;
+				/* Returning at this point means that we may go
+				 * off and bring p and/or q uptodate again so
+				 * we make sure to check zero_sum_result again
+				 * to verify if p or q need writeback
+				 */
+			}
 		} else {
 			atomic64_add(STRIPE_SECTORS, &conf->mddev->resync_mismatches);
 			if (test_bit(MD_RECOVERY_CHECK, &conf->mddev->recovery))
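Review bot: this hunk re-enables the transition to `check_state_compute_result` while `s->failed` is non-zero, which is precisely the path the reverted commit removed, yet the message says only "This reverts commit ...". State why the revert is needed and that it is meant to be applied together with the next patch in this series (073/241, which adds a WARN_ONCE guard in the same function), so a backport does not pick up one without the other.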




* [PATCH 4.4 073/241] md/raid: raid5 preserve the writeback action after the parity check
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (71 preceding siblings ...)
  2019-06-09 16:40 ` [PATCH 4.4 072/241] Revert "Dont jump to compute_result state from check_result state" Greg Kroah-Hartman
@ 2019-06-09 16:40 ` Greg Kroah-Hartman
  2019-06-09 16:40 ` [PATCH 4.4 074/241] btrfs: Honour FITRIM range constraints during free space trim Greg Kroah-Hartman
                   ` (172 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dan Williams, Nigel Croxon, Song Liu

From: Nigel Croxon <ncroxon@redhat.com>

commit b2176a1dfb518d870ee073445d27055fea64dfb8 upstream.

The problem is that any 'uptodate' vs 'disks' check is not precise
in this path. Put a "WARN_ON(!test_bit(R5_UPTODATE, &dev->flags))" on the
device that might try to kick off writes and then skip the action.
Better to prevent the raid driver from taking unexpected action *and* keep
the system alive vs killing the machine with BUG_ON.

Note: fixed warning reported by kbuild test robot <lkp@intel.com>

Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Nigel Croxon <ncroxon@redhat.com>
Signed-off-by: Song Liu <songliubraving@fb.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/md/raid5.c |   10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

--- a/drivers/md/raid5.c
+++ b/drivers/md/raid5.c
@@ -3861,7 +3861,7 @@ static void handle_parity_checks6(struct
 		/* now write out any block on a failed drive,
 		 * or P or Q if they were recomputed
 		 */
-		BUG_ON(s->uptodate < disks - 1); /* We don't need Q to recover */
+		dev = NULL;
 		if (s->failed == 2) {
 			dev = &sh->dev[s->failed_num[1]];
 			s->locked++;
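Review bot: replacing `BUG_ON(s->uptodate < disks - 1);` with `dev = NULL;` removes the stripe-level invariant check entirely rather than downgrading it; the per-device WARN_ONCE added further down covers only the `dev` selected in the branches below, and the `/* We don't need Q to recover */` reasoning is no longer recorded anywhere. A comment here saying that the check has moved to the device actually being written would preserve that.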
@@ -3886,6 +3886,14 @@ static void handle_parity_checks6(struct
 			set_bit(R5_LOCKED, &dev->flags);
 			set_bit(R5_Wantwrite, &dev->flags);
 		}
+		if (WARN_ONCE(dev && !test_bit(R5_UPTODATE, &dev->flags),
+			      "%s: disk%td not up to date\n",
+			      mdname(conf->mddev),
+			      dev - (struct r5dev *) &sh->dev)) {
+			clear_bit(R5_LOCKED, &dev->flags);
+			clear_bit(R5_Wantwrite, &dev->flags);
+			s->locked--;
+		}
 		clear_bit(STRIPE_DEGRADED, &sh->state);
 
 		set_bit(STRIPE_INSYNC, &sh->state);
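Review bot: WARN_ONCE() prints once but returns its condition on every call, so the `clear_bit()`/`s->locked--` recovery in this block runs on every occurrence while only the first is logged; say so in a comment. More important, after the write is cancelled the code still falls through to `set_bit(STRIPE_INSYNC, &sh->state)`, marking in-sync a stripe whose failed device was never rewritten. If keeping the array running is the intended trade-off, state it next to the set_bit; otherwise the INSYNC bit should be skipped on this path.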




* [PATCH 4.4 074/241] btrfs: Honour FITRIM range constraints during free space trim
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (72 preceding siblings ...)
  2019-06-09 16:40 ` [PATCH 4.4 073/241] md/raid: raid5 preserve the writeback action after the parity check Greg Kroah-Hartman
@ 2019-06-09 16:40 ` Greg Kroah-Hartman
  2019-06-09 16:40 ` [PATCH 4.4 075/241] fbdev: sm712fb: fix memory frequency by avoiding a switch/case fallthrough Greg Kroah-Hartman
                   ` (171 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:40 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Nikolay Borisov, David Sterba

From: Nikolay Borisov <nborisov@suse.com>

commit c2d1b3aae33605a61cbab445d8ae1c708ccd2698 upstream.

Up until now trimming the freespace was done irrespective of what the
arguments of the FITRIM ioctl were. For example fstrim's -o/-l arguments
were entirely ignored. Fix it by correctly handling those parameters.
This requires breaking if the found freespace extent is after the end of
the passed range as well as completing trim after trimming
fstrim_range::len bytes.

Fixes: 499f377f49f0 ("btrfs: iterate over unused chunk space in FITRIM")
CC: stable@vger.kernel.org # 4.4+
Signed-off-by: Nikolay Borisov <nborisov@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>


---
 fs/btrfs/extent-tree.c |   25 +++++++++++++++++++------
 1 file changed, 19 insertions(+), 6 deletions(-)

--- a/fs/btrfs/extent-tree.c
+++ b/fs/btrfs/extent-tree.c
@@ -10730,9 +10730,9 @@ int btrfs_error_unpin_extent_range(struc
  * transaction.
  */
 static int btrfs_trim_free_extents(struct btrfs_device *device,
-				   u64 minlen, u64 *trimmed)
+				   struct fstrim_range *range, u64 *trimmed)
 {
-	u64 start = 0, len = 0;
+	u64 start = range->start, len = 0;
 	int ret;
 
 	*trimmed = 0;
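Review bot: `u64 start = range->start` takes a caller-supplied value straight from the FITRIM ioctl and nothing in this function bounds it against the device size; if the ioctl entry point already validates `range->start` and clamps `range->len`, a comment on the new signature saying the range is pre-validated would spare every later reader the same question.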
@@ -10768,8 +10768,8 @@ static int btrfs_trim_free_extents(struc
 			atomic_inc(&trans->use_count);
 		spin_unlock(&fs_info->trans_lock);
 
-		ret = find_free_dev_extent_start(trans, device, minlen, start,
-						 &start, &len);
+		ret = find_free_dev_extent_start(trans, device, range->minlen,
+						 start, &start, &len);
 		if (trans)
 			btrfs_put_transaction(trans);
 
@@ -10781,6 +10781,16 @@ static int btrfs_trim_free_extents(struc
 			break;
 		}
 
+		/* If we are out of the passed range break */
+		if (start > range->start + range->len - 1) {
+			mutex_unlock(&fs_info->chunk_mutex);
+			ret = 0;
+			break;
+		}
+
+		start = max(range->start, start);
+		len = min(range->len, len);
+
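Review bot: `len = min(range->len, len);` bounds the discard by the total range length, not by the bytes remaining to the end of the range: with range->start = 0, range->len = 100 and a free extent found at start = 50 of length 100, the loop discards 50..150, past the requested end. It should be `min(range->start + range->len - start, len)`. Likewise `range->start + range->len - 1` wraps if userspace passes a len near U64_MAX (fstrim's "whole device" case) unless the ioctl entry point has already clamped range->len; a comment here saying which applies would help.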
 		ret = btrfs_issue_discard(device->bdev, start, len, &bytes);
 		up_read(&fs_info->commit_root_sem);
 		mutex_unlock(&fs_info->chunk_mutex);
@@ -10791,6 +10801,10 @@ static int btrfs_trim_free_extents(struc
 		start += len;
 		*trimmed += bytes;
 
+		/* We've trimmed enough */
+		if (*trimmed >= range->len)
+			break;
+
 		if (fatal_signal_pending(current)) {
 			ret = -ERESTARTSYS;
 			break;
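Review bot: `if (*trimmed >= range->len)` compares the bytes the device reported as discarded (`bytes` from btrfs_issue_discard, accumulated into `*trimmed`) with the length of the requested range, so it tracks volume rather than position: a device that reports fewer bytes than requested keeps the loop going until the position check at the top of the loop ends it, and one that reports more ends it early. Ending the loop on `start` reaching `range->start + range->len` is the unambiguous condition, and makes this check redundant.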
@@ -10857,8 +10871,7 @@ int btrfs_trim_fs(struct btrfs_root *roo
 	mutex_lock(&root->fs_info->fs_devices->device_list_mutex);
 	devices = &root->fs_info->fs_devices->devices;
 	list_for_each_entry(device, devices, dev_list) {
-		ret = btrfs_trim_free_extents(device, range->minlen,
-					      &group_trimmed);
+		ret = btrfs_trim_free_extents(device, range, &group_trimmed);
 		if (ret)
 			break;
 
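Review bot: `btrfs_trim_free_extents(device, range, &group_trimmed)` now hands the same `range` to every device in the `devices` list, but the FITRIM range userspace supplies is expressed in filesystem logical offsets, whereas `start`/`len` inside btrfs_trim_free_extents() are device offsets that go straight to btrfs_issue_discard() on `device->bdev`. On a multi-device filesystem the two address spaces do not coincide, so either confirm and document that per-device physical application is the intended semantics, or translate the range per device.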




* [PATCH 4.4 075/241] fbdev: sm712fb: fix memory frequency by avoiding a switch/case fallthrough
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (73 preceding siblings ...)
  2019-06-09 16:40 ` [PATCH 4.4 074/241] btrfs: Honour FITRIM range constraints during free space trim Greg Kroah-Hartman
@ 2019-06-09 16:40 ` Greg Kroah-Hartman
  2019-06-09 16:40 ` [PATCH 4.4 076/241] ext4: do not delete unlinked inode from orphan list on failed truncate Greg Kroah-Hartman
                   ` (170 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Stephen Rothwell, Yifeng Li,
	Sudip Mukherjee, Gustavo A. R. Silva, Kees Cook,
	Bartlomiej Zolnierkiewicz

From: Yifeng Li <tomli@tomli.me>

commit 9dc20113988b9a75ea6b3abd68dc45e2d73ccdab upstream.

A fallthrough in switch/case was introduced in f627caf55b8e ("fbdev:
sm712fb: fix crashes and garbled display during DPMS modesetting"),
due to my copy-paste error, which would cause the memory clock frequency
for SM720 to be programmed to SM712.

Since it only reprograms the clock to a different frequency, it's only
a benign issue without visible side-effect, so it also evaded Sudip
Mukherjee's code review and regression tests. scripts/checkpatch.pl
also failed to discover the issue, possibly due to nested switch
statements.

This issue was found by Stephen Rothwell by building linux-next with
-Wimplicit-fallthrough.

Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
Fixes: f627caf55b8e ("fbdev: sm712fb: fix crashes and garbled display during DPMS modesetting")
Signed-off-by: Yifeng Li <tomli@tomli.me>
Cc: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Cc: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
Cc: Kees Cook <keescook@chromium.org>
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/video/fbdev/sm712fb.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/video/fbdev/sm712fb.c
+++ b/drivers/video/fbdev/sm712fb.c
@@ -898,6 +898,7 @@ static int smtc_blank(int blank_mode, st
 		case 0x712:
 			smtc_seqw(0x6a, 0x16);
 			smtc_seqw(0x6b, 0x02);
+			break;
 		case 0x720:
 			smtc_seqw(0x6a, 0x0d);
 			smtc_seqw(0x6b, 0x02);




* [PATCH 4.4 076/241] ext4: do not delete unlinked inode from orphan list on failed truncate
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (74 preceding siblings ...)
  2019-06-09 16:40 ` [PATCH 4.4 075/241] fbdev: sm712fb: fix memory frequency by avoiding a switch/case fallthrough Greg Kroah-Hartman
@ 2019-06-09 16:40 ` Greg Kroah-Hartman
  2019-06-09 16:40 ` [PATCH 4.4 077/241] KVM: x86: fix return value for reserved EFER Greg Kroah-Hartman
                   ` (169 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ira Weiny, Jan Kara, Theodore Tso, stable

From: Jan Kara <jack@suse.cz>

commit ee0ed02ca93ef1ecf8963ad96638795d55af2c14 upstream.

It is possible that an unlinked inode enters ext4_setattr() (e.g. if
somebody calls ftruncate(2) on an unlinked but still open file). In such
a case we should not delete the inode from the orphan list if truncate
fails. Note that this is mostly a theoretical concern as the filesystem is
corrupted if we reach this path anyway, but let's be consistent in our
orphan handling.

Reviewed-by: Ira Weiny <ira.weiny@intel.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/ext4/inode.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -4944,7 +4944,7 @@ int ext4_setattr(struct dentry *dentry,
 			up_write(&EXT4_I(inode)->i_data_sem);
 			ext4_journal_stop(handle);
 			if (error) {
-				if (orphan)
+				if (orphan && inode->i_nlink)
 					ext4_orphan_del(NULL, inode);
 				goto err_out;
 			}
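Review bot: `if (orphan && inode->i_nlink)` is correct but reads as if a non-zero link count were a general precondition for orphan removal; the actual reason, per the message, is that an unlinked inode (i_nlink == 0) must stay on the orphan list so the next mount still reclaims it. A one-line comment above the condition would make that intent visible at the site.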




* [PATCH 4.4 077/241] KVM: x86: fix return value for reserved EFER
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (75 preceding siblings ...)
  2019-06-09 16:40 ` [PATCH 4.4 076/241] ext4: do not delete unlinked inode from orphan list on failed truncate Greg Kroah-Hartman
@ 2019-06-09 16:40 ` Greg Kroah-Hartman
  2019-06-09 16:40 ` [PATCH 4.4 078/241] bio: fix improper use of smp_mb__before_atomic() Greg Kroah-Hartman
                   ` (168 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Pavel Machek, Sean Christopherson,
	Paolo Bonzini

From: Paolo Bonzini <pbonzini@redhat.com>

commit 66f61c92889ff3ca365161fb29dd36d6354682ba upstream.

Commit 11988499e62b ("KVM: x86: Skip EFER vs. guest CPUID checks for
host-initiated writes", 2019-04-02) introduced a "return false" in a
function returning int, and anyway set_efer has a "nonzero on error"
convention so it should be returning 1.

Reported-by: Pavel Machek <pavel@denx.de>
Fixes: 11988499e62b ("KVM: x86: Skip EFER vs. guest CPUID checks for host-initiated writes")
Cc: Sean Christopherson <sean.j.christopherson@intel.com>
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/kvm/x86.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -1026,7 +1026,7 @@ static int set_efer(struct kvm_vcpu *vcp
 	u64 efer = msr_info->data;
 
 	if (efer & efer_reserved_bits)
-		return false;
+		return 1;
 
 	if (!msr_info->host_initiated) {
 		if (!__kvm_valid_efer(vcpu, efer))
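Review bot: the old `return false;` compiled to 0, which under set_efer()'s "nonzero on error" convention means success, so a write with bits in `efer_reserved_bits` was accepted rather than rejected, and no compiler diagnostic flags a bool returned from an `int` function. The `return 1;` is the right fix; since the mistake was silent, a short comment at the top of the function recording the return convention would help keep it from recurring.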




* [PATCH 4.4 078/241] bio: fix improper use of smp_mb__before_atomic()
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (76 preceding siblings ...)
  2019-06-09 16:40 ` [PATCH 4.4 077/241] KVM: x86: fix return value for reserved EFER Greg Kroah-Hartman
@ 2019-06-09 16:40 ` Greg Kroah-Hartman
  2019-06-09 16:40 ` [PATCH 4.4 079/241] Revert "scsi: sd: Keep disk read-only when re-reading partition" Greg Kroah-Hartman
                   ` (167 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Paul E. McKenney, Peter Zijlstra,
	Andrea Parri, Ming Lei, Jens Axboe, linux-block

From: Andrea Parri <andrea.parri@amarulasolutions.com>

commit f381c6a4bd0ae0fde2d6340f1b9bb0f58d915de6 upstream.

This barrier only applies to the read-modify-write operations; in
particular, it does not apply to the atomic_set() primitive.

Replace the barrier with an smp_mb().

Fixes: dac56212e8127 ("bio: skip atomic inc/dec of ->bi_cnt for most use cases")
Cc: stable@vger.kernel.org
Reported-by: "Paul E. McKenney" <paulmck@linux.ibm.com>
Reported-by: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Andrea Parri <andrea.parri@amarulasolutions.com>
Reviewed-by: Ming Lei <ming.lei@redhat.com>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: Ming Lei <ming.lei@redhat.com>
Cc: linux-block@vger.kernel.org
Cc: "Paul E. McKenney" <paulmck@linux.ibm.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/linux/bio.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/include/linux/bio.h
+++ b/include/linux/bio.h
@@ -290,7 +290,7 @@ static inline void bio_cnt_set(struct bi
 {
 	if (count != 1) {
 		bio->bi_flags |= (1 << BIO_REFFED);
-		smp_mb__before_atomic();
+		smp_mb();
 	}
 	atomic_set(&bio->__bi_cnt, count);
 }
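Review bot: `smp_mb();` is the correct replacement because smp_mb__before_atomic() only orders against a following atomic read-modify-write, and `atomic_set(&bio->__bi_cnt, count)` on the next line is a plain store, so the write to `bio->bi_flags` had no guaranteed ordering against it. A brief comment stating that the full barrier is deliberate would keep someone from "optimising" it back to the cheaper primitive.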




* [PATCH 4.4 079/241] Revert "scsi: sd: Keep disk read-only when re-reading partition"
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (77 preceding siblings ...)
  2019-06-09 16:40 ` [PATCH 4.4 078/241] bio: fix improper use of smp_mb__before_atomic() Greg Kroah-Hartman
@ 2019-06-09 16:40 ` Greg Kroah-Hartman
  2019-06-09 16:40 ` [PATCH 4.4 080/241] crypto: vmx - CTR: always increment IV as quadword Greg Kroah-Hartman
                   ` (166 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:40 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Martin K. Petersen

From: Martin K. Petersen <martin.petersen@oracle.com>

commit 8acf608e602f6ec38b7cc37b04c80f1ce9a1a6cc upstream.

This reverts commit 20bd1d026aacc5399464f8328f305985c493cde3.

This patch introduced regressions for devices that come online in
read-only state and subsequently switch to read-write.

Given how the partition code is currently implemented it is not
possible to persist the read-only flag across a device revalidate
call. This may need to get addressed in the future since it is common
for user applications to proactively call BLKRRPART.

Reverting this commit will re-introduce a regression where a
device-initiated revalidate event will cause the admin state to be
forgotten. A separate patch will address this issue.

Fixes: 20bd1d026aac ("scsi: sd: Keep disk read-only when re-reading partition")
Cc: <stable@vger.kernel.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/sd.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/drivers/scsi/sd.c
+++ b/drivers/scsi/sd.c
@@ -2396,7 +2396,6 @@ sd_read_write_protect_flag(struct scsi_d
 	int res;
 	struct scsi_device *sdp = sdkp->device;
 	struct scsi_mode_data data;
-	int disk_ro = get_disk_ro(sdkp->disk);
 	int old_wp = sdkp->write_prot;
 
 	set_disk_ro(sdkp->disk, 0);
@@ -2437,7 +2436,7 @@ sd_read_write_protect_flag(struct scsi_d
 			  "Test WP failed, assume Write Enabled\n");
 	} else {
 		sdkp->write_prot = ((data.device_specific & 0x80) != 0);
-		set_disk_ro(sdkp->disk, sdkp->write_prot || disk_ro);
+		set_disk_ro(sdkp->disk, sdkp->write_prot);
 		if (sdkp->first_scan || old_wp != sdkp->write_prot) {
 			sd_printk(KERN_NOTICE, sdkp, "Write Protect is %s\n",
 				  sdkp->write_prot ? "on" : "off");
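Review bot: with `set_disk_ro(sdkp->disk, sdkp->write_prot);` the disk's read-only state is derived solely from the mode-sense result, so an administrator's BLKROSET setting is discarded on every revalidate, as the message admits; and on the "Test WP failed, assume Write Enabled" branch above, combined with the unconditional `set_disk_ro(sdkp->disk, 0)` in the previous hunk, a failed probe leaves the device writable. Both deserve a comment at this line pointing at the promised follow-up, so the regression is not mistaken for intended behaviour when this is backported.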




* [PATCH 4.4 080/241] crypto: vmx - CTR: always increment IV as quadword
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (78 preceding siblings ...)
  2019-06-09 16:40 ` [PATCH 4.4 079/241] Revert "scsi: sd: Keep disk read-only when re-reading partition" Greg Kroah-Hartman
@ 2019-06-09 16:40 ` Greg Kroah-Hartman
  2019-06-09 16:40 ` [PATCH 4.4 081/241] gfs2: Fix sign extension bug in gfs2_update_stats Greg Kroah-Hartman
                   ` (165 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Daniel Axtens, Nayna Jain, Herbert Xu

From: Daniel Axtens <dja@axtens.net>

commit 009b30ac7444c17fae34c4f435ebce8e8e2b3250 upstream.

The kernel self-tests picked up an issue with CTR mode:
alg: skcipher: p8_aes_ctr encryption test failed (wrong result) on test vector 3, cfg="uneven misaligned splits, may sleep"

Test vector 3 has an IV of FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD, so
after 3 increments it should wrap around to 0.

In the aesp8-ppc code from OpenSSL, there are two paths that
increment IVs: the bulk (8 at a time) path, and the individual
path which is used when there are fewer than 8 AES blocks to
process.

In the bulk path, the IV is incremented with vadduqm: "Vector
Add Unsigned Quadword Modulo", which does 128-bit addition.

In the individual path, however, the IV is incremented with
vadduwm: "Vector Add Unsigned Word Modulo", which instead
does 4 32-bit additions. Thus the IV would instead become
FFFFFFFFFFFFFFFFFFFFFFFF00000000, throwing off the result.

Use vadduqm.

This was probably a typo originally, what with q and w being
adjacent. It is a pretty narrow edge case: I am really
impressed by the quality of the kernel self-tests!

Fixes: 5c380d623ed3 ("crypto: vmx - Add support for VMS instructions by ASM")
Cc: stable@vger.kernel.org
Signed-off-by: Daniel Axtens <dja@axtens.net>
Acked-by: Nayna Jain <nayna@linux.ibm.com>
Tested-by: Nayna Jain <nayna@linux.ibm.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/crypto/vmx/aesp8-ppc.pl |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/crypto/vmx/aesp8-ppc.pl
+++ b/drivers/crypto/vmx/aesp8-ppc.pl
@@ -1298,7 +1298,7 @@ Loop_ctr32_enc:
 	addi		$idx,$idx,16
 	bdnz		Loop_ctr32_enc
 
-	vadduwm		$ivec,$ivec,$one
+	vadduqm		$ivec,$ivec,$one
 	 vmr		$dat,$inptail
 	 lvx		$inptail,0,$inp
 	 addi		$inp,$inp,16
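Review bot: `vadduqm $ivec,$ivec,$one` performs a single 128-bit add, so `$one` must hold the value 1 as one quadword; a splat of 32-bit ones, which would have been harmless with vadduwm, would now add 2^96 + 2^64 + 2^32 + 1. Check that `$one` is built the same way as in the bulk 8-block path the message says already uses vadduqm. Also worth recording in the message that the per-word add was more than an interoperability bug: without carry the low 32 bits wrap on their own, so counter blocks repeat once the low word cycles, which is CTR keystream reuse under the same key.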




* [PATCH 4.4 081/241] gfs2: Fix sign extension bug in gfs2_update_stats
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (79 preceding siblings ...)
  2019-06-09 16:40 ` [PATCH 4.4 080/241] crypto: vmx - CTR: always increment IV as quadword Greg Kroah-Hartman
@ 2019-06-09 16:40 ` Greg Kroah-Hartman
  2019-06-09 16:40 ` [PATCH 4.4 082/241] Btrfs: fix race between ranged fsync and writeback of adjacent ranges Greg Kroah-Hartman
                   ` (164 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:40 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Andreas Gruenbacher

From: Andreas Gruenbacher <agruenba@redhat.com>

commit 5a5ec83d6ac974b12085cd99b196795f14079037 upstream.

Commit 4d207133e9c3 changed the types of the statistic values in struct
gfs2_lkstats from s64 to u64.  Because of that, what should be a signed
value in gfs2_update_stats turned into an unsigned value.  When shifted
right, we end up with a large positive value instead of a small negative
value, which results in an incorrect variance estimate.

Fixes: 4d207133e9c3 ("gfs2: Make statistics unsigned, suitable for use with do_div()")
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Cc: stable@vger.kernel.org # v4.4+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/gfs2/lock_dlm.c |    9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

--- a/fs/gfs2/lock_dlm.c
+++ b/fs/gfs2/lock_dlm.c
@@ -32,9 +32,10 @@ extern struct workqueue_struct *gfs2_con
  * @delta is the difference between the current rtt sample and the
  * running average srtt. We add 1/8 of that to the srtt in order to
  * update the current srtt estimate. The variance estimate is a bit
- * more complicated. We subtract the abs value of the @delta from
- * the current variance estimate and add 1/4 of that to the running
- * total.
+ * more complicated. We subtract the current variance estimate from
+ * the abs value of the @delta and add 1/4 of that to the running
+ * total.  That's equivalent to 3/4 of the current variance
+ * estimate plus 1/4 of the abs of @delta.
  *
  * Note that the index points at the array entry containing the smoothed
  * mean value, and the variance is always in the following entry
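Review bot: the last sentence of the new comment ("That's equivalent to 3/4 of the current variance estimate plus 1/4 of the abs of @delta") holds only up to the rounding of the `>> 2` shift in gfs2_update_stats(), which truncates toward minus infinity, so the stored value can differ from the 3/4 + 1/4 form by one; saying "approximately equivalent", or mentioning the rounding, would keep the comment from overstating the exactness.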
@@ -50,7 +51,7 @@ static inline void gfs2_update_stats(str
 	s64 delta = sample - s->stats[index];
 	s->stats[index] += (delta >> 3);
 	index++;
-	s->stats[index] += ((abs(delta) - s->stats[index]) >> 2);
+	s->stats[index] += (s64)(abs(delta) - s->stats[index]) >> 2;
 }
 
 /**
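Review bot: the fix leans on two implementation-defined conversions and deserves a one-line comment at the cast: `abs(delta) - s->stats[index]` is still evaluated in u64 (s64 minus u64), so a negative difference wraps, and the `(s64)` cast followed by `>> 2` assumes modulo conversion back to signed plus an arithmetic right shift, which GCC guarantees but the C standard does not. Without a note such as "stats are u64 since 4d207133e9c3; the difference must be shifted as signed", the next cleanup pass is likely to drop the cast as redundant and reintroduce the huge positive variance the commit message describes. The precedence is right as written: the cast binds to the parenthesised difference and the shift is applied to the resulting s64.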



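An added user-space replay of the gfs2_update_stats() arithmetic above, not code from the gfs2 patch or the kernel: it runs the pre-fix and post-fix variance expressions side by side on a constructed (mean, variance, sample) triple, using stdint types in place of the kernel's s64/u64 and a two-entry pair standing in for gfs2_lkstats; the abs64() helper and variance_reference() are local assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-ins for the kernel's fixed-width types. */
typedef int64_t s64;
typedef uint64_t u64;

/* Two consecutive gfs2_lkstats entries: [0] is the smoothed mean (srtt),
 * [1] the variance, matching the layout described in the hunk's comment.
 * Both are u64 since commit 4d207133e9c3, which is what causes the bug. */
struct lkstats_pair {
	u64 stats[2];
};

/* abs() for s64 (the kernel macro is type-generic; this is a plain helper). */
static s64 abs64(s64 x)
{
	return x < 0 ? -x : x;
}

/*
 * One update step, following gfs2_update_stats() line by line. `fixed`
 * selects the post-patch variance expression, otherwise the pre-patch one.
 *
 * Pre-patch: abs(delta) is s64 and stats[1] is u64, so the subtraction is
 * done in u64 and a negative difference wraps to a huge unsigned value;
 * `>> 2` on that is a logical shift, so a huge value is added to the
 * variance instead of a small amount being subtracted.
 *
 * Post-patch: casting the difference back to s64 before the shift makes the
 * shift arithmetic (GCC guarantees this; the C standard leaves it
 * implementation-defined), and adding the negative s64 to a u64 wraps back
 * to the correct smaller value.
 */
static void update_stats(struct lkstats_pair *s, s64 sample, int fixed)
{
	s64 delta = sample - s->stats[0];	/* s64 - u64 -> u64, then back to s64 */

	s->stats[0] += (delta >> 3);		/* srtt += delta / 8 */
	if (fixed)
		s->stats[1] += (s64)(abs64(delta) - s->stats[1]) >> 2;
	else
		s->stats[1] += ((abs64(delta) - s->stats[1]) >> 2);
}

/* Resulting mean for a single sample (same in both variants). */
static u64 mean_after(u64 mean, u64 variance, s64 sample)
{
	struct lkstats_pair s = { { mean, variance } };

	update_stats(&s, sample, 1);
	return s.stats[0];
}

/* Resulting variance for a single sample, pre- or post-fix. */
static u64 variance_after(u64 mean, u64 variance, s64 sample, int fixed)
{
	struct lkstats_pair s = { { mean, variance } };

	update_stats(&s, sample, fixed);
	return s.stats[1];
}

/* Reference value from the hunk's comment: 3/4 of the old variance plus
 * 1/4 of |delta|. Exact for the inputs below because they are multiples of 4;
 * in general the shift truncates toward minus infinity and can differ by 1. */
static u64 variance_reference(u64 mean, u64 variance, s64 sample)
{
	s64 delta = sample - (s64)mean;

	return (3 * variance + (u64)abs64(delta)) / 4;
}

int main(void)
{
	/* Constructed sample: mean 100, variance 100, new rtt sample 120. The
	 * |delta| of 20 is below the current variance, the case that goes wrong. */
	printf("fixed: variance -> %llu (reference %llu)\n",
	       (unsigned long long)variance_after(100, 100, 120, 1),
	       (unsigned long long)variance_reference(100, 100, 120));
	printf("buggy: variance -> %llu\n",
	       (unsigned long long)variance_after(100, 100, 120, 0));
	/* |delta| above the variance: the difference is positive, both agree. */
	printf("fixed/buggy with |delta| > variance: %llu / %llu\n",
	       (unsigned long long)variance_after(100, 100, 300, 1),
	       (unsigned long long)variance_after(100, 100, 300, 0));
	return 0;
}
```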

* [PATCH 4.4 082/241] Btrfs: fix race between ranged fsync and writeback of adjacent ranges
From: Greg Kroah-Hartman @ 2019-06-09 16:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Josef Bacik, Filipe Manana, David Sterba

From: Filipe Manana <fdmanana@suse.com>

commit 0c713cbab6200b0ab6473b50435e450a6e1de85d upstream.

When we do a full fsync (the bit BTRFS_INODE_NEEDS_FULL_SYNC is set in the
inode) that happens to be ranged, which happens during a msync() or writes
for files opened with O_SYNC for example, we can end up with a corrupt log,
due to different file extent items representing ranges that overlap with
each other, or hit some assertion failures.

When doing a ranged fsync we only flush delalloc and wait for ordered
extents within that range. If, while we are logging items from our inode,
ordered extents for adjacent ranges complete, we end up in a race that can
make us insert file extent items that overlap with others we logged
previously, and hit the assertion failures.

For example, if tree-log.c:copy_items() receives a leaf that has the
following file extent items, all with a length of 4K, and therefore there
is an implicit hole in the range 68K to 72K - 1:

  (257 EXTENT_ITEM 64K), (257 EXTENT_ITEM 72K), (257 EXTENT_ITEM 76K), ...

It copies them to the log tree. However due to the need to detect implicit
holes, it may release the path, in order to look at the previous leaf to
detect an implicit hole, and then later it will search again in the tree
for the first file extent item key, with the goal of locking again the
leaf (which might have changed due to concurrent changes to other inodes).

However when it locks again the leaf containing the first key, the key
corresponding to the extent at offset 72K may not be there anymore since
there is an ordered extent for that range that is finishing (that is,
somewhere in the middle of btrfs_finish_ordered_io()), and it just
removed the file extent item but has not yet replaced it with a new file
extent item, so the part of copy_items() that does hole detection will
decide that there is a hole in the range starting from 68K to 76K - 1,
and therefore insert a file extent item to represent that hole, having
a key offset of 68K. After that we now have a log tree with 2 different
extent items that have overlapping ranges:

 1) The file extent item copied before copy_items() released the path,
    which has a key offset of 72K and a length of 4K, representing the
    file range 72K to 76K - 1.

 2) And a file extent item representing a hole that has a key offset of
    68K and a length of 8K, representing the range 68K to 76K - 1. This
    item was inserted after releasing the path, and overlaps with the
    extent item inserted before.

The overlapping extent items can cause all sorts of unpredictable and
incorrect behaviour, either when replayed or if a fast (non full) fsync
happens later, which can trigger a BUG_ON() when calling
btrfs_set_item_key_safe() through __btrfs_drop_extents(), producing a
trace like the following:

  [61666.783269] ------------[ cut here ]------------
  [61666.783943] kernel BUG at fs/btrfs/ctree.c:3182!
  [61666.784644] invalid opcode: 0000 [#1] PREEMPT SMP
  (...)
  [61666.786253] task: ffff880117b88c40 task.stack: ffffc90008168000
  [61666.786253] RIP: 0010:btrfs_set_item_key_safe+0x7c/0xd2 [btrfs]
  [61666.786253] RSP: 0018:ffffc9000816b958 EFLAGS: 00010246
  [61666.786253] RAX: 0000000000000000 RBX: 000000000000000f RCX: 0000000000030000
  [61666.786253] RDX: 0000000000000000 RSI: ffffc9000816ba4f RDI: ffffc9000816b937
  [61666.786253] RBP: ffffc9000816b998 R08: ffff88011dae2428 R09: 0000000000001000
  [61666.786253] R10: 0000160000000000 R11: 6db6db6db6db6db7 R12: ffff88011dae2418
  [61666.786253] R13: ffffc9000816ba4f R14: ffff8801e10c4118 R15: ffff8801e715c000
  [61666.786253] FS:  00007f6060a18700(0000) GS:ffff88023f5c0000(0000) knlGS:0000000000000000
  [61666.786253] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  [61666.786253] CR2: 00007f6060a28000 CR3: 0000000213e69000 CR4: 00000000000006e0
  [61666.786253] Call Trace:
  [61666.786253]  __btrfs_drop_extents+0x5e3/0xaad [btrfs]
  [61666.786253]  ? time_hardirqs_on+0x9/0x14
  [61666.786253]  btrfs_log_changed_extents+0x294/0x4e0 [btrfs]
  [61666.786253]  ? release_extent_buffer+0x38/0xb4 [btrfs]
  [61666.786253]  btrfs_log_inode+0xb6e/0xcdc [btrfs]
  [61666.786253]  ? lock_acquire+0x131/0x1c5
  [61666.786253]  ? btrfs_log_inode_parent+0xee/0x659 [btrfs]
  [61666.786253]  ? arch_local_irq_save+0x9/0xc
  [61666.786253]  ? btrfs_log_inode_parent+0x1f5/0x659 [btrfs]
  [61666.786253]  btrfs_log_inode_parent+0x223/0x659 [btrfs]
  [61666.786253]  ? arch_local_irq_save+0x9/0xc
  [61666.786253]  ? lockref_get_not_zero+0x2c/0x34
  [61666.786253]  ? rcu_read_unlock+0x3e/0x5d
  [61666.786253]  btrfs_log_dentry_safe+0x60/0x7b [btrfs]
  [61666.786253]  btrfs_sync_file+0x317/0x42c [btrfs]
  [61666.786253]  vfs_fsync_range+0x8c/0x9e
  [61666.786253]  SyS_msync+0x13c/0x1c9
  [61666.786253]  entry_SYSCALL_64_fastpath+0x18/0xad

A sample of a corrupt log tree leaf with overlapping extents I got from
running btrfs/072:

      item 14 key (295 108 200704) itemoff 2599 itemsize 53
              extent data disk bytenr 0 nr 0
              extent data offset 0 nr 458752 ram 458752
      item 15 key (295 108 659456) itemoff 2546 itemsize 53
              extent data disk bytenr 4343541760 nr 770048
              extent data offset 606208 nr 163840 ram 770048
      item 16 key (295 108 663552) itemoff 2493 itemsize 53
              extent data disk bytenr 4343541760 nr 770048
              extent data offset 610304 nr 155648 ram 770048
      item 17 key (295 108 819200) itemoff 2440 itemsize 53
              extent data disk bytenr 4334788608 nr 4096
              extent data offset 0 nr 4096 ram 4096

The file extent item at offset 659456 (item 15) ends at offset 823296
(659456 + 163840) while the next file extent item (item 16) starts at
offset 663552.

Another different problem that the race can trigger is a failure in the
assertions at tree-log.c:copy_items(), which expect that the first file
extent item key we found before releasing the path exists after we have
released path and that the last key we found before releasing the path
also exists after releasing the path:

  $ cat -n fs/btrfs/tree-log.c
  4080          if (need_find_last_extent) {
  4081                  /* btrfs_prev_leaf could return 1 without releasing the path */
  4082                  btrfs_release_path(src_path);
  4083                  ret = btrfs_search_slot(NULL, inode->root, &first_key,
  4084                                  src_path, 0, 0);
  4085                  if (ret < 0)
  4086                          return ret;
  4087                  ASSERT(ret == 0);
  (...)
  4103                  if (i >= btrfs_header_nritems(src_path->nodes[0])) {
  4104                          ret = btrfs_next_leaf(inode->root, src_path);
  4105                          if (ret < 0)
  4106                                  return ret;
  4107                          ASSERT(ret == 0);
  4108                          src = src_path->nodes[0];
  4109                          i = 0;
  4110                          need_find_last_extent = true;
  4111                  }
  (...)

The second assertion implicitly expects that the last key before the path
release still exists, because the surrounding while loop only stops after
we have found that key. When this assertion fails it produces a stack like
this:

  [139590.037075] assertion failed: ret == 0, file: fs/btrfs/tree-log.c, line: 4107
  [139590.037406] ------------[ cut here ]------------
  [139590.037707] kernel BUG at fs/btrfs/ctree.h:3546!
  [139590.038034] invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC PTI
  [139590.038340] CPU: 1 PID: 31841 Comm: fsstress Tainted: G        W         5.0.0-btrfs-next-46 #1
  (...)
  [139590.039354] RIP: 0010:assfail.constprop.24+0x18/0x1a [btrfs]
  (...)
  [139590.040397] RSP: 0018:ffffa27f48f2b9b0 EFLAGS: 00010282
  [139590.040730] RAX: 0000000000000041 RBX: ffff897c635d92c8 RCX: 0000000000000000
  [139590.041105] RDX: 0000000000000000 RSI: ffff897d36a96868 RDI: ffff897d36a96868
  [139590.041470] RBP: ffff897d1b9a0708 R08: 0000000000000000 R09: 0000000000000000
  [139590.041815] R10: 0000000000000008 R11: 0000000000000000 R12: 0000000000000013
  [139590.042159] R13: 0000000000000227 R14: ffff897cffcbba88 R15: 0000000000000001
  [139590.042501] FS:  00007f2efc8dee80(0000) GS:ffff897d36a80000(0000) knlGS:0000000000000000
  [139590.042847] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  [139590.043199] CR2: 00007f8c064935e0 CR3: 0000000232252002 CR4: 00000000003606e0
  [139590.043547] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
  [139590.043899] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
  [139590.044250] Call Trace:
  [139590.044631]  copy_items+0xa3f/0x1000 [btrfs]
  [139590.045009]  ? generic_bin_search.constprop.32+0x61/0x200 [btrfs]
  [139590.045396]  btrfs_log_inode+0x7b3/0xd70 [btrfs]
  [139590.045773]  btrfs_log_inode_parent+0x2b3/0xce0 [btrfs]
  [139590.046143]  ? do_raw_spin_unlock+0x49/0xc0
  [139590.046510]  btrfs_log_dentry_safe+0x4a/0x70 [btrfs]
  [139590.046872]  btrfs_sync_file+0x3b6/0x440 [btrfs]
  [139590.047243]  btrfs_file_write_iter+0x45b/0x5c0 [btrfs]
  [139590.047592]  __vfs_write+0x129/0x1c0
  [139590.047932]  vfs_write+0xc2/0x1b0
  [139590.048270]  ksys_write+0x55/0xc0
  [139590.048608]  do_syscall_64+0x60/0x1b0
  [139590.048946]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
  [139590.049287] RIP: 0033:0x7f2efc4be190
  (...)
  [139590.050342] RSP: 002b:00007ffe743243a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
  [139590.050701] RAX: ffffffffffffffda RBX: 0000000000008d58 RCX: 00007f2efc4be190
  [139590.051067] RDX: 0000000000008d58 RSI: 00005567eca0f370 RDI: 0000000000000003
  [139590.051459] RBP: 0000000000000024 R08: 0000000000000003 R09: 0000000000008d60
  [139590.051863] R10: 0000000000000078 R11: 0000000000000246 R12: 0000000000000003
  [139590.052252] R13: 00000000003d3507 R14: 00005567eca0f370 R15: 0000000000000000
  (...)
  [139590.055128] ---[ end trace 193f35d0215cdeeb ]---

So fix this race between a full ranged fsync and writeback of adjacent
ranges by flushing all delalloc and waiting for all ordered extents to
complete before logging the inode. This is the simplest way to solve the
problem because currently the full fsync path does not deal with ranges
at all (it assumes a full range from 0 to LLONG_MAX) and it always needs
to look at adjacent ranges for hole detection. For use cases of ranged
fsyncs this can make a few fsyncs slower, but on the other hand it can
make some following fsyncs to other ranges do less work or not need to do
anything at all. A full fsync is rare anyway and happens only once after
loading/creating an inode and once after less common operations such as a
shrinking truncate.

This is an issue that has existed for a long time, and was often triggered
by generic/127, because it does mmap'ed writes and msync (which triggers a
ranged fsync). Adding support for the tree checker to detect overlapping
extents (next patch in the series) and trigger a WARN() when such cases
are found, and then calling btrfs_check_leaf_full() at the end of
btrfs_insert_file_extent() made the issue much easier to detect. Running
btrfs/072 with that change to the tree checker and making fsstress open
files always with O_SYNC made it much easier to trigger the issue (as
triggering it with generic/127 is very rare).

CC: stable@vger.kernel.org # 3.16+
Reviewed-by: Josef Bacik <josef@toxicpanda.com>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/btrfs/file.c |   12 ++++++++++++
 1 file changed, 12 insertions(+)

--- a/fs/btrfs/file.c
+++ b/fs/btrfs/file.c
@@ -1901,6 +1901,18 @@ int btrfs_sync_file(struct file *file, l
 	u64 len;
 
 	/*
+	 * If the inode needs a full sync, make sure we use a full range to
+	 * avoid log tree corruption, due to hole detection racing with ordered
+	 * extent completion for adjacent ranges, and assertion failures during
+	 * hole detection.
+	 */
+	if (test_bit(BTRFS_INODE_NEEDS_FULL_SYNC,
+		     &BTRFS_I(inode)->runtime_flags)) {
+		start = 0;
+		end = LLONG_MAX;
+	}
+
+	/*
 	 * The range length can be represented by u64, we have to do the typecasts
 	 * to avoid signed overflow if it's [0, LLONG_MAX] eg. from fsync()
 	 */
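Review bot: the BTRFS_INODE_NEEDS_FULL_SYNC bit is tested once here, before anything visible in this hunk takes a lock; if another path can set the bit after this test but before the inode is logged, this call still proceeds with the caller's narrower [start, end). Either confirm in the comment that a later set is covered by the existing full-sync logging, or re-test the bit once the inode lock is held. The comment would also benefit from one sentence on the trade-off the commit message spells out (every full ranged fsync now flushes and waits on the whole file), since that is what a future reader of `start = 0; end = LLONG_MAX;` will ask about first.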




* [PATCH 4.4 083/241] btrfs: sysfs: dont leak memory when failing add fsid
From: Greg Kroah-Hartman @ 2019-06-09 16:40 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Tobin C. Harding, David Sterba

From: Tobin C. Harding <tobin@kernel.org>

commit e32773357d5cc271b1d23550b3ed026eb5c2a468 upstream.

A failed call to kobject_init_and_add() must be followed by a call to
kobject_put().  Currently in the error path when adding fs_devices we
are missing this call.  This could be fixed by calling
btrfs_sysfs_remove_fsid() if btrfs_sysfs_add_fsid() returns an error or
by adding a call to kobject_put() directly in btrfs_sysfs_add_fsid().
Here we choose the second option because it prevents the slightly
unusual error path handling requirements of kobject from leaking out
into btrfs functions.

Add a call to kobject_put() in the error path of kobject_add_and_init().
This causes the release method to be called if kobject_init_and_add()
fails.  open_tree() is the function that calls btrfs_sysfs_add_fsid()
and the error code in this function is already written with the
assumption that the release method is called during the error path of
open_tree() (as seen by the call to btrfs_sysfs_remove_fsid() under the
fail_fsdev_sysfs label).

Cc: stable@vger.kernel.org # v4.4+
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tobin C. Harding <tobin@kernel.org>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/btrfs/sysfs.c |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/fs/btrfs/sysfs.c
+++ b/fs/btrfs/sysfs.c
@@ -733,7 +733,12 @@ int btrfs_sysfs_add_fsid(struct btrfs_fs
 	fs_devs->fsid_kobj.kset = btrfs_kset;
 	error = kobject_init_and_add(&fs_devs->fsid_kobj,
 				&btrfs_ktype, parent, "%pU", fs_devs->fsid);
-	return error;
+	if (error) {
+		kobject_put(&fs_devs->fsid_kobj);
+		return error;
+	}
+
+	return 0;
 }
 
 int btrfs_sysfs_add_mounted(struct btrfs_fs_info *fs_info)
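Review bot: a short comment above the `kobject_put()` would help, because the reason it is required is not obvious from the code: `kobject_init_and_add()` has already initialised the kobject's reference count, so even on failure that reference must be dropped through `kobject_put()` for the ktype's release method to run, and callers must then not call `btrfs_sysfs_remove_fsid()` on the same error path. The commit message explains both points (and that open_tree() already behaves this way); the function itself does not. The new `return 0;` is equivalent to the old `return error;` at that point, so the explicit zero is fine and reads more clearly.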




* [PATCH 4.4 084/241] fbdev: fix divide error in fb_var_to_videomode
From: Greg Kroah-Hartman @ 2019-06-09 16:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Shile Zhang, Fredrik Noring,
	Daniel Vetter, Mukesh Ojha, Bartlomiej Zolnierkiewicz

From: Shile Zhang <shile.zhang@linux.alibaba.com>

commit cf84807f6dd0be5214378e66460cfc9187f532f9 upstream.

To fix the following divide-by-zero error found by Syzkaller:

  divide error: 0000 [#1] SMP PTI
  CPU: 7 PID: 8447 Comm: test Kdump: loaded Not tainted 4.19.24-8.al7.x86_64 #1
  Hardware name: Alibaba Cloud Alibaba Cloud ECS, BIOS rel-1.12.0-0-ga698c8995f-prebuilt.qemu.org 04/01/2014
  RIP: 0010:fb_var_to_videomode+0xae/0xc0
  Code: 04 44 03 46 78 03 4e 7c 44 03 46 68 03 4e 70 89 ce d1 ee 69 c0 e8 03 00 00 f6 c2 01 0f 45 ce 83 e2 02 8d 34 09 0f 45 ce 31 d2 <41> f7 f0 31 d2 f7 f1 89 47 08 f3 c3 66 0f 1f 44 00 00 0f 1f 44 00
  RSP: 0018:ffffb7e189347bf0 EFLAGS: 00010246
  RAX: 00000000e1692410 RBX: ffffb7e189347d60 RCX: 0000000000000000
  RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffb7e189347c10
  RBP: ffff99972a091c00 R08: 0000000000000000 R09: 0000000000000000
  R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000100
  R13: 0000000000010000 R14: 00007ffd66baf6d0 R15: 0000000000000000
  FS:  00007f2054d11740(0000) GS:ffff99972fbc0000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 00007f205481fd20 CR3: 00000004288a0001 CR4: 00000000001606a0
  Call Trace:
   fb_set_var+0x257/0x390
   ? lookup_fast+0xbb/0x2b0
   ? fb_open+0xc0/0x140
   ? chrdev_open+0xa6/0x1a0
   do_fb_ioctl+0x445/0x5a0
   do_vfs_ioctl+0x92/0x5f0
   ? __alloc_fd+0x3d/0x160
   ksys_ioctl+0x60/0x90
   __x64_sys_ioctl+0x16/0x20
   do_syscall_64+0x5b/0x190
   entry_SYSCALL_64_after_hwframe+0x44/0xa9
  RIP: 0033:0x7f20548258d7
  Code: 44 00 00 48 8b 05 b9 15 2d 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 89 15 2d 00 f7 d8 64 89 01 48

It can be triggered easily with the following test code:

  #include <linux/fb.h>
  #include <fcntl.h>
  #include <sys/ioctl.h>
  int main(void)
  {
          struct fb_var_screeninfo var = {.activate = 0x100, .pixclock = 60};
          int fd = open("/dev/fb0", O_RDWR);
          if (fd < 0)
                  return 1;

          if (ioctl(fd, FBIOPUT_VSCREENINFO, &var))
                  return 1;

          return 0;
  }

Signed-off-by: Shile Zhang <shile.zhang@linux.alibaba.com>
Cc: Fredrik Noring <noring@nocrew.org>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
Reviewed-by: Mukesh Ojha <mojha@codeaurora.org>
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/video/fbdev/core/modedb.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/video/fbdev/core/modedb.c
+++ b/drivers/video/fbdev/core/modedb.c
@@ -933,6 +933,9 @@ void fb_var_to_videomode(struct fb_video
 	if (var->vmode & FB_VMODE_DOUBLE)
 		vtotal *= 2;
 
+	if (!htotal || !vtotal)
+		return;
+
 	hfreq = pixclock/htotal;
 	mode->refresh = hfreq/vtotal;
 }
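Review bot: the early return leaves `mode->refresh` untouched when `htotal` or `vtotal` is zero, so the caller sees whatever the struct held before (nothing in this hunk shows `mode` being zeroed earlier in fb_var_to_videomode()). Setting `mode->refresh = 0;` before the `return` would make the "no valid timing" case explicit and keep callers from reading a stale value. The guard itself is the right place for the fix: both `hfreq = pixclock/htotal` and `hfreq/vtotal` divide by values derived from user-controlled fb_var_screeninfo fields, as the reproducer in the commit message shows.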




* [PATCH 4.4 085/241] hugetlb: use same fault hash key for shared and private mappings
From: Greg Kroah-Hartman @ 2019-06-09 16:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mike Kravetz, Naoya Horiguchi,
	Davidlohr Bueso, Joonsoo Kim, Kirill A . Shutemov, Michal Hocko,
	Andrew Morton, Linus Torvalds

From: Mike Kravetz <mike.kravetz@oracle.com>

commit 1b426bac66e6cc83c9f2d92b96e4e72acf43419a upstream.

hugetlb uses a fault mutex hash table to prevent page faults of the
same pages concurrently.  The key for shared and private mappings is
different.  Shared keys off address_space and file index.  Private keys
off mm and virtual address.  Consider a private mapping of a populated
hugetlbfs file.  A fault will map the page from the file and if needed
do a COW to map a writable page.

Hugetlbfs hole punch uses the fault mutex to prevent mappings of file
pages.  It uses the address_space file index key.  However, private
mappings will use a different key and could race with this code to map
the file page.  This causes problems (BUG) for the page cache remove
code as it expects the page to be unmapped.  A sample stack is:

page dumped because: VM_BUG_ON_PAGE(page_mapped(page))
kernel BUG at mm/filemap.c:169!
...
RIP: 0010:unaccount_page_cache_page+0x1b8/0x200
...
Call Trace:
__delete_from_page_cache+0x39/0x220
delete_from_page_cache+0x45/0x70
remove_inode_hugepages+0x13c/0x380
? __add_to_page_cache_locked+0x162/0x380
hugetlbfs_fallocate+0x403/0x540
? _cond_resched+0x15/0x30
? __inode_security_revalidate+0x5d/0x70
? selinux_file_permission+0x100/0x130
vfs_fallocate+0x13f/0x270
ksys_fallocate+0x3c/0x80
__x64_sys_fallocate+0x1a/0x20
do_syscall_64+0x5b/0x180
entry_SYSCALL_64_after_hwframe+0x44/0xa9

There seems to be another potential COW issue/race with this approach
of different private and shared keys as noted in commit 8382d914ebf7
("mm, hugetlb: improve page-fault scalability").

Since every hugetlb mapping (even anon and private) is actually a file
mapping, just use the address_space index key for all mappings.  This
results in potentially more hash collisions.  However, this should not
be the common case.

Link: http://lkml.kernel.org/r/20190328234704.27083-3-mike.kravetz@oracle.com
Link: http://lkml.kernel.org/r/20190412165235.t4sscoujczfhuiyt@linux-r8p5
Fixes: b5cec28d36f5 ("hugetlbfs: truncate_hugepages() takes a range of pages")
Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com>
Reviewed-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Reviewed-by: Davidlohr Bueso <dbueso@suse.de>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: "Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>


---
 fs/hugetlbfs/inode.c    |    8 ++------
 include/linux/hugetlb.h |    4 +---
 mm/hugetlb.c            |   19 +++++--------------
 3 files changed, 8 insertions(+), 23 deletions(-)

--- a/fs/hugetlbfs/inode.c
+++ b/fs/hugetlbfs/inode.c
@@ -414,9 +414,7 @@ static void remove_inode_hugepages(struc
 			if (next >= end)
 				break;
 
-			hash = hugetlb_fault_mutex_hash(h, current->mm,
-							&pseudo_vma,
-							mapping, next, 0);
+			hash = hugetlb_fault_mutex_hash(h, mapping, next, 0);
 			mutex_lock(&hugetlb_fault_mutex_table[hash]);
 
 			lock_page(page);
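Review bot: `&pseudo_vma` is no longer passed to `hugetlb_fault_mutex_hash()` here, but unlike the hugetlbfs_fallocate() hunk below, which drops the now-unused `mm` local, nothing in this hunk removes `pseudo_vma` from remove_inode_hugepages() or shows it still being used; if it is still needed elsewhere in that function that is fine, otherwise it should go in the same change to avoid an unused-variable warning.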
@@ -569,7 +567,6 @@ static long hugetlbfs_fallocate(struct f
 	struct address_space *mapping = inode->i_mapping;
 	struct hstate *h = hstate_inode(inode);
 	struct vm_area_struct pseudo_vma;
-	struct mm_struct *mm = current->mm;
 	loff_t hpage_size = huge_page_size(h);
 	unsigned long hpage_shift = huge_page_shift(h);
 	pgoff_t start, index, end;
@@ -633,8 +630,7 @@ static long hugetlbfs_fallocate(struct f
 		addr = index * hpage_size;
 
 		/* mutex taken here, fault path and hole punch */
-		hash = hugetlb_fault_mutex_hash(h, mm, &pseudo_vma, mapping,
-						index, addr);
+		hash = hugetlb_fault_mutex_hash(h, mapping, index, addr);
 		mutex_lock(&hugetlb_fault_mutex_table[hash]);
 
 		/* See if already present in mapping to avoid alloc/free */
--- a/include/linux/hugetlb.h
+++ b/include/linux/hugetlb.h
@@ -91,9 +91,7 @@ void putback_active_hugepage(struct page
 void free_huge_page(struct page *page);
 void hugetlb_fix_reserve_counts(struct inode *inode, bool restore_reserve);
 extern struct mutex *hugetlb_fault_mutex_table;
-u32 hugetlb_fault_mutex_hash(struct hstate *h, struct mm_struct *mm,
-				struct vm_area_struct *vma,
-				struct address_space *mapping,
+u32 hugetlb_fault_mutex_hash(struct hstate *h, struct address_space *mapping,
 				pgoff_t idx, unsigned long address);
 
 #ifdef CONFIG_ARCH_WANT_HUGE_PMD_SHARE
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -3703,21 +3703,14 @@ backout_unlocked:
 }
 
 #ifdef CONFIG_SMP
-u32 hugetlb_fault_mutex_hash(struct hstate *h, struct mm_struct *mm,
-			    struct vm_area_struct *vma,
-			    struct address_space *mapping,
+u32 hugetlb_fault_mutex_hash(struct hstate *h, struct address_space *mapping,
 			    pgoff_t idx, unsigned long address)
 {
 	unsigned long key[2];
 	u32 hash;
 
-	if (vma->vm_flags & VM_SHARED) {
-		key[0] = (unsigned long) mapping;
-		key[1] = idx;
-	} else {
-		key[0] = (unsigned long) mm;
-		key[1] = address >> huge_page_shift(h);
-	}
+	key[0] = (unsigned long) mapping;
+	key[1] = idx;
 
 	hash = jhash2((u32 *)&key, sizeof(key)/sizeof(u32), 0);
 
@@ -3728,9 +3721,7 @@ u32 hugetlb_fault_mutex_hash(struct hsta
  * For uniprocesor systems we always use a single mutex, so just
  * return 0 and avoid the hashing overhead.
  */
-u32 hugetlb_fault_mutex_hash(struct hstate *h, struct mm_struct *mm,
-			    struct vm_area_struct *vma,
-			    struct address_space *mapping,
+u32 hugetlb_fault_mutex_hash(struct hstate *h, struct address_space *mapping,
 			    pgoff_t idx, unsigned long address)
 {
 	return 0;
@@ -3776,7 +3767,7 @@ int hugetlb_fault(struct mm_struct *mm,
 	 * get spurious allocation failures if two CPUs race to instantiate
 	 * the same page in the page cache.
 	 */
-	hash = hugetlb_fault_mutex_hash(h, mm, vma, mapping, idx, address);
+	hash = hugetlb_fault_mutex_hash(h, mapping, idx, address);
 	mutex_lock(&hugetlb_fault_mutex_table[hash]);
 
 	entry = huge_ptep_get(ptep);




* [PATCH 4.4 086/241] fbdev: fix WARNING in __alloc_pages_nodemask bug
From: Greg Kroah-Hartman @ 2019-06-09 16:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jiufei Xue, Bartlomiej Zolnierkiewicz

From: Jiufei Xue <jiufei.xue@linux.alibaba.com>

commit 8c40292be9169a9cbe19aadd1a6fc60cbd1af82f upstream.

Syzkaller hit the 'WARNING in __alloc_pages_nodemask' bug.

WARNING: CPU: 1 PID: 1473 at mm/page_alloc.c:4377
__alloc_pages_nodemask+0x4da/0x2130
Kernel panic - not syncing: panic_on_warn set ...

Call Trace:
 alloc_pages_current+0xb1/0x1e0
 kmalloc_order+0x1f/0x60
 kmalloc_order_trace+0x1d/0x120
 fb_alloc_cmap_gfp+0x85/0x2b0
 fb_set_user_cmap+0xff/0x370
 do_fb_ioctl+0x949/0xa20
 fb_ioctl+0xdd/0x120
 do_vfs_ioctl+0x186/0x1070
 ksys_ioctl+0x89/0xa0
 __x64_sys_ioctl+0x74/0xb0
 do_syscall_64+0xc8/0x550
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

This is a warning about order >= MAX_ORDER and the order is from
userspace ioctl. Add flag __NOWARN to silence this warning.

Signed-off-by: Jiufei Xue <jiufei.xue@linux.alibaba.com>
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/video/fbdev/core/fbcmap.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/video/fbdev/core/fbcmap.c
+++ b/drivers/video/fbdev/core/fbcmap.c
@@ -94,6 +94,8 @@ int fb_alloc_cmap_gfp(struct fb_cmap *cm
 	int size = len * sizeof(u16);
 	int ret = -ENOMEM;
 
+	flags |= __GFP_NOWARN;
+
 	if (cmap->len != len) {
 		fb_dealloc_cmap(cmap);
 		if (!len)
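Review bot: `flags |= __GFP_NOWARN;` only silences the warning; the allocation still issues an order >= MAX_ORDER request driven by the user-supplied `len`, and `int size = len * sizeof(u16);` on the context line above is computed before any upper bound on `len` is visible in this hunk. Rejecting `len` above a sane maximum with -EINVAL before the allocation would fail fast without involving the page allocator at all; if the bound is enforced by the caller (fb_set_user_cmap() in the trace), a comment here saying so would make that clear. Note also that `size` is an `int` holding a `size_t` product, so very large `len` values wrap silently.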




* [PATCH 4.4 087/241] media: cpia2: Fix use-after-free in cpia2_exit
From: Greg Kroah-Hartman @ 2019-06-09 16:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hulk Robot, YueHaibing, Hans Verkuil,
	Mauro Carvalho Chehab

From: YueHaibing <yuehaibing@huawei.com>

commit dea37a97265588da604c6ba80160a287b72c7bfd upstream.

Syzkaller reports this:

BUG: KASAN: use-after-free in sysfs_remove_file_ns+0x5f/0x70 fs/sysfs/file.c:468
Read of size 8 at addr ffff8881f59a6b70 by task syz-executor.0/8363

CPU: 0 PID: 8363 Comm: syz-executor.0 Not tainted 5.0.0-rc8+ #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0xfa/0x1ce lib/dump_stack.c:113
 print_address_description+0x65/0x270 mm/kasan/report.c:187
 kasan_report+0x149/0x18d mm/kasan/report.c:317
 sysfs_remove_file_ns+0x5f/0x70 fs/sysfs/file.c:468
 sysfs_remove_file include/linux/sysfs.h:519 [inline]
 driver_remove_file+0x40/0x50 drivers/base/driver.c:122
 usb_remove_newid_files drivers/usb/core/driver.c:212 [inline]
 usb_deregister+0x12a/0x3b0 drivers/usb/core/driver.c:1005
 cpia2_exit+0xa/0x16 [cpia2]
 __do_sys_delete_module kernel/module.c:1018 [inline]
 __se_sys_delete_module kernel/module.c:961 [inline]
 __x64_sys_delete_module+0x3dc/0x5e0 kernel/module.c:961
 do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x462e99
Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f86f3754c58 EFLAGS: 00000246 ORIG_RAX: 00000000000000b0
RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000300
RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f86f37556bc
R13: 00000000004bcca9 R14: 00000000006f6b48 R15: 00000000ffffffff

Allocated by task 8363:
 set_track mm/kasan/common.c:85 [inline]
 __kasan_kmalloc.constprop.3+0xa0/0xd0 mm/kasan/common.c:495
 kmalloc include/linux/slab.h:545 [inline]
 kzalloc include/linux/slab.h:740 [inline]
 bus_add_driver+0xc0/0x610 drivers/base/bus.c:651
 driver_register+0x1bb/0x3f0 drivers/base/driver.c:170
 usb_register_driver+0x267/0x520 drivers/usb/core/driver.c:965
 0xffffffffc1b4817c
 do_one_initcall+0xfa/0x5ca init/main.c:887
 do_init_module+0x204/0x5f6 kernel/module.c:3460
 load_module+0x66b2/0x8570 kernel/module.c:3808
 __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
 do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 8363:
 set_track mm/kasan/common.c:85 [inline]
 __kasan_slab_free+0x130/0x180 mm/kasan/common.c:457
 slab_free_hook mm/slub.c:1430 [inline]
 slab_free_freelist_hook mm/slub.c:1457 [inline]
 slab_free mm/slub.c:3005 [inline]
 kfree+0xe1/0x270 mm/slub.c:3957
 kobject_cleanup lib/kobject.c:662 [inline]
 kobject_release lib/kobject.c:691 [inline]
 kref_put include/linux/kref.h:67 [inline]
 kobject_put+0x146/0x240 lib/kobject.c:708
 bus_remove_driver+0x10e/0x220 drivers/base/bus.c:732
 driver_unregister+0x6c/0xa0 drivers/base/driver.c:197
 usb_register_driver+0x341/0x520 drivers/usb/core/driver.c:980
 0xffffffffc1b4817c
 do_one_initcall+0xfa/0x5ca init/main.c:887
 do_init_module+0x204/0x5f6 kernel/module.c:3460
 load_module+0x66b2/0x8570 kernel/module.c:3808
 __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
 do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8881f59a6b40
 which belongs to the cache kmalloc-256 of size 256
The buggy address is located 48 bytes inside of
 256-byte region [ffff8881f59a6b40, ffff8881f59a6c40)
The buggy address belongs to the page:
page:ffffea0007d66980 count:1 mapcount:0 mapping:ffff8881f6c02e00 index:0x0
flags: 0x2fffc0000000200(slab)
raw: 02fffc0000000200 dead000000000100 dead000000000200 ffff8881f6c02e00
raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881f59a6a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8881f59a6a80: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
>ffff8881f59a6b00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                                             ^
 ffff8881f59a6b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881f59a6c00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc

cpia2_init does not check the return value of cpia2_init; if it failed
in usb_register_driver, there is already cleanup using driver_unregister.
No need to call cpia2_usb_cleanup on module exit.

Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/usb/cpia2/cpia2_v4l.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/drivers/media/usb/cpia2/cpia2_v4l.c
+++ b/drivers/media/usb/cpia2/cpia2_v4l.c
@@ -1248,8 +1248,7 @@ static int __init cpia2_init(void)
 	LOG("%s v%s\n",
 	    ABOUT, CPIA_VERSION);
 	check_parameters();
-	cpia2_usb_init();
-	return 0;
+	return cpia2_usb_init();
 }
 
 
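Review bot: the commit message says cpia2_init "does not check return value of cpia2_init", but the hunk shows it is cpia2_usb_init()'s return value that is now propagated (`+	return cpia2_usb_init();`), so the text should name cpia2_usb_init. With the error propagated, a failed usb_register_driver() now fails module load, so cpia2_exit() and its usb_deregister() of a driver that was already torn down inside usb_register_driver()'s failure path (the "Freed by" stack above) can no longer run. Worth confirming that cpia2_usb_init() releases anything it set up before the failing registration, since the caller no longer calls cpia2_usb_cleanup() on that path.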



^ permalink raw reply	[flat|nested] 250+ messages in thread

* [PATCH 4.4 088/241] media: vivid: use vfree() instead of kfree() for dev->bitmap_cap
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (86 preceding siblings ...)
  2019-06-09 16:40 ` [PATCH 4.4 087/241] media: cpia2: Fix use-after-free in cpia2_exit Greg Kroah-Hartman
@ 2019-06-09 16:40 ` Greg Kroah-Hartman
  2019-06-09 16:40 ` [PATCH 4.4 089/241] ssb: Fix possible NULL pointer dereference in ssb_host_pcmcia_exit Greg Kroah-Hartman
                   ` (157 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alexander Potapenko, Syzbot,
	Hans Verkuil, Mauro Carvalho Chehab

From: Alexander Potapenko <glider@google.com>

commit dad7e270ba712ba1c99cd2d91018af6044447a06 upstream.

syzkaller reported crashes on kfree() called from
vivid_vid_cap_s_selection(). This looks like a simple typo, as
dev->bitmap_cap is allocated with vzalloc() throughout the file.

Fixes: ef834f7836ec0 ("[media] vivid: add the video capture and output parts")

Signed-off-by: Alexander Potapenko <glider@google.com>
Reported-by: Syzbot <syzbot+6c0effb5877f6b0344e2@syzkaller.appspotmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/platform/vivid/vivid-vid-cap.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/media/platform/vivid/vivid-vid-cap.c
+++ b/drivers/media/platform/vivid/vivid-vid-cap.c
@@ -993,7 +993,7 @@ int vivid_vid_cap_s_selection(struct fil
 		rect_map_inside(&s->r, &dev->fmt_cap_rect);
 		if (dev->bitmap_cap && (compose->width != s->r.width ||
 					compose->height != s->r.height)) {
-			kfree(dev->bitmap_cap);
+			vfree(dev->bitmap_cap);
 			dev->bitmap_cap = NULL;
 		}
 		*compose = s->r;
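Review bot: the fix touches only this one kfree() call at `-			kfree(dev->bitmap_cap);`; the commit message states the buffer is allocated with vzalloc() throughout the file, so the other release sites for dev->bitmap_cap in the 4.4 version of this file (not in the hunk) should be confirmed to already use vfree(), otherwise the same kfree()-of-vmalloc-memory crash remains reachable from another path. A one-line note in the message saying those were checked would make the backport self-evidently complete.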



^ permalink raw reply	[flat|nested] 250+ messages in thread

* [PATCH 4.4 089/241] ssb: Fix possible NULL pointer dereference in ssb_host_pcmcia_exit
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (87 preceding siblings ...)
  2019-06-09 16:40 ` [PATCH 4.4 088/241] media: vivid: use vfree() instead of kfree() for dev->bitmap_cap Greg Kroah-Hartman
@ 2019-06-09 16:40 ` Greg Kroah-Hartman
  2019-06-09 16:40 ` [PATCH 4.4 090/241] at76c50x-usb: Dont register led_trigger if usb_register_driver failed Greg Kroah-Hartman
                   ` (156 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hulk Robot, YueHaibing, Kalle Valo

From: YueHaibing <yuehaibing@huawei.com>

commit b2c01aab9646ed8ffb7c549afe55d5349c482425 upstream.

Syzkaller reports this:

kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN PTI
CPU: 0 PID: 4492 Comm: syz-executor.0 Not tainted 5.0.0-rc7+ #45
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
RIP: 0010:sysfs_remove_file_ns+0x27/0x70 fs/sysfs/file.c:468
Code: 00 00 00 41 54 55 48 89 fd 53 49 89 d4 48 89 f3 e8 ee 76 9c ff 48 8d 7d 30 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 75 2d 48 89 da 48 b8 00 00 00 00 00 fc ff df 48 8b 6d
RSP: 0018:ffff8881e9d9fc00 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffffffff900367e0 RCX: ffffffff81a95952
RDX: 0000000000000006 RSI: ffffc90001405000 RDI: 0000000000000030
RBP: 0000000000000000 R08: fffffbfff1fa22ed R09: fffffbfff1fa22ed
R10: 0000000000000001 R11: fffffbfff1fa22ec R12: 0000000000000000
R13: ffffffffc1abdac0 R14: 1ffff1103d3b3f8b R15: 0000000000000000
FS:  00007fe409dc1700(0000) GS:ffff8881f1200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b2d721000 CR3: 00000001e98b6005 CR4: 00000000007606f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
 sysfs_remove_file include/linux/sysfs.h:519 [inline]
 driver_remove_file+0x40/0x50 drivers/base/driver.c:122
 pcmcia_remove_newid_file drivers/pcmcia/ds.c:163 [inline]
 pcmcia_unregister_driver+0x7d/0x2b0 drivers/pcmcia/ds.c:209
 ssb_modexit+0xa/0x1b [ssb]
 __do_sys_delete_module kernel/module.c:1018 [inline]
 __se_sys_delete_module kernel/module.c:961 [inline]
 __x64_sys_delete_module+0x3dc/0x5e0 kernel/module.c:961
 do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x462e99
Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fe409dc0c58 EFLAGS: 00000246 ORIG_RAX: 00000000000000b0
RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000200000c0
RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe409dc16bc
R13: 00000000004bccaa R14: 00000000006f6bc8 R15: 00000000ffffffff
Modules linked in: ssb(-) 3c59x nvme_core macvlan tap pata_hpt3x3 rt2x00pci null_blk tsc40 pm_notifier_error_inject notifier_error_inject mdio cdc_wdm nf_reject_ipv4 ath9k_common ath9k_hw ath pppox ppp_generic slhc ehci_platform wl12xx wlcore tps6507x_ts ioc4 nf_synproxy_core ide_gd_mod ax25 can_dev iwlwifi can_raw atm tm2_touchkey can_gw can sundance adp5588_keys rt2800mmio rt2800lib rt2x00mmio rt2x00lib eeprom_93cx6 pn533 lru_cache elants_i2c ip_set nfnetlink gameport tipc hampshire nhc_ipv6 nhc_hop nhc_udp nhc_fragment nhc_routing nhc_mobility nhc_dest 6lowpan silead brcmutil nfc mt76_usb mt76 mac80211 iptable_security iptable_raw iptable_mangle iptable_nat nf_nat_ipv4 nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_filter bpfilter ip6_vti ip_gre sit hsr veth vxcan batman_adv cfg80211 rfkill chnl_net caif nlmon vcan bridge stp llc ip6_gre ip6_tunnel tunnel6 tun joydev mousedev serio_raw ide_pci_generic piix floppy ide_core sch_fq_codel ip_tables x_tables ipv6
 [last unloaded: 3c59x]
Dumping ftrace buffer:
   (ftrace buffer empty)
---[ end trace 3913cbf8011e1c05 ]---

In ssb_modinit, it does not fail SSB init when ssb_host_pcmcia_init failed,
however in ssb_modexit, ssb_host_pcmcia_exit calls pcmcia_unregister_driver
unconditionally, which may trigger a NULL pointer dereference issue as above.

Reported-by: Hulk Robot <hulkci@huawei.com>
Fixes: 399500da18f7 ("ssb: pick PCMCIA host code support from b43 driver")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/ssb/bridge_pcmcia_80211.c |    9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

--- a/drivers/ssb/bridge_pcmcia_80211.c
+++ b/drivers/ssb/bridge_pcmcia_80211.c
@@ -113,16 +113,21 @@ static struct pcmcia_driver ssb_host_pcm
 	.resume		= ssb_host_pcmcia_resume,
 };
 
+static int pcmcia_init_failed;
+
 /*
  * These are not module init/exit functions!
  * The module_pcmcia_driver() helper cannot be used here.
  */
 int ssb_host_pcmcia_init(void)
 {
-	return pcmcia_register_driver(&ssb_host_pcmcia_driver);
+	pcmcia_init_failed = pcmcia_register_driver(&ssb_host_pcmcia_driver);
+
+	return pcmcia_init_failed;
 }
 
 void ssb_host_pcmcia_exit(void)
 {
-	pcmcia_unregister_driver(&ssb_host_pcmcia_driver);
+	if (!pcmcia_init_failed)
+		pcmcia_unregister_driver(&ssb_host_pcmcia_driver);
 }
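Review bot: pcmcia_init_failed stores the raw return value of pcmcia_register_driver() (0 or a negative errno), so the name reads as a boolean while the variable holds an error code; a `bool` assigned from the result, or a name like pcmcia_init_ret, would make `if (!pcmcia_init_failed)` in ssb_host_pcmcia_exit() read naturally. The guard itself is right for the init-then-exit sequence shown in the trace: when registration failed, pcmcia_unregister_driver() on a driver that was never registered (the NULL dereference in driver_remove_file above) is now skipped.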



^ permalink raw reply	[flat|nested] 250+ messages in thread

* [PATCH 4.4 090/241] at76c50x-usb: Dont register led_trigger if usb_register_driver failed
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (88 preceding siblings ...)
  2019-06-09 16:40 ` [PATCH 4.4 089/241] ssb: Fix possible NULL pointer dereference in ssb_host_pcmcia_exit Greg Kroah-Hartman
@ 2019-06-09 16:40 ` Greg Kroah-Hartman
  2019-06-09 16:40 ` [PATCH 4.4 091/241] perf tools: No need to include bitops.h in util.h Greg Kroah-Hartman
                   ` (155 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hulk Robot, YueHaibing, Kalle Valo

From: YueHaibing <yuehaibing@huawei.com>

commit 09ac2694b0475f96be895848687ebcbba97eeecf upstream.

Syzkaller reports this:

[ 1213.468581] BUG: unable to handle kernel paging request at fffffbfff83bf338
[ 1213.469530] #PF error: [normal kernel read fault]
[ 1213.469530] PGD 237fe4067 P4D 237fe4067 PUD 237e60067 PMD 1c868b067 PTE 0
[ 1213.473514] Oops: 0000 [#1] SMP KASAN PTI
[ 1213.473514] CPU: 0 PID: 6321 Comm: syz-executor.0 Tainted: G         C        5.1.0-rc3+ #8
[ 1213.473514] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
[ 1213.473514] RIP: 0010:strcmp+0x31/0xa0
[ 1213.473514] Code: 00 00 00 00 fc ff df 55 53 48 83 ec 08 eb 0a 84 db 48 89 ef 74 5a 4c 89 e6 48 89 f8 48 89 fa 48 8d 6f 01 48 c1 e8 03 83 e2 07 <42> 0f b6 04 28 38 d0 7f 04 84 c0 75 50 48 89 f0 48 89 f2 0f b6 5d
[ 1213.473514] RSP: 0018:ffff8881f2b7f950 EFLAGS: 00010246
[ 1213.473514] RAX: 1ffffffff83bf338 RBX: ffff8881ea6f7240 RCX: ffffffff825350c6
[ 1213.473514] RDX: 0000000000000000 RSI: ffffffffc1ee19c0 RDI: ffffffffc1df99c0
[ 1213.473514] RBP: ffffffffc1df99c1 R08: 0000000000000001 R09: 0000000000000004
[ 1213.473514] R10: 0000000000000000 R11: ffff8881de353f00 R12: ffff8881ee727900
[ 1213.473514] R13: dffffc0000000000 R14: 0000000000000001 R15: ffffffffc1eeaaf0
[ 1213.473514] FS:  00007fa66fa01700(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000
[ 1213.473514] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1213.473514] CR2: fffffbfff83bf338 CR3: 00000001ebb9e005 CR4: 00000000007606f0
[ 1213.473514] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 1213.473514] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 1213.473514] PKRU: 55555554
[ 1213.473514] Call Trace:
[ 1213.473514]  led_trigger_register+0x112/0x3f0
[ 1213.473514]  led_trigger_register_simple+0x7a/0x110
[ 1213.473514]  ? 0xffffffffc1c10000
[ 1213.473514]  at76_mod_init+0x77/0x1000 [at76c50x_usb]
[ 1213.473514]  do_one_initcall+0xbc/0x47d
[ 1213.473514]  ? perf_trace_initcall_level+0x3a0/0x3a0
[ 1213.473514]  ? kasan_unpoison_shadow+0x30/0x40
[ 1213.473514]  ? kasan_unpoison_shadow+0x30/0x40
[ 1213.473514]  do_init_module+0x1b5/0x547
[ 1213.473514]  load_module+0x6405/0x8c10
[ 1213.473514]  ? module_frob_arch_sections+0x20/0x20
[ 1213.473514]  ? kernel_read_file+0x1e6/0x5d0
[ 1213.473514]  ? find_held_lock+0x32/0x1c0
[ 1213.473514]  ? cap_capable+0x1ae/0x210
[ 1213.473514]  ? __do_sys_finit_module+0x162/0x190
[ 1213.473514]  __do_sys_finit_module+0x162/0x190
[ 1213.473514]  ? __ia32_sys_init_module+0xa0/0xa0
[ 1213.473514]  ? __mutex_unlock_slowpath+0xdc/0x690
[ 1213.473514]  ? wait_for_completion+0x370/0x370
[ 1213.473514]  ? vfs_write+0x204/0x4a0
[ 1213.473514]  ? do_syscall_64+0x18/0x450
[ 1213.473514]  do_syscall_64+0x9f/0x450
[ 1213.473514]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 1213.473514] RIP: 0033:0x462e99
[ 1213.473514] Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
[ 1213.473514] RSP: 002b:00007fa66fa00c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[ 1213.473514] RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
[ 1213.473514] RDX: 0000000000000000 RSI: 0000000020000300 RDI: 0000000000000003
[ 1213.473514] RBP: 00007fa66fa00c70 R08: 0000000000000000 R09: 0000000000000000
[ 1213.473514] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fa66fa016bc
[ 1213.473514] R13: 00000000004bcefa R14: 00000000006f6fb0 R15: 0000000000000004

If usb_register failed, no need to call led_trigger_register_simple.

Reported-by: Hulk Robot <hulkci@huawei.com>
Fixes: 1264b951463a ("at76c50x-usb: add driver")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/wireless/at76c50x-usb.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/net/wireless/at76c50x-usb.c
+++ b/drivers/net/wireless/at76c50x-usb.c
@@ -2582,8 +2582,8 @@ static int __init at76_mod_init(void)
 	if (result < 0)
 		printk(KERN_ERR DRIVER_NAME
 		       ": usb_register failed (status %d)\n", result);
-
-	led_trigger_register_simple("at76_usb-tx", &ledtrig_tx);
+	else
+		led_trigger_register_simple("at76_usb-tx", &ledtrig_tx);
 	return result;
 }
 
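Review bot: the new `else` at `+	else` pairs with `if (result < 0)` across the multi-line printk, which is correct C but easy to misread; an early `return result;` after the printk would keep the success path linear and make it explicit that the trigger is registered only after usb_register() succeeded. That is exactly what the trace needs: before this change a failed init left the "at76_usb-tx" trigger registered by a module that was then unloaded, so a later led_trigger_register() compared trigger names inside memory the module no longer owned (strcmp at RIP, with the faulting address lying in the KASAN shadow region, R13 = dffffc0000000000).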



^ permalink raw reply	[flat|nested] 250+ messages in thread

* [PATCH 4.4 091/241] perf tools: No need to include bitops.h in util.h
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (89 preceding siblings ...)
  2019-06-09 16:40 ` [PATCH 4.4 090/241] at76c50x-usb: Dont register led_trigger if usb_register_driver failed Greg Kroah-Hartman
@ 2019-06-09 16:40 ` Greg Kroah-Hartman
  2019-06-09 16:40 ` [PATCH 4.4 092/241] tools include: Adopt linux/bits.h Greg Kroah-Hartman
                   ` (154 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Adrian Hunter, David Ahern,
	Jiri Olsa, Namhyung Kim, Wang Nan, Arnaldo Carvalho de Melo,
	Ben Hutchings

From: Arnaldo Carvalho de Melo <acme@redhat.com>

commit 6dcca6df4b73d409628c7b4464c63d4eb9d4d13a upstream.

When we switched to the kernel's roundup_pow_of_two we forgot to remove
this include from util.h, do it now.

Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: David Ahern <dsahern@gmail.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Wang Nan <wangnan0@huawei.com>
Fixes: 91529834d1de ("perf evlist: Use roundup_pow_of_two")
Link: http://lkml.kernel.org/n/tip-kfye5rxivib6155cltx0bw4h@git.kernel.org
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
[bwh: Backported to 4.4 as dependency of "tools include: Adopt linux/bits.h":
 - Include <linux/compiler.h> in util/string.c to avoid build regression
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 tools/perf/util/string.c |    1 +
 tools/perf/util/util.h   |    1 -
 2 files changed, 1 insertion(+), 1 deletion(-)

--- a/tools/perf/util/string.c
+++ b/tools/perf/util/string.c
@@ -1,4 +1,5 @@
 #include "util.h"
+#include <linux/compiler.h>
 #include "linux/string.h"
 
 #define K 1024LL
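Review bot: the new `+#include <linux/compiler.h>` lands between "util.h" and "linux/string.h" and uses angle brackets while both neighbours use quotes; the backport note says it avoids a build regression once util.h stops including <linux/bitops.h>, so recording which symbol string.c needs from compiler.h (and matching the include style of the surrounding lines) would make the dependency obvious to the next person touching this block.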
--- a/tools/perf/util/util.h
+++ b/tools/perf/util/util.h
@@ -76,7 +76,6 @@
 #include <sys/ttydefaults.h>
 #include <api/fs/tracing_path.h>
 #include <termios.h>
-#include <linux/bitops.h>
 #include <termios.h>
 
 extern const char *graph_line;
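Review bot: the context shows `#include <termios.h>` twice, immediately above and below the removed `-#include <linux/bitops.h>`; since this hunk already touches that block, dropping the duplicate would be a cheap cleanup, or a separate patch if the stable policy is to keep the backport minimal.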



^ permalink raw reply	[flat|nested] 250+ messages in thread

* [PATCH 4.4 092/241] tools include: Adopt linux/bits.h
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (90 preceding siblings ...)
  2019-06-09 16:40 ` [PATCH 4.4 091/241] perf tools: No need to include bitops.h in util.h Greg Kroah-Hartman
@ 2019-06-09 16:40 ` Greg Kroah-Hartman
  2019-06-09 16:40 ` [PATCH 4.4 093/241] gfs2: Fix lru_count going negative Greg Kroah-Hartman
                   ` (153 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Adrian Hunter, Alexander Sverdlin,
	David Ahern, Jiri Olsa, Namhyung Kim, Wang Nan,
	Arnaldo Carvalho de Melo, Ben Hutchings

From: Arnaldo Carvalho de Melo <acme@redhat.com>

commit ba4aa02b417f08a0bee5e7b8ed70cac788a7c854 upstream.

So that we reduce the difference of tools/include/linux/bitops.h to the
original kernel file, include/linux/bitops.h, trying to remove the need
to define BITS_PER_LONG, to avoid clashes with asm/bitsperlong.h.

And the things removed from tools/include/linux/bitops.h are really in
linux/bits.h, so that we can have a copy and then
tools/perf/check_headers.sh will tell us when new stuff gets added to
linux/bits.h so that we can check if it is useful and if any adjustment
needs to be done to the tools/{include,arch}/ copies.

Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Sverdlin <alexander.sverdlin@nokia.com>
Cc: David Ahern <dsahern@gmail.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Wang Nan <wangnan0@huawei.com>
Link: https://lkml.kernel.org/n/tip-y1sqyydvfzo0bjjoj4zsl562@git.kernel.org
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
[bwh: Backported to 4.4 as dependency of "x86/msr-index: Cleanup bit defines":
 - Drop change in check-headers.sh
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 tools/include/linux/bitops.h |    7 ++-----
 tools/include/linux/bits.h   |   26 ++++++++++++++++++++++++++
 2 files changed, 28 insertions(+), 5 deletions(-)
 create mode 100644 tools/include/linux/bits.h

--- a/tools/include/linux/bitops.h
+++ b/tools/include/linux/bitops.h
@@ -3,17 +3,14 @@
 
 #include <asm/types.h>
 #include <linux/kernel.h>
-#include <linux/compiler.h>
-
 #ifndef __WORDSIZE
 #define __WORDSIZE (__SIZEOF_LONG__ * 8)
 #endif
 
 #define BITS_PER_LONG __WORDSIZE
+#include <linux/bits.h>
+#include <linux/compiler.h>
 
-#define BIT_MASK(nr)		(1UL << ((nr) % BITS_PER_LONG))
-#define BIT_WORD(nr)		((nr) / BITS_PER_LONG)
-#define BITS_PER_BYTE		8
 #define BITS_TO_LONGS(nr)	DIV_ROUND_UP(nr, BITS_PER_BYTE * sizeof(long))
 #define BITS_TO_U64(nr)		DIV_ROUND_UP(nr, BITS_PER_BYTE * sizeof(u64))
 #define BITS_TO_U32(nr)		DIV_ROUND_UP(nr, BITS_PER_BYTE * sizeof(u32))
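Review bot: BITS_PER_LONG is still defined here from __WORDSIZE before `+#include <linux/bits.h>`, while bits.h itself includes <asm/bitsperlong.h> and uses BITS_PER_LONG_LONG; the tools copy of asm/bitsperlong.h must define BITS_PER_LONG_LONG (and agree with the __WORDSIZE-derived BITS_PER_LONG) or BIT_ULL_MASK() and GENMASK_ULL() will not expand. The commit message names removing this BITS_PER_LONG definition as the goal, and this hunk does not get there yet, so the clash it mentions is still possible after this patch.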
--- /dev/null
+++ b/tools/include/linux/bits.h
@@ -0,0 +1,26 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+#ifndef __LINUX_BITS_H
+#define __LINUX_BITS_H
+#include <asm/bitsperlong.h>
+
+#define BIT(nr)			(1UL << (nr))
+#define BIT_ULL(nr)		(1ULL << (nr))
+#define BIT_MASK(nr)		(1UL << ((nr) % BITS_PER_LONG))
+#define BIT_WORD(nr)		((nr) / BITS_PER_LONG)
+#define BIT_ULL_MASK(nr)	(1ULL << ((nr) % BITS_PER_LONG_LONG))
+#define BIT_ULL_WORD(nr)	((nr) / BITS_PER_LONG_LONG)
+#define BITS_PER_BYTE		8
+
+/*
+ * Create a contiguous bitmask starting at bit position @l and ending at
+ * position @h. For example
+ * GENMASK_ULL(39, 21) gives us the 64bit vector 0x000000ffffe00000.
+ */
+#define GENMASK(h, l) \
+	(((~0UL) - (1UL << (l)) + 1) & (~0UL >> (BITS_PER_LONG - 1 - (h))))
+
+#define GENMASK_ULL(h, l) \
+	(((~0ULL) - (1ULL << (l)) + 1) & \
+	 (~0ULL >> (BITS_PER_LONG_LONG - 1 - (h))))
+
+#endif	/* __LINUX_BITS_H */
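Review bot: GENMASK() and GENMASK_ULL() carry no guard for l > h or for l equal to the word width: `1UL << (l)` with l == BITS_PER_LONG is undefined behaviour in C, and `BITS_PER_LONG - 1 - (h)` goes negative for an out-of-range h, so callers must pass bounds that are valid at compile time and this tools copy gives no diagnostic when they do not. The worked example in the comment checks out: bits 21 through 39 inclusive are 0x000000ffffe00000.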



^ permalink raw reply	[flat|nested] 250+ messages in thread

* [PATCH 4.4 093/241] gfs2: Fix lru_count going negative
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (91 preceding siblings ...)
  2019-06-09 16:40 ` [PATCH 4.4 092/241] tools include: Adopt linux/bits.h Greg Kroah-Hartman
@ 2019-06-09 16:40 ` Greg Kroah-Hartman
  2019-06-09 16:40 ` [PATCH 4.4 094/241] cxgb4: Fix error path in cxgb4_init_module Greg Kroah-Hartman
                   ` (152 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ross Lagerwall, Andreas Gruenbacher,
	Sasha Levin

[ Upstream commit 7881ef3f33bb80f459ea6020d1e021fc524a6348 ]

Under certain conditions, lru_count may drop below zero resulting in
a large amount of log spam like this:

vmscan: shrink_slab: gfs2_dump_glock+0x3b0/0x630 [gfs2] \
    negative objects to delete nr=-1

This happens as follows:
1) A glock is moved from lru_list to the dispose list and lru_count is
   decremented.
2) The dispose function calls cond_resched() and drops the lru lock.
3) Another thread takes the lru lock and tries to add the same glock to
   lru_list, checking if the glock is on an lru list.
4) It is on a list (actually the dispose list) and so it avoids
   incrementing lru_count.
5) The glock is moved to lru_list.
6) The original thread doesn't dispose it because it has been re-added
   to the lru list but the lru_count has still decreased by one.

Fix by checking if the LRU flag is set on the glock rather than checking
if the glock is on some list and rearrange the code so that the LRU flag
is added/removed precisely when the glock is added/removed from lru_list.

Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/gfs2/glock.c | 22 +++++++++++++---------
 1 file changed, 13 insertions(+), 9 deletions(-)

diff --git a/fs/gfs2/glock.c b/fs/gfs2/glock.c
index 09a0cf5f3dd86..1eb737c466ddc 100644
--- a/fs/gfs2/glock.c
+++ b/fs/gfs2/glock.c
@@ -136,22 +136,26 @@ static int demote_ok(const struct gfs2_glock *gl)
 
 void gfs2_glock_add_to_lru(struct gfs2_glock *gl)
 {
+	if (!(gl->gl_ops->go_flags & GLOF_LRU))
+		return;
+
 	spin_lock(&lru_lock);
 
-	if (!list_empty(&gl->gl_lru))
-		list_del_init(&gl->gl_lru);
-	else
+	list_del(&gl->gl_lru);
+	list_add_tail(&gl->gl_lru, &lru_list);
+
+	if (!test_bit(GLF_LRU, &gl->gl_flags)) {
+		set_bit(GLF_LRU, &gl->gl_flags);
 		atomic_inc(&lru_count);
+	}
 
-	list_add_tail(&gl->gl_lru, &lru_list);
-	set_bit(GLF_LRU, &gl->gl_flags);
 	spin_unlock(&lru_lock);
 }
 
 static void gfs2_glock_remove_from_lru(struct gfs2_glock *gl)
 {
 	spin_lock(&lru_lock);
-	if (!list_empty(&gl->gl_lru)) {
+	if (test_bit(GLF_LRU, &gl->gl_flags)) {
 		list_del_init(&gl->gl_lru);
 		atomic_dec(&lru_count);
 		clear_bit(GLF_LRU, &gl->gl_flags);
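Review bot: the unconditional `+	list_del(&gl->gl_lru);` at the top of gfs2_glock_add_to_lru() assumes gl_lru is always either linked or self-linked; it is re-linked immediately by list_add_tail(), so this function never leaves the node poisoned, but any other path that removes gl_lru with plain list_del() instead of list_del_init() would make this call dereference poisoned pointers. The old code only touched the node under !list_empty(). Keying gfs2_glock_remove_from_lru() on GLF_LRU rather than on list membership is the actual fix for the counter, and is consistent with the scan path clearing the flag when it steals the glock.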
@@ -1040,8 +1044,7 @@ void gfs2_glock_dq(struct gfs2_holder *gh)
 		    !test_bit(GLF_DEMOTE, &gl->gl_flags))
 			fast_path = 1;
 	}
-	if (!test_bit(GLF_LFLUSH, &gl->gl_flags) && demote_ok(gl) &&
-	    (glops->go_flags & GLOF_LRU))
+	if (!test_bit(GLF_LFLUSH, &gl->gl_flags) && demote_ok(gl))
 		gfs2_glock_add_to_lru(gl);
 
 	trace_gfs2_glock_queue(gh, 0);
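Review bot: the GLOF_LRU test moves from this call site into gfs2_glock_add_to_lru() itself, so every other caller of gfs2_glock_add_to_lru() now silently skips glocks whose glops lack GLOF_LRU; that looks intended (GLF_LRU should only ever be set on LRU-eligible glocks), but it is a behaviour change beyond the counter fix and deserves a sentence in the commit message.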
@@ -1341,6 +1344,7 @@ __acquires(&lru_lock)
 		if (!spin_trylock(&gl->gl_lockref.lock)) {
 add_back_to_lru:
 			list_add(&gl->gl_lru, &lru_list);
+			set_bit(GLF_LRU, &gl->gl_flags);
 			atomic_inc(&lru_count);
 			continue;
 		}
@@ -1348,7 +1352,6 @@ __acquires(&lru_lock)
 			spin_unlock(&gl->gl_lockref.lock);
 			goto add_back_to_lru;
 		}
-		clear_bit(GLF_LRU, &gl->gl_flags);
 		gl->gl_lockref.count++;
 		if (demote_ok(gl))
 			handle_callback(gl, LM_ST_UNLOCKED, 0, false);
@@ -1384,6 +1387,7 @@ static long gfs2_scan_glock_lru(int nr)
 		if (!test_bit(GLF_LOCK, &gl->gl_flags)) {
 			list_move(&gl->gl_lru, &dispose);
 			atomic_dec(&lru_count);
+			clear_bit(GLF_LRU, &gl->gl_flags);
 			freed++;
 			continue;
 		}
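Review bot: with `+			clear_bit(GLF_LRU, &gl->gl_flags);` placed next to the atomic_dec() in gfs2_scan_glock_lru(), and the matching set_bit() added beside the atomic_inc() in add_back_to_lru, the flag and lru_count now change together under the same lru_lock hold; that is the invariant the fix rests on (GLF_LRU set if and only if the glock is on lru_list and counted), and it is why the clear_bit() in the dispose path could be dropped. Any future path that moves gl_lru off lru_list without touching the flag would reintroduce the drift, so a comment stating this meaning near the GLF_LRU definition would be worthwhile.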
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 250+ messages in thread
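The five-step interleaving in the commit message above, replayed single-threaded so the counter drift is visible, as an added example that is not gfs2 or kernel code. The list helpers are a minimal stand-in for <linux/list.h>, struct glock keeps only the gl_lru node plus a bool standing in for the GLF_LRU bit, and the lock drop in step 2) is modelled by simply running the two sides in sequence; `replay_race(false)` uses the pre-patch logic, `replay_race(true)` the patched logic.

```c
/*
 * Added example (not gfs2 code): replay of the lru_count race with the
 * old and the patched gfs2_glock_add_to_lru()/scan logic.
 * list_head and its helpers are a simplified stand-in for <linux/list.h>.
 */
#include <stdbool.h>
#include <stdio.h>

struct list_head { struct list_head *next, *prev; };

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h; h->prev = h; }
static bool list_empty(const struct list_head *h) { return h->next == h; }

static void list_add_tail(struct list_head *e, struct list_head *head)
{
	e->prev = head->prev;
	e->next = head;
	head->prev->next = e;
	head->prev = e;
}

static void list_del(struct list_head *e)
{
	e->prev->next = e->next;
	e->next->prev = e->prev;
}

static void list_del_init(struct list_head *e) { list_del(e); INIT_LIST_HEAD(e); }
static void list_move(struct list_head *e, struct list_head *head) { list_del(e); list_add_tail(e, head); }

static int list_len(const struct list_head *head)
{
	int n = 0;
	for (const struct list_head *p = head->next; p != head; p = p->next)
		n++;
	return n;
}

struct glock { struct list_head gl_lru; bool glf_lru; };	/* glf_lru stands in for GLF_LRU */

struct lru {
	struct list_head lru_list;	/* glocks the shrinker may reclaim */
	struct list_head dispose;	/* scanner's private list (step 1) */
	int lru_count;			/* must equal the length of lru_list */
};

/* Old gfs2_glock_add_to_lru(): "on some list" is taken to mean "already counted". */
static void add_to_lru_old(struct lru *l, struct glock *gl)
{
	if (!list_empty(&gl->gl_lru))
		list_del_init(&gl->gl_lru);	/* on the dispose list: no increment (step 4) */
	else
		l->lru_count++;
	list_add_tail(&gl->gl_lru, &l->lru_list);
	gl->glf_lru = true;
}

/* Patched version: only the GLF_LRU flag decides whether to count. */
static void add_to_lru_new(struct lru *l, struct glock *gl)
{
	list_del(&gl->gl_lru);
	list_add_tail(&gl->gl_lru, &l->lru_list);
	if (!gl->glf_lru) {
		gl->glf_lru = true;
		l->lru_count++;
	}
}

/* gfs2_scan_glock_lru() step 1): move the glock to dispose and uncount it. */
static void scan_to_dispose(struct lru *l, struct glock *gl, bool fixed)
{
	list_move(&gl->gl_lru, &l->dispose);
	l->lru_count--;
	if (fixed)
		gl->glf_lru = false;	/* the patch clears GLF_LRU here, not later in dispose */
}

struct replay_result {
	int lru_count;		/* counter after the race */
	int on_lru_list;	/* glocks actually on lru_list */
	int after_next_scan;	/* counter once the shrinker runs again */
};

struct replay_result replay_race(bool fixed)
{
	struct lru l;
	struct glock gl;
	struct replay_result r;

	INIT_LIST_HEAD(&l.lru_list);
	INIT_LIST_HEAD(&l.dispose);
	l.lru_count = 0;
	INIT_LIST_HEAD(&gl.gl_lru);
	gl.glf_lru = false;

	/* The glock sits on the LRU, counted once: lru_count == 1. */
	if (fixed) add_to_lru_new(&l, &gl); else add_to_lru_old(&l, &gl);
	/* 1) scanner moves it to dispose and decrements; 2) drops lru_lock. */
	scan_to_dispose(&l, &gl, fixed);
	/* 3)-5) another thread re-adds the same glock while it is on dispose. */
	if (fixed) add_to_lru_new(&l, &gl); else add_to_lru_old(&l, &gl);
	/* 6) scanner resumes: dispose is empty, nothing is freed. */
	r.lru_count = l.lru_count;
	r.on_lru_list = list_len(&l.lru_list);
	/* Next shrinker pass: the old logic now reports nr=-1 objects. */
	scan_to_dispose(&l, &gl, fixed);
	r.after_next_scan = l.lru_count;
	return r;
}

int main(void)
{
	struct replay_result old = replay_race(false), fix = replay_race(true);

	printf("old: lru_count=%d on_lru_list=%d next scan -> %d\n",
	       old.lru_count, old.on_lru_list, old.after_next_scan);
	printf("fix: lru_count=%d on_lru_list=%d next scan -> %d\n",
	       fix.lru_count, fix.on_lru_list, fix.after_next_scan);
	return 0;
}
```

With the old logic one glock ends up on lru_list while lru_count is 0, and the next scan drives it to -1, which is the "negative objects to delete nr=-1" message quoted above; with the patched logic the flag, not list membership, records whether the glock was counted, so the re-add increments and the count stays equal to the list length.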

* [PATCH 4.4 094/241] cxgb4: Fix error path in cxgb4_init_module
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (92 preceding siblings ...)
  2019-06-09 16:40 ` [PATCH 4.4 093/241] gfs2: Fix lru_count going negative Greg Kroah-Hartman
@ 2019-06-09 16:40 ` Greg Kroah-Hartman
  2019-06-09 16:40 ` [PATCH 4.4 095/241] mmc: core: Verify SD bus width Greg Kroah-Hartman
                   ` (151 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, YueHaibing, David S. Miller, Sasha Levin

[ Upstream commit a3147770bea76c8dbad73eca3a24c2118da5e719 ]

BUG: unable to handle kernel paging request at ffffffffa016a270
PGD 3270067 P4D 3270067 PUD 3271063 PMD 230bbd067 PTE 0
Oops: 0000 [#1
CPU: 0 PID: 6134 Comm: modprobe Not tainted 5.1.0+ #33
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
RIP: 0010:atomic_notifier_chain_register+0x24/0x60
Code: 1f 80 00 00 00 00 55 48 89 e5 41 54 49 89 f4 53 48 89 fb e8 ae b4 38 01 48 8b 53 38 48 8d 4b 38 48 85 d2 74 20 45 8b 44 24 10 <44> 3b 42 10 7e 08 eb 13 44 39 42 10 7c 0d 48 8d 4a 08 48 8b 52 08
RSP: 0018:ffffc90000e2bc60 EFLAGS: 00010086
RAX: 0000000000000292 RBX: ffffffff83467240 RCX: ffffffff83467278
RDX: ffffffffa016a260 RSI: ffffffff83752140 RDI: ffffffff83467240
RBP: ffffc90000e2bc70 R08: 0000000000000000 R09: 0000000000000001
R10: 0000000000000000 R11: 00000000014fa61f R12: ffffffffa01c8260
R13: ffff888231091e00 R14: 0000000000000000 R15: ffffc90000e2be78
FS:  00007fbd8d7cd540(0000) GS:ffff888237a00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffa016a270 CR3: 000000022c7e3000 CR4: 00000000000006f0
Call Trace:
 register_inet6addr_notifier+0x13/0x20
 cxgb4_init_module+0x6c/0x1000 [cxgb4
 ? 0xffffffffa01d7000
 do_one_initcall+0x6c/0x3cc
 ? do_init_module+0x22/0x1f1
 ? rcu_read_lock_sched_held+0x97/0xb0
 ? kmem_cache_alloc_trace+0x325/0x3b0
 do_init_module+0x5b/0x1f1
 load_module+0x1db1/0x2690
 ? m_show+0x1d0/0x1d0
 __do_sys_finit_module+0xc5/0xd0
 __x64_sys_finit_module+0x15/0x20
 do_syscall_64+0x6b/0x1d0
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

If pci_register_driver fails, registering inet6addr_notifier is
pointless. This patch fixes the error path in cxgb4_init_module.

Fixes: b5a02f503caa ("cxgb4 : Update ipv6 address handling api")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c
index a3e1498ca67ce..3b96622de8ff2 100644
--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c
+++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c
@@ -5061,15 +5061,24 @@ static int __init cxgb4_init_module(void)
 
 	ret = pci_register_driver(&cxgb4_driver);
 	if (ret < 0)
-		debugfs_remove(cxgb4_debugfs_root);
+		goto err_pci;
 
 #if IS_ENABLED(CONFIG_IPV6)
 	if (!inet6addr_registered) {
-		register_inet6addr_notifier(&cxgb4_inet6addr_notifier);
-		inet6addr_registered = true;
+		ret = register_inet6addr_notifier(&cxgb4_inet6addr_notifier);
+		if (ret)
+			pci_unregister_driver(&cxgb4_driver);
+		else
+			inet6addr_registered = true;
 	}
 #endif
 
+	if (ret == 0)
+		return ret;
+
+err_pci:
+	debugfs_remove(cxgb4_debugfs_root);
+
 	return ret;
 }
 
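Review bot: the unwind after the IPv6 block is hard to follow: a notifier failure calls pci_unregister_driver() inline and then depends on `+	if (ret == 0)` / `+		return ret;` not taking the return so that execution falls into err_pci: and debugfs_remove(); an explicit `goto err_unreg_pci` label that unregisters the driver and then falls through to err_pci would make the teardown order visible at a glance. Also note that with CONFIG_IPV6 disabled `ret` is still tested after the `#endif`, which is correct only because pci_register_driver() has already set it to 0 on that path.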
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 250+ messages in thread

* [PATCH 4.4 095/241] mmc: core: Verify SD bus width
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (93 preceding siblings ...)
  2019-06-09 16:40 ` [PATCH 4.4 094/241] cxgb4: Fix error path in cxgb4_init_module Greg Kroah-Hartman
@ 2019-06-09 16:40 ` Greg Kroah-Hartman
  2019-06-09 16:40 ` [PATCH 4.4 096/241] powerpc/boot: Fix missing check of lseek() return value Greg Kroah-Hartman
                   ` (150 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Avri Altman, Raul E Rangel,
	Ulf Hansson, Sasha Levin

[ Upstream commit 9e4be8d03f50d1b25c38e2b59e73b194c130df7d ]

The SD Physical Layer Spec says the following: Since the SD Memory Card
shall support at least the two bus modes 1-bit or 4-bit width, then any SD
Card shall set at least bits 0 and 2 (SD_BUS_WIDTH="0101").

This change verifies the card has specified a bus width.

AMD SDHC Device 7806 can get into a bad state after a card disconnect
where anything transferred via the DATA lines will always result in a
zero filled buffer. Currently the driver will continue without error if
the HC is in this condition. A block device will be created, but reading
from it will result in a zero buffer. This makes it seem like the SD
device has been erased, when in actuality the data is never getting
copied from the DATA lines to the data buffer.

SCR is the first command in the SD initialization sequence that uses the
DATA lines. By checking that the response was invalid, we can abort
mounting the card.

Reviewed-by: Avri Altman <avri.altman@wdc.com>
Signed-off-by: Raul E Rangel <rrangel@chromium.org>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/mmc/core/sd.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/drivers/mmc/core/sd.c b/drivers/mmc/core/sd.c
index 967535d76e346..fb8741f18c1f5 100644
--- a/drivers/mmc/core/sd.c
+++ b/drivers/mmc/core/sd.c
@@ -216,6 +216,14 @@ static int mmc_decode_scr(struct mmc_card *card)
 
 	if (scr->sda_spec3)
 		scr->cmds = UNSTUFF_BITS(resp, 32, 2);
+
+	/* SD Spec says: any SD Card shall set at least bits 0 and 2 */
+	if (!(scr->bus_widths & SD_SCR_BUS_WIDTH_1) ||
+	    !(scr->bus_widths & SD_SCR_BUS_WIDTH_4)) {
+		pr_err("%s: invalid bus width\n", mmc_hostname(card->host));
+		return -EINVAL;
+	}
+
 	return 0;
 }
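Review bot: the new check reports `invalid bus width` without the decoded value; since the commit message describes a host that hands back an all-zero buffer, logging the field makes that state easy to tell apart from a card that merely advertises an odd width, e.g. `pr_err("%s: invalid bus width 0x%x\n", mmc_hostname(card->host), scr->bus_widths);`. Placing the check after the `sda_spec3` decode is fine, since nothing in between consumes `bus_widths`.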
 
-- 
2.20.1
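The SCR field the check above decodes, as an added example that is not part of the patch or the mmc core: a stand-alone decoder for SD_BUS_WIDTHS (SCR bits [51:48]) and SD_SPEC3 (bit 47) applying the same "bits 0 and 2 must be set" rule, run over constructed SCR words including the all-zero response the commit message describes. The bit positions follow the SD Physical Layer Spec; the helper names are my own.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Same bit values as include/linux/mmc/sd.h. */
#define SD_SCR_BUS_WIDTH_1 (1u << 0)
#define SD_SCR_BUS_WIDTH_4 (1u << 2)

/* Extract 'size' bits starting at bit 'start' of a 64-bit SCR value
 * (bit 63 is the first bit the card shifts out on the DATA lines). */
static unsigned scr_bits(uint64_t scr, unsigned start, unsigned size)
{
	return (unsigned)((scr >> start) & ((1ull << size) - 1));
}

/* Assemble the 64-bit SCR from the two 32-bit words read off the DATA
 * lines, most significant word first. */
uint64_t scr_from_words(uint32_t hi, uint32_t lo)
{
	return ((uint64_t)hi << 32) | lo;
}

/* SD_BUS_WIDTHS occupies SCR bits [51:48]; bit 0 = 1-bit, bit 2 = 4-bit. */
unsigned scr_bus_widths(uint64_t scr)
{
	return scr_bits(scr, 48, 4);
}

/* SD_SPEC3 is SCR bit 47, the field the hunk above tests before decoding cmds. */
unsigned scr_sda_spec3(uint64_t scr)
{
	return scr_bits(scr, 47, 1);
}

/* The rule the patch adds: any SD card must advertise both the 1-bit and
 * the 4-bit bus width. Returns 0 when it does and -EINVAL otherwise, which
 * also rejects the all-zero SCR a host with dead DATA lines hands back. */
int check_scr_bus_width(uint64_t scr)
{
	unsigned bus_widths = scr_bus_widths(scr);

	if (!(bus_widths & SD_SCR_BUS_WIDTH_1) ||
	    !(bus_widths & SD_SCR_BUS_WIDTH_4))
		return -EINVAL;
	return 0;
}

int main(void)
{
	/* Constructed samples (not captured from real cards):
	 *   good: SD_SPEC=2, DATA_STAT_AFTER_ERASE=1, SD_BUS_WIDTHS=0101, SD_SPEC3=1
	 *   zero: what a host in the zero-filled-buffer state returns
	 *   four: SD_BUS_WIDTHS=0100, 4-bit only, violates the spec rule */
	const struct { const char *name; uint32_t hi, lo; } samples[] = {
		{ "good", 0x02858000u, 0 },
		{ "zero", 0x00000000u, 0 },
		{ "four", 0x02848000u, 0 },
	};

	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		uint64_t scr = scr_from_words(samples[i].hi, samples[i].lo);
		int rc = check_scr_bus_width(scr);

		printf("%s: bus_widths=0x%x sda_spec3=%u -> %s\n", samples[i].name,
		       scr_bus_widths(scr), scr_sda_spec3(scr),
		       rc ? "invalid bus width (-EINVAL)" : "ok");
	}
	return 0;
}
```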





* [PATCH 4.4 096/241] powerpc/boot: Fix missing check of lseek() return value
From: Greg Kroah-Hartman @ 2019-06-09 16:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Bo YU, Michael Ellerman, Sasha Levin

[ Upstream commit 5d085ec04a000fefb5182d3b03ee46ca96d8389b ]

This is detected by Coverity scan: CID: 1440481

Signed-off-by: Bo YU <tsu.yubo@gmail.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/powerpc/boot/addnote.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/arch/powerpc/boot/addnote.c b/arch/powerpc/boot/addnote.c
index 9d9f6f334d3cc..3da3e2b1b51bc 100644
--- a/arch/powerpc/boot/addnote.c
+++ b/arch/powerpc/boot/addnote.c
@@ -223,7 +223,11 @@ main(int ac, char **av)
 	PUT_16(E_PHNUM, np + 2);
 
 	/* write back */
-	lseek(fd, (long) 0, SEEK_SET);
+	i = lseek(fd, (long) 0, SEEK_SET);
+	if (i < 0) {
+		perror("lseek");
+		exit(1);
+	}
 	i = write(fd, buf, n);
 	if (i < 0) {
 		perror("write");
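Review bot: `lseek()` returns `off_t`, and `i` is the variable that later receives the `ssize_t` result of `write()`, so the assignment narrows the return value; with an offset of 0 and only the sign tested this is harmless, but the precise form is a dedicated `off_t` compared against `(off_t)-1`. The `perror()` plus `exit(1)` handling matches the existing `write` error path below, which is good.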
-- 
2.20.1

* [PATCH 4.4 097/241] ASoC: imx: fix fiq dependencies
From: Greg Kroah-Hartman @ 2019-06-09 16:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Arnd Bergmann, Mark Brown, Sasha Levin

[ Upstream commit ea751227c813ab833609afecfeedaf0aa26f327e ]

During randconfig builds, I occasionally run into an invalid configuration
of the freescale FIQ sound support:

WARNING: unmet direct dependencies detected for SND_SOC_IMX_PCM_FIQ
  Depends on [m]: SOUND [=y] && !UML && SND [=y] && SND_SOC [=y] && SND_IMX_SOC [=m]
  Selected by [y]:
  - SND_SOC_FSL_SPDIF [=y] && SOUND [=y] && !UML && SND [=y] && SND_SOC [=y] && SND_IMX_SOC [=m]!=n && (MXC_TZIC [=n] || MXC_AVIC [=y])

sound/soc/fsl/imx-ssi.o: In function `imx_ssi_remove':
imx-ssi.c:(.text+0x28): undefined reference to `imx_pcm_fiq_exit'
sound/soc/fsl/imx-ssi.o: In function `imx_ssi_probe':
imx-ssi.c:(.text+0xa64): undefined reference to `imx_pcm_fiq_init'

The Kconfig warning is a result of the symbol being defined inside of
the "if SND_IMX_SOC" block, and is otherwise harmless. The link error
is more tricky and happens with SND_SOC_IMX_SSI=y, which may or may not
imply FIQ support. However, if SND_SOC_FSL_SSI is set to =m at the same
time, that selects SND_SOC_IMX_PCM_FIQ as a loadable module dependency,
which then causes a link failure from imx-ssi.

The solution here is to make SND_SOC_IMX_PCM_FIQ built-in whenever
one of its potential users is built-in.

Fixes: ff40260f79dc ("ASoC: fsl: refine DMA/FIQ dependencies")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/soc/fsl/Kconfig | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/sound/soc/fsl/Kconfig b/sound/soc/fsl/Kconfig
index 3066e068aae5c..d420995ed45bf 100644
--- a/sound/soc/fsl/Kconfig
+++ b/sound/soc/fsl/Kconfig
@@ -171,16 +171,17 @@ config SND_MPC52xx_SOC_EFIKA
 
 endif # SND_POWERPC_SOC
 
+config SND_SOC_IMX_PCM_FIQ
+	tristate
+	default y if SND_SOC_IMX_SSI=y && (SND_SOC_FSL_SSI=m || SND_SOC_FSL_SPDIF=m) && (MXC_TZIC || MXC_AVIC)
+	select FIQ
+
 if SND_IMX_SOC
 
 config SND_SOC_IMX_SSI
 	tristate
 	select SND_SOC_FSL_UTILS
 
-config SND_SOC_IMX_PCM_FIQ
-	tristate
-	select FIQ
-
 comment "SoC Audio support for Freescale i.MX boards:"
 
 config SND_MXC_SOC_WM1133_EV1
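Review bot: moving `SND_SOC_IMX_PCM_FIQ` out of the `if SND_IMX_SOC` block drops the `depends on SND_IMX_SOC` it inherited there, so the symbol can now be switched on in configurations with no i.MX SoC audio at all; if that is intended, a short comment saying so would help. The `default y` line also hand-copies the `(MXC_TZIC || MXC_AVIC)` condition from the selecting symbols (visible in the warning quoted in the commit message), which will silently drift if `SND_SOC_FSL_SSI` or `SND_SOC_FSL_SPDIF` change; naming those selectors in a comment next to the default would make the coupling visible.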
-- 
2.20.1

* [PATCH 4.4 098/241] spi: pxa2xx: fix SCR (divisor) calculation
From: Greg Kroah-Hartman @ 2019-06-09 16:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Flavio Suligoi, Jarkko Nikula,
	Mark Brown, Sasha Levin

[ Upstream commit 29f2133717c527f492933b0622a4aafe0b3cbe9e ]

Calculate the divisor for the SCR (Serial Clock Rate), avoiding
that the SSP transmission rate can be greater than the device rate.

When the division between the SSP clock and the device rate generates
a remainder, we have to increment the divisor by one.
In this way the resulting SSP clock will never be greater than the
device SPI max frequency.

For example, with:

 - ssp_clk  = 50 MHz
 - dev freq = 15 MHz

without this patch the SSP clock will be greater than 15 MHz:

 - 25 MHz for PXA25x_SSP and CE4100_SSP
 - 16,56 MHz for the others

Instead, with this patch, we have in both cases an SSP clock of 12.5MHz,
so the max rate of the SPI device clock is respected.

Signed-off-by: Flavio Suligoi <f.suligoi@asem.it>
Reviewed-by: Jarkko Nikula <jarkko.nikula@linux.intel.com>
Reviewed-by: Jarkko Nikula <jarkko.nikula@linux.intel.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/spi/spi-pxa2xx.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/spi/spi-pxa2xx.c b/drivers/spi/spi-pxa2xx.c
index 3cac73e4c3e4a..e87b6fc9f4c63 100644
--- a/drivers/spi/spi-pxa2xx.c
+++ b/drivers/spi/spi-pxa2xx.c
@@ -859,10 +859,14 @@ static unsigned int ssp_get_clk_div(struct driver_data *drv_data, int rate)
 
 	rate = min_t(int, ssp_clk, rate);
 
+	/*
+	 * Calculate the divisor for the SCR (Serial Clock Rate), avoiding
+	 * that the SSP transmission rate can be greater than the device rate
+	 */
 	if (ssp->type == PXA25x_SSP || ssp->type == CE4100_SSP)
-		return (ssp_clk / (2 * rate) - 1) & 0xff;
+		return (DIV_ROUND_UP(ssp_clk, 2 * rate) - 1) & 0xff;
 	else
-		return (ssp_clk / rate - 1) & 0xfff;
+		return (DIV_ROUND_UP(ssp_clk, rate) - 1)  & 0xfff;
 }
 
 static unsigned int pxa2xx_ssp_get_clk_div(struct driver_data *drv_data,
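Review bot: the `& 0xff` / `& 0xfff` masks are kept, so a divisor that does not fit the SCR field still wraps to a small value and a far higher bit clock, which is the opposite of what this change guards against; since these lines are being touched anyway, clamping with `min_t()` before masking would close that hole. A double space also slipped into `- 1)  & 0xfff`.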
-- 
2.20.1
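The divisor arithmetic from the commit message, as an added example that is not the driver's code: both formulas side by side with the bit clock each SCR value yields, evaluated on the 50 MHz / 15 MHz case above. DIV_ROUND_UP matches the kernel macro; the enum and helper names are local assumptions, and the final case shows the field mask wrapping an oversized divisor.

```c
#include <stdbool.h>
#include <stdio.h>

/* Same definition as the kernel's DIV_ROUND_UP(). */
#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))

enum ssp_type { PXA25x_SSP, CE4100_SSP, OTHER_SSP };

static unsigned min_u(unsigned a, unsigned b)
{
	return a < b ? a : b;
}

/* PXA25x and CE4100 derive the bit clock from ssp_clk / 2. */
static bool half_rate_ssp(enum ssp_type type)
{
	return type == PXA25x_SSP || type == CE4100_SSP;
}

/* Divisor as computed before the patch: truncating division, so any
 * remainder makes the resulting clock faster than 'rate'. */
unsigned scr_div_old(enum ssp_type type, unsigned ssp_clk, unsigned rate)
{
	rate = min_u(ssp_clk, rate);
	if (half_rate_ssp(type))
		return (ssp_clk / (2 * rate) - 1) & 0xff;
	return (ssp_clk / rate - 1) & 0xfff;
}

/* Divisor as computed after the patch: round up, so the clock is never
 * faster than 'rate'. */
unsigned scr_div_new(enum ssp_type type, unsigned ssp_clk, unsigned rate)
{
	rate = min_u(ssp_clk, rate);
	if (half_rate_ssp(type))
		return (DIV_ROUND_UP(ssp_clk, 2 * rate) - 1) & 0xff;
	return (DIV_ROUND_UP(ssp_clk, rate) - 1) & 0xfff;
}

/* Bit clock the SSP produces for a given SCR: ssp_clk / (2 * (SCR + 1)) on
 * PXA25x/CE4100 and ssp_clk / (SCR + 1) elsewhere, the inverse of the
 * formulas above. */
unsigned ssp_bit_clock(enum ssp_type type, unsigned ssp_clk, unsigned scr)
{
	if (half_rate_ssp(type))
		return ssp_clk / (2 * (scr + 1));
	return ssp_clk / (scr + 1);
}

/* True when the divisor keeps the bit clock at or below the device maximum. */
bool respects_rate(enum ssp_type type, unsigned ssp_clk, unsigned rate,
		   unsigned scr)
{
	return ssp_bit_clock(type, ssp_clk, scr) <= rate;
}

int main(void)
{
	const unsigned ssp_clk = 50000000, rate = 15000000; /* commit's example */
	const enum ssp_type types[] = { PXA25x_SSP, OTHER_SSP };
	const char *names[] = { "PXA25x/CE4100", "other" };

	for (int i = 0; i < 2; i++) {
		unsigned o = scr_div_old(types[i], ssp_clk, rate);
		unsigned n = scr_div_new(types[i], ssp_clk, rate);

		printf("%s: old SCR=%u -> %u Hz (%s), new SCR=%u -> %u Hz (%s)\n",
		       names[i],
		       o, ssp_bit_clock(types[i], ssp_clk, o),
		       respects_rate(types[i], ssp_clk, rate, o) ? "ok" : "too fast",
		       n, ssp_bit_clock(types[i], ssp_clk, n),
		       respects_rate(types[i], ssp_clk, rate, n) ? "ok" : "too fast");
	}

	/* Caveat the patch keeps: the '& 0xfff' mask wraps an oversized divisor
	 * instead of clamping it, so an extreme ssp_clk/rate ratio still yields
	 * a clock far above the requested one. */
	unsigned wrapped = scr_div_new(OTHER_SSP, 4097, 1);
	printf("other: ssp_clk=4097 rate=1 -> SCR=%u (%u Hz, %s)\n", wrapped,
	       ssp_bit_clock(OTHER_SSP, 4097, wrapped),
	       respects_rate(OTHER_SSP, 4097, 1, wrapped) ? "ok" : "too fast");
	return 0;
}
```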





* [PATCH 4.4 099/241] brcm80211: potential NULL dereference in brcmf_cfg80211_vndr_cmds_dcmd_handler()
From: Greg Kroah-Hartman @ 2019-06-09 16:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Kalle Valo, Sasha Levin

[ Upstream commit e025da3d7aa4770bb1d1b3b0aa7cc4da1744852d ]

If "ret_len" is negative then it could lead to a NULL dereference.

The "ret_len" value comes from nl80211_vendor_cmd(), if it's negative
then we don't allocate the "dcmd_buf" buffer.  Then we pass "ret_len" to
brcmf_fil_cmd_data_set() where it is cast to a very high u32 value.
Most of the functions in that call tree check whether the buffer we pass
is NULL but there are at least a couple places which don't such as
brcmf_dbg_hex_dump() and brcmf_msgbuf_query_dcmd().  We memcpy() to and
from the buffer so it would result in a NULL dereference.

The fix is to change the types so that "ret_len" can't be negative.  (If
we memcpy() zero bytes to NULL, that's a no-op and doesn't cause an
issue).

Fixes: 1bacb0487d0e ("brcmfmac: replace cfg80211 testmode with vendor command")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/brcm80211/brcmfmac/vendor.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/brcm80211/brcmfmac/vendor.c b/drivers/net/wireless/brcm80211/brcmfmac/vendor.c
index 8eff2753abade..d493021f60318 100644
--- a/drivers/net/wireless/brcm80211/brcmfmac/vendor.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/vendor.c
@@ -35,9 +35,10 @@ static int brcmf_cfg80211_vndr_cmds_dcmd_handler(struct wiphy *wiphy,
 	struct brcmf_if *ifp;
 	const struct brcmf_vndr_dcmd_hdr *cmdhdr = data;
 	struct sk_buff *reply;
-	int ret, payload, ret_len;
+	unsigned int payload, ret_len;
 	void *dcmd_buf = NULL, *wr_pointer;
 	u16 msglen, maxmsglen = PAGE_SIZE - 0x100;
+	int ret;
 
 	if (len < sizeof(*cmdhdr)) {
 		brcmf_err("vendor command too short: %d\n", len);
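Review bot: with `ret_len` now `unsigned int`, the `brcmf_err("oversize return buffer %d\n", ret_len)` in the following hunk should switch to `%u` to avoid a format mismatch. Note also that `len` stays a signed `int` (it is printed with `%d` here), so the signed/unsigned fix this patch makes for `ret_len` does not extend to `len`.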
@@ -65,7 +66,7 @@ static int brcmf_cfg80211_vndr_cmds_dcmd_handler(struct wiphy *wiphy,
 			brcmf_err("oversize return buffer %d\n", ret_len);
 			ret_len = BRCMF_DCMD_MAXLEN;
 		}
-		payload = max(ret_len, len) + 1;
+		payload = max_t(unsigned int, ret_len, len) + 1;
 		dcmd_buf = vzalloc(payload);
 		if (NULL == dcmd_buf)
 			return -ENOMEM;
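Review bot: `max_t(unsigned int, ret_len, len)` converts `len` to unsigned for the comparison, so a negative `len` would turn into a huge allocation size rather than being rejected; the earlier `len < sizeof(*cmdhdr)` check does not catch that case either, because comparing against a `size_t` promotes `len` to unsigned too. An explicit `len < 0` reject at the top of the handler would make the assumption explicit. The `+ 1` cannot wrap here, since `ret_len` is capped at `BRCMF_DCMD_MAXLEN` just above.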
-- 
2.20.1

* [PATCH 4.4 100/241] rtc: 88pm860x: prevent use-after-free on device remove
From: Greg Kroah-Hartman @ 2019-06-09 16:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sven Van Asbroeck, Alexandre Belloni,
	Sasha Levin

[ Upstream commit f22b1ba15ee5785aa028384ebf77dd39e8e47b70 ]

The device's remove() attempts to shut down the delayed_work scheduled
on the kernel-global workqueue by calling flush_scheduled_work().

Unfortunately, flush_scheduled_work() does not prevent the delayed_work
from re-scheduling itself. The delayed_work might run after the device
has been removed, and touch the already de-allocated info structure.
This is a potential use-after-free.

Fix by calling cancel_delayed_work_sync() during remove(): this ensures
that the delayed work is properly cancelled, is no longer running, and
is not able to re-schedule itself.

This issue was detected with the help of Coccinelle.

Signed-off-by: Sven Van Asbroeck <TheSven73@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/rtc/rtc-88pm860x.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/rtc/rtc-88pm860x.c b/drivers/rtc/rtc-88pm860x.c
index 19e53b3b8e005..166faae3a59cd 100644
--- a/drivers/rtc/rtc-88pm860x.c
+++ b/drivers/rtc/rtc-88pm860x.c
@@ -414,7 +414,7 @@ static int pm860x_rtc_remove(struct platform_device *pdev)
 	struct pm860x_rtc_info *info = platform_get_drvdata(pdev);
 
 #ifdef VRTC_CALIBRATION
-	flush_scheduled_work();
+	cancel_delayed_work_sync(&info->calib_work);
 	/* disable measurement */
 	pm860x_set_bits(info->i2c, PM8607_MEAS_EN2, MEAS2_VRTC, 0);
 #endif	/* VRTC_CALIBRATION */
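Review bot: `cancel_delayed_work_sync(&info->calib_work)` is the right call, but it only guarantees the work is neither pending nor running when it returns; if anything else in the driver (an irq handler or one of the RTC ops) can queue `calib_work`, remove() has to shut that down before this point, otherwise the work can be re-armed after the cancel and the use-after-free returns. A one-line comment stating where the work can be scheduled from would make that reasoning visible.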
-- 
2.20.1

* [PATCH 4.4 101/241] w1: fix the resume command API
From: Greg Kroah-Hartman @ 2019-06-09 16:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mariusz Bialonczyk,
	Jean-Francois Dagenais, Sasha Levin

[ Upstream commit 62909da8aca048ecf9fbd7e484e5100608f40a63 ]

From the DS2408 datasheet [1]:
"Resume Command function checks the status of the RC flag and, if it is set,
 directly transfers control to the control functions, similar to a Skip ROM
 command. The only way to set the RC flag is through successfully executing
 the Match ROM, Search ROM, Conditional Search ROM, or Overdrive-Match ROM
 command"

The function currently works perfectly fine in a multidrop bus, but when we
have only a single slave connected, then only a Skip ROM is used and Match
ROM is not called at all. This is leading to problems e.g. with a single
DS2408 connected, as the Resume Command is not working properly and the
device is responding with failing results after the Resume Command.

This commit is fixing this by using a Skip ROM instead in those cases.
The bandwidth / performance advantage is exactly the same.

Refs:
[1] https://datasheets.maximintegrated.com/en/ds/DS2408.pdf

Signed-off-by: Mariusz Bialonczyk <manio@skyboo.net>
Reviewed-by: Jean-Francois Dagenais <jeff.dagenais@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/w1/w1_io.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/w1/w1_io.c b/drivers/w1/w1_io.c
index 282092421cc9e..1a9d9ec8db4df 100644
--- a/drivers/w1/w1_io.c
+++ b/drivers/w1/w1_io.c
@@ -437,8 +437,7 @@ int w1_reset_resume_command(struct w1_master *dev)
 	if (w1_reset_bus(dev))
 		return -1;
 
-	/* This will make only the last matched slave perform a skip ROM. */
-	w1_write_8(dev, W1_RESUME_CMD);
+	w1_write_8(dev, dev->slave_count > 1 ? W1_RESUME_CMD : W1_SKIP_ROM);
 	return 0;
 }
 EXPORT_SYMBOL_GPL(w1_reset_resume_command);
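Review bot: the removed comment should be replaced rather than dropped; the ternary `dev->slave_count > 1 ? W1_RESUME_CMD : W1_SKIP_ROM` is not self-explanatory, and the datasheet rule from the commit message (Resume needs an RC flag that only Match/Search ROM set, which never happens on a single-slave bus) is exactly what a reader will want next to it.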
-- 
2.20.1

* [PATCH 4.4 102/241] dmaengine: pl330: _stop: clear interrupt status
From: Greg Kroah-Hartman @ 2019-06-09 16:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sugar Zhang, Vinod Koul, Sasha Levin

[ Upstream commit 2da254cc7908105a60a6bb219d18e8dced03dcb9 ]

This patch kills (instructs the DMAC to immediately terminate
execution of) a thread, then clears the interrupt status and,
at last, stops generating interrupts for DMA_SEV, to guarantee
that the next DMA start is clean. Otherwise, one interrupt may be left
over to the next start and cause a mistake.

We can reproduce the problem as follows:

DMASEV: modify the event-interrupt resource, and if the INTEN sets
function as interrupt, the DMAC will set irq<event_num> HIGH to
generate interrupt. write INTCLR to clear interrupt.

	DMA EXECUTING INSTRUCTS		DMA TERMINATE
		|				|
		|				|
	       ...			      _stop
		|				|
		|			spin_lock_irqsave
	     DMASEV				|
		|				|
		|			    mask INTEN
		|				|
		|			     DMAKILL
		|				|
		|			spin_unlock_irqrestore

In the above case, an interrupt was left, and if we unmask INTEN, the DMAC
will set irq<event_num> HIGH to generate an interrupt.

To fix this, do as follows:

	DMA EXECUTING INSTRUCTS		DMA TERMINATE
		|				|
		|				|
	       ...			      _stop
		|				|
		|			spin_lock_irqsave
	     DMASEV				|
		|				|
		|			     DMAKILL
		|				|
		|			   clear INTCLR
		|			    mask INTEN
		|				|
		|			spin_unlock_irqrestore

Signed-off-by: Sugar Zhang <sugar.zhang@rock-chips.com>
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/dma/pl330.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/drivers/dma/pl330.c b/drivers/dma/pl330.c
index 95619ee33112c..799c182c3eacc 100644
--- a/drivers/dma/pl330.c
+++ b/drivers/dma/pl330.c
@@ -1006,6 +1006,7 @@ static void _stop(struct pl330_thread *thrd)
 {
 	void __iomem *regs = thrd->dmac->base;
 	u8 insn[6] = {0, 0, 0, 0, 0, 0};
+	u32 inten = readl(regs + INTEN);
 
 	if (_state(thrd) == PL330_STATE_FAULT_COMPLETING)
 		UNTIL(thrd, PL330_STATE_FAULTING | PL330_STATE_KILLING);
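Review bot: `inten` is snapshotted at function entry, before the `UNTIL()` wait for the fault-completing state, and the same value is written back in the second hunk. That is safe only if nothing else modifies `INTEN` while `_stop()` runs, which the caller's spinlock (per the diagrams in the commit message) should guarantee; a comment tying the snapshot to that lock would document the assumption.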
@@ -1018,10 +1019,13 @@ static void _stop(struct pl330_thread *thrd)
 
 	_emit_KILL(0, insn);
 
-	/* Stop generating interrupts for SEV */
-	writel(readl(regs + INTEN) & ~(1 << thrd->ev), regs + INTEN);
-
 	_execute_DBGINSN(thrd, insn, is_manager(thrd));
+
+	/* clear the event */
+	if (inten & (1 << thrd->ev))
+		writel(1 << thrd->ev, regs + INTCLR);
+	/* Stop generating interrupts for SEV */
+	writel(inten & ~(1 << thrd->ev), regs + INTEN);
 }
 
 /* Start doing req 'idx' of thread 'thrd' */
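Review bot: the new order (DMAKILL, then INTCLR, then mask INTEN) matches the second diagram in the commit message, but it assumes `_execute_DBGINSN()` returns only after the kill has taken effect; if the debug instruction is merely issued, a DMASEV still executing could raise the interrupt after the `INTCLR` write, which is exactly the window this change means to close. Worth confirming, or waiting for the stopped state before clearing if that is not guaranteed.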
-- 
2.20.1

* [PATCH 4.4 103/241] mac80211/cfg80211: update bss channel on channel switch
From: Greg Kroah-Hartman @ 2019-06-09 16:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sergey Matyukevich, Johannes Berg,
	Sasha Levin

[ Upstream commit 5dc8cdce1d722c733f8c7af14c5fb595cfedbfa8 ]

FullMAC STAs have no way to update bss channel after CSA channel switch
completion. As a result, user-space tools may provide inconsistent
channel info. For instance, consider the following two commands:
$ sudo iw dev wlan0 link
$ sudo iw dev wlan0 info
The latter command gets channel info from the hardware, so most probably
its output will be correct. However the former command gets channel info
from scan cache, so its output will contain outdated channel info.
In fact, current bss channel info will not be updated until the
next [re-]connect.

Note that mac80211 STAs have a workaround for this, but it requires
access to internal cfg80211 data, see ieee80211_chswitch_work:

	/* XXX: shouldn't really modify cfg80211-owned data! */
	ifmgd->associated->channel = sdata->csa_chandef.chan;

This patch suggests to convert mac80211 workaround into cfg80211 behavior
and to update current bss channel in cfg80211_ch_switch_notify.

Signed-off-by: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/mac80211/mlme.c    | 3 ---
 net/wireless/nl80211.c | 5 +++++
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index ed4fef32b394f..08384dbf426c8 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -1104,9 +1104,6 @@ static void ieee80211_chswitch_work(struct work_struct *work)
 		goto out;
 	}
 
-	/* XXX: shouldn't really modify cfg80211-owned data! */
-	ifmgd->associated->channel = sdata->csa_chandef.chan;
-
 	ifmgd->csa_waiting_bcn = true;
 
 	ieee80211_sta_reset_beacon_monitor(sdata);
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 81013490a99f4..1968998e6c6c2 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -12788,6 +12788,11 @@ void cfg80211_ch_switch_notify(struct net_device *dev,
 
 	wdev->chandef = *chandef;
 	wdev->preset_chandef = *chandef;
+
+	if (wdev->iftype == NL80211_IFTYPE_STATION &&
+	    !WARN_ON(!wdev->current_bss))
+		wdev->current_bss->pub.channel = chandef->chan;
+
 	nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL,
 				 NL80211_CMD_CH_SWITCH_NOTIFY, 0);
 }
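Review bot: `!WARN_ON(!wdev->current_bss)` turns a missing `current_bss` on a STATION interface into a warning rather than a silent skip; if a channel-switch notification can legitimately arrive while the STA is in the middle of disconnecting, this will fire spuriously, so the driver-side callers are worth checking. A short comment that this assignment replaces the former mac80211 workaround removed in the mlme.c hunk would also help future readers.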
-- 
2.20.1

* [PATCH 4.4 104/241] ASoC: fsl_sai: Update is_slave_mode with correct value
From: Greg Kroah-Hartman @ 2019-06-09 16:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Daniel Baluta, Nicolin Chen,
	Mark Brown, Sasha Levin

[ Upstream commit ddb351145a967ee791a0fb0156852ec2fcb746ba ]

is_slave_mode defaults to false because sai structure
that contains it is kzalloc'ed.

Anyhow, if we decide to set the following configuration
SAI slave -> SAI master, is_slave_mode will remain set on true
although SAI being master it should be set to false.

Fix this by updating is_slave_mode for each call of
fsl_sai_set_dai_fmt.

Signed-off-by: Daniel Baluta <daniel.baluta@nxp.com>
Acked-by: Nicolin Chen <nicoleotsuka@gmail.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/soc/fsl/fsl_sai.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sound/soc/fsl/fsl_sai.c b/sound/soc/fsl/fsl_sai.c
index 08b460ba06efc..61d2d955f26a6 100644
--- a/sound/soc/fsl/fsl_sai.c
+++ b/sound/soc/fsl/fsl_sai.c
@@ -260,12 +260,14 @@ static int fsl_sai_set_dai_fmt_tr(struct snd_soc_dai *cpu_dai,
 	case SND_SOC_DAIFMT_CBS_CFS:
 		val_cr2 |= FSL_SAI_CR2_BCD_MSTR;
 		val_cr4 |= FSL_SAI_CR4_FSD_MSTR;
+		sai->is_slave_mode = false;
 		break;
 	case SND_SOC_DAIFMT_CBM_CFM:
 		sai->is_slave_mode = true;
 		break;
 	case SND_SOC_DAIFMT_CBS_CFM:
 		val_cr2 |= FSL_SAI_CR2_BCD_MSTR;
+		sai->is_slave_mode = false;
 		break;
 	case SND_SOC_DAIFMT_CBM_CFS:
 		val_cr4 |= FSL_SAI_CR4_FSD_MSTR;
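Review bot: the `SND_SOC_DAIFMT_CBM_CFS` case is cut off by the hunk context, so it is not visible whether it also assigns `sai->is_slave_mode`; if it does not, switching from `CBM_CFM` to `CBM_CFS` keeps the stale `true`, the same class of bug this patch fixes for the other cases. Setting the flag once before the `switch` and overriding it only in the `CBM_CFM` case would avoid having to remember it in every branch.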
-- 
2.20.1

* [PATCH 4.4 105/241] mwifiex: prevent an array overflow
From: Greg Kroah-Hartman @ 2019-06-09 16:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Kalle Valo, Sasha Levin

[ Upstream commit b4c35c17227fe437ded17ce683a6927845f8c4a4 ]

The "rate_index" is only used as an index into the phist_data->rx_rate[]
array in the mwifiex_hist_data_set() function.  That array has
MWIFIEX_MAX_AC_RX_RATES (74) elements and it's used to generate some
debugfs information.  The "rate_index" variable comes from the network
skb->data[] and it is a u8 so it's in the 0-255 range.  We need to cap
it to prevent an array overflow.

Fixes: cbf6e05527a7 ("mwifiex: add rx histogram statistics support")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/mwifiex/cfp.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/net/wireless/mwifiex/cfp.c b/drivers/net/wireless/mwifiex/cfp.c
index 3ddb8ec676ed3..6dd331dfb5179 100644
--- a/drivers/net/wireless/mwifiex/cfp.c
+++ b/drivers/net/wireless/mwifiex/cfp.c
@@ -533,5 +533,8 @@ u8 mwifiex_adjust_data_rate(struct mwifiex_private *priv,
 		rate_index = (rx_rate > MWIFIEX_RATE_INDEX_OFDM0) ?
 			      rx_rate - 1 : rx_rate;
 
+	if (rate_index >= MWIFIEX_MAX_AC_RX_RATES)
+		rate_index = MWIFIEX_MAX_AC_RX_RATES - 1;
+
 	return rate_index;
 }
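Review bot: the clamp folds every out-of-range `rate_index` from the skb into the last histogram bucket (`MWIFIEX_MAX_AC_RX_RATES - 1`), which silently inflates that rate's count; for a debugfs statistic fed by over-the-air data, either dropping the sample or counting it in a dedicated invalid bucket gives more honest output and makes a misbehaving peer visible rather than hidden.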
-- 
2.20.1

* [PATCH 4.4 106/241] net: cw1200: fix a NULL pointer dereference
From: Greg Kroah-Hartman @ 2019-06-09 16:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kangjie Lu, Kalle Valo, Sasha Levin

[ Upstream commit 0ed2a005347400500a39ea7c7318f1fea57fb3ca ]

In case create_singlethread_workqueue fails, the fix frees the
hardware and returns NULL to avoid a NULL pointer dereference.

Signed-off-by: Kangjie Lu <kjlu@umn.edu>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/cw1200/main.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/net/wireless/cw1200/main.c b/drivers/net/wireless/cw1200/main.c
index 0e51e27d2e3f1..317daa968e037 100644
--- a/drivers/net/wireless/cw1200/main.c
+++ b/drivers/net/wireless/cw1200/main.c
@@ -345,6 +345,11 @@ static struct ieee80211_hw *cw1200_init_common(const u8 *macaddr,
 	mutex_init(&priv->wsm_cmd_mux);
 	mutex_init(&priv->conf_mutex);
 	priv->workqueue = create_singlethread_workqueue("cw1200_wq");
+	if (!priv->workqueue) {
+		ieee80211_free_hw(hw);
+		return NULL;
+	}
+
 	sema_init(&priv->scan.lock, 1);
 	INIT_WORK(&priv->scan.work, cw1200_scan_work);
 	INIT_DELAYED_WORK(&priv->scan.probe_work, cw1200_probe_work);
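Review bot: the new error path calls `ieee80211_free_hw(hw)` and returns NULL, which is the right undo for `ieee80211_alloc_hw()`; the two `mutex_init()` calls above need no cleanup. Worth checking that every caller of `cw1200_init_common()` already handles a NULL return, since before this change the function could not return NULL from this point.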
-- 
2.20.1

* [PATCH 4.4 107/241] bcache: return error immediately in bch_journal_replay()
From: Greg Kroah-Hartman @ 2019-06-09 16:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Coly Li, Hannes Reinecke, Jens Axboe,
	Sasha Levin

[ Upstream commit 68d10e6979a3b59e3cd2e90bfcafed79c4cf180a ]

When failure happens inside bch_journal_replay(), calling
cache_set_err_on() and handling the failure in an async way is not a good
idea. Because after bch_journal_replay() returns, registering code will
continue to execute the following steps, and unregistering code triggered
by cache_set_err_on() is running at the same time. First, it is unnecessary
to handle failure and unregister the cache set in an async way; second, there
might be a potential race condition to run register and unregister code
for the same cache set.

So in this patch, if failure happens in bch_journal_replay(), we don't
call cache_set_err_on(), and just print out the same error message to the
kernel message buffer, then return -EIO immediately to the caller. Then the
caller can detect such failure and handle it in a synchronized way.

Signed-off-by: Coly Li <colyli@suse.de>
Reviewed-by: Hannes Reinecke <hare@suse.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/md/bcache/journal.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/drivers/md/bcache/journal.c b/drivers/md/bcache/journal.c
index e9d9333940deb..3a102f88eb326 100644
--- a/drivers/md/bcache/journal.c
+++ b/drivers/md/bcache/journal.c
@@ -322,9 +322,12 @@ int bch_journal_replay(struct cache_set *s, struct list_head *list)
 	list_for_each_entry(i, list, list) {
 		BUG_ON(i->pin && atomic_read(i->pin) != 1);
 
-		cache_set_err_on(n != i->j.seq, s,
-"bcache: journal entries %llu-%llu missing! (replaying %llu-%llu)",
-				 n, i->j.seq - 1, start, end);
+		if (n != i->j.seq) {
+			pr_err("bcache: journal entries %llu-%llu missing! (replaying %llu-%llu)",
+			n, i->j.seq - 1, start, end);
+			ret = -EIO;
+			goto err;
+		}
 
 		for (k = i->j.start;
 		     k < bset_bkey_last(&i->j);
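Review bot: the `goto err` target and `ret` variable are not visible in this hunk; make sure the `err:` label exists in `bch_journal_replay()` and releases whatever the loop body holds at that point. Two nits: the `pr_err()` continuation line should be aligned under the opening parenthesis, and if journal.c defines `pr_fmt` with a `bcache: ` prefix the literal `bcache:` in the format string will be printed twice.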
-- 
2.20.1

* [PATCH 4.4 108/241] bcache: fix failure in journal replay
From: Greg Kroah-Hartman @ 2019-06-09 16:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tang Junhui, Dennis Schridde,
	Coly Li, Jens Axboe, Sasha Levin

[ Upstream commit 631207314d88e9091be02fbdd1fdadb1ae2ed79a ]

journal replay failed with messages:
Sep 10 19:10:43 ceph kernel: bcache: error on
bb379a64-e44e-4812-b91d-a5599871a3b1: bcache: journal entries
2057493-2057567 missing! (replaying 2057493-2076601), disabling
caching

The reason is in journal_reclaim(), when discard is enabled, we send
discard command and reclaim those journal buckets whose seq is older
than the last_seq_now, but before we write a journal with last_seq_now,
the machine is restarted, so the journal with the last_seq_now is not
written to the journal bucket, and the last_seq_wrote in the newest
journal is older than last_seq_now which we expect to be, so when we do
replay, journals from last_seq_wrote to last_seq_now are missing.

It's hard to write a journal immediately after journal_reclaim(),
and it is harmless if those missed journals are caused by discarding
since those journals are already written to btree nodes. So, if missed
seqs start from the beginning journal, we treat it as normal,
and only print a message to show the missed journal, and point out
it may be caused by discarding.

Patch v2 adds a judgement condition to ignore the missed journal
only when discard is enabled as Coly suggested.

(Coly Li: rebase the patch with other changes in bch_journal_replay())

Signed-off-by: Tang Junhui <tang.junhui.linux@gmail.com>
Tested-by: Dennis Schridde <devurandom@gmx.net>
Signed-off-by: Coly Li <colyli@suse.de>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/md/bcache/journal.c | 25 +++++++++++++++++++++----
 1 file changed, 21 insertions(+), 4 deletions(-)

diff --git a/drivers/md/bcache/journal.c b/drivers/md/bcache/journal.c
index 3a102f88eb326..6f9db98f2dfd7 100644
--- a/drivers/md/bcache/journal.c
+++ b/drivers/md/bcache/journal.c
@@ -309,6 +309,18 @@ void bch_journal_mark(struct cache_set *c, struct list_head *list)
 	}
 }
 
+bool is_discard_enabled(struct cache_set *s)
+{
+	struct cache *ca;
+	unsigned int i;
+
+	for_each_cache(ca, s, i)
+		if (ca->discard)
+			return true;
+
+	return false;
+}
+
 int bch_journal_replay(struct cache_set *s, struct list_head *list)
 {
 	int ret = 0, keys = 0, entries = 0;
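Review bot: `is_discard_enabled()` is defined without `static` and this patch adds no prototype for it in a header, so it will produce a missing-prototypes warning and puts a very generic name into the global kernel namespace; unless another file is meant to call it, make it `static bool is_discard_enabled(struct cache_set *s)`.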
@@ -323,10 +335,15 @@ int bch_journal_replay(struct cache_set *s, struct list_head *list)
 		BUG_ON(i->pin && atomic_read(i->pin) != 1);
 
 		if (n != i->j.seq) {
-			pr_err("bcache: journal entries %llu-%llu missing! (replaying %llu-%llu)",
-			n, i->j.seq - 1, start, end);
-			ret = -EIO;
-			goto err;
+			if (n == start && is_discard_enabled(s))
+				pr_info("bcache: journal entries %llu-%llu may be discarded! (replaying %llu-%llu)",
+					n, i->j.seq - 1, start, end);
+			else {
+				pr_err("bcache: journal entries %llu-%llu missing! (replaying %llu-%llu)",
+					n, i->j.seq - 1, start, end);
+				ret = -EIO;
+				goto err;
+			}
 		}
 
 		for (k = i->j.start;
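Review bot: the `if` branch is unbraced while the `else` branch is braced; kernel coding style wants braces on both branches when either needs them. Also worth spelling out what the condition tolerates: missing entries are forgiven only when the gap begins at `start`, the first sequence expected, and `is_discard_enabled(s)` reports discard on any cache in the set, not necessarily the one that held those journal buckets; a gap anywhere later in the range still returns -EIO, which matches the commit message.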
-- 
2.20.1





* [PATCH 4.4 109/241] bcache: add failure check to run_cache_set() for journal replay
From: Greg Kroah-Hartman @ 2019-06-09 16:40 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Coly Li, Jens Axboe, Sasha Levin

[ Upstream commit ce3e4cfb59cb382f8e5ce359238aa580d4ae7778 ]

Currently run_cache_set() has no return value, if there is a failure in
bch_journal_replay(), the caller of run_cache_set() has no idea about
such failure and just continues to execute the following code after
run_cache_set().  The internal failure is triggered inside
bch_journal_replay() and handled in an async way. This behavior is
inefficient, while failure handling happens inside bch_journal_replay(),
cache register code is still running to start the cache set. Registering and
unregistering code running at the same time may introduce some rare race
condition, and makes the code harder to understand.

This patch adds a return value to run_cache_set(), and returns -EIO if
bch_journal_replay() fails. Then the caller of run_cache_set() may detect
such failure and stop the registering code flow immediately inside
register_cache_set().

If journal replay fails, run_cache_set() can report the error immediately
to register_cache_set(). This patch makes the failure handling for
bch_journal_replay() synchronized, easier to understand and
debug, and avoids a potential race condition for register-and-unregister
at the same time.

Signed-off-by: Coly Li <colyli@suse.de>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/md/bcache/super.c | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c
index 2140c5b48b511..02757b90e4029 100644
--- a/drivers/md/bcache/super.c
+++ b/drivers/md/bcache/super.c
@@ -1558,7 +1558,7 @@ struct cache_set *bch_cache_set_alloc(struct cache_sb *sb)
 	return NULL;
 }
 
-static void run_cache_set(struct cache_set *c)
+static int run_cache_set(struct cache_set *c)
 {
 	const char *err = "cannot allocate memory";
 	struct cached_dev *dc, *t;
@@ -1650,7 +1650,9 @@ static void run_cache_set(struct cache_set *c)
 		if (j->version < BCACHE_JSET_VERSION_UUID)
 			__uuid_write(c);
 
-		bch_journal_replay(c, &journal);
+		err = "bcache: replay journal failed";
+		if (bch_journal_replay(c, &journal))
+			goto err;
 	} else {
 		pr_notice("invalidating existing data");
 
@@ -1718,11 +1720,13 @@ static void run_cache_set(struct cache_set *c)
 	flash_devs_run(c);
 
 	set_bit(CACHE_SET_RUNNING, &c->flags);
-	return;
+	return 0;
 err:
 	closure_sync(&cl);
 	/* XXX: test this, it's broken */
 	bch_cache_set_error(c, "%s", err);
+
+	return -EIO;
 }
 
 static bool can_attach_cache(struct cache *ca, struct cache_set *c)
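Review bot: `return -EIO;` is now the result for every `goto err` in run_cache_set(), including the pre-existing allocation failures behind "cannot allocate memory", so an out-of-memory condition is reported to the caller as an I/O error; register_cache_set() only tests `< 0`, so this works, but a specific errno per failure would be more honest. The `/* XXX: test this, it's broken */` comment above bch_cache_set_error() is also still there, and this patch makes that path run on every journal replay failure, so the comment should either be resolved or the path confirmed working in this tree.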
@@ -1786,8 +1790,11 @@ static const char *register_cache_set(struct cache *ca)
 	ca->set->cache[ca->sb.nr_this_dev] = ca;
 	c->cache_by_alloc[c->caches_loaded++] = ca;
 
-	if (c->caches_loaded == c->sb.nr_in_set)
-		run_cache_set(c);
+	if (c->caches_loaded == c->sb.nr_in_set) {
+		err = "failed to run cache set";
+		if (run_cache_set(c) < 0)
+			goto err;
+	}
 
 	return NULL;
 err:
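Review bot: when run_cache_set() fails it has already called bch_cache_set_error(c, ...) on its own err path, and now register_cache_set() takes its `err` path as well; `ca` has also already been stored in `ca->set->cache[ca->sb.nr_this_dev]` and `c->caches_loaded` incremented a few lines above. The caller's cleanup must therefore be safe to run alongside the teardown that bch_cache_set_error() triggers, and a short comment at the new `goto err` noting that the cache set error handler has already been invoked would save the next reader from re-deriving that.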
-- 
2.20.1





* [PATCH 4.4 110/241] bcache: avoid clang -Wuninitialized warning
From: Greg Kroah-Hartman @ 2019-06-09 16:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Arnd Bergmann, Nathan Chancellor,
	Coly Li, Jens Axboe, Sasha Levin

[ Upstream commit 78d4eb8ad9e1d413449d1b7a060f50b6efa81ebd ]

clang has identified a code path in which it thinks a
variable may be unused:

drivers/md/bcache/alloc.c:333:4: error: variable 'bucket' is used uninitialized whenever 'if' condition is false
      [-Werror,-Wsometimes-uninitialized]
                        fifo_pop(&ca->free_inc, bucket);
                        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/md/bcache/util.h:219:27: note: expanded from macro 'fifo_pop'
 #define fifo_pop(fifo, i)       fifo_pop_front(fifo, (i))
                                ^~~~~~~~~~~~~~~~~~~~~~~~~
drivers/md/bcache/util.h:189:6: note: expanded from macro 'fifo_pop_front'
        if (_r) {                                                       \
            ^~
drivers/md/bcache/alloc.c:343:46: note: uninitialized use occurs here
                        allocator_wait(ca, bch_allocator_push(ca, bucket));
                                                                  ^~~~~~
drivers/md/bcache/alloc.c:287:7: note: expanded from macro 'allocator_wait'
                if (cond)                                               \
                    ^~~~
drivers/md/bcache/alloc.c:333:4: note: remove the 'if' if its condition is always true
                        fifo_pop(&ca->free_inc, bucket);
                        ^
drivers/md/bcache/util.h:219:27: note: expanded from macro 'fifo_pop'
 #define fifo_pop(fifo, i)       fifo_pop_front(fifo, (i))
                                ^
drivers/md/bcache/util.h:189:2: note: expanded from macro 'fifo_pop_front'
        if (_r) {                                                       \
        ^
drivers/md/bcache/alloc.c:331:15: note: initialize the variable 'bucket' to silence this warning
                        long bucket;
                                   ^

This cannot happen in practice because we only enter the loop
if there is at least one element in the list.

Slightly rearranging the code makes this clearer to both the
reader and the compiler, which avoids the warning.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Reviewed-by: Nathan Chancellor <natechancellor@gmail.com>
Signed-off-by: Coly Li <colyli@suse.de>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/md/bcache/alloc.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/md/bcache/alloc.c b/drivers/md/bcache/alloc.c
index 16c3390e5d9f3..d82ae445c9ee3 100644
--- a/drivers/md/bcache/alloc.c
+++ b/drivers/md/bcache/alloc.c
@@ -324,10 +324,11 @@ static int bch_allocator_thread(void *arg)
 		 * possibly issue discards to them, then we add the bucket to
 		 * the free list:
 		 */
-		while (!fifo_empty(&ca->free_inc)) {
+		while (1) {
 			long bucket;
 
-			fifo_pop(&ca->free_inc, bucket);
+			if (!fifo_pop(&ca->free_inc, bucket))
+				break;
 
 			if (ca->discard) {
 				mutex_unlock(&ca->set->bucket_lock);
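Review bot: with the loop changed to `while (1)` the termination condition is no longer visible at the loop header; a one-line comment saying that `fifo_pop()` evaluates to false when `ca->free_inc` is empty would help the next reader, since fifo_pop_front() is a macro whose body is an `if (_r) {` block, as the clang note quoted above shows, rather than an obviously boolean function. `bucket` stays uninitialized on the break path, which is fine because nothing reads it after the break.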
-- 
2.20.1





* [PATCH 4.4 111/241] x86/build: Move _etext to actual end of .text
From: Greg Kroah-Hartman @ 2019-06-09 16:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kees Cook, Borislav Petkov,
	Linus Torvalds, Peter Zijlstra, Thomas Gleixner, Ingo Molnar,
	Sasha Levin, Sami Tolvanen

[ Upstream commit 392bef709659abea614abfe53cf228e7a59876a4 ]

When building x86 with Clang LTO and CFI, CFI jump regions are
automatically added to the end of the .text section late in linking. As a
result, the _etext position was being labelled before the appended jump
regions, causing confusion about where the boundaries of the executable
region actually are in the running kernel, and broke at least the fault
injection code. This moves the _etext mark to outside (and immediately
after) the .text area, as is already the case on other architectures
(e.g. arm64, arm).

Reported-and-tested-by: Sami Tolvanen <samitolvanen@google.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: Borislav Petkov <bp@suse.de>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: http://lkml.kernel.org/r/20190423183827.GA4012@beast
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/x86/kernel/vmlinux.lds.S | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S
index 17e1e60b6b400..68dd72248919b 100644
--- a/arch/x86/kernel/vmlinux.lds.S
+++ b/arch/x86/kernel/vmlinux.lds.S
@@ -110,11 +110,11 @@ SECTIONS
 		*(.text.__x86.indirect_thunk)
 		__indirect_thunk_end = .;
 #endif
-
-		/* End of text section */
-		_etext = .;
 	} :text = 0x9090
 
+	/* End of text section */
+	_etext = .;
+
 	NOTES :text :note
 
 	EXCEPTION_TABLE(16) :text = 0x9090
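Review bot: `_etext = .;` now sits outside the `.text` output section, so it also lands after any alignment padding the linker places at the end of `.text`, not only after the CFI jump tables the commit message describes; consumers that use `_etext` to size the kernel text range (the fault injection code mentioned, kernel_text_address()-style checks) will see a slightly larger region. It still precedes `NOTES :text :note`, so `.notes` remains in the :text segment but outside the range ending at `_etext`, exactly as before the change.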
-- 
2.20.1





* [PATCH 4.4 112/241] smpboot: Place the __percpu annotation correctly
From: Greg Kroah-Hartman @ 2019-06-09 16:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, kbuild test robot,
	Sebastian Andrzej Siewior, Linus Torvalds, Paul E. McKenney,
	Peter Zijlstra, Thomas Gleixner, Ingo Molnar, Sasha Levin

[ Upstream commit d4645d30b50d1691c26ff0f8fa4e718b08f8d3bb ]

The test robot reported a wrong assignment of a per-CPU variable which
it detected by using sparse and sent a report. The assignment itself is
correct. The annotation for sparse was wrong and hence the report.
The first pointer is a "normal" pointer and points to the per-CPU memory
area. That means that the __percpu annotation has to be moved.

Move the __percpu annotation to the pointer which points to the per-CPU
area. This change affects only the sparse tool (and is ignored by the
compiler).

Reported-by: kbuild test robot <lkp@intel.com>
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Paul E. McKenney <paulmck@linux.ibm.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Fixes: f97f8f06a49fe ("smpboot: Provide infrastructure for percpu hotplug threads")
Link: http://lkml.kernel.org/r/20190424085253.12178-1-bigeasy@linutronix.de
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/linux/smpboot.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/linux/smpboot.h b/include/linux/smpboot.h
index 12910cf19869c..12a4b09f4d08b 100644
--- a/include/linux/smpboot.h
+++ b/include/linux/smpboot.h
@@ -30,7 +30,7 @@ struct smpboot_thread_data;
  * @thread_comm:	The base name of the thread
  */
 struct smp_hotplug_thread {
-	struct task_struct __percpu	**store;
+	struct task_struct		* __percpu *store;
 	struct list_head		list;
 	int				(*thread_should_run)(unsigned int cpu);
 	void				(*thread_fn)(unsigned int cpu);
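Review bot: sparse-only change with no codegen difference; `struct task_struct * __percpu *store` now reads as a plain pointer to a per-CPU `struct task_struct *`, which is what the commit message describes. For the 4.4 backport it is worth running `make C=1 kernel/smpboot.o` to confirm the robot's warning actually goes away here, since the report was produced against a newer tree whose per-cpu accessors may differ.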
-- 
2.20.1





* [PATCH 4.4 113/241] x86/mm: Remove in_nmi() warning from 64-bit implementation of vmalloc_fault()
From: Greg Kroah-Hartman @ 2019-06-09 16:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nicolai Stange, Jiri Kosina,
	Peter Zijlstra (Intel),
	Andy Lutomirski, Borislav Petkov, Dave Hansen,
	Frederic Weisbecker, Joerg Roedel, Linus Torvalds,
	Thomas Gleixner, Ingo Molnar, Sasha Levin

[ Upstream commit a65c88e16f32aa9ef2e8caa68ea5c29bd5eb0ff0 ]

In-NMI warnings have been added to vmalloc_fault() via:

  ebc8827f75 ("x86: Barf when vmalloc and kmemcheck faults happen in NMI")

back in the time when our NMI entry code could not cope with nested NMIs.

These days, it's perfectly fine to take a fault in NMI context and we
don't have to care about the fact that IRET from the fault handler might
cause NMI nesting.

This warning has already been removed from the 32-bit implementation of
vmalloc_fault() in:

  6863ea0cda8 ("x86/mm: Remove in_nmi() warning from vmalloc_fault()")

but the 64-bit version was omitted.

Remove the bogus warning also from the 64-bit implementation of vmalloc_fault().

Reported-by: Nicolai Stange <nstange@suse.de>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Joerg Roedel <jroedel@suse.de>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Fixes: 6863ea0cda8 ("x86/mm: Remove in_nmi() warning from vmalloc_fault()")
Link: http://lkml.kernel.org/r/nycvar.YFH.7.76.1904240902280.9803@cbobk.fhfr.pm
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/x86/mm/fault.c | 2 --
 1 file changed, 2 deletions(-)

diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
index c4dffae5d9390..462c5c30b9a21 100644
--- a/arch/x86/mm/fault.c
+++ b/arch/x86/mm/fault.c
@@ -373,8 +373,6 @@ static noinline int vmalloc_fault(unsigned long address)
 	if (!(address >= VMALLOC_START && address < VMALLOC_END))
 		return -1;
 
-	WARN_ON_ONCE(in_nmi());
-
 	/*
 	 * Copy kernel mappings over when needed. This can also
 	 * happen within a race in page table update. In the later
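Review bot: the justification for dropping `WARN_ON_ONCE(in_nmi());` is that the NMI entry code tolerates nested NMIs, which the commit message states for mainline; for the 4.4 backport, confirm that arch/x86/entry/entry_64.S in 4.4 carries that nested-NMI handling, because this warning was the only remaining indication of the original problem and nothing replaces it.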
-- 
2.20.1





* [PATCH 4.4 114/241] mm/uaccess: Use unsigned long to placate UBSAN warnings on older GCC versions
From: Greg Kroah-Hartman @ 2019-06-09 16:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Randy Dunlap, Peter Zijlstra (Intel),
	Linus Torvalds, Thomas Gleixner, luto, Ingo Molnar, Sasha Levin

[ Upstream commit 29da93fea3ea39ab9b12270cc6be1b70ef201c9e ]

Randy reported objtool triggered on his (GCC-7.4) build:

  lib/strncpy_from_user.o: warning: objtool: strncpy_from_user()+0x315: call to __ubsan_handle_add_overflow() with UACCESS enabled
  lib/strnlen_user.o: warning: objtool: strnlen_user()+0x337: call to __ubsan_handle_sub_overflow() with UACCESS enabled

This is due to UBSAN generating signed-overflow-UB warnings where it
should not. Prior to GCC-8 UBSAN ignored -fwrapv (which the kernel
uses through -fno-strict-overflow).

Make the functions use 'unsigned long' throughout.

Reported-by: Randy Dunlap <rdunlap@infradead.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Acked-by: Randy Dunlap <rdunlap@infradead.org> # build-tested
Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: luto@kernel.org
Link: http://lkml.kernel.org/r/20190424072208.754094071@infradead.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 lib/strncpy_from_user.c | 5 +++--
 lib/strnlen_user.c      | 4 ++--
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/lib/strncpy_from_user.c b/lib/strncpy_from_user.c
index e0af6ff73d146..f8b1e3cb716b9 100644
--- a/lib/strncpy_from_user.c
+++ b/lib/strncpy_from_user.c
@@ -20,10 +20,11 @@
  * hit it), 'max' is the address space maximum (and we return
  * -EFAULT if we hit it).
  */
-static inline long do_strncpy_from_user(char *dst, const char __user *src, long count, unsigned long max)
+static inline long do_strncpy_from_user(char *dst, const char __user *src,
+					unsigned long count, unsigned long max)
 {
 	const struct word_at_a_time constants = WORD_AT_A_TIME_CONSTANTS;
-	long res = 0;
+	unsigned long res = 0;
 
 	/*
 	 * Truncate 'max' to the user-specified limit, so that
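Review bot: `count` becomes `unsigned long` in this helper; if the public strncpy_from_user() wrapper keeps a signed `count`, a negative value passed by a caller converts to a very large unsigned value here, so the wrapper's range check must keep running before this helper is reached. Note also that `res` is now `unsigned long` while the function still returns `long`, so the final return is an implicit unsigned-to-signed conversion; harmless while `res <= max`, but an explicit cast with a comment would document that.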
diff --git a/lib/strnlen_user.c b/lib/strnlen_user.c
index 3a5f2b366d84e..1c87bfa63db7f 100644
--- a/lib/strnlen_user.c
+++ b/lib/strnlen_user.c
@@ -27,7 +27,7 @@
 static inline long do_strnlen_user(const char __user *src, unsigned long count, unsigned long max)
 {
 	const struct word_at_a_time constants = WORD_AT_A_TIME_CONSTANTS;
-	long align, res = 0;
+	unsigned long align, res = 0;
 	unsigned long c;
 
 	/*
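Review bot: `align` and `res` are now unsigned while the return type in the hunk header is still `long`, so the value returned from do_strnlen_user() is converted from unsigned to signed implicitly. That is fine as long as the result stays below LONG_MAX, which `max` guarantees, but since the whole point of this patch is to make these arithmetic types explicit for UBSAN, a comment on the return would complete the picture.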
@@ -41,7 +41,7 @@ static inline long do_strnlen_user(const char __user *src, unsigned long count,
 	 * Do everything aligned. But that means that we
 	 * need to also expand the maximum..
 	 */
-	align = (sizeof(long) - 1) & (unsigned long)src;
+	align = (sizeof(unsigned long) - 1) & (unsigned long)src;
 	src -= align;
 	max += align;
 
-- 
2.20.1





* [PATCH 4.4 115/241] HID: logitech-hidpp: use RAP instead of FAP to get the protocol version
From: Greg Kroah-Hartman @ 2019-06-09 16:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hans de Goede, Benjamin Tissoires,
	Sasha Levin

[ Upstream commit 096377525cdb8251e4656085efc988bdf733fb4c ]

According to the logitech_hidpp_2.0_specification_draft_2012-06-04.pdf doc:
https://lekensteyn.nl/files/logitech/logitech_hidpp_2.0_specification_draft_2012-06-04.pdf

We should use a register-access-protocol request using the short input /
output report ids. This is necessary because 27MHz HID++ receivers have
a max-packetsize on their HID++ endpoint of 8, so they cannot support
long reports. Using a feature-access-protocol request (which is always
long or very-long) with these will cause a timeout error, followed by
the hidpp driver treating the device as not being HID++ capable.

This commit fixes this by switching to using a rap request to get the
protocol version.

Besides being tested with a (046d:c517) 27MHz receiver with various
27MHz keyboards and mice, this has also been tested to not cause
regressions on a non-unifying dual-HID++ nano receiver (046d:c534) with
k270 and m185 HID++-2.0 devices connected and on a unifying/dj receiver
(046d:c52b) with a HID++-2.0 Logitech Rechargeable Touchpad T650.

Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/hid/hid-logitech-hidpp.c | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-logitech-hidpp.c
index 5fd97860aec4d..3666e5064d0d3 100644
--- a/drivers/hid/hid-logitech-hidpp.c
+++ b/drivers/hid/hid-logitech-hidpp.c
@@ -414,13 +414,16 @@ static int hidpp_root_get_feature(struct hidpp_device *hidpp, u16 feature,
 
 static int hidpp_root_get_protocol_version(struct hidpp_device *hidpp)
 {
+	const u8 ping_byte = 0x5a;
+	u8 ping_data[3] = { 0, 0, ping_byte };
 	struct hidpp_report response;
 	int ret;
 
-	ret = hidpp_send_fap_command_sync(hidpp,
+	ret = hidpp_send_rap_command_sync(hidpp,
+			REPORT_ID_HIDPP_SHORT,
 			HIDPP_PAGE_ROOT_IDX,
 			CMD_ROOT_GET_PROTOCOL_VERSION,
-			NULL, 0, &response);
+			ping_data, sizeof(ping_data), &response);
 
 	if (ret == HIDPP_ERROR_INVALID_SUBID) {
 		hidpp->protocol_major = 1;
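Review bot: `ping_byte` is the constant 0x5a, so the echo check in the second hunk can only tell a well-formed reply from garbage, not a fresh reply from a stale one that happens to carry the same byte; a per-call value (a counter or random byte) in `ping_data[2]` would make the check meaningful. Also, the fallback to protocol 1.0 on `HIDPP_ERROR_INVALID_SUBID` is kept after the switch from a FAP to a RAP request; worth confirming that HID++ 1.0 devices return that same error for the short-report RAP form of CMD_ROOT_GET_PROTOCOL_VERSION, since it was previously observed for the FAP form.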
@@ -440,8 +443,14 @@ static int hidpp_root_get_protocol_version(struct hidpp_device *hidpp)
 	if (ret)
 		return ret;
 
-	hidpp->protocol_major = response.fap.params[0];
-	hidpp->protocol_minor = response.fap.params[1];
+	if (response.rap.params[2] != ping_byte) {
+		hid_err(hidpp->hid_dev, "%s: ping mismatch 0x%02x != 0x%02x\n",
+			__func__, response.rap.params[2], ping_byte);
+		return -EPROTO;
+	}
+
+	hidpp->protocol_major = response.rap.params[0];
+	hidpp->protocol_minor = response.rap.params[1];
 
 	return ret;
 }
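Review bot: the `-EPROTO` return on ping mismatch is the right call, but the final `return ret;` can only return 0 at that point (the `if (ret) return ret;` above has handled every non-zero case), so `return 0;` would read clearer. `response.rap.params[2]` relies on the short report carrying at least three parameter bytes, which matches the three-byte `ping_data` that was sent; a hid_dbg() of the major/minor on success would help when diagnosing receivers like the 27MHz ones this patch targets.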
-- 
2.20.1





* [PATCH 4.4 116/241] pinctrl: pistachio: fix leaked of_node references
From: Greg Kroah-Hartman @ 2019-06-09 16:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Wen Yang, Linus Walleij, linux-gpio,
	Sasha Levin

[ Upstream commit 44a4455ac2c6b0981eace683a2b6eccf47689022 ]

The call to of_get_child_by_name returns a node pointer with refcount
incremented thus it must be explicitly decremented after the last
usage.

Detected by coccinelle with the following warnings:
./drivers/pinctrl/pinctrl-pistachio.c:1422:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 1360, but without a corresponding object release within this function.

Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
Cc: Linus Walleij <linus.walleij@linaro.org>
Cc: linux-gpio@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/pinctrl/pinctrl-pistachio.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/pinctrl/pinctrl-pistachio.c b/drivers/pinctrl/pinctrl-pistachio.c
index 98a459b1c095a..86e8d989092c8 100644
--- a/drivers/pinctrl/pinctrl-pistachio.c
+++ b/drivers/pinctrl/pinctrl-pistachio.c
@@ -1373,6 +1373,7 @@ static int pistachio_gpio_register(struct pistachio_pinctrl *pctl)
 		if (!of_find_property(child, "gpio-controller", NULL)) {
 			dev_err(pctl->dev,
 				"No gpio-controller property for bank %u\n", i);
+			of_node_put(child);
 			ret = -ENODEV;
 			goto err;
 		}
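Review bot: adding `of_node_put(child);` at each `goto err` is correct but repeats the same fix-up at every error exit; putting the node once next to the `err:` label (or routing both exits through one path) would make it impossible to miss at the next error return added to this loop. The coccinelle report quoted in the commit message also points at line 1422, the end of the function, so confirm that the success path drops its reference as well, since this patch does not touch it.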
@@ -1380,6 +1381,7 @@ static int pistachio_gpio_register(struct pistachio_pinctrl *pctl)
 		irq = irq_of_parse_and_map(child, 0);
 		if (irq < 0) {
 			dev_err(pctl->dev, "No IRQ for bank %u: %d\n", i, irq);
+			of_node_put(child);
 			ret = irq;
 			goto err;
 		}
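Review bot: `irq_of_parse_and_map()` returns `unsigned int` and signals failure by returning 0, never a negative value, so `if (irq < 0)` is never true; the `of_node_put(child);` added inside it is dead code and a mapping failure is not caught at all. The check should be `if (!irq)` with an explicit errno such as `ret = -EINVAL;`, independent of the refcount fix this patch is about.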
-- 
2.20.1





* [PATCH 4.4 117/241] dmaengine: at_xdmac: remove BUG_ON macro in tasklet
From: Greg Kroah-Hartman @ 2019-06-09 16:40 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nicolas Ferre, Ludovic Desroches,
	Vinod Koul, Sasha Levin

[ Upstream commit e2c114c06da2d9ffad5b16690abf008d6696f689 ]

Even if this case shouldn't happen when the controller is properly programmed,
it's still better to avoid dumping a kernel Oops for this.
As the sequence may happen only for debugging purposes, log the error and
just finish the tasklet call.

Signed-off-by: Nicolas Ferre <nicolas.ferre@microchip.com>
Acked-by: Ludovic Desroches <ludovic.desroches@microchip.com>
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/dma/at_xdmac.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/dma/at_xdmac.c b/drivers/dma/at_xdmac.c
index af24c5bf32d69..8aa3ccf42e55a 100644
--- a/drivers/dma/at_xdmac.c
+++ b/drivers/dma/at_xdmac.c
@@ -1608,7 +1608,11 @@ static void at_xdmac_tasklet(unsigned long data)
 					struct at_xdmac_desc,
 					xfer_node);
 		dev_vdbg(chan2dev(&atchan->chan), "%s: desc 0x%p\n", __func__, desc);
-		BUG_ON(!desc->active_xfer);
+		if (!desc->active_xfer) {
+			dev_err(chan2dev(&atchan->chan), "Xfer not active: exiting");
+			spin_unlock_bh(&atchan->lock);
+			return;
+		}
 
 		txd = &desc->tx_dma_desc;
 
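Review bot: the new `dev_err()` string lacks a trailing "\n" while the `dev_vdbg()` two lines above has one; add it so the message is not merged with the next printk line. The early `return` after `spin_unlock_bh(&atchan->lock)` leaves the tasklet without executing whatever follows in this function, so check that nothing later (interrupt re-enable, list cleanup) is required even when the descriptor is not active; `dev_err_ratelimited()` would also be wiser here if the condition can repeat on every tasklet run.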
-- 
2.20.1





* [PATCH 4.4 118/241] media: coda: clear error return value before picture run
From: Greg Kroah-Hartman @ 2019-06-09 16:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Philipp Zabel, Hans Verkuil,
	Mauro Carvalho Chehab, Sasha Levin

[ Upstream commit bbeefa7357a648afe70e7183914c87c3878d528d ]

The error return value is not written by some firmware codecs, such as
MPEG-2 decode on CodaHx4. Clear the error return value before starting
the picture run to avoid misinterpreting unrelated values returned by
sequence initialization as error return value.

Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/platform/coda/coda-bit.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/media/platform/coda/coda-bit.c b/drivers/media/platform/coda/coda-bit.c
index d76511c1c1e3f..a4639813cf35d 100644
--- a/drivers/media/platform/coda/coda-bit.c
+++ b/drivers/media/platform/coda/coda-bit.c
@@ -1829,6 +1829,9 @@ static int coda_prepare_decode(struct coda_ctx *ctx)
 	/* Clear decode success flag */
 	coda_write(dev, 0, CODA_RET_DEC_PIC_SUCCESS);
 
+	/* Clear error return value */
+	coda_write(dev, 0, CODA_RET_DEC_PIC_ERR_MB);
+
 	trace_coda_dec_pic_run(ctx, meta);
 
 	coda_command_async(ctx, CODA_COMMAND_PIC_RUN);
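Review bot: the clear of CODA_RET_DEC_PIC_ERR_MB sits right after the clear of CODA_RET_DEC_PIC_SUCCESS, which is the right spot, but the comment should carry the reason from the commit message (some firmware codecs, e.g. MPEG-2 decode on CodaHx4, never write this register), otherwise a later reader may remove the write as redundant. Also confirm that the reading side treats 0 as "no error" rather than as "not yet written", since after this change the two cases are indistinguishable.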
-- 
2.20.1





* [PATCH 4.4 119/241] media: ov6650: Move v4l2_clk_get() to ov6650_video_probe() helper
From: Greg Kroah-Hartman @ 2019-06-09 16:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Janusz Krzysztofik, Sakari Ailus,
	Mauro Carvalho Chehab, Sasha Levin

[ Upstream commit ccdd85d518d8b9320ace1d87271f0ba2175f21fa ]

In preparation for adding asynchronous subdevice support to the driver,
don't acquire v4l2_clk from the driver .probe() callback as that may
fail if the clock is provided by a bridge driver which may be not yet
initialized.  Move the v4l2_clk_get() to ov6650_video_probe() helper
which is going to be converted to v4l2_subdev_internal_ops.registered()
callback, executed only when the bridge driver is ready.

Signed-off-by: Janusz Krzysztofik <jmkrzyszt@gmail.com>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/i2c/soc_camera/ov6650.c | 25 ++++++++++++++-----------
 1 file changed, 14 insertions(+), 11 deletions(-)

diff --git a/drivers/media/i2c/soc_camera/ov6650.c b/drivers/media/i2c/soc_camera/ov6650.c
index 1e9ebfda25525..4e19f5e5d8cf7 100644
--- a/drivers/media/i2c/soc_camera/ov6650.c
+++ b/drivers/media/i2c/soc_camera/ov6650.c
@@ -839,9 +839,16 @@ static int ov6650_video_probe(struct i2c_client *client)
 	u8		pidh, pidl, midh, midl;
 	int		ret;
 
+	priv->clk = v4l2_clk_get(&client->dev, NULL);
+	if (IS_ERR(priv->clk)) {
+		ret = PTR_ERR(priv->clk);
+		dev_err(&client->dev, "v4l2_clk request err: %d\n", ret);
+		return ret;
+	}
+
 	ret = ov6650_s_power(&priv->subdev, 1);
 	if (ret < 0)
-		return ret;
+		goto eclkput;
 
 	msleep(20);
 
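Review bot: every error path between `msleep(20);` and the `done:` label must now set `ret` to a non-zero value before jumping, because the clock release added at the end of this function is keyed on `ret`; those paths are outside this hunk, so please double-check them. Acquiring the clock before ov6650_s_power() and jumping to `eclkput` when powering on fails is otherwise correct and does not leak the clock.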
@@ -878,6 +885,11 @@ static int ov6650_video_probe(struct i2c_client *client)
 
 done:
 	ov6650_s_power(&priv->subdev, 0);
+	if (!ret)
+		return 0;
+eclkput:
+	v4l2_clk_put(priv->clk);
+
 	return ret;
 }
 
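Review bot: the `if (!ret) return 0;` placed between `done:` and `eclkput:` is correct but easy to misread as an early exit from the normal path; a one-line comment above `eclkput:` saying that only error paths fall through to v4l2_clk_put(), and that the goto from the ov6650_s_power() failure deliberately skips the power-off, would help the next reader. On success priv->clk stays owned by the driver and must be released in the remove path.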
@@ -1035,18 +1047,9 @@ static int ov6650_probe(struct i2c_client *client,
 	priv->code	  = MEDIA_BUS_FMT_YUYV8_2X8;
 	priv->colorspace  = V4L2_COLORSPACE_JPEG;
 
-	priv->clk = v4l2_clk_get(&client->dev, NULL);
-	if (IS_ERR(priv->clk)) {
-		ret = PTR_ERR(priv->clk);
-		goto eclkget;
-	}
-
 	ret = ov6650_video_probe(client);
-	if (ret) {
-		v4l2_clk_put(priv->clk);
-eclkget:
+	if (ret)
 		v4l2_ctrl_handler_free(&priv->hdl);
-	}
 
 	return ret;
 }
-- 
2.20.1





* [PATCH 4.4 120/241] media: au0828: stop video streaming only when last user stops
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (118 preceding siblings ...)
  2019-06-09 16:41 ` [PATCH 4.4 119/241] media: ov6650: Move v4l2_clk_get() to ov6650_video_probe() helper Greg Kroah-Hartman
@ 2019-06-09 16:41 ` Greg Kroah-Hartman
  2019-06-09 16:41 ` [PATCH 4.4 121/241] media: ov2659: make S_FMT succeed even if requested format doesnt match Greg Kroah-Hartman
                   ` (125 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hans Verkuil, Shuah Khan,
	Mauro Carvalho Chehab, Sasha Levin

[ Upstream commit f604f0f5afb88045944567f604409951b5eb6af8 ]

If the application was streaming from both videoX and vbiX, and streaming
from videoX was stopped, then the vbi streaming also stopped.

The cause was that stop_streaming for video stopped the subdevs as well,
instead of only doing that if dev->streaming_users reached 0.

au0828_stop_vbi_streaming was also wrong since it didn't stop the subdevs
at all when dev->streaming_users reached 0.

Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Tested-by: Shuah Khan <shuah@kernel.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/usb/au0828/au0828-video.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/drivers/media/usb/au0828/au0828-video.c b/drivers/media/usb/au0828/au0828-video.c
index 7b2fe1b56039e..1ff66e7e26a81 100644
--- a/drivers/media/usb/au0828/au0828-video.c
+++ b/drivers/media/usb/au0828/au0828-video.c
@@ -799,9 +799,9 @@ int au0828_start_analog_streaming(struct vb2_queue *vq, unsigned int count)
 			return rc;
 		}
 
+		v4l2_device_call_all(&dev->v4l2_dev, 0, video, s_stream, 1);
+
 		if (vq->type == V4L2_BUF_TYPE_VIDEO_CAPTURE) {
-			v4l2_device_call_all(&dev->v4l2_dev, 0, video,
-						s_stream, 1);
 			dev->vid_timeout_running = 1;
 			mod_timer(&dev->vid_timeout, jiffies + (HZ / 10));
 		} else if (vq->type == V4L2_BUF_TYPE_VBI_CAPTURE) {
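Review bot: the v4l2_device_call_all(..., s_stream, 1) call is moved out of the V4L2_BUF_TYPE_VIDEO_CAPTURE branch so the subdevs are started whichever queue (video or vbi) starts first; the enclosing condition is outside this hunk, so confirm that this block only runs when dev->streaming_users is 0, otherwise a second queue starting would re-issue s_stream(1) to subdevs that are already streaming.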
@@ -821,10 +821,11 @@ static void au0828_stop_streaming(struct vb2_queue *vq)
 
 	dprintk(1, "au0828_stop_streaming called %d\n", dev->streaming_users);
 
-	if (dev->streaming_users-- == 1)
+	if (dev->streaming_users-- == 1) {
 		au0828_uninit_isoc(dev);
+		v4l2_device_call_all(&dev->v4l2_dev, 0, video, s_stream, 0);
+	}
 
-	v4l2_device_call_all(&dev->v4l2_dev, 0, video, s_stream, 0);
 	dev->vid_timeout_running = 0;
 	del_timer_sync(&dev->vid_timeout);
 
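Review bot: s_stream(0) is now issued only when `dev->streaming_users-- == 1`, i.e. when the last user stops, which is the fix the commit message describes; the timer teardown below it (`dev->vid_timeout_running = 0;` and del_timer_sync()) stays unconditional, which is right since it belongs to the video queue alone. The post-decrement inside the condition is pre-existing but makes the counter logic hard to follow; a separate decrement line would read better.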
@@ -853,8 +854,10 @@ void au0828_stop_vbi_streaming(struct vb2_queue *vq)
 	dprintk(1, "au0828_stop_vbi_streaming called %d\n",
 		dev->streaming_users);
 
-	if (dev->streaming_users-- == 1)
+	if (dev->streaming_users-- == 1) {
 		au0828_uninit_isoc(dev);
+		v4l2_device_call_all(&dev->v4l2_dev, 0, video, s_stream, 0);
+	}
 
 	spin_lock_irqsave(&dev->slock, flags);
 	if (dev->isoc_ctl.vbi_buf != NULL) {
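Review bot: this block now duplicates the uninit/stop sequence in au0828_stop_streaming() line for line; since the bug being fixed was exactly these two copies drifting apart (this one previously never called s_stream(0)), consider factoring the `if (dev->streaming_users-- == 1) { ... }` block into a small helper shared by both stop paths so they cannot diverge again.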
-- 
2.20.1





* [PATCH 4.4 121/241] media: ov2659: make S_FMT succeed even if requested format doesnt match
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (119 preceding siblings ...)
  2019-06-09 16:41 ` [PATCH 4.4 120/241] media: au0828: stop video streaming only when last user stops Greg Kroah-Hartman
@ 2019-06-09 16:41 ` Greg Kroah-Hartman
  2019-06-09 16:41 ` [PATCH 4.4 122/241] audit: fix a memory leak bug Greg Kroah-Hartman
                   ` (124 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lad, Prabhakar, Akinobu Mita,
	Sakari Ailus, Mauro Carvalho Chehab, Sasha Levin

[ Upstream commit bccb89cf9cd07a0690d519696a00c00a973b3fe4 ]

This driver returns an error if an unsupported media bus pixel code is
requested by VIDIOC_SUBDEV_S_FMT.

But according to Documentation/media/uapi/v4l/vidioc-subdev-g-fmt.rst,

Drivers must not return an error solely because the requested format
doesn't match the device capabilities. They must instead modify the
format to match what the hardware can provide.

So select default format code and return success in that case.

This is detected by v4l2-compliance.

Cc: "Lad, Prabhakar" <prabhakar.csengg@gmail.com>
Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
Acked-by: Lad, Prabhakar <prabhakar.csengg@gmail.com>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/i2c/ov2659.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/media/i2c/ov2659.c b/drivers/media/i2c/ov2659.c
index 49109f4f5bb4a..fadec1d705829 100644
--- a/drivers/media/i2c/ov2659.c
+++ b/drivers/media/i2c/ov2659.c
@@ -1117,8 +1117,10 @@ static int ov2659_set_fmt(struct v4l2_subdev *sd,
 		if (ov2659_formats[index].code == mf->code)
 			break;
 
-	if (index < 0)
-		return -EINVAL;
+	if (index < 0) {
+		index = 0;
+		mf->code = ov2659_formats[index].code;
+	}
 
 	mf->colorspace = V4L2_COLORSPACE_SRGB;
 	mf->code = ov2659_formats[index].code;
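Review bot: the assignment `mf->code = ov2659_formats[index].code;` inside the new `if (index < 0)` block is redundant, since the same assignment is made unconditionally two lines below; the block can be reduced to `index = 0;`. Falling back to the first table entry matches the quoted subdev documentation (adjust the format rather than fail), and S_FMT can no longer return -EINVAL for an unknown code.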
-- 
2.20.1





* [PATCH 4.4 122/241] audit: fix a memory leak bug
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (120 preceding siblings ...)
  2019-06-09 16:41 ` [PATCH 4.4 121/241] media: ov2659: make S_FMT succeed even if requested format doesnt match Greg Kroah-Hartman
@ 2019-06-09 16:41 ` Greg Kroah-Hartman
  2019-06-09 16:41 ` [PATCH 4.4 123/241] media: au0828: Fix NULL pointer dereference in au0828_analog_stream_enable() Greg Kroah-Hartman
                   ` (123 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Wenwen Wang, Richard Guy Briggs,
	Paul Moore, Sasha Levin

[ Upstream commit 70c4cf17e445264453bc5323db3e50aa0ac9e81f ]

In audit_rule_change(), audit_data_to_entry() is first invoked to
translate the payload data to the kernel's rule representation. In
audit_data_to_entry(), depending on the audit field type, an audit tree may
be created in audit_make_tree(), which eventually invokes kmalloc() to
allocate the tree.  Since this tree is a temporary tree, it will then be
freed in the following execution, e.g., audit_add_rule() if the message
type is AUDIT_ADD_RULE or audit_del_rule() if the message type is
AUDIT_DEL_RULE. However, if the message type is neither AUDIT_ADD_RULE nor
AUDIT_DEL_RULE, i.e., the default case of the switch statement, this
temporary tree is not freed.

To fix this issue, only allocate the tree when the type is AUDIT_ADD_RULE
or AUDIT_DEL_RULE.

Signed-off-by: Wenwen Wang <wang6495@umn.edu>
Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/auditfilter.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index b57f929f1b468..cf7aa656b308b 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -1095,22 +1095,24 @@ int audit_rule_change(int type, __u32 portid, int seq, void *data,
 	int err = 0;
 	struct audit_entry *entry;
 
-	entry = audit_data_to_entry(data, datasz);
-	if (IS_ERR(entry))
-		return PTR_ERR(entry);
-
 	switch (type) {
 	case AUDIT_ADD_RULE:
+		entry = audit_data_to_entry(data, datasz);
+		if (IS_ERR(entry))
+			return PTR_ERR(entry);
 		err = audit_add_rule(entry);
 		audit_log_rule_change("add_rule", &entry->rule, !err);
 		break;
 	case AUDIT_DEL_RULE:
+		entry = audit_data_to_entry(data, datasz);
+		if (IS_ERR(entry))
+			return PTR_ERR(entry);
 		err = audit_del_rule(entry);
 		audit_log_rule_change("remove_rule", &entry->rule, !err);
 		break;
 	default:
-		err = -EINVAL;
 		WARN_ON(1);
+		return -EINVAL;
 	}
 
 	if (err || type == AUDIT_DEL_RULE) {
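Review bot: after this change `entry` is assigned only in the AUDIT_ADD_RULE and AUDIT_DEL_RULE cases, and the default case returns directly, so the code after the switch (`if (err || type == AUDIT_DEL_RULE)`, which uses entry) is still only reached with a valid pointer; that is correct but now depends on the default case returning, so a comment there would guard against a future case that falls through. The duplicated audit_data_to_entry() call could instead be a single call after an early `if (type != AUDIT_ADD_RULE && type != AUDIT_DEL_RULE) return -EINVAL;`, which fixes the same leak with less duplication.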
-- 
2.20.1





* [PATCH 4.4 123/241] media: au0828: Fix NULL pointer dereference in au0828_analog_stream_enable()
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (121 preceding siblings ...)
  2019-06-09 16:41 ` [PATCH 4.4 122/241] audit: fix a memory leak bug Greg Kroah-Hartman
@ 2019-06-09 16:41 ` Greg Kroah-Hartman
  2019-06-09 16:41 ` [PATCH 4.4 124/241] media: pvrusb2: Prevent a buffer overflow Greg Kroah-Hartman
                   ` (122 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Shuah Khan, Hans Verkuil,
	Mauro Carvalho Chehab, Sasha Levin

[ Upstream commit 898bc40bfcc26abb6e06e960d6d4754c36c58b50 ]

Fix au0828_analog_stream_enable() to check if the device is in the right
state first. When unbind happens while bind is in progress, the usbdev
pointer could be invalid in au0828_analog_stream_enable() and a call
to usb_ifnum_to_if() will result in a null pointer dereference.

This problem is found with the new media_dev_allocator.sh test.

kernel: [  590.359623] BUG: unable to handle kernel NULL pointer dereference at 00000000000004e8
kernel: [  590.359627] #PF error: [normal kernel read fault]
kernel: [  590.359629] PGD 0 P4D 0
kernel: [  590.359632] Oops: 0000 [#1] SMP PTI
kernel: [  590.359634] CPU: 3 PID: 1458 Comm: v4l_id Not tainted 5.1.0-rc2+ #30
kernel: [  590.359636] Hardware name: Dell Inc. OptiPlex 7 90/0HY9JP, BIOS A18 09/24/2013
kernel: [  590.359641] RIP: 0010:usb_ifnum_to_if+0x6/0x60
kernel: [  590.359643] Code: 5d 41 5e 41 5f 5d c3 48 83 c4
 10 b8 fa ff ff ff 5b 41 5c 41 5d 41 5e 41 5f 5d c3 b8 fa ff ff ff c3 0f 1f 00 6
6 66 66 66 90 55 <48> 8b 97 e8 04 00 00 48 89 e5 48 85 d2 74 41 0f b6 4a 04 84 c
9 74
kernel: [  590.359645] RSP: 0018:ffffad3cc3c1fc00 EFLAGS: 00010246
kernel: [  590.359646] RAX: 0000000000000000 RBX: ffff8ded b1f3c000 RCX: 1f377e4500000000
kernel: [  590.359648] RDX: ffff8dedfa3a6b50 RSI: 00000000 00000000 RDI: 0000000000000000
kernel: [  590.359649] RBP: ffffad3cc3c1fc28 R08: 00000000 8574acc2 R09: ffff8dedfa3a6b50
kernel: [  590.359650] R10: 0000000000000001 R11: 00000000 00000000 R12: 0000000000000000
kernel: [  590.359652] R13: ffff8dedb1f3f0f0 R14: ffffffff adcf7ec0 R15: 0000000000000000
kernel: [  590.359654] FS:  00007f7917198540(0000) GS:ffff 8dee258c0000(0000) knlGS:0000000000000000
kernel: [  590.359655] CS:  0010 DS: 0000 ES: 0000 CR0: 00 00000080050033
kernel: [  590.359657] CR2: 00000000000004e8 CR3: 00000001 a388e002 CR4: 00000000000606e0
kernel: [  590.359658] Call Trace:
kernel: [  590.359664]  ? au0828_analog_stream_enable+0x2c/0x180
kernel: [  590.359666]  au0828_v4l2_open+0xa4/0x110
kernel: [  590.359670]  v4l2_open+0x8b/0x120
kernel: [  590.359674]  chrdev_open+0xa6/0x1c0
kernel: [  590.359676]  ? cdev_put.part.3+0x20/0x20
kernel: [  590.359678]  do_dentry_open+0x1f6/0x360
kernel: [  590.359681]  vfs_open+0x2f/0x40
kernel: [  590.359684]  path_openat+0x299/0xc20
kernel: [  590.359688]  do_filp_open+0x9b/0x110
kernel: [  590.359695]  ? _raw_spin_unlock+0x27/0x40
kernel: [  590.359697]  ? __alloc_fd+0xb2/0x160
kernel: [  590.359700]  do_sys_open+0x1ba/0x260
kernel: [  590.359702]  ? do_sys_open+0x1ba/0x260
kernel: [  590.359712]  __x64_sys_openat+0x20/0x30
kernel: [  590.359715]  do_syscall_64+0x5a/0x120
kernel: [  590.359718]  entry_SYSCALL_64_after_hwframe+0x44/0xa9

Signed-off-by: Shuah Khan <shuah@kernel.org>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/usb/au0828/au0828-video.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/media/usb/au0828/au0828-video.c b/drivers/media/usb/au0828/au0828-video.c
index 1ff66e7e26a81..1df23c01ad374 100644
--- a/drivers/media/usb/au0828/au0828-video.c
+++ b/drivers/media/usb/au0828/au0828-video.c
@@ -711,6 +711,9 @@ static int au0828_analog_stream_enable(struct au0828_dev *d)
 
 	dprintk(1, "au0828_analog_stream_enable called\n");
 
+	if (test_bit(DEV_DISCONNECTED, &d->dev_state))
+		return -ENODEV;
+
 	iface = usb_ifnum_to_if(d->usbdev, 0);
 	if (iface && iface->cur_altsetting->desc.bAlternateSetting != 5) {
 		dprintk(1, "Changing intf#0 to alt 5\n");
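Review bot: the DEV_DISCONNECTED check stops the reported oops, but it is a plain test_bit() with no synchronisation visible in the hunk; if unbind can still set the bit and tear down d->usbdev between this test and the `usb_ifnum_to_if(d->usbdev, 0)` call, the window is narrowed rather than closed, so confirm that the disconnect path serialises against open (for example via a lock held by the caller, au0828_v4l2_open() in the trace).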
-- 
2.20.1





* [PATCH 4.4 124/241] media: pvrusb2: Prevent a buffer overflow
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (122 preceding siblings ...)
  2019-06-09 16:41 ` [PATCH 4.4 123/241] media: au0828: Fix NULL pointer dereference in au0828_analog_stream_enable() Greg Kroah-Hartman
@ 2019-06-09 16:41 ` Greg Kroah-Hartman
  2019-06-09 16:41 ` [PATCH 4.4 125/241] powerpc/numa: improve control of topology updates Greg Kroah-Hartman
                   ` (121 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Hans Verkuil,
	Mauro Carvalho Chehab, Sasha Levin

[ Upstream commit c1ced46c7b49ad7bc064e68d966e0ad303f917fb ]

The ctrl_check_input() function is called from pvr2_ctrl_range_check().
It's supposed to validate user supplied input and return true or false
depending on whether the input is valid or not.  The problem is that
negative shifts or shifts greater than 31 are undefined in C.  In
practice with GCC they result in shift wrapping so this function returns
true for some inputs which are not valid and this could result in a
buffer overflow:

    drivers/media/usb/pvrusb2/pvrusb2-ctrl.c:205 pvr2_ctrl_get_valname()
    warn: uncapped user index 'names[val]'

The cptr->hdw->input_allowed_mask mask is configured in pvr2_hdw_create()
and the highest valid bit is BIT(4).

Fixes: 7fb20fa38caa ("V4L/DVB (7299): pvrusb2: Improve logic which handles input choice availability")

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/usb/pvrusb2/pvrusb2-hdw.c | 2 ++
 drivers/media/usb/pvrusb2/pvrusb2-hdw.h | 1 +
 2 files changed, 3 insertions(+)

diff --git a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
index 0533ef20decfe..232b0fd3e4784 100644
--- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
+++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
@@ -670,6 +670,8 @@ static int ctrl_get_input(struct pvr2_ctrl *cptr,int *vp)
 
 static int ctrl_check_input(struct pvr2_ctrl *cptr,int v)
 {
+	if (v < 0 || v > PVR2_CVAL_INPUT_MAX)
+		return 0;
 	return ((1 << v) & cptr->hdw->input_allowed_mask) != 0;
 }
 
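Review bot: the range check correctly bounds `v` before `1 << v`, removing the undefined shift for negative values and values of 32 or more that the commit message describes, and it keeps the index into the names[] array used by pvr2_ctrl_get_valname() in range; a one-line comment tying the bound to the bits set in input_allowed_mask would help, and returning `0` here is consistent with the existing boolean-as-int `!= 0` expression.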
diff --git a/drivers/media/usb/pvrusb2/pvrusb2-hdw.h b/drivers/media/usb/pvrusb2/pvrusb2-hdw.h
index a82a00dd73293..80869990ffbbb 100644
--- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.h
+++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.h
@@ -54,6 +54,7 @@
 #define PVR2_CVAL_INPUT_COMPOSITE 2
 #define PVR2_CVAL_INPUT_SVIDEO 3
 #define PVR2_CVAL_INPUT_RADIO 4
+#define PVR2_CVAL_INPUT_MAX PVR2_CVAL_INPUT_RADIO
 
 enum pvr2_config {
 	pvr2_config_empty,    /* No configuration */
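Review bot: PVR2_CVAL_INPUT_MAX aliasing PVR2_CVAL_INPUT_RADIO only works while RADIO remains the highest-numbered input; a comment on the define saying it must track the last entry (or an enum with a trailing sentinel) would keep a future input addition from silently reopening the ctrl_check_input() bound.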
-- 
2.20.1





* [PATCH 4.4 125/241] powerpc/numa: improve control of topology updates
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (123 preceding siblings ...)
  2019-06-09 16:41 ` [PATCH 4.4 124/241] media: pvrusb2: Prevent a buffer overflow Greg Kroah-Hartman
@ 2019-06-09 16:41 ` Greg Kroah-Hartman
  2019-06-09 16:41 ` [PATCH 4.4 126/241] sched/core: Check quota and period overflow at usec to nsec conversion Greg Kroah-Hartman
                   ` (120 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nathan Lynch, Michael Ellerman, Sasha Levin

[ Upstream commit 2d4d9b308f8f8dec68f6dbbff18c68ec7c6bd26f ]

When booted with "topology_updates=no", or when "off" is written to
/proc/powerpc/topology_updates, NUMA reassignments are inhibited for
PRRN and VPHN events. However, migration and suspend unconditionally
re-enable reassignments via start_topology_update(). This is
incoherent.

Check the topology_updates_enabled flag in
start/stop_topology_update() so that callers of those APIs need not be
aware of whether reassignments are enabled. This allows the
administrative decision on reassignments to remain in force across
migrations and suspensions.

Signed-off-by: Nathan Lynch <nathanl@linux.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/powerpc/mm/numa.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/arch/powerpc/mm/numa.c b/arch/powerpc/mm/numa.c
index bb3df222ae71f..215bff2b84703 100644
--- a/arch/powerpc/mm/numa.c
+++ b/arch/powerpc/mm/numa.c
@@ -1611,6 +1611,9 @@ int start_topology_update(void)
 {
 	int rc = 0;
 
+	if (!topology_updates_enabled)
+		return 0;
+
 	if (firmware_has_feature(FW_FEATURE_PRRN)) {
 		if (!prrn_enabled) {
 			prrn_enabled = 1;
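Review bot: returning 0 early from start_topology_update() when updates are disabled gives the migration and suspend callers the behaviour the commit message wants; `rc` is now unused on that path, and the comment removed from topology_update_init() later in this patch ("Do not poll for changes if disabled at boot") would fit above the new check to explain the early return.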
@@ -1640,6 +1643,9 @@ int stop_topology_update(void)
 {
 	int rc = 0;
 
+	if (!topology_updates_enabled)
+		return 0;
+
 	if (prrn_enabled) {
 		prrn_enabled = 0;
 #ifdef CONFIG_SMP
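Review bot: the early return in stop_topology_update() introduces an ordering requirement for every caller that also flips topology_updates_enabled: the flag must be cleared after calling this function, otherwise the call becomes a no-op and PRRN/VPHN polling keeps running; the proc write path in this patch honours that, but it deserves a comment above the check.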
@@ -1685,11 +1691,13 @@ static ssize_t topology_write(struct file *file, const char __user *buf,
 
 	kbuf[read_len] = '\0';
 
-	if (!strncmp(kbuf, "on", 2))
+	if (!strncmp(kbuf, "on", 2)) {
+		topology_updates_enabled = true;
 		start_topology_update();
-	else if (!strncmp(kbuf, "off", 3))
+	} else if (!strncmp(kbuf, "off", 3)) {
 		stop_topology_update();
-	else
+		topology_updates_enabled = false;
+	} else
 		return -EINVAL;
 
 	return count;
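Review bot: `} else` without braces after two braced branches is inconsistent with kernel coding style (if one branch is braced, all should be); write it as `} else {` / `return -EINVAL;` / `}`. The asymmetry between the branches is deliberate and required by the early returns added to start/stop_topology_update(): "on" must set the flag before calling start_topology_update(), and "off" must call stop_topology_update() before clearing it; a comment stating that ordering would keep a future cleanup from "simplifying" it.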
@@ -1704,9 +1712,7 @@ static const struct file_operations topology_ops = {
 
 static int topology_update_init(void)
 {
-	/* Do not poll for changes if disabled at boot */
-	if (topology_updates_enabled)
-		start_topology_update();
+	start_topology_update();
 
 	if (!proc_create("powerpc/topology_updates", 0644, NULL, &topology_ops))
 		return -ENOMEM;
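Review bot: dropping the `if (topology_updates_enabled)` guard here is safe only because start_topology_update() now checks the flag itself; the removed comment about not polling when disabled at boot is useful context and should move next to the new check in start_topology_update() rather than disappear.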
-- 
2.20.1





* [PATCH 4.4 126/241] sched/core: Check quota and period overflow at usec to nsec conversion
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (124 preceding siblings ...)
  2019-06-09 16:41 ` [PATCH 4.4 125/241] powerpc/numa: improve control of topology updates Greg Kroah-Hartman
@ 2019-06-09 16:41 ` Greg Kroah-Hartman
  2019-06-09 16:41 ` [PATCH 4.4 127/241] sched/core: Handle overflow in cpu_shares_write_u64 Greg Kroah-Hartman
                   ` (119 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Konstantin Khlebnikov,
	Peter Zijlstra, Linus Torvalds, Peter Zijlstra, Thomas Gleixner,
	Ingo Molnar, Sasha Levin

[ Upstream commit 1a8b4540db732ca16c9e43ac7c08b1b8f0b252d8 ]

Large values could overflow u64 and pass following sanity checks.

 # echo 18446744073750000 > cpu.cfs_period_us
 # cat cpu.cfs_period_us
 40448

 # echo 18446744073750000 > cpu.cfs_quota_us
 # cat cpu.cfs_quota_us
 40448

After this patch they will fail with -EINVAL.

Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: http://lkml.kernel.org/r/155125502079.293431.3947497929372138600.stgit@buzz
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/sched/core.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/kernel/sched/core.c b/kernel/sched/core.c
index d35a7d528ea66..1ef2fb4bbd6bd 100644
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -8460,8 +8460,10 @@ int tg_set_cfs_quota(struct task_group *tg, long cfs_quota_us)
 	period = ktime_to_ns(tg->cfs_bandwidth.period);
 	if (cfs_quota_us < 0)
 		quota = RUNTIME_INF;
-	else
+	else if ((u64)cfs_quota_us <= U64_MAX / NSEC_PER_USEC)
 		quota = (u64)cfs_quota_us * NSEC_PER_USEC;
+	else
+		return -EINVAL;
 
 	return tg_set_cfs_bandwidth(tg, period, quota);
 }
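Review bot: the overflow guard `(u64)cfs_quota_us <= U64_MAX / NSEC_PER_USEC` is evaluated after the `cfs_quota_us < 0` test, so the cast never sees a negative value; good. This check only ensures that the min/max checks in tg_set_cfs_bandwidth() see the true value rather than a wrapped one, which is the failure the commit message shows (40448 read back after writing 18446744073750000).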
@@ -8483,6 +8485,9 @@ int tg_set_cfs_period(struct task_group *tg, long cfs_period_us)
 {
 	u64 quota, period;
 
+	if ((u64)cfs_period_us > U64_MAX / NSEC_PER_USEC)
+		return -EINVAL;
+
 	period = (u64)cfs_period_us * NSEC_PER_USEC;
 	quota = tg->cfs_bandwidth.quota;
 
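Review bot: cfs_period_us is a signed long and the guard casts it to u64, so a negative period now takes the -EINVAL path (its u64 image exceeds U64_MAX / NSEC_PER_USEC); that is a behaviour change from the wrap-around this patch removes and looks intended, but the commit message only mentions large values, so stating it explicitly would help.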
-- 
2.20.1





* [PATCH 4.4 127/241] sched/core: Handle overflow in cpu_shares_write_u64
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (125 preceding siblings ...)
  2019-06-09 16:41 ` [PATCH 4.4 126/241] sched/core: Check quota and period overflow at usec to nsec conversion Greg Kroah-Hartman
@ 2019-06-09 16:41 ` Greg Kroah-Hartman
  2019-06-09 16:41 ` [PATCH 4.4 128/241] USB: core: Dont unbind interfaces following device reset failure Greg Kroah-Hartman
                   ` (118 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Konstantin Khlebnikov,
	Peter Zijlstra, Linus Torvalds, Peter Zijlstra, Thomas Gleixner,
	Ingo Molnar, Sasha Levin

[ Upstream commit 5b61d50ab4ef590f5e1d4df15cd2cea5f5715308 ]

Bit shift in scale_load() could overflow shares. This patch saturates
it to MAX_SHARES like following sched_group_set_shares().

Example:

 # echo 9223372036854776832 > cpu.shares
 # cat cpu.shares

Before patch: 1024
After patch: 262144

Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: http://lkml.kernel.org/r/155125501891.293431.3345233332801109696.stgit@buzz
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/sched/core.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/kernel/sched/core.c b/kernel/sched/core.c
index 1ef2fb4bbd6bd..0e70bfeded7fd 100644
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -8361,6 +8361,8 @@ static void cpu_cgroup_attach(struct cgroup_taskset *tset)
 static int cpu_shares_write_u64(struct cgroup_subsys_state *css,
 				struct cftype *cftype, u64 shareval)
 {
+	if (shareval > scale_load_down(ULONG_MAX))
+		shareval = MAX_SHARES;
 	return sched_group_set_shares(css_tg(css), scale_load(shareval));
 }
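Review bot: clamping `shareval` to MAX_SHARES when it exceeds scale_load_down(ULONG_MAX) prevents the scale_load() shift overflow, but the saturation is silent; a comment explaining why the threshold is scale_load_down(ULONG_MAX), and that sched_group_set_shares() then applies its own MAX_SHARES clamp, would make the two-stage bound clear to the next reader.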
 
-- 
2.20.1





* [PATCH 4.4 128/241] USB: core: Dont unbind interfaces following device reset failure
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (126 preceding siblings ...)
  2019-06-09 16:41 ` [PATCH 4.4 127/241] sched/core: Handle overflow in cpu_shares_write_u64 Greg Kroah-Hartman
@ 2019-06-09 16:41 ` Greg Kroah-Hartman
  2019-06-09 16:41 ` [PATCH 4.4 129/241] x86/irq/64: Limit IST stack overflow check to #DB stack Greg Kroah-Hartman
                   ` (117 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alan Stern, Kento Kobayashi,
	Bart Van Assche, Martin K. Petersen, Jacky Cao, Sasha Levin

[ Upstream commit 381419fa720060ba48b7bbc483be787d5b1dca6f ]

The SCSI core does not like to have devices or hosts unregistered
while error recovery is in progress.  Trying to do so can lead to
self-deadlock: Part of the removal code tries to obtain a lock already
held by the error handler.

This can cause problems for the usb-storage and uas drivers, because
their error handler routines perform a USB reset, and if the reset
fails then the USB core automatically goes on to unbind all drivers
from the device's interfaces -- all while still in the context of the
SCSI error handler.

As it turns out, practically all the scenarios leading to a USB reset
failure end up causing a device disconnect (the main error pathway in
usb_reset_and_verify_device(), at the end of the routine, calls
hub_port_logical_disconnect() before returning).  As a result, the
hub_wq thread will soon become aware of the problem and will unbind
all the device's drivers in its own context, not in the
error-handler's context.

This means that usb_reset_device() does not need to call
usb_unbind_and_rebind_marked_interfaces() in cases where
usb_reset_and_verify_device() has returned an error, because hub_wq
will take care of everything anyway.

This particular problem was observed in somewhat artificial
circumstances, by using usbfs to tell a hub to power-down a port
connected to a USB-3 mass storage device using the UAS protocol.  With
the port turned off, the currently executing command timed out and the
error handler started running.  The USB reset naturally failed,
because the hub port was off, and the error handler deadlocked as
described above.  Not carrying out the call to
usb_unbind_and_rebind_marked_interfaces() fixes this issue.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Kento Kobayashi <Kento.A.Kobayashi@sony.com>
Tested-by: Kento Kobayashi <Kento.A.Kobayashi@sony.com>
CC: Bart Van Assche <bvanassche@acm.org>
CC: Martin K. Petersen <martin.petersen@oracle.com>
CC: Jacky Cao <Jacky.Cao@sony.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/usb/core/hub.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
index 7c87c0b38bcfa..6e307de251630 100644
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -5637,7 +5637,10 @@ int usb_reset_device(struct usb_device *udev)
 					cintf->needs_binding = 1;
 			}
 		}
-		usb_unbind_and_rebind_marked_interfaces(udev);
+
+		/* If the reset failed, hub_wq will unbind drivers later */
+		if (ret == 0)
+			usb_unbind_and_rebind_marked_interfaces(udev);
 	}
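Review bot: the new `if (ret == 0)` guard relies on `ret` still holding the result of usb_reset_and_verify_device() at this point; that assignment is outside the hunk, so confirm nothing in the loop above (which sets `cintf->needs_binding = 1`) overwrites it. On the failure path the needs_binding marks are left set for hub_wq to act on, as the added comment says.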
 
 	usb_autosuspend_device(udev);
-- 
2.20.1





* [PATCH 4.4 129/241] x86/irq/64: Limit IST stack overflow check to #DB stack
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (127 preceding siblings ...)
  2019-06-09 16:41 ` [PATCH 4.4 128/241] USB: core: Dont unbind interfaces following device reset failure Greg Kroah-Hartman
@ 2019-06-09 16:41 ` Greg Kroah-Hartman
  2019-06-09 16:41 ` [PATCH 4.4 130/241] i40e: dont allow changes to HW VLAN stripping on active port VLANs Greg Kroah-Hartman
                   ` (116 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Thomas Gleixner, Borislav Petkov,
	Andy Lutomirski, H. Peter Anvin, Ingo Molnar, Josh Poimboeuf,
	Mitsuo Hayasaka, Nicolai Stange, Sean Christopherson, x86-ml,
	Sasha Levin

[ Upstream commit 7dbcf2b0b770eeb803a416ee8dcbef78e6389d40 ]

Commit

  37fe6a42b343 ("x86: Check stack overflow in detail")

added a broad check for the full exception stack area, i.e. it considers
the full exception stack area as valid.

That's wrong in two aspects:

 1) It does not check the individual areas one by one

 2) #DF, NMI and #MCE are not enabling interrupts which means that a
    regular device interrupt cannot happen in their context. In fact if a
    device interrupt hits one of those IST stacks that's a bug because some
    code path enabled interrupts while handling the exception.

Limit the check to the #DB stack and consider all other IST stacks as
'overflow' or invalid.

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Borislav Petkov <bp@suse.de>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Mitsuo Hayasaka <mitsuo.hayasaka.hu@hitachi.com>
Cc: Nicolai Stange <nstange@suse.de>
Cc: Sean Christopherson <sean.j.christopherson@intel.com>
Cc: x86-ml <x86@kernel.org>
Link: https://lkml.kernel.org/r/20190414160143.682135110@linutronix.de
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/x86/kernel/irq_64.c | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/arch/x86/kernel/irq_64.c b/arch/x86/kernel/irq_64.c
index 206d0b90a3ab1..e39d7197f9fb2 100644
--- a/arch/x86/kernel/irq_64.c
+++ b/arch/x86/kernel/irq_64.c
@@ -25,9 +25,18 @@ int sysctl_panic_on_stackoverflow;
 /*
  * Probabilistic stack overflow check:
  *
- * Only check the stack in process context, because everything else
- * runs on the big interrupt stacks. Checking reliably is too expensive,
- * so we just check from interrupts.
+ * Regular device interrupts can enter on the following stacks:
+ *
+ * - User stack
+ *
+ * - Kernel task stack
+ *
+ * - Interrupt stack if a device driver reenables interrupts
+ *   which should only happen in really old drivers.
+ *
+ * - Debug IST stack
+ *
+ * All other contexts are invalid.
  */
 static inline void stack_overflow_check(struct pt_regs *regs)
 {
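
Review bot: the new comment says "All other contexts are invalid" but does not say what the function does about them; since stack_overflow_check() reports them as an overflow (and sysctl_panic_on_stackoverflow, visible in the hunk header, can turn that into a panic), add a sentence such as " * An interrupt arriving on any other IST stack is reported as an overflow," so a reader understands that a warning on the #DF/NMI/#MCE stacks means interrupts were re-enabled there, not a genuine stack overrun.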
@@ -53,8 +62,8 @@ static inline void stack_overflow_check(struct pt_regs *regs)
 		return;
 
 	oist = this_cpu_ptr(&orig_ist);
-	estack_top = (u64)oist->ist[0] - EXCEPTION_STKSZ + STACK_TOP_MARGIN;
-	estack_bottom = (u64)oist->ist[N_EXCEPTION_STACKS - 1];
+	estack_bottom = (u64)oist->ist[DEBUG_STACK];
+	estack_top = estack_bottom - DEBUG_STKSZ + STACK_TOP_MARGIN;
 	if (regs->sp >= estack_top && regs->sp <= estack_bottom)
 		return;
 
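Review bot: the new bounds use oist->ist[DEBUG_STACK] as the high end and subtract DEBUG_STKSZ, which corrects the old mismatch of pairing ist[0] with EXCEPTION_STKSZ; the inclusive `regs->sp <= estack_bottom` compare and the STACK_TOP_MARGIN slack are carried over unchanged, so behaviour inside the #DB stack itself is identical. One naming point: `estack_top` is the lower address and `estack_bottom` the higher one, which reads inverted next to the DEBUG_STACK/DEBUG_STKSZ pairing; a one-line comment like `/* ist[] holds the highest (top-of-stack) address */` would help the next reader.
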
-- 
2.20.1

* [PATCH 4.4 130/241] i40e: dont allow changes to HW VLAN stripping on active port VLANs
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (128 preceding siblings ...)
  2019-06-09 16:41 ` [PATCH 4.4 129/241] x86/irq/64: Limit IST stack overflow check to #DB stack Greg Kroah-Hartman
@ 2019-06-09 16:41 ` Greg Kroah-Hartman
  2019-06-09 16:41 ` [PATCH 4.4 131/241] RDMA/cxgb4: Fix null pointer dereference on alloc_skb failure Greg Kroah-Hartman
                   ` (115 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nicholas Nunley, Jeff Kirsher, Sasha Levin

[ Upstream commit bfb0ebed53857cfc57f11c63fa3689940d71c1c8 ]

Modifying the VLAN stripping options when a port VLAN is configured
will break traffic for the VSI, and conceptually doesn't make sense,
so don't allow this.

Signed-off-by: Nicholas Nunley <nicholas.d.nunley@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/intel/i40e/i40e_main.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
index 06b38f50980c5..22c43a776c6cd 100644
--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
@@ -2263,6 +2263,10 @@ void i40e_vlan_stripping_enable(struct i40e_vsi *vsi)
 	struct i40e_vsi_context ctxt;
 	i40e_status ret;
 
+	/* Don't modify stripping options if a port VLAN is active */
+	if (vsi->info.pvid)
+		return;
+
 	if ((vsi->info.valid_sections &
 	     cpu_to_le16(I40E_AQ_VSI_PROP_VLAN_VALID)) &&
 	    ((vsi->info.port_vlan_flags & I40E_AQ_VSI_PVLAN_MODE_MASK) == 0))
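
Review bot: the early `return` makes the refusal silent; i40e_vlan_stripping_enable() is void, so a caller that asked for RX VLAN stripping gets no indication that the setting was ignored because a port VLAN is active. Consider at least a dev_dbg() or dev_info() before returning so the ignored request shows up in the log.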
@@ -2293,6 +2297,10 @@ void i40e_vlan_stripping_disable(struct i40e_vsi *vsi)
 	struct i40e_vsi_context ctxt;
 	i40e_status ret;
 
+	/* Don't modify stripping options if a port VLAN is active */
+	if (vsi->info.pvid)
+		return;
+
 	if ((vsi->info.valid_sections &
 	     cpu_to_le16(I40E_AQ_VSI_PROP_VLAN_VALID)) &&
 	    ((vsi->info.port_vlan_flags & I40E_AQ_VSI_PVLAN_EMOD_MASK) ==
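
Review bot: this guard and its comment are copied verbatim from i40e_vlan_stripping_enable(); a small static inline helper (for example `i40e_vsi_has_pvid(vsi)`) used by both functions would keep the two paths from diverging, and the same silent-return concern applies here in the disable path.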
-- 
2.20.1

* [PATCH 4.4 131/241] RDMA/cxgb4: Fix null pointer dereference on alloc_skb failure
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (129 preceding siblings ...)
  2019-06-09 16:41 ` [PATCH 4.4 130/241] i40e: dont allow changes to HW VLAN stripping on active port VLANs Greg Kroah-Hartman
@ 2019-06-09 16:41 ` Greg Kroah-Hartman
  2019-06-09 16:41 ` [PATCH 4.4 132/241] hwmon: (vt1211) Use request_muxed_region for Super-IO accesses Greg Kroah-Hartman
                   ` (114 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Colin Ian King, Potnuri Bharat Teja,
	Jason Gunthorpe, Sasha Levin

[ Upstream commit a6d2a5a92e67d151c98886babdc86d530d27111c ]

Currently if alloc_skb fails to allocate the skb a null skb is passed to
t4_set_arp_err_handler and this ends up dereferencing the null skb.  Avoid
the NULL pointer dereference by checking for a NULL skb and returning
early.

Addresses-Coverity: ("Dereference null return")
Fixes: b38a0ad8ec11 ("RDMA/cxgb4: Set arp error handler for PASS_ACCEPT_RPL messages")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Acked-by: Potnuri Bharat Teja <bharat@chelsio.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/infiniband/hw/cxgb4/cm.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/infiniband/hw/cxgb4/cm.c b/drivers/infiniband/hw/cxgb4/cm.c
index c9cffced00ca1..54fd4d81a3f1f 100644
--- a/drivers/infiniband/hw/cxgb4/cm.c
+++ b/drivers/infiniband/hw/cxgb4/cm.c
@@ -360,6 +360,8 @@ static struct sk_buff *get_skb(struct sk_buff *skb, int len, gfp_t gfp)
 		skb_reset_transport_header(skb);
 	} else {
 		skb = alloc_skb(len, gfp);
+		if (!skb)
+			return NULL;
 	}
 	t4_set_arp_err_handler(skb, NULL, NULL);
 	return skb;
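
Review bot: returning NULL from the alloc_skb() branch fixes the dereference inside t4_set_arp_err_handler(), but it only moves the NULL to get_skb()'s callers, which are outside this hunk; confirm each caller checks the return value, otherwise the crash moves one frame up. The reuse branch above needs no check because a non-NULL skb was passed in.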
-- 
2.20.1

* [PATCH 4.4 132/241] hwmon: (vt1211) Use request_muxed_region for Super-IO accesses
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (130 preceding siblings ...)
  2019-06-09 16:41 ` [PATCH 4.4 131/241] RDMA/cxgb4: Fix null pointer dereference on alloc_skb failure Greg Kroah-Hartman
@ 2019-06-09 16:41 ` Greg Kroah-Hartman
  2019-06-09 16:41 ` [PATCH 4.4 133/241] hwmon: (smsc47m1) " Greg Kroah-Hartman
                   ` (113 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:41 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Guenter Roeck, Sasha Levin

[ Upstream commit 14b97ba5c20056102b3dd22696bf17b057e60976 ]

Super-IO accesses may fail on a system with no or unmapped LPC bus.

Also, other drivers may attempt to access the LPC bus at the same time,
resulting in undefined behavior.

Use request_muxed_region() to ensure that IO access on the requested
address space is supported, and to ensure that access by multiple drivers
is synchronized.

Fixes: 2219cd81a6cd ("hwmon/vt1211: Add probing of alternate config index port")
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/hwmon/vt1211.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/drivers/hwmon/vt1211.c b/drivers/hwmon/vt1211.c
index 3a6bfa51cb94f..95d5e8ec8b7fc 100644
--- a/drivers/hwmon/vt1211.c
+++ b/drivers/hwmon/vt1211.c
@@ -226,15 +226,21 @@ static inline void superio_select(int sio_cip, int ldn)
 	outb(ldn, sio_cip + 1);
 }
 
-static inline void superio_enter(int sio_cip)
+static inline int superio_enter(int sio_cip)
 {
+	if (!request_muxed_region(sio_cip, 2, DRVNAME))
+		return -EBUSY;
+
 	outb(0x87, sio_cip);
 	outb(0x87, sio_cip);
+
+	return 0;
 }
 
 static inline void superio_exit(int sio_cip)
 {
 	outb(0xaa, sio_cip);
+	release_region(sio_cip, 2);
 }
 
 /* ---------------------------------------------------------------------
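
Review bot: with release_region() now in superio_exit(), the enter/exit pair must be balanced on every path: superio_exit() must never run after superio_enter() returned -EBUSY (no region is held then), and every path that did enter must reach it. The 2-byte range matches the index/data port pair written by superio_select()'s `outb(ldn, sio_cip + 1)`, so the size is right.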
@@ -1282,11 +1288,14 @@ static int __init vt1211_device_add(unsigned short address)
 
 static int __init vt1211_find(int sio_cip, unsigned short *address)
 {
-	int err = -ENODEV;
+	int err;
 	int devid;
 
-	superio_enter(sio_cip);
+	err = superio_enter(sio_cip);
+	if (err)
+		return err;
 
+	err = -ENODEV;
 	devid = force_id ? force_id : superio_inb(sio_cip, SIO_VT1211_DEVID);
 	if (devid != SIO_VT1211_ID)
 		goto EXIT;
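
Review bot: resetting `err = -ENODEV` after a successful superio_enter() is required because the `goto EXIT` paths below rely on `err` holding the not-found code; without it a non-matching devid would return 0. One note for the commit message: on a machine with no LPC bus (the case the description names) request_muxed_region() fails too, so vt1211_find() now reports -EBUSY rather than -ENODEV, which is what a user will see from modprobe.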
-- 
2.20.1

* [PATCH 4.4 133/241] hwmon: (smsc47m1) Use request_muxed_region for Super-IO accesses
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (131 preceding siblings ...)
  2019-06-09 16:41 ` [PATCH 4.4 132/241] hwmon: (vt1211) Use request_muxed_region for Super-IO accesses Greg Kroah-Hartman
@ 2019-06-09 16:41 ` Greg Kroah-Hartman
  2019-06-09 16:41 ` [PATCH 4.4 134/241] hwmon: (smsc47b397) " Greg Kroah-Hartman
                   ` (112 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kefeng Wang, John Garry,
	Guenter Roeck, Sasha Levin

[ Upstream commit d6410408ad2a798c4cc685252c1baa713be0ad69 ]

Super-IO accesses may fail on a system with no or unmapped LPC bus.

Also, other drivers may attempt to access the LPC bus at the same time,
resulting in undefined behavior.

Use request_muxed_region() to ensure that IO access on the requested
address space is supported, and to ensure that access by multiple drivers
is synchronized.

Fixes: 8d5d45fb1468 ("I2C: Move hwmon drivers (2/3)")
Reported-by: Kefeng Wang <wangkefeng.wang@huawei.com>
Reported-by: John Garry <john.garry@huawei.com>
Cc: John Garry <john.garry@huawei.com>
Acked-by: John Garry <john.garry@huawei.com>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/hwmon/smsc47m1.c | 28 +++++++++++++++++++---------
 1 file changed, 19 insertions(+), 9 deletions(-)

diff --git a/drivers/hwmon/smsc47m1.c b/drivers/hwmon/smsc47m1.c
index 5d323186d2c10..d24df0c50bea4 100644
--- a/drivers/hwmon/smsc47m1.c
+++ b/drivers/hwmon/smsc47m1.c
@@ -73,16 +73,21 @@ superio_inb(int reg)
 /* logical device for fans is 0x0A */
 #define superio_select() superio_outb(0x07, 0x0A)
 
-static inline void
+static inline int
 superio_enter(void)
 {
+	if (!request_muxed_region(REG, 2, DRVNAME))
+		return -EBUSY;
+
 	outb(0x55, REG);
+	return 0;
 }
 
 static inline void
 superio_exit(void)
 {
 	outb(0xAA, REG);
+	release_region(REG, 2);
 }
 
 #define SUPERIO_REG_ACT		0x30
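
Review bot: superio_enter() takes the region before the 0x55 unlock write and superio_exit() releases it after the 0xAA lock write, so the whole config-mode window is covered by the lock; the `REG, 2` range has to match the ports superio_outb()/superio_inb() touch (index at REG, data at REG + 1), and DRVNAME must be defined above this point, which the hunk does not show.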
@@ -531,8 +536,12 @@ static int __init smsc47m1_find(struct smsc47m1_sio_data *sio_data)
 {
 	u8 val;
 	unsigned short addr;
+	int err;
+
+	err = superio_enter();
+	if (err)
+		return err;
 
-	superio_enter();
 	val = force_id ? force_id : superio_inb(SUPERIO_REG_DEVID);
 
 	/*
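
Review bot: the early `return err` before any superio_inb() is correct since nothing has been requested yet; the function now returns -EBUSY as well as whatever not-found code it used before, so the module init caller (not in this hunk) should propagate the value rather than treat every non-zero result as "chip not found".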
@@ -608,13 +617,14 @@ static int __init smsc47m1_find(struct smsc47m1_sio_data *sio_data)
 static void smsc47m1_restore(const struct smsc47m1_sio_data *sio_data)
 {
 	if ((sio_data->activate & 0x01) == 0) {
-		superio_enter();
-		superio_select();
-
-		pr_info("Disabling device\n");
-		superio_outb(SUPERIO_REG_ACT, sio_data->activate);
-
-		superio_exit();
+		if (!superio_enter()) {
+			superio_select();
+			pr_info("Disabling device\n");
+			superio_outb(SUPERIO_REG_ACT, sio_data->activate);
+			superio_exit();
+		} else {
+			pr_warn("Failed to disable device\n");
+		}
 	}
 }
 
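Review bot: `if (!superio_enter())` tests an errno-returning call for zero, which reads as the opposite of the _find() hunk's `err = superio_enter(); if (err) return err;` pattern; using the same shape here (`err = superio_enter(); if (err) { pr_warn(...); return; }`) avoids the double negative. The pr_warn() on failure is the right call for a void restore path, but including the error code in the message would say why the device could not be disabled.
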
-- 
2.20.1

* [PATCH 4.4 134/241] hwmon: (smsc47b397) Use request_muxed_region for Super-IO accesses
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (132 preceding siblings ...)
  2019-06-09 16:41 ` [PATCH 4.4 133/241] hwmon: (smsc47m1) " Greg Kroah-Hartman
@ 2019-06-09 16:41 ` Greg Kroah-Hartman
  2019-06-09 16:41 ` [PATCH 4.4 135/241] hwmon: (pc87427) " Greg Kroah-Hartman
                   ` (111 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kefeng Wang, John Garry,
	Guenter Roeck, Sasha Levin

[ Upstream commit 8c0826756744c0ac1df600a5e4cca1a341b13101 ]

Super-IO accesses may fail on a system with no or unmapped LPC bus.

Also, other drivers may attempt to access the LPC bus at the same time,
resulting in undefined behavior.

Use request_muxed_region() to ensure that IO access on the requested
address space is supported, and to ensure that access by multiple drivers
is synchronized.

Fixes: 8d5d45fb1468 ("I2C: Move hwmon drivers (2/3)")
Reported-by: Kefeng Wang <wangkefeng.wang@huawei.com>
Reported-by: John Garry <john.garry@huawei.com>
Cc: John Garry <john.garry@huawei.com>
Acked-by: John Garry <john.garry@huawei.com>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/hwmon/smsc47b397.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/drivers/hwmon/smsc47b397.c b/drivers/hwmon/smsc47b397.c
index 6bd2007565603..cbdb5c4991ae3 100644
--- a/drivers/hwmon/smsc47b397.c
+++ b/drivers/hwmon/smsc47b397.c
@@ -72,14 +72,19 @@ static inline void superio_select(int ld)
 	superio_outb(0x07, ld);
 }
 
-static inline void superio_enter(void)
+static inline int superio_enter(void)
 {
+	if (!request_muxed_region(REG, 2, DRVNAME))
+		return -EBUSY;
+
 	outb(0x55, REG);
+	return 0;
 }
 
 static inline void superio_exit(void)
 {
 	outb(0xAA, REG);
+	release_region(REG, 2);
 }
 
 #define SUPERIO_REG_DEVID	0x20
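
Review bot: this is the same enter/exit change as smsc47m1; the lock is held across the 0x55/0xAA config-mode window, and because superio_exit() now releases the region it must only be called after a successful superio_enter().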
@@ -300,8 +305,12 @@ static int __init smsc47b397_find(void)
 	u8 id, rev;
 	char *name;
 	unsigned short addr;
+	int err;
+
+	err = superio_enter();
+	if (err)
+		return err;
 
-	superio_enter();
 	id = force_id ? force_id : superio_inb(SUPERIO_REG_DEVID);
 
 	switch (id) {
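
Review bot: `err` holds 0 after a successful superio_enter() and nothing else in this hunk assigns it; make sure the `switch (id)` default and the other failure paths below set `err` to -ENODEV (and call superio_exit()) before returning, rather than returning the leftover 0 as success.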
-- 
2.20.1

* [PATCH 4.4 135/241] hwmon: (pc87427) Use request_muxed_region for Super-IO accesses
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (133 preceding siblings ...)
  2019-06-09 16:41 ` [PATCH 4.4 134/241] hwmon: (smsc47b397) " Greg Kroah-Hartman
@ 2019-06-09 16:41 ` Greg Kroah-Hartman
  2019-06-09 16:41 ` [PATCH 4.4 136/241] hwmon: (f71805f) " Greg Kroah-Hartman
                   ` (110 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kefeng Wang, John Garry,
	Guenter Roeck, Sasha Levin

[ Upstream commit 755a9b0f8aaa5639ba5671ca50080852babb89ce ]

Super-IO accesses may fail on a system with no or unmapped LPC bus.

Also, other drivers may attempt to access the LPC bus at the same time,
resulting in undefined behavior.

Use request_muxed_region() to ensure that IO access on the requested
address space is supported, and to ensure that access by multiple drivers
is synchronized.

Fixes: ba224e2c4f0a7 ("hwmon: New PC87427 hardware monitoring driver")
Reported-by: Kefeng Wang <wangkefeng.wang@huawei.com>
Reported-by: John Garry <john.garry@huawei.com>
Cc: John Garry <john.garry@huawei.com>
Acked-by: John Garry <john.garry@huawei.com>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/hwmon/pc87427.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/drivers/hwmon/pc87427.c b/drivers/hwmon/pc87427.c
index cb9fdd37bd0d9..2b5b8c3de8fce 100644
--- a/drivers/hwmon/pc87427.c
+++ b/drivers/hwmon/pc87427.c
@@ -106,6 +106,13 @@ static const char *logdev_str[2] = { DRVNAME " FMC", DRVNAME " HMC" };
 #define LD_IN		1
 #define LD_TEMP		1
 
+static inline int superio_enter(int sioaddr)
+{
+	if (!request_muxed_region(sioaddr, 2, DRVNAME))
+		return -EBUSY;
+	return 0;
+}
+
 static inline void superio_outb(int sioaddr, int reg, int val)
 {
 	outb(reg, sioaddr);
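
Review bot: pc87427 gains a superio_enter() that only takes the region (no unlock sequence, unlike the Fintek/SMSC chips), which is consistent with the existing superio_exit() writing 0x02 as the only config-mode exit; the body could be the one-liner `return request_muxed_region(sioaddr, 2, DRVNAME) ? 0 : -EBUSY;`, and a short comment saying this chip needs no unlock write would stop a later reader from "fixing" it.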
@@ -122,6 +129,7 @@ static inline void superio_exit(int sioaddr)
 {
 	outb(0x02, sioaddr);
 	outb(0x02, sioaddr + 1);
+	release_region(sioaddr, 2);
 }
 
 /*
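
Review bot: release_region(sioaddr, 2) after the two 0x02 writes covers both sioaddr and sioaddr + 1, matching the request in superio_enter(); since exit now releases, every pc87427_find() return path after a successful enter must go through superio_exit().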
@@ -1220,7 +1228,11 @@ static int __init pc87427_find(int sioaddr, struct pc87427_sio_data *sio_data)
 {
 	u16 val;
 	u8 cfg, cfg_b;
-	int i, err = 0;
+	int i, err;
+
+	err = superio_enter(sioaddr);
+	if (err)
+		return err;
 
 	/* Identify device */
 	val = force_id ? force_id : superio_inb(sioaddr, SIOREG_DEVID);
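
Review bot: dropping the `err = 0` initialiser is safe only because superio_enter() leaves err at 0 on success, so paths below that relied on the implicit 0 still work; `i` keeps its own loop assignment. The -EBUSY return on a missing LPC bus is the same behaviour noted for the other hwmon patches in this series.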
-- 
2.20.1

* [PATCH 4.4 136/241] hwmon: (f71805f) Use request_muxed_region for Super-IO accesses
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (134 preceding siblings ...)
  2019-06-09 16:41 ` [PATCH 4.4 135/241] hwmon: (pc87427) " Greg Kroah-Hartman
@ 2019-06-09 16:41 ` Greg Kroah-Hartman
  2019-06-09 16:41 ` [PATCH 4.4 137/241] scsi: libsas: Do discovery on empty PHY to update PHY info Greg Kroah-Hartman
                   ` (109 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kefeng Wang, John Garry,
	Guenter Roeck, Sasha Levin

[ Upstream commit 73e6ff71a7ea924fb7121d576a2d41e3be3fc6b5 ]

Super-IO accesses may fail on a system with no or unmapped LPC bus.

Unable to handle kernel paging request at virtual address ffffffbffee0002e
pgd = ffffffc1d68d4000
[ffffffbffee0002e] *pgd=0000000000000000, *pud=0000000000000000
Internal error: Oops: 94000046 [#1] PREEMPT SMP
Modules linked in: f71805f(+) hwmon
CPU: 3 PID: 1659 Comm: insmod Not tainted 4.5.0+ #88
Hardware name: linux,dummy-virt (DT)
task: ffffffc1f6665400 ti: ffffffc1d6418000 task.ti: ffffffc1d6418000
PC is at f71805f_find+0x6c/0x358 [f71805f]

Also, other drivers may attempt to access the LPC bus at the same time,
resulting in undefined behavior.

Use request_muxed_region() to ensure that IO access on the requested
address space is supported, and to ensure that access by multiple
drivers is synchronized.

Fixes: e53004e20a58e ("hwmon: New f71805f driver")
Reported-by: Kefeng Wang <wangkefeng.wang@huawei.com>
Reported-by: John Garry <john.garry@huawei.com>
Cc: John Garry <john.garry@huawei.com>
Acked-by: John Garry <john.garry@huawei.com>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/hwmon/f71805f.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/drivers/hwmon/f71805f.c b/drivers/hwmon/f71805f.c
index facd05cda26da..e8c0898864277 100644
--- a/drivers/hwmon/f71805f.c
+++ b/drivers/hwmon/f71805f.c
@@ -96,17 +96,23 @@ superio_select(int base, int ld)
 	outb(ld, base + 1);
 }
 
-static inline void
+static inline int
 superio_enter(int base)
 {
+	if (!request_muxed_region(base, 2, DRVNAME))
+		return -EBUSY;
+
 	outb(0x87, base);
 	outb(0x87, base);
+
+	return 0;
 }
 
 static inline void
 superio_exit(int base)
 {
 	outb(0xaa, base);
+	release_region(base, 2);
 }
 
 /*
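
Review bot: same enter/exit lock pattern as vt1211 (0x87 twice to enter, 0xaa to exit); the region is released in superio_exit(), so it must not be reached when superio_enter() failed.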
@@ -1561,7 +1567,7 @@ static int __init f71805f_device_add(unsigned short address,
 static int __init f71805f_find(int sioaddr, unsigned short *address,
 			       struct f71805f_sio_data *sio_data)
 {
-	int err = -ENODEV;
+	int err;
 	u16 devid;
 
 	static const char * const names[] = {
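
Review bot: `int err;` is now uninitialised until the assignment in the next hunk; the intervening `names[]` array hides that, so it is worth a glance that nothing between the declaration and `err = superio_enter(sioaddr)` reads err.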
@@ -1569,8 +1575,11 @@ static int __init f71805f_find(int sioaddr, unsigned short *address,
 		"F71872F/FG or F71806F/FG",
 	};
 
-	superio_enter(sioaddr);
+	err = superio_enter(sioaddr);
+	if (err)
+		return err;
 
+	err = -ENODEV;
 	devid = superio_inw(sioaddr, SIO_REG_MANID);
 	if (devid != SIO_FINTEK_ID)
 		goto exit;
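
Review bot: `err = -ENODEV` is restored before the devid check so the `goto exit` path keeps its not-found code. For the arm64 Oops quoted in the description (no LPC bus mapped), request_muxed_region() now fails and f71805f_find() returns -EBUSY instead of the previous -ENODEV, so the module load error changes from "No such device" to "Device or resource busy"; a comment or commit-message note would save a user from looking for a conflicting driver.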
-- 
2.20.1

* [PATCH 4.4 137/241] scsi: libsas: Do discovery on empty PHY to update PHY info
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (135 preceding siblings ...)
  2019-06-09 16:41 ` [PATCH 4.4 136/241] hwmon: (f71805f) " Greg Kroah-Hartman
@ 2019-06-09 16:41 ` Greg Kroah-Hartman
  2019-06-09 16:41 ` [PATCH 4.4 138/241] mmc_spi: add a status check for spi_sync_locked Greg Kroah-Hartman
                   ` (108 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, John Garry, Martin K. Petersen, Sasha Levin

[ Upstream commit d8649fc1c5e40e691d589ed825998c36a947491c ]

When we discover the PHY is empty in sas_rediscover_dev(), the PHY
information (like negotiated linkrate) is not updated.

As such, for a user examining sysfs for that PHY, they would see
incorrect values:

root@(none)$ cd /sys/class/sas_phy/phy-0:0:20
root@(none)$ more negotiated_linkrate
3.0 Gbit
root@(none)$ echo 0 > enable
root@(none)$ more negotiated_linkrate
3.0 Gbit

To fix this, simply discover the PHY again, even though we know it's empty;
in the above example, this gives us:

root@(none)$ more negotiated_linkrate
Phy disabled

We must do this after unregistering the device associated with the PHY
(in sas_unregister_devs_sas_addr()).

Signed-off-by: John Garry <john.garry@huawei.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/libsas/sas_expander.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/scsi/libsas/sas_expander.c b/drivers/scsi/libsas/sas_expander.c
index 1a6f65db615e8..ee1f9ee995e53 100644
--- a/drivers/scsi/libsas/sas_expander.c
+++ b/drivers/scsi/libsas/sas_expander.c
@@ -2027,6 +2027,11 @@ static int sas_rediscover_dev(struct domain_device *dev, int phy_id, bool last)
 	if ((SAS_ADDR(sas_addr) == 0) || (res == -ECOMM)) {
 		phy->phy_state = PHY_EMPTY;
 		sas_unregister_devs_sas_addr(dev, phy_id, last);
+		/*
+		 * Even though the PHY is empty, for convenience we discover
+		 * the PHY to update the PHY info, like negotiated linkrate.
+		 */
+		sas_ex_phy_discover(dev, phy_id);
 		return res;
 	} else if (SAS_ADDR(sas_addr) == SAS_ADDR(phy->attached_sas_addr) &&
 		   dev_type_flutter(type, phy->attached_dev_type)) {
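
Review bot: the return value of sas_ex_phy_discover() is discarded and `res` from the earlier probe is returned unchanged, so a failed rediscovery leaves the stale linkrate in sysfs with no trace; consider logging a discovery failure (dev_dbg on the expander) even if the empty-PHY result is still returned. The comment could also say why the call sits after sas_unregister_devs_sas_addr() (the device must be gone before the PHY info is refreshed), as the description does.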
-- 
2.20.1

* [PATCH 4.4 138/241] mmc_spi: add a status check for spi_sync_locked
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (136 preceding siblings ...)
  2019-06-09 16:41 ` [PATCH 4.4 137/241] scsi: libsas: Do discovery on empty PHY to update PHY info Greg Kroah-Hartman
@ 2019-06-09 16:41 ` Greg Kroah-Hartman
  2019-06-09 16:41 ` [PATCH 4.4 139/241] mmc: sdhci-of-esdhc: add erratum eSDHC5 support Greg Kroah-Hartman
                   ` (107 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kangjie Lu, Laurent Pinchart,
	Ulf Hansson, Sasha Levin

[ Upstream commit 611025983b7976df0183390a63a2166411d177f1 ]

In case spi_sync_locked fails, the fix reports the error and
returns the error code upstream.

Signed-off-by: Kangjie Lu <kjlu@umn.edu>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/mmc/host/mmc_spi.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/mmc/host/mmc_spi.c b/drivers/mmc/host/mmc_spi.c
index e03ec74f3fb08..40a369c7005a8 100644
--- a/drivers/mmc/host/mmc_spi.c
+++ b/drivers/mmc/host/mmc_spi.c
@@ -819,6 +819,10 @@ mmc_spi_readblock(struct mmc_spi_host *host, struct spi_transfer *t,
 	}
 
 	status = spi_sync_locked(spi, &host->m);
+	if (status < 0) {
+		dev_dbg(&spi->dev, "read error %d\n", status);
+		return status;
+	}
 
 	if (host->dma_dev) {
 		dma_sync_single_for_cpu(host->dma_dev,
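
Review bot: returning early when spi_sync_locked() fails skips the dma_sync_single_for_cpu() below; that is fine for the data itself (nothing will be read), but the caller that mapped the buffer for DMA (not in this hunk) must still unmap it on this error return. A real transfer failure is probably worth dev_err() rather than dev_dbg(), since the read simply fails for the upper layer.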
-- 
2.20.1

* [PATCH 4.4 139/241] mmc: sdhci-of-esdhc: add erratum eSDHC5 support
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (137 preceding siblings ...)
  2019-06-09 16:41 ` [PATCH 4.4 138/241] mmc_spi: add a status check for spi_sync_locked Greg Kroah-Hartman
@ 2019-06-09 16:41 ` Greg Kroah-Hartman
  2019-06-09 16:41 ` [PATCH 4.4 140/241] mmc: sdhci-of-esdhc: add erratum eSDHC-A001 and A-008358 support Greg Kroah-Hartman
                   ` (106 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yinbo Zhu, Adrian Hunter,
	Ulf Hansson, Sasha Levin

[ Upstream commit a46e42712596b51874f04c73f1cdf1017f88df52 ]

Software writing to the Transfer Type configuration register
(system clock domain) can cause a setup/hold violation in the
CRC flops (card clock domain), which can cause write accesses
to be sent with corrupt CRC values. This issue occurs only for
a write preceded by a read. This erratum fix is to address this issue.

Signed-off-by: Yinbo Zhu <yinbo.zhu@nxp.com>
Acked-by: Adrian Hunter <adrian.hunter@intel.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/mmc/host/sdhci-of-esdhc.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/mmc/host/sdhci-of-esdhc.c b/drivers/mmc/host/sdhci-of-esdhc.c
index ac66c61d9433c..a5a11e7ab53b4 100644
--- a/drivers/mmc/host/sdhci-of-esdhc.c
+++ b/drivers/mmc/host/sdhci-of-esdhc.c
@@ -624,6 +624,9 @@ static int sdhci_esdhc_probe(struct platform_device *pdev)
 	if (esdhc->vendor_ver > VENDOR_V_22)
 		host->quirks &= ~SDHCI_QUIRK_NO_BUSY_IRQ;
 
+	if (of_find_compatible_node(NULL, NULL, "fsl,p2020-esdhc"))
+		host->quirks2 |= SDHCI_QUIRK_RESET_AFTER_REQUEST;
+
 	if (of_device_is_compatible(np, "fsl,p5040-esdhc") ||
 	    of_device_is_compatible(np, "fsl,p5020-esdhc") ||
 	    of_device_is_compatible(np, "fsl,p4080-esdhc") ||
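
Review bot: of_find_compatible_node(NULL, NULL, "fsl,p2020-esdhc") walks the whole device tree and returns a node with a held reference that is never dropped with of_node_put(), so this leaks on every probe; it also matches any p2020-esdhc node rather than this device's own `np`. The of_device_is_compatible(np, ...) checks immediately below do the right thing, so `if (of_device_is_compatible(np, "fsl,p2020-esdhc"))` is the simpler and leak-free form.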
-- 
2.20.1

* [PATCH 4.4 140/241] mmc: sdhci-of-esdhc: add erratum eSDHC-A001 and A-008358 support
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (138 preceding siblings ...)
  2019-06-09 16:41 ` [PATCH 4.4 139/241] mmc: sdhci-of-esdhc: add erratum eSDHC5 support Greg Kroah-Hartman
@ 2019-06-09 16:41 ` Greg Kroah-Hartman
  2019-06-09 16:41 ` [PATCH 4.4 141/241] PM / core: Propagate dev->power.wakeup_path when no callbacks Greg Kroah-Hartman
                   ` (105 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yinbo Zhu, Adrian Hunter,
	Ulf Hansson, Sasha Levin

[ Upstream commit 05cb6b2a66fa7837211a060878e91be5eb10cb07 ]

eSDHC-A001: The data timeout counter (SYSCTL[DTOCV]) is not
reliable for DTOCV values 0x4 (2^17 SD clock), 0x8 (2^21 SD clock),
and 0xC (2^25 SD clock). The data timeout counter can count from
2^13 to 2^27, but for values 2^17, 2^21, and 2^25, the timeout
counter counts for only 2^13 SD clocks.
A-008358: The data timeout counter value loaded into the timeout
counter is less than expected and can result in an early timeout
error in case of eSDHC data transactions. The table below shows
the expected vs actual timeout period for different values of
SYSCTL[DTOCV]:
These two errata have the same quirk to control them, so set
SDHCI_QUIRK_RESET_AFTER_REQUEST to fix the above issue.

Signed-off-by: Yinbo Zhu <yinbo.zhu@nxp.com>
Acked-by: Adrian Hunter <adrian.hunter@intel.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/mmc/host/sdhci-of-esdhc.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/mmc/host/sdhci-of-esdhc.c b/drivers/mmc/host/sdhci-of-esdhc.c
index a5a11e7ab53b4..356b294c93c9e 100644
--- a/drivers/mmc/host/sdhci-of-esdhc.c
+++ b/drivers/mmc/host/sdhci-of-esdhc.c
@@ -624,8 +624,10 @@ static int sdhci_esdhc_probe(struct platform_device *pdev)
 	if (esdhc->vendor_ver > VENDOR_V_22)
 		host->quirks &= ~SDHCI_QUIRK_NO_BUSY_IRQ;
 
-	if (of_find_compatible_node(NULL, NULL, "fsl,p2020-esdhc"))
+	if (of_find_compatible_node(NULL, NULL, "fsl,p2020-esdhc")) {
 		host->quirks2 |= SDHCI_QUIRK_RESET_AFTER_REQUEST;
+		host->quirks2 |= SDHCI_QUIRK_BROKEN_TIMEOUT_VAL;
+	}
 
 	if (of_device_is_compatible(np, "fsl,p5040-esdhc") ||
 	    of_device_is_compatible(np, "fsl,p5020-esdhc") ||
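
Review bot: this keeps the leaking of_find_compatible_node() lookup from the previous patch, now guarding two quirks; the two `|=` lines could be one `host->quirks2 |= SDHCI_QUIRK_RESET_AFTER_REQUEST | SDHCI_QUIRK_BROKEN_TIMEOUT_VAL;`. The description says SDHCI_QUIRK_RESET_AFTER_REQUEST fixes the timeout errata, but the flag this hunk actually adds is SDHCI_QUIRK_BROKEN_TIMEOUT_VAL; the commit message should name the quirk the code sets.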
-- 
2.20.1

* [PATCH 4.4 141/241] PM / core: Propagate dev->power.wakeup_path when no callbacks
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (139 preceding siblings ...)
  2019-06-09 16:41 ` [PATCH 4.4 140/241] mmc: sdhci-of-esdhc: add erratum eSDHC-A001 and A-008358 support Greg Kroah-Hartman
@ 2019-06-09 16:41 ` Greg Kroah-Hartman
  2019-06-09 16:41 ` [PATCH 4.4 142/241] extcon: arizona: Disable mic detect if running when driver is removed Greg Kroah-Hartman
                   ` (104 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Loic Pallardy, Ulf Hansson,
	Rafael J. Wysocki, Sasha Levin

[ Upstream commit dc351d4c5f4fe4d0f274d6d660227be0c3a03317 ]

The dev->power.direct_complete flag may become set in device_prepare() in
case the device doesn't have any PM callbacks (dev->power.no_pm_callbacks is
set). This leads to broken behaviour when there is a child that has wakeup
enabled and relies on its parent to be used in the wakeup path.

More precisely, when the direct complete path becomes selected for the
child in __device_suspend(), the propagation of dev->power.wakeup_path
is skipped as well.

Let's address this problem by checking if the device is a part of the wakeup
path or has wakeup enabled, and then prevent the direct complete path from
being used.

Reported-by: Loic Pallardy <loic.pallardy@st.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
[ rjw: Comment cleanup ]
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/base/power/main.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/base/power/main.c b/drivers/base/power/main.c
index 05409141ec077..8efdb823826c8 100644
--- a/drivers/base/power/main.c
+++ b/drivers/base/power/main.c
@@ -1378,6 +1378,10 @@ static int __device_suspend(struct device *dev, pm_message_t state, bool async)
 	if (dev->power.syscore)
 		goto Complete;
 
+	/* Avoid direct_complete to let wakeup_path propagate. */
+	if (device_may_wakeup(dev) || dev->power.wakeup_path)
+		dev->power.direct_complete = false;
+
 	if (dev->power.direct_complete) {
 		if (pm_runtime_status_suspended(dev)) {
 			pm_runtime_disable(dev);
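
Review bot: the new check sits after the syscore early-out and before the `if (dev->power.direct_complete)` fast path, so a runtime-suspended device that may wake up or is on the wakeup path now takes the normal suspend path and wakeup_path propagation is no longer skipped. Since the description says direct_complete is decided in device_prepare(), folding the same condition into that decision would keep a single source of truth instead of overriding the flag here; the comment should also say that device_may_wakeup() covers the device itself while wakeup_path covers its children.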
-- 
2.20.1

* [PATCH 4.4 142/241] extcon: arizona: Disable mic detect if running when driver is removed
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (140 preceding siblings ...)
  2019-06-09 16:41 ` [PATCH 4.4 141/241] PM / core: Propagate dev->power.wakeup_path when no callbacks Greg Kroah-Hartman
@ 2019-06-09 16:41 ` Greg Kroah-Hartman
  2019-06-09 16:41 ` [PATCH 4.4 143/241] s390: cio: fix cio_irb declaration Greg Kroah-Hartman
                   ` (103 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Charles Keepax, Chanwoo Choi, Sasha Levin

[ Upstream commit 00053de52231117ddc154042549f2256183ffb86 ]

Microphone detection provides the button detection features on the
Arizona CODECs; as such, it will be running if the jack is currently
inserted. If the driver is unbound whilst the jack is still inserted
this will cause warnings from the regulator framework as the MICVDD
regulator is put but was never disabled.

Correct this by disabling microphone detection on driver removal and if
the microphone detection was running disable the regulator and put the
runtime reference that was currently held.

Signed-off-by: Charles Keepax <ckeepax@opensource.cirrus.com>
Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/extcon/extcon-arizona.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/drivers/extcon/extcon-arizona.c b/drivers/extcon/extcon-arizona.c
index e4890dd4fefd6..38fb212e58ee8 100644
--- a/drivers/extcon/extcon-arizona.c
+++ b/drivers/extcon/extcon-arizona.c
@@ -1616,6 +1616,16 @@ static int arizona_extcon_remove(struct platform_device *pdev)
 	struct arizona_extcon_info *info = platform_get_drvdata(pdev);
 	struct arizona *arizona = info->arizona;
 	int jack_irq_rise, jack_irq_fall;
+	bool change;
+
+	regmap_update_bits_check(arizona->regmap, ARIZONA_MIC_DETECT_1,
+				 ARIZONA_MICD_ENA, 0,
+				 &change);
+
+	if (change) {
+		regulator_disable(info->micvdd);
+		pm_runtime_put(info->dev);
+	}
 
 	gpiod_put(info->micd_pol_gpio);
 
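Review bot: `bool change;` is left uninitialised and the return value of regmap_update_bits_check() is dropped, so if the register read inside it fails, `if (change)` tests an indeterminate value and remove() may disable MICVDD and drop a runtime PM reference it does not hold, or skip releasing ones it does. Initialise it (`bool change = false;`) and honour the return code, e.g. `if (ret == 0 && change)`. Also worth a look: this disable runs before the jack IRQs (`jack_irq_rise`, `jack_irq_fall` are freed further down, not in this hunk) are released, so please confirm an interrupt landing in between cannot re-enable detection after the regulator has been dropped.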
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 250+ messages in thread

* [PATCH 4.4 143/241] s390: cio: fix cio_irb declaration
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (141 preceding siblings ...)
  2019-06-09 16:41 ` [PATCH 4.4 142/241] extcon: arizona: Disable mic detect if running when driver is removed Greg Kroah-Hartman
@ 2019-06-09 16:41 ` Greg Kroah-Hartman
  2019-06-09 16:41 ` [PATCH 4.4 144/241] cpufreq: ppc_cbe: fix possible object reference leak Greg Kroah-Hartman
                   ` (102 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Arnd Bergmann, Nathan Chancellor,
	Sebastian Ott, Martin Schwidefsky, Sasha Levin

[ Upstream commit e91012ee855ad9f5ef2ab106a3de51db93fe4d0c ]

clang points out that the declaration of cio_irb does not match the
definition exactly; it is missing the alignment attribute:

../drivers/s390/cio/cio.c:50:1: warning: section does not match previous declaration [-Wsection]
DEFINE_PER_CPU_ALIGNED(struct irb, cio_irb);
^
../include/linux/percpu-defs.h:150:2: note: expanded from macro 'DEFINE_PER_CPU_ALIGNED'
        DEFINE_PER_CPU_SECTION(type, name, PER_CPU_ALIGNED_SECTION)     \
        ^
../include/linux/percpu-defs.h:93:9: note: expanded from macro 'DEFINE_PER_CPU_SECTION'
        extern __PCPU_ATTRS(sec) __typeof__(type) name;                 \
               ^
../include/linux/percpu-defs.h:49:26: note: expanded from macro '__PCPU_ATTRS'
        __percpu __attribute__((section(PER_CPU_BASE_SECTION sec)))     \
                                ^
../drivers/s390/cio/cio.h:118:1: note: previous attribute is here
DECLARE_PER_CPU(struct irb, cio_irb);
^
../include/linux/percpu-defs.h:111:2: note: expanded from macro 'DECLARE_PER_CPU'
        DECLARE_PER_CPU_SECTION(type, name, "")
        ^
../include/linux/percpu-defs.h:87:9: note: expanded from macro 'DECLARE_PER_CPU_SECTION'
        extern __PCPU_ATTRS(sec) __typeof__(type) name
               ^
../include/linux/percpu-defs.h:49:26: note: expanded from macro '__PCPU_ATTRS'
        __percpu __attribute__((section(PER_CPU_BASE_SECTION sec)))     \
                                ^
Use DECLARE_PER_CPU_ALIGNED() here, to make the two match.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Reviewed-by: Nathan Chancellor <natechancellor@gmail.com>
Signed-off-by: Sebastian Ott <sebott@linux.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/s390/cio/cio.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/s390/cio/cio.h b/drivers/s390/cio/cio.h
index a01376ae17493..fdb87520543fe 100644
--- a/drivers/s390/cio/cio.h
+++ b/drivers/s390/cio/cio.h
@@ -102,7 +102,7 @@ struct subchannel {
 	struct schib_config config;
 } __attribute__ ((aligned(8)));
 
-DECLARE_PER_CPU(struct irb, cio_irb);
+DECLARE_PER_CPU_ALIGNED(struct irb, cio_irb);
 
 #define to_subchannel(n) container_of(n, struct subchannel, dev)
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 250+ messages in thread

* [PATCH 4.4 144/241] cpufreq: ppc_cbe: fix possible object reference leak
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (142 preceding siblings ...)
  2019-06-09 16:41 ` [PATCH 4.4 143/241] s390: cio: fix cio_irb declaration Greg Kroah-Hartman
@ 2019-06-09 16:41 ` Greg Kroah-Hartman
  2019-06-09 16:41 ` [PATCH 4.4 145/241] cpufreq/pasemi: " Greg Kroah-Hartman
                   ` (101 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Wen Yang, Rafael J. Wysocki,
	Viresh Kumar, linux-pm, Sasha Levin

[ Upstream commit 233298032803f2802fe99892d0de4ab653bfece4 ]

The call to of_get_cpu_node returns a node pointer with refcount
incremented thus it must be explicitly decremented after the last
usage.

Detected by coccinelle with the following warnings:
./drivers/cpufreq/ppc_cbe_cpufreq.c:89:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 76, but without a corresponding object release within this function.
./drivers/cpufreq/ppc_cbe_cpufreq.c:89:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 76, but without a corresponding object release within this function.

Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
Cc: "Rafael J. Wysocki" <rjw@rjwysocki.net>
Cc: Viresh Kumar <viresh.kumar@linaro.org>
Cc: linux-pm@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/cpufreq/ppc_cbe_cpufreq.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/cpufreq/ppc_cbe_cpufreq.c b/drivers/cpufreq/ppc_cbe_cpufreq.c
index 5a4c5a639f618..2eaeebcc93afe 100644
--- a/drivers/cpufreq/ppc_cbe_cpufreq.c
+++ b/drivers/cpufreq/ppc_cbe_cpufreq.c
@@ -86,6 +86,7 @@ static int cbe_cpufreq_cpu_init(struct cpufreq_policy *policy)
 	if (!cbe_get_cpu_pmd_regs(policy->cpu) ||
 	    !cbe_get_cpu_mic_tm_regs(policy->cpu)) {
 		pr_info("invalid CBE regs pointers for cpufreq\n");
+		of_node_put(cpu);
 		return -EINVAL;
 	}
 
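Review bot: this releases the reference only on the -EINVAL exit; since the diffstat shows a single insertion, please confirm that the remaining exits of cbe_cpufreq_cpu_init(), which are not in this hunk, already drop the reference. The coccinelle report quotes only line 89, but the same leak would persist on any other early return that precedes the function's own of_node_put().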
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 250+ messages in thread

* [PATCH 4.4 145/241] cpufreq/pasemi: fix possible object reference leak
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (143 preceding siblings ...)
  2019-06-09 16:41 ` [PATCH 4.4 144/241] cpufreq: ppc_cbe: fix possible object reference leak Greg Kroah-Hartman
@ 2019-06-09 16:41 ` Greg Kroah-Hartman
  2019-06-09 16:41 ` [PATCH 4.4 146/241] cpufreq: pmac32: " Greg Kroah-Hartman
                   ` (100 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Wen Yang, Rafael J. Wysocki,
	Viresh Kumar, linuxppc-dev, linux-pm, Sasha Levin

[ Upstream commit a9acc26b75f652f697e02a9febe2ab0da648a571 ]

The call to of_get_cpu_node returns a node pointer with refcount
incremented thus it must be explicitly decremented after the last
usage.

Detected by coccinelle with the following warnings:
./drivers/cpufreq/pasemi-cpufreq.c:212:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 147, but without a corresponding object release within this function.
./drivers/cpufreq/pasemi-cpufreq.c:220:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 147, but without a corresponding object release within this function.

Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
Cc: "Rafael J. Wysocki" <rjw@rjwysocki.net>
Cc: Viresh Kumar <viresh.kumar@linaro.org>
Cc: linuxppc-dev@lists.ozlabs.org
Cc: linux-pm@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/cpufreq/pasemi-cpufreq.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/cpufreq/pasemi-cpufreq.c b/drivers/cpufreq/pasemi-cpufreq.c
index 35dd4d7ffee08..58c933f483004 100644
--- a/drivers/cpufreq/pasemi-cpufreq.c
+++ b/drivers/cpufreq/pasemi-cpufreq.c
@@ -146,6 +146,7 @@ static int pas_cpufreq_cpu_init(struct cpufreq_policy *policy)
 
 	cpu = of_get_cpu_node(policy->cpu, NULL);
 
+	of_node_put(cpu);
 	if (!cpu)
 		goto out;
 
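Review bot: the of_node_put(cpu) is inserted immediately after of_get_cpu_node() and before `if (!cpu)`, i.e. before any use of `cpu`, which contradicts the commit message's own rule that the reference must be dropped after the last usage; the coccinelle report points at the exits on lines 212 and 220, so the put belongs at those exits (or on a shared `out:` path), not here. As written, the rest of pas_cpufreq_cpu_init() keeps using a node pointer it no longer holds a reference on, a use-after-put that the ppc_cbe and pmac32 patches in this series avoid by releasing after the last use.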
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 250+ messages in thread

* [PATCH 4.4 146/241] cpufreq: pmac32: fix possible object reference leak
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (144 preceding siblings ...)
  2019-06-09 16:41 ` [PATCH 4.4 145/241] cpufreq/pasemi: " Greg Kroah-Hartman
@ 2019-06-09 16:41 ` Greg Kroah-Hartman
  2019-06-09 16:41 ` [PATCH 4.4 147/241] x86/build: Keep local relocations with ld.lld Greg Kroah-Hartman
                   ` (99 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Wen Yang, Rafael J. Wysocki,
	Viresh Kumar, Benjamin Herrenschmidt, Paul Mackerras,
	Michael Ellerman, linux-pm, linuxppc-dev, Sasha Levin

[ Upstream commit 8d10dc28a9ea6e8c02e825dab28699f3c72b02d9 ]

The call to of_find_node_by_name returns a node pointer with refcount
incremented thus it must be explicitly decremented after the last
usage.

Detected by coccinelle with the following warnings:
./drivers/cpufreq/pmac32-cpufreq.c:557:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 552, but without a corresponding object release within this function.
./drivers/cpufreq/pmac32-cpufreq.c:569:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 552, but without a corresponding object release within this function.
./drivers/cpufreq/pmac32-cpufreq.c:598:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 587, but without a corresponding object release within this function.

Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
Cc: "Rafael J. Wysocki" <rjw@rjwysocki.net>
Cc: Viresh Kumar <viresh.kumar@linaro.org>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Paul Mackerras <paulus@samba.org>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: linux-pm@vger.kernel.org
Cc: linuxppc-dev@lists.ozlabs.org
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/cpufreq/pmac32-cpufreq.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/cpufreq/pmac32-cpufreq.c b/drivers/cpufreq/pmac32-cpufreq.c
index 1f49d97a70ea1..14928e0dc3265 100644
--- a/drivers/cpufreq/pmac32-cpufreq.c
+++ b/drivers/cpufreq/pmac32-cpufreq.c
@@ -549,6 +549,7 @@ static int pmac_cpufreq_init_7447A(struct device_node *cpunode)
 	volt_gpio_np = of_find_node_by_name(NULL, "cpu-vcore-select");
 	if (volt_gpio_np)
 		voltage_gpio = read_gpio(volt_gpio_np);
+	of_node_put(volt_gpio_np);
 	if (!voltage_gpio){
 		printk(KERN_ERR "cpufreq: missing cpu-vcore-select gpio\n");
 		return 1;
@@ -585,6 +586,7 @@ static int pmac_cpufreq_init_750FX(struct device_node *cpunode)
 	if (volt_gpio_np)
 		voltage_gpio = read_gpio(volt_gpio_np);
 
+	of_node_put(volt_gpio_np);
 	pvr = mfspr(SPRN_PVR);
 	has_cpu_l2lve = !((pvr & 0xf00) == 0x100);
 
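Review bot: style: in this hunk the of_node_put() is separated from the `if (volt_gpio_np)` block by a blank line and glued to the unrelated `pvr = mfspr(SPRN_PVR);` line, unlike the first hunk, where it follows the read_gpio() call directly. Move it up under the `if` so acquire, use and release stay together and the two functions read the same way; of_node_put() tolerates NULL, so the unconditional call is otherwise fine.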
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 250+ messages in thread

* [PATCH 4.4 147/241] x86/build: Keep local relocations with ld.lld
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (145 preceding siblings ...)
  2019-06-09 16:41 ` [PATCH 4.4 146/241] cpufreq: pmac32: " Greg Kroah-Hartman
@ 2019-06-09 16:41 ` Greg Kroah-Hartman
  2019-06-09 16:41 ` [PATCH 4.4 148/241] iio: ad_sigma_delta: Properly handle SPI bus locking vs CS assertion Greg Kroah-Hartman
                   ` (98 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kees Cook, Borislav Petkov,
	H. Peter Anvin, Ingo Molnar, Nick Desaulniers, Thomas Gleixner,
	clang-built-linux, x86-ml, Sasha Levin

[ Upstream commit 7c21383f3429dd70da39c0c7f1efa12377a47ab6 ]

The LLVM linker (ld.lld) defaults to removing local relocations, which
causes KASLR boot failures. ld.bfd and ld.gold already handle this
correctly. This adds the explicit instruction "--discard-none" during
the link phase. There is no change in output for ld.bfd and ld.gold,
but ld.lld now produces an image with all the needed relocations.

Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Borislav Petkov <bp@suse.de>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Nick Desaulniers <ndesaulniers@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: clang-built-linux@googlegroups.com
Cc: x86-ml <x86@kernel.org>
Link: https://lkml.kernel.org/r/20190404214027.GA7324@beast
Link: https://github.com/ClangBuiltLinux/linux/issues/404
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/x86/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/x86/Makefile b/arch/x86/Makefile
index e26560cd18444..00e0226634fa9 100644
--- a/arch/x86/Makefile
+++ b/arch/x86/Makefile
@@ -47,7 +47,7 @@ export REALMODE_CFLAGS
 export BITS
 
 ifdef CONFIG_X86_NEED_RELOCS
-        LDFLAGS_vmlinux := --emit-relocs
+        LDFLAGS_vmlinux := --emit-relocs --discard-none
 endif
 
 #
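Review bot: `--discard-none` is added for every linker rather than gated on LLD; that is fine given the commit message's claim that ld.bfd and ld.gold output is unchanged, but for the stable backport it would help to state whether 4.4 can be linked with ld.lld at all. If it cannot, this hunk is a no-op on 4.4 and the backport note should say so, since the KASLR failure it addresses cannot then be reproduced on this tree.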
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 250+ messages in thread

* [PATCH 4.4 148/241] iio: ad_sigma_delta: Properly handle SPI bus locking vs CS assertion
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (146 preceding siblings ...)
  2019-06-09 16:41 ` [PATCH 4.4 147/241] x86/build: Keep local relocations with ld.lld Greg Kroah-Hartman
@ 2019-06-09 16:41 ` Greg Kroah-Hartman
  2019-06-09 16:41 ` [PATCH 4.4 149/241] iio: hmc5843: fix potential NULL pointer dereferences Greg Kroah-Hartman
                   ` (97 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lars-Peter Clausen,
	Alexandru Ardelean, Jonathan Cameron, Sasha Levin

[ Upstream commit df1d80aee963480c5c2938c64ec0ac3e4a0df2e0 ]

For devices from the SigmaDelta family we need to keep CS low when doing a
conversion, since the device will use the MISO line as an interrupt to
indicate that the conversion is complete.

This is why the driver locks the SPI bus and keeps it locked as long as a
conversion is going on. The current implementation gets one small detail
wrong though. CS is only de-asserted after the SPI bus is unlocked. This
means it is possible for a different SPI device on the same bus to send a
message which would wrongfully be addressed to the SigmaDelta device as
well. Make sure that the last SPI transfer that is done while holding the
SPI bus lock de-asserts the CS signal.

Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Alexandru Ardelean <Alexandru.Ardelean@analog.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/iio/adc/ad_sigma_delta.c       | 16 +++++++++++-----
 include/linux/iio/adc/ad_sigma_delta.h |  1 +
 2 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/drivers/iio/adc/ad_sigma_delta.c b/drivers/iio/adc/ad_sigma_delta.c
index a1d072ecb7171..30f200ad6b978 100644
--- a/drivers/iio/adc/ad_sigma_delta.c
+++ b/drivers/iio/adc/ad_sigma_delta.c
@@ -62,7 +62,7 @@ int ad_sd_write_reg(struct ad_sigma_delta *sigma_delta, unsigned int reg,
 	struct spi_transfer t = {
 		.tx_buf		= data,
 		.len		= size + 1,
-		.cs_change	= sigma_delta->bus_locked,
+		.cs_change	= sigma_delta->keep_cs_asserted,
 	};
 	struct spi_message m;
 	int ret;
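Review bot: only the write path switches cs_change to keep_cs_asserted; the read transfer in ad_sd_read_reg() is not touched by this patch, so the fix relies on every locked sequence ending with an ad_sd_write_reg() issued after keep_cs_asserted has been cleared. That holds for the sequences changed below (each ends with the IDLE set_mode write), but a short comment on `keep_cs_asserted` stating that invariant would stop a future sequence that ends on a read from leaving CS low across spi_bus_unlock().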
@@ -217,6 +217,7 @@ static int ad_sd_calibrate(struct ad_sigma_delta *sigma_delta,
 
 	spi_bus_lock(sigma_delta->spi->master);
 	sigma_delta->bus_locked = true;
+	sigma_delta->keep_cs_asserted = true;
 	reinit_completion(&sigma_delta->completion);
 
 	ret = ad_sigma_delta_set_mode(sigma_delta, mode);
@@ -234,9 +235,10 @@ static int ad_sd_calibrate(struct ad_sigma_delta *sigma_delta,
 		ret = 0;
 	}
 out:
+	sigma_delta->keep_cs_asserted = false;
+	ad_sigma_delta_set_mode(sigma_delta, AD_SD_MODE_IDLE);
 	sigma_delta->bus_locked = false;
 	spi_bus_unlock(sigma_delta->spi->master);
-	ad_sigma_delta_set_mode(sigma_delta, AD_SD_MODE_IDLE);
 
 	return ret;
 }
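Review bot: the IDLE set_mode write at `out:` is now the transfer that actually releases CS, yet its return value is still discarded; if that write fails, the bus is unlocked with CS still asserted, which is the exact condition this patch is meant to rule out. At least log the failure, or propagate it when `ret` is otherwise zero.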
@@ -288,6 +290,7 @@ int ad_sigma_delta_single_conversion(struct iio_dev *indio_dev,
 
 	spi_bus_lock(sigma_delta->spi->master);
 	sigma_delta->bus_locked = true;
+	sigma_delta->keep_cs_asserted = true;
 	reinit_completion(&sigma_delta->completion);
 
 	ad_sigma_delta_set_mode(sigma_delta, AD_SD_MODE_SINGLE);
@@ -297,9 +300,6 @@ int ad_sigma_delta_single_conversion(struct iio_dev *indio_dev,
 	ret = wait_for_completion_interruptible_timeout(
 			&sigma_delta->completion, HZ);
 
-	sigma_delta->bus_locked = false;
-	spi_bus_unlock(sigma_delta->spi->master);
-
 	if (ret == 0)
 		ret = -EIO;
 	if (ret < 0)
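Review bot: with the unlock removed from this spot, the `if (ret < 0)` branch that follows must reach the `out:` label that now carries the unlock (next hunk); otherwise a timed-out or interrupted wait leaves the SPI bus locked for every other device on it. The next hunk's context lines suggest it does, but please confirm the branch target in the full function rather than the excerpt.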
@@ -315,7 +315,10 @@ int ad_sigma_delta_single_conversion(struct iio_dev *indio_dev,
 		sigma_delta->irq_dis = true;
 	}
 
+	sigma_delta->keep_cs_asserted = false;
 	ad_sigma_delta_set_mode(sigma_delta, AD_SD_MODE_IDLE);
+	sigma_delta->bus_locked = false;
+	spi_bus_unlock(sigma_delta->spi->master);
 	mutex_unlock(&indio_dev->mlock);
 
 	if (ret)
@@ -352,6 +355,8 @@ static int ad_sd_buffer_postenable(struct iio_dev *indio_dev)
 
 	spi_bus_lock(sigma_delta->spi->master);
 	sigma_delta->bus_locked = true;
+	sigma_delta->keep_cs_asserted = true;
+
 	ret = ad_sigma_delta_set_mode(sigma_delta, AD_SD_MODE_CONTINUOUS);
 	if (ret)
 		goto err_unlock;
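Review bot: keep_cs_asserted is set before the CONTINUOUS set_mode, but nothing in this hunk clears it on the `goto err_unlock` path; if err_unlock (not shown) only unlocks the bus, the next unlocked ad_sd_write_reg() is issued with cs_change set and leaves CS asserted. Clear keep_cs_asserted on that path too (and, pre-existing, bus_locked, which has the same problem).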
@@ -380,6 +385,7 @@ static int ad_sd_buffer_postdisable(struct iio_dev *indio_dev)
 		sigma_delta->irq_dis = true;
 	}
 
+	sigma_delta->keep_cs_asserted = false;
 	ad_sigma_delta_set_mode(sigma_delta, AD_SD_MODE_IDLE);
 
 	sigma_delta->bus_locked = false;
diff --git a/include/linux/iio/adc/ad_sigma_delta.h b/include/linux/iio/adc/ad_sigma_delta.h
index 6cc48ac55fd2a..40b14736c73de 100644
--- a/include/linux/iio/adc/ad_sigma_delta.h
+++ b/include/linux/iio/adc/ad_sigma_delta.h
@@ -66,6 +66,7 @@ struct ad_sigma_delta {
 	bool			irq_dis;
 
 	bool			bus_locked;
+	bool			keep_cs_asserted;
 
 	uint8_t			comm;
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 250+ messages in thread
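
The chip-select window described in the patch above, as an added user-space model that is not part of the patch or the kernel tree. The bus model (`struct spi_bus`, `xfer`, `bus_lock`, `bus_unlock`) and the two sequence functions are hypothetical stand-ins for the SPI core and the driver; the only rule carried over from the real API is that a transfer with `cs_change` set leaves CS asserted when the message ends. It shows why moving the IDLE write inside the locked region closes the window.

```c
#include <stdbool.h>

/* Hypothetical bus model: the ADC's chip-select line plus the bus lock. */
struct spi_bus {
	bool locked;		/* spi_bus_lock() held by the ADC driver */
	bool cs_asserted;	/* the ADC's chip-select is currently low */
	bool leaked;		/* CS was still low after the bus was unlocked */
};

/* One message on the bus. CS is driven low for its duration; whether it
 * stays low afterwards is exactly the cs_change flag of the last transfer. */
static void xfer(struct spi_bus *bus, bool cs_change)
{
	bus->cs_asserted = cs_change;
}

static void bus_lock(struct spi_bus *bus)
{
	bus->locked = true;
}

/* From here on another device's message can go out; if the ADC's CS is
 * still low, that device's bytes are clocked into the ADC as well. */
static void bus_unlock(struct spi_bus *bus)
{
	bus->locked = false;
	if (bus->cs_asserted)
		bus->leaked = true;
}

/* Before the patch: cs_change follows bus_locked and the IDLE write that
 * finally releases CS is issued after spi_bus_unlock(). */
static bool conversion_before(void)
{
	struct spi_bus bus = { 0 };
	bool bus_locked;

	bus_lock(&bus);
	bus_locked = true;
	xfer(&bus, bus_locked);		/* set SINGLE mode, keep CS low */
	xfer(&bus, bus_locked);		/* read DATA once MISO signals ready */
	bus_locked = false;
	bus_unlock(&bus);		/* CS is still low here */
	xfer(&bus, bus_locked);		/* set IDLE: CS released too late */
	return bus.leaked;
}

/* After the patch: keep_cs_asserted is cleared and the IDLE write sent
 * while the lock is still held, so CS is high before anyone else can
 * use the bus. */
static bool conversion_after(void)
{
	struct spi_bus bus = { 0 };
	bool keep_cs_asserted;

	bus_lock(&bus);
	keep_cs_asserted = true;
	xfer(&bus, keep_cs_asserted);	/* set SINGLE mode */
	xfer(&bus, keep_cs_asserted);	/* read DATA */
	keep_cs_asserted = false;
	xfer(&bus, keep_cs_asserted);	/* set IDLE: releases CS */
	bus_unlock(&bus);
	return bus.leaked;
}
```

`conversion_before()` reports the leak, `conversion_after()` does not; the difference is only the order of the final write and the unlock, which is what the patch reorders in every sequence it touches.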

* [PATCH 4.4 149/241] iio: hmc5843: fix potential NULL pointer dereferences
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (147 preceding siblings ...)
  2019-06-09 16:41 ` [PATCH 4.4 148/241] iio: ad_sigma_delta: Properly handle SPI bus locking vs CS assertion Greg Kroah-Hartman
@ 2019-06-09 16:41 ` Greg Kroah-Hartman
  2019-06-09 16:41 ` [PATCH 4.4 150/241] iio: common: ssp_sensors: Initialize calculated_time in ssp_common_process_data Greg Kroah-Hartman
                   ` (96 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kangjie Lu, Jonathan Cameron, Sasha Levin

[ Upstream commit 536cc27deade8f1ec3c1beefa60d5fbe0f6fcb28 ]

devm_regmap_init_i2c may fail and return NULL. The fix returns
the error when it fails.

Signed-off-by: Kangjie Lu <kjlu@umn.edu>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/staging/iio/magnetometer/hmc5843_i2c.c | 7 ++++++-
 drivers/staging/iio/magnetometer/hmc5843_spi.c | 7 ++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/drivers/staging/iio/magnetometer/hmc5843_i2c.c b/drivers/staging/iio/magnetometer/hmc5843_i2c.c
index 3e06ceb320596..676a8e329eeb6 100644
--- a/drivers/staging/iio/magnetometer/hmc5843_i2c.c
+++ b/drivers/staging/iio/magnetometer/hmc5843_i2c.c
@@ -59,8 +59,13 @@ static const struct regmap_config hmc5843_i2c_regmap_config = {
 static int hmc5843_i2c_probe(struct i2c_client *cli,
 			     const struct i2c_device_id *id)
 {
+	struct regmap *regmap = devm_regmap_init_i2c(cli,
+			&hmc5843_i2c_regmap_config);
+	if (IS_ERR(regmap))
+		return PTR_ERR(regmap);
+
 	return hmc5843_common_probe(&cli->dev,
-			devm_regmap_init_i2c(cli, &hmc5843_i2c_regmap_config),
+			regmap,
 			id->driver_data, id->name);
 }
 
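Review bot: IS_ERR() is the right test here, since devm_regmap_init_i2c() reports failure as an ERR_PTR-encoded errno rather than NULL, so the commit message's "return NULL" wording should be corrected to match the check the hunk actually adds. Style: checkpatch will flag the missing blank line between the `struct regmap *regmap = devm_regmap_init_i2c(...)` declaration and the `if`; splitting the declaration from the call, as the SPI hunk does, reads cleaner and avoids the wrapped initialiser.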
diff --git a/drivers/staging/iio/magnetometer/hmc5843_spi.c b/drivers/staging/iio/magnetometer/hmc5843_spi.c
index 8be198058ea20..fded442a3c1d1 100644
--- a/drivers/staging/iio/magnetometer/hmc5843_spi.c
+++ b/drivers/staging/iio/magnetometer/hmc5843_spi.c
@@ -59,6 +59,7 @@ static const struct regmap_config hmc5843_spi_regmap_config = {
 static int hmc5843_spi_probe(struct spi_device *spi)
 {
 	int ret;
+	struct regmap *regmap;
 	const struct spi_device_id *id = spi_get_device_id(spi);
 
 	spi->mode = SPI_MODE_3;
@@ -68,8 +69,12 @@ static int hmc5843_spi_probe(struct spi_device *spi)
 	if (ret)
 		return ret;
 
+	regmap = devm_regmap_init_spi(spi, &hmc5843_spi_regmap_config);
+	if (IS_ERR(regmap))
+		return PTR_ERR(regmap);
+
 	return hmc5843_common_probe(&spi->dev,
-			devm_regmap_init_spi(spi, &hmc5843_spi_regmap_config),
+			regmap,
 			id->driver_data, id->name);
 }
 
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 250+ messages in thread
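
The ERR_PTR convention behind the hmc5843 fix above, as an added user-space model that is not part of the patch or the kernel tree. `ERR_PTR`, `PTR_ERR` and `IS_ERR` are re-implemented here the way the kernel defines them; `fake_regmap_init`, `common_probe`, `probe_null_check` and `probe_is_err` are hypothetical stand-ins for devm_regmap_init_i2c() and hmc5843_common_probe(). It shows why a NULL test never catches the failure value those initialisers return and why the patched check does.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Kernel convention: a negative errno is encoded in the top 4095 addresses. */
#define MAX_ERRNO 4095

static inline void *ERR_PTR(long error)
{
	return (void *)(intptr_t)error;
}

static inline long PTR_ERR(const void *ptr)
{
	return (long)(intptr_t)ptr;
}

static inline bool IS_ERR(const void *ptr)
{
	return (uintptr_t)ptr >= (uintptr_t)-MAX_ERRNO;
}

struct regmap {
	int ready;	/* fake state the consumer reads; 0 once initialised */
};

/* Hypothetical stand-in for devm_regmap_init_i2c()/_spi(): like the real
 * functions it never returns NULL; failure is ERR_PTR(-errno). */
static struct regmap *fake_regmap_init(bool fail)
{
	static struct regmap map;

	if (fail)
		return ERR_PTR(-ENOMEM);
	return &map;
}

/* Stand-in for hmc5843_common_probe(): dereferences the map it is handed. */
static int common_probe(struct regmap *map)
{
	return map->ready;
}

/* "Before": a NULL test, the check the commit message has in mind. It never
 * fires for an ERR_PTR, so the bad pointer would reach common_probe(). This
 * model returns 1 instead of faulting so the hazard can be asserted on. */
static int probe_null_check(bool fail)
{
	struct regmap *map = fake_regmap_init(fail);

	if (!map)
		return -ENODEV;
	if (IS_ERR(map))
		return 1;	/* a real driver would dereference here */
	return common_probe(map);
}

/* "After": the patched shape, propagating the encoded errno to the caller. */
static int probe_is_err(bool fail)
{
	struct regmap *map = fake_regmap_init(fail);

	if (IS_ERR(map))
		return (int)PTR_ERR(map);
	return common_probe(map);
}
```

With the allocation failing, `probe_null_check()` sails past its `!map` test and would dereference `ERR_PTR(-ENOMEM)`, while `probe_is_err()` returns `-ENOMEM`; with it succeeding, both return 0.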

* [PATCH 4.4 150/241] iio: common: ssp_sensors: Initialize calculated_time in ssp_common_process_data
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (148 preceding siblings ...)
  2019-06-09 16:41 ` [PATCH 4.4 149/241] iio: hmc5843: fix potential NULL pointer dereferences Greg Kroah-Hartman
@ 2019-06-09 16:41 ` Greg Kroah-Hartman
  2019-06-09 16:41 ` [PATCH 4.4 151/241] rtlwifi: fix a potential NULL pointer dereference Greg Kroah-Hartman
                   ` (95 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nathan Chancellor, Nick Desaulniers,
	Jonathan Cameron, Sasha Levin

[ Upstream commit 6f9ca1d3eb74b81f811a87002de2d51640d135b1 ]

When building with -Wsometimes-uninitialized, Clang warns:

drivers/iio/common/ssp_sensors/ssp_iio.c:95:6: warning: variable
'calculated_time' is used uninitialized whenever 'if' condition is false
[-Wsometimes-uninitialized]

While it isn't wrong, this will never be a problem because
iio_push_to_buffers_with_timestamp only uses calculated_time
on the same condition that it is assigned (when scan_timestamp
is not zero). While iio_push_to_buffers_with_timestamp is marked
as inline, Clang does inlining in the optimization stage, which
happens after the semantic analysis phase (plus inline is merely
a hint to the compiler).

Fix this by just zero initializing calculated_time.

Link: https://github.com/ClangBuiltLinux/linux/issues/394
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/iio/common/ssp_sensors/ssp_iio.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/iio/common/ssp_sensors/ssp_iio.c b/drivers/iio/common/ssp_sensors/ssp_iio.c
index a3ae165f8d9f3..16180e6321bd4 100644
--- a/drivers/iio/common/ssp_sensors/ssp_iio.c
+++ b/drivers/iio/common/ssp_sensors/ssp_iio.c
@@ -80,7 +80,7 @@ int ssp_common_process_data(struct iio_dev *indio_dev, void *buf,
 			    unsigned int len, int64_t timestamp)
 {
 	__le32 time;
-	int64_t calculated_time;
+	int64_t calculated_time = 0;
 	struct ssp_sensor_data *spd = iio_priv(indio_dev);
 
 	if (indio_dev->scan_bytes == 0)
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 250+ messages in thread

* [PATCH 4.4 151/241] rtlwifi: fix a potential NULL pointer dereference
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (149 preceding siblings ...)
  2019-06-09 16:41 ` [PATCH 4.4 150/241] iio: common: ssp_sensors: Initialize calculated_time in ssp_common_process_data Greg Kroah-Hartman
@ 2019-06-09 16:41 ` Greg Kroah-Hartman
  2019-06-09 16:41 ` [PATCH 4.4 152/241] brcmfmac: fix missing checks for kmemdup Greg Kroah-Hartman
                   ` (94 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kangjie Lu, Kalle Valo, Sasha Levin

[ Upstream commit 765976285a8c8db3f0eb7f033829a899d0c2786e ]

In case alloc_workqueue fails, the fix reports the error and
returns to avoid NULL pointer dereference.

Signed-off-by: Kangjie Lu <kjlu@umn.edu>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/realtek/rtlwifi/base.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/net/wireless/realtek/rtlwifi/base.c b/drivers/net/wireless/realtek/rtlwifi/base.c
index aab752328c269..5013d8c1d4a60 100644
--- a/drivers/net/wireless/realtek/rtlwifi/base.c
+++ b/drivers/net/wireless/realtek/rtlwifi/base.c
@@ -466,6 +466,11 @@ static void _rtl_init_deferred_work(struct ieee80211_hw *hw)
 	/* <2> work queue */
 	rtlpriv->works.hw = hw;
 	rtlpriv->works.rtl_wq = alloc_workqueue("%s", 0, 0, rtlpriv->cfg->name);
+	if (unlikely(!rtlpriv->works.rtl_wq)) {
+		pr_err("Failed to allocate work queue\n");
+		return;
+	}
+
 	INIT_DELAYED_WORK(&rtlpriv->works.watchdog_wq,
 			  (void *)rtl_watchdog_wq_callback);
 	INIT_DELAYED_WORK(&rtlpriv->works.ips_nic_off_wq,
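Review bot: _rtl_init_deferred_work() is `static void`, so the early `return` only moves the problem rather than removing it: the caller cannot learn that rtl_wq is NULL, the INIT_DELAYED_WORK() calls below are skipped, and any later queue or cancel on works.rtl_wq or on the now-uninitialised work structs still operates on bad state. Make the function return an int, propagate -ENOMEM, and have the caller fail initialisation on it.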
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 250+ messages in thread

* [PATCH 4.4 152/241] brcmfmac: fix missing checks for kmemdup
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (150 preceding siblings ...)
  2019-06-09 16:41 ` [PATCH 4.4 151/241] rtlwifi: fix a potential NULL pointer dereference Greg Kroah-Hartman
@ 2019-06-09 16:41 ` Greg Kroah-Hartman
  2019-06-09 16:41 ` [PATCH 4.4 153/241] b43: shut up clang -Wuninitialized variable warning Greg Kroah-Hartman
                   ` (93 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kangjie Lu, Arend van Spriel,
	Kalle Valo, Sasha Levin

[ Upstream commit 46953f97224d56a12ccbe9c6acaa84ca0dab2780 ]

In case kmemdup fails, the fix sets conn_info->req_ie_len and
conn_info->resp_ie_len to zero to avoid buffer overflows.

Signed-off-by: Kangjie Lu <kjlu@umn.edu>
Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c
index ad35e760ed3f0..e3f5dacd918d7 100644
--- a/drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c
@@ -4836,6 +4836,8 @@ static s32 brcmf_get_assoc_ies(struct brcmf_cfg80211_info *cfg,
 		conn_info->req_ie =
 		    kmemdup(cfg->extra_buf, conn_info->req_ie_len,
 			    GFP_KERNEL);
+		if (!conn_info->req_ie)
+			conn_info->req_ie_len = 0;
 	} else {
 		conn_info->req_ie_len = 0;
 		conn_info->req_ie = NULL;
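Review bot: zeroing req_ie_len keeps the pointer/length pair consistent, which is the important part, but the function still returns success, so association proceeds silently without its request IEs; consider returning -ENOMEM, or at least logging the failure, so the dropped IEs are visible rather than indistinguishable from the `else` branch where none were present.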
@@ -4852,6 +4854,8 @@ static s32 brcmf_get_assoc_ies(struct brcmf_cfg80211_info *cfg,
 		conn_info->resp_ie =
 		    kmemdup(cfg->extra_buf, conn_info->resp_ie_len,
 			    GFP_KERNEL);
+		if (!conn_info->resp_ie)
+			conn_info->resp_ie_len = 0;
 	} else {
 		conn_info->resp_ie_len = 0;
 		conn_info->resp_ie = NULL;
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 250+ messages in thread
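
The pointer/length invariant behind the brcmfmac fix above, as an added example that is not part of the patch or the kernel tree. `count_ies` is a generic walker over 802.11 information elements (tag, length, value); `struct assoc_ies`, `fake_kmemdup`, `set_assoc_ies` and `scenario` are hypothetical stand-ins for the driver's conn_info handling, with an injectable allocation failure so the error path can actually be exercised. The sample IE bytes are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the pointer/length pair the driver keeps. */
struct assoc_ies {
	uint8_t *req_ie;
	size_t req_ie_len;
};

/* Constructed sample: SSID "ab" (tag 0), rates (tag 1), DS param (tag 3). */
static const uint8_t sample_ies[] = {
	0x00, 0x02, 'a', 'b',
	0x01, 0x03, 0x82, 0x84, 0x8b,
	0x03, 0x01, 0x06,
};

static bool alloc_should_fail;

/* kmemdup() stand-in with an injectable failure. */
static void *fake_kmemdup(const void *src, size_t len)
{
	void *p;

	if (alloc_should_fail)
		return NULL;
	p = malloc(len);
	if (p)
		memcpy(p, src, len);
	return p;
}

/* Walk tag/len/value elements over exactly [ie, ie + len). Returns the
 * number of well-formed elements, or -1 if an element runs past the buffer
 * or if len claims data while ie is NULL, the state the patch prevents (a
 * real consumer would read through the NULL instead of noticing). */
static int count_ies(const uint8_t *ie, size_t len)
{
	size_t off = 0;
	int n = 0;

	if (!ie && len)
		return -1;
	while (off + 2 <= len) {
		size_t elen = ie[off + 1];

		if (off + 2 + elen > len)
			return -1;
		off += 2 + elen;
		n++;
	}
	return off == len ? n : -1;
}

/* Mirrors the patched branch when fix is true: on allocation failure the
 * length follows the pointer to zero, so consumers see "no IEs" rather than
 * "len bytes at NULL". With fix false it behaves like the pre-patch code. */
static void set_assoc_ies(struct assoc_ies *ci, const uint8_t *src,
			  size_t len, bool fix)
{
	free(ci->req_ie);
	ci->req_ie_len = len;
	ci->req_ie = fake_kmemdup(src, len);
	if (fix && !ci->req_ie)
		ci->req_ie_len = 0;
}

/* Runs one scenario and returns what a consumer computes from the pair. */
static int scenario(bool fail_alloc, bool fix)
{
	struct assoc_ies ci = { 0 };
	int n;

	alloc_should_fail = fail_alloc;
	set_assoc_ies(&ci, sample_ies, sizeof(sample_ies), fix);
	n = count_ies(ci.req_ie, ci.req_ie_len);
	free(ci.req_ie);
	return n;
}
```

When the copy succeeds both shapes parse the three elements; when it fails, the patched shape yields an empty, consistent pair (0 elements), while the unpatched one hands the consumer a NULL buffer with a non-zero length.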

* [PATCH 4.4 153/241] b43: shut up clang -Wuninitialized variable warning
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (151 preceding siblings ...)
  2019-06-09 16:41 ` [PATCH 4.4 152/241] brcmfmac: fix missing checks for kmemdup Greg Kroah-Hartman
@ 2019-06-09 16:41 ` Greg Kroah-Hartman
  2019-06-09 16:41 ` [PATCH 4.4 154/241] brcmfmac: convert dev_init_lock mutex to completion Greg Kroah-Hartman
                   ` (92 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Arnd Bergmann, Larry Finger,
	Nathan Chancellor, Kalle Valo, Sasha Levin

[ Upstream commit d825db346270dbceef83b7b750dbc29f1d7dcc0e ]

Clang warns about what is clearly a case of passing an uninitialized
variable into a static function:

drivers/net/wireless/broadcom/b43/phy_lp.c:1852:23: error: variable 'gains' is uninitialized when used here
      [-Werror,-Wuninitialized]
                lpphy_papd_cal(dev, gains, 0, 1, 30);
                                    ^~~~~
drivers/net/wireless/broadcom/b43/phy_lp.c:1838:2: note: variable 'gains' is declared here
        struct lpphy_tx_gains gains, oldgains;
        ^
1 error generated.

However, this function is empty, and its arguments are never evaluated,
so gcc in contrast does not warn here. Both compilers behave in a
reasonable way as far as I can tell, so we should change the code
to avoid the warning everywhere.

We could just eliminate the lpphy_papd_cal() function entirely,
given that it has had the TODO comment in it for 10 years now
and is rather unlikely to ever get done. I'm doing a simpler
change here, and just pass the 'oldgains' variable in that has
been initialized, based on the guess that this is what was
originally meant.

Fixes: 2c0d6100da3e ("b43: LP-PHY: Begin implementing calibration & software RFKILL support")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Larry Finger <Larry.Finger@lwfinger.net>
Reviewed-by: Nathan Chancellor <natechancellor@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/b43/phy_lp.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/net/wireless/b43/phy_lp.c b/drivers/net/wireless/b43/phy_lp.c
index 058a9f2320503..55cb07693ae80 100644
--- a/drivers/net/wireless/b43/phy_lp.c
+++ b/drivers/net/wireless/b43/phy_lp.c
@@ -1834,7 +1834,7 @@ static void lpphy_papd_cal(struct b43_wldev *dev, struct lpphy_tx_gains gains,
 static void lpphy_papd_cal_txpwr(struct b43_wldev *dev)
 {
 	struct b43_phy_lp *lpphy = dev->phy.lp;
-	struct lpphy_tx_gains gains, oldgains;
+	struct lpphy_tx_gains oldgains;
 	int old_txpctl, old_afe_ovr, old_rf, old_bbmult;
 
 	lpphy_read_tx_pctl_mode_from_hardware(dev);
@@ -1848,9 +1848,9 @@ static void lpphy_papd_cal_txpwr(struct b43_wldev *dev)
 	lpphy_set_tx_power_control(dev, B43_LPPHY_TXPCTL_OFF);
 
 	if (dev->dev->chip_id == 0x4325 && dev->dev->chip_rev == 0)
-		lpphy_papd_cal(dev, gains, 0, 1, 30);
+		lpphy_papd_cal(dev, oldgains, 0, 1, 30);
 	else
-		lpphy_papd_cal(dev, gains, 0, 1, 65);
+		lpphy_papd_cal(dev, oldgains, 0, 1, 65);
 
 	if (old_afe_ovr)
 		lpphy_set_tx_gains(dev, oldgains);
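Review bot: oldgains is now handed to lpphy_papd_cal() on both branches, but the only other use in view, `if (old_afe_ovr) lpphy_set_tx_gains(dev, oldgains);`, suggests its contents are only meaningful when old_afe_ovr is set, so once the TODO stub is filled in the calibration may receive stale gains on the other path. A one-line comment at the call site saying the argument is a placeholder for the unimplemented calibration (or dropping the unused parameter from the stub) would stop the next reader from treating it as the intended input.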
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 250+ messages in thread

* [PATCH 4.4 154/241] brcmfmac: convert dev_init_lock mutex to completion
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (152 preceding siblings ...)
  2019-06-09 16:41 ` [PATCH 4.4 153/241] b43: shut up clang -Wuninitialized variable warning Greg Kroah-Hartman
@ 2019-06-09 16:41 ` Greg Kroah-Hartman
  2019-06-09 16:41 ` [PATCH 4.4 155/241] brcmfmac: fix race during disconnect when USB completion is in progress Greg Kroah-Hartman
                   ` (91 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Piotr Figiel, Kalle Valo, Sasha Levin

[ Upstream commit a9fd0953fa4a62887306be28641b4b0809f3b2fd ]

Leaving dev_init_lock mutex locked in probe causes BUG and a WARNING when
kernel is compiled with CONFIG_PROVE_LOCKING. Convert mutex to completion
which silences those warnings and improves code readability.

Fix below errors when connecting the USB WiFi dongle:

brcmfmac: brcmf_fw_alloc_request: using brcm/brcmfmac43143 for chip BCM43143/2
BUG: workqueue leaked lock or atomic: kworker/0:2/0x00000000/434
     last function: hub_event
1 lock held by kworker/0:2/434:
 #0: 18d5dcdf (&devinfo->dev_init_lock){+.+.}, at: brcmf_usb_probe+0x78/0x550 [brcmfmac]
CPU: 0 PID: 434 Comm: kworker/0:2 Not tainted 4.19.23-00084-g454a789-dirty #123
Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
Workqueue: usb_hub_wq hub_event
[<8011237c>] (unwind_backtrace) from [<8010d74c>] (show_stack+0x10/0x14)
[<8010d74c>] (show_stack) from [<809c4324>] (dump_stack+0xa8/0xd4)
[<809c4324>] (dump_stack) from [<8014195c>] (process_one_work+0x710/0x808)
[<8014195c>] (process_one_work) from [<80141a80>] (worker_thread+0x2c/0x564)
[<80141a80>] (worker_thread) from [<80147bcc>] (kthread+0x13c/0x16c)
[<80147bcc>] (kthread) from [<801010b4>] (ret_from_fork+0x14/0x20)
Exception stack(0xed1d9fb0 to 0xed1d9ff8)
9fa0:                                     00000000 00000000 00000000 00000000
9fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
9fe0: 00000000 00000000 00000000 00000000 00000013 00000000

======================================================
WARNING: possible circular locking dependency detected
4.19.23-00084-g454a789-dirty #123 Not tainted
------------------------------------------------------
kworker/0:2/434 is trying to acquire lock:
e29cf799 ((wq_completion)"events"){+.+.}, at: process_one_work+0x174/0x808

but task is already holding lock:
18d5dcdf (&devinfo->dev_init_lock){+.+.}, at: brcmf_usb_probe+0x78/0x550 [brcmfmac]

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

-> #2 (&devinfo->dev_init_lock){+.+.}:
       mutex_lock_nested+0x1c/0x24
       brcmf_usb_probe+0x78/0x550 [brcmfmac]
       usb_probe_interface+0xc0/0x1bc
       really_probe+0x228/0x2c0
       __driver_attach+0xe4/0xe8
       bus_for_each_dev+0x68/0xb4
       bus_add_driver+0x19c/0x214
       driver_register+0x78/0x110
       usb_register_driver+0x84/0x148
       process_one_work+0x228/0x808
       worker_thread+0x2c/0x564
       kthread+0x13c/0x16c
       ret_from_fork+0x14/0x20
         (null)

-> #1 (brcmf_driver_work){+.+.}:
       worker_thread+0x2c/0x564
       kthread+0x13c/0x16c
       ret_from_fork+0x14/0x20
         (null)

-> #0 ((wq_completion)"events"){+.+.}:
       process_one_work+0x1b8/0x808
       worker_thread+0x2c/0x564
       kthread+0x13c/0x16c
       ret_from_fork+0x14/0x20
         (null)

other info that might help us debug this:

Chain exists of:
  (wq_completion)"events" --> brcmf_driver_work --> &devinfo->dev_init_lock

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&devinfo->dev_init_lock);
                               lock(brcmf_driver_work);
                               lock(&devinfo->dev_init_lock);
  lock((wq_completion)"events");

 *** DEADLOCK ***

1 lock held by kworker/0:2/434:
 #0: 18d5dcdf (&devinfo->dev_init_lock){+.+.}, at: brcmf_usb_probe+0x78/0x550 [brcmfmac]

stack backtrace:
CPU: 0 PID: 434 Comm: kworker/0:2 Not tainted 4.19.23-00084-g454a789-dirty #123
Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
Workqueue: events request_firmware_work_func
[<8011237c>] (unwind_backtrace) from [<8010d74c>] (show_stack+0x10/0x14)
[<8010d74c>] (show_stack) from [<809c4324>] (dump_stack+0xa8/0xd4)
[<809c4324>] (dump_stack) from [<80172838>] (print_circular_bug+0x210/0x330)
[<80172838>] (print_circular_bug) from [<80175940>] (__lock_acquire+0x160c/0x1a30)
[<80175940>] (__lock_acquire) from [<8017671c>] (lock_acquire+0xe0/0x268)
[<8017671c>] (lock_acquire) from [<80141404>] (process_one_work+0x1b8/0x808)
[<80141404>] (process_one_work) from [<80141a80>] (worker_thread+0x2c/0x564)
[<80141a80>] (worker_thread) from [<80147bcc>] (kthread+0x13c/0x16c)
[<80147bcc>] (kthread) from [<801010b4>] (ret_from_fork+0x14/0x20)
Exception stack(0xed1d9fb0 to 0xed1d9ff8)
9fa0:                                     00000000 00000000 00000000 00000000
9fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
9fe0: 00000000 00000000 00000000 00000000 00000013 00000000

Signed-off-by: Piotr Figiel <p.figiel@camlintechnologies.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/brcm80211/brcmfmac/usb.c | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)

diff --git a/drivers/net/wireless/brcm80211/brcmfmac/usb.c b/drivers/net/wireless/brcm80211/brcmfmac/usb.c
index 689e64d004bc5..32b7b8a8f80c6 100644
--- a/drivers/net/wireless/brcm80211/brcmfmac/usb.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/usb.c
@@ -144,7 +144,7 @@ struct brcmf_usbdev_info {
 
 	struct usb_device *usbdev;
 	struct device *dev;
-	struct mutex dev_init_lock;
+	struct completion dev_init_done;
 
 	int ctl_in_pipe, ctl_out_pipe;
 	struct urb *ctl_urb; /* URB for control endpoint */
@@ -1226,11 +1226,11 @@ static void brcmf_usb_probe_phase2(struct device *dev,
 	if (ret)
 		goto error;
 
-	mutex_unlock(&devinfo->dev_init_lock);
+	complete(&devinfo->dev_init_done);
 	return;
 error:
 	brcmf_dbg(TRACE, "failed: dev=%s, err=%d\n", dev_name(dev), ret);
-	mutex_unlock(&devinfo->dev_init_lock);
+	complete(&devinfo->dev_init_done);
 	device_release_driver(dev);
 }
 
@@ -1268,7 +1268,7 @@ static int brcmf_usb_probe_cb(struct brcmf_usbdev_info *devinfo)
 		if (ret)
 			goto fail;
 		/* we are done */
-		mutex_unlock(&devinfo->dev_init_lock);
+		complete(&devinfo->dev_init_done);
 		return 0;
 	}
 	bus->chip = bus_pub->devid;
@@ -1322,11 +1322,10 @@ brcmf_usb_probe(struct usb_interface *intf, const struct usb_device_id *id)
 
 	devinfo->usbdev = usb;
 	devinfo->dev = &usb->dev;
-	/* Take an init lock, to protect for disconnect while still loading.
+	/* Init completion, to protect for disconnect while still loading.
 	 * Necessary because of the asynchronous firmware load construction
 	 */
-	mutex_init(&devinfo->dev_init_lock);
-	mutex_lock(&devinfo->dev_init_lock);
+	init_completion(&devinfo->dev_init_done);
 
 	usb_set_intfdata(intf, devinfo);
 
@@ -1402,7 +1401,7 @@ brcmf_usb_probe(struct usb_interface *intf, const struct usb_device_id *id)
 	return 0;
 
 fail:
-	mutex_unlock(&devinfo->dev_init_lock);
+	complete(&devinfo->dev_init_done);
 	kfree(devinfo);
 	usb_set_intfdata(intf, NULL);
 	return ret;
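Review bot: in the `fail:` path complete(&devinfo->dev_init_done) is followed by kfree(devinfo) and only then by usb_set_intfdata(intf, NULL); a disconnect that could run in between would still find the intfdata, return at once from wait_for_completion() and touch freed memory. The mutex version had the same ordering, and it is safe only because the USB core does not invoke disconnect while probe is still running; either say so in a comment or move usb_set_intfdata(intf, NULL) ahead of the kfree() so the window does not exist at all.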
@@ -1417,7 +1416,7 @@ brcmf_usb_disconnect(struct usb_interface *intf)
 	devinfo = (struct brcmf_usbdev_info *)usb_get_intfdata(intf);
 
 	if (devinfo) {
-		mutex_lock(&devinfo->dev_init_lock);
+		wait_for_completion(&devinfo->dev_init_done);
 		/* Make sure that devinfo still exists. Firmware probe routines
 		 * may have released the device and cleared the intfdata.
 		 */
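Review bot: wait_for_completion() here is uninterruptible and unbounded, so if the asynchronous firmware load never calls back (brcmf_usb_probe_phase2 never runs and nothing calls complete()) disconnect parks the usb_hub_wq worker for good, exactly as the mutex did; the conversion fixes the lockdep report, not that hang. Consider wait_for_completion_killable() or a timeout with a dev_err(), or document why an unbounded wait is acceptable. The comment below about devinfo possibly having been freed is now the only guard after the wait and deserves to stay directly attached to it.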
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 250+ messages in thread
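The ownership rule behind this conversion, shown as an added userland example that is not brcmfmac code: a pthread mutex, like a kernel mutex, must be released by the thread that took it, so the old pattern of locking in probe and unlocking from the firmware callback is exactly what lockdep objects to, while a completion exists to be signalled from another context. The completion type, the probe/probe_phase2/disconnect names and the devinfo struct are a model of the driver's flow, not its code, and the block assumes POSIX threads.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <pthread.h>
#include <stdio.h>

/* Userland stand-in for the kernel's struct completion: any thread may
 * complete() it, and wait_for_completion() blocks until that has happened. */
struct completion {
	pthread_mutex_t lock;
	pthread_cond_t cond;
	int done;
};

static void init_completion(struct completion *c)
{
	pthread_mutex_init(&c->lock, NULL);
	pthread_cond_init(&c->cond, NULL);
	c->done = 0;
}

static void complete(struct completion *c)
{
	pthread_mutex_lock(&c->lock);
	c->done = 1;
	pthread_cond_broadcast(&c->cond);
	pthread_mutex_unlock(&c->lock);
}

static void wait_for_completion(struct completion *c)
{
	pthread_mutex_lock(&c->lock);
	while (!c->done)
		pthread_cond_wait(&c->cond, &c->lock);
	pthread_mutex_unlock(&c->lock);
}

/* Old pattern: "probe" takes a mutex and returns, and a later "firmware
 * callback" thread releases it.  An error-checking mutex refuses with
 * EPERM, because a mutex may only be unlocked by the thread that owns it. */
static void *unlock_from_other_thread(void *arg)
{
	return (void *)(long)pthread_mutex_unlock((pthread_mutex_t *)arg);
}

static int mutex_handoff_result(void)
{
	pthread_mutexattr_t attr;
	pthread_mutex_t dev_init_lock;
	pthread_t t;
	void *ret;

	pthread_mutexattr_init(&attr);
	pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_ERRORCHECK);
	pthread_mutex_init(&dev_init_lock, &attr);
	pthread_mutex_lock(&dev_init_lock);		/* "probe" */
	pthread_create(&t, NULL, unlock_from_other_thread, &dev_init_lock);
	pthread_join(t, &ret);				/* "probe_phase2" */
	pthread_mutex_unlock(&dev_init_lock);		/* owner cleans up */
	pthread_mutex_destroy(&dev_init_lock);
	return (int)(long)ret;				/* EPERM */
}

/* New pattern: the callback completes and "disconnect" waits; no ownership
 * rule is involved, so there is nothing for lockdep to object to. */
struct devinfo {
	struct completion dev_init_done;
	int firmware_loaded;
};

static void *probe_phase2(void *arg)
{
	struct devinfo *d = arg;

	d->firmware_loaded = 1;	/* the work the async firmware callback does */
	complete(&d->dev_init_done);
	return NULL;
}

static int completion_handoff_result(void)
{
	struct devinfo d = { .firmware_loaded = 0 };
	pthread_t t;

	init_completion(&d.dev_init_done);		/* "probe" */
	pthread_create(&t, NULL, probe_phase2, &d);
	wait_for_completion(&d.dev_init_done);		/* "disconnect" */
	pthread_join(t, NULL);
	return d.firmware_loaded;	/* 1: phase2 finished before we went on */
}

int main(void)
{
	printf("unlock from another thread: %s\n",
	       mutex_handoff_result() == EPERM ? "rejected (EPERM)" : "allowed");
	printf("completion hand-off: firmware_loaded=%d\n",
	       completion_handoff_result());
	return 0;
}
```

The error-checking attribute is what makes the misuse visible in userland; a default pthread mutex would silently accept the foreign unlock, much as the kernel mutex did until lockdep was enabled. The completion variant has no owner, which is why it is the right primitive for "wait until the other context is done".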

* [PATCH 4.4 155/241] brcmfmac: fix race during disconnect when USB completion is in progress
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (153 preceding siblings ...)
  2019-06-09 16:41 ` [PATCH 4.4 154/241] brcmfmac: convert dev_init_lock mutex to completion Greg Kroah-Hartman
@ 2019-06-09 16:41 ` Greg Kroah-Hartman
  2019-06-09 16:41 ` [PATCH 4.4 156/241] scsi: ufs: Fix regulator load and icc-level configuration Greg Kroah-Hartman
                   ` (90 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Piotr Figiel, Kalle Valo, Sasha Levin

[ Upstream commit db3b9e2e1d58080d0754bdf9293dabf8c6491b67 ]

It was observed that rarely during USB disconnect happening shortly after
connect (before full initialization completes) usb_hub_wq would wait
forever for the dev_init_lock to be unlocked. dev_init_lock would remain
locked though because of infinite wait during usb_kill_urb:

[ 2730.656472] kworker/0:2     D    0   260      2 0x00000000
[ 2730.660700] Workqueue: events request_firmware_work_func
[ 2730.664807] [<809dca20>] (__schedule) from [<809dd164>] (schedule+0x4c/0xac)
[ 2730.670587] [<809dd164>] (schedule) from [<8069af44>] (usb_kill_urb+0xdc/0x114)
[ 2730.676815] [<8069af44>] (usb_kill_urb) from [<7f258b50>] (brcmf_usb_free_q+0x34/0xa8 [brcmfmac])
[ 2730.684833] [<7f258b50>] (brcmf_usb_free_q [brcmfmac]) from [<7f2517d4>] (brcmf_detach+0xa0/0xb8 [brcmfmac])
[ 2730.693557] [<7f2517d4>] (brcmf_detach [brcmfmac]) from [<7f251a34>] (brcmf_attach+0xac/0x3d8 [brcmfmac])
[ 2730.702094] [<7f251a34>] (brcmf_attach [brcmfmac]) from [<7f2587ac>] (brcmf_usb_probe_phase2+0x468/0x4a0 [brcmfmac])
[ 2730.711601] [<7f2587ac>] (brcmf_usb_probe_phase2 [brcmfmac]) from [<7f252888>] (brcmf_fw_request_done+0x194/0x220 [brcmfmac])
[ 2730.721795] [<7f252888>] (brcmf_fw_request_done [brcmfmac]) from [<805748e4>] (request_firmware_work_func+0x4c/0x88)
[ 2730.731125] [<805748e4>] (request_firmware_work_func) from [<80141474>] (process_one_work+0x228/0x808)
[ 2730.739223] [<80141474>] (process_one_work) from [<80141a80>] (worker_thread+0x2c/0x564)
[ 2730.746105] [<80141a80>] (worker_thread) from [<80147bcc>] (kthread+0x13c/0x16c)
[ 2730.752227] [<80147bcc>] (kthread) from [<801010b4>] (ret_from_fork+0x14/0x20)

[ 2733.099695] kworker/0:3     D    0  1065      2 0x00000000
[ 2733.103926] Workqueue: usb_hub_wq hub_event
[ 2733.106914] [<809dca20>] (__schedule) from [<809dd164>] (schedule+0x4c/0xac)
[ 2733.112693] [<809dd164>] (schedule) from [<809e2a8c>] (schedule_timeout+0x214/0x3e4)
[ 2733.119621] [<809e2a8c>] (schedule_timeout) from [<809dde2c>] (wait_for_common+0xc4/0x1c0)
[ 2733.126810] [<809dde2c>] (wait_for_common) from [<7f258d00>] (brcmf_usb_disconnect+0x1c/0x4c [brcmfmac])
[ 2733.135206] [<7f258d00>] (brcmf_usb_disconnect [brcmfmac]) from [<8069e0c8>] (usb_unbind_interface+0x5c/0x1e4)
[ 2733.143943] [<8069e0c8>] (usb_unbind_interface) from [<8056d3e8>] (device_release_driver_internal+0x164/0x1fc)
[ 2733.152769] [<8056d3e8>] (device_release_driver_internal) from [<8056c078>] (bus_remove_device+0xd0/0xfc)
[ 2733.161138] [<8056c078>] (bus_remove_device) from [<8056977c>] (device_del+0x11c/0x310)
[ 2733.167939] [<8056977c>] (device_del) from [<8069cba8>] (usb_disable_device+0xa0/0x1cc)
[ 2733.174743] [<8069cba8>] (usb_disable_device) from [<8069507c>] (usb_disconnect+0x74/0x1dc)
[ 2733.181823] [<8069507c>] (usb_disconnect) from [<80695e88>] (hub_event+0x478/0xf88)
[ 2733.188278] [<80695e88>] (hub_event) from [<80141474>] (process_one_work+0x228/0x808)
[ 2733.194905] [<80141474>] (process_one_work) from [<80141a80>] (worker_thread+0x2c/0x564)
[ 2733.201724] [<80141a80>] (worker_thread) from [<80147bcc>] (kthread+0x13c/0x16c)
[ 2733.207913] [<80147bcc>] (kthread) from [<801010b4>] (ret_from_fork+0x14/0x20)

It was traced down to a case where usb_kill_urb would be called on an URB
structure containing more or less random data, including a large number in
its use_count. During the debugging it appeared that in brcmf_usb_free_q()
the traversal over URBs' lists is not synchronized with operations on those
lists in brcmf_usb_rx_complete() leading to handling
brcmf_usbdev_info structure (holding lists' head) as lists' element and in
result causing above problem.

Fix it by walking through all URBs during brcmf_cancel_all_urbs using the
arrays of requests instead of linked lists.

Signed-off-by: Piotr Figiel <p.figiel@camlintechnologies.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/brcm80211/brcmfmac/usb.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/brcm80211/brcmfmac/usb.c b/drivers/net/wireless/brcm80211/brcmfmac/usb.c
index 32b7b8a8f80c6..8a7da04a9ed4b 100644
--- a/drivers/net/wireless/brcm80211/brcmfmac/usb.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/usb.c
@@ -669,12 +669,18 @@ static int brcmf_usb_up(struct device *dev)
 
 static void brcmf_cancel_all_urbs(struct brcmf_usbdev_info *devinfo)
 {
+	int i;
+
 	if (devinfo->ctl_urb)
 		usb_kill_urb(devinfo->ctl_urb);
 	if (devinfo->bulk_urb)
 		usb_kill_urb(devinfo->bulk_urb);
-	brcmf_usb_free_q(&devinfo->tx_postq, true);
-	brcmf_usb_free_q(&devinfo->rx_postq, true);
+	if (devinfo->tx_reqs)
+		for (i = 0; i < devinfo->bus_pub.ntxq; i++)
+			usb_kill_urb(devinfo->tx_reqs[i].urb);
+	if (devinfo->rx_reqs)
+		for (i = 0; i < devinfo->bus_pub.nrxq; i++)
+			usb_kill_urb(devinfo->rx_reqs[i].urb);
 }
 
 static void brcmf_usb_down(struct device *dev)
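Review bot: the array walk removes the unsynchronised list traversal, but usb_kill_urb() is now called on every slot up to bus_pub.ntxq / bus_pub.nrxq, including slots whose urb allocation may have failed; that works because usb_kill_urb() ignores a NULL urb, which is worth a comment so nobody later "fixes" it with a NULL check that short-circuits the loop. Also note that tx_postq and rx_postq are no longer emptied here: whatever brcmf_usb_free_q() did with the list entries is now left to the completion handlers that usb_kill_urb() runs synchronously, so any later teardown of those lists has to tolerate that.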
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 250+ messages in thread

* [PATCH 4.4 156/241] scsi: ufs: Fix regulator load and icc-level configuration
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (154 preceding siblings ...)
  2019-06-09 16:41 ` [PATCH 4.4 155/241] brcmfmac: fix race during disconnect when USB completion is in progress Greg Kroah-Hartman
@ 2019-06-09 16:41 ` Greg Kroah-Hartman
  2019-06-09 16:41 ` [PATCH 4.4 157/241] scsi: ufs: Avoid configuring regulator with undefined voltage range Greg Kroah-Hartman
                   ` (89 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Stanley Chu, Avri Altman,
	Alim Akhtar, Martin K. Petersen, Sasha Levin

[ Upstream commit 0487fff76632ec023d394a05b82e87a971db8c03 ]

Currently if a regulator has "<name>-fixed-regulator" property in device
tree, it will skip current limit initialization.  This leads to a zero
"max_uA" value in struct ufs_vreg.

However, "regulator_set_load" operation shall be required on regulators
which have valid current limits, otherwise a zero "max_uA" set by
"regulator_set_load" may cause unexpected behavior when this regulator is
enabled or set as high power mode.

Similarly, in device's icc_level configuration flow, the target icc_level
shall be updated if regulator also has valid current limit, otherwise a
wrong icc_level will be calculated by zero "max_uA" and thus causes
unexpected results after it is written to device.

Signed-off-by: Stanley Chu <stanley.chu@mediatek.com>
Reviewed-by: Avri Altman <avri.altman@wdc.com>
Acked-by: Alim Akhtar <alim.akhtar@samsung.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/ufs/ufshcd.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
index c94d465de941e..ed76381fce4cc 100644
--- a/drivers/scsi/ufs/ufshcd.c
+++ b/drivers/scsi/ufs/ufshcd.c
@@ -4144,19 +4144,19 @@ static u32 ufshcd_find_max_sup_active_icc_level(struct ufs_hba *hba,
 		goto out;
 	}
 
-	if (hba->vreg_info.vcc)
+	if (hba->vreg_info.vcc && hba->vreg_info.vcc->max_uA)
 		icc_level = ufshcd_get_max_icc_level(
 				hba->vreg_info.vcc->max_uA,
 				POWER_DESC_MAX_ACTV_ICC_LVLS - 1,
 				&desc_buf[PWR_DESC_ACTIVE_LVLS_VCC_0]);
 
-	if (hba->vreg_info.vccq)
+	if (hba->vreg_info.vccq && hba->vreg_info.vccq->max_uA)
 		icc_level = ufshcd_get_max_icc_level(
 				hba->vreg_info.vccq->max_uA,
 				icc_level,
 				&desc_buf[PWR_DESC_ACTIVE_LVLS_VCCQ_0]);
 
-	if (hba->vreg_info.vccq2)
+	if (hba->vreg_info.vccq2 && hba->vreg_info.vccq2->max_uA)
 		icc_level = ufshcd_get_max_icc_level(
 				hba->vreg_info.vccq2->max_uA,
 				icc_level,
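Review bot: the `vreg && vreg->max_uA` test is written out three times for vcc, vccq and vccq2; a small helper (an assumed name, e.g. ufshcd_vreg_has_limit(vreg)) would keep these in step with the identical check added to ufshcd_config_vreg_load() below. When all three regulators are fixed, icc_level is never touched here, so whatever it was initialised to (not in view) is what gets written to the device; a comment stating that the initial value is the intended fallback would help.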
@@ -4390,6 +4390,15 @@ static int ufshcd_config_vreg_load(struct device *dev, struct ufs_vreg *vreg,
 	if (!vreg)
 		return 0;
 
+	/*
+	 * "set_load" operation shall be required on those regulators
+	 * which specifically configured current limitation. Otherwise
+	 * zero max_uA may cause unexpected behavior when regulator is
+	 * enabled or set as high power mode.
+	 */
+	if (!vreg->max_uA)
+		return 0;
+
 	ret = regulator_set_load(vreg->reg, ua);
 	if (ret < 0) {
 		dev_err(dev, "%s: %s set load (ua=%d) failed, err=%d\n",
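Review bot: returning 0 early when max_uA is zero skips regulator_set_load() silently even when the caller passed a non-zero `ua`; that is the intent for fixed regulators, but a dev_dbg() here would make the skipped call visible when debugging power states. The comment's "which specifically configured current limitation" reads better as "which have a current limit configured".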
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 250+ messages in thread

* [PATCH 4.4 157/241] scsi: ufs: Avoid configuring regulator with undefined voltage range
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (155 preceding siblings ...)
  2019-06-09 16:41 ` [PATCH 4.4 156/241] scsi: ufs: Fix regulator load and icc-level configuration Greg Kroah-Hartman
@ 2019-06-09 16:41 ` Greg Kroah-Hartman
  2019-06-09 16:41 ` [PATCH 4.4 158/241] arm64: cpu_ops: fix a leaked reference by adding missing of_node_put Greg Kroah-Hartman
                   ` (88 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Stanley Chu, Avri Altman,
	Alim Akhtar, Martin K. Petersen, Sasha Levin

[ Upstream commit 3b141e8cfd54ba3e5c610717295b2a02aab26a05 ]

For regulators used by UFS, vcc, vccq and vccq2 will have voltage range
initialized by ufshcd_populate_vreg(), however other regulators may have
undefined voltage range if dt-bindings have no such definition.

In above undefined case, both "min_uV" and "max_uV" fields in ufs_vreg
struct will be zero values and these values will be configured on
regulators in different power modes.

Currently this may have no harm if both "min_uV" and "max_uV" always keep
"zero values" because regulator_set_voltage() will always bypass such
invalid values and return "good" results.

However improper values shall be fixed to avoid potential bugs.  Simply
bypass voltage configuration if voltage range is not defined.

Signed-off-by: Stanley Chu <stanley.chu@mediatek.com>
Reviewed-by: Avri Altman <avri.altman@wdc.com>
Acked-by: Alim Akhtar <alim.akhtar@samsung.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/ufs/ufshcd.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
index ed76381fce4cc..7322a17660d10 100644
--- a/drivers/scsi/ufs/ufshcd.c
+++ b/drivers/scsi/ufs/ufshcd.c
@@ -4434,12 +4434,15 @@ static int ufshcd_config_vreg(struct device *dev,
 	name = vreg->name;
 
 	if (regulator_count_voltages(reg) > 0) {
-		min_uV = on ? vreg->min_uV : 0;
-		ret = regulator_set_voltage(reg, min_uV, vreg->max_uV);
-		if (ret) {
-			dev_err(dev, "%s: %s set voltage failed, err=%d\n",
+		if (vreg->min_uV && vreg->max_uV) {
+			min_uV = on ? vreg->min_uV : 0;
+			ret = regulator_set_voltage(reg, min_uV, vreg->max_uV);
+			if (ret) {
+				dev_err(dev,
+					"%s: %s set voltage failed, err=%d\n",
 					__func__, name, ret);
-			goto out;
+				goto out;
+			}
 		}
 
 		uA_load = on ? vreg->max_uA : 0;
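Review bot: `if (vreg->min_uV && vreg->max_uV)` skips a half-defined range (only one of the two non-zero) without any message, which hides a DT misconfiguration; a dev_warn() in that case would be helpful. Note also that `on ? vreg->min_uV : 0` still passes a minimum of 0 to regulator_set_voltage() on the off path, which is the same kind of undefined value the patch is trying to keep away from the regulator core; if that is intentional it deserves a comment.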
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 250+ messages in thread

* [PATCH 4.4 158/241] arm64: cpu_ops: fix a leaked reference by adding missing of_node_put
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (156 preceding siblings ...)
  2019-06-09 16:41 ` [PATCH 4.4 157/241] scsi: ufs: Avoid configuring regulator with undefined voltage range Greg Kroah-Hartman
@ 2019-06-09 16:41 ` Greg Kroah-Hartman
  2019-06-09 16:41 ` [PATCH 4.4 159/241] x86/ia32: Fix ia32_restore_sigcontext() AC leak Greg Kroah-Hartman
                   ` (87 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Wen Yang, Florian Fainelli,
	Catalin Marinas, Will Deacon, linux-arm-kernel, Sasha Levin

[ Upstream commit 92606ec9285fb84cd9b5943df23f07d741384bfc ]

The call to of_get_next_child returns a node pointer with refcount
incremented thus it must be explicitly decremented after the last
usage.

Detected by coccinelle with the following warnings:
  ./arch/arm64/kernel/cpu_ops.c:102:1-7: ERROR: missing of_node_put;
  acquired a node pointer with refcount incremented on line 69, but
  without a corresponding object release within this function.

Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will.deacon@arm.com>
Cc: linux-arm-kernel@lists.infradead.org
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm64/kernel/cpu_ops.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/arch/arm64/kernel/cpu_ops.c b/arch/arm64/kernel/cpu_ops.c
index b6bd7d4477683..fbd6aead48e10 100644
--- a/arch/arm64/kernel/cpu_ops.c
+++ b/arch/arm64/kernel/cpu_ops.c
@@ -73,6 +73,7 @@ static const char *__init cpu_read_enable_method(int cpu)
 				pr_err("%s: missing enable-method property\n",
 					dn->full_name);
 		}
+		of_node_put(dn);
 	} else {
 		enable_method = acpi_get_enable_method(cpu);
 		if (!enable_method)
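Review bot: of_node_put(dn) is placed before the function returns enable_method; if enable_method in the DT branch is a pointer into the node's property data (what of_get_property() returns), the string is used after the reference is dropped. That is fine in practice because nodes from the flattened device tree are never freed, but the put would be clearer with a comment saying the string outlives the reference, or the caller could copy it.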
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 250+ messages in thread

* [PATCH 4.4 159/241] x86/ia32: Fix ia32_restore_sigcontext() AC leak
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (157 preceding siblings ...)
  2019-06-09 16:41 ` [PATCH 4.4 158/241] arm64: cpu_ops: fix a leaked reference by adding missing of_node_put Greg Kroah-Hartman
@ 2019-06-09 16:41 ` Greg Kroah-Hartman
  2019-06-09 16:41 ` [PATCH 4.4 160/241] chardev: add additional check for minor range overlap Greg Kroah-Hartman
                   ` (86 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Peter Zijlstra (Intel),
	Borislav Petkov, Josh Poimboeuf, Linus Torvalds, Thomas Gleixner,
	Ingo Molnar, Sasha Levin

[ Upstream commit 67a0514afdbb8b2fc70b771b8c77661a9cb9d3a9 ]

Objtool spotted that we call native_load_gs_index() with AC set.
Re-arrange the code to avoid that.

Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/x86/ia32/ia32_signal.c | 29 +++++++++++++++++------------
 1 file changed, 17 insertions(+), 12 deletions(-)

diff --git a/arch/x86/ia32/ia32_signal.c b/arch/x86/ia32/ia32_signal.c
index 0552884da18db..a7b9acd709dbc 100644
--- a/arch/x86/ia32/ia32_signal.c
+++ b/arch/x86/ia32/ia32_signal.c
@@ -60,9 +60,8 @@
 } while (0)
 
 #define RELOAD_SEG(seg)		{		\
-	unsigned int pre = GET_SEG(seg);	\
+	unsigned int pre = (seg) | 3;		\
 	unsigned int cur = get_user_seg(seg);	\
-	pre |= 3;				\
 	if (pre != cur)				\
 		set_user_seg(seg, pre);		\
 }
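Review bot: RELOAD_SEG(seg) now expects `seg` to be both a local variable (`(seg) | 3`) and a segment register name for get_user_seg()/set_user_seg(); the macro works only because the new u16 locals are named gs, fs, ds and es. A short comment above the macro stating that coupling would prevent someone renaming the locals later and getting a confusing build error.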
@@ -71,6 +70,7 @@ static int ia32_restore_sigcontext(struct pt_regs *regs,
 				   struct sigcontext_32 __user *sc)
 {
 	unsigned int tmpflags, err = 0;
+	u16 gs, fs, es, ds;
 	void __user *buf;
 	u32 tmp;
 
@@ -78,16 +78,10 @@ static int ia32_restore_sigcontext(struct pt_regs *regs,
 	current->restart_block.fn = do_no_restart_syscall;
 
 	get_user_try {
-		/*
-		 * Reload fs and gs if they have changed in the signal
-		 * handler.  This does not handle long fs/gs base changes in
-		 * the handler, but does not clobber them at least in the
-		 * normal case.
-		 */
-		RELOAD_SEG(gs);
-		RELOAD_SEG(fs);
-		RELOAD_SEG(ds);
-		RELOAD_SEG(es);
+		gs = GET_SEG(gs);
+		fs = GET_SEG(fs);
+		ds = GET_SEG(ds);
+		es = GET_SEG(es);
 
 		COPY(di); COPY(si); COPY(bp); COPY(sp); COPY(bx);
 		COPY(dx); COPY(cx); COPY(ip); COPY(ax);
@@ -105,6 +99,17 @@ static int ia32_restore_sigcontext(struct pt_regs *regs,
 		buf = compat_ptr(tmp);
 	} get_user_catch(err);
 
+	/*
+	 * Reload fs and gs if they have changed in the signal
+	 * handler.  This does not handle long fs/gs base changes in
+	 * the handler, but does not clobber them at least in the
+	 * normal case.
+	 */
+	RELOAD_SEG(gs);
+	RELOAD_SEG(fs);
+	RELOAD_SEG(ds);
+	RELOAD_SEG(es);
+
 	err |= fpu__restore_sig(buf, 1);
 
 	force_iret();
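Review bot: the four RELOAD_SEG() calls now run after get_user_catch(err) regardless of err; when one of the GET_SEG() reads faults, err is set at get_user_catch() but the corresponding local is never assigned, so set_user_seg() can load an uninitialised stack value (OR 3) into the register. Checking err before the reloads (e.g. `if (err) return err;` at this point, since the frame is rejected anyway) or initialising the four locals avoids that, while still keeping the segment loads outside the AC-set region, which is the point of the patch.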
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 250+ messages in thread

* [PATCH 4.4 160/241] chardev: add additional check for minor range overlap
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (158 preceding siblings ...)
  2019-06-09 16:41 ` [PATCH 4.4 159/241] x86/ia32: Fix ia32_restore_sigcontext() AC leak Greg Kroah-Hartman
@ 2019-06-09 16:41 ` Greg Kroah-Hartman
  2019-06-09 16:41 ` [PATCH 4.4 161/241] HID: core: move Usage Page concatenation to Main item Greg Kroah-Hartman
                   ` (85 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:41 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Chengguang Xu, Sasha Levin

[ Upstream commit de36e16d1557a0b6eb328bc3516359a12ba5c25c ]

Current overlap checking cannot correctly handle
a case in which baseminor < existing baseminor &&
baseminor + minorct > existing baseminor + minorct.

Signed-off-by: Chengguang Xu <cgxu519@gmx.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/char_dev.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/fs/char_dev.c b/fs/char_dev.c
index 24b142569ca9b..d0655ca894816 100644
--- a/fs/char_dev.c
+++ b/fs/char_dev.c
@@ -130,6 +130,12 @@ __register_chrdev_region(unsigned int major, unsigned int baseminor,
 			ret = -EBUSY;
 			goto out;
 		}
+
+		if (new_min < old_min && new_max > old_max) {
+			ret = -EBUSY;
+			goto out;
+		}
+
 	}
 
 	cd->next = *cp;
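Review bot: the new containment test, together with the two range tests that precede it in this loop body, reduces to the single closed-interval intersection check `if (new_min <= old_max && new_max >= old_min)`, which covers all four relative positions of the two ranges and is easier to verify than three separate cases; if the three-way form is kept, a comment naming this one as "new range contains the old one" would match the comments on the other two. The blank lines before the `if` and after its closing brace are unusual style for this file.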
-- 
2.20.1




^ permalink raw reply related	[flat|nested] 250+ messages in thread
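A closed-interval overlap check as an added example (my code, not fs/char_dev.c): the two tests that precede the new one in __register_chrdev_region() are reproduced from my reading of that file and are not shown on this page, so treat them as an assumption. The constructed cases exercise every relative position of the two minor ranges, including the "new range contains the old one" case the patch adds, and compare each checker against the single-test form.

```c
#include <stddef.h>
#include <stdio.h>

/* Minor ranges are closed intervals [base, base + count - 1]. */
struct range_case { unsigned nb, nc, ob, oc; };

/* The two tests that precede the hunk in __register_chrdev_region()
 * (as I read fs/char_dev.c; not shown on the page). */
static int overlaps_before_fix(unsigned nb, unsigned nc, unsigned ob, unsigned oc)
{
	unsigned new_min = nb, new_max = nb + nc - 1;
	unsigned old_min = ob, old_max = ob + oc - 1;

	/* New driver overlaps from the left. */
	if (new_max >= old_min && new_max <= old_max)
		return 1;
	/* New driver overlaps from the right. */
	if (new_min <= old_max && new_min >= old_min)
		return 1;
	return 0;
}

/* Same tests plus the one the patch adds. */
static int overlaps_after_fix(unsigned nb, unsigned nc, unsigned ob, unsigned oc)
{
	unsigned new_min = nb, new_max = nb + nc - 1;
	unsigned old_min = ob, old_max = ob + oc - 1;

	if (overlaps_before_fix(nb, nc, ob, oc))
		return 1;
	/* New driver completely contains the old one. */
	if (new_min < old_min && new_max > old_max)
		return 1;
	return 0;
}

/* Reference: two closed intervals intersect iff each starts no later
 * than the other ends.  One test covers all four relative positions. */
static int overlaps_reference(unsigned nb, unsigned nc, unsigned ob, unsigned oc)
{
	unsigned new_min = nb, new_max = nb + nc - 1;
	unsigned old_min = ob, old_max = ob + oc - 1;

	return new_min <= old_max && old_min <= new_max;
}

/* Constructed cases, each against an existing region of minors 10..14. */
static const struct range_case cases[] = {
	{ 10, 5, 10, 5 },	/* identical range */
	{ 12, 2, 10, 5 },	/* new inside old */
	{  8, 4, 10, 5 },	/* new overlaps old from the left */
	{ 13, 4, 10, 5 },	/* new overlaps old from the right */
	{  9, 8, 10, 5 },	/* new contains old: the case the patch adds */
	{  0, 10, 10, 5 },	/* ends just below old, no overlap */
	{ 15, 3, 10, 5 },	/* starts just above old, no overlap */
};

/* Number of cases where a checker disagrees with the reference. */
static int count_mismatches(int (*check)(unsigned, unsigned, unsigned, unsigned))
{
	size_t i;
	int bad = 0;

	for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
		const struct range_case *c = &cases[i];

		if (check(c->nb, c->nc, c->ob, c->oc) !=
		    overlaps_reference(c->nb, c->nc, c->ob, c->oc))
			bad++;
	}
	return bad;
}

static int mismatches_before_fix(void) { return count_mismatches(overlaps_before_fix); }
static int mismatches_after_fix(void) { return count_mismatches(overlaps_after_fix); }

int main(void)
{
	printf("cases missed before the fix: %d, after: %d\n",
	       mismatches_before_fix(), mismatches_after_fix());
	return 0;
}
```

Only the containing case is missed before the fix; after it the three-way form agrees with the single reference test on every constructed case. Neither version defends against a count of 0, where base + count - 1 wraps; the kernel code in view does not either.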

* [PATCH 4.4 161/241] HID: core: move Usage Page concatenation to Main item
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (159 preceding siblings ...)
  2019-06-09 16:41 ` [PATCH 4.4 160/241] chardev: add additional check for minor range overlap Greg Kroah-Hartman
@ 2019-06-09 16:41 ` Greg Kroah-Hartman
  2019-06-09 16:41 ` [PATCH 4.4 162/241] ASoC: eukrea-tlv320: fix a leaked reference by adding missing of_node_put Greg Kroah-Hartman
                   ` (84 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nicolas Saenz Julienne, Terry Junge,
	Benjamin Tissoires, Sasha Levin

[ Upstream commit 58e75155009cc800005629955d3482f36a1e0eec ]

As seen on some USB wireless keyboards manufactured by Primax, the HID
parser was using some assumptions that are not always true. In this case
it's the fact that, inside the scope of a main item, a Usage Page
will always precede a Usage.

The spec is not very clear, as 6.2.2.7 states "Any usage that follows
is interpreted as a Usage ID and concatenated with the Usage Page",
while 6.2.2.8 states "When the parser encounters a main item it
concatenates the last declared Usage Page with a Usage to form a
complete usage value." Being somewhat contradictory, it was decided to
match Windows' implementation, which follows 6.2.2.8.

In summary, the patch moves the Usage Page concatenation from the local
item parsing function to the main item parsing function.

Signed-off-by: Nicolas Saenz Julienne <nsaenzjulienne@suse.de>
Reviewed-by: Terry Junge <terry.junge@poly.com>
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/hid/hid-core.c | 36 ++++++++++++++++++++++++------------
 include/linux/hid.h    |  1 +
 2 files changed, 25 insertions(+), 12 deletions(-)

diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
index 4564ecf711815..9b2b41d683dea 100644
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -200,13 +200,14 @@ static unsigned hid_lookup_collection(struct hid_parser *parser, unsigned type)
  * Add a usage to the temporary parser table.
  */
 
-static int hid_add_usage(struct hid_parser *parser, unsigned usage)
+static int hid_add_usage(struct hid_parser *parser, unsigned usage, u8 size)
 {
 	if (parser->local.usage_index >= HID_MAX_USAGES) {
 		hid_err(parser->device, "usage index exceeded\n");
 		return -1;
 	}
 	parser->local.usage[parser->local.usage_index] = usage;
+	parser->local.usage_size[parser->local.usage_index] = size;
 	parser->local.collection_index[parser->local.usage_index] =
 		parser->collection_stack_ptr ?
 		parser->collection_stack[parser->collection_stack_ptr - 1] : 0;
@@ -463,10 +464,7 @@ static int hid_parser_local(struct hid_parser *parser, struct hid_item *item)
 			return 0;
 		}
 
-		if (item->size <= 2)
-			data = (parser->global.usage_page << 16) + data;
-
-		return hid_add_usage(parser, data);
+		return hid_add_usage(parser, data, item->size);
 
 	case HID_LOCAL_ITEM_TAG_USAGE_MINIMUM:
 
@@ -475,9 +473,6 @@ static int hid_parser_local(struct hid_parser *parser, struct hid_item *item)
 			return 0;
 		}
 
-		if (item->size <= 2)
-			data = (parser->global.usage_page << 16) + data;
-
 		parser->local.usage_minimum = data;
 		return 0;
 
@@ -488,9 +483,6 @@ static int hid_parser_local(struct hid_parser *parser, struct hid_item *item)
 			return 0;
 		}
 
-		if (item->size <= 2)
-			data = (parser->global.usage_page << 16) + data;
-
 		count = data - parser->local.usage_minimum;
 		if (count + parser->local.usage_index >= HID_MAX_USAGES) {
 			/*
@@ -510,7 +502,7 @@ static int hid_parser_local(struct hid_parser *parser, struct hid_item *item)
 		}
 
 		for (n = parser->local.usage_minimum; n <= data; n++)
-			if (hid_add_usage(parser, n)) {
+			if (hid_add_usage(parser, n, item->size)) {
 				dbg_hid("hid_add_usage failed\n");
 				return -1;
 			}
@@ -524,6 +516,22 @@ static int hid_parser_local(struct hid_parser *parser, struct hid_item *item)
 	return 0;
 }
 
+/*
+ * Concatenate Usage Pages into Usages where relevant:
+ * As per specification, 6.2.2.8: "When the parser encounters a main item it
+ * concatenates the last declared Usage Page with a Usage to form a complete
+ * usage value."
+ */
+
+static void hid_concatenate_usage_page(struct hid_parser *parser)
+{
+	int i;
+
+	for (i = 0; i < parser->local.usage_index; i++)
+		if (parser->local.usage_size[i] <= 2)
+			parser->local.usage[i] += parser->global.usage_page << 16;
+}
+
 /*
  * Process a main item.
  */
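Review bot: hid_concatenate_usage_page() adds the page to every entry with usage_size <= 2 and is called on every main item (hunks below), so it is only correct if parser->local is reset between main items; a usage that survives into a second main item would get the page added twice. If that reset is not guaranteed on both the scan and parse paths, make the loop idempotent, for example by setting usage_size[i] to 4 after adding the page. Separately, `parser->global.usage_page << 16` silently drops anything above bit 15 if usage_page is wider than 16 bits; masking with 0xffff or rejecting oversized pages would make the intent explicit.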
@@ -533,6 +541,8 @@ static int hid_parser_main(struct hid_parser *parser, struct hid_item *item)
 	__u32 data;
 	int ret;
 
+	hid_concatenate_usage_page(parser);
+
 	data = item_udata(item);
 
 	switch (item->tag) {
@@ -746,6 +756,8 @@ static int hid_scan_main(struct hid_parser *parser, struct hid_item *item)
 	__u32 data;
 	int i;
 
+	hid_concatenate_usage_page(parser);
+
 	data = item_udata(item);
 
 	switch (item->tag) {
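Review bot: hid_scan_main() and hid_parser_main() now both call hid_concatenate_usage_page() before reading item data, so both paths see the concatenated usages at the same point; the two call sites must stay in sync, and a short comment at each (or a sentence in the commit message) saying so would help future maintainers who touch only one of them.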
diff --git a/include/linux/hid.h b/include/linux/hid.h
index fd86687f81196..5f31318851366 100644
--- a/include/linux/hid.h
+++ b/include/linux/hid.h
@@ -372,6 +372,7 @@ struct hid_global {
 
 struct hid_local {
 	unsigned usage[HID_MAX_USAGES]; /* usage array */
+	u8 usage_size[HID_MAX_USAGES]; /* usage size array */
 	unsigned collection_index[HID_MAX_USAGES]; /* collection index array */
 	unsigned usage_index;
 	unsigned usage_minimum;
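Review bot: the comment `/* usage size array */` should say what is stored (the byte width of the Usage item that produced the matching usage[] entry, at most 4 for a short item, so u8 is adequate) because the `<= 2` test in hid_concatenate_usage_page() depends on exactly that meaning. The field also grows struct hid_local by HID_MAX_USAGES bytes, which is fine but worth noting for anything that copies or zeroes the struct by size.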
-- 
2.20.1


* [PATCH 4.4 162/241] ASoC: eukrea-tlv320: fix a leaked reference by adding missing of_node_put
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (160 preceding siblings ...)
  2019-06-09 16:41 ` [PATCH 4.4 161/241] HID: core: move Usage Page concatenation to Main item Greg Kroah-Hartman
@ 2019-06-09 16:41 ` Greg Kroah-Hartman
  2019-06-09 16:41 ` [PATCH 4.4 163/241] ASoC: fsl_utils: " Greg Kroah-Hartman
                   ` (83 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Wen Yang, Liam Girdwood, Mark Brown,
	Jaroslav Kysela, Takashi Iwai, alsa-devel, Sasha Levin

[ Upstream commit b820d52e7eed7b30b2dfef5f4213a2bc3cbea6f3 ]

The call to of_parse_phandle returns a node pointer with refcount
incremented thus it must be explicitly decremented after the last
usage.

Detected by coccinelle with the following warnings:
./sound/soc/fsl/eukrea-tlv320.c:121:3-9: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 102, but without a corresponding object release within this function.
./sound/soc/fsl/eukrea-tlv320.c:127:3-9: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 102, but without a corresponding object release within this function.

Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
Cc: Liam Girdwood <lgirdwood@gmail.com>
Cc: Mark Brown <broonie@kernel.org>
Cc: Jaroslav Kysela <perex@perex.cz>
Cc: Takashi Iwai <tiwai@suse.com>
Cc: alsa-devel@alsa-project.org
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/soc/fsl/eukrea-tlv320.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sound/soc/fsl/eukrea-tlv320.c b/sound/soc/fsl/eukrea-tlv320.c
index 883087f2b092b..38132143b7d5e 100644
--- a/sound/soc/fsl/eukrea-tlv320.c
+++ b/sound/soc/fsl/eukrea-tlv320.c
@@ -119,13 +119,13 @@ static int eukrea_tlv320_probe(struct platform_device *pdev)
 		if (ret) {
 			dev_err(&pdev->dev,
 				"fsl,mux-int-port node missing or invalid.\n");
-			return ret;
+			goto err;
 		}
 		ret = of_property_read_u32(np, "fsl,mux-ext-port", &ext_port);
 		if (ret) {
 			dev_err(&pdev->dev,
 				"fsl,mux-ext-port node missing or invalid.\n");
-			return ret;
+			goto err;
 		}
 
 		/*
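Review bot: both error returns now jump to `err`, which is outside this hunk; the label must call of_node_put(np) and then `return ret` without the cleanup clobbering `ret`, otherwise the probe error code is lost. Worth confirming in the full function, since the commit message only cites the coccinelle report and does not show the label.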
-- 
2.20.1


* [PATCH 4.4 163/241] ASoC: fsl_utils: fix a leaked reference by adding missing of_node_put
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (161 preceding siblings ...)
  2019-06-09 16:41 ` [PATCH 4.4 162/241] ASoC: eukrea-tlv320: fix a leaked reference by adding missing of_node_put Greg Kroah-Hartman
@ 2019-06-09 16:41 ` Greg Kroah-Hartman
  2019-06-09 16:41 ` [PATCH 4.4 164/241] cxgb3/l2t: Fix undefined behaviour Greg Kroah-Hartman
                   ` (82 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Wen Yang, Timur Tabi, Nicolin Chen,
	Xiubo Li, Fabio Estevam, Liam Girdwood, Mark Brown,
	Jaroslav Kysela, Takashi Iwai, alsa-devel, linuxppc-dev,
	Sasha Levin

[ Upstream commit c705247136a523488eac806bd357c3e5d79a7acd ]

The call to of_parse_phandle returns a node pointer with refcount
incremented thus it must be explicitly decremented after the last
usage.

Detected by coccinelle with the following warnings:
./sound/soc/fsl/fsl_utils.c:74:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 38, but without a corresponding object release within this function.

Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
Cc: Timur Tabi <timur@kernel.org>
Cc: Nicolin Chen <nicoleotsuka@gmail.com>
Cc: Xiubo Li <Xiubo.Lee@gmail.com>
Cc: Fabio Estevam <festevam@gmail.com>
Cc: Liam Girdwood <lgirdwood@gmail.com>
Cc: Mark Brown <broonie@kernel.org>
Cc: Jaroslav Kysela <perex@perex.cz>
Cc: Takashi Iwai <tiwai@suse.com>
Cc: alsa-devel@alsa-project.org
Cc: linuxppc-dev@lists.ozlabs.org
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/soc/fsl/fsl_utils.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/sound/soc/fsl/fsl_utils.c b/sound/soc/fsl/fsl_utils.c
index b9e42b503a377..4f8bdb7650e84 100644
--- a/sound/soc/fsl/fsl_utils.c
+++ b/sound/soc/fsl/fsl_utils.c
@@ -75,6 +75,7 @@ int fsl_asoc_get_dma_channel(struct device_node *ssi_np,
 	iprop = of_get_property(dma_np, "cell-index", NULL);
 	if (!iprop) {
 		of_node_put(dma_np);
+		of_node_put(dma_channel_np);
 		return -EINVAL;
 	}
 	*dma_id = be32_to_cpup(iprop);
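Review bot: the added of_node_put(dma_channel_np) covers the one early return coccinelle flagged, but the hunk shows only this error path; every other exit of fsl_asoc_get_dma_channel() after the phandle lookup, including the success path following `*dma_id = be32_to_cpup(iprop)`, must already drop the reference or the leak simply moves. A quick check that each return pairs with a put would make the fix complete.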
-- 
2.20.1


* [PATCH 4.4 164/241] cxgb3/l2t: Fix undefined behaviour
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (162 preceding siblings ...)
  2019-06-09 16:41 ` [PATCH 4.4 163/241] ASoC: fsl_utils: " Greg Kroah-Hartman
@ 2019-06-09 16:41 ` Greg Kroah-Hartman
  2019-06-09 16:41 ` [PATCH 4.4 165/241] spi: tegra114: reset controller on probe Greg Kroah-Hartman
                   ` (81 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Gustavo A. R. Silva, David S. Miller,
	Sasha Levin

[ Upstream commit 76497732932f15e7323dc805e8ea8dc11bb587cf ]

The use of a zero-sized array causes undefined behaviour when it is not
the last member in a structure, as happens to be the case here.

Also, the current code makes use of a language extension to the C90
standard, but the preferred mechanism to declare variable-length
types such as this one is a flexible array member, introduced in
C99:

struct foo {
        int stuff;
        struct boo array[];
};

By making use of the mechanism above, we will get a compiler warning
in case the flexible array does not occur last, which is beneficial
for cultivating high-quality code.

Fixes: e48f129c2f20 ("[SCSI] cxgb3i: convert cdev->l2opt to use rcu to prevent NULL dereference")
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/chelsio/cxgb3/l2t.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/chelsio/cxgb3/l2t.h b/drivers/net/ethernet/chelsio/cxgb3/l2t.h
index 8cffcdfd56782..38b5858c335a9 100644
--- a/drivers/net/ethernet/chelsio/cxgb3/l2t.h
+++ b/drivers/net/ethernet/chelsio/cxgb3/l2t.h
@@ -75,8 +75,8 @@ struct l2t_data {
 	struct l2t_entry *rover;	/* starting point for next allocation */
 	atomic_t nfree;		/* number of free entries */
 	rwlock_t lock;
-	struct l2t_entry l2tab[0];
 	struct rcu_head rcu_head;	/* to handle rcu cleanup */
+	struct l2t_entry l2tab[];
 };
 
 typedef void (*arp_failure_handler_func)(struct t3cdev * dev,
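Review bot: moving l2tab to the end removes the aliasing (with `l2tab[0]` declared before rcu_head, entry 0 and the rcu_head occupied the same bytes), and sizeof(struct l2t_data) still excludes the flexible member, so an allocation computed as sizeof(*d) + n * sizeof(struct l2t_entry) remains correct. One thing to check: the offset of rcu_head inside the struct changes, so any container_of() or offsetof() arithmetic on it must be rebuilt together with this header.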
-- 
2.20.1
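The commit message above contrasts a zero-length array placed before another member with a C99 flexible array member. The following is an added user-space model of those two layouts, not code from the cxgb3 patch or the kernel; it measures the overlap with offsetof() and shows an overflow-checked allocation size for the flexible form. `mock_entry` and `mock_rcu_head` are constructed stand-ins for the kernel's `l2t_entry` and `rcu_head`, and `l2t_alloc_size()` is a hypothetical helper (similar in spirit to the kernel's struct_size()).

```c
/* Added example: user-space model of the two struct layouts from the cxgb3
 * commit. The entry and rcu_head types below are constructed stand-ins, not
 * the kernel's definitions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

struct mock_entry { uint32_t addr; uint16_t vlan; uint16_t state; };          /* constructed */
struct mock_rcu_head { void *next; void (*func)(struct mock_rcu_head *); };  /* constructed */

/* Before the patch: a zero-length array (GNU extension) that is NOT last. */
struct l2t_data_old {
	int nfree;
	struct mock_entry l2tab[0];
	struct mock_rcu_head rcu_head;
};

/* After the patch: a C99 flexible array member, which must be the last member. */
struct l2t_data_new {
	int nfree;
	struct mock_rcu_head rcu_head;
	struct mock_entry l2tab[];
};

/* Returns 1 if storing into l2tab[0] of the old layout would overwrite rcu_head. */
int old_layout_overlaps(void)
{
	size_t tab = offsetof(struct l2t_data_old, l2tab);
	size_t rcu = offsetof(struct l2t_data_old, rcu_head);
	return tab + sizeof(struct mock_entry) > rcu;
}

/* Returns 1 if, in the new layout, the table starts at or after the end of rcu_head. */
int new_layout_is_disjoint(void)
{
	size_t tab = offsetof(struct l2t_data_new, l2tab);
	size_t rcu = offsetof(struct l2t_data_new, rcu_head);
	return tab >= rcu + sizeof(struct mock_rcu_head);
}

/* Bytes needed for a header plus n entries, or 0 if the multiplication would
 * overflow. sizeof(struct l2t_data_new) excludes the flexible member, so the
 * header size plus n entries is exactly the object size. */
size_t l2t_alloc_size(size_t n)
{
	size_t hdr = sizeof(struct l2t_data_new);

	if (n > (SIZE_MAX - hdr) / sizeof(struct mock_entry))
		return 0;
	return hdr + n * sizeof(struct mock_entry);
}

/* Allocate a zeroed table with room for n entries; NULL on overflow or OOM. */
struct l2t_data_new *l2t_alloc(size_t n)
{
	size_t sz = l2t_alloc_size(n);
	struct l2t_data_new *d = sz ? calloc(1, sz) : NULL;

	if (d)
		d->nfree = (int)n;
	return d;
}

int main(void)
{
	struct l2t_data_new *d = l2t_alloc(4);

	printf("old layout: l2tab[0] overlaps rcu_head = %d\n", old_layout_overlaps());
	printf("new layout: l2tab disjoint from rcu_head = %d\n", new_layout_is_disjoint());
	printf("allocation size for 4 entries = %zu bytes\n", l2t_alloc_size(4));
	if (d) {
		d->l2tab[3].addr = 0x0a000001; /* last entry is inside the allocation */
		free(d);
	}
	return 0;
}
```

The overlap check is the concrete form of the "undefined behaviour" the commit message mentions: in the old layout the first entry and the rcu_head share bytes, so an RCU callback and table writes race on the same memory. The size helper shows why the flexible member is the safer idiom: `sizeof` stays honest about what the header occupies, and the multiplication is guarded against wrap-around before it reaches the allocator.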


* [PATCH 4.4 165/241] spi: tegra114: reset controller on probe
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (163 preceding siblings ...)
  2019-06-09 16:41 ` [PATCH 4.4 164/241] cxgb3/l2t: Fix undefined behaviour Greg Kroah-Hartman
@ 2019-06-09 16:41 ` Greg Kroah-Hartman
  2019-06-09 16:41 ` [PATCH 4.4 166/241] media: wl128x: prevent two potential buffer overflows Greg Kroah-Hartman
                   ` (80 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sowjanya Komatineni, Mark Brown, Sasha Levin

[ Upstream commit 019194933339b3e9b486639c8cb3692020844d65 ]

Fixes: SPI driver can be built as a module so perform SPI controller reset
on probe to make sure it is in valid state before initiating transfer.

Signed-off-by: Sowjanya Komatineni <skomatineni@nvidia.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/spi/spi-tegra114.c | 32 ++++++++++++++++++--------------
 1 file changed, 18 insertions(+), 14 deletions(-)

diff --git a/drivers/spi/spi-tegra114.c b/drivers/spi/spi-tegra114.c
index 73779cecc3bbc..705f515863d4f 100644
--- a/drivers/spi/spi-tegra114.c
+++ b/drivers/spi/spi-tegra114.c
@@ -1067,27 +1067,19 @@ static int tegra_spi_probe(struct platform_device *pdev)
 
 	spi_irq = platform_get_irq(pdev, 0);
 	tspi->irq = spi_irq;
-	ret = request_threaded_irq(tspi->irq, tegra_spi_isr,
-			tegra_spi_isr_thread, IRQF_ONESHOT,
-			dev_name(&pdev->dev), tspi);
-	if (ret < 0) {
-		dev_err(&pdev->dev, "Failed to register ISR for IRQ %d\n",
-					tspi->irq);
-		goto exit_free_master;
-	}
 
 	tspi->clk = devm_clk_get(&pdev->dev, "spi");
 	if (IS_ERR(tspi->clk)) {
 		dev_err(&pdev->dev, "can not get clock\n");
 		ret = PTR_ERR(tspi->clk);
-		goto exit_free_irq;
+		goto exit_free_master;
 	}
 
 	tspi->rst = devm_reset_control_get(&pdev->dev, "spi");
 	if (IS_ERR(tspi->rst)) {
 		dev_err(&pdev->dev, "can not get reset\n");
 		ret = PTR_ERR(tspi->rst);
-		goto exit_free_irq;
+		goto exit_free_master;
 	}
 
 	tspi->max_buf_size = SPI_FIFO_DEPTH << 2;
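Review bot: `spi_irq = platform_get_irq(pdev, 0)` is copied into tspi->irq with no check for a negative return, so a missing IRQ only surfaces later as a confusing failure from request_threaded_irq(); since the IRQ request is being moved anyway, add `if (spi_irq < 0) { ret = spi_irq; goto exit_free_master; }` right after the lookup.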
@@ -1095,7 +1087,7 @@ static int tegra_spi_probe(struct platform_device *pdev)
 
 	ret = tegra_spi_init_dma_param(tspi, true);
 	if (ret < 0)
-		goto exit_free_irq;
+		goto exit_free_master;
 	ret = tegra_spi_init_dma_param(tspi, false);
 	if (ret < 0)
 		goto exit_rx_dma_free;
@@ -1117,18 +1109,32 @@ static int tegra_spi_probe(struct platform_device *pdev)
 		dev_err(&pdev->dev, "pm runtime get failed, e = %d\n", ret);
 		goto exit_pm_disable;
 	}
+
+	reset_control_assert(tspi->rst);
+	udelay(2);
+	reset_control_deassert(tspi->rst);
 	tspi->def_command1_reg  = SPI_M_S;
 	tegra_spi_writel(tspi, tspi->def_command1_reg, SPI_COMMAND1);
 	pm_runtime_put(&pdev->dev);
+	ret = request_threaded_irq(tspi->irq, tegra_spi_isr,
+				   tegra_spi_isr_thread, IRQF_ONESHOT,
+				   dev_name(&pdev->dev), tspi);
+	if (ret < 0) {
+		dev_err(&pdev->dev, "Failed to register ISR for IRQ %d\n",
+			tspi->irq);
+		goto exit_pm_disable;
+	}
 
 	master->dev.of_node = pdev->dev.of_node;
 	ret = devm_spi_register_master(&pdev->dev, master);
 	if (ret < 0) {
 		dev_err(&pdev->dev, "can not register to master err %d\n", ret);
-		goto exit_pm_disable;
+		goto exit_free_irq;
 	}
 	return ret;
 
+exit_free_irq:
+	free_irq(spi_irq, tspi);
 exit_pm_disable:
 	pm_runtime_disable(&pdev->dev);
 	if (!pm_runtime_status_suspended(&pdev->dev))
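Review bot: the ordering is sound (reset pulse while the controller is runtime-active between pm_runtime_get_sync() and pm_runtime_put(), IRQ requested only once the controller is in a known state, and the new exit_free_irq label falls through into exit_pm_disable), but the hard-coded udelay(2) deserves a comment citing the required reset pulse width, and reset_control_assert()/reset_control_deassert() return an int that is ignored here; at least the deassert result should be checked since a still-asserted controller will never raise the IRQ that is requested next.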
@@ -1136,8 +1142,6 @@ static int tegra_spi_probe(struct platform_device *pdev)
 	tegra_spi_deinit_dma_param(tspi, false);
 exit_rx_dma_free:
 	tegra_spi_deinit_dma_param(tspi, true);
-exit_free_irq:
-	free_irq(spi_irq, tspi);
 exit_free_master:
 	spi_master_put(master);
 	return ret;
-- 
2.20.1


* [PATCH 4.4 166/241] media: wl128x: prevent two potential buffer overflows
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (164 preceding siblings ...)
  2019-06-09 16:41 ` [PATCH 4.4 165/241] spi: tegra114: reset controller on probe Greg Kroah-Hartman
@ 2019-06-09 16:41 ` Greg Kroah-Hartman
  2019-06-09 16:41 ` [PATCH 4.4 167/241] virtio_console: initialize vtermno value for ports Greg Kroah-Hartman
                   ` (79 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Hans Verkuil,
	Mauro Carvalho Chehab, Sasha Levin

[ Upstream commit 9c2ccc324b3a6cbc865ab8b3e1a09e93d3c8ade9 ]

Smatch marks skb->data as untrusted so it warns that "evt_hdr->dlen"
can copy up to 255 bytes and we only have room for two bytes.  Even
if this comes from the firmware and we trust it, the new policy
generally is just to fix it as kernel hardening.

I can't test this code so I tried to be very conservative.  I considered
not allowing "evt_hdr->dlen == 1" because it doesn't initialize the
whole variable but in the end I decided to allow it and manually
initialized "asic_id" and "asic_ver" to zero.

Fixes: e8454ff7b9a4 ("[media] drivers:media:radio: wl128x: FM Driver Common sources")

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/radio/wl128x/fmdrv_common.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/media/radio/wl128x/fmdrv_common.c b/drivers/media/radio/wl128x/fmdrv_common.c
index ebc73b0342496..51639a3f7abe4 100644
--- a/drivers/media/radio/wl128x/fmdrv_common.c
+++ b/drivers/media/radio/wl128x/fmdrv_common.c
@@ -494,7 +494,8 @@ int fmc_send_cmd(struct fmdev *fmdev, u8 fm_op, u16 type, void *payload,
 		return -EIO;
 	}
 	/* Send response data to caller */
-	if (response != NULL && response_len != NULL && evt_hdr->dlen) {
+	if (response != NULL && response_len != NULL && evt_hdr->dlen &&
+	    evt_hdr->dlen <= payload_len) {
 		/* Skip header info and copy only response data */
 		skb_pull(skb, sizeof(struct fm_event_msg_hdr));
 		memcpy(response, skb->data, evt_hdr->dlen);
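Review bot: the new bound compares evt_hdr->dlen against payload_len, the size of the command payload the caller sent, not against the capacity of `response`, so it is only sound if every caller guarantees its response buffer is at least payload_len bytes. When the bound fails the copy is silently skipped and the function presumably still returns success, so the caller consumes whatever `response` held before the call (which is why the third hunk has to zero asic_id/asic_ver); returning an error such as -EIO on an oversized dlen would make the contract explicit. dlen should also be checked against skb->len after the skb_pull() so a short skb is not over-read by the memcpy.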
@@ -590,6 +591,8 @@ static void fm_irq_handle_flag_getcmd_resp(struct fmdev *fmdev)
 		return;
 
 	fm_evt_hdr = (void *)skb->data;
+	if (fm_evt_hdr->dlen > sizeof(fmdev->irq_info.flag))
+		return;
 
 	/* Skip header info and copy only response data */
 	skb_pull(skb, sizeof(struct fm_event_msg_hdr));
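Review bot: the early return on an oversized dlen is silent, so a firmware that sends a malformed flag response is dropped with no trace; log dlen and sizeof(fmdev->irq_info.flag) before returning so the condition is visible. Also confirm that the skb is released on this new path (the existing code after the memcpy presumably frees it), otherwise each rejected event leaks an skb.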
@@ -1315,7 +1318,7 @@ static int load_default_rx_configuration(struct fmdev *fmdev)
 static int fm_power_up(struct fmdev *fmdev, u8 mode)
 {
 	u16 payload;
-	__be16 asic_id, asic_ver;
+	__be16 asic_id = 0, asic_ver = 0;
 	int resp_len, ret;
 	u8 fw_name[50];
 
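Review bot: zero-initialising asic_id and asic_ver keeps fm_power_up() deterministic when fmc_send_cmd() skips the copy because of the new bound, but a zero is then a valid-looking yet wrong ID; checking resp_len (or an error return from fmc_send_cmd(), see the first hunk) before the values are used would be stronger than relying on the zero.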
-- 
2.20.1


* [PATCH 4.4 167/241] virtio_console: initialize vtermno value for ports
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (165 preceding siblings ...)
  2019-06-09 16:41 ` [PATCH 4.4 166/241] media: wl128x: prevent two potential buffer overflows Greg Kroah-Hartman
@ 2019-06-09 16:41 ` Greg Kroah-Hartman
  2019-06-09 16:41 ` [PATCH 4.4 168/241] tty: ipwireless: fix missing checks for ioremap Greg Kroah-Hartman
                   ` (78 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:41 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, siliu, Pankaj Gupta, Sasha Levin

[ Upstream commit 4b0a2c5ff7215206ea6135a405f17c5f6fca7d00 ]

For regular serial ports we do not initialize the value of the vtermno
variable. A garbage value is assigned for non-console ports.
The value can be observed as a random integer with [1].

[1] vim /sys/kernel/debug/virtio-ports/vport*p*

This patch initializes the value of vtermno for console serial
ports to '1', and regular serial ports are initialized to '0'.

Reported-by: siliu@redhat.com
Signed-off-by: Pankaj Gupta <pagupta@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/char/virtio_console.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c
index 2aca689061e1f..df9eab91c2d25 100644
--- a/drivers/char/virtio_console.c
+++ b/drivers/char/virtio_console.c
@@ -76,7 +76,7 @@ struct ports_driver_data {
 	/* All the console devices handled by this driver */
 	struct list_head consoles;
 };
-static struct ports_driver_data pdrvdata;
+static struct ports_driver_data pdrvdata = { .next_vtermno = 1};
 
 static DEFINE_SPINLOCK(pdrvdata_lock);
 static DECLARE_COMPLETION(early_console_added);
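Review bot: starting next_vtermno at 1 makes 0 mean "not a console", which the second hunk relies on, but nothing in the hunk records that convention; add a comment on the field in struct ports_driver_data (and on port->cons.vtermno) so the shift by one is not undone by a later cleanup, and check any code that compares vtermno against 0 or uses it as an index now that the first console is number 1.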
@@ -1419,6 +1419,7 @@ static int add_port(struct ports_device *portdev, u32 id)
 	port->async_queue = NULL;
 
 	port->cons.ws.ws_row = port->cons.ws.ws_col = 0;
+	port->cons.vtermno = 0;
 
 	port->host_connected = port->guest_connected = false;
 	port->stats = (struct port_stats) { 0 };
-- 
2.20.1


* [PATCH 4.4 168/241] tty: ipwireless: fix missing checks for ioremap
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (166 preceding siblings ...)
  2019-06-09 16:41 ` [PATCH 4.4 167/241] virtio_console: initialize vtermno value for ports Greg Kroah-Hartman
@ 2019-06-09 16:41 ` Greg Kroah-Hartman
  2019-06-09 16:41 ` [PATCH 4.4 169/241] rcutorture: Fix cleanup path for invalid torture_type strings Greg Kroah-Hartman
                   ` (77 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kangjie Lu, David Sterba, Sasha Levin

[ Upstream commit 1bbb1c318cd8a3a39e8c3e2e83d5e90542d6c3e3 ]

ipw->attr_memory and ipw->common_memory are assigned with the
return value of ioremap. ioremap may fail, but no checks
are enforced. The fix inserts the checks to avoid potential
NULL pointer dereferences.

Signed-off-by: Kangjie Lu <kjlu@umn.edu>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/tty/ipwireless/main.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/drivers/tty/ipwireless/main.c b/drivers/tty/ipwireless/main.c
index 655c7948261c7..2fa4f91234693 100644
--- a/drivers/tty/ipwireless/main.c
+++ b/drivers/tty/ipwireless/main.c
@@ -113,6 +113,10 @@ static int ipwireless_probe(struct pcmcia_device *p_dev, void *priv_data)
 
 	ipw->common_memory = ioremap(p_dev->resource[2]->start,
 				resource_size(p_dev->resource[2]));
+	if (!ipw->common_memory) {
+		ret = -ENOMEM;
+		goto exit1;
+	}
 	if (!request_mem_region(p_dev->resource[2]->start,
 				resource_size(p_dev->resource[2]),
 				IPWIRELESS_PCCARD_NAME)) {
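Review bot: the new `goto exit1` target is outside the hunk; it must release whatever was acquired before this point and must not assume common_memory is mapped (it is NULL here, so an unconditional iounmap() would be harmless on most architectures but untidy). Reporting a mapping failure as -ENOMEM is the usual convention and fine as long as the caller does not treat -ENOMEM specially.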
@@ -133,6 +137,10 @@ static int ipwireless_probe(struct pcmcia_device *p_dev, void *priv_data)
 
 	ipw->attr_memory = ioremap(p_dev->resource[3]->start,
 				resource_size(p_dev->resource[3]));
+	if (!ipw->attr_memory) {
+		ret = -ENOMEM;
+		goto exit3;
+	}
 	if (!request_mem_region(p_dev->resource[3]->start,
 				resource_size(p_dev->resource[3]),
 				IPWIRELESS_PCCARD_NAME)) {
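Review bot: `goto exit3` on the attr_memory failure has to unmap common_memory and release its region (both acquired on the path shown in the first hunk) while not touching attr_memory, which is NULL at this point; the label is not in the hunk, so confirm it does exactly that and that the error labels remain ordered with the acquisitions.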
-- 
2.20.1


* [PATCH 4.4 169/241] rcutorture: Fix cleanup path for invalid torture_type strings
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (167 preceding siblings ...)
  2019-06-09 16:41 ` [PATCH 4.4 168/241] tty: ipwireless: fix missing checks for ioremap Greg Kroah-Hartman
@ 2019-06-09 16:41 ` Greg Kroah-Hartman
  2019-06-09 16:41 ` [PATCH 4.4 170/241] usb: core: Add PM runtime calls to usb_hcd_platform_shutdown Greg Kroah-Hartman
                   ` (76 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, kernel test robot, Paul E. McKenney,
	Sasha Levin

[ Upstream commit b813afae7ab6a5e91b4e16cc567331d9c2ae1f04 ]

If the specified rcutorture.torture_type is not in the rcu_torture_init()
function's torture_ops[] array, rcutorture prints some console messages
and then invokes rcu_torture_cleanup() to set state so that a future
torture test can run.  However, rcu_torture_cleanup() also attempts to
end the test that didn't actually start, and in doing so relies on the
value of cur_ops, a value that is not particularly relevant in this case.
This can result in confusing output or even follow-on failures due to
attempts to use facilities that have not been properly initialized.

This commit therefore sets the value of cur_ops to NULL in this case
and inserts a check near the beginning of rcu_torture_cleanup(),
thus avoiding relying on an irrelevant cur_ops value.

Reported-by: kernel test robot <rong.a.chen@intel.com>
Signed-off-by: Paul E. McKenney <paulmck@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/rcu/rcutorture.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/kernel/rcu/rcutorture.c b/kernel/rcu/rcutorture.c
index d89328e260df6..041a02b334d73 100644
--- a/kernel/rcu/rcutorture.c
+++ b/kernel/rcu/rcutorture.c
@@ -1603,6 +1603,10 @@ rcu_torture_cleanup(void)
 			cur_ops->cb_barrier();
 		return;
 	}
+	if (!cur_ops) {
+		torture_cleanup_end();
+		return;
+	}
 
 	rcu_torture_barrier_cleanup();
 	torture_stop_kthread(rcu_torture_stall, stall_task);
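Review bot: the new `if (!cur_ops)` test sits after the block at the top of the hunk that already calls `cur_ops->cb_barrier()`; if the condition guarding that block (not shown) is true while cur_ops is NULL, the dereference happens before the new check. Move the NULL test above the first use of cur_ops, or guard the cb_barrier call with `cur_ops &&`.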
@@ -1741,6 +1745,7 @@ rcu_torture_init(void)
 			pr_alert(" %s", torture_ops[i]->name);
 		pr_alert("\n");
 		firsterr = -EINVAL;
+		cur_ops = NULL;
 		goto unwind;
 	}
 	if (cur_ops->fqs == NULL && fqs_duration != 0) {
-- 
2.20.1


* [PATCH 4.4 170/241] usb: core: Add PM runtime calls to usb_hcd_platform_shutdown
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (168 preceding siblings ...)
  2019-06-09 16:41 ` [PATCH 4.4 169/241] rcutorture: Fix cleanup path for invalid torture_type strings Greg Kroah-Hartman
@ 2019-06-09 16:41 ` Greg Kroah-Hartman
  2019-06-09 16:41 ` [PATCH 4.4 171/241] scsi: qla4xxx: avoid freeing unallocated dma memory Greg Kroah-Hartman
                   ` (75 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tony Lindgren, Alan Stern, Sasha Levin

[ Upstream commit 8ead7e817224d7832fe51a19783cb8fcadc79467 ]

If ohci-platform is runtime suspended, we can currently get an "imprecise
external abort" on reboot with ohci-platform loaded when PM runtime
is implemented for the SoC.

Let's fix this by adding PM runtime support to usb_hcd_platform_shutdown.

Signed-off-by: Tony Lindgren <tony@atomide.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/usb/core/hcd.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c
index 9c4f9b6e57e29..99c146f4b6b51 100644
--- a/drivers/usb/core/hcd.c
+++ b/drivers/usb/core/hcd.c
@@ -3007,6 +3007,9 @@ usb_hcd_platform_shutdown(struct platform_device *dev)
 {
 	struct usb_hcd *hcd = platform_get_drvdata(dev);
 
+	/* No need for pm_runtime_put(), we're shutting down */
+	pm_runtime_get_sync(&dev->dev);
+
 	if (hcd->driver->shutdown)
 		hcd->driver->shutdown(hcd);
 }
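Review bot: the return value of pm_runtime_get_sync() is discarded; at shutdown there is little to recover from, but a dev_warn() on a negative result would explain a subsequent external abort instead of leaving it a mystery. Also, `hcd` from platform_get_drvdata() is dereferenced without a NULL check (pre-existing); if one is added, the runtime-PM call should follow it. The "no put" comment is correct and welcome.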
-- 
2.20.1


* [PATCH 4.4 171/241] scsi: qla4xxx: avoid freeing unallocated dma memory
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (169 preceding siblings ...)
  2019-06-09 16:41 ` [PATCH 4.4 170/241] usb: core: Add PM runtime calls to usb_hcd_platform_shutdown Greg Kroah-Hartman
@ 2019-06-09 16:41 ` Greg Kroah-Hartman
  2019-06-09 16:41 ` [PATCH 4.4 172/241] media: m88ds3103: serialize reset messages in m88ds3103_set_frontend Greg Kroah-Hartman
                   ` (74 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Arnd Bergmann, Nathan Chancellor,
	Martin K. Petersen, Sasha Levin

[ Upstream commit 608f729c31d4caf52216ea00d20092a80959256d ]

Clang -Wuninitialized notices that on is_qla40XX we never allocate any DMA
memory in get_fw_boot_info() but attempt to free it anyway:

drivers/scsi/qla4xxx/ql4_os.c:5915:7: error: variable 'buf_dma' is used uninitialized whenever 'if' condition is false
      [-Werror,-Wsometimes-uninitialized]
                if (!(val & 0x07)) {
                    ^~~~~~~~~~~~~
drivers/scsi/qla4xxx/ql4_os.c:5985:47: note: uninitialized use occurs here
        dma_free_coherent(&ha->pdev->dev, size, buf, buf_dma);
                                                     ^~~~~~~
drivers/scsi/qla4xxx/ql4_os.c:5915:3: note: remove the 'if' if its condition is always true
                if (!(val & 0x07)) {
                ^~~~~~~~~~~~~~~~~~~
drivers/scsi/qla4xxx/ql4_os.c:5885:20: note: initialize the variable 'buf_dma' to silence this warning
        dma_addr_t buf_dma;
                          ^
                           = 0

Skip the call to dma_free_coherent() here.

Fixes: 2a991c215978 ("[SCSI] qla4xxx: Boot from SAN support for open-iscsi")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Reviewed-by: Nathan Chancellor <natechancellor@gmail.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/qla4xxx/ql4_os.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/scsi/qla4xxx/ql4_os.c b/drivers/scsi/qla4xxx/ql4_os.c
index c158967b59d7b..d220b4f691c77 100644
--- a/drivers/scsi/qla4xxx/ql4_os.c
+++ b/drivers/scsi/qla4xxx/ql4_os.c
@@ -5939,7 +5939,7 @@ static int get_fw_boot_info(struct scsi_qla_host *ha, uint16_t ddb_index[])
 		val = rd_nvram_byte(ha, sec_addr);
 		if (val & BIT_7)
 			ddb_index[1] = (val & 0x7f);
-
+		goto exit_boot_info;
 	} else if (is_qla80XX(ha)) {
 		buf = dma_alloc_coherent(&ha->pdev->dev, size,
 					 &buf_dma, GFP_KERNEL);
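Review bot: the new `goto exit_boot_info` skips the shared dma_free_coherent() for the is_qla40XX path, which is the fix, but the label is outside the hunk; confirm it returns the right `ret` and that nothing between the label and the return uses `buf` or `buf_dma`, which are still uninitialized on this path. A short comment above the goto (no DMA buffer is allocated for qla40XX) would keep the reason visible.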
-- 
2.20.1


* [PATCH 4.4 172/241] media: m88ds3103: serialize reset messages in m88ds3103_set_frontend
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (170 preceding siblings ...)
  2019-06-09 16:41 ` [PATCH 4.4 171/241] scsi: qla4xxx: avoid freeing unallocated dma memory Greg Kroah-Hartman
@ 2019-06-09 16:41 ` Greg Kroah-Hartman
  2019-06-09 16:41 ` [PATCH 4.4 173/241] media: go7007: avoid clang frame overflow warning with KASAN Greg Kroah-Hartman
                   ` (73 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, James Hutchinson, Antti Palosaari,
	Sean Young, Mauro Carvalho Chehab, Sasha Levin

[ Upstream commit 981fbe3da20a6f35f17977453bce7dfc1664d74f ]

Ref: https://bugzilla.kernel.org/show_bug.cgi?id=199323

Users are experiencing problems with the DVBSky S960/S960C USB devices
since the following commit:

9d659ae: ("locking/mutex: Add lock handoff to avoid starvation")

The device malfunctions after running for an indeterminable period of
time, and the problem can only be cleared by rebooting the machine.

It is possible to encourage the problem to surface by blocking the
signal to the LNB.

Further debugging revealed the cause of the problem.

In the following capture:
- thread #1325 is running m88ds3103_set_frontend
- thread #42 is running ts2020_stat_work

a> [1325] usb 1-1: dvb_usb_v2_generic_io: >>> 08 68 02 07 80
   [1325] usb 1-1: dvb_usb_v2_generic_io: <<< 08
   [42] usb 1-1: dvb_usb_v2_generic_io: >>> 09 01 01 68 3f
   [42] usb 1-1: dvb_usb_v2_generic_io: <<< 08 ff
   [42] usb 1-1: dvb_usb_v2_generic_io: >>> 08 68 02 03 11
   [42] usb 1-1: dvb_usb_v2_generic_io: <<< 07
   [42] usb 1-1: dvb_usb_v2_generic_io: >>> 09 01 01 60 3d
   [42] usb 1-1: dvb_usb_v2_generic_io: <<< 07 ff
b> [1325] usb 1-1: dvb_usb_v2_generic_io: >>> 08 68 02 07 00
   [1325] usb 1-1: dvb_usb_v2_generic_io: <<< 07
   [42] usb 1-1: dvb_usb_v2_generic_io: >>> 08 68 02 03 11
   [42] usb 1-1: dvb_usb_v2_generic_io: <<< 07
   [42] usb 1-1: dvb_usb_v2_generic_io: >>> 09 01 01 60 21
   [42] usb 1-1: dvb_usb_v2_generic_io: <<< 07 ff
   [42] usb 1-1: dvb_usb_v2_generic_io: >>> 08 68 02 03 11
   [42] usb 1-1: dvb_usb_v2_generic_io: <<< 07
   [42] usb 1-1: dvb_usb_v2_generic_io: >>> 09 01 01 60 66
   [42] usb 1-1: dvb_usb_v2_generic_io: <<< 07 ff
   [1325] usb 1-1: dvb_usb_v2_generic_io: >>> 08 68 02 03 11
   [1325] usb 1-1: dvb_usb_v2_generic_io: <<< 07
   [1325] usb 1-1: dvb_usb_v2_generic_io: >>> 08 60 02 10 0b
   [1325] usb 1-1: dvb_usb_v2_generic_io: <<< 07

Two i2c messages are sent to perform a reset in m88ds3103_set_frontend:

  a. 0x07, 0x80
  b. 0x07, 0x00

However, as shown in the capture, the regmap mutex is being handed over
to another thread (ts2020_stat_work) in between these two messages.

From here, the device responds to every i2c message with an 07 message,
and will only return to normal operation following a power cycle.

Use regmap_multi_reg_write to group the two reset messages, ensuring
both are processed before the regmap mutex is unlocked.

Signed-off-by: James Hutchinson <jahutchinson99@googlemail.com>
Reviewed-by: Antti Palosaari <crope@iki.fi>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/dvb-frontends/m88ds3103.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/drivers/media/dvb-frontends/m88ds3103.c b/drivers/media/dvb-frontends/m88ds3103.c
index d14d075ab1d63..9f0956e739a45 100644
--- a/drivers/media/dvb-frontends/m88ds3103.c
+++ b/drivers/media/dvb-frontends/m88ds3103.c
@@ -309,6 +309,9 @@ static int m88ds3103_set_frontend(struct dvb_frontend *fe)
 	u16 u16tmp, divide_ratio = 0;
 	u32 tuner_frequency, target_mclk;
 	s32 s32tmp;
+	static const struct reg_sequence reset_buf[] = {
+		{0x07, 0x80}, {0x07, 0x00}
+	};
 
 	dev_dbg(&client->dev,
 		"delivery_system=%d modulation=%d frequency=%u symbol_rate=%d inversion=%d pilot=%d rolloff=%d\n",
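Review bot: struct reg_sequence carries a delay_us field that is zero here; if the chip needs a hold time between asserting (0x07 = 0x80) and releasing (0x07 = 0x00) the reset, set it on the first entry, because regmap_multi_reg_write() issues the writes back to back. A comment saying no delay is required would also settle the question.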
@@ -321,11 +324,7 @@ static int m88ds3103_set_frontend(struct dvb_frontend *fe)
 	}
 
 	/* reset */
-	ret = regmap_write(dev->regmap, 0x07, 0x80);
-	if (ret)
-		goto err;
-
-	ret = regmap_write(dev->regmap, 0x07, 0x00);
+	ret = regmap_multi_reg_write(dev->regmap, reset_buf, 2);
 	if (ret)
 		goto err;
 
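Review bot: use ARRAY_SIZE(reset_buf) instead of the literal 2 in regmap_multi_reg_write() so the count cannot drift from the table. Behaviour otherwise matches the old pair of writes with the first error returned, now under a single regmap lock hold, which is what closes the window the commit message describes.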
-- 
2.20.1


* [PATCH 4.4 173/241] media: go7007: avoid clang frame overflow warning with KASAN
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (171 preceding siblings ...)
  2019-06-09 16:41 ` [PATCH 4.4 172/241] media: m88ds3103: serialize reset messages in m88ds3103_set_frontend Greg Kroah-Hartman
@ 2019-06-09 16:41 ` Greg Kroah-Hartman
  2019-06-09 16:41 ` [PATCH 4.4 174/241] media: saa7146: avoid high stack usage with clang Greg Kroah-Hartman
                   ` (72 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Arnd Bergmann, Hans Verkuil,
	Mauro Carvalho Chehab, Sasha Levin

[ Upstream commit ed713a4a1367aca5c0f2f329579465db00c17995 ]

clang-8 warns about one function here when KASAN is enabled, even
without the 'asan-stack' option:

drivers/media/usb/go7007/go7007-fw.c:1551:5: warning: stack frame size of 2656 bytes in function

I have reported this issue in the llvm bugzilla, but to make
it work with the clang-8 release, a small annotation is still
needed.

Link: https://bugs.llvm.org/show_bug.cgi?id=38809

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
[hverkuil-cisco@xs4all.nl: fix checkpatch warning]
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/usb/go7007/go7007-fw.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/media/usb/go7007/go7007-fw.c b/drivers/media/usb/go7007/go7007-fw.c
index 60bf5f0644d11..a5efcd4f7b4f5 100644
--- a/drivers/media/usb/go7007/go7007-fw.c
+++ b/drivers/media/usb/go7007/go7007-fw.c
@@ -1499,8 +1499,8 @@ static int modet_to_package(struct go7007 *go, __le16 *code, int space)
 	return cnt;
 }
 
-static int do_special(struct go7007 *go, u16 type, __le16 *code, int space,
-			int *framelen)
+static noinline_for_stack int do_special(struct go7007 *go, u16 type,
+					 __le16 *code, int space, int *framelen)
 {
 	switch (type) {
 	case SPECIAL_FRM_HEAD:
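Review bot: the `noinline_for_stack` on do_special() carries no comment saying why it is there, so a later cleanup could drop it and bring back the 2656-byte frame the commit message describes; add a one-line comment next to the annotation referencing the llvm bug (https://bugs.llvm.org/show_bug.cgi?id=38809) and the clang-8/KASAN combination it works around.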
-- 
2.20.1


* [PATCH 4.4 174/241] media: saa7146: avoid high stack usage with clang
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (172 preceding siblings ...)
  2019-06-09 16:41 ` [PATCH 4.4 173/241] media: go7007: avoid clang frame overflow warning with KASAN Greg Kroah-Hartman
@ 2019-06-09 16:41 ` Greg Kroah-Hartman
  2019-06-09 16:41 ` [PATCH 4.4 175/241] scsi: lpfc: Fix SLI3 commands being issued on SLI4 devices Greg Kroah-Hartman
                   ` (71 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Arnd Bergmann, Nick Desaulniers,
	Hans Verkuil, Mauro Carvalho Chehab, Sasha Levin

[ Upstream commit 03aa4f191a36f33fce015387f84efa0eee94408e ]

Two saa7146/hexium files contain a construct that causes a warning
when built with clang:

drivers/media/pci/saa7146/hexium_orion.c:210:12: error: stack frame size of 2272 bytes in function 'hexium_probe'
      [-Werror,-Wframe-larger-than=]
static int hexium_probe(struct saa7146_dev *dev)
           ^
drivers/media/pci/saa7146/hexium_gemini.c:257:12: error: stack frame size of 2304 bytes in function 'hexium_attach'
      [-Werror,-Wframe-larger-than=]
static int hexium_attach(struct saa7146_dev *dev, struct saa7146_pci_extension_data *info)
           ^

This one happens regardless of KASAN, and the problem is that a
constructor to initialize a dynamically allocated structure leads
to a copy of that structure on the stack, whereas gcc initializes
it in place.

Link: https://bugs.llvm.org/show_bug.cgi?id=40776

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
[hverkuil-cisco@xs4all.nl: fix checkpatch warnings]
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/pci/saa7146/hexium_gemini.c | 5 ++---
 drivers/media/pci/saa7146/hexium_orion.c  | 5 ++---
 2 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/drivers/media/pci/saa7146/hexium_gemini.c b/drivers/media/pci/saa7146/hexium_gemini.c
index 03cbcd2095c6e..d4b3ce8282856 100644
--- a/drivers/media/pci/saa7146/hexium_gemini.c
+++ b/drivers/media/pci/saa7146/hexium_gemini.c
@@ -270,9 +270,8 @@ static int hexium_attach(struct saa7146_dev *dev, struct saa7146_pci_extension_d
 	/* enable i2c-port pins */
 	saa7146_write(dev, MC1, (MASK_08 | MASK_24 | MASK_10 | MASK_26));
 
-	hexium->i2c_adapter = (struct i2c_adapter) {
-		.name = "hexium gemini",
-	};
+	strscpy(hexium->i2c_adapter.name, "hexium gemini",
+		sizeof(hexium->i2c_adapter.name));
 	saa7146_i2c_adapter_prepare(dev, &hexium->i2c_adapter, SAA7146_I2C_BUS_BIT_RATE_480);
 	if (i2c_add_adapter(&hexium->i2c_adapter) < 0) {
 		DEB_S("cannot register i2c-device. skipping.\n");
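Review bot: the old compound-literal assignment zeroed every field of `hexium->i2c_adapter` before setting `.name`; the replacement `strscpy(hexium->i2c_adapter.name, ...)` only writes `name`, so the rest of the adapter now keeps whatever the allocator left in it. That is only equivalent if `hexium` comes from kzalloc() earlier in hexium_attach(), which this hunk does not show; confirm that, or add a memset() of `hexium->i2c_adapter` ahead of the strscpy(). The sizeof(hexium->i2c_adapter.name) bound is the right one for strscpy().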
diff --git a/drivers/media/pci/saa7146/hexium_orion.c b/drivers/media/pci/saa7146/hexium_orion.c
index 15f0d66ff78a2..214396b1ca73c 100644
--- a/drivers/media/pci/saa7146/hexium_orion.c
+++ b/drivers/media/pci/saa7146/hexium_orion.c
@@ -232,9 +232,8 @@ static int hexium_probe(struct saa7146_dev *dev)
 	saa7146_write(dev, DD1_STREAM_B, 0x00000000);
 	saa7146_write(dev, MC2, (MASK_09 | MASK_25 | MASK_10 | MASK_26));
 
-	hexium->i2c_adapter = (struct i2c_adapter) {
-		.name = "hexium orion",
-	};
+	strscpy(hexium->i2c_adapter.name, "hexium orion",
+		sizeof(hexium->i2c_adapter.name));
 	saa7146_i2c_adapter_prepare(dev, &hexium->i2c_adapter, SAA7146_I2C_BUS_BIT_RATE_480);
 	if (i2c_add_adapter(&hexium->i2c_adapter) < 0) {
 		DEB_S("cannot register i2c-device. skipping.\n");
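Review bot: same concern as in hexium_gemini.c: strscpy() into `hexium->i2c_adapter.name` no longer zeroes the other i2c_adapter fields, so hexium_probe() must obtain `hexium` from kzalloc() for this to be behaviour-preserving; please confirm in the part of the function not shown here.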
-- 
2.20.1


* [PATCH 4.4 175/241] scsi: lpfc: Fix SLI3 commands being issued on SLI4 devices
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (173 preceding siblings ...)
  2019-06-09 16:41 ` [PATCH 4.4 174/241] media: saa7146: avoid high stack usage with clang Greg Kroah-Hartman
@ 2019-06-09 16:41 ` Greg Kroah-Hartman
  2019-06-09 16:41 ` [PATCH 4.4 176/241] spi : spi-topcliff-pch: Fix to handle empty DMA buffers Greg Kroah-Hartman
                   ` (70 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dick Kennedy, James Smart,
	Martin K. Petersen, Sasha Levin

[ Upstream commit c95a3b4b0fb8d351e2329a96f87c4fc96a149505 ]

During debug, it was seen that the driver is issuing commands specific to
SLI3 on SLI4 devices. Although the adapter correctly rejected the command,
this should not be done.

Revise the code to stop sending these commands on a SLI4 adapter.

Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
Signed-off-by: James Smart <jsmart2021@gmail.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/lpfc/lpfc_hbadisc.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/drivers/scsi/lpfc/lpfc_hbadisc.c b/drivers/scsi/lpfc/lpfc_hbadisc.c
index 4131addfb8729..a67950908db17 100644
--- a/drivers/scsi/lpfc/lpfc_hbadisc.c
+++ b/drivers/scsi/lpfc/lpfc_hbadisc.c
@@ -902,7 +902,11 @@ lpfc_linkdown(struct lpfc_hba *phba)
 			lpfc_linkdown_port(vports[i]);
 		}
 	lpfc_destroy_vport_work_array(phba, vports);
-	/* Clean up any firmware default rpi's */
+
+	/* Clean up any SLI3 firmware default rpi's */
+	if (phba->sli_rev > LPFC_SLI_REV3)
+		goto skip_unreg_did;
+
 	mb = mempool_alloc(phba->mbox_mem_pool, GFP_KERNEL);
 	if (mb) {
 		lpfc_unreg_did(phba, 0xffff, LPFC_UNREG_ALL_DFLT_RPIS, mb);
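Review bot: the forward `goto skip_unreg_did` only jumps over one if-block, so `if (phba->sli_rev <= LPFC_SLI_REV3) { ... }` around the mempool_alloc()/lpfc_unreg_did() block would say the same thing without a label; if the goto is kept, the `/* Clean up any SLI3 firmware default rpi's */` comment should state why SLI4 skips it (UNREG_DID is an SLI3-only mailbox command, as the later hunk says) so both sites read the same way.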
@@ -914,6 +918,7 @@ lpfc_linkdown(struct lpfc_hba *phba)
 		}
 	}
 
+ skip_unreg_did:
 	/* Setup myDID for link up if we are in pt2pt mode */
 	if (phba->pport->fc_flag & FC_PT2PT) {
 		phba->pport->fc_myDID = 0;
@@ -4647,6 +4652,10 @@ lpfc_unreg_default_rpis(struct lpfc_vport *vport)
 	LPFC_MBOXQ_t     *mbox;
 	int rc;
 
+	/* Unreg DID is an SLI3 operation. */
+	if (phba->sli_rev > LPFC_SLI_REV3)
+		return;
+
 	mbox = mempool_alloc(phba->mbox_mem_pool, GFP_KERNEL);
 	if (mbox) {
 		lpfc_unreg_did(phba, vport->vpi, LPFC_UNREG_ALL_DFLT_RPIS,
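Review bot: the inserted early return reads `phba->sli_rev`, but the declarations visible at the top of lpfc_unreg_default_rpis() are only `LPFC_MBOXQ_t *mbox;` and `int rc;`; confirm `phba` is declared and assigned from `vport->phba` above the new check rather than later in the function. The `> LPFC_SLI_REV3` comparison matches the one added in lpfc_linkdown(); factoring both into one predicate would keep the two sites from drifting apart.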
-- 
2.20.1


* [PATCH 4.4 176/241] spi : spi-topcliff-pch: Fix to handle empty DMA buffers
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (174 preceding siblings ...)
  2019-06-09 16:41 ` [PATCH 4.4 175/241] scsi: lpfc: Fix SLI3 commands being issued on SLI4 devices Greg Kroah-Hartman
@ 2019-06-09 16:41 ` Greg Kroah-Hartman
  2019-06-09 16:41 ` [PATCH 4.4 177/241] spi: rspi: Fix sequencer reset during initialization Greg Kroah-Hartman
                   ` (69 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Aditya Pakki, Mark Brown, Sasha Levin

[ Upstream commit f37d8e67f39e6d3eaf4cc5471e8a3d21209843c6 ]

pch_alloc_dma_buf allocated tx, rx DMA buffers which can fail. Further,
these buffers are used without a check. The patch checks for these
failures and sends the error upstream.

Signed-off-by: Aditya Pakki <pakki001@umn.edu>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/spi/spi-topcliff-pch.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/drivers/spi/spi-topcliff-pch.c b/drivers/spi/spi-topcliff-pch.c
index 93dfcee0f987b..9f30a4ab2004a 100644
--- a/drivers/spi/spi-topcliff-pch.c
+++ b/drivers/spi/spi-topcliff-pch.c
@@ -1326,18 +1326,27 @@ static void pch_free_dma_buf(struct pch_spi_board_data *board_dat,
 	return;
 }
 
-static void pch_alloc_dma_buf(struct pch_spi_board_data *board_dat,
+static int pch_alloc_dma_buf(struct pch_spi_board_data *board_dat,
 			      struct pch_spi_data *data)
 {
 	struct pch_spi_dma_ctrl *dma;
+	int ret;
 
 	dma = &data->dma;
+	ret = 0;
 	/* Get Consistent memory for Tx DMA */
 	dma->tx_buf_virt = dma_alloc_coherent(&board_dat->pdev->dev,
 				PCH_BUF_SIZE, &dma->tx_buf_dma, GFP_KERNEL);
+	if (!dma->tx_buf_virt)
+		ret = -ENOMEM;
+
 	/* Get Consistent memory for Rx DMA */
 	dma->rx_buf_virt = dma_alloc_coherent(&board_dat->pdev->dev,
 				PCH_BUF_SIZE, &dma->rx_buf_dma, GFP_KERNEL);
+	if (!dma->rx_buf_virt)
+		ret = -ENOMEM;
+
+	return ret;
 }
 
 static int pch_spi_pd_probe(struct platform_device *plat_dev)
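Review bot: if the Tx dma_alloc_coherent() succeeds and the Rx one fails, pch_alloc_dma_buf() returns -ENOMEM while `dma->tx_buf_virt` stays allocated; either free the Tx buffer before returning, or make sure the caller's error path calls pch_free_dma_buf() on the half-initialised pair. Returning as soon as the first allocation fails, instead of falling through to a second dma_alloc_coherent() whose result is about to be discarded, would also be simpler than accumulating `ret`.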
@@ -1414,7 +1423,9 @@ static int pch_spi_pd_probe(struct platform_device *plat_dev)
 
 	if (use_dma) {
 		dev_info(&plat_dev->dev, "Use DMA for data transfers\n");
-		pch_alloc_dma_buf(board_dat, data);
+		ret = pch_alloc_dma_buf(board_dat, data);
+		if (ret)
+			goto err_spi_register_master;
 	}
 
 	ret = spi_register_master(master);
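Review bot: `goto err_spi_register_master` is now taken before spi_register_master() has run, so the cleanup at that label is being reused for a new failure point; confirm it releases everything requested earlier in probe and frees whichever DMA buffer pch_alloc_dma_buf() did manage to allocate, otherwise the new error path leaks on the partial-allocation case.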
-- 
2.20.1


* [PATCH 4.4 177/241] spi: rspi: Fix sequencer reset during initialization
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (175 preceding siblings ...)
  2019-06-09 16:41 ` [PATCH 4.4 176/241] spi : spi-topcliff-pch: Fix to handle empty DMA buffers Greg Kroah-Hartman
@ 2019-06-09 16:41 ` Greg Kroah-Hartman
  2019-06-09 16:42 ` [PATCH 4.4 178/241] spi: Fix zero length xfer bug Greg Kroah-Hartman
                   ` (68 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Geert Uytterhoeven, Mark Brown, Sasha Levin

[ Upstream commit 26843bb128590edd7eba1ad7ce22e4b9f1066ce3 ]

While the sequencer is reset after each SPI message since commit
880c6d114fd79a69 ("spi: rspi: Add support for Quad and Dual SPI
Transfers on QSPI"), it was never reset for the first message, thus
relying on reset state or bootloader settings.

Fix this by initializing it explicitly during configuration.

Fixes: 0b2182ddac4b8837 ("spi: add support for Renesas RSPI")
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/spi/spi-rspi.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/drivers/spi/spi-rspi.c b/drivers/spi/spi-rspi.c
index 9882d93e7566d..0556259377f77 100644
--- a/drivers/spi/spi-rspi.c
+++ b/drivers/spi/spi-rspi.c
@@ -279,7 +279,8 @@ static int rspi_set_config_register(struct rspi_data *rspi, int access_size)
 	/* Sets parity, interrupt mask */
 	rspi_write8(rspi, 0x00, RSPI_SPCR2);
 
-	/* Sets SPCMD */
+	/* Resets sequencer */
+	rspi_write8(rspi, 0, RSPI_SPSCR);
 	rspi->spcmd |= SPCMD_SPB_8_TO_16(access_size);
 	rspi_write16(rspi, rspi->spcmd, RSPI_SPCMD0);
 
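Review bot: the `/* Sets SPCMD */` comment was replaced rather than supplemented, yet the `rspi_write16(rspi, rspi->spcmd, RSPI_SPCMD0);` it described is still there directly below the new SPSCR write; keep both comments so each register write stays documented. The same applies to the rspi_rz_set_config_register() and qspi_set_config_register() hunks below.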
@@ -313,7 +314,8 @@ static int rspi_rz_set_config_register(struct rspi_data *rspi, int access_size)
 	rspi_write8(rspi, 0x00, RSPI_SSLND);
 	rspi_write8(rspi, 0x00, RSPI_SPND);
 
-	/* Sets SPCMD */
+	/* Resets sequencer */
+	rspi_write8(rspi, 0, RSPI_SPSCR);
 	rspi->spcmd |= SPCMD_SPB_8_TO_16(access_size);
 	rspi_write16(rspi, rspi->spcmd, RSPI_SPCMD0);
 
@@ -364,7 +366,8 @@ static int qspi_set_config_register(struct rspi_data *rspi, int access_size)
 	/* Sets buffer to allow normal operation */
 	rspi_write8(rspi, 0x00, QSPI_SPBFCR);
 
-	/* Sets SPCMD */
+	/* Resets sequencer */
+	rspi_write8(rspi, 0, RSPI_SPSCR);
 	rspi_write16(rspi, rspi->spcmd, RSPI_SPCMD0);
 
 	/* Enables SPI function in master mode */
-- 
2.20.1


* [PATCH 4.4 178/241] spi: Fix zero length xfer bug
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (176 preceding siblings ...)
  2019-06-09 16:41 ` [PATCH 4.4 177/241] spi: rspi: Fix sequencer reset during initialization Greg Kroah-Hartman
@ 2019-06-09 16:42 ` Greg Kroah-Hartman
  2019-06-09 16:42 ` [PATCH 4.4 179/241] ASoC: davinci-mcasp: Fix clang warning without CONFIG_PM Greg Kroah-Hartman
                   ` (67 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:42 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Chris Lesiak, Mark Brown, Sasha Levin

[ Upstream commit 5442dcaa0d90fc376bdfc179a018931a8f43dea4 ]

This fixes a bug for messages containing both zero length and
unidirectional xfers.

The function spi_map_msg will allocate dummy tx and/or rx buffers
for use with unidirectional transfers when the hardware can only do
a bidirectional transfer.  That dummy buffer will be used in place
of a NULL buffer even when the xfer length is 0.

Then in the function __spi_map_msg, if the hardware can dma,
the zero length xfer will have spi_map_buf called on the dummy
buffer.

Eventually, __sg_alloc_table is called and returns -EINVAL
because nents == 0.

This fix prevents the error by not using the dummy buffer when
the xfer length is zero.

Signed-off-by: Chris Lesiak <chris.lesiak@licor.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/spi/spi.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c
index 04fd651f9e3e3..c132c676df3a6 100644
--- a/drivers/spi/spi.c
+++ b/drivers/spi/spi.c
@@ -903,6 +903,8 @@ static int spi_map_msg(struct spi_master *master, struct spi_message *msg)
 		if (max_tx || max_rx) {
 			list_for_each_entry(xfer, &msg->transfers,
 					    transfer_list) {
+				if (!xfer->len)
+					continue;
 				if (!xfer->tx_buf)
 					xfer->tx_buf = master->dummy_tx;
 				if (!xfer->rx_buf)
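Review bot: after the `continue`, a zero-length transfer keeps `tx_buf == NULL` and `rx_buf == NULL` even on a controller that needed the dummy buffers because it can only do bidirectional transfers; confirm __spi_map_msg() and the controller's transfer path also skip `xfer->len == 0`, otherwise the -EINVAL from __sg_alloc_table() is traded for a NULL buffer reaching the driver. A comment on the continue recording that zero-length xfers are never mapped, so no dummy buffer is needed, would capture the intent.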
-- 
2.20.1


* [PATCH 4.4 179/241] ASoC: davinci-mcasp: Fix clang warning without CONFIG_PM
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (177 preceding siblings ...)
  2019-06-09 16:42 ` [PATCH 4.4 178/241] spi: Fix zero length xfer bug Greg Kroah-Hartman
@ 2019-06-09 16:42 ` Greg Kroah-Hartman
  2019-06-09 16:42 ` [PATCH 4.4 180/241] ipv6: Consider sk_bound_dev_if when binding a raw socket to an address Greg Kroah-Hartman
                   ` (66 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:42 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Arnd Bergmann, Peter Ujfalusi,
	Nathan Chancellor, Mark Brown, Sasha Levin

[ Upstream commit 8ca5104715cfd14254ea5aecc390ae583b707607 ]

Building with clang shows a variable that is only used by the
suspend/resume functions but defined outside of their #ifdef block:

sound/soc/ti/davinci-mcasp.c:48:12: error: variable 'context_regs' is not needed and will not be emitted

We commonly fix these by marking the PM functions as __maybe_unused,
but here that would grow the davinci_mcasp structure, so instead
add another #ifdef here.

Fixes: 1cc0c054f380 ("ASoC: davinci-mcasp: Convert the context save/restore to use array")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
Reviewed-by: Nathan Chancellor <natechancellor@gmail.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/soc/davinci/davinci-mcasp.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sound/soc/davinci/davinci-mcasp.c b/sound/soc/davinci/davinci-mcasp.c
index 2ccb8bccc9d4c..512ec25c9ead1 100644
--- a/sound/soc/davinci/davinci-mcasp.c
+++ b/sound/soc/davinci/davinci-mcasp.c
@@ -43,6 +43,7 @@
 
 #define MCASP_MAX_AFIFO_DEPTH	64
 
+#ifdef CONFIG_PM
 static u32 context_regs[] = {
 	DAVINCI_MCASP_TXFMCTL_REG,
 	DAVINCI_MCASP_RXFMCTL_REG,
@@ -65,6 +66,7 @@ struct davinci_mcasp_context {
 	u32	*xrsr_regs; /* for serializer configuration */
 	bool	pm_state;
 };
+#endif
 
 struct davinci_mcasp_ruledata {
 	struct davinci_mcasp *mcasp;
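Review bot: `struct davinci_mcasp_context` is now only defined under CONFIG_PM, so the `context` member of struct davinci_mcasp that the commit message alludes to must sit under the same `#ifdef CONFIG_PM`, as must the suspend/resume functions that index `context_regs`; check that none of them is guarded by CONFIG_PM_SLEEP instead, since a CONFIG_PM=y, CONFIG_PM_SLEEP=n build would then either fail on the missing type or hit the original unused-variable warning again.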
-- 
2.20.1


* [PATCH 4.4 180/241] ipv6: Consider sk_bound_dev_if when binding a raw socket to an address
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (178 preceding siblings ...)
  2019-06-09 16:42 ` [PATCH 4.4 179/241] ASoC: davinci-mcasp: Fix clang warning without CONFIG_PM Greg Kroah-Hartman
@ 2019-06-09 16:42 ` Greg Kroah-Hartman
  2019-06-09 16:42 ` [PATCH 4.4 181/241] llc: fix skb leak in llc_build_and_send_ui_pkt() Greg Kroah-Hartman
                   ` (65 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:42 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mike Manning, David Ahern, David S. Miller

From: Mike Manning <mmanning@vyatta.att-mail.com>

[ Upstream commit 72f7cfab6f93a8ea825fab8ccfb016d064269f7f ]

IPv6 does not consider if the socket is bound to a device when binding
to an address. The result is that a socket can be bound to eth0 and
then bound to the address of eth1. If the device is a VRF, the result
is that a socket can only be bound to an address in the default VRF.

Resolve by considering the device if sk_bound_dev_if is set.

Signed-off-by: Mike Manning <mmanning@vyatta.att-mail.com>
Reviewed-by: David Ahern <dsahern@gmail.com>
Tested-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv6/raw.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/net/ipv6/raw.c
+++ b/net/ipv6/raw.c
@@ -283,7 +283,9 @@ static int rawv6_bind(struct sock *sk, s
 			/* Binding to link-local address requires an interface */
 			if (!sk->sk_bound_dev_if)
 				goto out_unlock;
+		}
 
+		if (sk->sk_bound_dev_if) {
 			err = -ENODEV;
 			dev = dev_get_by_index_rcu(sock_net(sk),
 						   sk->sk_bound_dev_if);
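Review bot: the new `}` closes the link-local branch and the new `if (sk->sk_bound_dev_if) {` adopts that branch's old closing brace, so the diff is correct but hard to read; a comment above the new block saying that the device lookup now applies to every bind on a device-bound socket, not just link-local ones, would help the next reader. Because `err = -ENODEV` and dev_get_by_index_rcu() now run for global addresses too, the `!dev` failure path that was previously reachable only for link-local binds is reachable for all of them; that path is cut off in this hunk, so confirm it still ends in `goto out_unlock` with nothing in it that assumed a link-local address.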


* [PATCH 4.4 181/241] llc: fix skb leak in llc_build_and_send_ui_pkt()
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (179 preceding siblings ...)
  2019-06-09 16:42 ` [PATCH 4.4 180/241] ipv6: Consider sk_bound_dev_if when binding a raw socket to an address Greg Kroah-Hartman
@ 2019-06-09 16:42 ` Greg Kroah-Hartman
  2019-06-09 16:42 ` [PATCH 4.4 182/241] net-gro: fix use-after-free read in napi_gro_frags() Greg Kroah-Hartman
                   ` (64 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:42 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eric Dumazet, syzbot, David S. Miller

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 8fb44d60d4142cd2a440620cd291d346e23c131e ]

If llc_mac_hdr_init() returns an error, we must drop the skb
since no llc_build_and_send_ui_pkt() caller will take care of this.

BUG: memory leak
unreferenced object 0xffff8881202b6800 (size 2048):
  comm "syz-executor907", pid 7074, jiffies 4294943781 (age 8.590s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    1a 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00  ...@............
  backtrace:
    [<00000000e25b5abe>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline]
    [<00000000e25b5abe>] slab_post_alloc_hook mm/slab.h:439 [inline]
    [<00000000e25b5abe>] slab_alloc mm/slab.c:3326 [inline]
    [<00000000e25b5abe>] __do_kmalloc mm/slab.c:3658 [inline]
    [<00000000e25b5abe>] __kmalloc+0x161/0x2c0 mm/slab.c:3669
    [<00000000a1ae188a>] kmalloc include/linux/slab.h:552 [inline]
    [<00000000a1ae188a>] sk_prot_alloc+0xd6/0x170 net/core/sock.c:1608
    [<00000000ded25bbe>] sk_alloc+0x35/0x2f0 net/core/sock.c:1662
    [<000000002ecae075>] llc_sk_alloc+0x35/0x170 net/llc/llc_conn.c:950
    [<00000000551f7c47>] llc_ui_create+0x7b/0x140 net/llc/af_llc.c:173
    [<0000000029027f0e>] __sock_create+0x164/0x250 net/socket.c:1430
    [<000000008bdec225>] sock_create net/socket.c:1481 [inline]
    [<000000008bdec225>] __sys_socket+0x69/0x110 net/socket.c:1523
    [<00000000b6439228>] __do_sys_socket net/socket.c:1532 [inline]
    [<00000000b6439228>] __se_sys_socket net/socket.c:1530 [inline]
    [<00000000b6439228>] __x64_sys_socket+0x1e/0x30 net/socket.c:1530
    [<00000000cec820c1>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
    [<000000000c32554f>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff88811d750d00 (size 224):
  comm "syz-executor907", pid 7074, jiffies 4294943781 (age 8.600s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 f0 0c 24 81 88 ff ff 00 68 2b 20 81 88 ff ff  ...$.....h+ ....
  backtrace:
    [<0000000053026172>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline]
    [<0000000053026172>] slab_post_alloc_hook mm/slab.h:439 [inline]
    [<0000000053026172>] slab_alloc_node mm/slab.c:3269 [inline]
    [<0000000053026172>] kmem_cache_alloc_node+0x153/0x2a0 mm/slab.c:3579
    [<00000000fa8f3c30>] __alloc_skb+0x6e/0x210 net/core/skbuff.c:198
    [<00000000d96fdafb>] alloc_skb include/linux/skbuff.h:1058 [inline]
    [<00000000d96fdafb>] alloc_skb_with_frags+0x5f/0x250 net/core/skbuff.c:5327
    [<000000000a34a2e7>] sock_alloc_send_pskb+0x269/0x2a0 net/core/sock.c:2225
    [<00000000ee39999b>] sock_alloc_send_skb+0x32/0x40 net/core/sock.c:2242
    [<00000000e034d810>] llc_ui_sendmsg+0x10a/0x540 net/llc/af_llc.c:933
    [<00000000c0bc8445>] sock_sendmsg_nosec net/socket.c:652 [inline]
    [<00000000c0bc8445>] sock_sendmsg+0x54/0x70 net/socket.c:671
    [<000000003b687167>] __sys_sendto+0x148/0x1f0 net/socket.c:1964
    [<00000000922d78d9>] __do_sys_sendto net/socket.c:1976 [inline]
    [<00000000922d78d9>] __se_sys_sendto net/socket.c:1972 [inline]
    [<00000000922d78d9>] __x64_sys_sendto+0x2a/0x30 net/socket.c:1972
    [<00000000cec820c1>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
    [<000000000c32554f>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/llc/llc_output.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/net/llc/llc_output.c
+++ b/net/llc/llc_output.c
@@ -72,6 +72,8 @@ int llc_build_and_send_ui_pkt(struct llc
 	rc = llc_mac_hdr_init(skb, skb->dev->dev_addr, dmac);
 	if (likely(!rc))
 		rc = dev_queue_xmit(skb);
+	else
+		kfree_skb(skb);
 	return rc;
 }
 
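Review bot: the `else kfree_skb(skb);` branch makes ownership consistent (dev_queue_xmit() consumes the skb on success and failure alike; the llc_mac_hdr_init() failure path now frees it), but nothing at the site says so; a one-line comment on the else would stop a future change from either adding a second free after dev_queue_xmit() or removing this one. The backtrace in the commit message shows the leak is reachable from a plain sendto() on an LLC socket, which is worth spelling out given that the Fixes: tag reaches back to 2.6.12.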


* [PATCH 4.4 182/241] net-gro: fix use-after-free read in napi_gro_frags()
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (180 preceding siblings ...)
  2019-06-09 16:42 ` [PATCH 4.4 181/241] llc: fix skb leak in llc_build_and_send_ui_pkt() Greg Kroah-Hartman
@ 2019-06-09 16:42 ` Greg Kroah-Hartman
  2019-06-09 16:42 ` [PATCH 4.4 183/241] net: stmmac: fix reset gpio free missing Greg Kroah-Hartman
                   ` (63 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:42 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eric Dumazet, syzbot, David S. Miller

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit a4270d6795b0580287453ea55974d948393e66ef ]

If a network driver provides to napi_gro_frags() an
skb with a page fragment of exactly 14 bytes, the call
to gro_pull_from_frag0() will 'consume' the fragment
by calling skb_frag_unref(skb, 0), and the page might
be freed and reused.

Reading eth->h_proto at the end of napi_frags_skb() might
read mangled data, or crash under specific debugging features.

BUG: KASAN: use-after-free in napi_frags_skb net/core/dev.c:5833 [inline]
BUG: KASAN: use-after-free in napi_gro_frags+0xc6f/0xd10 net/core/dev.c:5841
Read of size 2 at addr ffff88809366840c by task syz-executor599/8957

CPU: 1 PID: 8957 Comm: syz-executor599 Not tainted 5.2.0-rc1+ #32
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:188
 __kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
 kasan_report+0x12/0x20 mm/kasan/common.c:614
 __asan_report_load_n_noabort+0xf/0x20 mm/kasan/generic_report.c:142
 napi_frags_skb net/core/dev.c:5833 [inline]
 napi_gro_frags+0xc6f/0xd10 net/core/dev.c:5841
 tun_get_user+0x2f3c/0x3ff0 drivers/net/tun.c:1991
 tun_chr_write_iter+0xbd/0x156 drivers/net/tun.c:2037
 call_write_iter include/linux/fs.h:1872 [inline]
 do_iter_readv_writev+0x5f8/0x8f0 fs/read_write.c:693
 do_iter_write fs/read_write.c:970 [inline]
 do_iter_write+0x184/0x610 fs/read_write.c:951
 vfs_writev+0x1b3/0x2f0 fs/read_write.c:1015
 do_writev+0x15b/0x330 fs/read_write.c:1058

Fixes: a50e233c50db ("net-gro: restore frag0 optimization")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/core/dev.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -4550,7 +4550,6 @@ static struct sk_buff *napi_frags_skb(st
 	skb_reset_mac_header(skb);
 	skb_gro_reset_offset(skb);
 
-	eth = skb_gro_header_fast(skb, 0);
 	if (unlikely(skb_gro_header_hard(skb, hlen))) {
 		eth = skb_gro_header_slow(skb, hlen, 0);
 		if (unlikely(!eth)) {
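Review bot: with `eth = skb_gro_header_fast(skb, 0);` gone, `eth` is assigned only inside the two branches below, which is fine as long as every branch sets it before the eth->h_proto read further down; a comment here explaining why the fast path was removed (gro_pull_from_frag0() may drop the only reference to the frag page when the fragment is exactly hlen bytes long) would stop someone from restoring the obvious-looking optimisation.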
@@ -4558,6 +4557,7 @@ static struct sk_buff *napi_frags_skb(st
 			return NULL;
 		}
 	} else {
+		eth = (const struct ethhdr *)skb->data;
 		gro_pull_from_frag0(skb, hlen);
 		NAPI_GRO_CB(skb)->frag0 += hlen;
 		NAPI_GRO_CB(skb)->frag0_len -= hlen;
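Review bot: `eth = (const struct ethhdr *)skb->data;` works because gro_pull_from_frag0(skb, hlen) copies the header into the linear area that skb->data already points at before it releases the fragment, so the later eth->h_proto read hits the copy rather than the possibly-recycled page; say that in a comment next to the assignment. Also confirm `eth` is declared `const struct ethhdr *` in this function so the cast does not introduce a qualifier warning.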


* [PATCH 4.4 183/241] net: stmmac: fix reset gpio free missing
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (181 preceding siblings ...)
  2019-06-09 16:42 ` [PATCH 4.4 182/241] net-gro: fix use-after-free read in napi_gro_frags() Greg Kroah-Hartman
@ 2019-06-09 16:42 ` Greg Kroah-Hartman
  2019-06-09 16:42 ` [PATCH 4.4 184/241] usbnet: fix kernel crash after disconnect Greg Kroah-Hartman
                   ` (62 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:42 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jisheng Zhang, David S. Miller

From: Jisheng Zhang <Jisheng.Zhang@synaptics.com>

[ Upstream commit 49ce881c0d4c4a7a35358d9dccd5f26d0e56fc61 ]

Commit 984203ceff27 ("net: stmmac: mdio: remove reset gpio free")
removed the reset gpio free; when the driver is unbound or removed with rmmod,
we miss the gpio free.

This patch uses managed API to request the reset gpio, so that the
gpio could be freed properly.

Fixes: 984203ceff27 ("net: stmmac: mdio: remove reset gpio free")
Signed-off-by: Jisheng Zhang <Jisheng.Zhang@synaptics.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c
@@ -154,7 +154,8 @@ int stmmac_mdio_reset(struct mii_bus *bu
 			of_property_read_u32_array(np,
 				"snps,reset-delays-us", data->delays, 3);
 
-			if (gpio_request(data->reset_gpio, "mdio-reset"))
+			if (devm_gpio_request(priv->device, data->reset_gpio,
+					      "mdio-reset"))
 				return 0;
 		}
 
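Review bot: devm_gpio_request() binds the GPIO's lifetime to priv->device, so if stmmac_mdio_reset() runs a second time for the same device the request fails with -EBUSY and the existing `return 0` silently skips the reset; either request the GPIO once at probe time and only toggle it here, or treat -EBUSY as already-owned. Also confirm `priv` is in scope in stmmac_mdio_reset(), since the hunk context does not show where it is declared.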


* [PATCH 4.4 184/241] usbnet: fix kernel crash after disconnect
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (182 preceding siblings ...)
  2019-06-09 16:42 ` [PATCH 4.4 183/241] net: stmmac: fix reset gpio free missing Greg Kroah-Hartman
@ 2019-06-09 16:42 ` Greg Kroah-Hartman
  2019-06-09 16:42 ` [PATCH 4.4 185/241] tipc: Avoid copying bytes beyond the supplied data Greg Kroah-Hartman
                   ` (61 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:42 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jan Klötzke, David S. Miller

From: Kloetzke Jan <Jan.Kloetzke@preh.de>

[ Upstream commit ad70411a978d1e6e97b1e341a7bde9a79af0c93d ]

When disconnecting cdc_ncm the kernel sporadically crashes shortly
after the disconnect:

  [   57.868812] Unable to handle kernel NULL pointer dereference at virtual address 00000000
  ...
  [   58.006653] PC is at 0x0
  [   58.009202] LR is at call_timer_fn+0xec/0x1b4
  [   58.013567] pc : [<0000000000000000>] lr : [<ffffff80080f5130>] pstate: 00000145
  [   58.020976] sp : ffffff8008003da0
  [   58.024295] x29: ffffff8008003da0 x28: 0000000000000001
  [   58.029618] x27: 000000000000000a x26: 0000000000000100
  [   58.034941] x25: 0000000000000000 x24: ffffff8008003e68
  [   58.040263] x23: 0000000000000000 x22: 0000000000000000
  [   58.045587] x21: 0000000000000000 x20: ffffffc68fac1808
  [   58.050910] x19: 0000000000000100 x18: 0000000000000000
  [   58.056232] x17: 0000007f885aff8c x16: 0000007f883a9f10
  [   58.061556] x15: 0000000000000001 x14: 000000000000006e
  [   58.066878] x13: 0000000000000000 x12: 00000000000000ba
  [   58.072201] x11: ffffffc69ff1db30 x10: 0000000000000020
  [   58.077524] x9 : 8000100008001000 x8 : 0000000000000001
  [   58.082847] x7 : 0000000000000800 x6 : ffffff8008003e70
  [   58.088169] x5 : ffffffc69ff17a28 x4 : 00000000ffff138b
  [   58.093492] x3 : 0000000000000000 x2 : 0000000000000000
  [   58.098814] x1 : 0000000000000000 x0 : 0000000000000000
  ...
  [   58.205800] [<          (null)>]           (null)
  [   58.210521] [<ffffff80080f5298>] expire_timers+0xa0/0x14c
  [   58.215937] [<ffffff80080f542c>] run_timer_softirq+0xe8/0x128
  [   58.221702] [<ffffff8008081120>] __do_softirq+0x298/0x348
  [   58.227118] [<ffffff80080a6304>] irq_exit+0x74/0xbc
  [   58.232009] [<ffffff80080e17dc>] __handle_domain_irq+0x78/0xac
  [   58.237857] [<ffffff8008080cf4>] gic_handle_irq+0x80/0xac
  ...

The crash happens roughly 125..130ms after the disconnect. This
correlates with the 'delay' timer that is started on certain USB tx/rx
errors in the URB completion handler.

The problem is a race of usbnet_stop() with usbnet_start_xmit(). In
usbnet_stop() we call usbnet_terminate_urbs() to cancel all URBs in
flight. This only makes sense if no new URBs are submitted
concurrently, though. But usbnet_start_xmit() can run at the same
time on another CPU, which almost unconditionally submits a URB. The
error callback of the new URB will then schedule the timer after it was
already stopped.

The fix adds a check if the tx queue is stopped after the tx list lock
has been taken. This should reliably prevent the submission of new URBs
while usbnet_terminate_urbs() does its job. The same thing is done on
the rx side even though it might be safe due to other flags that are
checked there.

Signed-off-by: Jan Klötzke <Jan.Kloetzke@preh.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/usb/usbnet.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/drivers/net/usb/usbnet.c
+++ b/drivers/net/usb/usbnet.c
@@ -499,6 +499,7 @@ static int rx_submit (struct usbnet *dev
 
 	if (netif_running (dev->net) &&
 	    netif_device_present (dev->net) &&
+	    test_bit(EVENT_DEV_OPEN, &dev->flags) &&
 	    !test_bit (EVENT_RX_HALT, &dev->flags) &&
 	    !test_bit (EVENT_DEV_ASLEEP, &dev->flags)) {
 		switch (retval = usb_submit_urb (urb, GFP_ATOMIC)) {
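Review bot: the added `test_bit(EVENT_DEV_OPEN, &dev->flags)` only closes the rx window if usbnet_stop() clears EVENT_DEV_OPEN before it calls usbnet_terminate_urbs(); that ordering is outside this hunk, so it should be confirmed and ideally stated in a comment next to the new condition (the commit message itself says the rx side "might be safe due to other flags", which is exactly the dependency worth writing down). Style nit: the neighbouring conditions use `test_bit (` with a space, so the new line should match them or the others should be cleaned up in the same change.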
@@ -1385,6 +1386,11 @@ netdev_tx_t usbnet_start_xmit (struct sk
 		spin_unlock_irqrestore(&dev->txq.lock, flags);
 		goto drop;
 	}
+	if (netif_queue_stopped(net)) {
+		usb_autopm_put_interface_async(dev->intf);
+		spin_unlock_irqrestore(&dev->txq.lock, flags);
+		goto drop;
+	}
 
 #ifdef CONFIG_PM
 	/* if this triggers the device is still a sleep */
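Review bot: the netif_queue_stopped() check is only race-free because it runs after txq.lock has been taken (the spin_unlock_irqrestore() in the branch just above shows the lock is held at this point), which is what serialises it against usbnet_terminate_urbs(); a one-line comment above the new `if` saying the test must stay under the lock would protect the fix from a later reordering. The unwind (usb_autopm_put_interface_async(), then unlock, then `goto drop`) mirrors the error branch immediately above it, so the PM refcount and lock state on this path stay consistent.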




* [PATCH 4.4 185/241] tipc: Avoid copying bytes beyond the supplied data
From: Greg Kroah-Hartman @ 2019-06-09 16:42 UTC
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Chris Packham, David S. Miller

From: Chris Packham <chris.packham@alliedtelesis.co.nz>

TLV_SET is called with a data pointer and a len parameter that tells us
how many bytes are pointed to by data. When invoking memcpy() we need
to be careful to only copy len bytes.

Previously we would copy TLV_LENGTH(len) bytes which would copy an extra
4 bytes past the end of the data pointer which newer GCC versions
complain about.

 In file included from test.c:17:
 In function 'TLV_SET',
     inlined from 'test' at test.c:186:5:
 /usr/include/linux/tipc_config.h:317:3:
 warning: 'memcpy' forming offset [33, 36] is out of the bounds [0, 32]
 of object 'bearer_name' with type 'char[32]' [-Warray-bounds]
     memcpy(TLV_DATA(tlv_ptr), data, tlv_len);
     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 test.c: In function 'test':
 test.c::161:10: note:
 'bearer_name' declared here
     char bearer_name[TIPC_MAX_BEARER_NAME];
          ^~~~~~~~~~~

We still want to ensure any padding bytes at the end are initialised; do
this with an explicit memset() rather than copying bytes past the end of
data. Apply the same logic to TCM_SET.

Signed-off-by: Chris Packham <chris.packham@alliedtelesis.co.nz>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/uapi/linux/tipc_config.h |   10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

--- a/include/uapi/linux/tipc_config.h
+++ b/include/uapi/linux/tipc_config.h
@@ -301,8 +301,10 @@ static inline int TLV_SET(void *tlv, __u
 	tlv_ptr = (struct tlv_desc *)tlv;
 	tlv_ptr->tlv_type = htons(type);
 	tlv_ptr->tlv_len  = htons(tlv_len);
-	if (len && data)
-		memcpy(TLV_DATA(tlv_ptr), data, tlv_len);
+	if (len && data) {
+		memcpy(TLV_DATA(tlv_ptr), data, len);
+		memset(TLV_DATA(tlv_ptr) + len, 0, TLV_SPACE(len) - tlv_len);
+	}
 	return TLV_SPACE(len);
 }
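Review bot: if TLV_DATA() evaluates to a `void *`, then `TLV_DATA(tlv_ptr) + len` is pointer arithmetic on void, a GNU extension that a non-GCC user-space compiler may reject in a UAPI header; casting to `char *` (or `__u8 *`) before adding `len` avoids that. The padding size `TLV_SPACE(len) - tlv_len` is correct only because tlv_len is the TLV_LENGTH(len) value stored into tlv_ptr->tlv_len two lines above (the same value the removed memcpy used as its over-long copy length); a short comment such as "zero the alignment padding after the payload" would make that arithmetic self-explanatory.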
 
@@ -399,8 +401,10 @@ static inline int TCM_SET(void *msg, __u
 	tcm_hdr->tcm_len   = htonl(msg_len);
 	tcm_hdr->tcm_type  = htons(cmd);
 	tcm_hdr->tcm_flags = htons(flags);
-	if (data_len && data)
+	if (data_len && data) {
 		memcpy(TCM_DATA(msg), data, data_len);
+		memset(TCM_DATA(msg) + data_len, 0, TCM_SPACE(data_len) - msg_len);
+	}
 	return TCM_SPACE(data_len);
 }
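Review bot: same pattern as TLV_SET above: `TCM_DATA(msg) + data_len` carries the same void-pointer arithmetic concern, and the padding length `TCM_SPACE(data_len) - msg_len` relies on msg_len being the header-plus-data length written into tcm_hdr->tcm_len at the top of the hunk. Unlike TLV_SET, the memcpy line here is unchanged (it already copied data_len, not msg_len), so this hunk only adds the padding zeroing; saying so in the changelog would save reviewers a second look.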
 




* [PATCH 4.4 186/241] bnxt_en: Fix aggregation buffer leak under OOM condition.
From: Greg Kroah-Hartman @ 2019-06-09 16:42 UTC
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Rakesh Hemnani, Michael Chan,
	David S. Miller

From: Michael Chan <michael.chan@broadcom.com>

[ Upstream commit 296d5b54163964b7ae536b8b57dfbd21d4e868e1 ]

For every RX packet, the driver replenishes all buffers used for that
packet and puts them back into the RX ring and RX aggregation ring.
In one code path where the RX packet has one RX buffer and one or more
aggregation buffers, we missed recycling the aggregation buffer(s) if
we are unable to allocate a new SKB buffer.  This leads to the
aggregation ring slowly running out of buffers over time.  Fix it
by properly recycling the aggregation buffers.

Fixes: c0c050c58d84 ("bnxt_en: New Broadcom ethernet driver.")
Reported-by: Rakesh Hemnani <rhemnani@fb.com>
Signed-off-by: Michael Chan <michael.chan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/broadcom/bnxt/bnxt.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
@@ -1140,6 +1140,8 @@ static int bnxt_rx_pkt(struct bnxt *bp,
 		skb = bnxt_copy_skb(bnapi, data, len, dma_addr);
 		bnxt_reuse_rx_data(rxr, cons, data);
 		if (!skb) {
+			if (agg_bufs)
+				bnxt_reuse_rx_agg_bufs(bnapi, cp_cons, agg_bufs);
 			rc = -ENOMEM;
 			goto next_rx;
 		}
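Review bot: the recycle sits after bnxt_reuse_rx_data() and before `goto next_rx`, so both the RX buffer and the aggregation buffers are returned before the ring moves on, which is the right place for it. The `if (agg_bufs)` guard implies bnxt_reuse_rx_agg_bufs() must not be called with a zero count; a brief comment would save the next reader from checking. Since the commit message says this is the one path that missed the recycle, noting why this bnxt_copy_skb() path differs from the other `!skb` paths would help anyone auditing the remaining allocation-failure branches.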




* [PATCH 4.4 187/241] net: mvpp2: fix bad MVPP2_TXQ_SCHED_TOKEN_CNTR_REG queue value
From: Greg Kroah-Hartman @ 2019-06-09 16:42 UTC
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Antoine Tenart, David S. Miller

From: Antoine Tenart <antoine.tenart@bootlin.com>

[ Upstream commit 21808437214637952b61beaba6034d97880fbeb3 ]

MVPP2_TXQ_SCHED_TOKEN_CNTR_REG() expects the logical queue id but
the current code is passing the global tx queue offset, so it ends
up writing to unknown registers (between 0x8280 and 0x82fc, which
seemed to be unused by the hardware). This fixes the issue by using
the logical queue id instead.

Fixes: 3f518509dedc ("ethernet: Add new driver for Marvell Armada 375 network unit")
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/marvell/mvpp2.c |   10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

--- a/drivers/net/ethernet/marvell/mvpp2.c
+++ b/drivers/net/ethernet/marvell/mvpp2.c
@@ -3940,7 +3940,7 @@ static inline void mvpp2_gmac_max_rx_siz
 /* Set defaults to the MVPP2 port */
 static void mvpp2_defaults_set(struct mvpp2_port *port)
 {
-	int tx_port_num, val, queue, ptxq, lrxq;
+	int tx_port_num, val, queue, lrxq;
 
 	/* Configure port to loopback if needed */
 	if (port->flags & MVPP2_F_LOOPBACK)
@@ -3960,11 +3960,9 @@ static void mvpp2_defaults_set(struct mv
 	mvpp2_write(port->priv, MVPP2_TXP_SCHED_CMD_1_REG, 0);
 
 	/* Close bandwidth for all queues */
-	for (queue = 0; queue < MVPP2_MAX_TXQ; queue++) {
-		ptxq = mvpp2_txq_phys(port->id, queue);
+	for (queue = 0; queue < MVPP2_MAX_TXQ; queue++)
 		mvpp2_write(port->priv,
-			    MVPP2_TXQ_SCHED_TOKEN_CNTR_REG(ptxq), 0);
-	}
+			    MVPP2_TXQ_SCHED_TOKEN_CNTR_REG(queue), 0);
 
 	/* Set refill period to 1 usec, refill tokens
 	 * and bucket size to maximum
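Review bot: dropping the braces leaves a two-line statement under a brace-less `for`; kernel style permits it, but with the mvpp2_write() call split across lines, keeping the braces is clearer and makes a future second statement in the loop safer. Functionally the change is right: MVPP2_TXQ_SCHED_TOKEN_CNTR_REG() takes the per-port logical queue index, so the physical queue number from mvpp2_txq_phys() that was passed before indexed the unrelated 0x8280..0x82fc range named in the commit message.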
@@ -4722,7 +4720,7 @@ static void mvpp2_txq_deinit(struct mvpp
 	txq->descs_phys        = 0;
 
 	/* Set minimum bandwidth for disabled TXQs */
-	mvpp2_write(port->priv, MVPP2_TXQ_SCHED_TOKEN_CNTR_REG(txq->id), 0);
+	mvpp2_write(port->priv, MVPP2_TXQ_SCHED_TOKEN_CNTR_REG(txq->log_id), 0);
 
 	/* Set Tx descriptors queue starting address and size */
 	mvpp2_write(port->priv, MVPP2_TXQ_NUM_REG, txq->id);
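Review bot: txq->log_id here versus txq->id two lines below (MVPP2_TXQ_NUM_REG) is exactly the physical-versus-logical distinction this fix is about; a comment at the register macro, or at this call site, stating which registers take which index would stop the same mix-up from being reintroduced during a later refactor.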




* [PATCH 4.4 188/241] crypto: vmx - ghash: do nosimd fallback manually
From: Greg Kroah-Hartman @ 2019-06-09 16:42 UTC
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eric Biggers, Daniel Axtens,
	Ard Biesheuvel, Michael Ellerman, Herbert Xu

From: Daniel Axtens <dja@axtens.net>

commit 357d065a44cdd77ed5ff35155a989f2a763e96ef upstream.

VMX ghash was using a fallback that did not support interleaving simd
and nosimd operations, leading to failures in the extended test suite.

If I understood correctly, Eric's suggestion was to use the same
data format that the generic code uses, allowing us to call into it
with the same contexts. I wasn't able to get that to work - I think
there's a very different key structure and data layout being used.

So instead steal the arm64 approach and perform the fallback
operations directly if required.

Fixes: cc333cd68dfa ("crypto: vmx - Adding GHASH routines for VMX module")
Cc: stable@vger.kernel.org # v4.1+
Reported-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Daniel Axtens <dja@axtens.net>
Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Tested-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/crypto/vmx/ghash.c |  218 ++++++++++++++++++---------------------------
 1 file changed, 89 insertions(+), 129 deletions(-)

--- a/drivers/crypto/vmx/ghash.c
+++ b/drivers/crypto/vmx/ghash.c
@@ -1,22 +1,14 @@
+// SPDX-License-Identifier: GPL-2.0
 /**
  * GHASH routines supporting VMX instructions on the Power 8
  *
- * Copyright (C) 2015 International Business Machines Inc.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; version 2 only.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ * Copyright (C) 2015, 2019 International Business Machines Inc.
  *
  * Author: Marcelo Henrique Cerri <mhcerri@br.ibm.com>
+ *
+ * Extended by Daniel Axtens <dja@axtens.net> to replace the fallback
+ * mechanism. The new approach is based on arm64 code, which is:
+ *   Copyright (C) 2014 - 2018 Linaro Ltd. <ard.biesheuvel@linaro.org>
  */
 
 #include <linux/types.h>
@@ -39,71 +31,25 @@ void gcm_ghash_p8(u64 Xi[2], const u128
 		  const u8 *in, size_t len);
 
 struct p8_ghash_ctx {
+	/* key used by vector asm */
 	u128 htable[16];
-	struct crypto_shash *fallback;
+	/* key used by software fallback */
+	be128 key;
 };
 
 struct p8_ghash_desc_ctx {
 	u64 shash[2];
 	u8 buffer[GHASH_DIGEST_SIZE];
 	int bytes;
-	struct shash_desc fallback_desc;
 };
 
-static int p8_ghash_init_tfm(struct crypto_tfm *tfm)
-{
-	const char *alg = "ghash-generic";
-	struct crypto_shash *fallback;
-	struct crypto_shash *shash_tfm = __crypto_shash_cast(tfm);
-	struct p8_ghash_ctx *ctx = crypto_tfm_ctx(tfm);
-
-	fallback = crypto_alloc_shash(alg, 0, CRYPTO_ALG_NEED_FALLBACK);
-	if (IS_ERR(fallback)) {
-		printk(KERN_ERR
-		       "Failed to allocate transformation for '%s': %ld\n",
-		       alg, PTR_ERR(fallback));
-		return PTR_ERR(fallback);
-	}
-
-	crypto_shash_set_flags(fallback,
-			       crypto_shash_get_flags((struct crypto_shash
-						       *) tfm));
-
-	/* Check if the descsize defined in the algorithm is still enough. */
-	if (shash_tfm->descsize < sizeof(struct p8_ghash_desc_ctx)
-	    + crypto_shash_descsize(fallback)) {
-		printk(KERN_ERR
-		       "Desc size of the fallback implementation (%s) does not match the expected value: %lu vs %u\n",
-		       alg,
-		       shash_tfm->descsize - sizeof(struct p8_ghash_desc_ctx),
-		       crypto_shash_descsize(fallback));
-		return -EINVAL;
-	}
-	ctx->fallback = fallback;
-
-	return 0;
-}
-
-static void p8_ghash_exit_tfm(struct crypto_tfm *tfm)
-{
-	struct p8_ghash_ctx *ctx = crypto_tfm_ctx(tfm);
-
-	if (ctx->fallback) {
-		crypto_free_shash(ctx->fallback);
-		ctx->fallback = NULL;
-	}
-}
-
 static int p8_ghash_init(struct shash_desc *desc)
 {
-	struct p8_ghash_ctx *ctx = crypto_tfm_ctx(crypto_shash_tfm(desc->tfm));
 	struct p8_ghash_desc_ctx *dctx = shash_desc_ctx(desc);
 
 	dctx->bytes = 0;
 	memset(dctx->shash, 0, GHASH_DIGEST_SIZE);
-	dctx->fallback_desc.tfm = ctx->fallback;
-	dctx->fallback_desc.flags = desc->flags;
-	return crypto_shash_init(&dctx->fallback_desc);
+	return 0;
 }
 
 static int p8_ghash_setkey(struct crypto_shash *tfm, const u8 *key,
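Review bot: the whole fix rests on gcm_ghash_p8() and the gf128mul_lle() fallback sharing one in-memory representation of the running hash in dctx->shash (and, for the key, on ctx->key and ctx->htable being derived from the same bytes), since that is what lets a VMX-processed block be followed by a software-processed block on the same descriptor; that invariant is not stated anywhere, so a comment on `u64 shash[2]` giving its byte order would document why interleaving is now safe. Removing cra_init/cra_exit together with the fallback shash is consistent, and p8_ghash_init no longer needs `ctx`, so dropping that local is correct.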
@@ -122,7 +68,53 @@ static int p8_ghash_setkey(struct crypto
 	gcm_init_p8(ctx->htable, (const u64 *) key);
 	pagefault_enable();
 	preempt_enable();
-	return crypto_shash_setkey(ctx->fallback, key, keylen);
+
+	memcpy(&ctx->key, key, GHASH_BLOCK_SIZE);
+
+	return 0;
+}
+
+static inline void __ghash_block(struct p8_ghash_ctx *ctx,
+				 struct p8_ghash_desc_ctx *dctx)
+{
+	if (!IN_INTERRUPT) {
+		preempt_disable();
+		pagefault_disable();
+		enable_kernel_altivec();
+		enable_kernel_vsx();
+		enable_kernel_fp();
+		gcm_ghash_p8(dctx->shash, ctx->htable,
+				dctx->buffer, GHASH_DIGEST_SIZE);
+		pagefault_enable();
+		preempt_enable();
+	} else {
+		crypto_xor((u8 *)dctx->shash, dctx->buffer, GHASH_BLOCK_SIZE);
+		gf128mul_lle((be128 *)dctx->shash, &ctx->key);
+	}
+}
+
+static inline void __ghash_blocks(struct p8_ghash_ctx *ctx,
+				  struct p8_ghash_desc_ctx *dctx,
+				  const u8 *src, unsigned int srclen)
+{
+	if (!IN_INTERRUPT) {
+		preempt_disable();
+		pagefault_disable();
+		enable_kernel_altivec();
+		enable_kernel_vsx();
+		enable_kernel_fp();
+		gcm_ghash_p8(dctx->shash, ctx->htable,
+				src, srclen);
+		pagefault_enable();
+		preempt_enable();
+	} else {
+		while (srclen >= GHASH_BLOCK_SIZE) {
+			crypto_xor((u8 *)dctx->shash, src, GHASH_BLOCK_SIZE);
+			gf128mul_lle((be128 *)dctx->shash, &ctx->key);
+			srclen -= GHASH_BLOCK_SIZE;
+			src += GHASH_BLOCK_SIZE;
+		}
+	}
 }
 
 static int p8_ghash_update(struct shash_desc *desc,
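Review bot: __ghash_block() duplicates the preempt/pagefault/altivec/vsx/fp enable sequence of __ghash_blocks(); it could simply call __ghash_blocks(ctx, dctx, dctx->buffer, GHASH_DIGEST_SIZE) so the VMX entry and exit dance lives in one place. Separately, the diffstat shows only drivers/crypto/vmx/ghash.c changing while the fallback now calls gf128mul_lle(), so the vmx Kconfig must already select CRYPTO_GF128MUL, otherwise the module fails to link on configurations that no longer pull it in through ghash-generic. The raw key copied into ctx->key now sits alongside the expanded htable; both live in the tfm context, which the crypto core zeroes when the tfm is destroyed, so no extra scrubbing is needed here.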
@@ -132,51 +124,33 @@ static int p8_ghash_update(struct shash_
 	struct p8_ghash_ctx *ctx = crypto_tfm_ctx(crypto_shash_tfm(desc->tfm));
 	struct p8_ghash_desc_ctx *dctx = shash_desc_ctx(desc);
 
-	if (IN_INTERRUPT) {
-		return crypto_shash_update(&dctx->fallback_desc, src,
-					   srclen);
-	} else {
-		if (dctx->bytes) {
-			if (dctx->bytes + srclen < GHASH_DIGEST_SIZE) {
-				memcpy(dctx->buffer + dctx->bytes, src,
-				       srclen);
-				dctx->bytes += srclen;
-				return 0;
-			}
+	if (dctx->bytes) {
+		if (dctx->bytes + srclen < GHASH_DIGEST_SIZE) {
 			memcpy(dctx->buffer + dctx->bytes, src,
-			       GHASH_DIGEST_SIZE - dctx->bytes);
-			preempt_disable();
-			pagefault_disable();
-			enable_kernel_altivec();
-			enable_kernel_vsx();
-			enable_kernel_fp();
-			gcm_ghash_p8(dctx->shash, ctx->htable,
-				     dctx->buffer, GHASH_DIGEST_SIZE);
-			pagefault_enable();
-			preempt_enable();
-			src += GHASH_DIGEST_SIZE - dctx->bytes;
-			srclen -= GHASH_DIGEST_SIZE - dctx->bytes;
-			dctx->bytes = 0;
+				srclen);
+			dctx->bytes += srclen;
+			return 0;
 		}
-		len = srclen & ~(GHASH_DIGEST_SIZE - 1);
-		if (len) {
-			preempt_disable();
-			pagefault_disable();
-			enable_kernel_altivec();
-			enable_kernel_vsx();
-			enable_kernel_fp();
-			gcm_ghash_p8(dctx->shash, ctx->htable, src, len);
-			pagefault_enable();
-			preempt_enable();
-			src += len;
-			srclen -= len;
-		}
-		if (srclen) {
-			memcpy(dctx->buffer, src, srclen);
-			dctx->bytes = srclen;
-		}
-		return 0;
+		memcpy(dctx->buffer + dctx->bytes, src,
+			GHASH_DIGEST_SIZE - dctx->bytes);
+
+		__ghash_block(ctx, dctx);
+
+		src += GHASH_DIGEST_SIZE - dctx->bytes;
+		srclen -= GHASH_DIGEST_SIZE - dctx->bytes;
+		dctx->bytes = 0;
+	}
+	len = srclen & ~(GHASH_DIGEST_SIZE - 1);
+	if (len) {
+		__ghash_blocks(ctx, dctx, src, len);
+		src += len;
+		srclen -= len;
 	}
+	if (srclen) {
+		memcpy(dctx->buffer, src, srclen);
+		dctx->bytes = srclen;
+	}
+	return 0;
 }
 
 static int p8_ghash_final(struct shash_desc *desc, u8 *out)
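Review bot: after __ghash_block() the code evaluates `GHASH_DIGEST_SIZE - dctx->bytes` twice before zeroing dctx->bytes; that is correct as written but fragile, and computing the fill length once (the function already has a `len` local) before the memcpy would read better. The `ctx` local is still required here even though the IN_INTERRUPT branch is gone, because __ghash_block() and __ghash_blocks() take it.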
@@ -185,26 +159,14 @@ static int p8_ghash_final(struct shash_d
 	struct p8_ghash_ctx *ctx = crypto_tfm_ctx(crypto_shash_tfm(desc->tfm));
 	struct p8_ghash_desc_ctx *dctx = shash_desc_ctx(desc);
 
-	if (IN_INTERRUPT) {
-		return crypto_shash_final(&dctx->fallback_desc, out);
-	} else {
-		if (dctx->bytes) {
-			for (i = dctx->bytes; i < GHASH_DIGEST_SIZE; i++)
-				dctx->buffer[i] = 0;
-			preempt_disable();
-			pagefault_disable();
-			enable_kernel_altivec();
-			enable_kernel_vsx();
-			enable_kernel_fp();
-			gcm_ghash_p8(dctx->shash, ctx->htable,
-				     dctx->buffer, GHASH_DIGEST_SIZE);
-			pagefault_enable();
-			preempt_enable();
-			dctx->bytes = 0;
-		}
-		memcpy(out, dctx->shash, GHASH_DIGEST_SIZE);
-		return 0;
+	if (dctx->bytes) {
+		for (i = dctx->bytes; i < GHASH_DIGEST_SIZE; i++)
+			dctx->buffer[i] = 0;
+		__ghash_block(ctx, dctx);
+		dctx->bytes = 0;
 	}
+	memcpy(out, dctx->shash, GHASH_DIGEST_SIZE);
+	return 0;
 }
 
 struct shash_alg p8_ghash_alg = {
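Review bot: the byte-by-byte loop `for (i = dctx->bytes; i < GHASH_DIGEST_SIZE; i++) dctx->buffer[i] = 0;` can become a single memset(dctx->buffer + dctx->bytes, 0, GHASH_DIGEST_SIZE - dctx->bytes), matching the memset already used in p8_ghash_init, and would let the `i` local go. Zero-padding the final partial block is the GHASH convention, so the fallback and VMX paths still agree on the last block.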
@@ -219,11 +181,9 @@ struct shash_alg p8_ghash_alg = {
 		 .cra_name = "ghash",
 		 .cra_driver_name = "p8_ghash",
 		 .cra_priority = 1000,
-		 .cra_flags = CRYPTO_ALG_TYPE_SHASH | CRYPTO_ALG_NEED_FALLBACK,
+		 .cra_flags = CRYPTO_ALG_TYPE_SHASH,
 		 .cra_blocksize = GHASH_BLOCK_SIZE,
 		 .cra_ctxsize = sizeof(struct p8_ghash_ctx),
 		 .cra_module = THIS_MODULE,
-		 .cra_init = p8_ghash_init_tfm,
-		 .cra_exit = p8_ghash_exit_tfm,
 	},
 };



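To make the invariant behind this patch concrete, here is an added example (not from the kernel or from the patch above) of the software GHASH path in plain C: a context with the same (shash, buffer, bytes) layout as p8_ghash_desc_ctx, the GF(2^128) multiply that gf128mul_lle() performs, and update/final logic with the partial-block buffering of the patched p8_ghash_update()/p8_ghash_final(). It is software-only (no VMX path) and checks itself against the GCM specification's test case 2, hashed once in a single call and once in odd-sized pieces.

```c
#include <stdint.h>
#include <string.h>

#define GHASH_BLOCK_SIZE 16

/* Same state layout as the driver's descriptor context (shash, buffer, bytes). */
struct ghash_ctx {
	uint8_t key[GHASH_BLOCK_SIZE];    /* H, big-endian like the kernel's be128 */
	uint8_t shash[GHASH_BLOCK_SIZE];  /* running hash Y, big-endian */
	uint8_t buffer[GHASH_BLOCK_SIZE]; /* partial block not yet absorbed */
	unsigned int bytes;               /* valid bytes in buffer */
};

/* y = y * h in GF(2^128), GCM bit order: the operation the kernel's gf128mul_lle() does. */
static void gf128_mul_lle(uint8_t *y, const uint8_t *h)
{
	uint8_t v[GHASH_BLOCK_SIZE], z[GHASH_BLOCK_SIZE] = { 0 };

	memcpy(v, h, GHASH_BLOCK_SIZE);
	for (int i = 0; i < 128; i++) {
		int lsb = v[GHASH_BLOCK_SIZE - 1] & 1;

		if ((y[i >> 3] >> (7 - (i & 7))) & 1)	/* bit 0 = MSB of byte 0 */
			for (int j = 0; j < GHASH_BLOCK_SIZE; j++)
				z[j] ^= v[j];
		for (int j = GHASH_BLOCK_SIZE - 1; j > 0; j--)	/* V >>= 1 */
			v[j] = (uint8_t)((v[j] >> 1) | (v[j - 1] << 7));
		v[0] >>= 1;
		if (lsb)	/* reduce by x^128 + x^7 + x^2 + x + 1 */
			v[0] ^= 0xe1;
	}
	memcpy(y, z, GHASH_BLOCK_SIZE);
}

/* Y = (Y xor block) * H: the crypto_xor() + gf128mul_lle() fallback branch. */
static void ghash_block(struct ghash_ctx *c, const uint8_t *blk)
{
	for (int i = 0; i < GHASH_BLOCK_SIZE; i++)
		c->shash[i] ^= blk[i];
	gf128_mul_lle(c->shash, c->key);
}

void ghash_init(struct ghash_ctx *c, const uint8_t *key)
{
	memset(c, 0, sizeof(*c));
	memcpy(c->key, key, GHASH_BLOCK_SIZE);
}

/* Same partial-block buffering as p8_ghash_update(), simplified so every
 * block goes through the buffer instead of taking a whole-block fast path. */
void ghash_update(struct ghash_ctx *c, const uint8_t *src, size_t srclen)
{
	while (srclen) {
		size_t n = GHASH_BLOCK_SIZE - c->bytes;

		if (n > srclen)
			n = srclen;
		memcpy(c->buffer + c->bytes, src, n);
		c->bytes += n;
		src += n;
		srclen -= n;
		if (c->bytes == GHASH_BLOCK_SIZE) {
			ghash_block(c, c->buffer);
			c->bytes = 0;
		}
	}
}

/* Mirrors p8_ghash_final(): zero-pad a trailing partial block. */
void ghash_final(struct ghash_ctx *c, uint8_t *out)
{
	if (c->bytes) {
		memset(c->buffer + c->bytes, 0, GHASH_BLOCK_SIZE - c->bytes);
		ghash_block(c, c->buffer);
		c->bytes = 0;
	}
	memcpy(out, c->shash, GHASH_BLOCK_SIZE);
}

/* GCM spec test case 2 (H = AES_0(0), one ciphertext block, no AAD, then the
 * length block), hashed in one call and again in 5 + 11 + 16 byte pieces so the
 * partial-block buffering is exercised; both must equal the published value. */
int ghash_selftest_ok(void)
{
	static const uint8_t h[16] = { 0x66,0xe9,0x4b,0xd4,0xef,0x8a,0x2c,0x3b,0x88,0x4c,0xfa,0x59,0xca,0x34,0x2b,0x2e };
	static const uint8_t in[32] = { 0x03,0x88,0xda,0xce,0x60,0xb6,0xa3,0x92,0xf3,0x28,0xc2,0xb9,0x71,0xb2,0xfe,0x78,
					0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0x80 };	/* C || len(A) || len(C) in bits */
	static const uint8_t want[16] = { 0xf3,0x8c,0xbb,0x1a,0xd6,0x92,0x23,0xdc,0xc3,0x45,0x7a,0xe5,0xb6,0xb0,0xf8,0x85 };
	struct ghash_ctx ctx;
	uint8_t one[16], many[16];

	ghash_init(&ctx, h);
	ghash_update(&ctx, in, 32);
	ghash_final(&ctx, one);
	ghash_init(&ctx, h);
	ghash_update(&ctx, in, 5);
	ghash_update(&ctx, in + 5, 11);
	ghash_update(&ctx, in + 16, 16);
	ghash_final(&ctx, many);
	return memcmp(one, want, 16) == 0 && memcmp(many, want, 16) == 0;
}
```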

* [PATCH 4.4 189/241] xen/pciback: Dont disable PCI_COMMAND on PCI device reset.
From: Greg Kroah-Hartman @ 2019-06-09 16:42 UTC
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jan Beulich, Konrad Rzeszutek Wilk,
	Prarit Bhargava, Juergen Gross, Ben Hutchings

From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>

commit 7681f31ec9cdacab4fd10570be924f2cef6669ba upstream.

There is no need for this at all. Worse, it means that if
the guest tries to write to BARs it could lead (on certain
platforms) to PCI SERR errors.

Please note that with af6fc858a35b90e89ea7a7ee58e66628c55c776b
"xen-pciback: limit guest control of command register"
a guest is still allowed to enable those control bits (safely), but
is not allowed to disable them, and that therefore a well-behaved
frontend which enables things before using them will still
function correctly.

This is done via a write to the configuration register 0x4 which
triggers on the backend side:
command_write
  \- pci_enable_device
     \- pci_enable_device_flags
        \- do_pci_enable_device
           \- pcibios_enable_device
              \-pci_enable_resources
                [which enables the PCI_COMMAND_MEMORY|PCI_COMMAND_IO]

However guests (and drivers) which don't do this could cause
problems, including the security issues which XSA-120 sought
to address.

Reported-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Reviewed-by: Prarit Bhargava <prarit@redhat.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/xen/xen-pciback/pciback_ops.c |    2 --
 1 file changed, 2 deletions(-)

--- a/drivers/xen/xen-pciback/pciback_ops.c
+++ b/drivers/xen/xen-pciback/pciback_ops.c
@@ -126,8 +126,6 @@ void xen_pcibk_reset_device(struct pci_d
 		if (pci_is_enabled(dev))
 			pci_disable_device(dev);
 
-		pci_write_config_word(dev, PCI_COMMAND, 0);
-
 		dev->is_busmaster = 0;
 	} else {
 		pci_read_config_word(dev, PCI_COMMAND, &cmd);
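Review bot: with the PCI_COMMAND write gone, this branch still clears dev->is_busmaster by hand while relying on the pci_disable_device() call just above it to clear the bus-master enable bit in hardware; a comment stating that dependency would stop someone "re-fixing" the apparent mismatch by adding the write back, which the commit message says can raise PCI SERR on some platforms. Since guests cannot disable the command bits after af6fc858a35b, per the commit message, leaving the memory/IO enable bits untouched on reset is the intended state rather than an oversight.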




* [PATCH 4.4 190/241] Revert "tipc: fix modprobe tipc failed after switch order of device registration"
From: Greg Kroah-Hartman @ 2019-06-09 16:42 UTC
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, David S. Miller

From: David S. Miller <davem@davemloft.net>

commit 5593530e56943182ebb6d81eca8a3be6db6dbba4 upstream.

This reverts commit 532b0f7ece4cb2ffd24dc723ddf55242d1188e5e.

More revisions coming up.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/tipc/core.c |   14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

--- a/net/tipc/core.c
+++ b/net/tipc/core.c
@@ -61,10 +61,6 @@ static int __net_init tipc_init_net(stru
 	INIT_LIST_HEAD(&tn->node_list);
 	spin_lock_init(&tn->node_list_lock);
 
-	err = tipc_socket_init();
-	if (err)
-		goto out_socket;
-
 	err = tipc_sk_rht_init(net);
 	if (err)
 		goto out_sk_rht;
@@ -91,8 +87,6 @@ out_subscr:
 out_nametbl:
 	tipc_sk_rht_destroy(net);
 out_sk_rht:
-	tipc_socket_stop();
-out_socket:
 	return err;
 }
 
@@ -103,7 +97,6 @@ static void __net_exit tipc_exit_net(str
 	tipc_bcast_stop(net);
 	tipc_nametbl_stop(net);
 	tipc_sk_rht_destroy(net);
-	tipc_socket_stop();
 }
 
 static struct pernet_operations tipc_net_ops = {
@@ -141,6 +134,10 @@ static int __init tipc_init(void)
 	if (err)
 		goto out_pernet;
 
+	err = tipc_socket_init();
+	if (err)
+		goto out_socket;
+
 	err = tipc_bearer_setup();
 	if (err)
 		goto out_bearer;
@@ -148,6 +145,8 @@ static int __init tipc_init(void)
 	pr_info("Started in single node mode\n");
 	return 0;
 out_bearer:
+	tipc_socket_stop();
+out_socket:
 	unregister_pernet_subsys(&tipc_net_ops);
 out_pernet:
 	tipc_unregister_sysctl();
@@ -163,6 +162,7 @@ out_netlink:
 static void __exit tipc_exit(void)
 {
 	tipc_bearer_cleanup();
+	tipc_socket_stop();
 	unregister_pernet_subsys(&tipc_net_ops);
 	tipc_netlink_stop();
 	tipc_netlink_compat_stop();




* [PATCH 4.4 191/241] tipc: fix modprobe tipc failed after switch order of device registration -v2
From: Greg Kroah-Hartman @ 2019-06-09 16:42 UTC
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Junwei Hu, Wang Wang,
	syzbot+1e8114b61079bfe9cbc5, Kang Zhou, Suanming Mou,
	David S. Miller

From: Junwei Hu <hujunwei4@huawei.com>

commit 526f5b851a96566803ee4bee60d0a34df56c77f8 upstream.

Error message printed:
modprobe: ERROR: could not insert 'tipc': Address family not
supported by protocol.
when modprobing tipc after the following patch: switch order of
device registration, commit 7e27e8d6130c
("tipc: switch order of device registration to fix a crash")

Because sock_create_kern(net, AF_TIPC, ...) is called by
tipc_topsrv_create_listener() in the initialization process
of tipc_init_net(), tipc_socket_init() must be executed before that.
Meanwhile, tipc_net_id needs to be initialized when sock_create() is
called, and tipc_socket_init() does not need to be called for each namespace.

I added a variable tipc_topsrv_net_ops, split the
register_pernet_subsys() of tipc into two parts, and split
tipc_socket_init() from the initialization of the pernet params.

By the way, I fixed a resource rollback error when tipc_bcast_init()
failed in tipc_init_net().

Fixes: 7e27e8d6130c ("tipc: switch order of device registration to fix a crash")
Signed-off-by: Junwei Hu <hujunwei4@huawei.com>
Reported-by: Wang Wang <wangwang2@huawei.com>
Reported-by: syzbot+1e8114b61079bfe9cbc5@syzkaller.appspotmail.com
Reviewed-by: Kang Zhou <zhoukang7@huawei.com>
Reviewed-by: Suanming Mou <mousuanming@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/tipc/core.c   |   18 ++++++++++++------
 net/tipc/subscr.c |   14 ++++++++++++--
 net/tipc/subscr.h |    5 +++--
 3 files changed, 27 insertions(+), 10 deletions(-)

--- a/net/tipc/core.c
+++ b/net/tipc/core.c
@@ -70,9 +70,6 @@ static int __net_init tipc_init_net(stru
 		goto out_nametbl;
 
 	INIT_LIST_HEAD(&tn->dist_queue);
-	err = tipc_topsrv_start(net);
-	if (err)
-		goto out_subscr;
 
 	err = tipc_bcast_init(net);
 	if (err)
@@ -81,8 +78,6 @@ static int __net_init tipc_init_net(stru
 	return 0;
 
 out_bclink:
-	tipc_bcast_stop(net);
-out_subscr:
 	tipc_nametbl_stop(net);
 out_nametbl:
 	tipc_sk_rht_destroy(net);
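Review bot: dropping `tipc_bcast_stop(net)` from the out_bclink label is the "rollback error" the commit message only mentions in passing (stopping bcast after tipc_bcast_init() itself failed); it is independent of the registration-order change and would be easier to backport and bisect as its own patch, or at least deserves its own sentence in the changelog explaining what the double teardown did wrong.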
@@ -92,7 +87,6 @@ out_sk_rht:
 
 static void __net_exit tipc_exit_net(struct net *net)
 {
-	tipc_topsrv_stop(net);
 	tipc_net_stop(net);
 	tipc_bcast_stop(net);
 	tipc_nametbl_stop(net);
@@ -106,6 +100,11 @@ static struct pernet_operations tipc_net
 	.size = sizeof(struct tipc_net),
 };
 
+static struct pernet_operations tipc_topsrv_net_ops = {
+	.init = tipc_topsrv_init_net,
+	.exit = tipc_topsrv_exit_net,
+};
+
 static int __init tipc_init(void)
 {
 	int err;
@@ -138,6 +137,10 @@ static int __init tipc_init(void)
 	if (err)
 		goto out_socket;
 
+	err = register_pernet_subsys(&tipc_topsrv_net_ops);
+	if (err)
+		goto out_pernet_topsrv;
+
 	err = tipc_bearer_setup();
 	if (err)
 		goto out_bearer;
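Review bot: the order tipc_net_ops, then tipc_socket_init(), then tipc_topsrv_net_ops is the entire fix (tipc_topsrv_start() calls sock_create_kern(net, AF_TIPC, ...), which needs the family registered first, per the commit message), but nothing at this call site says so; a comment above register_pernet_subsys(&tipc_topsrv_net_ops) would keep a later cleanup from reordering these calls and reintroducing the modprobe failure. The unwind labels in the following hunk (out_bearer unregisters tipc_topsrv_net_ops before out_pernet_topsrv stops sockets) do mirror this order correctly.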
@@ -145,6 +148,8 @@ static int __init tipc_init(void)
 	pr_info("Started in single node mode\n");
 	return 0;
 out_bearer:
+	unregister_pernet_subsys(&tipc_topsrv_net_ops);
+out_pernet_topsrv:
 	tipc_socket_stop();
 out_socket:
 	unregister_pernet_subsys(&tipc_net_ops);
@@ -162,6 +167,7 @@ out_netlink:
 static void __exit tipc_exit(void)
 {
 	tipc_bearer_cleanup();
+	unregister_pernet_subsys(&tipc_topsrv_net_ops);
 	tipc_socket_stop();
 	unregister_pernet_subsys(&tipc_net_ops);
 	tipc_netlink_stop();
--- a/net/tipc/subscr.c
+++ b/net/tipc/subscr.c
@@ -306,7 +306,7 @@ static void *tipc_subscrb_connect_cb(int
 	return (void *)tipc_subscrb_create(conid);
 }
 
-int tipc_topsrv_start(struct net *net)
+static int tipc_topsrv_start(struct net *net)
 {
 	struct tipc_net *tn = net_generic(net, tipc_net_id);
 	const char name[] = "topology_server";
@@ -344,7 +344,7 @@ int tipc_topsrv_start(struct net *net)
 	return tipc_server_start(topsrv);
 }
 
-void tipc_topsrv_stop(struct net *net)
+static void tipc_topsrv_stop(struct net *net)
 {
 	struct tipc_net *tn = net_generic(net, tipc_net_id);
 	struct tipc_server *topsrv = tn->topsrv;
@@ -353,3 +353,13 @@ void tipc_topsrv_stop(struct net *net)
 	kfree(topsrv->saddr);
 	kfree(topsrv);
 }
+
+int __net_init tipc_topsrv_init_net(struct net *net)
+{
+	return tipc_topsrv_start(net);
+}
+
+void __net_exit tipc_topsrv_exit_net(struct net *net)
+{
+	tipc_topsrv_stop(net);
+}
--- a/net/tipc/subscr.h
+++ b/net/tipc/subscr.h
@@ -77,7 +77,8 @@ int tipc_subscrp_check_overlap(struct ti
 void tipc_subscrp_report_overlap(struct tipc_subscription *sub,
 				 u32 found_lower, u32 found_upper, u32 event,
 				 u32 port_ref, u32 node, int must);
-int tipc_topsrv_start(struct net *net);
-void tipc_topsrv_stop(struct net *net);
+
+int __net_init tipc_topsrv_init_net(struct net *net);
+void __net_exit tipc_topsrv_exit_net(struct net *net);
 
 #endif




* [PATCH 4.4 192/241] sparc64: Fix regression in non-hypervisor TLB flush xcall
From: Greg Kroah-Hartman @ 2019-06-09 16:42 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Meelis Roos, James Clarke, David S. Miller

From: James Clarke <jrtc27@jrtc27.com>

commit d3c976c14ad8af421134c428b0a89ff8dd3bd8f8 upstream.

Previously, %g2 would end up with the value PAGE_SIZE, but after the
commit mentioned below it ends up with the value 1 due to being reused
for a different purpose. We need it to be PAGE_SIZE as we use it to step
through pages in our demap loop, otherwise we set different flags in the
low 12 bits of the address written to, thereby doing things other than a
nucleus page flush.

Fixes: a74ad5e660a9 ("sparc64: Handle extremely large kernel TLB range flushes more gracefully.")
Reported-by: Meelis Roos <mroos@linux.ee>
Tested-by: Meelis Roos <mroos@linux.ee>
Signed-off-by: James Clarke <jrtc27@jrtc27.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/sparc/mm/ultra.S |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/sparc/mm/ultra.S
+++ b/arch/sparc/mm/ultra.S
@@ -586,7 +586,7 @@ xcall_flush_tlb_kernel_range:	/* 44 insn
 	sub		%g7, %g1, %g3
 	srlx		%g3, 18, %g2
 	brnz,pn		%g2, 2f
-	 add		%g2, 1, %g2
+	 sethi		%hi(PAGE_SIZE), %g2
 	sub		%g3, %g2, %g3
 	or		%g1, 0x20, %g1		! Nucleus
 1:	stxa		%g0, [%g1 + %g3] ASI_DMMU_DEMAP
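Review bot: `sethi %hi(PAGE_SIZE), %g2` only loads the upper 22 bits of %g2, so the fix silently depends on PAGE_SIZE having its low 10 bits clear; that holds for the 8K pages sparc64 uses, but a short comment on the line would make the assumption visible. Note also that, being in the delay slot of the non-annulled `brnz,pn %g2, 2f`, the sethi executes on both the taken and fall-through paths, so %g2 is PAGE_SIZE at label 2 as well as in the demap loop, and the following `sub %g3, %g2, %g3` relies on that value too.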
@@ -750,7 +750,7 @@ __cheetah_xcall_flush_tlb_kernel_range:
 	sub		%g7, %g1, %g3
 	srlx		%g3, 18, %g2
 	brnz,pn		%g2, 2f
-	 add		%g2, 1, %g2
+	 sethi		%hi(PAGE_SIZE), %g2
 	sub		%g3, %g2, %g3
 	or		%g1, 0x20, %g1		! Nucleus
 1:	stxa		%g0, [%g1 + %g3] ASI_DMMU_DEMAP
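Review bot: this is the identical four-instruction range setup as in xcall_flush_tlb_kernel_range above, and the regression had to be fixed in both copies; folding the setup into a shared assembler macro would keep the cheetah and generic xcall variants from drifting apart again.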




* [PATCH 4.4 193/241] include/linux/bitops.h: sanitize rotate primitives
From: Greg Kroah-Hartman @ 2019-06-09 16:42 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Rasmus Villemoes, Ido Schimmel,
	Will Deacon, Vadim Pasternak, Andrey Ryabinin, Jacek Anaszewski,
	Pavel Machek, Andrew Morton, Linus Torvalds, Matthias Kaehlcke

From: Rasmus Villemoes <linux@rasmusvillemoes.dk>

commit ef4d6f6b275c498f8e5626c99dbeefdc5027f843 upstream.

The ror32 implementation (word >> shift) | (word << (32 - shift) has
undefined behaviour if shift is outside the [1, 31] range.  Similarly
for the 64 bit variants.  Most callers pass a compile-time constant
(naturally in that range), but there's an UBSAN report that these may
actually be called with a shift count of 0.

Instead of special-casing that, we can make them DTRT for all values of
shift while also avoiding UB.  For some reason, this was already partly
done for rol32 (which was well-defined for [0, 31]).  gcc 8 recognizes
these patterns as rotates, so for example

  __u32 rol32(__u32 word, unsigned int shift)
  {
	return (word << (shift & 31)) | (word >> ((-shift) & 31));
  }

compiles to

0000000000000020 <rol32>:
  20:   89 f8                   mov    %edi,%eax
  22:   89 f1                   mov    %esi,%ecx
  24:   d3 c0                   rol    %cl,%eax
  26:   c3                      retq

Older compilers unfortunately do not do as well, but this only affects
the small minority of users that don't pass constants.

Due to integer promotions, ro[lr]8 were already well-defined for shifts
in [0, 8], and ro[lr]16 were mostly well-defined for shifts in [0, 16]
(only mostly - u16 gets promoted to _signed_ int, so if bit 15 is set,
word << 16 is undefined).  For consistency, update those as well.

Link: http://lkml.kernel.org/r/20190410211906.2190-1-linux@rasmusvillemoes.dk
Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Reported-by: Ido Schimmel <idosch@mellanox.com>
Tested-by: Ido Schimmel <idosch@mellanox.com>
Reviewed-by: Will Deacon <will.deacon@arm.com>
Cc: Vadim Pasternak <vadimp@mellanox.com>
Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Jacek Anaszewski <jacek.anaszewski@gmail.com>
Cc: Pavel Machek <pavel@ucw.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Matthias Kaehlcke <mka@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/linux/bitops.h |   16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

--- a/include/linux/bitops.h
+++ b/include/linux/bitops.h
@@ -68,7 +68,7 @@ static __always_inline unsigned long hwe
  */
 static inline __u64 rol64(__u64 word, unsigned int shift)
 {
-	return (word << shift) | (word >> (64 - shift));
+	return (word << (shift & 63)) | (word >> ((-shift) & 63));
 }
 
 /**
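Review bot: the kernel-doc block above this hunk (only its closing `*/` is visible) still documents @shift without saying that the count is now taken modulo 64, so a caller cannot tell that rol64(word, 64) and rol64(word, 0) both return word unchanged rather than being out-of-range inputs; the same applies to every rotate below. Suggest adding one sentence to each @shift description stating the modulo behaviour.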
@@ -78,7 +78,7 @@ static inline __u64 rol64(__u64 word, un
  */
 static inline __u64 ror64(__u64 word, unsigned int shift)
 {
-	return (word >> shift) | (word << (64 - shift));
+	return (word >> (shift & 63)) | (word << ((-shift) & 63));
 }
 
 /**
@@ -88,7 +88,7 @@ static inline __u64 ror64(__u64 word, un
  */
 static inline __u32 rol32(__u32 word, unsigned int shift)
 {
-	return (word << shift) | (word >> ((-shift) & 31));
+	return (word << (shift & 31)) | (word >> ((-shift) & 31));
 }
 
 /**
@@ -98,7 +98,7 @@ static inline __u32 rol32(__u32 word, un
  */
 static inline __u32 ror32(__u32 word, unsigned int shift)
 {
-	return (word >> shift) | (word << (32 - shift));
+	return (word >> (shift & 31)) | (word << ((-shift) & 31));
 }
 
 /**
@@ -108,7 +108,7 @@ static inline __u32 ror32(__u32 word, un
  */
 static inline __u16 rol16(__u16 word, unsigned int shift)
 {
-	return (word << shift) | (word >> (16 - shift));
+	return (word << (shift & 15)) | (word >> ((-shift) & 15));
 }
 
 /**
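Review bot: worth a comment that the `& 15` mask is what removes the signed-promotion hazard described in the commit message: word is promoted to int, and with the count capped at 15 the largest left shift is 0xffff << 15 = 0x7fff8000, which still fits in a positive int, whereas the old code's `word << 16` (shift == 16) pushed bit 15 into the sign bit. The same reasoning covers rol8/ror8 with `& 7`, where the promoted value never exceeds 0xff << 7.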
@@ -118,7 +118,7 @@ static inline __u16 rol16(__u16 word, un
  */
 static inline __u16 ror16(__u16 word, unsigned int shift)
 {
-	return (word >> shift) | (word << (16 - shift));
+	return (word >> (shift & 15)) | (word << ((-shift) & 15));
 }
 
 /**
@@ -128,7 +128,7 @@ static inline __u16 ror16(__u16 word, un
  */
 static inline __u8 rol8(__u8 word, unsigned int shift)
 {
-	return (word << shift) | (word >> (8 - shift));
+	return (word << (shift & 7)) | (word >> ((-shift) & 7));
 }
 
 /**
@@ -138,7 +138,7 @@ static inline __u8 rol8(__u8 word, unsig
  */
 static inline __u8 ror8(__u8 word, unsigned int shift)
 {
-	return (word >> shift) | (word << (8 - shift));
+	return (word >> (shift & 7)) | (word << ((-shift) & 7));
 }
 
 /**




* [PATCH 4.4 194/241] xhci: Convert xhci_handshake() to use readl_poll_timeout_atomic()
From: Greg Kroah-Hartman @ 2019-06-09 16:42 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andrey Smirnov, Raul E Rangel, Mathias Nyman

From: Andrey Smirnov <andrew.smirnov@gmail.com>

commit f7fac17ca925faa03fc5eb854c081a24075f8bad upstream.

xhci_handshake() implements the algorithm already captured by
readl_poll_timeout_atomic(). Convert the former to use the latter to
avoid repetition.

Turned out this patch also fixes a bug on the AMD Stoneyridge platform
where usleep(1) sometimes takes over 10ms.
This means a 5 second timeout can easily take over 15 seconds which will
trigger the watchdog and reboot the system.

[Add info about patch fixing a bug to commit message -Mathias]
Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
Tested-by: Raul E Rangel <rrangel@chromium.org>
Reviewed-by: Raul E Rangel <rrangel@chromium.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/host/xhci.c |   22 ++++++++++------------
 1 file changed, 10 insertions(+), 12 deletions(-)

--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -21,6 +21,7 @@
  */
 
 #include <linux/pci.h>
+#include <linux/iopoll.h>
 #include <linux/irq.h>
 #include <linux/log2.h>
 #include <linux/module.h>
@@ -46,7 +47,6 @@ static unsigned int quirks;
 module_param(quirks, uint, S_IRUGO);
 MODULE_PARM_DESC(quirks, "Bit flags for quirks to be enabled as default");
 
-/* TODO: copied from ehci-hcd.c - can this be refactored? */
 /*
  * xhci_handshake - spin reading hc until handshake completes or fails
  * @ptr: address of hc register to be read
@@ -63,18 +63,16 @@ MODULE_PARM_DESC(quirks, "Bit flags for
 int xhci_handshake(void __iomem *ptr, u32 mask, u32 done, int usec)
 {
 	u32	result;
+	int	ret;
 
-	do {
-		result = readl(ptr);
-		if (result == ~(u32)0)		/* card removed */
-			return -ENODEV;
-		result &= mask;
-		if (result == done)
-			return 0;
-		udelay(1);
-		usec--;
-	} while (usec > 0);
-	return -ETIMEDOUT;
+	ret = readl_poll_timeout_atomic(ptr, result,
+					(result & mask) == done ||
+					result == U32_MAX,
+					1, usec);
+	if (result == U32_MAX)		/* card removed */
+		return -ENODEV;
+
+	return ret;
 }
 
 /*
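Review bot: the behaviour for usec <= 0 changes here and should be checked against callers. The old loop did one readl() and then returned -ETIMEDOUT when usec was 0 or negative; readl_poll_timeout_atomic() takes an unsigned long timeout_us and treats 0 as "no timeout", and a negative int converts to a huge value, so either case now polls until the condition holds. Separately, if a caller ever passes mask == done == U32_MAX, the `result == U32_MAX` test after the poll fires first and -ENODEV is returned even though the handshake condition was met; a comment that the all-ones value is reserved for card removal would document that.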




* [PATCH 4.4 195/241] usb: xhci: avoid null pointer deref when bos field is NULL
From: Greg Kroah-Hartman @ 2019-06-09 16:42 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Carsten Schmid, Mathias Nyman

From: Carsten Schmid <carsten_schmid@mentor.com>

commit 7aa1bb2ffd84d6b9b5f546b079bb15cd0ab6e76e upstream.

With defective USB sticks we see the following error happen:
usb 1-3: new high-speed USB device number 6 using xhci_hcd
usb 1-3: device descriptor read/64, error -71
usb 1-3: device descriptor read/64, error -71
usb 1-3: new high-speed USB device number 7 using xhci_hcd
usb 1-3: device descriptor read/64, error -71
usb 1-3: unable to get BOS descriptor set
usb 1-3: New USB device found, idVendor=0781, idProduct=5581
usb 1-3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
...
BUG: unable to handle kernel NULL pointer dereference at 0000000000000008

This comes from the following place:
[ 1660.215380] IP: xhci_set_usb2_hardware_lpm+0xdf/0x3d0 [xhci_hcd]
[ 1660.222092] PGD 0 P4D 0
[ 1660.224918] Oops: 0000 [#1] PREEMPT SMP NOPTI
[ 1660.425520] CPU: 1 PID: 38 Comm: kworker/1:1 Tainted: P     U  W  O    4.14.67-apl #1
[ 1660.434277] Workqueue: usb_hub_wq hub_event [usbcore]
[ 1660.439918] task: ffffa295b6ae4c80 task.stack: ffffad4580150000
[ 1660.446532] RIP: 0010:xhci_set_usb2_hardware_lpm+0xdf/0x3d0 [xhci_hcd]
[ 1660.453821] RSP: 0018:ffffad4580153c70 EFLAGS: 00010046
[ 1660.459655] RAX: 0000000000000000 RBX: ffffa295b4d7c000 RCX: 0000000000000002
[ 1660.467625] RDX: 0000000000000002 RSI: ffffffff984a55b2 RDI: ffffffff984a55b2
[ 1660.475586] RBP: ffffad4580153cc8 R08: 0000000000d6520a R09: 0000000000000001
[ 1660.483556] R10: ffffad4580a004a0 R11: 0000000000000286 R12: ffffa295b4d7c000
[ 1660.491525] R13: 0000000000010648 R14: ffffa295a84e1800 R15: 0000000000000000
[ 1660.499494] FS:  0000000000000000(0000) GS:ffffa295bfc80000(0000) knlGS:0000000000000000
[ 1660.508530] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1660.514947] CR2: 0000000000000008 CR3: 000000025a114000 CR4: 00000000003406a0
[ 1660.522917] Call Trace:
[ 1660.525657]  usb_set_usb2_hardware_lpm+0x3d/0x70 [usbcore]
[ 1660.531792]  usb_disable_device+0x242/0x260 [usbcore]
[ 1660.537439]  usb_disconnect+0xc1/0x2b0 [usbcore]
[ 1660.542600]  hub_event+0x596/0x18f0 [usbcore]
[ 1660.547467]  ? trace_preempt_on+0xdf/0x100
[ 1660.552040]  ? process_one_work+0x1c1/0x410
[ 1660.556708]  process_one_work+0x1d2/0x410
[ 1660.561184]  ? preempt_count_add.part.3+0x21/0x60
[ 1660.566436]  worker_thread+0x2d/0x3f0
[ 1660.570522]  kthread+0x122/0x140
[ 1660.574123]  ? process_one_work+0x410/0x410
[ 1660.578792]  ? kthread_create_on_node+0x60/0x60
[ 1660.583849]  ret_from_fork+0x3a/0x50
[ 1660.587839] Code: 00 49 89 c3 49 8b 84 24 50 16 00 00 8d 4a ff 48 8d 04 c8 48 89 ca 4c 8b 10 45 8b 6a 04 48 8b 00 48 89 45 c0 49 8b 86 80 03 00 00 <48> 8b 40 08 8b 40 03 0f 1f 44 00 00 45 85 ff 0f 84 81 01 00 00
[ 1660.608980] RIP: xhci_set_usb2_hardware_lpm+0xdf/0x3d0 [xhci_hcd] RSP: ffffad4580153c70
[ 1660.617921] CR2: 0000000000000008

Tracking this down shows that udev->bos is NULL in the following code:
(xhci.c, in xhci_set_usb2_hardware_lpm)
	field = le32_to_cpu(udev->bos->ext_cap->bmAttributes);  <<<<<<< here

	xhci_dbg(xhci, "%s port %d USB2 hardware LPM\n",
			enable ? "enable" : "disable", port_num + 1);

	if (enable) {
		/* Host supports BESL timeout instead of HIRD */
		if (udev->usb2_hw_lpm_besl_capable) {
			/* if device doesn't have a preferred BESL value use a
			 * default one which works with mixed HIRD and BESL
			 * systems. See XHCI_DEFAULT_BESL definition in xhci.h
			 */
			if ((field & USB_BESL_SUPPORT) &&
			    (field & USB_BESL_BASELINE_VALID))
				hird = USB_GET_BESL_BASELINE(field);
			else
				hird = udev->l1_params.besl;

The failing case is when disabling LPM. So it is sufficient to avoid
access to udev->bos by moving the instruction into the "enable" clause.

Cc: Stable <stable@vger.kernel.org>
Signed-off-by: Carsten Schmid <carsten_schmid@mentor.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/host/xhci.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -4191,7 +4191,6 @@ int xhci_set_usb2_hardware_lpm(struct us
 	pm_addr = port_array[port_num] + PORTPMSC;
 	pm_val = readl(pm_addr);
 	hlpm_addr = port_array[port_num] + PORTHLPMC;
-	field = le32_to_cpu(udev->bos->ext_cap->bmAttributes);
 
 	xhci_dbg(xhci, "%s port %d USB2 hardware LPM\n",
 			enable ? "enable" : "disable", port_num + 1);
@@ -4203,6 +4202,7 @@ int xhci_set_usb2_hardware_lpm(struct us
 			 * default one which works with mixed HIRD and BESL
 			 * systems. See XHCI_DEFAULT_BESL definition in xhci.h
 			 */
+			field = le32_to_cpu(udev->bos->ext_cap->bmAttributes);
 			if ((field & USB_BESL_SUPPORT) &&
 			    (field & USB_BESL_BASELINE_VALID))
 				hird = USB_GET_BESL_BASELINE(field);
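Review bot: the dereference of udev->bos is now reached only inside the `if (udev->usb2_hw_lpm_besl_capable)` block, so the fix relies on the invariant that this flag is only ever set after the BOS descriptor and its ext_cap were parsed, which is why bos cannot be NULL there; please state that in a comment, since any future change that sets besl_capable from another source reintroduces the oops this patch fixes. An explicit `if (udev->bos && udev->bos->ext_cap)` guard at the new line would be cheaper than relying on the invariant.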




* [PATCH 4.4 196/241] USB: Fix slab-out-of-bounds write in usb_get_bos_descriptor
From: Greg Kroah-Hartman @ 2019-06-09 16:42 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alan Stern, syzbot+71f1e64501a309fcc012

From: Alan Stern <stern@rowland.harvard.edu>

commit a03ff54460817c76105f81f3aa8ef655759ccc9a upstream.

The syzkaller USB fuzzer found a slab-out-of-bounds write bug in the
USB core, caused by a failure to check the actual size of a BOS
descriptor.  This patch adds a check to make sure the descriptor is at
least as large as it is supposed to be, so that the code doesn't
inadvertently access memory beyond the end of the allocated region
when assigning to dev->bos->desc->bNumDeviceCaps later on.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-and-tested-by: syzbot+71f1e64501a309fcc012@syzkaller.appspotmail.com
CC: <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/core/config.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/usb/core/config.c
+++ b/drivers/usb/core/config.c
@@ -902,8 +902,8 @@ int usb_get_bos_descriptor(struct usb_de
 
 	/* Get BOS descriptor */
 	ret = usb_get_descriptor(dev, USB_DT_BOS, 0, bos, USB_DT_BOS_SIZE);
-	if (ret < USB_DT_BOS_SIZE) {
-		dev_err(ddev, "unable to get BOS descriptor\n");
+	if (ret < USB_DT_BOS_SIZE || bos->bLength < USB_DT_BOS_SIZE) {
+		dev_err(ddev, "unable to get BOS descriptor or descriptor too short\n");
 		if (ret >= 0)
 			ret = -ENOMSG;
 		kfree(bos);
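Review bot: the new `bos->bLength < USB_DT_BOS_SIZE` test is only safe because `ret < USB_DT_BOS_SIZE` is evaluated first and short-circuits when fewer bytes than the header were read, so the two conditions must not be reordered; a comment, or a separate check with its own message, would protect that ordering and also tell the user which of the two failures actually occurred, which the combined "or descriptor too short" message does not.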




* [PATCH 4.4 197/241] USB: sisusbvga: fix oops in error path of sisusb_probe
From: Greg Kroah-Hartman @ 2019-06-09 16:42 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, oliver Neukum, syzbot+a0cbdbd6d169020c8959

From: Oliver Neukum <oneukum@suse.com>

commit 9a5729f68d3a82786aea110b1bfe610be318f80a upstream.

The pointer used to log a failure of usb_register_dev() must
be set before the error is logged.

v2: fix that minor is not available before registration

Signed-off-by: oliver Neukum <oneukum@suse.com>
Reported-by: syzbot+a0cbdbd6d169020c8959@syzkaller.appspotmail.com
Fixes: 7b5cd5fefbe02 ("USB: SisUSB2VGA: Convert printk to dev_* macros")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/misc/sisusbvga/sisusb.c |   15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

--- a/drivers/usb/misc/sisusbvga/sisusb.c
+++ b/drivers/usb/misc/sisusbvga/sisusb.c
@@ -3103,6 +3103,13 @@ static int sisusb_probe(struct usb_inter
 
 	mutex_init(&(sisusb->lock));
 
+	sisusb->sisusb_dev = dev;
+	sisusb->vrambase   = SISUSB_PCI_MEMBASE;
+	sisusb->mmiobase   = SISUSB_PCI_MMIOBASE;
+	sisusb->mmiosize   = SISUSB_PCI_MMIOSIZE;
+	sisusb->ioportbase = SISUSB_PCI_IOPORTBASE;
+	/* Everything else is zero */
+
 	/* Register device */
 	retval = usb_register_dev(intf, &usb_sisusb_class);
 	if (retval) {
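Review bot: with sisusb_dev and the base addresses now filled in before usb_register_dev(), the `goto error_1` path below runs with a partly initialised structure; please confirm that error_1 (not in this hunk) only releases memory and does not call usb_deregister_dev() for an interface that was never registered. Also, `sisusb->minor` deliberately stays after registration because intf->minor is only valid once usb_register_dev() succeeded (the v2 note in the changelog); a one-line comment at the new assignment would stop someone from moving it back up with the rest.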
@@ -3112,13 +3119,7 @@ static int sisusb_probe(struct usb_inter
 		goto error_1;
 	}
 
-	sisusb->sisusb_dev = dev;
-	sisusb->minor      = intf->minor;
-	sisusb->vrambase   = SISUSB_PCI_MEMBASE;
-	sisusb->mmiobase   = SISUSB_PCI_MMIOBASE;
-	sisusb->mmiosize   = SISUSB_PCI_MMIOSIZE;
-	sisusb->ioportbase = SISUSB_PCI_IOPORTBASE;
-	/* Everything else is zero */
+	sisusb->minor = intf->minor;
 
 	/* Allocate buffers */
 	sisusb->ibufsize = SISUSB_IBUF_SIZE;




* [PATCH 4.4 198/241] USB: Add LPM quirk for Surface Dock GigE adapter
From: Greg Kroah-Hartman @ 2019-06-09 16:42 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Maximilian Luz

From: Maximilian Luz <luzmaximilian@gmail.com>

commit ea261113385ac0a71c2838185f39e8452d54b152 upstream.

Without USB_QUIRK_NO_LPM ethernet will not work and rtl8152 will
complain with

    r8152 <device...>: Stop submitting intr, status -71

Adding the quirk resolves this. As the dock is externally powered, this
should not have any drawbacks.

Signed-off-by: Maximilian Luz <luzmaximilian@gmail.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/core/quirks.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -64,6 +64,9 @@ static const struct usb_device_id usb_qu
 	/* Microsoft LifeCam-VX700 v2.0 */
 	{ USB_DEVICE(0x045e, 0x0770), .driver_info = USB_QUIRK_RESET_RESUME },
 
+	/* Microsoft Surface Dock Ethernet (RTL8153 GigE) */
+	{ USB_DEVICE(0x045e, 0x07c6), .driver_info = USB_QUIRK_NO_LPM },
+
 	/* Cherry Stream G230 2.0 (G85-231) and 3.0 (G85-232) */
 	{ USB_DEVICE(0x046a, 0x0023), .driver_info = USB_QUIRK_RESET_RESUME },
 




* [PATCH 4.4 199/241] USB: rio500: refuse more than one device at a time
From: Greg Kroah-Hartman @ 2019-06-09 16:42 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Oliver Neukum, syzbot+35f04d136fc975a70da4

From: Oliver Neukum <oneukum@suse.com>

commit 3864d33943b4a76c6e64616280e98d2410b1190f upstream.

This driver is using a global variable. It cannot handle more than
one device at a time. The issue has been existing since the dawn
of the driver.

Signed-off-by: Oliver Neukum <oneukum@suse.com>
Reported-by: syzbot+35f04d136fc975a70da4@syzkaller.appspotmail.com
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/misc/rio500.c |   24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)

--- a/drivers/usb/misc/rio500.c
+++ b/drivers/usb/misc/rio500.c
@@ -464,15 +464,23 @@ static int probe_rio(struct usb_interfac
 {
 	struct usb_device *dev = interface_to_usbdev(intf);
 	struct rio_usb_data *rio = &rio_instance;
-	int retval;
+	int retval = 0;
 
-	dev_info(&intf->dev, "USB Rio found at address %d\n", dev->devnum);
+	mutex_lock(&rio500_mutex);
+	if (rio->present) {
+		dev_info(&intf->dev, "Second USB Rio at address %d refused\n", dev->devnum);
+		retval = -EBUSY;
+		goto bail_out;
+	} else {
+		dev_info(&intf->dev, "USB Rio found at address %d\n", dev->devnum);
+	}
 
 	retval = usb_register_dev(intf, &usb_rio_class);
 	if (retval) {
 		dev_err(&dev->dev,
 			"Not able to get a minor for this device.\n");
-		return -ENOMEM;
+		retval = -ENOMEM;
+		goto bail_out;
 	}
 
 	rio->rio_dev = dev;
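Review bot: the `else` after `goto bail_out` is redundant; the second dev_info() can simply follow the if block. More importantly, holding rio500_mutex across the present check and usb_register_dev() only closes the single-instance race if disconnect_rio() (not in this hunk) also takes rio500_mutex before clearing rio->present; please confirm that, otherwise a disconnect/probe interleaving can still pass the check with stale state.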
@@ -481,7 +489,8 @@ static int probe_rio(struct usb_interfac
 		dev_err(&dev->dev,
 			"probe_rio: Not enough memory for the output buffer\n");
 		usb_deregister_dev(intf, &usb_rio_class);
-		return -ENOMEM;
+		retval = -ENOMEM;
+		goto bail_out;
 	}
 	dev_dbg(&intf->dev, "obuf address:%p\n", rio->obuf);
 
@@ -490,7 +499,8 @@ static int probe_rio(struct usb_interfac
 			"probe_rio: Not enough memory for the input buffer\n");
 		usb_deregister_dev(intf, &usb_rio_class);
 		kfree(rio->obuf);
-		return -ENOMEM;
+		retval = -ENOMEM;
+		goto bail_out;
 	}
 	dev_dbg(&intf->dev, "ibuf address:%p\n", rio->ibuf);
 
@@ -498,8 +508,10 @@ static int probe_rio(struct usb_interfac
 
 	usb_set_intfdata (intf, rio);
 	rio->present = 1;
+bail_out:
+	mutex_unlock(&rio500_mutex);
 
-	return 0;
+	return retval;
 }
 
 static void disconnect_rio(struct usb_interface *intf)




* [PATCH 4.4 200/241] USB: rio500: fix memory leak in close after disconnect
From: Greg Kroah-Hartman @ 2019-06-09 16:42 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Oliver Neukum

From: Oliver Neukum <oneukum@suse.com>

commit e0feb73428b69322dd5caae90b0207de369b5575 upstream.

If a disconnected device is closed, rio_close() must free
the buffers.

Signed-off-by: Oliver Neukum <oneukum@suse.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/misc/rio500.c |   17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

--- a/drivers/usb/misc/rio500.c
+++ b/drivers/usb/misc/rio500.c
@@ -103,9 +103,22 @@ static int close_rio(struct inode *inode
 {
 	struct rio_usb_data *rio = &rio_instance;
 
-	rio->isopen = 0;
+	/* against disconnect() */
+	mutex_lock(&rio500_mutex);
+	mutex_lock(&(rio->lock));
 
-	dev_info(&rio->rio_dev->dev, "Rio closed.\n");
+	rio->isopen = 0;
+	if (!rio->present) {
+		/* cleanup has been delayed */
+		kfree(rio->ibuf);
+		kfree(rio->obuf);
+		rio->ibuf = NULL;
+		rio->obuf = NULL;
+	} else {
+		dev_info(&rio->rio_dev->dev, "Rio closed.\n");
+	}
+	mutex_unlock(&(rio->lock));
+	mutex_unlock(&rio500_mutex);
 	return 0;
 }
 
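Review bot: the lock order introduced here, rio500_mutex then rio->lock, must match the order used in disconnect_rio() and in the read/write/ioctl paths, otherwise this adds an ABBA deadlock rather than fixing a leak; that ordering is not visible in the hunk, so expanding the `/* against disconnect() */` comment to name the required order would help the next reader. Moving the dev_info() under the `present` branch is right, since rio->rio_dev is stale once the device is gone.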




* [PATCH 4.4 201/241] media: usb: siano: Fix general protection fault in smsusb
From: Greg Kroah-Hartman @ 2019-06-09 16:42 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alan Stern, Johan Hovold,
	syzbot+53f029db71c19a47325a

From: Alan Stern <stern@rowland.harvard.edu>

commit 31e0456de5be379b10fea0fa94a681057114a96e upstream.

The syzkaller USB fuzzer found a general-protection-fault bug in the
smsusb part of the Siano DVB driver.  The fault occurs during probe
because the driver assumes without checking that the device has both
IN and OUT endpoints and the IN endpoint is ep1.

By slightly rearranging the driver's initialization code, we can make
the appropriate checks early on and thus avoid the problem.  If the
expected endpoints aren't present, the new code safely returns -ENODEV
from the probe routine.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-and-tested-by: syzbot+53f029db71c19a47325a@syzkaller.appspotmail.com
CC: <stable@vger.kernel.org>
Reviewed-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/usb/siano/smsusb.c |   33 ++++++++++++++++++++-------------
 1 file changed, 20 insertions(+), 13 deletions(-)

--- a/drivers/media/usb/siano/smsusb.c
+++ b/drivers/media/usb/siano/smsusb.c
@@ -391,6 +391,7 @@ static int smsusb_init_device(struct usb
 	struct smsusb_device_t *dev;
 	void *mdev;
 	int i, rc;
+	int in_maxp;
 
 	/* create device object */
 	dev = kzalloc(sizeof(struct smsusb_device_t), GFP_KERNEL);
@@ -402,6 +403,24 @@ static int smsusb_init_device(struct usb
 	dev->udev = interface_to_usbdev(intf);
 	dev->state = SMSUSB_DISCONNECTED;
 
+	for (i = 0; i < intf->cur_altsetting->desc.bNumEndpoints; i++) {
+		struct usb_endpoint_descriptor *desc =
+				&intf->cur_altsetting->endpoint[i].desc;
+
+		if (desc->bEndpointAddress & USB_DIR_IN) {
+			dev->in_ep = desc->bEndpointAddress;
+			in_maxp = usb_endpoint_maxp(desc);
+		} else {
+			dev->out_ep = desc->bEndpointAddress;
+		}
+	}
+
+	pr_debug("in_ep = %02x, out_ep = %02x\n", dev->in_ep, dev->out_ep);
+	if (!dev->in_ep || !dev->out_ep) {	/* Missing endpoints? */
+		smsusb_term_device(intf);
+		return -ENODEV;
+	}
+
 	params.device_type = sms_get_board(board_id)->type;
 
 	switch (params.device_type) {
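Review bot: in_maxp is only assigned when an IN endpoint is found; the `!dev->in_ep` check guarantees that before it is used, but the compiler cannot see it and will warn about a maybe-uninitialised variable, so initialise it to 0 at the declaration. Two further points: the loop keeps the last IN and last OUT endpoint it sees, so an interface with several IN endpoints silently picks whichever comes last, and the transfer type is never checked, so an interrupt or isochronous endpoint satisfies the test; usb_endpoint_is_bulk_in()/usb_endpoint_is_bulk_out() (or the interrupt variants, whichever this driver actually needs) would make the check precise.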
@@ -416,24 +435,12 @@ static int smsusb_init_device(struct usb
 		/* fall-thru */
 	default:
 		dev->buffer_size = USB2_BUFFER_SIZE;
-		dev->response_alignment =
-		    le16_to_cpu(dev->udev->ep_in[1]->desc.wMaxPacketSize) -
-		    sizeof(struct sms_msg_hdr);
+		dev->response_alignment = in_maxp - sizeof(struct sms_msg_hdr);
 
 		params.flags |= SMS_DEVICE_FAMILY2;
 		break;
 	}
 
-	for (i = 0; i < intf->cur_altsetting->desc.bNumEndpoints; i++) {
-		if (intf->cur_altsetting->endpoint[i].desc. bEndpointAddress & USB_DIR_IN)
-			dev->in_ep = intf->cur_altsetting->endpoint[i].desc.bEndpointAddress;
-		else
-			dev->out_ep = intf->cur_altsetting->endpoint[i].desc.bEndpointAddress;
-	}
-
-	pr_debug("in_ep = %02x, out_ep = %02x\n",
-		dev->in_ep, dev->out_ep);
-
 	params.device = &dev->udev->dev;
 	params.buffer_size = dev->buffer_size;
 	params.num_buffers = MAX_BUFFERS;
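Review bot: `in_maxp - sizeof(struct sms_msg_hdr)` is evaluated in size_t, so if the IN endpoint reports a max packet size smaller than the header (or 0) the alignment wraps to a huge value instead of going negative; a check such as `if (in_maxp < sizeof(struct sms_msg_hdr))` that fails the probe before this line would be safer than the silent wrap, and the old `ep_in[1]` code had the same gap.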




* [PATCH 4.4 202/241] media: usb: siano: Fix false-positive "uninitialized variable" warning
From: Greg Kroah-Hartman @ 2019-06-09 16:42 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alan Stern, kbuild test robot

From: Alan Stern <stern@rowland.harvard.edu>

commit 45457c01171fd1488a7000d1751c06ed8560ee38 upstream.

GCC complains about an apparently uninitialized variable recently
added to smsusb_init_device().  It's a false positive, but to silence
the warning this patch adds a trivial initialization.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: kbuild test robot <lkp@intel.com>
CC: <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/usb/siano/smsusb.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/media/usb/siano/smsusb.c
+++ b/drivers/media/usb/siano/smsusb.c
@@ -391,7 +391,7 @@ static int smsusb_init_device(struct usb
 	struct smsusb_device_t *dev;
 	void *mdev;
 	int i, rc;
-	int in_maxp;
+	int in_maxp = 0;
 
 	/* create device object */
 	dev = kzalloc(sizeof(struct smsusb_device_t), GFP_KERNEL);
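Review bot: `int in_maxp = 0;` silences -Wmaybe-uninitialized but does not make the value safe: a zero here still reaches `in_maxp - sizeof(struct sms_msg_hdr)` and wraps in unsigned arithmetic. Since in_maxp is only assigned in the IN-endpoint branch and the missing-endpoint check already rejects interfaces with no IN endpoint, the warning is indeed a false positive; a bound check on in_maxp against the header size would address both the warning and the underflow in one change.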


* [PATCH 4.4 203/241] media: smsusb: better handle optional alignment
From: Greg Kroah-Hartman @ 2019-06-09 16:42 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Mauro Carvalho Chehab

From: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>

commit a47686636d84eaec5c9c6e84bd5f96bed34d526d upstream.

Most Siano devices require an alignment for the response.

Changeset f3be52b0056a ("media: usb: siano: Fix general protection fault in smsusb")
changed the logic which gets such alignment, but it now produces a
sparse warning:

drivers/media/usb/siano/smsusb.c: In function 'smsusb_init_device':
drivers/media/usb/siano/smsusb.c:447:37: warning: 'in_maxp' may be used uninitialized in this function [-Wmaybe-uninitialized]
  447 |   dev->response_alignment = in_maxp - sizeof(struct sms_msg_hdr);
      |                             ~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~

The sparse message itself is bogus, but a broken (or fake) USB
eeprom could produce a negative value for response_alignment.

So, change the code in order to check if the result is not
negative.

Fixes: 31e0456de5be ("media: usb: siano: Fix general protection fault in smsusb")
CC: <stable@vger.kernel.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/usb/siano/smsusb.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/media/usb/siano/smsusb.c
+++ b/drivers/media/usb/siano/smsusb.c
@@ -391,7 +391,7 @@ static int smsusb_init_device(struct usb
 	struct smsusb_device_t *dev;
 	void *mdev;
 	int i, rc;
-	int in_maxp = 0;
+	int align = 0;
 
 	/* create device object */
 	dev = kzalloc(sizeof(struct smsusb_device_t), GFP_KERNEL);
@@ -409,14 +409,14 @@ static int smsusb_init_device(struct usb
 
 		if (desc->bEndpointAddress & USB_DIR_IN) {
 			dev->in_ep = desc->bEndpointAddress;
-			in_maxp = usb_endpoint_maxp(desc);
+			align = usb_endpoint_maxp(desc) - sizeof(struct sms_msg_hdr);
 		} else {
 			dev->out_ep = desc->bEndpointAddress;
 		}
 	}
 
 	pr_debug("in_ep = %02x, out_ep = %02x\n", dev->in_ep, dev->out_ep);
-	if (!dev->in_ep || !dev->out_ep) {	/* Missing endpoints? */
+	if (!dev->in_ep || !dev->out_ep || align < 0) {  /* Missing endpoints? */
 		smsusb_term_device(intf);
 		return -ENODEV;
 	}
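Review bot: `align = usb_endpoint_maxp(desc) - sizeof(struct sms_msg_hdr);` computes the difference as `size_t` and then relies on the implementation-defined conversion back to `int` to yield a negative value for the `align < 0` test; that holds on every target the kernel builds for, but comparing before subtracting is unambiguous: `if (usb_endpoint_maxp(desc) < sizeof(struct sms_msg_hdr))` reject, else assign align. The comment `/* Missing endpoints? */` also no longer describes the whole condition now that it includes the alignment check; mention both cases there.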
@@ -435,7 +435,7 @@ static int smsusb_init_device(struct usb
 		/* fall-thru */
 	default:
 		dev->buffer_size = USB2_BUFFER_SIZE;
-		dev->response_alignment = in_maxp - sizeof(struct sms_msg_hdr);
+		dev->response_alignment = align;
 
 		params.flags |= SMS_DEVICE_FAMILY2;
 		break;
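The underflow this patch guards against, shown as an added example that is not the driver's code: the header struct below is a constructed 8-byte stub standing in for `struct sms_msg_hdr`, and the three functions (`naive_alignment`, `stored_alignment`, `checked_alignment`) are hypothetical names written for this illustration of why `int - sizeof(...)` must be bounds-checked before a device-supplied wMaxPacketSize feeds buffer arithmetic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed stand-in for the Siano message header: only its size (8 bytes)
 * matters for this example. It is not the driver's struct sms_msg_hdr.
 */
struct sms_msg_hdr_stub {
	uint16_t msg_type;
	uint8_t  msg_src_id;
	uint8_t  msg_dst_id;
	uint16_t msg_length;
	uint16_t msg_flags;
};
_Static_assert(sizeof(struct sms_msg_hdr_stub) == 8, "header stub must be 8 bytes");

/*
 * Pre-fix arithmetic: int minus size_t is evaluated in size_t, so a
 * wMaxPacketSize smaller than the header does not go negative, it wraps to a
 * value close to SIZE_MAX. Returning size_t makes the wrap visible.
 */
size_t naive_alignment(int maxp)
{
	return maxp - sizeof(struct sms_msg_hdr_stub);
}

/*
 * What the patched driver does: the wrapped size_t is stored in an int and the
 * "< 0" check then relies on the implementation-defined conversion of an
 * out-of-range value. It works on the kernel's targets but is not guaranteed
 * by the C standard.
 */
int stored_alignment(int maxp)
{
	int align = maxp - sizeof(struct sms_msg_hdr_stub);
	return align;
}

/*
 * Explicit version: compare before subtracting, so neither an unsigned wrap
 * nor an out-of-range conversion is involved. Returns -1 for a descriptor whose
 * wMaxPacketSize cannot even hold the header (or is zero/negative); a caller
 * treats that as "reject the device".
 */
int checked_alignment(int maxp)
{
	if (maxp <= 0 || (size_t)maxp < sizeof(struct sms_msg_hdr_stub))
		return -1;
	return maxp - (int)sizeof(struct sms_msg_hdr_stub);
}

int main(void)
{
	/* Constructed descriptor values: a sane bulk endpoint and a bogus one. */
	int good_maxp = 512;
	int bad_maxp = 4;

	printf("naive(%d)   = %zu\n", bad_maxp, naive_alignment(bad_maxp));
	printf("stored(%d)  = %d\n", bad_maxp, stored_alignment(bad_maxp));
	printf("checked(%d) = %d\n", bad_maxp, checked_alignment(bad_maxp));
	printf("checked(%d) = %d\n", good_maxp, checked_alignment(good_maxp));
	return 0;
}
```

The descriptor values come from the device, so from a defender's point of view they are untrusted input; `checked_alignment` rejects them on a comparison rather than on the sign of a wrapped subtraction, which is the property a reviewer would want the driver's check to have.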


* [PATCH 4.4 204/241] scsi: zfcp: fix missing zfcp_port reference put on -EBUSY from port_remove
From: Greg Kroah-Hartman @ 2019-06-09 16:42 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Steffen Maier, Jens Remus,
	Benjamin Block, Martin K. Petersen

From: Steffen Maier <maier@linux.ibm.com>

commit d27e5e07f9c49bf2a6a4ef254ce531c1b4fb5a38 upstream.

With this early return due to zfcp_unit child(ren), we don't use the
zfcp_port reference from the earlier zfcp_get_port_by_wwpn() anymore and
need to put it.

Signed-off-by: Steffen Maier <maier@linux.ibm.com>
Fixes: d99b601b6338 ("[SCSI] zfcp: restore refcount check on port_remove")
Cc: <stable@vger.kernel.org> #3.7+
Reviewed-by: Jens Remus <jremus@linux.ibm.com>
Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/s390/scsi/zfcp_sysfs.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/s390/scsi/zfcp_sysfs.c
+++ b/drivers/s390/scsi/zfcp_sysfs.c
@@ -263,6 +263,7 @@ static ssize_t zfcp_sysfs_port_remove_st
 	if (atomic_read(&port->units) > 0) {
 		retval = -EBUSY;
 		mutex_unlock(&zfcp_sysfs_port_units_mutex);
+		put_device(&port->dev); /* undo zfcp_get_port_by_wwpn() */
 		goto out;
 	}
 	/* port is about to be removed, so no more unit_add */
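Review bot: the reference put is correctly placed after `mutex_unlock()`, and the comment `/* undo zfcp_get_port_by_wwpn() */` ties it to the matching get, which keeps the pairing auditable. If the function has other early exits after zfcp_get_port_by_wwpn(), a shared error label that drops the reference once would make the next omission of this kind harder to introduce.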


* [PATCH 4.4 205/241] scsi: zfcp: fix to prevent port_remove with pure auto scan LUNs (only sdevs)
From: Greg Kroah-Hartman @ 2019-06-09 16:42 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Steffen Maier, Benjamin Block,
	Martin K. Petersen

From: Steffen Maier <maier@linux.ibm.com>

commit ef4021fe5fd77ced0323cede27979d80a56211ca upstream.

When the user tries to remove a zfcp port via sysfs, we only rejected it if
there are zfcp unit children under the port. With purely automatically
scanned LUNs there are no zfcp units but only SCSI devices. In such cases,
the port_remove erroneously continued. We close the port and this
implicitly closes all LUNs under the port. The SCSI devices survive with
their private zfcp_scsi_dev still holding a reference to the "removed"
zfcp_port (still allocated but invisible in sysfs) [zfcp_get_port_by_wwpn
in zfcp_scsi_slave_alloc]. This is not a problem as long as the fc_rport
stays blocked. Once (auto) port scan brings back the removed port, we
unblock its fc_rport again by design.  However, there is no mechanism that
would recover (open) the LUNs under the port (no "ersfs_3" without
zfcp_unit [zfcp_erp_strategy_followup_success]).  Any pending or new I/O to
such LUN leads to repeated:

  Done: NEEDS_RETRY Result: hostbyte=DID_IMM_RETRY driverbyte=DRIVER_OK

See also v4.10 commit 6f2ce1c6af37 ("scsi: zfcp: fix rport unblock race
with LUN recovery"). Even a manual LUN recovery
(echo 0 > /sys/bus/scsi/devices/H:C:T:L/zfcp_failed)
does not help, as the LUN links to the old "removed" port which remains
to lack ZFCP_STATUS_COMMON_RUNNING [zfcp_erp_required_act].
The only workaround is to first ensure that the fc_rport is blocked
(e.g. port_remove again in case it was re-discovered by (auto) port scan),
then delete the SCSI devices, and finally re-discover by (auto) port scan.
The port scan includes an fc_rport unblock, which in turn triggers
a new scan on the scsi target to freshly get new pure auto scan LUNs.

Fix this by rejecting port_remove also if there are SCSI devices
(even without any zfcp_unit) under this port. Re-use mechanics from v3.7
commit d99b601b6338 ("[SCSI] zfcp: restore refcount check on port_remove").
However, we have to give up zfcp_sysfs_port_units_mutex earlier in unit_add
to prevent a deadlock with scsi_host scan taking shost->scan_mutex first
and then zfcp_sysfs_port_units_mutex now in our zfcp_scsi_slave_alloc().

Signed-off-by: Steffen Maier <maier@linux.ibm.com>
Fixes: b62a8d9b45b9 ("[SCSI] zfcp: Use SCSI device data zfcp scsi dev instead of zfcp unit")
Fixes: f8210e34887e ("[SCSI] zfcp: Allow midlayer to scan for LUNs when running in NPIV mode")
Cc: <stable@vger.kernel.org> #2.6.37+
Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/s390/scsi/zfcp_ext.h   |    1 
 drivers/s390/scsi/zfcp_scsi.c  |    9 ++++++
 drivers/s390/scsi/zfcp_sysfs.c |   54 ++++++++++++++++++++++++++++++++++++-----
 drivers/s390/scsi/zfcp_unit.c  |    8 +++++-
 4 files changed, 65 insertions(+), 7 deletions(-)

--- a/drivers/s390/scsi/zfcp_ext.h
+++ b/drivers/s390/scsi/zfcp_ext.h
@@ -161,6 +161,7 @@ extern const struct attribute_group *zfc
 extern struct mutex zfcp_sysfs_port_units_mutex;
 extern struct device_attribute *zfcp_sysfs_sdev_attrs[];
 extern struct device_attribute *zfcp_sysfs_shost_attrs[];
+bool zfcp_sysfs_port_is_removing(const struct zfcp_port *const port);
 
 /* zfcp_unit.c */
 extern int zfcp_unit_add(struct zfcp_port *, u64);
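Review bot: the new declaration `bool zfcp_sysfs_port_is_removing(const struct zfcp_port *const port);` breaks with the surrounding style, which uses `extern` and unnamed parameters (`extern int zfcp_unit_add(struct zfcp_port *, u64);`); harmless, but worth matching. The `const` qualifier on the pointer itself (`*const port`) has no effect in a prototype and can be dropped.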
--- a/drivers/s390/scsi/zfcp_scsi.c
+++ b/drivers/s390/scsi/zfcp_scsi.c
@@ -124,6 +124,15 @@ static int zfcp_scsi_slave_alloc(struct
 
 	zfcp_sdev->erp_action.port = port;
 
+	mutex_lock(&zfcp_sysfs_port_units_mutex);
+	if (zfcp_sysfs_port_is_removing(port)) {
+		/* port is already gone */
+		mutex_unlock(&zfcp_sysfs_port_units_mutex);
+		put_device(&port->dev); /* undo zfcp_get_port_by_wwpn() */
+		return -ENXIO;
+	}
+	mutex_unlock(&zfcp_sysfs_port_units_mutex);
+
 	unit = zfcp_unit_find(port, zfcp_scsi_dev_lun(sdev));
 	if (unit)
 		put_device(&unit->dev);
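Review bot: the removing-check is dropped together with the mutex before slave_alloc continues, so the correctness of the -ENXIO path rests on the new scsi_device already being visible to `__shost_for_each_device()` with the zsdev->port field that zfcp_sysfs_port_in_use() compares assigned by the time `mutex_unlock()` runs; otherwise a port_remove racing into that window could mark the port removing without seeing this device. A comment recording that ordering assumption would help future readers. Also note that the same "port is already gone" condition returns -ENODEV in zfcp_unit_add() but -ENXIO here; picking one would make the two paths easier to correlate in logs.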
--- a/drivers/s390/scsi/zfcp_sysfs.c
+++ b/drivers/s390/scsi/zfcp_sysfs.c
@@ -237,6 +237,53 @@ static ZFCP_DEV_ATTR(adapter, port_resca
 
 DEFINE_MUTEX(zfcp_sysfs_port_units_mutex);
 
+static void zfcp_sysfs_port_set_removing(struct zfcp_port *const port)
+{
+	lockdep_assert_held(&zfcp_sysfs_port_units_mutex);
+	atomic_set(&port->units, -1);
+}
+
+bool zfcp_sysfs_port_is_removing(const struct zfcp_port *const port)
+{
+	lockdep_assert_held(&zfcp_sysfs_port_units_mutex);
+	return atomic_read(&port->units) == -1;
+}
+
+static bool zfcp_sysfs_port_in_use(struct zfcp_port *const port)
+{
+	struct zfcp_adapter *const adapter = port->adapter;
+	unsigned long flags;
+	struct scsi_device *sdev;
+	bool in_use = true;
+
+	mutex_lock(&zfcp_sysfs_port_units_mutex);
+	if (atomic_read(&port->units) > 0)
+		goto unlock_port_units_mutex; /* zfcp_unit(s) under port */
+
+	spin_lock_irqsave(adapter->scsi_host->host_lock, flags);
+	__shost_for_each_device(sdev, adapter->scsi_host) {
+		const struct zfcp_scsi_dev *zsdev = sdev_to_zfcp(sdev);
+
+		if (sdev->sdev_state == SDEV_DEL ||
+		    sdev->sdev_state == SDEV_CANCEL)
+			continue;
+		if (zsdev->port != port)
+			continue;
+		/* alive scsi_device under port of interest */
+		goto unlock_host_lock;
+	}
+
+	/* port is about to be removed, so no more unit_add or slave_alloc */
+	zfcp_sysfs_port_set_removing(port);
+	in_use = false;
+
+unlock_host_lock:
+	spin_unlock_irqrestore(adapter->scsi_host->host_lock, flags);
+unlock_port_units_mutex:
+	mutex_unlock(&zfcp_sysfs_port_units_mutex);
+	return in_use;
+}
+
 static ssize_t zfcp_sysfs_port_remove_store(struct device *dev,
 					    struct device_attribute *attr,
 					    const char *buf, size_t count)
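Review bot: zfcp_sysfs_port_in_use() does more than its name says: on the not-in-use path it also flips the port into the removing state via zfcp_sysfs_port_set_removing(), so a caller that only wants to query gets a side effect; a name such as zfcp_sysfs_port_try_mark_removing() or a comment at the top of the function would make that explicit. The function also introduces the nesting zfcp_sysfs_port_units_mutex -> host_lock, which together with the scan_mutex ordering recorded in zfcp_unit.c gives a three-level lock order that is worth stating once, next to the DEFINE_MUTEX.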
@@ -259,16 +306,11 @@ static ssize_t zfcp_sysfs_port_remove_st
 	else
 		retval = 0;
 
-	mutex_lock(&zfcp_sysfs_port_units_mutex);
-	if (atomic_read(&port->units) > 0) {
+	if (zfcp_sysfs_port_in_use(port)) {
 		retval = -EBUSY;
-		mutex_unlock(&zfcp_sysfs_port_units_mutex);
 		put_device(&port->dev); /* undo zfcp_get_port_by_wwpn() */
 		goto out;
 	}
-	/* port is about to be removed, so no more unit_add */
-	atomic_set(&port->units, -1);
-	mutex_unlock(&zfcp_sysfs_port_units_mutex);
 
 	write_lock_irq(&adapter->port_list_lock);
 	list_del(&port->list);
--- a/drivers/s390/scsi/zfcp_unit.c
+++ b/drivers/s390/scsi/zfcp_unit.c
@@ -122,7 +122,7 @@ int zfcp_unit_add(struct zfcp_port *port
 	int retval = 0;
 
 	mutex_lock(&zfcp_sysfs_port_units_mutex);
-	if (atomic_read(&port->units) == -1) {
+	if (zfcp_sysfs_port_is_removing(port)) {
 		/* port is already gone */
 		retval = -ENODEV;
 		goto out;
@@ -166,8 +166,14 @@ int zfcp_unit_add(struct zfcp_port *port
 	write_lock_irq(&port->unit_list_lock);
 	list_add_tail(&unit->list, &port->unit_list);
 	write_unlock_irq(&port->unit_list_lock);
+	/*
+	 * lock order: shost->scan_mutex before zfcp_sysfs_port_units_mutex
+	 * due to      zfcp_unit_scsi_scan() => zfcp_scsi_slave_alloc()
+	 */
+	mutex_unlock(&zfcp_sysfs_port_units_mutex);
 
 	zfcp_unit_scsi_scan(unit);
+	return retval;
 
 out:
 	mutex_unlock(&zfcp_sysfs_port_units_mutex);
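Review bot: the early `return retval;` after zfcp_unit_scsi_scan() is what keeps the `out:` label from unlocking the mutex a second time; the lock-order comment explains why the unlock moved but not that the success path must now bypass `out:`. A short note on the return (or renaming the label to `unlock_out:`) would keep someone from "simplifying" it back into a goto. Since `retval` is still 0 on this path, `return 0;` would also be clearer.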


* [PATCH 4.4 206/241] Btrfs: fix race updating log root item during fsync
From: Greg Kroah-Hartman @ 2019-06-09 16:42 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Filipe Manana, David Sterba

From: Filipe Manana <fdmanana@suse.com>

commit 06989c799f04810f6876900d4760c0edda369cf7 upstream.

When syncing the log, the final phase of a fsync operation, we need to
either create a log root's item or update the existing item in the log
tree of log roots, and that depends on the current value of the log
root's log_transid - if it's 1 we need to create the log root item,
otherwise it must exist already and we update it. Since there is no
synchronization between updating the log_transid and checking it for
deciding whether the log root's item needs to be created or updated, we
end up with a tiny race window that results in attempts to update the
item to fail because the item was not yet created:

              CPU 1                                    CPU 2

  btrfs_sync_log()

    lock root->log_mutex

    set log root's log_transid to 1

    unlock root->log_mutex

                                               btrfs_sync_log()

                                                 lock root->log_mutex

                                                 sets log root's
                                                 log_transid to 2

                                                 unlock root->log_mutex

    update_log_root()

      sees log root's log_transid
      with a value of 2

        calls btrfs_update_root(),
        which fails with -EUCLEAN
        and causes transaction abort

Until recently the race led to a BUG_ON at btrfs_update_root(), but after
the recent commit 7ac1e464c4d47 ("btrfs: Don't panic when we can't find a
root key") we just abort the current transaction.

A sample trace of the BUG_ON() on a SLE12 kernel:

  ------------[ cut here ]------------
  kernel BUG at ../fs/btrfs/root-tree.c:157!
  Oops: Exception in kernel mode, sig: 5 [#1]
  SMP NR_CPUS=2048 NUMA pSeries
  (...)
  Supported: Yes, External
  CPU: 78 PID: 76303 Comm: rtas_errd Tainted: G                 X 4.4.156-94.57-default #1
  task: c00000ffa906d010 ti: c00000ff42b08000 task.ti: c00000ff42b08000
  NIP: d000000036ae5cdc LR: d000000036ae5cd8 CTR: 0000000000000000
  REGS: c00000ff42b0b860 TRAP: 0700   Tainted: G                 X  (4.4.156-94.57-default)
  MSR: 8000000002029033 <SF,VEC,EE,ME,IR,DR,RI,LE>  CR: 22444484  XER: 20000000
  CFAR: d000000036aba66c SOFTE: 1
  GPR00: d000000036ae5cd8 c00000ff42b0bae0 d000000036bda220 0000000000000054
  GPR04: 0000000000000001 0000000000000000 c00007ffff8d37c8 0000000000000000
  GPR08: c000000000e19c00 0000000000000000 0000000000000000 3736343438312079
  GPR12: 3930373337303434 c000000007a3a800 00000000007fffff 0000000000000023
  GPR16: c00000ffa9d26028 c00000ffa9d261f8 0000000000000010 c00000ffa9d2ab28
  GPR20: c00000ff42b0bc48 0000000000000001 c00000ff9f0d9888 0000000000000001
  GPR24: c00000ffa9d26000 c00000ffa9d261e8 c00000ffa9d2a800 c00000ff9f0d9888
  GPR28: c00000ffa9d26028 c00000ffa9d2aa98 0000000000000001 c00000ffa98f5b20
  NIP [d000000036ae5cdc] btrfs_update_root+0x25c/0x4e0 [btrfs]
  LR [d000000036ae5cd8] btrfs_update_root+0x258/0x4e0 [btrfs]
  Call Trace:
  [c00000ff42b0bae0] [d000000036ae5cd8] btrfs_update_root+0x258/0x4e0 [btrfs] (unreliable)
  [c00000ff42b0bba0] [d000000036b53610] btrfs_sync_log+0x2d0/0xc60 [btrfs]
  [c00000ff42b0bce0] [d000000036b1785c] btrfs_sync_file+0x44c/0x4e0 [btrfs]
  [c00000ff42b0bd80] [c00000000032e300] vfs_fsync_range+0x70/0x120
  [c00000ff42b0bdd0] [c00000000032e44c] do_fsync+0x5c/0xb0
  [c00000ff42b0be10] [c00000000032e8dc] SyS_fdatasync+0x2c/0x40
  [c00000ff42b0be30] [c000000000009488] system_call+0x3c/0x100
  Instruction dump:
  7f43d378 4bffebb9 60000000 88d90008 3d220000 e8b90000 3b390009 e87a01f0
  e8898e08 e8f90000 4bfd48e5 60000000 <0fe00000> e95b0060 39200004 394a0ea0
  ---[ end trace 8f2dc8f919cabab8 ]---

So fix this by doing the check of log_transid and updating or creating the
log root's item while holding the root's log_mutex.

Fixes: 7237f1833601d ("Btrfs: fix tree logs parallel sync")
CC: stable@vger.kernel.org # 4.4+
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/btrfs/tree-log.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/fs/btrfs/tree-log.c
+++ b/fs/btrfs/tree-log.c
@@ -2809,6 +2809,12 @@ int btrfs_sync_log(struct btrfs_trans_ha
 	log->log_transid = root->log_transid;
 	root->log_start_pid = 0;
 	/*
+	 * Update or create log root item under the root's log_mutex to prevent
+	 * races with concurrent log syncs that can lead to failure to update
+	 * log root item because it was not created yet.
+	 */
+	ret = update_log_root(trans, log);
+	/*
 	 * IO has been started, blocks of the log tree have WRITTEN flag set
 	 * in their headers. new modifications of the log will be written to
 	 * new positions. so it's safe to allow log writers to go in.
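Review bot: `ret = update_log_root(trans, log);` is now assigned well before the point where it was previously examined (the removed call sat after `mutex_unlock(&log_root_tree->log_mutex);` in the next hunk); confirm that nothing between this line and that check assigns `ret`, otherwise a failure from update_log_root() would be silently overwritten. If anything in between can touch ret, handle the error immediately after this call instead.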
@@ -2827,8 +2833,6 @@ int btrfs_sync_log(struct btrfs_trans_ha
 
 	mutex_unlock(&log_root_tree->log_mutex);
 
-	ret = update_log_root(trans, log);
-
 	mutex_lock(&log_root_tree->log_mutex);
 	if (atomic_dec_and_test(&log_root_tree->log_writers)) {
 		/*


* [PATCH 4.4 207/241] ALSA: hda/realtek - Set default power save node to 0
From: Greg Kroah-Hartman @ 2019-06-09 16:42 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Kailang Yang, Takashi Iwai

From: Kailang Yang <kailang@realtek.com>

commit 317d9313925cd8388304286c0d3c8dda7f060a2d upstream.

I measured power consumption between power_save_node=1 and power_save_node=0.
It's almost the same.
The codec will enter runtime suspend and suspend.
That pin will also enter D3. No need to enter D3 by single pin.
So, disable power_save_node by default. It will avoid more issues.
The Windows driver also does not have this option for runtime PM.

Signed-off-by: Kailang Yang <kailang@realtek.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/pci/hda/patch_realtek.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -6236,7 +6236,7 @@ static int patch_alc269(struct hda_codec
 
 	spec = codec->spec;
 	spec->gen.shared_mic_vref_pin = 0x18;
-	codec->power_save_node = 1;
+	codec->power_save_node = 0;
 
 #ifdef CONFIG_PM
 	codec->patch_ops.suspend = alc269_suspend;
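Review bot: a one-line comment next to `codec->power_save_node = 0;` stating why it is left off (the measurement in the commit message showed no power difference and the per-pin D3 caused issues) would stop a future reader from re-enabling it as an apparent optimization.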


* [PATCH 4.4 208/241] drm/nouveau/i2c: Disable i2c bus access after ->fini()
From: Greg Kroah-Hartman @ 2019-06-09 16:42 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Lyude Paul, Ben Skeggs

From: Lyude Paul <lyude@redhat.com>

commit 342406e4fbba9a174125fbfe6aeac3d64ef90f76 upstream.

For a while, we've had the problem of i2c bus access not grabbing
a runtime PM ref when it's being used in userspace by i2c-dev, resulting
in nouveau spamming the kernel log with errors if anything attempts to
access the i2c bus while the GPU is in runtime suspend. An example:

[  130.078386] nouveau 0000:01:00.0: i2c: aux 000d: begin idle timeout ffffffff

Since the GPU is in runtime suspend, the MMIO region that the i2c bus is
on isn't accessible. On x86, the standard behavior for accessing an
unavailable MMIO region is to just return ~0.

Except, that turned out to be a lie. While computers with a clean
conscience will return ~0 in this scenario, some machines will actually
completely hang a CPU on certain bad MMIO accesses. This was witnessed
with someone's Lenovo ThinkPad P50, where sensors-detect attempting to
access the i2c bus while the GPU was suspended would result in a CPU
hang:

  CPU: 5 PID: 12438 Comm: sensors-detect Not tainted 5.0.0-0.rc4.git3.1.fc30.x86_64 #1
  Hardware name: LENOVO 20EQS64N17/20EQS64N17, BIOS N1EET74W (1.47 ) 11/21/2017
  RIP: 0010:ioread32+0x2b/0x30
  Code: 81 ff ff ff 03 00 77 20 48 81 ff 00 00 01 00 76 05 0f b7 d7 ed c3
  48 c7 c6 e1 0c 36 96 e8 2d ff ff ff b8 ff ff ff ff c3 8b 07 <c3> 0f 1f
  40 00 49 89 f0 48 81 fe ff ff 03 00 76 04 40 88 3e c3 48
  RSP: 0018:ffffaac3c5007b48 EFLAGS: 00000292 ORIG_RAX: ffffffffffffff13
  RAX: 0000000001111000 RBX: 0000000001111000 RCX: 0000043017a97186
  RDX: 0000000000000aaa RSI: 0000000000000005 RDI: ffffaac3c400e4e4
  RBP: ffff9e6443902c00 R08: ffffaac3c400e4e4 R09: ffffaac3c5007be7
  R10: 0000000000000004 R11: 0000000000000001 R12: ffff9e6445dd0000
  R13: 000000000000e4e4 R14: 00000000000003c4 R15: 0000000000000000
  FS:  00007f253155a740(0000) GS:ffff9e644f600000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 00005630d1500358 CR3: 0000000417c44006 CR4: 00000000003606e0
  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
  Call Trace:
   g94_i2c_aux_xfer+0x326/0x850 [nouveau]
   nvkm_i2c_aux_i2c_xfer+0x9e/0x140 [nouveau]
   __i2c_transfer+0x14b/0x620
   i2c_smbus_xfer_emulated+0x159/0x680
   ? _raw_spin_unlock_irqrestore+0x1/0x60
   ? rt_mutex_slowlock.constprop.0+0x13d/0x1e0
   ? __lock_is_held+0x59/0xa0
   __i2c_smbus_xfer+0x138/0x5a0
   i2c_smbus_xfer+0x4f/0x80
   i2cdev_ioctl_smbus+0x162/0x2d0 [i2c_dev]
   i2cdev_ioctl+0x1db/0x2c0 [i2c_dev]
   do_vfs_ioctl+0x408/0x750
   ksys_ioctl+0x5e/0x90
   __x64_sys_ioctl+0x16/0x20
   do_syscall_64+0x60/0x1e0
   entry_SYSCALL_64_after_hwframe+0x49/0xbe
  RIP: 0033:0x7f25317f546b
  Code: 0f 1e fa 48 8b 05 1d da 0c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff
  ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01
  f0 ff ff 73 01 c3 48 8b 0d ed d9 0c 00 f7 d8 64 89 01 48
  RSP: 002b:00007ffc88caab68 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
  RAX: ffffffffffffffda RBX: 00005630d0fe7260 RCX: 00007f25317f546b
  RDX: 00005630d1598e80 RSI: 0000000000000720 RDI: 0000000000000003
  RBP: 00005630d155b968 R08: 0000000000000001 R09: 00005630d15a1da0
  R10: 0000000000000070 R11: 0000000000000246 R12: 00005630d1598e80
  R13: 00005630d12f3d28 R14: 0000000000000720 R15: 00005630d12f3ce0
  watchdog: BUG: soft lockup - CPU#5 stuck for 23s! [sensors-detect:12438]

Yikes! While I wanted to try to make it so that accessing an i2c bus on
nouveau would wake up the GPU as needed, airlied pointed out that pretty
much any use case for userspace accessing an i2c bus on a GPU (mainly for
the DDC brightness control that some displays have) is going to only be
useful while there's at least one display enabled on the GPU anyway, and
the GPU never sleeps while there's displays running.

Since teaching the i2c bus to wake up the GPU on userspace accesses is a
good deal more difficult than it might seem, mostly due to the fact that
we have to use the i2c bus during runtime resume of the GPU, we instead
opt for the easiest solution: don't let userspace access i2c busses on
the GPU at all while it's in runtime suspend.

Changes since v1:
* Also disable i2c busses that run over DP AUX

Signed-off-by: Lyude Paul <lyude@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/nouveau/include/nvkm/subdev/i2c.h |    2 +
 drivers/gpu/drm/nouveau/nvkm/subdev/i2c/aux.c     |   26 +++++++++++++++++++++-
 drivers/gpu/drm/nouveau/nvkm/subdev/i2c/aux.h     |    2 +
 drivers/gpu/drm/nouveau/nvkm/subdev/i2c/base.c    |   15 ++++++++++++
 drivers/gpu/drm/nouveau/nvkm/subdev/i2c/bus.c     |   21 ++++++++++++++++-
 drivers/gpu/drm/nouveau/nvkm/subdev/i2c/bus.h     |    1 
 6 files changed, 65 insertions(+), 2 deletions(-)

--- a/drivers/gpu/drm/nouveau/include/nvkm/subdev/i2c.h
+++ b/drivers/gpu/drm/nouveau/include/nvkm/subdev/i2c.h
@@ -37,6 +37,7 @@ struct nvkm_i2c_bus {
 	struct mutex mutex;
 	struct list_head head;
 	struct i2c_adapter i2c;
+	u8 enabled;
 };
 
 int nvkm_i2c_bus_acquire(struct nvkm_i2c_bus *);
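Review bot: `u8 enabled;` is assigned `true`/`false` and tested as a boolean in aux.c and bus.c; declaring it `bool` states the intent and avoids the implicit conversions. The same applies to the nvkm_i2c_aux field added in the next hunk.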
@@ -56,6 +57,7 @@ struct nvkm_i2c_aux {
 	struct mutex mutex;
 	struct list_head head;
 	struct i2c_adapter i2c;
+	u8 enabled;
 
 	u32 intr;
 };
--- a/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/aux.c
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/aux.c
@@ -105,9 +105,15 @@ nvkm_i2c_aux_acquire(struct nvkm_i2c_aux
 {
 	struct nvkm_i2c_pad *pad = aux->pad;
 	int ret;
+
 	AUX_TRACE(aux, "acquire");
 	mutex_lock(&aux->mutex);
-	ret = nvkm_i2c_pad_acquire(pad, NVKM_I2C_PAD_AUX);
+
+	if (aux->enabled)
+		ret = nvkm_i2c_pad_acquire(pad, NVKM_I2C_PAD_AUX);
+	else
+		ret = -EIO;
+
 	if (ret)
 		mutex_unlock(&aux->mutex);
 	return ret;
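Review bot: checking `aux->enabled` under aux->mutex is the right place, because nvkm_i2c_aux_fini() takes the same mutex and so waits for any transfer that already holds it before disabling the bus; a comment saying so would record why the flag needs no further synchronization. -EIO reports "I/O error" to i2c-dev callers rather than "bus unavailable"; -ENXIO or -EAGAIN may describe the suspended state more accurately and make the log line in userspace tools less alarming.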
@@ -141,6 +147,24 @@ nvkm_i2c_aux_del(struct nvkm_i2c_aux **p
 	}
 }
 
+void
+nvkm_i2c_aux_init(struct nvkm_i2c_aux *aux)
+{
+	AUX_TRACE(aux, "init");
+	mutex_lock(&aux->mutex);
+	aux->enabled = true;
+	mutex_unlock(&aux->mutex);
+}
+
+void
+nvkm_i2c_aux_fini(struct nvkm_i2c_aux *aux)
+{
+	AUX_TRACE(aux, "fini");
+	mutex_lock(&aux->mutex);
+	aux->enabled = false;
+	mutex_unlock(&aux->mutex);
+}
+
 int
 nvkm_i2c_aux_ctor(const struct nvkm_i2c_aux_func *func,
 		  struct nvkm_i2c_pad *pad, int id,
--- a/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/aux.h
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/aux.h
@@ -14,6 +14,8 @@ int nvkm_i2c_aux_ctor(const struct nvkm_
 int nvkm_i2c_aux_new_(const struct nvkm_i2c_aux_func *, struct nvkm_i2c_pad *,
 		      int id, struct nvkm_i2c_aux **);
 void nvkm_i2c_aux_del(struct nvkm_i2c_aux **);
+void nvkm_i2c_aux_init(struct nvkm_i2c_aux *);
+void nvkm_i2c_aux_fini(struct nvkm_i2c_aux *);
 int nvkm_i2c_aux_xfer(struct nvkm_i2c_aux *, bool retry, u8 type,
 		      u32 addr, u8 *data, u8 size);
 
--- a/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/base.c
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/base.c
@@ -160,8 +160,18 @@ nvkm_i2c_fini(struct nvkm_subdev *subdev
 {
 	struct nvkm_i2c *i2c = nvkm_i2c(subdev);
 	struct nvkm_i2c_pad *pad;
+	struct nvkm_i2c_bus *bus;
+	struct nvkm_i2c_aux *aux;
 	u32 mask;
 
+	list_for_each_entry(aux, &i2c->aux, head) {
+		nvkm_i2c_aux_fini(aux);
+	}
+
+	list_for_each_entry(bus, &i2c->bus, head) {
+		nvkm_i2c_bus_fini(bus);
+	}
+
 	if ((mask = (1 << i2c->func->aux) - 1), i2c->func->aux_stat) {
 		i2c->func->aux_mask(i2c, NVKM_I2C_ANY, mask, 0);
 		i2c->func->aux_stat(i2c, &mask, &mask, &mask, &mask);
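Review bot: aux and bus are disabled before the pad masks are cleared, which is the right order for fini, and it mirrors nvkm_i2c_init() enabling them after the pads come up. The single-statement loop bodies are braced, which checkpatch will flag, though the existing init loops in this file use the same style, so consistency wins here.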
@@ -180,6 +190,7 @@ nvkm_i2c_init(struct nvkm_subdev *subdev
 	struct nvkm_i2c *i2c = nvkm_i2c(subdev);
 	struct nvkm_i2c_bus *bus;
 	struct nvkm_i2c_pad *pad;
+	struct nvkm_i2c_aux *aux;
 
 	list_for_each_entry(pad, &i2c->pad, head) {
 		nvkm_i2c_pad_init(pad);
@@ -189,6 +200,10 @@ nvkm_i2c_init(struct nvkm_subdev *subdev
 		nvkm_i2c_bus_init(bus);
 	}
 
+	list_for_each_entry(aux, &i2c->aux, head) {
+		nvkm_i2c_aux_init(aux);
+	}
+
 	return 0;
 }
 
--- a/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/bus.c
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/bus.c
@@ -110,6 +110,19 @@ nvkm_i2c_bus_init(struct nvkm_i2c_bus *b
 	BUS_TRACE(bus, "init");
 	if (bus->func->init)
 		bus->func->init(bus);
+
+	mutex_lock(&bus->mutex);
+	bus->enabled = true;
+	mutex_unlock(&bus->mutex);
+}
+
+void
+nvkm_i2c_bus_fini(struct nvkm_i2c_bus *bus)
+{
+	BUS_TRACE(bus, "fini");
+	mutex_lock(&bus->mutex);
+	bus->enabled = false;
+	mutex_unlock(&bus->mutex);
 }
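Review bot: nvkm_i2c_bus_init() sets `enabled = true` only after `bus->func->init(bus)` has run, so an nvkm_i2c_bus_acquire() racing with init sees the bus disabled until the hardware init completes, which is the safe direction. nvkm_i2c_aux_init() has no equivalent hardware step, so the asymmetry between the two init paths is expected but deserves a one-line comment.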
 
 void
@@ -126,9 +139,15 @@ nvkm_i2c_bus_acquire(struct nvkm_i2c_bus
 {
 	struct nvkm_i2c_pad *pad = bus->pad;
 	int ret;
+
 	BUS_TRACE(bus, "acquire");
 	mutex_lock(&bus->mutex);
-	ret = nvkm_i2c_pad_acquire(pad, NVKM_I2C_PAD_I2C);
+
+	if (bus->enabled)
+		ret = nvkm_i2c_pad_acquire(pad, NVKM_I2C_PAD_I2C);
+	else
+		ret = -EIO;
+
 	if (ret)
 		mutex_unlock(&bus->mutex);
 	return ret;
--- a/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/bus.h
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/bus.h
@@ -17,6 +17,7 @@ int nvkm_i2c_bus_new_(const struct nvkm_
 		      int id, struct nvkm_i2c_bus **);
 void nvkm_i2c_bus_del(struct nvkm_i2c_bus **);
 void nvkm_i2c_bus_init(struct nvkm_i2c_bus *);
+void nvkm_i2c_bus_fini(struct nvkm_i2c_bus *);
 
 int nvkm_i2c_bit_xfer(struct nvkm_i2c_bus *, struct i2c_msg *, int);
 


* [PATCH 4.4 209/241] tty: serial: msm_serial: Fix XON/XOFF
From: Greg Kroah-Hartman @ 2019-06-09 16:42 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jorge Ramirez-Ortiz, Bjorn Andersson,
	Stephen Boyd

From: Jorge Ramirez-Ortiz <jorge.ramirez-ortiz@linaro.org>

commit 61c0e37950b88bad590056286c1d766b1f167f4e upstream.

When the tty layer requests the uart to throttle, the current code
executing in msm_serial will trigger "Bad mode in Error Handler" and
generate an invalid stack frame in pstore before rebooting (that is if
pstore is indeed configured: otherwise the user shall just notice a
reboot with no further information dumped to the console).

This patch replaces the PIO byte accessor with the word accessor
already used in PIO mode.

Fixes: 68252424a7c7 ("tty: serial: msm: Support big-endian CPUs")
Cc: stable@vger.kernel.org
Signed-off-by: Jorge Ramirez-Ortiz <jorge.ramirez-ortiz@linaro.org>
Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
Reviewed-by: Stephen Boyd <swboyd@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/tty/serial/msm_serial.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/tty/serial/msm_serial.c
+++ b/drivers/tty/serial/msm_serial.c
@@ -703,6 +703,7 @@ static void msm_handle_tx(struct uart_po
 	struct circ_buf *xmit = &msm_port->uart.state->xmit;
 	struct msm_dma *dma = &msm_port->tx_dma;
 	unsigned int pio_count, dma_count, dma_min;
+	char buf[4] = { 0 };
 	void __iomem *tf;
 	int err = 0;
 
@@ -712,10 +713,12 @@ static void msm_handle_tx(struct uart_po
 		else
 			tf = port->membase + UART_TF;
 
+		buf[0] = port->x_char;
+
 		if (msm_port->is_uartdm)
 			msm_reset_dm_count(port, 1);
 
-		iowrite8_rep(tf, &port->x_char, 1);
+		iowrite32_rep(tf, buf, 1);
 		port->icount.tx++;
 		port->x_char = 0;
 		return;
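Review bot: `buf[0] = port->x_char;` followed by `iowrite32_rep(tf, buf, 1)` deserves a comment: the TX FIFO has to be written as a whole word (the byte accessor is what produced the "Bad mode in Error Handler" described in the commit message), so the x_char is zero-padded to four bytes and written with the same word accessor the PIO path already uses. Without the comment a later reader may "simplify" it back to `iowrite8_rep`. Also, `char buf[4] = { 0 }` is now initialised on every `msm_handle_tx()` call although it is only used on the x_char path; declaring it inside that branch keeps the cost off the common path.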




* [PATCH 4.4 210/241] tty: max310x: Fix external crystal register setup
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (208 preceding siblings ...)
  2019-06-09 16:42 ` [PATCH 4.4 209/241] tty: serial: msm_serial: Fix XON/XOFF Greg Kroah-Hartman
@ 2019-06-09 16:42 ` Greg Kroah-Hartman
  2019-06-09 16:42 ` [PATCH 4.4 211/241] memcg: make it work on sparse non-0-node systems Greg Kroah-Hartman
                   ` (35 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:42 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Joe Burmeister

From: Joe Burmeister <joe.burmeister@devtank.co.uk>

commit 5d24f455c182d5116dd5db8e1dc501115ecc9c2c upstream.

The datasheet states:

  Bit 4: ClockEn - Set the ClockEn bit high to enable an external clocking
(crystal or clock generator at XIN). Set the ClockEn bit to 0 to disable
clocking.
  Bit 1: CrystalEn - Set the CrystalEn bit high to enable the crystal
oscillator. When using an external clock source at XIN, CrystalEn must
be set low.

The bit 4, MAX310X_CLKSRC_EXTCLK_BIT, should be set and was not.

This was required to make the MAX3107 with an external crystal on our
board able to send or receive data.

Signed-off-by: Joe Burmeister <joe.burmeister@devtank.co.uk>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/tty/serial/max310x.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/tty/serial/max310x.c
+++ b/drivers/tty/serial/max310x.c
@@ -571,7 +571,7 @@ static int max310x_set_ref_clk(struct ma
 	}
 
 	/* Configure clock source */
-	clksrc = xtal ? MAX310X_CLKSRC_CRYST_BIT : MAX310X_CLKSRC_EXTCLK_BIT;
+	clksrc = MAX310X_CLKSRC_EXTCLK_BIT | (xtal ? MAX310X_CLKSRC_CRYST_BIT : 0);
 
 	/* Configure PLL */
 	if (pllcfg) {
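Review bot: the new `clksrc = ...` line exceeds 80 columns with its leading tab; wrap the ternary onto a continuation line per kernel style. The logic itself matches the datasheet quoted in the message: ClockEn (bit 4, `MAX310X_CLKSRC_EXTCLK_BIT`) is now always set, and CrystalEn (bit 1, `MAX310X_CLKSRC_CRYST_BIT`) is set only when `xtal` is true, so an external clock at XIN leaves CrystalEn low as required.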




* [PATCH 4.4 211/241] memcg: make it work on sparse non-0-node systems
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (209 preceding siblings ...)
  2019-06-09 16:42 ` [PATCH 4.4 210/241] tty: max310x: Fix external crystal register setup Greg Kroah-Hartman
@ 2019-06-09 16:42 ` Greg Kroah-Hartman
  2019-06-09 16:42 ` [PATCH 4.4 212/241] kernel/signal.c: trace_signal_deliver when signal_group_exit Greg Kroah-Hartman
                   ` (34 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:42 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jiri Slaby, Michal Hocko,
	Vladimir Davydov, Shakeel Butt, Johannes Weiner, Raghavendra K T,
	Andrew Morton, Linus Torvalds

From: Jiri Slaby <jslaby@suse.cz>

commit 3e8589963773a5c23e2f1fe4bcad0e9a90b7f471 upstream.

We have a single node system with node 0 disabled:
  Scanning NUMA topology in Northbridge 24
  Number of physical nodes 2
  Skipping disabled node 0
  Node 1 MemBase 0000000000000000 Limit 00000000fbff0000
  NODE_DATA(1) allocated [mem 0xfbfda000-0xfbfeffff]

This causes crashes in memcg when system boots:
  BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
  #PF error: [normal kernel read fault]
...
  RIP: 0010:list_lru_add+0x94/0x170
...
  Call Trace:
   d_lru_add+0x44/0x50
   dput.part.34+0xfc/0x110
   __fput+0x108/0x230
   task_work_run+0x9f/0xc0
   exit_to_usermode_loop+0xf5/0x100

It is reproducible as far as 4.12.  I did not try older kernels.  You have
to have a new enough systemd, e.g.  241 (the reason is unknown -- was not
investigated).  Cannot be reproduced with systemd 234.

The system crashes because the size of lru array is never updated in
memcg_update_all_list_lrus and the reads are past the zero-sized array,
causing dereferences of random memory.

The root cause are list_lru_memcg_aware checks in the list_lru code.  The
test in list_lru_memcg_aware is broken: it assumes node 0 is always
present, but it is not true on some systems as can be seen above.

So fix this by avoiding checks on node 0.  Remember the memcg-awareness by
a bool flag in struct list_lru.

Link: http://lkml.kernel.org/r/20190522091940.3615-1-jslaby@suse.cz
Fixes: 60d3fd32a7a9 ("list_lru: introduce per-memcg lists")
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Acked-by: Michal Hocko <mhocko@suse.com>
Suggested-by: Vladimir Davydov <vdavydov.dev@gmail.com>
Acked-by: Vladimir Davydov <vdavydov.dev@gmail.com>
Reviewed-by: Shakeel Butt <shakeelb@google.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Raghavendra K T <raghavendra.kt@linux.vnet.ibm.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/linux/list_lru.h |    1 +
 mm/list_lru.c            |    8 +++-----
 2 files changed, 4 insertions(+), 5 deletions(-)

--- a/include/linux/list_lru.h
+++ b/include/linux/list_lru.h
@@ -51,6 +51,7 @@ struct list_lru {
 	struct list_lru_node	*node;
 #ifdef CONFIG_MEMCG_KMEM
 	struct list_head	list;
+	bool			memcg_aware;
 #endif
 };
 
--- a/mm/list_lru.c
+++ b/mm/list_lru.c
@@ -42,11 +42,7 @@ static void list_lru_unregister(struct l
 #ifdef CONFIG_MEMCG_KMEM
 static inline bool list_lru_memcg_aware(struct list_lru *lru)
 {
-	/*
-	 * This needs node 0 to be always present, even
-	 * in the systems supporting sparse numa ids.
-	 */
-	return !!lru->node[0].memcg_lrus;
+	return lru->memcg_aware;
 }
 
 static inline struct list_lru_one *
@@ -389,6 +385,8 @@ static int memcg_init_list_lru(struct li
 {
 	int i;
 
+	lru->memcg_aware = memcg_aware;
+
 	if (!memcg_aware)
 		return 0;
 
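Review bot: `lru->memcg_aware = memcg_aware;` is assigned before the `if (!memcg_aware) return 0;`, so non-memcg LRUs correctly report false. If the per-node allocation later in this function fails after the flag is set, `list_lru_memcg_aware()` will return true for a partially initialised LRU; confirm that the failure path here (or the caller's destroy path) does not depend on the flag to decide what to free. Since the `memcg_aware` field is declared under `#ifdef CONFIG_MEMCG_KMEM` in the header, this assignment must also only be compiled under that ifdef, which holds as long as `memcg_init_list_lru()` is already inside it.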




* [PATCH 4.4 212/241] kernel/signal.c: trace_signal_deliver when signal_group_exit
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (210 preceding siblings ...)
  2019-06-09 16:42 ` [PATCH 4.4 211/241] memcg: make it work on sparse non-0-node systems Greg Kroah-Hartman
@ 2019-06-09 16:42 ` Greg Kroah-Hartman
  2019-06-09 16:42 ` [PATCH 4.4 213/241] CIFS: cifs_read_allocate_pages: dont iterate through whole page array on ENOMEM Greg Kroah-Hartman
                   ` (33 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:42 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Zhenliang Wei, Christian Brauner,
	Oleg Nesterov, Eric W. Biederman, Ivan Delalande, Arnd Bergmann,
	Thomas Gleixner, Deepa Dinamani, Andrew Morton, Linus Torvalds

From: Zhenliang Wei <weizhenliang@huawei.com>

commit 98af37d624ed8c83f1953b1b6b2f6866011fc064 upstream.

In the fixes commit, removing SIGKILL from each thread signal mask and
executing "goto fatal" directly will skip the call to
"trace_signal_deliver".  At this point, the delivery tracking of the
SIGKILL signal will be inaccurate.

Therefore, we need to add trace_signal_deliver before "goto fatal" after
executing sigdelset.

Note: SEND_SIG_NOINFO matches the fact that SIGKILL doesn't have any info.

Link: http://lkml.kernel.org/r/20190425025812.91424-1-weizhenliang@huawei.com
Fixes: cf43a757fd4944 ("signal: Restore the stop PTRACE_EVENT_EXIT")
Signed-off-by: Zhenliang Wei <weizhenliang@huawei.com>
Reviewed-by: Christian Brauner <christian@brauner.io>
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Cc: Eric W. Biederman <ebiederm@xmission.com>
Cc: Ivan Delalande <colona@arista.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Deepa Dinamani <deepa.kernel@gmail.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/signal.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -2244,6 +2244,8 @@ relock:
 	if (signal_group_exit(signal)) {
 		ksig->info.si_signo = signr = SIGKILL;
 		sigdelset(&current->pending.signal, SIGKILL);
+		trace_signal_deliver(SIGKILL, SEND_SIG_NOINFO,
+				&sighand->action[SIGKILL - 1]);
 		recalc_sigpending();
 		goto fatal;
 	}
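Review bot: the continuation line `&sighand->action[SIGKILL - 1]);` should align with the opening parenthesis of `trace_signal_deliver(` per kernel style rather than being tab-indented. Placement matches the description: the tracepoint fires after `sigdelset()` and before `recalc_sigpending()` and `goto fatal`, and `SEND_SIG_NOINFO` is appropriate because the forced SIGKILL carries no siginfo.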




* [PATCH 4.4 213/241] CIFS: cifs_read_allocate_pages: dont iterate through whole page array on ENOMEM
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (211 preceding siblings ...)
  2019-06-09 16:42 ` [PATCH 4.4 212/241] kernel/signal.c: trace_signal_deliver when signal_group_exit Greg Kroah-Hartman
@ 2019-06-09 16:42 ` Greg Kroah-Hartman
  2019-06-09 16:42 ` [PATCH 4.4 214/241] binder: Replace "%p" with "%pK" for stable Greg Kroah-Hartman
                   ` (32 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:42 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Roberto Bergantinos Corpas,
	Pavel Shilovsky, Steve French

From: Roberto Bergantinos Corpas <rbergant@redhat.com>

commit 31fad7d41e73731f05b8053d17078638cf850fa6 upstream.

In cifs_read_allocate_pages, in case of ENOMEM, we go through the
whole rdata->pages array, but we have failed the allocation before
nr_pages; therefore we may end up calling put_page with a NULL
pointer, causing an oops.

Signed-off-by: Roberto Bergantinos Corpas <rbergant@redhat.com>
Acked-by: Pavel Shilovsky <pshilov@microsoft.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
CC: Stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/cifs/file.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/fs/cifs/file.c
+++ b/fs/cifs/file.c
@@ -2829,7 +2829,9 @@ cifs_read_allocate_pages(struct cifs_rea
 	}
 
 	if (rc) {
-		for (i = 0; i < nr_pages; i++) {
+		unsigned int nr_page_failed = i;
+
+		for (i = 0; i < nr_page_failed; i++) {
 			put_page(rdata->pages[i]);
 			rdata->pages[i] = NULL;
 		}
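Review bot: `nr_page_failed` reads as a count of failed pages, but it holds the index at which allocation failed, i.e. the number of pages successfully allocated; a name such as `nr_allocated` would be clearer. Correctness also relies on `i` still holding the failing index when the allocation loop closed by the `}` at the top of this hunk exits with `rc` set; a short comment saying so would guard against someone later resetting `i` inside that loop.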




* [PATCH 4.4 214/241] binder: Replace "%p" with "%pK" for stable
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (212 preceding siblings ...)
  2019-06-09 16:42 ` [PATCH 4.4 213/241] CIFS: cifs_read_allocate_pages: dont iterate through whole page array on ENOMEM Greg Kroah-Hartman
@ 2019-06-09 16:42 ` Greg Kroah-Hartman
  2019-06-09 16:42 ` [PATCH 4.4 215/241] binder: replace "%p" with "%pK" Greg Kroah-Hartman
                   ` (31 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:42 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Ben Hutchings

From: Ben Hutchings <ben.hutchings@codethink.co.uk>

This was done as part of upstream commits fdfb4a99b6ab "binder:
separate binder allocator structure from binder proc", 19c987241ca1
"binder: separate out binder_alloc functions", and 7a4408c6bd3e
"binder: make sure accesses to proc/thread are safe".  However, those
commits made lots of other changes that are not suitable for stable.

Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/android/binder.c |   28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)

--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -477,7 +477,7 @@ static void binder_insert_free_buffer(st
 	new_buffer_size = binder_buffer_size(proc, new_buffer);
 
 	binder_debug(BINDER_DEBUG_BUFFER_ALLOC,
-		     "%d: add free buffer, size %zd, at %p\n",
+		     "%d: add free buffer, size %zd, at %pK\n",
 		      proc->pid, new_buffer_size, new_buffer);
 
 	while (*p) {
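Review bot: switching these `binder_debug()` lines to `%pK` is correct, with one caveat worth stating in the commit message: on 4.4, `%pK` hides the address only when `kptr_restrict` is 1 or 2 (and with 1 the decision depends on the formatting caller holding CAP_SYSLOG); with `kptr_restrict=0` the raw kernel pointer is still printed. Deployments that rely on this change for hardening need `kptr_restrict` set accordingly. The same applies to the remaining `%p` to `%pK` hunks in this file and in the following patch.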
@@ -555,7 +555,7 @@ static int binder_update_page_range(stru
 	struct mm_struct *mm;
 
 	binder_debug(BINDER_DEBUG_BUFFER_ALLOC,
-		     "%d: %s pages %p-%p\n", proc->pid,
+		     "%d: %s pages %pK-%pK\n", proc->pid,
 		     allocate ? "allocate" : "free", start, end);
 
 	if (end <= start)
@@ -595,7 +595,7 @@ static int binder_update_page_range(stru
 		BUG_ON(*page);
 		*page = alloc_page(GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO);
 		if (*page == NULL) {
-			pr_err("%d: binder_alloc_buf failed for page at %p\n",
+			pr_err("%d: binder_alloc_buf failed for page at %pK\n",
 				proc->pid, page_addr);
 			goto err_alloc_page_failed;
 		}
@@ -604,7 +604,7 @@ static int binder_update_page_range(stru
 		flush_cache_vmap((unsigned long)page_addr,
 				(unsigned long)page_addr + PAGE_SIZE);
 		if (ret != 1) {
-			pr_err("%d: binder_alloc_buf failed to map page at %p in kernel\n",
+			pr_err("%d: binder_alloc_buf failed to map page at %pK in kernel\n",
 			       proc->pid, page_addr);
 			goto err_map_kernel_failed;
 		}
@@ -708,7 +708,7 @@ static struct binder_buffer *binder_allo
 	}
 
 	binder_debug(BINDER_DEBUG_BUFFER_ALLOC,
-		     "%d: binder_alloc_buf size %zd got buffer %p size %zd\n",
+		     "%d: binder_alloc_buf size %zd got buffer %pK size %zd\n",
 		      proc->pid, size, buffer, buffer_size);
 
 	has_page_addr =
@@ -738,7 +738,7 @@ static struct binder_buffer *binder_allo
 		binder_insert_free_buffer(proc, new_buffer);
 	}
 	binder_debug(BINDER_DEBUG_BUFFER_ALLOC,
-		     "%d: binder_alloc_buf size %zd got %p\n",
+		     "%d: binder_alloc_buf size %zd got %pK\n",
 		      proc->pid, size, buffer);
 	buffer->data_size = data_size;
 	buffer->offsets_size = offsets_size;
@@ -778,7 +778,7 @@ static void binder_delete_free_buffer(st
 		if (buffer_end_page(prev) == buffer_end_page(buffer))
 			free_page_end = 0;
 		binder_debug(BINDER_DEBUG_BUFFER_ALLOC,
-			     "%d: merge free, buffer %p share page with %p\n",
+			     "%d: merge free, buffer %pK share page with %pK\n",
 			      proc->pid, buffer, prev);
 	}
 
@@ -791,14 +791,14 @@ static void binder_delete_free_buffer(st
 			    buffer_start_page(buffer))
 				free_page_start = 0;
 			binder_debug(BINDER_DEBUG_BUFFER_ALLOC,
-				     "%d: merge free, buffer %p share page with %p\n",
+				     "%d: merge free, buffer %pK share page with %pK\n",
 				      proc->pid, buffer, prev);
 		}
 	}
 	list_del(&buffer->entry);
 	if (free_page_start || free_page_end) {
 		binder_debug(BINDER_DEBUG_BUFFER_ALLOC,
-			     "%d: merge free, buffer %p do not share page%s%s with %p or %p\n",
+			     "%d: merge free, buffer %pK do not share page%s%s with %pK or %pK\n",
 			     proc->pid, buffer, free_page_start ? "" : " end",
 			     free_page_end ? "" : " start", prev, next);
 		binder_update_page_range(proc, 0, free_page_start ?
@@ -819,7 +819,7 @@ static void binder_free_buf(struct binde
 		ALIGN(buffer->offsets_size, sizeof(void *));
 
 	binder_debug(BINDER_DEBUG_BUFFER_ALLOC,
-		     "%d: binder_free_buf %p size %zd buffer_size %zd\n",
+		     "%d: binder_free_buf %pK size %zd buffer_size %zd\n",
 		      proc->pid, buffer, size, buffer_size);
 
 	BUG_ON(buffer->free);
@@ -2912,7 +2912,7 @@ static int binder_mmap(struct file *filp
 #ifdef CONFIG_CPU_CACHE_VIPT
 	if (cache_is_vipt_aliasing()) {
 		while (CACHE_COLOUR((vma->vm_start ^ (uint32_t)proc->buffer))) {
-			pr_info("binder_mmap: %d %lx-%lx maps %p bad alignment\n", proc->pid, vma->vm_start, vma->vm_end, proc->buffer);
+			pr_info("binder_mmap: %d %lx-%lx maps %pK bad alignment\n", proc->pid, vma->vm_start, vma->vm_end, proc->buffer);
 			vma->vm_start += PAGE_SIZE;
 		}
 	}
@@ -3170,7 +3170,7 @@ static void binder_deferred_release(stru
 
 			page_addr = proc->buffer + i * PAGE_SIZE;
 			binder_debug(BINDER_DEBUG_BUFFER_ALLOC,
-				     "%s: %d: page %d at %p not freed\n",
+				     "%s: %d: page %d at %pK not freed\n",
 				     __func__, proc->pid, i, page_addr);
 			unmap_kernel_range((unsigned long)page_addr, PAGE_SIZE);
 			__free_page(proc->pages[i]);
@@ -3271,7 +3271,7 @@ static void print_binder_transaction(str
 static void print_binder_buffer(struct seq_file *m, const char *prefix,
 				struct binder_buffer *buffer)
 {
-	seq_printf(m, "%s %d: %p size %zd:%zd %s\n",
+	seq_printf(m, "%s %d: %pK size %zd:%zd %s\n",
 		   prefix, buffer->debug_id, buffer->data,
 		   buffer->data_size, buffer->offsets_size,
 		   buffer->transaction ? "active" : "delivered");
@@ -3374,7 +3374,7 @@ static void print_binder_node(struct seq
 
 static void print_binder_ref(struct seq_file *m, struct binder_ref *ref)
 {
-	seq_printf(m, "  ref %d: desc %d %snode %d s %d w %d d %p\n",
+	seq_printf(m, "  ref %d: desc %d %snode %d s %d w %d d %pK\n",
 		   ref->debug_id, ref->desc, ref->node->proc ? "" : "dead ",
 		   ref->node->debug_id, ref->strong, ref->weak, ref->death);
 }




* [PATCH 4.4 215/241] binder: replace "%p" with "%pK"
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (213 preceding siblings ...)
  2019-06-09 16:42 ` [PATCH 4.4 214/241] binder: Replace "%p" with "%pK" for stable Greg Kroah-Hartman
@ 2019-06-09 16:42 ` Greg Kroah-Hartman
  2019-06-09 16:42 ` [PATCH 4.4 216/241] net: create skb_gso_validate_mac_len() Greg Kroah-Hartman
                   ` (30 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:42 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Todd Kjos, Ben Hutchings

From: Todd Kjos <tkjos@android.com>

commit 8ca86f1639ec5890d400fff9211aca22d0a392eb upstream.

The format specifier "%p" can leak kernel addresses. Use
"%pK" instead. There were 4 remaining cases in binder.c.

Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 4.4: adjust context]
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/android/binder.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -1249,7 +1249,7 @@ static void binder_transaction_buffer_re
 	int debug_id = buffer->debug_id;
 
 	binder_debug(BINDER_DEBUG_TRANSACTION,
-		     "%d buffer release %d, size %zd-%zd, failed at %p\n",
+		     "%d buffer release %d, size %zd-%zd, failed at %pK\n",
 		     proc->pid, buffer->debug_id,
 		     buffer->data_size, buffer->offsets_size, failed_at);
 
@@ -2105,7 +2105,7 @@ static int binder_thread_write(struct bi
 				}
 			}
 			binder_debug(BINDER_DEBUG_DEAD_BINDER,
-				     "%d:%d BC_DEAD_BINDER_DONE %016llx found %p\n",
+				     "%d:%d BC_DEAD_BINDER_DONE %016llx found %pK\n",
 				     proc->pid, thread->pid, (u64)cookie,
 				     death);
 			if (death == NULL) {
@@ -3249,7 +3249,7 @@ static void print_binder_transaction(str
 				     struct binder_transaction *t)
 {
 	seq_printf(m,
-		   "%s %d: %p from %d:%d to %d:%d code %x flags %x pri %ld r%d",
+		   "%s %d: %pK from %d:%d to %d:%d code %x flags %x pri %ld r%d",
 		   prefix, t->debug_id, t,
 		   t->from ? t->from->proc->pid : 0,
 		   t->from ? t->from->pid : 0,
@@ -3263,7 +3263,7 @@ static void print_binder_transaction(str
 	if (t->buffer->target_node)
 		seq_printf(m, " node %d",
 			   t->buffer->target_node->debug_id);
-	seq_printf(m, " size %zd:%zd data %p\n",
+	seq_printf(m, " size %zd:%zd data %pK\n",
 		   t->buffer->data_size, t->buffer->offsets_size,
 		   t->buffer->data);
 }




* [PATCH 4.4 216/241] net: create skb_gso_validate_mac_len()
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (214 preceding siblings ...)
  2019-06-09 16:42 ` [PATCH 4.4 215/241] binder: replace "%p" with "%pK" Greg Kroah-Hartman
@ 2019-06-09 16:42 ` Greg Kroah-Hartman
  2019-06-09 16:42 ` [PATCH 4.4 217/241] bnx2x: disable GSO where gso_size is too big for hardware Greg Kroah-Hartman
                   ` (29 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:42 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Daniel Axtens, David S. Miller,
	Ben Hutchings

From: Daniel Axtens <dja@axtens.net>

commit 2b16f048729bf35e6c28a40cbfad07239f9dcd90 upstream.

If you take a GSO skb, and split it into packets, will the MAC
length (L2 + L3 + L4 headers + payload) of those packets be small
enough to fit within a given length?

Move skb_gso_mac_seglen() to skbuff.h with other related functions
like skb_gso_network_seglen() so we can use it, and then create
skb_gso_validate_mac_len to do the full calculation.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 4.4: There is no GSO_BY_FRAGS case to handle, so
 skb_gso_validate_mac_len() becomes a trivial comparison. Put it inline in
 <linux/skbuff.h>.]
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/linux/skbuff.h |   30 ++++++++++++++++++++++++++++++
 net/sched/sch_tbf.c    |   10 ----------
 2 files changed, 30 insertions(+), 10 deletions(-)

--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -3664,5 +3664,35 @@ static inline unsigned int skb_gso_netwo
 	return hdr_len + skb_gso_transport_seglen(skb);
 }
 
+/**
+ * skb_gso_mac_seglen - Return length of individual segments of a gso packet
+ *
+ * @skb: GSO skb
+ *
+ * skb_gso_mac_seglen is used to determine the real size of the
+ * individual segments, including MAC/L2, Layer3 (IP, IPv6) and L4
+ * headers (TCP/UDP).
+ */
+static inline unsigned int skb_gso_mac_seglen(const struct sk_buff *skb)
+{
+	unsigned int hdr_len = skb_transport_header(skb) - skb_mac_header(skb);
+	return hdr_len + skb_gso_transport_seglen(skb);
+}
+
+/**
+ * skb_gso_validate_mac_len - Will a split GSO skb fit in a given length?
+ *
+ * @skb: GSO skb
+ * @len: length to validate against
+ *
+ * skb_gso_validate_mac_len validates if a given skb will fit a wanted
+ * length once split, including L2, L3 and L4 headers and the payload.
+ */
+static inline bool
+skb_gso_validate_mac_len(const struct sk_buff *skb, unsigned int len)
+{
+	return skb_gso_mac_seglen(skb) <= len;
+}
+
 #endif	/* __KERNEL__ */
 #endif	/* _LINUX_SKBUFF_H */
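Review bot: `skb_gso_mac_seglen()` computes `skb_transport_header(skb) - skb_mac_header(skb)`, which is only meaningful once the MAC header offset has been set (`skb_mac_header_was_set()`); the kernel-doc for both new helpers should state that precondition, because as inlines in <linux/skbuff.h> they are now callable from anywhere rather than only from the qdisc path where the original lived. The backport note explains why `skb_gso_validate_mac_len()` is a plain comparison here; a one-line comment in the code saying that 4.4 has no GSO_BY_FRAGS case would stop a future backporter from "fixing" it.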
--- a/net/sched/sch_tbf.c
+++ b/net/sched/sch_tbf.c
@@ -142,16 +142,6 @@ static u64 psched_ns_t2l(const struct ps
 	return len;
 }
 
-/*
- * Return length of individual segments of a gso packet,
- * including all headers (MAC, IP, TCP/UDP)
- */
-static unsigned int skb_gso_mac_seglen(const struct sk_buff *skb)
-{
-	unsigned int hdr_len = skb_transport_header(skb) - skb_mac_header(skb);
-	return hdr_len + skb_gso_transport_seglen(skb);
-}
-
 /* GSO packet is too big, segment it so that tbf can transmit
  * each segment in time
  */




* [PATCH 4.4 217/241] bnx2x: disable GSO where gso_size is too big for hardware
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (215 preceding siblings ...)
  2019-06-09 16:42 ` [PATCH 4.4 216/241] net: create skb_gso_validate_mac_len() Greg Kroah-Hartman
@ 2019-06-09 16:42 ` Greg Kroah-Hartman
  2019-06-09 16:42 ` [PATCH 4.4 218/241] brcmfmac: Add length checks on firmware events Greg Kroah-Hartman
                   ` (28 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:42 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Daniel Axtens, Eric Dumazet,
	David S. Miller, Ben Hutchings

From: Daniel Axtens <dja@axtens.net>

commit 8914a595110a6eca69a5e275b323f5d09e18f4f9 upstream.

If a bnx2x card is passed a GSO packet with a gso_size larger than
~9700 bytes, it will cause a firmware error that will bring the card
down:

bnx2x: [bnx2x_attn_int_deasserted3:4323(enP24p1s0f0)]MC assert!
bnx2x: [bnx2x_mc_assert:720(enP24p1s0f0)]XSTORM_ASSERT_LIST_INDEX 0x2
bnx2x: [bnx2x_mc_assert:736(enP24p1s0f0)]XSTORM_ASSERT_INDEX 0x0 = 0x00000000 0x25e43e47 0x00463e01 0x00010052
bnx2x: [bnx2x_mc_assert:750(enP24p1s0f0)]Chip Revision: everest3, FW Version: 7_13_1
... (dump of values continues) ...

Detect when the mac length of a GSO packet is greater than the maximum
packet size (9700 bytes) and disable GSO.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c |   18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
+++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c
@@ -12824,6 +12824,24 @@ static netdev_features_t bnx2x_features_
 					      struct net_device *dev,
 					      netdev_features_t features)
 {
+	/*
+	 * A skb with gso_size + header length > 9700 will cause a
+	 * firmware panic. Drop GSO support.
+	 *
+	 * Eventually the upper layer should not pass these packets down.
+	 *
+	 * For speed, if the gso_size is <= 9000, assume there will
+	 * not be 700 bytes of headers and pass it through. Only do a
+	 * full (slow) validation if the gso_size is > 9000.
+	 *
+	 * (Due to the way SKB_BY_FRAGS works this will also do a full
+	 * validation in that case.)
+	 */
+	if (unlikely(skb_is_gso(skb) &&
+		     (skb_shinfo(skb)->gso_size > 9000) &&
+		     !skb_gso_validate_mac_len(skb, 9700)))
+		features &= ~NETIF_F_GSO_MASK;
+
 	features = vlan_features_check(skb, features);
 	return vxlan_features_check(skb, features);
 }
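Review bot: the last paragraph of the new comment mentions `SKB_BY_FRAGS`, which is both misspelled (the upstream name is GSO_BY_FRAGS) and inapplicable to this backport, since the preceding patch's note says 4.4 has no GSO_BY_FRAGS case; drop or reword that paragraph. The limits 9000 and 9700 are magic numbers that appear in both the comment and the condition; a named constant for the 9700-byte firmware limit and the 9000-byte fast-path threshold would make the relationship between them explicit.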




* [PATCH 4.4 218/241] brcmfmac: Add length checks on firmware events
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (216 preceding siblings ...)
  2019-06-09 16:42 ` [PATCH 4.4 217/241] bnx2x: disable GSO where gso_size is too big for hardware Greg Kroah-Hartman
@ 2019-06-09 16:42 ` Greg Kroah-Hartman
  2019-06-09 16:42 ` [PATCH 4.4 219/241] brcmfmac: screening firmware event packet Greg Kroah-Hartman
                   ` (27 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:42 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Arend Van Spriel,
	Franky (Zhenhui) Lin, Pieter-Paul Giesberts, Lei Zhang,
	Hante Meuleman, Kalle Valo, Ben Hutchings

From: Hante Meuleman <meuleman@broadcom.com>

commit 0aedbcaf6f182690790d98d90d5fe1e64c846c34 upstream.

Add additional length checks on firmware events to create more
robust code.

Reviewed-by: Arend Van Spriel <arend@broadcom.com>
Reviewed-by: Franky (Zhenhui) Lin <frankyl@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com>
Reviewed-by: Lei Zhang <leizh@broadcom.com>
Signed-off-by: Hante Meuleman <meuleman@broadcom.com>
Signed-off-by: Arend van Spriel <arend@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
[bwh: Backported to 4.4:
 - Drop changes to brcmf_wowl_nd_results()
 - Adjust filenames]
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c |    5 +
 drivers/net/wireless/brcm80211/brcmfmac/fweh.c     |   57 +++--------------
 drivers/net/wireless/brcm80211/brcmfmac/fweh.h     |   68 ++++++++++++++++-----
 drivers/net/wireless/brcm80211/brcmfmac/p2p.c      |   10 +++
 4 files changed, 82 insertions(+), 58 deletions(-)

--- a/drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c
@@ -3331,6 +3331,11 @@ brcmf_notify_sched_scan_results(struct b
 
 	brcmf_dbg(SCAN, "Enter\n");
 
+	if (e->datalen < (sizeof(*pfn_result) + sizeof(*netinfo))) {
+		brcmf_dbg(SCAN, "Event data to small. Ignore\n");
+		return 0;
+	}
+
 	if (e->event_code == BRCMF_E_PFN_NET_LOST) {
 		brcmf_dbg(SCAN, "PFN NET LOST event. Do Nothing\n");
 		return 0;
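Review bot: typo in the new debug message: "Event data to small" should read "too small". The check is the right minimum for reading `pfn_result` and one `netinfo`, but if the handler below iterates over several `netinfo` entries it also needs a per-entry bound against `e->datalen`, which this hunk does not show.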
--- a/drivers/net/wireless/brcm80211/brcmfmac/fweh.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/fweh.c
@@ -26,50 +26,6 @@
 #include "fwil.h"
 
 /**
- * struct brcm_ethhdr - broadcom specific ether header.
- *
- * @subtype: subtype for this packet.
- * @length: TODO: length of appended data.
- * @version: version indication.
- * @oui: OUI of this packet.
- * @usr_subtype: subtype for this OUI.
- */
-struct brcm_ethhdr {
-	__be16 subtype;
-	__be16 length;
-	u8 version;
-	u8 oui[3];
-	__be16 usr_subtype;
-} __packed;
-
-struct brcmf_event_msg_be {
-	__be16 version;
-	__be16 flags;
-	__be32 event_type;
-	__be32 status;
-	__be32 reason;
-	__be32 auth_type;
-	__be32 datalen;
-	u8 addr[ETH_ALEN];
-	char ifname[IFNAMSIZ];
-	u8 ifidx;
-	u8 bsscfgidx;
-} __packed;
-
-/**
- * struct brcmf_event - contents of broadcom event packet.
- *
- * @eth: standard ether header.
- * @hdr: broadcom specific ether header.
- * @msg: common part of the actual event message.
- */
-struct brcmf_event {
-	struct ethhdr eth;
-	struct brcm_ethhdr hdr;
-	struct brcmf_event_msg_be msg;
-} __packed;
-
-/**
  * struct brcmf_fweh_queue_item - event item on event queue.
  *
  * @q: list element for queuing.
@@ -85,6 +41,7 @@ struct brcmf_fweh_queue_item {
 	u8 ifidx;
 	u8 ifaddr[ETH_ALEN];
 	struct brcmf_event_msg_be emsg;
+	u32 datalen;
 	u8 data[0];
 };
 
@@ -294,6 +251,11 @@ static void brcmf_fweh_event_worker(stru
 		brcmf_dbg_hex_dump(BRCMF_EVENT_ON(), event->data,
 				   min_t(u32, emsg.datalen, 64),
 				   "event payload, len=%d\n", emsg.datalen);
+		if (emsg.datalen > event->datalen) {
+			brcmf_err("event invalid length header=%d, msg=%d\n",
+				  event->datalen, emsg.datalen);
+			goto event_free;
+		}
 
 		/* special handling of interface event */
 		if (event->code == BRCMF_E_IF) {
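Review bot: the `emsg.datalen > event->datalen` check lands after the brcmf_dbg_hex_dump() call that already uses emsg.datalen (`min_t(u32, emsg.datalen, 64)`) to decide how many bytes of event->data to read, so with BRCMF_EVENT_ON() enabled a bogus datalen can still drive the dump up to 64 bytes past a shorter allocation. Move the check above the hex dump, or dump `min_t(u32, event->datalen, 64)` instead.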
@@ -439,7 +401,8 @@ int brcmf_fweh_activate_events(struct br
  * dispatch the event to a registered handler (using worker).
  */
 void brcmf_fweh_process_event(struct brcmf_pub *drvr,
-			      struct brcmf_event *event_packet)
+			      struct brcmf_event *event_packet,
+			      u32 packet_len)
 {
 	enum brcmf_fweh_event_code code;
 	struct brcmf_fweh_info *fweh = &drvr->fweh;
@@ -459,6 +422,9 @@ void brcmf_fweh_process_event(struct brc
 	if (code != BRCMF_E_IF && !fweh->evt_handler[code])
 		return;
 
+	if (datalen > BRCMF_DCMD_MAXLEN)
+		return;
+
 	if (in_interrupt())
 		alloc_flag = GFP_ATOMIC;
 
@@ -472,6 +438,7 @@ void brcmf_fweh_process_event(struct brc
 	/* use memcpy to get aligned event message */
 	memcpy(&event->emsg, &event_packet->msg, sizeof(event->emsg));
 	memcpy(event->data, data, datalen);
+	event->datalen = datalen;
 	memcpy(event->ifaddr, event_packet->eth.h_dest, ETH_ALEN);
 
 	brcmf_fweh_queue_event(fweh, event);
--- a/drivers/net/wireless/brcm80211/brcmfmac/fweh.h
+++ b/drivers/net/wireless/brcm80211/brcmfmac/fweh.h
@@ -27,7 +27,6 @@
 struct brcmf_pub;
 struct brcmf_if;
 struct brcmf_cfg80211_info;
-struct brcmf_event;
 
 /* list of firmware events */
 #define BRCMF_FWEH_EVENT_ENUM_DEFLIST \
@@ -180,13 +179,55 @@ enum brcmf_fweh_event_code {
 /**
  * definitions for event packet validation.
  */
-#define BRCMF_EVENT_OUI_OFFSET		19
-#define BRCM_OUI			"\x00\x10\x18"
-#define DOT11_OUI_LEN			3
-#define BCMILCP_BCM_SUBTYPE_EVENT	1
+#define BRCM_OUI				"\x00\x10\x18"
+#define BCMILCP_BCM_SUBTYPE_EVENT		1
 
 
 /**
+ * struct brcm_ethhdr - broadcom specific ether header.
+ *
+ * @subtype: subtype for this packet.
+ * @length: TODO: length of appended data.
+ * @version: version indication.
+ * @oui: OUI of this packet.
+ * @usr_subtype: subtype for this OUI.
+ */
+struct brcm_ethhdr {
+	__be16 subtype;
+	__be16 length;
+	u8 version;
+	u8 oui[3];
+	__be16 usr_subtype;
+} __packed;
+
+struct brcmf_event_msg_be {
+	__be16 version;
+	__be16 flags;
+	__be32 event_type;
+	__be32 status;
+	__be32 reason;
+	__be32 auth_type;
+	__be32 datalen;
+	u8 addr[ETH_ALEN];
+	char ifname[IFNAMSIZ];
+	u8 ifidx;
+	u8 bsscfgidx;
+} __packed;
+
+/**
+ * struct brcmf_event - contents of broadcom event packet.
+ *
+ * @eth: standard ether header.
+ * @hdr: broadcom specific ether header.
+ * @msg: common part of the actual event message.
+ */
+struct brcmf_event {
+	struct ethhdr eth;
+	struct brcm_ethhdr hdr;
+	struct brcmf_event_msg_be msg;
+} __packed;
+
+/**
  * struct brcmf_event_msg - firmware event message.
  *
  * @version: version information.
@@ -256,34 +297,35 @@ void brcmf_fweh_unregister(struct brcmf_
 			   enum brcmf_fweh_event_code code);
 int brcmf_fweh_activate_events(struct brcmf_if *ifp);
 void brcmf_fweh_process_event(struct brcmf_pub *drvr,
-			      struct brcmf_event *event_packet);
+			      struct brcmf_event *event_packet,
+			      u32 packet_len);
 void brcmf_fweh_p2pdev_setup(struct brcmf_if *ifp, bool ongoing);
 
 static inline void brcmf_fweh_process_skb(struct brcmf_pub *drvr,
 					  struct sk_buff *skb)
 {
 	struct brcmf_event *event_packet;
-	u8 *data;
 	u16 usr_stype;
 
 	/* only process events when protocol matches */
 	if (skb->protocol != cpu_to_be16(ETH_P_LINK_CTL))
 		return;
 
+	if ((skb->len + ETH_HLEN) < sizeof(*event_packet))
+		return;
+
 	/* check for BRCM oui match */
 	event_packet = (struct brcmf_event *)skb_mac_header(skb);
-	data = (u8 *)event_packet;
-	data += BRCMF_EVENT_OUI_OFFSET;
-	if (memcmp(BRCM_OUI, data, DOT11_OUI_LEN))
+	if (memcmp(BRCM_OUI, &event_packet->hdr.oui[0],
+		   sizeof(event_packet->hdr.oui)))
 		return;
 
 	/* final match on usr_subtype */
-	data += DOT11_OUI_LEN;
-	usr_stype = get_unaligned_be16(data);
+	usr_stype = get_unaligned_be16(&event_packet->hdr.usr_subtype);
 	if (usr_stype != BCMILCP_BCM_SUBTYPE_EVENT)
 		return;
 
-	brcmf_fweh_process_event(drvr, event_packet);
+	brcmf_fweh_process_event(drvr, event_packet, skb->len + ETH_HLEN);
 }
 
 #endif /* FWEH_H_ */
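Review bot: the new `(skb->len + ETH_HLEN) < sizeof(*event_packet)` guard is what makes the later hdr.oui and hdr.usr_subtype reads safe, but it is only correct because every caller runs eth_type_trans() first (skb->len then excludes the Ethernet header and skb_mac_header() points at it); a caller that has not pulled the header would over-count by ETH_HLEN and pass frames that are 14 bytes too short. A one-line comment stating that precondition would help. Replacing the BRCMF_EVENT_OUI_OFFSET pointer arithmetic with the struct fields is a clear improvement.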
--- a/drivers/net/wireless/brcm80211/brcmfmac/p2p.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/p2p.c
@@ -1365,6 +1365,11 @@ int brcmf_p2p_notify_action_frame_rx(str
 	u16 mgmt_type;
 	u8 action;
 
+	if (e->datalen < sizeof(*rxframe)) {
+		brcmf_dbg(SCAN, "Event data to small. Ignore\n");
+		return 0;
+	}
+
 	ch.chspec = be16_to_cpu(rxframe->chanspec);
 	cfg->d11inf.decchspec(&ch);
 	/* Check if wpa_supplicant has registered for this frame */
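Review bot: the guard covers only the fixed rxframe header; if the handler goes on to read the management frame body that follows rxframe, that length needs its own bound against `e->datalen - sizeof(*rxframe)`. The same applies to the probe-request hunk below. Typo in the debug string: "to small" should read "too small".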
@@ -1862,6 +1867,11 @@ s32 brcmf_p2p_notify_rx_mgmt_p2p_probere
 	brcmf_dbg(INFO, "Enter: event %d reason %d\n", e->event_code,
 		  e->reason);
 
+	if (e->datalen < sizeof(*rxframe)) {
+		brcmf_dbg(SCAN, "Event data to small. Ignore\n");
+		return 0;
+	}
+
 	ch.chspec = be16_to_cpu(rxframe->chanspec);
 	cfg->d11inf.decchspec(&ch);
 




* [PATCH 4.4 219/241] brcmfmac: screening firmware event packet
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (217 preceding siblings ...)
  2019-06-09 16:42 ` [PATCH 4.4 218/241] brcmfmac: Add length checks on firmware events Greg Kroah-Hartman
@ 2019-06-09 16:42 ` Greg Kroah-Hartman
  2019-06-09 16:42 ` [PATCH 4.4 220/241] brcmfmac: revise handling events in receive path Greg Kroah-Hartman
                   ` (26 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:42 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Pieter-Paul Giesberts, Franky Lin,
	Arend van Spriel, Kalle Valo, Ben Hutchings

From: Franky Lin <franky.lin@broadcom.com>

commit c56caa9db8abbbfb9e31325e0897705aa897db37 upstream.

Firmware uses asynchronous events as a communication method to the
host. The event packets are marked as ETH_P_LINK_CTL protocol type. For
the SDIO and PCIe buses, such packets are delivered through a virtual
event channel, not the data channel. This patch adds screening logic to
make sure the event handler only processes the events coming from the
correct channel.

Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
Signed-off-by: Franky Lin <franky.lin@broadcom.com>
Signed-off-by: Arend van Spriel <arend@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
[bwh: Backported to 4.4 adjust filenames]
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/wireless/brcm80211/brcmfmac/bus.h    |    4 +-
 drivers/net/wireless/brcm80211/brcmfmac/core.c   |   46 ++++++++++++++++++-----
 drivers/net/wireless/brcm80211/brcmfmac/core.h   |    3 +
 drivers/net/wireless/brcm80211/brcmfmac/msgbuf.c |   42 ++++++++++++---------
 drivers/net/wireless/brcm80211/brcmfmac/sdio.c   |   32 ++++++++++++----
 drivers/net/wireless/brcm80211/brcmfmac/usb.c    |    2 -
 6 files changed, 90 insertions(+), 39 deletions(-)

--- a/drivers/net/wireless/brcm80211/brcmfmac/bus.h
+++ b/drivers/net/wireless/brcm80211/brcmfmac/bus.h
@@ -214,7 +214,9 @@ bool brcmf_c_prec_enq(struct device *dev
 		      int prec);
 
 /* Receive frame for delivery to OS.  Callee disposes of rxp. */
-void brcmf_rx_frame(struct device *dev, struct sk_buff *rxp);
+void brcmf_rx_frame(struct device *dev, struct sk_buff *rxp, bool handle_evnt);
+/* Receive async event packet from firmware. Callee disposes of rxp. */
+void brcmf_rx_event(struct device *dev, struct sk_buff *rxp);
 
 /* Indication from bus module regarding presence/insertion of dongle. */
 int brcmf_attach(struct device *dev);
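Review bot: the new parameter is spelled handle_evnt here and in core.c but handle_event in the core.h prototype of brcmf_netif_rx(); use one spelling across the three files, and say in the comment what true means (USB, where events share the data path), since the bus drivers now pass different constants.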
--- a/drivers/net/wireless/brcm80211/brcmfmac/core.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/core.c
@@ -301,16 +301,17 @@ void brcmf_txflowblock(struct device *de
 	brcmf_fws_bus_blocked(drvr, state);
 }
 
-void brcmf_netif_rx(struct brcmf_if *ifp, struct sk_buff *skb)
+void brcmf_netif_rx(struct brcmf_if *ifp, struct sk_buff *skb,
+		    bool handle_event)
 {
-	skb->dev = ifp->ndev;
-	skb->protocol = eth_type_trans(skb, skb->dev);
+	skb->protocol = eth_type_trans(skb, ifp->ndev);
 
 	if (skb->pkt_type == PACKET_MULTICAST)
 		ifp->stats.multicast++;
 
 	/* Process special event packets */
-	brcmf_fweh_process_skb(ifp->drvr, skb);
+	if (handle_event)
+		brcmf_fweh_process_skb(ifp->drvr, skb);
 
 	if (!(ifp->ndev->flags & IFF_UP)) {
 		brcmu_pkt_buf_free_skb(skb);
@@ -371,7 +372,7 @@ static void brcmf_rxreorder_process_info
 	/* validate flags and flow id */
 	if (flags == 0xFF) {
 		brcmf_err("invalid flags...so ignore this packet\n");
-		brcmf_netif_rx(ifp, pkt);
+		brcmf_netif_rx(ifp, pkt, false);
 		return;
 	}
 
@@ -383,7 +384,7 @@ static void brcmf_rxreorder_process_info
 		if (rfi == NULL) {
 			brcmf_dbg(INFO, "received flags to cleanup, but no flow (%d) yet\n",
 				  flow_id);
-			brcmf_netif_rx(ifp, pkt);
+			brcmf_netif_rx(ifp, pkt, false);
 			return;
 		}
 
@@ -408,7 +409,7 @@ static void brcmf_rxreorder_process_info
 		rfi = kzalloc(buf_size, GFP_ATOMIC);
 		if (rfi == NULL) {
 			brcmf_err("failed to alloc buffer\n");
-			brcmf_netif_rx(ifp, pkt);
+			brcmf_netif_rx(ifp, pkt, false);
 			return;
 		}
 
@@ -522,11 +523,11 @@ static void brcmf_rxreorder_process_info
 netif_rx:
 	skb_queue_walk_safe(&reorder_list, pkt, pnext) {
 		__skb_unlink(pkt, &reorder_list);
-		brcmf_netif_rx(ifp, pkt);
+		brcmf_netif_rx(ifp, pkt, false);
 	}
 }
 
-void brcmf_rx_frame(struct device *dev, struct sk_buff *skb)
+void brcmf_rx_frame(struct device *dev, struct sk_buff *skb, bool handle_evnt)
 {
 	struct brcmf_if *ifp;
 	struct brcmf_bus *bus_if = dev_get_drvdata(dev);
@@ -550,7 +551,32 @@ void brcmf_rx_frame(struct device *dev,
 	if (rd->reorder)
 		brcmf_rxreorder_process_info(ifp, rd->reorder, skb);
 	else
-		brcmf_netif_rx(ifp, skb);
+		brcmf_netif_rx(ifp, skb, handle_evnt);
+}
+
+void brcmf_rx_event(struct device *dev, struct sk_buff *skb)
+{
+	struct brcmf_if *ifp;
+	struct brcmf_bus *bus_if = dev_get_drvdata(dev);
+	struct brcmf_pub *drvr = bus_if->drvr;
+	int ret;
+
+	brcmf_dbg(EVENT, "Enter: %s: rxp=%p\n", dev_name(dev), skb);
+
+	/* process and remove protocol-specific header */
+	ret = brcmf_proto_hdrpull(drvr, true, skb, &ifp);
+
+	if (ret || !ifp || !ifp->ndev) {
+		if (ret != -ENODATA && ifp)
+			ifp->stats.rx_errors++;
+		brcmu_pkt_buf_free_skb(skb);
+		return;
+	}
+
+	skb->protocol = eth_type_trans(skb, ifp->ndev);
+
+	brcmf_fweh_process_skb(ifp->drvr, skb);
+	brcmu_pkt_buf_free_skb(skb);
 }
 
 void brcmf_txfinalize(struct brcmf_if *ifp, struct sk_buff *txp, bool success)
--- a/drivers/net/wireless/brcm80211/brcmfmac/core.h
+++ b/drivers/net/wireless/brcm80211/brcmfmac/core.h
@@ -215,7 +215,8 @@ int brcmf_get_next_free_bsscfgidx(struct
 void brcmf_txflowblock_if(struct brcmf_if *ifp,
 			  enum brcmf_netif_stop_reason reason, bool state);
 void brcmf_txfinalize(struct brcmf_if *ifp, struct sk_buff *txp, bool success);
-void brcmf_netif_rx(struct brcmf_if *ifp, struct sk_buff *skb);
+void brcmf_netif_rx(struct brcmf_if *ifp, struct sk_buff *skb,
+		    bool handle_event);
 void brcmf_net_setcarrier(struct brcmf_if *ifp, bool on);
 
 #endif /* BRCMFMAC_CORE_H */
--- a/drivers/net/wireless/brcm80211/brcmfmac/msgbuf.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/msgbuf.c
@@ -20,6 +20,7 @@
 
 #include <linux/types.h>
 #include <linux/netdevice.h>
+#include <linux/etherdevice.h>
 
 #include <brcmu_utils.h>
 #include <brcmu_wifi.h>
@@ -1076,28 +1077,13 @@ static void brcmf_msgbuf_rxbuf_event_pos
 }
 
 
-static void
-brcmf_msgbuf_rx_skb(struct brcmf_msgbuf *msgbuf, struct sk_buff *skb,
-		    u8 ifidx)
-{
-	struct brcmf_if *ifp;
-
-	ifp = brcmf_get_ifp(msgbuf->drvr, ifidx);
-	if (!ifp || !ifp->ndev) {
-		brcmf_err("Received pkt for invalid ifidx %d\n", ifidx);
-		brcmu_pkt_buf_free_skb(skb);
-		return;
-	}
-	brcmf_netif_rx(ifp, skb);
-}
-
-
 static void brcmf_msgbuf_process_event(struct brcmf_msgbuf *msgbuf, void *buf)
 {
 	struct msgbuf_rx_event *event;
 	u32 idx;
 	u16 buflen;
 	struct sk_buff *skb;
+	struct brcmf_if *ifp;
 
 	event = (struct msgbuf_rx_event *)buf;
 	idx = le32_to_cpu(event->msg.request_id);
@@ -1117,7 +1103,19 @@ static void brcmf_msgbuf_process_event(s
 
 	skb_trim(skb, buflen);
 
-	brcmf_msgbuf_rx_skb(msgbuf, skb, event->msg.ifidx);
+	ifp = brcmf_get_ifp(msgbuf->drvr, event->msg.ifidx);
+	if (!ifp || !ifp->ndev) {
+		brcmf_err("Received pkt for invalid ifidx %d\n",
+			  event->msg.ifidx);
+		goto exit;
+	}
+
+	skb->protocol = eth_type_trans(skb, ifp->ndev);
+
+	brcmf_fweh_process_skb(ifp->drvr, skb);
+
+exit:
+	brcmu_pkt_buf_free_skb(skb);
 }
 
 
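Review bot: the ifidx lookup and its error log, removed together with brcmf_msgbuf_rx_skb(), are now pasted into both brcmf_msgbuf_process_event() and brcmf_msgbuf_process_rx_complete(); keep a small lookup helper (a hypothetical brcmf_msgbuf_get_ifp() returning ifp or NULL) so the two paths differ only in the delivery call. Note also that here the skb is freed at the exit label after brcmf_fweh_process_skb(), whereas in rx_complete ownership passes to brcmf_netif_rx(); a comment on that difference would save the next reader a trip through fweh.c.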
@@ -1129,6 +1127,7 @@ brcmf_msgbuf_process_rx_complete(struct
 	u16 data_offset;
 	u16 buflen;
 	u32 idx;
+	struct brcmf_if *ifp;
 
 	brcmf_msgbuf_update_rxbufpost_count(msgbuf, 1);
 
@@ -1149,7 +1148,14 @@ brcmf_msgbuf_process_rx_complete(struct
 
 	skb_trim(skb, buflen);
 
-	brcmf_msgbuf_rx_skb(msgbuf, skb, rx_complete->msg.ifidx);
+	ifp = brcmf_get_ifp(msgbuf->drvr, rx_complete->msg.ifidx);
+	if (!ifp || !ifp->ndev) {
+		brcmf_err("Received pkt for invalid ifidx %d\n",
+			  rx_complete->msg.ifidx);
+		brcmu_pkt_buf_free_skb(skb);
+		return;
+	}
+	brcmf_netif_rx(ifp, skb, false);
 }
 
 
--- a/drivers/net/wireless/brcm80211/brcmfmac/sdio.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/sdio.c
@@ -1394,6 +1394,17 @@ static inline u8 brcmf_sdio_getdatoffset
 	return (u8)((hdrvalue & SDPCM_DOFFSET_MASK) >> SDPCM_DOFFSET_SHIFT);
 }
 
+static inline bool brcmf_sdio_fromevntchan(u8 *swheader)
+{
+	u32 hdrvalue;
+	u8 ret;
+
+	hdrvalue = *(u32 *)swheader;
+	ret = (u8)((hdrvalue & SDPCM_CHANNEL_MASK) >> SDPCM_CHANNEL_SHIFT);
+
+	return (ret == SDPCM_EVENT_CHANNEL);
+}
+
 static int brcmf_sdio_hdparse(struct brcmf_sdio *bus, u8 *header,
 			      struct brcmf_sdio_hdrinfo *rd,
 			      enum brcmf_sdio_frmtype type)
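Review bot: brcmf_sdio_fromevntchan() reads swheader through a `u32 *` cast, which is an unaligned, host-endian access to a little-endian on-bus field; `get_unaligned_le32(swheader)` is the defensive read (and if the existing helpers read the header the same way, they should move with it). The `ret` temporary can go in favour of comparing the masked value directly.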
@@ -1754,7 +1765,11 @@ static u8 brcmf_sdio_rxglom(struct brcmf
 					   pfirst->len, pfirst->next,
 					   pfirst->prev);
 			skb_unlink(pfirst, &bus->glom);
-			brcmf_rx_frame(bus->sdiodev->dev, pfirst);
+			if (brcmf_sdio_fromevntchan(pfirst->data))
+				brcmf_rx_event(bus->sdiodev->dev, pfirst);
+			else
+				brcmf_rx_frame(bus->sdiodev->dev, pfirst,
+					       false);
 			bus->sdcnt.rxglompkts++;
 		}
 
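Review bot: in the glom path the channel test is applied to pfirst->data, whereas brcmf_sdio_readframes() in the next hunk uses rd->channel parsed from the SDPCM header; pfirst->data at this point is the subframe payload rather than the software header, so data frames whose first word happens to carry the event-channel bits are diverted to brcmf_rx_event() and dropped. The software header lives at dptr + SDPCM_HWHDR_LEN, as patch 221 in this series corrects; folding that fix into this patch would avoid backporting the regression and its repair separately.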
@@ -2081,18 +2096,19 @@ static uint brcmf_sdio_readframes(struct
 		__skb_trim(pkt, rd->len);
 		skb_pull(pkt, rd->dat_offset);
 
+		if (pkt->len == 0)
+			brcmu_pkt_buf_free_skb(pkt);
+		else if (rd->channel == SDPCM_EVENT_CHANNEL)
+			brcmf_rx_event(bus->sdiodev->dev, pkt);
+		else
+			brcmf_rx_frame(bus->sdiodev->dev, pkt,
+				       false);
+
 		/* prepare the descriptor for the next read */
 		rd->len = rd->len_nxtfrm << 4;
 		rd->len_nxtfrm = 0;
 		/* treat all packet as event if we don't know */
 		rd->channel = SDPCM_EVENT_CHANNEL;
-
-		if (pkt->len == 0) {
-			brcmu_pkt_buf_free_skb(pkt);
-			continue;
-		}
-
-		brcmf_rx_frame(bus->sdiodev->dev, pkt);
 	}
 
 	rxcount = maxframes - rxleft;
--- a/drivers/net/wireless/brcm80211/brcmfmac/usb.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/usb.c
@@ -502,7 +502,7 @@ static void brcmf_usb_rx_complete(struct
 
 	if (devinfo->bus_pub.state == BRCMFMAC_USB_STATE_UP) {
 		skb_put(skb, urb->actual_length);
-		brcmf_rx_frame(devinfo->dev, skb);
+		brcmf_rx_frame(devinfo->dev, skb, true);
 		brcmf_usb_rx_refill(devinfo, req);
 	} else {
 		brcmu_pkt_buf_free_skb(skb);
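Review bot: with true passed here, the USB path relies solely on fields carried inside the frame (the ETH_P_LINK_CTL ethertype, the OUI and usr_subtype) to tell events from data, because there is no bus channel to consult; that assumption deserves a sentence in the commit message, and it is the reason the later subtype check in patch 223 of this series is needed on exactly this path.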




* [PATCH 4.4 220/241] brcmfmac: revise handling events in receive path
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (218 preceding siblings ...)
  2019-06-09 16:42 ` [PATCH 4.4 219/241] brcmfmac: screening firmware event packet Greg Kroah-Hartman
@ 2019-06-09 16:42 ` Greg Kroah-Hartman
  2019-06-09 16:42 ` [PATCH 4.4 221/241] brcmfmac: fix incorrect event channel deduction Greg Kroah-Hartman
                   ` (25 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:42 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hante Meuleman,
	Pieter-Paul Giesberts, Franky Lin, Arend van Spriel, Kalle Valo,
	Ben Hutchings

From: Arend van Spriel <arend@broadcom.com>

commit 9c349892ccc90c6de2baaa69cc78449f58082273 upstream.

Move event handling out of brcmf_netif_rx(), avoiding the need
to pass a flag. This flag is only ever true for USB hosts, as
the other interfaces use the separate brcmf_rx_event() function.

Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
Reviewed-by: Franky Lin <franky.lin@broadcom.com>
Signed-off-by: Arend van Spriel <arend@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
[bwh: Backported to 4.4 as dependency of commit a4176ec356c7
 "brcmfmac: add subtype check for event handling in data path"
 - Adjust filenames, context]
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/wireless/brcm80211/brcmfmac/bus.h    |    2 -
 drivers/net/wireless/brcm80211/brcmfmac/core.c   |   32 +++++++++++------------
 drivers/net/wireless/brcm80211/brcmfmac/core.h   |    3 --
 drivers/net/wireless/brcm80211/brcmfmac/msgbuf.c |    2 -
 4 files changed, 19 insertions(+), 20 deletions(-)

--- a/drivers/net/wireless/brcm80211/brcmfmac/bus.h
+++ b/drivers/net/wireless/brcm80211/brcmfmac/bus.h
@@ -214,7 +214,7 @@ bool brcmf_c_prec_enq(struct device *dev
 		      int prec);
 
 /* Receive frame for delivery to OS.  Callee disposes of rxp. */
-void brcmf_rx_frame(struct device *dev, struct sk_buff *rxp, bool handle_evnt);
+void brcmf_rx_frame(struct device *dev, struct sk_buff *rxp, bool handle_event);
 /* Receive async event packet from firmware. Callee disposes of rxp. */
 void brcmf_rx_event(struct device *dev, struct sk_buff *rxp);
 
--- a/drivers/net/wireless/brcm80211/brcmfmac/core.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/core.c
@@ -301,18 +301,11 @@ void brcmf_txflowblock(struct device *de
 	brcmf_fws_bus_blocked(drvr, state);
 }
 
-void brcmf_netif_rx(struct brcmf_if *ifp, struct sk_buff *skb,
-		    bool handle_event)
+void brcmf_netif_rx(struct brcmf_if *ifp, struct sk_buff *skb)
 {
-	skb->protocol = eth_type_trans(skb, ifp->ndev);
-
 	if (skb->pkt_type == PACKET_MULTICAST)
 		ifp->stats.multicast++;
 
-	/* Process special event packets */
-	if (handle_event)
-		brcmf_fweh_process_skb(ifp->drvr, skb);
-
 	if (!(ifp->ndev->flags & IFF_UP)) {
 		brcmu_pkt_buf_free_skb(skb);
 		return;
@@ -372,7 +365,7 @@ static void brcmf_rxreorder_process_info
 	/* validate flags and flow id */
 	if (flags == 0xFF) {
 		brcmf_err("invalid flags...so ignore this packet\n");
-		brcmf_netif_rx(ifp, pkt, false);
+		brcmf_netif_rx(ifp, pkt);
 		return;
 	}
 
@@ -384,7 +377,7 @@ static void brcmf_rxreorder_process_info
 		if (rfi == NULL) {
 			brcmf_dbg(INFO, "received flags to cleanup, but no flow (%d) yet\n",
 				  flow_id);
-			brcmf_netif_rx(ifp, pkt, false);
+			brcmf_netif_rx(ifp, pkt);
 			return;
 		}
 
@@ -409,7 +402,7 @@ static void brcmf_rxreorder_process_info
 		rfi = kzalloc(buf_size, GFP_ATOMIC);
 		if (rfi == NULL) {
 			brcmf_err("failed to alloc buffer\n");
-			brcmf_netif_rx(ifp, pkt, false);
+			brcmf_netif_rx(ifp, pkt);
 			return;
 		}
 
@@ -523,11 +516,11 @@ static void brcmf_rxreorder_process_info
 netif_rx:
 	skb_queue_walk_safe(&reorder_list, pkt, pnext) {
 		__skb_unlink(pkt, &reorder_list);
-		brcmf_netif_rx(ifp, pkt, false);
+		brcmf_netif_rx(ifp, pkt);
 	}
 }
 
-void brcmf_rx_frame(struct device *dev, struct sk_buff *skb, bool handle_evnt)
+void brcmf_rx_frame(struct device *dev, struct sk_buff *skb, bool handle_event)
 {
 	struct brcmf_if *ifp;
 	struct brcmf_bus *bus_if = dev_get_drvdata(dev);
@@ -547,11 +540,18 @@ void brcmf_rx_frame(struct device *dev,
 		return;
 	}
 
+	skb->protocol = eth_type_trans(skb, ifp->ndev);
+
 	rd = (struct brcmf_skb_reorder_data *)skb->cb;
-	if (rd->reorder)
+	if (rd->reorder) {
 		brcmf_rxreorder_process_info(ifp, rd->reorder, skb);
-	else
-		brcmf_netif_rx(ifp, skb, handle_evnt);
+	} else {
+		/* Process special event packets */
+		if (handle_event)
+			brcmf_fweh_process_skb(ifp->drvr, skb);
+
+		brcmf_netif_rx(ifp, skb);
+	}
 }
 
 void brcmf_rx_event(struct device *dev, struct sk_buff *skb)
--- a/drivers/net/wireless/brcm80211/brcmfmac/core.h
+++ b/drivers/net/wireless/brcm80211/brcmfmac/core.h
@@ -215,8 +215,7 @@ int brcmf_get_next_free_bsscfgidx(struct
 void brcmf_txflowblock_if(struct brcmf_if *ifp,
 			  enum brcmf_netif_stop_reason reason, bool state);
 void brcmf_txfinalize(struct brcmf_if *ifp, struct sk_buff *txp, bool success);
-void brcmf_netif_rx(struct brcmf_if *ifp, struct sk_buff *skb,
-		    bool handle_event);
+void brcmf_netif_rx(struct brcmf_if *ifp, struct sk_buff *skb);
 void brcmf_net_setcarrier(struct brcmf_if *ifp, bool on);
 
 #endif /* BRCMFMAC_CORE_H */
--- a/drivers/net/wireless/brcm80211/brcmfmac/msgbuf.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/msgbuf.c
@@ -1155,7 +1155,7 @@ brcmf_msgbuf_process_rx_complete(struct
 		brcmu_pkt_buf_free_skb(skb);
 		return;
 	}
-	brcmf_netif_rx(ifp, skb, false);
+	brcmf_netif_rx(ifp, skb);
 }
 
 
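Review bot: with eth_type_trans() moved out of brcmf_netif_rx() into brcmf_rx_frame(), brcmf_netif_rx() now expects skb->protocol and skb->pkt_type to be set by the caller (it tests pkt_type for the multicast counter). This msgbuf call site only drops the flag; unless the context above it already runs `skb->protocol = eth_type_trans(skb, ifp->ndev)` (patch 219 added that call in brcmf_msgbuf_process_event(), but its rx_complete hunk shows no such line), frames on the PCIe data path will reach the stack with protocol unset. Please add the call or show the context that has it.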




* [PATCH 4.4 221/241] brcmfmac: fix incorrect event channel deduction
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (219 preceding siblings ...)
  2019-06-09 16:42 ` [PATCH 4.4 220/241] brcmfmac: revise handling events in receive path Greg Kroah-Hartman
@ 2019-06-09 16:42 ` Greg Kroah-Hartman
  2019-06-09 16:42 ` [PATCH 4.4 222/241] brcmfmac: add length checks in scheduled scan result handler Greg Kroah-Hartman
                   ` (24 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:42 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Gavin Li, Arend van Spriel,
	Kalle Valo, Ben Hutchings

From: Gavin Li <git@thegavinli.com>

commit 8e290cecdd0178f3d4cf7d463c51dc7e462843b4 upstream.

brcmf_sdio_fromevntchan() was being called on the data frame
rather than the software header, causing some frames to be
mischaracterized as on the event channel rather than the data channel.

This fixes a major performance regression (due to dropped packets). With
this patch the download speed jumped from 1Mbit/s back up to 40MBit/s due
to the sheer amount of packets being incorrectly processed.

Fixes: c56caa9db8ab ("brcmfmac: screening firmware event packet")
Signed-off-by: Gavin Li <git@thegavinli.com>
Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
[kvalo@codeaurora.org: improve commit logs based on email discussion]
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
[bwh: Backported to 4.4: adjust filename]
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/wireless/brcm80211/brcmfmac/sdio.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/wireless/brcm80211/brcmfmac/sdio.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/sdio.c
@@ -1765,7 +1765,7 @@ static u8 brcmf_sdio_rxglom(struct brcmf
 					   pfirst->len, pfirst->next,
 					   pfirst->prev);
 			skb_unlink(pfirst, &bus->glom);
-			if (brcmf_sdio_fromevntchan(pfirst->data))
+			if (brcmf_sdio_fromevntchan(&dptr[SDPCM_HWHDR_LEN]))
 				brcmf_rx_event(bus->sdiodev->dev, pfirst);
 			else
 				brcmf_rx_frame(bus->sdiodev->dev, pfirst,
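Review bot: passing `&dptr[SDPCM_HWHDR_LEN]` is correct only if dptr still points at the start of this subframe's hardware header when the loop reaches skb_unlink(), i.e. it has not been advanced past the headers earlier in the iteration; a short comment naming the layout (hardware header, then software header) next to the call would keep a future refactor from re-introducing the bug. The Fixes: tag pairing this with patch 219 is good.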




* [PATCH 4.4 222/241] brcmfmac: add length checks in scheduled scan result handler
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (220 preceding siblings ...)
  2019-06-09 16:42 ` [PATCH 4.4 221/241] brcmfmac: fix incorrect event channel deduction Greg Kroah-Hartman
@ 2019-06-09 16:42 ` Greg Kroah-Hartman
  2019-06-09 16:42 ` [PATCH 4.4 223/241] brcmfmac: add subtype check for event handling in data path Greg Kroah-Hartman
                   ` (23 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:42 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hante Meuleman,
	Pieter-Paul Giesberts, Franky Lin, Arend van Spriel, Kalle Valo,
	Ben Hutchings

From: Arend Van Spriel <arend.vanspriel@broadcom.com>

commit 4835f37e3bafc138f8bfa3cbed2920dd56fed283 upstream.

Assure the event data buffer is long enough to hold the array
of netinfo items and that SSID length does not exceed the maximum
of 32 characters as per 802.11 spec.

Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
Reviewed-by: Franky Lin <franky.lin@broadcom.com>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
[bwh: Backported to 4.4:
 - Move the assignment to "data" along with the assignment to "netinfo_start"
   that depends on it
 - Adjust filename, context, indentation]
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c |   14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

--- a/drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c
@@ -3328,6 +3328,7 @@ brcmf_notify_sched_scan_results(struct b
 	struct brcmf_pno_scanresults_le *pfn_result;
 	u32 result_count;
 	u32 status;
+	u32 datalen;
 
 	brcmf_dbg(SCAN, "Enter\n");
 
@@ -3354,6 +3355,14 @@ brcmf_notify_sched_scan_results(struct b
 	if (result_count > 0) {
 		int i;
 
+		data += sizeof(struct brcmf_pno_scanresults_le);
+		netinfo_start = (struct brcmf_pno_net_info_le *)data;
+		datalen = e->datalen - ((void *)netinfo_start - (void *)pfn_result);
+		if (datalen < result_count * sizeof(*netinfo)) {
+			brcmf_err("insufficient event data\n");
+			goto out_err;
+		}
+
 		request = kzalloc(sizeof(*request), GFP_KERNEL);
 		ssid = kcalloc(result_count, sizeof(*ssid), GFP_KERNEL);
 		channel = kcalloc(result_count, sizeof(*channel), GFP_KERNEL);
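Review bot: `result_count * sizeof(*netinfo)` multiplies a firmware-supplied u32 by a size_t; on 32-bit builds that product can wrap and the comparison then passes for a huge result_count, so compare as `datalen / sizeof(*netinfo) < result_count` (or use check_mul_overflow() on kernels that have it). The subtraction that produces datalen cannot underflow only because of the `e->datalen < sizeof(*pfn_result) + sizeof(*netinfo)` test added earlier in this function; a comment tying the two checks together would help.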
@@ -3363,9 +3372,6 @@ brcmf_notify_sched_scan_results(struct b
 		}
 
 		request->wiphy = wiphy;
-		data += sizeof(struct brcmf_pno_scanresults_le);
-		netinfo_start = (struct brcmf_pno_net_info_le *)data;
-
 		for (i = 0; i < result_count; i++) {
 			netinfo = &netinfo_start[i];
 			if (!netinfo) {
@@ -3375,6 +3381,8 @@ brcmf_notify_sched_scan_results(struct b
 				goto out_err;
 			}
 
+			if (netinfo->SSID_len > IEEE80211_MAX_SSID_LEN)
+				netinfo->SSID_len = IEEE80211_MAX_SSID_LEN;
 			brcmf_dbg(SCAN, "SSID:%s Channel:%d\n",
 				  netinfo->SSID, netinfo->channel);
 			memcpy(ssid[i].ssid, netinfo->SSID, netinfo->SSID_len);
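Review bot: clamping SSID_len to IEEE80211_MAX_SSID_LEN keeps the memcpy in bounds, but the brcmf_dbg() line right after still prints netinfo->SSID with `%s`, and a 32-byte SSID is not NUL-terminated inside the netinfo struct; use `%.*s` with netinfo->SSID_len. The `if (!netinfo)` test in the context above can never be true for `&netinfo_start[i]` and could be dropped while here.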




* [PATCH 4.4 223/241] brcmfmac: add subtype check for event handling in data path
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (221 preceding siblings ...)
  2019-06-09 16:42 ` [PATCH 4.4 222/241] brcmfmac: add length checks in scheduled scan result handler Greg Kroah-Hartman
@ 2019-06-09 16:42 ` Greg Kroah-Hartman
  2019-06-09 16:42 ` [PATCH 4.4 224/241] userfaultfd: dont pin the user memory in userfaultfd_file_create() Greg Kroah-Hartman
                   ` (22 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:42 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hante Meuleman,
	Pieter-Paul Giesberts, Franky Lin, Arend van Spriel, Kalle Valo,
	Ben Hutchings

From: Arend van Spriel <arend.vanspriel@broadcom.com>

commit a4176ec356c73a46c07c181c6d04039fafa34a9f upstream.

For USB there is no separate channel being used to pass events
from firmware to the host driver, so they are passed over the
data path. In order to detect mock event messages an additional
check is needed on the event subtype. This check is added conditionally
using the unlikely() keyword.

Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
Reviewed-by: Franky Lin <franky.lin@broadcom.com>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
[bwh: Backported to 4.4: adjust filenames]
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/wireless/brcm80211/brcmfmac/core.c   |    5 +++--
 drivers/net/wireless/brcm80211/brcmfmac/fweh.h   |   16 ++++++++++++----
 drivers/net/wireless/brcm80211/brcmfmac/msgbuf.c |    2 +-
 3 files changed, 16 insertions(+), 7 deletions(-)

--- a/drivers/net/wireless/brcm80211/brcmfmac/core.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/core.c
@@ -548,7 +548,8 @@ void brcmf_rx_frame(struct device *dev,
 	} else {
 		/* Process special event packets */
 		if (handle_event)
-			brcmf_fweh_process_skb(ifp->drvr, skb);
+			brcmf_fweh_process_skb(ifp->drvr, skb,
+					       BCMILCP_SUBTYPE_VENDOR_LONG);
 
 		brcmf_netif_rx(ifp, skb);
 	}
@@ -575,7 +576,7 @@ void brcmf_rx_event(struct device *dev,
 
 	skb->protocol = eth_type_trans(skb, ifp->ndev);
 
-	brcmf_fweh_process_skb(ifp->drvr, skb);
+	brcmf_fweh_process_skb(ifp->drvr, skb, 0);
 	brcmu_pkt_buf_free_skb(skb);
 }
 
--- a/drivers/net/wireless/brcm80211/brcmfmac/fweh.h
+++ b/drivers/net/wireless/brcm80211/brcmfmac/fweh.h
@@ -181,7 +181,7 @@ enum brcmf_fweh_event_code {
  */
 #define BRCM_OUI				"\x00\x10\x18"
 #define BCMILCP_BCM_SUBTYPE_EVENT		1
-
+#define BCMILCP_SUBTYPE_VENDOR_LONG		32769
 
 /**
  * struct brcm_ethhdr - broadcom specific ether header.
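Review bot: 32769 is 0x8001; writing the value in hex, or adding a comment naming the ILCP "vendor long" subtype it denotes, makes it self-explanatory next to BCMILCP_BCM_SUBTYPE_EVENT.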
@@ -302,10 +302,10 @@ void brcmf_fweh_process_event(struct brc
 void brcmf_fweh_p2pdev_setup(struct brcmf_if *ifp, bool ongoing);
 
 static inline void brcmf_fweh_process_skb(struct brcmf_pub *drvr,
-					  struct sk_buff *skb)
+					  struct sk_buff *skb, u16 stype)
 {
 	struct brcmf_event *event_packet;
-	u16 usr_stype;
+	u16 subtype, usr_stype;
 
 	/* only process events when protocol matches */
 	if (skb->protocol != cpu_to_be16(ETH_P_LINK_CTL))
@@ -314,8 +314,16 @@ static inline void brcmf_fweh_process_sk
 	if ((skb->len + ETH_HLEN) < sizeof(*event_packet))
 		return;
 
-	/* check for BRCM oui match */
 	event_packet = (struct brcmf_event *)skb_mac_header(skb);
+
+	/* check subtype if needed */
+	if (unlikely(stype)) {
+		subtype = get_unaligned_be16(&event_packet->hdr.subtype);
+		if (subtype != stype)
+			return;
+	}
+
+	/* check for BRCM oui match */
 	if (memcmp(BRCM_OUI, &event_packet->hdr.oui[0],
 		   sizeof(event_packet->hdr.oui)))
 		return;
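Review bot: stype == 0 doubles as "skip the subtype check" for the event-channel callers; a named constant or a bool would make the three call sites readable without consulting this function. Also, unlikely() only hints the branch predictor: the comparison is still compiled in and evaluated for every event on the USB path, so "conditionally" in the commit message overstates what it does. Ordering the subtype test before the OUI test is fine, since both fields sit inside the already length-checked brcmf_event header.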
--- a/drivers/net/wireless/brcm80211/brcmfmac/msgbuf.c
+++ b/drivers/net/wireless/brcm80211/brcmfmac/msgbuf.c
@@ -1112,7 +1112,7 @@ static void brcmf_msgbuf_process_event(s
 
 	skb->protocol = eth_type_trans(skb, ifp->ndev);
 
-	brcmf_fweh_process_skb(ifp->drvr, skb);
+	brcmf_fweh_process_skb(ifp->drvr, skb, 0);
 
 exit:
 	brcmu_pkt_buf_free_skb(skb);



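The five brcmfmac patches above (218 through 223) converge on one screening routine: a frame is an event only if it carries the ETH_P_LINK_CTL ethertype, is at least sizeof(struct brcmf_event) long, has the Broadcom OUI and the event usr_subtype, optionally (USB only) the vendor-long subtype, and claims a payload length that is both capped and no larger than what actually arrived. The following userspace C program is an added example written for this review, not code from the patches or from the driver; it models those checks over constructed frames so the order and effect of each check can be run outside the kernel. The struct layouts mirror the fweh.h hunks, while the ETH_P_LINK_CTL value (0x886c), the BRCMF_DCMD_MAXLEN cap (8192), and the helper names brcmf_event_screen(), build_event() and run_case() are assumptions made here.

```c
/* Userspace model of the firmware-event screening added by patches 218, 219
 * and 223 to brcmf_fweh_process_skb()/brcmf_fweh_process_event().
 * Added example, not driver code. Struct layouts mirror the fweh.h hunks;
 * ETH_P_LINK_CTL and BRCMF_DCMD_MAXLEN values are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_ALEN   6
#define IFNAMSIZ   16
#define ETH_HLEN   14
#define ETH_P_LINK_CTL              0x886c  /* assumed: Linux if_ether.h value */
#define BRCM_OUI                    "\x00\x10\x18"
#define BCMILCP_BCM_SUBTYPE_EVENT   1
#define BCMILCP_SUBTYPE_VENDOR_LONG 32769
#define BRCMF_DCMD_MAXLEN           8192    /* assumed per-event payload cap */

struct ethhdr { uint8_t h_dest[ETH_ALEN]; uint8_t h_source[ETH_ALEN]; uint16_t h_proto; } __attribute__((packed));
struct brcm_ethhdr { uint16_t subtype; uint16_t length; uint8_t version; uint8_t oui[3]; uint16_t usr_subtype; } __attribute__((packed));
struct brcmf_event_msg_be {
	uint16_t version, flags;
	uint32_t event_type, status, reason, auth_type, datalen;
	uint8_t addr[ETH_ALEN];
	char ifname[IFNAMSIZ];
	uint8_t ifidx, bsscfgidx;
} __attribute__((packed));
struct brcmf_event { struct ethhdr eth; struct brcm_ethhdr hdr; struct brcmf_event_msg_be msg; } __attribute__((packed));

/* Why a frame was rejected; EV_OK means every check passed. */
enum ev_verdict { EV_OK, EV_BAD_PROTO, EV_TOO_SHORT, EV_BAD_SUBTYPE, EV_BAD_OUI,
		  EV_BAD_USR_SUBTYPE, EV_DATALEN_TOO_BIG, EV_DATALEN_EXCEEDS_FRAME };

/* Byte-wise big-endian accessors: the on-wire fields are unaligned and BE. */
static uint16_t rd_be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd_be32(const uint8_t *p)
{ return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }
static void wr_be16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr_be32(uint8_t *p, uint32_t v)
{ p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v; }
#define FIELD(buf, member) ((buf) + offsetof(struct brcmf_event, member))

/* Screen one received frame (Ethernet header included). A non-zero stype
 * additionally requires hdr.subtype == stype, as the USB data path does. */
enum ev_verdict brcmf_event_screen(const uint8_t *frame, size_t frame_len,
				   uint16_t stype, uint32_t *payload_len)
{
	uint32_t datalen;

	if (frame_len < ETH_HLEN) return EV_TOO_SHORT;
	if (rd_be16(FIELD(frame, eth.h_proto)) != ETH_P_LINK_CTL) return EV_BAD_PROTO;
	/* every header field read below lies inside sizeof(struct brcmf_event) */
	if (frame_len < sizeof(struct brcmf_event)) return EV_TOO_SHORT;
	if (stype && rd_be16(FIELD(frame, hdr.subtype)) != stype) return EV_BAD_SUBTYPE;
	if (memcmp(BRCM_OUI, FIELD(frame, hdr.oui), 3) != 0) return EV_BAD_OUI;
	if (rd_be16(FIELD(frame, hdr.usr_subtype)) != BCMILCP_BCM_SUBTYPE_EVENT) return EV_BAD_USR_SUBTYPE;
	datalen = rd_be32(FIELD(frame, msg.datalen));
	if (datalen > BRCMF_DCMD_MAXLEN) return EV_DATALEN_TOO_BIG;
	/* the header's own length claim must fit inside what actually arrived */
	if (datalen > frame_len - sizeof(struct brcmf_event)) return EV_DATALEN_EXCEEDS_FRAME;
	*payload_len = datalen;
	return EV_OK;
}

/* Build a constructed event frame for testing; returns the total frame length. */
size_t build_event(uint8_t *buf, size_t bufsz, uint16_t subtype, const char *oui,
		   uint16_t usr_subtype, uint32_t datalen_field, size_t payload_bytes)
{
	size_t total = sizeof(struct brcmf_event) + payload_bytes;
	if (total > bufsz) return 0;
	memset(buf, 0, total);
	wr_be16(FIELD(buf, eth.h_proto), ETH_P_LINK_CTL);
	wr_be16(FIELD(buf, hdr.subtype), subtype);
	memcpy(FIELD(buf, hdr.oui), oui, 3);
	wr_be16(FIELD(buf, hdr.usr_subtype), usr_subtype);
	wr_be32(FIELD(buf, msg.event_type), 5);          /* constructed event code */
	wr_be32(FIELD(buf, msg.datalen), datalen_field);
	memset(buf + sizeof(struct brcmf_event), 0xab, payload_bytes); /* constructed payload */
	return total;
}

/* Scenario runner: build a frame, optionally truncate it, and screen it. */
enum ev_verdict run_case(uint16_t subtype, const char *oui, uint16_t usr_subtype,
			 uint32_t datalen_field, size_t payload_bytes,
			 size_t truncate_to, uint16_t stype)
{
	uint8_t buf[256];
	uint32_t plen = 0;
	size_t len = build_event(buf, sizeof(buf), subtype, oui, usr_subtype,
				 datalen_field, payload_bytes);
	if (truncate_to && truncate_to < len) len = truncate_to;
	return brcmf_event_screen(buf, len, stype, &plen);
}

int main(void)
{
	printf("valid event:            %d\n", run_case(0, BRCM_OUI, BCMILCP_BCM_SUBTYPE_EVENT, 16, 16, 0, 0));
	printf("datalen beyond frame:   %d\n", run_case(0, BRCM_OUI, BCMILCP_BCM_SUBTYPE_EVENT, 64, 16, 0, 0));
	printf("truncated header:       %d\n", run_case(0, BRCM_OUI, BCMILCP_BCM_SUBTYPE_EVENT, 16, 16, 40, 0));
	printf("foreign OUI:            %d\n", run_case(0, "\x00\x00\x01", BCMILCP_BCM_SUBTYPE_EVENT, 16, 16, 0, 0));
	printf("USB path, subtype miss: %d\n", run_case(0, BRCM_OUI, BCMILCP_BCM_SUBTYPE_EVENT, 16, 16, 0, BCMILCP_SUBTYPE_VENDOR_LONG));
	return 0;
}
```

The order of the checks matters: the two length tests come first because every later field read depends on them, and the datalen comparison against the received length is the one that closes the gap left when both sides of a check are firmware-supplied values. The model only accepts a frame after all of them pass, which is the property the kernel code should be read for.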

* [PATCH 4.4 224/241] userfaultfd: dont pin the user memory in userfaultfd_file_create()
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (222 preceding siblings ...)
  2019-06-09 16:42 ` [PATCH 4.4 223/241] brcmfmac: add subtype check for event handling in data path Greg Kroah-Hartman
@ 2019-06-09 16:42 ` Greg Kroah-Hartman
  2019-06-09 16:42 ` [PATCH 4.4 225/241] Revert "x86/build: Move _etext to actual end of .text" Greg Kroah-Hartman
                   ` (21 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:42 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Oleg Nesterov, Andrea Arcangeli,
	Michal Hocko, Andrew Morton, Linus Torvalds, Ben Hutchings

From: Oleg Nesterov <oleg@redhat.com>

commit d2005e3f41d4f9299e2df6a967c8beb5086967a9 upstream.

userfaultfd_file_create() increments mm->mm_users; this means that the
memory won't be unmapped/freed if mm owner exits/execs, and UFFDIO_COPY
after that can populate the orphaned mm more.

Change userfaultfd_file_create() and userfaultfd_ctx_put() to use
mm->mm_count to pin mm_struct.  This means that
atomic_inc_not_zero(mm->mm_users) is needed when we are going to
actually play with this memory.  Except that the handle_userfault() path
doesn't need this: the caller must already have a reference.

The patch adds the new trivial helper, mmget_not_zero(), it can have
more users.

Link: http://lkml.kernel.org/r/20160516172254.GA8595@redhat.com
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Michal Hocko <mhocko@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/userfaultfd.c      |   41 ++++++++++++++++++++++++++++-------------
 include/linux/sched.h |    7 ++++++-
 2 files changed, 34 insertions(+), 14 deletions(-)

--- a/fs/userfaultfd.c
+++ b/fs/userfaultfd.c
@@ -137,7 +137,7 @@ static void userfaultfd_ctx_put(struct u
 		VM_BUG_ON(waitqueue_active(&ctx->fault_wqh));
 		VM_BUG_ON(spin_is_locked(&ctx->fd_wqh.lock));
 		VM_BUG_ON(waitqueue_active(&ctx->fd_wqh));
-		mmput(ctx->mm);
+		mmdrop(ctx->mm);
 		kmem_cache_free(userfaultfd_ctx_cachep, ctx);
 	}
 }
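Review bot: switching `mmput(ctx->mm)` to `mmdrop(ctx->mm)` here is only correct if the matching reference in userfaultfd_file_create() is taken on mm_count as well; the two hunks have to land together or the counters go out of balance. A comment on ctx->mm stating which counter pins it would make that pairing explicit for whoever touches one side later.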
@@ -434,6 +434,9 @@ static int userfaultfd_release(struct in
 
 	ACCESS_ONCE(ctx->released) = true;
 
+	if (!mmget_not_zero(mm))
+		goto wakeup;
+
 	/*
 	 * Flush page faults out of all CPUs. NOTE: all page faults
 	 * must be retried without returning VM_FAULT_SIGBUS if
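Review bot: the `goto wakeup` after a failed mmget_not_zero() jumps to a label that only appears in the next hunk, and the comment that follows ("Flush page faults out of all CPUs") now describes only the live-mm path. Add a line above the goto saying that when mm_users is already zero the address space is being torn down, so there are no VMAs left to detach and only waiters to wake.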
@@ -466,7 +469,8 @@ static int userfaultfd_release(struct in
 		vma->vm_userfaultfd_ctx = NULL_VM_UFFD_CTX;
 	}
 	up_write(&mm->mmap_sem);
-
+	mmput(mm);
+wakeup:
 	/*
 	 * After no new page faults can wait on this fault_*wqh, flush
 	 * the last page faults that may have been already waiting on
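Review bot: `mmput(mm)` immediately followed by `wakeup:` drops the blank line that separated the VMA walk from the wakeup comment block. Cosmetic, but keep a blank line after mmput(mm) so the label and its comment read as the start of the next step, consistent with the other labels in this file.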
@@ -760,10 +764,12 @@ static int userfaultfd_register(struct u
 	start = uffdio_register.range.start;
 	end = start + uffdio_register.range.len;
 
+	ret = -ENOMEM;
+	if (!mmget_not_zero(mm))
+		goto out;
+
 	down_write(&mm->mmap_sem);
 	vma = find_vma_prev(mm, start, &prev);
-
-	ret = -ENOMEM;
 	if (!vma)
 		goto out_unlock;
 
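Review bot: `ret = -ENOMEM` is reused for the `!mmget_not_zero(mm)` case at the top of this hunk, but the mm having gone away is not an allocation failure, and userspace now gets the same errno it gets for an invalid range (the original `ret = -ENOMEM` before `if (!vma)`). Consider a distinct code such as -ESRCH, or at least a comment explaining why -ENOMEM is kept.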
@@ -864,6 +870,7 @@ static int userfaultfd_register(struct u
 	} while (vma && vma->vm_start < end);
 out_unlock:
 	up_write(&mm->mmap_sem);
+	mmput(mm);
 	if (!ret) {
 		/*
 		 * Now that we scanned all vmas we can already tell
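Review bot: the `mmput(mm)` at out_unlock is now needed to balance the mmget_not_zero() taken before down_write(), so every `goto out_unlock` must sit after that get. The visible paths do (the early -ENOMEM exit uses `goto out`), but the function body between the two hunks is not shown; check that no other early exit jumps to out_unlock before the reference is taken.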
@@ -902,10 +909,12 @@ static int userfaultfd_unregister(struct
 	start = uffdio_unregister.start;
 	end = start + uffdio_unregister.len;
 
+	ret = -ENOMEM;
+	if (!mmget_not_zero(mm))
+		goto out;
+
 	down_write(&mm->mmap_sem);
 	vma = find_vma_prev(mm, start, &prev);
-
-	ret = -ENOMEM;
 	if (!vma)
 		goto out_unlock;
 
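Review bot: this is a copy of the userfaultfd_register() change and carries the same point about -ENOMEM for a dead mm; whichever errno is chosen there should be used here as well so the two ioctls fail identically once the process has exited.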
@@ -998,6 +1007,7 @@ static int userfaultfd_unregister(struct
 	} while (vma && vma->vm_start < end);
 out_unlock:
 	up_write(&mm->mmap_sem);
+	mmput(mm);
 out:
 	return ret;
 }
@@ -1067,9 +1077,11 @@ static int userfaultfd_copy(struct userf
 		goto out;
 	if (uffdio_copy.mode & ~UFFDIO_COPY_MODE_DONTWAKE)
 		goto out;
-
-	ret = mcopy_atomic(ctx->mm, uffdio_copy.dst, uffdio_copy.src,
-			   uffdio_copy.len);
+	if (mmget_not_zero(ctx->mm)) {
+		ret = mcopy_atomic(ctx->mm, uffdio_copy.dst, uffdio_copy.src,
+				   uffdio_copy.len);
+		mmput(ctx->mm);
+	}
 	if (unlikely(put_user(ret, &user_uffdio_copy->copy)))
 		return -EFAULT;
 	if (ret < 0)
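Review bot: when `mmget_not_zero(ctx->mm)` fails, nothing in this hunk assigns ret, so the value written by `put_user(ret, &user_uffdio_copy->copy)` is whatever the preceding validation left behind (ret is set before the `goto out` checks above, outside this hunk). That makes the dead-mm result implicit and fragile; add an explicit else branch, e.g. `ret = -ESRCH;`, so the error is deliberate and visible.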
@@ -1110,8 +1122,11 @@ static int userfaultfd_zeropage(struct u
 	if (uffdio_zeropage.mode & ~UFFDIO_ZEROPAGE_MODE_DONTWAKE)
 		goto out;
 
-	ret = mfill_zeropage(ctx->mm, uffdio_zeropage.range.start,
-			     uffdio_zeropage.range.len);
+	if (mmget_not_zero(ctx->mm)) {
+		ret = mfill_zeropage(ctx->mm, uffdio_zeropage.range.start,
+				     uffdio_zeropage.range.len);
+		mmput(ctx->mm);
+	}
 	if (unlikely(put_user(ret, &user_uffdio_zeropage->zeropage)))
 		return -EFAULT;
 	if (ret < 0)
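Review bot: same pattern as userfaultfd_copy(): on a failed mmget_not_zero() ret keeps its earlier value and is written to `user_uffdio_zeropage->zeropage`. Give the else branch an explicit errno, and use the same one as in the copy ioctl.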
@@ -1289,12 +1304,12 @@ static struct file *userfaultfd_file_cre
 	ctx->released = false;
 	ctx->mm = current->mm;
 	/* prevent the mm struct to be freed */
-	atomic_inc(&ctx->mm->mm_users);
+	atomic_inc(&ctx->mm->mm_count);
 
 	file = anon_inode_getfile("[userfaultfd]", &userfaultfd_fops, ctx,
 				  O_RDWR | (flags & UFFD_SHARED_FCNTL_FLAGS));
 	if (IS_ERR(file)) {
-		mmput(ctx->mm);
+		mmdrop(ctx->mm);
 		kmem_cache_free(userfaultfd_ctx_cachep, ctx);
 	}
 out:
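Review bot: the comment "prevent the mm struct to be freed" now describes exactly what `atomic_inc(&ctx->mm->mm_count)` does, but it no longer says what the old mm_users increment used to imply: the struct survives while the address space may be torn down underneath it. Reword to something like `/* pin the mm_struct only; mmget_not_zero() before touching the mappings */`, which is the rule the rest of this patch enforces.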
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -2614,12 +2614,17 @@ extern struct mm_struct * mm_alloc(void)
 
 /* mmdrop drops the mm and the page tables */
 extern void __mmdrop(struct mm_struct *);
-static inline void mmdrop(struct mm_struct * mm)
+static inline void mmdrop(struct mm_struct *mm)
 {
 	if (unlikely(atomic_dec_and_test(&mm->mm_count)))
 		__mmdrop(mm);
 }
 
+static inline bool mmget_not_zero(struct mm_struct *mm)
+{
+	return atomic_inc_not_zero(&mm->mm_users);
+}
+
 /* mmput gets rid of the mappings and all user-space */
 extern void mmput(struct mm_struct *);
 /* Grab a reference to a task's mm, if it is not already going away */
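Review bot: mmget_not_zero() lands without a kernel-doc comment while the neighbouring mmdrop() and mmput() each have a one-line description; state that it returns true only if mm_users was non-zero, that a true result must be balanced with mmput(), and that the caller must already hold an mm_count reference (the precondition this patch relies on). The `struct mm_struct * mm` whitespace fix in mmdrop() is unrelated cleanup that would normally be a separate patch.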



^ permalink raw reply	[flat|nested] 250+ messages in thread

* [PATCH 4.4 225/241] Revert "x86/build: Move _etext to actual end of .text"
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (223 preceding siblings ...)
  2019-06-09 16:42 ` [PATCH 4.4 224/241] userfaultfd: dont pin the user memory in userfaultfd_file_create() Greg Kroah-Hartman
@ 2019-06-09 16:42 ` Greg Kroah-Hartman
  2019-06-09 16:42 ` [PATCH 4.4 226/241] net: cdc_ncm: GetNtbFormat endian fix Greg Kroah-Hartman
                   ` (20 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:42 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sami Tolvanen, Kees Cook,
	Borislav Petkov, Linus Torvalds, Peter Zijlstra, Thomas Gleixner,
	Alec Ari, Ingo Molnar

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

This reverts commit 392bef709659abea614abfe53cf228e7a59876a4.

It seems to cause lots of problems when using the gold linker, and no
one really needs this at the moment, so just revert it from the stable
trees.

Cc: Sami Tolvanen <samitolvanen@google.com>
Reported-by: Kees Cook <keescook@chromium.org>
Cc: Borislav Petkov <bp@suse.de>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Reported-by: Alec Ari <neotheuser@gmail.com>
Cc: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kernel/vmlinux.lds.S |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/arch/x86/kernel/vmlinux.lds.S
+++ b/arch/x86/kernel/vmlinux.lds.S
@@ -110,10 +110,10 @@ SECTIONS
 		*(.text.__x86.indirect_thunk)
 		__indirect_thunk_end = .;
 #endif
-	} :text = 0x9090
 
-	/* End of text section */
-	_etext = .;
+		/* End of text section */
+		_etext = .;
+	} :text = 0x9090
 
 	NOTES :text :note
 
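Review bot: the commit message cites "lots of problems when using the gold linker" without a report link or a symptom; add a Link: or a sentence describing the failure so the next backport attempt knows what to test. On the hunk itself, moving `_etext = .;` back inside the output-section braces means _etext once more marks the end of the input sections before the `= 0x9090` fill, which is the pre-392bef709659 layout this tree's tooling was written against.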



^ permalink raw reply	[flat|nested] 250+ messages in thread

* [PATCH 4.4 226/241] net: cdc_ncm: GetNtbFormat endian fix
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (224 preceding siblings ...)
  2019-06-09 16:42 ` [PATCH 4.4 225/241] Revert "x86/build: Move _etext to actual end of .text" Greg Kroah-Hartman
@ 2019-06-09 16:42 ` Greg Kroah-Hartman
  2019-06-09 16:42 ` [PATCH 4.4 227/241] usb: gadget: fix request length error for isoc transfer Greg Kroah-Hartman
                   ` (19 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:42 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ben Hutchings, Enrico Mioso,
	Christian Panton, Bjørn Mork, David S. Miller,
	Nobuhiro Iwamatsu

From: Bjørn Mork <bjorn@mork.no>

commit 6314dab4b8fb8493d810e175cb340376052c69b6 upstream.

The GetNtbFormat and SetNtbFormat requests operate on 16 bit little
endian values. We get away with ignoring this most of the time, because
we only care about USB_CDC_NCM_NTB16_FORMAT which is 0x0000.  This
fails for USB_CDC_NCM_NTB32_FORMAT.

Fix comparison between LE value from device and constant by converting
the constant to LE.

Reported-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Fixes: 2b02c20ce0c2 ("cdc_ncm: Set NTB format again after altsetting switch for Huawei devices")
Cc: Enrico Mioso <mrkiko.rs@gmail.com>
Cc: Christian Panton <christian@panton.org>
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Acked-By: Enrico Mioso <mrkiko.rs@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@toshiba.co.jp>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/usb/cdc_ncm.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/net/usb/cdc_ncm.c
+++ b/drivers/net/usb/cdc_ncm.c
@@ -727,7 +727,7 @@ int cdc_ncm_bind_common(struct usbnet *d
 	int err;
 	u8 iface_no;
 	struct usb_cdc_parsed_header hdr;
-	u16 curr_ntb_format;
+	__le16 curr_ntb_format;
 
 	ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
 	if (!ctx)
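Review bot: making curr_ntb_format a `__le16` is what makes the later compare correct, and it also lets sparse flag any other place the value is treated as host order; the read into this variable happens in the unseen part of the function, so run `make C=1` on this file to confirm nothing else warns.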
@@ -841,7 +841,7 @@ int cdc_ncm_bind_common(struct usbnet *d
 			goto error2;
 		}
 
-		if (curr_ntb_format == USB_CDC_NCM_NTB32_FORMAT) {
+		if (curr_ntb_format == cpu_to_le16(USB_CDC_NCM_NTB32_FORMAT)) {
 			dev_info(&intf->dev, "resetting NTB format to 16-bit");
 			err = usbnet_write_cmd(dev, USB_CDC_SET_NTB_FORMAT,
 					       USB_TYPE_CLASS | USB_DIR_OUT
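Review bot: the compare is now endian-correct, but the context line `dev_info(&intf->dev, "resetting NTB format to 16-bit");` is missing its trailing "\n"; since the surrounding lines are being touched anyway, append it so the message does not run into the next printk.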



^ permalink raw reply	[flat|nested] 250+ messages in thread

* [PATCH 4.4 227/241] usb: gadget: fix request length error for isoc transfer
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (225 preceding siblings ...)
  2019-06-09 16:42 ` [PATCH 4.4 226/241] net: cdc_ncm: GetNtbFormat endian fix Greg Kroah-Hartman
@ 2019-06-09 16:42 ` Greg Kroah-Hartman
  2019-06-09 16:42 ` [PATCH 4.4 228/241] media: uvcvideo: Fix uvc_alloc_entity() allocation alignment Greg Kroah-Hartman
                   ` (18 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:42 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Felipe F. Tonello, Felipe Balbi,
	Peter Chen, Nobuhiro Iwamatsu

From: Peter Chen <peter.chen@nxp.com>

commit 982555fc26f9d8bcdbd5f9db0378fe0682eb4188 upstream.

For isoc endpoint descriptor, the wMaxPacketSize is not real max packet
size (see Table 9-13. Standard Endpoint Descriptor, USB 2.0 specification),
it may contain the number of packet, so the real max packet should be
ep->desc->wMaxPacketSize && 0x7ff.

Cc: Felipe F. Tonello <eu@felipetonello.com>
Cc: Felipe Balbi <felipe.balbi@linux.intel.com>
Fixes: 16b114a6d797 ("usb: gadget: fix usb_ep_align_maybe endianness and new usb_ep_align")

Signed-off-by: Peter Chen <peter.chen@nxp.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@toshiba.co.jp>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/linux/usb/gadget.h |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/include/linux/usb/gadget.h
+++ b/include/linux/usb/gadget.h
@@ -671,7 +671,9 @@ static inline struct usb_gadget *dev_to_
  */
 static inline size_t usb_ep_align(struct usb_ep *ep, size_t len)
 {
-	return round_up(len, (size_t)le16_to_cpu(ep->desc->wMaxPacketSize));
+	int max_packet_size = (size_t)usb_endpoint_maxp(ep->desc) & 0x7ff;
+
+	return round_up(len, max_packet_size);
 }
 
 /**
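Review bot: `int max_packet_size = (size_t)usb_endpoint_maxp(ep->desc) & 0x7ff;` casts to size_t and then immediately narrows to int; drop the cast and declare the variable size_t to match the `len` it rounds. The `& 0x7ff` assumes usb_endpoint_maxp() returns the raw wMaxPacketSize including the transaction-count bits 12:11, which holds in this tree, but that assumption should be stated in a comment at this line (citing USB 2.0 Table 9-13, as the commit message does) and the kernel-doc block above should mention that the value is masked.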



^ permalink raw reply	[flat|nested] 250+ messages in thread

* [PATCH 4.4 228/241] media: uvcvideo: Fix uvc_alloc_entity() allocation alignment
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (226 preceding siblings ...)
  2019-06-09 16:42 ` [PATCH 4.4 227/241] usb: gadget: fix request length error for isoc transfer Greg Kroah-Hartman
@ 2019-06-09 16:42 ` Greg Kroah-Hartman
  2019-06-09 16:42 ` [PATCH 4.4 229/241] ethtool: fix potential userspace buffer overflow Greg Kroah-Hartman
                   ` (17 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:42 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nadav Amit, Laurent Pinchart,
	Mauro Carvalho Chehab, Doug Anderson, Ben Hutchings

From: Nadav Amit <namit@vmware.com>

commit 89dd34caf73e28018c58cd193751e41b1f8bdc56 upstream.

The use of ALIGN() in uvc_alloc_entity() is incorrect, since the size of
(entity->pads) is not a power of two. As a stop-gap, until a better
solution is adopted, use roundup() instead.

Found by a static assertion. Compile-tested only.

Fixes: 4ffc2d89f38a ("uvcvideo: Register subdevices for each entity")

Signed-off-by: Nadav Amit <namit@vmware.com>
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Cc: Doug Anderson <dianders@chromium.org>
Cc: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/usb/uvc/uvc_driver.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/media/usb/uvc/uvc_driver.c
+++ b/drivers/media/usb/uvc/uvc_driver.c
@@ -868,7 +868,7 @@ static struct uvc_entity *uvc_alloc_enti
 	unsigned int size;
 	unsigned int i;
 
-	extra_size = ALIGN(extra_size, sizeof(*entity->pads));
+	extra_size = roundup(extra_size, sizeof(*entity->pads));
 	num_inputs = (type & UVC_TERM_OUTPUT) ? num_pads : num_pads - 1;
 	size = sizeof(*entity) + extra_size + sizeof(*entity->pads) * num_pads
 	     + num_inputs;
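Review bot: ALIGN() silently mis-rounds when sizeof(*entity->pads) is not a power of two, and nothing at this line stops someone changing it back; add a comment on the roundup() saying why ALIGN() is wrong here (or a BUILD_BUG_ON on the power-of-two assumption if ALIGN is ever reinstated). The `size` computation on the following lines is still unchecked arithmetic on num_pads, which is outside this fix but belongs on the list for the "better solution" the message promises.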



^ permalink raw reply	[flat|nested] 250+ messages in thread

* [PATCH 4.4 229/241] ethtool: fix potential userspace buffer overflow
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (227 preceding siblings ...)
  2019-06-09 16:42 ` [PATCH 4.4 228/241] media: uvcvideo: Fix uvc_alloc_entity() allocation alignment Greg Kroah-Hartman
@ 2019-06-09 16:42 ` Greg Kroah-Hartman
  2019-06-09 16:42 ` [PATCH 4.4 230/241] neighbor: Call __ipv4_neigh_lookup_noref in neigh_xmit Greg Kroah-Hartman
                   ` (16 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:42 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vivien Didelot, Michal Kubecek,
	David S. Miller

From: Vivien Didelot <vivien.didelot@gmail.com>

[ Upstream commit 0ee4e76937d69128a6a66861ba393ebdc2ffc8a2 ]

ethtool_get_regs() allocates a buffer of size ops->get_regs_len(),
and passes it to the kernel driver via ops->get_regs() for filling.

There is no restriction about what the kernel drivers can or cannot do
with the open ethtool_regs structure. They usually set regs->version
and ignore regs->len or set it to the same size as ops->get_regs_len().

But if userspace allocates a smaller buffer for the registers dump,
we would cause a userspace buffer overflow in the final copy_to_user()
call, which uses the regs.len value potentially reset by the driver.

To fix this, make this case obvious and store regs.len before calling
ops->get_regs(), to only copy as much data as requested by userspace,
up to the value returned by ops->get_regs_len().

While at it, remove the redundant check for non-null regbuf.

Signed-off-by: Vivien Didelot <vivien.didelot@gmail.com>
Reviewed-by: Michal Kubecek <mkubecek@suse.cz>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/core/ethtool.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/net/core/ethtool.c
+++ b/net/core/ethtool.c
@@ -893,13 +893,16 @@ static int ethtool_get_regs(struct net_d
 			return -ENOMEM;
 	}
 
+	if (regs.len < reglen)
+		reglen = regs.len;
+
 	ops->get_regs(dev, &regs, regbuf);
 
 	ret = -EFAULT;
 	if (copy_to_user(useraddr, &regs, sizeof(regs)))
 		goto out;
 	useraddr += offsetof(struct ethtool_regs, data);
-	if (regbuf && copy_to_user(useraddr, regbuf, regs.len))
+	if (copy_to_user(useraddr, regbuf, reglen))
 		goto out;
 	ret = 0;
 
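Review bot: capping reglen to regs.len before ops->get_regs() closes the overflow, but the kernel now copies reglen bytes of regbuf regardless of how much the driver filled in (drivers may set regs->len smaller than get_regs_len()). The regbuf allocation is not in this hunk; confirm it is zero-initialised (vzalloc or equivalent), otherwise bytes the driver leaves untouched are uninitialised kernel memory handed to userspace. Note also that `regs` is still copied back with whatever len the driver wrote after the cap, so userspace can be told a len larger than the data it actually received; consider writing reglen back into regs.len before the first copy_to_user().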



^ permalink raw reply	[flat|nested] 250+ messages in thread

* [PATCH 4.4 230/241] neighbor: Call __ipv4_neigh_lookup_noref in neigh_xmit
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (228 preceding siblings ...)
  2019-06-09 16:42 ` [PATCH 4.4 229/241] ethtool: fix potential userspace buffer overflow Greg Kroah-Hartman
@ 2019-06-09 16:42 ` Greg Kroah-Hartman
  2019-06-09 16:42 ` [PATCH 4.4 231/241] net/mlx4_en: ethtool, Remove unsupported SFP EEPROM high pages query Greg Kroah-Hartman
                   ` (15 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:42 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alan Maguire, David Ahern, David S. Miller

From: David Ahern <dsahern@gmail.com>

[ Upstream commit 4b2a2bfeb3f056461a90bd621e8bd7d03fa47f60 ]

Commit cd9ff4de0107 changed the key for IFF_POINTOPOINT devices to
INADDR_ANY but neigh_xmit which is used for MPLS encapsulations was not
updated to use the altered key. The result is that every packet Tx does
a lookup on the gateway address which does not find an entry, a new one
is created only to find the existing one in the table right before the
insert since arp_constructor was updated to reset the primary key. This
is seen in the allocs and destroys counters:
    ip -s -4 ntable show | head -10 | grep alloc

which increase for each packet showing the unnecessary overhead.

Fix by having neigh_xmit use __ipv4_neigh_lookup_noref for NEIGH_ARP_TABLE.

Fixes: cd9ff4de0107 ("ipv4: Make neigh lookup keys for loopback/point-to-point devices be INADDR_ANY")
Reported-by: Alan Maguire <alan.maguire@oracle.com>
Signed-off-by: David Ahern <dsahern@gmail.com>
Tested-by: Alan Maguire <alan.maguire@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/core/neighbour.c |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -30,6 +30,7 @@
 #include <linux/times.h>
 #include <net/net_namespace.h>
 #include <net/neighbour.h>
+#include <net/arp.h>
 #include <net/dst.h>
 #include <net/sock.h>
 #include <net/netevent.h>
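Review bot: including <net/arp.h> from net/core/neighbour.c pulls an IPv4-specific inline into the generic neighbour code; __ipv4_neigh_lookup_noref() dereferences arp_tbl, which lives in net/ipv4/arp.c. Confirm this still builds and links with CONFIG_INET=n (neighbour.c is compiled for every CONFIG_NET kernel), or guard the new branch below with IS_ENABLED(CONFIG_INET).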
@@ -2490,7 +2491,13 @@ int neigh_xmit(int index, struct net_dev
 		if (!tbl)
 			goto out;
 		rcu_read_lock_bh();
-		neigh = __neigh_lookup_noref(tbl, addr, dev);
+		if (index == NEIGH_ARP_TABLE) {
+			u32 key = *((u32 *)addr);
+
+			neigh = __ipv4_neigh_lookup_noref(dev, key);
+		} else {
+			neigh = __neigh_lookup_noref(tbl, addr, dev);
+		}
 		if (!neigh)
 			neigh = __neigh_create(tbl, addr, dev, false);
 		err = PTR_ERR(neigh);
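Review bot: `u32 key = *((u32 *)addr);` casts away const (addr is the `const void *` argument) and assumes a 4-byte aligned pointer; the MPLS caller hands over a pointer into its own structure, so it probably is, but nothing here guarantees it. Prefer `*(const __be32 *)addr` or get_unaligned(), and add a comment explaining why the ARP table needs a different lookup than `__neigh_lookup_noref(tbl, addr, dev)`: the point-to-point key rewrite that motivates this lives in arp_constructor(), far from this code, and without the comment the special case looks arbitrary.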



^ permalink raw reply	[flat|nested] 250+ messages in thread

* [PATCH 4.4 231/241] net/mlx4_en: ethtool, Remove unsupported SFP EEPROM high pages query
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (229 preceding siblings ...)
  2019-06-09 16:42 ` [PATCH 4.4 230/241] neighbor: Call __ipv4_neigh_lookup_noref in neigh_xmit Greg Kroah-Hartman
@ 2019-06-09 16:42 ` Greg Kroah-Hartman
  2019-06-09 16:42 ` [PATCH 4.4 232/241] net: rds: fix memory leak in rds_ib_flush_mr_pool Greg Kroah-Hartman
                   ` (14 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:42 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Erez Alfasi, Tariq Toukan, David S. Miller

From: Erez Alfasi <ereza@mellanox.com>

[ Upstream commit 135dd9594f127c8a82d141c3c8430e9e2143216a ]

Querying EEPROM high pages data for SFP module is currently
not supported by our driver but is still tried, resulting in
invalid FW queries.

Set the EEPROM ethtool data length to 256 for SFP module to
limit reading to page 0 only and prevent invalid FW queries.

Fixes: 7202da8b7f71 ("ethtool, net/mlx4_en: Cable info, get_module_info/eeprom ethtool support")
Signed-off-by: Erez Alfasi <ereza@mellanox.com>
Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/mellanox/mlx4/en_ethtool.c |    4 +++-
 drivers/net/ethernet/mellanox/mlx4/port.c       |    5 -----
 2 files changed, 3 insertions(+), 6 deletions(-)

--- a/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c
+++ b/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c
@@ -1906,6 +1906,8 @@ static int mlx4_en_set_tunable(struct ne
 	return ret;
 }
 
+#define MLX4_EEPROM_PAGE_LEN 256
+
 static int mlx4_en_get_module_info(struct net_device *dev,
 				   struct ethtool_modinfo *modinfo)
 {
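Review bot: MLX4_EEPROM_PAGE_LEN is a bare 256 with no comment; say that it is a single SFF-8472 page (A0h only) and that it deliberately excludes the A2h page because the firmware query for the high page is unsupported, otherwise the next reader will "fix" it back to ETH_MODULE_SFF_8472_LEN.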
@@ -1940,7 +1942,7 @@ static int mlx4_en_get_module_info(struc
 		break;
 	case MLX4_MODULE_ID_SFP:
 		modinfo->type = ETH_MODULE_SFF_8472;
-		modinfo->eeprom_len = ETH_MODULE_SFF_8472_LEN;
+		modinfo->eeprom_len = MLX4_EEPROM_PAGE_LEN;
 		break;
 	default:
 		return -ENOSYS;
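Review bot: modinfo->type still advertises ETH_MODULE_SFF_8472 while eeprom_len drops from ETH_MODULE_SFF_8472_LEN (512) to 256; userspace decoders of SFF-8472 expect the A2h diagnostics page at offset 256, so they will either stop short of the diagnostics or ask for a range the driver can no longer serve. If only page 0 is readable, consider reporting ETH_MODULE_SFF_8079 with ETH_MODULE_SFF_8079_LEN instead, or document the type/length mismatch in the commit message.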
--- a/drivers/net/ethernet/mellanox/mlx4/port.c
+++ b/drivers/net/ethernet/mellanox/mlx4/port.c
@@ -1398,11 +1398,6 @@ int mlx4_get_module_info(struct mlx4_dev
 		size -= offset + size - I2C_PAGE_SIZE;
 
 	i2c_addr = I2C_ADDR_LOW;
-	if (offset >= I2C_PAGE_SIZE) {
-		/* Reset offset to high page */
-		i2c_addr = I2C_ADDR_HIGH;
-		offset -= I2C_PAGE_SIZE;
-	}
 
 	cable_info = (struct mlx4_cable_info *)inmad->data;
 	cable_info->dev_mem_address = cpu_to_be16(offset);
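Review bot: with the high-page branch gone, an offset at or beyond I2C_PAGE_SIZE is no longer remapped to I2C_ADDR_HIGH, but nothing here rejects it either; the clamp on the line above, `size -= offset + size - I2C_PAGE_SIZE;`, only makes sense while offset is inside the page, so a larger offset would yield a nonsensical size and a query with an out-of-page dev_mem_address. The ethtool path is bounded by the new eeprom_len, but mlx4_get_module_info() is core-driver code and should not rely on one caller's bound; add an explicit `if (offset >= I2C_PAGE_SIZE) return -EINVAL;` here.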



^ permalink raw reply	[flat|nested] 250+ messages in thread

* [PATCH 4.4 232/241] net: rds: fix memory leak in rds_ib_flush_mr_pool
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (230 preceding siblings ...)
  2019-06-09 16:42 ` [PATCH 4.4 231/241] net/mlx4_en: ethtool, Remove unsupported SFP EEPROM high pages query Greg Kroah-Hartman
@ 2019-06-09 16:42 ` Greg Kroah-Hartman
  2019-06-09 16:42 ` [PATCH 4.4 233/241] pktgen: do not sleep with the thread lock held Greg Kroah-Hartman
                   ` (13 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:42 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Zhu Yanjun, Santosh Shilimkar,
	David S. Miller

From: Zhu Yanjun <yanjun.zhu@oracle.com>

[ Upstream commit 85cb928787eab6a2f4ca9d2a798b6f3bed53ced1 ]

When the following tests last for several hours, the problem will occur.

Server:
    rds-stress -r 1.1.1.16 -D 1M
Client:
    rds-stress -r 1.1.1.14 -s 1.1.1.16 -D 1M -T 30

The following will occur.

"
Starting up....
tsks   tx/s   rx/s  tx+rx K/s    mbi K/s    mbo K/s tx us/c   rtt us cpu
%
  1      0      0       0.00       0.00       0.00    0.00 0.00 -1.00
  1      0      0       0.00       0.00       0.00    0.00 0.00 -1.00
  1      0      0       0.00       0.00       0.00    0.00 0.00 -1.00
  1      0      0       0.00       0.00       0.00    0.00 0.00 -1.00
"
From vmcore, we can find that clean_list is NULL.

From the source code, rds_mr_flushd calls rds_ib_mr_pool_flush_worker.
Then rds_ib_mr_pool_flush_worker calls
"
 rds_ib_flush_mr_pool(pool, 0, NULL);
"
Then in function
"
int rds_ib_flush_mr_pool(struct rds_ib_mr_pool *pool,
                         int free_all, struct rds_ib_mr **ibmr_ret)
"
ibmr_ret is NULL.

In the source code,
"
...
list_to_llist_nodes(pool, &unmap_list, &clean_nodes, &clean_tail);
if (ibmr_ret)
        *ibmr_ret = llist_entry(clean_nodes, struct rds_ib_mr, llnode);

/* more than one entry in llist nodes */
if (clean_nodes->next)
        llist_add_batch(clean_nodes->next, clean_tail, &pool->clean_list);
...
"
When ibmr_ret is NULL, llist_entry is not executed. clean_nodes->next
instead of clean_nodes is added in clean_list.
So clean_nodes is discarded. It can not be used again.
The workqueue is executed periodically. So more and more clean_nodes are
discarded. Finally the clean_list is NULL.
Then this problem will occur.

Fixes: 1bc144b62524 ("net, rds, Replace xlist in net/rds/xlist.h with llist")
Signed-off-by: Zhu Yanjun <yanjun.zhu@oracle.com>
Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/rds/ib_rdma.c |   10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

--- a/net/rds/ib_rdma.c
+++ b/net/rds/ib_rdma.c
@@ -725,12 +725,14 @@ static int rds_ib_flush_mr_pool(struct r
 		wait_clean_list_grace();
 
 		list_to_llist_nodes(pool, &unmap_list, &clean_nodes, &clean_tail);
-		if (ibmr_ret)
+		if (ibmr_ret) {
 			*ibmr_ret = llist_entry(clean_nodes, struct rds_ib_mr, llnode);
-
+			clean_nodes = clean_nodes->next;
+		}
 		/* more than one entry in llist nodes */
-		if (clean_nodes->next)
-			llist_add_batch(clean_nodes->next, clean_tail, &pool->clean_list);
+		if (clean_nodes)
+			llist_add_batch(clean_nodes, clean_tail,
+					&pool->clean_list);
 
 	}
 
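Review bot: after `clean_nodes = clean_nodes->next;` the comment "more than one entry in llist nodes" is stale; the `if (clean_nodes)` test now means "any entries left after handing one back", so update the comment to match. The logic itself looks right: with a single node and ibmr_ret set, clean_nodes becomes NULL and nothing is re-added, which is exactly the case the old code lost, and clean_tail remains valid because advancing the head does not move the tail. Whether clean_nodes can be NULL on entry (empty unmap_list) is unchanged by this patch, since `*ibmr_ret = llist_entry(clean_nodes, ...)` is still evaluated unconditionally when ibmr_ret is set.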



^ permalink raw reply	[flat|nested] 250+ messages in thread

* [PATCH 4.4 233/241] pktgen: do not sleep with the thread lock held.
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (231 preceding siblings ...)
  2019-06-09 16:42 ` [PATCH 4.4 232/241] net: rds: fix memory leak in rds_ib_flush_mr_pool Greg Kroah-Hartman
@ 2019-06-09 16:42 ` Greg Kroah-Hartman
  2019-06-09 16:42 ` [PATCH 4.4 234/241] rcu: locking and unlocking need to always be at least barriers Greg Kroah-Hartman
                   ` (12 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:42 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Paolo Abeni, David S. Miller, Matteo Croce

From: Paolo Abeni <pabeni@redhat.com>

[ Upstream commit 720f1de4021f09898b8c8443f3b3e995991b6e3a ]

Currently, the process issuing a "start" command on the pktgen procfs
interface acquires the pktgen thread lock and never releases it, until
all pktgen threads are completed. The above can block indefinitely any
other pktgen command and any (even unrelated) netdevice removal - as
the pktgen netdev notifier acquires the same lock.

The issue is demonstrated by the following script, reported by Matteo:

ip -b - <<'EOF'
	link add type dummy
	link add type veth
	link set dummy0 up
EOF
modprobe pktgen
echo reset >/proc/net/pktgen/pgctrl
{
	echo rem_device_all
	echo add_device dummy0
} >/proc/net/pktgen/kpktgend_0
echo count 0 >/proc/net/pktgen/dummy0
echo start >/proc/net/pktgen/pgctrl &
sleep 1
rmmod veth

Fix the above releasing the thread lock around the sleep call.

Additionally we must prevent racing with forceful rmmod - as the
thread lock no longer protects against them. Instead, acquire a self-reference
before waiting for any thread. As a side effect, running

rmmod pktgen

while some thread is running now fails with "module in use" error,
before this patch such a command hung indefinitely.

Note: the issue predates the commit reported in the fixes tag, but
this fix can't be applied before the mentioned commit.

v1 -> v2:
 - no need to check for thread existence after flipping the lock,
   pktgen threads are freed only at net exit time
 -

Fixes: 6146e6a43b35 ("[PKTGEN]: Removes thread_{un,}lock() macros.")
Reported-and-tested-by: Matteo Croce <mcroce@redhat.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/core/pktgen.c |   11 +++++++++++
 1 file changed, 11 insertions(+)

--- a/net/core/pktgen.c
+++ b/net/core/pktgen.c
@@ -3139,7 +3139,13 @@ static int pktgen_wait_thread_run(struct
 {
 	while (thread_is_running(t)) {
 
+		/* note: 't' will still be around even after the unlock/lock
+		 * cycle because pktgen_thread threads are only cleared at
+		 * net exit
+		 */
+		mutex_unlock(&pktgen_thread_lock);
 		msleep_interruptible(100);
+		mutex_lock(&pktgen_thread_lock);
 
 		if (signal_pending(current))
 			goto signal;
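Review bot: the unlock/msleep/lock cycle is sound given the invariant in the new comment, but the `signal_pending(current)` check now runs with the mutex re-held, so whatever the `signal:` label does (not visible here) must still expect the lock to be held; say so in the comment so the balance is obvious. The comment should also state that the pn->pktgen_threads list is not modified while the lock is dropped (threads are created at net init and freed at net exit), since the caller is iterating it with list_for_each_entry() across this sleep.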
@@ -3154,6 +3160,10 @@ static int pktgen_wait_all_threads_run(s
 	struct pktgen_thread *t;
 	int sig = 1;
 
+	/* prevent from racing with rmmod */
+	if (!try_module_get(THIS_MODULE))
+		return sig;
+
 	mutex_lock(&pktgen_thread_lock);
 
 	list_for_each_entry(t, &pn->pktgen_threads, th_list) {
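Review bot: when try_module_get() fails the function returns `sig`, which is still 1, the same value as a clean, signal-free wait; that is probably acceptable because a failed get means pktgen is being unloaded, but the early return deserves a comment saying so, and the caller must not read it as "all threads started". Worth a word too that try_module_get(THIS_MODULE) is an unconditional success when pktgen is built in, so the protection only exists for the modular build.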
@@ -3167,6 +3177,7 @@ static int pktgen_wait_all_threads_run(s
 			t->control |= (T_STOP);
 
 	mutex_unlock(&pktgen_thread_lock);
+	module_put(THIS_MODULE);
 	return sig;
 }
 
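Review bot: module_put() after mutex_unlock() is the right order, since the put may drop the last reference; just confirm the signal path inside the list walk cannot return before reaching this line, as any early return there would now leak the module reference taken at the top of the function.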



^ permalink raw reply	[flat|nested] 250+ messages in thread

* [PATCH 4.4 234/241] rcu: locking and unlocking need to always be at least barriers
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (232 preceding siblings ...)
  2019-06-09 16:42 ` [PATCH 4.4 233/241] pktgen: do not sleep with the thread lock held Greg Kroah-Hartman
@ 2019-06-09 16:42 ` Greg Kroah-Hartman
  2019-06-09 16:42 ` [PATCH 4.4 235/241] parisc: Use implicit space register selection for loading the coherence index of I/O pdirs Greg Kroah-Hartman
                   ` (11 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:42 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Herbert Xu, stable, Boqun Feng,
	Paul E. McKenney, Linus Torvalds

From: Linus Torvalds <torvalds@linux-foundation.org>

commit 66be4e66a7f422128748e3c3ef6ee72b20a6197b upstream.

Herbert Xu pointed out that commit bb73c52bad36 ("rcu: Don't disable
preemption for Tiny and Tree RCU readers") was incorrect in making the
preempt_disable/enable() be conditional on CONFIG_PREEMPT_COUNT.

If CONFIG_PREEMPT_COUNT isn't enabled, the preemption enable/disable is
a no-op, but still is a compiler barrier.

And RCU locking still _needs_ that compiler barrier.

It is simply fundamentally not true that RCU locking would be a complete
no-op: we still need to guarantee (for example) that things that can
trap and cause preemption cannot migrate into the RCU locked region.

The way we do that is by making it a barrier.

See for example commit 386afc91144b ("spinlocks and preemption points
need to be at least compiler barriers") from back in 2013 that had
similar issues with spinlocks that become no-ops on UP: they must still
constrain the compiler from moving other operations into the critical
region.

Now, it is true that a lot of RCU operations already use READ_ONCE() and
WRITE_ONCE() (which in practice likely would never be re-ordered wrt
anything remotely interesting), but it is also true that that is not
globally the case, and that it's not even necessarily always possible
(i.e. bitfields etc.).

Reported-by: Herbert Xu <herbert@gondor.apana.org.au>
Fixes: bb73c52bad36 ("rcu: Don't disable preemption for Tiny and Tree RCU readers")
Cc: stable@kernel.org
Cc: Boqun Feng <boqun.feng@gmail.com>
Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/linux/rcupdate.h |    6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

--- a/include/linux/rcupdate.h
+++ b/include/linux/rcupdate.h
@@ -297,14 +297,12 @@ void synchronize_rcu(void);
 
 static inline void __rcu_read_lock(void)
 {
-	if (IS_ENABLED(CONFIG_PREEMPT_COUNT))
-		preempt_disable();
+	preempt_disable();
 }
 
 static inline void __rcu_read_unlock(void)
 {
-	if (IS_ENABLED(CONFIG_PREEMPT_COUNT))
-		preempt_enable();
+	preempt_enable();
 }
 
 static inline void synchronize_rcu(void)
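Review bot: a one-line comment above the now unconditional preempt_disable()/preempt_enable() in __rcu_read_lock()/__rcu_read_unlock() should say why the IS_ENABLED(CONFIG_PREEMPT_COUNT) guard must not come back: with CONFIG_PREEMPT_COUNT off these calls reduce to barrier(), and that compiler barrier is exactly what stops the compiler from moving code into or out of the read-side critical section. Without it the unconditional call reads like a no-op and invites the same "cleanup" this patch reverts.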



^ permalink raw reply	[flat|nested] 250+ messages in thread

* [PATCH 4.4 235/241] parisc: Use implicit space register selection for loading the coherence index of I/O pdirs
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (233 preceding siblings ...)
  2019-06-09 16:42 ` [PATCH 4.4 234/241] rcu: locking and unlocking need to always be at least barriers Greg Kroah-Hartman
@ 2019-06-09 16:42 ` Greg Kroah-Hartman
  2019-06-09 16:42 ` [PATCH 4.4 236/241] fuse: fallocate: fix return with locked inode Greg Kroah-Hartman
                   ` (10 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:42 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, John David Anglin, Helge Deller

From: John David Anglin <dave.anglin@bell.net>

commit 63923d2c3800919774f5c651d503d1dd2adaddd5 upstream.

We only support I/O to kernel space. Using %sr1 to load the coherence
index may be racy unless interrupts are disabled. This patch changes the
code used to load the coherence index to use implicit space register
selection. This saves one instruction and eliminates the race.

Tested on rp3440, c8000 and c3750.

Signed-off-by: John David Anglin <dave.anglin@bell.net>
Cc: stable@vger.kernel.org
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/parisc/ccio-dma.c  |    4 +---
 drivers/parisc/sba_iommu.c |    3 +--
 2 files changed, 2 insertions(+), 5 deletions(-)

--- a/drivers/parisc/ccio-dma.c
+++ b/drivers/parisc/ccio-dma.c
@@ -563,8 +563,6 @@ ccio_io_pdir_entry(u64 *pdir_ptr, space_
 	/* We currently only support kernel addresses */
 	BUG_ON(sid != KERNEL_SPACE);
 
-	mtsp(sid,1);
-
 	/*
 	** WORD 1 - low order word
 	** "hints" parm includes the VALID bit!
@@ -595,7 +593,7 @@ ccio_io_pdir_entry(u64 *pdir_ptr, space_
 	** Grab virtual index [0:11]
 	** Deposit virt_idx bits into I/O PDIR word
 	*/
-	asm volatile ("lci %%r0(%%sr1, %1), %0" : "=r" (ci) : "r" (vba));
+	asm volatile ("lci %%r0(%1), %0" : "=r" (ci) : "r" (vba));
 	asm volatile ("extru %1,19,12,%0" : "+r" (ci) : "r" (ci));
 	asm volatile ("depw  %1,15,12,%0" : "+r" (pa) : "r" (ci));
 
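Review bot: the new `lci %%r0(%1), %0` depends on implicit space selection from the upper bits of vba, so it is only correct when vba is a kernel virtual address; the BUG_ON(sid != KERNEL_SPACE) at the top of ccio_io_pdir_entry() is what guarantees that, and with mtsp(sid,1) gone it is the only remaining link between sid and this load. A short comment next to the asm naming that dependency would keep someone from later relaxing the BUG_ON without noticing.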
--- a/drivers/parisc/sba_iommu.c
+++ b/drivers/parisc/sba_iommu.c
@@ -573,8 +573,7 @@ sba_io_pdir_entry(u64 *pdir_ptr, space_t
 	pa = virt_to_phys(vba);
 	pa &= IOVP_MASK;
 
-	mtsp(sid,1);
-	asm("lci 0(%%sr1, %1), %0" : "=r" (ci) : "r" (vba));
+	asm("lci 0(%1), %0" : "=r" (ci) : "r" (vba));
 	pa |= (ci >> PAGE_SHIFT) & 0xff;  /* move CI (8 bits) into lowest byte */
 
 	pa |= SBA_PDIR_VALID_BIT;	/* set "valid" bit */
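Review bot: unlike the ccio hunk, nothing in this context checks sid == KERNEL_SPACE before `lci 0(%1), %0` starts relying on implicit space selection; if sba_io_pdir_entry() has no equivalent of ccio's BUG_ON, one belongs here so a non-kernel sid fails loudly instead of silently producing a coherence index for the wrong space. Minor: ccio spells the same instruction `lci %%r0(%1), %0` inside an asm volatile; using one form in both drivers would make them easier to keep in sync.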




* [PATCH 4.4 236/241] fuse: fallocate: fix return with locked inode
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (234 preceding siblings ...)
  2019-06-09 16:42 ` [PATCH 4.4 235/241] parisc: Use implicit space register selection for loading the coherence index of I/O pdirs Greg Kroah-Hartman
@ 2019-06-09 16:42 ` Greg Kroah-Hartman
  2019-06-09 16:42 ` [PATCH 4.4 237/241] MIPS: pistachio: Build uImage.gz by default Greg Kroah-Hartman
                   ` (9 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:42 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, kbuild test robot, Dan Carpenter,
	Liu Bo, Miklos Szeredi

From: Miklos Szeredi <mszeredi@redhat.com>

commit 35d6fcbb7c3e296a52136347346a698a35af3fda upstream.

Do the proper cleanup in case the size check fails.

Tested with xfstests:generic/228

Reported-by: kbuild test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Fixes: 0cbade024ba5 ("fuse: honor RLIMIT_FSIZE in fuse_file_fallocate")
Cc: Liu Bo <bo.liu@linux.alibaba.com>
Cc: <stable@vger.kernel.org> # v3.5
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/fuse/file.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -2951,7 +2951,7 @@ static long fuse_file_fallocate(struct f
 	    offset + length > i_size_read(inode)) {
 		err = inode_newsize_ok(inode, offset + length);
 		if (err)
-			return err;
+			goto out;
 	}
 
 	if (!(mode & FALLOC_FL_KEEP_SIZE))
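Review bot: `goto out` is the right fix for leaving the inode locked when inode_newsize_ok() fails, but the out: label and what it releases are outside the shown context; confirm that out: only drops the lock taken before this size check and does not also undo state that is established later in fuse_file_fallocate(), since err now reaches that label from an earlier point than the existing jumps.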




* [PATCH 4.4 237/241] MIPS: pistachio: Build uImage.gz by default
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (235 preceding siblings ...)
  2019-06-09 16:42 ` [PATCH 4.4 236/241] fuse: fallocate: fix return with locked inode Greg Kroah-Hartman
@ 2019-06-09 16:42 ` Greg Kroah-Hartman
  2019-06-09 16:43 ` [PATCH 4.4 238/241] genwqe: Prevent an integer overflow in the ioctl Greg Kroah-Hartman
                   ` (8 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:42 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Paul Burton,
	Philippe Mathieu-Daudé,
	Kevin Hilman, linux-mips

From: Paul Burton <paul.burton@mips.com>

commit e4f2d1af7163becb181419af9dece9206001e0a6 upstream.

The pistachio platform uses the U-Boot bootloader & generally boots a
kernel in the uImage format. As such it's useful to build one when
building the kernel, but to do so currently requires the user to
manually specify a uImage target on the make command line.

Make uImage.gz the pistachio platform's default build target, so that
the default is to build a kernel image that we can actually boot on a
board such as the MIPS Creator Ci40.

Marked for stable backport as far as v4.1 where pistachio support was
introduced. This is primarily useful for CI systems such as kernelci.org
which will benefit from us building a suitable image which can then be
booted as part of automated testing, extending our test coverage to the
affected stable branches.

Signed-off-by: Paul Burton <paul.burton@mips.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Kevin Hilman <khilman@baylibre.com>
Tested-by: Kevin Hilman <khilman@baylibre.com>
URL: https://groups.io/g/kernelci/message/388
Cc: stable@vger.kernel.org # v4.1+
Cc: linux-mips@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/mips/pistachio/Platform |    1 +
 1 file changed, 1 insertion(+)

--- a/arch/mips/pistachio/Platform
+++ b/arch/mips/pistachio/Platform
@@ -6,3 +6,4 @@ cflags-$(CONFIG_MACH_PISTACHIO)		+=				\
 		-I$(srctree)/arch/mips/include/asm/mach-pistachio
 load-$(CONFIG_MACH_PISTACHIO)		+= 0xffffffff80400000
 zload-$(CONFIG_MACH_PISTACHIO)		+= 0xffffffff81000000
+all-$(CONFIG_MACH_PISTACHIO)		:= uImage.gz
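Review bot: making uImage.gz the default `all-` target means a plain `make` for pistachio now needs U-Boot's mkimage tool on the build host, a new build dependency the commit message should mention. Style nit: the neighbouring load-/zload- lines use `+=` while this one uses `:=`; if all- is intentionally a single default target that is fine, but a comment would prevent a drive-by change to `+=`.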




* [PATCH 4.4 238/241] genwqe: Prevent an integer overflow in the ioctl
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (236 preceding siblings ...)
  2019-06-09 16:42 ` [PATCH 4.4 237/241] MIPS: pistachio: Build uImage.gz by default Greg Kroah-Hartman
@ 2019-06-09 16:43 ` Greg Kroah-Hartman
  2019-06-09 16:43 ` [PATCH 4.4 239/241] drm/gma500/cdv: Check vbt config bits when detecting lvds panels Greg Kroah-Hartman
                   ` (7 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:43 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dan Carpenter

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 110080cea0d0e4dfdb0b536e7f8a5633ead6a781 upstream.

There are a couple potential integer overflows here.

	round_up(m->size + (m->addr & ~PAGE_MASK), PAGE_SIZE);

The first thing is that the "m->size + (...)" addition could overflow,
and the second is that round_up() overflows to zero if the result is
within PAGE_SIZE of the type max.

In this code, the "m->size" variable is an u64 but we're saving the
result in "map_size" which is an unsigned long and genwqe_user_vmap()
takes an unsigned long as well.  So I have used ULONG_MAX as the upper
bound.  From a practical perspective unsigned long is fine/better than
trying to change all the types to u64.

Fixes: eaf4722d4645 ("GenWQE Character device and DDCB queue")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/misc/genwqe/card_dev.c   |    2 ++
 drivers/misc/genwqe/card_utils.c |    4 ++++
 2 files changed, 6 insertions(+)

--- a/drivers/misc/genwqe/card_dev.c
+++ b/drivers/misc/genwqe/card_dev.c
@@ -782,6 +782,8 @@ static int genwqe_pin_mem(struct genwqe_
 
 	if ((m->addr == 0x0) || (m->size == 0))
 		return -EINVAL;
+	if (m->size > ULONG_MAX - PAGE_SIZE - (m->addr & ~PAGE_MASK))
+		return -EINVAL;
 
 	map_addr = (m->addr & PAGE_MASK);
 	map_size = round_up(m->size + (m->addr & ~PAGE_MASK), PAGE_SIZE);
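Review bot: the bound is conservative (round_up() adds at most PAGE_SIZE - 1, so `ULONG_MAX - PAGE_SIZE - (m->addr & ~PAGE_MASK)` rejects slightly more than strictly required), which is the safe direction. The identical expression is repeated in genwqe_user_vmap() in the next hunk; a small shared helper, or at least a comment that the two must stay in sync, would stop them drifting apart. Since m->size is u64 and ULONG_MAX is 32-bit on 32-bit builds, the comparison promotes to 64-bit there, so oversized values are caught before the truncating assignment to map_size.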
--- a/drivers/misc/genwqe/card_utils.c
+++ b/drivers/misc/genwqe/card_utils.c
@@ -582,6 +582,10 @@ int genwqe_user_vmap(struct genwqe_dev *
 	/* determine space needed for page_list. */
 	data = (unsigned long)uaddr;
 	offs = offset_in_page(data);
+	if (size > ULONG_MAX - PAGE_SIZE - offs) {
+		m->size = 0;	/* mark unused and not added */
+		return -EINVAL;
+	}
 	m->nr_pages = DIV_ROUND_UP(offs + size, PAGE_SIZE);
 
 	m->page_list = kcalloc(m->nr_pages,
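Review bot: placing the check before `DIV_ROUND_UP(offs + size, PAGE_SIZE)` protects more than the caller's round_up(): a wrapped `offs + size` would yield a tiny nr_pages and an under-sized page_list from kcalloc(), so this line also defends the allocation below and the comment should say so. The `m->size = 0; /* mark unused and not added */` marker implies callers test m->size to decide whether to unmap; confirm the other failure paths later in this function set it the same way, otherwise this early return behaves differently from them.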




* [PATCH 4.4 239/241] drm/gma500/cdv: Check vbt config bits when detecting lvds panels
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (237 preceding siblings ...)
  2019-06-09 16:43 ` [PATCH 4.4 238/241] genwqe: Prevent an integer overflow in the ioctl Greg Kroah-Hartman
@ 2019-06-09 16:43 ` Greg Kroah-Hartman
  2019-06-09 16:43 ` [PATCH 4.4 240/241] fs: stream_open - opener for stream-like files so that read and write can run simultaneously without deadlock Greg Kroah-Hartman
                   ` (6 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:43 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Hans de Goede, Patrik Jakobsson

From: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>

commit 7c420636860a719049fae9403e2c87804f53bdde upstream.

Some machines have an lvds child device in vbt even though a panel is
not attached. To make detection more reliable we now also check the lvds
config bits available in the vbt.

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1665766
Cc: stable@vger.kernel.org
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20190416114607.1072-1-patrik.r.jakobsson@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/gpu/drm/gma500/cdv_intel_lvds.c |    3 +++
 drivers/gpu/drm/gma500/intel_bios.c     |    3 +++
 drivers/gpu/drm/gma500/psb_drv.h        |    1 +
 3 files changed, 7 insertions(+)

--- a/drivers/gpu/drm/gma500/cdv_intel_lvds.c
+++ b/drivers/gpu/drm/gma500/cdv_intel_lvds.c
@@ -620,6 +620,9 @@ void cdv_intel_lvds_init(struct drm_devi
 	int pipe;
 	u8 pin;
 
+	if (!dev_priv->lvds_enabled_in_vbt)
+		return;
+
 	pin = GMBUS_PORT_PANEL;
 	if (!lvds_is_present_in_vbt(dev, &pin)) {
 		DRM_DEBUG_KMS("LVDS is not present in VBT\n");
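Review bot: the new early return is silent while the existing `lvds_is_present_in_vbt()` failure a few lines below logs `DRM_DEBUG_KMS("LVDS is not present in VBT\n")`; add a matching DRM_DEBUG_KMS for the !lvds_enabled_in_vbt case so a machine whose panel stops being detected after this patch can be diagnosed from the debug log rather than by bisecting.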
--- a/drivers/gpu/drm/gma500/intel_bios.c
+++ b/drivers/gpu/drm/gma500/intel_bios.c
@@ -436,6 +436,9 @@ parse_driver_features(struct drm_psb_pri
 	if (driver->lvds_config == BDB_DRIVER_FEATURE_EDP)
 		dev_priv->edp.support = 1;
 
+	dev_priv->lvds_enabled_in_vbt = driver->lvds_config != 0;
+	DRM_DEBUG_KMS("LVDS VBT config bits: 0x%x\n", driver->lvds_config);
+
 	/* This bit means to use 96Mhz for DPLL_A or not */
 	if (driver->primary_lfp_id)
 		dev_priv->dplla_96mhz = true;
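Review bot: `dev_priv->lvds_enabled_in_vbt = driver->lvds_config != 0` only executes when parse_driver_features() reaches this point; if a VBT carries no driver-features block and the function returns earlier, the field keeps its zero-initialised value and cdv_intel_lvds_init() will now bail out on a system that previously got LVDS. Either default the field to true before parsing and only clear it here, or state in the commit message that VBTs without a driver-features block are expected to have no panel.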
--- a/drivers/gpu/drm/gma500/psb_drv.h
+++ b/drivers/gpu/drm/gma500/psb_drv.h
@@ -536,6 +536,7 @@ struct drm_psb_private {
 	int lvds_ssc_freq;
 	bool is_lvds_on;
 	bool is_mipi_on;
+	bool lvds_enabled_in_vbt;
 	u32 mipi_ctrl_display;
 
 	unsigned int core_freq;




* [PATCH 4.4 240/241] fs: stream_open - opener for stream-like files so that read and write can run simultaneously without deadlock
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (238 preceding siblings ...)
  2019-06-09 16:43 ` [PATCH 4.4 239/241] drm/gma500/cdv: Check vbt config bits when detecting lvds panels Greg Kroah-Hartman
@ 2019-06-09 16:43 ` Greg Kroah-Hartman
  2019-06-09 16:43 ` [PATCH 4.4 241/241] fuse: Add FOPEN_STREAM to use stream_open() Greg Kroah-Hartman
                   ` (5 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:43 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Michael Kerrisk, Yongzhi Pan,
	Jonathan Corbet, David Vrabel, Juergen Gross, Miklos Szeredi,
	Tejun Heo, Kirill Tkhai, Arnd Bergmann, Christoph Hellwig,
	Julia Lawall, Nikolaus Rath, Han-Wen Nienhuys, Kirill Smelkov,
	Linus Torvalds

From: Kirill Smelkov <kirr@nexedi.com>

commit 10dce8af34226d90fa56746a934f8da5dcdba3df upstream.

Commit 9c225f2655e3 ("vfs: atomic f_pos accesses as per POSIX") added
locking for file.f_pos access and in particular made concurrent read and
write not possible - now both those functions take f_pos lock for the
whole run, and so if e.g. a read is blocked waiting for data, write will
deadlock waiting for that read to complete.

This caused regression for stream-like files where previously read and
write could run simultaneously, but after that patch could not do so
anymore. See e.g. commit 581d21a2d02a ("xenbus: fix deadlock on writes
to /proc/xen/xenbus") which fixes such regression for particular case of
/proc/xen/xenbus.

The patch that added f_pos lock in 2014 did so to guarantee POSIX thread
safety for read/write/lseek and added the locking to file descriptors of
all regular files. In 2014 that thread-safety problem was not new as it
was already discussed earlier in 2006.

However even though 2006'th version of Linus's patch was adding f_pos
locking "only for files that are marked seekable with FMODE_LSEEK (thus
avoiding the stream-like objects like pipes and sockets)", the 2014
version - the one that actually made it into the tree as 9c225f2655e3 -
is doing so regardless of whether a file is seekable or not.

See

    https://lore.kernel.org/lkml/53022DB1.4070805@gmail.com/
    https://lwn.net/Articles/180387
    https://lwn.net/Articles/180396

for historic context.

The reason that it did so is, probably, that there are many files that
are marked non-seekable, but e.g. their read implementation actually
depends on knowing current position to correctly handle the read. Some
examples:

	kernel/power/user.c		snapshot_read
	fs/debugfs/file.c		u32_array_read
	fs/fuse/control.c		fuse_conn_waiting_read + ...
	drivers/hwmon/asus_atk0110.c	atk_debugfs_ggrp_read
	arch/s390/hypfs/inode.c		hypfs_read_iter
	...

Despite that, many nonseekable_open users implement read and write with
pure stream semantics - they don't depend on passed ppos at all. And for
those cases where read could wait for something inside, it creates a
situation similar to xenbus - the write could be never made to go until
read is done, and read is waiting for some, potentially external, event,
for potentially unbounded time -> deadlock.

Besides xenbus, there are 14 such places in the kernel that I've found
with semantic patch (see below):

	drivers/xen/evtchn.c:667:8-24: ERROR: evtchn_fops: .read() can deadlock .write()
	drivers/isdn/capi/capi.c:963:8-24: ERROR: capi_fops: .read() can deadlock .write()
	drivers/input/evdev.c:527:1-17: ERROR: evdev_fops: .read() can deadlock .write()
	drivers/char/pcmcia/cm4000_cs.c:1685:7-23: ERROR: cm4000_fops: .read() can deadlock .write()
	net/rfkill/core.c:1146:8-24: ERROR: rfkill_fops: .read() can deadlock .write()
	drivers/s390/char/fs3270.c:488:1-17: ERROR: fs3270_fops: .read() can deadlock .write()
	drivers/usb/misc/ldusb.c:310:1-17: ERROR: ld_usb_fops: .read() can deadlock .write()
	drivers/hid/uhid.c:635:1-17: ERROR: uhid_fops: .read() can deadlock .write()
	net/batman-adv/icmp_socket.c:80:1-17: ERROR: batadv_fops: .read() can deadlock .write()
	drivers/media/rc/lirc_dev.c:198:1-17: ERROR: lirc_fops: .read() can deadlock .write()
	drivers/leds/uleds.c:77:1-17: ERROR: uleds_fops: .read() can deadlock .write()
	drivers/input/misc/uinput.c:400:1-17: ERROR: uinput_fops: .read() can deadlock .write()
	drivers/infiniband/core/user_mad.c:985:7-23: ERROR: umad_fops: .read() can deadlock .write()
	drivers/gnss/core.c:45:1-17: ERROR: gnss_fops: .read() can deadlock .write()

In addition to the cases above another regression caused by f_pos
locking is that now FUSE filesystems that implement open with
FOPEN_NONSEEKABLE flag, can no longer implement bidirectional
stream-like files - for the same reason as above e.g. read can deadlock
write locking on file.f_pos in the kernel.

FUSE's FOPEN_NONSEEKABLE was added in 2008 in a7c1b990f715 ("fuse:
implement nonseekable open") to support OSSPD. OSSPD implements /dev/dsp
in userspace with FOPEN_NONSEEKABLE flag, with corresponding read and
write routines not depending on current position at all, and with both
read and write being potentially blocking operations:

See

    https://github.com/libfuse/osspd
    https://lwn.net/Articles/308445

    https://github.com/libfuse/osspd/blob/14a9cff0/osspd.c#L1406
    https://github.com/libfuse/osspd/blob/14a9cff0/osspd.c#L1438-L1477
    https://github.com/libfuse/osspd/blob/14a9cff0/osspd.c#L1479-L1510

Corresponding libfuse example/test also describes FOPEN_NONSEEKABLE as
"somewhat pipe-like files ..." with read handler not using offset.
However that test implements only read without write and cannot exercise
the deadlock scenario:

    https://github.com/libfuse/libfuse/blob/fuse-3.4.2-3-ga1bff7d/example/poll.c#L124-L131
    https://github.com/libfuse/libfuse/blob/fuse-3.4.2-3-ga1bff7d/example/poll.c#L146-L163
    https://github.com/libfuse/libfuse/blob/fuse-3.4.2-3-ga1bff7d/example/poll.c#L209-L216

I've actually hit the read vs write deadlock for real while implementing
my FUSE filesystem where there is /head/watch file, for which open
creates separate bidirectional socket-like stream in between filesystem
and its user with both read and write being later performed
simultaneously. And there it is semantically not easy to split the
stream into two separate read-only and write-only channels:

    https://lab.nexedi.com/kirr/wendelin.core/blob/f13aa600/wcfs/wcfs.go#L88-169

Let's fix this regression. The plan is:

1. We can't change nonseekable_open to include &~FMODE_ATOMIC_POS -
   doing so would break many in-kernel nonseekable_open users which
   actually use ppos in read/write handlers.

2. Add stream_open() to kernel to open stream-like non-seekable file
   descriptors. Read and write on such file descriptors would never use
   nor change ppos. And with that property on stream-like files read and
   write will be running without taking f_pos lock - i.e. read and write
   could be running simultaneously.

3. With semantic patch search and convert to stream_open all in-kernel
   nonseekable_open users for which read and write actually do not
   depend on ppos and where there is no other methods in file_operations
   which assume @offset access.

4. Add FOPEN_STREAM to fs/fuse/ and open in-kernel file-descriptors via
   stream_open if that bit is present in filesystem open reply.

   It was tempting to change fs/fuse/ open handler to use stream_open
   instead of nonseekable_open on just FOPEN_NONSEEKABLE flags, but
   grepping through Debian codesearch shows users of FOPEN_NONSEEKABLE,
   and in particular GVFS which actually uses offset in its read and
   write handlers

	https://codesearch.debian.net/search?q=-%3Enonseekable+%3D
	https://gitlab.gnome.org/GNOME/gvfs/blob/1.40.0-6-gcbc54396/client/gvfsfusedaemon.c#L1080
	https://gitlab.gnome.org/GNOME/gvfs/blob/1.40.0-6-gcbc54396/client/gvfsfusedaemon.c#L1247-1346
	https://gitlab.gnome.org/GNOME/gvfs/blob/1.40.0-6-gcbc54396/client/gvfsfusedaemon.c#L1399-1481

   so if we would do such a change it will break a real user.

5. Add stream_open and FOPEN_STREAM handling to stable kernels starting
   from v3.14+ (the kernel where 9c225f2655 first appeared).

   This will allow to patch OSSPD and other FUSE filesystems that
   provide stream-like files to return FOPEN_STREAM | FOPEN_NONSEEKABLE
   in their open handler and this way avoid the deadlock on all kernel
   versions. This should work because fs/fuse/ ignores unknown open
   flags returned from a filesystem and so passing FOPEN_STREAM to a
   kernel that is not aware of this flag cannot hurt. In turn the kernel
   that is not aware of FOPEN_STREAM will be < v3.14 where just
   FOPEN_NONSEEKABLE is sufficient to implement streams without read vs
   write deadlock.

This patch adds stream_open, converts /proc/xen/xenbus to it and adds
semantic patch to automatically locate in-kernel places that are either
required to be converted due to read vs write deadlock, or that are just
safe to be converted because read and write do not use ppos and there
are no other funky methods in file_operations.

Regarding semantic patch I've verified each generated change manually -
that it is correct to convert - and each other nonseekable_open instance
left - that it is either not correct to convert there, or that it is not
converted due to current stream_open.cocci limitations.

The script also does not convert files that should be valid to convert,
but that currently have .llseek = noop_llseek or generic_file_llseek for
unknown reason despite file being opened with nonseekable_open (e.g.
drivers/input/mousedev.c).

Cc: Michael Kerrisk <mtk.manpages@gmail.com>
Cc: Yongzhi Pan <panyongzhi@gmail.com>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: David Vrabel <david.vrabel@citrix.com>
Cc: Juergen Gross <jgross@suse.com>
Cc: Miklos Szeredi <miklos@szeredi.hu>
Cc: Tejun Heo <tj@kernel.org>
Cc: Kirill Tkhai <ktkhai@virtuozzo.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Julia Lawall <Julia.Lawall@lip6.fr>
Cc: Nikolaus Rath <Nikolaus@rath.org>
Cc: Han-Wen Nienhuys <hanwen@google.com>
[ backport to 4.4: actually fixed deadlock on /proc/xen/xenbus as 581d21a2d02a was not backported to 4.4 ]
Signed-off-by: Kirill Smelkov <kirr@nexedi.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/xen/xenbus/xenbus_dev_frontend.c |    2 
 fs/open.c                                |   18 +
 fs/read_write.c                          |    5 
 include/linux/fs.h                       |    4 
 scripts/coccinelle/api/stream_open.cocci |  363 +++++++++++++++++++++++++++++++
 5 files changed, 389 insertions(+), 3 deletions(-)

--- a/drivers/xen/xenbus/xenbus_dev_frontend.c
+++ b/drivers/xen/xenbus/xenbus_dev_frontend.c
@@ -536,7 +536,7 @@ static int xenbus_file_open(struct inode
 	if (xen_store_evtchn == 0)
 		return -ENOENT;
 
-	nonseekable_open(inode, filp);
+	stream_open(inode, filp);
 
 	u = kzalloc(sizeof(*u), GFP_KERNEL);
 	if (u == NULL)
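Review bot: the return value of stream_open() is discarded just as nonseekable_open()'s was, which is fine because stream_open() always returns 0. The conversion itself is only valid if the xenbus read and write handlers never consult *ppos, which this hunk cannot show; since the backport note says 581d21a2d02a was not taken into 4.4, it would help to state there that the 4.4 handlers were checked against the stream_open.cocci rules for this tree.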
--- a/fs/open.c
+++ b/fs/open.c
@@ -1152,3 +1152,21 @@ int nonseekable_open(struct inode *inode
 }
 
 EXPORT_SYMBOL(nonseekable_open);
+
+/*
+ * stream_open is used by subsystems that want stream-like file descriptors.
+ * Such file descriptors are not seekable and don't have notion of position
+ * (file.f_pos is always 0). Contrary to file descriptors of other regular
+ * files, .read() and .write() can run simultaneously.
+ *
+ * stream_open never fails and is marked to return int so that it could be
+ * directly used as file_operations.open .
+ */
+int stream_open(struct inode *inode, struct file *filp)
+{
+	filp->f_mode &= ~(FMODE_LSEEK | FMODE_PREAD | FMODE_PWRITE | FMODE_ATOMIC_POS);
+	filp->f_mode |= FMODE_STREAM;
+	return 0;
+}
+
+EXPORT_SYMBOL(stream_open);
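Review bot: the comment claims file.f_pos is always 0 for such descriptors, yet stream_open() never touches filp->f_pos; the invariant is enforced only by file_pos_read()/file_pos_write() in fs/read_write.c treating FMODE_STREAM files as position 0. Either set `filp->f_pos = 0` here as well or reword the comment to say the position is ignored rather than zero, so code that inspects f_pos directly is not misled. Clearing FMODE_PREAD | FMODE_PWRITE is right: pread()/pwrite() then fail on stream files instead of silently acting on offset 0.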
--- a/fs/read_write.c
+++ b/fs/read_write.c
@@ -553,12 +553,13 @@ EXPORT_SYMBOL(vfs_write);
 
 static inline loff_t file_pos_read(struct file *file)
 {
-	return file->f_pos;
+	return file->f_mode & FMODE_STREAM ? 0 : file->f_pos;
 }
 
 static inline void file_pos_write(struct file *file, loff_t pos)
 {
-	file->f_pos = pos;
+	if ((file->f_mode & FMODE_STREAM) == 0)
+		file->f_pos = pos;
 }
 
 SYSCALL_DEFINE3(read, unsigned int, fd, char __user *, buf, size_t, count)
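Review bot: file_pos_read() and file_pos_write() now give FMODE_STREAM files a fixed position of 0 and never store one back, which is what makes dropping FMODE_ATOMIC_POS in stream_open() safe; the mixed style (ternary in one helper, if in the other) is a nit. More relevant for the backport: any 4.4 path that reads file->f_pos directly rather than through these two helpers still sees the real field, so it is worth grepping for such users before relying on the "always 0" wording in fs/open.c.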
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -140,6 +140,9 @@ typedef void (dax_iodone_t)(struct buffe
 /* Has write method(s) */
 #define FMODE_CAN_WRITE         ((__force fmode_t)0x40000)
 
+/* File is stream-like */
+#define FMODE_STREAM		((__force fmode_t)0x200000)
+
 /* File was opened by fanotify and shouldn't generate fanotify events */
 #define FMODE_NONOTIFY		((__force fmode_t)0x4000000)
 
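Review bot: FMODE_STREAM is defined as 0x200000 between FMODE_CAN_WRITE (0x40000) and FMODE_NONOTIFY (0x4000000), out of sequence with its neighbours; since this is a backport, double-check that 0x200000 is not already assigned to another FMODE_ bit in this tree's fs.h, as a collision here would silently change the meaning of the other flag for every open file.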
@@ -2706,6 +2709,7 @@ extern loff_t fixed_size_llseek(struct f
 		int whence, loff_t size);
 extern int generic_file_open(struct inode * inode, struct file * filp);
 extern int nonseekable_open(struct inode * inode, struct file * filp);
+extern int stream_open(struct inode * inode, struct file * filp);
 
 #ifdef CONFIG_BLOCK
 typedef void (dio_submit_t)(int rw, struct bio *bio, struct inode *inode,
--- /dev/null
+++ b/scripts/coccinelle/api/stream_open.cocci
@@ -0,0 +1,363 @@
+// SPDX-License-Identifier: GPL-2.0
+// Author: Kirill Smelkov (kirr@nexedi.com)
+//
+// Search for stream-like files that are using nonseekable_open and convert
+// them to stream_open. A stream-like file is a file that does not use ppos in
+// its read and write. Rationale for the conversion is to avoid deadlock in
+// between read and write.
+
+virtual report
+virtual patch
+virtual explain  // explain decisions in the patch (SPFLAGS="-D explain")
+
+// stream-like reader & writer - ones that do not depend on f_pos.
+@ stream_reader @
+identifier readstream, ppos;
+identifier f, buf, len;
+type loff_t;
+@@
+  ssize_t readstream(struct file *f, char *buf, size_t len, loff_t *ppos)
+  {
+    ... when != ppos
+  }
+
+@ stream_writer @
+identifier writestream, ppos;
+identifier f, buf, len;
+type loff_t;
+@@
+  ssize_t writestream(struct file *f, const char *buf, size_t len, loff_t *ppos)
+  {
+    ... when != ppos
+  }
+
+
+// a function that blocks
+@ blocks @
+identifier block_f;
+identifier wait_event =~ "^wait_event_.*";
+@@
+  block_f(...) {
+    ... when exists
+    wait_event(...)
+    ... when exists
+  }
+
+// stream_reader that can block inside.
+//
+// XXX wait_* can be called not directly from current function (e.g. func -> f -> g -> wait())
+// XXX currently reader_blocks supports only direct and 1-level indirect cases.
+@ reader_blocks_direct @
+identifier stream_reader.readstream;
+identifier wait_event =~ "^wait_event_.*";
+@@
+  readstream(...)
+  {
+    ... when exists
+    wait_event(...)
+    ... when exists
+  }
+
+@ reader_blocks_1 @
+identifier stream_reader.readstream;
+identifier blocks.block_f;
+@@
+  readstream(...)
+  {
+    ... when exists
+    block_f(...)
+    ... when exists
+  }
+
+@ reader_blocks depends on reader_blocks_direct || reader_blocks_1 @
+identifier stream_reader.readstream;
+@@
+  readstream(...) {
+    ...
+  }
+
+
+// file_operations + whether they have _any_ .read, .write, .llseek ... at all.
+//
+// XXX add support for file_operations xxx[N] = ...	(sound/core/pcm_native.c)
+@ fops0 @
+identifier fops;
+@@
+  struct file_operations fops = {
+    ...
+  };
+
+@ has_read @
+identifier fops0.fops;
+identifier read_f;
+@@
+  struct file_operations fops = {
+    .read = read_f,
+  };
+
+@ has_read_iter @
+identifier fops0.fops;
+identifier read_iter_f;
+@@
+  struct file_operations fops = {
+    .read_iter = read_iter_f,
+  };
+
+@ has_write @
+identifier fops0.fops;
+identifier write_f;
+@@
+  struct file_operations fops = {
+    .write = write_f,
+  };
+
+@ has_write_iter @
+identifier fops0.fops;
+identifier write_iter_f;
+@@
+  struct file_operations fops = {
+    .write_iter = write_iter_f,
+  };
+
+@ has_llseek @
+identifier fops0.fops;
+identifier llseek_f;
+@@
+  struct file_operations fops = {
+    .llseek = llseek_f,
+  };
+
+@ has_no_llseek @
+identifier fops0.fops;
+@@
+  struct file_operations fops = {
+    .llseek = no_llseek,
+  };
+
+@ has_mmap @
+identifier fops0.fops;
+identifier mmap_f;
+@@
+  struct file_operations fops = {
+    .mmap = mmap_f,
+  };
+
+@ has_copy_file_range @
+identifier fops0.fops;
+identifier copy_file_range_f;
+@@
+  struct file_operations fops = {
+    .copy_file_range = copy_file_range_f,
+  };
+
+@ has_remap_file_range @
+identifier fops0.fops;
+identifier remap_file_range_f;
+@@
+  struct file_operations fops = {
+    .remap_file_range = remap_file_range_f,
+  };
+
+@ has_splice_read @
+identifier fops0.fops;
+identifier splice_read_f;
+@@
+  struct file_operations fops = {
+    .splice_read = splice_read_f,
+  };
+
+@ has_splice_write @
+identifier fops0.fops;
+identifier splice_write_f;
+@@
+  struct file_operations fops = {
+    .splice_write = splice_write_f,
+  };
+
+
+// file_operations that is candidate for stream_open conversion - it does not
+// use mmap and other methods that assume @offset access to file.
+//
+// XXX for simplicity require no .{read/write}_iter and no .splice_{read/write} for now.
+// XXX maybe_steam.fops cannot be used in other rules - it gives "bad rule maybe_stream or bad variable fops".
+@ maybe_stream depends on (!has_llseek || has_no_llseek) && !has_mmap && !has_copy_file_range && !has_remap_file_range && !has_read_iter && !has_write_iter && !has_splice_read && !has_splice_write @
+identifier fops0.fops;
+@@
+  struct file_operations fops = {
+  };
+
+
+// ---- conversions ----
+
+// XXX .open = nonseekable_open -> .open = stream_open
+// XXX .open = func -> openfunc -> nonseekable_open
+
+// read & write
+//
+// if both are used in the same file_operations together with an opener -
+// under that conditions we can use stream_open instead of nonseekable_open.
+@ fops_rw depends on maybe_stream @
+identifier fops0.fops, openfunc;
+identifier stream_reader.readstream;
+identifier stream_writer.writestream;
+@@
+  struct file_operations fops = {
+      .open  = openfunc,
+      .read  = readstream,
+      .write = writestream,
+  };
+
+@ report_rw depends on report @
+identifier fops_rw.openfunc;
+position p1;
+@@
+  openfunc(...) {
+    <...
+     nonseekable_open@p1
+    ...>
+  }
+
+@ script:python depends on report && reader_blocks @
+fops << fops0.fops;
+p << report_rw.p1;
+@@
+coccilib.report.print_report(p[0],
+  "ERROR: %s: .read() can deadlock .write(); change nonseekable_open -> stream_open to fix." % (fops,))
+
+@ script:python depends on report && !reader_blocks @
+fops << fops0.fops;
+p << report_rw.p1;
+@@
+coccilib.report.print_report(p[0],
+  "WARNING: %s: .read() and .write() have stream semantic; safe to change nonseekable_open -> stream_open." % (fops,))
+
+
+@ explain_rw_deadlocked depends on explain && reader_blocks @
+identifier fops_rw.openfunc;
+@@
+  openfunc(...) {
+    <...
+-    nonseekable_open
++    nonseekable_open /* read & write (was deadlock) */
+    ...>
+  }
+
+
+@ explain_rw_nodeadlock depends on explain && !reader_blocks @
+identifier fops_rw.openfunc;
+@@
+  openfunc(...) {
+    <...
+-    nonseekable_open
++    nonseekable_open /* read & write (no direct deadlock) */
+    ...>
+  }
+
+@ patch_rw depends on patch @
+identifier fops_rw.openfunc;
+@@
+  openfunc(...) {
+    <...
+-   nonseekable_open
++   stream_open
+    ...>
+  }
+
+
+// read, but not write
+@ fops_r depends on maybe_stream && !has_write @
+identifier fops0.fops, openfunc;
+identifier stream_reader.readstream;
+@@
+  struct file_operations fops = {
+      .open  = openfunc,
+      .read  = readstream,
+  };
+
+@ report_r depends on report @
+identifier fops_r.openfunc;
+position p1;
+@@
+  openfunc(...) {
+    <...
+    nonseekable_open@p1
+    ...>
+  }
+
+@ script:python depends on report @
+fops << fops0.fops;
+p << report_r.p1;
+@@
+coccilib.report.print_report(p[0],
+  "WARNING: %s: .read() has stream semantic; safe to change nonseekable_open -> stream_open." % (fops,))
+
+@ explain_r depends on explain @
+identifier fops_r.openfunc;
+@@
+  openfunc(...) {
+    <...
+-   nonseekable_open
++   nonseekable_open /* read only */
+    ...>
+  }
+
+@ patch_r depends on patch @
+identifier fops_r.openfunc;
+@@
+  openfunc(...) {
+    <...
+-   nonseekable_open
++   stream_open
+    ...>
+  }
+
+
+// write, but not read
+@ fops_w depends on maybe_stream && !has_read @
+identifier fops0.fops, openfunc;
+identifier stream_writer.writestream;
+@@
+  struct file_operations fops = {
+      .open  = openfunc,
+      .write = writestream,
+  };
+
+@ report_w depends on report @
+identifier fops_w.openfunc;
+position p1;
+@@
+  openfunc(...) {
+    <...
+    nonseekable_open@p1
+    ...>
+  }
+
+@ script:python depends on report @
+fops << fops0.fops;
+p << report_w.p1;
+@@
+coccilib.report.print_report(p[0],
+  "WARNING: %s: .write() has stream semantic; safe to change nonseekable_open -> stream_open." % (fops,))
+
+@ explain_w depends on explain @
+identifier fops_w.openfunc;
+@@
+  openfunc(...) {
+    <...
+-   nonseekable_open
++   nonseekable_open /* write only */
+    ...>
+  }
+
+@ patch_w depends on patch @
+identifier fops_w.openfunc;
+@@
+  openfunc(...) {
+    <...
+-   nonseekable_open
++   stream_open
+    ...>
+  }
+
+
+// no read, no write - don't change anything
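Review bot: patch_rw, patch_r and patch_w rewrite every nonseekable_open call inside openfunc, but openfunc is bound only through the single file_operations matched by fops_rw/fops_r/fops_w; when the same open function is shared by another file_operations that does not satisfy maybe_stream (one with .mmap or .llseek, say), its nonseekable_open is converted too and that file silently gains stream semantics. Add a rule that drops openfunc when it also appears as .open in a file_operations not matching maybe_stream, or at least have the report rules flag a shared opener for manual review. Two smaller points in the same region: the comment "// XXX maybe_steam.fops cannot be used in other rules" misspells maybe_stream, and the "// XXX for simplicity require no .{read/write}_iter" restriction means drivers using .read_iter/.write_iter produce no report at all, which deserves a comment next to the maybe_stream rule so that silence in report mode is not read as a clean result.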



^ permalink raw reply	[flat|nested] 250+ messages in thread

* [PATCH 4.4 241/241] fuse: Add FOPEN_STREAM to use stream_open()
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (239 preceding siblings ...)
  2019-06-09 16:43 ` [PATCH 4.4 240/241] fs: stream_open - opener for stream-like files so that read and write can run simultaneously without deadlock Greg Kroah-Hartman
@ 2019-06-09 16:43 ` Greg Kroah-Hartman
  2019-06-09 22:30 ` [PATCH 4.4 000/241] 4.4.181-stable review kernelci.org bot
                   ` (4 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-09 16:43 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Kirill Smelkov, Miklos Szeredi

From: Kirill Smelkov <kirr@nexedi.com>

commit bbd84f33652f852ce5992d65db4d020aba21f882 upstream.

Starting from commit 9c225f2655e3 ("vfs: atomic f_pos accesses as per
POSIX") files opened even via nonseekable_open gate read and write via a
lock and do not allow them to be run simultaneously. This can create a
read vs write deadlock if a filesystem is trying to implement a socket-like
file which is intended to be simultaneously used for both read and write
from the filesystem client.  See commit 10dce8af3422 ("fs: stream_open -
opener for stream-like files so that read and write can run simultaneously
without deadlock") for details and e.g. commit 581d21a2d02a ("xenbus: fix
deadlock on writes to /proc/xen/xenbus") for a similar deadlock example on
/proc/xen/xenbus.

To avoid such a deadlock it was tempting to adjust fuse_finish_open to use
stream_open instead of nonseekable_open on just the FOPEN_NONSEEKABLE flag,
but grepping through Debian codesearch shows users of FOPEN_NONSEEKABLE,
and in particular GVFS, which actually uses the offset in its read and
write handlers:

	https://codesearch.debian.net/search?q=-%3Enonseekable+%3D
	https://gitlab.gnome.org/GNOME/gvfs/blob/1.40.0-6-gcbc54396/client/gvfsfusedaemon.c#L1080
	https://gitlab.gnome.org/GNOME/gvfs/blob/1.40.0-6-gcbc54396/client/gvfsfusedaemon.c#L1247-1346
	https://gitlab.gnome.org/GNOME/gvfs/blob/1.40.0-6-gcbc54396/client/gvfsfusedaemon.c#L1399-1481

so if we made such a change it would break a real user.

Add another flag (FOPEN_STREAM) for filesystem servers to indicate that the
opened handle has stream-like semantics: it does not use the file position,
and thus the kernel is free to issue simultaneous read and write requests
on the opened file handle.

This patch together with stream_open() should be added to stable kernels
starting from v3.14+. This will allow patching OSSPD and other FUSE
filesystems that provide stream-like files to return FOPEN_STREAM |
FOPEN_NONSEEKABLE in their open handler and this way avoid the deadlock on
all kernel versions. This should work because fuse_finish_open ignores
unknown open flags returned from a filesystem, so passing FOPEN_STREAM to a
kernel that is not aware of this flag cannot hurt. In turn, a kernel that
is not aware of FOPEN_STREAM will be < v3.14, where just FOPEN_NONSEEKABLE
is sufficient to implement streams without a read vs write deadlock.

Cc: stable@vger.kernel.org # v3.14+
Signed-off-by: Kirill Smelkov <kirr@nexedi.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/fuse/file.c            |    4 +++-
 include/uapi/linux/fuse.h |    2 ++
 2 files changed, 5 insertions(+), 1 deletion(-)

--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -178,7 +178,9 @@ void fuse_finish_open(struct inode *inod
 		file->f_op = &fuse_direct_io_file_operations;
 	if (!(ff->open_flags & FOPEN_KEEP_CACHE))
 		invalidate_inode_pages2(inode->i_mapping);
-	if (ff->open_flags & FOPEN_NONSEEKABLE)
+	if (ff->open_flags & FOPEN_STREAM)
+		stream_open(inode, file);
+	else if (ff->open_flags & FOPEN_NONSEEKABLE)
 		nonseekable_open(inode, file);
 	if (fc->atomic_o_trunc && (file->f_flags & O_TRUNC)) {
 		struct fuse_inode *fi = get_fuse_inode(inode);
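Review bot: with the if / else if chain, a reply carrying both FOPEN_STREAM and FOPEN_NONSEEKABLE (the combination the commit message tells filesystems to return) never reaches nonseekable_open(); please confirm that stream_open() itself marks the file non-seekable, otherwise the "nonseekable" half of that reply is silently dropped on kernels with this patch. A one-line comment above the FOPEN_STREAM test stating that stream_open() subsumes the non-seekable marking would make the precedence deliberate for the next reader of fuse_finish_open.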
--- a/include/uapi/linux/fuse.h
+++ b/include/uapi/linux/fuse.h
@@ -205,10 +205,12 @@ struct fuse_file_lock {
  * FOPEN_DIRECT_IO: bypass page cache for this open file
  * FOPEN_KEEP_CACHE: don't invalidate the data cache on open
  * FOPEN_NONSEEKABLE: the file is not seekable
+ * FOPEN_STREAM: the file is stream-like (no file position at all)
  */
 #define FOPEN_DIRECT_IO		(1 << 0)
 #define FOPEN_KEEP_CACHE	(1 << 1)
 #define FOPEN_NONSEEKABLE	(1 << 2)
+#define FOPEN_STREAM		(1 << 4)
 
 /**
  * INIT request/reply flags
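Review bot: "#define FOPEN_STREAM (1 << 4)" skips bit 3, which no definition in this hunk uses; keeping the upstream value (commit bbd84f33652f is cited above) is right for a uapi ABI constant, but a short comment marking bit 3 as reserved would stop a later backport to this branch from reusing it. The new doc line "FOPEN_STREAM: the file is stream-like (no file position at all)" is also the place to say that servers should set it together with FOPEN_NONSEEKABLE, as the commit message recommends, since this header is what a filesystem author reads rather than the changelog.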



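The read-vs-write deadlock this patch works around, modelled in userspace as an added example (this is not kernel code and not part of the patch or of FUSE): a reader that holds the position lock across a blocking read, as the VFS does for files opened with nonseekable_open(), blocks the very writer that would have unblocked it; with stream_open() semantics no position lock is taken and the write goes through. The struct and function names, the 200 ms trylock budget and the "hello" payload are constructed for the demonstration.

```c
/*
 * Userspace model of the read-vs-write deadlock that stream_open() removes.
 * Not kernel code: pos_lock stands in for the VFS f_pos lock that is taken
 * around read() and write() on files opened with nonseekable_open(), and
 * "stream" selects the stream_open() behaviour where no such lock is taken.
 */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

struct stream_file {                 /* constructed stand-in for one open file */
    pthread_mutex_t pos_lock;        /* models the f_pos lock */
    pthread_mutex_t data_lock;       /* guards everything below */
    pthread_cond_t  changed;         /* signalled on any state change */
    char   buf[64];
    size_t len;
    bool   stream;                   /* true: stream_open() semantics */
    bool   in_read;                  /* reader has entered read() */
    bool   abort_read;               /* tells a stuck reader to give up */
};

static void sleep_ms(long ms)
{
    struct timespec ts = { ms / 1000, (ms % 1000) * 1000000L };
    nanosleep(&ts, NULL);
}

/* read(): parks until the peer writes; the position lock is held throughout. */
static void *reader(void *arg)
{
    struct stream_file *f = arg;

    if (!f->stream)
        pthread_mutex_lock(&f->pos_lock);
    pthread_mutex_lock(&f->data_lock);
    f->in_read = true;
    pthread_cond_broadcast(&f->changed);
    while (f->len == 0 && !f->abort_read)
        pthread_cond_wait(&f->changed, &f->data_lock);
    f->len = 0;                                  /* consume the data */
    pthread_mutex_unlock(&f->data_lock);
    if (!f->stream)
        pthread_mutex_unlock(&f->pos_lock);
    return NULL;
}

/* write(): true if the data was delivered, false if the position lock
 * stayed busy for ~200 ms (20 x 10 ms), which is the deadlock in miniature. */
static bool writer(struct stream_file *f, const char *msg)
{
    if (!f->stream) {
        int tries = 20;
        while (pthread_mutex_trylock(&f->pos_lock) != 0) {
            if (--tries == 0)
                return false;
            sleep_ms(10);
        }
    }
    pthread_mutex_lock(&f->data_lock);
    f->len = strlen(msg) < sizeof(f->buf) ? strlen(msg) : sizeof(f->buf) - 1;
    memcpy(f->buf, msg, f->len);
    pthread_cond_broadcast(&f->changed);
    pthread_mutex_unlock(&f->data_lock);
    if (!f->stream)
        pthread_mutex_unlock(&f->pos_lock);
    return true;
}

/* One blocked reader plus one writer; returns true when the write completed. */
bool simulate_open(bool stream_open_semantics)
{
    struct stream_file f = {
        .pos_lock  = PTHREAD_MUTEX_INITIALIZER,
        .data_lock = PTHREAD_MUTEX_INITIALIZER,
        .changed   = PTHREAD_COND_INITIALIZER,
        .stream    = stream_open_semantics,
    };
    pthread_t t;
    bool ok;

    if (pthread_create(&t, NULL, reader, &f) != 0)
        return false;
    pthread_mutex_lock(&f.data_lock);            /* wait until read() is parked */
    while (!f.in_read)
        pthread_cond_wait(&f.changed, &f.data_lock);
    pthread_mutex_unlock(&f.data_lock);

    ok = writer(&f, "hello");
    if (!ok) {                                   /* release the stuck reader */
        pthread_mutex_lock(&f.data_lock);
        f.abort_read = true;
        pthread_cond_broadcast(&f.changed);
        pthread_mutex_unlock(&f.data_lock);
    }
    pthread_join(t, NULL);
    return ok;
}

int main(void)
{
    printf("nonseekable_open model: write %s\n",
           simulate_open(false) ? "completed" : "blocked (deadlock)");
    printf("stream_open model:      write %s\n",
           simulate_open(true) ? "completed" : "blocked (deadlock)");
    return 0;
}
```

The model deliberately keeps the data lock separate from the position lock: the data lock is released inside the condition wait, exactly as a driver's own wait queue would release it, so the only thing keeping the writer out in the nonseekable_open case is the position lock held across the blocking read.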

* Re: [PATCH 4.4 000/241] 4.4.181-stable review
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (240 preceding siblings ...)
  2019-06-09 16:43 ` [PATCH 4.4 241/241] fuse: Add FOPEN_STREAM to use stream_open() Greg Kroah-Hartman
@ 2019-06-09 22:30 ` kernelci.org bot
  2019-06-10  8:48 ` Naresh Kamboju
                   ` (3 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: kernelci.org bot @ 2019-06-09 22:30 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuah, patches,
	ben.hutchings, lkft-triage, stable

stable-rc/linux-4.4.y boot: 94 boots: 1 failed, 92 passed with 1 conflict (v4.4.180-242-gc9c6a085b72e)

Full Boot Summary: https://kernelci.org/boot/all/job/stable-rc/branch/linux-4.4.y/kernel/v4.4.180-242-gc9c6a085b72e/
Full Build Summary: https://kernelci.org/build/stable-rc/branch/linux-4.4.y/kernel/v4.4.180-242-gc9c6a085b72e/

Tree: stable-rc
Branch: linux-4.4.y
Git Describe: v4.4.180-242-gc9c6a085b72e
Git Commit: c9c6a085b72ef62ce2cdcfbee79476ad2bdbd703
Git URL: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
Tested: 44 unique boards, 20 SoC families, 14 builds out of 190

Boot Regressions Detected:

x86_64:

    x86_64_defconfig:
        gcc-8:
          qemu:
              lab-baylibre: new failure (last pass: v4.4.180-230-g17950b5be27c)

Boot Failure Detected:

arm64:
    defconfig:
        gcc-8:
            qcom-qdf2400: 1 failed lab

Conflicting Boot Failure Detected: (These likely are not failures as other labs are reporting PASS. Needs review.)

x86_64:
    x86_64_defconfig:
        qemu:
            lab-drue: PASS (gcc-8)
            lab-baylibre: FAIL (gcc-8)
            lab-collabora: PASS (gcc-8)
            lab-linaro-lkft: PASS (gcc-8)
            lab-mhart: PASS (gcc-8)

---
For more info write to <info@kernelci.org>


* Re: [PATCH 4.4 000/241] 4.4.181-stable review
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (241 preceding siblings ...)
  2019-06-09 22:30 ` [PATCH 4.4 000/241] 4.4.181-stable review kernelci.org bot
@ 2019-06-10  8:48 ` Naresh Kamboju
  2019-06-10  8:49 ` Jon Hunter
                   ` (2 subsequent siblings)
  245 siblings, 0 replies; 250+ messages in thread
From: Naresh Kamboju @ 2019-06-10  8:48 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: open list, Shuah Khan, patches, lkft-triage, Ben Hutchings,
	linux- stable, Andrew Morton, Linus Torvalds, Guenter Roeck

On Sun, 9 Jun 2019 at 22:26, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 4.4.181 release.
> There are 241 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Tue 11 Jun 2019 04:39:53 PM UTC.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
>         https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.181-rc1.gz
> or in the git tree and branch at:
>         git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>

Results from Linaro’s test farm.
No regressions on arm64, arm, x86_64, and i386.

Summary
------------------------------------------------------------------------

kernel: 4.4.181-rc1
git repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
git branch: linux-4.4.y
git commit: c9c6a085b72ef62ce2cdcfbee79476ad2bdbd703
git describe: v4.4.180-242-gc9c6a085b72e
Test details: https://qa-reports.linaro.org/lkft/linux-stable-rc-4.4-oe/build/v4.4.180-242-gc9c6a085b72e

No regressions (compared to build v4.4.180)

No fixes (compared to build v4.4.180)


Ran 16751 total tests in the following environments and test suites.

Environments
--------------
- i386
- juno-r2 - arm64
- qemu_arm
- qemu_arm64
- qemu_i386
- qemu_x86_64
- x15 - arm
- x86_64

Test Suites
-----------
* build
* kselftest
* libhugetlbfs
* ltp-cap_bounds-tests
* ltp-commands-tests
* ltp-containers-tests
* ltp-cpuhotplug-tests
* ltp-cve-tests
* ltp-dio-tests
* ltp-fcntl-locktests-tests
* ltp-filecaps-tests
* ltp-fs-tests
* ltp-fs_bind-tests
* ltp-fs_perms_simple-tests
* ltp-fsx-tests
* ltp-hugetlb-tests
* ltp-io-tests
* ltp-ipc-tests
* ltp-math-tests
* ltp-mm-tests
* ltp-nptl-tests
* ltp-open-posix-tests
* ltp-pty-tests
* ltp-sched-tests
* ltp-securebits-tests
* ltp-syscalls-tests
* ltp-timers-tests
* network-basic-tests
* perf
* spectre-meltdown-checker-test
* v4l2-compliance
* kvm-unit-tests
* install-android-platform-tools-r2600
* kselftest-vsyscall-mode-native
* kselftest-vsyscall-mode-none

Summary
------------------------------------------------------------------------

kernel: 4.4.181-rc1
git repo: https://git.linaro.org/lkft/arm64-stable-rc.git
git branch: 4.4.181-rc1-hikey-20190609-454
git commit: 08da993f3205945652b0e60ef5bc2fcbd22db646
git describe: 4.4.181-rc1-hikey-20190609-454
Test details: https://qa-reports.linaro.org/lkft/linaro-hikey-stable-rc-4.4-oe/build/4.4.181-rc1-hikey-20190609-454


No regressions (compared to build 4.4.181-rc1-hikey-20190607-453)


No fixes (compared to build 4.4.181-rc1-hikey-20190607-453)

Ran 1551 total tests in the following environments and test suites.

Environments
--------------
- hi6220-hikey - arm64

Test Suites
-----------
* build
* install-android-platform-tools-r2600
* kselftest
* libhugetlbfs
* ltp-cap_bounds-tests
* ltp-commands-tests
* ltp-containers-tests
* ltp-cpuhotplug-tests
* ltp-cve-tests
* ltp-dio-tests
* ltp-fcntl-locktests-tests
* ltp-filecaps-tests
* ltp-fs-tests
* ltp-fs_bind-tests
* ltp-fs_perms_simple-tests
* ltp-fsx-tests
* ltp-hugetlb-tests
* ltp-io-tests
* ltp-ipc-tests
* ltp-math-tests
* ltp-mm-tests
* ltp-nptl-tests
* ltp-pty-tests
* ltp-sched-tests
* ltp-securebits-tests
* ltp-syscalls-tests
* ltp-timers-tests
* perf
* spectre-meltdown-checker-test
* v4l2-compliance

-- 
Linaro LKFT
https://lkft.linaro.org


* Re: [PATCH 4.4 000/241] 4.4.181-stable review
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (242 preceding siblings ...)
  2019-06-10  8:48 ` Naresh Kamboju
@ 2019-06-10  8:49 ` Jon Hunter
  2019-06-10 14:41 ` Guenter Roeck
  2019-06-10 21:46 ` shuah
  245 siblings, 0 replies; 250+ messages in thread
From: Jon Hunter @ 2019-06-10  8:49 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: torvalds, akpm, linux, shuah, patches, ben.hutchings,
	lkft-triage, stable, linux-tegra


On 09/06/2019 17:39, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.4.181 release.
> There are 241 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Tue 11 Jun 2019 04:39:53 PM UTC.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.181-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h

All tests are passing for Tegra ...

Test results for stable-v4.4:
    6 builds:	6 pass, 0 fail
    12 boots:	12 pass, 0 fail
    19 tests:	19 pass, 0 fail

Linux version:	4.4.181-rc1-gc9c6a08
Boards tested:	tegra124-jetson-tk1, tegra20-ventana,
                tegra30-cardhu-a04

Cheers
Jon

-- 
nvpublic


* Re: [PATCH 4.4 000/241] 4.4.181-stable review
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (243 preceding siblings ...)
  2019-06-10  8:49 ` Jon Hunter
@ 2019-06-10 14:41 ` Guenter Roeck
  2019-06-10 21:46 ` shuah
  245 siblings, 0 replies; 250+ messages in thread
From: Guenter Roeck @ 2019-06-10 14:41 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, torvalds, akpm, shuah, patches, ben.hutchings,
	lkft-triage, stable

On Sun, Jun 09, 2019 at 06:39:02PM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.4.181 release.
> There are 241 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Tue 11 Jun 2019 04:39:53 PM UTC.
> Anything received after that time might be too late.
> 
Build results:
	total: 170 pass: 170 fail: 0
Qemu test results:
	total: 298 pass: 298 fail: 0

Guenter


* RE: [PATCH 4.4 041/241] cifs: fix strcat buffer overflow and reduce raciness in smb21_set_oplock_level()
  2019-06-09 16:39 ` [PATCH 4.4 041/241] cifs: fix strcat buffer overflow and reduce raciness in smb21_set_oplock_level() Greg Kroah-Hartman
@ 2019-06-10 19:13   ` Pavel Shilovskiy
  2019-06-11  7:20     ` Greg Kroah-Hartman
  0 siblings, 1 reply; 250+ messages in thread
From: Pavel Shilovskiy @ 2019-06-10 19:13 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel; +Cc: stable, Christoph Probst, Steven French


-----Original Message-----
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
Sent: Sunday, June 9, 2019 9:40 AM
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>; stable@vger.kernel.org; Christoph Probst <kernel@probst.it>; Pavel Shilovskiy <pshilov@microsoft.com>; Steven French <Steven.French@microsoft.com>
Subject: [PATCH 4.4 041/241] cifs: fix strcat buffer overflow and reduce raciness in smb21_set_oplock_level()

From: Christoph Probst <kernel@probst.it>

commit 6a54b2e002c9d00b398d35724c79f9fe0d9b38fb upstream.

Change strcat to strncpy in the "None" case to fix a buffer overflow when cinode->oplock is reset to 0 by another thread accessing the same cinode. It is never valid to append "None" to any other message.

Consolidate multiple writes to cinode->oplock to reduce raciness.

Signed-off-by: Christoph Probst <kernel@probst.it>
Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
CC: Stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
--------------------------------

Hi Greg,

This patch has been queued for 4.4.y and has already been merged into 5.1.y (5.1.5). Are you going to apply it to other stable kernels: 4.9, 4.14, 4.19?

Best regards,
Pavel Shilovsky


* Re: [PATCH 4.4 000/241] 4.4.181-stable review
  2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
                   ` (244 preceding siblings ...)
  2019-06-10 14:41 ` Guenter Roeck
@ 2019-06-10 21:46 ` shuah
  245 siblings, 0 replies; 250+ messages in thread
From: shuah @ 2019-06-10 21:46 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: torvalds, akpm, linux, patches, ben.hutchings, lkft-triage,
	stable, shuah

On 6/9/19 10:39 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.4.181 release.
> There are 241 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Tue 11 Jun 2019 04:39:53 PM UTC.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.181-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h
> 

Compiled and booted on my test system. No dmesg regressions.

thanks,
-- Shuah



* Re: [PATCH 4.4 041/241] cifs: fix strcat buffer overflow and reduce raciness in smb21_set_oplock_level()
  2019-06-10 19:13   ` Pavel Shilovskiy
@ 2019-06-11  7:20     ` Greg Kroah-Hartman
  2019-06-11 18:35       ` Pavel Shilovskiy
  0 siblings, 1 reply; 250+ messages in thread
From: Greg Kroah-Hartman @ 2019-06-11  7:20 UTC (permalink / raw)
  To: Pavel Shilovskiy; +Cc: linux-kernel, stable, Christoph Probst, Steven French

On Mon, Jun 10, 2019 at 07:13:24PM +0000, Pavel Shilovskiy wrote:
> 
> -----Original Message-----
> From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
> Sent: Sunday, June 9, 2019 9:40 AM
> To: linux-kernel@vger.kernel.org
> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>; stable@vger.kernel.org; Christoph Probst <kernel@probst.it>; Pavel Shilovskiy <pshilov@microsoft.com>; Steven French <Steven.French@microsoft.com>
> Subject: [PATCH 4.4 041/241] cifs: fix strcat buffer overflow and reduce raciness in smb21_set_oplock_level()
> 
> From: Christoph Probst <kernel@probst.it>
> 
> commit 6a54b2e002c9d00b398d35724c79f9fe0d9b38fb upstream.
> 
> Change strcat to strncpy in the "None" case to fix a buffer overflow when cinode->oplock is reset to 0 by another thread accessing the same cinode. It is never valid to append "None" to any other message.
> 
> Consolidate multiple writes to cinode->oplock to reduce raciness.
> 
> Signed-off-by: Christoph Probst <kernel@probst.it>
> Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
> Signed-off-by: Steve French <stfrench@microsoft.com>
> CC: Stable <stable@vger.kernel.org>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> --------------------------------
> 
> Hi Greg,
> 
> This patch has been queued for 4.4.y and has already been merged into
> 5.1.y (5.1.5). Are you going to apply it to other stable kernels: 4.9,
> 4.14, 4.19?

It is already in the 4.9.179, 4.14.122, 4.19.46, 5.0.19, and 5.1.5
released kernels.  So I don't think I can merge it into them again :)

thanks,

greg k-h


* RE: [PATCH 4.4 041/241] cifs: fix strcat buffer overflow and reduce raciness in smb21_set_oplock_level()
  2019-06-11  7:20     ` Greg Kroah-Hartman
@ 2019-06-11 18:35       ` Pavel Shilovskiy
  0 siblings, 0 replies; 250+ messages in thread
From: Pavel Shilovskiy @ 2019-06-11 18:35 UTC (permalink / raw)
  To: Greg Kroah-Hartman; +Cc: linux-kernel, stable, Christoph Probst, Steven French

-----Original Message-----
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
Sent: Tuesday, June 11, 2019 12:20 AM
To: Pavel Shilovskiy <pshilov@microsoft.com>
Cc: linux-kernel@vger.kernel.org; stable@vger.kernel.org; Christoph Probst <kernel@probst.it>; Steven French <Steven.French@microsoft.com>
Subject: Re: [PATCH 4.4 041/241] cifs: fix strcat buffer overflow and reduce raciness in smb21_set_oplock_level()

On Mon, Jun 10, 2019 at 07:13:24PM +0000, Pavel Shilovskiy wrote:
> 
> -----Original Message-----
> From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> Sent: Sunday, June 9, 2019 9:40 AM
> To: linux-kernel@vger.kernel.org
> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>; 
> stable@vger.kernel.org; Christoph Probst <kernel@probst.it>; Pavel 
> Shilovskiy <pshilov@microsoft.com>; Steven French 
> <Steven.French@microsoft.com>
> Subject: [PATCH 4.4 041/241] cifs: fix strcat buffer overflow and 
> reduce raciness in smb21_set_oplock_level()
> 
> From: Christoph Probst <kernel@probst.it>
> 
> commit 6a54b2e002c9d00b398d35724c79f9fe0d9b38fb upstream.
> 
> Change strcat to strncpy in the "None" case to fix a buffer overflow when cinode->oplock is reset to 0 by another thread accessing the same cinode. It is never valid to append "None" to any other message.
> 
> Consolidate multiple writes to cinode->oplock to reduce raciness.
> 
> Signed-off-by: Christoph Probst <kernel@probst.it>
> Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
> Signed-off-by: Steve French <stfrench@microsoft.com>
> CC: Stable <stable@vger.kernel.org>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> --------------------------------
> 
> Hi Greg,
> 
> This patch has been queued for 4.4.y and has already been merged into 
> 5.1.y (5.1.5). Are you going to apply it to other stable kernels: 4.9, 
> 4.14, 4.19?

It is already in the 4.9.179, 4.14.122, 4.19.46, 5.0.19, and 5.1.5 released kernels.  So I don't think I can merge it into them again :)

thanks,

greg k-h
---------------------------------

You are right, I missed it somehow. Thanks for clarifying!

Best regards,
Pavel Shilovsky


end of thread, other threads:[~2019-06-11 18:36 UTC | newest]

Thread overview: 250+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-06-09 16:39 [PATCH 4.4 000/241] 4.4.181-stable review Greg Kroah-Hartman
2019-06-09 16:39 ` [PATCH 4.4 001/241] x86/speculation/mds: Revert CPU buffer clear on double fault exit Greg Kroah-Hartman
2019-06-09 16:39 ` [PATCH 4.4 002/241] x86/speculation/mds: Improve CPU buffer clear documentation Greg Kroah-Hartman
2019-06-09 16:39 ` [PATCH 4.4 003/241] ARM: exynos: Fix a leaked reference by adding missing of_node_put Greg Kroah-Hartman
2019-06-09 16:39 ` [PATCH 4.4 004/241] crypto: vmx - fix copy-paste error in CTR mode Greg Kroah-Hartman
2019-06-09 16:39 ` [PATCH 4.4 005/241] crypto: crct10dif-generic - fix use via crypto_shash_digest() Greg Kroah-Hartman
2019-06-09 16:39 ` [PATCH 4.4 006/241] crypto: x86/crct10dif-pcl " Greg Kroah-Hartman
2019-06-09 16:39 ` [PATCH 4.4 007/241] ALSA: usb-audio: Fix a memory leak bug Greg Kroah-Hartman
2019-06-09 16:39 ` [PATCH 4.4 008/241] ALSA: hda/hdmi - Consider eld_valid when reporting jack event Greg Kroah-Hartman
2019-06-09 16:39 ` [PATCH 4.4 009/241] ALSA: hda/realtek - EAPD turn on later Greg Kroah-Hartman
2019-06-09 16:39 ` [PATCH 4.4 010/241] ASoC: max98090: Fix restore of DAPM Muxes Greg Kroah-Hartman
2019-06-09 16:39 ` [PATCH 4.4 011/241] ASoC: RT5677-SPI: Disable 16Bit SPI Transfers Greg Kroah-Hartman
2019-06-09 16:39 ` [PATCH 4.4 012/241] mm/mincore.c: make mincore() more conservative Greg Kroah-Hartman
2019-06-09 16:39 ` [PATCH 4.4 013/241] ocfs2: fix ocfs2 read inode data panic in ocfs2_iget Greg Kroah-Hartman
2019-06-09 16:39 ` [PATCH 4.4 014/241] mfd: da9063: Fix OTP control register names to match datasheets for DA9063/63L Greg Kroah-Hartman
2019-06-09 16:39 ` [PATCH 4.4 015/241] tty/vt: fix write/write race in ioctl(KDSKBSENT) handler Greg Kroah-Hartman
2019-06-09 16:39 ` [PATCH 4.4 016/241] ext4: actually request zeroing of inode table after grow Greg Kroah-Hartman
2019-06-09 16:39 ` [PATCH 4.4 017/241] ext4: fix ext4_show_options for file systems w/o journal Greg Kroah-Hartman
2019-06-09 16:39 ` [PATCH 4.4 018/241] Btrfs: do not start a transaction at iterate_extent_inodes() Greg Kroah-Hartman
2019-06-09 16:39 ` [PATCH 4.4 019/241] bcache: fix a race between cache register and cacheset unregister Greg Kroah-Hartman
2019-06-09 16:39 ` [PATCH 4.4 020/241] bcache: never set KEY_PTRS of journal key to 0 in journal_reclaim() Greg Kroah-Hartman
2019-06-09 16:39 ` [PATCH 4.4 021/241] ipmi:ssif: compare block number correctly for multi-part return messages Greg Kroah-Hartman
2019-06-09 16:39 ` [PATCH 4.4 022/241] crypto: gcm - Fix error return code in crypto_gcm_create_common() Greg Kroah-Hartman
2019-06-09 16:39 ` [PATCH 4.4 023/241] crypto: gcm - fix incompatibility between "gcm" and "gcm_base" Greg Kroah-Hartman
2019-06-09 16:39 ` [PATCH 4.4 024/241] crypto: chacha20poly1305 - set cra_name correctly Greg Kroah-Hartman
2019-06-09 16:39 ` [PATCH 4.4 025/241] crypto: salsa20 - dont access already-freed walk.iv Greg Kroah-Hartman
2019-06-09 16:39 ` [PATCH 4.4 026/241] crypto: arm/aes-neonbs " Greg Kroah-Hartman
2019-06-09 16:39 ` [PATCH 4.4 027/241] writeback: synchronize sync(2) against cgroup writeback membership switches Greg Kroah-Hartman
2019-06-09 16:39 ` [PATCH 4.4 028/241] fs/writeback.c: use rcu_barrier() to wait for inflight wb switches going into workqueue when umount Greg Kroah-Hartman
2019-06-09 16:39 ` [PATCH 4.4 029/241] ext4: zero out the unused memory region in the extent tree block Greg Kroah-Hartman
2019-06-09 16:39 ` [PATCH 4.4 030/241] ALSA: hda/realtek - Fix for Lenovo B50-70 inverted internal microphone bug Greg Kroah-Hartman
2019-06-09 16:39 ` [PATCH 4.4 031/241] KVM: x86: Skip EFER vs. guest CPUID checks for host-initiated writes Greg Kroah-Hartman
2019-06-09 16:39 ` [PATCH 4.4 032/241] net: avoid weird emergency message Greg Kroah-Hartman
2019-06-09 16:39 ` [PATCH 4.4 033/241] net/mlx4_core: Change the error print to info print Greg Kroah-Hartman
2019-06-09 16:39 ` [PATCH 4.4 034/241] ppp: deflate: Fix possible crash in deflate_init Greg Kroah-Hartman
2019-06-09 16:39 ` [PATCH 4.4 035/241] tipc: switch order of device registration to fix a crash Greg Kroah-Hartman
2019-06-09 16:39 ` [PATCH 4.4 036/241] tipc: fix modprobe tipc failed after switch order of device registration Greg Kroah-Hartman
2019-06-09 16:39 ` [PATCH 4.4 037/241] stm class: Fix channel free in stm output free path Greg Kroah-Hartman
2019-06-09 16:39 ` [PATCH 4.4 038/241] md: add mddev->pers to avoid potential NULL pointer dereference Greg Kroah-Hartman
2019-06-09 16:39 ` [PATCH 4.4 039/241] intel_th: msu: Fix single mode with IOMMU Greg Kroah-Hartman
2019-06-09 16:39 ` [PATCH 4.4 040/241] of: fix clang -Wunsequenced for be32_to_cpu() Greg Kroah-Hartman
2019-06-09 16:39 ` [PATCH 4.4 041/241] cifs: fix strcat buffer overflow and reduce raciness in smb21_set_oplock_level() Greg Kroah-Hartman
2019-06-10 19:13   ` Pavel Shilovskiy
2019-06-11  7:20     ` Greg Kroah-Hartman
2019-06-11 18:35       ` Pavel Shilovskiy
2019-06-09 16:39 ` [PATCH 4.4 042/241] media: ov6650: Fix sensor possibly not detected on probe Greg Kroah-Hartman
2019-06-09 16:39 ` [PATCH 4.4 043/241] NFS4: Fix v4.0 client state corruption when mount Greg Kroah-Hartman
2019-06-09 16:39 ` [PATCH 4.4 044/241] clk: tegra: Fix PLLM programming on Tegra124+ when PMC overrides divider Greg Kroah-Hartman
2019-06-09 16:39 ` [PATCH 4.4 045/241] fuse: fix writepages on 32bit Greg Kroah-Hartman
2019-06-09 16:39 ` [PATCH 4.4 046/241] fuse: honor RLIMIT_FSIZE in fuse_file_fallocate Greg Kroah-Hartman
2019-06-09 16:39 ` [PATCH 4.4 047/241] iommu/tegra-smmu: Fix invalid ASID bits on Tegra30/114 Greg Kroah-Hartman
2019-06-09 16:39 ` [PATCH 4.4 048/241] ceph: flush dirty inodes before proceeding with remount Greg Kroah-Hartman
2019-06-09 16:39 ` [PATCH 4.4 049/241] tracing: Fix partial reading of trace events id file Greg Kroah-Hartman
2019-06-09 16:39 ` [PATCH 4.4 050/241] memory: tegra: Fix integer overflow on tick value calculation Greg Kroah-Hartman
2019-06-09 16:39 ` [PATCH 4.4 051/241] perf intel-pt: Fix instructions sampling rate Greg Kroah-Hartman
2019-06-09 16:39 ` [PATCH 4.4 052/241] perf intel-pt: Fix improved sample timestamp Greg Kroah-Hartman
2019-06-09 16:39 ` [PATCH 4.4 053/241] perf intel-pt: Fix sample timestamp wrt non-taken branches Greg Kroah-Hartman
2019-06-09 16:39 ` [PATCH 4.4 054/241] fbdev: sm712fb: fix brightness control on reboot, dont set SR30 Greg Kroah-Hartman
2019-06-09 16:39 ` [PATCH 4.4 055/241] fbdev: sm712fb: fix VRAM detection, dont set SR70/71/74/75 Greg Kroah-Hartman
2019-06-09 16:39 ` [PATCH 4.4 056/241] fbdev: sm712fb: fix white screen of death on reboot, dont set CR3B-CR3F Greg Kroah-Hartman
2019-06-09 16:39 ` [PATCH 4.4 057/241] fbdev: sm712fb: fix boot screen glitch when sm712fb replaces VGA Greg Kroah-Hartman
2019-06-09 16:40 ` [PATCH 4.4 058/241] fbdev: sm712fb: fix crashes during framebuffer writes by correctly mapping VRAM Greg Kroah-Hartman
2019-06-09 16:40 ` [PATCH 4.4 059/241] fbdev: sm712fb: fix support for 1024x768-16 mode Greg Kroah-Hartman
2019-06-09 16:40 ` [PATCH 4.4 060/241] fbdev: sm712fb: use 1024x768 by default on non-MIPS, fix garbled display Greg Kroah-Hartman
2019-06-09 16:40 ` [PATCH 4.4 061/241] fbdev: sm712fb: fix crashes and garbled display during DPMS modesetting Greg Kroah-Hartman
2019-06-09 16:40 ` [PATCH 4.4 062/241] PCI: Mark Atheros AR9462 to avoid bus reset Greg Kroah-Hartman
2019-06-09 16:40 ` [PATCH 4.4 063/241] dm delay: fix a crash when invalid device is specified Greg Kroah-Hartman
2019-06-09 16:40 ` [PATCH 4.4 064/241] xfrm: policy: Fix out-of-bound array accesses in __xfrm_policy_unlink Greg Kroah-Hartman
2019-06-09 16:40 ` [PATCH 4.4 065/241] xfrm6_tunnel: Fix potential panic when unloading xfrm6_tunnel module Greg Kroah-Hartman
2019-06-09 16:40 ` [PATCH 4.4 066/241] vti4: ipip tunnel deregistration fixes Greg Kroah-Hartman
2019-06-09 16:40 ` [PATCH 4.4 067/241] xfrm4: Fix uninitialized memory read in _decode_session4 Greg Kroah-Hartman
2019-06-09 16:40 ` [PATCH 4.4 068/241] KVM: arm/arm64: Ensure vcpu target is unset on reset failure Greg Kroah-Hartman
2019-06-09 16:40 ` [PATCH 4.4 069/241] power: supply: sysfs: prevent endless uevent loop with CONFIG_POWER_SUPPLY_DEBUG Greg Kroah-Hartman
2019-06-09 16:40 ` [PATCH 4.4 070/241] ufs: fix braino in ufs_get_inode_gid() for solaris UFS flavour Greg Kroah-Hartman
2019-06-09 16:40 ` [PATCH 4.4 071/241] perf bench numa: Add define for RUSAGE_THREAD if not present Greg Kroah-Hartman
2019-06-09 16:40 ` [PATCH 4.4 072/241] Revert "Dont jump to compute_result state from check_result state" Greg Kroah-Hartman
2019-06-09 16:40 ` [PATCH 4.4 073/241] md/raid: raid5 preserve the writeback action after the parity check Greg Kroah-Hartman
2019-06-09 16:40 ` [PATCH 4.4 074/241] btrfs: Honour FITRIM range constraints during free space trim Greg Kroah-Hartman
2019-06-09 16:40 ` [PATCH 4.4 075/241] fbdev: sm712fb: fix memory frequency by avoiding a switch/case fallthrough Greg Kroah-Hartman
2019-06-09 16:40 ` [PATCH 4.4 076/241] ext4: do not delete unlinked inode from orphan list on failed truncate Greg Kroah-Hartman
2019-06-09 16:40 ` [PATCH 4.4 077/241] KVM: x86: fix return value for reserved EFER Greg Kroah-Hartman
2019-06-09 16:40 ` [PATCH 4.4 078/241] bio: fix improper use of smp_mb__before_atomic() Greg Kroah-Hartman
2019-06-09 16:40 ` [PATCH 4.4 079/241] Revert "scsi: sd: Keep disk read-only when re-reading partition" Greg Kroah-Hartman
2019-06-09 16:40 ` [PATCH 4.4 080/241] crypto: vmx - CTR: always increment IV as quadword Greg Kroah-Hartman
2019-06-09 16:40 ` [PATCH 4.4 081/241] gfs2: Fix sign extension bug in gfs2_update_stats Greg Kroah-Hartman
2019-06-09 16:40 ` [PATCH 4.4 082/241] Btrfs: fix race between ranged fsync and writeback of adjacent ranges Greg Kroah-Hartman
2019-06-09 16:40 ` [PATCH 4.4 083/241] btrfs: sysfs: dont leak memory when failing add fsid Greg Kroah-Hartman
2019-06-09 16:40 ` [PATCH 4.4 084/241] fbdev: fix divide error in fb_var_to_videomode Greg Kroah-Hartman
2019-06-09 16:40 ` [PATCH 4.4 085/241] hugetlb: use same fault hash key for shared and private mappings Greg Kroah-Hartman
2019-06-09 16:40 ` [PATCH 4.4 086/241] fbdev: fix WARNING in __alloc_pages_nodemask bug Greg Kroah-Hartman
2019-06-09 16:40 ` [PATCH 4.4 087/241] media: cpia2: Fix use-after-free in cpia2_exit Greg Kroah-Hartman
2019-06-09 16:40 ` [PATCH 4.4 088/241] media: vivid: use vfree() instead of kfree() for dev->bitmap_cap Greg Kroah-Hartman
2019-06-09 16:40 ` [PATCH 4.4 089/241] ssb: Fix possible NULL pointer dereference in ssb_host_pcmcia_exit Greg Kroah-Hartman
2019-06-09 16:40 ` [PATCH 4.4 090/241] at76c50x-usb: Dont register led_trigger if usb_register_driver failed Greg Kroah-Hartman
2019-06-09 16:40 ` [PATCH 4.4 091/241] perf tools: No need to include bitops.h in util.h Greg Kroah-Hartman
2019-06-09 16:40 ` [PATCH 4.4 092/241] tools include: Adopt linux/bits.h Greg Kroah-Hartman
2019-06-09 16:40 ` [PATCH 4.4 093/241] gfs2: Fix lru_count going negative Greg Kroah-Hartman
2019-06-09 16:40 ` [PATCH 4.4 094/241] cxgb4: Fix error path in cxgb4_init_module Greg Kroah-Hartman
2019-06-09 16:40 ` [PATCH 4.4 095/241] mmc: core: Verify SD bus width Greg Kroah-Hartman
2019-06-09 16:40 ` [PATCH 4.4 096/241] powerpc/boot: Fix missing check of lseek() return value Greg Kroah-Hartman
2019-06-09 16:40 ` [PATCH 4.4 097/241] ASoC: imx: fix fiq dependencies Greg Kroah-Hartman
2019-06-09 16:40 ` [PATCH 4.4 098/241] spi: pxa2xx: fix SCR (divisor) calculation Greg Kroah-Hartman
2019-06-09 16:40 ` [PATCH 4.4 099/241] brcm80211: potential NULL dereference in brcmf_cfg80211_vndr_cmds_dcmd_handler() Greg Kroah-Hartman
2019-06-09 16:40 ` [PATCH 4.4 100/241] rtc: 88pm860x: prevent use-after-free on device remove Greg Kroah-Hartman
2019-06-09 16:40 ` [PATCH 4.4 101/241] w1: fix the resume command API Greg Kroah-Hartman
2019-06-09 16:40 ` [PATCH 4.4 102/241] dmaengine: pl330: _stop: clear interrupt status Greg Kroah-Hartman
2019-06-09 16:40 ` [PATCH 4.4 103/241] mac80211/cfg80211: update bss channel on channel switch Greg Kroah-Hartman
2019-06-09 16:40 ` [PATCH 4.4 104/241] ASoC: fsl_sai: Update is_slave_mode with correct value Greg Kroah-Hartman
2019-06-09 16:40 ` [PATCH 4.4 105/241] mwifiex: prevent an array overflow Greg Kroah-Hartman
2019-06-09 16:40 ` [PATCH 4.4 106/241] net: cw1200: fix a NULL pointer dereference Greg Kroah-Hartman
2019-06-09 16:40 ` [PATCH 4.4 107/241] bcache: return error immediately in bch_journal_replay() Greg Kroah-Hartman
2019-06-09 16:40 ` [PATCH 4.4 108/241] bcache: fix failure in journal relplay Greg Kroah-Hartman
2019-06-09 16:40 ` [PATCH 4.4 109/241] bcache: add failure check to run_cache_set() for journal replay Greg Kroah-Hartman
2019-06-09 16:40 ` [PATCH 4.4 110/241] bcache: avoid clang -Wunintialized warning Greg Kroah-Hartman
2019-06-09 16:40 ` [PATCH 4.4 111/241] x86/build: Move _etext to actual end of .text Greg Kroah-Hartman
2019-06-09 16:40 ` [PATCH 4.4 112/241] smpboot: Place the __percpu annotation correctly Greg Kroah-Hartman
2019-06-09 16:40 ` [PATCH 4.4 113/241] x86/mm: Remove in_nmi() warning from 64-bit implementation of vmalloc_fault() Greg Kroah-Hartman
2019-06-09 16:40 ` [PATCH 4.4 114/241] mm/uaccess: Use unsigned long to placate UBSAN warnings on older GCC versions Greg Kroah-Hartman
2019-06-09 16:40 ` [PATCH 4.4 115/241] HID: logitech-hidpp: use RAP instead of FAP to get the protocol version Greg Kroah-Hartman
2019-06-09 16:40 ` [PATCH 4.4 116/241] pinctrl: pistachio: fix leaked of_node references Greg Kroah-Hartman
2019-06-09 16:40 ` [PATCH 4.4 117/241] dmaengine: at_xdmac: remove BUG_ON macro in tasklet Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.4 118/241] media: coda: clear error return value before picture run Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.4 119/241] media: ov6650: Move v4l2_clk_get() to ov6650_video_probe() helper Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.4 120/241] media: au0828: stop video streaming only when last user stops Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.4 121/241] media: ov2659: make S_FMT succeed even if requested format doesnt match Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.4 122/241] audit: fix a memory leak bug Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.4 123/241] media: au0828: Fix NULL pointer dereference in au0828_analog_stream_enable() Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.4 124/241] media: pvrusb2: Prevent a buffer overflow Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.4 125/241] powerpc/numa: improve control of topology updates Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.4 126/241] sched/core: Check quota and period overflow at usec to nsec conversion Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.4 127/241] sched/core: Handle overflow in cpu_shares_write_u64 Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.4 128/241] USB: core: Dont unbind interfaces following device reset failure Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.4 129/241] x86/irq/64: Limit IST stack overflow check to #DB stack Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.4 130/241] i40e: dont allow changes to HW VLAN stripping on active port VLANs Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.4 131/241] RDMA/cxgb4: Fix null pointer dereference on alloc_skb failure Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.4 132/241] hwmon: (vt1211) Use request_muxed_region for Super-IO accesses Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.4 133/241] hwmon: (smsc47m1) " Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.4 134/241] hwmon: (smsc47b397) " Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.4 135/241] hwmon: (pc87427) " Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.4 136/241] hwmon: (f71805f) " Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.4 137/241] scsi: libsas: Do discovery on empty PHY to update PHY info Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.4 138/241] mmc_spi: add a status check for spi_sync_locked Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.4 139/241] mmc: sdhci-of-esdhc: add erratum eSDHC5 support Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.4 140/241] mmc: sdhci-of-esdhc: add erratum eSDHC-A001 and A-008358 support Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.4 141/241] PM / core: Propagate dev->power.wakeup_path when no callbacks Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.4 142/241] extcon: arizona: Disable mic detect if running when driver is removed Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.4 143/241] s390: cio: fix cio_irb declaration Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.4 144/241] cpufreq: ppc_cbe: fix possible object reference leak Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.4 145/241] cpufreq/pasemi: " Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.4 146/241] cpufreq: pmac32: " Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.4 147/241] x86/build: Keep local relocations with ld.lld Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.4 148/241] iio: ad_sigma_delta: Properly handle SPI bus locking vs CS assertion Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.4 149/241] iio: hmc5843: fix potential NULL pointer dereferences Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.4 150/241] iio: common: ssp_sensors: Initialize calculated_time in ssp_common_process_data Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.4 151/241] rtlwifi: fix a potential NULL pointer dereference Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.4 152/241] brcmfmac: fix missing checks for kmemdup Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.4 153/241] b43: shut up clang -Wuninitialized variable warning Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.4 154/241] brcmfmac: convert dev_init_lock mutex to completion Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.4 155/241] brcmfmac: fix race during disconnect when USB completion is in progress Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.4 156/241] scsi: ufs: Fix regulator load and icc-level configuration Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.4 157/241] scsi: ufs: Avoid configuring regulator with undefined voltage range Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.4 158/241] arm64: cpu_ops: fix a leaked reference by adding missing of_node_put Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.4 159/241] x86/ia32: Fix ia32_restore_sigcontext() AC leak Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.4 160/241] chardev: add additional check for minor range overlap Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.4 161/241] HID: core: move Usage Page concatenation to Main item Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.4 162/241] ASoC: eukrea-tlv320: fix a leaked reference by adding missing of_node_put Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.4 163/241] ASoC: fsl_utils: " Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.4 164/241] cxgb3/l2t: Fix undefined behaviour Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.4 165/241] spi: tegra114: reset controller on probe Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.4 166/241] media: wl128x: prevent two potential buffer overflows Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.4 167/241] virtio_console: initialize vtermno value for ports Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.4 168/241] tty: ipwireless: fix missing checks for ioremap Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.4 169/241] rcutorture: Fix cleanup path for invalid torture_type strings Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.4 170/241] usb: core: Add PM runtime calls to usb_hcd_platform_shutdown Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.4 171/241] scsi: qla4xxx: avoid freeing unallocated dma memory Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.4 172/241] media: m88ds3103: serialize reset messages in m88ds3103_set_frontend Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.4 173/241] media: go7007: avoid clang frame overflow warning with KASAN Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.4 174/241] media: saa7146: avoid high stack usage with clang Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.4 175/241] scsi: lpfc: Fix SLI3 commands being issued on SLI4 devices Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.4 176/241] spi : spi-topcliff-pch: Fix to handle empty DMA buffers Greg Kroah-Hartman
2019-06-09 16:41 ` [PATCH 4.4 177/241] spi: rspi: Fix sequencer reset during initialization Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.4 178/241] spi: Fix zero length xfer bug Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.4 179/241] ASoC: davinci-mcasp: Fix clang warning without CONFIG_PM Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.4 180/241] ipv6: Consider sk_bound_dev_if when binding a raw socket to an address Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.4 181/241] llc: fix skb leak in llc_build_and_send_ui_pkt() Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.4 182/241] net-gro: fix use-after-free read in napi_gro_frags() Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.4 183/241] net: stmmac: fix reset gpio free missing Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.4 184/241] usbnet: fix kernel crash after disconnect Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.4 185/241] tipc: Avoid copying bytes beyond the supplied data Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.4 186/241] bnxt_en: Fix aggregation buffer leak under OOM condition Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.4 187/241] net: mvpp2: fix bad MVPP2_TXQ_SCHED_TOKEN_CNTR_REG queue value Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.4 188/241] crypto: vmx - ghash: do nosimd fallback manually Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.4 189/241] xen/pciback: Dont disable PCI_COMMAND on PCI device reset Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.4 190/241] Revert "tipc: fix modprobe tipc failed after switch order of device registration" Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.4 191/241] tipc: fix modprobe tipc failed after switch order of device registration -v2 Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.4 192/241] sparc64: Fix regression in non-hypervisor TLB flush xcall Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.4 193/241] include/linux/bitops.h: sanitize rotate primitives Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.4 194/241] xhci: Convert xhci_handshake() to use readl_poll_timeout_atomic() Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.4 195/241] usb: xhci: avoid null pointer deref when bos field is NULL Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.4 196/241] USB: Fix slab-out-of-bounds write in usb_get_bos_descriptor Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.4 197/241] USB: sisusbvga: fix oops in error path of sisusb_probe Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.4 198/241] USB: Add LPM quirk for Surface Dock GigE adapter Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.4 199/241] USB: rio500: refuse more than one device at a time Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.4 200/241] USB: rio500: fix memory leak in close after disconnect Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.4 201/241] media: usb: siano: Fix general protection fault in smsusb Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.4 202/241] media: usb: siano: Fix false-positive "uninitialized variable" warning Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.4 203/241] media: smsusb: better handle optional alignment Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.4 204/241] scsi: zfcp: fix missing zfcp_port reference put on -EBUSY from port_remove Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.4 205/241] scsi: zfcp: fix to prevent port_remove with pure auto scan LUNs (only sdevs) Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.4 206/241] Btrfs: fix race updating log root item during fsync Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.4 207/241] ALSA: hda/realtek - Set default power save node to 0 Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.4 208/241] drm/nouveau/i2c: Disable i2c bus access after ->fini() Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.4 209/241] tty: serial: msm_serial: Fix XON/XOFF Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.4 210/241] tty: max310x: Fix external crystal register setup Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.4 211/241] memcg: make it work on sparse non-0-node systems Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.4 212/241] kernel/signal.c: trace_signal_deliver when signal_group_exit Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.4 213/241] CIFS: cifs_read_allocate_pages: dont iterate through whole page array on ENOMEM Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.4 214/241] binder: Replace "%p" with "%pK" for stable Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.4 215/241] binder: replace "%p" with "%pK" Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.4 216/241] net: create skb_gso_validate_mac_len() Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.4 217/241] bnx2x: disable GSO where gso_size is too big for hardware Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.4 218/241] brcmfmac: Add length checks on firmware events Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.4 219/241] brcmfmac: screening firmware event packet Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.4 220/241] brcmfmac: revise handling events in receive path Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.4 221/241] brcmfmac: fix incorrect event channel deduction Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.4 222/241] brcmfmac: add length checks in scheduled scan result handler Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.4 223/241] brcmfmac: add subtype check for event handling in data path Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.4 224/241] userfaultfd: dont pin the user memory in userfaultfd_file_create() Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.4 225/241] Revert "x86/build: Move _etext to actual end of .text" Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.4 226/241] net: cdc_ncm: GetNtbFormat endian fix Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.4 227/241] usb: gadget: fix request length error for isoc transfer Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.4 228/241] media: uvcvideo: Fix uvc_alloc_entity() allocation alignment Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.4 229/241] ethtool: fix potential userspace buffer overflow Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.4 230/241] neighbor: Call __ipv4_neigh_lookup_noref in neigh_xmit Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.4 231/241] net/mlx4_en: ethtool, Remove unsupported SFP EEPROM high pages query Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.4 232/241] net: rds: fix memory leak in rds_ib_flush_mr_pool Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.4 233/241] pktgen: do not sleep with the thread lock held Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.4 234/241] rcu: locking and unlocking need to always be at least barriers Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.4 235/241] parisc: Use implicit space register selection for loading the coherence index of I/O pdirs Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.4 236/241] fuse: fallocate: fix return with locked inode Greg Kroah-Hartman
2019-06-09 16:42 ` [PATCH 4.4 237/241] MIPS: pistachio: Build uImage.gz by default Greg Kroah-Hartman
2019-06-09 16:43 ` [PATCH 4.4 238/241] genwqe: Prevent an integer overflow in the ioctl Greg Kroah-Hartman
2019-06-09 16:43 ` [PATCH 4.4 239/241] drm/gma500/cdv: Check vbt config bits when detecting lvds panels Greg Kroah-Hartman
2019-06-09 16:43 ` [PATCH 4.4 240/241] fs: stream_open - opener for stream-like files so that read and write can run simultaneously without deadlock Greg Kroah-Hartman
2019-06-09 16:43 ` [PATCH 4.4 241/241] fuse: Add FOPEN_STREAM to use stream_open() Greg Kroah-Hartman
2019-06-09 22:30 ` [PATCH 4.4 000/241] 4.4.181-stable review kernelci.org bot
2019-06-10  8:48 ` Naresh Kamboju
2019-06-10  8:49 ` Jon Hunter
2019-06-10 14:41 ` Guenter Roeck
2019-06-10 21:46 ` shuah