* [PATCH 4.19 000/245] 4.19.149-rc1 review
@ 2020-09-29 10:57 Greg Kroah-Hartman
2020-09-29 10:57 ` [PATCH 4.19 001/245] selinux: allow labeling before policy is loaded Greg Kroah-Hartman
` (247 more replies)
0 siblings, 248 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:57 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuah, patches,
ben.hutchings, lkft-triage, pavel, stable
This is the start of the stable review cycle for the 4.19.149 release.
There are 245 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Thu, 01 Oct 2020 10:59:03 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.149-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Linux 4.19.149-rc1
Marc Zyngier <maz@kernel.org>
KVM: arm64: Assume write fault on S1PTW permission fault on instruction fetch
Jiri Slaby <jslaby@suse.cz>
ata: sata_mv, avoid trigerrable BUG_ON
Jiri Slaby <jslaby@suse.cz>
ata: make qc_prep return ata_completion_errors
Jiri Slaby <jslaby@suse.cz>
ata: define AC_ERR_OK
Muchun Song <songmuchun@bytedance.com>
kprobes: Fix compiler warning for !CONFIG_KPROBES_ON_FTRACE
Christian Borntraeger <borntraeger@de.ibm.com>
s390/zcrypt: Fix ZCRYPT_PERDEV_REQCNT ioctl
Gao Xiang <hsiangkao@redhat.com>
mm, THP, swap: fix allocating cluster for swapfile by mistake
Masami Hiramatsu <mhiramat@kernel.org>
kprobes: Fix to check probe enabled before disarm_kprobe_ftrace()
Jan Höppner <hoeppner@linux.ibm.com>
s390/dasd: Fix zero write for FBA devices
Tom Rix <trix@redhat.com>
tracing: fix double free
Tom Lendacky <thomas.lendacky@amd.com>
KVM: SVM: Add a dedicated INVD intercept routine
Sean Christopherson <sean.j.christopherson@intel.com>
KVM: x86: Reset MMU context if guest toggles CR4.SMAP or CR4.PKE
Wei Li <liwei391@huawei.com>
MIPS: Add the missing 'CPU_1074K' into __get_cpu_type()
Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
regmap: fix page selection for noinc reads
Tom Rix <trix@redhat.com>
ALSA: asihpi: fix iounmap in error handler
Yonghong Song <yhs@fb.com>
bpf: Fix a rcu warning for bpffs map pretty-print
Linus Lüssing <linus.luessing@c0d3.blue>
batman-adv: mcast: fix duplicate mcast packets from BLA backbone to mesh
Linus Lüssing <linus.luessing@c0d3.blue>
batman-adv: mcast: fix duplicate mcast packets in BLA backbone from mesh
Sven Eckelmann <sven@narfation.org>
batman-adv: Add missing include for in_interrupt()
Martin Cerveny <m.cerveny@computer.org>
drm/sun4i: sun8i-csc: Secondary CSC register correction
Dmitry Bogdanov <dbogdanov@marvell.com>
net: qed: RDMA personality shouldn't fail VF load
Marek Szyprowski <m.szyprowski@samsung.com>
drm/vc4/vc4_hdmi: fill ASoC card owner
Daniel Borkmann <daniel@iogearbox.net>
bpf: Fix clobbering of r2 in bpf_gen_ld_abs
Eric Dumazet <edumazet@google.com>
mac802154: tx: fix use-after-free
Linus Lüssing <linus.luessing@c0d3.blue>
batman-adv: mcast/TT: fix wrongly dropped or rerouted packets
Jing Xiangfeng <jingxiangfeng@huawei.com>
atm: eni: fix the missed pci_disable_device() for eni_init_one()
Linus Lüssing <ll@simonwunderlich.de>
batman-adv: bla: fix type misuse for backbone_gw hash indexing
Maximilian Luz <luzmaximilian@gmail.com>
mwifiex: Increase AES key storage size to 256 bits
Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
clocksource/drivers/h8300_timer8: Fix wrong return value in h8300_8timer_init()
Tom Rix <trix@redhat.com>
ieee802154/adf7242: check status of adf7242_read_reg
Liu Jian <liujian56@huawei.com>
ieee802154: fix one possible memleak in ca8210_dev_com_init
Josh Poimboeuf <jpoimboe@redhat.com>
objtool: Fix noreturn detection for ignored functions
Hans de Goede <hdegoede@redhat.com>
i2c: core: Call i2c_acpi_install_space_handler() before i2c_acpi_register_devices()
Dennis Li <Dennis.Li@amd.com>
drm/amdkfd: fix a memory leak issue
Sven Schnelle <svens@linux.ibm.com>
lockdep: fix order in trace_hardirqs_off_caller()
Ilya Leoshkevich <iii@linux.ibm.com>
s390/init: add missing __init annotations
Palmer Dabbelt <palmerdabbelt@google.com>
RISC-V: Take text_mutex in ftrace_init_nop()
Hans de Goede <hdegoede@redhat.com>
ASoC: Intel: bytcr_rt5640: Add quirk for MPMAN Converter9 2-in-1
Sylwester Nawrocki <s.nawrocki@samsung.com>
ASoC: wm8994: Ensure the device is resumed in wm89xx_mic_detect functions
Sylwester Nawrocki <s.nawrocki@samsung.com>
ASoC: wm8994: Skip setting of the WM8994_MICBIAS register for WM1811
Anthony Iliopoulos <ailiop@suse.com>
nvme: explicitly update mpath disk capacity on revalidation
Tonghao Zhang <xiangxia.m.yue@gmail.com>
net: openvswitch: use div_u64() for 64-by-32 divisions
Jin Yao <yao.jin@linux.intel.com>
perf parse-events: Use strcmp() to compare the PMU name
Hou Tao <houtao1@huawei.com>
ubi: fastmap: Free unused fastmap anchor peb during detach
Qu Wenruo <wqu@suse.com>
btrfs: qgroup: fix data leak caused by race between writeback and truncate
Zeng Tao <prime.zeng@hisilicon.com>
vfio/pci: fix racy on error and request eventfd ctx
Andy Lutomirski <luto@kernel.org>
selftests/x86/syscall_nt: Clear weird flags after each test
Javed Hasan <jhasan@marvell.com>
scsi: libfc: Skip additional kref updating work event
Javed Hasan <jhasan@marvell.com>
scsi: libfc: Handling of extra kref
Sagi Grimberg <sagi@grimberg.me>
nvme: fix possible deadlock when I/O is blocked
Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
cifs: Fix double add page to memcg when cifs_readpages
Alex Williamson <alex.williamson@redhat.com>
vfio/pci: Clear error and request eventfd ctx after releasing
Thomas Gleixner <tglx@linutronix.de>
x86/speculation/mds: Mark mds_user_clear_cpu_buffers() __always_inline
Boris Brezillon <boris.brezillon@collabora.com>
mtd: parser: cmdline: Support MTD names containing one or more colons
Madhuparna Bhowmik <madhuparnabhowmik10@gmail.com>
rapidio: avoid data race between file operation callbacks and mport_cdev_add().
Qian Cai <cai@lca.pw>
mm/swap_state: fix a data race in swapin_nr_pages
Jeff Layton <jlayton@kernel.org>
ceph: fix potential race in ceph_check_caps
Dinghao Liu <dinghao.liu@zju.edu.cn>
PCI: tegra: Fix runtime PM imbalance on error
Dinghao Liu <dinghao.liu@zju.edu.cn>
mtd: rawnand: omap_elm: Fix runtime PM imbalance on error
Dinghao Liu <dinghao.liu@zju.edu.cn>
wlcore: fix runtime pm imbalance in wlcore_regdomain_config
Dinghao Liu <dinghao.liu@zju.edu.cn>
wlcore: fix runtime pm imbalance in wl1271_tx_work
Dinghao Liu <dinghao.liu@zju.edu.cn>
ASoC: img-i2s-out: Fix runtime PM imbalance on error
Adrian Hunter <adrian.hunter@intel.com>
perf kcore_copy: Fix module map when there are no modules loaded
Ian Rogers <irogers@google.com>
perf metricgroup: Free metric_events on error
Xie XiuQi <xiexiuqi@huawei.com>
perf util: Fix memory leak of prefix_if_not_in
Jiri Olsa <jolsa@kernel.org>
perf stat: Fix duration_time value for higher intervals
Ian Rogers <irogers@google.com>
perf trace: Fix the selection for architectures to generate the errno name tables
Ian Rogers <irogers@google.com>
perf evsel: Fix 2 memory leaks
Qian Cai <cai@lca.pw>
vfio/pci: fix memory leaks of eventfd ctx
David Sterba <dsterba@suse.com>
btrfs: don't force read-only after error in drop snapshot
Yu Chen <chenyu56@huawei.com>
usb: dwc3: Increase timeout for CmdAct cleared by device controller
Shreyas Joshi <shreyas.joshi@biamp.com>
printk: handle blank console arguments passed in.
Dinghao Liu <dinghao.liu@zju.edu.cn>
drm/nouveau/dispnv50: fix runtime pm imbalance on error
Dinghao Liu <dinghao.liu@zju.edu.cn>
drm/nouveau: fix runtime pm imbalance on error
Dinghao Liu <dinghao.liu@zju.edu.cn>
drm/nouveau/debugfs: fix runtime pm imbalance on error
Alexander Duyck <alexander.h.duyck@linux.intel.com>
e1000: Do not perform reset in reset_task if we are already down
Anshuman Khandual <anshuman.khandual@arm.com>
arm64/cpufeature: Drop TraceFilt feature exposure from ID_DFR0 register
Wei Yongjun <weiyongjun1@huawei.com>
scsi: cxlflash: Fix error return code in cxlflash_probe()
Colin Ian King <colin.king@canonical.com>
USB: EHCI: ehci-mv: fix less than zero comparison of an unsigned int
Miklos Szeredi <mszeredi@redhat.com>
fuse: don't check refcount after stealing page
Nicholas Piggin <npiggin@gmail.com>
powerpc/traps: Make unrecoverable NMIs die instead of panic
Takashi Iwai <tiwai@suse.de>
ALSA: hda: Fix potential race in unsol event handler
Jonathan Bakker <xc-racer2@live.ca>
tty: serial: samsung: Correct clock selection logic
Tuong Lien <tuong.t.lien@dektech.com.au>
tipc: fix memory leak in service subscripting
Tang Bin <tangbin@cmss.chinamobile.com>
USB: EHCI: ehci-mv: fix error handling in mv_ehci_probe()
Sonny Sasaka <sonnysasaka@chromium.org>
Bluetooth: Handle Inquiry Cancel error after Inquiry Complete
Jonathan Bakker <xc-racer2@live.ca>
phy: samsung: s5pv210-usb2: Add delay after reset
Jonathan Bakker <xc-racer2@live.ca>
power: supply: max17040: Correct voltage reading
Ian Rogers <irogers@google.com>
perf mem2node: Avoid double free related to realloc
Cong Wang <xiyou.wangcong@gmail.com>
atm: fix a memory leak of vcc->user_back
Krzysztof Kozlowski <krzk@kernel.org>
dt-bindings: sound: wm8994: Correct required supplies based on actual implementaion
Will Deacon <will@kernel.org>
arm64: cpufeature: Relax checks for AArch32 support at EL[0-2]
Wei Yongjun <weiyongjun1@huawei.com>
sparc64: vcc: Fix error return code in vcc_probe()
Ivan Safonov <insafonov@gmail.com>
staging:r8188eu: avoid skb_clone for amsdu to msdu conversion
Christophe JAILLET <christophe.jaillet@wanadoo.fr>
scsi: aacraid: Fix error handling paths in aac_probe_one()
Tonghao Zhang <xiangxia.m.yue@gmail.com>
net: openvswitch: use u64 for meter bucket
Zenghui Yu <yuzenghui@huawei.com>
KVM: arm64: vgic-its: Fix memory leak on the error path of vgic_add_lpi()
Madhuparna Bhowmik <madhuparnabhowmik10@gmail.com>
drivers: char: tlclk.c: Avoid data race between init and interrupt handler
Douglas Anderson <dianders@chromium.org>
bdev: Reduce time holding bd_mutex in sync in blkdev_close()
Stephane Eranian <eranian@google.com>
perf stat: Force error in fallback on :k events
Steve Rutherford <srutherford@google.com>
KVM: Remove CREATE_IRQCHIP/SET_PIT2 race
Raviteja Narayanam <raviteja.narayanam@xilinx.com>
serial: uartps: Wait for tx_empty in console setup
Nilesh Javali <njavali@marvell.com>
scsi: qedi: Fix termination timeouts in session logout
Jaewon Kim <jaewon31.kim@samsung.com>
mm/mmap.c: initialize align_offset explicitly for vm_unmapped_area
Israel Rukshin <israelr@mellanox.com>
nvmet-rdma: fix double free of rdma queue
Qian Cai <cai@lca.pw>
mm/vmscan.c: fix data races using kswapd_classzone_idx
Xianting Tian <xianting_tian@126.com>
mm/filemap.c: clear page error before actual read
Nathan Chancellor <natechancellor@gmail.com>
mm/kmemleak.c: use address-of operator on section symbols
Trond Myklebust <trond.myklebust@hammerspace.com>
NFS: Fix races nfs_page_group_destroy() vs nfs_destroy_unlinked_subrequests()
Stuart Hayes <stuart.w.hayes@gmail.com>
PCI: pciehp: Fix MSI interrupt race
Andreas Steinmetz <ast@domdv.de>
ALSA: usb-audio: Fix case when USB MIDI interface has more than one extra endpoint descriptor
Liu Song <liu.song11@zte.com.cn>
ubifs: Fix out-of-bounds memory access caused by abnormal value of node_len
Mikel Rychliski <mikel@mikelr.com>
PCI: Use ioremap(), not phys_to_virt() for platform ROM
Chuck Lever <chuck.lever@oracle.com>
svcrdma: Fix leak of transport addresses
Christophe JAILLET <christophe.jaillet@wanadoo.fr>
SUNRPC: Fix a potential buffer overflow in 'svc_print_xprts()'
Don Brace <don.brace@microsemi.com>
scsi: hpsa: correct race condition in offload enabled
Zhu Yanjun <yanjunz@mellanox.com>
RDMA/rxe: Set sys_image_guid to be aligned with HW IB devices
Israel Rukshin <israelr@mellanox.com>
nvme: Fix controller creation races with teardown flow
John Meneghini <johnm@netapp.com>
nvme-multipath: do not reset on unknown status
Gabriel Ravier <gabravier@gmail.com>
tools: gpio-hammer: Avoid potential overflow in main
Pratik Rajesh Sampat <psampat@linux.ibm.com>
cpufreq: powernv: Fix frame-size-overflow in powernv_cpufreq_work_fn
Christophe JAILLET <christophe.jaillet@wanadoo.fr>
perf cpumap: Fix snprintf overflow check
Vignesh Raghavendra <vigneshr@ti.com>
serial: 8250: 8250_omap: Terminate DMA before pushing data on RX timeout
Peter Ujfalusi <peter.ujfalusi@ti.com>
serial: 8250_omap: Fix sleeping function called from invalid context during probe
Vignesh Raghavendra <vigneshr@ti.com>
serial: 8250_port: Don't service RX FIFO if throttled
Ian Rogers <irogers@google.com>
perf parse-events: Fix 3 use after frees found with clang ASAN
Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
thermal: rcar_thermal: Handle probe error gracefully
Nathan Chancellor <natechancellor@gmail.com>
tracing: Use address-of operator on section symbols
Jordan Crouse <jcrouse@codeaurora.org>
drm/msm/a5xx: Always set an OPP supported hardware value
Pavel Machek <pavel@denx.de>
drm/msm: fix leaks if initialization fails
Gustavo Romero <gromero@linux.ibm.com>
KVM: PPC: Book3S HV: Treat TM-related invalid form instructions on P9 like the valid ones
Jason Gunthorpe <jgg@ziepe.ca>
RDMA/cm: Remove a race freeing timewait_info
Trond Myklebust <trondmy@gmail.com>
nfsd: Don't add locks to closed or closing open stateids
Alexandre Belloni <alexandre.belloni@bootlin.com>
rtc: ds1374: fix possible race condition
Alexandre Belloni <alexandre.belloni@bootlin.com>
rtc: sa1100: fix possible race condition
Stefan Berger <stefanb@linux.ibm.com>
tpm: ibmvtpm: Wait for buffer to be set before proceeding
Dmitry Monakhov <dmonakhov@gmail.com>
ext4: mark block bitmap corrupted when found instead of BUGON
Darrick J. Wong <darrick.wong@oracle.com>
xfs: mark dir corrupt when lookup-by-hash fails
Darrick J. Wong <darrick.wong@oracle.com>
xfs: don't ever return a stale pointer from __xfs_dir3_free_read
Colin Ian King <colin.king@canonical.com>
media: tda10071: fix unsigned sign extension overflow
Howard Chung <howardchung@google.com>
Bluetooth: L2CAP: handle l2cap config request during open state
Sagar Biradar <Sagar.Biradar@microchip.com>
scsi: aacraid: Disabling TM path and only processing IOP reset
Wen Gong <wgong@codeaurora.org>
ath10k: use kzalloc to read for ath10k_sdio_hif_diag_read
Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
drm/amd/display: Stop if retimer is not available
John Clements <john.clements@amd.com>
drm/amdgpu: increase atombios cmd timeout
Kirill A. Shutemov <kirill@shutemov.name>
mm: avoid data corruption on CoW fault into PFN-mapped VMA
John Garry <john.garry@huawei.com>
perf jevents: Fix leak of mapfile memory
Qiujun Huang <hqjagain@gmail.com>
ext4: fix a data race at inode->i_disksize
Wen Yang <wenyang@linux.alibaba.com>
timekeeping: Prevent 32bit truncation in scale64_check_overflow()
Alain Michaud <alainm@chromium.org>
Bluetooth: guard against controllers sending zero'd events
Takashi Iwai <tiwai@suse.de>
media: go7007: Fix URB type for interrupt handling
John Garry <john.garry@huawei.com>
bus: hisi_lpc: Fixup IO ports addresses to avoid use-after-free in host removal
Qian Cai <cai@lca.pw>
random: fix data races at timer_rand_state
James Morse <james.morse@arm.com>
firmware: arm_sdei: Use cpus_read_lock() to avoid races with cpuhp
Aric Cyr <aric.cyr@amd.com>
drm/amd/display: dal_ddc_i2c_payloads_create can fail causing panic
Dmitry Osipenko <digetx@gmail.com>
dmaengine: tegra-apb: Prevent race conditions on channel's freeing
Amelie Delaunay <amelie.delaunay@st.com>
dmaengine: stm32-dma: use vchan_terminate_vdesc() in .terminate_all
Thomas Gleixner <tglx@linutronix.de>
bpf: Remove recursion prevention from rcu free callback
Dave Hansen <dave.hansen@linux.intel.com>
x86/pkeys: Add check for pkey "overflow"
Dan Carpenter <dan.carpenter@oracle.com>
media: staging/imx: Missing assignment in imx_media_capture_device_register()
Amelie Delaunay <amelie.delaunay@st.com>
dmaengine: stm32-mdma: use vchan_terminate_vdesc() in .terminate_all
Paolo Bonzini <pbonzini@redhat.com>
KVM: x86: fix incorrect comparison in trace event
Bart Van Assche <bvanassche@acm.org>
RDMA/rxe: Fix configuration of atomic queue pair attributes
Thomas Richter <tmricht@linux.ibm.com>
perf test: Fix test trace+probe_vfs_getname.sh on s390
Takashi Iwai <tiwai@suse.de>
ALSA: usb-audio: Don't create a mixer element with bogus volume range
Felix Fietkau <nbd@nbd.name>
mt76: clear skb pointers from rx aggregation reorder buffer during cleanup
Ayush Sawal <ayush.sawal@chelsio.com>
crypto: chelsio - This fixes the kernel panic which occurs during a libkcapi test
Dinh Nguyen <dinguyen@kernel.org>
clk: stratix10: use do_div() for 64-bit calculation
Wen Yang <wen.yang99@zte.com.cn>
drm/omap: fix possible object reference leak
James Smart <jsmart2021@gmail.com>
scsi: lpfc: Fix coverity errors in fmdi attribute handling
James Smart <jsmart2021@gmail.com>
scsi: lpfc: Fix RQ buffer leakage when no IOCBs available
Vasily Averin <vvs@virtuozzo.com>
selinux: sel_avc_get_stat_idx should increase position index
Steve Grubb <sgrubb@redhat.com>
audit: CONFIG_CHANGE don't log internal bookkeeping as an event
Qian Cai <cai@lca.pw>
skbuff: fix a data race in skb_queue_len()
Mohan Kumar <mkumard@nvidia.com>
ALSA: hda: Clear RIRB status before reading WP
Zhuang Yanying <ann.zhuangyanying@huawei.com>
KVM: fix overflow of zero page refcount with ksm running
Hillf Danton <hdanton@sina.com>
Bluetooth: prefetch channel before killing sock
Steven Price <steven.price@arm.com>
mm: pagewalk: fix termination condition in walk_pte_range()
Vasily Averin <vvs@virtuozzo.com>
mm/swapfile.c: swap_next should increase position index
Manish Mandlik <mmandlik@google.com>
Bluetooth: Fix refcount use-after-free issue
Doug Smythies <doug.smythies@gmail.com>
tools/power/x86/intel_pstate_tracer: changes for python 3 compatibility
Sven Schnelle <svens@linux.ibm.com>
selftests/ftrace: fix glob selftest
Jeff Layton <jlayton@kernel.org>
ceph: ensure we have a new cap before continuing in fill_inode
Mert Dirik <mertdirik@gmail.com>
ar5523: Add USB ID of SMCWUSBT-G2 wireless adapter
Vincent Whitchurch <vincent.whitchurch@axis.com>
ARM: 8948/1: Prevent OOB access in stacktrace
Josef Bacik <jbacik@fb.com>
tracing: Set kernel_stack's caller size properly
Maxim Mikityanskiy <maxtram95@gmail.com>
Bluetooth: btrtl: Use kvmalloc for FW allocations
Oliver O'Halloran <oohall@gmail.com>
powerpc/eeh: Only dump stack once if an MMIO loop is detected
Thomas Richter <tmricht@linux.ibm.com>
s390/cpum_sf: Use kzalloc and minor changes
Matthias Fend <matthias.fend@wolfvision.net>
dmaengine: zynqmp_dma: fix burst length configuration
Bart Van Assche <bvanassche@acm.org>
scsi: ufs: Fix a race condition in the tracing code
Bart Van Assche <bvanassche@acm.org>
scsi: ufs: Make ufshcd_add_command_trace() easier to read
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
ACPI: EC: Reference count query handlers under lock
Kevin Kou <qdkevin.kou@gmail.com>
sctp: move trace_sctp_probe_path into sctp_outq_sack
Nikhil Devshatwar <nikhil.nd@ti.com>
media: ti-vpe: cal: Restrict DMA to avoid memory corruption
Marco Elver <elver@google.com>
seqlock: Require WRITE_ONCE surrounding raw_seqcount_barrier
Vasily Averin <vvs@virtuozzo.com>
ipv6_route_seq_next should increase position index
Vasily Averin <vvs@virtuozzo.com>
rt_cpu_seq_next should increase position index
Vasily Averin <vvs@virtuozzo.com>
neigh_stat_seq_next() should increase position index
Darrick J. Wong <darrick.wong@oracle.com>
xfs: fix log reservation overflows when allocating large rt extents
Miaohe Lin <linmiaohe@huawei.com>
KVM: arm/arm64: vgic: Fix potential double free dist->spis in __kvm_vgic_destroy()
Joe Perches <joe@perches.com>
kernel/sys.c: avoid copying possible padding bytes in copy_to_user
Tzung-Bi Shih <tzungbi@google.com>
ASoC: max98090: remove msleep in PLL unlocked workaround
Pavel Shilovsky <pshilov@microsoft.com>
CIFS: Properly process SMB3 lease breaks
Kusanagi Kouichi <slash@ac.auone-net.jp>
debugfs: Fix !DEBUG_FS debugfs_create_automount
peter chang <dpf@google.com>
scsi: pm80xx: Cleanup command when a reset times out
Bob Peterson <rpeterso@redhat.com>
gfs2: clean up iopen glock mess in gfs2_create_inode
Bradley Bolen <bradleybolen@gmail.com>
mmc: core: Fix size overflow for mmc partitions
Sascha Hauer <s.hauer@pengutronix.de>
ubi: Fix producing anchor PEBs
Christophe JAILLET <christophe.jaillet@wanadoo.fr>
RDMA/iw_cgxb4: Fix an error handling path in 'c4iw_connect()'
Brian Foster <bfoster@redhat.com>
xfs: fix attr leaf header freemap.size underflow
Al Viro <viro@zeniv.linux.org.uk>
fix dget_parent() fastpath race
Pan Bian <bianpan2016@163.com>
RDMA/i40iw: Fix potential use after free
Pan Bian <bianpan2016@163.com>
RDMA/qedr: Fix potential use after free
Satendra Singh Thakur <sst2005@gmail.com>
dmaengine: mediatek: hsdma_probe: fixed a memory leak when devm_request_irq fails
Guoju Fang <fangguoju@gmail.com>
bcache: fix a lost wake-up problem caused by mca_cannibalize_lock
Divya Indi <divya.indi@oracle.com>
tracing: Adding NULL checks for trace_array descriptor pointer
Ivan Lazeev <ivan.lazeev@gmail.com>
tpm_crb: fix fTPM on AMD Zen+ CPUs
Alex Deucher <alexander.deucher@amd.com>
drm/amdgpu/powerplay/smu7: fix AVFS handling with custom powerplay table
Lee Jones <lee.jones@linaro.org>
mfd: mfd-core: Protect against NULL call-back function pointer
Hou Tao <houtao1@huawei.com>
mtd: cfi_cmdset_0002: don't free cfi->cfiq in error path of cfi_amdstd_setup()
Alex Deucher <alexander.deucher@amd.com>
drm/amdgpu/powerplay: fix AVFS handling with custom powerplay table
Stephen Kitt <steve@sk2.org>
clk/ti/adpll: allocate room for terminating null
Eric Dumazet <edumazet@google.com>
net: silence data-races on sk_backlog.tail
James Smart <jsmart2021@gmail.com>
scsi: lpfc: Fix kernel crash at lpfc_nvme_info_show during remote port bounce
Pan Bian <bianpan2016@163.com>
scsi: fnic: fix use after free
Dmitry Osipenko <digetx@gmail.com>
PM / devfreq: tegra30: Fix integer overflow on CPU's freq max out
Oleh Kravchenko <oleg@kaa.org.ua>
leds: mlxreg: Fix possible buffer overflow
Nick Desaulniers <ndesaulniers@google.com>
lib/string.c: implement stpcpy
Kai-Heng Feng <kai.heng.feng@canonical.com>
ALSA: hda/realtek: Enable front panel headset LED on Lenovo ThinkStation P520
Hui Wang <hui.wang@canonical.com>
ALSA: hda/realtek - Couldn't detect Mic if booting with headset plugged
Joakim Tjernlund <joakim.tjernlund@infinera.com>
ALSA: usb-audio: Add delay quirk for H570e USB headsets
Thomas Gleixner <tglx@linutronix.de>
x86/ioapic: Unbreak check_timer()
Mikulas Patocka <mpatocka@redhat.com>
arch/x86/lib/usercopy_64.c: fix __copy_user_flushcache() cache writeback
Sakari Ailus <sakari.ailus@linux.intel.com>
media: smiapp: Fix error handling at NVM reading
Russell King <rmk+kernel@armlinux.org.uk>
ASoC: kirkwood: fix IRQ error handling
Kangjie Lu <kjlu@umn.edu>
gma/gma500: fix a memory disclosure bug due to uninitialized bytes
Fuqian Huang <huangfq.daxian@gmail.com>
m68k: q40: Fix info-leak in rtc_ioctl
Balsundar P <balsundar.p@microsemi.com>
scsi: aacraid: fix illegal IO beyond last LBA
Jia He <justin.he@arm.com>
mm: fix double page fault on arm64 if PTE_AF is cleared
Miaoqing Pan <miaoqing@codeaurora.org>
ath10k: fix memory leak for tpc_stats_final
Miaoqing Pan <miaoqing@codeaurora.org>
ath10k: fix array out-of-bounds access
Chris Wilson <chris@chris-wilson.co.uk>
dma-fence: Serialise signal enabling (dma_fence_enable_sw_signaling)
zhengbin <zhengbin13@huawei.com>
media: mc-device.c: fix memleak in media_device_register_entity
Jonathan Lebon <jlebon@redhat.com>
selinux: allow labeling before policy is loaded
-------------
Diffstat:
Documentation/devicetree/bindings/sound/wm8994.txt | 18 ++-
Documentation/driver-api/libata.rst | 2 +-
Makefile | 4 +-
arch/arm/include/asm/kvm_emulate.h | 11 +-
arch/arm/kernel/stacktrace.c | 2 +
arch/arm/kernel/traps.c | 6 +-
arch/arm64/include/asm/kvm_emulate.h | 9 +-
arch/arm64/kernel/cpufeature.c | 12 +-
arch/arm64/kvm/hyp/switch.c | 2 +-
arch/m68k/q40/config.c | 1 +
arch/mips/include/asm/cpu-type.h | 1 +
arch/powerpc/include/asm/kvm_asm.h | 3 +
arch/powerpc/kernel/eeh.c | 2 +-
arch/powerpc/kernel/traps.c | 6 +-
arch/powerpc/kvm/book3s_hv_tm.c | 28 +++-
arch/powerpc/kvm/book3s_hv_tm_builtin.c | 16 ++-
arch/riscv/include/asm/ftrace.h | 7 +
arch/riscv/kernel/ftrace.c | 19 +++
arch/s390/kernel/perf_cpum_sf.c | 9 +-
arch/s390/kernel/setup.c | 6 +-
arch/x86/include/asm/nospec-branch.h | 4 +-
arch/x86/include/asm/pkeys.h | 5 +
arch/x86/kernel/apic/io_apic.c | 1 +
arch/x86/kernel/fpu/xstate.c | 9 +-
arch/x86/kvm/mmutrace.h | 2 +-
arch/x86/kvm/svm.c | 8 +-
arch/x86/kvm/x86.c | 13 +-
arch/x86/lib/usercopy_64.c | 2 +-
drivers/acpi/ec.c | 16 +--
drivers/ata/acard-ahci.c | 6 +-
drivers/ata/libahci.c | 6 +-
drivers/ata/libata-core.c | 9 +-
drivers/ata/libata-sff.c | 12 +-
drivers/ata/pata_macio.c | 6 +-
drivers/ata/pata_pxa.c | 8 +-
drivers/ata/pdc_adma.c | 7 +-
drivers/ata/sata_fsl.c | 4 +-
drivers/ata/sata_inic162x.c | 4 +-
drivers/ata/sata_mv.c | 34 ++---
drivers/ata/sata_nv.c | 18 ++-
drivers/ata/sata_promise.c | 6 +-
drivers/ata/sata_qstor.c | 8 +-
drivers/ata/sata_rcar.c | 6 +-
drivers/ata/sata_sil.c | 8 +-
drivers/ata/sata_sil24.c | 6 +-
drivers/ata/sata_sx4.c | 6 +-
drivers/atm/eni.c | 2 +-
drivers/base/regmap/regmap.c | 12 +-
drivers/bluetooth/btrtl.c | 20 +--
drivers/bus/hisi_lpc.c | 27 +++-
drivers/char/random.c | 12 +-
drivers/char/tlclk.c | 17 ++-
drivers/char/tpm/tpm_crb.c | 123 ++++++++++++-----
drivers/char/tpm/tpm_ibmvtpm.c | 9 ++
drivers/char/tpm/tpm_ibmvtpm.h | 1 +
drivers/clk/socfpga/clk-pll-s10.c | 4 +-
drivers/clk/ti/adpll.c | 11 +-
drivers/clocksource/h8300_timer8.c | 2 +-
drivers/cpufreq/powernv-cpufreq.c | 13 +-
drivers/crypto/chelsio/chcr_algo.c | 5 +-
drivers/crypto/chelsio/chtls/chtls_io.c | 10 +-
drivers/devfreq/tegra-devfreq.c | 4 +-
drivers/dma-buf/dma-fence.c | 78 +++++------
drivers/dma/mediatek/mtk-hsdma.c | 4 +-
drivers/dma/stm32-dma.c | 9 +-
drivers/dma/stm32-mdma.c | 9 +-
drivers/dma/tegra20-apb-dma.c | 3 +-
drivers/dma/xilinx/zynqmp_dma.c | 24 ++--
drivers/firmware/arm_sdei.c | 26 ++--
drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c | 31 +++--
drivers/gpu/drm/amd/amdgpu/atom.c | 4 +-
.../gpu/drm/amd/amdkfd/kfd_device_queue_manager.c | 2 +
drivers/gpu/drm/amd/display/dc/core/dc_link.c | 67 +++++-----
drivers/gpu/drm/amd/display/dc/core/dc_link_ddc.c | 52 ++++----
drivers/gpu/drm/amd/powerplay/hwmgr/smu7_hwmgr.c | 7 +
drivers/gpu/drm/amd/powerplay/hwmgr/vega10_hwmgr.c | 7 +
drivers/gpu/drm/gma500/cdv_intel_display.c | 2 +
drivers/gpu/drm/msm/adreno/a5xx_gpu.c | 27 +++-
drivers/gpu/drm/msm/msm_drv.c | 6 +-
drivers/gpu/drm/nouveau/dispnv50/disp.c | 4 +-
drivers/gpu/drm/nouveau/nouveau_debugfs.c | 5 +-
drivers/gpu/drm/nouveau/nouveau_gem.c | 4 +-
.../gpu/drm/nouveau/nvkm/subdev/bios/shadowpci.c | 17 ++-
drivers/gpu/drm/omapdrm/dss/omapdss-boot-init.c | 4 +-
drivers/gpu/drm/radeon/radeon_bios.c | 30 +++--
drivers/gpu/drm/sun4i/sun8i_csc.h | 2 +-
drivers/gpu/drm/vc4/vc4_hdmi.c | 1 +
drivers/i2c/i2c-core-base.c | 2 +-
drivers/infiniband/core/cm.c | 25 ++--
drivers/infiniband/hw/cxgb4/cm.c | 4 +-
drivers/infiniband/hw/i40iw/i40iw_cm.c | 2 +-
drivers/infiniband/hw/qedr/qedr_iw_cm.c | 2 +-
drivers/infiniband/sw/rxe/rxe.c | 2 +
drivers/infiniband/sw/rxe/rxe_qp.c | 7 +-
drivers/leds/leds-mlxreg.c | 4 +-
drivers/md/bcache/bcache.h | 1 +
drivers/md/bcache/btree.c | 12 +-
drivers/md/bcache/super.c | 1 +
drivers/media/dvb-frontends/tda10071.c | 9 +-
drivers/media/i2c/smiapp/smiapp-core.c | 3 +-
drivers/media/media-device.c | 65 ++++-----
drivers/media/platform/ti-vpe/cal.c | 6 +-
drivers/media/usb/go7007/go7007-usb.c | 4 +-
drivers/mfd/mfd-core.c | 10 ++
drivers/mmc/core/mmc.c | 9 +-
drivers/mtd/chips/cfi_cmdset_0002.c | 1 -
drivers/mtd/cmdlinepart.c | 23 +++-
drivers/mtd/nand/raw/omap_elm.c | 1 +
drivers/mtd/ubi/fastmap-wl.c | 46 ++++---
drivers/mtd/ubi/fastmap.c | 14 +-
drivers/mtd/ubi/ubi.h | 6 +-
drivers/mtd/ubi/wl.c | 32 ++---
drivers/mtd/ubi/wl.h | 1 -
drivers/net/ethernet/intel/e1000/e1000_main.c | 18 ++-
drivers/net/ethernet/qlogic/qed/qed_sriov.c | 1 +
drivers/net/ieee802154/adf7242.c | 4 +-
drivers/net/ieee802154/ca8210.c | 1 +
drivers/net/wireless/ath/ar5523/ar5523.c | 2 +
drivers/net/wireless/ath/ath10k/debug.c | 3 +-
drivers/net/wireless/ath/ath10k/sdio.c | 18 ++-
drivers/net/wireless/ath/ath10k/wmi.c | 49 ++++---
drivers/net/wireless/marvell/mwifiex/fw.h | 2 +-
drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c | 4 +-
drivers/net/wireless/mediatek/mt76/agg-rx.c | 1 +
drivers/net/wireless/ti/wlcore/main.c | 4 +-
drivers/net/wireless/ti/wlcore/tx.c | 1 +
drivers/nvme/host/core.c | 12 +-
drivers/nvme/host/multipath.c | 21 ++-
drivers/nvme/host/nvme.h | 19 ++-
drivers/nvme/target/rdma.c | 30 +++--
drivers/pci/controller/pci-tegra.c | 3 +-
drivers/pci/hotplug/pciehp_hpc.c | 26 +++-
drivers/pci/rom.c | 17 ---
drivers/phy/samsung/phy-s5pv210-usb2.c | 4 +
drivers/power/supply/max17040_battery.c | 2 +-
drivers/rapidio/devices/rio_mport_cdev.c | 14 +-
drivers/rtc/rtc-ds1374.c | 15 ++-
drivers/rtc/rtc-sa1100.c | 18 +--
drivers/s390/block/dasd_fba.c | 9 +-
drivers/s390/crypto/zcrypt_api.c | 3 +-
drivers/scsi/aacraid/aachba.c | 8 +-
drivers/scsi/aacraid/commsup.c | 2 +-
drivers/scsi/aacraid/linit.c | 46 +++++--
drivers/scsi/cxlflash/main.c | 1 +
drivers/scsi/fnic/fnic_scsi.c | 3 +-
drivers/scsi/hpsa.c | 80 ++++++++----
drivers/scsi/libfc/fc_rport.c | 13 +-
drivers/scsi/lpfc/lpfc_attr.c | 35 ++---
drivers/scsi/lpfc/lpfc_ct.c | 137 +++++++++----------
drivers/scsi/lpfc/lpfc_hw.h | 36 +++--
drivers/scsi/lpfc/lpfc_sli.c | 4 +
drivers/scsi/pm8001/pm8001_sas.c | 50 +++++--
drivers/scsi/qedi/qedi_iscsi.c | 3 +
drivers/scsi/ufs/ufshcd.c | 14 +-
drivers/staging/media/imx/imx-media-capture.c | 2 +-
drivers/staging/rtl8188eu/core/rtw_recv.c | 19 +--
drivers/thermal/rcar_thermal.c | 6 +-
drivers/tty/serial/8250/8250_omap.c | 8 +-
drivers/tty/serial/8250/8250_port.c | 16 ++-
drivers/tty/serial/samsung.c | 8 +-
drivers/tty/serial/xilinx_uartps.c | 8 ++
drivers/tty/vcc.c | 1 +
drivers/usb/dwc3/gadget.c | 2 +-
drivers/usb/host/ehci-mv.c | 8 +-
drivers/vfio/pci/vfio_pci.c | 13 ++
fs/block_dev.c | 10 ++
fs/btrfs/extent-tree.c | 2 -
fs/btrfs/inode.c | 23 ++--
fs/ceph/caps.c | 14 +-
fs/ceph/inode.c | 5 +-
fs/cifs/cifsglob.h | 9 +-
fs/cifs/file.c | 21 ++-
fs/cifs/misc.c | 17 +--
fs/cifs/smb1ops.c | 8 +-
fs/cifs/smb2misc.c | 32 +----
fs/cifs/smb2ops.c | 44 +++++--
fs/cifs/smb2pdu.h | 2 +-
fs/dcache.c | 4 +-
fs/ext4/inode.c | 2 +-
fs/ext4/mballoc.c | 11 +-
fs/fuse/dev.c | 1 -
fs/gfs2/inode.c | 13 +-
fs/nfs/pagelist.c | 67 ++++++----
fs/nfs/write.c | 10 +-
fs/nfsd/nfs4state.c | 73 ++++++-----
fs/ubifs/io.c | 16 ++-
fs/xfs/libxfs/xfs_attr_leaf.c | 4 +-
fs/xfs/libxfs/xfs_dir2_node.c | 1 +
fs/xfs/libxfs/xfs_trans_resv.c | 96 +++++++++++---
fs/xfs/scrub/dir.c | 3 +
include/linux/debugfs.h | 5 +-
include/linux/libata.h | 13 +-
include/linux/mmc/card.h | 2 +-
include/linux/nfs_page.h | 2 +
include/linux/pci.h | 1 -
include/linux/seqlock.h | 11 +-
include/linux/skbuff.h | 14 +-
include/net/sock.h | 4 +-
include/trace/events/sctp.h | 9 --
kernel/audit_watch.c | 2 -
kernel/bpf/hashtab.c | 8 --
kernel/bpf/inode.c | 4 +-
kernel/kprobes.c | 22 +++-
kernel/printk/printk.c | 3 +
kernel/sys.c | 4 +-
kernel/time/timekeeping.c | 3 +-
kernel/trace/trace.c | 5 +-
kernel/trace/trace_entries.h | 2 +-
kernel/trace/trace_events.c | 2 +
kernel/trace/trace_events_hist.c | 1 -
kernel/trace/trace_preemptirq.c | 4 +-
lib/string.c | 24 ++++
mm/filemap.c | 8 ++
mm/kmemleak.c | 2 +-
mm/memory.c | 121 +++++++++++++++--
mm/mmap.c | 2 +
mm/pagewalk.c | 4 +-
mm/swap_state.c | 5 +-
mm/swapfile.c | 4 +-
mm/vmscan.c | 45 ++++---
net/atm/lec.c | 6 +
net/batman-adv/bridge_loop_avoidance.c | 145 +++++++++++++++++----
net/batman-adv/bridge_loop_avoidance.h | 4 +-
net/batman-adv/routing.c | 4 +
net/batman-adv/soft-interface.c | 6 +-
net/bluetooth/hci_event.c | 25 +++-
net/bluetooth/l2cap_core.c | 29 +++--
net/bluetooth/l2cap_sock.c | 18 ++-
net/core/filter.c | 4 +-
net/core/neighbour.c | 1 +
net/ipv4/route.c | 1 +
net/ipv4/tcp.c | 2 +-
net/ipv6/ip6_fib.c | 7 +-
net/llc/af_llc.c | 2 +-
net/mac802154/tx.c | 8 +-
net/openvswitch/meter.c | 4 +-
net/openvswitch/meter.h | 2 +-
net/sctp/outqueue.c | 6 +
net/sunrpc/svc_xprt.c | 19 ++-
net/sunrpc/xprtrdma/svc_rdma_backchannel.c | 1 +
net/tipc/topsrv.c | 4 +-
net/unix/af_unix.c | 11 +-
security/selinux/hooks.c | 12 ++
security/selinux/selinuxfs.c | 1 +
sound/hda/hdac_bus.c | 4 +
sound/pci/asihpi/hpioctl.c | 4 +-
sound/pci/hda/hda_controller.c | 11 +-
sound/pci/hda/patch_realtek.c | 13 +-
sound/soc/codecs/max98090.c | 8 +-
sound/soc/codecs/wm8994.c | 10 ++
sound/soc/codecs/wm_hubs.c | 3 +
sound/soc/codecs/wm_hubs.h | 1 +
sound/soc/img/img-i2s-out.c | 8 +-
sound/soc/intel/boards/bytcr_rt5640.c | 10 ++
sound/soc/kirkwood/kirkwood-dma.c | 2 +-
sound/usb/midi.c | 29 ++++-
sound/usb/mixer.c | 10 ++
sound/usb/quirks.c | 7 +-
tools/gpio/gpio-hammer.c | 17 ++-
tools/objtool/check.c | 2 +-
tools/perf/builtin-stat.c | 2 +-
tools/perf/pmu-events/jevents.c | 15 ++-
tools/perf/tests/shell/lib/probe_vfs_getname.sh | 2 +-
tools/perf/trace/beauty/arch_errno_names.sh | 2 +-
tools/perf/util/cpumap.c | 10 +-
tools/perf/util/evsel.c | 7 +
tools/perf/util/mem2node.c | 3 +-
tools/perf/util/metricgroup.c | 3 +
tools/perf/util/parse-events.c | 9 +-
tools/perf/util/sort.c | 2 +-
tools/perf/util/symbol-elf.c | 7 +
.../x86/intel_pstate_tracer/intel_pstate_tracer.py | 22 ++--
.../ftrace/test.d/ftrace/func-filter-glob.tc | 2 +-
tools/testing/selftests/x86/syscall_nt.c | 1 +
virt/kvm/arm/mmio.c | 2 +-
virt/kvm/arm/mmu.c | 5 +-
virt/kvm/arm/vgic/vgic-init.c | 1 +
virt/kvm/arm/vgic/vgic-its.c | 11 +-
virt/kvm/kvm_main.c | 1 +
279 files changed, 2370 insertions(+), 1213 deletions(-)
^ permalink raw reply [flat|nested] 256+ messages in thread
* [PATCH 4.19 001/245] selinux: allow labeling before policy is loaded
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
@ 2020-09-29 10:57 ` Greg Kroah-Hartman
2020-09-29 10:57 ` [PATCH 4.19 002/245] media: mc-device.c: fix memleak in media_device_register_entity Greg Kroah-Hartman
` (246 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:57 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Victor Kamensky, Jonathan Lebon,
Paul Moore, Sasha Levin
From: Jonathan Lebon <jlebon@redhat.com>
[ Upstream commit 3e3e24b42043eceb97ed834102c2d094dfd7aaa6 ]
Currently, the SELinux LSM prevents one from setting the
`security.selinux` xattr on an inode without a policy first being
loaded. However, this restriction is problematic: it makes it impossible
to have newly created files with the correct label before actually
loading the policy.
This is relevant in distributions like Fedora, where the policy is
loaded by systemd shortly after pivoting out of the initrd. In such
instances, all files created prior to pivoting will be unlabeled. One
then has to relabel them after pivoting, an operation which inherently
races with other processes trying to access those same files.
Going further, there are use cases for creating the entire root
filesystem on first boot from the initrd (e.g. Container Linux supports
this today[1], and we'd like to support it in Fedora CoreOS as well[2]).
One can imagine doing this in two ways: at the block device level (e.g.
laying down a disk image), or at the filesystem level. In the former,
labeling can simply be part of the image. But even in the latter
scenario, one still really wants to be able to set the right labels when
populating the new filesystem.
This patch enables this by changing behaviour in the following two ways:
1. allow `setxattr` if we're not initialized
2. don't try to set the in-core inode SID if we're not initialized;
instead leave it as `LABEL_INVALID` so that revalidation may be
attempted at a later time
Note the first hunk of this patch is mostly the same as a previously
discussed one[3], though it was part of a larger series which wasn't
accepted.
[1] https://coreos.com/os/docs/latest/root-filesystem-placement.html
[2] https://github.com/coreos/fedora-coreos-tracker/issues/94
[3] https://www.spinics.net/lists/linux-initramfs/msg04593.html
Co-developed-by: Victor Kamensky <kamensky@cisco.com>
Signed-off-by: Victor Kamensky <kamensky@cisco.com>
Signed-off-by: Jonathan Lebon <jlebon@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
security/selinux/hooks.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 452254fd89f87..250b725f5754c 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3304,6 +3304,9 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
}
+ if (!selinux_state.initialized)
+ return (inode_owner_or_capable(inode) ? 0 : -EPERM);
+
sbsec = inode->i_sb->s_security;
if (!(sbsec->flags & SBLABEL_MNT))
return -EOPNOTSUPP;
@@ -3387,6 +3390,15 @@ static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
return;
}
+ if (!selinux_state.initialized) {
+ /* If we haven't even been initialized, then we can't validate
+ * against a policy, so leave the label as invalid. It may
+ * resolve to a valid label on the next revalidation try if
+ * we've since initialized.
+ */
+ return;
+ }
+
rc = security_context_to_sid_force(&selinux_state, value, size,
&newsid);
if (rc) {
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 002/245] media: mc-device.c: fix memleak in media_device_register_entity
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
2020-09-29 10:57 ` [PATCH 4.19 001/245] selinux: allow labeling before policy is loaded Greg Kroah-Hartman
@ 2020-09-29 10:57 ` Greg Kroah-Hartman
2020-09-29 10:57 ` [PATCH 4.19 003/245] dma-fence: Serialise signal enabling (dma_fence_enable_sw_signaling) Greg Kroah-Hartman
` (245 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:57 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Hulk Robot, zhengbin, Sakari Ailus,
Mauro Carvalho Chehab, Sasha Levin
From: zhengbin <zhengbin13@huawei.com>
[ Upstream commit 713f871b30a66dc4daff4d17b760c9916aaaf2e1 ]
In media_device_register_entity, if media_graph_walk_init fails,
need to free the previously memory.
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: zhengbin <zhengbin13@huawei.com>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/media-device.c | 65 ++++++++++++++++++------------------
1 file changed, 33 insertions(+), 32 deletions(-)
diff --git a/drivers/media/media-device.c b/drivers/media/media-device.c
index ed518b1f82e4a..d04ed438a45de 100644
--- a/drivers/media/media-device.c
+++ b/drivers/media/media-device.c
@@ -568,6 +568,38 @@ static void media_device_release(struct media_devnode *devnode)
dev_dbg(devnode->parent, "Media device released\n");
}
+static void __media_device_unregister_entity(struct media_entity *entity)
+{
+ struct media_device *mdev = entity->graph_obj.mdev;
+ struct media_link *link, *tmp;
+ struct media_interface *intf;
+ unsigned int i;
+
+ ida_free(&mdev->entity_internal_idx, entity->internal_idx);
+
+ /* Remove all interface links pointing to this entity */
+ list_for_each_entry(intf, &mdev->interfaces, graph_obj.list) {
+ list_for_each_entry_safe(link, tmp, &intf->links, list) {
+ if (link->entity == entity)
+ __media_remove_intf_link(link);
+ }
+ }
+
+ /* Remove all data links that belong to this entity */
+ __media_entity_remove_links(entity);
+
+ /* Remove all pads that belong to this entity */
+ for (i = 0; i < entity->num_pads; i++)
+ media_gobj_destroy(&entity->pads[i].graph_obj);
+
+ /* Remove the entity */
+ media_gobj_destroy(&entity->graph_obj);
+
+ /* invoke entity_notify callbacks to handle entity removal?? */
+
+ entity->graph_obj.mdev = NULL;
+}
+
/**
* media_device_register_entity - Register an entity with a media device
* @mdev: The media device
@@ -625,6 +657,7 @@ int __must_check media_device_register_entity(struct media_device *mdev,
*/
ret = media_graph_walk_init(&new, mdev);
if (ret) {
+ __media_device_unregister_entity(entity);
mutex_unlock(&mdev->graph_mutex);
return ret;
}
@@ -637,38 +670,6 @@ int __must_check media_device_register_entity(struct media_device *mdev,
}
EXPORT_SYMBOL_GPL(media_device_register_entity);
-static void __media_device_unregister_entity(struct media_entity *entity)
-{
- struct media_device *mdev = entity->graph_obj.mdev;
- struct media_link *link, *tmp;
- struct media_interface *intf;
- unsigned int i;
-
- ida_free(&mdev->entity_internal_idx, entity->internal_idx);
-
- /* Remove all interface links pointing to this entity */
- list_for_each_entry(intf, &mdev->interfaces, graph_obj.list) {
- list_for_each_entry_safe(link, tmp, &intf->links, list) {
- if (link->entity == entity)
- __media_remove_intf_link(link);
- }
- }
-
- /* Remove all data links that belong to this entity */
- __media_entity_remove_links(entity);
-
- /* Remove all pads that belong to this entity */
- for (i = 0; i < entity->num_pads; i++)
- media_gobj_destroy(&entity->pads[i].graph_obj);
-
- /* Remove the entity */
- media_gobj_destroy(&entity->graph_obj);
-
- /* invoke entity_notify callbacks to handle entity removal?? */
-
- entity->graph_obj.mdev = NULL;
-}
-
void media_device_unregister_entity(struct media_entity *entity)
{
struct media_device *mdev = entity->graph_obj.mdev;
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 003/245] dma-fence: Serialise signal enabling (dma_fence_enable_sw_signaling)
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
2020-09-29 10:57 ` [PATCH 4.19 001/245] selinux: allow labeling before policy is loaded Greg Kroah-Hartman
2020-09-29 10:57 ` [PATCH 4.19 002/245] media: mc-device.c: fix memleak in media_device_register_entity Greg Kroah-Hartman
@ 2020-09-29 10:57 ` Greg Kroah-Hartman
2020-09-29 10:57 ` [PATCH 4.19 004/245] ath10k: fix array out-of-bounds access Greg Kroah-Hartman
` (244 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:57 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Chris Wilson, Tvrtko Ursulin, Sasha Levin
From: Chris Wilson <chris@chris-wilson.co.uk>
[ Upstream commit 9c98f021e4e717ffd9948fa65340ea3ef12b7935 ]
Make dma_fence_enable_sw_signaling() behave like its
dma_fence_add_callback() and dma_fence_default_wait() counterparts and
perform the test to enable signaling under the fence->lock, along with
the action to do so. This ensure that should an implementation be trying
to flush the cb_list (by signaling) on retirement before freeing the
fence, it can do so in a race-free manner.
See also 0fc89b6802ba ("dma-fence: Simply wrap dma_fence_signal_locked
with dma_fence_signal").
v2: Refactor all 3 enable_signaling paths to use a common function.
v3: Don't argue, just keep the tracepoint in the existing spot.
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20191004101140.32713-1-chris@chris-wilson.co.uk
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/dma-buf/dma-fence.c | 78 +++++++++++++++++--------------------
1 file changed, 35 insertions(+), 43 deletions(-)
diff --git a/drivers/dma-buf/dma-fence.c b/drivers/dma-buf/dma-fence.c
index 1551ca7df3941..8586cc05def17 100644
--- a/drivers/dma-buf/dma-fence.c
+++ b/drivers/dma-buf/dma-fence.c
@@ -244,6 +244,30 @@ void dma_fence_free(struct dma_fence *fence)
}
EXPORT_SYMBOL(dma_fence_free);
+static bool __dma_fence_enable_signaling(struct dma_fence *fence)
+{
+ bool was_set;
+
+ lockdep_assert_held(fence->lock);
+
+ was_set = test_and_set_bit(DMA_FENCE_FLAG_ENABLE_SIGNAL_BIT,
+ &fence->flags);
+
+ if (test_bit(DMA_FENCE_FLAG_SIGNALED_BIT, &fence->flags))
+ return false;
+
+ if (!was_set && fence->ops->enable_signaling) {
+ trace_dma_fence_enable_signal(fence);
+
+ if (!fence->ops->enable_signaling(fence)) {
+ dma_fence_signal_locked(fence);
+ return false;
+ }
+ }
+
+ return true;
+}
+
/**
* dma_fence_enable_sw_signaling - enable signaling on fence
* @fence: the fence to enable
@@ -256,19 +280,12 @@ void dma_fence_enable_sw_signaling(struct dma_fence *fence)
{
unsigned long flags;
- if (!test_and_set_bit(DMA_FENCE_FLAG_ENABLE_SIGNAL_BIT,
- &fence->flags) &&
- !test_bit(DMA_FENCE_FLAG_SIGNALED_BIT, &fence->flags) &&
- fence->ops->enable_signaling) {
- trace_dma_fence_enable_signal(fence);
-
- spin_lock_irqsave(fence->lock, flags);
-
- if (!fence->ops->enable_signaling(fence))
- dma_fence_signal_locked(fence);
+ if (test_bit(DMA_FENCE_FLAG_SIGNALED_BIT, &fence->flags))
+ return;
- spin_unlock_irqrestore(fence->lock, flags);
- }
+ spin_lock_irqsave(fence->lock, flags);
+ __dma_fence_enable_signaling(fence);
+ spin_unlock_irqrestore(fence->lock, flags);
}
EXPORT_SYMBOL(dma_fence_enable_sw_signaling);
@@ -302,7 +319,6 @@ int dma_fence_add_callback(struct dma_fence *fence, struct dma_fence_cb *cb,
{
unsigned long flags;
int ret = 0;
- bool was_set;
if (WARN_ON(!fence || !func))
return -EINVAL;
@@ -314,25 +330,14 @@ int dma_fence_add_callback(struct dma_fence *fence, struct dma_fence_cb *cb,
spin_lock_irqsave(fence->lock, flags);
- was_set = test_and_set_bit(DMA_FENCE_FLAG_ENABLE_SIGNAL_BIT,
- &fence->flags);
-
- if (test_bit(DMA_FENCE_FLAG_SIGNALED_BIT, &fence->flags))
- ret = -ENOENT;
- else if (!was_set && fence->ops->enable_signaling) {
- trace_dma_fence_enable_signal(fence);
-
- if (!fence->ops->enable_signaling(fence)) {
- dma_fence_signal_locked(fence);
- ret = -ENOENT;
- }
- }
-
- if (!ret) {
+ if (__dma_fence_enable_signaling(fence)) {
cb->func = func;
list_add_tail(&cb->node, &fence->cb_list);
- } else
+ } else {
INIT_LIST_HEAD(&cb->node);
+ ret = -ENOENT;
+ }
+
spin_unlock_irqrestore(fence->lock, flags);
return ret;
@@ -432,7 +437,6 @@ dma_fence_default_wait(struct dma_fence *fence, bool intr, signed long timeout)
struct default_wait_cb cb;
unsigned long flags;
signed long ret = timeout ? timeout : 1;
- bool was_set;
if (test_bit(DMA_FENCE_FLAG_SIGNALED_BIT, &fence->flags))
return ret;
@@ -444,21 +448,9 @@ dma_fence_default_wait(struct dma_fence *fence, bool intr, signed long timeout)
goto out;
}
- was_set = test_and_set_bit(DMA_FENCE_FLAG_ENABLE_SIGNAL_BIT,
- &fence->flags);
-
- if (test_bit(DMA_FENCE_FLAG_SIGNALED_BIT, &fence->flags))
+ if (!__dma_fence_enable_signaling(fence))
goto out;
- if (!was_set && fence->ops->enable_signaling) {
- trace_dma_fence_enable_signal(fence);
-
- if (!fence->ops->enable_signaling(fence)) {
- dma_fence_signal_locked(fence);
- goto out;
- }
- }
-
if (!timeout) {
ret = 0;
goto out;
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 004/245] ath10k: fix array out-of-bounds access
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (2 preceding siblings ...)
2020-09-29 10:57 ` [PATCH 4.19 003/245] dma-fence: Serialise signal enabling (dma_fence_enable_sw_signaling) Greg Kroah-Hartman
@ 2020-09-29 10:57 ` Greg Kroah-Hartman
2020-09-29 10:57 ` [PATCH 4.19 005/245] ath10k: fix memory leak for tpc_stats_final Greg Kroah-Hartman
` (243 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:57 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Miaoqing Pan, Kalle Valo, Sasha Levin
From: Miaoqing Pan <miaoqing@codeaurora.org>
[ Upstream commit c5329b2d5b8b4e41be14d31ee8505b4f5607bf9b ]
If firmware reports rate_max > WMI_TPC_RATE_MAX(WMI_TPC_FINAL_RATE_MAX)
or num_tx_chain > WMI_TPC_TX_N_CHAIN, it will cause array out-of-bounds
access, so print a warning and reset to avoid memory corruption.
Tested HW: QCA9984
Tested FW: 10.4-3.9.0.2-00035
Signed-off-by: Miaoqing Pan <miaoqing@codeaurora.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath10k/debug.c | 2 +-
drivers/net/wireless/ath/ath10k/wmi.c | 49 ++++++++++++++++---------
2 files changed, 32 insertions(+), 19 deletions(-)
diff --git a/drivers/net/wireless/ath/ath10k/debug.c b/drivers/net/wireless/ath/ath10k/debug.c
index 0baaad90b8d18..aa333110eaba6 100644
--- a/drivers/net/wireless/ath/ath10k/debug.c
+++ b/drivers/net/wireless/ath/ath10k/debug.c
@@ -1521,7 +1521,7 @@ static void ath10k_tpc_stats_print(struct ath10k_tpc_stats *tpc_stats,
*len += scnprintf(buf + *len, buf_len - *len,
"No. Preamble Rate_code ");
- for (i = 0; i < WMI_TPC_TX_N_CHAIN; i++)
+ for (i = 0; i < tpc_stats->num_tx_chain; i++)
*len += scnprintf(buf + *len, buf_len - *len,
"tpc_value%d ", i);
diff --git a/drivers/net/wireless/ath/ath10k/wmi.c b/drivers/net/wireless/ath/ath10k/wmi.c
index 3372dfa0deccf..3f3fbee631c34 100644
--- a/drivers/net/wireless/ath/ath10k/wmi.c
+++ b/drivers/net/wireless/ath/ath10k/wmi.c
@@ -4550,16 +4550,13 @@ static void ath10k_tpc_config_disp_tables(struct ath10k *ar,
}
pream_idx = 0;
- for (i = 0; i < __le32_to_cpu(ev->rate_max); i++) {
+ for (i = 0; i < tpc_stats->rate_max; i++) {
memset(tpc_value, 0, sizeof(tpc_value));
memset(buff, 0, sizeof(buff));
if (i == pream_table[pream_idx])
pream_idx++;
- for (j = 0; j < WMI_TPC_TX_N_CHAIN; j++) {
- if (j >= __le32_to_cpu(ev->num_tx_chain))
- break;
-
+ for (j = 0; j < tpc_stats->num_tx_chain; j++) {
tpc[j] = ath10k_tpc_config_get_rate(ar, ev, i, j + 1,
rate_code[i],
type);
@@ -4672,7 +4669,7 @@ void ath10k_wmi_tpc_config_get_rate_code(u8 *rate_code, u16 *pream_table,
void ath10k_wmi_event_pdev_tpc_config(struct ath10k *ar, struct sk_buff *skb)
{
- u32 num_tx_chain;
+ u32 num_tx_chain, rate_max;
u8 rate_code[WMI_TPC_RATE_MAX];
u16 pream_table[WMI_TPC_PREAM_TABLE_MAX];
struct wmi_pdev_tpc_config_event *ev;
@@ -4688,6 +4685,13 @@ void ath10k_wmi_event_pdev_tpc_config(struct ath10k *ar, struct sk_buff *skb)
return;
}
+ rate_max = __le32_to_cpu(ev->rate_max);
+ if (rate_max > WMI_TPC_RATE_MAX) {
+ ath10k_warn(ar, "number of rate is %d greater than TPC configured rate %d\n",
+ rate_max, WMI_TPC_RATE_MAX);
+ rate_max = WMI_TPC_RATE_MAX;
+ }
+
tpc_stats = kzalloc(sizeof(*tpc_stats), GFP_ATOMIC);
if (!tpc_stats)
return;
@@ -4704,8 +4708,8 @@ void ath10k_wmi_event_pdev_tpc_config(struct ath10k *ar, struct sk_buff *skb)
__le32_to_cpu(ev->twice_antenna_reduction);
tpc_stats->power_limit = __le32_to_cpu(ev->power_limit);
tpc_stats->twice_max_rd_power = __le32_to_cpu(ev->twice_max_rd_power);
- tpc_stats->num_tx_chain = __le32_to_cpu(ev->num_tx_chain);
- tpc_stats->rate_max = __le32_to_cpu(ev->rate_max);
+ tpc_stats->num_tx_chain = num_tx_chain;
+ tpc_stats->rate_max = rate_max;
ath10k_tpc_config_disp_tables(ar, ev, tpc_stats,
rate_code, pream_table,
@@ -4900,16 +4904,13 @@ ath10k_wmi_tpc_stats_final_disp_tables(struct ath10k *ar,
}
pream_idx = 0;
- for (i = 0; i < __le32_to_cpu(ev->rate_max); i++) {
+ for (i = 0; i < tpc_stats->rate_max; i++) {
memset(tpc_value, 0, sizeof(tpc_value));
memset(buff, 0, sizeof(buff));
if (i == pream_table[pream_idx])
pream_idx++;
- for (j = 0; j < WMI_TPC_TX_N_CHAIN; j++) {
- if (j >= __le32_to_cpu(ev->num_tx_chain))
- break;
-
+ for (j = 0; j < tpc_stats->num_tx_chain; j++) {
tpc[j] = ath10k_wmi_tpc_final_get_rate(ar, ev, i, j + 1,
rate_code[i],
type, pream_idx);
@@ -4925,7 +4926,7 @@ ath10k_wmi_tpc_stats_final_disp_tables(struct ath10k *ar,
void ath10k_wmi_event_tpc_final_table(struct ath10k *ar, struct sk_buff *skb)
{
- u32 num_tx_chain;
+ u32 num_tx_chain, rate_max;
u8 rate_code[WMI_TPC_FINAL_RATE_MAX];
u16 pream_table[WMI_TPC_PREAM_TABLE_MAX];
struct wmi_pdev_tpc_final_table_event *ev;
@@ -4933,12 +4934,24 @@ void ath10k_wmi_event_tpc_final_table(struct ath10k *ar, struct sk_buff *skb)
ev = (struct wmi_pdev_tpc_final_table_event *)skb->data;
+ num_tx_chain = __le32_to_cpu(ev->num_tx_chain);
+ if (num_tx_chain > WMI_TPC_TX_N_CHAIN) {
+ ath10k_warn(ar, "number of tx chain is %d greater than TPC final configured tx chain %d\n",
+ num_tx_chain, WMI_TPC_TX_N_CHAIN);
+ return;
+ }
+
+ rate_max = __le32_to_cpu(ev->rate_max);
+ if (rate_max > WMI_TPC_FINAL_RATE_MAX) {
+ ath10k_warn(ar, "number of rate is %d greater than TPC final configured rate %d\n",
+ rate_max, WMI_TPC_FINAL_RATE_MAX);
+ rate_max = WMI_TPC_FINAL_RATE_MAX;
+ }
+
tpc_stats = kzalloc(sizeof(*tpc_stats), GFP_ATOMIC);
if (!tpc_stats)
return;
- num_tx_chain = __le32_to_cpu(ev->num_tx_chain);
-
ath10k_wmi_tpc_config_get_rate_code(rate_code, pream_table,
num_tx_chain);
@@ -4951,8 +4964,8 @@ void ath10k_wmi_event_tpc_final_table(struct ath10k *ar, struct sk_buff *skb)
__le32_to_cpu(ev->twice_antenna_reduction);
tpc_stats->power_limit = __le32_to_cpu(ev->power_limit);
tpc_stats->twice_max_rd_power = __le32_to_cpu(ev->twice_max_rd_power);
- tpc_stats->num_tx_chain = __le32_to_cpu(ev->num_tx_chain);
- tpc_stats->rate_max = __le32_to_cpu(ev->rate_max);
+ tpc_stats->num_tx_chain = num_tx_chain;
+ tpc_stats->rate_max = rate_max;
ath10k_wmi_tpc_stats_final_disp_tables(ar, ev, tpc_stats,
rate_code, pream_table,
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 005/245] ath10k: fix memory leak for tpc_stats_final
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (3 preceding siblings ...)
2020-09-29 10:57 ` [PATCH 4.19 004/245] ath10k: fix array out-of-bounds access Greg Kroah-Hartman
@ 2020-09-29 10:57 ` Greg Kroah-Hartman
2020-09-29 10:57 ` [PATCH 4.19 006/245] mm: fix double page fault on arm64 if PTE_AF is cleared Greg Kroah-Hartman
` (242 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:57 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Miaoqing Pan, Kalle Valo, Sasha Levin
From: Miaoqing Pan <miaoqing@codeaurora.org>
[ Upstream commit 486a8849843455298d49e694cca9968336ce2327 ]
The memory of ar->debug.tpc_stats_final is reallocated every debugfs
reading, it should be freed in ath10k_debug_destroy() for the last
allocation.
Tested HW: QCA9984
Tested FW: 10.4-3.9.0.2-00035
Signed-off-by: Miaoqing Pan <miaoqing@codeaurora.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath10k/debug.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/wireless/ath/ath10k/debug.c b/drivers/net/wireless/ath/ath10k/debug.c
index aa333110eaba6..4e980e78ba95c 100644
--- a/drivers/net/wireless/ath/ath10k/debug.c
+++ b/drivers/net/wireless/ath/ath10k/debug.c
@@ -2365,6 +2365,7 @@ void ath10k_debug_destroy(struct ath10k *ar)
ath10k_debug_fw_stats_reset(ar);
kfree(ar->debug.tpc_stats);
+ kfree(ar->debug.tpc_stats_final);
}
int ath10k_debug_register(struct ath10k *ar)
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 006/245] mm: fix double page fault on arm64 if PTE_AF is cleared
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (4 preceding siblings ...)
2020-09-29 10:57 ` [PATCH 4.19 005/245] ath10k: fix memory leak for tpc_stats_final Greg Kroah-Hartman
@ 2020-09-29 10:57 ` Greg Kroah-Hartman
2020-09-29 10:57 ` [PATCH 4.19 007/245] scsi: aacraid: fix illegal IO beyond last LBA Greg Kroah-Hartman
` (241 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:57 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Jia He, Yibo Cai, Catalin Marinas,
Kirill A. Shutemov, Sasha Levin
From: Jia He <justin.he@arm.com>
[ Upstream commit 83d116c53058d505ddef051e90ab27f57015b025 ]
When we tested pmdk unit test [1] vmmalloc_fork TEST3 on arm64 guest, there
will be a double page fault in __copy_from_user_inatomic of cow_user_page.
To reproduce the bug, the cmd is as follows after you deployed everything:
make -C src/test/vmmalloc_fork/ TEST_TIME=60m check
Below call trace is from arm64 do_page_fault for debugging purpose:
[ 110.016195] Call trace:
[ 110.016826] do_page_fault+0x5a4/0x690
[ 110.017812] do_mem_abort+0x50/0xb0
[ 110.018726] el1_da+0x20/0xc4
[ 110.019492] __arch_copy_from_user+0x180/0x280
[ 110.020646] do_wp_page+0xb0/0x860
[ 110.021517] __handle_mm_fault+0x994/0x1338
[ 110.022606] handle_mm_fault+0xe8/0x180
[ 110.023584] do_page_fault+0x240/0x690
[ 110.024535] do_mem_abort+0x50/0xb0
[ 110.025423] el0_da+0x20/0x24
The pte info before __copy_from_user_inatomic is (PTE_AF is cleared):
[ffff9b007000] pgd=000000023d4f8003, pud=000000023da9b003,
pmd=000000023d4b3003, pte=360000298607bd3
As told by Catalin: "On arm64 without hardware Access Flag, copying from
user will fail because the pte is old and cannot be marked young. So we
always end up with zeroed page after fork() + CoW for pfn mappings. we
don't always have a hardware-managed access flag on arm64."
This patch fixes it by calling pte_mkyoung. Also, the parameter is
changed because vmf should be passed to cow_user_page()
Add a WARN_ON_ONCE when __copy_from_user_inatomic() returns error
in case there can be some obscure use-case (by Kirill).
[1] https://github.com/pmem/pmdk/tree/master/src/test/vmmalloc_fork
Signed-off-by: Jia He <justin.he@arm.com>
Reported-by: Yibo Cai <Yibo.Cai@arm.com>
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
mm/memory.c | 104 ++++++++++++++++++++++++++++++++++++++++++++--------
1 file changed, 89 insertions(+), 15 deletions(-)
diff --git a/mm/memory.c b/mm/memory.c
index bbf0cc4066c84..fcad8a0d943d3 100644
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -116,6 +116,18 @@ int randomize_va_space __read_mostly =
2;
#endif
+#ifndef arch_faults_on_old_pte
+static inline bool arch_faults_on_old_pte(void)
+{
+ /*
+ * Those arches which don't have hw access flag feature need to
+ * implement their own helper. By default, "true" means pagefault
+ * will be hit on old pte.
+ */
+ return true;
+}
+#endif
+
static int __init disable_randmaps(char *s)
{
randomize_va_space = 0;
@@ -2335,32 +2347,82 @@ static inline int pte_unmap_same(struct mm_struct *mm, pmd_t *pmd,
return same;
}
-static inline void cow_user_page(struct page *dst, struct page *src, unsigned long va, struct vm_area_struct *vma)
+static inline bool cow_user_page(struct page *dst, struct page *src,
+ struct vm_fault *vmf)
{
+ bool ret;
+ void *kaddr;
+ void __user *uaddr;
+ bool force_mkyoung;
+ struct vm_area_struct *vma = vmf->vma;
+ struct mm_struct *mm = vma->vm_mm;
+ unsigned long addr = vmf->address;
+
debug_dma_assert_idle(src);
+ if (likely(src)) {
+ copy_user_highpage(dst, src, addr, vma);
+ return true;
+ }
+
/*
* If the source page was a PFN mapping, we don't have
* a "struct page" for it. We do a best-effort copy by
* just copying from the original user address. If that
* fails, we just zero-fill it. Live with it.
*/
- if (unlikely(!src)) {
- void *kaddr = kmap_atomic(dst);
- void __user *uaddr = (void __user *)(va & PAGE_MASK);
+ kaddr = kmap_atomic(dst);
+ uaddr = (void __user *)(addr & PAGE_MASK);
+
+ /*
+ * On architectures with software "accessed" bits, we would
+ * take a double page fault, so mark it accessed here.
+ */
+ force_mkyoung = arch_faults_on_old_pte() && !pte_young(vmf->orig_pte);
+ if (force_mkyoung) {
+ pte_t entry;
+
+ vmf->pte = pte_offset_map_lock(mm, vmf->pmd, addr, &vmf->ptl);
+ if (!likely(pte_same(*vmf->pte, vmf->orig_pte))) {
+ /*
+ * Other thread has already handled the fault
+ * and we don't need to do anything. If it's
+ * not the case, the fault will be triggered
+ * again on the same address.
+ */
+ ret = false;
+ goto pte_unlock;
+ }
+ entry = pte_mkyoung(vmf->orig_pte);
+ if (ptep_set_access_flags(vma, addr, vmf->pte, entry, 0))
+ update_mmu_cache(vma, addr, vmf->pte);
+ }
+
+ /*
+ * This really shouldn't fail, because the page is there
+ * in the page tables. But it might just be unreadable,
+ * in which case we just give up and fill the result with
+ * zeroes.
+ */
+ if (__copy_from_user_inatomic(kaddr, uaddr, PAGE_SIZE)) {
/*
- * This really shouldn't fail, because the page is there
- * in the page tables. But it might just be unreadable,
- * in which case we just give up and fill the result with
- * zeroes.
+ * Give a warn in case there can be some obscure
+ * use-case
*/
- if (__copy_from_user_inatomic(kaddr, uaddr, PAGE_SIZE))
- clear_page(kaddr);
- kunmap_atomic(kaddr);
- flush_dcache_page(dst);
- } else
- copy_user_highpage(dst, src, va, vma);
+ WARN_ON_ONCE(1);
+ clear_page(kaddr);
+ }
+
+ ret = true;
+
+pte_unlock:
+ if (force_mkyoung)
+ pte_unmap_unlock(vmf->pte, vmf->ptl);
+ kunmap_atomic(kaddr);
+ flush_dcache_page(dst);
+
+ return ret;
}
static gfp_t __get_fault_gfp_mask(struct vm_area_struct *vma)
@@ -2514,7 +2576,19 @@ static vm_fault_t wp_page_copy(struct vm_fault *vmf)
vmf->address);
if (!new_page)
goto oom;
- cow_user_page(new_page, old_page, vmf->address, vma);
+
+ if (!cow_user_page(new_page, old_page, vmf)) {
+ /*
+ * COW failed, if the fault was solved by other,
+ * it's fine. If not, userspace would re-fault on
+ * the same address and we will handle the fault
+ * from the second attempt.
+ */
+ put_page(new_page);
+ if (old_page)
+ put_page(old_page);
+ return 0;
+ }
}
if (mem_cgroup_try_charge_delay(new_page, mm, GFP_KERNEL, &memcg, false))
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 007/245] scsi: aacraid: fix illegal IO beyond last LBA
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (5 preceding siblings ...)
2020-09-29 10:57 ` [PATCH 4.19 006/245] mm: fix double page fault on arm64 if PTE_AF is cleared Greg Kroah-Hartman
@ 2020-09-29 10:57 ` Greg Kroah-Hartman
2020-09-29 10:57 ` [PATCH 4.19 008/245] m68k: q40: Fix info-leak in rtc_ioctl Greg Kroah-Hartman
` (240 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:57 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Balsundar P, Martin K. Petersen, Sasha Levin
From: Balsundar P <balsundar.p@microsemi.com>
[ Upstream commit c86fbe484c10b2cd1e770770db2d6b2c88801c1d ]
The driver fails to handle data when read or written beyond device reported
LBA, which triggers kernel panic
Link: https://lore.kernel.org/r/1571120524-6037-2-git-send-email-balsundar.p@microsemi.com
Signed-off-by: Balsundar P <balsundar.p@microsemi.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/aacraid/aachba.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/scsi/aacraid/aachba.c b/drivers/scsi/aacraid/aachba.c
index 6e356325d8d98..54717fb84a54c 100644
--- a/drivers/scsi/aacraid/aachba.c
+++ b/drivers/scsi/aacraid/aachba.c
@@ -2481,13 +2481,13 @@ static int aac_read(struct scsi_cmnd * scsicmd)
scsicmd->result = DID_OK << 16 | COMMAND_COMPLETE << 8 |
SAM_STAT_CHECK_CONDITION;
set_sense(&dev->fsa_dev[cid].sense_data,
- HARDWARE_ERROR, SENCODE_INTERNAL_TARGET_FAILURE,
+ ILLEGAL_REQUEST, SENCODE_LBA_OUT_OF_RANGE,
ASENCODE_INTERNAL_TARGET_FAILURE, 0, 0);
memcpy(scsicmd->sense_buffer, &dev->fsa_dev[cid].sense_data,
min_t(size_t, sizeof(dev->fsa_dev[cid].sense_data),
SCSI_SENSE_BUFFERSIZE));
scsicmd->scsi_done(scsicmd);
- return 1;
+ return 0;
}
dprintk((KERN_DEBUG "aac_read[cpu %d]: lba = %llu, t = %ld.\n",
@@ -2573,13 +2573,13 @@ static int aac_write(struct scsi_cmnd * scsicmd)
scsicmd->result = DID_OK << 16 | COMMAND_COMPLETE << 8 |
SAM_STAT_CHECK_CONDITION;
set_sense(&dev->fsa_dev[cid].sense_data,
- HARDWARE_ERROR, SENCODE_INTERNAL_TARGET_FAILURE,
+ ILLEGAL_REQUEST, SENCODE_LBA_OUT_OF_RANGE,
ASENCODE_INTERNAL_TARGET_FAILURE, 0, 0);
memcpy(scsicmd->sense_buffer, &dev->fsa_dev[cid].sense_data,
min_t(size_t, sizeof(dev->fsa_dev[cid].sense_data),
SCSI_SENSE_BUFFERSIZE));
scsicmd->scsi_done(scsicmd);
- return 1;
+ return 0;
}
dprintk((KERN_DEBUG "aac_write[cpu %d]: lba = %llu, t = %ld.\n",
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 008/245] m68k: q40: Fix info-leak in rtc_ioctl
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (6 preceding siblings ...)
2020-09-29 10:57 ` [PATCH 4.19 007/245] scsi: aacraid: fix illegal IO beyond last LBA Greg Kroah-Hartman
@ 2020-09-29 10:57 ` Greg Kroah-Hartman
2020-09-29 10:57 ` [PATCH 4.19 009/245] gma/gma500: fix a memory disclosure bug due to uninitialized bytes Greg Kroah-Hartman
` (239 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:57 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Fuqian Huang, Geert Uytterhoeven,
Sasha Levin
From: Fuqian Huang <huangfq.daxian@gmail.com>
[ Upstream commit 7cf78b6b12fd5550545e4b73b35dca18bd46b44c ]
When the option is RTC_PLL_GET, pll will be copied to userland
via copy_to_user. pll is initialized using mach_get_rtc_pll indirect
call and mach_get_rtc_pll is only assigned with function
q40_get_rtc_pll in arch/m68k/q40/config.c.
In function q40_get_rtc_pll, the field pll_ctrl is not initialized.
This will leak uninitialized stack content to userland.
Fix this by zeroing the uninitialized field.
Signed-off-by: Fuqian Huang <huangfq.daxian@gmail.com>
Link: https://lore.kernel.org/r/20190927121544.7650-1-huangfq.daxian@gmail.com
Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/m68k/q40/config.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/m68k/q40/config.c b/arch/m68k/q40/config.c
index 96810d91da2bd..4a25ce6a1823d 100644
--- a/arch/m68k/q40/config.c
+++ b/arch/m68k/q40/config.c
@@ -273,6 +273,7 @@ static int q40_get_rtc_pll(struct rtc_pll_info *pll)
{
int tmp = Q40_RTC_CTRL;
+ pll->pll_ctrl = 0;
pll->pll_value = tmp & Q40_RTC_PLL_MASK;
if (tmp & Q40_RTC_PLL_SIGN)
pll->pll_value = -pll->pll_value;
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 009/245] gma/gma500: fix a memory disclosure bug due to uninitialized bytes
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (7 preceding siblings ...)
2020-09-29 10:57 ` [PATCH 4.19 008/245] m68k: q40: Fix info-leak in rtc_ioctl Greg Kroah-Hartman
@ 2020-09-29 10:57 ` Greg Kroah-Hartman
2020-09-29 10:57 ` [PATCH 4.19 010/245] ASoC: kirkwood: fix IRQ error handling Greg Kroah-Hartman
` (238 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:57 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Kangjie Lu, Daniel Vetter, Sasha Levin
From: Kangjie Lu <kjlu@umn.edu>
[ Upstream commit 57a25a5f754ce27da2cfa6f413cfd366f878db76 ]
`best_clock` is an object that may be sent out. Object `clock`
contains uninitialized bytes that are copied to `best_clock`,
which leads to memory disclosure and information leak.
Signed-off-by: Kangjie Lu <kjlu@umn.edu>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: https://patchwork.freedesktop.org/patch/msgid/20191018042953.31099-1-kjlu@umn.edu
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/gma500/cdv_intel_display.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/gpu/drm/gma500/cdv_intel_display.c b/drivers/gpu/drm/gma500/cdv_intel_display.c
index 17db4b4749d5a..2e8479744ca4a 100644
--- a/drivers/gpu/drm/gma500/cdv_intel_display.c
+++ b/drivers/gpu/drm/gma500/cdv_intel_display.c
@@ -415,6 +415,8 @@ static bool cdv_intel_find_dp_pll(const struct gma_limit_t *limit,
struct gma_crtc *gma_crtc = to_gma_crtc(crtc);
struct gma_clock_t clock;
+ memset(&clock, 0, sizeof(clock));
+
switch (refclk) {
case 27000:
if (target < 200000) {
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 010/245] ASoC: kirkwood: fix IRQ error handling
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (8 preceding siblings ...)
2020-09-29 10:57 ` [PATCH 4.19 009/245] gma/gma500: fix a memory disclosure bug due to uninitialized bytes Greg Kroah-Hartman
@ 2020-09-29 10:57 ` Greg Kroah-Hartman
2020-09-29 10:57 ` [PATCH 4.19 011/245] media: smiapp: Fix error handling at NVM reading Greg Kroah-Hartman
` (237 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:57 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Russell King, Mark Brown, Sasha Levin
From: Russell King <rmk+kernel@armlinux.org.uk>
[ Upstream commit 175fc928198236037174e5c5c066fe3c4691903e ]
Propagate the error code from request_irq(), rather than returning
-EBUSY.
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Link: https://lore.kernel.org/r/E1iNIqh-0000tW-EZ@rmk-PC.armlinux.org.uk
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/kirkwood/kirkwood-dma.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/soc/kirkwood/kirkwood-dma.c b/sound/soc/kirkwood/kirkwood-dma.c
index c6a58520d377a..255cc45905b81 100644
--- a/sound/soc/kirkwood/kirkwood-dma.c
+++ b/sound/soc/kirkwood/kirkwood-dma.c
@@ -136,7 +136,7 @@ static int kirkwood_dma_open(struct snd_pcm_substream *substream)
err = request_irq(priv->irq, kirkwood_dma_irq, IRQF_SHARED,
"kirkwood-i2s", priv);
if (err)
- return -EBUSY;
+ return err;
/*
* Enable Error interrupts. We're only ack'ing them but
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 011/245] media: smiapp: Fix error handling at NVM reading
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (9 preceding siblings ...)
2020-09-29 10:57 ` [PATCH 4.19 010/245] ASoC: kirkwood: fix IRQ error handling Greg Kroah-Hartman
@ 2020-09-29 10:57 ` Greg Kroah-Hartman
2020-09-29 10:57 ` [PATCH 4.19 012/245] arch/x86/lib/usercopy_64.c: fix __copy_user_flushcache() cache writeback Greg Kroah-Hartman
` (236 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:57 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Sakari Ailus, Mauro Carvalho Chehab,
Sasha Levin
From: Sakari Ailus <sakari.ailus@linux.intel.com>
[ Upstream commit a5b1d5413534607b05fb34470ff62bf395f5c8d0 ]
If NVM reading failed, the device was left powered on. Fix that.
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/i2c/smiapp/smiapp-core.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/media/i2c/smiapp/smiapp-core.c b/drivers/media/i2c/smiapp/smiapp-core.c
index 4731e1c72f960..0a434bdce3b3b 100644
--- a/drivers/media/i2c/smiapp/smiapp-core.c
+++ b/drivers/media/i2c/smiapp/smiapp-core.c
@@ -2337,11 +2337,12 @@ smiapp_sysfs_nvm_read(struct device *dev, struct device_attribute *attr,
if (rval < 0) {
if (rval != -EBUSY && rval != -EAGAIN)
pm_runtime_set_active(&client->dev);
- pm_runtime_put(&client->dev);
+ pm_runtime_put_noidle(&client->dev);
return -ENODEV;
}
if (smiapp_read_nvm(sensor, sensor->nvm)) {
+ pm_runtime_put(&client->dev);
dev_err(&client->dev, "nvm read failed\n");
return -ENODEV;
}
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 012/245] arch/x86/lib/usercopy_64.c: fix __copy_user_flushcache() cache writeback
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (10 preceding siblings ...)
2020-09-29 10:57 ` [PATCH 4.19 011/245] media: smiapp: Fix error handling at NVM reading Greg Kroah-Hartman
@ 2020-09-29 10:57 ` Greg Kroah-Hartman
2020-09-29 10:57 ` [PATCH 4.19 013/245] x86/ioapic: Unbreak check_timer() Greg Kroah-Hartman
` (235 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:57 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Mikulas Patocka, Andrew Morton,
Dan Williams, Jan Kara, Jeff Moyer, Ingo Molnar,
Christoph Hellwig, Toshi Kani, H. Peter Anvin, Al Viro,
Thomas Gleixner, Matthew Wilcox, Ross Zwisler, Ingo Molnar,
Linus Torvalds
From: Mikulas Patocka <mpatocka@redhat.com>
commit a1cd6c2ae47ee10ff21e62475685d5b399e2ed4a upstream.
If we copy less than 8 bytes and if the destination crosses a cache
line, __copy_user_flushcache would invalidate only the first cache line.
This patch makes it invalidate the second cache line as well.
Fixes: 0aed55af88345b ("x86, uaccess: introduce copy_from_iter_flushcache for pmem / cache-bypass operations")
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Reviewed-by: Dan Williams <dan.j.wiilliams@intel.com>
Cc: Jan Kara <jack@suse.cz>
Cc: Jeff Moyer <jmoyer@redhat.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Toshi Kani <toshi.kani@hpe.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Matthew Wilcox <mawilcox@microsoft.com>
Cc: Ross Zwisler <ross.zwisler@linux.intel.com>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: <stable@vger.kernel.org>
Link: https://lkml.kernel.org/r/alpine.LRH.2.02.2009161451140.21915@file01.intranet.prod.int.rdu2.redhat.com
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/lib/usercopy_64.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/x86/lib/usercopy_64.c
+++ b/arch/x86/lib/usercopy_64.c
@@ -139,7 +139,7 @@ long __copy_user_flushcache(void *dst, c
*/
if (size < 8) {
if (!IS_ALIGNED(dest, 4) || size != 4)
- clean_cache_range(dst, 1);
+ clean_cache_range(dst, size);
} else {
if (!IS_ALIGNED(dest, 8)) {
dest = ALIGN(dest, boot_cpu_data.x86_clflush_size);
^ permalink raw reply [flat|nested] 256+ messages in thread
* [PATCH 4.19 013/245] x86/ioapic: Unbreak check_timer()
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (11 preceding siblings ...)
2020-09-29 10:57 ` [PATCH 4.19 012/245] arch/x86/lib/usercopy_64.c: fix __copy_user_flushcache() cache writeback Greg Kroah-Hartman
@ 2020-09-29 10:57 ` Greg Kroah-Hartman
2020-09-29 10:57 ` [PATCH 4.19 014/245] ALSA: usb-audio: Add delay quirk for H570e USB headsets Greg Kroah-Hartman
` (234 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:57 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, p_c_chan, ecm4, perdigao1, matzes,
rvelascog, Thomas Gleixner
From: Thomas Gleixner <tglx@linutronix.de>
commit 86a82ae0b5095ea24c55898a3f025791e7958b21 upstream.
Several people reported in the kernel bugzilla that between v4.12 and v4.13
the magic which works around broken hardware and BIOSes to find the proper
timer interrupt delivery mode stopped working for some older affected
platforms which need to fall back to ExtINT delivery mode.
The reason is that the core code changed to keep track of the masked and
disabled state of an interrupt line more accurately to avoid the expensive
hardware operations.
That broke an assumption in i8259_make_irq() which invokes
disable_irq_nosync();
irq_set_chip_and_handler();
enable_irq();
Up to v4.12 this worked because enable_irq() unconditionally unmasked the
interrupt line, but after the state tracking improvements this is not
longer the case because the IO/APIC uses lazy disabling. So the line state
is unmasked which means that enable_irq() does not call into the new irq
chip to unmask it.
In principle this is a shortcoming of the core code, but it's more than
unclear whether the core code should try to reset state. At least this
cannot be done unconditionally as that would break other existing use cases
where the chip type is changed, e.g. when changing the trigger type, but
the callers expect the state to be preserved.
As the way how check_timer() is switching the delivery modes is truly
unique, the obvious fix is to simply unmask the i8259 manually after
changing the mode to ExtINT delivery and switching the irq chip to the
legacy PIC.
Note, that the fixes tag is not really precise, but identifies the commit
which broke the assumptions in the IO/APIC and i8259 code and that's the
kernel version to which this needs to be backported.
Fixes: bf22ff45bed6 ("genirq: Avoid unnecessary low level irq function calls")
Reported-by: p_c_chan@hotmail.com
Reported-by: ecm4@mail.com
Reported-by: perdigao1@yahoo.com
Reported-by: matzes@users.sourceforge.net
Reported-by: rvelascog@gmail.com
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Tested-by: p_c_chan@hotmail.com
Tested-by: matzes@users.sourceforge.net
Cc: stable@vger.kernel.org
Link: https://bugzilla.kernel.org/show_bug.cgi?id=197769
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kernel/apic/io_apic.c | 1 +
1 file changed, 1 insertion(+)
--- a/arch/x86/kernel/apic/io_apic.c
+++ b/arch/x86/kernel/apic/io_apic.c
@@ -2250,6 +2250,7 @@ static inline void __init check_timer(vo
legacy_pic->init(0);
legacy_pic->make_irq(0);
apic_write(APIC_LVT0, APIC_DM_EXTINT);
+ legacy_pic->unmask(0);
unlock_ExtINT_logic();
^ permalink raw reply [flat|nested] 256+ messages in thread
* [PATCH 4.19 014/245] ALSA: usb-audio: Add delay quirk for H570e USB headsets
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (12 preceding siblings ...)
2020-09-29 10:57 ` [PATCH 4.19 013/245] x86/ioapic: Unbreak check_timer() Greg Kroah-Hartman
@ 2020-09-29 10:57 ` Greg Kroah-Hartman
2020-09-29 10:57 ` [PATCH 4.19 015/245] ALSA: hda/realtek - Couldnt detect Mic if booting with headset plugged Greg Kroah-Hartman
` (233 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:57 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Joakim Tjernlund, Takashi Iwai
From: Joakim Tjernlund <joakim.tjernlund@infinera.com>
commit 315c7ad7a701baba28c628c4c5426b3d9617ceed upstream.
Needs the same delay as H650e
Signed-off-by: Joakim Tjernlund <joakim.tjernlund@infinera.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20200910085328.19188-1-joakim.tjernlund@infinera.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/quirks.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
--- a/sound/usb/quirks.c
+++ b/sound/usb/quirks.c
@@ -1338,12 +1338,13 @@ void snd_usb_ctl_msg_quirk(struct usb_de
&& (requesttype & USB_TYPE_MASK) == USB_TYPE_CLASS)
msleep(20);
- /* Zoom R16/24, Logitech H650e, Jabra 550a, Kingston HyperX needs a tiny
- * delay here, otherwise requests like get/set frequency return as
- * failed despite actually succeeding.
+ /* Zoom R16/24, Logitech H650e/H570e, Jabra 550a, Kingston HyperX
+ * needs a tiny delay here, otherwise requests like get/set
+ * frequency return as failed despite actually succeeding.
*/
if ((chip->usb_id == USB_ID(0x1686, 0x00dd) ||
chip->usb_id == USB_ID(0x046d, 0x0a46) ||
+ chip->usb_id == USB_ID(0x046d, 0x0a56) ||
chip->usb_id == USB_ID(0x0b0e, 0x0349) ||
chip->usb_id == USB_ID(0x0951, 0x16ad)) &&
(requesttype & USB_TYPE_MASK) == USB_TYPE_CLASS)
^ permalink raw reply [flat|nested] 256+ messages in thread
* [PATCH 4.19 015/245] ALSA: hda/realtek - Couldnt detect Mic if booting with headset plugged
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (13 preceding siblings ...)
2020-09-29 10:57 ` [PATCH 4.19 014/245] ALSA: usb-audio: Add delay quirk for H570e USB headsets Greg Kroah-Hartman
@ 2020-09-29 10:57 ` Greg Kroah-Hartman
2020-09-29 10:57 ` [PATCH 4.19 016/245] ALSA: hda/realtek: Enable front panel headset LED on Lenovo ThinkStation P520 Greg Kroah-Hartman
` (232 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:57 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Kailang Yang, Hui Wang, Takashi Iwai
From: Hui Wang <hui.wang@canonical.com>
commit 3f74249057827c5f6676c41c18f6be12ce1469ce upstream.
We found a Mic detection issue on many Lenovo laptops, those laptops
belong to differnt models and they have different audio design like
internal mic connects to the codec or PCH, they all have this problem,
the problem is if plugging a headset before powerup/reboot the
machine, after booting up, the headphone could be detected but Mic
couldn't. If we plug out and plug in the headset, both headphone and
Mic could be detected then.
Through debugging we found the codec on those laptops are same, it is
alc257, and if we don't disable the 3k pulldown in alc256_shutup(),
the issue will be fixed. So far there is no pop noise or power
consumption regression on those laptops after this change.
Cc: Kailang Yang <kailang@realtek.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Hui Wang <hui.wang@canonical.com>
Link: https://lore.kernel.org/r/20200914065118.19238-1-hui.wang@canonical.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/pci/hda/patch_realtek.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -3290,7 +3290,11 @@ static void alc256_shutup(struct hda_cod
/* 3k pull low control for Headset jack. */
/* NOTE: call this before clearing the pin, otherwise codec stalls */
- alc_update_coef_idx(codec, 0x46, 0, 3 << 12);
+ /* If disable 3k pulldown control for alc257, the Mic detection will not work correctly
+ * when booting with headset plugged. So skip setting it for the codec alc257
+ */
+ if (codec->core.vendor_id != 0x10ec0257)
+ alc_update_coef_idx(codec, 0x46, 0, 3 << 12);
if (!spec->no_shutup_pins)
snd_hda_codec_write(codec, hp_pin, 0,
^ permalink raw reply [flat|nested] 256+ messages in thread
* [PATCH 4.19 016/245] ALSA: hda/realtek: Enable front panel headset LED on Lenovo ThinkStation P520
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (14 preceding siblings ...)
2020-09-29 10:57 ` [PATCH 4.19 015/245] ALSA: hda/realtek - Couldnt detect Mic if booting with headset plugged Greg Kroah-Hartman
@ 2020-09-29 10:57 ` Greg Kroah-Hartman
2020-09-29 10:57 ` [PATCH 4.19 017/245] lib/string.c: implement stpcpy Greg Kroah-Hartman
` (231 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:57 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Kai-Heng Feng, Hui Wang, Takashi Iwai
From: Kai-Heng Feng <kai.heng.feng@canonical.com>
commit f73bbf639b32acb6b409e188fdde5644b301978f upstream.
On Lenovo P520, the front panel headset LED isn't lit up right now.
Realtek states that the LED needs to be enabled by ALC233's GPIO2, so
let's do it accordingly to light the LED up.
Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
Acked-by: Hui Wang <hui.wang@canonical.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20200914070231.13192-1-kai.heng.feng@canonical.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/pci/hda/patch_realtek.c | 7 +++++++
1 file changed, 7 insertions(+)
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -5616,6 +5616,7 @@ static void alc_fixup_thinkpad_acpi(stru
#include "hp_x360_helper.c"
enum {
+ ALC269_FIXUP_GPIO2,
ALC269_FIXUP_SONY_VAIO,
ALC275_FIXUP_SONY_VAIO_GPIO2,
ALC269_FIXUP_DELL_M101Z,
@@ -5768,6 +5769,10 @@ enum {
};
static const struct hda_fixup alc269_fixups[] = {
+ [ALC269_FIXUP_GPIO2] = {
+ .type = HDA_FIXUP_FUNC,
+ .v.func = alc_fixup_gpio2,
+ },
[ALC269_FIXUP_SONY_VAIO] = {
.type = HDA_FIXUP_PINCTLS,
.v.pins = (const struct hda_pintbl[]) {
@@ -6563,6 +6568,8 @@ static const struct hda_fixup alc269_fix
[ALC233_FIXUP_LENOVO_MULTI_CODECS] = {
.type = HDA_FIXUP_FUNC,
.v.func = alc233_alc662_fixup_lenovo_dual_codecs,
+ .chained = true,
+ .chain_id = ALC269_FIXUP_GPIO2
},
[ALC233_FIXUP_ACER_HEADSET_MIC] = {
.type = HDA_FIXUP_VERBS,
^ permalink raw reply [flat|nested] 256+ messages in thread
* [PATCH 4.19 017/245] lib/string.c: implement stpcpy
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (15 preceding siblings ...)
2020-09-29 10:57 ` [PATCH 4.19 016/245] ALSA: hda/realtek: Enable front panel headset LED on Lenovo ThinkStation P520 Greg Kroah-Hartman
@ 2020-09-29 10:57 ` Greg Kroah-Hartman
2020-09-29 10:57 ` [PATCH 4.19 018/245] leds: mlxreg: Fix possible buffer overflow Greg Kroah-Hartman
` (230 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:57 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Sami Tolvanen, Andy Lavr,
Arvind Sankar, Joe Perches, Kees Cook, Masahiro Yamada,
Rasmus Villemoes, Nick Desaulniers, Andrew Morton,
Nathan Chancellor, Linus Torvalds
From: Nick Desaulniers <ndesaulniers@google.com>
commit 1e1b6d63d6340764e00356873e5794225a2a03ea upstream.
LLVM implemented a recent "libcall optimization" that lowers calls to
`sprintf(dest, "%s", str)` where the return value is used to
`stpcpy(dest, str) - dest`.
This generally avoids the machinery involved in parsing format strings.
`stpcpy` is just like `strcpy` except it returns the pointer to the new
tail of `dest`. This optimization was introduced into clang-12.
Implement this so that we don't observe linkage failures due to missing
symbol definitions for `stpcpy`.
Similar to last year's fire drill with: commit 5f074f3e192f
("lib/string.c: implement a basic bcmp")
The kernel is somewhere between a "freestanding" environment (no full
libc) and "hosted" environment (many symbols from libc exist with the
same type, function signature, and semantics).
As Peter Anvin notes, there's not really a great way to inform the
compiler that you're targeting a freestanding environment but would like
to opt-in to some libcall optimizations (see pr/47280 below), rather
than opt-out.
Arvind notes, -fno-builtin-* behaves slightly differently between GCC
and Clang, and Clang is missing many __builtin_* definitions, which I
consider a bug in Clang and am working on fixing.
Masahiro summarizes the subtle distinction between compilers justly:
To prevent transformation from foo() into bar(), there are two ways in
Clang to do that; -fno-builtin-foo, and -fno-builtin-bar. There is
only one in GCC; -fno-buitin-foo.
(Any difference in that behavior in Clang is likely a bug from a missing
__builtin_* definition.)
Masahiro also notes:
We want to disable optimization from foo() to bar(),
but we may still benefit from the optimization from
foo() into something else. If GCC implements the same transform, we
would run into a problem because it is not -fno-builtin-bar, but
-fno-builtin-foo that disables that optimization.
In this regard, -fno-builtin-foo would be more future-proof than
-fno-built-bar, but -fno-builtin-foo is still potentially overkill. We
may want to prevent calls from foo() being optimized into calls to
bar(), but we still may want other optimization on calls to foo().
It seems that compilers today don't quite provide the fine grain control
over which libcall optimizations pseudo-freestanding environments would
prefer.
Finally, Kees notes that this interface is unsafe, so we should not
encourage its use. As such, I've removed the declaration from any
header, but it still needs to be exported to avoid linkage errors in
modules.
Reported-by: Sami Tolvanen <samitolvanen@google.com>
Suggested-by: Andy Lavr <andy.lavr@gmail.com>
Suggested-by: Arvind Sankar <nivedita@alum.mit.edu>
Suggested-by: Joe Perches <joe@perches.com>
Suggested-by: Kees Cook <keescook@chromium.org>
Suggested-by: Masahiro Yamada <masahiroy@kernel.org>
Suggested-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Tested-by: Nathan Chancellor <natechancellor@gmail.com>
Cc: <stable@vger.kernel.org>
Link: https://lkml.kernel.org/r/20200914161643.938408-1-ndesaulniers@google.com
Link: https://bugs.llvm.org/show_bug.cgi?id=47162
Link: https://bugs.llvm.org/show_bug.cgi?id=47280
Link: https://github.com/ClangBuiltLinux/linux/issues/1126
Link: https://man7.org/linux/man-pages/man3/stpcpy.3.html
Link: https://pubs.opengroup.org/onlinepubs/9699919799/functions/stpcpy.html
Link: https://reviews.llvm.org/D85963
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
lib/string.c | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
--- a/lib/string.c
+++ b/lib/string.c
@@ -236,6 +236,30 @@ ssize_t strscpy(char *dest, const char *
EXPORT_SYMBOL(strscpy);
#endif
+/**
+ * stpcpy - copy a string from src to dest returning a pointer to the new end
+ * of dest, including src's %NUL-terminator. May overrun dest.
+ * @dest: pointer to end of string being copied into. Must be large enough
+ * to receive copy.
+ * @src: pointer to the beginning of string being copied from. Must not overlap
+ * dest.
+ *
+ * stpcpy differs from strcpy in a key way: the return value is a pointer
+ * to the new %NUL-terminating character in @dest. (For strcpy, the return
+ * value is a pointer to the start of @dest). This interface is considered
+ * unsafe as it doesn't perform bounds checking of the inputs. As such it's
+ * not recommended for usage. Instead, its definition is provided in case
+ * the compiler lowers other libcalls to stpcpy.
+ */
+char *stpcpy(char *__restrict__ dest, const char *__restrict__ src);
+char *stpcpy(char *__restrict__ dest, const char *__restrict__ src)
+{
+ while ((*dest++ = *src++) != '\0')
+ /* nothing */;
+ return --dest;
+}
+EXPORT_SYMBOL(stpcpy);
+
#ifndef __HAVE_ARCH_STRCAT
/**
* strcat - Append one %NUL-terminated string to another
^ permalink raw reply [flat|nested] 256+ messages in thread
* [PATCH 4.19 018/245] leds: mlxreg: Fix possible buffer overflow
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (16 preceding siblings ...)
2020-09-29 10:57 ` [PATCH 4.19 017/245] lib/string.c: implement stpcpy Greg Kroah-Hartman
@ 2020-09-29 10:57 ` Greg Kroah-Hartman
2020-09-29 10:57 ` [PATCH 4.19 019/245] PM / devfreq: tegra30: Fix integer overflow on CPUs freq max out Greg Kroah-Hartman
` (229 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:57 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Jacek Anaszewski, Pavel Machek,
Oleh Kravchenko, Sasha Levin
From: Oleh Kravchenko <oleg@kaa.org.ua>
[ Upstream commit 7c6082b903ac28dc3f383fba57c6f9e7e2594178 ]
Error was detected by PVS-Studio:
V512 A call of the 'sprintf' function will lead to overflow of
the buffer 'led_data->led_cdev_name'.
Acked-by: Jacek Anaszewski <jacek.anaszewski@gmail.com>
Acked-by: Pavel Machek <pavel@ucw.cz>
Signed-off-by: Oleh Kravchenko <oleg@kaa.org.ua>
Signed-off-by: Pavel Machek <pavel@ucw.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/leds/leds-mlxreg.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/leds/leds-mlxreg.c b/drivers/leds/leds-mlxreg.c
index 1ee48cb21df95..022e973dc7c31 100644
--- a/drivers/leds/leds-mlxreg.c
+++ b/drivers/leds/leds-mlxreg.c
@@ -209,8 +209,8 @@ static int mlxreg_led_config(struct mlxreg_led_priv_data *priv)
brightness = LED_OFF;
led_data->base_color = MLXREG_LED_GREEN_SOLID;
}
- sprintf(led_data->led_cdev_name, "%s:%s", "mlxreg",
- data->label);
+ snprintf(led_data->led_cdev_name, sizeof(led_data->led_cdev_name),
+ "mlxreg:%s", data->label);
led_cdev->name = led_data->led_cdev_name;
led_cdev->brightness = brightness;
led_cdev->max_brightness = LED_ON;
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 019/245] PM / devfreq: tegra30: Fix integer overflow on CPUs freq max out
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (17 preceding siblings ...)
2020-09-29 10:57 ` [PATCH 4.19 018/245] leds: mlxreg: Fix possible buffer overflow Greg Kroah-Hartman
@ 2020-09-29 10:57 ` Greg Kroah-Hartman
2020-09-29 10:57 ` [PATCH 4.19 020/245] scsi: fnic: fix use after free Greg Kroah-Hartman
` (228 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:57 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Chanwoo Choi, Peter Geis,
Dmitry Osipenko, Sasha Levin
From: Dmitry Osipenko <digetx@gmail.com>
[ Upstream commit 53b4b2aeee26f42cde5ff2a16dd0d8590c51a55a ]
There is another kHz-conversion bug in the code, resulting in integer
overflow. Although, this time the resulting value is 4294966296 and it's
close to ULONG_MAX, which is okay in this case.
Reviewed-by: Chanwoo Choi <cw00.choi@samsung.com>
Tested-by: Peter Geis <pgwipeout@gmail.com>
Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/devfreq/tegra-devfreq.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/devfreq/tegra-devfreq.c b/drivers/devfreq/tegra-devfreq.c
index 06768074d2d82..479d9575e1245 100644
--- a/drivers/devfreq/tegra-devfreq.c
+++ b/drivers/devfreq/tegra-devfreq.c
@@ -80,6 +80,8 @@
#define KHZ 1000
+#define KHZ_MAX (ULONG_MAX / KHZ)
+
/* Assume that the bus is saturated if the utilization is 25% */
#define BUS_SATURATION_RATIO 25
@@ -180,7 +182,7 @@ struct tegra_actmon_emc_ratio {
};
static struct tegra_actmon_emc_ratio actmon_emc_ratios[] = {
- { 1400000, ULONG_MAX },
+ { 1400000, KHZ_MAX },
{ 1200000, 750000 },
{ 1100000, 600000 },
{ 1000000, 500000 },
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 020/245] scsi: fnic: fix use after free
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (18 preceding siblings ...)
2020-09-29 10:57 ` [PATCH 4.19 019/245] PM / devfreq: tegra30: Fix integer overflow on CPUs freq max out Greg Kroah-Hartman
@ 2020-09-29 10:57 ` Greg Kroah-Hartman
2020-09-29 10:57 ` [PATCH 4.19 021/245] scsi: lpfc: Fix kernel crash at lpfc_nvme_info_show during remote port bounce Greg Kroah-Hartman
` (227 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:57 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Pan Bian, Satish Kharat,
Martin K. Petersen, Sasha Levin
From: Pan Bian <bianpan2016@163.com>
[ Upstream commit ec990306f77fd4c58c3b27cc3b3c53032d6e6670 ]
The memory chunk io_req is released by mempool_free. Accessing
io_req->start_time will result in a use after free bug. The variable
start_time is a backup of the timestamp. So, use start_time here to
avoid use after free.
Link: https://lore.kernel.org/r/1572881182-37664-1-git-send-email-bianpan2016@163.com
Signed-off-by: Pan Bian <bianpan2016@163.com>
Reviewed-by: Satish Kharat <satishkh@cisco.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/fnic/fnic_scsi.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/scsi/fnic/fnic_scsi.c b/drivers/scsi/fnic/fnic_scsi.c
index 73ffc16ec0225..b521fc7650cb9 100644
--- a/drivers/scsi/fnic/fnic_scsi.c
+++ b/drivers/scsi/fnic/fnic_scsi.c
@@ -1034,7 +1034,8 @@ static void fnic_fcpio_icmnd_cmpl_handler(struct fnic *fnic,
atomic64_inc(&fnic_stats->io_stats.io_completions);
- io_duration_time = jiffies_to_msecs(jiffies) - jiffies_to_msecs(io_req->start_time);
+ io_duration_time = jiffies_to_msecs(jiffies) -
+ jiffies_to_msecs(start_time);
if(io_duration_time <= 10)
atomic64_inc(&fnic_stats->io_stats.io_btw_0_to_10_msec);
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 021/245] scsi: lpfc: Fix kernel crash at lpfc_nvme_info_show during remote port bounce
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (19 preceding siblings ...)
2020-09-29 10:57 ` [PATCH 4.19 020/245] scsi: fnic: fix use after free Greg Kroah-Hartman
@ 2020-09-29 10:57 ` Greg Kroah-Hartman
2020-09-29 10:57 ` [PATCH 4.19 022/245] net: silence data-races on sk_backlog.tail Greg Kroah-Hartman
` (226 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:57 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Dick Kennedy, James Smart,
Martin K. Petersen, Sasha Levin
From: James Smart <jsmart2021@gmail.com>
[ Upstream commit 6c1e803eac846f886cd35131e6516fc51a8414b9 ]
When reading sysfs nvme_info file while a remote port leaves and comes
back, a NULL pointer is encountered. The issue is due to ndlp list
corruption as the the nvme_info_show does not use the same lock as the rest
of the code.
Correct by removing the rcu_xxx_lock calls and replace by the host_lock and
phba->hbaLock spinlocks that are used by the rest of the driver. Given
we're called from sysfs, we are safe to use _irq rather than _irqsave.
Link: https://lore.kernel.org/r/20191105005708.7399-4-jsmart2021@gmail.com
Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
Signed-off-by: James Smart <jsmart2021@gmail.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/lpfc/lpfc_attr.c | 35 ++++++++++++++++++-----------------
1 file changed, 18 insertions(+), 17 deletions(-)
diff --git a/drivers/scsi/lpfc/lpfc_attr.c b/drivers/scsi/lpfc/lpfc_attr.c
index fe084d47ed9e5..3447d19d4147a 100644
--- a/drivers/scsi/lpfc/lpfc_attr.c
+++ b/drivers/scsi/lpfc/lpfc_attr.c
@@ -332,7 +332,6 @@ lpfc_nvme_info_show(struct device *dev, struct device_attribute *attr,
if (strlcat(buf, "\nNVME Initiator Enabled\n", PAGE_SIZE) >= PAGE_SIZE)
goto buffer_done;
- rcu_read_lock();
scnprintf(tmp, sizeof(tmp),
"XRI Dist lpfc%d Total %d NVME %d SCSI %d ELS %d\n",
phba->brd_no,
@@ -341,7 +340,7 @@ lpfc_nvme_info_show(struct device *dev, struct device_attribute *attr,
phba->sli4_hba.scsi_xri_max,
lpfc_sli4_get_els_iocb_cnt(phba));
if (strlcat(buf, tmp, PAGE_SIZE) >= PAGE_SIZE)
- goto rcu_unlock_buf_done;
+ goto buffer_done;
/* Port state is only one of two values for now. */
if (localport->port_id)
@@ -357,7 +356,9 @@ lpfc_nvme_info_show(struct device *dev, struct device_attribute *attr,
wwn_to_u64(vport->fc_nodename.u.wwn),
localport->port_id, statep);
if (strlcat(buf, tmp, PAGE_SIZE) >= PAGE_SIZE)
- goto rcu_unlock_buf_done;
+ goto buffer_done;
+
+ spin_lock_irq(shost->host_lock);
list_for_each_entry(ndlp, &vport->fc_nodes, nlp_listp) {
nrport = NULL;
@@ -384,39 +385,39 @@ lpfc_nvme_info_show(struct device *dev, struct device_attribute *attr,
/* Tab in to show lport ownership. */
if (strlcat(buf, "NVME RPORT ", PAGE_SIZE) >= PAGE_SIZE)
- goto rcu_unlock_buf_done;
+ goto unlock_buf_done;
if (phba->brd_no >= 10) {
if (strlcat(buf, " ", PAGE_SIZE) >= PAGE_SIZE)
- goto rcu_unlock_buf_done;
+ goto unlock_buf_done;
}
scnprintf(tmp, sizeof(tmp), "WWPN x%llx ",
nrport->port_name);
if (strlcat(buf, tmp, PAGE_SIZE) >= PAGE_SIZE)
- goto rcu_unlock_buf_done;
+ goto unlock_buf_done;
scnprintf(tmp, sizeof(tmp), "WWNN x%llx ",
nrport->node_name);
if (strlcat(buf, tmp, PAGE_SIZE) >= PAGE_SIZE)
- goto rcu_unlock_buf_done;
+ goto unlock_buf_done;
scnprintf(tmp, sizeof(tmp), "DID x%06x ",
nrport->port_id);
if (strlcat(buf, tmp, PAGE_SIZE) >= PAGE_SIZE)
- goto rcu_unlock_buf_done;
+ goto unlock_buf_done;
/* An NVME rport can have multiple roles. */
if (nrport->port_role & FC_PORT_ROLE_NVME_INITIATOR) {
if (strlcat(buf, "INITIATOR ", PAGE_SIZE) >= PAGE_SIZE)
- goto rcu_unlock_buf_done;
+ goto unlock_buf_done;
}
if (nrport->port_role & FC_PORT_ROLE_NVME_TARGET) {
if (strlcat(buf, "TARGET ", PAGE_SIZE) >= PAGE_SIZE)
- goto rcu_unlock_buf_done;
+ goto unlock_buf_done;
}
if (nrport->port_role & FC_PORT_ROLE_NVME_DISCOVERY) {
if (strlcat(buf, "DISCSRVC ", PAGE_SIZE) >= PAGE_SIZE)
- goto rcu_unlock_buf_done;
+ goto unlock_buf_done;
}
if (nrport->port_role & ~(FC_PORT_ROLE_NVME_INITIATOR |
FC_PORT_ROLE_NVME_TARGET |
@@ -424,14 +425,14 @@ lpfc_nvme_info_show(struct device *dev, struct device_attribute *attr,
scnprintf(tmp, sizeof(tmp), "UNKNOWN ROLE x%x",
nrport->port_role);
if (strlcat(buf, tmp, PAGE_SIZE) >= PAGE_SIZE)
- goto rcu_unlock_buf_done;
+ goto unlock_buf_done;
}
scnprintf(tmp, sizeof(tmp), "%s\n", statep);
if (strlcat(buf, tmp, PAGE_SIZE) >= PAGE_SIZE)
- goto rcu_unlock_buf_done;
+ goto unlock_buf_done;
}
- rcu_read_unlock();
+ spin_unlock_irq(shost->host_lock);
if (!lport)
goto buffer_done;
@@ -491,11 +492,11 @@ lpfc_nvme_info_show(struct device *dev, struct device_attribute *attr,
atomic_read(&lport->cmpl_fcp_err));
strlcat(buf, tmp, PAGE_SIZE);
- /* RCU is already unlocked. */
+ /* host_lock is already unlocked. */
goto buffer_done;
- rcu_unlock_buf_done:
- rcu_read_unlock();
+ unlock_buf_done:
+ spin_unlock_irq(shost->host_lock);
buffer_done:
len = strnlen(buf, PAGE_SIZE);
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 022/245] net: silence data-races on sk_backlog.tail
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (20 preceding siblings ...)
2020-09-29 10:57 ` [PATCH 4.19 021/245] scsi: lpfc: Fix kernel crash at lpfc_nvme_info_show during remote port bounce Greg Kroah-Hartman
@ 2020-09-29 10:57 ` Greg Kroah-Hartman
2020-09-29 10:57 ` [PATCH 4.19 023/245] clk/ti/adpll: allocate room for terminating null Greg Kroah-Hartman
` (225 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:57 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Eric Dumazet, David S. Miller, Sasha Levin
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 9ed498c6280a2f2b51d02df96df53037272ede49 ]
sk->sk_backlog.tail might be read without holding the socket spinlock,
we need to add proper READ_ONCE()/WRITE_ONCE() to silence the warnings.
KCSAN reported :
BUG: KCSAN: data-race in tcp_add_backlog / tcp_recvmsg
write to 0xffff8881265109f8 of 8 bytes by interrupt on cpu 1:
__sk_add_backlog include/net/sock.h:907 [inline]
sk_add_backlog include/net/sock.h:938 [inline]
tcp_add_backlog+0x476/0xce0 net/ipv4/tcp_ipv4.c:1759
tcp_v4_rcv+0x1a70/0x1bd0 net/ipv4/tcp_ipv4.c:1947
ip_protocol_deliver_rcu+0x4d/0x420 net/ipv4/ip_input.c:204
ip_local_deliver_finish+0x110/0x140 net/ipv4/ip_input.c:231
NF_HOOK include/linux/netfilter.h:305 [inline]
NF_HOOK include/linux/netfilter.h:299 [inline]
ip_local_deliver+0x133/0x210 net/ipv4/ip_input.c:252
dst_input include/net/dst.h:442 [inline]
ip_rcv_finish+0x121/0x160 net/ipv4/ip_input.c:413
NF_HOOK include/linux/netfilter.h:305 [inline]
NF_HOOK include/linux/netfilter.h:299 [inline]
ip_rcv+0x18f/0x1a0 net/ipv4/ip_input.c:523
__netif_receive_skb_one_core+0xa7/0xe0 net/core/dev.c:4929
__netif_receive_skb+0x37/0xf0 net/core/dev.c:5043
netif_receive_skb_internal+0x59/0x190 net/core/dev.c:5133
napi_skb_finish net/core/dev.c:5596 [inline]
napi_gro_receive+0x28f/0x330 net/core/dev.c:5629
receive_buf+0x284/0x30b0 drivers/net/virtio_net.c:1061
virtnet_receive drivers/net/virtio_net.c:1323 [inline]
virtnet_poll+0x436/0x7d0 drivers/net/virtio_net.c:1428
napi_poll net/core/dev.c:6311 [inline]
net_rx_action+0x3ae/0xa90 net/core/dev.c:6379
__do_softirq+0x115/0x33f kernel/softirq.c:292
invoke_softirq kernel/softirq.c:373 [inline]
irq_exit+0xbb/0xe0 kernel/softirq.c:413
exiting_irq arch/x86/include/asm/apic.h:536 [inline]
do_IRQ+0xa6/0x180 arch/x86/kernel/irq.c:263
ret_from_intr+0x0/0x19
native_safe_halt+0xe/0x10 arch/x86/kernel/paravirt.c:71
arch_cpu_idle+0x1f/0x30 arch/x86/kernel/process.c:571
default_idle_call+0x1e/0x40 kernel/sched/idle.c:94
cpuidle_idle_call kernel/sched/idle.c:154 [inline]
do_idle+0x1af/0x280 kernel/sched/idle.c:263
cpu_startup_entry+0x1b/0x20 kernel/sched/idle.c:355
start_secondary+0x208/0x260 arch/x86/kernel/smpboot.c:264
secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:241
read to 0xffff8881265109f8 of 8 bytes by task 8057 on cpu 0:
tcp_recvmsg+0x46e/0x1b40 net/ipv4/tcp.c:2050
inet_recvmsg+0xbb/0x250 net/ipv4/af_inet.c:838
sock_recvmsg_nosec net/socket.c:871 [inline]
sock_recvmsg net/socket.c:889 [inline]
sock_recvmsg+0x92/0xb0 net/socket.c:885
sock_read_iter+0x15f/0x1e0 net/socket.c:967
call_read_iter include/linux/fs.h:1889 [inline]
new_sync_read+0x389/0x4f0 fs/read_write.c:414
__vfs_read+0xb1/0xc0 fs/read_write.c:427
vfs_read fs/read_write.c:461 [inline]
vfs_read+0x143/0x2c0 fs/read_write.c:446
ksys_read+0xd5/0x1b0 fs/read_write.c:587
__do_sys_read fs/read_write.c:597 [inline]
__se_sys_read fs/read_write.c:595 [inline]
__x64_sys_read+0x4c/0x60 fs/read_write.c:595
do_syscall_64+0xcc/0x370 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Reported by Kernel Concurrency Sanitizer on:
CPU: 0 PID: 8057 Comm: syz-fuzzer Not tainted 5.4.0-rc6+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/chelsio/chtls/chtls_io.c | 10 +++++-----
include/net/sock.h | 4 ++--
net/ipv4/tcp.c | 2 +-
net/llc/af_llc.c | 2 +-
4 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/drivers/crypto/chelsio/chtls/chtls_io.c b/drivers/crypto/chelsio/chtls/chtls_io.c
index 1e0cc96306dd7..2c1f3ddb0cc79 100644
--- a/drivers/crypto/chelsio/chtls/chtls_io.c
+++ b/drivers/crypto/chelsio/chtls/chtls_io.c
@@ -1449,7 +1449,7 @@ static int chtls_pt_recvmsg(struct sock *sk, struct msghdr *msg, size_t len,
csk->wr_max_credits))
sk->sk_write_space(sk);
- if (copied >= target && !sk->sk_backlog.tail)
+ if (copied >= target && !READ_ONCE(sk->sk_backlog.tail))
break;
if (copied) {
@@ -1482,7 +1482,7 @@ static int chtls_pt_recvmsg(struct sock *sk, struct msghdr *msg, size_t len,
break;
}
}
- if (sk->sk_backlog.tail) {
+ if (READ_ONCE(sk->sk_backlog.tail)) {
release_sock(sk);
lock_sock(sk);
chtls_cleanup_rbuf(sk, copied);
@@ -1627,7 +1627,7 @@ static int peekmsg(struct sock *sk, struct msghdr *msg,
break;
}
- if (sk->sk_backlog.tail) {
+ if (READ_ONCE(sk->sk_backlog.tail)) {
/* Do not sleep, just process backlog. */
release_sock(sk);
lock_sock(sk);
@@ -1759,7 +1759,7 @@ int chtls_recvmsg(struct sock *sk, struct msghdr *msg, size_t len,
csk->wr_max_credits))
sk->sk_write_space(sk);
- if (copied >= target && !sk->sk_backlog.tail)
+ if (copied >= target && !READ_ONCE(sk->sk_backlog.tail))
break;
if (copied) {
@@ -1790,7 +1790,7 @@ int chtls_recvmsg(struct sock *sk, struct msghdr *msg, size_t len,
}
}
- if (sk->sk_backlog.tail) {
+ if (READ_ONCE(sk->sk_backlog.tail)) {
release_sock(sk);
lock_sock(sk);
chtls_cleanup_rbuf(sk, copied);
diff --git a/include/net/sock.h b/include/net/sock.h
index 77f36257cac97..bc752237dff3f 100644
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -900,11 +900,11 @@ static inline void __sk_add_backlog(struct sock *sk, struct sk_buff *skb)
skb_dst_force(skb);
if (!sk->sk_backlog.tail)
- sk->sk_backlog.head = skb;
+ WRITE_ONCE(sk->sk_backlog.head, skb);
else
sk->sk_backlog.tail->next = skb;
- sk->sk_backlog.tail = skb;
+ WRITE_ONCE(sk->sk_backlog.tail, skb);
skb->next = NULL;
}
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 616ff2970f4fc..4ce3397e6fcf7 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -2038,7 +2038,7 @@ int tcp_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, int nonblock,
/* Well, if we have backlog, try to process it now yet. */
- if (copied >= target && !sk->sk_backlog.tail)
+ if (copied >= target && !READ_ONCE(sk->sk_backlog.tail))
break;
if (copied) {
diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c
index 6ead3c39f3566..bcba579e292ff 100644
--- a/net/llc/af_llc.c
+++ b/net/llc/af_llc.c
@@ -785,7 +785,7 @@ static int llc_ui_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
}
/* Well, if we have backlog, try to process it now yet. */
- if (copied >= target && !sk->sk_backlog.tail)
+ if (copied >= target && !READ_ONCE(sk->sk_backlog.tail))
break;
if (copied) {
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 023/245] clk/ti/adpll: allocate room for terminating null
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (21 preceding siblings ...)
2020-09-29 10:57 ` [PATCH 4.19 022/245] net: silence data-races on sk_backlog.tail Greg Kroah-Hartman
@ 2020-09-29 10:57 ` Greg Kroah-Hartman
2020-09-29 10:57 ` [PATCH 4.19 024/245] drm/amdgpu/powerplay: fix AVFS handling with custom powerplay table Greg Kroah-Hartman
` (224 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:57 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Stephen Kitt, Tony Lindgren,
Stephen Boyd, Sasha Levin
From: Stephen Kitt <steve@sk2.org>
[ Upstream commit 7f6ac72946b88b89ee44c1c527aa8591ac5ffcbe ]
The buffer allocated in ti_adpll_clk_get_name doesn't account for the
terminating null. This patch switches to devm_kasprintf to avoid
overflowing.
Signed-off-by: Stephen Kitt <steve@sk2.org>
Link: https://lkml.kernel.org/r/20191019140634.15596-1-steve@sk2.org
Acked-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/ti/adpll.c | 11 ++---------
1 file changed, 2 insertions(+), 9 deletions(-)
diff --git a/drivers/clk/ti/adpll.c b/drivers/clk/ti/adpll.c
index 688e403333b91..14926e07d09ae 100644
--- a/drivers/clk/ti/adpll.c
+++ b/drivers/clk/ti/adpll.c
@@ -193,15 +193,8 @@ static const char *ti_adpll_clk_get_name(struct ti_adpll_data *d,
if (err)
return NULL;
} else {
- const char *base_name = "adpll";
- char *buf;
-
- buf = devm_kzalloc(d->dev, 8 + 1 + strlen(base_name) + 1 +
- strlen(postfix), GFP_KERNEL);
- if (!buf)
- return NULL;
- sprintf(buf, "%08lx.%s.%s", d->pa, base_name, postfix);
- name = buf;
+ name = devm_kasprintf(d->dev, GFP_KERNEL, "%08lx.adpll.%s",
+ d->pa, postfix);
}
return name;
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 024/245] drm/amdgpu/powerplay: fix AVFS handling with custom powerplay table
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (22 preceding siblings ...)
2020-09-29 10:57 ` [PATCH 4.19 023/245] clk/ti/adpll: allocate room for terminating null Greg Kroah-Hartman
@ 2020-09-29 10:57 ` Greg Kroah-Hartman
2020-09-29 10:57 ` [PATCH 4.19 025/245] mtd: cfi_cmdset_0002: dont free cfi->cfiq in error path of cfi_amdstd_setup() Greg Kroah-Hartman
` (223 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:57 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Evan Quan, Alex Deucher, Sasha Levin
From: Alex Deucher <alexander.deucher@amd.com>
[ Upstream commit 53dbc27ad5a93932ff1892a8e4ef266827d74a0f ]
When a custom powerplay table is provided, we need to update
the OD VDDC flag to avoid AVFS being enabled when it shouldn't be.
Bug: https://bugzilla.kernel.org/show_bug.cgi?id=205393
Reviewed-by: Evan Quan <evan.quan@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/powerplay/hwmgr/vega10_hwmgr.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/gpu/drm/amd/powerplay/hwmgr/vega10_hwmgr.c b/drivers/gpu/drm/amd/powerplay/hwmgr/vega10_hwmgr.c
index ce459ea4ec3ad..da9e6923fa659 100644
--- a/drivers/gpu/drm/amd/powerplay/hwmgr/vega10_hwmgr.c
+++ b/drivers/gpu/drm/amd/powerplay/hwmgr/vega10_hwmgr.c
@@ -3591,6 +3591,13 @@ static int vega10_set_power_state_tasks(struct pp_hwmgr *hwmgr,
PP_ASSERT_WITH_CODE(!result,
"Failed to upload PPtable!", return result);
+ /*
+ * If a custom pp table is loaded, set DPMTABLE_OD_UPDATE_VDDC flag.
+ * That effectively disables AVFS feature.
+ */
+ if(hwmgr->hardcode_pp_table != NULL)
+ data->need_update_dpm_table |= DPMTABLE_OD_UPDATE_VDDC;
+
vega10_update_avfs(hwmgr);
data->need_update_dpm_table &= DPMTABLE_OD_UPDATE_VDDC;
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 025/245] mtd: cfi_cmdset_0002: dont free cfi->cfiq in error path of cfi_amdstd_setup()
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (23 preceding siblings ...)
2020-09-29 10:57 ` [PATCH 4.19 024/245] drm/amdgpu/powerplay: fix AVFS handling with custom powerplay table Greg Kroah-Hartman
@ 2020-09-29 10:57 ` Greg Kroah-Hartman
2020-09-29 10:57 ` [PATCH 4.19 026/245] mfd: mfd-core: Protect against NULL call-back function pointer Greg Kroah-Hartman
` (222 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:57 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Hou Tao, Richard Weinberger,
Vignesh Raghavendra, Sasha Levin
From: Hou Tao <houtao1@huawei.com>
[ Upstream commit 03976af89e3bd9489d542582a325892e6a8cacc0 ]
Else there may be a double-free problem, because cfi->cfiq will
be freed by mtd_do_chip_probe() if both the two invocations of
check_cmd_set() return failure.
Signed-off-by: Hou Tao <houtao1@huawei.com>
Reviewed-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Vignesh Raghavendra <vigneshr@ti.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mtd/chips/cfi_cmdset_0002.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/mtd/chips/cfi_cmdset_0002.c b/drivers/mtd/chips/cfi_cmdset_0002.c
index 1dbc9554a0786..3ab75d3e2ce32 100644
--- a/drivers/mtd/chips/cfi_cmdset_0002.c
+++ b/drivers/mtd/chips/cfi_cmdset_0002.c
@@ -727,7 +727,6 @@ static struct mtd_info *cfi_amdstd_setup(struct mtd_info *mtd)
kfree(mtd->eraseregions);
kfree(mtd);
kfree(cfi->cmdset_priv);
- kfree(cfi->cfiq);
return NULL;
}
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 026/245] mfd: mfd-core: Protect against NULL call-back function pointer
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (24 preceding siblings ...)
2020-09-29 10:57 ` [PATCH 4.19 025/245] mtd: cfi_cmdset_0002: dont free cfi->cfiq in error path of cfi_amdstd_setup() Greg Kroah-Hartman
@ 2020-09-29 10:57 ` Greg Kroah-Hartman
2020-09-29 10:57 ` [PATCH 4.19 027/245] drm/amdgpu/powerplay/smu7: fix AVFS handling with custom powerplay table Greg Kroah-Hartman
` (221 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:57 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Lee Jones, Daniel Thompson,
Mark Brown, Sasha Levin
From: Lee Jones <lee.jones@linaro.org>
[ Upstream commit b195e101580db390f50b0d587b7f66f241d2bc88 ]
If a child device calls mfd_cell_{en,dis}able() without an appropriate
call-back being set, we are likely to encounter a panic. Avoid this
by adding suitable checking.
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Reviewed-by: Daniel Thompson <daniel.thompson@linaro.org>
Reviewed-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mfd/mfd-core.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/drivers/mfd/mfd-core.c b/drivers/mfd/mfd-core.c
index 182973df1aed4..77c965c6a65f1 100644
--- a/drivers/mfd/mfd-core.c
+++ b/drivers/mfd/mfd-core.c
@@ -32,6 +32,11 @@ int mfd_cell_enable(struct platform_device *pdev)
const struct mfd_cell *cell = mfd_get_cell(pdev);
int err = 0;
+ if (!cell->enable) {
+ dev_dbg(&pdev->dev, "No .enable() call-back registered\n");
+ return 0;
+ }
+
/* only call enable hook if the cell wasn't previously enabled */
if (atomic_inc_return(cell->usage_count) == 1)
err = cell->enable(pdev);
@@ -49,6 +54,11 @@ int mfd_cell_disable(struct platform_device *pdev)
const struct mfd_cell *cell = mfd_get_cell(pdev);
int err = 0;
+ if (!cell->disable) {
+ dev_dbg(&pdev->dev, "No .disable() call-back registered\n");
+ return 0;
+ }
+
/* only disable if no other clients are using it */
if (atomic_dec_return(cell->usage_count) == 0)
err = cell->disable(pdev);
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 027/245] drm/amdgpu/powerplay/smu7: fix AVFS handling with custom powerplay table
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (25 preceding siblings ...)
2020-09-29 10:57 ` [PATCH 4.19 026/245] mfd: mfd-core: Protect against NULL call-back function pointer Greg Kroah-Hartman
@ 2020-09-29 10:57 ` Greg Kroah-Hartman
2020-09-29 10:57 ` [PATCH 4.19 028/245] tpm_crb: fix fTPM on AMD Zen+ CPUs Greg Kroah-Hartman
` (220 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:57 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Evan Quan, Alex Deucher, Sasha Levin
From: Alex Deucher <alexander.deucher@amd.com>
[ Upstream commit 901245624c7812b6c95d67177bae850e783b5212 ]
When a custom powerplay table is provided, we need to update
the OD VDDC flag to avoid AVFS being enabled when it shouldn't be.
Bug: https://bugzilla.kernel.org/show_bug.cgi?id=205393
Reviewed-by: Evan Quan <evan.quan@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/powerplay/hwmgr/smu7_hwmgr.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/gpu/drm/amd/powerplay/hwmgr/smu7_hwmgr.c b/drivers/gpu/drm/amd/powerplay/hwmgr/smu7_hwmgr.c
index 72c0a2ae2dd4f..058898b321b8a 100644
--- a/drivers/gpu/drm/amd/powerplay/hwmgr/smu7_hwmgr.c
+++ b/drivers/gpu/drm/amd/powerplay/hwmgr/smu7_hwmgr.c
@@ -3970,6 +3970,13 @@ static int smu7_set_power_state_tasks(struct pp_hwmgr *hwmgr, const void *input)
"Failed to populate and upload SCLK MCLK DPM levels!",
result = tmp_result);
+ /*
+ * If a custom pp table is loaded, set DPMTABLE_OD_UPDATE_VDDC flag.
+ * That effectively disables AVFS feature.
+ */
+ if (hwmgr->hardcode_pp_table != NULL)
+ data->need_update_smu7_dpm_table |= DPMTABLE_OD_UPDATE_VDDC;
+
tmp_result = smu7_update_avfs(hwmgr);
PP_ASSERT_WITH_CODE((0 == tmp_result),
"Failed to update avfs voltages!",
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 028/245] tpm_crb: fix fTPM on AMD Zen+ CPUs
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (26 preceding siblings ...)
2020-09-29 10:57 ` [PATCH 4.19 027/245] drm/amdgpu/powerplay/smu7: fix AVFS handling with custom powerplay table Greg Kroah-Hartman
@ 2020-09-29 10:57 ` Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 029/245] tracing: Adding NULL checks for trace_array descriptor pointer Greg Kroah-Hartman
` (219 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:57 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Ivan Lazeev, Jerry Snitselaar,
Jarkko Sakkinen, Sasha Levin
From: Ivan Lazeev <ivan.lazeev@gmail.com>
[ Upstream commit 3ef193822b25e9ee629974f66dc1ff65167f770c ]
Bug link: https://bugzilla.kernel.org/show_bug.cgi?id=195657
cmd/rsp buffers are expected to be in the same ACPI region.
For Zen+ CPUs BIOS's might report two different regions, some of
them also report region sizes inconsistent with values from TPM
registers.
Memory configuration on ASRock x470 ITX:
db0a0000-dc59efff : Reserved
dc57e000-dc57efff : MSFT0101:00
dc582000-dc582fff : MSFT0101:00
Work around the issue by storing ACPI regions declared for the
device in a fixed array and adding an array for pointers to
corresponding possibly allocated resources in crb_map_io function.
This data was previously held for a single resource
in struct crb_priv (iobase field) and local variable io_res in
crb_map_io function. ACPI resources array is used to find index of
corresponding region for each buffer and make the buffer size
consistent with region's length. Array of pointers to allocated
resources is used to map the region at most once.
Signed-off-by: Ivan Lazeev <ivan.lazeev@gmail.com>
Tested-by: Jerry Snitselaar <jsnitsel@redhat.com>
Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/char/tpm/tpm_crb.c | 123 +++++++++++++++++++++++++++----------
1 file changed, 90 insertions(+), 33 deletions(-)
diff --git a/drivers/char/tpm/tpm_crb.c b/drivers/char/tpm/tpm_crb.c
index 763fc7e6c0058..20f27100708bd 100644
--- a/drivers/char/tpm/tpm_crb.c
+++ b/drivers/char/tpm/tpm_crb.c
@@ -26,6 +26,7 @@
#include "tpm.h"
#define ACPI_SIG_TPM2 "TPM2"
+#define TPM_CRB_MAX_RESOURCES 3
static const guid_t crb_acpi_start_guid =
GUID_INIT(0x6BBF6CAB, 0x5463, 0x4714,
@@ -95,7 +96,6 @@ enum crb_status {
struct crb_priv {
u32 sm;
const char *hid;
- void __iomem *iobase;
struct crb_regs_head __iomem *regs_h;
struct crb_regs_tail __iomem *regs_t;
u8 __iomem *cmd;
@@ -438,21 +438,27 @@ static const struct tpm_class_ops tpm_crb = {
static int crb_check_resource(struct acpi_resource *ares, void *data)
{
- struct resource *io_res = data;
+ struct resource *iores_array = data;
struct resource_win win;
struct resource *res = &(win.res);
+ int i;
if (acpi_dev_resource_memory(ares, res) ||
acpi_dev_resource_address_space(ares, &win)) {
- *io_res = *res;
- io_res->name = NULL;
+ for (i = 0; i < TPM_CRB_MAX_RESOURCES + 1; ++i) {
+ if (resource_type(iores_array + i) != IORESOURCE_MEM) {
+ iores_array[i] = *res;
+ iores_array[i].name = NULL;
+ break;
+ }
+ }
}
return 1;
}
-static void __iomem *crb_map_res(struct device *dev, struct crb_priv *priv,
- struct resource *io_res, u64 start, u32 size)
+static void __iomem *crb_map_res(struct device *dev, struct resource *iores,
+ void __iomem **iobase_ptr, u64 start, u32 size)
{
struct resource new_res = {
.start = start,
@@ -464,10 +470,16 @@ static void __iomem *crb_map_res(struct device *dev, struct crb_priv *priv,
if (start != new_res.start)
return (void __iomem *) ERR_PTR(-EINVAL);
- if (!resource_contains(io_res, &new_res))
+ if (!iores)
return devm_ioremap_resource(dev, &new_res);
- return priv->iobase + (new_res.start - io_res->start);
+ if (!*iobase_ptr) {
+ *iobase_ptr = devm_ioremap_resource(dev, iores);
+ if (IS_ERR(*iobase_ptr))
+ return *iobase_ptr;
+ }
+
+ return *iobase_ptr + (new_res.start - iores->start);
}
/*
@@ -494,9 +506,13 @@ static u64 crb_fixup_cmd_size(struct device *dev, struct resource *io_res,
static int crb_map_io(struct acpi_device *device, struct crb_priv *priv,
struct acpi_table_tpm2 *buf)
{
- struct list_head resources;
- struct resource io_res;
+ struct list_head acpi_resource_list;
+ struct resource iores_array[TPM_CRB_MAX_RESOURCES + 1] = { {0} };
+ void __iomem *iobase_array[TPM_CRB_MAX_RESOURCES] = {NULL};
struct device *dev = &device->dev;
+ struct resource *iores;
+ void __iomem **iobase_ptr;
+ int i;
u32 pa_high, pa_low;
u64 cmd_pa;
u32 cmd_size;
@@ -505,21 +521,41 @@ static int crb_map_io(struct acpi_device *device, struct crb_priv *priv,
u32 rsp_size;
int ret;
- INIT_LIST_HEAD(&resources);
- ret = acpi_dev_get_resources(device, &resources, crb_check_resource,
- &io_res);
+ INIT_LIST_HEAD(&acpi_resource_list);
+ ret = acpi_dev_get_resources(device, &acpi_resource_list,
+ crb_check_resource, iores_array);
if (ret < 0)
return ret;
- acpi_dev_free_resource_list(&resources);
+ acpi_dev_free_resource_list(&acpi_resource_list);
- if (resource_type(&io_res) != IORESOURCE_MEM) {
+ if (resource_type(iores_array) != IORESOURCE_MEM) {
dev_err(dev, FW_BUG "TPM2 ACPI table does not define a memory resource\n");
return -EINVAL;
+ } else if (resource_type(iores_array + TPM_CRB_MAX_RESOURCES) ==
+ IORESOURCE_MEM) {
+ dev_warn(dev, "TPM2 ACPI table defines too many memory resources\n");
+ memset(iores_array + TPM_CRB_MAX_RESOURCES,
+ 0, sizeof(*iores_array));
+ iores_array[TPM_CRB_MAX_RESOURCES].flags = 0;
}
- priv->iobase = devm_ioremap_resource(dev, &io_res);
- if (IS_ERR(priv->iobase))
- return PTR_ERR(priv->iobase);
+ iores = NULL;
+ iobase_ptr = NULL;
+ for (i = 0; resource_type(iores_array + i) == IORESOURCE_MEM; ++i) {
+ if (buf->control_address >= iores_array[i].start &&
+ buf->control_address + sizeof(struct crb_regs_tail) - 1 <=
+ iores_array[i].end) {
+ iores = iores_array + i;
+ iobase_ptr = iobase_array + i;
+ break;
+ }
+ }
+
+ priv->regs_t = crb_map_res(dev, iores, iobase_ptr, buf->control_address,
+ sizeof(struct crb_regs_tail));
+
+ if (IS_ERR(priv->regs_t))
+ return PTR_ERR(priv->regs_t);
/* The ACPI IO region starts at the head area and continues to include
* the control area, as one nice sane region except for some older
@@ -527,9 +563,10 @@ static int crb_map_io(struct acpi_device *device, struct crb_priv *priv,
*/
if ((priv->sm == ACPI_TPM2_COMMAND_BUFFER) ||
(priv->sm == ACPI_TPM2_MEMORY_MAPPED)) {
- if (buf->control_address == io_res.start +
+ if (iores &&
+ buf->control_address == iores->start +
sizeof(*priv->regs_h))
- priv->regs_h = priv->iobase;
+ priv->regs_h = *iobase_ptr;
else
dev_warn(dev, FW_BUG "Bad ACPI memory layout");
}
@@ -538,13 +575,6 @@ static int crb_map_io(struct acpi_device *device, struct crb_priv *priv,
if (ret)
return ret;
- priv->regs_t = crb_map_res(dev, priv, &io_res, buf->control_address,
- sizeof(struct crb_regs_tail));
- if (IS_ERR(priv->regs_t)) {
- ret = PTR_ERR(priv->regs_t);
- goto out_relinquish_locality;
- }
-
/*
* PTT HW bug w/a: wake up the device to access
* possibly not retained registers.
@@ -556,13 +586,26 @@ static int crb_map_io(struct acpi_device *device, struct crb_priv *priv,
pa_high = ioread32(&priv->regs_t->ctrl_cmd_pa_high);
pa_low = ioread32(&priv->regs_t->ctrl_cmd_pa_low);
cmd_pa = ((u64)pa_high << 32) | pa_low;
- cmd_size = crb_fixup_cmd_size(dev, &io_res, cmd_pa,
- ioread32(&priv->regs_t->ctrl_cmd_size));
+ cmd_size = ioread32(&priv->regs_t->ctrl_cmd_size);
+
+ iores = NULL;
+ iobase_ptr = NULL;
+ for (i = 0; iores_array[i].end; ++i) {
+ if (cmd_pa >= iores_array[i].start &&
+ cmd_pa <= iores_array[i].end) {
+ iores = iores_array + i;
+ iobase_ptr = iobase_array + i;
+ break;
+ }
+ }
+
+ if (iores)
+ cmd_size = crb_fixup_cmd_size(dev, iores, cmd_pa, cmd_size);
dev_dbg(dev, "cmd_hi = %X cmd_low = %X cmd_size %X\n",
pa_high, pa_low, cmd_size);
- priv->cmd = crb_map_res(dev, priv, &io_res, cmd_pa, cmd_size);
+ priv->cmd = crb_map_res(dev, iores, iobase_ptr, cmd_pa, cmd_size);
if (IS_ERR(priv->cmd)) {
ret = PTR_ERR(priv->cmd);
goto out;
@@ -570,11 +613,25 @@ static int crb_map_io(struct acpi_device *device, struct crb_priv *priv,
memcpy_fromio(&__rsp_pa, &priv->regs_t->ctrl_rsp_pa, 8);
rsp_pa = le64_to_cpu(__rsp_pa);
- rsp_size = crb_fixup_cmd_size(dev, &io_res, rsp_pa,
- ioread32(&priv->regs_t->ctrl_rsp_size));
+ rsp_size = ioread32(&priv->regs_t->ctrl_rsp_size);
+
+ iores = NULL;
+ iobase_ptr = NULL;
+ for (i = 0; resource_type(iores_array + i) == IORESOURCE_MEM; ++i) {
+ if (rsp_pa >= iores_array[i].start &&
+ rsp_pa <= iores_array[i].end) {
+ iores = iores_array + i;
+ iobase_ptr = iobase_array + i;
+ break;
+ }
+ }
+
+ if (iores)
+ rsp_size = crb_fixup_cmd_size(dev, iores, rsp_pa, rsp_size);
if (cmd_pa != rsp_pa) {
- priv->rsp = crb_map_res(dev, priv, &io_res, rsp_pa, rsp_size);
+ priv->rsp = crb_map_res(dev, iores, iobase_ptr,
+ rsp_pa, rsp_size);
ret = PTR_ERR_OR_ZERO(priv->rsp);
goto out;
}
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 029/245] tracing: Adding NULL checks for trace_array descriptor pointer
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (27 preceding siblings ...)
2020-09-29 10:57 ` [PATCH 4.19 028/245] tpm_crb: fix fTPM on AMD Zen+ CPUs Greg Kroah-Hartman
@ 2020-09-29 10:58 ` Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 030/245] bcache: fix a lost wake-up problem caused by mca_cannibalize_lock Greg Kroah-Hartman
` (218 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:58 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Divya Indi, Steven Rostedt (VMware),
Sasha Levin
From: Divya Indi <divya.indi@oracle.com>
[ Upstream commit 953ae45a0c25e09428d4a03d7654f97ab8a36647 ]
As part of commit f45d1225adb0 ("tracing: Kernel access to Ftrace
instances") we exported certain functions. Here, we are adding some additional
NULL checks to ensure safe usage by users of these APIs.
Link: http://lkml.kernel.org/r/1565805327-579-4-git-send-email-divya.indi@oracle.com
Signed-off-by: Divya Indi <divya.indi@oracle.com>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/trace/trace.c | 3 +++
kernel/trace/trace_events.c | 2 ++
2 files changed, 5 insertions(+)
diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
index 4966410bb0f4d..17505a22d800b 100644
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -3037,6 +3037,9 @@ int trace_array_printk(struct trace_array *tr,
if (!(global_trace.trace_flags & TRACE_ITER_PRINTK))
return 0;
+ if (!tr)
+ return -ENOENT;
+
va_start(ap, fmt);
ret = trace_array_vprintk(tr, ip, fmt, ap);
va_end(ap);
diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c
index 27726121d332c..0fc06a7da87fb 100644
--- a/kernel/trace/trace_events.c
+++ b/kernel/trace/trace_events.c
@@ -800,6 +800,8 @@ static int ftrace_set_clr_event(struct trace_array *tr, char *buf, int set)
char *event = NULL, *sub = NULL, *match;
int ret;
+ if (!tr)
+ return -ENOENT;
/*
* The buf format can be <subsystem>:<event-name>
* *:<event-name> means any event by that name.
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 030/245] bcache: fix a lost wake-up problem caused by mca_cannibalize_lock
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (28 preceding siblings ...)
2020-09-29 10:58 ` [PATCH 4.19 029/245] tracing: Adding NULL checks for trace_array descriptor pointer Greg Kroah-Hartman
@ 2020-09-29 10:58 ` Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 031/245] dmaengine: mediatek: hsdma_probe: fixed a memory leak when devm_request_irq fails Greg Kroah-Hartman
` (217 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:58 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Guoju Fang, Coly Li, Jens Axboe, Sasha Levin
From: Guoju Fang <fangguoju@gmail.com>
[ Upstream commit 34cf78bf34d48dddddfeeadb44f9841d7864997a ]
This patch fix a lost wake-up problem caused by the race between
mca_cannibalize_lock and bch_cannibalize_unlock.
Consider two processes, A and B. Process A is executing
mca_cannibalize_lock, while process B takes c->btree_cache_alloc_lock
and is executing bch_cannibalize_unlock. The problem happens that after
process A executes cmpxchg and will execute prepare_to_wait. In this
timeslice process B executes wake_up, but after that process A executes
prepare_to_wait and set the state to TASK_INTERRUPTIBLE. Then process A
goes to sleep but no one will wake up it. This problem may cause bcache
device to dead.
Signed-off-by: Guoju Fang <fangguoju@gmail.com>
Signed-off-by: Coly Li <colyli@suse.de>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/md/bcache/bcache.h | 1 +
drivers/md/bcache/btree.c | 12 ++++++++----
drivers/md/bcache/super.c | 1 +
3 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/drivers/md/bcache/bcache.h b/drivers/md/bcache/bcache.h
index 1cc6ae3e058c6..6a380ed4919a0 100644
--- a/drivers/md/bcache/bcache.h
+++ b/drivers/md/bcache/bcache.h
@@ -585,6 +585,7 @@ struct cache_set {
*/
wait_queue_head_t btree_cache_wait;
struct task_struct *btree_cache_alloc_lock;
+ spinlock_t btree_cannibalize_lock;
/*
* When we free a btree node, we increment the gen of the bucket the
diff --git a/drivers/md/bcache/btree.c b/drivers/md/bcache/btree.c
index d320574b9a4c8..e388e7bb7b5db 100644
--- a/drivers/md/bcache/btree.c
+++ b/drivers/md/bcache/btree.c
@@ -876,15 +876,17 @@ out:
static int mca_cannibalize_lock(struct cache_set *c, struct btree_op *op)
{
- struct task_struct *old;
-
- old = cmpxchg(&c->btree_cache_alloc_lock, NULL, current);
- if (old && old != current) {
+ spin_lock(&c->btree_cannibalize_lock);
+ if (likely(c->btree_cache_alloc_lock == NULL)) {
+ c->btree_cache_alloc_lock = current;
+ } else if (c->btree_cache_alloc_lock != current) {
if (op)
prepare_to_wait(&c->btree_cache_wait, &op->wait,
TASK_UNINTERRUPTIBLE);
+ spin_unlock(&c->btree_cannibalize_lock);
return -EINTR;
}
+ spin_unlock(&c->btree_cannibalize_lock);
return 0;
}
@@ -919,10 +921,12 @@ static struct btree *mca_cannibalize(struct cache_set *c, struct btree_op *op,
*/
static void bch_cannibalize_unlock(struct cache_set *c)
{
+ spin_lock(&c->btree_cannibalize_lock);
if (c->btree_cache_alloc_lock == current) {
c->btree_cache_alloc_lock = NULL;
wake_up(&c->btree_cache_wait);
}
+ spin_unlock(&c->btree_cannibalize_lock);
}
static struct btree *mca_alloc(struct cache_set *c, struct btree_op *op,
diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.c
index 825bfde10c694..7787ec42f81e1 100644
--- a/drivers/md/bcache/super.c
+++ b/drivers/md/bcache/super.c
@@ -1737,6 +1737,7 @@ struct cache_set *bch_cache_set_alloc(struct cache_sb *sb)
sema_init(&c->sb_write_mutex, 1);
mutex_init(&c->bucket_lock);
init_waitqueue_head(&c->btree_cache_wait);
+ spin_lock_init(&c->btree_cannibalize_lock);
init_waitqueue_head(&c->bucket_wait);
init_waitqueue_head(&c->gc_wait);
sema_init(&c->uuid_write_mutex, 1);
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 031/245] dmaengine: mediatek: hsdma_probe: fixed a memory leak when devm_request_irq fails
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (29 preceding siblings ...)
2020-09-29 10:58 ` [PATCH 4.19 030/245] bcache: fix a lost wake-up problem caused by mca_cannibalize_lock Greg Kroah-Hartman
@ 2020-09-29 10:58 ` Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 032/245] RDMA/qedr: Fix potential use after free Greg Kroah-Hartman
` (216 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:58 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Satendra Singh Thakur, Vinod Koul,
Sasha Levin
From: Satendra Singh Thakur <sst2005@gmail.com>
[ Upstream commit 1ff95243257fad07290dcbc5f7a6ad79d6e703e2 ]
When devm_request_irq fails, currently, the function
dma_async_device_unregister gets called. This doesn't free
the resources allocated by of_dma_controller_register.
Therefore, we have called of_dma_controller_free for this purpose.
Signed-off-by: Satendra Singh Thakur <sst2005@gmail.com>
Link: https://lore.kernel.org/r/20191109113523.6067-1-sst2005@gmail.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/dma/mediatek/mtk-hsdma.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/dma/mediatek/mtk-hsdma.c b/drivers/dma/mediatek/mtk-hsdma.c
index b7ec56ae02a6e..fca232b1d4a64 100644
--- a/drivers/dma/mediatek/mtk-hsdma.c
+++ b/drivers/dma/mediatek/mtk-hsdma.c
@@ -997,7 +997,7 @@ static int mtk_hsdma_probe(struct platform_device *pdev)
if (err) {
dev_err(&pdev->dev,
"request_irq failed with err %d\n", err);
- goto err_unregister;
+ goto err_free;
}
platform_set_drvdata(pdev, hsdma);
@@ -1006,6 +1006,8 @@ static int mtk_hsdma_probe(struct platform_device *pdev)
return 0;
+err_free:
+ of_dma_controller_free(pdev->dev.of_node);
err_unregister:
dma_async_device_unregister(dd);
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 032/245] RDMA/qedr: Fix potential use after free
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (30 preceding siblings ...)
2020-09-29 10:58 ` [PATCH 4.19 031/245] dmaengine: mediatek: hsdma_probe: fixed a memory leak when devm_request_irq fails Greg Kroah-Hartman
@ 2020-09-29 10:58 ` Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 033/245] RDMA/i40iw: " Greg Kroah-Hartman
` (215 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:58 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Pan Bian, Michal Kalderon ,
Jason Gunthorpe, Sasha Levin
From: Pan Bian <bianpan2016@163.com>
[ Upstream commit 960657b732e1ce21b07be5ab48a7ad3913d72ba4 ]
Move the release operation after error log to avoid possible use after
free.
Link: https://lore.kernel.org/r/1573021434-18768-1-git-send-email-bianpan2016@163.com
Signed-off-by: Pan Bian <bianpan2016@163.com>
Acked-by: Michal Kalderon <michal.kalderon@marvell.com>
Reviewed-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/qedr/qedr_iw_cm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/infiniband/hw/qedr/qedr_iw_cm.c b/drivers/infiniband/hw/qedr/qedr_iw_cm.c
index 2566715773675..e908dfbaa1378 100644
--- a/drivers/infiniband/hw/qedr/qedr_iw_cm.c
+++ b/drivers/infiniband/hw/qedr/qedr_iw_cm.c
@@ -460,10 +460,10 @@ qedr_addr6_resolve(struct qedr_dev *dev,
if ((!dst) || dst->error) {
if (dst) {
- dst_release(dst);
DP_ERR(dev,
"ip6_route_output returned dst->error = %d\n",
dst->error);
+ dst_release(dst);
}
return -EINVAL;
}
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 033/245] RDMA/i40iw: Fix potential use after free
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (31 preceding siblings ...)
2020-09-29 10:58 ` [PATCH 4.19 032/245] RDMA/qedr: Fix potential use after free Greg Kroah-Hartman
@ 2020-09-29 10:58 ` Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 034/245] fix dget_parent() fastpath race Greg Kroah-Hartman
` (214 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:58 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Pan Bian, Jason Gunthorpe, Sasha Levin
From: Pan Bian <bianpan2016@163.com>
[ Upstream commit da046d5f895fca18d63b15ac8faebd5bf784e23a ]
Release variable dst after logging dst->error to avoid possible use after
free.
Link: https://lore.kernel.org/r/1573022651-37171-1-git-send-email-bianpan2016@163.com
Signed-off-by: Pan Bian <bianpan2016@163.com>
Reviewed-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/i40iw/i40iw_cm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/infiniband/hw/i40iw/i40iw_cm.c b/drivers/infiniband/hw/i40iw/i40iw_cm.c
index 4321b9e3dbb4b..0273d0404e740 100644
--- a/drivers/infiniband/hw/i40iw/i40iw_cm.c
+++ b/drivers/infiniband/hw/i40iw/i40iw_cm.c
@@ -2071,9 +2071,9 @@ static int i40iw_addr_resolve_neigh_ipv6(struct i40iw_device *iwdev,
dst = i40iw_get_dst_ipv6(&src_addr, &dst_addr);
if (!dst || dst->error) {
if (dst) {
- dst_release(dst);
i40iw_pr_err("ip6_route_output returned dst->error = %d\n",
dst->error);
+ dst_release(dst);
}
return rc;
}
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 034/245] fix dget_parent() fastpath race
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (32 preceding siblings ...)
2020-09-29 10:58 ` [PATCH 4.19 033/245] RDMA/i40iw: " Greg Kroah-Hartman
@ 2020-09-29 10:58 ` Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 035/245] xfs: fix attr leaf header freemap.size underflow Greg Kroah-Hartman
` (213 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:58 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Al Viro, Sasha Levin
From: Al Viro <viro@zeniv.linux.org.uk>
[ Upstream commit e84009336711d2bba885fc9cea66348ddfce3758 ]
We are overoptimistic about taking the fast path there; seeing
the same value in ->d_parent after having grabbed a reference
to that parent does *not* mean that it has remained our parent
all along.
That wouldn't be a big deal (in the end it is our parent and
we have grabbed the reference we are about to return), but...
the situation with barriers is messed up.
We might have hit the following sequence:
d is a dentry of /tmp/a/b
CPU1: CPU2:
parent = d->d_parent (i.e. dentry of /tmp/a)
rename /tmp/a/b to /tmp/b
rmdir /tmp/a, making its dentry negative
grab reference to parent,
end up with cached parent->d_inode (NULL)
mkdir /tmp/a, rename /tmp/b to /tmp/a/b
recheck d->d_parent, which is back to original
decide that everything's fine and return the reference we'd got.
The trouble is, caller (on CPU1) will observe dget_parent()
returning an apparently negative dentry. It actually is positive,
but CPU1 has stale ->d_inode cached.
Use d->d_seq to see if it has been moved instead of rechecking ->d_parent.
NOTE: we are *NOT* going to retry on any kind of ->d_seq mismatch;
we just go into the slow path in such case. We don't wait for ->d_seq
to become even either - again, if we are racing with renames, we
can bloody well go to slow path anyway.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/dcache.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/fs/dcache.c b/fs/dcache.c
index 6e0022326afe3..20370a0997bf9 100644
--- a/fs/dcache.c
+++ b/fs/dcache.c
@@ -864,17 +864,19 @@ struct dentry *dget_parent(struct dentry *dentry)
{
int gotref;
struct dentry *ret;
+ unsigned seq;
/*
* Do optimistic parent lookup without any
* locking.
*/
rcu_read_lock();
+ seq = raw_seqcount_begin(&dentry->d_seq);
ret = READ_ONCE(dentry->d_parent);
gotref = lockref_get_not_zero(&ret->d_lockref);
rcu_read_unlock();
if (likely(gotref)) {
- if (likely(ret == READ_ONCE(dentry->d_parent)))
+ if (!read_seqcount_retry(&dentry->d_seq, seq))
return ret;
dput(ret);
}
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 035/245] xfs: fix attr leaf header freemap.size underflow
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (33 preceding siblings ...)
2020-09-29 10:58 ` [PATCH 4.19 034/245] fix dget_parent() fastpath race Greg Kroah-Hartman
@ 2020-09-29 10:58 ` Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 036/245] RDMA/iw_cgxb4: Fix an error handling path in c4iw_connect() Greg Kroah-Hartman
` (212 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:58 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Brian Foster, Darrick J. Wong, Sasha Levin
From: Brian Foster <bfoster@redhat.com>
[ Upstream commit 2a2b5932db67586bacc560cc065d62faece5b996 ]
The leaf format xattr addition helper xfs_attr3_leaf_add_work()
adjusts the block freemap in a couple places. The first update drops
the size of the freemap that the caller had already selected to
place the xattr name/value data. Before the function returns, it
also checks whether the entries array has encroached on a freemap
range by virtue of the new entry addition. This is necessary because
the entries array grows from the start of the block (but end of the
block header) towards the end of the block while the name/value data
grows from the end of the block in the opposite direction. If the
associated freemap is already empty, however, size is zero and the
subtraction underflows the field and causes corruption.
This is reproduced rarely by generic/070. The observed behavior is
that a smaller sized freemap is aligned to the end of the entries
list, several subsequent xattr additions land in larger freemaps and
the entries list expands into the smaller freemap until it is fully
consumed and then underflows. Note that it is not otherwise a
corruption for the entries array to consume an empty freemap because
the nameval list (i.e. the firstused pointer in the xattr header)
starts beyond the end of the corrupted freemap.
Update the freemap size modification to account for the fact that
the freemap entry can be empty and thus stale.
Signed-off-by: Brian Foster <bfoster@redhat.com>
Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/xfs/libxfs/xfs_attr_leaf.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/fs/xfs/libxfs/xfs_attr_leaf.c b/fs/xfs/libxfs/xfs_attr_leaf.c
index bd37f4a292c3b..efb586ea508bf 100644
--- a/fs/xfs/libxfs/xfs_attr_leaf.c
+++ b/fs/xfs/libxfs/xfs_attr_leaf.c
@@ -1438,7 +1438,9 @@ xfs_attr3_leaf_add_work(
for (i = 0; i < XFS_ATTR_LEAF_MAPSIZE; i++) {
if (ichdr->freemap[i].base == tmp) {
ichdr->freemap[i].base += sizeof(xfs_attr_leaf_entry_t);
- ichdr->freemap[i].size -= sizeof(xfs_attr_leaf_entry_t);
+ ichdr->freemap[i].size -=
+ min_t(uint16_t, ichdr->freemap[i].size,
+ sizeof(xfs_attr_leaf_entry_t));
}
}
ichdr->usedbytes += xfs_attr_leaf_entsize(leaf, args->index);
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 036/245] RDMA/iw_cgxb4: Fix an error handling path in c4iw_connect()
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (34 preceding siblings ...)
2020-09-29 10:58 ` [PATCH 4.19 035/245] xfs: fix attr leaf header freemap.size underflow Greg Kroah-Hartman
@ 2020-09-29 10:58 ` Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 037/245] ubi: Fix producing anchor PEBs Greg Kroah-Hartman
` (211 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:58 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Christophe JAILLET, Jason Gunthorpe,
Sasha Levin
From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
[ Upstream commit 9067f2f0b41d7e817fc8c5259bab1f17512b0147 ]
We should jump to fail3 in order to undo the 'xa_insert_irq()' call.
Link: https://lore.kernel.org/r/20190923190746.10964-1-christophe.jaillet@wanadoo.fr
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/cxgb4/cm.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/infiniband/hw/cxgb4/cm.c b/drivers/infiniband/hw/cxgb4/cm.c
index 16145b0a14583..3fd3dfa3478b7 100644
--- a/drivers/infiniband/hw/cxgb4/cm.c
+++ b/drivers/infiniband/hw/cxgb4/cm.c
@@ -3293,7 +3293,7 @@ int c4iw_connect(struct iw_cm_id *cm_id, struct iw_cm_conn_param *conn_param)
if (raddr->sin_addr.s_addr == htonl(INADDR_ANY)) {
err = pick_local_ipaddrs(dev, cm_id);
if (err)
- goto fail2;
+ goto fail3;
}
/* find a route */
@@ -3315,7 +3315,7 @@ int c4iw_connect(struct iw_cm_id *cm_id, struct iw_cm_conn_param *conn_param)
if (ipv6_addr_type(&raddr6->sin6_addr) == IPV6_ADDR_ANY) {
err = pick_local_ip6addrs(dev, cm_id);
if (err)
- goto fail2;
+ goto fail3;
}
/* find a route */
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 037/245] ubi: Fix producing anchor PEBs
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (35 preceding siblings ...)
2020-09-29 10:58 ` [PATCH 4.19 036/245] RDMA/iw_cgxb4: Fix an error handling path in c4iw_connect() Greg Kroah-Hartman
@ 2020-09-29 10:58 ` Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 038/245] mmc: core: Fix size overflow for mmc partitions Greg Kroah-Hartman
` (210 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:58 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Sascha Hauer, Richard Weinberger,
Sasha Levin
From: Sascha Hauer <s.hauer@pengutronix.de>
[ Upstream commit f9c34bb529975fe9f85b870a80c53a83a3c5a182 ]
When a new fastmap is about to be written UBI must make sure it has a
free block for a fastmap anchor available. For this ubi_update_fastmap()
calls ubi_ensure_anchor_pebs(). This stopped working with 2e8f08deabbc
("ubi: Fix races around ubi_refill_pools()"), with this commit the wear
leveling code is blocked and can no longer produce free PEBs. UBI then
more often than not falls back to write the new fastmap anchor to the
same block it was already on which means the same erase block gets
erased during each fastmap write and wears out quite fast.
As the locking prevents us from producing the anchor PEB when we
actually need it, this patch changes the strategy for creating the
anchor PEB. We no longer create it on demand right before we want to
write a fastmap, but instead we create an anchor PEB right after we have
written a fastmap. This gives us enough time to produce a new anchor PEB
before it is needed. To make sure we have an anchor PEB for the very
first fastmap write we call ubi_ensure_anchor_pebs() during
initialisation as well.
Fixes: 2e8f08deabbc ("ubi: Fix races around ubi_refill_pools()")
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mtd/ubi/fastmap-wl.c | 31 ++++++++++++++++++-------------
drivers/mtd/ubi/fastmap.c | 14 +++++---------
drivers/mtd/ubi/ubi.h | 6 ++++--
drivers/mtd/ubi/wl.c | 32 ++++++++++++++------------------
drivers/mtd/ubi/wl.h | 1 -
5 files changed, 41 insertions(+), 43 deletions(-)
diff --git a/drivers/mtd/ubi/fastmap-wl.c b/drivers/mtd/ubi/fastmap-wl.c
index 98f7d6be8d1fc..13efebb400225 100644
--- a/drivers/mtd/ubi/fastmap-wl.c
+++ b/drivers/mtd/ubi/fastmap-wl.c
@@ -66,18 +66,6 @@ static void return_unused_pool_pebs(struct ubi_device *ubi,
}
}
-static int anchor_pebs_available(struct rb_root *root)
-{
- struct rb_node *p;
- struct ubi_wl_entry *e;
-
- ubi_rb_for_each_entry(p, e, root, u.rb)
- if (e->pnum < UBI_FM_MAX_START)
- return 1;
-
- return 0;
-}
-
/**
* ubi_wl_get_fm_peb - find a physical erase block with a given maximal number.
* @ubi: UBI device description object
@@ -286,8 +274,26 @@ static struct ubi_wl_entry *get_peb_for_wl(struct ubi_device *ubi)
int ubi_ensure_anchor_pebs(struct ubi_device *ubi)
{
struct ubi_work *wrk;
+ struct ubi_wl_entry *anchor;
spin_lock(&ubi->wl_lock);
+
+ /* Do we already have an anchor? */
+ if (ubi->fm_anchor) {
+ spin_unlock(&ubi->wl_lock);
+ return 0;
+ }
+
+ /* See if we can find an anchor PEB on the list of free PEBs */
+ anchor = ubi_wl_get_fm_peb(ubi, 1);
+ if (anchor) {
+ ubi->fm_anchor = anchor;
+ spin_unlock(&ubi->wl_lock);
+ return 0;
+ }
+
+ /* No luck, trigger wear leveling to produce a new anchor PEB */
+ ubi->fm_do_produce_anchor = 1;
if (ubi->wl_scheduled) {
spin_unlock(&ubi->wl_lock);
return 0;
@@ -303,7 +309,6 @@ int ubi_ensure_anchor_pebs(struct ubi_device *ubi)
return -ENOMEM;
}
- wrk->anchor = 1;
wrk->func = &wear_leveling_worker;
__schedule_ubi_work(ubi, wrk);
return 0;
diff --git a/drivers/mtd/ubi/fastmap.c b/drivers/mtd/ubi/fastmap.c
index 8e292992f84c7..b88ef875236cc 100644
--- a/drivers/mtd/ubi/fastmap.c
+++ b/drivers/mtd/ubi/fastmap.c
@@ -1552,14 +1552,6 @@ int ubi_update_fastmap(struct ubi_device *ubi)
return 0;
}
- ret = ubi_ensure_anchor_pebs(ubi);
- if (ret) {
- up_write(&ubi->fm_eba_sem);
- up_write(&ubi->work_sem);
- up_write(&ubi->fm_protect);
- return ret;
- }
-
new_fm = kzalloc(sizeof(*new_fm), GFP_KERNEL);
if (!new_fm) {
up_write(&ubi->fm_eba_sem);
@@ -1630,7 +1622,8 @@ int ubi_update_fastmap(struct ubi_device *ubi)
}
spin_lock(&ubi->wl_lock);
- tmp_e = ubi_wl_get_fm_peb(ubi, 1);
+ tmp_e = ubi->fm_anchor;
+ ubi->fm_anchor = NULL;
spin_unlock(&ubi->wl_lock);
if (old_fm) {
@@ -1682,6 +1675,9 @@ out_unlock:
up_write(&ubi->work_sem);
up_write(&ubi->fm_protect);
kfree(old_fm);
+
+ ubi_ensure_anchor_pebs(ubi);
+
return ret;
err:
diff --git a/drivers/mtd/ubi/ubi.h b/drivers/mtd/ubi/ubi.h
index d47b9e436e673..d248ec371cc17 100644
--- a/drivers/mtd/ubi/ubi.h
+++ b/drivers/mtd/ubi/ubi.h
@@ -504,6 +504,8 @@ struct ubi_debug_info {
* @fm_work: fastmap work queue
* @fm_work_scheduled: non-zero if fastmap work was scheduled
* @fast_attach: non-zero if UBI was attached by fastmap
+ * @fm_anchor: The next anchor PEB to use for fastmap
+ * @fm_do_produce_anchor: If true produce an anchor PEB in wl
*
* @used: RB-tree of used physical eraseblocks
* @erroneous: RB-tree of erroneous used physical eraseblocks
@@ -612,6 +614,8 @@ struct ubi_device {
struct work_struct fm_work;
int fm_work_scheduled;
int fast_attach;
+ struct ubi_wl_entry *fm_anchor;
+ int fm_do_produce_anchor;
/* Wear-leveling sub-system's stuff */
struct rb_root used;
@@ -802,7 +806,6 @@ struct ubi_attach_info {
* @vol_id: the volume ID on which this erasure is being performed
* @lnum: the logical eraseblock number
* @torture: if the physical eraseblock has to be tortured
- * @anchor: produce a anchor PEB to by used by fastmap
*
* The @func pointer points to the worker function. If the @shutdown argument is
* not zero, the worker has to free the resources and exit immediately as the
@@ -818,7 +821,6 @@ struct ubi_work {
int vol_id;
int lnum;
int torture;
- int anchor;
};
#include "debug.h"
diff --git a/drivers/mtd/ubi/wl.c b/drivers/mtd/ubi/wl.c
index 6f2ac865ff05e..80d64d7e7a8be 100644
--- a/drivers/mtd/ubi/wl.c
+++ b/drivers/mtd/ubi/wl.c
@@ -331,13 +331,6 @@ static struct ubi_wl_entry *find_wl_entry(struct ubi_device *ubi,
}
}
- /* If no fastmap has been written and this WL entry can be used
- * as anchor PEB, hold it back and return the second best WL entry
- * such that fastmap can use the anchor PEB later. */
- if (prev_e && !ubi->fm_disabled &&
- !ubi->fm && e->pnum < UBI_FM_MAX_START)
- return prev_e;
-
return e;
}
@@ -648,9 +641,6 @@ static int wear_leveling_worker(struct ubi_device *ubi, struct ubi_work *wrk,
{
int err, scrubbing = 0, torture = 0, protect = 0, erroneous = 0;
int erase = 0, keep = 0, vol_id = -1, lnum = -1;
-#ifdef CONFIG_MTD_UBI_FASTMAP
- int anchor = wrk->anchor;
-#endif
struct ubi_wl_entry *e1, *e2;
struct ubi_vid_io_buf *vidb;
struct ubi_vid_hdr *vid_hdr;
@@ -690,11 +680,7 @@ static int wear_leveling_worker(struct ubi_device *ubi, struct ubi_work *wrk,
}
#ifdef CONFIG_MTD_UBI_FASTMAP
- /* Check whether we need to produce an anchor PEB */
- if (!anchor)
- anchor = !anchor_pebs_available(&ubi->free);
-
- if (anchor) {
+ if (ubi->fm_do_produce_anchor) {
e1 = find_anchor_wl_entry(&ubi->used);
if (!e1)
goto out_cancel;
@@ -705,6 +691,7 @@ static int wear_leveling_worker(struct ubi_device *ubi, struct ubi_work *wrk,
self_check_in_wl_tree(ubi, e1, &ubi->used);
rb_erase(&e1->u.rb, &ubi->used);
dbg_wl("anchor-move PEB %d to PEB %d", e1->pnum, e2->pnum);
+ ubi->fm_do_produce_anchor = 0;
} else if (!ubi->scrub.rb_node) {
#else
if (!ubi->scrub.rb_node) {
@@ -1037,7 +1024,6 @@ static int ensure_wear_leveling(struct ubi_device *ubi, int nested)
goto out_cancel;
}
- wrk->anchor = 0;
wrk->func = &wear_leveling_worker;
if (nested)
__schedule_ubi_work(ubi, wrk);
@@ -1079,8 +1065,15 @@ static int __erase_worker(struct ubi_device *ubi, struct ubi_work *wl_wrk)
err = sync_erase(ubi, e, wl_wrk->torture);
if (!err) {
spin_lock(&ubi->wl_lock);
- wl_tree_add(e, &ubi->free);
- ubi->free_count++;
+
+ if (!ubi->fm_anchor && e->pnum < UBI_FM_MAX_START) {
+ ubi->fm_anchor = e;
+ ubi->fm_do_produce_anchor = 0;
+ } else {
+ wl_tree_add(e, &ubi->free);
+ ubi->free_count++;
+ }
+
spin_unlock(&ubi->wl_lock);
/*
@@ -1724,6 +1717,9 @@ int ubi_wl_init(struct ubi_device *ubi, struct ubi_attach_info *ai)
if (err)
goto out_free;
+#ifdef CONFIG_MTD_UBI_FASTMAP
+ ubi_ensure_anchor_pebs(ubi);
+#endif
return 0;
out_free:
diff --git a/drivers/mtd/ubi/wl.h b/drivers/mtd/ubi/wl.h
index a9e2d669acd81..c93a532937863 100644
--- a/drivers/mtd/ubi/wl.h
+++ b/drivers/mtd/ubi/wl.h
@@ -2,7 +2,6 @@
#ifndef UBI_WL_H
#define UBI_WL_H
#ifdef CONFIG_MTD_UBI_FASTMAP
-static int anchor_pebs_available(struct rb_root *root);
static void update_fastmap_work_fn(struct work_struct *wrk);
static struct ubi_wl_entry *find_anchor_wl_entry(struct rb_root *root);
static struct ubi_wl_entry *get_peb_for_wl(struct ubi_device *ubi);
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 038/245] mmc: core: Fix size overflow for mmc partitions
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (36 preceding siblings ...)
2020-09-29 10:58 ` [PATCH 4.19 037/245] ubi: Fix producing anchor PEBs Greg Kroah-Hartman
@ 2020-09-29 10:58 ` Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 039/245] gfs2: clean up iopen glock mess in gfs2_create_inode Greg Kroah-Hartman
` (209 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:58 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Bradley Bolen, Ulf Hansson, Sasha Levin
From: Bradley Bolen <bradleybolen@gmail.com>
[ Upstream commit f3d7c2292d104519195fdb11192daec13229c219 ]
With large eMMC cards, it is possible to create general purpose
partitions that are bigger than 4GB. The size member of the mmc_part
struct is only an unsigned int which overflows for gp partitions larger
than 4GB. Change this to a u64 to handle the overflow.
Signed-off-by: Bradley Bolen <bradleybolen@gmail.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mmc/core/mmc.c | 9 ++++-----
include/linux/mmc/card.h | 2 +-
2 files changed, 5 insertions(+), 6 deletions(-)
diff --git a/drivers/mmc/core/mmc.c b/drivers/mmc/core/mmc.c
index 5ca53e225382d..4b18034537f53 100644
--- a/drivers/mmc/core/mmc.c
+++ b/drivers/mmc/core/mmc.c
@@ -300,7 +300,7 @@ static void mmc_manage_enhanced_area(struct mmc_card *card, u8 *ext_csd)
}
}
-static void mmc_part_add(struct mmc_card *card, unsigned int size,
+static void mmc_part_add(struct mmc_card *card, u64 size,
unsigned int part_cfg, char *name, int idx, bool ro,
int area_type)
{
@@ -316,7 +316,7 @@ static void mmc_manage_gp_partitions(struct mmc_card *card, u8 *ext_csd)
{
int idx;
u8 hc_erase_grp_sz, hc_wp_grp_sz;
- unsigned int part_size;
+ u64 part_size;
/*
* General purpose partition feature support --
@@ -346,8 +346,7 @@ static void mmc_manage_gp_partitions(struct mmc_card *card, u8 *ext_csd)
(ext_csd[EXT_CSD_GP_SIZE_MULT + idx * 3 + 1]
<< 8) +
ext_csd[EXT_CSD_GP_SIZE_MULT + idx * 3];
- part_size *= (size_t)(hc_erase_grp_sz *
- hc_wp_grp_sz);
+ part_size *= (hc_erase_grp_sz * hc_wp_grp_sz);
mmc_part_add(card, part_size << 19,
EXT_CSD_PART_CONFIG_ACC_GP0 + idx,
"gp%d", idx, false,
@@ -365,7 +364,7 @@ static void mmc_manage_gp_partitions(struct mmc_card *card, u8 *ext_csd)
static int mmc_decode_ext_csd(struct mmc_card *card, u8 *ext_csd)
{
int err = 0, idx;
- unsigned int part_size;
+ u64 part_size;
struct device_node *np;
bool broken_hpi = false;
diff --git a/include/linux/mmc/card.h b/include/linux/mmc/card.h
index 8ef330027b134..3f8e84a80b4ad 100644
--- a/include/linux/mmc/card.h
+++ b/include/linux/mmc/card.h
@@ -227,7 +227,7 @@ struct mmc_queue_req;
* MMC Physical partitions
*/
struct mmc_part {
- unsigned int size; /* partition size (in bytes) */
+ u64 size; /* partition size (in bytes) */
unsigned int part_cfg; /* partition type */
char name[MAX_MMC_PART_NAME_LEN];
bool force_ro; /* to make boot parts RO by default */
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 039/245] gfs2: clean up iopen glock mess in gfs2_create_inode
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (37 preceding siblings ...)
2020-09-29 10:58 ` [PATCH 4.19 038/245] mmc: core: Fix size overflow for mmc partitions Greg Kroah-Hartman
@ 2020-09-29 10:58 ` Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 040/245] scsi: pm80xx: Cleanup command when a reset times out Greg Kroah-Hartman
` (208 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:58 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Bob Peterson, Andreas Gruenbacher,
Sasha Levin
From: Bob Peterson <rpeterso@redhat.com>
[ Upstream commit 2c47c1be51fbded1f7baa2ceaed90f97932f79be ]
Before this patch, gfs2_create_inode had a use-after-free for the
iopen glock in some error paths because it did this:
gfs2_glock_put(io_gl);
fail_gunlock2:
if (io_gl)
clear_bit(GLF_INODE_CREATING, &io_gl->gl_flags);
In some cases, the io_gl was used for create and only had one
reference, so the glock might be freed before the clear_bit().
This patch tries to straighten it out by only jumping to the
error paths where iopen is properly set, and moving the
gfs2_glock_put after the clear_bit.
Signed-off-by: Bob Peterson <rpeterso@redhat.com>
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/gfs2/inode.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/fs/gfs2/inode.c b/fs/gfs2/inode.c
index d968b5c5df217..a52b8b0dceeb9 100644
--- a/fs/gfs2/inode.c
+++ b/fs/gfs2/inode.c
@@ -715,7 +715,7 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
error = gfs2_trans_begin(sdp, blocks, 0);
if (error)
- goto fail_gunlock2;
+ goto fail_free_inode;
if (blocks > 1) {
ip->i_eattr = ip->i_no_addr + 1;
@@ -726,7 +726,7 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
error = gfs2_glock_get(sdp, ip->i_no_addr, &gfs2_iopen_glops, CREATE, &io_gl);
if (error)
- goto fail_gunlock2;
+ goto fail_free_inode;
BUG_ON(test_and_set_bit(GLF_INODE_CREATING, &io_gl->gl_flags));
@@ -735,7 +735,6 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
goto fail_gunlock2;
glock_set_object(ip->i_iopen_gh.gh_gl, ip);
- gfs2_glock_put(io_gl);
gfs2_set_iop(inode);
insert_inode_hash(inode);
@@ -768,6 +767,8 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
mark_inode_dirty(inode);
d_instantiate(dentry, inode);
+ /* After instantiate, errors should result in evict which will destroy
+ * both inode and iopen glocks properly. */
if (file) {
file->f_mode |= FMODE_CREATED;
error = finish_open(file, dentry, gfs2_open_common);
@@ -775,15 +776,15 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
gfs2_glock_dq_uninit(ghs);
gfs2_glock_dq_uninit(ghs + 1);
clear_bit(GLF_INODE_CREATING, &io_gl->gl_flags);
+ gfs2_glock_put(io_gl);
return error;
fail_gunlock3:
glock_clear_object(io_gl, ip);
gfs2_glock_dq_uninit(&ip->i_iopen_gh);
- gfs2_glock_put(io_gl);
fail_gunlock2:
- if (io_gl)
- clear_bit(GLF_INODE_CREATING, &io_gl->gl_flags);
+ clear_bit(GLF_INODE_CREATING, &io_gl->gl_flags);
+ gfs2_glock_put(io_gl);
fail_free_inode:
if (ip->i_gl) {
glock_clear_object(ip->i_gl, ip);
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 040/245] scsi: pm80xx: Cleanup command when a reset times out
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (38 preceding siblings ...)
2020-09-29 10:58 ` [PATCH 4.19 039/245] gfs2: clean up iopen glock mess in gfs2_create_inode Greg Kroah-Hartman
@ 2020-09-29 10:58 ` Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 041/245] debugfs: Fix !DEBUG_FS debugfs_create_automount Greg Kroah-Hartman
` (207 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:58 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Jack Wang, peter chang, Deepak Ukey,
Viswas G, Martin K. Petersen, Sasha Levin
From: peter chang <dpf@google.com>
[ Upstream commit 51c1c5f6ed64c2b65a8cf89dac136273d25ca540 ]
Added the fix so the if driver properly sent the abort it tries to remove
it from the firmware's list of outstanding commands regardless of the abort
status. This means that the task gets freed 'now' rather than possibly
getting freed later when the scsi layer thinks it's leaked but still valid.
Link: https://lore.kernel.org/r/20191114100910.6153-10-deepak.ukey@microchip.com
Acked-by: Jack Wang <jinpu.wang@cloud.ionos.com>
Signed-off-by: peter chang <dpf@google.com>
Signed-off-by: Deepak Ukey <deepak.ukey@microchip.com>
Signed-off-by: Viswas G <Viswas.G@microchip.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/pm8001/pm8001_sas.c | 50 +++++++++++++++++++++++---------
1 file changed, 37 insertions(+), 13 deletions(-)
diff --git a/drivers/scsi/pm8001/pm8001_sas.c b/drivers/scsi/pm8001/pm8001_sas.c
index ba79b37d8cf7e..5becdde3ea324 100644
--- a/drivers/scsi/pm8001/pm8001_sas.c
+++ b/drivers/scsi/pm8001/pm8001_sas.c
@@ -1184,8 +1184,8 @@ int pm8001_abort_task(struct sas_task *task)
pm8001_ha = pm8001_find_ha_by_dev(dev);
device_id = pm8001_dev->device_id;
phy_id = pm8001_dev->attached_phy;
- rc = pm8001_find_tag(task, &tag);
- if (rc == 0) {
+ ret = pm8001_find_tag(task, &tag);
+ if (ret == 0) {
pm8001_printk("no tag for task:%p\n", task);
return TMF_RESP_FUNC_FAILED;
}
@@ -1223,26 +1223,50 @@ int pm8001_abort_task(struct sas_task *task)
/* 2. Send Phy Control Hard Reset */
reinit_completion(&completion);
+ phy->port_reset_status = PORT_RESET_TMO;
phy->reset_success = false;
phy->enable_completion = &completion;
phy->reset_completion = &completion_reset;
ret = PM8001_CHIP_DISP->phy_ctl_req(pm8001_ha, phy_id,
PHY_HARD_RESET);
- if (ret)
- goto out;
- PM8001_MSG_DBG(pm8001_ha,
- pm8001_printk("Waiting for local phy ctl\n"));
- wait_for_completion(&completion);
- if (!phy->reset_success)
+ if (ret) {
+ phy->enable_completion = NULL;
+ phy->reset_completion = NULL;
goto out;
+ }
- /* 3. Wait for Port Reset complete / Port reset TMO */
+ /* In the case of the reset timeout/fail we still
+ * abort the command at the firmware. The assumption
+ * here is that the drive is off doing something so
+ * that it's not processing requests, and we want to
+ * avoid getting a completion for this and either
+ * leaking the task in libsas or losing the race and
+ * getting a double free.
+ */
PM8001_MSG_DBG(pm8001_ha,
+ pm8001_printk("Waiting for local phy ctl\n"));
+ ret = wait_for_completion_timeout(&completion,
+ PM8001_TASK_TIMEOUT * HZ);
+ if (!ret || !phy->reset_success) {
+ phy->enable_completion = NULL;
+ phy->reset_completion = NULL;
+ } else {
+ /* 3. Wait for Port Reset complete or
+ * Port reset TMO
+ */
+ PM8001_MSG_DBG(pm8001_ha,
pm8001_printk("Waiting for Port reset\n"));
- wait_for_completion(&completion_reset);
- if (phy->port_reset_status) {
- pm8001_dev_gone_notify(dev);
- goto out;
+ ret = wait_for_completion_timeout(
+ &completion_reset,
+ PM8001_TASK_TIMEOUT * HZ);
+ if (!ret)
+ phy->reset_completion = NULL;
+ WARN_ON(phy->port_reset_status ==
+ PORT_RESET_TMO);
+ if (phy->port_reset_status == PORT_RESET_TMO) {
+ pm8001_dev_gone_notify(dev);
+ goto out;
+ }
}
/*
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 041/245] debugfs: Fix !DEBUG_FS debugfs_create_automount
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (39 preceding siblings ...)
2020-09-29 10:58 ` [PATCH 4.19 040/245] scsi: pm80xx: Cleanup command when a reset times out Greg Kroah-Hartman
@ 2020-09-29 10:58 ` Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 042/245] CIFS: Properly process SMB3 lease breaks Greg Kroah-Hartman
` (206 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:58 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Kusanagi Kouichi, Sasha Levin
From: Kusanagi Kouichi <slash@ac.auone-net.jp>
[ Upstream commit 4250b047039d324e0ff65267c8beb5bad5052a86 ]
If DEBUG_FS=n, compile fails with the following error:
kernel/trace/trace.c: In function 'tracing_init_dentry':
kernel/trace/trace.c:8658:9: error: passing argument 3 of 'debugfs_create_automount' from incompatible pointer type [-Werror=incompatible-pointer-types]
8658 | trace_automount, NULL);
| ^~~~~~~~~~~~~~~
| |
| struct vfsmount * (*)(struct dentry *, void *)
In file included from kernel/trace/trace.c:24:
./include/linux/debugfs.h:206:25: note: expected 'struct vfsmount * (*)(void *)' but argument is of type 'struct vfsmount * (*)(struct dentry *, void *)'
206 | struct vfsmount *(*f)(void *),
| ~~~~~~~~~~~~~~~~~~~^~~~~~~~~~
Signed-off-by: Kusanagi Kouichi <slash@ac.auone-net.jp>
Link: https://lore.kernel.org/r/20191121102021787.MLMY.25002.ppp.dion.ne.jp@dmta0003.auone-net.jp
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/debugfs.h | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/include/linux/debugfs.h b/include/linux/debugfs.h
index 3b0ba54cc4d5b..3bc1034c57e66 100644
--- a/include/linux/debugfs.h
+++ b/include/linux/debugfs.h
@@ -54,6 +54,8 @@ static const struct file_operations __fops = { \
.llseek = no_llseek, \
}
+typedef struct vfsmount *(*debugfs_automount_t)(struct dentry *, void *);
+
#if defined(CONFIG_DEBUG_FS)
struct dentry *debugfs_lookup(const char *name, struct dentry *parent);
@@ -75,7 +77,6 @@ struct dentry *debugfs_create_dir(const char *name, struct dentry *parent);
struct dentry *debugfs_create_symlink(const char *name, struct dentry *parent,
const char *dest);
-typedef struct vfsmount *(*debugfs_automount_t)(struct dentry *, void *);
struct dentry *debugfs_create_automount(const char *name,
struct dentry *parent,
debugfs_automount_t f,
@@ -204,7 +205,7 @@ static inline struct dentry *debugfs_create_symlink(const char *name,
static inline struct dentry *debugfs_create_automount(const char *name,
struct dentry *parent,
- struct vfsmount *(*f)(void *),
+ debugfs_automount_t f,
void *data)
{
return ERR_PTR(-ENODEV);
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 042/245] CIFS: Properly process SMB3 lease breaks
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (40 preceding siblings ...)
2020-09-29 10:58 ` [PATCH 4.19 041/245] debugfs: Fix !DEBUG_FS debugfs_create_automount Greg Kroah-Hartman
@ 2020-09-29 10:58 ` Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 043/245] ASoC: max98090: remove msleep in PLL unlocked workaround Greg Kroah-Hartman
` (205 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:58 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Pavel Shilovsky, Steve French, Sasha Levin
From: Pavel Shilovsky <pshilov@microsoft.com>
[ Upstream commit 9bd4540836684013aaad6070a65d6fcdd9006625 ]
Currenly we doesn't assume that a server may break a lease
from RWH to RW which causes us setting a wrong lease state
on a file and thus mistakenly flushing data and byte-range
locks and purging cached data on the client. This leads to
performance degradation because subsequent IOs go directly
to the server.
Fix this by propagating new lease state and epoch values
to the oplock break handler through cifsFileInfo structure
and removing the use of cifsInodeInfo flags for that. It
allows to avoid some races of several lease/oplock breaks
using those flags in parallel.
Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/cifs/cifsglob.h | 9 ++++++---
fs/cifs/file.c | 10 +++++++---
fs/cifs/misc.c | 17 +++--------------
fs/cifs/smb1ops.c | 8 +++-----
fs/cifs/smb2misc.c | 32 +++++++-------------------------
fs/cifs/smb2ops.c | 44 ++++++++++++++++++++++++++++++--------------
fs/cifs/smb2pdu.h | 2 +-
7 files changed, 57 insertions(+), 65 deletions(-)
diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h
index 71c2dd0c7f038..2c632793c88c5 100644
--- a/fs/cifs/cifsglob.h
+++ b/fs/cifs/cifsglob.h
@@ -259,8 +259,9 @@ struct smb_version_operations {
int (*check_message)(char *, unsigned int, struct TCP_Server_Info *);
bool (*is_oplock_break)(char *, struct TCP_Server_Info *);
int (*handle_cancelled_mid)(char *, struct TCP_Server_Info *);
- void (*downgrade_oplock)(struct TCP_Server_Info *,
- struct cifsInodeInfo *, bool);
+ void (*downgrade_oplock)(struct TCP_Server_Info *server,
+ struct cifsInodeInfo *cinode, __u32 oplock,
+ unsigned int epoch, bool *purge_cache);
/* process transaction2 response */
bool (*check_trans2)(struct mid_q_entry *, struct TCP_Server_Info *,
char *, int);
@@ -1160,6 +1161,8 @@ struct cifsFileInfo {
unsigned int f_flags;
bool invalidHandle:1; /* file closed via session abend */
bool oplock_break_cancelled:1;
+ unsigned int oplock_epoch; /* epoch from the lease break */
+ __u32 oplock_level; /* oplock/lease level from the lease break */
int count;
spinlock_t file_info_lock; /* protects four flag/count fields above */
struct mutex fh_mutex; /* prevents reopen race after dead ses*/
@@ -1300,7 +1303,7 @@ struct cifsInodeInfo {
unsigned int epoch; /* used to track lease state changes */
#define CIFS_INODE_PENDING_OPLOCK_BREAK (0) /* oplock break in progress */
#define CIFS_INODE_PENDING_WRITERS (1) /* Writes in progress */
-#define CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2 (2) /* Downgrade oplock to L2 */
+#define CIFS_INODE_FLAG_UNUSED (2) /* Unused flag */
#define CIFS_INO_DELETE_PENDING (3) /* delete pending on server */
#define CIFS_INO_INVALID_MAPPING (4) /* pagecache is invalid */
#define CIFS_INO_LOCK (5) /* lock bit for synchronization */
diff --git a/fs/cifs/file.c b/fs/cifs/file.c
index 128cbd69911b4..e78b52c582f18 100644
--- a/fs/cifs/file.c
+++ b/fs/cifs/file.c
@@ -4185,12 +4185,13 @@ void cifs_oplock_break(struct work_struct *work)
struct cifs_tcon *tcon = tlink_tcon(cfile->tlink);
struct TCP_Server_Info *server = tcon->ses->server;
int rc = 0;
+ bool purge_cache = false;
wait_on_bit(&cinode->flags, CIFS_INODE_PENDING_WRITERS,
TASK_UNINTERRUPTIBLE);
- server->ops->downgrade_oplock(server, cinode,
- test_bit(CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2, &cinode->flags));
+ server->ops->downgrade_oplock(server, cinode, cfile->oplock_level,
+ cfile->oplock_epoch, &purge_cache);
if (!CIFS_CACHE_WRITE(cinode) && CIFS_CACHE_READ(cinode) &&
cifs_has_mand_locks(cinode)) {
@@ -4205,18 +4206,21 @@ void cifs_oplock_break(struct work_struct *work)
else
break_lease(inode, O_WRONLY);
rc = filemap_fdatawrite(inode->i_mapping);
- if (!CIFS_CACHE_READ(cinode)) {
+ if (!CIFS_CACHE_READ(cinode) || purge_cache) {
rc = filemap_fdatawait(inode->i_mapping);
mapping_set_error(inode->i_mapping, rc);
cifs_zap_mapping(inode);
}
cifs_dbg(FYI, "Oplock flush inode %p rc %d\n", inode, rc);
+ if (CIFS_CACHE_WRITE(cinode))
+ goto oplock_break_ack;
}
rc = cifs_push_locks(cfile);
if (rc)
cifs_dbg(VFS, "Push locks rc = %d\n", rc);
+oplock_break_ack:
/*
* releasing stale oplock after recent reconnect of smb session using
* a now incorrect file handle is not a data integrity issue but do
diff --git a/fs/cifs/misc.c b/fs/cifs/misc.c
index e45f8e321371c..dd67f56ea61e5 100644
--- a/fs/cifs/misc.c
+++ b/fs/cifs/misc.c
@@ -477,21 +477,10 @@ is_valid_oplock_break(char *buffer, struct TCP_Server_Info *srv)
set_bit(CIFS_INODE_PENDING_OPLOCK_BREAK,
&pCifsInode->flags);
- /*
- * Set flag if the server downgrades the oplock
- * to L2 else clear.
- */
- if (pSMB->OplockLevel)
- set_bit(
- CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2,
- &pCifsInode->flags);
- else
- clear_bit(
- CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2,
- &pCifsInode->flags);
-
- cifs_queue_oplock_break(netfile);
+ netfile->oplock_epoch = 0;
+ netfile->oplock_level = pSMB->OplockLevel;
netfile->oplock_break_cancelled = false;
+ cifs_queue_oplock_break(netfile);
spin_unlock(&tcon->open_file_lock);
spin_unlock(&cifs_tcp_ses_lock);
diff --git a/fs/cifs/smb1ops.c b/fs/cifs/smb1ops.c
index c7f0c85664425..0b7f924512848 100644
--- a/fs/cifs/smb1ops.c
+++ b/fs/cifs/smb1ops.c
@@ -381,12 +381,10 @@ coalesce_t2(char *second_buf, struct smb_hdr *target_hdr)
static void
cifs_downgrade_oplock(struct TCP_Server_Info *server,
- struct cifsInodeInfo *cinode, bool set_level2)
+ struct cifsInodeInfo *cinode, __u32 oplock,
+ unsigned int epoch, bool *purge_cache)
{
- if (set_level2)
- cifs_set_oplock_level(cinode, OPLOCK_READ);
- else
- cifs_set_oplock_level(cinode, 0);
+ cifs_set_oplock_level(cinode, oplock);
}
static bool
diff --git a/fs/cifs/smb2misc.c b/fs/cifs/smb2misc.c
index 2fc96f7923ee5..7d875a47d0226 100644
--- a/fs/cifs/smb2misc.c
+++ b/fs/cifs/smb2misc.c
@@ -550,7 +550,7 @@ smb2_tcon_has_lease(struct cifs_tcon *tcon, struct smb2_lease_break *rsp)
cifs_dbg(FYI, "found in the open list\n");
cifs_dbg(FYI, "lease key match, lease break 0x%x\n",
- le32_to_cpu(rsp->NewLeaseState));
+ lease_state);
if (ack_req)
cfile->oplock_break_cancelled = false;
@@ -559,17 +559,8 @@ smb2_tcon_has_lease(struct cifs_tcon *tcon, struct smb2_lease_break *rsp)
set_bit(CIFS_INODE_PENDING_OPLOCK_BREAK, &cinode->flags);
- /*
- * Set or clear flags depending on the lease state being READ.
- * HANDLE caching flag should be added when the client starts
- * to defer closing remote file handles with HANDLE leases.
- */
- if (lease_state & SMB2_LEASE_READ_CACHING_HE)
- set_bit(CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2,
- &cinode->flags);
- else
- clear_bit(CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2,
- &cinode->flags);
+ cfile->oplock_epoch = le16_to_cpu(rsp->Epoch);
+ cfile->oplock_level = lease_state;
cifs_queue_oplock_break(cfile);
return true;
@@ -599,7 +590,7 @@ smb2_tcon_find_pending_open_lease(struct cifs_tcon *tcon,
cifs_dbg(FYI, "found in the pending open list\n");
cifs_dbg(FYI, "lease key match, lease break 0x%x\n",
- le32_to_cpu(rsp->NewLeaseState));
+ lease_state);
open->oplock = lease_state;
}
@@ -732,18 +723,9 @@ smb2_is_valid_oplock_break(char *buffer, struct TCP_Server_Info *server)
set_bit(CIFS_INODE_PENDING_OPLOCK_BREAK,
&cinode->flags);
- /*
- * Set flag if the server downgrades the oplock
- * to L2 else clear.
- */
- if (rsp->OplockLevel)
- set_bit(
- CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2,
- &cinode->flags);
- else
- clear_bit(
- CIFS_INODE_DOWNGRADE_OPLOCK_TO_L2,
- &cinode->flags);
+ cfile->oplock_epoch = 0;
+ cfile->oplock_level = rsp->OplockLevel;
+
spin_unlock(&cfile->file_info_lock);
cifs_queue_oplock_break(cfile);
diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
index 2a523139a05fb..947a40069d246 100644
--- a/fs/cifs/smb2ops.c
+++ b/fs/cifs/smb2ops.c
@@ -2358,22 +2358,38 @@ static long smb3_fallocate(struct file *file, struct cifs_tcon *tcon, int mode,
static void
smb2_downgrade_oplock(struct TCP_Server_Info *server,
- struct cifsInodeInfo *cinode, bool set_level2)
+ struct cifsInodeInfo *cinode, __u32 oplock,
+ unsigned int epoch, bool *purge_cache)
{
- if (set_level2)
- server->ops->set_oplock_level(cinode, SMB2_OPLOCK_LEVEL_II,
- 0, NULL);
- else
- server->ops->set_oplock_level(cinode, 0, 0, NULL);
+ server->ops->set_oplock_level(cinode, oplock, 0, NULL);
}
static void
-smb21_downgrade_oplock(struct TCP_Server_Info *server,
- struct cifsInodeInfo *cinode, bool set_level2)
+smb21_set_oplock_level(struct cifsInodeInfo *cinode, __u32 oplock,
+ unsigned int epoch, bool *purge_cache);
+
+static void
+smb3_downgrade_oplock(struct TCP_Server_Info *server,
+ struct cifsInodeInfo *cinode, __u32 oplock,
+ unsigned int epoch, bool *purge_cache)
{
- server->ops->set_oplock_level(cinode,
- set_level2 ? SMB2_LEASE_READ_CACHING_HE :
- 0, 0, NULL);
+ unsigned int old_state = cinode->oplock;
+ unsigned int old_epoch = cinode->epoch;
+ unsigned int new_state;
+
+ if (epoch > old_epoch) {
+ smb21_set_oplock_level(cinode, oplock, 0, NULL);
+ cinode->epoch = epoch;
+ }
+
+ new_state = cinode->oplock;
+ *purge_cache = false;
+
+ if ((old_state & CIFS_CACHE_READ_FLG) != 0 &&
+ (new_state & CIFS_CACHE_READ_FLG) == 0)
+ *purge_cache = true;
+ else if (old_state == new_state && (epoch - old_epoch > 1))
+ *purge_cache = true;
}
static void
@@ -3449,7 +3465,7 @@ struct smb_version_operations smb21_operations = {
.print_stats = smb2_print_stats,
.is_oplock_break = smb2_is_valid_oplock_break,
.handle_cancelled_mid = smb2_handle_cancelled_mid,
- .downgrade_oplock = smb21_downgrade_oplock,
+ .downgrade_oplock = smb2_downgrade_oplock,
.need_neg = smb2_need_neg,
.negotiate = smb2_negotiate,
.negotiate_wsize = smb2_negotiate_wsize,
@@ -3546,7 +3562,7 @@ struct smb_version_operations smb30_operations = {
.dump_share_caps = smb2_dump_share_caps,
.is_oplock_break = smb2_is_valid_oplock_break,
.handle_cancelled_mid = smb2_handle_cancelled_mid,
- .downgrade_oplock = smb21_downgrade_oplock,
+ .downgrade_oplock = smb3_downgrade_oplock,
.need_neg = smb2_need_neg,
.negotiate = smb2_negotiate,
.negotiate_wsize = smb2_negotiate_wsize,
@@ -3651,7 +3667,7 @@ struct smb_version_operations smb311_operations = {
.dump_share_caps = smb2_dump_share_caps,
.is_oplock_break = smb2_is_valid_oplock_break,
.handle_cancelled_mid = smb2_handle_cancelled_mid,
- .downgrade_oplock = smb21_downgrade_oplock,
+ .downgrade_oplock = smb3_downgrade_oplock,
.need_neg = smb2_need_neg,
.negotiate = smb2_negotiate,
.negotiate_wsize = smb2_negotiate_wsize,
diff --git a/fs/cifs/smb2pdu.h b/fs/cifs/smb2pdu.h
index 308c682fa4d3b..44501f8cbd75e 100644
--- a/fs/cifs/smb2pdu.h
+++ b/fs/cifs/smb2pdu.h
@@ -1209,7 +1209,7 @@ struct smb2_oplock_break {
struct smb2_lease_break {
struct smb2_sync_hdr sync_hdr;
__le16 StructureSize; /* Must be 44 */
- __le16 Reserved;
+ __le16 Epoch;
__le32 Flags;
__u8 LeaseKey[16];
__le32 CurrentLeaseState;
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 043/245] ASoC: max98090: remove msleep in PLL unlocked workaround
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (41 preceding siblings ...)
2020-09-29 10:58 ` [PATCH 4.19 042/245] CIFS: Properly process SMB3 lease breaks Greg Kroah-Hartman
@ 2020-09-29 10:58 ` Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 044/245] kernel/sys.c: avoid copying possible padding bytes in copy_to_user Greg Kroah-Hartman
` (204 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:58 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Tzung-Bi Shih, Pierre-Louis Bossart,
Mark Brown, Sasha Levin
From: Tzung-Bi Shih <tzungbi@google.com>
[ Upstream commit acb874a7c049ec49d8fc66c893170fb42c01bdf7 ]
It was observed Baytrail-based chromebooks could cause continuous PLL
unlocked when using playback stream and capture stream simultaneously.
Specifically, starting a capture stream after started a playback stream.
As a result, the audio data could corrupt or turn completely silent.
As the datasheet suggested, the maximum PLL lock time should be 7 msec.
The workaround resets the codec softly by toggling SHDN off and on if
PLL failed to lock for 10 msec. Notably, there is no suggested hold
time for SHDN off.
On Baytrail-based chromebooks, it would easily happen continuous PLL
unlocked if there is a 10 msec delay between SHDN off and on. Removes
the msleep().
Signed-off-by: Tzung-Bi Shih <tzungbi@google.com>
Link: https://lore.kernel.org/r/20191122073114.219945-2-tzungbi@google.com
Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/codecs/max98090.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/sound/soc/codecs/max98090.c b/sound/soc/codecs/max98090.c
index 89b6e187ac235..a5b0c40ee545f 100644
--- a/sound/soc/codecs/max98090.c
+++ b/sound/soc/codecs/max98090.c
@@ -2130,10 +2130,16 @@ static void max98090_pll_work(struct max98090_priv *max98090)
dev_info_ratelimited(component->dev, "PLL unlocked\n");
+ /*
+ * As the datasheet suggested, the maximum PLL lock time should be
+ * 7 msec. The workaround resets the codec softly by toggling SHDN
+ * off and on if PLL failed to lock for 10 msec. Notably, there is
+ * no suggested hold time for SHDN off.
+ */
+
/* Toggle shutdown OFF then ON */
snd_soc_component_update_bits(component, M98090_REG_DEVICE_SHUTDOWN,
M98090_SHDNN_MASK, 0);
- msleep(10);
snd_soc_component_update_bits(component, M98090_REG_DEVICE_SHUTDOWN,
M98090_SHDNN_MASK, M98090_SHDNN_MASK);
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 044/245] kernel/sys.c: avoid copying possible padding bytes in copy_to_user
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (42 preceding siblings ...)
2020-09-29 10:58 ` [PATCH 4.19 043/245] ASoC: max98090: remove msleep in PLL unlocked workaround Greg Kroah-Hartman
@ 2020-09-29 10:58 ` Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 045/245] KVM: arm/arm64: vgic: Fix potential double free dist->spis in __kvm_vgic_destroy() Greg Kroah-Hartman
` (203 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:58 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Joe Perches, Dan Carpenter,
Julia Lawall, Thomas Gleixner, Kees Cook, Andrew Morton,
Linus Torvalds, Sasha Levin
From: Joe Perches <joe@perches.com>
[ Upstream commit 5e1aada08cd19ea652b2d32a250501d09b02ff2e ]
Initialization is not guaranteed to zero padding bytes so use an
explicit memset instead to avoid leaking any kernel content in any
possible padding bytes.
Link: http://lkml.kernel.org/r/dfa331c00881d61c8ee51577a082d8bebd61805c.camel@perches.com
Signed-off-by: Joe Perches <joe@perches.com>
Cc: Dan Carpenter <error27@gmail.com>
Cc: Julia Lawall <julia.lawall@lip6.fr>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Kees Cook <keescook@chromium.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/sys.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/kernel/sys.c b/kernel/sys.c
index 096932a450466..baf60a3aa34b7 100644
--- a/kernel/sys.c
+++ b/kernel/sys.c
@@ -1275,11 +1275,13 @@ SYSCALL_DEFINE1(uname, struct old_utsname __user *, name)
SYSCALL_DEFINE1(olduname, struct oldold_utsname __user *, name)
{
- struct oldold_utsname tmp = {};
+ struct oldold_utsname tmp;
if (!name)
return -EFAULT;
+ memset(&tmp, 0, sizeof(tmp));
+
down_read(&uts_sem);
memcpy(&tmp.sysname, &utsname()->sysname, __OLD_UTS_LEN);
memcpy(&tmp.nodename, &utsname()->nodename, __OLD_UTS_LEN);
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 045/245] KVM: arm/arm64: vgic: Fix potential double free dist->spis in __kvm_vgic_destroy()
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (43 preceding siblings ...)
2020-09-29 10:58 ` [PATCH 4.19 044/245] kernel/sys.c: avoid copying possible padding bytes in copy_to_user Greg Kroah-Hartman
@ 2020-09-29 10:58 ` Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 046/245] xfs: fix log reservation overflows when allocating large rt extents Greg Kroah-Hartman
` (202 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:58 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Miaohe Lin, Marc Zyngier, Eric Auger,
Sasha Levin
From: Miaohe Lin <linmiaohe@huawei.com>
[ Upstream commit 0bda9498dd45280e334bfe88b815ebf519602cc3 ]
In kvm_vgic_dist_init() called from kvm_vgic_map_resources(), if
dist->vgic_model is invalid, dist->spis will be freed without set
dist->spis = NULL. And in vgicv2 resources clean up path,
__kvm_vgic_destroy() will be called to free allocated resources.
And dist->spis will be freed again in clean up chain because we
forget to set dist->spis = NULL in kvm_vgic_dist_init() failed
path. So double free would happen.
Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Link: https://lore.kernel.org/r/1574923128-19956-1-git-send-email-linmiaohe@huawei.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
virt/kvm/arm/vgic/vgic-init.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/virt/kvm/arm/vgic/vgic-init.c b/virt/kvm/arm/vgic/vgic-init.c
index cd75df25fe140..2fc1777da50d2 100644
--- a/virt/kvm/arm/vgic/vgic-init.c
+++ b/virt/kvm/arm/vgic/vgic-init.c
@@ -187,6 +187,7 @@ static int kvm_vgic_dist_init(struct kvm *kvm, unsigned int nr_spis)
break;
default:
kfree(dist->spis);
+ dist->spis = NULL;
return -EINVAL;
}
}
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 046/245] xfs: fix log reservation overflows when allocating large rt extents
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (44 preceding siblings ...)
2020-09-29 10:58 ` [PATCH 4.19 045/245] KVM: arm/arm64: vgic: Fix potential double free dist->spis in __kvm_vgic_destroy() Greg Kroah-Hartman
@ 2020-09-29 10:58 ` Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 047/245] neigh_stat_seq_next() should increase position index Greg Kroah-Hartman
` (201 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:58 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Omar Sandoval, Darrick J. Wong,
Brian Foster, Sasha Levin
From: Darrick J. Wong <darrick.wong@oracle.com>
[ Upstream commit b1de6fc7520fe12949c070af0e8c0e4044cd3420 ]
Omar Sandoval reported that a 4G fallocate on the realtime device causes
filesystem shutdowns due to a log reservation overflow that happens when
we log the rtbitmap updates. Factor rtbitmap/rtsummary updates into the
the tr_write and tr_itruncate log reservation calculation.
"The following reproducer results in a transaction log overrun warning
for me:
mkfs.xfs -f -r rtdev=/dev/vdc -d rtinherit=1 -m reflink=0 /dev/vdb
mount -o rtdev=/dev/vdc /dev/vdb /mnt
fallocate -l 4G /mnt/foo
Reported-by: Omar Sandoval <osandov@osandov.com>
Tested-by: Omar Sandoval <osandov@osandov.com>
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/xfs/libxfs/xfs_trans_resv.c | 96 +++++++++++++++++++++++++++-------
1 file changed, 77 insertions(+), 19 deletions(-)
diff --git a/fs/xfs/libxfs/xfs_trans_resv.c b/fs/xfs/libxfs/xfs_trans_resv.c
index f99a7aefe4184..2b3cc5a8ced1b 100644
--- a/fs/xfs/libxfs/xfs_trans_resv.c
+++ b/fs/xfs/libxfs/xfs_trans_resv.c
@@ -197,6 +197,24 @@ xfs_calc_inode_chunk_res(
return res;
}
+/*
+ * Per-extent log reservation for the btree changes involved in freeing or
+ * allocating a realtime extent. We have to be able to log as many rtbitmap
+ * blocks as needed to mark inuse MAXEXTLEN blocks' worth of realtime extents,
+ * as well as the realtime summary block.
+ */
+unsigned int
+xfs_rtalloc_log_count(
+ struct xfs_mount *mp,
+ unsigned int num_ops)
+{
+ unsigned int blksz = XFS_FSB_TO_B(mp, 1);
+ unsigned int rtbmp_bytes;
+
+ rtbmp_bytes = (MAXEXTLEN / mp->m_sb.sb_rextsize) / NBBY;
+ return (howmany(rtbmp_bytes, blksz) + 1) * num_ops;
+}
+
/*
* Various log reservation values.
*
@@ -219,13 +237,21 @@ xfs_calc_inode_chunk_res(
/*
* In a write transaction we can allocate a maximum of 2
- * extents. This gives:
+ * extents. This gives (t1):
* the inode getting the new extents: inode size
* the inode's bmap btree: max depth * block size
* the agfs of the ags from which the extents are allocated: 2 * sector
* the superblock free block counter: sector size
* the allocation btrees: 2 exts * 2 trees * (2 * max depth - 1) * block size
- * And the bmap_finish transaction can free bmap blocks in a join:
+ * Or, if we're writing to a realtime file (t2):
+ * the inode getting the new extents: inode size
+ * the inode's bmap btree: max depth * block size
+ * the agfs of the ags from which the extents are allocated: 2 * sector
+ * the superblock free block counter: sector size
+ * the realtime bitmap: ((MAXEXTLEN / rtextsize) / NBBY) bytes
+ * the realtime summary: 1 block
+ * the allocation btrees: 2 trees * (2 * max depth - 1) * block size
+ * And the bmap_finish transaction can free bmap blocks in a join (t3):
* the agfs of the ags containing the blocks: 2 * sector size
* the agfls of the ags containing the blocks: 2 * sector size
* the super block free block counter: sector size
@@ -235,40 +261,72 @@ STATIC uint
xfs_calc_write_reservation(
struct xfs_mount *mp)
{
- return XFS_DQUOT_LOGRES(mp) +
- max((xfs_calc_inode_res(mp, 1) +
+ unsigned int t1, t2, t3;
+ unsigned int blksz = XFS_FSB_TO_B(mp, 1);
+
+ t1 = xfs_calc_inode_res(mp, 1) +
+ xfs_calc_buf_res(XFS_BM_MAXLEVELS(mp, XFS_DATA_FORK), blksz) +
+ xfs_calc_buf_res(3, mp->m_sb.sb_sectsize) +
+ xfs_calc_buf_res(xfs_allocfree_log_count(mp, 2), blksz);
+
+ if (xfs_sb_version_hasrealtime(&mp->m_sb)) {
+ t2 = xfs_calc_inode_res(mp, 1) +
xfs_calc_buf_res(XFS_BM_MAXLEVELS(mp, XFS_DATA_FORK),
- XFS_FSB_TO_B(mp, 1)) +
+ blksz) +
xfs_calc_buf_res(3, mp->m_sb.sb_sectsize) +
- xfs_calc_buf_res(xfs_allocfree_log_count(mp, 2),
- XFS_FSB_TO_B(mp, 1))),
- (xfs_calc_buf_res(5, mp->m_sb.sb_sectsize) +
- xfs_calc_buf_res(xfs_allocfree_log_count(mp, 2),
- XFS_FSB_TO_B(mp, 1))));
+ xfs_calc_buf_res(xfs_rtalloc_log_count(mp, 1), blksz) +
+ xfs_calc_buf_res(xfs_allocfree_log_count(mp, 1), blksz);
+ } else {
+ t2 = 0;
+ }
+
+ t3 = xfs_calc_buf_res(5, mp->m_sb.sb_sectsize) +
+ xfs_calc_buf_res(xfs_allocfree_log_count(mp, 2), blksz);
+
+ return XFS_DQUOT_LOGRES(mp) + max3(t1, t2, t3);
}
/*
- * In truncating a file we free up to two extents at once. We can modify:
+ * In truncating a file we free up to two extents at once. We can modify (t1):
* the inode being truncated: inode size
* the inode's bmap btree: (max depth + 1) * block size
- * And the bmap_finish transaction can free the blocks and bmap blocks:
+ * And the bmap_finish transaction can free the blocks and bmap blocks (t2):
* the agf for each of the ags: 4 * sector size
* the agfl for each of the ags: 4 * sector size
* the super block to reflect the freed blocks: sector size
* worst case split in allocation btrees per extent assuming 4 extents:
* 4 exts * 2 trees * (2 * max depth - 1) * block size
+ * Or, if it's a realtime file (t3):
+ * the agf for each of the ags: 2 * sector size
+ * the agfl for each of the ags: 2 * sector size
+ * the super block to reflect the freed blocks: sector size
+ * the realtime bitmap: 2 exts * ((MAXEXTLEN / rtextsize) / NBBY) bytes
+ * the realtime summary: 2 exts * 1 block
+ * worst case split in allocation btrees per extent assuming 2 extents:
+ * 2 exts * 2 trees * (2 * max depth - 1) * block size
*/
STATIC uint
xfs_calc_itruncate_reservation(
struct xfs_mount *mp)
{
- return XFS_DQUOT_LOGRES(mp) +
- max((xfs_calc_inode_res(mp, 1) +
- xfs_calc_buf_res(XFS_BM_MAXLEVELS(mp, XFS_DATA_FORK) + 1,
- XFS_FSB_TO_B(mp, 1))),
- (xfs_calc_buf_res(9, mp->m_sb.sb_sectsize) +
- xfs_calc_buf_res(xfs_allocfree_log_count(mp, 4),
- XFS_FSB_TO_B(mp, 1))));
+ unsigned int t1, t2, t3;
+ unsigned int blksz = XFS_FSB_TO_B(mp, 1);
+
+ t1 = xfs_calc_inode_res(mp, 1) +
+ xfs_calc_buf_res(XFS_BM_MAXLEVELS(mp, XFS_DATA_FORK) + 1, blksz);
+
+ t2 = xfs_calc_buf_res(9, mp->m_sb.sb_sectsize) +
+ xfs_calc_buf_res(xfs_allocfree_log_count(mp, 4), blksz);
+
+ if (xfs_sb_version_hasrealtime(&mp->m_sb)) {
+ t3 = xfs_calc_buf_res(5, mp->m_sb.sb_sectsize) +
+ xfs_calc_buf_res(xfs_rtalloc_log_count(mp, 2), blksz) +
+ xfs_calc_buf_res(xfs_allocfree_log_count(mp, 2), blksz);
+ } else {
+ t3 = 0;
+ }
+
+ return XFS_DQUOT_LOGRES(mp) + max3(t1, t2, t3);
}
/*
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 047/245] neigh_stat_seq_next() should increase position index
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (45 preceding siblings ...)
2020-09-29 10:58 ` [PATCH 4.19 046/245] xfs: fix log reservation overflows when allocating large rt extents Greg Kroah-Hartman
@ 2020-09-29 10:58 ` Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 048/245] rt_cpu_seq_next " Greg Kroah-Hartman
` (200 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:58 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Vasily Averin, David S. Miller, Sasha Levin
From: Vasily Averin <vvs@virtuozzo.com>
[ Upstream commit 1e3f9f073c47bee7c23e77316b07bc12338c5bba ]
if seq_file .next fuction does not change position index,
read after some lseek can generate unexpected output.
https://bugzilla.kernel.org/show_bug.cgi?id=206283
Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/neighbour.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/core/neighbour.c b/net/core/neighbour.c
index bf738ec68cb53..6e890f51b7d86 100644
--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -2844,6 +2844,7 @@ static void *neigh_stat_seq_next(struct seq_file *seq, void *v, loff_t *pos)
*pos = cpu+1;
return per_cpu_ptr(tbl->stats, cpu);
}
+ (*pos)++;
return NULL;
}
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 048/245] rt_cpu_seq_next should increase position index
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (46 preceding siblings ...)
2020-09-29 10:58 ` [PATCH 4.19 047/245] neigh_stat_seq_next() should increase position index Greg Kroah-Hartman
@ 2020-09-29 10:58 ` Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 049/245] ipv6_route_seq_next " Greg Kroah-Hartman
` (199 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:58 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Vasily Averin, David S. Miller, Sasha Levin
From: Vasily Averin <vvs@virtuozzo.com>
[ Upstream commit a3ea86739f1bc7e121d921842f0f4a8ab1af94d9 ]
if seq_file .next fuction does not change position index,
read after some lseek can generate unexpected output.
https://bugzilla.kernel.org/show_bug.cgi?id=206283
Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/route.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 84de87b7eedcd..3db428242b22d 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -274,6 +274,7 @@ static void *rt_cpu_seq_next(struct seq_file *seq, void *v, loff_t *pos)
*pos = cpu+1;
return &per_cpu(rt_cache_stat, cpu);
}
+ (*pos)++;
return NULL;
}
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 049/245] ipv6_route_seq_next should increase position index
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (47 preceding siblings ...)
2020-09-29 10:58 ` [PATCH 4.19 048/245] rt_cpu_seq_next " Greg Kroah-Hartman
@ 2020-09-29 10:58 ` Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 050/245] seqlock: Require WRITE_ONCE surrounding raw_seqcount_barrier Greg Kroah-Hartman
` (198 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:58 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Vasily Averin, David S. Miller, Sasha Levin
From: Vasily Averin <vvs@virtuozzo.com>
[ Upstream commit 4fc427e0515811250647d44de38d87d7b0e0790f ]
if seq_file .next fuction does not change position index,
read after some lseek can generate unexpected output.
https://bugzilla.kernel.org/show_bug.cgi?id=206283
Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv6/ip6_fib.c | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c
index 05a206202e23d..b924941b96a31 100644
--- a/net/ipv6/ip6_fib.c
+++ b/net/ipv6/ip6_fib.c
@@ -2377,14 +2377,13 @@ static void *ipv6_route_seq_next(struct seq_file *seq, void *v, loff_t *pos)
struct net *net = seq_file_net(seq);
struct ipv6_route_iter *iter = seq->private;
+ ++(*pos);
if (!v)
goto iter_table;
n = rcu_dereference_bh(((struct fib6_info *)v)->fib6_next);
- if (n) {
- ++*pos;
+ if (n)
return n;
- }
iter_table:
ipv6_route_check_sernum(iter);
@@ -2392,8 +2391,6 @@ iter_table:
r = fib6_walk_continue(&iter->w);
spin_unlock_bh(&iter->tbl->tb6_lock);
if (r > 0) {
- if (v)
- ++*pos;
return iter->w.leaf;
} else if (r < 0) {
fib6_walker_unlink(net, &iter->w);
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 050/245] seqlock: Require WRITE_ONCE surrounding raw_seqcount_barrier
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (48 preceding siblings ...)
2020-09-29 10:58 ` [PATCH 4.19 049/245] ipv6_route_seq_next " Greg Kroah-Hartman
@ 2020-09-29 10:58 ` Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 051/245] media: ti-vpe: cal: Restrict DMA to avoid memory corruption Greg Kroah-Hartman
` (197 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:58 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Marco Elver, Paul E. McKenney, Sasha Levin
From: Marco Elver <elver@google.com>
[ Upstream commit bf07132f96d426bcbf2098227fb680915cf44498 ]
This patch proposes to require marked atomic accesses surrounding
raw_write_seqcount_barrier. We reason that otherwise there is no way to
guarantee propagation nor atomicity of writes before/after the barrier
[1]. For example, consider the compiler tears stores either before or
after the barrier; in this case, readers may observe a partial value,
and because readers are unaware that writes are going on (writes are not
in a seq-writer critical section), will complete the seq-reader critical
section while having observed some partial state.
[1] https://lwn.net/Articles/793253/
This came up when designing and implementing KCSAN, because KCSAN would
flag these accesses as data-races. After careful analysis, our reasoning
as above led us to conclude that the best thing to do is to propose an
amendment to the raw_seqcount_barrier usage.
Signed-off-by: Marco Elver <elver@google.com>
Acked-by: Paul E. McKenney <paulmck@kernel.org>
Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/seqlock.h | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/include/linux/seqlock.h b/include/linux/seqlock.h
index bcf4cf26b8c89..a42a29952889c 100644
--- a/include/linux/seqlock.h
+++ b/include/linux/seqlock.h
@@ -243,6 +243,13 @@ static inline void raw_write_seqcount_end(seqcount_t *s)
* usual consistency guarantee. It is one wmb cheaper, because we can
* collapse the two back-to-back wmb()s.
*
+ * Note that, writes surrounding the barrier should be declared atomic (e.g.
+ * via WRITE_ONCE): a) to ensure the writes become visible to other threads
+ * atomically, avoiding compiler optimizations; b) to document which writes are
+ * meant to propagate to the reader critical section. This is necessary because
+ * neither writes before and after the barrier are enclosed in a seq-writer
+ * critical section that would ensure readers are aware of ongoing writes.
+ *
* seqcount_t seq;
* bool X = true, Y = false;
*
@@ -262,11 +269,11 @@ static inline void raw_write_seqcount_end(seqcount_t *s)
*
* void write(void)
* {
- * Y = true;
+ * WRITE_ONCE(Y, true);
*
* raw_write_seqcount_barrier(seq);
*
- * X = false;
+ * WRITE_ONCE(X, false);
* }
*/
static inline void raw_write_seqcount_barrier(seqcount_t *s)
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 051/245] media: ti-vpe: cal: Restrict DMA to avoid memory corruption
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (49 preceding siblings ...)
2020-09-29 10:58 ` [PATCH 4.19 050/245] seqlock: Require WRITE_ONCE surrounding raw_seqcount_barrier Greg Kroah-Hartman
@ 2020-09-29 10:58 ` Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 052/245] sctp: move trace_sctp_probe_path into sctp_outq_sack Greg Kroah-Hartman
` (196 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:58 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Nikhil Devshatwar, Benoit Parrot,
Hans Verkuil, Mauro Carvalho Chehab, Sasha Levin
From: Nikhil Devshatwar <nikhil.nd@ti.com>
[ Upstream commit 6e72eab2e7b7a157d554b8f9faed7676047be7c1 ]
When setting DMA for video capture from CSI channel, if the DMA size
is not given, it ends up writing as much data as sent by the camera.
This may lead to overwriting the buffers causing memory corruption.
Observed green lines on the default framebuffer.
Restrict the DMA to maximum height as specified in the S_FMT ioctl.
Signed-off-by: Nikhil Devshatwar <nikhil.nd@ti.com>
Signed-off-by: Benoit Parrot <bparrot@ti.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/platform/ti-vpe/cal.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/media/platform/ti-vpe/cal.c b/drivers/media/platform/ti-vpe/cal.c
index be3155275a6ba..d945323fc437d 100644
--- a/drivers/media/platform/ti-vpe/cal.c
+++ b/drivers/media/platform/ti-vpe/cal.c
@@ -684,12 +684,13 @@ static void pix_proc_config(struct cal_ctx *ctx)
}
static void cal_wr_dma_config(struct cal_ctx *ctx,
- unsigned int width)
+ unsigned int width, unsigned int height)
{
u32 val;
val = reg_read(ctx->dev, CAL_WR_DMA_CTRL(ctx->csi2_port));
set_field(&val, ctx->csi2_port, CAL_WR_DMA_CTRL_CPORT_MASK);
+ set_field(&val, height, CAL_WR_DMA_CTRL_YSIZE_MASK);
set_field(&val, CAL_WR_DMA_CTRL_DTAG_PIX_DAT,
CAL_WR_DMA_CTRL_DTAG_MASK);
set_field(&val, CAL_WR_DMA_CTRL_MODE_CONST,
@@ -1315,7 +1316,8 @@ static int cal_start_streaming(struct vb2_queue *vq, unsigned int count)
csi2_lane_config(ctx);
csi2_ctx_config(ctx);
pix_proc_config(ctx);
- cal_wr_dma_config(ctx, ctx->v_fmt.fmt.pix.bytesperline);
+ cal_wr_dma_config(ctx, ctx->v_fmt.fmt.pix.bytesperline,
+ ctx->v_fmt.fmt.pix.height);
cal_wr_dma_addr(ctx, addr);
csi2_ppi_enable(ctx);
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 052/245] sctp: move trace_sctp_probe_path into sctp_outq_sack
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (50 preceding siblings ...)
2020-09-29 10:58 ` [PATCH 4.19 051/245] media: ti-vpe: cal: Restrict DMA to avoid memory corruption Greg Kroah-Hartman
@ 2020-09-29 10:58 ` Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 053/245] ACPI: EC: Reference count query handlers under lock Greg Kroah-Hartman
` (195 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:58 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Kevin Kou, Marcelo Ricardo Leitner,
David S. Miller, Sasha Levin
From: Kevin Kou <qdkevin.kou@gmail.com>
[ Upstream commit f643ee295c1c63bc117fb052d4da681354d6f732 ]
The original patch bringed in the "SCTP ACK tracking trace event"
feature was committed at Dec.20, 2017, it replaced jprobe usage
with trace events, and bringed in two trace events, one is
TRACE_EVENT(sctp_probe), another one is TRACE_EVENT(sctp_probe_path).
The original patch intended to trigger the trace_sctp_probe_path in
TRACE_EVENT(sctp_probe) as below code,
+TRACE_EVENT(sctp_probe,
+
+ TP_PROTO(const struct sctp_endpoint *ep,
+ const struct sctp_association *asoc,
+ struct sctp_chunk *chunk),
+
+ TP_ARGS(ep, asoc, chunk),
+
+ TP_STRUCT__entry(
+ __field(__u64, asoc)
+ __field(__u32, mark)
+ __field(__u16, bind_port)
+ __field(__u16, peer_port)
+ __field(__u32, pathmtu)
+ __field(__u32, rwnd)
+ __field(__u16, unack_data)
+ ),
+
+ TP_fast_assign(
+ struct sk_buff *skb = chunk->skb;
+
+ __entry->asoc = (unsigned long)asoc;
+ __entry->mark = skb->mark;
+ __entry->bind_port = ep->base.bind_addr.port;
+ __entry->peer_port = asoc->peer.port;
+ __entry->pathmtu = asoc->pathmtu;
+ __entry->rwnd = asoc->peer.rwnd;
+ __entry->unack_data = asoc->unack_data;
+
+ if (trace_sctp_probe_path_enabled()) {
+ struct sctp_transport *sp;
+
+ list_for_each_entry(sp, &asoc->peer.transport_addr_list,
+ transports) {
+ trace_sctp_probe_path(sp, asoc);
+ }
+ }
+ ),
But I found it did not work when I did testing, and trace_sctp_probe_path
had no output, I finally found that there is trace buffer lock
operation(trace_event_buffer_reserve) in include/trace/trace_events.h:
static notrace void \
trace_event_raw_event_##call(void *__data, proto) \
{ \
struct trace_event_file *trace_file = __data; \
struct trace_event_data_offsets_##call __maybe_unused __data_offsets;\
struct trace_event_buffer fbuffer; \
struct trace_event_raw_##call *entry; \
int __data_size; \
\
if (trace_trigger_soft_disabled(trace_file)) \
return; \
\
__data_size = trace_event_get_offsets_##call(&__data_offsets, args); \
\
entry = trace_event_buffer_reserve(&fbuffer, trace_file, \
sizeof(*entry) + __data_size); \
\
if (!entry) \
return; \
\
tstruct \
\
{ assign; } \
\
trace_event_buffer_commit(&fbuffer); \
}
The reason caused no output of trace_sctp_probe_path is that
trace_sctp_probe_path written in TP_fast_assign part of
TRACE_EVENT(sctp_probe), and it will be placed( { assign; } ) after the
trace_event_buffer_reserve() when compiler expands Macro,
entry = trace_event_buffer_reserve(&fbuffer, trace_file, \
sizeof(*entry) + __data_size); \
\
if (!entry) \
return; \
\
tstruct \
\
{ assign; } \
so trace_sctp_probe_path finally can not acquire trace_event_buffer
and return no output, that is to say the nest of tracepoint entry function
is not allowed. The function call flow is:
trace_sctp_probe()
-> trace_event_raw_event_sctp_probe()
-> lock buffer
-> trace_sctp_probe_path()
-> trace_event_raw_event_sctp_probe_path() --nested
-> buffer has been locked and return no output.
This patch is to remove trace_sctp_probe_path from the TP_fast_assign
part of TRACE_EVENT(sctp_probe) to avoid the nest of entry function,
and trigger sctp_probe_path_trace in sctp_outq_sack.
After this patch, you can enable both events individually,
# cd /sys/kernel/debug/tracing
# echo 1 > events/sctp/sctp_probe/enable
# echo 1 > events/sctp/sctp_probe_path/enable
Or, you can enable all the events under sctp.
# echo 1 > events/sctp/enable
Signed-off-by: Kevin Kou <qdkevin.kou@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/trace/events/sctp.h | 9 ---------
net/sctp/outqueue.c | 6 ++++++
2 files changed, 6 insertions(+), 9 deletions(-)
diff --git a/include/trace/events/sctp.h b/include/trace/events/sctp.h
index 7475c7be165aa..d4aac34365955 100644
--- a/include/trace/events/sctp.h
+++ b/include/trace/events/sctp.h
@@ -75,15 +75,6 @@ TRACE_EVENT(sctp_probe,
__entry->pathmtu = asoc->pathmtu;
__entry->rwnd = asoc->peer.rwnd;
__entry->unack_data = asoc->unack_data;
-
- if (trace_sctp_probe_path_enabled()) {
- struct sctp_transport *sp;
-
- list_for_each_entry(sp, &asoc->peer.transport_addr_list,
- transports) {
- trace_sctp_probe_path(sp, asoc);
- }
- }
),
TP_printk("asoc=%#llx mark=%#x bind_port=%d peer_port=%d pathmtu=%d "
diff --git a/net/sctp/outqueue.c b/net/sctp/outqueue.c
index 7bb8e5603298d..d6e83a37a1adf 100644
--- a/net/sctp/outqueue.c
+++ b/net/sctp/outqueue.c
@@ -51,6 +51,7 @@
#include <net/sctp/sctp.h>
#include <net/sctp/sm.h>
#include <net/sctp/stream_sched.h>
+#include <trace/events/sctp.h>
/* Declare internal functions here. */
static int sctp_acked(struct sctp_sackhdr *sack, __u32 tsn);
@@ -1257,6 +1258,11 @@ int sctp_outq_sack(struct sctp_outq *q, struct sctp_chunk *chunk)
/* Grab the association's destination address list. */
transport_list = &asoc->peer.transport_addr_list;
+ /* SCTP path tracepoint for congestion control debugging. */
+ list_for_each_entry(transport, transport_list, transports) {
+ trace_sctp_probe_path(transport, asoc);
+ }
+
sack_ctsn = ntohl(sack->cum_tsn_ack);
gap_ack_blocks = ntohs(sack->num_gap_ack_blocks);
asoc->stats.gapcnt += gap_ack_blocks;
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 053/245] ACPI: EC: Reference count query handlers under lock
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (51 preceding siblings ...)
2020-09-29 10:58 ` [PATCH 4.19 052/245] sctp: move trace_sctp_probe_path into sctp_outq_sack Greg Kroah-Hartman
@ 2020-09-29 10:58 ` Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 054/245] scsi: ufs: Make ufshcd_add_command_trace() easier to read Greg Kroah-Hartman
` (194 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:58 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Rafael J. Wysocki, Sasha Levin
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
[ Upstream commit 3df663a147fe077a6ee8444ec626738946e65547 ]
There is a race condition in acpi_ec_get_query_handler()
theoretically allowing query handlers to go away before refernce
counting them.
In order to avoid it, call kref_get() on query handlers under
ec->mutex.
Also simplify the code a bit while at it.
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/ec.c | 16 ++++------------
1 file changed, 4 insertions(+), 12 deletions(-)
diff --git a/drivers/acpi/ec.c b/drivers/acpi/ec.c
index 49e16f0090957..9415a0041aaf7 100644
--- a/drivers/acpi/ec.c
+++ b/drivers/acpi/ec.c
@@ -1080,29 +1080,21 @@ void acpi_ec_dispatch_gpe(void)
/* --------------------------------------------------------------------------
Event Management
-------------------------------------------------------------------------- */
-static struct acpi_ec_query_handler *
-acpi_ec_get_query_handler(struct acpi_ec_query_handler *handler)
-{
- if (handler)
- kref_get(&handler->kref);
- return handler;
-}
-
static struct acpi_ec_query_handler *
acpi_ec_get_query_handler_by_value(struct acpi_ec *ec, u8 value)
{
struct acpi_ec_query_handler *handler;
- bool found = false;
mutex_lock(&ec->mutex);
list_for_each_entry(handler, &ec->list, node) {
if (value == handler->query_bit) {
- found = true;
- break;
+ kref_get(&handler->kref);
+ mutex_unlock(&ec->mutex);
+ return handler;
}
}
mutex_unlock(&ec->mutex);
- return found ? acpi_ec_get_query_handler(handler) : NULL;
+ return NULL;
}
static void acpi_ec_query_handler_release(struct kref *kref)
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 054/245] scsi: ufs: Make ufshcd_add_command_trace() easier to read
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (52 preceding siblings ...)
2020-09-29 10:58 ` [PATCH 4.19 053/245] ACPI: EC: Reference count query handlers under lock Greg Kroah-Hartman
@ 2020-09-29 10:58 ` Greg Kroah-Hartman
2020-09-30 15:39 ` Pavel Machek
2020-09-29 10:58 ` [PATCH 4.19 055/245] scsi: ufs: Fix a race condition in the tracing code Greg Kroah-Hartman
` (193 subsequent siblings)
247 siblings, 1 reply; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:58 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Bean Huo, Can Guo, Avri Altman,
Stanley Chu, Tomas Winkler, Alim Akhtar, Bart Van Assche,
Martin K. Petersen, Sasha Levin
From: Bart Van Assche <bvanassche@acm.org>
[ Upstream commit e4d2add7fd5bc64ee3e388eabe6b9e081cb42e11 ]
Since the lrbp->cmd expression occurs multiple times, introduce a new local
variable to hold that pointer. This patch does not change any
functionality.
Cc: Bean Huo <beanhuo@micron.com>
Cc: Can Guo <cang@codeaurora.org>
Cc: Avri Altman <avri.altman@wdc.com>
Cc: Stanley Chu <stanley.chu@mediatek.com>
Cc: Tomas Winkler <tomas.winkler@intel.com>
Link: https://lore.kernel.org/r/20191224220248.30138-3-bvanassche@acm.org
Reviewed-by: Stanley Chu <stanley.chu@mediatek.com>
Reviewed-by: Can Guo <cang@codeaurora.org>
Reviewed-by: Alim Akhtar <alim.akhtar@samsung.com>
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/ufs/ufshcd.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
index eb10a5cacd90c..faf1959981784 100644
--- a/drivers/scsi/ufs/ufshcd.c
+++ b/drivers/scsi/ufs/ufshcd.c
@@ -353,27 +353,27 @@ static void ufshcd_add_command_trace(struct ufs_hba *hba,
u8 opcode = 0;
u32 intr, doorbell;
struct ufshcd_lrb *lrbp = &hba->lrb[tag];
+ struct scsi_cmnd *cmd = lrbp->cmd;
int transfer_len = -1;
if (!trace_ufshcd_command_enabled()) {
/* trace UPIU W/O tracing command */
- if (lrbp->cmd)
+ if (cmd)
ufshcd_add_cmd_upiu_trace(hba, tag, str);
return;
}
- if (lrbp->cmd) { /* data phase exists */
+ if (cmd) { /* data phase exists */
/* trace UPIU also */
ufshcd_add_cmd_upiu_trace(hba, tag, str);
- opcode = (u8)(*lrbp->cmd->cmnd);
+ opcode = cmd->cmnd[0];
if ((opcode == READ_10) || (opcode == WRITE_10)) {
/*
* Currently we only fully trace read(10) and write(10)
* commands
*/
- if (lrbp->cmd->request && lrbp->cmd->request->bio)
- lba =
- lrbp->cmd->request->bio->bi_iter.bi_sector;
+ if (cmd->request && cmd->request->bio)
+ lba = cmd->request->bio->bi_iter.bi_sector;
transfer_len = be32_to_cpu(
lrbp->ucd_req_ptr->sc.exp_data_transfer_len);
}
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 055/245] scsi: ufs: Fix a race condition in the tracing code
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (53 preceding siblings ...)
2020-09-29 10:58 ` [PATCH 4.19 054/245] scsi: ufs: Make ufshcd_add_command_trace() easier to read Greg Kroah-Hartman
@ 2020-09-29 10:58 ` Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 056/245] dmaengine: zynqmp_dma: fix burst length configuration Greg Kroah-Hartman
` (192 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:58 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Bean Huo, Can Guo, Avri Altman,
Stanley Chu, Tomas Winkler, Alim Akhtar, Bart Van Assche,
Martin K. Petersen, Sasha Levin
From: Bart Van Assche <bvanassche@acm.org>
[ Upstream commit eacf36f5bebde5089dddb3d5bfcbeab530b01f8a ]
Starting execution of a command before tracing a command may cause the
completion handler to free data while it is being traced. Fix this race by
tracing a command before it is submitted.
Cc: Bean Huo <beanhuo@micron.com>
Cc: Can Guo <cang@codeaurora.org>
Cc: Avri Altman <avri.altman@wdc.com>
Cc: Stanley Chu <stanley.chu@mediatek.com>
Cc: Tomas Winkler <tomas.winkler@intel.com>
Link: https://lore.kernel.org/r/20191224220248.30138-5-bvanassche@acm.org
Reviewed-by: Alim Akhtar <alim.akhtar@samsung.com>
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/ufs/ufshcd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
index faf1959981784..b2cbdd01ab10b 100644
--- a/drivers/scsi/ufs/ufshcd.c
+++ b/drivers/scsi/ufs/ufshcd.c
@@ -1910,12 +1910,12 @@ void ufshcd_send_command(struct ufs_hba *hba, unsigned int task_tag)
{
hba->lrb[task_tag].issue_time_stamp = ktime_get();
hba->lrb[task_tag].compl_time_stamp = ktime_set(0, 0);
+ ufshcd_add_command_trace(hba, task_tag, "send");
ufshcd_clk_scaling_start_busy(hba);
__set_bit(task_tag, &hba->outstanding_reqs);
ufshcd_writel(hba, 1 << task_tag, REG_UTP_TRANSFER_REQ_DOOR_BELL);
/* Make sure that doorbell is committed immediately */
wmb();
- ufshcd_add_command_trace(hba, task_tag, "send");
}
/**
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 056/245] dmaengine: zynqmp_dma: fix burst length configuration
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (54 preceding siblings ...)
2020-09-29 10:58 ` [PATCH 4.19 055/245] scsi: ufs: Fix a race condition in the tracing code Greg Kroah-Hartman
@ 2020-09-29 10:58 ` Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 057/245] s390/cpum_sf: Use kzalloc and minor changes Greg Kroah-Hartman
` (191 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:58 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Matthias Fend, Vinod Koul, Sasha Levin
From: Matthias Fend <matthias.fend@wolfvision.net>
[ Upstream commit cc88525ebffc757e00cc5a5d61da6271646c7f5f ]
Since the dma engine expects the burst length register content as
power of 2 value, the burst length needs to be converted first.
Additionally add a burst length range check to avoid corrupting unrelated
register bits.
Signed-off-by: Matthias Fend <matthias.fend@wolfvision.net>
Link: https://lore.kernel.org/r/20200115102249.24398-1-matthias.fend@wolfvision.net
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/dma/xilinx/zynqmp_dma.c | 24 +++++++++++++++---------
1 file changed, 15 insertions(+), 9 deletions(-)
diff --git a/drivers/dma/xilinx/zynqmp_dma.c b/drivers/dma/xilinx/zynqmp_dma.c
index 73de6a6179fcd..e002ff8413e2a 100644
--- a/drivers/dma/xilinx/zynqmp_dma.c
+++ b/drivers/dma/xilinx/zynqmp_dma.c
@@ -127,10 +127,12 @@
/* Max transfer size per descriptor */
#define ZYNQMP_DMA_MAX_TRANS_LEN 0x40000000
+/* Max burst lengths */
+#define ZYNQMP_DMA_MAX_DST_BURST_LEN 32768U
+#define ZYNQMP_DMA_MAX_SRC_BURST_LEN 32768U
+
/* Reset values for data attributes */
#define ZYNQMP_DMA_AXCACHE_VAL 0xF
-#define ZYNQMP_DMA_ARLEN_RST_VAL 0xF
-#define ZYNQMP_DMA_AWLEN_RST_VAL 0xF
#define ZYNQMP_DMA_SRC_ISSUE_RST_VAL 0x1F
@@ -536,17 +538,19 @@ static void zynqmp_dma_handle_ovfl_int(struct zynqmp_dma_chan *chan, u32 status)
static void zynqmp_dma_config(struct zynqmp_dma_chan *chan)
{
- u32 val;
+ u32 val, burst_val;
val = readl(chan->regs + ZYNQMP_DMA_CTRL0);
val |= ZYNQMP_DMA_POINT_TYPE_SG;
writel(val, chan->regs + ZYNQMP_DMA_CTRL0);
val = readl(chan->regs + ZYNQMP_DMA_DATA_ATTR);
+ burst_val = __ilog2_u32(chan->src_burst_len);
val = (val & ~ZYNQMP_DMA_ARLEN) |
- (chan->src_burst_len << ZYNQMP_DMA_ARLEN_OFST);
+ ((burst_val << ZYNQMP_DMA_ARLEN_OFST) & ZYNQMP_DMA_ARLEN);
+ burst_val = __ilog2_u32(chan->dst_burst_len);
val = (val & ~ZYNQMP_DMA_AWLEN) |
- (chan->dst_burst_len << ZYNQMP_DMA_AWLEN_OFST);
+ ((burst_val << ZYNQMP_DMA_AWLEN_OFST) & ZYNQMP_DMA_AWLEN);
writel(val, chan->regs + ZYNQMP_DMA_DATA_ATTR);
}
@@ -562,8 +566,10 @@ static int zynqmp_dma_device_config(struct dma_chan *dchan,
{
struct zynqmp_dma_chan *chan = to_chan(dchan);
- chan->src_burst_len = config->src_maxburst;
- chan->dst_burst_len = config->dst_maxburst;
+ chan->src_burst_len = clamp(config->src_maxburst, 1U,
+ ZYNQMP_DMA_MAX_SRC_BURST_LEN);
+ chan->dst_burst_len = clamp(config->dst_maxburst, 1U,
+ ZYNQMP_DMA_MAX_DST_BURST_LEN);
return 0;
}
@@ -884,8 +890,8 @@ static int zynqmp_dma_chan_probe(struct zynqmp_dma_device *zdev,
return PTR_ERR(chan->regs);
chan->bus_width = ZYNQMP_DMA_BUS_WIDTH_64;
- chan->dst_burst_len = ZYNQMP_DMA_AWLEN_RST_VAL;
- chan->src_burst_len = ZYNQMP_DMA_ARLEN_RST_VAL;
+ chan->dst_burst_len = ZYNQMP_DMA_MAX_DST_BURST_LEN;
+ chan->src_burst_len = ZYNQMP_DMA_MAX_SRC_BURST_LEN;
err = of_property_read_u32(node, "xlnx,bus-width", &chan->bus_width);
if (err < 0) {
dev_err(&pdev->dev, "missing xlnx,bus-width property\n");
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 057/245] s390/cpum_sf: Use kzalloc and minor changes
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (55 preceding siblings ...)
2020-09-29 10:58 ` [PATCH 4.19 056/245] dmaengine: zynqmp_dma: fix burst length configuration Greg Kroah-Hartman
@ 2020-09-29 10:58 ` Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 058/245] powerpc/eeh: Only dump stack once if an MMIO loop is detected Greg Kroah-Hartman
` (190 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:58 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Thomas Richter, Vasily Gorbik, Sasha Levin
From: Thomas Richter <tmricht@linux.ibm.com>
[ Upstream commit 32dab6828c42f087439d3e2617dc7283546bd8f7 ]
Use kzalloc() to allocate auxiliary buffer structure initialized
with all zeroes to avoid random value in trace output.
Avoid double access to SBD hardware flags.
Signed-off-by: Thomas Richter <tmricht@linux.ibm.com>
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/s390/kernel/perf_cpum_sf.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/arch/s390/kernel/perf_cpum_sf.c b/arch/s390/kernel/perf_cpum_sf.c
index 74a296cea21cc..0e6d01225a670 100644
--- a/arch/s390/kernel/perf_cpum_sf.c
+++ b/arch/s390/kernel/perf_cpum_sf.c
@@ -1377,8 +1377,8 @@ static int aux_output_begin(struct perf_output_handle *handle,
idx = aux->empty_mark + 1;
for (i = 0; i < range_scan; i++, idx++) {
te = aux_sdb_trailer(aux, idx);
- te->flags = te->flags & ~SDB_TE_BUFFER_FULL_MASK;
- te->flags = te->flags & ~SDB_TE_ALERT_REQ_MASK;
+ te->flags &= ~(SDB_TE_BUFFER_FULL_MASK |
+ SDB_TE_ALERT_REQ_MASK);
te->overflow = 0;
}
/* Save the position of empty SDBs */
@@ -1425,8 +1425,7 @@ static bool aux_set_alert(struct aux_buffer *aux, unsigned long alert_index,
te = aux_sdb_trailer(aux, alert_index);
do {
orig_flags = te->flags;
- orig_overflow = te->overflow;
- *overflow = orig_overflow;
+ *overflow = orig_overflow = te->overflow;
if (orig_flags & SDB_TE_BUFFER_FULL_MASK) {
/*
* SDB is already set by hardware.
@@ -1660,7 +1659,7 @@ static void *aux_buffer_setup(struct perf_event *event, void **pages,
}
/* Allocate aux_buffer struct for the event */
- aux = kmalloc(sizeof(struct aux_buffer), GFP_KERNEL);
+ aux = kzalloc(sizeof(struct aux_buffer), GFP_KERNEL);
if (!aux)
goto no_aux;
sfb = &aux->sfb;
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 058/245] powerpc/eeh: Only dump stack once if an MMIO loop is detected
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (56 preceding siblings ...)
2020-09-29 10:58 ` [PATCH 4.19 057/245] s390/cpum_sf: Use kzalloc and minor changes Greg Kroah-Hartman
@ 2020-09-29 10:58 ` Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 059/245] Bluetooth: btrtl: Use kvmalloc for FW allocations Greg Kroah-Hartman
` (189 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:58 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Oliver OHalloran, Sam Bobroff,
Michael Ellerman, Sasha Levin
From: Oliver O'Halloran <oohall@gmail.com>
[ Upstream commit 4e0942c0302b5ad76b228b1a7b8c09f658a1d58a ]
Many drivers don't check for errors when they get a 0xFFs response from an
MMIO load. As a result after an EEH event occurs a driver can get stuck in
a polling loop unless it some kind of internal timeout logic.
Currently EEH tries to detect and report stuck drivers by dumping a stack
trace after eeh_dev_check_failure() is called EEH_MAX_FAILS times on an
already frozen PE. The value of EEH_MAX_FAILS was chosen so that a dump
would occur every few seconds if the driver was spinning in a loop. This
results in a lot of spurious stack traces in the kernel log.
Fix this by limiting it to printing one stack trace for each PE freeze. If
the driver is truely stuck the kernel's hung task detector is better suited
to reporting the probelm anyway.
Signed-off-by: Oliver O'Halloran <oohall@gmail.com>
Reviewed-by: Sam Bobroff <sbobroff@linux.ibm.com>
Tested-by: Sam Bobroff <sbobroff@linux.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20191016012536.22588-1-oohall@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/kernel/eeh.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/powerpc/kernel/eeh.c b/arch/powerpc/kernel/eeh.c
index fe3c6f3bd3b62..d123cba0992d0 100644
--- a/arch/powerpc/kernel/eeh.c
+++ b/arch/powerpc/kernel/eeh.c
@@ -502,7 +502,7 @@ int eeh_dev_check_failure(struct eeh_dev *edev)
rc = 1;
if (pe->state & EEH_PE_ISOLATED) {
pe->check_count++;
- if (pe->check_count % EEH_MAX_FAILS == 0) {
+ if (pe->check_count == EEH_MAX_FAILS) {
dn = pci_device_to_OF_node(dev);
if (dn)
location = of_get_property(dn, "ibm,loc-code",
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 059/245] Bluetooth: btrtl: Use kvmalloc for FW allocations
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (57 preceding siblings ...)
2020-09-29 10:58 ` [PATCH 4.19 058/245] powerpc/eeh: Only dump stack once if an MMIO loop is detected Greg Kroah-Hartman
@ 2020-09-29 10:58 ` Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 060/245] tracing: Set kernel_stacks caller size properly Greg Kroah-Hartman
` (188 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:58 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Maxim Mikityanskiy, Marcel Holtmann,
Sasha Levin
From: Maxim Mikityanskiy <maxtram95@gmail.com>
[ Upstream commit 268d3636dfb22254324774de1f8875174b3be064 ]
Currently, kmemdup is applied to the firmware data, and it invokes
kmalloc under the hood. The firmware size and patch_length are big (more
than PAGE_SIZE), and on some low-end systems (like ASUS E202SA) kmalloc
may fail to allocate a contiguous chunk under high memory usage and
fragmentation:
Bluetooth: hci0: RTL: examining hci_ver=06 hci_rev=000a lmp_ver=06 lmp_subver=8821
Bluetooth: hci0: RTL: rom_version status=0 version=1
Bluetooth: hci0: RTL: loading rtl_bt/rtl8821a_fw.bin
kworker/u9:2: page allocation failure: order:4, mode:0x40cc0(GFP_KERNEL|__GFP_COMP), nodemask=(null),cpuset=/,mems_allowed=0
<stack trace follows>
As firmware load happens on each resume, Bluetooth will stop working
after several iterations, when the kernel fails to allocate an order-4
page.
This patch replaces kmemdup with kvmalloc+memcpy. It's not required to
have a contiguous chunk here, because it's not mapped to the device
directly.
Signed-off-by: Maxim Mikityanskiy <maxtram95@gmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bluetooth/btrtl.c | 20 +++++++++++---------
1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/drivers/bluetooth/btrtl.c b/drivers/bluetooth/btrtl.c
index 8d1cd2479e36f..cc51395d8b0e5 100644
--- a/drivers/bluetooth/btrtl.c
+++ b/drivers/bluetooth/btrtl.c
@@ -343,11 +343,11 @@ static int rtlbt_parse_firmware(struct hci_dev *hdev,
* the end.
*/
len = patch_length;
- buf = kmemdup(btrtl_dev->fw_data + patch_offset, patch_length,
- GFP_KERNEL);
+ buf = kvmalloc(patch_length, GFP_KERNEL);
if (!buf)
return -ENOMEM;
+ memcpy(buf, btrtl_dev->fw_data + patch_offset, patch_length - 4);
memcpy(buf + patch_length - 4, &epatch_info->fw_version, 4);
*_buf = buf;
@@ -415,8 +415,10 @@ static int rtl_load_file(struct hci_dev *hdev, const char *name, u8 **buff)
if (ret < 0)
return ret;
ret = fw->size;
- *buff = kmemdup(fw->data, ret, GFP_KERNEL);
- if (!*buff)
+ *buff = kvmalloc(fw->size, GFP_KERNEL);
+ if (*buff)
+ memcpy(*buff, fw->data, ret);
+ else
ret = -ENOMEM;
release_firmware(fw);
@@ -454,14 +456,14 @@ static int btrtl_setup_rtl8723b(struct hci_dev *hdev,
goto out;
if (btrtl_dev->cfg_len > 0) {
- tbuff = kzalloc(ret + btrtl_dev->cfg_len, GFP_KERNEL);
+ tbuff = kvzalloc(ret + btrtl_dev->cfg_len, GFP_KERNEL);
if (!tbuff) {
ret = -ENOMEM;
goto out;
}
memcpy(tbuff, fw_data, ret);
- kfree(fw_data);
+ kvfree(fw_data);
memcpy(tbuff + ret, btrtl_dev->cfg_data, btrtl_dev->cfg_len);
ret += btrtl_dev->cfg_len;
@@ -474,7 +476,7 @@ static int btrtl_setup_rtl8723b(struct hci_dev *hdev,
ret = rtl_download_firmware(hdev, fw_data, ret);
out:
- kfree(fw_data);
+ kvfree(fw_data);
return ret;
}
@@ -501,8 +503,8 @@ static struct sk_buff *btrtl_read_local_version(struct hci_dev *hdev)
void btrtl_free(struct btrtl_device_info *btrtl_dev)
{
- kfree(btrtl_dev->fw_data);
- kfree(btrtl_dev->cfg_data);
+ kvfree(btrtl_dev->fw_data);
+ kvfree(btrtl_dev->cfg_data);
kfree(btrtl_dev);
}
EXPORT_SYMBOL_GPL(btrtl_free);
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 060/245] tracing: Set kernel_stacks caller size properly
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (58 preceding siblings ...)
2020-09-29 10:58 ` [PATCH 4.19 059/245] Bluetooth: btrtl: Use kvmalloc for FW allocations Greg Kroah-Hartman
@ 2020-09-29 10:58 ` Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 061/245] ARM: 8948/1: Prevent OOB access in stacktrace Greg Kroah-Hartman
` (187 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:58 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Josef Bacik, Steven Rostedt (VMware),
Sasha Levin
From: Josef Bacik <jbacik@fb.com>
[ Upstream commit cbc3b92ce037f5e7536f6db157d185cd8b8f615c ]
I noticed when trying to use the trace-cmd python interface that reading the raw
buffer wasn't working for kernel_stack events. This is because it uses a
stubbed version of __dynamic_array that doesn't do the __data_loc trick and
encode the length of the array into the field. Instead it just shows up as a
size of 0. So change this to __array and set the len to FTRACE_STACK_ENTRIES
since this is what we actually do in practice and matches how user_stack_trace
works.
Link: http://lkml.kernel.org/r/1411589652-1318-1-git-send-email-jbacik@fb.com
Signed-off-by: Josef Bacik <jbacik@fb.com>
[ Pulled from the archeological digging of my INBOX ]
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/trace/trace_entries.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/trace/trace_entries.h b/kernel/trace/trace_entries.h
index 06bb2fd9a56c5..a97aad105d367 100644
--- a/kernel/trace/trace_entries.h
+++ b/kernel/trace/trace_entries.h
@@ -179,7 +179,7 @@ FTRACE_ENTRY(kernel_stack, stack_entry,
F_STRUCT(
__field( int, size )
- __dynamic_array(unsigned long, caller )
+ __array( unsigned long, caller, FTRACE_STACK_ENTRIES )
),
F_printk("\t=> (" IP_FMT ")\n\t=> (" IP_FMT ")\n\t=> (" IP_FMT ")\n"
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 061/245] ARM: 8948/1: Prevent OOB access in stacktrace
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (59 preceding siblings ...)
2020-09-29 10:58 ` [PATCH 4.19 060/245] tracing: Set kernel_stacks caller size properly Greg Kroah-Hartman
@ 2020-09-29 10:58 ` Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 062/245] ar5523: Add USB ID of SMCWUSBT-G2 wireless adapter Greg Kroah-Hartman
` (186 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:58 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Vincent Whitchurch, Russell King,
Sasha Levin
From: Vincent Whitchurch <vincent.whitchurch@axis.com>
[ Upstream commit 40ff1ddb5570284e039e0ff14d7a859a73dc3673 ]
The stacktrace code can read beyond the stack size, when it attempts to
read pt_regs from exception frames.
This can happen on normal, non-corrupt stacks. Since the unwind
information in the extable is not correct for function prologues, the
unwinding code can return data from the stack which is not actually the
caller function address, and if in_entry_text() happens to succeed on
this value, we can end up reading data from outside the task's stack
when attempting to read pt_regs, since there is no bounds check.
Example:
[<8010e729>] (unwind_backtrace) from [<8010a9c9>] (show_stack+0x11/0x14)
[<8010a9c9>] (show_stack) from [<8057d8d7>] (dump_stack+0x87/0xac)
[<8057d8d7>] (dump_stack) from [<8012271d>] (tasklet_action_common.constprop.4+0xa5/0xa8)
[<8012271d>] (tasklet_action_common.constprop.4) from [<80102333>] (__do_softirq+0x11b/0x31c)
[<80102333>] (__do_softirq) from [<80122485>] (irq_exit+0xad/0xd8)
[<80122485>] (irq_exit) from [<8015f3d7>] (__handle_domain_irq+0x47/0x84)
[<8015f3d7>] (__handle_domain_irq) from [<8036a523>] (gic_handle_irq+0x43/0x78)
[<8036a523>] (gic_handle_irq) from [<80101a49>] (__irq_svc+0x69/0xb4)
Exception stack(0xeb491f58 to 0xeb491fa0)
1f40: 7eb14794 00000000
1f60: ffffffff 008dd32c 008dd324 ffffffff 008dd314 0000002a 801011e4 eb490000
1f80: 0000002a 7eb1478c 50c5387d eb491fa8 80101001 8023d09c 40080033 ffffffff
[<80101a49>] (__irq_svc) from [<8023d09c>] (do_pipe2+0x0/0xac)
[<8023d09c>] (do_pipe2) from [<ffffffff>] (0xffffffff)
Exception stack(0xeb491fc8 to 0xeb492010)
1fc0: 008dd314 0000002a 00511ad8 008de4c8 7eb14790 7eb1478c
1fe0: 00511e34 7eb14774 004c8557 76f44098 60080030 7eb14794 00000000 00000000
2000: 00000001 00000000 ea846c00 ea847cc0
In this example, the stack limit is 0xeb492000, but 16 bytes outside the
stack have been read.
Fix it by adding bounds checks.
Signed-off-by: Vincent Whitchurch <vincent.whitchurch@axis.com>
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/kernel/stacktrace.c | 2 ++
arch/arm/kernel/traps.c | 6 ++++--
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/arch/arm/kernel/stacktrace.c b/arch/arm/kernel/stacktrace.c
index a4d4a28fe07df..d23ab9ec130a3 100644
--- a/arch/arm/kernel/stacktrace.c
+++ b/arch/arm/kernel/stacktrace.c
@@ -115,6 +115,8 @@ static int save_trace(struct stackframe *frame, void *d)
return 0;
regs = (struct pt_regs *)frame->sp;
+ if ((unsigned long)®s[1] > ALIGN(frame->sp, THREAD_SIZE))
+ return 0;
trace->entries[trace->nr_entries++] = regs->ARM_pc;
diff --git a/arch/arm/kernel/traps.c b/arch/arm/kernel/traps.c
index badf02ca36938..aec533168f046 100644
--- a/arch/arm/kernel/traps.c
+++ b/arch/arm/kernel/traps.c
@@ -67,14 +67,16 @@ static void dump_mem(const char *, const char *, unsigned long, unsigned long);
void dump_backtrace_entry(unsigned long where, unsigned long from, unsigned long frame)
{
+ unsigned long end = frame + 4 + sizeof(struct pt_regs);
+
#ifdef CONFIG_KALLSYMS
printk("[<%08lx>] (%ps) from [<%08lx>] (%pS)\n", where, (void *)where, from, (void *)from);
#else
printk("Function entered at [<%08lx>] from [<%08lx>]\n", where, from);
#endif
- if (in_entry_text(from))
- dump_mem("", "Exception stack", frame + 4, frame + 4 + sizeof(struct pt_regs));
+ if (in_entry_text(from) && end <= ALIGN(frame, THREAD_SIZE))
+ dump_mem("", "Exception stack", frame + 4, end);
}
void dump_backtrace_stm(u32 *stack, u32 instruction)
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 062/245] ar5523: Add USB ID of SMCWUSBT-G2 wireless adapter
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (60 preceding siblings ...)
2020-09-29 10:58 ` [PATCH 4.19 061/245] ARM: 8948/1: Prevent OOB access in stacktrace Greg Kroah-Hartman
@ 2020-09-29 10:58 ` Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 063/245] ceph: ensure we have a new cap before continuing in fill_inode Greg Kroah-Hartman
` (185 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:58 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Mert Dirik, Kalle Valo, Sasha Levin
From: Mert Dirik <mertdirik@gmail.com>
[ Upstream commit 5b362498a79631f283578b64bf6f4d15ed4cc19a ]
Add the required USB ID for running SMCWUSBT-G2 wireless adapter (SMC
"EZ Connect g").
This device uses ar5523 chipset and requires firmware to be loaded. Even
though pid of the device is 4507, this patch adds it as 4506 so that
AR5523_DEVICE_UG macro can set the AR5523_FLAG_PRE_FIRMWARE flag for pid
4507.
Signed-off-by: Mert Dirik <mertdirik@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ar5523/ar5523.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/wireless/ath/ar5523/ar5523.c b/drivers/net/wireless/ath/ar5523/ar5523.c
index da2d179430ca5..4c57e79e5779a 100644
--- a/drivers/net/wireless/ath/ar5523/ar5523.c
+++ b/drivers/net/wireless/ath/ar5523/ar5523.c
@@ -1770,6 +1770,8 @@ static const struct usb_device_id ar5523_id_table[] = {
AR5523_DEVICE_UX(0x0846, 0x4300), /* Netgear / WG111U */
AR5523_DEVICE_UG(0x0846, 0x4250), /* Netgear / WG111T */
AR5523_DEVICE_UG(0x0846, 0x5f00), /* Netgear / WPN111 */
+ AR5523_DEVICE_UG(0x083a, 0x4506), /* SMC / EZ Connect
+ SMCWUSBT-G2 */
AR5523_DEVICE_UG(0x157e, 0x3006), /* Umedia / AR5523_1 */
AR5523_DEVICE_UX(0x157e, 0x3205), /* Umedia / AR5523_2 */
AR5523_DEVICE_UG(0x157e, 0x3006), /* Umedia / TEW444UBEU */
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 063/245] ceph: ensure we have a new cap before continuing in fill_inode
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (61 preceding siblings ...)
2020-09-29 10:58 ` [PATCH 4.19 062/245] ar5523: Add USB ID of SMCWUSBT-G2 wireless adapter Greg Kroah-Hartman
@ 2020-09-29 10:58 ` Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 064/245] selftests/ftrace: fix glob selftest Greg Kroah-Hartman
` (184 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:58 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Jeff Layton, Ilya Dryomov, Sasha Levin
From: Jeff Layton <jlayton@kernel.org>
[ Upstream commit 9a6bed4fe0c8bf57785cbc4db9f86086cb9b193d ]
If the caller passes in a NULL cap_reservation, and we can't allocate
one then ensure that we fail gracefully.
Signed-off-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ceph/inode.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/fs/ceph/inode.c b/fs/ceph/inode.c
index 1e438e0faf77e..3c24fb77ef325 100644
--- a/fs/ceph/inode.c
+++ b/fs/ceph/inode.c
@@ -764,8 +764,11 @@ static int fill_inode(struct inode *inode, struct page *locked_page,
info_caps = le32_to_cpu(info->cap.caps);
/* prealloc new cap struct */
- if (info_caps && ceph_snap(inode) == CEPH_NOSNAP)
+ if (info_caps && ceph_snap(inode) == CEPH_NOSNAP) {
new_cap = ceph_get_cap(mdsc, caps_reservation);
+ if (!new_cap)
+ return -ENOMEM;
+ }
/*
* prealloc xattr data, if it looks like we'll need it. only
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 064/245] selftests/ftrace: fix glob selftest
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (62 preceding siblings ...)
2020-09-29 10:58 ` [PATCH 4.19 063/245] ceph: ensure we have a new cap before continuing in fill_inode Greg Kroah-Hartman
@ 2020-09-29 10:58 ` Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 065/245] tools/power/x86/intel_pstate_tracer: changes for python 3 compatibility Greg Kroah-Hartman
` (183 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:58 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Steven Rostedt (VMware),
Sven Schnelle, Shuah Khan, Sasha Levin
From: Sven Schnelle <svens@linux.ibm.com>
[ Upstream commit af4ddd607dff7aabd466a4a878e01b9f592a75ab ]
test.d/ftrace/func-filter-glob.tc is failing on s390 because it has
ARCH_INLINE_SPIN_LOCK and friends set to 'y'. So the usual
__raw_spin_lock symbol isn't in the ftrace function list. Change
'*aw*lock' to '*spin*lock' which would hopefully match some of the
locking functions on all platforms.
Reviewed-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Sven Schnelle <svens@linux.ibm.com>
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../testing/selftests/ftrace/test.d/ftrace/func-filter-glob.tc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/testing/selftests/ftrace/test.d/ftrace/func-filter-glob.tc b/tools/testing/selftests/ftrace/test.d/ftrace/func-filter-glob.tc
index 27a54a17da65d..f4e92afab14b2 100644
--- a/tools/testing/selftests/ftrace/test.d/ftrace/func-filter-glob.tc
+++ b/tools/testing/selftests/ftrace/test.d/ftrace/func-filter-glob.tc
@@ -30,7 +30,7 @@ ftrace_filter_check '*schedule*' '^.*schedule.*$'
ftrace_filter_check 'schedule*' '^schedule.*$'
# filter by *mid*end
-ftrace_filter_check '*aw*lock' '.*aw.*lock$'
+ftrace_filter_check '*pin*lock' '.*pin.*lock$'
# filter by start*mid*
ftrace_filter_check 'mutex*try*' '^mutex.*try.*'
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 065/245] tools/power/x86/intel_pstate_tracer: changes for python 3 compatibility
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (63 preceding siblings ...)
2020-09-29 10:58 ` [PATCH 4.19 064/245] selftests/ftrace: fix glob selftest Greg Kroah-Hartman
@ 2020-09-29 10:58 ` Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 066/245] Bluetooth: Fix refcount use-after-free issue Greg Kroah-Hartman
` (182 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:58 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Doug Smythies, Rafael J. Wysocki,
Sasha Levin
From: Doug Smythies <doug.smythies@gmail.com>
[ Upstream commit e749e09db30c38f1a275945814b0109e530a07b0 ]
Some syntax needs to be more rigorous for python 3.
Backwards compatibility tested with python 2.7
Signed-off-by: Doug Smythies <dsmythies@telus.net>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../intel_pstate_tracer.py | 22 +++++++++----------
1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/tools/power/x86/intel_pstate_tracer/intel_pstate_tracer.py b/tools/power/x86/intel_pstate_tracer/intel_pstate_tracer.py
index 2fa3c5757bcb5..dbed3d213bf17 100755
--- a/tools/power/x86/intel_pstate_tracer/intel_pstate_tracer.py
+++ b/tools/power/x86/intel_pstate_tracer/intel_pstate_tracer.py
@@ -10,11 +10,11 @@ then this utility enables and collects trace data for a user specified interval
and generates performance plots.
Prerequisites:
- Python version 2.7.x
+ Python version 2.7.x or higher
gnuplot 5.0 or higher
- gnuplot-py 1.8
+ gnuplot-py 1.8 or higher
(Most of the distributions have these required packages. They may be called
- gnuplot-py, phython-gnuplot. )
+ gnuplot-py, phython-gnuplot or phython3-gnuplot, gnuplot-nox, ... )
HWP (Hardware P-States are disabled)
Kernel config for Linux trace is enabled
@@ -180,7 +180,7 @@ def plot_pstate_cpu_with_sample():
g_plot('set xlabel "Samples"')
g_plot('set ylabel "P-State"')
g_plot('set title "{} : cpu pstate vs. sample : {:%F %H:%M}"'.format(testname, datetime.now()))
- title_list = subprocess.check_output('ls cpu???.csv | sed -e \'s/.csv//\'',shell=True).replace('\n', ' ')
+ title_list = subprocess.check_output('ls cpu???.csv | sed -e \'s/.csv//\'',shell=True).decode('utf-8').replace('\n', ' ')
plot_str = "plot for [i in title_list] i.'.csv' using {:d}:{:d} pt 7 ps 1 title i".format(C_SAMPLE, C_TO)
g_plot('title_list = "{}"'.format(title_list))
g_plot(plot_str)
@@ -197,7 +197,7 @@ def plot_pstate_cpu():
# the following command is really cool, but doesn't work with the CPU masking option because it aborts on the first missing file.
# plot_str = 'plot for [i=0:*] file=sprintf("cpu%03d.csv",i) title_s=sprintf("cpu%03d",i) file using 16:7 pt 7 ps 1 title title_s'
#
- title_list = subprocess.check_output('ls cpu???.csv | sed -e \'s/.csv//\'',shell=True).replace('\n', ' ')
+ title_list = subprocess.check_output('ls cpu???.csv | sed -e \'s/.csv//\'',shell=True).decode('utf-8').replace('\n', ' ')
plot_str = "plot for [i in title_list] i.'.csv' using {:d}:{:d} pt 7 ps 1 title i".format(C_ELAPSED, C_TO)
g_plot('title_list = "{}"'.format(title_list))
g_plot(plot_str)
@@ -211,7 +211,7 @@ def plot_load_cpu():
g_plot('set ylabel "CPU load (percent)"')
g_plot('set title "{} : cpu loads : {:%F %H:%M}"'.format(testname, datetime.now()))
- title_list = subprocess.check_output('ls cpu???.csv | sed -e \'s/.csv//\'',shell=True).replace('\n', ' ')
+ title_list = subprocess.check_output('ls cpu???.csv | sed -e \'s/.csv//\'',shell=True).decode('utf-8').replace('\n', ' ')
plot_str = "plot for [i in title_list] i.'.csv' using {:d}:{:d} pt 7 ps 1 title i".format(C_ELAPSED, C_LOAD)
g_plot('title_list = "{}"'.format(title_list))
g_plot(plot_str)
@@ -225,7 +225,7 @@ def plot_frequency_cpu():
g_plot('set ylabel "CPU Frequency (GHz)"')
g_plot('set title "{} : cpu frequencies : {:%F %H:%M}"'.format(testname, datetime.now()))
- title_list = subprocess.check_output('ls cpu???.csv | sed -e \'s/.csv//\'',shell=True).replace('\n', ' ')
+ title_list = subprocess.check_output('ls cpu???.csv | sed -e \'s/.csv//\'',shell=True).decode('utf-8').replace('\n', ' ')
plot_str = "plot for [i in title_list] i.'.csv' using {:d}:{:d} pt 7 ps 1 title i".format(C_ELAPSED, C_FREQ)
g_plot('title_list = "{}"'.format(title_list))
g_plot(plot_str)
@@ -240,7 +240,7 @@ def plot_duration_cpu():
g_plot('set ylabel "Timer Duration (MilliSeconds)"')
g_plot('set title "{} : cpu durations : {:%F %H:%M}"'.format(testname, datetime.now()))
- title_list = subprocess.check_output('ls cpu???.csv | sed -e \'s/.csv//\'',shell=True).replace('\n', ' ')
+ title_list = subprocess.check_output('ls cpu???.csv | sed -e \'s/.csv//\'',shell=True).decode('utf-8').replace('\n', ' ')
plot_str = "plot for [i in title_list] i.'.csv' using {:d}:{:d} pt 7 ps 1 title i".format(C_ELAPSED, C_DURATION)
g_plot('title_list = "{}"'.format(title_list))
g_plot(plot_str)
@@ -254,7 +254,7 @@ def plot_scaled_cpu():
g_plot('set ylabel "Scaled Busy (Unitless)"')
g_plot('set title "{} : cpu scaled busy : {:%F %H:%M}"'.format(testname, datetime.now()))
- title_list = subprocess.check_output('ls cpu???.csv | sed -e \'s/.csv//\'',shell=True).replace('\n', ' ')
+ title_list = subprocess.check_output('ls cpu???.csv | sed -e \'s/.csv//\'',shell=True).decode('utf-8').replace('\n', ' ')
plot_str = "plot for [i in title_list] i.'.csv' using {:d}:{:d} pt 7 ps 1 title i".format(C_ELAPSED, C_SCALED)
g_plot('title_list = "{}"'.format(title_list))
g_plot(plot_str)
@@ -268,7 +268,7 @@ def plot_boost_cpu():
g_plot('set ylabel "CPU IO Boost (percent)"')
g_plot('set title "{} : cpu io boost : {:%F %H:%M}"'.format(testname, datetime.now()))
- title_list = subprocess.check_output('ls cpu???.csv | sed -e \'s/.csv//\'',shell=True).replace('\n', ' ')
+ title_list = subprocess.check_output('ls cpu???.csv | sed -e \'s/.csv//\'',shell=True).decode('utf-8').replace('\n', ' ')
plot_str = "plot for [i in title_list] i.'.csv' using {:d}:{:d} pt 7 ps 1 title i".format(C_ELAPSED, C_BOOST)
g_plot('title_list = "{}"'.format(title_list))
g_plot(plot_str)
@@ -282,7 +282,7 @@ def plot_ghz_cpu():
g_plot('set ylabel "TSC Frequency (GHz)"')
g_plot('set title "{} : cpu TSC Frequencies (Sanity check calculation) : {:%F %H:%M}"'.format(testname, datetime.now()))
- title_list = subprocess.check_output('ls cpu???.csv | sed -e \'s/.csv//\'',shell=True).replace('\n', ' ')
+ title_list = subprocess.check_output('ls cpu???.csv | sed -e \'s/.csv//\'',shell=True).decode('utf-8').replace('\n', ' ')
plot_str = "plot for [i in title_list] i.'.csv' using {:d}:{:d} pt 7 ps 1 title i".format(C_ELAPSED, C_GHZ)
g_plot('title_list = "{}"'.format(title_list))
g_plot(plot_str)
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 066/245] Bluetooth: Fix refcount use-after-free issue
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (64 preceding siblings ...)
2020-09-29 10:58 ` [PATCH 4.19 065/245] tools/power/x86/intel_pstate_tracer: changes for python 3 compatibility Greg Kroah-Hartman
@ 2020-09-29 10:58 ` Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 067/245] mm/swapfile.c: swap_next should increase position index Greg Kroah-Hartman
` (181 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:58 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Manish Mandlik, Marcel Holtmann, Sasha Levin
From: Manish Mandlik <mmandlik@google.com>
[ Upstream commit 6c08fc896b60893c5d673764b0668015d76df462 ]
There is no lock preventing both l2cap_sock_release() and
chan->ops->close() from running at the same time.
If we consider Thread A running l2cap_chan_timeout() and Thread B running
l2cap_sock_release(), expected behavior is:
A::l2cap_chan_timeout()->l2cap_chan_close()->l2cap_sock_teardown_cb()
A::l2cap_chan_timeout()->l2cap_sock_close_cb()->l2cap_sock_kill()
B::l2cap_sock_release()->sock_orphan()
B::l2cap_sock_release()->l2cap_sock_kill()
where,
sock_orphan() clears "sk->sk_socket" and l2cap_sock_teardown_cb() marks
socket as SOCK_ZAPPED.
In l2cap_sock_kill(), there is an "if-statement" that checks if both
sock_orphan() and sock_teardown() has been run i.e. sk->sk_socket is NULL
and socket is marked as SOCK_ZAPPED. Socket is killed if the condition is
satisfied.
In the race condition, following occurs:
A::l2cap_chan_timeout()->l2cap_chan_close()->l2cap_sock_teardown_cb()
B::l2cap_sock_release()->sock_orphan()
B::l2cap_sock_release()->l2cap_sock_kill()
A::l2cap_chan_timeout()->l2cap_sock_close_cb()->l2cap_sock_kill()
In this scenario, "if-statement" is true in both B::l2cap_sock_kill() and
A::l2cap_sock_kill() and we hit "refcount: underflow; use-after-free" bug.
Similar condition occurs at other places where teardown/sock_kill is
happening:
l2cap_disconnect_rsp()->l2cap_chan_del()->l2cap_sock_teardown_cb()
l2cap_disconnect_rsp()->l2cap_sock_close_cb()->l2cap_sock_kill()
l2cap_conn_del()->l2cap_chan_del()->l2cap_sock_teardown_cb()
l2cap_conn_del()->l2cap_sock_close_cb()->l2cap_sock_kill()
l2cap_disconnect_req()->l2cap_chan_del()->l2cap_sock_teardown_cb()
l2cap_disconnect_req()->l2cap_sock_close_cb()->l2cap_sock_kill()
l2cap_sock_cleanup_listen()->l2cap_chan_close()->l2cap_sock_teardown_cb()
l2cap_sock_cleanup_listen()->l2cap_sock_kill()
Protect teardown/sock_kill and orphan/sock_kill by adding hold_lock on
l2cap channel to ensure that the socket is killed only after marked as
zapped and orphan.
Signed-off-by: Manish Mandlik <mmandlik@google.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/l2cap_core.c | 26 +++++++++++++++-----------
net/bluetooth/l2cap_sock.c | 16 +++++++++++++---
2 files changed, 28 insertions(+), 14 deletions(-)
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 0d84d1f820d4c..b1f51cb007ea6 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -414,6 +414,9 @@ static void l2cap_chan_timeout(struct work_struct *work)
BT_DBG("chan %p state %s", chan, state_to_string(chan->state));
mutex_lock(&conn->chan_lock);
+ /* __set_chan_timer() calls l2cap_chan_hold(chan) while scheduling
+ * this work. No need to call l2cap_chan_hold(chan) here again.
+ */
l2cap_chan_lock(chan);
if (chan->state == BT_CONNECTED || chan->state == BT_CONFIG)
@@ -426,12 +429,12 @@ static void l2cap_chan_timeout(struct work_struct *work)
l2cap_chan_close(chan, reason);
- l2cap_chan_unlock(chan);
-
chan->ops->close(chan);
- mutex_unlock(&conn->chan_lock);
+ l2cap_chan_unlock(chan);
l2cap_chan_put(chan);
+
+ mutex_unlock(&conn->chan_lock);
}
struct l2cap_chan *l2cap_chan_create(void)
@@ -1725,9 +1728,9 @@ static void l2cap_conn_del(struct hci_conn *hcon, int err)
l2cap_chan_del(chan, err);
- l2cap_chan_unlock(chan);
-
chan->ops->close(chan);
+
+ l2cap_chan_unlock(chan);
l2cap_chan_put(chan);
}
@@ -4337,6 +4340,7 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
return 0;
}
+ l2cap_chan_hold(chan);
l2cap_chan_lock(chan);
rsp.dcid = cpu_to_le16(chan->scid);
@@ -4345,12 +4349,11 @@ static inline int l2cap_disconnect_req(struct l2cap_conn *conn,
chan->ops->set_shutdown(chan);
- l2cap_chan_hold(chan);
l2cap_chan_del(chan, ECONNRESET);
- l2cap_chan_unlock(chan);
-
chan->ops->close(chan);
+
+ l2cap_chan_unlock(chan);
l2cap_chan_put(chan);
mutex_unlock(&conn->chan_lock);
@@ -4382,20 +4385,21 @@ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
return 0;
}
+ l2cap_chan_hold(chan);
l2cap_chan_lock(chan);
if (chan->state != BT_DISCONN) {
l2cap_chan_unlock(chan);
+ l2cap_chan_put(chan);
mutex_unlock(&conn->chan_lock);
return 0;
}
- l2cap_chan_hold(chan);
l2cap_chan_del(chan, 0);
- l2cap_chan_unlock(chan);
-
chan->ops->close(chan);
+
+ l2cap_chan_unlock(chan);
l2cap_chan_put(chan);
mutex_unlock(&conn->chan_lock);
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index a3a2cd55e23a9..d128750e47305 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -1039,7 +1039,7 @@ done:
}
/* Kill socket (only if zapped and orphan)
- * Must be called on unlocked socket.
+ * Must be called on unlocked socket, with l2cap channel lock.
*/
static void l2cap_sock_kill(struct sock *sk)
{
@@ -1200,8 +1200,15 @@ static int l2cap_sock_release(struct socket *sock)
err = l2cap_sock_shutdown(sock, 2);
+ l2cap_chan_hold(l2cap_pi(sk)->chan);
+ l2cap_chan_lock(l2cap_pi(sk)->chan);
+
sock_orphan(sk);
l2cap_sock_kill(sk);
+
+ l2cap_chan_unlock(l2cap_pi(sk)->chan);
+ l2cap_chan_put(l2cap_pi(sk)->chan);
+
return err;
}
@@ -1219,12 +1226,15 @@ static void l2cap_sock_cleanup_listen(struct sock *parent)
BT_DBG("child chan %p state %s", chan,
state_to_string(chan->state));
+ l2cap_chan_hold(chan);
l2cap_chan_lock(chan);
+
__clear_chan_timer(chan);
l2cap_chan_close(chan, ECONNRESET);
- l2cap_chan_unlock(chan);
-
l2cap_sock_kill(sk);
+
+ l2cap_chan_unlock(chan);
+ l2cap_chan_put(chan);
}
}
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 067/245] mm/swapfile.c: swap_next should increase position index
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (65 preceding siblings ...)
2020-09-29 10:58 ` [PATCH 4.19 066/245] Bluetooth: Fix refcount use-after-free issue Greg Kroah-Hartman
@ 2020-09-29 10:58 ` Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 068/245] mm: pagewalk: fix termination condition in walk_pte_range() Greg Kroah-Hartman
` (180 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:58 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Vasily Averin, Andrew Morton,
Jann Horn, Alexander Viro, Kees Cook, Hugh Dickins,
Linus Torvalds, Sasha Levin
From: Vasily Averin <vvs@virtuozzo.com>
[ Upstream commit 10c8d69f314d557d94d74ec492575ae6a4f1eb1c ]
If seq_file .next fuction does not change position index, read after
some lseek can generate unexpected output.
In Aug 2018 NeilBrown noticed commit 1f4aace60b0e ("fs/seq_file.c:
simplify seq_file iteration code and interface") "Some ->next functions
do not increment *pos when they return NULL... Note that such ->next
functions are buggy and should be fixed. A simple demonstration is
dd if=/proc/swaps bs=1000 skip=1
Choose any block size larger than the size of /proc/swaps. This will
always show the whole last line of /proc/swaps"
Described problem is still actual. If you make lseek into middle of
last output line following read will output end of last line and whole
last line once again.
$ dd if=/proc/swaps bs=1 # usual output
Filename Type Size Used Priority
/dev/dm-0 partition 4194812 97536 -2
104+0 records in
104+0 records out
104 bytes copied
$ dd if=/proc/swaps bs=40 skip=1 # last line was generated twice
dd: /proc/swaps: cannot skip to specified offset
v/dm-0 partition 4194812 97536 -2
/dev/dm-0 partition 4194812 97536 -2
3+1 records in
3+1 records out
131 bytes copied
https://bugzilla.kernel.org/show_bug.cgi?id=206283
Link: http://lkml.kernel.org/r/bd8cfd7b-ac95-9b91-f9e7-e8438bd5047d@virtuozzo.com
Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Jann Horn <jannh@google.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Kees Cook <keescook@chromium.org>
Cc: Hugh Dickins <hughd@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
mm/swapfile.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mm/swapfile.c b/mm/swapfile.c
index 0047dcaf93697..c3684cfa9534e 100644
--- a/mm/swapfile.c
+++ b/mm/swapfile.c
@@ -2738,10 +2738,10 @@ static void *swap_next(struct seq_file *swap, void *v, loff_t *pos)
else
type = si->type + 1;
+ ++(*pos);
for (; (si = swap_type_to_swap_info(type)); type++) {
if (!(si->flags & SWP_USED) || !si->swap_map)
continue;
- ++*pos;
return si;
}
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 068/245] mm: pagewalk: fix termination condition in walk_pte_range()
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (66 preceding siblings ...)
2020-09-29 10:58 ` [PATCH 4.19 067/245] mm/swapfile.c: swap_next should increase position index Greg Kroah-Hartman
@ 2020-09-29 10:58 ` Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 069/245] Bluetooth: prefetch channel before killing sock Greg Kroah-Hartman
` (179 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:58 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Steven Price, Albert Ou,
Alexandre Ghiti, Andy Lutomirski, Ard Biesheuvel, Arnd Bergmann,
Benjamin Herrenschmidt, Borislav Petkov, Catalin Marinas,
Christian Borntraeger, Dave Hansen, David S. Miller,
Heiko Carstens, H. Peter Anvin, Ingo Molnar, James Hogan,
James Morse, Jerome Glisse, Liang, Kan, Mark Rutland,
Michael Ellerman, Paul Burton, Paul Mackerras, Paul Walmsley,
Peter Zijlstra, Ralf Baechle, Russell King, Thomas Gleixner,
Vasily Gorbik, Vineet Gupta, Will Deacon, Zong Li, Andrew Morton,
Linus Torvalds, Sasha Levin
From: Steven Price <steven.price@arm.com>
[ Upstream commit c02a98753e0a36ba65a05818626fa6adeb4e7c97 ]
If walk_pte_range() is called with a 'end' argument that is beyond the
last page of memory (e.g. ~0UL) then the comparison between 'addr' and
'end' will always fail and the loop will be infinite. Instead change the
comparison to >= while accounting for overflow.
Link: http://lkml.kernel.org/r/20191218162402.45610-15-steven.price@arm.com
Signed-off-by: Steven Price <steven.price@arm.com>
Cc: Albert Ou <aou@eecs.berkeley.edu>
Cc: Alexandre Ghiti <alex@ghiti.fr>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Christian Borntraeger <borntraeger@de.ibm.com>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: James Hogan <jhogan@kernel.org>
Cc: James Morse <james.morse@arm.com>
Cc: Jerome Glisse <jglisse@redhat.com>
Cc: "Liang, Kan" <kan.liang@linux.intel.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: Paul Burton <paul.burton@mips.com>
Cc: Paul Mackerras <paulus@samba.org>
Cc: Paul Walmsley <paul.walmsley@sifive.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: Russell King <linux@armlinux.org.uk>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vasily Gorbik <gor@linux.ibm.com>
Cc: Vineet Gupta <vgupta@synopsys.com>
Cc: Will Deacon <will@kernel.org>
Cc: Zong Li <zong.li@sifive.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
mm/pagewalk.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/mm/pagewalk.c b/mm/pagewalk.c
index c3084ff2569d2..3c0930d94a295 100644
--- a/mm/pagewalk.c
+++ b/mm/pagewalk.c
@@ -15,9 +15,9 @@ static int walk_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end,
err = walk->pte_entry(pte, addr, addr + PAGE_SIZE, walk);
if (err)
break;
- addr += PAGE_SIZE;
- if (addr == end)
+ if (addr >= end - PAGE_SIZE)
break;
+ addr += PAGE_SIZE;
pte++;
}
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 069/245] Bluetooth: prefetch channel before killing sock
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (67 preceding siblings ...)
2020-09-29 10:58 ` [PATCH 4.19 068/245] mm: pagewalk: fix termination condition in walk_pte_range() Greg Kroah-Hartman
@ 2020-09-29 10:58 ` Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 070/245] KVM: fix overflow of zero page refcount with ksm running Greg Kroah-Hartman
` (178 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:58 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, syzbot+c3c5bdea7863886115dc,
Manish Mandlik, Hillf Danton, Marcel Holtmann, Sasha Levin
From: Hillf Danton <hdanton@sina.com>
[ Upstream commit 2a154903cec20fb64ff4d7d617ca53c16f8fd53a ]
Prefetch channel before killing sock in order to fix UAF like
BUG: KASAN: use-after-free in l2cap_sock_release+0x24c/0x290 net/bluetooth/l2cap_sock.c:1212
Read of size 8 at addr ffff8880944904a0 by task syz-fuzzer/9751
Reported-by: syzbot+c3c5bdea7863886115dc@syzkaller.appspotmail.com
Fixes: 6c08fc896b60 ("Bluetooth: Fix refcount use-after-free issue")
Cc: Manish Mandlik <mmandlik@google.com>
Signed-off-by: Hillf Danton <hdanton@sina.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/l2cap_sock.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index d128750e47305..5572042f04531 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -1190,6 +1190,7 @@ static int l2cap_sock_release(struct socket *sock)
{
struct sock *sk = sock->sk;
int err;
+ struct l2cap_chan *chan;
BT_DBG("sock %p, sk %p", sock, sk);
@@ -1199,15 +1200,16 @@ static int l2cap_sock_release(struct socket *sock)
bt_sock_unlink(&l2cap_sk_list, sk);
err = l2cap_sock_shutdown(sock, 2);
+ chan = l2cap_pi(sk)->chan;
- l2cap_chan_hold(l2cap_pi(sk)->chan);
- l2cap_chan_lock(l2cap_pi(sk)->chan);
+ l2cap_chan_hold(chan);
+ l2cap_chan_lock(chan);
sock_orphan(sk);
l2cap_sock_kill(sk);
- l2cap_chan_unlock(l2cap_pi(sk)->chan);
- l2cap_chan_put(l2cap_pi(sk)->chan);
+ l2cap_chan_unlock(chan);
+ l2cap_chan_put(chan);
return err;
}
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 070/245] KVM: fix overflow of zero page refcount with ksm running
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (68 preceding siblings ...)
2020-09-29 10:58 ` [PATCH 4.19 069/245] Bluetooth: prefetch channel before killing sock Greg Kroah-Hartman
@ 2020-09-29 10:58 ` Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 071/245] ALSA: hda: Clear RIRB status before reading WP Greg Kroah-Hartman
` (177 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:58 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, LinFeng, Zhuang Yanying,
Paolo Bonzini, Sasha Levin
From: Zhuang Yanying <ann.zhuangyanying@huawei.com>
[ Upstream commit 7df003c85218b5f5b10a7f6418208f31e813f38f ]
We are testing Virtual Machine with KSM on v5.4-rc2 kernel,
and found the zero_page refcount overflow.
The cause of refcount overflow is increased in try_async_pf
(get_user_page) without being decreased in mmu_set_spte()
while handling ept violation.
In kvm_release_pfn_clean(), only unreserved page will call
put_page. However, zero page is reserved.
So, as well as creating and destroy vm, the refcount of
zero page will continue to increase until it overflows.
step1:
echo 10000 > /sys/kernel/pages_to_scan/pages_to_scan
echo 1 > /sys/kernel/pages_to_scan/run
echo 1 > /sys/kernel/pages_to_scan/use_zero_pages
step2:
just create several normal qemu kvm vms.
And destroy it after 10s.
Repeat this action all the time.
After a long period of time, all domains hang because
of the refcount of zero page overflow.
Qemu print error log as follow:
…
error: kvm run failed Bad address
EAX=00006cdc EBX=00000008 ECX=80202001 EDX=078bfbfd
ESI=ffffffff EDI=00000000 EBP=00000008 ESP=00006cc4
EIP=000efd75 EFL=00010002 [-------] CPL=0 II=0 A20=1 SMM=0 HLT=0
ES =0010 00000000 ffffffff 00c09300 DPL=0 DS [-WA]
CS =0008 00000000 ffffffff 00c09b00 DPL=0 CS32 [-RA]
SS =0010 00000000 ffffffff 00c09300 DPL=0 DS [-WA]
DS =0010 00000000 ffffffff 00c09300 DPL=0 DS [-WA]
FS =0010 00000000 ffffffff 00c09300 DPL=0 DS [-WA]
GS =0010 00000000 ffffffff 00c09300 DPL=0 DS [-WA]
LDT=0000 00000000 0000ffff 00008200 DPL=0 LDT
TR =0000 00000000 0000ffff 00008b00 DPL=0 TSS32-busy
GDT= 000f7070 00000037
IDT= 000f70ae 00000000
CR0=00000011 CR2=00000000 CR3=00000000 CR4=00000000
DR0=0000000000000000 DR1=0000000000000000 DR2=0000000000000000 DR3=0000000000000000
DR6=00000000ffff0ff0 DR7=0000000000000400
EFER=0000000000000000
Code=00 01 00 00 00 e9 e8 00 00 00 c7 05 4c 55 0f 00 01 00 00 00 <8b> 35 00 00 01 00 8b 3d 04 00 01 00 b8 d8 d3 00 00 c1 e0 08 0c ea a3 00 00 01 00 c7 05 04
…
Meanwhile, a kernel warning is departed.
[40914.836375] WARNING: CPU: 3 PID: 82067 at ./include/linux/mm.h:987 try_get_page+0x1f/0x30
[40914.836412] CPU: 3 PID: 82067 Comm: CPU 0/KVM Kdump: loaded Tainted: G OE 5.2.0-rc2 #5
[40914.836415] RIP: 0010:try_get_page+0x1f/0x30
[40914.836417] Code: 40 00 c3 0f 1f 84 00 00 00 00 00 48 8b 47 08 a8 01 75 11 8b 47 34 85 c0 7e 10 f0 ff 47 34 b8 01 00 00 00 c3 48 8d 78 ff eb e9 <0f> 0b 31 c0 c3 66 90 66 2e 0f 1f 84 00 0
0 00 00 00 48 8b 47 08 a8
[40914.836418] RSP: 0018:ffffb4144e523988 EFLAGS: 00010286
[40914.836419] RAX: 0000000080000000 RBX: 0000000000000326 RCX: 0000000000000000
[40914.836420] RDX: 0000000000000000 RSI: 00004ffdeba10000 RDI: ffffdf07093f6440
[40914.836421] RBP: ffffdf07093f6440 R08: 800000424fd91225 R09: 0000000000000000
[40914.836421] R10: ffff9eb41bfeebb8 R11: 0000000000000000 R12: ffffdf06bbd1e8a8
[40914.836422] R13: 0000000000000080 R14: 800000424fd91225 R15: ffffdf07093f6440
[40914.836423] FS: 00007fb60ffff700(0000) GS:ffff9eb4802c0000(0000) knlGS:0000000000000000
[40914.836425] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[40914.836426] CR2: 0000000000000000 CR3: 0000002f220e6002 CR4: 00000000003626e0
[40914.836427] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[40914.836427] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[40914.836428] Call Trace:
[40914.836433] follow_page_pte+0x302/0x47b
[40914.836437] __get_user_pages+0xf1/0x7d0
[40914.836441] ? irq_work_queue+0x9/0x70
[40914.836443] get_user_pages_unlocked+0x13f/0x1e0
[40914.836469] __gfn_to_pfn_memslot+0x10e/0x400 [kvm]
[40914.836486] try_async_pf+0x87/0x240 [kvm]
[40914.836503] tdp_page_fault+0x139/0x270 [kvm]
[40914.836523] kvm_mmu_page_fault+0x76/0x5e0 [kvm]
[40914.836588] vcpu_enter_guest+0xb45/0x1570 [kvm]
[40914.836632] kvm_arch_vcpu_ioctl_run+0x35d/0x580 [kvm]
[40914.836645] kvm_vcpu_ioctl+0x26e/0x5d0 [kvm]
[40914.836650] do_vfs_ioctl+0xa9/0x620
[40914.836653] ksys_ioctl+0x60/0x90
[40914.836654] __x64_sys_ioctl+0x16/0x20
[40914.836658] do_syscall_64+0x5b/0x180
[40914.836664] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[40914.836666] RIP: 0033:0x7fb61cb6bfc7
Signed-off-by: LinFeng <linfeng23@huawei.com>
Signed-off-by: Zhuang Yanying <ann.zhuangyanying@huawei.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
virt/kvm/kvm_main.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
index 6bd01d12df2ec..9312c7e750ed3 100644
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -169,6 +169,7 @@ bool kvm_is_reserved_pfn(kvm_pfn_t pfn)
*/
if (pfn_valid(pfn))
return PageReserved(pfn_to_page(pfn)) &&
+ !is_zero_pfn(pfn) &&
!kvm_is_zone_device_pfn(pfn);
return true;
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 071/245] ALSA: hda: Clear RIRB status before reading WP
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (69 preceding siblings ...)
2020-09-29 10:58 ` [PATCH 4.19 070/245] KVM: fix overflow of zero page refcount with ksm running Greg Kroah-Hartman
@ 2020-09-29 10:58 ` Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 072/245] skbuff: fix a data race in skb_queue_len() Greg Kroah-Hartman
` (176 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:58 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Mohan Kumar, Viswanath L,
Takashi Iwai, Sasha Levin
From: Mohan Kumar <mkumard@nvidia.com>
[ Upstream commit 6d011d5057ff88ee556c000ac6fe0be23bdfcd72 ]
RIRB interrupt status getting cleared after the write pointer is read
causes a race condition, where last response(s) into RIRB may remain
unserviced by IRQ, eventually causing azx_rirb_get_response to fall
back to polling mode. Clearing the RIRB interrupt status ahead of
write pointer access ensures that this condition is avoided.
Signed-off-by: Mohan Kumar <mkumard@nvidia.com>
Signed-off-by: Viswanath L <viswanathl@nvidia.com>
Link: https://lore.kernel.org/r/1580983853-351-1-git-send-email-viswanathl@nvidia.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/pci/hda/hda_controller.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/sound/pci/hda/hda_controller.c b/sound/pci/hda/hda_controller.c
index fa261b27d8588..8198d2e53b7df 100644
--- a/sound/pci/hda/hda_controller.c
+++ b/sound/pci/hda/hda_controller.c
@@ -1169,16 +1169,23 @@ irqreturn_t azx_interrupt(int irq, void *dev_id)
if (snd_hdac_bus_handle_stream_irq(bus, status, stream_update))
active = true;
- /* clear rirb int */
status = azx_readb(chip, RIRBSTS);
if (status & RIRB_INT_MASK) {
+ /*
+ * Clearing the interrupt status here ensures that no
+ * interrupt gets masked after the RIRB wp is read in
+ * snd_hdac_bus_update_rirb. This avoids a possible
+ * race condition where codec response in RIRB may
+ * remain unserviced by IRQ, eventually falling back
+ * to polling mode in azx_rirb_get_response.
+ */
+ azx_writeb(chip, RIRBSTS, RIRB_INT_MASK);
active = true;
if (status & RIRB_INT_RESPONSE) {
if (chip->driver_caps & AZX_DCAPS_CTX_WORKAROUND)
udelay(80);
snd_hdac_bus_update_rirb(bus);
}
- azx_writeb(chip, RIRBSTS, RIRB_INT_MASK);
}
} while (active && ++repeat < 10);
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 072/245] skbuff: fix a data race in skb_queue_len()
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (70 preceding siblings ...)
2020-09-29 10:58 ` [PATCH 4.19 071/245] ALSA: hda: Clear RIRB status before reading WP Greg Kroah-Hartman
@ 2020-09-29 10:58 ` Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 073/245] audit: CONFIG_CHANGE dont log internal bookkeeping as an event Greg Kroah-Hartman
` (175 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:58 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Qian Cai, David S. Miller, Sasha Levin
From: Qian Cai <cai@lca.pw>
[ Upstream commit 86b18aaa2b5b5bb48e609cd591b3d2d0fdbe0442 ]
sk_buff.qlen can be accessed concurrently as noticed by KCSAN,
BUG: KCSAN: data-race in __skb_try_recv_from_queue / unix_dgram_sendmsg
read to 0xffff8a1b1d8a81c0 of 4 bytes by task 5371 on cpu 96:
unix_dgram_sendmsg+0x9a9/0xb70 include/linux/skbuff.h:1821
net/unix/af_unix.c:1761
____sys_sendmsg+0x33e/0x370
___sys_sendmsg+0xa6/0xf0
__sys_sendmsg+0x69/0xf0
__x64_sys_sendmsg+0x51/0x70
do_syscall_64+0x91/0xb47
entry_SYSCALL_64_after_hwframe+0x49/0xbe
write to 0xffff8a1b1d8a81c0 of 4 bytes by task 1 on cpu 99:
__skb_try_recv_from_queue+0x327/0x410 include/linux/skbuff.h:2029
__skb_try_recv_datagram+0xbe/0x220
unix_dgram_recvmsg+0xee/0x850
____sys_recvmsg+0x1fb/0x210
___sys_recvmsg+0xa2/0xf0
__sys_recvmsg+0x66/0xf0
__x64_sys_recvmsg+0x51/0x70
do_syscall_64+0x91/0xb47
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Since only the read is operating as lockless, it could introduce a logic
bug in unix_recvq_full() due to the load tearing. Fix it by adding
a lockless variant of skb_queue_len() and unix_recvq_full() where
READ_ONCE() is on the read while WRITE_ONCE() is on the write similar to
the commit d7d16a89350a ("net: add skb_queue_empty_lockless()").
Signed-off-by: Qian Cai <cai@lca.pw>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/skbuff.h | 14 +++++++++++++-
net/unix/af_unix.c | 11 +++++++++--
2 files changed, 22 insertions(+), 3 deletions(-)
diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index cbc0294f39899..703ce71caeacb 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -1688,6 +1688,18 @@ static inline __u32 skb_queue_len(const struct sk_buff_head *list_)
return list_->qlen;
}
+/**
+ * skb_queue_len_lockless - get queue length
+ * @list_: list to measure
+ *
+ * Return the length of an &sk_buff queue.
+ * This variant can be used in lockless contexts.
+ */
+static inline __u32 skb_queue_len_lockless(const struct sk_buff_head *list_)
+{
+ return READ_ONCE(list_->qlen);
+}
+
/**
* __skb_queue_head_init - initialize non-spinlock portions of sk_buff_head
* @list: queue to initialize
@@ -1895,7 +1907,7 @@ static inline void __skb_unlink(struct sk_buff *skb, struct sk_buff_head *list)
{
struct sk_buff *next, *prev;
- list->qlen--;
+ WRITE_ONCE(list->qlen, list->qlen - 1);
next = skb->next;
prev = skb->prev;
skb->next = skb->prev = NULL;
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index 2318e2e2748f4..2020306468af4 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -192,11 +192,17 @@ static inline int unix_may_send(struct sock *sk, struct sock *osk)
return unix_peer(osk) == NULL || unix_our_peer(sk, osk);
}
-static inline int unix_recvq_full(struct sock const *sk)
+static inline int unix_recvq_full(const struct sock *sk)
{
return skb_queue_len(&sk->sk_receive_queue) > sk->sk_max_ack_backlog;
}
+static inline int unix_recvq_full_lockless(const struct sock *sk)
+{
+ return skb_queue_len_lockless(&sk->sk_receive_queue) >
+ READ_ONCE(sk->sk_max_ack_backlog);
+}
+
struct sock *unix_peer_get(struct sock *s)
{
struct sock *peer;
@@ -1788,7 +1794,8 @@ restart_locked:
* - unix_peer(sk) == sk by time of get but disconnected before lock
*/
if (other != sk &&
- unlikely(unix_peer(other) != sk && unix_recvq_full(other))) {
+ unlikely(unix_peer(other) != sk &&
+ unix_recvq_full_lockless(other))) {
if (timeo) {
timeo = unix_wait_for_peer(other, timeo);
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 073/245] audit: CONFIG_CHANGE dont log internal bookkeeping as an event
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (71 preceding siblings ...)
2020-09-29 10:58 ` [PATCH 4.19 072/245] skbuff: fix a data race in skb_queue_len() Greg Kroah-Hartman
@ 2020-09-29 10:58 ` Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 074/245] selinux: sel_avc_get_stat_idx should increase position index Greg Kroah-Hartman
` (174 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:58 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Steve Grubb, Paul Moore, Sasha Levin
From: Steve Grubb <sgrubb@redhat.com>
[ Upstream commit 70b3eeed49e8190d97139806f6fbaf8964306cdb ]
Common Criteria calls out for any action that modifies the audit trail to
be recorded. That usually is interpreted to mean insertion or removal of
rules. It is not required to log modification of the inode information
since the watch is still in effect. Additionally, if the rule is a never
rule and the underlying file is one they do not want events for, they
get an event for this bookkeeping update against their wishes.
Since no device/inode info is logged at insertion and no device/inode
information is logged on update, there is nothing meaningful being
communicated to the admin by the CONFIG_CHANGE updated_rules event. One
can assume that the rule was not "modified" because it is still watching
the intended target. If the device or inode cannot be resolved, then
audit_panic is called which is sufficient.
The correct resolution is to drop logging config_update events since
the watch is still in effect but just on another unknown inode.
Signed-off-by: Steve Grubb <sgrubb@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/audit_watch.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
index 4f7262eba73d8..50952d6d81209 100644
--- a/kernel/audit_watch.c
+++ b/kernel/audit_watch.c
@@ -317,8 +317,6 @@ static void audit_update_watch(struct audit_parent *parent,
if (oentry->rule.exe)
audit_remove_mark(oentry->rule.exe);
- audit_watch_log_rule_change(r, owatch, "updated_rules");
-
call_rcu(&oentry->rcu, audit_free_rule_rcu);
}
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 074/245] selinux: sel_avc_get_stat_idx should increase position index
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (72 preceding siblings ...)
2020-09-29 10:58 ` [PATCH 4.19 073/245] audit: CONFIG_CHANGE dont log internal bookkeeping as an event Greg Kroah-Hartman
@ 2020-09-29 10:58 ` Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 075/245] scsi: lpfc: Fix RQ buffer leakage when no IOCBs available Greg Kroah-Hartman
` (173 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:58 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Vasily Averin, Stephen Smalley,
Paul Moore, Sasha Levin
From: Vasily Averin <vvs@virtuozzo.com>
[ Upstream commit 8d269a8e2a8f0bca89022f4ec98de460acb90365 ]
If seq_file .next function does not change position index,
read after some lseek can generate unexpected output.
$ dd if=/sys/fs/selinux/avc/cache_stats # usual output
lookups hits misses allocations reclaims frees
817223 810034 7189 7189 6992 7037
1934894 1926896 7998 7998 7632 7683
1322812 1317176 5636 5636 5456 5507
1560571 1551548 9023 9023 9056 9115
0+1 records in
0+1 records out
189 bytes copied, 5,1564e-05 s, 3,7 MB/s
$# read after lseek to midle of last line
$ dd if=/sys/fs/selinux/avc/cache_stats bs=180 skip=1
dd: /sys/fs/selinux/avc/cache_stats: cannot skip to specified offset
056 9115 <<<< end of last line
1560571 1551548 9023 9023 9056 9115 <<< whole last line once again
0+1 records in
0+1 records out
45 bytes copied, 8,7221e-05 s, 516 kB/s
$# read after lseek beyond end of of file
$ dd if=/sys/fs/selinux/avc/cache_stats bs=1000 skip=1
dd: /sys/fs/selinux/avc/cache_stats: cannot skip to specified offset
1560571 1551548 9023 9023 9056 9115 <<<< generates whole last line
0+1 records in
0+1 records out
36 bytes copied, 9,0934e-05 s, 396 kB/s
https://bugzilla.kernel.org/show_bug.cgi?id=206283
Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
security/selinux/selinuxfs.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index f3a5a138a096d..60b3f16bb5c7b 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -1509,6 +1509,7 @@ static struct avc_cache_stats *sel_avc_get_stat_idx(loff_t *idx)
*idx = cpu + 1;
return &per_cpu(avc_cache_stats, cpu);
}
+ (*idx)++;
return NULL;
}
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 075/245] scsi: lpfc: Fix RQ buffer leakage when no IOCBs available
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (73 preceding siblings ...)
2020-09-29 10:58 ` [PATCH 4.19 074/245] selinux: sel_avc_get_stat_idx should increase position index Greg Kroah-Hartman
@ 2020-09-29 10:58 ` Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 076/245] scsi: lpfc: Fix coverity errors in fmdi attribute handling Greg Kroah-Hartman
` (172 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:58 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Dick Kennedy, James Smart,
Martin K. Petersen, Sasha Levin
From: James Smart <jsmart2021@gmail.com>
[ Upstream commit 39c4f1a965a9244c3ba60695e8ff8da065ec6ac4 ]
The driver is occasionally seeing the following SLI Port error, requiring
reset and reinit:
Port Status Event: ... error 1=0x52004a01, error 2=0x218
The failure means an RQ timeout. That is, the adapter had received
asynchronous receive frames, ran out of buffer slots to place the frames,
and the driver did not replenish the buffer slots before a timeout
occurred. The driver should not be so slow in replenishing buffers that a
timeout can occur.
When the driver received all the frames of a sequence, it allocates an IOCB
to put the frames in. In a situation where there was no IOCB available for
the frame of a sequence, the RQ buffer corresponding to the first frame of
the sequence was not returned to the FW. Eventually, with enough traffic
encountering the situation, the timeout occurred.
Fix by releasing the buffer back to firmware whenever there is no IOCB for
the first frame.
[mkp: typo]
Link: https://lore.kernel.org/r/20200128002312.16346-2-jsmart2021@gmail.com
Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
Signed-off-by: James Smart <jsmart2021@gmail.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/lpfc/lpfc_sli.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c
index a56a939792ac1..2ab351260e815 100644
--- a/drivers/scsi/lpfc/lpfc_sli.c
+++ b/drivers/scsi/lpfc/lpfc_sli.c
@@ -17413,6 +17413,10 @@ lpfc_prep_seq(struct lpfc_vport *vport, struct hbq_dmabuf *seq_dmabuf)
list_add_tail(&iocbq->list, &first_iocbq->list);
}
}
+ /* Free the sequence's header buffer */
+ if (!first_iocbq)
+ lpfc_in_buf_free(vport->phba, &seq_dmabuf->dbuf);
+
return first_iocbq;
}
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 076/245] scsi: lpfc: Fix coverity errors in fmdi attribute handling
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (74 preceding siblings ...)
2020-09-29 10:58 ` [PATCH 4.19 075/245] scsi: lpfc: Fix RQ buffer leakage when no IOCBs available Greg Kroah-Hartman
@ 2020-09-29 10:58 ` Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 077/245] drm/omap: fix possible object reference leak Greg Kroah-Hartman
` (171 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:58 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Dick Kennedy, James Smart,
Martin K. Petersen, Sasha Levin
From: James Smart <jsmart2021@gmail.com>
[ Upstream commit 4cb9e1ddaa145be9ed67b6a7de98ca705a43f998 ]
Coverity reported a memory corruption error for the fdmi attributes
routines:
CID 15768 [Memory Corruption] Out-of-bounds access on FDMI
Sloppy coding of the fmdi structures. In both the lpfc_fdmi_attr_def and
lpfc_fdmi_reg_port_list structures, a field was placed at the start of
payload that may have variable content. The field was given an arbitrary
type (uint32_t). The code then uses the field name to derive an address,
which it used in things such as memset and memcpy. The memset sizes or
memcpy lengths were larger than the arbitrary type, thus coverity reported
an error.
Fix by replacing the arbitrary fields with the real field structures
describing the payload.
Link: https://lore.kernel.org/r/20200128002312.16346-8-jsmart2021@gmail.com
Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
Signed-off-by: James Smart <jsmart2021@gmail.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/lpfc/lpfc_ct.c | 137 ++++++++++++++++++------------------
drivers/scsi/lpfc/lpfc_hw.h | 36 +++++-----
2 files changed, 85 insertions(+), 88 deletions(-)
diff --git a/drivers/scsi/lpfc/lpfc_ct.c b/drivers/scsi/lpfc/lpfc_ct.c
index 384f5cd7c3c81..99b4ff78f9dce 100644
--- a/drivers/scsi/lpfc/lpfc_ct.c
+++ b/drivers/scsi/lpfc/lpfc_ct.c
@@ -1737,8 +1737,8 @@ lpfc_fdmi_hba_attr_wwnn(struct lpfc_vport *vport, struct lpfc_fdmi_attr_def *ad)
struct lpfc_fdmi_attr_entry *ae;
uint32_t size;
- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
- memset(ae, 0, sizeof(struct lpfc_name));
+ ae = &ad->AttrValue;
+ memset(ae, 0, sizeof(*ae));
memcpy(&ae->un.AttrWWN, &vport->fc_sparam.nodeName,
sizeof(struct lpfc_name));
@@ -1754,8 +1754,8 @@ lpfc_fdmi_hba_attr_manufacturer(struct lpfc_vport *vport,
struct lpfc_fdmi_attr_entry *ae;
uint32_t len, size;
- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
- memset(ae, 0, 256);
+ ae = &ad->AttrValue;
+ memset(ae, 0, sizeof(*ae));
/* This string MUST be consistent with other FC platforms
* supported by Broadcom.
@@ -1779,8 +1779,8 @@ lpfc_fdmi_hba_attr_sn(struct lpfc_vport *vport, struct lpfc_fdmi_attr_def *ad)
struct lpfc_fdmi_attr_entry *ae;
uint32_t len, size;
- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
- memset(ae, 0, 256);
+ ae = &ad->AttrValue;
+ memset(ae, 0, sizeof(*ae));
strncpy(ae->un.AttrString, phba->SerialNumber,
sizeof(ae->un.AttrString));
@@ -1801,8 +1801,8 @@ lpfc_fdmi_hba_attr_model(struct lpfc_vport *vport,
struct lpfc_fdmi_attr_entry *ae;
uint32_t len, size;
- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
- memset(ae, 0, 256);
+ ae = &ad->AttrValue;
+ memset(ae, 0, sizeof(*ae));
strncpy(ae->un.AttrString, phba->ModelName,
sizeof(ae->un.AttrString));
@@ -1822,8 +1822,8 @@ lpfc_fdmi_hba_attr_description(struct lpfc_vport *vport,
struct lpfc_fdmi_attr_entry *ae;
uint32_t len, size;
- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
- memset(ae, 0, 256);
+ ae = &ad->AttrValue;
+ memset(ae, 0, sizeof(*ae));
strncpy(ae->un.AttrString, phba->ModelDesc,
sizeof(ae->un.AttrString));
@@ -1845,8 +1845,8 @@ lpfc_fdmi_hba_attr_hdw_ver(struct lpfc_vport *vport,
struct lpfc_fdmi_attr_entry *ae;
uint32_t i, j, incr, size;
- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
- memset(ae, 0, 256);
+ ae = &ad->AttrValue;
+ memset(ae, 0, sizeof(*ae));
/* Convert JEDEC ID to ascii for hardware version */
incr = vp->rev.biuRev;
@@ -1875,8 +1875,8 @@ lpfc_fdmi_hba_attr_drvr_ver(struct lpfc_vport *vport,
struct lpfc_fdmi_attr_entry *ae;
uint32_t len, size;
- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
- memset(ae, 0, 256);
+ ae = &ad->AttrValue;
+ memset(ae, 0, sizeof(*ae));
strncpy(ae->un.AttrString, lpfc_release_version,
sizeof(ae->un.AttrString));
@@ -1897,8 +1897,8 @@ lpfc_fdmi_hba_attr_rom_ver(struct lpfc_vport *vport,
struct lpfc_fdmi_attr_entry *ae;
uint32_t len, size;
- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
- memset(ae, 0, 256);
+ ae = &ad->AttrValue;
+ memset(ae, 0, sizeof(*ae));
if (phba->sli_rev == LPFC_SLI_REV4)
lpfc_decode_firmware_rev(phba, ae->un.AttrString, 1);
@@ -1922,8 +1922,8 @@ lpfc_fdmi_hba_attr_fmw_ver(struct lpfc_vport *vport,
struct lpfc_fdmi_attr_entry *ae;
uint32_t len, size;
- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
- memset(ae, 0, 256);
+ ae = &ad->AttrValue;
+ memset(ae, 0, sizeof(*ae));
lpfc_decode_firmware_rev(phba, ae->un.AttrString, 1);
len = strnlen(ae->un.AttrString,
@@ -1942,8 +1942,8 @@ lpfc_fdmi_hba_attr_os_ver(struct lpfc_vport *vport,
struct lpfc_fdmi_attr_entry *ae;
uint32_t len, size;
- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
- memset(ae, 0, 256);
+ ae = &ad->AttrValue;
+ memset(ae, 0, sizeof(*ae));
snprintf(ae->un.AttrString, sizeof(ae->un.AttrString), "%s %s %s",
init_utsname()->sysname,
@@ -1965,7 +1965,7 @@ lpfc_fdmi_hba_attr_ct_len(struct lpfc_vport *vport,
struct lpfc_fdmi_attr_entry *ae;
uint32_t size;
- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
+ ae = &ad->AttrValue;
ae->un.AttrInt = cpu_to_be32(LPFC_MAX_CT_SIZE);
size = FOURBYTES + sizeof(uint32_t);
@@ -1981,8 +1981,8 @@ lpfc_fdmi_hba_attr_symbolic_name(struct lpfc_vport *vport,
struct lpfc_fdmi_attr_entry *ae;
uint32_t len, size;
- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
- memset(ae, 0, 256);
+ ae = &ad->AttrValue;
+ memset(ae, 0, sizeof(*ae));
len = lpfc_vport_symbolic_node_name(vport,
ae->un.AttrString, 256);
@@ -2000,7 +2000,7 @@ lpfc_fdmi_hba_attr_vendor_info(struct lpfc_vport *vport,
struct lpfc_fdmi_attr_entry *ae;
uint32_t size;
- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
+ ae = &ad->AttrValue;
/* Nothing is defined for this currently */
ae->un.AttrInt = cpu_to_be32(0);
@@ -2017,7 +2017,7 @@ lpfc_fdmi_hba_attr_num_ports(struct lpfc_vport *vport,
struct lpfc_fdmi_attr_entry *ae;
uint32_t size;
- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
+ ae = &ad->AttrValue;
/* Each driver instance corresponds to a single port */
ae->un.AttrInt = cpu_to_be32(1);
@@ -2034,8 +2034,8 @@ lpfc_fdmi_hba_attr_fabric_wwnn(struct lpfc_vport *vport,
struct lpfc_fdmi_attr_entry *ae;
uint32_t size;
- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
- memset(ae, 0, sizeof(struct lpfc_name));
+ ae = &ad->AttrValue;
+ memset(ae, 0, sizeof(*ae));
memcpy(&ae->un.AttrWWN, &vport->fabric_nodename,
sizeof(struct lpfc_name));
@@ -2053,8 +2053,8 @@ lpfc_fdmi_hba_attr_bios_ver(struct lpfc_vport *vport,
struct lpfc_fdmi_attr_entry *ae;
uint32_t len, size;
- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
- memset(ae, 0, 256);
+ ae = &ad->AttrValue;
+ memset(ae, 0, sizeof(*ae));
lpfc_decode_firmware_rev(phba, ae->un.AttrString, 1);
len = strnlen(ae->un.AttrString,
@@ -2073,7 +2073,7 @@ lpfc_fdmi_hba_attr_bios_state(struct lpfc_vport *vport,
struct lpfc_fdmi_attr_entry *ae;
uint32_t size;
- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
+ ae = &ad->AttrValue;
/* Driver doesn't have access to this information */
ae->un.AttrInt = cpu_to_be32(0);
@@ -2090,8 +2090,8 @@ lpfc_fdmi_hba_attr_vendor_id(struct lpfc_vport *vport,
struct lpfc_fdmi_attr_entry *ae;
uint32_t len, size;
- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
- memset(ae, 0, 256);
+ ae = &ad->AttrValue;
+ memset(ae, 0, sizeof(*ae));
strncpy(ae->un.AttrString, "EMULEX",
sizeof(ae->un.AttrString));
@@ -2112,8 +2112,8 @@ lpfc_fdmi_port_attr_fc4type(struct lpfc_vport *vport,
struct lpfc_fdmi_attr_entry *ae;
uint32_t size;
- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
- memset(ae, 0, 32);
+ ae = &ad->AttrValue;
+ memset(ae, 0, sizeof(*ae));
ae->un.AttrTypes[3] = 0x02; /* Type 0x1 - ELS */
ae->un.AttrTypes[2] = 0x01; /* Type 0x8 - FCP */
@@ -2134,7 +2134,7 @@ lpfc_fdmi_port_attr_support_speed(struct lpfc_vport *vport,
struct lpfc_fdmi_attr_entry *ae;
uint32_t size;
- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
+ ae = &ad->AttrValue;
ae->un.AttrInt = 0;
if (!(phba->hba_flag & HBA_FCOE_MODE)) {
@@ -2186,7 +2186,7 @@ lpfc_fdmi_port_attr_speed(struct lpfc_vport *vport,
struct lpfc_fdmi_attr_entry *ae;
uint32_t size;
- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
+ ae = &ad->AttrValue;
if (!(phba->hba_flag & HBA_FCOE_MODE)) {
switch (phba->fc_linkspeed) {
@@ -2253,7 +2253,7 @@ lpfc_fdmi_port_attr_max_frame(struct lpfc_vport *vport,
struct lpfc_fdmi_attr_entry *ae;
uint32_t size;
- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
+ ae = &ad->AttrValue;
hsp = (struct serv_parm *)&vport->fc_sparam;
ae->un.AttrInt = (((uint32_t) hsp->cmn.bbRcvSizeMsb) << 8) |
@@ -2273,8 +2273,8 @@ lpfc_fdmi_port_attr_os_devname(struct lpfc_vport *vport,
struct lpfc_fdmi_attr_entry *ae;
uint32_t len, size;
- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
- memset(ae, 0, 256);
+ ae = &ad->AttrValue;
+ memset(ae, 0, sizeof(*ae));
snprintf(ae->un.AttrString, sizeof(ae->un.AttrString),
"/sys/class/scsi_host/host%d", shost->host_no);
@@ -2294,8 +2294,8 @@ lpfc_fdmi_port_attr_host_name(struct lpfc_vport *vport,
struct lpfc_fdmi_attr_entry *ae;
uint32_t len, size;
- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
- memset(ae, 0, 256);
+ ae = &ad->AttrValue;
+ memset(ae, 0, sizeof(*ae));
snprintf(ae->un.AttrString, sizeof(ae->un.AttrString), "%s",
init_utsname()->nodename);
@@ -2315,8 +2315,8 @@ lpfc_fdmi_port_attr_wwnn(struct lpfc_vport *vport,
struct lpfc_fdmi_attr_entry *ae;
uint32_t size;
- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
- memset(ae, 0, sizeof(struct lpfc_name));
+ ae = &ad->AttrValue;
+ memset(ae, 0, sizeof(*ae));
memcpy(&ae->un.AttrWWN, &vport->fc_sparam.nodeName,
sizeof(struct lpfc_name));
@@ -2333,8 +2333,8 @@ lpfc_fdmi_port_attr_wwpn(struct lpfc_vport *vport,
struct lpfc_fdmi_attr_entry *ae;
uint32_t size;
- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
- memset(ae, 0, sizeof(struct lpfc_name));
+ ae = &ad->AttrValue;
+ memset(ae, 0, sizeof(*ae));
memcpy(&ae->un.AttrWWN, &vport->fc_sparam.portName,
sizeof(struct lpfc_name));
@@ -2351,8 +2351,8 @@ lpfc_fdmi_port_attr_symbolic_name(struct lpfc_vport *vport,
struct lpfc_fdmi_attr_entry *ae;
uint32_t len, size;
- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
- memset(ae, 0, 256);
+ ae = &ad->AttrValue;
+ memset(ae, 0, sizeof(*ae));
len = lpfc_vport_symbolic_port_name(vport, ae->un.AttrString, 256);
len += (len & 3) ? (4 - (len & 3)) : 4;
@@ -2370,7 +2370,7 @@ lpfc_fdmi_port_attr_port_type(struct lpfc_vport *vport,
struct lpfc_fdmi_attr_entry *ae;
uint32_t size;
- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
+ ae = &ad->AttrValue;
if (phba->fc_topology == LPFC_TOPOLOGY_LOOP)
ae->un.AttrInt = cpu_to_be32(LPFC_FDMI_PORTTYPE_NLPORT);
else
@@ -2388,7 +2388,7 @@ lpfc_fdmi_port_attr_class(struct lpfc_vport *vport,
struct lpfc_fdmi_attr_entry *ae;
uint32_t size;
- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
+ ae = &ad->AttrValue;
ae->un.AttrInt = cpu_to_be32(FC_COS_CLASS2 | FC_COS_CLASS3);
size = FOURBYTES + sizeof(uint32_t);
ad->AttrLen = cpu_to_be16(size);
@@ -2403,8 +2403,8 @@ lpfc_fdmi_port_attr_fabric_wwpn(struct lpfc_vport *vport,
struct lpfc_fdmi_attr_entry *ae;
uint32_t size;
- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
- memset(ae, 0, sizeof(struct lpfc_name));
+ ae = &ad->AttrValue;
+ memset(ae, 0, sizeof(*ae));
memcpy(&ae->un.AttrWWN, &vport->fabric_portname,
sizeof(struct lpfc_name));
@@ -2421,8 +2421,8 @@ lpfc_fdmi_port_attr_active_fc4type(struct lpfc_vport *vport,
struct lpfc_fdmi_attr_entry *ae;
uint32_t size;
- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
- memset(ae, 0, 32);
+ ae = &ad->AttrValue;
+ memset(ae, 0, sizeof(*ae));
ae->un.AttrTypes[3] = 0x02; /* Type 0x1 - ELS */
ae->un.AttrTypes[2] = 0x01; /* Type 0x8 - FCP */
@@ -2442,7 +2442,7 @@ lpfc_fdmi_port_attr_port_state(struct lpfc_vport *vport,
struct lpfc_fdmi_attr_entry *ae;
uint32_t size;
- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
+ ae = &ad->AttrValue;
/* Link Up - operational */
ae->un.AttrInt = cpu_to_be32(LPFC_FDMI_PORTSTATE_ONLINE);
size = FOURBYTES + sizeof(uint32_t);
@@ -2458,7 +2458,7 @@ lpfc_fdmi_port_attr_num_disc(struct lpfc_vport *vport,
struct lpfc_fdmi_attr_entry *ae;
uint32_t size;
- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
+ ae = &ad->AttrValue;
vport->fdmi_num_disc = lpfc_find_map_node(vport);
ae->un.AttrInt = cpu_to_be32(vport->fdmi_num_disc);
size = FOURBYTES + sizeof(uint32_t);
@@ -2474,7 +2474,7 @@ lpfc_fdmi_port_attr_nportid(struct lpfc_vport *vport,
struct lpfc_fdmi_attr_entry *ae;
uint32_t size;
- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
+ ae = &ad->AttrValue;
ae->un.AttrInt = cpu_to_be32(vport->fc_myDID);
size = FOURBYTES + sizeof(uint32_t);
ad->AttrLen = cpu_to_be16(size);
@@ -2489,8 +2489,8 @@ lpfc_fdmi_smart_attr_service(struct lpfc_vport *vport,
struct lpfc_fdmi_attr_entry *ae;
uint32_t len, size;
- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
- memset(ae, 0, 256);
+ ae = &ad->AttrValue;
+ memset(ae, 0, sizeof(*ae));
strncpy(ae->un.AttrString, "Smart SAN Initiator",
sizeof(ae->un.AttrString));
@@ -2510,8 +2510,8 @@ lpfc_fdmi_smart_attr_guid(struct lpfc_vport *vport,
struct lpfc_fdmi_attr_entry *ae;
uint32_t size;
- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
- memset(ae, 0, 256);
+ ae = &ad->AttrValue;
+ memset(ae, 0, sizeof(*ae));
memcpy(&ae->un.AttrString, &vport->fc_sparam.nodeName,
sizeof(struct lpfc_name));
@@ -2531,8 +2531,8 @@ lpfc_fdmi_smart_attr_version(struct lpfc_vport *vport,
struct lpfc_fdmi_attr_entry *ae;
uint32_t len, size;
- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
- memset(ae, 0, 256);
+ ae = &ad->AttrValue;
+ memset(ae, 0, sizeof(*ae));
strncpy(ae->un.AttrString, "Smart SAN Version 2.0",
sizeof(ae->un.AttrString));
@@ -2553,8 +2553,8 @@ lpfc_fdmi_smart_attr_model(struct lpfc_vport *vport,
struct lpfc_fdmi_attr_entry *ae;
uint32_t len, size;
- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
- memset(ae, 0, 256);
+ ae = &ad->AttrValue;
+ memset(ae, 0, sizeof(*ae));
strncpy(ae->un.AttrString, phba->ModelName,
sizeof(ae->un.AttrString));
@@ -2573,7 +2573,7 @@ lpfc_fdmi_smart_attr_port_info(struct lpfc_vport *vport,
struct lpfc_fdmi_attr_entry *ae;
uint32_t size;
- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
+ ae = &ad->AttrValue;
/* SRIOV (type 3) is not supported */
if (vport->vpi)
@@ -2593,7 +2593,7 @@ lpfc_fdmi_smart_attr_qos(struct lpfc_vport *vport,
struct lpfc_fdmi_attr_entry *ae;
uint32_t size;
- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
+ ae = &ad->AttrValue;
ae->un.AttrInt = cpu_to_be32(0);
size = FOURBYTES + sizeof(uint32_t);
ad->AttrLen = cpu_to_be16(size);
@@ -2608,7 +2608,7 @@ lpfc_fdmi_smart_attr_security(struct lpfc_vport *vport,
struct lpfc_fdmi_attr_entry *ae;
uint32_t size;
- ae = (struct lpfc_fdmi_attr_entry *)&ad->AttrValue;
+ ae = &ad->AttrValue;
ae->un.AttrInt = cpu_to_be32(1);
size = FOURBYTES + sizeof(uint32_t);
ad->AttrLen = cpu_to_be16(size);
@@ -2756,7 +2756,8 @@ lpfc_fdmi_cmd(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp,
/* Registered Port List */
/* One entry (port) per adapter */
rh->rpl.EntryCnt = cpu_to_be32(1);
- memcpy(&rh->rpl.pe, &phba->pport->fc_sparam.portName,
+ memcpy(&rh->rpl.pe.PortName,
+ &phba->pport->fc_sparam.portName,
sizeof(struct lpfc_name));
/* point to the HBA attribute block */
diff --git a/drivers/scsi/lpfc/lpfc_hw.h b/drivers/scsi/lpfc/lpfc_hw.h
index 009aa0eee0408..48d4d576d588e 100644
--- a/drivers/scsi/lpfc/lpfc_hw.h
+++ b/drivers/scsi/lpfc/lpfc_hw.h
@@ -1333,25 +1333,8 @@ struct fc_rdp_res_frame {
/* lpfc_sli_ct_request defines the CT_IU preamble for FDMI commands */
#define SLI_CT_FDMI_Subtypes 0x10 /* Management Service Subtype */
-/*
- * Registered Port List Format
- */
-struct lpfc_fdmi_reg_port_list {
- uint32_t EntryCnt;
- uint32_t pe; /* Variable-length array */
-};
-
-
/* Definitions for HBA / Port attribute entries */
-struct lpfc_fdmi_attr_def { /* Defined in TLV format */
- /* Structure is in Big Endian format */
- uint32_t AttrType:16;
- uint32_t AttrLen:16;
- uint32_t AttrValue; /* Marks start of Value (ATTRIBUTE_ENTRY) */
-};
-
-
/* Attribute Entry */
struct lpfc_fdmi_attr_entry {
union {
@@ -1362,7 +1345,13 @@ struct lpfc_fdmi_attr_entry {
} un;
};
-#define LPFC_FDMI_MAX_AE_SIZE sizeof(struct lpfc_fdmi_attr_entry)
+struct lpfc_fdmi_attr_def { /* Defined in TLV format */
+ /* Structure is in Big Endian format */
+ uint32_t AttrType:16;
+ uint32_t AttrLen:16;
+ /* Marks start of Value (ATTRIBUTE_ENTRY) */
+ struct lpfc_fdmi_attr_entry AttrValue;
+} __packed;
/*
* HBA Attribute Block
@@ -1386,13 +1375,20 @@ struct lpfc_fdmi_hba_ident {
struct lpfc_name PortName;
};
+/*
+ * Registered Port List Format
+ */
+struct lpfc_fdmi_reg_port_list {
+ uint32_t EntryCnt;
+ struct lpfc_fdmi_port_entry pe;
+} __packed;
+
/*
* Register HBA(RHBA)
*/
struct lpfc_fdmi_reg_hba {
struct lpfc_fdmi_hba_ident hi;
- struct lpfc_fdmi_reg_port_list rpl; /* variable-length array */
-/* struct lpfc_fdmi_attr_block ab; */
+ struct lpfc_fdmi_reg_port_list rpl;
};
/*
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 077/245] drm/omap: fix possible object reference leak
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (75 preceding siblings ...)
2020-09-29 10:58 ` [PATCH 4.19 076/245] scsi: lpfc: Fix coverity errors in fmdi attribute handling Greg Kroah-Hartman
@ 2020-09-29 10:58 ` Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 078/245] clk: stratix10: use do_div() for 64-bit calculation Greg Kroah-Hartman
` (170 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:58 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Wen Yang, Laurent Pinchart,
Mukesh Ojha, Tomi Valkeinen, David Airlie, Daniel Vetter,
Sebastian Reichel, dri-devel, Markus Elfring, Sasha Levin
From: Wen Yang <wen.yang99@zte.com.cn>
[ Upstream commit 47340e46f34a3b1d80e40b43ae3d7a8da34a3541 ]
The call to of_find_matching_node returns a node pointer with refcount
incremented thus it must be explicitly decremented after the last
usage.
Detected by coccinelle with the following warnings:
drivers/gpu/drm/omapdrm/dss/omapdss-boot-init.c:212:2-8: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 209, but without a corresponding object release within this function.
drivers/gpu/drm/omapdrm/dss/omapdss-boot-init.c:237:1-7: ERROR: missing of_node_put; acquired a node pointer with refcount incremented on line 209, but without a corresponding object release within this function.
Signed-off-by: Wen Yang <wen.yang99@zte.com.cn>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Reviewed-by: Mukesh Ojha <mojha@codeaurora.org>
Cc: Tomi Valkeinen <tomi.valkeinen@ti.com>
Cc: David Airlie <airlied@linux.ie>
Cc: Daniel Vetter <daniel@ffwll.ch>
Cc: Sebastian Reichel <sebastian.reichel@collabora.com>
Cc: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Cc: dri-devel@lists.freedesktop.org
Cc: linux-kernel@vger.kernel.org
Cc: Markus Elfring <Markus.Elfring@web.de>
Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
Link: https://patchwork.freedesktop.org/patch/msgid/1554692313-28882-2-git-send-email-wen.yang99@zte.com.cn
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/omapdrm/dss/omapdss-boot-init.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/omapdrm/dss/omapdss-boot-init.c b/drivers/gpu/drm/omapdrm/dss/omapdss-boot-init.c
index 3bfb95d230e0e..d8fb686c1fda9 100644
--- a/drivers/gpu/drm/omapdrm/dss/omapdss-boot-init.c
+++ b/drivers/gpu/drm/omapdrm/dss/omapdss-boot-init.c
@@ -193,7 +193,7 @@ static int __init omapdss_boot_init(void)
dss = of_find_matching_node(NULL, omapdss_of_match);
if (dss == NULL || !of_device_is_available(dss))
- return 0;
+ goto put_node;
omapdss_walk_device(dss, true);
@@ -218,6 +218,8 @@ static int __init omapdss_boot_init(void)
kfree(n);
}
+put_node:
+ of_node_put(dss);
return 0;
}
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 078/245] clk: stratix10: use do_div() for 64-bit calculation
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (76 preceding siblings ...)
2020-09-29 10:58 ` [PATCH 4.19 077/245] drm/omap: fix possible object reference leak Greg Kroah-Hartman
@ 2020-09-29 10:58 ` Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 079/245] crypto: chelsio - This fixes the kernel panic which occurs during a libkcapi test Greg Kroah-Hartman
` (169 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:58 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Dinh Nguyen, Stephen Boyd, Sasha Levin
From: Dinh Nguyen <dinguyen@kernel.org>
[ Upstream commit cc26ed7be46c5f5fa45f3df8161ed7ca3c4d318c ]
do_div() macro to perform u64 division and guards against overflow if
the result is too large for the unsigned long return type.
Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
Link: https://lkml.kernel.org/r/20200114160726.19771-1-dinguyen@kernel.org
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/socfpga/clk-pll-s10.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/clk/socfpga/clk-pll-s10.c b/drivers/clk/socfpga/clk-pll-s10.c
index c4d0b6f6abf2e..fc2e2839fe570 100644
--- a/drivers/clk/socfpga/clk-pll-s10.c
+++ b/drivers/clk/socfpga/clk-pll-s10.c
@@ -38,7 +38,9 @@ static unsigned long clk_pll_recalc_rate(struct clk_hw *hwclk,
/* read VCO1 reg for numerator and denominator */
reg = readl(socfpgaclk->hw.reg);
refdiv = (reg & SOCFPGA_PLL_REFDIV_MASK) >> SOCFPGA_PLL_REFDIV_SHIFT;
- vco_freq = (unsigned long long)parent_rate / refdiv;
+
+ vco_freq = parent_rate;
+ do_div(vco_freq, refdiv);
/* Read mdiv and fdiv from the fdbck register */
reg = readl(socfpgaclk->hw.reg + 0x4);
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 079/245] crypto: chelsio - This fixes the kernel panic which occurs during a libkcapi test
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (77 preceding siblings ...)
2020-09-29 10:58 ` [PATCH 4.19 078/245] clk: stratix10: use do_div() for 64-bit calculation Greg Kroah-Hartman
@ 2020-09-29 10:58 ` Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 080/245] mt76: clear skb pointers from rx aggregation reorder buffer during cleanup Greg Kroah-Hartman
` (168 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:58 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Ayush Sawal, Herbert Xu, Sasha Levin
From: Ayush Sawal <ayush.sawal@chelsio.com>
[ Upstream commit 9195189e00a7db55e7d448cee973cae87c5a3c71 ]
The libkcapi test which causes kernel panic is
aead asynchronous vmsplice multiple test.
./bin/kcapi -v -d 4 -x 10 -c "ccm(aes)"
-q 4edb58e8d5eb6bc711c43a6f3693daebde2e5524f1b55297abb29f003236e43d
-t a7877c99 -n 674742abd0f5ba -k 2861fd0253705d7875c95ba8a53171b4
-a fb7bc304a3909e66e2e0c5ef952712dd884ce3e7324171369f2c5db1adc48c7d
This patch avoids dma_mapping of a zero length sg which causes the panic,
by using sg_nents_for_len which maps only upto a specific length
Signed-off-by: Ayush Sawal <ayush.sawal@chelsio.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/crypto/chelsio/chcr_algo.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/crypto/chelsio/chcr_algo.c b/drivers/crypto/chelsio/chcr_algo.c
index 9b3c259f081d3..ee508bbbb7504 100644
--- a/drivers/crypto/chelsio/chcr_algo.c
+++ b/drivers/crypto/chelsio/chcr_algo.c
@@ -2418,8 +2418,9 @@ int chcr_aead_dma_map(struct device *dev,
else
reqctx->b0_dma = 0;
if (req->src == req->dst) {
- error = dma_map_sg(dev, req->src, sg_nents(req->src),
- DMA_BIDIRECTIONAL);
+ error = dma_map_sg(dev, req->src,
+ sg_nents_for_len(req->src, dst_size),
+ DMA_BIDIRECTIONAL);
if (!error)
goto err;
} else {
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 080/245] mt76: clear skb pointers from rx aggregation reorder buffer during cleanup
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (78 preceding siblings ...)
2020-09-29 10:58 ` [PATCH 4.19 079/245] crypto: chelsio - This fixes the kernel panic which occurs during a libkcapi test Greg Kroah-Hartman
@ 2020-09-29 10:58 ` Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 081/245] ALSA: usb-audio: Dont create a mixer element with bogus volume range Greg Kroah-Hartman
` (167 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:58 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Felix Fietkau, Sasha Levin
From: Felix Fietkau <nbd@nbd.name>
[ Upstream commit 9379df2fd9234e3b67a23101c2370c99f6af6d77 ]
During the cleanup of the aggregation session, a rx handler (or release timer)
on another CPU might still hold a pointer to the reorder buffer and could
attempt to release some packets.
Clearing pointers during cleanup avoids a theoretical use-after-free bug here.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/mediatek/mt76/agg-rx.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/wireless/mediatek/mt76/agg-rx.c b/drivers/net/wireless/mediatek/mt76/agg-rx.c
index d44d57e6eb27a..97df6b3a472b1 100644
--- a/drivers/net/wireless/mediatek/mt76/agg-rx.c
+++ b/drivers/net/wireless/mediatek/mt76/agg-rx.c
@@ -278,6 +278,7 @@ static void mt76_rx_aggr_shutdown(struct mt76_dev *dev, struct mt76_rx_tid *tid)
if (!skb)
continue;
+ tid->reorder_buf[i] = NULL;
tid->nframes--;
dev_kfree_skb(skb);
}
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 081/245] ALSA: usb-audio: Dont create a mixer element with bogus volume range
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (79 preceding siblings ...)
2020-09-29 10:58 ` [PATCH 4.19 080/245] mt76: clear skb pointers from rx aggregation reorder buffer during cleanup Greg Kroah-Hartman
@ 2020-09-29 10:58 ` Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 082/245] perf test: Fix test trace+probe_vfs_getname.sh on s390 Greg Kroah-Hartman
` (166 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:58 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Takashi Iwai, Sasha Levin
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit e9a0ef0b5ddcbc0d56c65aefc0f18d16e6f71207 ]
Some USB-audio descriptors provide a bogus volume range (e.g. volume
min and max are identical), which confuses user-space.
This patch makes the driver skipping such a control element.
BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=206221
Link: https://lore.kernel.org/r/20200214144928.23628-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/usb/mixer.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c
index 45bd3d54be54b..451b8ea383c61 100644
--- a/sound/usb/mixer.c
+++ b/sound/usb/mixer.c
@@ -1699,6 +1699,16 @@ static void __build_feature_ctl(struct usb_mixer_interface *mixer,
/* get min/max values */
get_min_max_with_quirks(cval, 0, kctl);
+ /* skip a bogus volume range */
+ if (cval->max <= cval->min) {
+ usb_audio_dbg(mixer->chip,
+ "[%d] FU [%s] skipped due to invalid volume\n",
+ cval->head.id, kctl->id.name);
+ snd_ctl_free_one(kctl);
+ return;
+ }
+
+
if (control == UAC_FU_VOLUME) {
check_mapped_dB(map, cval);
if (cval->dBmin < cval->dBmax || !cval->initialized) {
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 082/245] perf test: Fix test trace+probe_vfs_getname.sh on s390
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (80 preceding siblings ...)
2020-09-29 10:58 ` [PATCH 4.19 081/245] ALSA: usb-audio: Dont create a mixer element with bogus volume range Greg Kroah-Hartman
@ 2020-09-29 10:58 ` Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 083/245] RDMA/rxe: Fix configuration of atomic queue pair attributes Greg Kroah-Hartman
` (165 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:58 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Thomas Richter, Masami Hiramatsu,
Arnaldo Carvalho de Melo, Heiko Carstens, Sumanth Korikkar,
Vasily Gorbik, Sasha Levin
From: Thomas Richter <tmricht@linux.ibm.com>
[ Upstream commit 2bbc83537614517730e9f2811195004b712de207 ]
This test places a kprobe to function getname_flags() in the kernel
which has the following prototype:
struct filename *getname_flags(const char __user *filename, int flags, int *empty)
The 'filename' argument points to a filename located in user space memory.
Looking at commit 88903c464321c ("tracing/probe: Add ustring type for
user-space string") the kprobe should indicate that user space memory is
accessed.
Output before:
[root@m35lp76 perf]# ./perf test 66 67
66: Use vfs_getname probe to get syscall args filenames : FAILED!
67: Check open filename arg using perf trace + vfs_getname: FAILED!
[root@m35lp76 perf]#
Output after:
[root@m35lp76 perf]# ./perf test 66 67
66: Use vfs_getname probe to get syscall args filenames : Ok
67: Check open filename arg using perf trace + vfs_getname: Ok
[root@m35lp76 perf]#
Comments from Masami Hiramatsu:
This bug doesn't happen on x86 or other archs on which user address
space and kernel address space is the same. On some arches (ppc64 in
this case?) user address space is partially or completely the same as
kernel address space.
(Yes, they switch the world when running into the kernel) In this case,
we need to use different data access functions for each space.
That is why I introduced the "ustring" type for kprobe events.
As far as I can see, Thomas's patch is sane. Thomas, could you show us
your result on your test environment?
Comments from Thomas Richter:
Test results for s/390 included above.
Signed-off-by: Thomas Richter <tmricht@linux.ibm.com>
Acked-by: Masami Hiramatsu <mhiramat@kernel.org>
Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
Cc: Sumanth Korikkar <sumanthk@linux.ibm.com>
Cc: Vasily Gorbik <gor@linux.ibm.com>
Link: http://lore.kernel.org/lkml/20200217102111.61137-1-tmricht@linux.ibm.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/tests/shell/lib/probe_vfs_getname.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/perf/tests/shell/lib/probe_vfs_getname.sh b/tools/perf/tests/shell/lib/probe_vfs_getname.sh
index 7cb99b433888b..c2cc42daf9242 100644
--- a/tools/perf/tests/shell/lib/probe_vfs_getname.sh
+++ b/tools/perf/tests/shell/lib/probe_vfs_getname.sh
@@ -14,7 +14,7 @@ add_probe_vfs_getname() {
if [ $had_vfs_getname -eq 1 ] ; then
line=$(perf probe -L getname_flags 2>&1 | egrep 'result.*=.*filename;' | sed -r 's/[[:space:]]+([[:digit:]]+)[[:space:]]+result->uptr.*/\1/')
perf probe -q "vfs_getname=getname_flags:${line} pathname=result->name:string" || \
- perf probe $verbose "vfs_getname=getname_flags:${line} pathname=filename:string"
+ perf probe $verbose "vfs_getname=getname_flags:${line} pathname=filename:ustring"
fi
}
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 083/245] RDMA/rxe: Fix configuration of atomic queue pair attributes
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (81 preceding siblings ...)
2020-09-29 10:58 ` [PATCH 4.19 082/245] perf test: Fix test trace+probe_vfs_getname.sh on s390 Greg Kroah-Hartman
@ 2020-09-29 10:58 ` Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 084/245] KVM: x86: fix incorrect comparison in trace event Greg Kroah-Hartman
` (164 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:58 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Bart Van Assche, Leon Romanovsky,
Jason Gunthorpe, Sasha Levin
From: Bart Van Assche <bvanassche@acm.org>
[ Upstream commit fb3063d31995cc4cf1d47a406bb61d6fb1b1d58d ]
>From the comment above the definition of the roundup_pow_of_two() macro:
The result is undefined when n == 0.
Hence only pass positive values to roundup_pow_of_two(). This patch fixes
the following UBSAN complaint:
UBSAN: Undefined behaviour in ./include/linux/log2.h:57:13
shift exponent 64 is too large for 64-bit type 'long unsigned int'
Call Trace:
dump_stack+0xa5/0xe6
ubsan_epilogue+0x9/0x26
__ubsan_handle_shift_out_of_bounds.cold+0x4c/0xf9
rxe_qp_from_attr.cold+0x37/0x5d [rdma_rxe]
rxe_modify_qp+0x59/0x70 [rdma_rxe]
_ib_modify_qp+0x5aa/0x7c0 [ib_core]
ib_modify_qp+0x3b/0x50 [ib_core]
cma_modify_qp_rtr+0x234/0x260 [rdma_cm]
__rdma_accept+0x1a7/0x650 [rdma_cm]
nvmet_rdma_cm_handler+0x1286/0x14cd [nvmet_rdma]
cma_cm_event_handler+0x6b/0x330 [rdma_cm]
cma_ib_req_handler+0xe60/0x22d0 [rdma_cm]
cm_process_work+0x30/0x140 [ib_cm]
cm_req_handler+0x11f4/0x1cd0 [ib_cm]
cm_work_handler+0xb8/0x344e [ib_cm]
process_one_work+0x569/0xb60
worker_thread+0x7a/0x5d0
kthread+0x1e6/0x210
ret_from_fork+0x24/0x30
Link: https://lore.kernel.org/r/20200217205714.26937-1-bvanassche@acm.org
Fixes: 8700e3e7c485 ("Soft RoCE driver")
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/sw/rxe/rxe_qp.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/infiniband/sw/rxe/rxe_qp.c b/drivers/infiniband/sw/rxe/rxe_qp.c
index 230697fa31fe3..8a22ab8b29e9b 100644
--- a/drivers/infiniband/sw/rxe/rxe_qp.c
+++ b/drivers/infiniband/sw/rxe/rxe_qp.c
@@ -583,15 +583,16 @@ int rxe_qp_from_attr(struct rxe_qp *qp, struct ib_qp_attr *attr, int mask,
int err;
if (mask & IB_QP_MAX_QP_RD_ATOMIC) {
- int max_rd_atomic = __roundup_pow_of_two(attr->max_rd_atomic);
+ int max_rd_atomic = attr->max_rd_atomic ?
+ roundup_pow_of_two(attr->max_rd_atomic) : 0;
qp->attr.max_rd_atomic = max_rd_atomic;
atomic_set(&qp->req.rd_atomic, max_rd_atomic);
}
if (mask & IB_QP_MAX_DEST_RD_ATOMIC) {
- int max_dest_rd_atomic =
- __roundup_pow_of_two(attr->max_dest_rd_atomic);
+ int max_dest_rd_atomic = attr->max_dest_rd_atomic ?
+ roundup_pow_of_two(attr->max_dest_rd_atomic) : 0;
qp->attr.max_dest_rd_atomic = max_dest_rd_atomic;
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 084/245] KVM: x86: fix incorrect comparison in trace event
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (82 preceding siblings ...)
2020-09-29 10:58 ` [PATCH 4.19 083/245] RDMA/rxe: Fix configuration of atomic queue pair attributes Greg Kroah-Hartman
@ 2020-09-29 10:58 ` Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 085/245] dmaengine: stm32-mdma: use vchan_terminate_vdesc() in .terminate_all Greg Kroah-Hartman
` (163 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:58 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Paolo Bonzini, Sasha Levin
From: Paolo Bonzini <pbonzini@redhat.com>
[ Upstream commit 147f1a1fe5d7e6b01b8df4d0cbd6f9eaf6b6c73b ]
The "u" field in the event has three states, -1/0/1. Using u8 however means that
comparison with -1 will always fail, so change to signed char.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kvm/mmutrace.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/x86/kvm/mmutrace.h b/arch/x86/kvm/mmutrace.h
index cb41b036eb264..7e0dc8c7da2c0 100644
--- a/arch/x86/kvm/mmutrace.h
+++ b/arch/x86/kvm/mmutrace.h
@@ -339,7 +339,7 @@ TRACE_EVENT(
/* These depend on page entry type, so compute them now. */
__field(bool, r)
__field(bool, x)
- __field(u8, u)
+ __field(signed char, u)
),
TP_fast_assign(
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 085/245] dmaengine: stm32-mdma: use vchan_terminate_vdesc() in .terminate_all
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (83 preceding siblings ...)
2020-09-29 10:58 ` [PATCH 4.19 084/245] KVM: x86: fix incorrect comparison in trace event Greg Kroah-Hartman
@ 2020-09-29 10:58 ` Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 086/245] media: staging/imx: Missing assignment in imx_media_capture_device_register() Greg Kroah-Hartman
` (162 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:58 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Amelie Delaunay, Vinod Koul, Sasha Levin
From: Amelie Delaunay <amelie.delaunay@st.com>
[ Upstream commit dfc708812a2acfc0ca56f56233b3c3e7b0d4ffe7 ]
To avoid race with vchan_complete, use the race free way to terminate
running transfer.
Move vdesc->node list_del in stm32_mdma_start_transfer instead of in
stm32_mdma_xfer_end to avoid another race in vchan_dma_desc_free_list.
Signed-off-by: Amelie Delaunay <amelie.delaunay@st.com>
Link: https://lore.kernel.org/r/20200127085334.13163-7-amelie.delaunay@st.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/dma/stm32-mdma.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/dma/stm32-mdma.c b/drivers/dma/stm32-mdma.c
index 8c3c3e5b812a8..9c6867916e890 100644
--- a/drivers/dma/stm32-mdma.c
+++ b/drivers/dma/stm32-mdma.c
@@ -1137,6 +1137,8 @@ static void stm32_mdma_start_transfer(struct stm32_mdma_chan *chan)
return;
}
+ list_del(&vdesc->node);
+
chan->desc = to_stm32_mdma_desc(vdesc);
hwdesc = chan->desc->node[0].hwdesc;
chan->curr_hwdesc = 0;
@@ -1252,8 +1254,10 @@ static int stm32_mdma_terminate_all(struct dma_chan *c)
LIST_HEAD(head);
spin_lock_irqsave(&chan->vchan.lock, flags);
- if (chan->busy) {
- stm32_mdma_stop(chan);
+ if (chan->desc) {
+ vchan_terminate_vdesc(&chan->desc->vdesc);
+ if (chan->busy)
+ stm32_mdma_stop(chan);
chan->desc = NULL;
}
vchan_get_all_descriptors(&chan->vchan, &head);
@@ -1341,7 +1345,6 @@ static enum dma_status stm32_mdma_tx_status(struct dma_chan *c,
static void stm32_mdma_xfer_end(struct stm32_mdma_chan *chan)
{
- list_del(&chan->desc->vdesc.node);
vchan_cookie_complete(&chan->desc->vdesc);
chan->desc = NULL;
chan->busy = false;
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 086/245] media: staging/imx: Missing assignment in imx_media_capture_device_register()
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (84 preceding siblings ...)
2020-09-29 10:58 ` [PATCH 4.19 085/245] dmaengine: stm32-mdma: use vchan_terminate_vdesc() in .terminate_all Greg Kroah-Hartman
@ 2020-09-29 10:58 ` Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 087/245] x86/pkeys: Add check for pkey "overflow" Greg Kroah-Hartman
` (161 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:58 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Steve Longerbeam,
Hans Verkuil, Mauro Carvalho Chehab, Sasha Levin
From: Dan Carpenter <dan.carpenter@oracle.com>
[ Upstream commit ef0ed05dcef8a74178a8b480cce23a377b1de2b8 ]
There was supposed to be a "ret = " assignment here, otherwise the
error handling on the next line won't work.
Fixes: 64b5a49df486 ("[media] media: imx: Add Capture Device Interface")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Steve Longerbeam <slongerbeam@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/staging/media/imx/imx-media-capture.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/staging/media/imx/imx-media-capture.c b/drivers/staging/media/imx/imx-media-capture.c
index 256039ce561e6..81a3370551dbc 100644
--- a/drivers/staging/media/imx/imx-media-capture.c
+++ b/drivers/staging/media/imx/imx-media-capture.c
@@ -678,7 +678,7 @@ int imx_media_capture_device_register(struct imx_media_video_dev *vdev)
/* setup default format */
fmt_src.pad = priv->src_sd_pad;
fmt_src.which = V4L2_SUBDEV_FORMAT_ACTIVE;
- v4l2_subdev_call(sd, pad, get_fmt, NULL, &fmt_src);
+ ret = v4l2_subdev_call(sd, pad, get_fmt, NULL, &fmt_src);
if (ret) {
v4l2_err(sd, "failed to get src_sd format\n");
goto unreg;
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 087/245] x86/pkeys: Add check for pkey "overflow"
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (85 preceding siblings ...)
2020-09-29 10:58 ` [PATCH 4.19 086/245] media: staging/imx: Missing assignment in imx_media_capture_device_register() Greg Kroah-Hartman
@ 2020-09-29 10:58 ` Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 088/245] bpf: Remove recursion prevention from rcu free callback Greg Kroah-Hartman
` (160 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:58 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Alex Shi, Dave Hansen,
Borislav Petkov, Sasha Levin
From: Dave Hansen <dave.hansen@linux.intel.com>
[ Upstream commit 16171bffc829272d5e6014bad48f680cb50943d9 ]
Alex Shi reported the pkey macros above arch_set_user_pkey_access()
to be unused. They are unused, and even refer to a nonexistent
CONFIG option.
But, they might have served a good use, which was to ensure that
the code does not try to set values that would not fit in the
PKRU register. As it stands, a too-large 'pkey' value would
be likely to silently overflow the u32 new_pkru_bits.
Add a check to look for overflows. Also add a comment to remind
any future developer to closely examine the types used to store
pkey values if arch_max_pkey() ever changes.
This boots and passes the x86 pkey selftests.
Reported-by: Alex Shi <alex.shi@linux.alibaba.com>
Signed-off-by: Dave Hansen <dave.hansen@intel.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Link: https://lkml.kernel.org/r/20200122165346.AD4DA150@viggo.jf.intel.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/include/asm/pkeys.h | 5 +++++
arch/x86/kernel/fpu/xstate.c | 9 +++++++--
2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/arch/x86/include/asm/pkeys.h b/arch/x86/include/asm/pkeys.h
index 19b137f1b3beb..2ff9b98812b76 100644
--- a/arch/x86/include/asm/pkeys.h
+++ b/arch/x86/include/asm/pkeys.h
@@ -4,6 +4,11 @@
#define ARCH_DEFAULT_PKEY 0
+/*
+ * If more than 16 keys are ever supported, a thorough audit
+ * will be necessary to ensure that the types that store key
+ * numbers and masks have sufficient capacity.
+ */
#define arch_max_pkey() (boot_cpu_has(X86_FEATURE_OSPKE) ? 16 : 1)
extern int arch_set_user_pkey_access(struct task_struct *tsk, int pkey,
diff --git a/arch/x86/kernel/fpu/xstate.c b/arch/x86/kernel/fpu/xstate.c
index 4b900035f2202..601a5da1d196a 100644
--- a/arch/x86/kernel/fpu/xstate.c
+++ b/arch/x86/kernel/fpu/xstate.c
@@ -907,8 +907,6 @@ const void *get_xsave_field_ptr(int xsave_state)
#ifdef CONFIG_ARCH_HAS_PKEYS
-#define NR_VALID_PKRU_BITS (CONFIG_NR_PROTECTION_KEYS * 2)
-#define PKRU_VALID_MASK (NR_VALID_PKRU_BITS - 1)
/*
* This will go out and modify PKRU register to set the access
* rights for @pkey to @init_val.
@@ -927,6 +925,13 @@ int arch_set_user_pkey_access(struct task_struct *tsk, int pkey,
if (!boot_cpu_has(X86_FEATURE_OSPKE))
return -EINVAL;
+ /*
+ * This code should only be called with valid 'pkey'
+ * values originating from in-kernel users. Complain
+ * if a bad value is observed.
+ */
+ WARN_ON_ONCE(pkey >= arch_max_pkey());
+
/* Set the bits we need in PKRU: */
if (init_val & PKEY_DISABLE_ACCESS)
new_pkru_bits |= PKRU_AD_BIT;
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 088/245] bpf: Remove recursion prevention from rcu free callback
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (86 preceding siblings ...)
2020-09-29 10:58 ` [PATCH 4.19 087/245] x86/pkeys: Add check for pkey "overflow" Greg Kroah-Hartman
@ 2020-09-29 10:58 ` Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 089/245] dmaengine: stm32-dma: use vchan_terminate_vdesc() in .terminate_all Greg Kroah-Hartman
` (159 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:58 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Thomas Gleixner, Alexei Starovoitov,
Sasha Levin
From: Thomas Gleixner <tglx@linutronix.de>
[ Upstream commit 8a37963c7ac9ecb7f86f8ebda020e3f8d6d7b8a0 ]
If an element is freed via RCU then recursion into BPF instrumentation
functions is not a concern. The element is already detached from the map
and the RCU callback does not hold any locks on which a kprobe, perf event
or tracepoint attached BPF program could deadlock.
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Link: https://lore.kernel.org/bpf/20200224145643.259118710@linutronix.de
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/hashtab.c | 8 --------
1 file changed, 8 deletions(-)
diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c
index 1b28fb006763a..3f3ed33bd2fdc 100644
--- a/kernel/bpf/hashtab.c
+++ b/kernel/bpf/hashtab.c
@@ -667,15 +667,7 @@ static void htab_elem_free_rcu(struct rcu_head *head)
struct htab_elem *l = container_of(head, struct htab_elem, rcu);
struct bpf_htab *htab = l->htab;
- /* must increment bpf_prog_active to avoid kprobe+bpf triggering while
- * we're calling kfree, otherwise deadlock is possible if kprobes
- * are placed somewhere inside of slub
- */
- preempt_disable();
- __this_cpu_inc(bpf_prog_active);
htab_elem_free(htab, l);
- __this_cpu_dec(bpf_prog_active);
- preempt_enable();
}
static void htab_put_fd_value(struct bpf_htab *htab, struct htab_elem *l)
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 089/245] dmaengine: stm32-dma: use vchan_terminate_vdesc() in .terminate_all
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (87 preceding siblings ...)
2020-09-29 10:58 ` [PATCH 4.19 088/245] bpf: Remove recursion prevention from rcu free callback Greg Kroah-Hartman
@ 2020-09-29 10:59 ` Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 090/245] dmaengine: tegra-apb: Prevent race conditions on channels freeing Greg Kroah-Hartman
` (158 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:59 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Amelie Delaunay, Vinod Koul, Sasha Levin
From: Amelie Delaunay <amelie.delaunay@st.com>
[ Upstream commit d80cbef35bf89b763f06e03bb4ff8f933bf012c5 ]
To avoid race with vchan_complete, use the race free way to terminate
running transfer.
Move vdesc->node list_del in stm32_dma_start_transfer instead of in
stm32_mdma_chan_complete to avoid another race in vchan_dma_desc_free_list.
Signed-off-by: Amelie Delaunay <amelie.delaunay@st.com>
Link: https://lore.kernel.org/r/20200129153628.29329-9-amelie.delaunay@st.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/dma/stm32-dma.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/dma/stm32-dma.c b/drivers/dma/stm32-dma.c
index 4903a408fc146..ac7af440f8658 100644
--- a/drivers/dma/stm32-dma.c
+++ b/drivers/dma/stm32-dma.c
@@ -494,8 +494,10 @@ static int stm32_dma_terminate_all(struct dma_chan *c)
spin_lock_irqsave(&chan->vchan.lock, flags);
- if (chan->busy) {
- stm32_dma_stop(chan);
+ if (chan->desc) {
+ vchan_terminate_vdesc(&chan->desc->vdesc);
+ if (chan->busy)
+ stm32_dma_stop(chan);
chan->desc = NULL;
}
@@ -551,6 +553,8 @@ static void stm32_dma_start_transfer(struct stm32_dma_chan *chan)
if (!vdesc)
return;
+ list_del(&vdesc->node);
+
chan->desc = to_stm32_dma_desc(vdesc);
chan->next_sg = 0;
}
@@ -628,7 +632,6 @@ static void stm32_dma_handle_chan_done(struct stm32_dma_chan *chan)
} else {
chan->busy = false;
if (chan->next_sg == chan->desc->num_sgs) {
- list_del(&chan->desc->vdesc.node);
vchan_cookie_complete(&chan->desc->vdesc);
chan->desc = NULL;
}
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 090/245] dmaengine: tegra-apb: Prevent race conditions on channels freeing
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (88 preceding siblings ...)
2020-09-29 10:59 ` [PATCH 4.19 089/245] dmaengine: stm32-dma: use vchan_terminate_vdesc() in .terminate_all Greg Kroah-Hartman
@ 2020-09-29 10:59 ` Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 091/245] drm/amd/display: dal_ddc_i2c_payloads_create can fail causing panic Greg Kroah-Hartman
` (157 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:59 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Dmitry Osipenko, Jon Hunter,
Vinod Koul, Sasha Levin
From: Dmitry Osipenko <digetx@gmail.com>
[ Upstream commit 8e84172e372bdca20c305d92d51d33640d2da431 ]
It's incorrect to check the channel's "busy" state without taking a lock.
That shouldn't cause any real troubles, nevertheless it's always better
not to have any race conditions in the code.
Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
Acked-by: Jon Hunter <jonathanh@nvidia.com>
Link: https://lore.kernel.org/r/20200209163356.6439-5-digetx@gmail.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/dma/tegra20-apb-dma.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/dma/tegra20-apb-dma.c b/drivers/dma/tegra20-apb-dma.c
index 15481aeaeecd1..5ccd24a46e381 100644
--- a/drivers/dma/tegra20-apb-dma.c
+++ b/drivers/dma/tegra20-apb-dma.c
@@ -1225,8 +1225,7 @@ static void tegra_dma_free_chan_resources(struct dma_chan *dc)
dev_dbg(tdc2dev(tdc), "Freeing channel %d\n", tdc->id);
- if (tdc->busy)
- tegra_dma_terminate_all(dc);
+ tegra_dma_terminate_all(dc);
spin_lock_irqsave(&tdc->lock, flags);
list_splice_init(&tdc->pending_sg_req, &sg_req_list);
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 091/245] drm/amd/display: dal_ddc_i2c_payloads_create can fail causing panic
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (89 preceding siblings ...)
2020-09-29 10:59 ` [PATCH 4.19 090/245] dmaengine: tegra-apb: Prevent race conditions on channels freeing Greg Kroah-Hartman
@ 2020-09-29 10:59 ` Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 092/245] firmware: arm_sdei: Use cpus_read_lock() to avoid races with cpuhp Greg Kroah-Hartman
` (156 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:59 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Aric Cyr, Joshua Aberback,
Rodrigo Siqueira, Harry Wentland, Alex Deucher, Sasha Levin
From: Aric Cyr <aric.cyr@amd.com>
[ Upstream commit 6a6c4a4d459ecacc9013c45dcbf2bc9747fdbdbd ]
[Why]
Since the i2c payload allocation can fail need to check return codes
[How]
Clean up i2c payload allocations and check for errors
Signed-off-by: Aric Cyr <aric.cyr@amd.com>
Reviewed-by: Joshua Aberback <Joshua.Aberback@amd.com>
Acked-by: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
Acked-by: Harry Wentland <harry.wentland@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../gpu/drm/amd/display/dc/core/dc_link_ddc.c | 52 +++++++++----------
1 file changed, 25 insertions(+), 27 deletions(-)
diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_link_ddc.c b/drivers/gpu/drm/amd/display/dc/core/dc_link_ddc.c
index 46c9cb47a96e5..145af3bb2dfcb 100644
--- a/drivers/gpu/drm/amd/display/dc/core/dc_link_ddc.c
+++ b/drivers/gpu/drm/amd/display/dc/core/dc_link_ddc.c
@@ -127,22 +127,16 @@ struct aux_payloads {
struct vector payloads;
};
-static struct i2c_payloads *dal_ddc_i2c_payloads_create(struct dc_context *ctx, uint32_t count)
+static bool dal_ddc_i2c_payloads_create(
+ struct dc_context *ctx,
+ struct i2c_payloads *payloads,
+ uint32_t count)
{
- struct i2c_payloads *payloads;
-
- payloads = kzalloc(sizeof(struct i2c_payloads), GFP_KERNEL);
-
- if (!payloads)
- return NULL;
-
if (dal_vector_construct(
&payloads->payloads, ctx, count, sizeof(struct i2c_payload)))
- return payloads;
-
- kfree(payloads);
- return NULL;
+ return true;
+ return false;
}
static struct i2c_payload *dal_ddc_i2c_payloads_get(struct i2c_payloads *p)
@@ -155,14 +149,12 @@ static uint32_t dal_ddc_i2c_payloads_get_count(struct i2c_payloads *p)
return p->payloads.count;
}
-static void dal_ddc_i2c_payloads_destroy(struct i2c_payloads **p)
+static void dal_ddc_i2c_payloads_destroy(struct i2c_payloads *p)
{
- if (!p || !*p)
+ if (!p)
return;
- dal_vector_destruct(&(*p)->payloads);
- kfree(*p);
- *p = NULL;
+ dal_vector_destruct(&p->payloads);
}
static struct aux_payloads *dal_ddc_aux_payloads_create(struct dc_context *ctx, uint32_t count)
@@ -580,9 +572,13 @@ bool dal_ddc_service_query_ddc_data(
uint32_t payloads_num = write_payloads + read_payloads;
+
if (write_size > EDID_SEGMENT_SIZE || read_size > EDID_SEGMENT_SIZE)
return false;
+ if (!payloads_num)
+ return false;
+
/*TODO: len of payload data for i2c and aux is uint8!!!!,
* but we want to read 256 over i2c!!!!*/
if (dal_ddc_service_is_in_aux_transaction_mode(ddc)) {
@@ -613,23 +609,25 @@ bool dal_ddc_service_query_ddc_data(
dal_ddc_aux_payloads_destroy(&payloads);
} else {
- struct i2c_payloads *payloads =
- dal_ddc_i2c_payloads_create(ddc->ctx, payloads_num);
+ struct i2c_command command = {0};
+ struct i2c_payloads payloads;
- struct i2c_command command = {
- .payloads = dal_ddc_i2c_payloads_get(payloads),
- .number_of_payloads = 0,
- .engine = DDC_I2C_COMMAND_ENGINE,
- .speed = ddc->ctx->dc->caps.i2c_speed_in_khz };
+ if (!dal_ddc_i2c_payloads_create(ddc->ctx, &payloads, payloads_num))
+ return false;
+
+ command.payloads = dal_ddc_i2c_payloads_get(&payloads);
+ command.number_of_payloads = 0;
+ command.engine = DDC_I2C_COMMAND_ENGINE;
+ command.speed = ddc->ctx->dc->caps.i2c_speed_in_khz;
dal_ddc_i2c_payloads_add(
- payloads, address, write_size, write_buf, true);
+ &payloads, address, write_size, write_buf, true);
dal_ddc_i2c_payloads_add(
- payloads, address, read_size, read_buf, false);
+ &payloads, address, read_size, read_buf, false);
command.number_of_payloads =
- dal_ddc_i2c_payloads_get_count(payloads);
+ dal_ddc_i2c_payloads_get_count(&payloads);
ret = dm_helpers_submit_i2c(
ddc->ctx,
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 092/245] firmware: arm_sdei: Use cpus_read_lock() to avoid races with cpuhp
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (90 preceding siblings ...)
2020-09-29 10:59 ` [PATCH 4.19 091/245] drm/amd/display: dal_ddc_i2c_payloads_create can fail causing panic Greg Kroah-Hartman
@ 2020-09-29 10:59 ` Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 093/245] random: fix data races at timer_rand_state Greg Kroah-Hartman
` (155 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:59 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, James Morse, Catalin Marinas, Sasha Levin
From: James Morse <james.morse@arm.com>
[ Upstream commit 54f529a6806c9710947a4f2cdc15d6ea54121ccd ]
SDEI has private events that need registering and enabling on each CPU.
CPUs can come and go while we are trying to do this. SDEI tries to avoid
these problems by setting the reregister flag before the register call,
so any CPUs that come online register the event too. Sticking plaster
like this doesn't work, as if the register call fails, a CPU that
subsequently comes online will register the event before reregister
is cleared.
Take cpus_read_lock() around the register and enable calls. We don't
want surprise CPUs to do the wrong thing if they race with these calls
failing.
Signed-off-by: James Morse <james.morse@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/firmware/arm_sdei.c | 26 ++++++++++++++------------
1 file changed, 14 insertions(+), 12 deletions(-)
diff --git a/drivers/firmware/arm_sdei.c b/drivers/firmware/arm_sdei.c
index 05b528c7ed8fd..e809f4d9a9e93 100644
--- a/drivers/firmware/arm_sdei.c
+++ b/drivers/firmware/arm_sdei.c
@@ -410,14 +410,19 @@ int sdei_event_enable(u32 event_num)
return -ENOENT;
}
- spin_lock(&sdei_list_lock);
- event->reenable = true;
- spin_unlock(&sdei_list_lock);
+ cpus_read_lock();
if (event->type == SDEI_EVENT_TYPE_SHARED)
err = sdei_api_event_enable(event->event_num);
else
err = sdei_do_cross_call(_local_event_enable, event);
+
+ if (!err) {
+ spin_lock(&sdei_list_lock);
+ event->reenable = true;
+ spin_unlock(&sdei_list_lock);
+ }
+ cpus_read_unlock();
mutex_unlock(&sdei_events_lock);
return err;
@@ -619,21 +624,18 @@ int sdei_event_register(u32 event_num, sdei_event_callback *cb, void *arg)
break;
}
- spin_lock(&sdei_list_lock);
- event->reregister = true;
- spin_unlock(&sdei_list_lock);
-
+ cpus_read_lock();
err = _sdei_event_register(event);
if (err) {
- spin_lock(&sdei_list_lock);
- event->reregister = false;
- event->reenable = false;
- spin_unlock(&sdei_list_lock);
-
sdei_event_destroy(event);
pr_warn("Failed to register event %u: %d\n", event_num,
err);
+ } else {
+ spin_lock(&sdei_list_lock);
+ event->reregister = true;
+ spin_unlock(&sdei_list_lock);
}
+ cpus_read_unlock();
} while (0);
mutex_unlock(&sdei_events_lock);
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 093/245] random: fix data races at timer_rand_state
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (91 preceding siblings ...)
2020-09-29 10:59 ` [PATCH 4.19 092/245] firmware: arm_sdei: Use cpus_read_lock() to avoid races with cpuhp Greg Kroah-Hartman
@ 2020-09-29 10:59 ` Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 094/245] bus: hisi_lpc: Fixup IO ports addresses to avoid use-after-free in host removal Greg Kroah-Hartman
` (154 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:59 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Qian Cai, Theodore Tso, Sasha Levin
From: Qian Cai <cai@lca.pw>
[ Upstream commit e00d996a4317aff5351c4338dd97d390225412c2 ]
Fields in "struct timer_rand_state" could be accessed concurrently.
Lockless plain reads and writes result in data races. Fix them by adding
pairs of READ|WRITE_ONCE(). The data races were reported by KCSAN,
BUG: KCSAN: data-race in add_timer_randomness / add_timer_randomness
write to 0xffff9f320a0a01d0 of 8 bytes by interrupt on cpu 22:
add_timer_randomness+0x100/0x190
add_timer_randomness at drivers/char/random.c:1152
add_disk_randomness+0x85/0x280
scsi_end_request+0x43a/0x4a0
scsi_io_completion+0xb7/0x7e0
scsi_finish_command+0x1ed/0x2a0
scsi_softirq_done+0x1c9/0x1d0
blk_done_softirq+0x181/0x1d0
__do_softirq+0xd9/0x57c
irq_exit+0xa2/0xc0
do_IRQ+0x8b/0x190
ret_from_intr+0x0/0x42
cpuidle_enter_state+0x15e/0x980
cpuidle_enter+0x69/0xc0
call_cpuidle+0x23/0x40
do_idle+0x248/0x280
cpu_startup_entry+0x1d/0x1f
start_secondary+0x1b2/0x230
secondary_startup_64+0xb6/0xc0
no locks held by swapper/22/0.
irq event stamp: 32871382
_raw_spin_unlock_irqrestore+0x53/0x60
_raw_spin_lock_irqsave+0x21/0x60
_local_bh_enable+0x21/0x30
irq_exit+0xa2/0xc0
read to 0xffff9f320a0a01d0 of 8 bytes by interrupt on cpu 2:
add_timer_randomness+0xe8/0x190
add_disk_randomness+0x85/0x280
scsi_end_request+0x43a/0x4a0
scsi_io_completion+0xb7/0x7e0
scsi_finish_command+0x1ed/0x2a0
scsi_softirq_done+0x1c9/0x1d0
blk_done_softirq+0x181/0x1d0
__do_softirq+0xd9/0x57c
irq_exit+0xa2/0xc0
do_IRQ+0x8b/0x190
ret_from_intr+0x0/0x42
cpuidle_enter_state+0x15e/0x980
cpuidle_enter+0x69/0xc0
call_cpuidle+0x23/0x40
do_idle+0x248/0x280
cpu_startup_entry+0x1d/0x1f
start_secondary+0x1b2/0x230
secondary_startup_64+0xb6/0xc0
no locks held by swapper/2/0.
irq event stamp: 37846304
_raw_spin_unlock_irqrestore+0x53/0x60
_raw_spin_lock_irqsave+0x21/0x60
_local_bh_enable+0x21/0x30
irq_exit+0xa2/0xc0
Reported by Kernel Concurrency Sanitizer on:
Hardware name: HP ProLiant BL660c Gen9, BIOS I38 10/17/2018
Link: https://lore.kernel.org/r/1582648024-13111-1-git-send-email-cai@lca.pw
Signed-off-by: Qian Cai <cai@lca.pw>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/char/random.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/drivers/char/random.c b/drivers/char/random.c
index 6a5d4dfafc474..80dedecfe15c5 100644
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -1150,14 +1150,14 @@ static void add_timer_randomness(struct timer_rand_state *state, unsigned num)
* We take into account the first, second and third-order deltas
* in order to make our estimate.
*/
- delta = sample.jiffies - state->last_time;
- state->last_time = sample.jiffies;
+ delta = sample.jiffies - READ_ONCE(state->last_time);
+ WRITE_ONCE(state->last_time, sample.jiffies);
- delta2 = delta - state->last_delta;
- state->last_delta = delta;
+ delta2 = delta - READ_ONCE(state->last_delta);
+ WRITE_ONCE(state->last_delta, delta);
- delta3 = delta2 - state->last_delta2;
- state->last_delta2 = delta2;
+ delta3 = delta2 - READ_ONCE(state->last_delta2);
+ WRITE_ONCE(state->last_delta2, delta2);
if (delta < 0)
delta = -delta;
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 094/245] bus: hisi_lpc: Fixup IO ports addresses to avoid use-after-free in host removal
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (92 preceding siblings ...)
2020-09-29 10:59 ` [PATCH 4.19 093/245] random: fix data races at timer_rand_state Greg Kroah-Hartman
@ 2020-09-29 10:59 ` Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 095/245] media: go7007: Fix URB type for interrupt handling Greg Kroah-Hartman
` (153 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:59 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, John Garry, Wei Xu, Sasha Levin
From: John Garry <john.garry@huawei.com>
[ Upstream commit a6dd255bdd7d00bbdbf78ba00bde9fc64f86c3a7 ]
Some released ACPI FW for Huawei boards describes incorrect the port IO
address range for child devices, in that it tells us the IO port max range
is 0x3fff for each child device, which is not correct. The address range
should be [e4:e8) or similar. With this incorrect upper range, the child
device IO port resources overlap.
As such, the kernel thinks that the LPC host serial device is a child of
the IPMI device:
root@(none)$ more /proc/ioports
[...]
00ffc0e3-00ffffff : hisi-lpc-ipmi.0.auto
00ffc0e3-00ffc0e3 : ipmi_si
00ffc0e4-00ffc0e4 : ipmi_si
00ffc0e5-00ffc0e5 : ipmi_si
00ffc2f7-00ffffff : serial8250.1.auto
00ffc2f7-00ffc2fe : serial
root@(none)$
They should both be siblings. Note that these are logical PIO addresses,
which have a direct mapping from the FW IO port ranges.
This shows up as a real issue when we enable CONFIG_KASAN and
CONFIG_DEBUG_TEST_DRIVER_REMOVE - we see use-after-free warnings in the
host removal path:
==================================================================
BUG: KASAN: use-after-free in release_resource+0x38/0xc8
Read of size 8 at addr ffff0026accdbc38 by task swapper/0/1
CPU: 2 PID: 1 Comm: swapper/0 Not tainted 5.5.0-rc6-00001-g68e186e77b5c-dirty #1593
Hardware name: Huawei Taishan 2180 /D03, BIOS Hisilicon D03 IT20 Nemo 2.0 RC0 03/30/2018
Call trace:
dump_backtrace+0x0/0x290
show_stack+0x14/0x20
dump_stack+0xf0/0x14c
print_address_description.isra.9+0x6c/0x3b8
__kasan_report+0x12c/0x23c
kasan_report+0xc/0x18
__asan_load8+0x94/0xb8
release_resource+0x38/0xc8
platform_device_del.part.10+0x80/0xe0
platform_device_unregister+0x20/0x38
hisi_lpc_acpi_remove_subdev+0x10/0x20
device_for_each_child+0xc8/0x128
hisi_lpc_acpi_remove+0x4c/0xa8
hisi_lpc_remove+0xbc/0xc0
platform_drv_remove+0x3c/0x68
really_probe+0x174/0x548
driver_probe_device+0x7c/0x148
device_driver_attach+0x94/0xa0
__driver_attach+0xa4/0x110
bus_for_each_dev+0xe8/0x158
driver_attach+0x30/0x40
bus_add_driver+0x234/0x2f0
driver_register+0xbc/0x1d0
__platform_driver_register+0x7c/0x88
hisi_lpc_driver_init+0x18/0x20
do_one_initcall+0xb4/0x258
kernel_init_freeable+0x248/0x2c0
kernel_init+0x10/0x118
ret_from_fork+0x10/0x1c
...
The issue here is that the kernel created an incorrect parent-child
resource dependency between two devices, and references the false parent
node when deleting the second child device, when it had been deleted
already.
Fix up the child device resources from FW to create proper IO port
resource relationships for broken FW.
With this, the IO port layout looks more healthy:
root@(none)$ more /proc/ioports
[...]
00ffc0e3-00ffc0e7 : hisi-lpc-ipmi.0.auto
00ffc0e3-00ffc0e3 : ipmi_si
00ffc0e4-00ffc0e4 : ipmi_si
00ffc0e5-00ffc0e5 : ipmi_si
00ffc2f7-00ffc2ff : serial8250.1.auto
00ffc2f7-00ffc2fe : serial
Signed-off-by: John Garry <john.garry@huawei.com>
Signed-off-by: Wei Xu <xuwei5@hisilicon.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bus/hisi_lpc.c | 27 +++++++++++++++++++++++++--
1 file changed, 25 insertions(+), 2 deletions(-)
diff --git a/drivers/bus/hisi_lpc.c b/drivers/bus/hisi_lpc.c
index e31c02dc77709..cbd970fb02f18 100644
--- a/drivers/bus/hisi_lpc.c
+++ b/drivers/bus/hisi_lpc.c
@@ -358,6 +358,26 @@ static int hisi_lpc_acpi_xlat_io_res(struct acpi_device *adev,
return 0;
}
+/*
+ * Released firmware describes the IO port max address as 0x3fff, which is
+ * the max host bus address. Fixup to a proper range. This will probably
+ * never be fixed in firmware.
+ */
+static void hisi_lpc_acpi_fixup_child_resource(struct device *hostdev,
+ struct resource *r)
+{
+ if (r->end != 0x3fff)
+ return;
+
+ if (r->start == 0xe4)
+ r->end = 0xe4 + 0x04 - 1;
+ else if (r->start == 0x2f8)
+ r->end = 0x2f8 + 0x08 - 1;
+ else
+ dev_warn(hostdev, "unrecognised resource %pR to fixup, ignoring\n",
+ r);
+}
+
/*
* hisi_lpc_acpi_set_io_res - set the resources for a child
* @child: the device node to be updated the I/O resource
@@ -419,8 +439,11 @@ static int hisi_lpc_acpi_set_io_res(struct device *child,
return -ENOMEM;
}
count = 0;
- list_for_each_entry(rentry, &resource_list, node)
- resources[count++] = *rentry->res;
+ list_for_each_entry(rentry, &resource_list, node) {
+ resources[count] = *rentry->res;
+ hisi_lpc_acpi_fixup_child_resource(hostdev, &resources[count]);
+ count++;
+ }
acpi_dev_free_resource_list(&resource_list);
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 095/245] media: go7007: Fix URB type for interrupt handling
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (93 preceding siblings ...)
2020-09-29 10:59 ` [PATCH 4.19 094/245] bus: hisi_lpc: Fixup IO ports addresses to avoid use-after-free in host removal Greg Kroah-Hartman
@ 2020-09-29 10:59 ` Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 096/245] Bluetooth: guard against controllers sending zerod events Greg Kroah-Hartman
` (152 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:59 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Takashi Iwai, Hans Verkuil,
Mauro Carvalho Chehab, Sasha Levin, Josef Möllers
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit a3ea410cac41b19a5490aad7fe6d9a9a772e646e ]
Josef reported that his old-and-good Plextor ConvertX M402U video
converter spews lots of WARNINGs on the recent kernels, and it turned
out that the device uses a bulk endpoint for interrupt handling just
like 2250 board.
For fixing it, generalize the check with the proper verification of
the endpoint instead of hard-coded board type check.
Fixes: 7e5219d18e93 ("[media] go7007: Fix 2250 urb type")
Reported-and-tested-by: Josef Möllers <josef.moellers@suse.com>
BugLink: https://bugzilla.suse.com/show_bug.cgi?id=1162583
BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=206427
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/usb/go7007/go7007-usb.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/media/usb/go7007/go7007-usb.c b/drivers/media/usb/go7007/go7007-usb.c
index 19c6a0354ce00..b84a6f6548610 100644
--- a/drivers/media/usb/go7007/go7007-usb.c
+++ b/drivers/media/usb/go7007/go7007-usb.c
@@ -1052,6 +1052,7 @@ static int go7007_usb_probe(struct usb_interface *intf,
struct go7007_usb *usb;
const struct go7007_usb_board *board;
struct usb_device *usbdev = interface_to_usbdev(intf);
+ struct usb_host_endpoint *ep;
unsigned num_i2c_devs;
char *name;
int video_pipe, i, v_urb_len;
@@ -1148,7 +1149,8 @@ static int go7007_usb_probe(struct usb_interface *intf,
if (usb->intr_urb->transfer_buffer == NULL)
goto allocfail;
- if (go->board_id == GO7007_BOARDID_SENSORAY_2250)
+ ep = usb->usbdev->ep_in[4];
+ if (usb_endpoint_type(&ep->desc) == USB_ENDPOINT_XFER_BULK)
usb_fill_bulk_urb(usb->intr_urb, usb->usbdev,
usb_rcvbulkpipe(usb->usbdev, 4),
usb->intr_urb->transfer_buffer, 2*sizeof(u16),
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 096/245] Bluetooth: guard against controllers sending zerod events
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (94 preceding siblings ...)
2020-09-29 10:59 ` [PATCH 4.19 095/245] media: go7007: Fix URB type for interrupt handling Greg Kroah-Hartman
@ 2020-09-29 10:59 ` Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 097/245] timekeeping: Prevent 32bit truncation in scale64_check_overflow() Greg Kroah-Hartman
` (151 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:59 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Alain Michaud, Marcel Holtmann, Sasha Levin
From: Alain Michaud <alainm@chromium.org>
[ Upstream commit 08bb4da90150e2a225f35e0f642cdc463958d696 ]
Some controllers have been observed to send zero'd events under some
conditions. This change guards against this condition as well as adding
a trace to facilitate diagnosability of this condition.
Signed-off-by: Alain Michaud <alainm@chromium.org>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/hci_event.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 2b4a7cf03041b..ec6b3a87b3e7f 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -5738,6 +5738,11 @@ void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
u8 status = 0, event = hdr->evt, req_evt = 0;
u16 opcode = HCI_OP_NOP;
+ if (!event) {
+ bt_dev_warn(hdev, "Received unexpected HCI Event 00000000");
+ goto done;
+ }
+
if (hdev->sent_cmd && bt_cb(hdev->sent_cmd)->hci.req_event == event) {
struct hci_command_hdr *cmd_hdr = (void *) hdev->sent_cmd->data;
opcode = __le16_to_cpu(cmd_hdr->opcode);
@@ -5949,6 +5954,7 @@ void hci_event_packet(struct hci_dev *hdev, struct sk_buff *skb)
req_complete_skb(hdev, status, opcode, orig_skb);
}
+done:
kfree_skb(orig_skb);
kfree_skb(skb);
hdev->stat.evt_rx++;
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 097/245] timekeeping: Prevent 32bit truncation in scale64_check_overflow()
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (95 preceding siblings ...)
2020-09-29 10:59 ` [PATCH 4.19 096/245] Bluetooth: guard against controllers sending zerod events Greg Kroah-Hartman
@ 2020-09-29 10:59 ` Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 098/245] ext4: fix a data race at inode->i_disksize Greg Kroah-Hartman
` (150 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:59 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Wen Yang, Thomas Gleixner, Sasha Levin
From: Wen Yang <wenyang@linux.alibaba.com>
[ Upstream commit 4cbbc3a0eeed675449b1a4d080008927121f3da3 ]
While unlikely the divisor in scale64_check_overflow() could be >= 32bit in
scale64_check_overflow(). do_div() truncates the divisor to 32bit at least
on 32bit platforms.
Use div64_u64() instead to avoid the truncation to 32-bit.
[ tglx: Massaged changelog ]
Signed-off-by: Wen Yang <wenyang@linux.alibaba.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://lkml.kernel.org/r/20200120100523.45656-1-wenyang@linux.alibaba.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/time/timekeeping.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c
index 81ee5b83c9200..c66fd11d94bc4 100644
--- a/kernel/time/timekeeping.c
+++ b/kernel/time/timekeeping.c
@@ -1004,9 +1004,8 @@ static int scale64_check_overflow(u64 mult, u64 div, u64 *base)
((int)sizeof(u64)*8 - fls64(mult) < fls64(rem)))
return -EOVERFLOW;
tmp *= mult;
- rem *= mult;
- do_div(rem, div);
+ rem = div64_u64(rem * mult, div);
*base = tmp + rem;
return 0;
}
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 098/245] ext4: fix a data race at inode->i_disksize
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (96 preceding siblings ...)
2020-09-29 10:59 ` [PATCH 4.19 097/245] timekeeping: Prevent 32bit truncation in scale64_check_overflow() Greg Kroah-Hartman
@ 2020-09-29 10:59 ` Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 099/245] perf jevents: Fix leak of mapfile memory Greg Kroah-Hartman
` (149 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:59 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Qiujun Huang, Theodore Tso, Sasha Levin
From: Qiujun Huang <hqjagain@gmail.com>
[ Upstream commit dce8e237100f60c28cc66effb526ba65a01d8cb3 ]
KCSAN find inode->i_disksize could be accessed concurrently.
BUG: KCSAN: data-race in ext4_mark_iloc_dirty / ext4_write_end
write (marked) to 0xffff8b8932f40090 of 8 bytes by task 66792 on cpu 0:
ext4_write_end+0x53f/0x5b0
ext4_da_write_end+0x237/0x510
generic_perform_write+0x1c4/0x2a0
ext4_buffered_write_iter+0x13a/0x210
ext4_file_write_iter+0xe2/0x9b0
new_sync_write+0x29c/0x3a0
__vfs_write+0x92/0xa0
vfs_write+0xfc/0x2a0
ksys_write+0xe8/0x140
__x64_sys_write+0x4c/0x60
do_syscall_64+0x8a/0x2a0
entry_SYSCALL_64_after_hwframe+0x44/0xa9
read to 0xffff8b8932f40090 of 8 bytes by task 14414 on cpu 1:
ext4_mark_iloc_dirty+0x716/0x1190
ext4_mark_inode_dirty+0xc9/0x360
ext4_convert_unwritten_extents+0x1bc/0x2a0
ext4_convert_unwritten_io_end_vec+0xc5/0x150
ext4_put_io_end+0x82/0x130
ext4_writepages+0xae7/0x16f0
do_writepages+0x64/0x120
__writeback_single_inode+0x7d/0x650
writeback_sb_inodes+0x3a4/0x860
__writeback_inodes_wb+0xc4/0x150
wb_writeback+0x43f/0x510
wb_workfn+0x3b2/0x8a0
process_one_work+0x39b/0x7e0
worker_thread+0x88/0x650
kthread+0x1d4/0x1f0
ret_from_fork+0x35/0x40
The plain read is outside of inode->i_data_sem critical section
which results in a data race. Fix it by adding READ_ONCE().
Signed-off-by: Qiujun Huang <hqjagain@gmail.com>
Link: https://lore.kernel.org/r/1582556566-3909-1-git-send-email-hqjagain@gmail.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/inode.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
index cd833f4e64ef1..52be4c9650241 100644
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -5315,7 +5315,7 @@ static int ext4_do_update_inode(handle_t *handle,
raw_inode->i_file_acl_high =
cpu_to_le16(ei->i_file_acl >> 32);
raw_inode->i_file_acl_lo = cpu_to_le32(ei->i_file_acl);
- if (ei->i_disksize != ext4_isize(inode->i_sb, raw_inode)) {
+ if (READ_ONCE(ei->i_disksize) != ext4_isize(inode->i_sb, raw_inode)) {
ext4_isize_set(raw_inode, ei->i_disksize);
need_datasync = 1;
}
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 099/245] perf jevents: Fix leak of mapfile memory
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (97 preceding siblings ...)
2020-09-29 10:59 ` [PATCH 4.19 098/245] ext4: fix a data race at inode->i_disksize Greg Kroah-Hartman
@ 2020-09-29 10:59 ` Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 100/245] mm: avoid data corruption on CoW fault into PFN-mapped VMA Greg Kroah-Hartman
` (148 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:59 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Jiri Olsa, John Garry,
Alexander Shishkin, Andi Kleen, James Clark, Joakim Zhang,
Mark Rutland, Namhyung Kim, Peter Zijlstra, Will Deacon,
linuxarm, Arnaldo Carvalho de Melo, Sasha Levin
From: John Garry <john.garry@huawei.com>
[ Upstream commit 3f5777fbaf04c58d940526a22a2e0c813c837936 ]
The memory for global pointer is never freed during normal program
execution, so let's do that in the main function exit as a good
programming practice.
A stray blank line is also removed.
Reported-by: Jiri Olsa <jolsa@redhat.com>
Signed-off-by: John Garry <john.garry@huawei.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Andi Kleen <ak@linux.intel.com>
Cc: James Clark <james.clark@arm.com>
Cc: Joakim Zhang <qiangqing.zhang@nxp.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Will Deacon <will@kernel.org>
Cc: linuxarm@huawei.com
Link: http://lore.kernel.org/lkml/1583406486-154841-2-git-send-email-john.garry@huawei.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/pmu-events/jevents.c | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/tools/perf/pmu-events/jevents.c b/tools/perf/pmu-events/jevents.c
index c17e594041712..6631970f96832 100644
--- a/tools/perf/pmu-events/jevents.c
+++ b/tools/perf/pmu-events/jevents.c
@@ -1064,10 +1064,9 @@ static int process_one_file(const char *fpath, const struct stat *sb,
*/
int main(int argc, char *argv[])
{
- int rc;
+ int rc, ret = 0;
int maxfds;
char ldirname[PATH_MAX];
-
const char *arch;
const char *output_file;
const char *start_dirname;
@@ -1138,7 +1137,8 @@ int main(int argc, char *argv[])
/* Make build fail */
fclose(eventsfp);
free_arch_std_events();
- return 1;
+ ret = 1;
+ goto out_free_mapfile;
} else if (rc) {
goto empty_map;
}
@@ -1156,14 +1156,17 @@ int main(int argc, char *argv[])
/* Make build fail */
fclose(eventsfp);
free_arch_std_events();
- return 1;
+ ret = 1;
}
- return 0;
+
+ goto out_free_mapfile;
empty_map:
fclose(eventsfp);
create_empty_mapping(output_file);
free_arch_std_events();
- return 0;
+out_free_mapfile:
+ free(mapfile);
+ return ret;
}
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 100/245] mm: avoid data corruption on CoW fault into PFN-mapped VMA
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (98 preceding siblings ...)
2020-09-29 10:59 ` [PATCH 4.19 099/245] perf jevents: Fix leak of mapfile memory Greg Kroah-Hartman
@ 2020-09-29 10:59 ` Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 101/245] drm/amdgpu: increase atombios cmd timeout Greg Kroah-Hartman
` (147 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:59 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Jeff Moyer, Andrew Morton,
Kirill A. Shutemov, Justin He, Dan Williams, Linus Torvalds,
Sasha Levin
From: Kirill A. Shutemov <kirill@shutemov.name>
[ Upstream commit c3e5ea6ee574ae5e845a40ac8198de1fb63bb3ab ]
Jeff Moyer has reported that one of xfstests triggers a warning when run
on DAX-enabled filesystem:
WARNING: CPU: 76 PID: 51024 at mm/memory.c:2317 wp_page_copy+0xc40/0xd50
...
wp_page_copy+0x98c/0xd50 (unreliable)
do_wp_page+0xd8/0xad0
__handle_mm_fault+0x748/0x1b90
handle_mm_fault+0x120/0x1f0
__do_page_fault+0x240/0xd70
do_page_fault+0x38/0xd0
handle_page_fault+0x10/0x30
The warning happens on failed __copy_from_user_inatomic() which tries to
copy data into a CoW page.
This happens because of race between MADV_DONTNEED and CoW page fault:
CPU0 CPU1
handle_mm_fault()
do_wp_page()
wp_page_copy()
do_wp_page()
madvise(MADV_DONTNEED)
zap_page_range()
zap_pte_range()
ptep_get_and_clear_full()
<TLB flush>
__copy_from_user_inatomic()
sees empty PTE and fails
WARN_ON_ONCE(1)
clear_page()
The solution is to re-try __copy_from_user_inatomic() under PTL after
checking that PTE is matches the orig_pte.
The second copy attempt can still fail, like due to non-readable PTE, but
there's nothing reasonable we can do about, except clearing the CoW page.
Reported-by: Jeff Moyer <jmoyer@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Tested-by: Jeff Moyer <jmoyer@redhat.com>
Cc: <stable@vger.kernel.org>
Cc: Justin He <Justin.He@arm.com>
Cc: Dan Williams <dan.j.williams@intel.com>
Link: http://lkml.kernel.org/r/20200218154151.13349-1-kirill.shutemov@linux.intel.com
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
mm/memory.c | 35 +++++++++++++++++++++++++++--------
1 file changed, 27 insertions(+), 8 deletions(-)
diff --git a/mm/memory.c b/mm/memory.c
index fcad8a0d943d3..eeae63bd95027 100644
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -2353,7 +2353,7 @@ static inline bool cow_user_page(struct page *dst, struct page *src,
bool ret;
void *kaddr;
void __user *uaddr;
- bool force_mkyoung;
+ bool locked = false;
struct vm_area_struct *vma = vmf->vma;
struct mm_struct *mm = vma->vm_mm;
unsigned long addr = vmf->address;
@@ -2378,11 +2378,11 @@ static inline bool cow_user_page(struct page *dst, struct page *src,
* On architectures with software "accessed" bits, we would
* take a double page fault, so mark it accessed here.
*/
- force_mkyoung = arch_faults_on_old_pte() && !pte_young(vmf->orig_pte);
- if (force_mkyoung) {
+ if (arch_faults_on_old_pte() && !pte_young(vmf->orig_pte)) {
pte_t entry;
vmf->pte = pte_offset_map_lock(mm, vmf->pmd, addr, &vmf->ptl);
+ locked = true;
if (!likely(pte_same(*vmf->pte, vmf->orig_pte))) {
/*
* Other thread has already handled the fault
@@ -2406,18 +2406,37 @@ static inline bool cow_user_page(struct page *dst, struct page *src,
* zeroes.
*/
if (__copy_from_user_inatomic(kaddr, uaddr, PAGE_SIZE)) {
+ if (locked)
+ goto warn;
+
+ /* Re-validate under PTL if the page is still mapped */
+ vmf->pte = pte_offset_map_lock(mm, vmf->pmd, addr, &vmf->ptl);
+ locked = true;
+ if (!likely(pte_same(*vmf->pte, vmf->orig_pte))) {
+ /* The PTE changed under us. Retry page fault. */
+ ret = false;
+ goto pte_unlock;
+ }
+
/*
- * Give a warn in case there can be some obscure
- * use-case
+ * The same page can be mapped back since last copy attampt.
+ * Try to copy again under PTL.
*/
- WARN_ON_ONCE(1);
- clear_page(kaddr);
+ if (__copy_from_user_inatomic(kaddr, uaddr, PAGE_SIZE)) {
+ /*
+ * Give a warn in case there can be some obscure
+ * use-case
+ */
+warn:
+ WARN_ON_ONCE(1);
+ clear_page(kaddr);
+ }
}
ret = true;
pte_unlock:
- if (force_mkyoung)
+ if (locked)
pte_unmap_unlock(vmf->pte, vmf->ptl);
kunmap_atomic(kaddr);
flush_dcache_page(dst);
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 101/245] drm/amdgpu: increase atombios cmd timeout
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (99 preceding siblings ...)
2020-09-29 10:59 ` [PATCH 4.19 100/245] mm: avoid data corruption on CoW fault into PFN-mapped VMA Greg Kroah-Hartman
@ 2020-09-29 10:59 ` Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 102/245] drm/amd/display: Stop if retimer is not available Greg Kroah-Hartman
` (146 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:59 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Hawking Zhang, John Clements,
Alex Deucher, Sasha Levin
From: John Clements <john.clements@amd.com>
[ Upstream commit 1b3460a8b19688ad3033b75237d40fa580a5a953 ]
mitigates race condition on BACO reset between GPU bootcode and driver reload
Reviewed-by: Hawking Zhang <Hawking.Zhang@amd.com>
Signed-off-by: John Clements <john.clements@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/atom.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/atom.c b/drivers/gpu/drm/amd/amdgpu/atom.c
index e9934de1b9cf8..0222bb7ea49b4 100644
--- a/drivers/gpu/drm/amd/amdgpu/atom.c
+++ b/drivers/gpu/drm/amd/amdgpu/atom.c
@@ -742,8 +742,8 @@ static void atom_op_jump(atom_exec_context *ctx, int *ptr, int arg)
cjiffies = jiffies;
if (time_after(cjiffies, ctx->last_jump_jiffies)) {
cjiffies -= ctx->last_jump_jiffies;
- if ((jiffies_to_msecs(cjiffies) > 5000)) {
- DRM_ERROR("atombios stuck in loop for more than 5secs aborting\n");
+ if ((jiffies_to_msecs(cjiffies) > 10000)) {
+ DRM_ERROR("atombios stuck in loop for more than 10secs aborting\n");
ctx->abort = true;
}
} else {
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 102/245] drm/amd/display: Stop if retimer is not available
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (100 preceding siblings ...)
2020-09-29 10:59 ` [PATCH 4.19 101/245] drm/amdgpu: increase atombios cmd timeout Greg Kroah-Hartman
@ 2020-09-29 10:59 ` Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 103/245] ath10k: use kzalloc to read for ath10k_sdio_hif_diag_read Greg Kroah-Hartman
` (145 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:59 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Rodrigo Siqueira, Hersen Wu,
Alex Deucher, Sasha Levin
From: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
[ Upstream commit a0e40018dcc3f59a10ca21d58f8ea8ceb1b035ac ]
Raven provides retimer feature support that requires i2c interaction in
order to make it work well, all settings required for this configuration
are loaded from the Atom bios which include the i2c address. If the
retimer feature is not available, we should abort the attempt to set
this feature, otherwise, it makes the following line return
I2C_CHANNEL_OPERATION_NO_RESPONSE:
i2c_success = i2c_write(pipe_ctx, slave_address, buffer, sizeof(buffer));
...
if (!i2c_success)
ASSERT(i2c_success);
This ends up causing problems with hotplugging HDMI displays on Raven,
and causes retimer settings to warn like so:
WARNING: CPU: 1 PID: 429 at
drivers/gpu/drm/amd/amdgpu/../dal/dc/core/dc_link.c:1998
write_i2c_retimer_setting+0xc2/0x3c0 [amdgpu] Modules linked in:
edac_mce_amd ccp kvm irqbypass binfmt_misc crct10dif_pclmul crc32_pclmul
ghash_clmulni_intel snd_hda_codec_realtek snd_hda_codec_generic
ledtrig_audio snd_hda_codec_hdmi snd_hda_intel amdgpu(+) snd_hda_codec
snd_hda_core snd_hwdep snd_pcm snd_seq_midi snd_seq_midi_event
snd_rawmidi aesni_intel snd_seq amd_iommu_v2 gpu_sched aes_x86_64
crypto_simd cryptd glue_helper snd_seq_device ttm drm_kms_helper
snd_timer eeepc_wmi wmi_bmof asus_wmi sparse_keymap drm mxm_wmi snd
k10temp fb_sys_fops syscopyarea sysfillrect sysimgblt soundcore joydev
input_leds mac_hid sch_fq_codel parport_pc ppdev lp parport ip_tables
x_tables autofs4 igb i2c_algo_bit hid_generic usbhid i2c_piix4 dca ahci
hid libahci video wmi gpio_amdpt gpio_generic CPU: 1 PID: 429 Comm:
systemd-udevd Tainted: G W 5.2.0-rc1sept162019+ #1
Hardware name: System manufacturer System Product Name/ROG STRIX B450-F
GAMING, BIOS 2605 08/06/2019
RIP: 0010:write_i2c_retimer_setting+0xc2/0x3c0 [amdgpu]
Code: ff 0f b6 4d ce 44 0f b6 45 cf 44 0f b6 c8 45 89 cf 44 89 e2 48 c7
c6 f0 34 bc c0 bf 04 00 00 00 e8 63 b0 90 ff 45 84 ff 75 02 <0f> 0b 42
0f b6 04 73 8d 50 f6 80 fa 02 77 8c 3c 0a 0f 85 c8 00 00 RSP:
0018:ffffa99d02726fd0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffffa99d02727035 RCX: 0000000000000006
RDX: 0000000000000000 RSI: 0000000000000002 RDI: ffff976acc857440
RBP: ffffa99d02727018 R08: 0000000000000002 R09: 000000000002a600
R10: ffffe90610193680 R11: 00000000000005e3 R12: 000000000000005d
R13: ffff976ac4b201b8 R14: 0000000000000001 R15: 0000000000000000
FS: 00007f14f99e1680(0000) GS:ffff976acc840000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fdf212843b8 CR3: 0000000408906000 CR4: 00000000003406e0
Call Trace:
core_link_enable_stream+0x626/0x680 [amdgpu]
dce110_apply_ctx_to_hw+0x414/0x4e0 [amdgpu]
dc_commit_state+0x331/0x5e0 [amdgpu]
? drm_calc_timestamping_constants+0xf9/0x150 [drm]
amdgpu_dm_atomic_commit_tail+0x395/0x1e00 [amdgpu]
? dm_plane_helper_prepare_fb+0x20c/0x280 [amdgpu]
commit_tail+0x42/0x70 [drm_kms_helper]
drm_atomic_helper_commit+0x10c/0x120 [drm_kms_helper]
amdgpu_dm_atomic_commit+0x95/0xa0 [amdgpu]
drm_atomic_commit+0x4a/0x50 [drm]
restore_fbdev_mode_atomic+0x1c0/0x1e0 [drm_kms_helper]
restore_fbdev_mode+0x4c/0x160 [drm_kms_helper]
? _cond_resched+0x19/0x40
drm_fb_helper_restore_fbdev_mode_unlocked+0x4e/0xa0 [drm_kms_helper]
drm_fb_helper_set_par+0x2d/0x50 [drm_kms_helper]
fbcon_init+0x471/0x630
visual_init+0xd5/0x130
do_bind_con_driver+0x20a/0x430
do_take_over_console+0x7d/0x1b0
do_fbcon_takeover+0x5c/0xb0
fbcon_event_notify+0x6cd/0x8a0
notifier_call_chain+0x4c/0x70
blocking_notifier_call_chain+0x43/0x60
fb_notifier_call_chain+0x1b/0x20
register_framebuffer+0x254/0x360
__drm_fb_helper_initial_config_and_unlock+0x2c5/0x510 [drm_kms_helper]
drm_fb_helper_initial_config+0x35/0x40 [drm_kms_helper]
amdgpu_fbdev_init+0xcd/0x100 [amdgpu]
amdgpu_device_init+0x1156/0x1930 [amdgpu]
amdgpu_driver_load_kms+0x8d/0x2e0 [amdgpu]
drm_dev_register+0x12b/0x1c0 [drm]
amdgpu_pci_probe+0xd3/0x160 [amdgpu]
local_pci_probe+0x47/0xa0
pci_device_probe+0x142/0x1b0
really_probe+0xf5/0x3d0
driver_probe_device+0x11b/0x130
device_driver_attach+0x58/0x60
__driver_attach+0xa3/0x140
? device_driver_attach+0x60/0x60
? device_driver_attach+0x60/0x60
bus_for_each_dev+0x74/0xb0
? kmem_cache_alloc_trace+0x1a3/0x1c0
driver_attach+0x1e/0x20
bus_add_driver+0x147/0x220
? 0xffffffffc0cb9000
driver_register+0x60/0x100
? 0xffffffffc0cb9000
__pci_register_driver+0x5a/0x60
amdgpu_init+0x74/0x83 [amdgpu]
do_one_initcall+0x4a/0x1fa
? _cond_resched+0x19/0x40
? kmem_cache_alloc_trace+0x3f/0x1c0
? __vunmap+0x1cc/0x200
do_init_module+0x5f/0x227
load_module+0x2330/0x2b40
__do_sys_finit_module+0xfc/0x120
? __do_sys_finit_module+0xfc/0x120
__x64_sys_finit_module+0x1a/0x20
do_syscall_64+0x5a/0x130
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f14f9500839
Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89
f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01
f0 ff ff 73 01 c3 48 8b 0d 1f f6 2c 00 f7 d8 64 89 01 48
RSP: 002b:00007fff9bc4f5a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
RAX: ffffffffffffffda RBX: 000055afb5abce30 RCX: 00007f14f9500839
RDX: 0000000000000000 RSI: 000055afb5ace0f0 RDI: 0000000000000017
RBP: 000055afb5ace0f0 R08: 0000000000000000 R09: 000000000000000a
R10: 0000000000000017 R11: 0000000000000246 R12: 0000000000000000
R13: 000055afb5aad800 R14: 0000000000020000 R15: 0000000000000000
---[ end trace c286e96563966f08 ]---
This commit reworks the way that we handle i2c write for retimer in the
way that we abort this configuration if the feature is not available in
the device. For debug sake, we kept a simple log message in case the
retimer is not available.
Signed-off-by: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
Reviewed-by: Hersen Wu <hersenxs.wu@amd.com>
Acked-by: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/display/dc/core/dc_link.c | 67 ++++++++-----------
1 file changed, 29 insertions(+), 38 deletions(-)
diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_link.c b/drivers/gpu/drm/amd/display/dc/core/dc_link.c
index 3abc0294c05f5..2fb2c683ad54b 100644
--- a/drivers/gpu/drm/amd/display/dc/core/dc_link.c
+++ b/drivers/gpu/drm/amd/display/dc/core/dc_link.c
@@ -1576,8 +1576,7 @@ static void write_i2c_retimer_setting(
buffer, sizeof(buffer));
if (!i2c_success)
- /* Write failure */
- ASSERT(i2c_success);
+ goto i2c_write_fail;
/* Based on DP159 specs, APPLY_RX_TX_CHANGE bit in 0x0A
* needs to be set to 1 on every 0xA-0xC write.
@@ -1595,8 +1594,7 @@ static void write_i2c_retimer_setting(
pipe_ctx->stream->sink->link->ddc,
slave_address, &offset, 1, &value, 1);
if (!i2c_success)
- /* Write failure */
- ASSERT(i2c_success);
+ goto i2c_write_fail;
}
buffer[0] = offset;
@@ -1605,8 +1603,7 @@ static void write_i2c_retimer_setting(
i2c_success = i2c_write(pipe_ctx, slave_address,
buffer, sizeof(buffer));
if (!i2c_success)
- /* Write failure */
- ASSERT(i2c_success);
+ goto i2c_write_fail;
}
}
}
@@ -1623,8 +1620,7 @@ static void write_i2c_retimer_setting(
buffer, sizeof(buffer));
if (!i2c_success)
- /* Write failure */
- ASSERT(i2c_success);
+ goto i2c_write_fail;
/* Based on DP159 specs, APPLY_RX_TX_CHANGE bit in 0x0A
* needs to be set to 1 on every 0xA-0xC write.
@@ -1642,8 +1638,7 @@ static void write_i2c_retimer_setting(
pipe_ctx->stream->sink->link->ddc,
slave_address, &offset, 1, &value, 1);
if (!i2c_success)
- /* Write failure */
- ASSERT(i2c_success);
+ goto i2c_write_fail;
}
buffer[0] = offset;
@@ -1652,8 +1647,7 @@ static void write_i2c_retimer_setting(
i2c_success = i2c_write(pipe_ctx, slave_address,
buffer, sizeof(buffer));
if (!i2c_success)
- /* Write failure */
- ASSERT(i2c_success);
+ goto i2c_write_fail;
}
}
}
@@ -1668,8 +1662,7 @@ static void write_i2c_retimer_setting(
i2c_success = i2c_write(pipe_ctx, slave_address,
buffer, sizeof(buffer));
if (!i2c_success)
- /* Write failure */
- ASSERT(i2c_success);
+ goto i2c_write_fail;
/* Write offset 0x00 to 0x23 */
buffer[0] = 0x00;
@@ -1677,8 +1670,7 @@ static void write_i2c_retimer_setting(
i2c_success = i2c_write(pipe_ctx, slave_address,
buffer, sizeof(buffer));
if (!i2c_success)
- /* Write failure */
- ASSERT(i2c_success);
+ goto i2c_write_fail;
/* Write offset 0xff to 0x00 */
buffer[0] = 0xff;
@@ -1686,10 +1678,14 @@ static void write_i2c_retimer_setting(
i2c_success = i2c_write(pipe_ctx, slave_address,
buffer, sizeof(buffer));
if (!i2c_success)
- /* Write failure */
- ASSERT(i2c_success);
+ goto i2c_write_fail;
}
+
+ return;
+
+i2c_write_fail:
+ DC_LOG_DEBUG("Set retimer failed");
}
static void write_i2c_default_retimer_setting(
@@ -1710,8 +1706,7 @@ static void write_i2c_default_retimer_setting(
i2c_success = i2c_write(pipe_ctx, slave_address,
buffer, sizeof(buffer));
if (!i2c_success)
- /* Write failure */
- ASSERT(i2c_success);
+ goto i2c_write_fail;
/* Write offset 0x0A to 0x17 */
buffer[0] = 0x0A;
@@ -1719,8 +1714,7 @@ static void write_i2c_default_retimer_setting(
i2c_success = i2c_write(pipe_ctx, slave_address,
buffer, sizeof(buffer));
if (!i2c_success)
- /* Write failure */
- ASSERT(i2c_success);
+ goto i2c_write_fail;
/* Write offset 0x0B to 0xDA or 0xD8 */
buffer[0] = 0x0B;
@@ -1728,8 +1722,7 @@ static void write_i2c_default_retimer_setting(
i2c_success = i2c_write(pipe_ctx, slave_address,
buffer, sizeof(buffer));
if (!i2c_success)
- /* Write failure */
- ASSERT(i2c_success);
+ goto i2c_write_fail;
/* Write offset 0x0A to 0x17 */
buffer[0] = 0x0A;
@@ -1737,8 +1730,7 @@ static void write_i2c_default_retimer_setting(
i2c_success = i2c_write(pipe_ctx, slave_address,
buffer, sizeof(buffer));
if (!i2c_success)
- /* Write failure */
- ASSERT(i2c_success);
+ goto i2c_write_fail;
/* Write offset 0x0C to 0x1D or 0x91 */
buffer[0] = 0x0C;
@@ -1746,8 +1738,7 @@ static void write_i2c_default_retimer_setting(
i2c_success = i2c_write(pipe_ctx, slave_address,
buffer, sizeof(buffer));
if (!i2c_success)
- /* Write failure */
- ASSERT(i2c_success);
+ goto i2c_write_fail;
/* Write offset 0x0A to 0x17 */
buffer[0] = 0x0A;
@@ -1755,8 +1746,7 @@ static void write_i2c_default_retimer_setting(
i2c_success = i2c_write(pipe_ctx, slave_address,
buffer, sizeof(buffer));
if (!i2c_success)
- /* Write failure */
- ASSERT(i2c_success);
+ goto i2c_write_fail;
if (is_vga_mode) {
@@ -1768,8 +1758,7 @@ static void write_i2c_default_retimer_setting(
i2c_success = i2c_write(pipe_ctx, slave_address,
buffer, sizeof(buffer));
if (!i2c_success)
- /* Write failure */
- ASSERT(i2c_success);
+ goto i2c_write_fail;
/* Write offset 0x00 to 0x23 */
buffer[0] = 0x00;
@@ -1777,8 +1766,7 @@ static void write_i2c_default_retimer_setting(
i2c_success = i2c_write(pipe_ctx, slave_address,
buffer, sizeof(buffer));
if (!i2c_success)
- /* Write failure */
- ASSERT(i2c_success);
+ goto i2c_write_fail;
/* Write offset 0xff to 0x00 */
buffer[0] = 0xff;
@@ -1786,9 +1774,13 @@ static void write_i2c_default_retimer_setting(
i2c_success = i2c_write(pipe_ctx, slave_address,
buffer, sizeof(buffer));
if (!i2c_success)
- /* Write failure */
- ASSERT(i2c_success);
+ goto i2c_write_fail;
}
+
+ return;
+
+i2c_write_fail:
+ DC_LOG_DEBUG("Set default retimer failed");
}
static void write_i2c_redriver_setting(
@@ -1811,8 +1803,7 @@ static void write_i2c_redriver_setting(
buffer, sizeof(buffer));
if (!i2c_success)
- /* Write failure */
- ASSERT(i2c_success);
+ DC_LOG_DEBUG("Set redriver failed");
}
static void enable_link_hdmi(struct pipe_ctx *pipe_ctx)
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 103/245] ath10k: use kzalloc to read for ath10k_sdio_hif_diag_read
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (101 preceding siblings ...)
2020-09-29 10:59 ` [PATCH 4.19 102/245] drm/amd/display: Stop if retimer is not available Greg Kroah-Hartman
@ 2020-09-29 10:59 ` Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 104/245] scsi: aacraid: Disabling TM path and only processing IOP reset Greg Kroah-Hartman
` (144 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:59 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Wen Gong, Kalle Valo, Sasha Levin
From: Wen Gong <wgong@codeaurora.org>
[ Upstream commit 402f2992b4d62760cce7c689ff216ea3bf4d6e8a ]
When use command to read values, it crashed.
command:
dd if=/sys/kernel/debug/ieee80211/phy0/ath10k/mem_value count=1 bs=4 skip=$((0x100233))
It will call to ath10k_sdio_hif_diag_read with address = 0x4008cc and buf_len = 4.
Then system crash:
[ 1786.013258] Unable to handle kernel paging request at virtual address ffffffc00bd45000
[ 1786.013273] Mem abort info:
[ 1786.013281] ESR = 0x96000045
[ 1786.013291] Exception class = DABT (current EL), IL = 32 bits
[ 1786.013299] SET = 0, FnV = 0
[ 1786.013307] EA = 0, S1PTW = 0
[ 1786.013314] Data abort info:
[ 1786.013322] ISV = 0, ISS = 0x00000045
[ 1786.013330] CM = 0, WnR = 1
[ 1786.013342] swapper pgtable: 4k pages, 39-bit VAs, pgdp = 000000008542a60e
[ 1786.013350] [ffffffc00bd45000] pgd=0000000000000000, pud=0000000000000000
[ 1786.013368] Internal error: Oops: 96000045 [#1] PREEMPT SMP
[ 1786.013609] Process swapper/0 (pid: 0, stack limit = 0x0000000084b153c6)
[ 1786.013623] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.19.86 #137
[ 1786.013631] Hardware name: MediaTek krane sku176 board (DT)
[ 1786.013643] pstate: 80000085 (Nzcv daIf -PAN -UAO)
[ 1786.013662] pc : __memcpy+0x94/0x180
[ 1786.013678] lr : swiotlb_tbl_unmap_single+0x84/0x150
[ 1786.013686] sp : ffffff8008003c60
[ 1786.013694] x29: ffffff8008003c90 x28: ffffffae96411f80
[ 1786.013708] x27: ffffffae960d2018 x26: ffffff8019a4b9a8
[ 1786.013721] x25: 0000000000000000 x24: 0000000000000001
[ 1786.013734] x23: ffffffae96567000 x22: 00000000000051d4
[ 1786.013747] x21: 0000000000000000 x20: 00000000fe6e9000
[ 1786.013760] x19: 0000000000000004 x18: 0000000000000020
[ 1786.013773] x17: 0000000000000001 x16: 0000000000000000
[ 1786.013787] x15: 00000000ffffffff x14: 00000000000044c0
[ 1786.013800] x13: 0000000000365ba4 x12: 0000000000000000
[ 1786.013813] x11: 0000000000000001 x10: 00000037be6e9000
[ 1786.013826] x9 : ffffffc940000000 x8 : 000000000bd45000
[ 1786.013839] x7 : 0000000000000000 x6 : ffffffc00bd45000
[ 1786.013852] x5 : 0000000000000000 x4 : 0000000000000000
[ 1786.013865] x3 : 0000000000000c00 x2 : 0000000000000004
[ 1786.013878] x1 : fffffff7be6e9004 x0 : ffffffc00bd45000
[ 1786.013891] Call trace:
[ 1786.013903] __memcpy+0x94/0x180
[ 1786.013914] unmap_single+0x6c/0x84
[ 1786.013925] swiotlb_unmap_sg_attrs+0x54/0x80
[ 1786.013938] __swiotlb_unmap_sg_attrs+0x8c/0xa4
[ 1786.013952] msdc_unprepare_data+0x6c/0x84
[ 1786.013963] msdc_request_done+0x58/0x84
[ 1786.013974] msdc_data_xfer_done+0x1a0/0x1c8
[ 1786.013985] msdc_irq+0x12c/0x17c
[ 1786.013996] __handle_irq_event_percpu+0xe4/0x250
[ 1786.014006] handle_irq_event_percpu+0x28/0x68
[ 1786.014015] handle_irq_event+0x48/0x78
[ 1786.014026] handle_fasteoi_irq+0xd0/0x1a0
[ 1786.014039] __handle_domain_irq+0x84/0xc4
[ 1786.014050] gic_handle_irq+0x124/0x1a4
[ 1786.014059] el1_irq+0xb0/0x128
[ 1786.014072] cpuidle_enter_state+0x298/0x328
[ 1786.014082] cpuidle_enter+0x30/0x40
[ 1786.014094] do_idle+0x190/0x268
[ 1786.014104] cpu_startup_entry+0x24/0x28
[ 1786.014116] rest_init+0xd4/0xe0
[ 1786.014126] start_kernel+0x30c/0x38c
[ 1786.014139] Code: f8408423 f80084c3 36100062 b8404423 (b80044c3)
[ 1786.014150] ---[ end trace 3b02ddb698ea69ee ]---
[ 1786.015415] Kernel panic - not syncing: Fatal exception in interrupt
[ 1786.015433] SMP: stopping secondary CPUs
[ 1786.015447] Kernel Offset: 0x2e8d200000 from 0xffffff8008000000
[ 1786.015458] CPU features: 0x0,2188200c
[ 1786.015466] Memory Limit: none
For sdio chip, it need the memory which is kmalloc, if it is
vmalloc from ath10k_mem_value_read, then it have a memory error.
kzalloc of ath10k_sdio_hif_diag_read32 is the correct type, so
add kzalloc in ath10k_sdio_hif_diag_read to replace the buffer
which is vmalloc from ath10k_mem_value_read.
This patch only effect sdio chip.
Tested with QCA6174 SDIO with firmware WLAN.RMH.4.4.1-00029.
Signed-off-by: Wen Gong <wgong@codeaurora.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath10k/sdio.c | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/drivers/net/wireless/ath/ath10k/sdio.c b/drivers/net/wireless/ath/ath10k/sdio.c
index 0ecaba824fb28..0cdaecb0e28a9 100644
--- a/drivers/net/wireless/ath/ath10k/sdio.c
+++ b/drivers/net/wireless/ath/ath10k/sdio.c
@@ -1567,23 +1567,33 @@ static int ath10k_sdio_hif_diag_read(struct ath10k *ar, u32 address, void *buf,
size_t buf_len)
{
int ret;
+ void *mem;
+
+ mem = kzalloc(buf_len, GFP_KERNEL);
+ if (!mem)
+ return -ENOMEM;
/* set window register to start read cycle */
ret = ath10k_sdio_write32(ar, MBOX_WINDOW_READ_ADDR_ADDRESS, address);
if (ret) {
ath10k_warn(ar, "failed to set mbox window read address: %d", ret);
- return ret;
+ goto out;
}
/* read the data */
- ret = ath10k_sdio_read(ar, MBOX_WINDOW_DATA_ADDRESS, buf, buf_len);
+ ret = ath10k_sdio_read(ar, MBOX_WINDOW_DATA_ADDRESS, mem, buf_len);
if (ret) {
ath10k_warn(ar, "failed to read from mbox window data address: %d\n",
ret);
- return ret;
+ goto out;
}
- return 0;
+ memcpy(buf, mem, buf_len);
+
+out:
+ kfree(mem);
+
+ return ret;
}
static int ath10k_sdio_hif_diag_read32(struct ath10k *ar, u32 address,
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 104/245] scsi: aacraid: Disabling TM path and only processing IOP reset
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (102 preceding siblings ...)
2020-09-29 10:59 ` [PATCH 4.19 103/245] ath10k: use kzalloc to read for ath10k_sdio_hif_diag_read Greg Kroah-Hartman
@ 2020-09-29 10:59 ` Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 105/245] Bluetooth: L2CAP: handle l2cap config request during open state Greg Kroah-Hartman
` (143 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:59 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Sagar Biradar, Balsundar P,
Martin K. Petersen, Sasha Levin
From: Sagar Biradar <Sagar.Biradar@microchip.com>
[ Upstream commit bef18d308a2215eff8c3411a23d7f34604ce56c3 ]
Fixes the occasional adapter panic when sg_reset is issued with -d, -t, -b
and -H flags. Removal of command type HBA_IU_TYPE_SCSI_TM_REQ in
aac_hba_send since iu_type, request_id and fib_flags are not populated.
Device and target reset handlers are made to send TMF commands only when
reset_state is 0.
Link: https://lore.kernel.org/r/1581553771-25796-1-git-send-email-Sagar.Biradar@microchip.com
Reviewed-by: Sagar Biradar <Sagar.Biradar@microchip.com>
Signed-off-by: Sagar Biradar <Sagar.Biradar@microchip.com>
Signed-off-by: Balsundar P <balsundar.p@microsemi.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/aacraid/commsup.c | 2 +-
drivers/scsi/aacraid/linit.c | 34 +++++++++++++++++++++++++---------
2 files changed, 26 insertions(+), 10 deletions(-)
diff --git a/drivers/scsi/aacraid/commsup.c b/drivers/scsi/aacraid/commsup.c
index b7588de4484e5..4cb6ee6e1212e 100644
--- a/drivers/scsi/aacraid/commsup.c
+++ b/drivers/scsi/aacraid/commsup.c
@@ -743,7 +743,7 @@ int aac_hba_send(u8 command, struct fib *fibptr, fib_callback callback,
hbacmd->request_id =
cpu_to_le32((((u32)(fibptr - dev->fibs)) << 2) + 1);
fibptr->flags |= FIB_CONTEXT_FLAG_SCSI_CMD;
- } else if (command != HBA_IU_TYPE_SCSI_TM_REQ)
+ } else
return -EINVAL;
diff --git a/drivers/scsi/aacraid/linit.c b/drivers/scsi/aacraid/linit.c
index 1046947064a0b..0142547aaadd2 100644
--- a/drivers/scsi/aacraid/linit.c
+++ b/drivers/scsi/aacraid/linit.c
@@ -736,7 +736,11 @@ static int aac_eh_abort(struct scsi_cmnd* cmd)
status = aac_hba_send(HBA_IU_TYPE_SCSI_TM_REQ, fib,
(fib_callback) aac_hba_callback,
(void *) cmd);
-
+ if (status != -EINPROGRESS) {
+ aac_fib_complete(fib);
+ aac_fib_free(fib);
+ return ret;
+ }
/* Wait up to 15 secs for completion */
for (count = 0; count < 15; ++count) {
if (cmd->SCp.sent_command) {
@@ -915,11 +919,11 @@ static int aac_eh_dev_reset(struct scsi_cmnd *cmd)
info = &aac->hba_map[bus][cid];
- if (info->devtype != AAC_DEVTYPE_NATIVE_RAW &&
- info->reset_state > 0)
+ if (!(info->devtype == AAC_DEVTYPE_NATIVE_RAW &&
+ !(info->reset_state > 0)))
return FAILED;
- pr_err("%s: Host adapter reset request. SCSI hang ?\n",
+ pr_err("%s: Host device reset request. SCSI hang ?\n",
AAC_DRIVERNAME);
fib = aac_fib_alloc(aac);
@@ -934,7 +938,12 @@ static int aac_eh_dev_reset(struct scsi_cmnd *cmd)
status = aac_hba_send(command, fib,
(fib_callback) aac_tmf_callback,
(void *) info);
-
+ if (status != -EINPROGRESS) {
+ info->reset_state = 0;
+ aac_fib_complete(fib);
+ aac_fib_free(fib);
+ return ret;
+ }
/* Wait up to 15 seconds for completion */
for (count = 0; count < 15; ++count) {
if (info->reset_state == 0) {
@@ -973,11 +982,11 @@ static int aac_eh_target_reset(struct scsi_cmnd *cmd)
info = &aac->hba_map[bus][cid];
- if (info->devtype != AAC_DEVTYPE_NATIVE_RAW &&
- info->reset_state > 0)
+ if (!(info->devtype == AAC_DEVTYPE_NATIVE_RAW &&
+ !(info->reset_state > 0)))
return FAILED;
- pr_err("%s: Host adapter reset request. SCSI hang ?\n",
+ pr_err("%s: Host target reset request. SCSI hang ?\n",
AAC_DRIVERNAME);
fib = aac_fib_alloc(aac);
@@ -994,6 +1003,13 @@ static int aac_eh_target_reset(struct scsi_cmnd *cmd)
(fib_callback) aac_tmf_callback,
(void *) info);
+ if (status != -EINPROGRESS) {
+ info->reset_state = 0;
+ aac_fib_complete(fib);
+ aac_fib_free(fib);
+ return ret;
+ }
+
/* Wait up to 15 seconds for completion */
for (count = 0; count < 15; ++count) {
if (info->reset_state <= 0) {
@@ -1046,7 +1062,7 @@ static int aac_eh_bus_reset(struct scsi_cmnd* cmd)
}
}
- pr_err("%s: Host adapter reset request. SCSI hang ?\n", AAC_DRIVERNAME);
+ pr_err("%s: Host bus reset request. SCSI hang ?\n", AAC_DRIVERNAME);
/*
* Check the health of the controller
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 105/245] Bluetooth: L2CAP: handle l2cap config request during open state
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (103 preceding siblings ...)
2020-09-29 10:59 ` [PATCH 4.19 104/245] scsi: aacraid: Disabling TM path and only processing IOP reset Greg Kroah-Hartman
@ 2020-09-29 10:59 ` Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 106/245] media: tda10071: fix unsigned sign extension overflow Greg Kroah-Hartman
` (142 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:59 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Howard Chung, Marcel Holtmann, Sasha Levin
From: Howard Chung <howardchung@google.com>
[ Upstream commit 96298f640104e4cd9a913a6e50b0b981829b94ff ]
According to Core Spec Version 5.2 | Vol 3, Part A 6.1.5,
the incoming L2CAP_ConfigReq should be handled during
OPEN state.
The section below shows the btmon trace when running
L2CAP/COS/CFD/BV-12-C before and after this change.
=== Before ===
...
> ACL Data RX: Handle 256 flags 0x02 dlen 12 #22
L2CAP: Connection Request (0x02) ident 2 len 4
PSM: 1 (0x0001)
Source CID: 65
< ACL Data TX: Handle 256 flags 0x00 dlen 16 #23
L2CAP: Connection Response (0x03) ident 2 len 8
Destination CID: 64
Source CID: 65
Result: Connection successful (0x0000)
Status: No further information available (0x0000)
< ACL Data TX: Handle 256 flags 0x00 dlen 12 #24
L2CAP: Configure Request (0x04) ident 2 len 4
Destination CID: 65
Flags: 0x0000
> HCI Event: Number of Completed Packets (0x13) plen 5 #25
Num handles: 1
Handle: 256
Count: 1
> HCI Event: Number of Completed Packets (0x13) plen 5 #26
Num handles: 1
Handle: 256
Count: 1
> ACL Data RX: Handle 256 flags 0x02 dlen 16 #27
L2CAP: Configure Request (0x04) ident 3 len 8
Destination CID: 64
Flags: 0x0000
Option: Unknown (0x10) [hint]
01 00 ..
< ACL Data TX: Handle 256 flags 0x00 dlen 18 #28
L2CAP: Configure Response (0x05) ident 3 len 10
Source CID: 65
Flags: 0x0000
Result: Success (0x0000)
Option: Maximum Transmission Unit (0x01) [mandatory]
MTU: 672
> HCI Event: Number of Completed Packets (0x13) plen 5 #29
Num handles: 1
Handle: 256
Count: 1
> ACL Data RX: Handle 256 flags 0x02 dlen 14 #30
L2CAP: Configure Response (0x05) ident 2 len 6
Source CID: 64
Flags: 0x0000
Result: Success (0x0000)
> ACL Data RX: Handle 256 flags 0x02 dlen 20 #31
L2CAP: Configure Request (0x04) ident 3 len 12
Destination CID: 64
Flags: 0x0000
Option: Unknown (0x10) [hint]
01 00 91 02 11 11 ......
< ACL Data TX: Handle 256 flags 0x00 dlen 14 #32
L2CAP: Command Reject (0x01) ident 3 len 6
Reason: Invalid CID in request (0x0002)
Destination CID: 64
Source CID: 65
> HCI Event: Number of Completed Packets (0x13) plen 5 #33
Num handles: 1
Handle: 256
Count: 1
...
=== After ===
...
> ACL Data RX: Handle 256 flags 0x02 dlen 12 #22
L2CAP: Connection Request (0x02) ident 2 len 4
PSM: 1 (0x0001)
Source CID: 65
< ACL Data TX: Handle 256 flags 0x00 dlen 16 #23
L2CAP: Connection Response (0x03) ident 2 len 8
Destination CID: 64
Source CID: 65
Result: Connection successful (0x0000)
Status: No further information available (0x0000)
< ACL Data TX: Handle 256 flags 0x00 dlen 12 #24
L2CAP: Configure Request (0x04) ident 2 len 4
Destination CID: 65
Flags: 0x0000
> HCI Event: Number of Completed Packets (0x13) plen 5 #25
Num handles: 1
Handle: 256
Count: 1
> HCI Event: Number of Completed Packets (0x13) plen 5 #26
Num handles: 1
Handle: 256
Count: 1
> ACL Data RX: Handle 256 flags 0x02 dlen 16 #27
L2CAP: Configure Request (0x04) ident 3 len 8
Destination CID: 64
Flags: 0x0000
Option: Unknown (0x10) [hint]
01 00 ..
< ACL Data TX: Handle 256 flags 0x00 dlen 18 #28
L2CAP: Configure Response (0x05) ident 3 len 10
Source CID: 65
Flags: 0x0000
Result: Success (0x0000)
Option: Maximum Transmission Unit (0x01) [mandatory]
MTU: 672
> HCI Event: Number of Completed Packets (0x13) plen 5 #29
Num handles: 1
Handle: 256
Count: 1
> ACL Data RX: Handle 256 flags 0x02 dlen 14 #30
L2CAP: Configure Response (0x05) ident 2 len 6
Source CID: 64
Flags: 0x0000
Result: Success (0x0000)
> ACL Data RX: Handle 256 flags 0x02 dlen 20 #31
L2CAP: Configure Request (0x04) ident 3 len 12
Destination CID: 64
Flags: 0x0000
Option: Unknown (0x10) [hint]
01 00 91 02 11 11 .....
< ACL Data TX: Handle 256 flags 0x00 dlen 18 #32
L2CAP: Configure Response (0x05) ident 3 len 10
Source CID: 65
Flags: 0x0000
Result: Success (0x0000)
Option: Maximum Transmission Unit (0x01) [mandatory]
MTU: 672
< ACL Data TX: Handle 256 flags 0x00 dlen 12 #33
L2CAP: Configure Request (0x04) ident 3 len 4
Destination CID: 65
Flags: 0x0000
> HCI Event: Number of Completed Packets (0x13) plen 5 #34
Num handles: 1
Handle: 256
Count: 1
> HCI Event: Number of Completed Packets (0x13) plen 5 #35
Num handles: 1
Handle: 256
Count: 1
...
Signed-off-by: Howard Chung <howardchung@google.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/l2cap_core.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index b1f51cb007ea6..c04107d446016 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -4117,7 +4117,8 @@ static inline int l2cap_config_req(struct l2cap_conn *conn,
return 0;
}
- if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2) {
+ if (chan->state != BT_CONFIG && chan->state != BT_CONNECT2 &&
+ chan->state != BT_CONNECTED) {
cmd_reject_invalid_cid(conn, cmd->ident, chan->scid,
chan->dcid);
goto unlock;
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 106/245] media: tda10071: fix unsigned sign extension overflow
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (104 preceding siblings ...)
2020-09-29 10:59 ` [PATCH 4.19 105/245] Bluetooth: L2CAP: handle l2cap config request during open state Greg Kroah-Hartman
@ 2020-09-29 10:59 ` Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 107/245] xfs: dont ever return a stale pointer from __xfs_dir3_free_read Greg Kroah-Hartman
` (141 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:59 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Colin Ian King, Sean Young,
Mauro Carvalho Chehab, Sasha Levin
From: Colin Ian King <colin.king@canonical.com>
[ Upstream commit a7463e2dc698075132de9905b89f495df888bb79 ]
The shifting of buf[3] by 24 bits to the left will be promoted to
a 32 bit signed int and then sign-extended to an unsigned long. In
the unlikely event that the the top bit of buf[3] is set then all
then all the upper bits end up as also being set because of
the sign-extension and this affect the ev->post_bit_error sum.
Fix this by using the temporary u32 variable bit_error to avoid
the sign-extension promotion. This also removes the need to do the
computation twice.
Addresses-Coverity: ("Unintended sign extension")
Fixes: 267897a4708f ("[media] tda10071: implement DVBv5 statistics")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/dvb-frontends/tda10071.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/drivers/media/dvb-frontends/tda10071.c b/drivers/media/dvb-frontends/tda10071.c
index 097c42d3f8c26..df0c7243eafe4 100644
--- a/drivers/media/dvb-frontends/tda10071.c
+++ b/drivers/media/dvb-frontends/tda10071.c
@@ -483,10 +483,11 @@ static int tda10071_read_status(struct dvb_frontend *fe, enum fe_status *status)
goto error;
if (dev->delivery_system == SYS_DVBS) {
- dev->dvbv3_ber = buf[0] << 24 | buf[1] << 16 |
- buf[2] << 8 | buf[3] << 0;
- dev->post_bit_error += buf[0] << 24 | buf[1] << 16 |
- buf[2] << 8 | buf[3] << 0;
+ u32 bit_error = buf[0] << 24 | buf[1] << 16 |
+ buf[2] << 8 | buf[3] << 0;
+
+ dev->dvbv3_ber = bit_error;
+ dev->post_bit_error += bit_error;
c->post_bit_error.stat[0].scale = FE_SCALE_COUNTER;
c->post_bit_error.stat[0].uvalue = dev->post_bit_error;
dev->block_error += buf[4] << 8 | buf[5] << 0;
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 107/245] xfs: dont ever return a stale pointer from __xfs_dir3_free_read
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (105 preceding siblings ...)
2020-09-29 10:59 ` [PATCH 4.19 106/245] media: tda10071: fix unsigned sign extension overflow Greg Kroah-Hartman
@ 2020-09-29 10:59 ` Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 108/245] xfs: mark dir corrupt when lookup-by-hash fails Greg Kroah-Hartman
` (140 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:59 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Darrick J. Wong, Dave Chinner, Sasha Levin
From: Darrick J. Wong <darrick.wong@oracle.com>
[ Upstream commit 1cb5deb5bc095c070c09a4540c45f9c9ba24be43 ]
If we decide that a directory free block is corrupt, we must take care
not to leak a buffer pointer to the caller. After xfs_trans_brelse
returns, the buffer can be freed or reused, which means that we have to
set *bpp back to NULL.
Callers are supposed to notice the nonzero return value and not use the
buffer pointer, but we should code more defensively, even if all current
callers handle this situation correctly.
Fixes: de14c5f541e7 ("xfs: verify free block header fields")
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/xfs/libxfs/xfs_dir2_node.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/xfs/libxfs/xfs_dir2_node.c b/fs/xfs/libxfs/xfs_dir2_node.c
index f1bb3434f51c7..01e99806b941f 100644
--- a/fs/xfs/libxfs/xfs_dir2_node.c
+++ b/fs/xfs/libxfs/xfs_dir2_node.c
@@ -214,6 +214,7 @@ __xfs_dir3_free_read(
if (fa) {
xfs_verifier_error(*bpp, -EFSCORRUPTED, fa);
xfs_trans_brelse(tp, *bpp);
+ *bpp = NULL;
return -EFSCORRUPTED;
}
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 108/245] xfs: mark dir corrupt when lookup-by-hash fails
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (106 preceding siblings ...)
2020-09-29 10:59 ` [PATCH 4.19 107/245] xfs: dont ever return a stale pointer from __xfs_dir3_free_read Greg Kroah-Hartman
@ 2020-09-29 10:59 ` Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 109/245] ext4: mark block bitmap corrupted when found instead of BUGON Greg Kroah-Hartman
` (139 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:59 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Darrick J. Wong, Dave Chinner, Sasha Levin
From: Darrick J. Wong <darrick.wong@oracle.com>
[ Upstream commit 2e107cf869eecc770e3f630060bb4e5f547d0fd8 ]
In xchk_dir_actor, we attempt to validate the directory hash structures
by performing a directory entry lookup by (hashed) name. If the lookup
returns ENOENT, that means that the hash information is corrupt. The
_process_error functions don't catch this, so we have to add that
explicitly.
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/xfs/scrub/dir.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/fs/xfs/scrub/dir.c b/fs/xfs/scrub/dir.c
index cd3e4d768a18c..33dfcba72c7a0 100644
--- a/fs/xfs/scrub/dir.c
+++ b/fs/xfs/scrub/dir.c
@@ -156,6 +156,9 @@ xchk_dir_actor(
xname.type = XFS_DIR3_FT_UNKNOWN;
error = xfs_dir_lookup(sdc->sc->tp, ip, &xname, &lookup_ino, NULL);
+ /* ENOENT means the hash lookup failed and the dir is corrupt */
+ if (error == -ENOENT)
+ error = -EFSCORRUPTED;
if (!xchk_fblock_process_error(sdc->sc, XFS_DATA_FORK, offset,
&error))
goto out;
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 109/245] ext4: mark block bitmap corrupted when found instead of BUGON
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (107 preceding siblings ...)
2020-09-29 10:59 ` [PATCH 4.19 108/245] xfs: mark dir corrupt when lookup-by-hash fails Greg Kroah-Hartman
@ 2020-09-29 10:59 ` Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 110/245] tpm: ibmvtpm: Wait for buffer to be set before proceeding Greg Kroah-Hartman
` (138 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:59 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Andreas Dilger, Dmitry Monakhov,
Theodore Tso, Sasha Levin
From: Dmitry Monakhov <dmonakhov@gmail.com>
[ Upstream commit eb5760863fc28feab28b567ddcda7e667e638da0 ]
We already has similar code in ext4_mb_complex_scan_group(), but
ext4_mb_simple_scan_group() still affected.
Other reports: https://www.spinics.net/lists/linux-ext4/msg60231.html
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Signed-off-by: Dmitry Monakhov <dmonakhov@gmail.com>
Link: https://lore.kernel.org/r/20200310150156.641-1-dmonakhov@gmail.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/mballoc.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
index 8dd54a8a03610..054cfdd007d69 100644
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -1901,8 +1901,15 @@ void ext4_mb_simple_scan_group(struct ext4_allocation_context *ac,
BUG_ON(buddy == NULL);
k = mb_find_next_zero_bit(buddy, max, 0);
- BUG_ON(k >= max);
-
+ if (k >= max) {
+ ext4_grp_locked_error(ac->ac_sb, e4b->bd_group, 0, 0,
+ "%d free clusters of order %d. But found 0",
+ grp->bb_counters[i], i);
+ ext4_mark_group_bitmap_corrupted(ac->ac_sb,
+ e4b->bd_group,
+ EXT4_GROUP_INFO_BBITMAP_CORRUPT);
+ break;
+ }
ac->ac_found++;
ac->ac_b_ex.fe_len = 1 << i;
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 110/245] tpm: ibmvtpm: Wait for buffer to be set before proceeding
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (108 preceding siblings ...)
2020-09-29 10:59 ` [PATCH 4.19 109/245] ext4: mark block bitmap corrupted when found instead of BUGON Greg Kroah-Hartman
@ 2020-09-29 10:59 ` Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 111/245] rtc: sa1100: fix possible race condition Greg Kroah-Hartman
` (137 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:59 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Stefan Berger, Nayna Jain,
Jarkko Sakkinen, Sasha Levin
From: Stefan Berger <stefanb@linux.ibm.com>
[ Upstream commit d8d74ea3c00214aee1e1826ca18e77944812b9b4 ]
Synchronize with the results from the CRQs before continuing with
the initialization. This avoids trying to send TPM commands while
the rtce buffer has not been allocated, yet.
This patch fixes an existing race condition that may occurr if the
hypervisor does not quickly respond to the VTPM_GET_RTCE_BUFFER_SIZE
request sent during initialization and therefore the ibmvtpm->rtce_buf
has not been allocated at the time the first TPM command is sent.
Fixes: 132f76294744 ("drivers/char/tpm: Add new device driver to support IBM vTPM")
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Acked-by: Nayna Jain <nayna@linux.ibm.com>
Tested-by: Nayna Jain <nayna@linux.ibm.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/char/tpm/tpm_ibmvtpm.c | 9 +++++++++
drivers/char/tpm/tpm_ibmvtpm.h | 1 +
2 files changed, 10 insertions(+)
diff --git a/drivers/char/tpm/tpm_ibmvtpm.c b/drivers/char/tpm/tpm_ibmvtpm.c
index 569e93e1f06cc..3ba67bc6baba0 100644
--- a/drivers/char/tpm/tpm_ibmvtpm.c
+++ b/drivers/char/tpm/tpm_ibmvtpm.c
@@ -588,6 +588,7 @@ static irqreturn_t ibmvtpm_interrupt(int irq, void *vtpm_instance)
*/
while ((crq = ibmvtpm_crq_get_next(ibmvtpm)) != NULL) {
ibmvtpm_crq_process(crq, ibmvtpm);
+ wake_up_interruptible(&ibmvtpm->crq_queue.wq);
crq->valid = 0;
smp_wmb();
}
@@ -635,6 +636,7 @@ static int tpm_ibmvtpm_probe(struct vio_dev *vio_dev,
}
crq_q->num_entry = CRQ_RES_BUF_SIZE / sizeof(*crq_q->crq_addr);
+ init_waitqueue_head(&crq_q->wq);
ibmvtpm->crq_dma_handle = dma_map_single(dev, crq_q->crq_addr,
CRQ_RES_BUF_SIZE,
DMA_BIDIRECTIONAL);
@@ -687,6 +689,13 @@ static int tpm_ibmvtpm_probe(struct vio_dev *vio_dev,
if (rc)
goto init_irq_cleanup;
+ if (!wait_event_timeout(ibmvtpm->crq_queue.wq,
+ ibmvtpm->rtce_buf != NULL,
+ HZ)) {
+ dev_err(dev, "CRQ response timed out\n");
+ goto init_irq_cleanup;
+ }
+
return tpm_chip_register(chip);
init_irq_cleanup:
do {
diff --git a/drivers/char/tpm/tpm_ibmvtpm.h b/drivers/char/tpm/tpm_ibmvtpm.h
index 91dfe766d0800..4f6a124601db4 100644
--- a/drivers/char/tpm/tpm_ibmvtpm.h
+++ b/drivers/char/tpm/tpm_ibmvtpm.h
@@ -31,6 +31,7 @@ struct ibmvtpm_crq_queue {
struct ibmvtpm_crq *crq_addr;
u32 index;
u32 num_entry;
+ wait_queue_head_t wq;
};
struct ibmvtpm_dev {
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 111/245] rtc: sa1100: fix possible race condition
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (109 preceding siblings ...)
2020-09-29 10:59 ` [PATCH 4.19 110/245] tpm: ibmvtpm: Wait for buffer to be set before proceeding Greg Kroah-Hartman
@ 2020-09-29 10:59 ` Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 112/245] rtc: ds1374: " Greg Kroah-Hartman
` (136 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:59 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alexandre Belloni, Sasha Levin
From: Alexandre Belloni <alexandre.belloni@bootlin.com>
[ Upstream commit f2997775b111c6d660c32a18d5d44d37cb7361b1 ]
Both RTC IRQs are requested before the struct rtc_device is allocated,
this may lead to a NULL pointer dereference in the IRQ handler.
To fix this issue, allocating the rtc_device struct before requesting
the IRQs using devm_rtc_allocate_device, and use rtc_register_device
to register the RTC device.
Link: https://lore.kernel.org/r/20200306010146.39762-1-alexandre.belloni@bootlin.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/rtc/rtc-sa1100.c | 18 ++++++++++--------
1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/drivers/rtc/rtc-sa1100.c b/drivers/rtc/rtc-sa1100.c
index 304d905cb23fd..56f625371735f 100644
--- a/drivers/rtc/rtc-sa1100.c
+++ b/drivers/rtc/rtc-sa1100.c
@@ -186,7 +186,6 @@ static const struct rtc_class_ops sa1100_rtc_ops = {
int sa1100_rtc_init(struct platform_device *pdev, struct sa1100_rtc *info)
{
- struct rtc_device *rtc;
int ret;
spin_lock_init(&info->lock);
@@ -215,15 +214,14 @@ int sa1100_rtc_init(struct platform_device *pdev, struct sa1100_rtc *info)
writel_relaxed(0, info->rcnr);
}
- rtc = devm_rtc_device_register(&pdev->dev, pdev->name, &sa1100_rtc_ops,
- THIS_MODULE);
- if (IS_ERR(rtc)) {
+ info->rtc->ops = &sa1100_rtc_ops;
+ info->rtc->max_user_freq = RTC_FREQ;
+
+ ret = rtc_register_device(info->rtc);
+ if (ret) {
clk_disable_unprepare(info->clk);
- return PTR_ERR(rtc);
+ return ret;
}
- info->rtc = rtc;
-
- rtc->max_user_freq = RTC_FREQ;
/* Fix for a nasty initialization problem the in SA11xx RTSR register.
* See also the comments in sa1100_rtc_interrupt().
@@ -272,6 +270,10 @@ static int sa1100_rtc_probe(struct platform_device *pdev)
info->irq_1hz = irq_1hz;
info->irq_alarm = irq_alarm;
+ info->rtc = devm_rtc_allocate_device(&pdev->dev);
+ if (IS_ERR(info->rtc))
+ return PTR_ERR(info->rtc);
+
ret = devm_request_irq(&pdev->dev, irq_1hz, sa1100_rtc_interrupt, 0,
"rtc 1Hz", &pdev->dev);
if (ret) {
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 112/245] rtc: ds1374: fix possible race condition
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (110 preceding siblings ...)
2020-09-29 10:59 ` [PATCH 4.19 111/245] rtc: sa1100: fix possible race condition Greg Kroah-Hartman
@ 2020-09-29 10:59 ` Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 113/245] nfsd: Dont add locks to closed or closing open stateids Greg Kroah-Hartman
` (135 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:59 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alexandre Belloni, Sasha Levin
From: Alexandre Belloni <alexandre.belloni@bootlin.com>
[ Upstream commit c11af8131a4e7ba1960faed731ee7e84c2c13c94 ]
The RTC IRQ is requested before the struct rtc_device is allocated,
this may lead to a NULL pointer dereference in the IRQ handler.
To fix this issue, allocating the rtc_device struct before requesting
the RTC IRQ using devm_rtc_allocate_device, and use rtc_register_device
to register the RTC device.
Link: https://lore.kernel.org/r/20200306073404.56921-1-alexandre.belloni@bootlin.com
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/rtc/rtc-ds1374.c | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/drivers/rtc/rtc-ds1374.c b/drivers/rtc/rtc-ds1374.c
index 38a2e9e684df4..77a106e90124b 100644
--- a/drivers/rtc/rtc-ds1374.c
+++ b/drivers/rtc/rtc-ds1374.c
@@ -620,6 +620,10 @@ static int ds1374_probe(struct i2c_client *client,
if (!ds1374)
return -ENOMEM;
+ ds1374->rtc = devm_rtc_allocate_device(&client->dev);
+ if (IS_ERR(ds1374->rtc))
+ return PTR_ERR(ds1374->rtc);
+
ds1374->client = client;
i2c_set_clientdata(client, ds1374);
@@ -641,12 +645,11 @@ static int ds1374_probe(struct i2c_client *client,
device_set_wakeup_capable(&client->dev, 1);
}
- ds1374->rtc = devm_rtc_device_register(&client->dev, client->name,
- &ds1374_rtc_ops, THIS_MODULE);
- if (IS_ERR(ds1374->rtc)) {
- dev_err(&client->dev, "unable to register the class device\n");
- return PTR_ERR(ds1374->rtc);
- }
+ ds1374->rtc->ops = &ds1374_rtc_ops;
+
+ ret = rtc_register_device(ds1374->rtc);
+ if (ret)
+ return ret;
#ifdef CONFIG_RTC_DRV_DS1374_WDT
save_client = client;
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 113/245] nfsd: Dont add locks to closed or closing open stateids
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (111 preceding siblings ...)
2020-09-29 10:59 ` [PATCH 4.19 112/245] rtc: ds1374: " Greg Kroah-Hartman
@ 2020-09-29 10:59 ` Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 114/245] RDMA/cm: Remove a race freeing timewait_info Greg Kroah-Hartman
` (134 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:59 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Trond Myklebust, Chuck Lever, Sasha Levin
From: Trond Myklebust <trondmy@gmail.com>
[ Upstream commit a451b12311aa8c96c6f6e01c783a86995dc3ec6b ]
In NFSv4, the lock stateids are tied to the lockowner, and the open stateid,
so that the action of closing the file also results in either an automatic
loss of the locks, or an error of the form NFS4ERR_LOCKS_HELD.
In practice this means we must not add new locks to the open stateid
after the close process has been invoked. In fact doing so, can result
in the following panic:
kernel BUG at lib/list_debug.c:51!
invalid opcode: 0000 [#1] SMP NOPTI
CPU: 2 PID: 1085 Comm: nfsd Not tainted 5.6.0-rc3+ #2
Hardware name: VMware, Inc. VMware7,1/440BX Desktop Reference Platform, BIOS VMW71.00V.14410784.B64.1908150010 08/15/2019
RIP: 0010:__list_del_entry_valid.cold+0x31/0x55
Code: 1a 3d 9b e8 74 10 c2 ff 0f 0b 48 c7 c7 f0 1a 3d 9b e8 66 10 c2 ff 0f 0b 48 89 f2 48 89 fe 48 c7 c7 b0 1a 3d 9b e8 52 10 c2 ff <0f> 0b 48 89 fe 4c 89 c2 48 c7 c7 78 1a 3d 9b e8 3e 10 c2 ff 0f 0b
RSP: 0018:ffffb296c1d47d90 EFLAGS: 00010246
RAX: 0000000000000054 RBX: ffff8ba032456ec8 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffff8ba039e99cc8 RDI: ffff8ba039e99cc8
RBP: ffff8ba032456e60 R08: 0000000000000781 R09: 0000000000000003
R10: 0000000000000000 R11: 0000000000000001 R12: ffff8ba009a4abe0
R13: ffff8ba032456e8c R14: 0000000000000000 R15: ffff8ba00adb01d8
FS: 0000000000000000(0000) GS:ffff8ba039e80000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fb213f0b008 CR3: 00000001347de006 CR4: 00000000003606e0
Call Trace:
release_lock_stateid+0x2b/0x80 [nfsd]
nfsd4_free_stateid+0x1e9/0x210 [nfsd]
nfsd4_proc_compound+0x414/0x700 [nfsd]
? nfs4svc_decode_compoundargs+0x407/0x4c0 [nfsd]
nfsd_dispatch+0xc1/0x200 [nfsd]
svc_process_common+0x476/0x6f0 [sunrpc]
? svc_sock_secure_port+0x12/0x30 [sunrpc]
? svc_recv+0x313/0x9c0 [sunrpc]
? nfsd_svc+0x2d0/0x2d0 [nfsd]
svc_process+0xd4/0x110 [sunrpc]
nfsd+0xe3/0x140 [nfsd]
kthread+0xf9/0x130
? nfsd_destroy+0x50/0x50 [nfsd]
? kthread_park+0x90/0x90
ret_from_fork+0x1f/0x40
The fix is to ensure that lock creation tests for whether or not the
open stateid is unhashed, and to fail if that is the case.
Fixes: 659aefb68eca ("nfsd: Ensure we don't recognise lock stateids after freeing them")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfsd/nfs4state.c | 73 ++++++++++++++++++++++++++-------------------
1 file changed, 43 insertions(+), 30 deletions(-)
diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
index c24306af9758f..655079ae1dd1f 100644
--- a/fs/nfsd/nfs4state.c
+++ b/fs/nfsd/nfs4state.c
@@ -471,6 +471,8 @@ find_any_file(struct nfs4_file *f)
{
struct file *ret;
+ if (!f)
+ return NULL;
spin_lock(&f->fi_lock);
ret = __nfs4_get_fd(f, O_RDWR);
if (!ret) {
@@ -1207,6 +1209,12 @@ static void nfs4_put_stateowner(struct nfs4_stateowner *sop)
nfs4_free_stateowner(sop);
}
+static bool
+nfs4_ol_stateid_unhashed(const struct nfs4_ol_stateid *stp)
+{
+ return list_empty(&stp->st_perfile);
+}
+
static bool unhash_ol_stateid(struct nfs4_ol_stateid *stp)
{
struct nfs4_file *fp = stp->st_stid.sc_file;
@@ -1274,9 +1282,11 @@ static bool unhash_lock_stateid(struct nfs4_ol_stateid *stp)
{
lockdep_assert_held(&stp->st_stid.sc_client->cl_lock);
+ if (!unhash_ol_stateid(stp))
+ return false;
list_del_init(&stp->st_locks);
nfs4_unhash_stid(&stp->st_stid);
- return unhash_ol_stateid(stp);
+ return true;
}
static void release_lock_stateid(struct nfs4_ol_stateid *stp)
@@ -1341,13 +1351,12 @@ static void release_open_stateid_locks(struct nfs4_ol_stateid *open_stp,
static bool unhash_open_stateid(struct nfs4_ol_stateid *stp,
struct list_head *reaplist)
{
- bool unhashed;
-
lockdep_assert_held(&stp->st_stid.sc_client->cl_lock);
- unhashed = unhash_ol_stateid(stp);
+ if (!unhash_ol_stateid(stp))
+ return false;
release_open_stateid_locks(stp, reaplist);
- return unhashed;
+ return true;
}
static void release_open_stateid(struct nfs4_ol_stateid *stp)
@@ -5774,21 +5783,21 @@ alloc_init_lock_stateowner(unsigned int strhashval, struct nfs4_client *clp,
}
static struct nfs4_ol_stateid *
-find_lock_stateid(struct nfs4_lockowner *lo, struct nfs4_file *fp)
+find_lock_stateid(const struct nfs4_lockowner *lo,
+ const struct nfs4_ol_stateid *ost)
{
struct nfs4_ol_stateid *lst;
- struct nfs4_client *clp = lo->lo_owner.so_client;
- lockdep_assert_held(&clp->cl_lock);
+ lockdep_assert_held(&ost->st_stid.sc_client->cl_lock);
- list_for_each_entry(lst, &lo->lo_owner.so_stateids, st_perstateowner) {
- if (lst->st_stid.sc_type != NFS4_LOCK_STID)
- continue;
- if (lst->st_stid.sc_file == fp) {
- refcount_inc(&lst->st_stid.sc_count);
- return lst;
+ /* If ost is not hashed, ost->st_locks will not be valid */
+ if (!nfs4_ol_stateid_unhashed(ost))
+ list_for_each_entry(lst, &ost->st_locks, st_locks) {
+ if (lst->st_stateowner == &lo->lo_owner) {
+ refcount_inc(&lst->st_stid.sc_count);
+ return lst;
+ }
}
- }
return NULL;
}
@@ -5804,11 +5813,11 @@ init_lock_stateid(struct nfs4_ol_stateid *stp, struct nfs4_lockowner *lo,
mutex_lock_nested(&stp->st_mutex, OPEN_STATEID_MUTEX);
retry:
spin_lock(&clp->cl_lock);
- spin_lock(&fp->fi_lock);
- retstp = find_lock_stateid(lo, fp);
+ if (nfs4_ol_stateid_unhashed(open_stp))
+ goto out_close;
+ retstp = find_lock_stateid(lo, open_stp);
if (retstp)
- goto out_unlock;
-
+ goto out_found;
refcount_inc(&stp->st_stid.sc_count);
stp->st_stid.sc_type = NFS4_LOCK_STID;
stp->st_stateowner = nfs4_get_stateowner(&lo->lo_owner);
@@ -5817,22 +5826,26 @@ retry:
stp->st_access_bmap = 0;
stp->st_deny_bmap = open_stp->st_deny_bmap;
stp->st_openstp = open_stp;
+ spin_lock(&fp->fi_lock);
list_add(&stp->st_locks, &open_stp->st_locks);
list_add(&stp->st_perstateowner, &lo->lo_owner.so_stateids);
list_add(&stp->st_perfile, &fp->fi_stateids);
-out_unlock:
spin_unlock(&fp->fi_lock);
spin_unlock(&clp->cl_lock);
- if (retstp) {
- if (nfsd4_lock_ol_stateid(retstp) != nfs_ok) {
- nfs4_put_stid(&retstp->st_stid);
- goto retry;
- }
- /* To keep mutex tracking happy */
- mutex_unlock(&stp->st_mutex);
- stp = retstp;
- }
return stp;
+out_found:
+ spin_unlock(&clp->cl_lock);
+ if (nfsd4_lock_ol_stateid(retstp) != nfs_ok) {
+ nfs4_put_stid(&retstp->st_stid);
+ goto retry;
+ }
+ /* To keep mutex tracking happy */
+ mutex_unlock(&stp->st_mutex);
+ return retstp;
+out_close:
+ spin_unlock(&clp->cl_lock);
+ mutex_unlock(&stp->st_mutex);
+ return NULL;
}
static struct nfs4_ol_stateid *
@@ -5847,7 +5860,7 @@ find_or_create_lock_stateid(struct nfs4_lockowner *lo, struct nfs4_file *fi,
*new = false;
spin_lock(&clp->cl_lock);
- lst = find_lock_stateid(lo, fi);
+ lst = find_lock_stateid(lo, ost);
spin_unlock(&clp->cl_lock);
if (lst != NULL) {
if (nfsd4_lock_ol_stateid(lst) == nfs_ok)
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 114/245] RDMA/cm: Remove a race freeing timewait_info
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (112 preceding siblings ...)
2020-09-29 10:59 ` [PATCH 4.19 113/245] nfsd: Dont add locks to closed or closing open stateids Greg Kroah-Hartman
@ 2020-09-29 10:59 ` Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 115/245] KVM: PPC: Book3S HV: Treat TM-related invalid form instructions on P9 like the valid ones Greg Kroah-Hartman
` (133 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:59 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Leon Romanovsky, Jason Gunthorpe,
Sasha Levin
From: Jason Gunthorpe <jgg@mellanox.com>
[ Upstream commit bede86a39d9dc3387ac00dcb8e1ac221676b2f25 ]
When creating a cm_id during REQ the id immediately becomes visible to the
other MAD handlers, and shortly after the state is moved to IB_CM_REQ_RCVD
This allows cm_rej_handler() to run concurrently and free the work:
CPU 0 CPU1
cm_req_handler()
ib_create_cm_id()
cm_match_req()
id_priv->state = IB_CM_REQ_RCVD
cm_rej_handler()
cm_acquire_id()
spin_lock(&id_priv->lock)
switch (id_priv->state)
case IB_CM_REQ_RCVD:
cm_reset_to_idle()
kfree(id_priv->timewait_info);
goto destroy
destroy:
kfree(id_priv->timewait_info);
id_priv->timewait_info = NULL
Causing a double free or worse.
Do not free the timewait_info without also holding the
id_priv->lock. Simplify this entire flow by making the free unconditional
during cm_destroy_id() and removing the confusing special case error
unwind during creation of the timewait_info.
This also fixes a leak of the timewait if cm_destroy_id() is called in
IB_CM_ESTABLISHED with an XRC TGT QP. The state machine will be left in
ESTABLISHED while it needed to transition through IB_CM_TIMEWAIT to
release the timewait pointer.
Also fix a leak of the timewait_info if the caller mis-uses the API and
does ib_send_cm_reqs().
Fixes: a977049dacde ("[PATCH] IB: Add the kernel CM implementation")
Link: https://lore.kernel.org/r/20200310092545.251365-4-leon@kernel.org
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/core/cm.c | 25 +++++++++++++++----------
1 file changed, 15 insertions(+), 10 deletions(-)
diff --git a/drivers/infiniband/core/cm.c b/drivers/infiniband/core/cm.c
index 64f206e11d497..4ebf63360a697 100644
--- a/drivers/infiniband/core/cm.c
+++ b/drivers/infiniband/core/cm.c
@@ -1100,14 +1100,22 @@ retest:
break;
}
- spin_lock_irq(&cm.lock);
+ spin_lock_irq(&cm_id_priv->lock);
+ spin_lock(&cm.lock);
+ /* Required for cleanup paths related cm_req_handler() */
+ if (cm_id_priv->timewait_info) {
+ cm_cleanup_timewait(cm_id_priv->timewait_info);
+ kfree(cm_id_priv->timewait_info);
+ cm_id_priv->timewait_info = NULL;
+ }
if (!list_empty(&cm_id_priv->altr_list) &&
(!cm_id_priv->altr_send_port_not_ready))
list_del(&cm_id_priv->altr_list);
if (!list_empty(&cm_id_priv->prim_list) &&
(!cm_id_priv->prim_send_port_not_ready))
list_del(&cm_id_priv->prim_list);
- spin_unlock_irq(&cm.lock);
+ spin_unlock(&cm.lock);
+ spin_unlock_irq(&cm_id_priv->lock);
cm_free_id(cm_id->local_id);
cm_deref_id(cm_id_priv);
@@ -1424,7 +1432,7 @@ int ib_send_cm_req(struct ib_cm_id *cm_id,
/* Verify that we're not in timewait. */
cm_id_priv = container_of(cm_id, struct cm_id_private, id);
spin_lock_irqsave(&cm_id_priv->lock, flags);
- if (cm_id->state != IB_CM_IDLE) {
+ if (cm_id->state != IB_CM_IDLE || WARN_ON(cm_id_priv->timewait_info)) {
spin_unlock_irqrestore(&cm_id_priv->lock, flags);
ret = -EINVAL;
goto out;
@@ -1442,12 +1450,12 @@ int ib_send_cm_req(struct ib_cm_id *cm_id,
param->ppath_sgid_attr, &cm_id_priv->av,
cm_id_priv);
if (ret)
- goto error1;
+ goto out;
if (param->alternate_path) {
ret = cm_init_av_by_path(param->alternate_path, NULL,
&cm_id_priv->alt_av, cm_id_priv);
if (ret)
- goto error1;
+ goto out;
}
cm_id->service_id = param->service_id;
cm_id->service_mask = ~cpu_to_be64(0);
@@ -1465,7 +1473,7 @@ int ib_send_cm_req(struct ib_cm_id *cm_id,
ret = cm_alloc_msg(cm_id_priv, &cm_id_priv->msg);
if (ret)
- goto error1;
+ goto out;
req_msg = (struct cm_req_msg *) cm_id_priv->msg->mad;
cm_format_req(req_msg, cm_id_priv, param);
@@ -1488,7 +1496,6 @@ int ib_send_cm_req(struct ib_cm_id *cm_id,
return 0;
error2: cm_free_msg(cm_id_priv->msg);
-error1: kfree(cm_id_priv->timewait_info);
out: return ret;
}
EXPORT_SYMBOL(ib_send_cm_req);
@@ -1973,7 +1980,7 @@ static int cm_req_handler(struct cm_work *work)
pr_debug("%s: local_id %d, no listen_cm_id_priv\n", __func__,
be32_to_cpu(cm_id->local_id));
ret = -EINVAL;
- goto free_timeinfo;
+ goto destroy;
}
cm_id_priv->id.cm_handler = listen_cm_id_priv->id.cm_handler;
@@ -2057,8 +2064,6 @@ static int cm_req_handler(struct cm_work *work)
rejected:
atomic_dec(&cm_id_priv->refcount);
cm_deref_id(listen_cm_id_priv);
-free_timeinfo:
- kfree(cm_id_priv->timewait_info);
destroy:
ib_destroy_cm_id(cm_id);
return ret;
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 115/245] KVM: PPC: Book3S HV: Treat TM-related invalid form instructions on P9 like the valid ones
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (113 preceding siblings ...)
2020-09-29 10:59 ` [PATCH 4.19 114/245] RDMA/cm: Remove a race freeing timewait_info Greg Kroah-Hartman
@ 2020-09-29 10:59 ` Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 116/245] drm/msm: fix leaks if initialization fails Greg Kroah-Hartman
` (132 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:59 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Gustavo Romero, Segher Boessenkool,
Michael Neuling, Leonardo Bras, Paul Mackerras, Sasha Levin
From: Gustavo Romero <gromero@linux.ibm.com>
[ Upstream commit 1dff3064c764b5a51c367b949b341d2e38972bec ]
On P9 DD2.2 due to a CPU defect some TM instructions need to be emulated by
KVM. This is handled at first by the hardware raising a softpatch interrupt
when certain TM instructions that need KVM assistance are executed in the
guest. Althought some TM instructions per Power ISA are invalid forms they
can raise a softpatch interrupt too. For instance, 'tresume.' instruction
as defined in the ISA must have bit 31 set (1), but an instruction that
matches 'tresume.' PO and XO opcode fields but has bit 31 not set (0), like
0x7cfe9ddc, also raises a softpatch interrupt. Similarly for 'treclaim.'
and 'trechkpt.' instructions with bit 31 = 0, i.e. 0x7c00075c and
0x7c0007dc, respectively. Hence, if a code like the following is executed
in the guest it will raise a softpatch interrupt just like a 'tresume.'
when the TM facility is enabled ('tabort. 0' in the example is used only
to enable the TM facility):
int main() { asm("tabort. 0; .long 0x7cfe9ddc;"); }
Currently in such a case KVM throws a complete trace like:
[345523.705984] WARNING: CPU: 24 PID: 64413 at arch/powerpc/kvm/book3s_hv_tm.c:211 kvmhv_p9_tm_emulation+0x68/0x620 [kvm_hv]
[345523.705985] Modules linked in: kvm_hv(E) xt_conntrack ipt_REJECT nf_reject_ipv4 xt_tcpudp ip6table_mangle ip6table_nat
iptable_mangle iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ebtable_filter ebtables ip6table_filter
ip6_tables iptable_filter bridge stp llc sch_fq_codel ipmi_powernv at24 vmx_crypto ipmi_devintf ipmi_msghandler
ibmpowernv uio_pdrv_genirq kvm opal_prd uio leds_powernv ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp
libiscsi scsi_transport_iscsi ip_tables x_tables autofs4 btrfs blake2b_generic zstd_compress raid10 raid456
async_raid6_recov async_memcpy async_pq async_xor async_tx libcrc32c xor raid6_pq raid1 raid0 multipath linear tg3
crct10dif_vpmsum crc32c_vpmsum ipr [last unloaded: kvm_hv]
[345523.706030] CPU: 24 PID: 64413 Comm: CPU 0/KVM Tainted: G W E 5.5.0+ #1
[345523.706031] NIP: c0080000072cb9c0 LR: c0080000072b5e80 CTR: c0080000085c7850
[345523.706034] REGS: c000000399467680 TRAP: 0700 Tainted: G W E (5.5.0+)
[345523.706034] MSR: 900000010282b033 <SF,HV,VEC,VSX,EE,FP,ME,IR,DR,RI,LE,TM[E]> CR: 24022428 XER: 00000000
[345523.706042] CFAR: c0080000072b5e7c IRQMASK: 0
GPR00: c0080000072b5e80 c000000399467910 c0080000072db500 c000000375ccc720
GPR04: c000000375ccc720 00000003fbec0000 0000a10395dda5a6 0000000000000000
GPR08: 000000007cfe9ddc 7cfe9ddc000005dc 7cfe9ddc7c0005dc c0080000072cd530
GPR12: c0080000085c7850 c0000003fffeb800 0000000000000001 00007dfb737f0000
GPR16: c0002001edcca558 0000000000000000 0000000000000000 0000000000000001
GPR20: c000000001b21258 c0002001edcca558 0000000000000018 0000000000000000
GPR24: 0000000001000000 ffffffffffffffff 0000000000000001 0000000000001500
GPR28: c0002001edcc4278 c00000037dd80000 800000050280f033 c000000375ccc720
[345523.706062] NIP [c0080000072cb9c0] kvmhv_p9_tm_emulation+0x68/0x620 [kvm_hv]
[345523.706065] LR [c0080000072b5e80] kvmppc_handle_exit_hv.isra.53+0x3e8/0x798 [kvm_hv]
[345523.706066] Call Trace:
[345523.706069] [c000000399467910] [c000000399467940] 0xc000000399467940 (unreliable)
[345523.706071] [c000000399467950] [c000000399467980] 0xc000000399467980
[345523.706075] [c0000003994679f0] [c0080000072bd1c4] kvmhv_run_single_vcpu+0xa1c/0xb80 [kvm_hv]
[345523.706079] [c000000399467ac0] [c0080000072bd8e0] kvmppc_vcpu_run_hv+0x5b8/0xb00 [kvm_hv]
[345523.706087] [c000000399467b90] [c0080000085c93cc] kvmppc_vcpu_run+0x34/0x48 [kvm]
[345523.706095] [c000000399467bb0] [c0080000085c582c] kvm_arch_vcpu_ioctl_run+0x244/0x420 [kvm]
[345523.706101] [c000000399467c40] [c0080000085b7498] kvm_vcpu_ioctl+0x3d0/0x7b0 [kvm]
[345523.706105] [c000000399467db0] [c0000000004adf9c] ksys_ioctl+0x13c/0x170
[345523.706107] [c000000399467e00] [c0000000004adff8] sys_ioctl+0x28/0x80
[345523.706111] [c000000399467e20] [c00000000000b278] system_call+0x5c/0x68
[345523.706112] Instruction dump:
[345523.706114] 419e0390 7f8a4840 409d0048 6d497c00 2f89075d 419e021c 6d497c00 2f8907dd
[345523.706119] 419e01c0 6d497c00 2f8905dd 419e00a4 <0fe00000> 38210040 38600000 ebc1fff0
and then treats the executed instruction as a 'nop'.
However the POWER9 User's Manual, in section "4.6.10 Book II Invalid
Forms", informs that for TM instructions bit 31 is in fact ignored, thus
for the TM-related invalid forms ignoring bit 31 and handling them like the
valid forms is an acceptable way to handle them. POWER8 behaves the same
way too.
This commit changes the handling of the cases here described by treating
the TM-related invalid forms that can generate a softpatch interrupt
just like their valid forms (w/ bit 31 = 1) instead of as a 'nop' and by
gently reporting any other unrecognized case to the host and treating it as
illegal instruction instead of throwing a trace and treating it as a 'nop'.
Signed-off-by: Gustavo Romero <gromero@linux.ibm.com>
Reviewed-by: Segher Boessenkool <segher@kernel.crashing.org>
Acked-By: Michael Neuling <mikey@neuling.org>
Reviewed-by: Leonardo Bras <leonardo@linux.ibm.com>
Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/include/asm/kvm_asm.h | 3 +++
arch/powerpc/kvm/book3s_hv_tm.c | 28 ++++++++++++++++++++-----
arch/powerpc/kvm/book3s_hv_tm_builtin.c | 16 ++++++++++++--
3 files changed, 40 insertions(+), 7 deletions(-)
diff --git a/arch/powerpc/include/asm/kvm_asm.h b/arch/powerpc/include/asm/kvm_asm.h
index a790d5cf6ea37..684e8ae00d160 100644
--- a/arch/powerpc/include/asm/kvm_asm.h
+++ b/arch/powerpc/include/asm/kvm_asm.h
@@ -163,4 +163,7 @@
#define KVM_INST_FETCH_FAILED -1
+/* Extract PO and XOP opcode fields */
+#define PO_XOP_OPCODE_MASK 0xfc0007fe
+
#endif /* __POWERPC_KVM_ASM_H__ */
diff --git a/arch/powerpc/kvm/book3s_hv_tm.c b/arch/powerpc/kvm/book3s_hv_tm.c
index 31cd0f327c8a2..e7fd60cf97804 100644
--- a/arch/powerpc/kvm/book3s_hv_tm.c
+++ b/arch/powerpc/kvm/book3s_hv_tm.c
@@ -6,6 +6,8 @@
* published by the Free Software Foundation.
*/
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+
#include <linux/kvm_host.h>
#include <asm/kvm_ppc.h>
@@ -47,7 +49,18 @@ int kvmhv_p9_tm_emulation(struct kvm_vcpu *vcpu)
u64 newmsr, bescr;
int ra, rs;
- switch (instr & 0xfc0007ff) {
+ /*
+ * rfid, rfebb, and mtmsrd encode bit 31 = 0 since it's a reserved bit
+ * in these instructions, so masking bit 31 out doesn't change these
+ * instructions. For treclaim., tsr., and trechkpt. instructions if bit
+ * 31 = 0 then they are per ISA invalid forms, however P9 UM, in section
+ * 4.6.10 Book II Invalid Forms, informs specifically that ignoring bit
+ * 31 is an acceptable way to handle these invalid forms that have
+ * bit 31 = 0. Moreover, for emulation purposes both forms (w/ and wo/
+ * bit 31 set) can generate a softpatch interrupt. Hence both forms
+ * are handled below for these instructions so they behave the same way.
+ */
+ switch (instr & PO_XOP_OPCODE_MASK) {
case PPC_INST_RFID:
/* XXX do we need to check for PR=0 here? */
newmsr = vcpu->arch.shregs.srr1;
@@ -108,7 +121,8 @@ int kvmhv_p9_tm_emulation(struct kvm_vcpu *vcpu)
vcpu->arch.shregs.msr = newmsr;
return RESUME_GUEST;
- case PPC_INST_TSR:
+ /* ignore bit 31, see comment above */
+ case (PPC_INST_TSR & PO_XOP_OPCODE_MASK):
/* check for PR=1 and arch 2.06 bit set in PCR */
if ((msr & MSR_PR) && (vcpu->arch.vcore->pcr & PCR_ARCH_206)) {
/* generate an illegal instruction interrupt */
@@ -143,7 +157,8 @@ int kvmhv_p9_tm_emulation(struct kvm_vcpu *vcpu)
vcpu->arch.shregs.msr = msr;
return RESUME_GUEST;
- case PPC_INST_TRECLAIM:
+ /* ignore bit 31, see comment above */
+ case (PPC_INST_TRECLAIM & PO_XOP_OPCODE_MASK):
/* check for TM disabled in the HFSCR or MSR */
if (!(vcpu->arch.hfscr & HFSCR_TM)) {
/* generate an illegal instruction interrupt */
@@ -179,7 +194,8 @@ int kvmhv_p9_tm_emulation(struct kvm_vcpu *vcpu)
vcpu->arch.shregs.msr &= ~MSR_TS_MASK;
return RESUME_GUEST;
- case PPC_INST_TRECHKPT:
+ /* ignore bit 31, see comment above */
+ case (PPC_INST_TRECHKPT & PO_XOP_OPCODE_MASK):
/* XXX do we need to check for PR=0 here? */
/* check for TM disabled in the HFSCR or MSR */
if (!(vcpu->arch.hfscr & HFSCR_TM)) {
@@ -211,6 +227,8 @@ int kvmhv_p9_tm_emulation(struct kvm_vcpu *vcpu)
}
/* What should we do here? We didn't recognize the instruction */
- WARN_ON_ONCE(1);
+ kvmppc_core_queue_program(vcpu, SRR1_PROGILL);
+ pr_warn_ratelimited("Unrecognized TM-related instruction %#x for emulation", instr);
+
return RESUME_GUEST;
}
diff --git a/arch/powerpc/kvm/book3s_hv_tm_builtin.c b/arch/powerpc/kvm/book3s_hv_tm_builtin.c
index 3cf5863bc06e8..3c7ca2fa19597 100644
--- a/arch/powerpc/kvm/book3s_hv_tm_builtin.c
+++ b/arch/powerpc/kvm/book3s_hv_tm_builtin.c
@@ -26,7 +26,18 @@ int kvmhv_p9_tm_emulation_early(struct kvm_vcpu *vcpu)
u64 newmsr, msr, bescr;
int rs;
- switch (instr & 0xfc0007ff) {
+ /*
+ * rfid, rfebb, and mtmsrd encode bit 31 = 0 since it's a reserved bit
+ * in these instructions, so masking bit 31 out doesn't change these
+ * instructions. For the tsr. instruction if bit 31 = 0 then it is per
+ * ISA an invalid form, however P9 UM, in section 4.6.10 Book II Invalid
+ * Forms, informs specifically that ignoring bit 31 is an acceptable way
+ * to handle TM-related invalid forms that have bit 31 = 0. Moreover,
+ * for emulation purposes both forms (w/ and wo/ bit 31 set) can
+ * generate a softpatch interrupt. Hence both forms are handled below
+ * for tsr. to make them behave the same way.
+ */
+ switch (instr & PO_XOP_OPCODE_MASK) {
case PPC_INST_RFID:
/* XXX do we need to check for PR=0 here? */
newmsr = vcpu->arch.shregs.srr1;
@@ -76,7 +87,8 @@ int kvmhv_p9_tm_emulation_early(struct kvm_vcpu *vcpu)
vcpu->arch.shregs.msr = newmsr;
return 1;
- case PPC_INST_TSR:
+ /* ignore bit 31, see comment above */
+ case (PPC_INST_TSR & PO_XOP_OPCODE_MASK):
/* we know the MSR has the TS field = S (0b01) here */
msr = vcpu->arch.shregs.msr;
/* check for PR=1 and arch 2.06 bit set in PCR */
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 116/245] drm/msm: fix leaks if initialization fails
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (114 preceding siblings ...)
2020-09-29 10:59 ` [PATCH 4.19 115/245] KVM: PPC: Book3S HV: Treat TM-related invalid form instructions on P9 like the valid ones Greg Kroah-Hartman
@ 2020-09-29 10:59 ` Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 117/245] drm/msm/a5xx: Always set an OPP supported hardware value Greg Kroah-Hartman
` (131 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:59 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Pavel Machek, Rob Clark, Sasha Levin
From: Pavel Machek <pavel@denx.de>
[ Upstream commit 66be340f827554cb1c8a1ed7dea97920b4085af2 ]
We should free resources in unlikely case of allocation failure.
Signed-off-by: Pavel Machek <pavel@denx.de>
Signed-off-by: Rob Clark <robdclark@chromium.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/msm/msm_drv.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/msm/msm_drv.c b/drivers/gpu/drm/msm/msm_drv.c
index 7f45486b6650b..3ba3ae9749bec 100644
--- a/drivers/gpu/drm/msm/msm_drv.c
+++ b/drivers/gpu/drm/msm/msm_drv.c
@@ -495,8 +495,10 @@ static int msm_drm_init(struct device *dev, struct drm_driver *drv)
if (!dev->dma_parms) {
dev->dma_parms = devm_kzalloc(dev, sizeof(*dev->dma_parms),
GFP_KERNEL);
- if (!dev->dma_parms)
- return -ENOMEM;
+ if (!dev->dma_parms) {
+ ret = -ENOMEM;
+ goto err_msm_uninit;
+ }
}
dma_set_max_seg_size(dev, DMA_BIT_MASK(32));
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 117/245] drm/msm/a5xx: Always set an OPP supported hardware value
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (115 preceding siblings ...)
2020-09-29 10:59 ` [PATCH 4.19 116/245] drm/msm: fix leaks if initialization fails Greg Kroah-Hartman
@ 2020-09-29 10:59 ` Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 118/245] tracing: Use address-of operator on section symbols Greg Kroah-Hartman
` (130 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:59 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Jordan Crouse, Eric Anholt,
Rob Clark, Sasha Levin
From: Jordan Crouse <jcrouse@codeaurora.org>
[ Upstream commit 0478b4fc5f37f4d494245fe7bcce3f531cf380e9 ]
If the opp table specifies opp-supported-hw as a property but the driver
has not set a supported hardware value the OPP subsystem will reject
all the table entries.
Set a "default" value that will match the default table entries but not
conflict with any possible real bin values. Also fix a small memory leak
and free the buffer allocated by nvmem_cell_read().
Signed-off-by: Jordan Crouse <jcrouse@codeaurora.org>
Reviewed-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Rob Clark <robdclark@chromium.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/msm/adreno/a5xx_gpu.c | 27 ++++++++++++++++++++-------
1 file changed, 20 insertions(+), 7 deletions(-)
diff --git a/drivers/gpu/drm/msm/adreno/a5xx_gpu.c b/drivers/gpu/drm/msm/adreno/a5xx_gpu.c
index 1fc9a7fa37b45..d29a58bd2f7a3 100644
--- a/drivers/gpu/drm/msm/adreno/a5xx_gpu.c
+++ b/drivers/gpu/drm/msm/adreno/a5xx_gpu.c
@@ -1474,18 +1474,31 @@ static const struct adreno_gpu_funcs funcs = {
static void check_speed_bin(struct device *dev)
{
struct nvmem_cell *cell;
- u32 bin, val;
+ u32 val;
+
+ /*
+ * If the OPP table specifies a opp-supported-hw property then we have
+ * to set something with dev_pm_opp_set_supported_hw() or the table
+ * doesn't get populated so pick an arbitrary value that should
+ * ensure the default frequencies are selected but not conflict with any
+ * actual bins
+ */
+ val = 0x80;
cell = nvmem_cell_get(dev, "speed_bin");
- /* If a nvmem cell isn't defined, nothing to do */
- if (IS_ERR(cell))
- return;
+ if (!IS_ERR(cell)) {
+ void *buf = nvmem_cell_read(cell, NULL);
+
+ if (!IS_ERR(buf)) {
+ u8 bin = *((u8 *) buf);
- bin = *((u32 *) nvmem_cell_read(cell, NULL));
- nvmem_cell_put(cell);
+ val = (1 << bin);
+ kfree(buf);
+ }
- val = (1 << bin);
+ nvmem_cell_put(cell);
+ }
dev_pm_opp_set_supported_hw(dev, &val, 1);
}
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 118/245] tracing: Use address-of operator on section symbols
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (116 preceding siblings ...)
2020-09-29 10:59 ` [PATCH 4.19 117/245] drm/msm/a5xx: Always set an OPP supported hardware value Greg Kroah-Hartman
@ 2020-09-29 10:59 ` Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 119/245] thermal: rcar_thermal: Handle probe error gracefully Greg Kroah-Hartman
` (129 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:59 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Nick Desaulniers, Nathan Chancellor,
Steven Rostedt (VMware),
Sasha Levin
From: Nathan Chancellor <natechancellor@gmail.com>
[ Upstream commit bf2cbe044da275021b2de5917240411a19e5c50d ]
Clang warns:
../kernel/trace/trace.c:9335:33: warning: array comparison always
evaluates to true [-Wtautological-compare]
if (__stop___trace_bprintk_fmt != __start___trace_bprintk_fmt)
^
1 warning generated.
These are not true arrays, they are linker defined symbols, which are
just addresses. Using the address of operator silences the warning and
does not change the runtime result of the check (tested with some print
statements compiled in with clang + ld.lld and gcc + ld.bfd in QEMU).
Link: http://lkml.kernel.org/r/20200220051011.26113-1-natechancellor@gmail.com
Link: https://github.com/ClangBuiltLinux/linux/issues/893
Suggested-by: Nick Desaulniers <ndesaulniers@google.com>
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/trace/trace.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
index 17505a22d800b..6bf617ff03694 100644
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -8529,7 +8529,7 @@ __init static int tracer_alloc_buffers(void)
goto out_free_buffer_mask;
/* Only allocate trace_printk buffers if a trace_printk exists */
- if (__stop___trace_bprintk_fmt != __start___trace_bprintk_fmt)
+ if (&__stop___trace_bprintk_fmt != &__start___trace_bprintk_fmt)
/* Must be called before global_trace.buffer is allocated */
trace_printk_init_buffers();
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 119/245] thermal: rcar_thermal: Handle probe error gracefully
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (117 preceding siblings ...)
2020-09-29 10:59 ` [PATCH 4.19 118/245] tracing: Use address-of operator on section symbols Greg Kroah-Hartman
@ 2020-09-29 10:59 ` Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 120/245] perf parse-events: Fix 3 use after frees found with clang ASAN Greg Kroah-Hartman
` (128 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:59 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Niklas Söderlund,
Geert Uytterhoeven, Daniel Lezcano, Sasha Levin
From: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
[ Upstream commit 39056e8a989ef52486e063e34b4822b341e47b0e ]
If the common register memory resource is not available the driver needs
to fail gracefully to disable PM. Instead of returning the error
directly store it in ret and use the already existing error path.
Signed-off-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
Link: https://lore.kernel.org/r/20200310114709.1483860-1-niklas.soderlund+renesas@ragnatech.se
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/thermal/rcar_thermal.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/thermal/rcar_thermal.c b/drivers/thermal/rcar_thermal.c
index 4dc30e7890f6c..140386d7c75a3 100644
--- a/drivers/thermal/rcar_thermal.c
+++ b/drivers/thermal/rcar_thermal.c
@@ -505,8 +505,10 @@ static int rcar_thermal_probe(struct platform_device *pdev)
res = platform_get_resource(pdev, IORESOURCE_MEM,
mres++);
common->base = devm_ioremap_resource(dev, res);
- if (IS_ERR(common->base))
- return PTR_ERR(common->base);
+ if (IS_ERR(common->base)) {
+ ret = PTR_ERR(common->base);
+ goto error_unregister;
+ }
idle = 0; /* polling delay is not needed */
}
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 120/245] perf parse-events: Fix 3 use after frees found with clang ASAN
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (118 preceding siblings ...)
2020-09-29 10:59 ` [PATCH 4.19 119/245] thermal: rcar_thermal: Handle probe error gracefully Greg Kroah-Hartman
@ 2020-09-29 10:59 ` Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 121/245] serial: 8250_port: Dont service RX FIFO if throttled Greg Kroah-Hartman
` (127 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:59 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Ian Rogers, Jiri Olsa, Adrian Hunter,
Alexander Shishkin, Andi Kleen, Leo Yan, Mark Rutland,
Namhyung Kim, Peter Zijlstra, Stephane Eranian,
clang-built-linux, Arnaldo Carvalho de Melo, Sasha Levin
From: Ian Rogers <irogers@google.com>
[ Upstream commit d4953f7ef1a2e87ef732823af35361404d13fea8 ]
Reproducible with a clang asan build and then running perf test in
particular 'Parse event definition strings'.
Signed-off-by: Ian Rogers <irogers@google.com>
Acked-by: Jiri Olsa <jolsa@redhat.com>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Andi Kleen <ak@linux.intel.com>
Cc: Leo Yan <leo.yan@linaro.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Stephane Eranian <eranian@google.com>
Cc: clang-built-linux@googlegroups.com
Link: http://lore.kernel.org/lkml/20200314170356.62914-1-irogers@google.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/util/evsel.c | 1 +
tools/perf/util/parse-events.c | 4 ++--
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c
index 4fad92213609f..68c5ab0e1800b 100644
--- a/tools/perf/util/evsel.c
+++ b/tools/perf/util/evsel.c
@@ -1290,6 +1290,7 @@ void perf_evsel__exit(struct perf_evsel *evsel)
thread_map__put(evsel->threads);
zfree(&evsel->group_name);
zfree(&evsel->name);
+ zfree(&evsel->pmu_name);
perf_evsel__object.fini(evsel);
}
diff --git a/tools/perf/util/parse-events.c b/tools/perf/util/parse-events.c
index 95043cae57740..6d087d9acd5ee 100644
--- a/tools/perf/util/parse-events.c
+++ b/tools/perf/util/parse-events.c
@@ -1261,7 +1261,7 @@ int parse_events_add_pmu(struct parse_events_state *parse_state,
attr.type = pmu->type;
evsel = __add_event(list, &parse_state->idx, &attr, NULL, pmu, NULL, auto_merge_stats);
if (evsel) {
- evsel->pmu_name = name;
+ evsel->pmu_name = name ? strdup(name) : NULL;
evsel->use_uncore_alias = use_uncore_alias;
return 0;
} else {
@@ -1302,7 +1302,7 @@ int parse_events_add_pmu(struct parse_events_state *parse_state,
evsel->snapshot = info.snapshot;
evsel->metric_expr = info.metric_expr;
evsel->metric_name = info.metric_name;
- evsel->pmu_name = name;
+ evsel->pmu_name = name ? strdup(name) : NULL;
evsel->use_uncore_alias = use_uncore_alias;
}
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 121/245] serial: 8250_port: Dont service RX FIFO if throttled
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (119 preceding siblings ...)
2020-09-29 10:59 ` [PATCH 4.19 120/245] perf parse-events: Fix 3 use after frees found with clang ASAN Greg Kroah-Hartman
@ 2020-09-29 10:59 ` Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 122/245] serial: 8250_omap: Fix sleeping function called from invalid context during probe Greg Kroah-Hartman
` (126 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:59 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Vignesh Raghavendra, Sasha Levin
From: Vignesh Raghavendra <vigneshr@ti.com>
[ Upstream commit f19c3f6c8109b8bab000afd35580929958e087a9 ]
When port's throttle callback is called, it should stop pushing any more
data into TTY buffer to avoid buffer overflow. This means driver has to
stop HW from receiving more data and assert the HW flow control. For
UARTs with auto HW flow control (such as 8250_omap) manual assertion of
flow control line is not possible and only way is to allow RX FIFO to
fill up, thus trigger auto HW flow control logic.
Therefore make sure that 8250 generic IRQ handler does not drain data
when port is stopped (i.e UART_LSR_DR is unset in read_status_mask). Not
servicing, RX FIFO would trigger auto HW flow control when FIFO
occupancy reaches preset threshold, thus halting RX.
Since, error conditions in UART_LSR register are cleared just by reading
the register, data has to be drained in case there are FIFO errors, else
error information will lost.
Signed-off-by: Vignesh Raghavendra <vigneshr@ti.com>
Link: https://lore.kernel.org/r/20200319103230.16867-2-vigneshr@ti.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/tty/serial/8250/8250_port.c | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/drivers/tty/serial/8250/8250_port.c b/drivers/tty/serial/8250/8250_port.c
index 09f0dc3b967b1..60ca19eca1f63 100644
--- a/drivers/tty/serial/8250/8250_port.c
+++ b/drivers/tty/serial/8250/8250_port.c
@@ -1861,6 +1861,7 @@ int serial8250_handle_irq(struct uart_port *port, unsigned int iir)
unsigned char status;
unsigned long flags;
struct uart_8250_port *up = up_to_u8250p(port);
+ bool skip_rx = false;
if (iir & UART_IIR_NO_INT)
return 0;
@@ -1869,7 +1870,20 @@ int serial8250_handle_irq(struct uart_port *port, unsigned int iir)
status = serial_port_in(port, UART_LSR);
- if (status & (UART_LSR_DR | UART_LSR_BI)) {
+ /*
+ * If port is stopped and there are no error conditions in the
+ * FIFO, then don't drain the FIFO, as this may lead to TTY buffer
+ * overflow. Not servicing, RX FIFO would trigger auto HW flow
+ * control when FIFO occupancy reaches preset threshold, thus
+ * halting RX. This only works when auto HW flow control is
+ * available.
+ */
+ if (!(status & (UART_LSR_FIFOE | UART_LSR_BRK_ERROR_BITS)) &&
+ (port->status & (UPSTAT_AUTOCTS | UPSTAT_AUTORTS)) &&
+ !(port->read_status_mask & UART_LSR_DR))
+ skip_rx = true;
+
+ if (status & (UART_LSR_DR | UART_LSR_BI) && !skip_rx) {
if (!up->dma || handle_rx_dma(up, iir))
status = serial8250_rx_chars(up, status);
}
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 122/245] serial: 8250_omap: Fix sleeping function called from invalid context during probe
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (120 preceding siblings ...)
2020-09-29 10:59 ` [PATCH 4.19 121/245] serial: 8250_port: Dont service RX FIFO if throttled Greg Kroah-Hartman
@ 2020-09-29 10:59 ` Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 123/245] serial: 8250: 8250_omap: Terminate DMA before pushing data on RX timeout Greg Kroah-Hartman
` (125 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:59 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Tomi Valkeinen, Peter Ujfalusi, Sasha Levin
From: Peter Ujfalusi <peter.ujfalusi@ti.com>
[ Upstream commit 4ce35a3617c0ac758c61122b2218b6c8c9ac9398 ]
When booting j721e the following bug is printed:
[ 1.154821] BUG: sleeping function called from invalid context at kernel/sched/completion.c:99
[ 1.154827] in_atomic(): 0, irqs_disabled(): 128, non_block: 0, pid: 12, name: kworker/0:1
[ 1.154832] 3 locks held by kworker/0:1/12:
[ 1.154836] #0: ffff000840030728 ((wq_completion)events){+.+.}, at: process_one_work+0x1d4/0x6e8
[ 1.154852] #1: ffff80001214fdd8 (deferred_probe_work){+.+.}, at: process_one_work+0x1d4/0x6e8
[ 1.154860] #2: ffff00084060b170 (&dev->mutex){....}, at: __device_attach+0x38/0x138
[ 1.154872] irq event stamp: 63096
[ 1.154881] hardirqs last enabled at (63095): [<ffff800010b74318>] _raw_spin_unlock_irqrestore+0x70/0x78
[ 1.154887] hardirqs last disabled at (63096): [<ffff800010b740d8>] _raw_spin_lock_irqsave+0x28/0x80
[ 1.154893] softirqs last enabled at (62254): [<ffff800010080c88>] _stext+0x488/0x564
[ 1.154899] softirqs last disabled at (62247): [<ffff8000100fdb3c>] irq_exit+0x114/0x140
[ 1.154906] CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.6.0-rc6-next-20200318-00094-g45e4089b0bd3 #221
[ 1.154911] Hardware name: Texas Instruments K3 J721E SoC (DT)
[ 1.154917] Workqueue: events deferred_probe_work_func
[ 1.154923] Call trace:
[ 1.154928] dump_backtrace+0x0/0x190
[ 1.154933] show_stack+0x14/0x20
[ 1.154940] dump_stack+0xe0/0x148
[ 1.154946] ___might_sleep+0x150/0x1f0
[ 1.154952] __might_sleep+0x4c/0x80
[ 1.154957] wait_for_completion_timeout+0x40/0x140
[ 1.154964] ti_sci_set_device_state+0xa0/0x158
[ 1.154969] ti_sci_cmd_get_device_exclusive+0x14/0x20
[ 1.154977] ti_sci_dev_start+0x34/0x50
[ 1.154984] genpd_runtime_resume+0x78/0x1f8
[ 1.154991] __rpm_callback+0x3c/0x140
[ 1.154996] rpm_callback+0x20/0x80
[ 1.155001] rpm_resume+0x568/0x758
[ 1.155007] __pm_runtime_resume+0x44/0xb0
[ 1.155013] omap8250_probe+0x2b4/0x508
[ 1.155019] platform_drv_probe+0x50/0xa0
[ 1.155023] really_probe+0xd4/0x318
[ 1.155028] driver_probe_device+0x54/0xe8
[ 1.155033] __device_attach_driver+0x80/0xb8
[ 1.155039] bus_for_each_drv+0x74/0xc0
[ 1.155044] __device_attach+0xdc/0x138
[ 1.155049] device_initial_probe+0x10/0x18
[ 1.155053] bus_probe_device+0x98/0xa0
[ 1.155058] deferred_probe_work_func+0x74/0xb0
[ 1.155063] process_one_work+0x280/0x6e8
[ 1.155068] worker_thread+0x48/0x430
[ 1.155073] kthread+0x108/0x138
[ 1.155079] ret_from_fork+0x10/0x18
To fix the bug we need to first call pm_runtime_enable() prior to any
pm_runtime calls.
Reported-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
Link: https://lore.kernel.org/r/20200320125200.6772-1-peter.ujfalusi@ti.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/tty/serial/8250/8250_omap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/tty/serial/8250/8250_omap.c b/drivers/tty/serial/8250/8250_omap.c
index a019286f8bb65..a7e555e413a69 100644
--- a/drivers/tty/serial/8250/8250_omap.c
+++ b/drivers/tty/serial/8250/8250_omap.c
@@ -1227,11 +1227,11 @@ static int omap8250_probe(struct platform_device *pdev)
spin_lock_init(&priv->rx_dma_lock);
device_init_wakeup(&pdev->dev, true);
+ pm_runtime_enable(&pdev->dev);
pm_runtime_use_autosuspend(&pdev->dev);
pm_runtime_set_autosuspend_delay(&pdev->dev, -1);
pm_runtime_irq_safe(&pdev->dev);
- pm_runtime_enable(&pdev->dev);
pm_runtime_get_sync(&pdev->dev);
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 123/245] serial: 8250: 8250_omap: Terminate DMA before pushing data on RX timeout
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (121 preceding siblings ...)
2020-09-29 10:59 ` [PATCH 4.19 122/245] serial: 8250_omap: Fix sleeping function called from invalid context during probe Greg Kroah-Hartman
@ 2020-09-29 10:59 ` Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 124/245] perf cpumap: Fix snprintf overflow check Greg Kroah-Hartman
` (124 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:59 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Vignesh Raghavendra, Sasha Levin
From: Vignesh Raghavendra <vigneshr@ti.com>
[ Upstream commit 7cf4df30a98175033e9849f7f16c46e96ba47f41 ]
Terminate and flush DMA internal buffers, before pushing RX data to
higher layer. Otherwise, this will lead to data corruption, as driver
would end up pushing stale buffer data to higher layer while actual data
is still stuck inside DMA hardware and has yet not arrived at the
memory.
While at that, replace deprecated dmaengine_terminate_all() with
dmaengine_terminate_async().
Signed-off-by: Vignesh Raghavendra <vigneshr@ti.com>
Link: https://lore.kernel.org/r/20200319110344.21348-2-vigneshr@ti.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/tty/serial/8250/8250_omap.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/tty/serial/8250/8250_omap.c b/drivers/tty/serial/8250/8250_omap.c
index a7e555e413a69..cbd006fb7fbb9 100644
--- a/drivers/tty/serial/8250/8250_omap.c
+++ b/drivers/tty/serial/8250/8250_omap.c
@@ -781,7 +781,10 @@ static void __dma_rx_do_complete(struct uart_8250_port *p)
dmaengine_tx_status(dma->rxchan, dma->rx_cookie, &state);
count = dma->rx_size - state.residue;
-
+ if (count < dma->rx_size)
+ dmaengine_terminate_async(dma->rxchan);
+ if (!count)
+ goto unlock;
ret = tty_insert_flip_string(tty_port, dma->rx_buf, count);
p->port.icount.rx += ret;
@@ -843,7 +846,6 @@ static void omap_8250_rx_dma_flush(struct uart_8250_port *p)
spin_unlock_irqrestore(&priv->rx_dma_lock, flags);
__dma_rx_do_complete(p);
- dmaengine_terminate_all(dma->rxchan);
}
static int omap_8250_rx_dma(struct uart_8250_port *p)
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 124/245] perf cpumap: Fix snprintf overflow check
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (122 preceding siblings ...)
2020-09-29 10:59 ` [PATCH 4.19 123/245] serial: 8250: 8250_omap: Terminate DMA before pushing data on RX timeout Greg Kroah-Hartman
@ 2020-09-29 10:59 ` Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 125/245] cpufreq: powernv: Fix frame-size-overflow in powernv_cpufreq_work_fn Greg Kroah-Hartman
` (123 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:59 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Christophe JAILLET, David Laight,
Alexander Shishkin, Don Zickus, He Zhe, Jan Stancek, Jiri Olsa,
Kan Liang, Mark Rutland, Namhyung Kim, Peter Zijlstra,
kernel-janitors, Arnaldo Carvalho de Melo, Sasha Levin
From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
[ Upstream commit d74b181a028bb5a468f0c609553eff6a8fdf4887 ]
'snprintf' returns the number of characters which would be generated for
the given input.
If the returned value is *greater than* or equal to the buffer size, it
means that the output has been truncated.
Fix the overflow test accordingly.
Fixes: 7780c25bae59f ("perf tools: Allow ability to map cpus to nodes easily")
Fixes: 92a7e1278005b ("perf cpumap: Add cpu__max_present_cpu()")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Suggested-by: David Laight <David.Laight@ACULAB.COM>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Don Zickus <dzickus@redhat.com>
Cc: He Zhe <zhe.he@windriver.com>
Cc: Jan Stancek <jstancek@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Kan Liang <kan.liang@linux.intel.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: kernel-janitors@vger.kernel.org
Link: http://lore.kernel.org/lkml/20200324070319.10901-1-christophe.jaillet@wanadoo.fr
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/util/cpumap.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/tools/perf/util/cpumap.c b/tools/perf/util/cpumap.c
index f93846edc1e0d..827d844f4efb1 100644
--- a/tools/perf/util/cpumap.c
+++ b/tools/perf/util/cpumap.c
@@ -462,7 +462,7 @@ static void set_max_cpu_num(void)
/* get the highest possible cpu number for a sparse allocation */
ret = snprintf(path, PATH_MAX, "%s/devices/system/cpu/possible", mnt);
- if (ret == PATH_MAX) {
+ if (ret >= PATH_MAX) {
pr_err("sysfs path crossed PATH_MAX(%d) size\n", PATH_MAX);
goto out;
}
@@ -473,7 +473,7 @@ static void set_max_cpu_num(void)
/* get the highest present cpu number for a sparse allocation */
ret = snprintf(path, PATH_MAX, "%s/devices/system/cpu/present", mnt);
- if (ret == PATH_MAX) {
+ if (ret >= PATH_MAX) {
pr_err("sysfs path crossed PATH_MAX(%d) size\n", PATH_MAX);
goto out;
}
@@ -501,7 +501,7 @@ static void set_max_node_num(void)
/* get the highest possible cpu number for a sparse allocation */
ret = snprintf(path, PATH_MAX, "%s/devices/system/node/possible", mnt);
- if (ret == PATH_MAX) {
+ if (ret >= PATH_MAX) {
pr_err("sysfs path crossed PATH_MAX(%d) size\n", PATH_MAX);
goto out;
}
@@ -586,7 +586,7 @@ int cpu__setup_cpunode_map(void)
return 0;
n = snprintf(path, PATH_MAX, "%s/devices/system/node", mnt);
- if (n == PATH_MAX) {
+ if (n >= PATH_MAX) {
pr_err("sysfs path crossed PATH_MAX(%d) size\n", PATH_MAX);
return -1;
}
@@ -601,7 +601,7 @@ int cpu__setup_cpunode_map(void)
continue;
n = snprintf(buf, PATH_MAX, "%s/%s", path, dent1->d_name);
- if (n == PATH_MAX) {
+ if (n >= PATH_MAX) {
pr_err("sysfs path crossed PATH_MAX(%d) size\n", PATH_MAX);
continue;
}
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 125/245] cpufreq: powernv: Fix frame-size-overflow in powernv_cpufreq_work_fn
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (123 preceding siblings ...)
2020-09-29 10:59 ` [PATCH 4.19 124/245] perf cpumap: Fix snprintf overflow check Greg Kroah-Hartman
@ 2020-09-29 10:59 ` Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 126/245] tools: gpio-hammer: Avoid potential overflow in main Greg Kroah-Hartman
` (122 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:59 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Pratik Rajesh Sampat, Daniel Axtens,
Michael Ellerman, Sasha Levin
From: Pratik Rajesh Sampat <psampat@linux.ibm.com>
[ Upstream commit d95fe371ecd28901f11256c610b988ed44e36ee2 ]
The patch avoids allocating cpufreq_policy on stack hence fixing frame
size overflow in 'powernv_cpufreq_work_fn'
Fixes: 227942809b52 ("cpufreq: powernv: Restore cpu frequency to policy->cur on unthrottling")
Signed-off-by: Pratik Rajesh Sampat <psampat@linux.ibm.com>
Reviewed-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20200316135743.57735-1-psampat@linux.ibm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/cpufreq/powernv-cpufreq.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/drivers/cpufreq/powernv-cpufreq.c b/drivers/cpufreq/powernv-cpufreq.c
index 687c92ef76440..79942f7057576 100644
--- a/drivers/cpufreq/powernv-cpufreq.c
+++ b/drivers/cpufreq/powernv-cpufreq.c
@@ -903,6 +903,7 @@ static struct notifier_block powernv_cpufreq_reboot_nb = {
void powernv_cpufreq_work_fn(struct work_struct *work)
{
struct chip *chip = container_of(work, struct chip, throttle);
+ struct cpufreq_policy *policy;
unsigned int cpu;
cpumask_t mask;
@@ -917,12 +918,14 @@ void powernv_cpufreq_work_fn(struct work_struct *work)
chip->restore = false;
for_each_cpu(cpu, &mask) {
int index;
- struct cpufreq_policy policy;
- cpufreq_get_policy(&policy, cpu);
- index = cpufreq_table_find_index_c(&policy, policy.cur);
- powernv_cpufreq_target_index(&policy, index);
- cpumask_andnot(&mask, &mask, policy.cpus);
+ policy = cpufreq_cpu_get(cpu);
+ if (!policy)
+ continue;
+ index = cpufreq_table_find_index_c(policy, policy->cur);
+ powernv_cpufreq_target_index(policy, index);
+ cpumask_andnot(&mask, &mask, policy->cpus);
+ cpufreq_cpu_put(policy);
}
out:
put_online_cpus();
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 126/245] tools: gpio-hammer: Avoid potential overflow in main
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (124 preceding siblings ...)
2020-09-29 10:59 ` [PATCH 4.19 125/245] cpufreq: powernv: Fix frame-size-overflow in powernv_cpufreq_work_fn Greg Kroah-Hartman
@ 2020-09-29 10:59 ` Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 127/245] nvme-multipath: do not reset on unknown status Greg Kroah-Hartman
` (121 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:59 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Gabriel Ravier, Bartosz Golaszewski,
Sasha Levin
From: Gabriel Ravier <gabravier@gmail.com>
[ Upstream commit d1ee7e1f5c9191afb69ce46cc7752e4257340a31 ]
If '-o' was used more than 64 times in a single invocation of gpio-hammer,
this could lead to an overflow of the 'lines' array. This commit fixes
this by avoiding the overflow and giving a proper diagnostic back to the
user
Signed-off-by: Gabriel Ravier <gabravier@gmail.com>
Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/gpio/gpio-hammer.c | 17 ++++++++++++++++-
1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/tools/gpio/gpio-hammer.c b/tools/gpio/gpio-hammer.c
index 4bcb234c0fcab..3da5462a0c7d3 100644
--- a/tools/gpio/gpio-hammer.c
+++ b/tools/gpio/gpio-hammer.c
@@ -138,7 +138,14 @@ int main(int argc, char **argv)
device_name = optarg;
break;
case 'o':
- lines[i] = strtoul(optarg, NULL, 10);
+ /*
+ * Avoid overflow. Do not immediately error, we want to
+ * be able to accurately report on the amount of times
+ * '-o' was given to give an accurate error message
+ */
+ if (i < GPIOHANDLES_MAX)
+ lines[i] = strtoul(optarg, NULL, 10);
+
i++;
break;
case '?':
@@ -146,6 +153,14 @@ int main(int argc, char **argv)
return -1;
}
}
+
+ if (i >= GPIOHANDLES_MAX) {
+ fprintf(stderr,
+ "Only %d occurences of '-o' are allowed, %d were found\n",
+ GPIOHANDLES_MAX, i + 1);
+ return -1;
+ }
+
nlines = i;
if (!device_name || !nlines) {
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 127/245] nvme-multipath: do not reset on unknown status
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (125 preceding siblings ...)
2020-09-29 10:59 ` [PATCH 4.19 126/245] tools: gpio-hammer: Avoid potential overflow in main Greg Kroah-Hartman
@ 2020-09-29 10:59 ` Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 128/245] nvme: Fix controller creation races with teardown flow Greg Kroah-Hartman
` (120 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:59 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Hannes Reinecke, John Meneghini,
Keith Busch, Sasha Levin, Christoph Hellwig
From: John Meneghini <johnm@netapp.com>
[ Upstream commit 764e9332098c0e60251386a507fe46ac91276120 ]
The nvme multipath error handling defaults to controller reset if the
error is unknown. There are, however, no existing nvme status codes that
indicate a reset should be used, and resetting causes unnecessary
disruption to the rest of IO.
Change nvme's error handling to first check if failover should happen.
If not, let the normal error handling take over rather than reset the
controller.
Based-on-a-patch-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Signed-off-by: John Meneghini <johnm@netapp.com>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nvme/host/core.c | 5 +----
drivers/nvme/host/multipath.c | 21 +++++++++------------
drivers/nvme/host/nvme.h | 5 +++--
3 files changed, 13 insertions(+), 18 deletions(-)
diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
index 0d60f2f8f3eec..4b182ac15687e 100644
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -255,11 +255,8 @@ void nvme_complete_rq(struct request *req)
trace_nvme_complete_rq(req);
if (unlikely(status != BLK_STS_OK && nvme_req_needs_retry(req))) {
- if ((req->cmd_flags & REQ_NVME_MPATH) &&
- blk_path_error(status)) {
- nvme_failover_req(req);
+ if ((req->cmd_flags & REQ_NVME_MPATH) && nvme_failover_req(req))
return;
- }
if (!blk_queue_dying(req->q)) {
nvme_req(req)->retries++;
diff --git a/drivers/nvme/host/multipath.c b/drivers/nvme/host/multipath.c
index 2e63c1106030b..e71075338ff5c 100644
--- a/drivers/nvme/host/multipath.c
+++ b/drivers/nvme/host/multipath.c
@@ -73,17 +73,12 @@ void nvme_set_disk_name(char *disk_name, struct nvme_ns *ns,
}
}
-void nvme_failover_req(struct request *req)
+bool nvme_failover_req(struct request *req)
{
struct nvme_ns *ns = req->q->queuedata;
u16 status = nvme_req(req)->status;
unsigned long flags;
- spin_lock_irqsave(&ns->head->requeue_lock, flags);
- blk_steal_bios(&ns->head->requeue_list, req);
- spin_unlock_irqrestore(&ns->head->requeue_lock, flags);
- blk_mq_end_request(req, 0);
-
switch (status & 0x7ff) {
case NVME_SC_ANA_TRANSITION:
case NVME_SC_ANA_INACCESSIBLE:
@@ -111,15 +106,17 @@ void nvme_failover_req(struct request *req)
nvme_mpath_clear_current_path(ns);
break;
default:
- /*
- * Reset the controller for any non-ANA error as we don't know
- * what caused the error.
- */
- nvme_reset_ctrl(ns->ctrl);
- break;
+ /* This was a non-ANA error so follow the normal error path. */
+ return false;
}
+ spin_lock_irqsave(&ns->head->requeue_lock, flags);
+ blk_steal_bios(&ns->head->requeue_list, req);
+ spin_unlock_irqrestore(&ns->head->requeue_lock, flags);
+ blk_mq_end_request(req, 0);
+
kblockd_schedule_work(&ns->head->requeue_work);
+ return true;
}
void nvme_kick_requeue_lists(struct nvme_ctrl *ctrl)
diff --git a/drivers/nvme/host/nvme.h b/drivers/nvme/host/nvme.h
index cc4273f119894..31c1496f938fb 100644
--- a/drivers/nvme/host/nvme.h
+++ b/drivers/nvme/host/nvme.h
@@ -477,7 +477,7 @@ void nvme_mpath_wait_freeze(struct nvme_subsystem *subsys);
void nvme_mpath_start_freeze(struct nvme_subsystem *subsys);
void nvme_set_disk_name(char *disk_name, struct nvme_ns *ns,
struct nvme_ctrl *ctrl, int *flags);
-void nvme_failover_req(struct request *req);
+bool nvme_failover_req(struct request *req);
void nvme_kick_requeue_lists(struct nvme_ctrl *ctrl);
int nvme_mpath_alloc_disk(struct nvme_ctrl *ctrl,struct nvme_ns_head *head);
void nvme_mpath_add_disk(struct nvme_ns *ns, struct nvme_id_ns *id);
@@ -521,8 +521,9 @@ static inline void nvme_set_disk_name(char *disk_name, struct nvme_ns *ns,
sprintf(disk_name, "nvme%dn%d", ctrl->instance, ns->head->instance);
}
-static inline void nvme_failover_req(struct request *req)
+static inline bool nvme_failover_req(struct request *req)
{
+ return false;
}
static inline void nvme_kick_requeue_lists(struct nvme_ctrl *ctrl)
{
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 128/245] nvme: Fix controller creation races with teardown flow
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (126 preceding siblings ...)
2020-09-29 10:59 ` [PATCH 4.19 127/245] nvme-multipath: do not reset on unknown status Greg Kroah-Hartman
@ 2020-09-29 10:59 ` Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 129/245] RDMA/rxe: Set sys_image_guid to be aligned with HW IB devices Greg Kroah-Hartman
` (119 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:59 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Israel Rukshin, Max Gurtovoy,
Christoph Hellwig, Keith Busch, Sasha Levin
From: Israel Rukshin <israelr@mellanox.com>
[ Upstream commit ce1518139e6976cf19c133b555083354fdb629b8 ]
Calling nvme_sysfs_delete() when the controller is in the middle of
creation may cause several bugs. If the controller is in NEW state we
remove delete_controller file and don't delete the controller. The user
will not be able to use nvme disconnect command on that controller again,
although the controller may be active. Other bugs may happen if the
controller is in the middle of create_ctrl callback and
nvme_do_delete_ctrl() starts. For example, freeing I/O tagset at
nvme_do_delete_ctrl() before it was allocated at create_ctrl callback.
To fix all those races don't allow the user to delete the controller
before it was fully created.
Signed-off-by: Israel Rukshin <israelr@mellanox.com>
Reviewed-by: Max Gurtovoy <maxg@mellanox.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nvme/host/core.c | 5 +++++
drivers/nvme/host/nvme.h | 1 +
2 files changed, 6 insertions(+)
diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
index 4b182ac15687e..faa7feebb6095 100644
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -2856,6 +2856,10 @@ static ssize_t nvme_sysfs_delete(struct device *dev,
{
struct nvme_ctrl *ctrl = dev_get_drvdata(dev);
+ /* Can't delete non-created controllers */
+ if (!ctrl->created)
+ return -EBUSY;
+
if (device_remove_file_self(dev, attr))
nvme_delete_ctrl_sync(ctrl);
return count;
@@ -3576,6 +3580,7 @@ void nvme_start_ctrl(struct nvme_ctrl *ctrl)
queue_work(nvme_wq, &ctrl->async_event_work);
nvme_start_queues(ctrl);
}
+ ctrl->created = true;
}
EXPORT_SYMBOL_GPL(nvme_start_ctrl);
diff --git a/drivers/nvme/host/nvme.h b/drivers/nvme/host/nvme.h
index 31c1496f938fb..a70b997060e68 100644
--- a/drivers/nvme/host/nvme.h
+++ b/drivers/nvme/host/nvme.h
@@ -206,6 +206,7 @@ struct nvme_ctrl {
struct nvme_command ka_cmd;
struct work_struct fw_act_work;
unsigned long events;
+ bool created;
#ifdef CONFIG_NVME_MULTIPATH
/* asymmetric namespace access: */
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 129/245] RDMA/rxe: Set sys_image_guid to be aligned with HW IB devices
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (127 preceding siblings ...)
2020-09-29 10:59 ` [PATCH 4.19 128/245] nvme: Fix controller creation races with teardown flow Greg Kroah-Hartman
@ 2020-09-29 10:59 ` Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 130/245] scsi: hpsa: correct race condition in offload enabled Greg Kroah-Hartman
` (118 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:59 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Zhu Yanjun, Leon Romanovsky,
Jason Gunthorpe, Sasha Levin
From: Zhu Yanjun <yanjunz@mellanox.com>
[ Upstream commit d0ca2c35dd15a3d989955caec02beea02f735ee6 ]
The RXE driver doesn't set sys_image_guid and user space applications see
zeros. This causes to pyverbs tests to fail with the following traceback,
because the IBTA spec requires to have valid sys_image_guid.
Traceback (most recent call last):
File "./tests/test_device.py", line 51, in test_query_device
self.verify_device_attr(attr)
File "./tests/test_device.py", line 74, in verify_device_attr
assert attr.sys_image_guid != 0
In order to fix it, set sys_image_guid to be equal to node_guid.
Before:
5: rxe0: ... node_guid 5054:00ff:feaa:5363 sys_image_guid
0000:0000:0000:0000
After:
5: rxe0: ... node_guid 5054:00ff:feaa:5363 sys_image_guid
5054:00ff:feaa:5363
Fixes: 8700e3e7c485 ("Soft RoCE driver")
Link: https://lore.kernel.org/r/20200323112800.1444784-1-leon@kernel.org
Signed-off-by: Zhu Yanjun <yanjunz@mellanox.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/sw/rxe/rxe.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/infiniband/sw/rxe/rxe.c b/drivers/infiniband/sw/rxe/rxe.c
index 94dedabe648c2..6589ff51eaf5c 100644
--- a/drivers/infiniband/sw/rxe/rxe.c
+++ b/drivers/infiniband/sw/rxe/rxe.c
@@ -121,6 +121,8 @@ static void rxe_init_device_param(struct rxe_dev *rxe)
rxe->attr.max_fast_reg_page_list_len = RXE_MAX_FMR_PAGE_LIST_LEN;
rxe->attr.max_pkeys = RXE_MAX_PKEYS;
rxe->attr.local_ca_ack_delay = RXE_LOCAL_CA_ACK_DELAY;
+ addrconf_addr_eui48((unsigned char *)&rxe->attr.sys_image_guid,
+ rxe->ndev->dev_addr);
rxe->max_ucontext = RXE_MAX_UCONTEXT;
}
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 130/245] scsi: hpsa: correct race condition in offload enabled
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (128 preceding siblings ...)
2020-09-29 10:59 ` [PATCH 4.19 129/245] RDMA/rxe: Set sys_image_guid to be aligned with HW IB devices Greg Kroah-Hartman
@ 2020-09-29 10:59 ` Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 131/245] SUNRPC: Fix a potential buffer overflow in svc_print_xprts() Greg Kroah-Hartman
` (117 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:59 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Scott Teel, Matt Perricone,
Scott Benesh, Don Brace, Martin K. Petersen, Sasha Levin
From: Don Brace <don.brace@microsemi.com>
[ Upstream commit 3e16e83a62edac7617bfd8dbb4e55d04ff6adbe1 ]
Correct race condition where ioaccel is re-enabled before the raid_map is
updated. For RAID_1, RAID_1ADM, and RAID 5/6 there is a BUG_ON called which
is bad.
- Change event thread to disable ioaccel only. Send all requests down the
RAID path instead.
- Have rescan thread handle offload_enable.
- Since there is only one rescan allowed at a time, turning
offload_enabled on/off should not be racy. Each handler queues up a
rescan if one is already in progress.
- For timing diagram, offload_enabled is initially off due to a change
(transformation: splitmirror/remirror), ...
otbe = offload_to_be_enabled
oe = offload_enabled
Time Event Rescan Completion Request
Worker Worker Thread Thread
---- ------ ------ ---------- -------
T0 | | + UA |
T1 | + rescan started | 0x3f |
T2 + Event | | 0x0e |
T3 + Ack msg | | |
T4 | + if (!dev[i]->oe && | |
T5 | | dev[i]->otbe) | |
T6 | | get_raid_map | |
T7 + otbe = 1 | | |
T8 | | | |
T9 | + oe = otbe | |
T10 | | | + ioaccel request
T11 * BUG_ON
T0 - I/O completion with UA 0x3f 0x0e sets rescan flag.
T1 - rescan worker thread starts a rescan.
T2 - event comes in
T3 - event thread starts and issues "Acknowledge" message
...
T6 - rescan thread has bypassed code to reload new raid map.
...
T7 - event thread runs and sets offload_to_be_enabled
...
T9 - rescan thread turns on offload_enabled.
T10- request comes in and goes down ioaccel path.
T11- BUG_ON.
- After the patch is applied, ioaccel_enabled can only be re-enabled in
the re-scan thread.
Link: https://lore.kernel.org/r/158472877894.14200.7077843399036368335.stgit@brunhilda
Reviewed-by: Scott Teel <scott.teel@microsemi.com>
Reviewed-by: Matt Perricone <matt.perricone@microsemi.com>
Reviewed-by: Scott Benesh <scott.benesh@microsemi.com>
Signed-off-by: Don Brace <don.brace@microsemi.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/hpsa.c | 80 ++++++++++++++++++++++++++++++++-------------
1 file changed, 57 insertions(+), 23 deletions(-)
diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
index f570b8c5d857c..11de2198bb87d 100644
--- a/drivers/scsi/hpsa.c
+++ b/drivers/scsi/hpsa.c
@@ -507,6 +507,12 @@ static ssize_t host_store_rescan(struct device *dev,
return count;
}
+static void hpsa_turn_off_ioaccel_for_device(struct hpsa_scsi_dev_t *device)
+{
+ device->offload_enabled = 0;
+ device->offload_to_be_enabled = 0;
+}
+
static ssize_t host_show_firmware_revision(struct device *dev,
struct device_attribute *attr, char *buf)
{
@@ -1743,8 +1749,7 @@ static void hpsa_figure_phys_disk_ptrs(struct ctlr_info *h,
__func__,
h->scsi_host->host_no, logical_drive->bus,
logical_drive->target, logical_drive->lun);
- logical_drive->offload_enabled = 0;
- logical_drive->offload_to_be_enabled = 0;
+ hpsa_turn_off_ioaccel_for_device(logical_drive);
logical_drive->queue_depth = 8;
}
}
@@ -2496,8 +2501,7 @@ static void process_ioaccel2_completion(struct ctlr_info *h,
IOACCEL2_SERV_RESPONSE_FAILURE) {
if (c2->error_data.status ==
IOACCEL2_STATUS_SR_IOACCEL_DISABLED) {
- dev->offload_enabled = 0;
- dev->offload_to_be_enabled = 0;
+ hpsa_turn_off_ioaccel_for_device(dev);
}
return hpsa_retry_cmd(h, c);
@@ -3676,10 +3680,17 @@ static void hpsa_get_ioaccel_status(struct ctlr_info *h,
this_device->offload_config =
!!(ioaccel_status & OFFLOAD_CONFIGURED_BIT);
if (this_device->offload_config) {
- this_device->offload_to_be_enabled =
+ bool offload_enabled =
!!(ioaccel_status & OFFLOAD_ENABLED_BIT);
- if (hpsa_get_raid_map(h, scsi3addr, this_device))
- this_device->offload_to_be_enabled = 0;
+ /*
+ * Check to see if offload can be enabled.
+ */
+ if (offload_enabled) {
+ rc = hpsa_get_raid_map(h, scsi3addr, this_device);
+ if (rc) /* could not load raid_map */
+ goto out;
+ this_device->offload_to_be_enabled = 1;
+ }
}
out:
@@ -3998,8 +4009,7 @@ static int hpsa_update_device_info(struct ctlr_info *h,
} else {
this_device->raid_level = RAID_UNKNOWN;
this_device->offload_config = 0;
- this_device->offload_enabled = 0;
- this_device->offload_to_be_enabled = 0;
+ hpsa_turn_off_ioaccel_for_device(this_device);
this_device->hba_ioaccel_enabled = 0;
this_device->volume_offline = 0;
this_device->queue_depth = h->nr_cmds;
@@ -5213,8 +5223,12 @@ static int hpsa_scsi_ioaccel_raid_map(struct ctlr_info *h,
/* Handles load balance across RAID 1 members.
* (2-drive R1 and R10 with even # of drives.)
* Appropriate for SSDs, not optimal for HDDs
+ * Ensure we have the correct raid_map.
*/
- BUG_ON(le16_to_cpu(map->layout_map_count) != 2);
+ if (le16_to_cpu(map->layout_map_count) != 2) {
+ hpsa_turn_off_ioaccel_for_device(dev);
+ return IO_ACCEL_INELIGIBLE;
+ }
if (dev->offload_to_mirror)
map_index += le16_to_cpu(map->data_disks_per_row);
dev->offload_to_mirror = !dev->offload_to_mirror;
@@ -5222,8 +5236,12 @@ static int hpsa_scsi_ioaccel_raid_map(struct ctlr_info *h,
case HPSA_RAID_ADM:
/* Handles N-way mirrors (R1-ADM)
* and R10 with # of drives divisible by 3.)
+ * Ensure we have the correct raid_map.
*/
- BUG_ON(le16_to_cpu(map->layout_map_count) != 3);
+ if (le16_to_cpu(map->layout_map_count) != 3) {
+ hpsa_turn_off_ioaccel_for_device(dev);
+ return IO_ACCEL_INELIGIBLE;
+ }
offload_to_mirror = dev->offload_to_mirror;
raid_map_helper(map, offload_to_mirror,
@@ -5248,7 +5266,10 @@ static int hpsa_scsi_ioaccel_raid_map(struct ctlr_info *h,
r5or6_blocks_per_row =
le16_to_cpu(map->strip_size) *
le16_to_cpu(map->data_disks_per_row);
- BUG_ON(r5or6_blocks_per_row == 0);
+ if (r5or6_blocks_per_row == 0) {
+ hpsa_turn_off_ioaccel_for_device(dev);
+ return IO_ACCEL_INELIGIBLE;
+ }
stripesize = r5or6_blocks_per_row *
le16_to_cpu(map->layout_map_count);
#if BITS_PER_LONG == 32
@@ -8218,7 +8239,7 @@ static int detect_controller_lockup(struct ctlr_info *h)
*
* Called from monitor controller worker (hpsa_event_monitor_worker)
*
- * A Volume (or Volumes that comprise an Array set may be undergoing a
+ * A Volume (or Volumes that comprise an Array set) may be undergoing a
* transformation, so we will be turning off ioaccel for all volumes that
* make up the Array.
*/
@@ -8241,6 +8262,9 @@ static void hpsa_set_ioaccel_status(struct ctlr_info *h)
* Run through current device list used during I/O requests.
*/
for (i = 0; i < h->ndevices; i++) {
+ int offload_to_be_enabled = 0;
+ int offload_config = 0;
+
device = h->dev[i];
if (!device)
@@ -8258,25 +8282,35 @@ static void hpsa_set_ioaccel_status(struct ctlr_info *h)
continue;
ioaccel_status = buf[IOACCEL_STATUS_BYTE];
- device->offload_config =
+
+ /*
+ * Check if offload is still configured on
+ */
+ offload_config =
!!(ioaccel_status & OFFLOAD_CONFIGURED_BIT);
- if (device->offload_config)
- device->offload_to_be_enabled =
+ /*
+ * If offload is configured on, check to see if ioaccel
+ * needs to be enabled.
+ */
+ if (offload_config)
+ offload_to_be_enabled =
!!(ioaccel_status & OFFLOAD_ENABLED_BIT);
+ /*
+ * If ioaccel is to be re-enabled, re-enable later during the
+ * scan operation so the driver can get a fresh raidmap
+ * before turning ioaccel back on.
+ */
+ if (offload_to_be_enabled)
+ continue;
+
/*
* Immediately turn off ioaccel for any volume the
* controller tells us to. Some of the reasons could be:
* transformation - change to the LVs of an Array.
* degraded volume - component failure
- *
- * If ioaccel is to be re-enabled, re-enable later during the
- * scan operation so the driver can get a fresh raidmap
- * before turning ioaccel back on.
- *
*/
- if (!device->offload_to_be_enabled)
- device->offload_enabled = 0;
+ hpsa_turn_off_ioaccel_for_device(device);
}
kfree(buf);
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 131/245] SUNRPC: Fix a potential buffer overflow in svc_print_xprts()
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (129 preceding siblings ...)
2020-09-29 10:59 ` [PATCH 4.19 130/245] scsi: hpsa: correct race condition in offload enabled Greg Kroah-Hartman
@ 2020-09-29 10:59 ` Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 132/245] svcrdma: Fix leak of transport addresses Greg Kroah-Hartman
` (116 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:59 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Christophe JAILLET, Chuck Lever, Sasha Levin
From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
[ Upstream commit b25b60d7bfb02a74bc3c2d998e09aab159df8059 ]
'maxlen' is the total size of the destination buffer. There is only one
caller and this value is 256.
When we compute the size already used and what we would like to add in
the buffer, the trailling NULL character is not taken into account.
However, this trailling character will be added by the 'strcat' once we
have checked that we have enough place.
So, there is a off-by-one issue and 1 byte of the stack could be
erroneously overwridden.
Take into account the trailling NULL, when checking if there is enough
place in the destination buffer.
While at it, also replace a 'sprintf' by a safer 'snprintf', check for
output truncation and avoid a superfluous 'strlen'.
Fixes: dc9a16e49dbba ("svc: Add /proc/sys/sunrpc/transport files")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
[ cel: very minor fix to documenting comment
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sunrpc/svc_xprt.c | 19 ++++++++++++++-----
1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/net/sunrpc/svc_xprt.c b/net/sunrpc/svc_xprt.c
index c8ee8e801edb8..709c082dc9059 100644
--- a/net/sunrpc/svc_xprt.c
+++ b/net/sunrpc/svc_xprt.c
@@ -103,8 +103,17 @@ void svc_unreg_xprt_class(struct svc_xprt_class *xcl)
}
EXPORT_SYMBOL_GPL(svc_unreg_xprt_class);
-/*
- * Format the transport list for printing
+/**
+ * svc_print_xprts - Format the transport list for printing
+ * @buf: target buffer for formatted address
+ * @maxlen: length of target buffer
+ *
+ * Fills in @buf with a string containing a list of transport names, each name
+ * terminated with '\n'. If the buffer is too small, some entries may be
+ * missing, but it is guaranteed that all lines in the output buffer are
+ * complete.
+ *
+ * Returns positive length of the filled-in string.
*/
int svc_print_xprts(char *buf, int maxlen)
{
@@ -117,9 +126,9 @@ int svc_print_xprts(char *buf, int maxlen)
list_for_each_entry(xcl, &svc_xprt_class_list, xcl_list) {
int slen;
- sprintf(tmpstr, "%s %d\n", xcl->xcl_name, xcl->xcl_max_payload);
- slen = strlen(tmpstr);
- if (len + slen > maxlen)
+ slen = snprintf(tmpstr, sizeof(tmpstr), "%s %d\n",
+ xcl->xcl_name, xcl->xcl_max_payload);
+ if (slen >= sizeof(tmpstr) || len + slen >= maxlen)
break;
len += slen;
strcat(buf, tmpstr);
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 132/245] svcrdma: Fix leak of transport addresses
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (130 preceding siblings ...)
2020-09-29 10:59 ` [PATCH 4.19 131/245] SUNRPC: Fix a potential buffer overflow in svc_print_xprts() Greg Kroah-Hartman
@ 2020-09-29 10:59 ` Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 133/245] PCI: Use ioremap(), not phys_to_virt() for platform ROM Greg Kroah-Hartman
` (115 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:59 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Chuck Lever, Sasha Levin
From: Chuck Lever <chuck.lever@oracle.com>
[ Upstream commit 1a33d8a284b1e85e03b8c7b1ea8fb985fccd1d71 ]
Kernel memory leak detected:
unreferenced object 0xffff888849cdf480 (size 8):
comm "kworker/u8:3", pid 2086, jiffies 4297898756 (age 4269.856s)
hex dump (first 8 bytes):
30 00 cd 49 88 88 ff ff 0..I....
backtrace:
[<00000000acfc370b>] __kmalloc_track_caller+0x137/0x183
[<00000000a2724354>] kstrdup+0x2b/0x43
[<0000000082964f84>] xprt_rdma_format_addresses+0x114/0x17d [rpcrdma]
[<00000000dfa6ed00>] xprt_setup_rdma_bc+0xc0/0x10c [rpcrdma]
[<0000000073051a83>] xprt_create_transport+0x3f/0x1a0 [sunrpc]
[<0000000053531a8e>] rpc_create+0x118/0x1cd [sunrpc]
[<000000003a51b5f8>] setup_callback_client+0x1a5/0x27d [nfsd]
[<000000001bd410af>] nfsd4_process_cb_update.isra.7+0x16c/0x1ac [nfsd]
[<000000007f4bbd56>] nfsd4_run_cb_work+0x4c/0xbd [nfsd]
[<0000000055c5586b>] process_one_work+0x1b2/0x2fe
[<00000000b1e3e8ef>] worker_thread+0x1a6/0x25a
[<000000005205fb78>] kthread+0xf6/0xfb
[<000000006d2dc057>] ret_from_fork+0x3a/0x50
Introduce a call to xprt_rdma_free_addresses() similar to the way
that the TCP backchannel releases a transport's peer address
strings.
Fixes: 5d252f90a800 ("svcrdma: Add class for RDMA backwards direction transport")
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sunrpc/xprtrdma/svc_rdma_backchannel.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/sunrpc/xprtrdma/svc_rdma_backchannel.c b/net/sunrpc/xprtrdma/svc_rdma_backchannel.c
index b9827665ff355..d183d4aee822c 100644
--- a/net/sunrpc/xprtrdma/svc_rdma_backchannel.c
+++ b/net/sunrpc/xprtrdma/svc_rdma_backchannel.c
@@ -256,6 +256,7 @@ xprt_rdma_bc_put(struct rpc_xprt *xprt)
{
dprintk("svcrdma: %s: xprt %p\n", __func__, xprt);
+ xprt_rdma_free_addresses(xprt);
xprt_free(xprt);
module_put(THIS_MODULE);
}
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 133/245] PCI: Use ioremap(), not phys_to_virt() for platform ROM
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (131 preceding siblings ...)
2020-09-29 10:59 ` [PATCH 4.19 132/245] svcrdma: Fix leak of transport addresses Greg Kroah-Hartman
@ 2020-09-29 10:59 ` Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 134/245] ubifs: Fix out-of-bounds memory access caused by abnormal value of node_len Greg Kroah-Hartman
` (114 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:59 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Mikel Rychliski, Bjorn Helgaas,
Alex Deucher, Sasha Levin
From: Mikel Rychliski <mikel@mikelr.com>
[ Upstream commit 72e0ef0e5f067fd991f702f0b2635d911d0cf208 ]
On some EFI systems, the video BIOS is provided by the EFI firmware. The
boot stub code stores the physical address of the ROM image in pdev->rom.
Currently we attempt to access this pointer using phys_to_virt(), which
doesn't work with CONFIG_HIGHMEM.
On these systems, attempting to load the radeon module on a x86_32 kernel
can result in the following:
BUG: unable to handle page fault for address: 3e8ed03c
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
*pde = 00000000
Oops: 0000 [#1] PREEMPT SMP
CPU: 0 PID: 317 Comm: systemd-udevd Not tainted 5.6.0-rc3-next-20200228 #2
Hardware name: Apple Computer, Inc. MacPro1,1/Mac-F4208DC8, BIOS MP11.88Z.005C.B08.0707021221 07/02/07
EIP: radeon_get_bios+0x5ed/0xe50 [radeon]
Code: 00 00 84 c0 0f 85 12 fd ff ff c7 87 64 01 00 00 00 00 00 00 8b 47 08 8b 55 b0 e8 1e 83 e1 d6 85 c0 74 1a 8b 55 c0 85 d2 74 13 <80> 38 55 75 0e 80 78 01 aa 0f 84 a4 03 00 00 8d 74 26 00 68 dc 06
EAX: 3e8ed03c EBX: 00000000 ECX: 3e8ed03c EDX: 00010000
ESI: 00040000 EDI: eec04000 EBP: eef3fc60 ESP: eef3fbe0
DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 EFLAGS: 00010206
CR0: 80050033 CR2: 3e8ed03c CR3: 2ec77000 CR4: 000006d0
Call Trace:
r520_init+0x26/0x240 [radeon]
radeon_device_init+0x533/0xa50 [radeon]
radeon_driver_load_kms+0x80/0x220 [radeon]
drm_dev_register+0xa7/0x180 [drm]
radeon_pci_probe+0x10f/0x1a0 [radeon]
pci_device_probe+0xd4/0x140
Fix the issue by updating all drivers which can access a platform provided
ROM. Instead of calling the helper function pci_platform_rom() which uses
phys_to_virt(), call ioremap() directly on the pdev->rom.
radeon_read_platform_bios() previously directly accessed an __iomem
pointer. Avoid this by calling memcpy_fromio() instead of kmemdup().
pci_platform_rom() now has no remaining callers, so remove it.
Link: https://lore.kernel.org/r/20200319021623.5426-1-mikel@mikelr.com
Signed-off-by: Mikel Rychliski <mikel@mikelr.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Acked-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c | 31 +++++++++++--------
.../drm/nouveau/nvkm/subdev/bios/shadowpci.c | 17 ++++++++--
drivers/gpu/drm/radeon/radeon_bios.c | 30 +++++++++++-------
drivers/pci/rom.c | 17 ----------
include/linux/pci.h | 1 -
5 files changed, 52 insertions(+), 44 deletions(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c
index a5df80d50d447..6cf3dd5edffda 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c
@@ -191,30 +191,35 @@ static bool amdgpu_read_bios_from_rom(struct amdgpu_device *adev)
static bool amdgpu_read_platform_bios(struct amdgpu_device *adev)
{
- uint8_t __iomem *bios;
- size_t size;
+ phys_addr_t rom = adev->pdev->rom;
+ size_t romlen = adev->pdev->romlen;
+ void __iomem *bios;
adev->bios = NULL;
- bios = pci_platform_rom(adev->pdev, &size);
- if (!bios) {
+ if (!rom || romlen == 0)
return false;
- }
- adev->bios = kzalloc(size, GFP_KERNEL);
- if (adev->bios == NULL)
+ adev->bios = kzalloc(romlen, GFP_KERNEL);
+ if (!adev->bios)
return false;
- memcpy_fromio(adev->bios, bios, size);
+ bios = ioremap(rom, romlen);
+ if (!bios)
+ goto free_bios;
- if (!check_atom_bios(adev->bios, size)) {
- kfree(adev->bios);
- return false;
- }
+ memcpy_fromio(adev->bios, bios, romlen);
+ iounmap(bios);
- adev->bios_size = size;
+ if (!check_atom_bios(adev->bios, romlen))
+ goto free_bios;
+
+ adev->bios_size = romlen;
return true;
+free_bios:
+ kfree(adev->bios);
+ return false;
}
#ifdef CONFIG_ACPI
diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/shadowpci.c b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/shadowpci.c
index 9b91da09dc5f8..8d9812a51ef63 100644
--- a/drivers/gpu/drm/nouveau/nvkm/subdev/bios/shadowpci.c
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/bios/shadowpci.c
@@ -101,9 +101,13 @@ platform_init(struct nvkm_bios *bios, const char *name)
else
return ERR_PTR(-ENODEV);
+ if (!pdev->rom || pdev->romlen == 0)
+ return ERR_PTR(-ENODEV);
+
if ((priv = kmalloc(sizeof(*priv), GFP_KERNEL))) {
+ priv->size = pdev->romlen;
if (ret = -ENODEV,
- (priv->rom = pci_platform_rom(pdev, &priv->size)))
+ (priv->rom = ioremap(pdev->rom, pdev->romlen)))
return priv;
kfree(priv);
}
@@ -111,11 +115,20 @@ platform_init(struct nvkm_bios *bios, const char *name)
return ERR_PTR(ret);
}
+static void
+platform_fini(void *data)
+{
+ struct priv *priv = data;
+
+ iounmap(priv->rom);
+ kfree(priv);
+}
+
const struct nvbios_source
nvbios_platform = {
.name = "PLATFORM",
.init = platform_init,
- .fini = (void(*)(void *))kfree,
+ .fini = platform_fini,
.read = pcirom_read,
.rw = true,
};
diff --git a/drivers/gpu/drm/radeon/radeon_bios.c b/drivers/gpu/drm/radeon/radeon_bios.c
index 04c0ed41374f1..dd0528cf98183 100644
--- a/drivers/gpu/drm/radeon/radeon_bios.c
+++ b/drivers/gpu/drm/radeon/radeon_bios.c
@@ -104,25 +104,33 @@ static bool radeon_read_bios(struct radeon_device *rdev)
static bool radeon_read_platform_bios(struct radeon_device *rdev)
{
- uint8_t __iomem *bios;
- size_t size;
+ phys_addr_t rom = rdev->pdev->rom;
+ size_t romlen = rdev->pdev->romlen;
+ void __iomem *bios;
rdev->bios = NULL;
- bios = pci_platform_rom(rdev->pdev, &size);
- if (!bios) {
+ if (!rom || romlen == 0)
return false;
- }
- if (size == 0 || bios[0] != 0x55 || bios[1] != 0xaa) {
+ rdev->bios = kzalloc(romlen, GFP_KERNEL);
+ if (!rdev->bios)
return false;
- }
- rdev->bios = kmemdup(bios, size, GFP_KERNEL);
- if (rdev->bios == NULL) {
- return false;
- }
+
+ bios = ioremap(rom, romlen);
+ if (!bios)
+ goto free_bios;
+
+ memcpy_fromio(rdev->bios, bios, romlen);
+ iounmap(bios);
+
+ if (rdev->bios[0] != 0x55 || rdev->bios[1] != 0xaa)
+ goto free_bios;
return true;
+free_bios:
+ kfree(rdev->bios);
+ return false;
}
#ifdef CONFIG_ACPI
diff --git a/drivers/pci/rom.c b/drivers/pci/rom.c
index 137bf0cee897c..8fc9a4e911e3a 100644
--- a/drivers/pci/rom.c
+++ b/drivers/pci/rom.c
@@ -195,20 +195,3 @@ void pci_unmap_rom(struct pci_dev *pdev, void __iomem *rom)
pci_disable_rom(pdev);
}
EXPORT_SYMBOL(pci_unmap_rom);
-
-/**
- * pci_platform_rom - provides a pointer to any ROM image provided by the
- * platform
- * @pdev: pointer to pci device struct
- * @size: pointer to receive size of pci window over ROM
- */
-void __iomem *pci_platform_rom(struct pci_dev *pdev, size_t *size)
-{
- if (pdev->rom && pdev->romlen) {
- *size = pdev->romlen;
- return phys_to_virt((phys_addr_t)pdev->rom);
- }
-
- return NULL;
-}
-EXPORT_SYMBOL(pci_platform_rom);
diff --git a/include/linux/pci.h b/include/linux/pci.h
index 2517492dd1855..2fda9893962d1 100644
--- a/include/linux/pci.h
+++ b/include/linux/pci.h
@@ -1144,7 +1144,6 @@ int pci_enable_rom(struct pci_dev *pdev);
void pci_disable_rom(struct pci_dev *pdev);
void __iomem __must_check *pci_map_rom(struct pci_dev *pdev, size_t *size);
void pci_unmap_rom(struct pci_dev *pdev, void __iomem *rom);
-void __iomem __must_check *pci_platform_rom(struct pci_dev *pdev, size_t *size);
/* Power management related routines */
int pci_save_state(struct pci_dev *dev);
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 134/245] ubifs: Fix out-of-bounds memory access caused by abnormal value of node_len
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (132 preceding siblings ...)
2020-09-29 10:59 ` [PATCH 4.19 133/245] PCI: Use ioremap(), not phys_to_virt() for platform ROM Greg Kroah-Hartman
@ 2020-09-29 10:59 ` Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 135/245] ALSA: usb-audio: Fix case when USB MIDI interface has more than one extra endpoint descriptor Greg Kroah-Hartman
` (113 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:59 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Liu Song, Richard Weinberger, Sasha Levin
From: Liu Song <liu.song11@zte.com.cn>
[ Upstream commit acc5af3efa303d5f36cc8c0f61716161f6ca1384 ]
In “ubifs_check_node”, when the value of "node_len" is abnormal,
the code will goto label of "out_len" for execution. Then, in the
following "ubifs_dump_node", if inode type is "UBIFS_DATA_NODE",
in "print_hex_dump", an out-of-bounds access may occur due to the
wrong "ch->len".
Therefore, when the value of "node_len" is abnormal, data length
should to be adjusted to a reasonable safe range. At this time,
structured data is not credible, so dump the corrupted data directly
for analysis.
Signed-off-by: Liu Song <liu.song11@zte.com.cn>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ubifs/io.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/fs/ubifs/io.c b/fs/ubifs/io.c
index 099bec94b8207..fab29f899f913 100644
--- a/fs/ubifs/io.c
+++ b/fs/ubifs/io.c
@@ -237,7 +237,7 @@ int ubifs_is_mapped(const struct ubifs_info *c, int lnum)
int ubifs_check_node(const struct ubifs_info *c, const void *buf, int lnum,
int offs, int quiet, int must_chk_crc)
{
- int err = -EINVAL, type, node_len;
+ int err = -EINVAL, type, node_len, dump_node = 1;
uint32_t crc, node_crc, magic;
const struct ubifs_ch *ch = buf;
@@ -290,10 +290,22 @@ int ubifs_check_node(const struct ubifs_info *c, const void *buf, int lnum,
out_len:
if (!quiet)
ubifs_err(c, "bad node length %d", node_len);
+ if (type == UBIFS_DATA_NODE && node_len > UBIFS_DATA_NODE_SZ)
+ dump_node = 0;
out:
if (!quiet) {
ubifs_err(c, "bad node at LEB %d:%d", lnum, offs);
- ubifs_dump_node(c, buf);
+ if (dump_node) {
+ ubifs_dump_node(c, buf);
+ } else {
+ int safe_len = min3(node_len, c->leb_size - offs,
+ (int)UBIFS_MAX_DATA_NODE_SZ);
+ pr_err("\tprevent out-of-bounds memory access\n");
+ pr_err("\ttruncated data node length %d\n", safe_len);
+ pr_err("\tcorrupted data node:\n");
+ print_hex_dump(KERN_ERR, "\t", DUMP_PREFIX_OFFSET, 32, 1,
+ buf, safe_len, 0);
+ }
dump_stack();
}
return err;
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 135/245] ALSA: usb-audio: Fix case when USB MIDI interface has more than one extra endpoint descriptor
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (133 preceding siblings ...)
2020-09-29 10:59 ` [PATCH 4.19 134/245] ubifs: Fix out-of-bounds memory access caused by abnormal value of node_len Greg Kroah-Hartman
@ 2020-09-29 10:59 ` Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 136/245] PCI: pciehp: Fix MSI interrupt race Greg Kroah-Hartman
` (112 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:59 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Andreas Steinmetz, Takashi Iwai, Sasha Levin
From: Andreas Steinmetz <ast@domdv.de>
[ Upstream commit 5c6cd7021a05a02fcf37f360592d7c18d4d807fb ]
The Miditech MIDIFACE 16x16 (USB ID 1290:1749) has more than one extra
endpoint descriptor.
The first extra descriptor is: 0x06 0x30 0x00 0x00 0x00 0x00
As the code in snd_usbmidi_get_ms_info() looks only at the
first extra descriptor to find USB_DT_CS_ENDPOINT the device
as such is recognized but there is neither input nor output
configured.
The patch iterates through the extra descriptors to find the
proper one. With this patch the device is correctly configured.
Signed-off-by: Andreas Steinmetz <ast@domdv.de>
Link: https://lore.kernel.org/r/1c3b431a86f69e1d60745b6110cdb93c299f120b.camel@domdv.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/usb/midi.c | 29 ++++++++++++++++++++++++-----
1 file changed, 24 insertions(+), 5 deletions(-)
diff --git a/sound/usb/midi.c b/sound/usb/midi.c
index 28a3ad8b1d74b..137e1e8718d6f 100644
--- a/sound/usb/midi.c
+++ b/sound/usb/midi.c
@@ -1828,6 +1828,28 @@ static int snd_usbmidi_create_endpoints(struct snd_usb_midi *umidi,
return 0;
}
+static struct usb_ms_endpoint_descriptor *find_usb_ms_endpoint_descriptor(
+ struct usb_host_endpoint *hostep)
+{
+ unsigned char *extra = hostep->extra;
+ int extralen = hostep->extralen;
+
+ while (extralen > 3) {
+ struct usb_ms_endpoint_descriptor *ms_ep =
+ (struct usb_ms_endpoint_descriptor *)extra;
+
+ if (ms_ep->bLength > 3 &&
+ ms_ep->bDescriptorType == USB_DT_CS_ENDPOINT &&
+ ms_ep->bDescriptorSubtype == UAC_MS_GENERAL)
+ return ms_ep;
+ if (!extra[0])
+ break;
+ extralen -= extra[0];
+ extra += extra[0];
+ }
+ return NULL;
+}
+
/*
* Returns MIDIStreaming device capabilities.
*/
@@ -1865,11 +1887,8 @@ static int snd_usbmidi_get_ms_info(struct snd_usb_midi *umidi,
ep = get_ep_desc(hostep);
if (!usb_endpoint_xfer_bulk(ep) && !usb_endpoint_xfer_int(ep))
continue;
- ms_ep = (struct usb_ms_endpoint_descriptor *)hostep->extra;
- if (hostep->extralen < 4 ||
- ms_ep->bLength < 4 ||
- ms_ep->bDescriptorType != USB_DT_CS_ENDPOINT ||
- ms_ep->bDescriptorSubtype != UAC_MS_GENERAL)
+ ms_ep = find_usb_ms_endpoint_descriptor(hostep);
+ if (!ms_ep)
continue;
if (usb_endpoint_dir_out(ep)) {
if (endpoints[epidx].out_ep) {
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 136/245] PCI: pciehp: Fix MSI interrupt race
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (134 preceding siblings ...)
2020-09-29 10:59 ` [PATCH 4.19 135/245] ALSA: usb-audio: Fix case when USB MIDI interface has more than one extra endpoint descriptor Greg Kroah-Hartman
@ 2020-09-29 10:59 ` Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 137/245] NFS: Fix races nfs_page_group_destroy() vs nfs_destroy_unlinked_subrequests() Greg Kroah-Hartman
` (111 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:59 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Stuart Hayes, Lukas Wunner,
Bjorn Helgaas, Joerg Roedel, Sasha Levin
From: Stuart Hayes <stuart.w.hayes@gmail.com>
[ Upstream commit 8edf5332c39340b9583cf9cba659eb7ec71f75b5 ]
Without this commit, a PCIe hotplug port can stop generating interrupts on
hotplug events, so device adds and removals will not be seen:
The pciehp interrupt handler pciehp_isr() reads the Slot Status register
and then writes back to it to clear the bits that caused the interrupt. If
a different interrupt event bit gets set between the read and the write,
pciehp_isr() returns without having cleared all of the interrupt event
bits. If this happens when the MSI isn't masked (which by default it isn't
in handle_edge_irq(), and which it will never be when MSI per-vector
masking is not supported), we won't get any more hotplug interrupts from
that device.
That is expected behavior, according to the PCIe Base Spec r5.0, section
6.7.3.4, "Software Notification of Hot-Plug Events".
Because the Presence Detect Changed and Data Link Layer State Changed event
bits can both get set at nearly the same time when a device is added or
removed, this is more likely to happen than it might seem. The issue was
found (and can be reproduced rather easily) by connecting and disconnecting
an NVMe storage device on at least one system model where the NVMe devices
were being connected to an AMD PCIe port (PCI device 0x1022/0x1483).
Fix the issue by modifying pciehp_isr() to loop back and re-read the Slot
Status register immediately after writing to it, until it sees that all of
the event status bits have been cleared.
[lukas: drop loop count limitation, write "events" instead of "status",
don't loop back in INTx and poll modes, tweak code comment & commit msg]
Link: https://lore.kernel.org/r/78b4ced5072bfe6e369d20e8b47c279b8c7af12e.1582121613.git.lukas@wunner.de
Tested-by: Stuart Hayes <stuart.w.hayes@gmail.com>
Signed-off-by: Stuart Hayes <stuart.w.hayes@gmail.com>
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/hotplug/pciehp_hpc.c | 26 ++++++++++++++++++++------
1 file changed, 20 insertions(+), 6 deletions(-)
diff --git a/drivers/pci/hotplug/pciehp_hpc.c b/drivers/pci/hotplug/pciehp_hpc.c
index 07940d1d83b70..005817e40ad39 100644
--- a/drivers/pci/hotplug/pciehp_hpc.c
+++ b/drivers/pci/hotplug/pciehp_hpc.c
@@ -530,7 +530,7 @@ static irqreturn_t pciehp_isr(int irq, void *dev_id)
struct controller *ctrl = (struct controller *)dev_id;
struct pci_dev *pdev = ctrl_dev(ctrl);
struct device *parent = pdev->dev.parent;
- u16 status, events;
+ u16 status, events = 0;
/*
* Interrupts only occur in D3hot or shallower (PCIe r4.0, sec 6.7.3.4).
@@ -553,6 +553,7 @@ static irqreturn_t pciehp_isr(int irq, void *dev_id)
}
}
+read_status:
pcie_capability_read_word(pdev, PCI_EXP_SLTSTA, &status);
if (status == (u16) ~0) {
ctrl_info(ctrl, "%s: no response from device\n", __func__);
@@ -565,24 +566,37 @@ static irqreturn_t pciehp_isr(int irq, void *dev_id)
* Slot Status contains plain status bits as well as event
* notification bits; right now we only want the event bits.
*/
- events = status & (PCI_EXP_SLTSTA_ABP | PCI_EXP_SLTSTA_PFD |
- PCI_EXP_SLTSTA_PDC | PCI_EXP_SLTSTA_CC |
- PCI_EXP_SLTSTA_DLLSC);
+ status &= PCI_EXP_SLTSTA_ABP | PCI_EXP_SLTSTA_PFD |
+ PCI_EXP_SLTSTA_PDC | PCI_EXP_SLTSTA_CC |
+ PCI_EXP_SLTSTA_DLLSC;
/*
* If we've already reported a power fault, don't report it again
* until we've done something to handle it.
*/
if (ctrl->power_fault_detected)
- events &= ~PCI_EXP_SLTSTA_PFD;
+ status &= ~PCI_EXP_SLTSTA_PFD;
+ events |= status;
if (!events) {
if (parent)
pm_runtime_put(parent);
return IRQ_NONE;
}
- pcie_capability_write_word(pdev, PCI_EXP_SLTSTA, events);
+ if (status) {
+ pcie_capability_write_word(pdev, PCI_EXP_SLTSTA, events);
+
+ /*
+ * In MSI mode, all event bits must be zero before the port
+ * will send a new interrupt (PCIe Base Spec r5.0 sec 6.7.3.4).
+ * So re-read the Slot Status register in case a bit was set
+ * between read and write.
+ */
+ if (pci_dev_msi_enabled(pdev) && !pciehp_poll_mode)
+ goto read_status;
+ }
+
ctrl_dbg(ctrl, "pending interrupts %#06x from Slot Status\n", events);
if (parent)
pm_runtime_put(parent);
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 137/245] NFS: Fix races nfs_page_group_destroy() vs nfs_destroy_unlinked_subrequests()
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (135 preceding siblings ...)
2020-09-29 10:59 ` [PATCH 4.19 136/245] PCI: pciehp: Fix MSI interrupt race Greg Kroah-Hartman
@ 2020-09-29 10:59 ` Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 138/245] mm/kmemleak.c: use address-of operator on section symbols Greg Kroah-Hartman
` (110 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:59 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Trond Myklebust, Sasha Levin
From: Trond Myklebust <trond.myklebust@hammerspace.com>
[ Upstream commit 08ca8b21f760c0ed5034a5c122092eec22ccf8f4 ]
When a subrequest is being detached from the subgroup, we want to
ensure that it is not holding the group lock, or in the process
of waiting for the group lock.
Fixes: 5b2b5187fa85 ("NFS: Fix nfs_page_group_destroy() and nfs_lock_and_join_requests() race cases")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfs/pagelist.c | 67 +++++++++++++++++++++++++++-------------
fs/nfs/write.c | 10 ++++--
include/linux/nfs_page.h | 2 ++
3 files changed, 55 insertions(+), 24 deletions(-)
diff --git a/fs/nfs/pagelist.c b/fs/nfs/pagelist.c
index 5dae7c85d9b6e..2c7d76b4c5e18 100644
--- a/fs/nfs/pagelist.c
+++ b/fs/nfs/pagelist.c
@@ -132,47 +132,70 @@ nfs_async_iocounter_wait(struct rpc_task *task, struct nfs_lock_context *l_ctx)
EXPORT_SYMBOL_GPL(nfs_async_iocounter_wait);
/*
- * nfs_page_group_lock - lock the head of the page group
- * @req - request in group that is to be locked
+ * nfs_page_set_headlock - set the request PG_HEADLOCK
+ * @req: request that is to be locked
*
- * this lock must be held when traversing or modifying the page
- * group list
+ * this lock must be held when modifying req->wb_head
*
* return 0 on success, < 0 on error
*/
int
-nfs_page_group_lock(struct nfs_page *req)
+nfs_page_set_headlock(struct nfs_page *req)
{
- struct nfs_page *head = req->wb_head;
-
- WARN_ON_ONCE(head != head->wb_head);
-
- if (!test_and_set_bit(PG_HEADLOCK, &head->wb_flags))
+ if (!test_and_set_bit(PG_HEADLOCK, &req->wb_flags))
return 0;
- set_bit(PG_CONTENDED1, &head->wb_flags);
+ set_bit(PG_CONTENDED1, &req->wb_flags);
smp_mb__after_atomic();
- return wait_on_bit_lock(&head->wb_flags, PG_HEADLOCK,
+ return wait_on_bit_lock(&req->wb_flags, PG_HEADLOCK,
TASK_UNINTERRUPTIBLE);
}
/*
- * nfs_page_group_unlock - unlock the head of the page group
- * @req - request in group that is to be unlocked
+ * nfs_page_clear_headlock - clear the request PG_HEADLOCK
+ * @req: request that is to be locked
*/
void
-nfs_page_group_unlock(struct nfs_page *req)
+nfs_page_clear_headlock(struct nfs_page *req)
{
- struct nfs_page *head = req->wb_head;
-
- WARN_ON_ONCE(head != head->wb_head);
-
smp_mb__before_atomic();
- clear_bit(PG_HEADLOCK, &head->wb_flags);
+ clear_bit(PG_HEADLOCK, &req->wb_flags);
smp_mb__after_atomic();
- if (!test_bit(PG_CONTENDED1, &head->wb_flags))
+ if (!test_bit(PG_CONTENDED1, &req->wb_flags))
return;
- wake_up_bit(&head->wb_flags, PG_HEADLOCK);
+ wake_up_bit(&req->wb_flags, PG_HEADLOCK);
+}
+
+/*
+ * nfs_page_group_lock - lock the head of the page group
+ * @req: request in group that is to be locked
+ *
+ * this lock must be held when traversing or modifying the page
+ * group list
+ *
+ * return 0 on success, < 0 on error
+ */
+int
+nfs_page_group_lock(struct nfs_page *req)
+{
+ int ret;
+
+ ret = nfs_page_set_headlock(req);
+ if (ret || req->wb_head == req)
+ return ret;
+ return nfs_page_set_headlock(req->wb_head);
+}
+
+/*
+ * nfs_page_group_unlock - unlock the head of the page group
+ * @req: request in group that is to be unlocked
+ */
+void
+nfs_page_group_unlock(struct nfs_page *req)
+{
+ if (req != req->wb_head)
+ nfs_page_clear_headlock(req->wb_head);
+ nfs_page_clear_headlock(req);
}
/*
diff --git a/fs/nfs/write.c b/fs/nfs/write.c
index 63d20308a9bb7..d419d89b91f7c 100644
--- a/fs/nfs/write.c
+++ b/fs/nfs/write.c
@@ -416,22 +416,28 @@ nfs_destroy_unlinked_subrequests(struct nfs_page *destroy_list,
destroy_list = (subreq->wb_this_page == old_head) ?
NULL : subreq->wb_this_page;
+ /* Note: lock subreq in order to change subreq->wb_head */
+ nfs_page_set_headlock(subreq);
WARN_ON_ONCE(old_head != subreq->wb_head);
/* make sure old group is not used */
subreq->wb_this_page = subreq;
+ subreq->wb_head = subreq;
clear_bit(PG_REMOVE, &subreq->wb_flags);
/* Note: races with nfs_page_group_destroy() */
if (!kref_read(&subreq->wb_kref)) {
/* Check if we raced with nfs_page_group_destroy() */
- if (test_and_clear_bit(PG_TEARDOWN, &subreq->wb_flags))
+ if (test_and_clear_bit(PG_TEARDOWN, &subreq->wb_flags)) {
+ nfs_page_clear_headlock(subreq);
nfs_free_request(subreq);
+ } else
+ nfs_page_clear_headlock(subreq);
continue;
}
+ nfs_page_clear_headlock(subreq);
- subreq->wb_head = subreq;
nfs_release_request(old_head);
if (test_and_clear_bit(PG_INODE_REF, &subreq->wb_flags)) {
diff --git a/include/linux/nfs_page.h b/include/linux/nfs_page.h
index ad69430fd0eb5..5162fc1533c2f 100644
--- a/include/linux/nfs_page.h
+++ b/include/linux/nfs_page.h
@@ -142,6 +142,8 @@ extern void nfs_unlock_and_release_request(struct nfs_page *);
extern int nfs_page_group_lock(struct nfs_page *);
extern void nfs_page_group_unlock(struct nfs_page *);
extern bool nfs_page_group_sync_on_bit(struct nfs_page *, unsigned int);
+extern int nfs_page_set_headlock(struct nfs_page *req);
+extern void nfs_page_clear_headlock(struct nfs_page *req);
extern bool nfs_async_iocounter_wait(struct rpc_task *, struct nfs_lock_context *);
/*
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 138/245] mm/kmemleak.c: use address-of operator on section symbols
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (136 preceding siblings ...)
2020-09-29 10:59 ` [PATCH 4.19 137/245] NFS: Fix races nfs_page_group_destroy() vs nfs_destroy_unlinked_subrequests() Greg Kroah-Hartman
@ 2020-09-29 10:59 ` Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 139/245] mm/filemap.c: clear page error before actual read Greg Kroah-Hartman
` (109 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:59 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Nick Desaulniers, Nathan Chancellor,
Andrew Morton, Catalin Marinas, Linus Torvalds, Sasha Levin
From: Nathan Chancellor <natechancellor@gmail.com>
[ Upstream commit b0d14fc43d39203ae025f20ef4d5d25d9ccf4be1 ]
Clang warns:
mm/kmemleak.c:1955:28: warning: array comparison always evaluates to a constant [-Wtautological-compare]
if (__start_ro_after_init < _sdata || __end_ro_after_init > _edata)
^
mm/kmemleak.c:1955:60: warning: array comparison always evaluates to a constant [-Wtautological-compare]
if (__start_ro_after_init < _sdata || __end_ro_after_init > _edata)
These are not true arrays, they are linker defined symbols, which are just
addresses. Using the address of operator silences the warning and does
not change the resulting assembly with either clang/ld.lld or gcc/ld
(tested with diff + objdump -Dr).
Suggested-by: Nick Desaulniers <ndesaulniers@google.com>
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Acked-by: Catalin Marinas <catalin.marinas@arm.com>
Link: https://github.com/ClangBuiltLinux/linux/issues/895
Link: http://lkml.kernel.org/r/20200220051551.44000-1-natechancellor@gmail.com
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
mm/kmemleak.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mm/kmemleak.c b/mm/kmemleak.c
index 5eeabece0c178..f54734abf9466 100644
--- a/mm/kmemleak.c
+++ b/mm/kmemleak.c
@@ -2039,7 +2039,7 @@ void __init kmemleak_init(void)
create_object((unsigned long)__bss_start, __bss_stop - __bss_start,
KMEMLEAK_GREY, GFP_ATOMIC);
/* only register .data..ro_after_init if not within .data */
- if (__start_ro_after_init < _sdata || __end_ro_after_init > _edata)
+ if (&__start_ro_after_init < &_sdata || &__end_ro_after_init > &_edata)
create_object((unsigned long)__start_ro_after_init,
__end_ro_after_init - __start_ro_after_init,
KMEMLEAK_GREY, GFP_ATOMIC);
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 139/245] mm/filemap.c: clear page error before actual read
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (137 preceding siblings ...)
2020-09-29 10:59 ` [PATCH 4.19 138/245] mm/kmemleak.c: use address-of operator on section symbols Greg Kroah-Hartman
@ 2020-09-29 10:59 ` Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 140/245] mm/vmscan.c: fix data races using kswapd_classzone_idx Greg Kroah-Hartman
` (108 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:59 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Xianting Tian, Andrew Morton,
Matthew Wilcox (Oracle),
Jan Kara, yubin, Linus Torvalds, Sasha Levin
From: Xianting Tian <xianting_tian@126.com>
[ Upstream commit faffdfa04fa11ccf048cebdde73db41ede0679e0 ]
Mount failure issue happens under the scenario: Application forked dozens
of threads to mount the same number of cramfs images separately in docker,
but several mounts failed with high probability. Mount failed due to the
checking result of the page(read from the superblock of loop dev) is not
uptodate after wait_on_page_locked(page) returned in function cramfs_read:
wait_on_page_locked(page);
if (!PageUptodate(page)) {
...
}
The reason of the checking result of the page not uptodate: systemd-udevd
read the loopX dev before mount, because the status of loopX is Lo_unbound
at this time, so loop_make_request directly trigger the calling of io_end
handler end_buffer_async_read, which called SetPageError(page). So It
caused the page can't be set to uptodate in function
end_buffer_async_read:
if(page_uptodate && !PageError(page)) {
SetPageUptodate(page);
}
Then mount operation is performed, it used the same page which is just
accessed by systemd-udevd above, Because this page is not uptodate, it
will launch a actual read via submit_bh, then wait on this page by calling
wait_on_page_locked(page). When the I/O of the page done, io_end handler
end_buffer_async_read is called, because no one cleared the page
error(during the whole read path of mount), which is caused by
systemd-udevd reading, so this page is still in "PageError" status, which
can't be set to uptodate in function end_buffer_async_read, then caused
mount failure.
But sometimes mount succeed even through systemd-udeved read loopX dev
just before, The reason is systemd-udevd launched other loopX read just
between step 3.1 and 3.2, the steps as below:
1, loopX dev default status is Lo_unbound;
2, systemd-udved read loopX dev (page is set to PageError);
3, mount operation
1) set loopX status to Lo_bound;
==>systemd-udevd read loopX dev<==
2) read loopX dev(page has no error)
3) mount succeed
As the loopX dev status is set to Lo_bound after step 3.1, so the other
loopX dev read by systemd-udevd will go through the whole I/O stack, part
of the call trace as below:
SYS_read
vfs_read
do_sync_read
blkdev_aio_read
generic_file_aio_read
do_generic_file_read:
ClearPageError(page);
mapping->a_ops->readpage(filp, page);
here, mapping->a_ops->readpage() is blkdev_readpage. In latest kernel,
some function name changed, the call trace as below:
blkdev_read_iter
generic_file_read_iter
generic_file_buffered_read:
/*
* A previous I/O error may have been due to temporary
* failures, eg. mutipath errors.
* Pg_error will be set again if readpage fails.
*/
ClearPageError(page);
/* Start the actual read. The read will unlock the page*/
error=mapping->a_ops->readpage(flip, page);
We can see ClearPageError(page) is called before the actual read,
then the read in step 3.2 succeed.
This patch is to add the calling of ClearPageError just before the actual
read of read path of cramfs mount. Without the patch, the call trace as
below when performing cramfs mount:
do_mount
cramfs_read
cramfs_blkdev_read
read_cache_page
do_read_cache_page:
filler(data, page);
or
mapping->a_ops->readpage(data, page);
With the patch, the call trace as below when performing mount:
do_mount
cramfs_read
cramfs_blkdev_read
read_cache_page:
do_read_cache_page:
ClearPageError(page); <== new add
filler(data, page);
or
mapping->a_ops->readpage(data, page);
With the patch, mount operation trigger the calling of
ClearPageError(page) before the actual read, the page has no error if no
additional page error happen when I/O done.
Signed-off-by: Xianting Tian <xianting_tian@126.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Reviewed-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Jan Kara <jack@suse.cz>
Cc: <yubin@h3c.com>
Link: http://lkml.kernel.org/r/1583318844-22971-1-git-send-email-xianting_tian@126.com
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
mm/filemap.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/mm/filemap.c b/mm/filemap.c
index 45f1c6d73b5b0..f2e777003b901 100644
--- a/mm/filemap.c
+++ b/mm/filemap.c
@@ -2889,6 +2889,14 @@ filler:
unlock_page(page);
goto out;
}
+
+ /*
+ * A previous I/O error may have been due to temporary
+ * failures.
+ * Clear page error before actual read, PG_error will be
+ * set again if read page fails.
+ */
+ ClearPageError(page);
goto filler;
out:
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 140/245] mm/vmscan.c: fix data races using kswapd_classzone_idx
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (138 preceding siblings ...)
2020-09-29 10:59 ` [PATCH 4.19 139/245] mm/filemap.c: clear page error before actual read Greg Kroah-Hartman
@ 2020-09-29 10:59 ` Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 141/245] nvmet-rdma: fix double free of rdma queue Greg Kroah-Hartman
` (107 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:59 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Qian Cai, Andrew Morton, Marco Elver,
Matthew Wilcox, Linus Torvalds, Sasha Levin
From: Qian Cai <cai@lca.pw>
[ Upstream commit 5644e1fbbfe15ad06785502bbfe5751223e5841d ]
pgdat->kswapd_classzone_idx could be accessed concurrently in
wakeup_kswapd(). Plain writes and reads without any lock protection
result in data races. Fix them by adding a pair of READ|WRITE_ONCE() as
well as saving a branch (compilers might well optimize the original code
in an unintentional way anyway). While at it, also take care of
pgdat->kswapd_order and non-kswapd threads in allow_direct_reclaim(). The
data races were reported by KCSAN,
BUG: KCSAN: data-race in wakeup_kswapd / wakeup_kswapd
write to 0xffff9f427ffff2dc of 4 bytes by task 7454 on cpu 13:
wakeup_kswapd+0xf1/0x400
wakeup_kswapd at mm/vmscan.c:3967
wake_all_kswapds+0x59/0xc0
wake_all_kswapds at mm/page_alloc.c:4241
__alloc_pages_slowpath+0xdcc/0x1290
__alloc_pages_slowpath at mm/page_alloc.c:4512
__alloc_pages_nodemask+0x3bb/0x450
alloc_pages_vma+0x8a/0x2c0
do_anonymous_page+0x16e/0x6f0
__handle_mm_fault+0xcd5/0xd40
handle_mm_fault+0xfc/0x2f0
do_page_fault+0x263/0x6f9
page_fault+0x34/0x40
1 lock held by mtest01/7454:
#0: ffff9f425afe8808 (&mm->mmap_sem#2){++++}, at:
do_page_fault+0x143/0x6f9
do_user_addr_fault at arch/x86/mm/fault.c:1405
(inlined by) do_page_fault at arch/x86/mm/fault.c:1539
irq event stamp: 6944085
count_memcg_event_mm+0x1a6/0x270
count_memcg_event_mm+0x119/0x270
__do_softirq+0x34c/0x57c
irq_exit+0xa2/0xc0
read to 0xffff9f427ffff2dc of 4 bytes by task 7472 on cpu 38:
wakeup_kswapd+0xc8/0x400
wake_all_kswapds+0x59/0xc0
__alloc_pages_slowpath+0xdcc/0x1290
__alloc_pages_nodemask+0x3bb/0x450
alloc_pages_vma+0x8a/0x2c0
do_anonymous_page+0x16e/0x6f0
__handle_mm_fault+0xcd5/0xd40
handle_mm_fault+0xfc/0x2f0
do_page_fault+0x263/0x6f9
page_fault+0x34/0x40
1 lock held by mtest01/7472:
#0: ffff9f425a9ac148 (&mm->mmap_sem#2){++++}, at:
do_page_fault+0x143/0x6f9
irq event stamp: 6793561
count_memcg_event_mm+0x1a6/0x270
count_memcg_event_mm+0x119/0x270
__do_softirq+0x34c/0x57c
irq_exit+0xa2/0xc0
BUG: KCSAN: data-race in kswapd / wakeup_kswapd
write to 0xffff90973ffff2dc of 4 bytes by task 820 on cpu 6:
kswapd+0x27c/0x8d0
kthread+0x1e0/0x200
ret_from_fork+0x27/0x50
read to 0xffff90973ffff2dc of 4 bytes by task 6299 on cpu 0:
wakeup_kswapd+0xf3/0x450
wake_all_kswapds+0x59/0xc0
__alloc_pages_slowpath+0xdcc/0x1290
__alloc_pages_nodemask+0x3bb/0x450
alloc_pages_vma+0x8a/0x2c0
do_anonymous_page+0x170/0x700
__handle_mm_fault+0xc9f/0xd00
handle_mm_fault+0xfc/0x2f0
do_page_fault+0x263/0x6f9
page_fault+0x34/0x40
Signed-off-by: Qian Cai <cai@lca.pw>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Marco Elver <elver@google.com>
Cc: Matthew Wilcox <willy@infradead.org>
Link: http://lkml.kernel.org/r/1582749472-5171-1-git-send-email-cai@lca.pw
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
mm/vmscan.c | 45 ++++++++++++++++++++++++++-------------------
1 file changed, 26 insertions(+), 19 deletions(-)
diff --git a/mm/vmscan.c b/mm/vmscan.c
index b93dc8fc6007f..b7d7f6d65bd5b 100644
--- a/mm/vmscan.c
+++ b/mm/vmscan.c
@@ -3109,8 +3109,9 @@ static bool allow_direct_reclaim(pg_data_t *pgdat)
/* kswapd must be awake if processes are being throttled */
if (!wmark_ok && waitqueue_active(&pgdat->kswapd_wait)) {
- pgdat->kswapd_classzone_idx = min(pgdat->kswapd_classzone_idx,
- (enum zone_type)ZONE_NORMAL);
+ if (READ_ONCE(pgdat->kswapd_classzone_idx) > ZONE_NORMAL)
+ WRITE_ONCE(pgdat->kswapd_classzone_idx, ZONE_NORMAL);
+
wake_up_interruptible(&pgdat->kswapd_wait);
}
@@ -3626,9 +3627,9 @@ out:
static enum zone_type kswapd_classzone_idx(pg_data_t *pgdat,
enum zone_type prev_classzone_idx)
{
- if (pgdat->kswapd_classzone_idx == MAX_NR_ZONES)
- return prev_classzone_idx;
- return pgdat->kswapd_classzone_idx;
+ enum zone_type curr_idx = READ_ONCE(pgdat->kswapd_classzone_idx);
+
+ return curr_idx == MAX_NR_ZONES ? prev_classzone_idx : curr_idx;
}
static void kswapd_try_to_sleep(pg_data_t *pgdat, int alloc_order, int reclaim_order,
@@ -3672,8 +3673,11 @@ static void kswapd_try_to_sleep(pg_data_t *pgdat, int alloc_order, int reclaim_o
* the previous request that slept prematurely.
*/
if (remaining) {
- pgdat->kswapd_classzone_idx = kswapd_classzone_idx(pgdat, classzone_idx);
- pgdat->kswapd_order = max(pgdat->kswapd_order, reclaim_order);
+ WRITE_ONCE(pgdat->kswapd_classzone_idx,
+ kswapd_classzone_idx(pgdat, classzone_idx));
+
+ if (READ_ONCE(pgdat->kswapd_order) < reclaim_order)
+ WRITE_ONCE(pgdat->kswapd_order, reclaim_order);
}
finish_wait(&pgdat->kswapd_wait, &wait);
@@ -3755,12 +3759,12 @@ static int kswapd(void *p)
tsk->flags |= PF_MEMALLOC | PF_SWAPWRITE | PF_KSWAPD;
set_freezable();
- pgdat->kswapd_order = 0;
- pgdat->kswapd_classzone_idx = MAX_NR_ZONES;
+ WRITE_ONCE(pgdat->kswapd_order, 0);
+ WRITE_ONCE(pgdat->kswapd_classzone_idx, MAX_NR_ZONES);
for ( ; ; ) {
bool ret;
- alloc_order = reclaim_order = pgdat->kswapd_order;
+ alloc_order = reclaim_order = READ_ONCE(pgdat->kswapd_order);
classzone_idx = kswapd_classzone_idx(pgdat, classzone_idx);
kswapd_try_sleep:
@@ -3768,10 +3772,10 @@ kswapd_try_sleep:
classzone_idx);
/* Read the new order and classzone_idx */
- alloc_order = reclaim_order = pgdat->kswapd_order;
+ alloc_order = reclaim_order = READ_ONCE(pgdat->kswapd_order);
classzone_idx = kswapd_classzone_idx(pgdat, classzone_idx);
- pgdat->kswapd_order = 0;
- pgdat->kswapd_classzone_idx = MAX_NR_ZONES;
+ WRITE_ONCE(pgdat->kswapd_order, 0);
+ WRITE_ONCE(pgdat->kswapd_classzone_idx, MAX_NR_ZONES);
ret = try_to_freeze();
if (kthread_should_stop())
@@ -3816,20 +3820,23 @@ void wakeup_kswapd(struct zone *zone, gfp_t gfp_flags, int order,
enum zone_type classzone_idx)
{
pg_data_t *pgdat;
+ enum zone_type curr_idx;
if (!managed_zone(zone))
return;
if (!cpuset_zone_allowed(zone, gfp_flags))
return;
+
pgdat = zone->zone_pgdat;
+ curr_idx = READ_ONCE(pgdat->kswapd_classzone_idx);
+
+ if (curr_idx == MAX_NR_ZONES || curr_idx < classzone_idx)
+ WRITE_ONCE(pgdat->kswapd_classzone_idx, classzone_idx);
+
+ if (READ_ONCE(pgdat->kswapd_order) < order)
+ WRITE_ONCE(pgdat->kswapd_order, order);
- if (pgdat->kswapd_classzone_idx == MAX_NR_ZONES)
- pgdat->kswapd_classzone_idx = classzone_idx;
- else
- pgdat->kswapd_classzone_idx = max(pgdat->kswapd_classzone_idx,
- classzone_idx);
- pgdat->kswapd_order = max(pgdat->kswapd_order, order);
if (!waitqueue_active(&pgdat->kswapd_wait))
return;
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 141/245] nvmet-rdma: fix double free of rdma queue
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (139 preceding siblings ...)
2020-09-29 10:59 ` [PATCH 4.19 140/245] mm/vmscan.c: fix data races using kswapd_classzone_idx Greg Kroah-Hartman
@ 2020-09-29 10:59 ` Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 142/245] mm/mmap.c: initialize align_offset explicitly for vm_unmapped_area Greg Kroah-Hartman
` (106 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:59 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Israel Rukshin, Sagi Grimberg,
Max Gurtovoy, Christoph Hellwig, Sasha Levin
From: Israel Rukshin <israelr@mellanox.com>
[ Upstream commit 21f9024355e58772ec5d7fc3534aa5e29d72a8b6 ]
In case rdma accept fails at nvmet_rdma_queue_connect(), release work is
scheduled. Later on, a new RDMA CM event may arrive since we didn't
destroy the cm-id and call nvmet_rdma_queue_connect_fail(), which
schedule another release work. This will cause calling
nvmet_rdma_free_queue twice. To fix this we implicitly destroy the cm_id
with non-zero ret code, which guarantees that new rdma_cm events will
not arrive afterwards. Also add a qp pointer to nvmet_rdma_queue
structure, so we can use it when the cm_id pointer is NULL or was
destroyed.
Signed-off-by: Israel Rukshin <israelr@mellanox.com>
Suggested-by: Sagi Grimberg <sagi@grimberg.me>
Reviewed-by: Max Gurtovoy <maxg@mellanox.com>
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nvme/target/rdma.c | 30 ++++++++++++++++++------------
1 file changed, 18 insertions(+), 12 deletions(-)
diff --git a/drivers/nvme/target/rdma.c b/drivers/nvme/target/rdma.c
index 08f997a390d5d..cfd26437aeaea 100644
--- a/drivers/nvme/target/rdma.c
+++ b/drivers/nvme/target/rdma.c
@@ -83,6 +83,7 @@ enum nvmet_rdma_queue_state {
struct nvmet_rdma_queue {
struct rdma_cm_id *cm_id;
+ struct ib_qp *qp;
struct nvmet_port *port;
struct ib_cq *cq;
atomic_t sq_wr_avail;
@@ -471,7 +472,7 @@ static int nvmet_rdma_post_recv(struct nvmet_rdma_device *ndev,
if (ndev->srq)
ret = ib_post_srq_recv(ndev->srq, &cmd->wr, NULL);
else
- ret = ib_post_recv(cmd->queue->cm_id->qp, &cmd->wr, NULL);
+ ret = ib_post_recv(cmd->queue->qp, &cmd->wr, NULL);
if (unlikely(ret))
pr_err("post_recv cmd failed\n");
@@ -510,7 +511,7 @@ static void nvmet_rdma_release_rsp(struct nvmet_rdma_rsp *rsp)
atomic_add(1 + rsp->n_rdma, &queue->sq_wr_avail);
if (rsp->n_rdma) {
- rdma_rw_ctx_destroy(&rsp->rw, queue->cm_id->qp,
+ rdma_rw_ctx_destroy(&rsp->rw, queue->qp,
queue->cm_id->port_num, rsp->req.sg,
rsp->req.sg_cnt, nvmet_data_dir(&rsp->req));
}
@@ -594,7 +595,7 @@ static void nvmet_rdma_read_data_done(struct ib_cq *cq, struct ib_wc *wc)
WARN_ON(rsp->n_rdma <= 0);
atomic_add(rsp->n_rdma, &queue->sq_wr_avail);
- rdma_rw_ctx_destroy(&rsp->rw, queue->cm_id->qp,
+ rdma_rw_ctx_destroy(&rsp->rw, queue->qp,
queue->cm_id->port_num, rsp->req.sg,
rsp->req.sg_cnt, nvmet_data_dir(&rsp->req));
rsp->n_rdma = 0;
@@ -737,7 +738,7 @@ static bool nvmet_rdma_execute_command(struct nvmet_rdma_rsp *rsp)
}
if (nvmet_rdma_need_data_in(rsp)) {
- if (rdma_rw_ctx_post(&rsp->rw, queue->cm_id->qp,
+ if (rdma_rw_ctx_post(&rsp->rw, queue->qp,
queue->cm_id->port_num, &rsp->read_cqe, NULL))
nvmet_req_complete(&rsp->req, NVME_SC_DATA_XFER_ERROR);
} else {
@@ -1020,6 +1021,7 @@ static int nvmet_rdma_create_queue_ib(struct nvmet_rdma_queue *queue)
pr_err("failed to create_qp ret= %d\n", ret);
goto err_destroy_cq;
}
+ queue->qp = queue->cm_id->qp;
atomic_set(&queue->sq_wr_avail, qp_attr.cap.max_send_wr);
@@ -1048,11 +1050,10 @@ err_destroy_cq:
static void nvmet_rdma_destroy_queue_ib(struct nvmet_rdma_queue *queue)
{
- struct ib_qp *qp = queue->cm_id->qp;
-
- ib_drain_qp(qp);
- rdma_destroy_id(queue->cm_id);
- ib_destroy_qp(qp);
+ ib_drain_qp(queue->qp);
+ if (queue->cm_id)
+ rdma_destroy_id(queue->cm_id);
+ ib_destroy_qp(queue->qp);
ib_free_cq(queue->cq);
}
@@ -1286,9 +1287,12 @@ static int nvmet_rdma_queue_connect(struct rdma_cm_id *cm_id,
ret = nvmet_rdma_cm_accept(cm_id, queue, &event->param.conn);
if (ret) {
- schedule_work(&queue->release_work);
- /* Destroying rdma_cm id is not needed here */
- return 0;
+ /*
+ * Don't destroy the cm_id in free path, as we implicitly
+ * destroy the cm_id here with non-zero ret code.
+ */
+ queue->cm_id = NULL;
+ goto free_queue;
}
mutex_lock(&nvmet_rdma_queue_mutex);
@@ -1297,6 +1301,8 @@ static int nvmet_rdma_queue_connect(struct rdma_cm_id *cm_id,
return 0;
+free_queue:
+ nvmet_rdma_free_queue(queue);
put_device:
kref_put(&ndev->ref, nvmet_rdma_free_dev);
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 142/245] mm/mmap.c: initialize align_offset explicitly for vm_unmapped_area
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (140 preceding siblings ...)
2020-09-29 10:59 ` [PATCH 4.19 141/245] nvmet-rdma: fix double free of rdma queue Greg Kroah-Hartman
@ 2020-09-29 10:59 ` Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 143/245] scsi: qedi: Fix termination timeouts in session logout Greg Kroah-Hartman
` (105 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:59 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Jaewon Kim, Andrew Morton,
Matthew Wilcox (Oracle),
Michel Lespinasse, Borislav Petkov, Linus Torvalds, Sasha Levin
From: Jaewon Kim <jaewon31.kim@samsung.com>
[ Upstream commit 09ef5283fd96ac424ef0e569626f359bf9ab86c9 ]
On passing requirement to vm_unmapped_area, arch_get_unmapped_area and
arch_get_unmapped_area_topdown did not set align_offset. Internally on
both unmapped_area and unmapped_area_topdown, if info->align_mask is 0,
then info->align_offset was meaningless.
But commit df529cabb7a2 ("mm: mmap: add trace point of
vm_unmapped_area") always prints info->align_offset even though it is
uninitialized.
Fix this uninitialized value issue by setting it to 0 explicitly.
Before:
vm_unmapped_area: addr=0x755b155000 err=0 total_vm=0x15aaf0 flags=0x1 len=0x109000 lo=0x8000 hi=0x75eed48000 mask=0x0 ofs=0x4022
After:
vm_unmapped_area: addr=0x74a4ca1000 err=0 total_vm=0x168ab1 flags=0x1 len=0x9000 lo=0x8000 hi=0x753d94b000 mask=0x0 ofs=0x0
Signed-off-by: Jaewon Kim <jaewon31.kim@samsung.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Michel Lespinasse <walken@google.com>
Cc: Borislav Petkov <bp@suse.de>
Link: http://lkml.kernel.org/r/20200409094035.19457-1-jaewon31.kim@samsung.com
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
mm/mmap.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/mm/mmap.c b/mm/mmap.c
index e84fd3347a518..f875386e7acd4 100644
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -2077,6 +2077,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
info.low_limit = mm->mmap_base;
info.high_limit = TASK_SIZE;
info.align_mask = 0;
+ info.align_offset = 0;
return vm_unmapped_area(&info);
}
#endif
@@ -2118,6 +2119,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
info.low_limit = max(PAGE_SIZE, mmap_min_addr);
info.high_limit = mm->mmap_base;
info.align_mask = 0;
+ info.align_offset = 0;
addr = vm_unmapped_area(&info);
/*
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 143/245] scsi: qedi: Fix termination timeouts in session logout
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (141 preceding siblings ...)
2020-09-29 10:59 ` [PATCH 4.19 142/245] mm/mmap.c: initialize align_offset explicitly for vm_unmapped_area Greg Kroah-Hartman
@ 2020-09-29 10:59 ` Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 144/245] serial: uartps: Wait for tx_empty in console setup Greg Kroah-Hartman
` (104 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:59 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Lee Duncan, Nilesh Javali,
Manish Rangankar, Martin K. Petersen, Sasha Levin
From: Nilesh Javali <njavali@marvell.com>
[ Upstream commit b9b97e6903032ec56e6dcbe137a9819b74a17fea ]
The destroy connection ramrod timed out during session logout. Fix the
wait delay for graceful vs abortive termination as per the FW requirements.
Link: https://lore.kernel.org/r/20200408064332.19377-7-mrangankar@marvell.com
Reviewed-by: Lee Duncan <lduncan@suse.com>
Signed-off-by: Nilesh Javali <njavali@marvell.com>
Signed-off-by: Manish Rangankar <mrangankar@marvell.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/qedi/qedi_iscsi.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/scsi/qedi/qedi_iscsi.c b/drivers/scsi/qedi/qedi_iscsi.c
index 751941a3ed303..aa451c8b49e56 100644
--- a/drivers/scsi/qedi/qedi_iscsi.c
+++ b/drivers/scsi/qedi/qedi_iscsi.c
@@ -1065,6 +1065,9 @@ static void qedi_ep_disconnect(struct iscsi_endpoint *ep)
break;
}
+ if (!abrt_conn)
+ wait_delay += qedi->pf_params.iscsi_pf_params.two_msl_timer;
+
qedi_ep->state = EP_STATE_DISCONN_START;
ret = qedi_ops->destroy_conn(qedi->cdev, qedi_ep->handle, abrt_conn);
if (ret) {
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 144/245] serial: uartps: Wait for tx_empty in console setup
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (142 preceding siblings ...)
2020-09-29 10:59 ` [PATCH 4.19 143/245] scsi: qedi: Fix termination timeouts in session logout Greg Kroah-Hartman
@ 2020-09-29 10:59 ` Greg Kroah-Hartman
2020-09-30 20:07 ` Pavel Machek
2020-09-29 10:59 ` [PATCH 4.19 145/245] KVM: Remove CREATE_IRQCHIP/SET_PIT2 race Greg Kroah-Hartman
` (103 subsequent siblings)
247 siblings, 1 reply; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:59 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Raviteja Narayanam,
Shubhrajyoti Datta, Sasha Levin
From: Raviteja Narayanam <raviteja.narayanam@xilinx.com>
[ Upstream commit 42e11948ddf68b9f799cad8c0ddeab0a39da33e8 ]
On some platforms, the log is corrupted while console is being
registered. It is observed that when set_termios is called, there
are still some bytes in the FIFO to be transmitted.
So, wait for tx_empty inside cdns_uart_console_setup before calling
set_termios.
Signed-off-by: Raviteja Narayanam <raviteja.narayanam@xilinx.com>
Reviewed-by: Shubhrajyoti Datta <shubhrajyoti.datta@xilinx.com>
Link: https://lore.kernel.org/r/1586413563-29125-2-git-send-email-raviteja.narayanam@xilinx.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/tty/serial/xilinx_uartps.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/tty/serial/xilinx_uartps.c b/drivers/tty/serial/xilinx_uartps.c
index 31950a38f0fb7..23f9b0cdff086 100644
--- a/drivers/tty/serial/xilinx_uartps.c
+++ b/drivers/tty/serial/xilinx_uartps.c
@@ -1236,6 +1236,7 @@ static int cdns_uart_console_setup(struct console *co, char *options)
int bits = 8;
int parity = 'n';
int flow = 'n';
+ unsigned long time_out;
if (!port->membase) {
pr_debug("console on " CDNS_UART_TTY_NAME "%i not present\n",
@@ -1246,6 +1247,13 @@ static int cdns_uart_console_setup(struct console *co, char *options)
if (options)
uart_parse_options(options, &baud, &parity, &bits, &flow);
+ /* Wait for tx_empty before setting up the console */
+ time_out = jiffies + usecs_to_jiffies(TX_TIMEOUT);
+
+ while (time_before(jiffies, time_out) &&
+ cdns_uart_tx_empty(port) != TIOCSER_TEMT)
+ cpu_relax();
+
return uart_set_options(port, co, baud, parity, bits, flow);
}
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 145/245] KVM: Remove CREATE_IRQCHIP/SET_PIT2 race
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (143 preceding siblings ...)
2020-09-29 10:59 ` [PATCH 4.19 144/245] serial: uartps: Wait for tx_empty in console setup Greg Kroah-Hartman
@ 2020-09-29 10:59 ` Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 146/245] perf stat: Force error in fallback on :k events Greg Kroah-Hartman
` (102 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:59 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Steve Rutherford, Jon Cargille,
Jim Mattson, Paolo Bonzini, Sasha Levin
From: Steve Rutherford <srutherford@google.com>
[ Upstream commit 7289fdb5dcdbc5155b5531529c44105868a762f2 ]
Fixes a NULL pointer dereference, caused by the PIT firing an interrupt
before the interrupt table has been initialized.
SET_PIT2 can race with the creation of the IRQchip. In particular,
if SET_PIT2 is called with a low PIT timer period (after the creation of
the IOAPIC, but before the instantiation of the irq routes), the PIT can
fire an interrupt at an uninitialized table.
Signed-off-by: Steve Rutherford <srutherford@google.com>
Signed-off-by: Jon Cargille <jcargill@google.com>
Reviewed-by: Jim Mattson <jmattson@google.com>
Message-Id: <20200416191152.259434-1-jcargill@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kvm/x86.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 430a4bc66f604..620ed1fa35119 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -4668,10 +4668,13 @@ set_identity_unlock:
r = -EFAULT;
if (copy_from_user(&u.ps, argp, sizeof u.ps))
goto out;
+ mutex_lock(&kvm->lock);
r = -ENXIO;
if (!kvm->arch.vpit)
- goto out;
+ goto set_pit_out;
r = kvm_vm_ioctl_set_pit(kvm, &u.ps);
+set_pit_out:
+ mutex_unlock(&kvm->lock);
break;
}
case KVM_GET_PIT2: {
@@ -4691,10 +4694,13 @@ set_identity_unlock:
r = -EFAULT;
if (copy_from_user(&u.ps2, argp, sizeof(u.ps2)))
goto out;
+ mutex_lock(&kvm->lock);
r = -ENXIO;
if (!kvm->arch.vpit)
- goto out;
+ goto set_pit2_out;
r = kvm_vm_ioctl_set_pit2(kvm, &u.ps2);
+set_pit2_out:
+ mutex_unlock(&kvm->lock);
break;
}
case KVM_REINJECT_CONTROL: {
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 146/245] perf stat: Force error in fallback on :k events
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (144 preceding siblings ...)
2020-09-29 10:59 ` [PATCH 4.19 145/245] KVM: Remove CREATE_IRQCHIP/SET_PIT2 race Greg Kroah-Hartman
@ 2020-09-29 10:59 ` Greg Kroah-Hartman
2020-09-29 13:33 ` Naresh Kamboju
2020-09-29 10:59 ` [PATCH 4.19 147/245] bdev: Reduce time holding bd_mutex in sync in blkdev_close() Greg Kroah-Hartman
` (101 subsequent siblings)
247 siblings, 1 reply; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:59 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Stephane Eranian, Ian Rogers,
Jiri Olsa, Arnaldo Carvalho de Melo, Alexander Shishkin,
Mark Rutland, Namhyung Kim, Peter Zijlstra, Sasha Levin
From: Stephane Eranian <eranian@google.com>
[ Upstream commit bec49a9e05db3dbdca696fa07c62c52638fb6371 ]
When it is not possible for a non-privilege perf command to monitor at
the kernel level (:k), the fallback code forces a :u. That works if the
event was previously monitoring both levels. But if the event was
already constrained to kernel only, then it does not make sense to
restrict it to user only.
Given the code works by exclusion, a kernel only event would have:
attr->exclude_user = 1
The fallback code would add:
attr->exclude_kernel = 1
In the end the end would not monitor in either the user level or kernel
level. In other words, it would count nothing.
An event programmed to monitor kernel only cannot be switched to user
only without seriously warning the user.
This patch forces an error in this case to make it clear the request
cannot really be satisfied.
Behavior with paranoid 1:
$ sudo bash -c "echo 1 > /proc/sys/kernel/perf_event_paranoid"
$ perf stat -e cycles:k sleep 1
Performance counter stats for 'sleep 1':
1,520,413 cycles:k
1.002361664 seconds time elapsed
0.002480000 seconds user
0.000000000 seconds sys
Old behavior with paranoid 2:
$ sudo bash -c "echo 2 > /proc/sys/kernel/perf_event_paranoid"
$ perf stat -e cycles:k sleep 1
Performance counter stats for 'sleep 1':
0 cycles:ku
1.002358127 seconds time elapsed
0.002384000 seconds user
0.000000000 seconds sys
New behavior with paranoid 2:
$ sudo bash -c "echo 2 > /proc/sys/kernel/perf_event_paranoid"
$ perf stat -e cycles:k sleep 1
Error:
You may not have permission to collect stats.
Consider tweaking /proc/sys/kernel/perf_event_paranoid,
which controls use of the performance events system by
unprivileged users (without CAP_PERFMON or CAP_SYS_ADMIN).
The current value is 2:
-1: Allow use of (almost) all events by all users
Ignore mlock limit after perf_event_mlock_kb without CAP_IPC_LOCK
>= 0: Disallow ftrace function tracepoint by users without CAP_PERFMON or CAP_SYS_ADMIN
Disallow raw tracepoint access by users without CAP_SYS_PERFMON or CAP_SYS_ADMIN
>= 1: Disallow CPU event access by users without CAP_PERFMON or CAP_SYS_ADMIN
>= 2: Disallow kernel profiling by users without CAP_PERFMON or CAP_SYS_ADMIN
To make this setting permanent, edit /etc/sysctl.conf too, e.g.:
kernel.perf_event_paranoid = -1
v2 of this patch addresses the review feedback from jolsa@redhat.com.
Signed-off-by: Stephane Eranian <eranian@google.com>
Reviewed-by: Ian Rogers <irogers@google.com>
Acked-by: Jiri Olsa <jolsa@redhat.com>
Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Link: http://lore.kernel.org/lkml/20200414161550.225588-1-irogers@google.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/util/evsel.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c
index 68c5ab0e1800b..e8586957562b3 100644
--- a/tools/perf/util/evsel.c
+++ b/tools/perf/util/evsel.c
@@ -2796,6 +2796,10 @@ bool perf_evsel__fallback(struct perf_evsel *evsel, int err,
char *new_name;
const char *sep = ":";
+ /* If event has exclude user then don't exclude kernel. */
+ if (evsel->core.attr.exclude_user)
+ return false;
+
/* Is there already the separator in the name. */
if (strchr(name, '/') ||
strchr(name, ':'))
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 147/245] bdev: Reduce time holding bd_mutex in sync in blkdev_close()
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (145 preceding siblings ...)
2020-09-29 10:59 ` [PATCH 4.19 146/245] perf stat: Force error in fallback on :k events Greg Kroah-Hartman
@ 2020-09-29 10:59 ` Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 148/245] drivers: char: tlclk.c: Avoid data race between init and interrupt handler Greg Kroah-Hartman
` (100 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:59 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Douglas Anderson, Guenter Roeck,
Christoph Hellwig, Jens Axboe, Sasha Levin
From: Douglas Anderson <dianders@chromium.org>
[ Upstream commit b849dd84b6ccfe32622988b79b7b073861fcf9f7 ]
While trying to "dd" to the block device for a USB stick, I
encountered a hung task warning (blocked for > 120 seconds). I
managed to come up with an easy way to reproduce this on my system
(where /dev/sdb is the block device for my USB stick) with:
while true; do dd if=/dev/zero of=/dev/sdb bs=4M; done
With my reproduction here are the relevant bits from the hung task
detector:
INFO: task udevd:294 blocked for more than 122 seconds.
...
udevd D 0 294 1 0x00400008
Call trace:
...
mutex_lock_nested+0x40/0x50
__blkdev_get+0x7c/0x3d4
blkdev_get+0x118/0x138
blkdev_open+0x94/0xa8
do_dentry_open+0x268/0x3a0
vfs_open+0x34/0x40
path_openat+0x39c/0xdf4
do_filp_open+0x90/0x10c
do_sys_open+0x150/0x3c8
...
...
Showing all locks held in the system:
...
1 lock held by dd/2798:
#0: ffffff814ac1a3b8 (&bdev->bd_mutex){+.+.}, at: __blkdev_put+0x50/0x204
...
dd D 0 2798 2764 0x00400208
Call trace:
...
schedule+0x8c/0xbc
io_schedule+0x1c/0x40
wait_on_page_bit_common+0x238/0x338
__lock_page+0x5c/0x68
write_cache_pages+0x194/0x500
generic_writepages+0x64/0xa4
blkdev_writepages+0x24/0x30
do_writepages+0x48/0xa8
__filemap_fdatawrite_range+0xac/0xd8
filemap_write_and_wait+0x30/0x84
__blkdev_put+0x88/0x204
blkdev_put+0xc4/0xe4
blkdev_close+0x28/0x38
__fput+0xe0/0x238
____fput+0x1c/0x28
task_work_run+0xb0/0xe4
do_notify_resume+0xfc0/0x14bc
work_pending+0x8/0x14
The problem appears related to the fact that my USB disk is terribly
slow and that I have a lot of RAM in my system to cache things.
Specifically my writes seem to be happening at ~15 MB/s and I've got
~4 GB of RAM in my system that can be used for buffering. To write 4
GB of buffer to disk thus takes ~4000 MB / ~15 MB/s = ~267 seconds.
The 267 second number is a problem because in __blkdev_put() we call
sync_blockdev() while holding the bd_mutex. Any other callers who
want the bd_mutex will be blocked for the whole time.
The problem is made worse because I believe blkdev_put() specifically
tells other tasks (namely udev) to go try to access the device at right
around the same time we're going to hold the mutex for a long time.
Putting some traces around this (after disabling the hung task detector),
I could confirm:
dd: 437.608600: __blkdev_put() right before sync_blockdev() for sdb
udevd: 437.623901: blkdev_open() right before blkdev_get() for sdb
dd: 661.468451: __blkdev_put() right after sync_blockdev() for sdb
udevd: 663.820426: blkdev_open() right after blkdev_get() for sdb
A simple fix for this is to realize that sync_blockdev() works fine if
you're not holding the mutex. Also, it's not the end of the world if
you sync a little early (though it can have performance impacts).
Thus we can make a guess that we're going to need to do the sync and
then do it without holding the mutex. We still do one last sync with
the mutex but it should be much, much faster.
With this, my hung task warnings for my test case are gone.
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/block_dev.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/fs/block_dev.c b/fs/block_dev.c
index 8ac8f7469354b..9f3faac490259 100644
--- a/fs/block_dev.c
+++ b/fs/block_dev.c
@@ -1793,6 +1793,16 @@ static void __blkdev_put(struct block_device *bdev, fmode_t mode, int for_part)
struct gendisk *disk = bdev->bd_disk;
struct block_device *victim = NULL;
+ /*
+ * Sync early if it looks like we're the last one. If someone else
+ * opens the block device between now and the decrement of bd_openers
+ * then we did a sync that we didn't need to, but that's not the end
+ * of the world and we want to avoid long (could be several minute)
+ * syncs while holding the mutex.
+ */
+ if (bdev->bd_openers == 1)
+ sync_blockdev(bdev);
+
mutex_lock_nested(&bdev->bd_mutex, for_part);
if (for_part)
bdev->bd_part_count--;
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 148/245] drivers: char: tlclk.c: Avoid data race between init and interrupt handler
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (146 preceding siblings ...)
2020-09-29 10:59 ` [PATCH 4.19 147/245] bdev: Reduce time holding bd_mutex in sync in blkdev_close() Greg Kroah-Hartman
@ 2020-09-29 10:59 ` Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 149/245] KVM: arm64: vgic-its: Fix memory leak on the error path of vgic_add_lpi() Greg Kroah-Hartman
` (99 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 10:59 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Madhuparna Bhowmik, Sasha Levin
From: Madhuparna Bhowmik <madhuparnabhowmik10@gmail.com>
[ Upstream commit 44b8fb6eaa7c3fb770bf1e37619cdb3902cca1fc ]
After registering character device the file operation callbacks can be
called. The open callback registers interrupt handler.
Therefore interrupt handler can execute in parallel with rest of the init
function. To avoid such data race initialize telclk_interrupt variable
and struct alarm_events before registering character device.
Found by Linux Driver Verification project (linuxtesting.org).
Signed-off-by: Madhuparna Bhowmik <madhuparnabhowmik10@gmail.com>
Link: https://lore.kernel.org/r/20200417153451.1551-1-madhuparnabhowmik10@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/char/tlclk.c | 17 ++++++++++-------
1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/drivers/char/tlclk.c b/drivers/char/tlclk.c
index 8eeb4190207d1..dce22b7fc5449 100644
--- a/drivers/char/tlclk.c
+++ b/drivers/char/tlclk.c
@@ -776,17 +776,21 @@ static int __init tlclk_init(void)
{
int ret;
+ telclk_interrupt = (inb(TLCLK_REG7) & 0x0f);
+
+ alarm_events = kzalloc( sizeof(struct tlclk_alarms), GFP_KERNEL);
+ if (!alarm_events) {
+ ret = -ENOMEM;
+ goto out1;
+ }
+
ret = register_chrdev(tlclk_major, "telco_clock", &tlclk_fops);
if (ret < 0) {
printk(KERN_ERR "tlclk: can't get major %d.\n", tlclk_major);
+ kfree(alarm_events);
return ret;
}
tlclk_major = ret;
- alarm_events = kzalloc( sizeof(struct tlclk_alarms), GFP_KERNEL);
- if (!alarm_events) {
- ret = -ENOMEM;
- goto out1;
- }
/* Read telecom clock IRQ number (Set by BIOS) */
if (!request_region(TLCLK_BASE, 8, "telco_clock")) {
@@ -795,7 +799,6 @@ static int __init tlclk_init(void)
ret = -EBUSY;
goto out2;
}
- telclk_interrupt = (inb(TLCLK_REG7) & 0x0f);
if (0x0F == telclk_interrupt ) { /* not MCPBL0010 ? */
printk(KERN_ERR "telclk_interrupt = 0x%x non-mcpbl0010 hw.\n",
@@ -836,8 +839,8 @@ out3:
release_region(TLCLK_BASE, 8);
out2:
kfree(alarm_events);
-out1:
unregister_chrdev(tlclk_major, "telco_clock");
+out1:
return ret;
}
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 149/245] KVM: arm64: vgic-its: Fix memory leak on the error path of vgic_add_lpi()
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (147 preceding siblings ...)
2020-09-29 10:59 ` [PATCH 4.19 148/245] drivers: char: tlclk.c: Avoid data race between init and interrupt handler Greg Kroah-Hartman
@ 2020-09-29 11:00 ` Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 150/245] net: openvswitch: use u64 for meter bucket Greg Kroah-Hartman
` (98 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:00 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Zenghui Yu, Marc Zyngier, Sasha Levin
From: Zenghui Yu <yuzenghui@huawei.com>
[ Upstream commit 57bdb436ce869a45881d8aa4bc5dac8e072dd2b6 ]
If we're going to fail out the vgic_add_lpi(), let's make sure the
allocated vgic_irq memory is also freed. Though it seems that both
cases are unlikely to fail.
Signed-off-by: Zenghui Yu <yuzenghui@huawei.com>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Link: https://lore.kernel.org/r/20200414030349.625-3-yuzenghui@huawei.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
virt/kvm/arm/vgic/vgic-its.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/virt/kvm/arm/vgic/vgic-its.c b/virt/kvm/arm/vgic/vgic-its.c
index 9295addea7ecf..f139b1c62ca38 100644
--- a/virt/kvm/arm/vgic/vgic-its.c
+++ b/virt/kvm/arm/vgic/vgic-its.c
@@ -107,14 +107,21 @@ out_unlock:
* We "cache" the configuration table entries in our struct vgic_irq's.
* However we only have those structs for mapped IRQs, so we read in
* the respective config data from memory here upon mapping the LPI.
+ *
+ * Should any of these fail, behave as if we couldn't create the LPI
+ * by dropping the refcount and returning the error.
*/
ret = update_lpi_config(kvm, irq, NULL, false);
- if (ret)
+ if (ret) {
+ vgic_put_irq(kvm, irq);
return ERR_PTR(ret);
+ }
ret = vgic_v3_lpi_sync_pending_status(kvm, irq);
- if (ret)
+ if (ret) {
+ vgic_put_irq(kvm, irq);
return ERR_PTR(ret);
+ }
return irq;
}
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 150/245] net: openvswitch: use u64 for meter bucket
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (148 preceding siblings ...)
2020-09-29 11:00 ` [PATCH 4.19 149/245] KVM: arm64: vgic-its: Fix memory leak on the error path of vgic_add_lpi() Greg Kroah-Hartman
@ 2020-09-29 11:00 ` Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 151/245] scsi: aacraid: Fix error handling paths in aac_probe_one() Greg Kroah-Hartman
` (97 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:00 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Pravin B Shelar, Andy Zhou,
Tonghao Zhang, David S. Miller, Sasha Levin
From: Tonghao Zhang <xiangxia.m.yue@gmail.com>
[ Upstream commit e57358873bb5d6caa882b9684f59140912b37dde ]
When setting the meter rate to 4+Gbps, there is an
overflow, the meters don't work as expected.
Cc: Pravin B Shelar <pshelar@ovn.org>
Cc: Andy Zhou <azhou@ovn.org>
Signed-off-by: Tonghao Zhang <xiangxia.m.yue@gmail.com>
Acked-by: Pravin B Shelar <pshelar@ovn.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/openvswitch/meter.c | 2 +-
net/openvswitch/meter.h | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/openvswitch/meter.c b/net/openvswitch/meter.c
index c038e021a5916..6f5131d1074b0 100644
--- a/net/openvswitch/meter.c
+++ b/net/openvswitch/meter.c
@@ -255,7 +255,7 @@ static struct dp_meter *dp_meter_create(struct nlattr **a)
*
* Start with a full bucket.
*/
- band->bucket = (band->burst_size + band->rate) * 1000;
+ band->bucket = (band->burst_size + band->rate) * 1000ULL;
band_max_delta_t = band->bucket / band->rate;
if (band_max_delta_t > meter->max_delta_t)
meter->max_delta_t = band_max_delta_t;
diff --git a/net/openvswitch/meter.h b/net/openvswitch/meter.h
index 964ace2650f89..970557ed5b5b6 100644
--- a/net/openvswitch/meter.h
+++ b/net/openvswitch/meter.h
@@ -26,7 +26,7 @@ struct dp_meter_band {
u32 type;
u32 rate;
u32 burst_size;
- u32 bucket; /* 1/1000 packets, or in bits */
+ u64 bucket; /* 1/1000 packets, or in bits */
struct ovs_flow_stats stats;
};
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 151/245] scsi: aacraid: Fix error handling paths in aac_probe_one()
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (149 preceding siblings ...)
2020-09-29 11:00 ` [PATCH 4.19 150/245] net: openvswitch: use u64 for meter bucket Greg Kroah-Hartman
@ 2020-09-29 11:00 ` Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 152/245] staging:r8188eu: avoid skb_clone for amsdu to msdu conversion Greg Kroah-Hartman
` (96 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:00 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Christophe JAILLET,
Martin K. Petersen, Sasha Levin
From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
[ Upstream commit f7854c382240c1686900b2f098b36430c6f5047e ]
If 'scsi_host_alloc()' or 'kcalloc()' fail, 'error' is known to be 0. Set
it explicitly to -ENOMEM before branching to the error handling path.
While at it, remove 2 useless assignments to 'error'. These values are
overwridden a few lines later.
Link: https://lore.kernel.org/r/20200412094039.8822-1-christophe.jaillet@wanadoo.fr
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/aacraid/linit.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/drivers/scsi/aacraid/linit.c b/drivers/scsi/aacraid/linit.c
index 0142547aaadd2..eecffc03084c0 100644
--- a/drivers/scsi/aacraid/linit.c
+++ b/drivers/scsi/aacraid/linit.c
@@ -1620,7 +1620,7 @@ static int aac_probe_one(struct pci_dev *pdev, const struct pci_device_id *id)
struct Scsi_Host *shost;
struct aac_dev *aac;
struct list_head *insert = &aac_devices;
- int error = -ENODEV;
+ int error;
int unique_id = 0;
u64 dmamask;
int mask_bits = 0;
@@ -1645,7 +1645,6 @@ static int aac_probe_one(struct pci_dev *pdev, const struct pci_device_id *id)
error = pci_enable_device(pdev);
if (error)
goto out;
- error = -ENODEV;
if (!(aac_drivers[index].quirks & AAC_QUIRK_SRC)) {
error = pci_set_dma_mask(pdev, DMA_BIT_MASK(32));
@@ -1677,8 +1676,10 @@ static int aac_probe_one(struct pci_dev *pdev, const struct pci_device_id *id)
pci_set_master(pdev);
shost = scsi_host_alloc(&aac_driver_template, sizeof(struct aac_dev));
- if (!shost)
+ if (!shost) {
+ error = -ENOMEM;
goto out_disable_pdev;
+ }
shost->irq = pdev->irq;
shost->unique_id = unique_id;
@@ -1703,8 +1704,11 @@ static int aac_probe_one(struct pci_dev *pdev, const struct pci_device_id *id)
aac->fibs = kcalloc(shost->can_queue + AAC_NUM_MGT_FIB,
sizeof(struct fib),
GFP_KERNEL);
- if (!aac->fibs)
+ if (!aac->fibs) {
+ error = -ENOMEM;
goto out_free_host;
+ }
+
spin_lock_init(&aac->fib_lock);
mutex_init(&aac->ioctl_mutex);
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 152/245] staging:r8188eu: avoid skb_clone for amsdu to msdu conversion
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (150 preceding siblings ...)
2020-09-29 11:00 ` [PATCH 4.19 151/245] scsi: aacraid: Fix error handling paths in aac_probe_one() Greg Kroah-Hartman
@ 2020-09-29 11:00 ` Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 153/245] sparc64: vcc: Fix error return code in vcc_probe() Greg Kroah-Hartman
` (95 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:00 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Ivan Safonov, Sasha Levin
From: Ivan Safonov <insafonov@gmail.com>
[ Upstream commit 628cbd971a927abe6388d44320e351c337b331e4 ]
skb clones use same data buffer,
so tail of one skb is corrupted by beginning of next skb.
Signed-off-by: Ivan Safonov <insafonov@gmail.com>
Link: https://lore.kernel.org/r/20200423191404.12028-1-insafonov@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/staging/rtl8188eu/core/rtw_recv.c | 19 ++++++-------------
1 file changed, 6 insertions(+), 13 deletions(-)
diff --git a/drivers/staging/rtl8188eu/core/rtw_recv.c b/drivers/staging/rtl8188eu/core/rtw_recv.c
index 17b4b9257b495..0ddf41b5a734a 100644
--- a/drivers/staging/rtl8188eu/core/rtw_recv.c
+++ b/drivers/staging/rtl8188eu/core/rtw_recv.c
@@ -1535,21 +1535,14 @@ static int amsdu_to_msdu(struct adapter *padapter, struct recv_frame *prframe)
/* Allocate new skb for releasing to upper layer */
sub_skb = dev_alloc_skb(nSubframe_Length + 12);
- if (sub_skb) {
- skb_reserve(sub_skb, 12);
- skb_put_data(sub_skb, pdata, nSubframe_Length);
- } else {
- sub_skb = skb_clone(prframe->pkt, GFP_ATOMIC);
- if (sub_skb) {
- sub_skb->data = pdata;
- sub_skb->len = nSubframe_Length;
- skb_set_tail_pointer(sub_skb, nSubframe_Length);
- } else {
- DBG_88E("skb_clone() Fail!!! , nr_subframes=%d\n", nr_subframes);
- break;
- }
+ if (!sub_skb) {
+ DBG_88E("dev_alloc_skb() Fail!!! , nr_subframes=%d\n", nr_subframes);
+ break;
}
+ skb_reserve(sub_skb, 12);
+ skb_put_data(sub_skb, pdata, nSubframe_Length);
+
subframes[nr_subframes++] = sub_skb;
if (nr_subframes >= MAX_SUBFRAME_COUNT) {
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 153/245] sparc64: vcc: Fix error return code in vcc_probe()
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (151 preceding siblings ...)
2020-09-29 11:00 ` [PATCH 4.19 152/245] staging:r8188eu: avoid skb_clone for amsdu to msdu conversion Greg Kroah-Hartman
@ 2020-09-29 11:00 ` Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 154/245] arm64: cpufeature: Relax checks for AArch32 support at EL[0-2] Greg Kroah-Hartman
` (94 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:00 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Wei Yongjun, Sasha Levin
From: Wei Yongjun <weiyongjun1@huawei.com>
[ Upstream commit ff62255a2a5c1228a28f2bb063646f948115a309 ]
Fix to return negative error code -ENOMEM from the error handling
case instead of 0, as done elsewhere in this function.
Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
Link: https://lore.kernel.org/r/20200427122415.47416-1-weiyongjun1@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/tty/vcc.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/tty/vcc.c b/drivers/tty/vcc.c
index 58b454c34560a..10a832a2135e2 100644
--- a/drivers/tty/vcc.c
+++ b/drivers/tty/vcc.c
@@ -604,6 +604,7 @@ static int vcc_probe(struct vio_dev *vdev, const struct vio_device_id *id)
port->index = vcc_table_add(port);
if (port->index == -1) {
pr_err("VCC: no more TTY indices left for allocation\n");
+ rv = -ENOMEM;
goto free_ldc;
}
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 154/245] arm64: cpufeature: Relax checks for AArch32 support at EL[0-2]
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (152 preceding siblings ...)
2020-09-29 11:00 ` [PATCH 4.19 153/245] sparc64: vcc: Fix error return code in vcc_probe() Greg Kroah-Hartman
@ 2020-09-29 11:00 ` Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 155/245] dt-bindings: sound: wm8994: Correct required supplies based on actual implementaion Greg Kroah-Hartman
` (93 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:00 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Sai Prakash Ranjan, Suzuki K Poulose,
Will Deacon, Sasha Levin
From: Will Deacon <will@kernel.org>
[ Upstream commit 98448cdfe7060dd5491bfbd3f7214ffe1395d58e ]
We don't need to be quite as strict about mismatched AArch32 support,
which is good because the friendly hardware folks have been busy
mismatching this to their hearts' content.
* We don't care about EL2 or EL3 (there are silly comments concerning
the latter, so remove those)
* EL1 support is gated by the ARM64_HAS_32BIT_EL1 capability and handled
gracefully when a mismatch occurs
* EL0 support is gated by the ARM64_HAS_32BIT_EL0 capability and handled
gracefully when a mismatch occurs
Relax the AArch32 checks to FTR_NONSTRICT.
Tested-by: Sai Prakash Ranjan <saiprakash.ranjan@codeaurora.org>
Reviewed-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Link: https://lore.kernel.org/r/20200421142922.18950-8-will@kernel.org
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/kernel/cpufeature.c | 10 +++-------
1 file changed, 3 insertions(+), 7 deletions(-)
diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c
index ac3126aba0368..095dec566275f 100644
--- a/arch/arm64/kernel/cpufeature.c
+++ b/arch/arm64/kernel/cpufeature.c
@@ -155,11 +155,10 @@ static const struct arm64_ftr_bits ftr_id_aa64pfr0[] = {
ARM64_FTR_BITS(FTR_HIDDEN, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64PFR0_GIC_SHIFT, 4, 0),
S_ARM64_FTR_BITS(FTR_VISIBLE, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64PFR0_ASIMD_SHIFT, 4, ID_AA64PFR0_ASIMD_NI),
S_ARM64_FTR_BITS(FTR_VISIBLE, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64PFR0_FP_SHIFT, 4, ID_AA64PFR0_FP_NI),
- /* Linux doesn't care about the EL3 */
ARM64_FTR_BITS(FTR_HIDDEN, FTR_NONSTRICT, FTR_LOWER_SAFE, ID_AA64PFR0_EL3_SHIFT, 4, 0),
- ARM64_FTR_BITS(FTR_HIDDEN, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64PFR0_EL2_SHIFT, 4, 0),
- ARM64_FTR_BITS(FTR_HIDDEN, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64PFR0_EL1_SHIFT, 4, ID_AA64PFR0_EL1_64BIT_ONLY),
- ARM64_FTR_BITS(FTR_HIDDEN, FTR_STRICT, FTR_LOWER_SAFE, ID_AA64PFR0_EL0_SHIFT, 4, ID_AA64PFR0_EL0_64BIT_ONLY),
+ ARM64_FTR_BITS(FTR_HIDDEN, FTR_NONSTRICT, FTR_LOWER_SAFE, ID_AA64PFR0_EL2_SHIFT, 4, 0),
+ ARM64_FTR_BITS(FTR_HIDDEN, FTR_NONSTRICT, FTR_LOWER_SAFE, ID_AA64PFR0_EL1_SHIFT, 4, ID_AA64PFR0_EL1_64BIT_ONLY),
+ ARM64_FTR_BITS(FTR_HIDDEN, FTR_NONSTRICT, FTR_LOWER_SAFE, ID_AA64PFR0_EL0_SHIFT, 4, ID_AA64PFR0_EL0_64BIT_ONLY),
ARM64_FTR_END,
};
@@ -671,9 +670,6 @@ void update_cpu_features(int cpu,
taint |= check_update_ftr_reg(SYS_ID_AA64MMFR2_EL1, cpu,
info->reg_id_aa64mmfr2, boot->reg_id_aa64mmfr2);
- /*
- * EL3 is not our concern.
- */
taint |= check_update_ftr_reg(SYS_ID_AA64PFR0_EL1, cpu,
info->reg_id_aa64pfr0, boot->reg_id_aa64pfr0);
taint |= check_update_ftr_reg(SYS_ID_AA64PFR1_EL1, cpu,
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 155/245] dt-bindings: sound: wm8994: Correct required supplies based on actual implementaion
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (153 preceding siblings ...)
2020-09-29 11:00 ` [PATCH 4.19 154/245] arm64: cpufeature: Relax checks for AArch32 support at EL[0-2] Greg Kroah-Hartman
@ 2020-09-29 11:00 ` Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 156/245] atm: fix a memory leak of vcc->user_back Greg Kroah-Hartman
` (92 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:00 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Jonathan Bakker, Krzysztof Kozlowski,
Mark Brown, Sasha Levin
From: Krzysztof Kozlowski <krzk@kernel.org>
[ Upstream commit 8c149b7d75e53be47648742f40fc90d9fc6fa63a ]
The required supplies in bindings were actually not matching
implementation making the bindings incorrect and misleading. The Linux
kernel driver requires all supplies to be present. Also for wlf,wm8994
uses just DBVDD-supply instead of DBVDDn-supply (n: <1,3>).
Reported-by: Jonathan Bakker <xc-racer2@live.ca>
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Link: https://lore.kernel.org/r/20200501133534.6706-1-krzk@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../devicetree/bindings/sound/wm8994.txt | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/Documentation/devicetree/bindings/sound/wm8994.txt b/Documentation/devicetree/bindings/sound/wm8994.txt
index 68cccc4653ba3..367b58ce1bb92 100644
--- a/Documentation/devicetree/bindings/sound/wm8994.txt
+++ b/Documentation/devicetree/bindings/sound/wm8994.txt
@@ -14,9 +14,15 @@ Required properties:
- #gpio-cells : Must be 2. The first cell is the pin number and the
second cell is used to specify optional parameters (currently unused).
- - AVDD2-supply, DBVDD1-supply, DBVDD2-supply, DBVDD3-supply, CPVDD-supply,
- SPKVDD1-supply, SPKVDD2-supply : power supplies for the device, as covered
- in Documentation/devicetree/bindings/regulator/regulator.txt
+ - power supplies for the device, as covered in
+ Documentation/devicetree/bindings/regulator/regulator.txt, depending
+ on compatible:
+ - for wlf,wm1811 and wlf,wm8958:
+ AVDD1-supply, AVDD2-supply, DBVDD1-supply, DBVDD2-supply, DBVDD3-supply,
+ DCVDD-supply, CPVDD-supply, SPKVDD1-supply, SPKVDD2-supply
+ - for wlf,wm8994:
+ AVDD1-supply, AVDD2-supply, DBVDD-supply, DCVDD-supply, CPVDD-supply,
+ SPKVDD1-supply, SPKVDD2-supply
Optional properties:
@@ -73,11 +79,11 @@ wm8994: codec@1a {
lineout1-se;
+ AVDD1-supply = <®ulator>;
AVDD2-supply = <®ulator>;
CPVDD-supply = <®ulator>;
- DBVDD1-supply = <®ulator>;
- DBVDD2-supply = <®ulator>;
- DBVDD3-supply = <®ulator>;
+ DBVDD-supply = <®ulator>;
+ DCVDD-supply = <®ulator>;
SPKVDD1-supply = <®ulator>;
SPKVDD2-supply = <®ulator>;
};
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 156/245] atm: fix a memory leak of vcc->user_back
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (154 preceding siblings ...)
2020-09-29 11:00 ` [PATCH 4.19 155/245] dt-bindings: sound: wm8994: Correct required supplies based on actual implementaion Greg Kroah-Hartman
@ 2020-09-29 11:00 ` Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 157/245] perf mem2node: Avoid double free related to realloc Greg Kroah-Hartman
` (91 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:00 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Gengming Liu, Cong Wang,
David S. Miller, Sasha Levin
From: Cong Wang <xiyou.wangcong@gmail.com>
[ Upstream commit 8d9f73c0ad2f20e9fed5380de0a3097825859d03 ]
In lec_arp_clear_vccs() only entry->vcc is freed, but vcc
could be installed on entry->recv_vcc too in lec_vcc_added().
This fixes the following memory leak:
unreferenced object 0xffff8880d9266b90 (size 16):
comm "atm2", pid 425, jiffies 4294907980 (age 23.488s)
hex dump (first 16 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 6b 6b 6b a5 ............kkk.
backtrace:
[<(____ptrval____)>] kmem_cache_alloc_trace+0x10e/0x151
[<(____ptrval____)>] lane_ioctl+0x4b3/0x569
[<(____ptrval____)>] do_vcc_ioctl+0x1ea/0x236
[<(____ptrval____)>] svc_ioctl+0x17d/0x198
[<(____ptrval____)>] sock_do_ioctl+0x47/0x12f
[<(____ptrval____)>] sock_ioctl+0x2f9/0x322
[<(____ptrval____)>] vfs_ioctl+0x1e/0x2b
[<(____ptrval____)>] ksys_ioctl+0x61/0x80
[<(____ptrval____)>] __x64_sys_ioctl+0x16/0x19
[<(____ptrval____)>] do_syscall_64+0x57/0x65
[<(____ptrval____)>] entry_SYSCALL_64_after_hwframe+0x49/0xb3
Cc: Gengming Liu <l.dmxcsnsbh@gmail.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/atm/lec.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/net/atm/lec.c b/net/atm/lec.c
index ad4f829193f05..5a6186b809874 100644
--- a/net/atm/lec.c
+++ b/net/atm/lec.c
@@ -1270,6 +1270,12 @@ static void lec_arp_clear_vccs(struct lec_arp_table *entry)
entry->vcc = NULL;
}
if (entry->recv_vcc) {
+ struct atm_vcc *vcc = entry->recv_vcc;
+ struct lec_vcc_priv *vpriv = LEC_VCC_PRIV(vcc);
+
+ kfree(vpriv);
+ vcc->user_back = NULL;
+
entry->recv_vcc->push = entry->old_recv_push;
vcc_release_async(entry->recv_vcc, -EPIPE);
entry->recv_vcc = NULL;
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 157/245] perf mem2node: Avoid double free related to realloc
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (155 preceding siblings ...)
2020-09-29 11:00 ` [PATCH 4.19 156/245] atm: fix a memory leak of vcc->user_back Greg Kroah-Hartman
@ 2020-09-29 11:00 ` Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 158/245] power: supply: max17040: Correct voltage reading Greg Kroah-Hartman
` (90 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:00 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Ian Rogers, Jiri Olsa,
Alexander Shishkin, Mark Rutland, Namhyung Kim, Peter Zijlstra,
Stephane Eranian, clang-built-linux, Arnaldo Carvalho de Melo,
Sasha Levin
From: Ian Rogers <irogers@google.com>
[ Upstream commit 266150c94c69429cf6d18e130237224a047f5061 ]
Realloc of size zero is a free not an error, avoid this causing a double
free. Caught by clang's address sanitizer:
==2634==ERROR: AddressSanitizer: attempting double-free on 0x6020000015f0 in thread T0:
#0 0x5649659297fd in free llvm/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:123:3
#1 0x5649659e9251 in __zfree tools/lib/zalloc.c:13:2
#2 0x564965c0f92c in mem2node__exit tools/perf/util/mem2node.c:114:2
#3 0x564965a08b4c in perf_c2c__report tools/perf/builtin-c2c.c:2867:2
#4 0x564965a0616a in cmd_c2c tools/perf/builtin-c2c.c:2989:10
#5 0x564965944348 in run_builtin tools/perf/perf.c:312:11
#6 0x564965943235 in handle_internal_command tools/perf/perf.c:364:8
#7 0x5649659440c4 in run_argv tools/perf/perf.c:408:2
#8 0x564965942e41 in main tools/perf/perf.c:538:3
0x6020000015f0 is located 0 bytes inside of 1-byte region [0x6020000015f0,0x6020000015f1)
freed by thread T0 here:
#0 0x564965929da3 in realloc third_party/llvm/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:164:3
#1 0x564965c0f55e in mem2node__init tools/perf/util/mem2node.c:97:16
#2 0x564965a08956 in perf_c2c__report tools/perf/builtin-c2c.c:2803:8
#3 0x564965a0616a in cmd_c2c tools/perf/builtin-c2c.c:2989:10
#4 0x564965944348 in run_builtin tools/perf/perf.c:312:11
#5 0x564965943235 in handle_internal_command tools/perf/perf.c:364:8
#6 0x5649659440c4 in run_argv tools/perf/perf.c:408:2
#7 0x564965942e41 in main tools/perf/perf.c:538:3
previously allocated by thread T0 here:
#0 0x564965929c42 in calloc third_party/llvm/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:154:3
#1 0x5649659e9220 in zalloc tools/lib/zalloc.c:8:9
#2 0x564965c0f32d in mem2node__init tools/perf/util/mem2node.c:61:12
#3 0x564965a08956 in perf_c2c__report tools/perf/builtin-c2c.c:2803:8
#4 0x564965a0616a in cmd_c2c tools/perf/builtin-c2c.c:2989:10
#5 0x564965944348 in run_builtin tools/perf/perf.c:312:11
#6 0x564965943235 in handle_internal_command tools/perf/perf.c:364:8
#7 0x5649659440c4 in run_argv tools/perf/perf.c:408:2
#8 0x564965942e41 in main tools/perf/perf.c:538:3
v2: add a WARN_ON_ONCE when the free condition arises.
Signed-off-by: Ian Rogers <irogers@google.com>
Acked-by: Jiri Olsa <jolsa@redhat.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Stephane Eranian <eranian@google.com>
Cc: clang-built-linux@googlegroups.com
Link: http://lore.kernel.org/lkml/20200320182347.87675-1-irogers@google.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/util/mem2node.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/tools/perf/util/mem2node.c b/tools/perf/util/mem2node.c
index c6fd81c025863..81c5a2e438b7d 100644
--- a/tools/perf/util/mem2node.c
+++ b/tools/perf/util/mem2node.c
@@ -1,5 +1,6 @@
#include <errno.h>
#include <inttypes.h>
+#include <asm/bug.h>
#include <linux/bitmap.h>
#include "mem2node.h"
#include "util.h"
@@ -92,7 +93,7 @@ int mem2node__init(struct mem2node *map, struct perf_env *env)
/* Cut unused entries, due to merging. */
tmp_entries = realloc(entries, sizeof(*entries) * j);
- if (tmp_entries)
+ if (tmp_entries || WARN_ON_ONCE(j == 0))
entries = tmp_entries;
for (i = 0; i < j; i++) {
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 158/245] power: supply: max17040: Correct voltage reading
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (156 preceding siblings ...)
2020-09-29 11:00 ` [PATCH 4.19 157/245] perf mem2node: Avoid double free related to realloc Greg Kroah-Hartman
@ 2020-09-29 11:00 ` Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 159/245] phy: samsung: s5pv210-usb2: Add delay after reset Greg Kroah-Hartman
` (89 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:00 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Jonathan Bakker, Sebastian Reichel,
Sasha Levin
From: Jonathan Bakker <xc-racer2@live.ca>
[ Upstream commit 0383024f811aa469df258039807810fc3793a105 ]
According to the datasheet available at (1), the bottom four
bits are always zero and the actual voltage is 1.25x this value
in mV. Since the kernel API specifies that voltages should be in
uV, it should report 1250x the shifted value.
1) https://datasheets.maximintegrated.com/en/ds/MAX17040-MAX17041.pdf
Signed-off-by: Jonathan Bakker <xc-racer2@live.ca>
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/power/supply/max17040_battery.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/power/supply/max17040_battery.c b/drivers/power/supply/max17040_battery.c
index 33c40f79d23d5..2c35c13ad546f 100644
--- a/drivers/power/supply/max17040_battery.c
+++ b/drivers/power/supply/max17040_battery.c
@@ -109,7 +109,7 @@ static void max17040_get_vcell(struct i2c_client *client)
vcell = max17040_read_reg(client, MAX17040_VCELL);
- chip->vcell = vcell;
+ chip->vcell = (vcell >> 4) * 1250;
}
static void max17040_get_soc(struct i2c_client *client)
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 159/245] phy: samsung: s5pv210-usb2: Add delay after reset
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (157 preceding siblings ...)
2020-09-29 11:00 ` [PATCH 4.19 158/245] power: supply: max17040: Correct voltage reading Greg Kroah-Hartman
@ 2020-09-29 11:00 ` Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 160/245] Bluetooth: Handle Inquiry Cancel error after Inquiry Complete Greg Kroah-Hartman
` (88 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:00 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Jonathan Bakker,
Kishon Vijay Abraham I, Sasha Levin
From: Jonathan Bakker <xc-racer2@live.ca>
[ Upstream commit 05942b8c36c7eb5d3fc5e375d4b0d0c49562e85d ]
The USB phy takes some time to reset, so make sure we give it to it. The
delay length was taken from the 4x12 phy driver.
This manifested in issues with the DWC2 driver since commit fe369e1826b3
("usb: dwc2: Make dwc2_readl/writel functions endianness-agnostic.")
where the endianness check would read the DWC ID as 0 due to the phy still
resetting, resulting in the wrong endian mode being chosen.
Signed-off-by: Jonathan Bakker <xc-racer2@live.ca>
Link: https://lore.kernel.org/r/BN6PR04MB06605D52502816E500683553A3D10@BN6PR04MB0660.namprd04.prod.outlook.com
Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/phy/samsung/phy-s5pv210-usb2.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/phy/samsung/phy-s5pv210-usb2.c b/drivers/phy/samsung/phy-s5pv210-usb2.c
index f6f72339bbc32..bb7fdf491c1c2 100644
--- a/drivers/phy/samsung/phy-s5pv210-usb2.c
+++ b/drivers/phy/samsung/phy-s5pv210-usb2.c
@@ -142,6 +142,10 @@ static void s5pv210_phy_pwr(struct samsung_usb2_phy_instance *inst, bool on)
udelay(10);
rst &= ~rstbits;
writel(rst, drv->reg_phy + S5PV210_UPHYRST);
+ /* The following delay is necessary for the reset sequence to be
+ * completed
+ */
+ udelay(80);
} else {
pwr = readl(drv->reg_phy + S5PV210_UPHYPWR);
pwr |= phypwr;
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 160/245] Bluetooth: Handle Inquiry Cancel error after Inquiry Complete
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (158 preceding siblings ...)
2020-09-29 11:00 ` [PATCH 4.19 159/245] phy: samsung: s5pv210-usb2: Add delay after reset Greg Kroah-Hartman
@ 2020-09-29 11:00 ` Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 161/245] USB: EHCI: ehci-mv: fix error handling in mv_ehci_probe() Greg Kroah-Hartman
` (87 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:00 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Sonny Sasaka, Marcel Holtmann, Sasha Levin
From: Sonny Sasaka <sonnysasaka@chromium.org>
[ Upstream commit adf1d6926444029396861413aba8a0f2a805742a ]
After sending Inquiry Cancel command to the controller, it is possible
that Inquiry Complete event comes before Inquiry Cancel command complete
event. In this case the Inquiry Cancel command will have status of
Command Disallowed since there is no Inquiry session to be cancelled.
This case should not be treated as error, otherwise we can reach an
inconsistent state.
Example of a btmon trace when this happened:
< HCI Command: Inquiry Cancel (0x01|0x0002) plen 0
> HCI Event: Inquiry Complete (0x01) plen 1
Status: Success (0x00)
> HCI Event: Command Complete (0x0e) plen 4
Inquiry Cancel (0x01|0x0002) ncmd 1
Status: Command Disallowed (0x0c)
Signed-off-by: Sonny Sasaka <sonnysasaka@chromium.org>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/hci_event.c | 19 +++++++++++++++++--
1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index ec6b3a87b3e7f..310622086f74b 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -41,12 +41,27 @@
/* Handle HCI Event packets */
-static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb)
+static void hci_cc_inquiry_cancel(struct hci_dev *hdev, struct sk_buff *skb,
+ u8 *new_status)
{
__u8 status = *((__u8 *) skb->data);
BT_DBG("%s status 0x%2.2x", hdev->name, status);
+ /* It is possible that we receive Inquiry Complete event right
+ * before we receive Inquiry Cancel Command Complete event, in
+ * which case the latter event should have status of Command
+ * Disallowed (0x0c). This should not be treated as error, since
+ * we actually achieve what Inquiry Cancel wants to achieve,
+ * which is to end the last Inquiry session.
+ */
+ if (status == 0x0c && !test_bit(HCI_INQUIRY, &hdev->flags)) {
+ bt_dev_warn(hdev, "Ignoring error of Inquiry Cancel command");
+ status = 0x00;
+ }
+
+ *new_status = status;
+
if (status)
return;
@@ -3039,7 +3054,7 @@ static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb,
switch (*opcode) {
case HCI_OP_INQUIRY_CANCEL:
- hci_cc_inquiry_cancel(hdev, skb);
+ hci_cc_inquiry_cancel(hdev, skb, status);
break;
case HCI_OP_PERIODIC_INQ:
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 161/245] USB: EHCI: ehci-mv: fix error handling in mv_ehci_probe()
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (159 preceding siblings ...)
2020-09-29 11:00 ` [PATCH 4.19 160/245] Bluetooth: Handle Inquiry Cancel error after Inquiry Complete Greg Kroah-Hartman
@ 2020-09-29 11:00 ` Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 162/245] tipc: fix memory leak in service subscripting Greg Kroah-Hartman
` (86 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:00 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Zhang Shengju, Tang Bin, Sasha Levin
From: Tang Bin <tangbin@cmss.chinamobile.com>
[ Upstream commit c856b4b0fdb5044bca4c0acf9a66f3b5cc01a37a ]
If the function platform_get_irq() failed, the negative value
returned will not be detected here. So fix error handling in
mv_ehci_probe(). And when get irq failed, the function
platform_get_irq() logs an error message, so remove redundant
message here.
Signed-off-by: Zhang Shengju <zhangshengju@cmss.chinamobile.com>
Signed-off-by: Tang Bin <tangbin@cmss.chinamobile.com>
Link: https://lore.kernel.org/r/20200508114305.15740-1-tangbin@cmss.chinamobile.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/host/ehci-mv.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/drivers/usb/host/ehci-mv.c b/drivers/usb/host/ehci-mv.c
index de764459e05a6..4edcd7536a01b 100644
--- a/drivers/usb/host/ehci-mv.c
+++ b/drivers/usb/host/ehci-mv.c
@@ -193,9 +193,8 @@ static int mv_ehci_probe(struct platform_device *pdev)
hcd->regs = ehci_mv->op_regs;
hcd->irq = platform_get_irq(pdev, 0);
- if (!hcd->irq) {
- dev_err(&pdev->dev, "Cannot get irq.");
- retval = -ENODEV;
+ if (hcd->irq < 0) {
+ retval = hcd->irq;
goto err_disable_clk;
}
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 162/245] tipc: fix memory leak in service subscripting
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (160 preceding siblings ...)
2020-09-29 11:00 ` [PATCH 4.19 161/245] USB: EHCI: ehci-mv: fix error handling in mv_ehci_probe() Greg Kroah-Hartman
@ 2020-09-29 11:00 ` Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 163/245] tty: serial: samsung: Correct clock selection logic Greg Kroah-Hartman
` (85 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:00 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Ying Xue, Jon Maloy, Thang Ngo,
Tuong Lien, David S. Miller, Sasha Levin
From: Tuong Lien <tuong.t.lien@dektech.com.au>
[ Upstream commit 0771d7df819284d46cf5cfb57698621b503ec17f ]
Upon receipt of a service subscription request from user via a topology
connection, one 'sub' object will be allocated in kernel, so it will be
able to send an event of the service if any to the user correspondingly
then. Also, in case of any failure, the connection will be shutdown and
all the pertaining 'sub' objects will be freed.
However, there is a race condition as follows resulting in memory leak:
receive-work connection send-work
| | |
sub-1 |<------//-------| |
sub-2 |<------//-------| |
| |<---------------| evt for sub-x
sub-3 |<------//-------| |
: : :
: : :
| /--------| |
| | * peer closed |
| | | |
| | |<-------X-------| evt for sub-y
| | |<===============|
sub-n |<------/ X shutdown |
-> orphan | |
That is, the 'receive-work' may get the last subscription request while
the 'send-work' is shutting down the connection due to peer close.
We had a 'lock' on the connection, so the two actions cannot be carried
out simultaneously. If the last subscription is allocated e.g. 'sub-n',
before the 'send-work' closes the connection, there will be no issue at
all, the 'sub' objects will be freed. In contrast the last subscription
will become orphan since the connection was closed, and we released all
references.
This commit fixes the issue by simply adding one test if the connection
remains in 'connected' state right after we obtain the connection lock,
then a subscription object can be created as usual, otherwise we ignore
it.
Acked-by: Ying Xue <ying.xue@windriver.com>
Acked-by: Jon Maloy <jmaloy@redhat.com>
Reported-by: Thang Ngo <thang.h.ngo@dektech.com.au>
Signed-off-by: Tuong Lien <tuong.t.lien@dektech.com.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/tipc/topsrv.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/tipc/topsrv.c b/net/tipc/topsrv.c
index 41f4464ac6cc5..ec9a7137d2677 100644
--- a/net/tipc/topsrv.c
+++ b/net/tipc/topsrv.c
@@ -407,7 +407,9 @@ static int tipc_conn_rcv_from_sock(struct tipc_conn *con)
return -EWOULDBLOCK;
if (ret == sizeof(s)) {
read_lock_bh(&sk->sk_callback_lock);
- ret = tipc_conn_rcv_sub(srv, con, &s);
+ /* RACE: the connection can be closed in the meantime */
+ if (likely(connected(con)))
+ ret = tipc_conn_rcv_sub(srv, con, &s);
read_unlock_bh(&sk->sk_callback_lock);
if (!ret)
return 0;
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 163/245] tty: serial: samsung: Correct clock selection logic
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (161 preceding siblings ...)
2020-09-29 11:00 ` [PATCH 4.19 162/245] tipc: fix memory leak in service subscripting Greg Kroah-Hartman
@ 2020-09-29 11:00 ` Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 164/245] ALSA: hda: Fix potential race in unsol event handler Greg Kroah-Hartman
` (84 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:00 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Jonathan Bakker, Krzysztof Kozlowski,
Sasha Levin
From: Jonathan Bakker <xc-racer2@live.ca>
[ Upstream commit 7d31676a8d91dd18e08853efd1cb26961a38c6a6 ]
Some variants of the samsung tty driver can pick which clock
to use for their baud rate generation. In the DT conversion,
a default clock was selected to be used if a specific one wasn't
assigned and then a comparison of which clock rate worked better
was done. Unfortunately, the comparison was implemented in such
a way that only the default clock was ever actually compared.
Fix this by iterating through all possible clocks, except when a
specific clock has already been picked via clk_sel (which is
only possible via board files).
Signed-off-by: Jonathan Bakker <xc-racer2@live.ca>
Reviewed-by: Krzysztof Kozlowski <krzk@kernel.org>
Link: https://lore.kernel.org/r/BN6PR04MB06604E63833EA41837EBF77BA3A30@BN6PR04MB0660.namprd04.prod.outlook.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/tty/serial/samsung.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/tty/serial/samsung.c b/drivers/tty/serial/samsung.c
index fcb89bf2524d1..1528a7ba2bf4d 100644
--- a/drivers/tty/serial/samsung.c
+++ b/drivers/tty/serial/samsung.c
@@ -1187,14 +1187,14 @@ static unsigned int s3c24xx_serial_getclk(struct s3c24xx_uart_port *ourport,
struct s3c24xx_uart_info *info = ourport->info;
struct clk *clk;
unsigned long rate;
- unsigned int cnt, baud, quot, clk_sel, best_quot = 0;
+ unsigned int cnt, baud, quot, best_quot = 0;
char clkname[MAX_CLK_NAME_LENGTH];
int calc_deviation, deviation = (1 << 30) - 1;
- clk_sel = (ourport->cfg->clk_sel) ? ourport->cfg->clk_sel :
- ourport->info->def_clk_sel;
for (cnt = 0; cnt < info->num_clks; cnt++) {
- if (!(clk_sel & (1 << cnt)))
+ /* Keep selected clock if provided */
+ if (ourport->cfg->clk_sel &&
+ !(ourport->cfg->clk_sel & (1 << cnt)))
continue;
sprintf(clkname, "clk_uart_baud%d", cnt);
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 164/245] ALSA: hda: Fix potential race in unsol event handler
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (162 preceding siblings ...)
2020-09-29 11:00 ` [PATCH 4.19 163/245] tty: serial: samsung: Correct clock selection logic Greg Kroah-Hartman
@ 2020-09-29 11:00 ` Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 165/245] powerpc/traps: Make unrecoverable NMIs die instead of panic Greg Kroah-Hartman
` (83 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:00 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Takashi Iwai, Sasha Levin
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit c637fa151259c0f74665fde7cba5b7eac1417ae5 ]
The unsol event handling code has a loop retrieving the read/write
indices and the arrays without locking while the append to the array
may happen concurrently. This may lead to some inconsistency.
Although there hasn't been any proof of this bad results, it's still
safer to protect the racy accesses.
This patch adds the spinlock protection around the unsol handling loop
for addressing it. Here we take bus->reg_lock as the writer side
snd_hdac_bus_queue_event() is also protected by that lock.
Link: https://lore.kernel.org/r/20200516062556.30951-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/hda/hdac_bus.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/sound/hda/hdac_bus.c b/sound/hda/hdac_bus.c
index 714a51721a313..ab9236e4c157e 100644
--- a/sound/hda/hdac_bus.c
+++ b/sound/hda/hdac_bus.c
@@ -155,6 +155,7 @@ static void process_unsol_events(struct work_struct *work)
struct hdac_driver *drv;
unsigned int rp, caddr, res;
+ spin_lock_irq(&bus->reg_lock);
while (bus->unsol_rp != bus->unsol_wp) {
rp = (bus->unsol_rp + 1) % HDA_UNSOL_QUEUE_SIZE;
bus->unsol_rp = rp;
@@ -166,10 +167,13 @@ static void process_unsol_events(struct work_struct *work)
codec = bus->caddr_tbl[caddr & 0x0f];
if (!codec || !codec->dev.driver)
continue;
+ spin_unlock_irq(&bus->reg_lock);
drv = drv_to_hdac_driver(codec->dev.driver);
if (drv->unsol_event)
drv->unsol_event(codec, res);
+ spin_lock_irq(&bus->reg_lock);
}
+ spin_unlock_irq(&bus->reg_lock);
}
/**
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 165/245] powerpc/traps: Make unrecoverable NMIs die instead of panic
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (163 preceding siblings ...)
2020-09-29 11:00 ` [PATCH 4.19 164/245] ALSA: hda: Fix potential race in unsol event handler Greg Kroah-Hartman
@ 2020-09-29 11:00 ` Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 166/245] fuse: dont check refcount after stealing page Greg Kroah-Hartman
` (82 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:00 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Nicholas Piggin, Michael Ellerman,
Christophe Leroy, Sasha Levin
From: Nicholas Piggin <npiggin@gmail.com>
[ Upstream commit 265d6e588d87194c2fe2d6c240247f0264e0c19b ]
System Reset and Machine Check interrupts that are not recoverable due
to being nested or interrupting when RI=0 currently panic. This is not
necessary, and can often just kill the current context and recover.
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Reviewed-by: Christophe Leroy <christophe.leroy@c-s.fr>
Link: https://lore.kernel.org/r/20200508043408.886394-16-npiggin@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/kernel/traps.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/arch/powerpc/kernel/traps.c b/arch/powerpc/kernel/traps.c
index d5f351f02c153..7781f0168ce8c 100644
--- a/arch/powerpc/kernel/traps.c
+++ b/arch/powerpc/kernel/traps.c
@@ -430,11 +430,11 @@ out:
#ifdef CONFIG_PPC_BOOK3S_64
BUG_ON(get_paca()->in_nmi == 0);
if (get_paca()->in_nmi > 1)
- nmi_panic(regs, "Unrecoverable nested System Reset");
+ die("Unrecoverable nested System Reset", regs, SIGABRT);
#endif
/* Must die if the interrupt is not recoverable */
if (!(regs->msr & MSR_RI))
- nmi_panic(regs, "Unrecoverable System Reset");
+ die("Unrecoverable System Reset", regs, SIGABRT);
if (!nested)
nmi_exit();
@@ -775,7 +775,7 @@ void machine_check_exception(struct pt_regs *regs)
/* Must die if the interrupt is not recoverable */
if (!(regs->msr & MSR_RI))
- nmi_panic(regs, "Unrecoverable Machine check");
+ die("Unrecoverable Machine check", regs, SIGBUS);
return;
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 166/245] fuse: dont check refcount after stealing page
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (164 preceding siblings ...)
2020-09-29 11:00 ` [PATCH 4.19 165/245] powerpc/traps: Make unrecoverable NMIs die instead of panic Greg Kroah-Hartman
@ 2020-09-29 11:00 ` Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 167/245] USB: EHCI: ehci-mv: fix less than zero comparison of an unsigned int Greg Kroah-Hartman
` (81 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:00 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Matthew Wilcox, Miklos Szeredi, Sasha Levin
From: Miklos Szeredi <mszeredi@redhat.com>
[ Upstream commit 32f98877c57bee6bc27f443a96f49678a2cd6a50 ]
page_count() is unstable. Unless there has been an RCU grace period
between when the page was removed from the page cache and now, a
speculative reference may exist from the page cache.
Reported-by: Matthew Wilcox <willy@infradead.org>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/fuse/dev.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c
index 01e6ea11822bf..c51c9a6881e49 100644
--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -831,7 +831,6 @@ static int fuse_check_page(struct page *page)
{
if (page_mapcount(page) ||
page->mapping != NULL ||
- page_count(page) != 1 ||
(page->flags & PAGE_FLAGS_CHECK_AT_PREP &
~(1 << PG_locked |
1 << PG_referenced |
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 167/245] USB: EHCI: ehci-mv: fix less than zero comparison of an unsigned int
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (165 preceding siblings ...)
2020-09-29 11:00 ` [PATCH 4.19 166/245] fuse: dont check refcount after stealing page Greg Kroah-Hartman
@ 2020-09-29 11:00 ` Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 168/245] scsi: cxlflash: Fix error return code in cxlflash_probe() Greg Kroah-Hartman
` (80 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:00 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Colin Ian King, Sasha Levin
From: Colin Ian King <colin.king@canonical.com>
[ Upstream commit a7f40c233a6b0540d28743267560df9cfb571ca9 ]
The comparison of hcd->irq to less than zero for an error check will
never be true because hcd->irq is an unsigned int. Fix this by
assigning the int retval to the return of platform_get_irq and checking
this for the -ve error condition and assigning hcd->irq to retval.
Addresses-Coverity: ("Unsigned compared against 0")
Fixes: c856b4b0fdb5 ("USB: EHCI: ehci-mv: fix error handling in mv_ehci_probe()")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Link: https://lore.kernel.org/r/20200515165453.104028-1-colin.king@canonical.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/host/ehci-mv.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/drivers/usb/host/ehci-mv.c b/drivers/usb/host/ehci-mv.c
index 4edcd7536a01b..9d93e7441bbca 100644
--- a/drivers/usb/host/ehci-mv.c
+++ b/drivers/usb/host/ehci-mv.c
@@ -192,11 +192,10 @@ static int mv_ehci_probe(struct platform_device *pdev)
hcd->rsrc_len = resource_size(r);
hcd->regs = ehci_mv->op_regs;
- hcd->irq = platform_get_irq(pdev, 0);
- if (hcd->irq < 0) {
- retval = hcd->irq;
+ retval = platform_get_irq(pdev, 0);
+ if (retval < 0)
goto err_disable_clk;
- }
+ hcd->irq = retval;
ehci = hcd_to_ehci(hcd);
ehci->caps = (struct ehci_caps *) ehci_mv->cap_regs;
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 168/245] scsi: cxlflash: Fix error return code in cxlflash_probe()
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (166 preceding siblings ...)
2020-09-29 11:00 ` [PATCH 4.19 167/245] USB: EHCI: ehci-mv: fix less than zero comparison of an unsigned int Greg Kroah-Hartman
@ 2020-09-29 11:00 ` Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 169/245] arm64/cpufeature: Drop TraceFilt feature exposure from ID_DFR0 register Greg Kroah-Hartman
` (79 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:00 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Matthew R. Ochs, Wei Yongjun,
Martin K. Petersen, Sasha Levin
From: Wei Yongjun <weiyongjun1@huawei.com>
[ Upstream commit d0b1e4a638d670a09f42017a3e567dc846931ba8 ]
Fix to return negative error code -ENOMEM from create_afu error handling
case instead of 0, as done elsewhere in this function.
Link: https://lore.kernel.org/r/20200428141855.88704-1-weiyongjun1@huawei.com
Acked-by: Matthew R. Ochs <mrochs@linux.ibm.com>
Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/cxlflash/main.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/scsi/cxlflash/main.c b/drivers/scsi/cxlflash/main.c
index f987c40c47a13..443813feaef47 100644
--- a/drivers/scsi/cxlflash/main.c
+++ b/drivers/scsi/cxlflash/main.c
@@ -3749,6 +3749,7 @@ static int cxlflash_probe(struct pci_dev *pdev,
cfg->afu_cookie = cfg->ops->create_afu(pdev);
if (unlikely(!cfg->afu_cookie)) {
dev_err(dev, "%s: create_afu failed\n", __func__);
+ rc = -ENOMEM;
goto out_remove;
}
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 169/245] arm64/cpufeature: Drop TraceFilt feature exposure from ID_DFR0 register
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (167 preceding siblings ...)
2020-09-29 11:00 ` [PATCH 4.19 168/245] scsi: cxlflash: Fix error return code in cxlflash_probe() Greg Kroah-Hartman
@ 2020-09-29 11:00 ` Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 170/245] e1000: Do not perform reset in reset_task if we are already down Greg Kroah-Hartman
` (78 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:00 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Catalin Marinas, Will Deacon,
Marc Zyngier, Mark Rutland, James Morse, Suzuki K Poulose,
linux-arm-kernel, Anshuman Khandual, Sasha Levin
From: Anshuman Khandual <anshuman.khandual@arm.com>
[ Upstream commit 1ed1b90a0594c8c9d31e8bb8be25a2b37717dc9e ]
ID_DFR0 based TraceFilt feature should not be exposed to guests. Hence lets
drop it.
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will@kernel.org>
Cc: Marc Zyngier <maz@kernel.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: James Morse <james.morse@arm.com>
Cc: Suzuki K Poulose <suzuki.poulose@arm.com>
Cc: linux-arm-kernel@lists.infradead.org
Cc: linux-kernel@vger.kernel.org
Suggested-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Anshuman Khandual <anshuman.khandual@arm.com>
Reviewed-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Link: https://lore.kernel.org/r/1589881254-10082-3-git-send-email-anshuman.khandual@arm.com
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/kernel/cpufeature.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c
index 095dec566275f..de6fa9b4abfa0 100644
--- a/arch/arm64/kernel/cpufeature.c
+++ b/arch/arm64/kernel/cpufeature.c
@@ -300,7 +300,7 @@ static const struct arm64_ftr_bits ftr_id_pfr0[] = {
};
static const struct arm64_ftr_bits ftr_id_dfr0[] = {
- ARM64_FTR_BITS(FTR_HIDDEN, FTR_STRICT, FTR_LOWER_SAFE, 28, 4, 0),
+ /* [31:28] TraceFilt */
S_ARM64_FTR_BITS(FTR_HIDDEN, FTR_STRICT, FTR_LOWER_SAFE, 24, 4, 0xf), /* PerfMon */
ARM64_FTR_BITS(FTR_HIDDEN, FTR_STRICT, FTR_LOWER_SAFE, 20, 4, 0),
ARM64_FTR_BITS(FTR_HIDDEN, FTR_STRICT, FTR_LOWER_SAFE, 16, 4, 0),
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 170/245] e1000: Do not perform reset in reset_task if we are already down
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (168 preceding siblings ...)
2020-09-29 11:00 ` [PATCH 4.19 169/245] arm64/cpufeature: Drop TraceFilt feature exposure from ID_DFR0 register Greg Kroah-Hartman
@ 2020-09-29 11:00 ` Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 171/245] drm/nouveau/debugfs: fix runtime pm imbalance on error Greg Kroah-Hartman
` (77 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:00 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Alexander Duyck, Maxim Zhukov,
Jeff Kirsher, Sasha Levin
From: Alexander Duyck <alexander.h.duyck@linux.intel.com>
[ Upstream commit 49ee3c2ab5234757bfb56a0b3a3cb422f427e3a3 ]
We are seeing a deadlock in e1000 down when NAPI is being disabled. Looking
over the kernel function trace of the system it appears that the interface
is being closed and then a reset is hitting which deadlocks the interface
as the NAPI interface is already disabled.
To prevent this from happening I am disabling the reset task when
__E1000_DOWN is already set. In addition code has been added so that we set
the __E1000_DOWN while holding the __E1000_RESET flag in e1000_close in
order to guarantee that the reset task will not run after we have started
the close call.
Signed-off-by: Alexander Duyck <alexander.h.duyck@linux.intel.com>
Tested-by: Maxim Zhukov <mussitantesmortem@gmail.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/e1000/e1000_main.c | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/drivers/net/ethernet/intel/e1000/e1000_main.c b/drivers/net/ethernet/intel/e1000/e1000_main.c
index 47b867c64b147..195108858f38f 100644
--- a/drivers/net/ethernet/intel/e1000/e1000_main.c
+++ b/drivers/net/ethernet/intel/e1000/e1000_main.c
@@ -542,8 +542,13 @@ void e1000_reinit_locked(struct e1000_adapter *adapter)
WARN_ON(in_interrupt());
while (test_and_set_bit(__E1000_RESETTING, &adapter->flags))
msleep(1);
- e1000_down(adapter);
- e1000_up(adapter);
+
+ /* only run the task if not already down */
+ if (!test_bit(__E1000_DOWN, &adapter->flags)) {
+ e1000_down(adapter);
+ e1000_up(adapter);
+ }
+
clear_bit(__E1000_RESETTING, &adapter->flags);
}
@@ -1433,10 +1438,15 @@ int e1000_close(struct net_device *netdev)
struct e1000_hw *hw = &adapter->hw;
int count = E1000_CHECK_RESET_COUNT;
- while (test_bit(__E1000_RESETTING, &adapter->flags) && count--)
+ while (test_and_set_bit(__E1000_RESETTING, &adapter->flags) && count--)
usleep_range(10000, 20000);
- WARN_ON(test_bit(__E1000_RESETTING, &adapter->flags));
+ WARN_ON(count < 0);
+
+ /* signal that we're down so that the reset task will no longer run */
+ set_bit(__E1000_DOWN, &adapter->flags);
+ clear_bit(__E1000_RESETTING, &adapter->flags);
+
e1000_down(adapter);
e1000_power_down_phy(adapter);
e1000_free_irq(adapter);
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 171/245] drm/nouveau/debugfs: fix runtime pm imbalance on error
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (169 preceding siblings ...)
2020-09-29 11:00 ` [PATCH 4.19 170/245] e1000: Do not perform reset in reset_task if we are already down Greg Kroah-Hartman
@ 2020-09-29 11:00 ` Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 172/245] drm/nouveau: " Greg Kroah-Hartman
` (76 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:00 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Dinghao Liu, Ben Skeggs, Sasha Levin
From: Dinghao Liu <dinghao.liu@zju.edu.cn>
[ Upstream commit 00583fbe8031f69bba8b0a9a861efb75fb7131af ]
pm_runtime_get_sync() increments the runtime PM usage counter even
the call returns an error code. Thus a pairing decrement is needed
on the error handling path to keep the counter balanced.
Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/nouveau/nouveau_debugfs.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/nouveau/nouveau_debugfs.c b/drivers/gpu/drm/nouveau/nouveau_debugfs.c
index 9635704a1d864..4561a786fab07 100644
--- a/drivers/gpu/drm/nouveau/nouveau_debugfs.c
+++ b/drivers/gpu/drm/nouveau/nouveau_debugfs.c
@@ -161,8 +161,11 @@ nouveau_debugfs_pstate_set(struct file *file, const char __user *ubuf,
}
ret = pm_runtime_get_sync(drm->dev);
- if (ret < 0 && ret != -EACCES)
+ if (ret < 0 && ret != -EACCES) {
+ pm_runtime_put_autosuspend(drm->dev);
return ret;
+ }
+
ret = nvif_mthd(ctrl, NVIF_CONTROL_PSTATE_USER, &args, sizeof(args));
pm_runtime_put_autosuspend(drm->dev);
if (ret < 0)
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 172/245] drm/nouveau: fix runtime pm imbalance on error
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (170 preceding siblings ...)
2020-09-29 11:00 ` [PATCH 4.19 171/245] drm/nouveau/debugfs: fix runtime pm imbalance on error Greg Kroah-Hartman
@ 2020-09-29 11:00 ` Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 173/245] drm/nouveau/dispnv50: " Greg Kroah-Hartman
` (75 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:00 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Dinghao Liu, Ben Skeggs, Sasha Levin
From: Dinghao Liu <dinghao.liu@zju.edu.cn>
[ Upstream commit d7372dfb3f7f1602b87e0663e8b8646da23ebca7 ]
pm_runtime_get_sync() increments the runtime PM usage counter even
the call returns an error code. Thus a pairing decrement is needed
on the error handling path to keep the counter balanced.
Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/nouveau/nouveau_gem.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/nouveau/nouveau_gem.c b/drivers/gpu/drm/nouveau/nouveau_gem.c
index 791f970714ed6..a98fccb0d32f9 100644
--- a/drivers/gpu/drm/nouveau/nouveau_gem.c
+++ b/drivers/gpu/drm/nouveau/nouveau_gem.c
@@ -82,8 +82,10 @@ nouveau_gem_object_open(struct drm_gem_object *gem, struct drm_file *file_priv)
return ret;
ret = pm_runtime_get_sync(dev);
- if (ret < 0 && ret != -EACCES)
+ if (ret < 0 && ret != -EACCES) {
+ pm_runtime_put_autosuspend(dev);
goto out;
+ }
ret = nouveau_vma_new(nvbo, &cli->vmm, &vma);
pm_runtime_mark_last_busy(dev);
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 173/245] drm/nouveau/dispnv50: fix runtime pm imbalance on error
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (171 preceding siblings ...)
2020-09-29 11:00 ` [PATCH 4.19 172/245] drm/nouveau: " Greg Kroah-Hartman
@ 2020-09-29 11:00 ` Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 174/245] printk: handle blank console arguments passed in Greg Kroah-Hartman
` (74 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:00 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Dinghao Liu, Ben Skeggs, Sasha Levin
From: Dinghao Liu <dinghao.liu@zju.edu.cn>
[ Upstream commit dc455f4c888365595c0a13da445e092422d55b8d ]
pm_runtime_get_sync() increments the runtime PM usage counter even
the call returns an error code. Thus a pairing decrement is needed
on the error handling path to keep the counter balanced.
Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/nouveau/dispnv50/disp.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/nouveau/dispnv50/disp.c b/drivers/gpu/drm/nouveau/dispnv50/disp.c
index e06ea8c8184cb..1bb0a9f6fa730 100644
--- a/drivers/gpu/drm/nouveau/dispnv50/disp.c
+++ b/drivers/gpu/drm/nouveau/dispnv50/disp.c
@@ -909,8 +909,10 @@ nv50_mstc_detect(struct drm_connector *connector, bool force)
return connector_status_disconnected;
ret = pm_runtime_get_sync(connector->dev->dev);
- if (ret < 0 && ret != -EACCES)
+ if (ret < 0 && ret != -EACCES) {
+ pm_runtime_put_autosuspend(connector->dev->dev);
return connector_status_disconnected;
+ }
conn_status = drm_dp_mst_detect_port(connector, mstc->port->mgr,
mstc->port);
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 174/245] printk: handle blank console arguments passed in.
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (172 preceding siblings ...)
2020-09-29 11:00 ` [PATCH 4.19 173/245] drm/nouveau/dispnv50: " Greg Kroah-Hartman
@ 2020-09-29 11:00 ` Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 175/245] usb: dwc3: Increase timeout for CmdAct cleared by device controller Greg Kroah-Hartman
` (73 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:00 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Shreyas Joshi, Sergey Senozhatsky,
Petr Mladek, Sasha Levin
From: Shreyas Joshi <shreyas.joshi@biamp.com>
[ Upstream commit 48021f98130880dd74286459a1ef48b5e9bc374f ]
If uboot passes a blank string to console_setup then it results in
a trashed memory. Ultimately, the kernel crashes during freeing up
the memory.
This fix checks if there is a blank parameter being
passed to console_setup from uboot. In case it detects that
the console parameter is blank then it doesn't setup the serial
device and it gracefully exits.
Link: https://lore.kernel.org/r/20200522065306.83-1-shreyas.joshi@biamp.com
Signed-off-by: Shreyas Joshi <shreyas.joshi@biamp.com>
Acked-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
[pmladek@suse.com: Better format the commit message and code, remove unnecessary brackets.]
Signed-off-by: Petr Mladek <pmladek@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/printk/printk.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c
index 3cb0e5b479ff3..cf272aba362be 100644
--- a/kernel/printk/printk.c
+++ b/kernel/printk/printk.c
@@ -2148,6 +2148,9 @@ static int __init console_setup(char *str)
char *s, *options, *brl_options = NULL;
int idx;
+ if (str[0] == 0)
+ return 1;
+
if (_braille_console_setup(&str, &brl_options))
return 1;
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 175/245] usb: dwc3: Increase timeout for CmdAct cleared by device controller
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (173 preceding siblings ...)
2020-09-29 11:00 ` [PATCH 4.19 174/245] printk: handle blank console arguments passed in Greg Kroah-Hartman
@ 2020-09-29 11:00 ` Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 176/245] btrfs: dont force read-only after error in drop snapshot Greg Kroah-Hartman
` (72 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:00 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Yu Chen, John Stultz, Li Jun,
Felipe Balbi, Sasha Levin
From: Yu Chen <chenyu56@huawei.com>
[ Upstream commit 1c0e69ae1b9f9004fd72978612ae3463791edc56 ]
If the SS PHY is in P3, there is no pipe_clk, HW may use suspend_clk
for function, as suspend_clk is slow so EP command need more time to
complete, e.g, imx8M suspend_clk is 32K, set ep configuration will
take about 380us per below trace time stamp(44.286278 - 44.285897
= 0.000381):
configfs_acm.sh-822 [000] d..1 44.285896: dwc3_writel: addr
000000006d59aae1 value 00000401
configfs_acm.sh-822 [000] d..1 44.285897: dwc3_readl: addr
000000006d59aae1 value 00000401
... ...
configfs_acm.sh-822 [000] d..1 44.286278: dwc3_readl: addr
000000006d59aae1 value 00000001
configfs_acm.sh-822 [000] d..1 44.286279: dwc3_gadget_ep_cmd:
ep0out: cmd 'Set Endpoint Configuration' [401] params 00001000
00000500 00000000 --> status: Successful
This was originally found on Hisilicon Kirin Soc that need more time
for the device controller to clear the CmdAct of DEPCMD.
Signed-off-by: Yu Chen <chenyu56@huawei.com>
Signed-off-by: John Stultz <john.stultz@linaro.org>
Signed-off-by: Li Jun <jun.li@nxp.com>
Signed-off-by: Felipe Balbi <balbi@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/dwc3/gadget.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
index 7bf2573dd459e..37cc3fd7c3cad 100644
--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -270,7 +270,7 @@ int dwc3_send_gadget_ep_cmd(struct dwc3_ep *dep, unsigned cmd,
{
const struct usb_endpoint_descriptor *desc = dep->endpoint.desc;
struct dwc3 *dwc = dep->dwc;
- u32 timeout = 1000;
+ u32 timeout = 5000;
u32 saved_config = 0;
u32 reg;
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 176/245] btrfs: dont force read-only after error in drop snapshot
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (174 preceding siblings ...)
2020-09-29 11:00 ` [PATCH 4.19 175/245] usb: dwc3: Increase timeout for CmdAct cleared by device controller Greg Kroah-Hartman
@ 2020-09-29 11:00 ` Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 177/245] vfio/pci: fix memory leaks of eventfd ctx Greg Kroah-Hartman
` (71 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:00 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, David Sterba, Sasha Levin
From: David Sterba <dsterba@suse.com>
[ Upstream commit 7c09c03091ac562ddca2b393e5d65c1d37da79f1 ]
Deleting a subvolume on a full filesystem leads to ENOSPC followed by a
forced read-only. This is not a transaction abort and the filesystem is
otherwise ok, so the error should be just propagated to the callers.
This is caused by unnecessary call to btrfs_handle_fs_error for all
errors, except EAGAIN. This does not make sense as the standard
transaction abort mechanism is in btrfs_drop_snapshot so all relevant
failures are handled.
Originally in commit cb1b69f4508a ("Btrfs: forced readonly when
btrfs_drop_snapshot() fails") there was no return value at all, so the
btrfs_std_error made some sense but once the error handling and
propagation has been implemented we don't need it anymore.
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/extent-tree.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c
index 319a89d4d0735..ce5e0f6c6af4f 100644
--- a/fs/btrfs/extent-tree.c
+++ b/fs/btrfs/extent-tree.c
@@ -9098,8 +9098,6 @@ out:
*/
if (!for_reloc && !root_dropped)
btrfs_add_dead_root(root);
- if (err && err != -EAGAIN)
- btrfs_handle_fs_error(fs_info, err, NULL);
return err;
}
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 177/245] vfio/pci: fix memory leaks of eventfd ctx
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (175 preceding siblings ...)
2020-09-29 11:00 ` [PATCH 4.19 176/245] btrfs: dont force read-only after error in drop snapshot Greg Kroah-Hartman
@ 2020-09-29 11:00 ` Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 178/245] perf evsel: Fix 2 memory leaks Greg Kroah-Hartman
` (70 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:00 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Qian Cai, Alex Williamson, Sasha Levin
From: Qian Cai <cai@lca.pw>
[ Upstream commit 1518ac272e789cae8c555d69951b032a275b7602 ]
Finished a qemu-kvm (-device vfio-pci,host=0001:01:00.0) triggers a few
memory leaks after a while because vfio_pci_set_ctx_trigger_single()
calls eventfd_ctx_fdget() without the matching eventfd_ctx_put() later.
Fix it by calling eventfd_ctx_put() for those memory in
vfio_pci_release() before vfio_device_release().
unreferenced object 0xebff008981cc2b00 (size 128):
comm "qemu-kvm", pid 4043, jiffies 4294994816 (age 9796.310s)
hex dump (first 32 bytes):
01 00 00 00 6b 6b 6b 6b 00 00 00 00 ad 4e ad de ....kkkk.....N..
ff ff ff ff 6b 6b 6b 6b ff ff ff ff ff ff ff ff ....kkkk........
backtrace:
[<00000000917e8f8d>] slab_post_alloc_hook+0x74/0x9c
[<00000000df0f2aa2>] kmem_cache_alloc_trace+0x2b4/0x3d4
[<000000005fcec025>] do_eventfd+0x54/0x1ac
[<0000000082791a69>] __arm64_sys_eventfd2+0x34/0x44
[<00000000b819758c>] do_el0_svc+0x128/0x1dc
[<00000000b244e810>] el0_sync_handler+0xd0/0x268
[<00000000d495ef94>] el0_sync+0x164/0x180
unreferenced object 0x29ff008981cc4180 (size 128):
comm "qemu-kvm", pid 4043, jiffies 4294994818 (age 9796.290s)
hex dump (first 32 bytes):
01 00 00 00 6b 6b 6b 6b 00 00 00 00 ad 4e ad de ....kkkk.....N..
ff ff ff ff 6b 6b 6b 6b ff ff ff ff ff ff ff ff ....kkkk........
backtrace:
[<00000000917e8f8d>] slab_post_alloc_hook+0x74/0x9c
[<00000000df0f2aa2>] kmem_cache_alloc_trace+0x2b4/0x3d4
[<000000005fcec025>] do_eventfd+0x54/0x1ac
[<0000000082791a69>] __arm64_sys_eventfd2+0x34/0x44
[<00000000b819758c>] do_el0_svc+0x128/0x1dc
[<00000000b244e810>] el0_sync_handler+0xd0/0x268
[<00000000d495ef94>] el0_sync+0x164/0x180
Signed-off-by: Qian Cai <cai@lca.pw>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/vfio/pci/vfio_pci.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/vfio/pci/vfio_pci.c b/drivers/vfio/pci/vfio_pci.c
index 9f72a6ee13b53..86cd8bdfa9f28 100644
--- a/drivers/vfio/pci/vfio_pci.c
+++ b/drivers/vfio/pci/vfio_pci.c
@@ -409,6 +409,10 @@ static void vfio_pci_release(void *device_data)
if (!(--vdev->refcnt)) {
vfio_spapr_pci_eeh_release(vdev->pdev);
vfio_pci_disable(vdev);
+ if (vdev->err_trigger)
+ eventfd_ctx_put(vdev->err_trigger);
+ if (vdev->req_trigger)
+ eventfd_ctx_put(vdev->req_trigger);
}
mutex_unlock(&driver_lock);
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 178/245] perf evsel: Fix 2 memory leaks
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (176 preceding siblings ...)
2020-09-29 11:00 ` [PATCH 4.19 177/245] vfio/pci: fix memory leaks of eventfd ctx Greg Kroah-Hartman
@ 2020-09-29 11:00 ` Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 179/245] perf trace: Fix the selection for architectures to generate the errno name tables Greg Kroah-Hartman
` (69 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:00 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Ian Rogers, Andi Kleen,
Adrian Hunter, Alexander Shishkin, Jiri Olsa, Mark Rutland,
Namhyung Kim, Peter Zijlstra, Stephane Eranian,
Arnaldo Carvalho de Melo, Sasha Levin
From: Ian Rogers <irogers@google.com>
[ Upstream commit 3efc899d9afb3d03604f191a0be9669eabbfc4aa ]
If allocated, perf_pkg_mask and metric_events need freeing.
Signed-off-by: Ian Rogers <irogers@google.com>
Reviewed-by: Andi Kleen <ak@linux.intel.com>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Stephane Eranian <eranian@google.com>
Link: http://lore.kernel.org/lkml/20200512235918.10732-1-irogers@google.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/util/evsel.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c
index e8586957562b3..1b7b6244c8cfe 100644
--- a/tools/perf/util/evsel.c
+++ b/tools/perf/util/evsel.c
@@ -1291,6 +1291,8 @@ void perf_evsel__exit(struct perf_evsel *evsel)
zfree(&evsel->group_name);
zfree(&evsel->name);
zfree(&evsel->pmu_name);
+ zfree(&evsel->per_pkg_mask);
+ zfree(&evsel->metric_events);
perf_evsel__object.fini(evsel);
}
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 179/245] perf trace: Fix the selection for architectures to generate the errno name tables
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (177 preceding siblings ...)
2020-09-29 11:00 ` [PATCH 4.19 178/245] perf evsel: Fix 2 memory leaks Greg Kroah-Hartman
@ 2020-09-29 11:00 ` Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 180/245] perf stat: Fix duration_time value for higher intervals Greg Kroah-Hartman
` (68 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:00 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Ian Rogers, Adrian Hunter,
Alexander Shishkin, Alexios Zavras, Andi Kleen, Igor Lubashev,
Jiri Olsa, Kan Liang, Mark Rutland, Mathieu Poirier,
Namhyung Kim, Nick Desaulniers, Peter Zijlstra, Stephane Eranian,
Thomas Gleixner, Wei Li, Arnaldo Carvalho de Melo, Sasha Levin
From: Ian Rogers <irogers@google.com>
[ Upstream commit 7597ce89b3ed239f7a3408b930d2a6c7a4c938a1 ]
Make the architecture test directory agree with the code comment.
Committer notes:
This was split from a larger patch.
The code was assuming the developer always worked from tools/perf/, so make sure we
do the test -d having $toolsdir/perf/arch/$arch, to match the intent expressed in the comment,
just above that loop.
Signed-off-by: Ian Rogers <irogers@google.com>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Alexios Zavras <alexios.zavras@intel.com>
Cc: Andi Kleen <ak@linux.intel.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Igor Lubashev <ilubashe@akamai.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Kan Liang <kan.liang@linux.intel.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Mathieu Poirier <mathieu.poirier@linaro.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Nick Desaulniers <ndesaulniers@google.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Stephane Eranian <eranian@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Wei Li <liwei391@huawei.com>
Link: http://lore.kernel.org/lkml/20200306071110.130202-4-irogers@google.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/trace/beauty/arch_errno_names.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/perf/trace/beauty/arch_errno_names.sh b/tools/perf/trace/beauty/arch_errno_names.sh
index 22c9fc900c847..f8c44a85650be 100755
--- a/tools/perf/trace/beauty/arch_errno_names.sh
+++ b/tools/perf/trace/beauty/arch_errno_names.sh
@@ -91,7 +91,7 @@ EoHEADER
# in tools/perf/arch
archlist=""
for arch in $(find $toolsdir/arch -maxdepth 1 -mindepth 1 -type d -printf "%f\n" | grep -v x86 | sort); do
- test -d arch/$arch && archlist="$archlist $arch"
+ test -d $toolsdir/perf/arch/$arch && archlist="$archlist $arch"
done
for arch in x86 $archlist generic; do
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 180/245] perf stat: Fix duration_time value for higher intervals
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (178 preceding siblings ...)
2020-09-29 11:00 ` [PATCH 4.19 179/245] perf trace: Fix the selection for architectures to generate the errno name tables Greg Kroah-Hartman
@ 2020-09-29 11:00 ` Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 181/245] perf util: Fix memory leak of prefix_if_not_in Greg Kroah-Hartman
` (67 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:00 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Joakim Zhang, Jiri Olsa,
Alexander Shishkin, Andi Kleen, Michael Petlan, Namhyung Kim,
Peter Zijlstra, Arnaldo Carvalho de Melo, Sasha Levin
From: Jiri Olsa <jolsa@kernel.org>
[ Upstream commit ea9eb1f456a08c18feb485894185f7a4e31cc8a4 ]
Joakim reported wrong duration_time value for interval bigger
than 4000 [1].
The problem is in the interval value we pass to update_stats
function, which is typed as 'unsigned int' and overflows when
we get over 2^32 (happens between intervals 4000 and 5000).
Retyping the passed value to unsigned long long.
[1] https://www.spinics.net/lists/linux-perf-users/msg11777.html
Fixes: b90f1333ef08 ("perf stat: Update walltime_nsecs_stats in interval mode")
Reported-by: Joakim Zhang <qiangqing.zhang@nxp.com>
Signed-off-by: Jiri Olsa <jolsa@kernel.org>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Andi Kleen <ak@linux.intel.com>
Cc: Michael Petlan <mpetlan@redhat.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Link: http://lore.kernel.org/lkml/20200518131445.3745083-1-jolsa@kernel.org
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/builtin-stat.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/perf/builtin-stat.c b/tools/perf/builtin-stat.c
index 6aae10ff954c7..adabe9d4dc866 100644
--- a/tools/perf/builtin-stat.c
+++ b/tools/perf/builtin-stat.c
@@ -422,7 +422,7 @@ static void process_interval(void)
}
init_stats(&walltime_nsecs_stats);
- update_stats(&walltime_nsecs_stats, stat_config.interval * 1000000);
+ update_stats(&walltime_nsecs_stats, stat_config.interval * 1000000ULL);
print_counters(&rs, 0, NULL);
}
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 181/245] perf util: Fix memory leak of prefix_if_not_in
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (179 preceding siblings ...)
2020-09-29 11:00 ` [PATCH 4.19 180/245] perf stat: Fix duration_time value for higher intervals Greg Kroah-Hartman
@ 2020-09-29 11:00 ` Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 182/245] perf metricgroup: Free metric_events on error Greg Kroah-Hartman
` (66 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:00 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Xie XiuQi, Alexander Shishkin,
Hongbo Yao, Jiri Olsa, Li Bin, Mark Rutland, Namhyung Kim,
Arnaldo Carvalho de Melo, Sasha Levin
From: Xie XiuQi <xiexiuqi@huawei.com>
[ Upstream commit 07e9a6f538cbeecaf5c55b6f2991416f873cdcbd ]
Need to free "str" before return when asprintf() failed to avoid memory
leak.
Signed-off-by: Xie XiuQi <xiexiuqi@huawei.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Hongbo Yao <yaohongbo@huawei.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Li Bin <huawei.libin@huawei.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Link: http://lore.kernel.org/lkml/20200521133218.30150-4-liwei391@huawei.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/util/sort.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/perf/util/sort.c b/tools/perf/util/sort.c
index 46daa22b86e3b..85ff4f68adc00 100644
--- a/tools/perf/util/sort.c
+++ b/tools/perf/util/sort.c
@@ -2690,7 +2690,7 @@ static char *prefix_if_not_in(const char *pre, char *str)
return str;
if (asprintf(&n, "%s,%s", pre, str) < 0)
- return NULL;
+ n = NULL;
free(str);
return n;
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 182/245] perf metricgroup: Free metric_events on error
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (180 preceding siblings ...)
2020-09-29 11:00 ` [PATCH 4.19 181/245] perf util: Fix memory leak of prefix_if_not_in Greg Kroah-Hartman
@ 2020-09-29 11:00 ` Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 183/245] perf kcore_copy: Fix module map when there are no modules loaded Greg Kroah-Hartman
` (65 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:00 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Ian Rogers, Alexander Shishkin,
Alexei Starovoitov, Andi Kleen, Andrii Nakryiko, Cong Wang,
Daniel Borkmann, Jin Yao, Jiri Olsa, John Fastabend, John Garry,
Kajol Jain, Kan Liang, Kim Phillips, Mark Rutland,
Martin KaFai Lau, Namhyung Kim, Peter Zijlstra, Song Liu,
Stephane Eranian, Vince Weaver, Yonghong Song, bpf, kp singh,
netdev, Arnaldo Carvalho de Melo, Sasha Levin
From: Ian Rogers <irogers@google.com>
[ Upstream commit a159e2fe89b4d1f9fb54b0ae418b961e239bf617 ]
Avoid a simple memory leak.
Signed-off-by: Ian Rogers <irogers@google.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Alexei Starovoitov <ast@kernel.org>
Cc: Andi Kleen <ak@linux.intel.com>
Cc: Andrii Nakryiko <andriin@fb.com>
Cc: Cong Wang <xiyou.wangcong@gmail.com>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: Jin Yao <yao.jin@linux.intel.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: John Fastabend <john.fastabend@gmail.com>
Cc: John Garry <john.garry@huawei.com>
Cc: Kajol Jain <kjain@linux.ibm.com>
Cc: Kan Liang <kan.liang@linux.intel.com>
Cc: Kim Phillips <kim.phillips@amd.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Martin KaFai Lau <kafai@fb.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Song Liu <songliubraving@fb.com>
Cc: Stephane Eranian <eranian@google.com>
Cc: Vince Weaver <vincent.weaver@maine.edu>
Cc: Yonghong Song <yhs@fb.com>
Cc: bpf@vger.kernel.org
Cc: kp singh <kpsingh@chromium.org>
Cc: netdev@vger.kernel.org
Link: http://lore.kernel.org/lkml/20200508053629.210324-10-irogers@google.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/util/metricgroup.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/tools/perf/util/metricgroup.c b/tools/perf/util/metricgroup.c
index 8b3dafe3fac3a..6dcc6e1182a54 100644
--- a/tools/perf/util/metricgroup.c
+++ b/tools/perf/util/metricgroup.c
@@ -171,6 +171,7 @@ static int metricgroup__setup_events(struct list_head *groups,
if (!evsel) {
pr_debug("Cannot resolve %s: %s\n",
eg->metric_name, eg->metric_expr);
+ free(metric_events);
continue;
}
for (i = 0; i < eg->idnum; i++)
@@ -178,11 +179,13 @@ static int metricgroup__setup_events(struct list_head *groups,
me = metricgroup__lookup(metric_events_list, evsel, true);
if (!me) {
ret = -ENOMEM;
+ free(metric_events);
break;
}
expr = malloc(sizeof(struct metric_expr));
if (!expr) {
ret = -ENOMEM;
+ free(metric_events);
break;
}
expr->metric_expr = eg->metric_expr;
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 183/245] perf kcore_copy: Fix module map when there are no modules loaded
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (181 preceding siblings ...)
2020-09-29 11:00 ` [PATCH 4.19 182/245] perf metricgroup: Free metric_events on error Greg Kroah-Hartman
@ 2020-09-29 11:00 ` Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 184/245] ASoC: img-i2s-out: Fix runtime PM imbalance on error Greg Kroah-Hartman
` (64 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:00 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Adrian Hunter, Alexander Shishkin,
Borislav Petkov, H. Peter Anvin, Jiri Olsa, Leo Yan,
Mark Rutland, Masami Hiramatsu, Mathieu Poirier, Peter Zijlstra,
Steven Rostedt (VMware),
x86, Arnaldo Carvalho de Melo, Sasha Levin
From: Adrian Hunter <adrian.hunter@intel.com>
[ Upstream commit 61f82e3fb697a8e85f22fdec786528af73dc36d1 ]
In the absence of any modules, no "modules" map is created, but there
are other executable pages to map, due to eBPF JIT, kprobe or ftrace.
Map them by recognizing that the first "module" symbol is not
necessarily from a module, and adjust the map accordingly.
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Leo Yan <leo.yan@linaro.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Mathieu Poirier <mathieu.poirier@linaro.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Steven Rostedt (VMware) <rostedt@goodmis.org>
Cc: x86@kernel.org
Link: http://lore.kernel.org/lkml/20200512121922.8997-10-adrian.hunter@intel.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/util/symbol-elf.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/tools/perf/util/symbol-elf.c b/tools/perf/util/symbol-elf.c
index a701a8a48f005..166c621e02235 100644
--- a/tools/perf/util/symbol-elf.c
+++ b/tools/perf/util/symbol-elf.c
@@ -1421,6 +1421,7 @@ struct kcore_copy_info {
u64 first_symbol;
u64 last_symbol;
u64 first_module;
+ u64 first_module_symbol;
u64 last_module_symbol;
size_t phnum;
struct list_head phdrs;
@@ -1497,6 +1498,8 @@ static int kcore_copy__process_kallsyms(void *arg, const char *name, char type,
return 0;
if (strchr(name, '[')) {
+ if (!kci->first_module_symbol || start < kci->first_module_symbol)
+ kci->first_module_symbol = start;
if (start > kci->last_module_symbol)
kci->last_module_symbol = start;
return 0;
@@ -1694,6 +1697,10 @@ static int kcore_copy__calc_maps(struct kcore_copy_info *kci, const char *dir,
kci->etext += page_size;
}
+ if (kci->first_module_symbol &&
+ (!kci->first_module || kci->first_module_symbol < kci->first_module))
+ kci->first_module = kci->first_module_symbol;
+
kci->first_module = round_down(kci->first_module, page_size);
if (kci->last_module_symbol) {
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 184/245] ASoC: img-i2s-out: Fix runtime PM imbalance on error
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (182 preceding siblings ...)
2020-09-29 11:00 ` [PATCH 4.19 183/245] perf kcore_copy: Fix module map when there are no modules loaded Greg Kroah-Hartman
@ 2020-09-29 11:00 ` Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 185/245] wlcore: fix runtime pm imbalance in wl1271_tx_work Greg Kroah-Hartman
` (63 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:00 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Dinghao Liu, Mark Brown, Sasha Levin
From: Dinghao Liu <dinghao.liu@zju.edu.cn>
[ Upstream commit 65bd91dd6957390c42a0491b9622cf31a2cdb140 ]
pm_runtime_get_sync() increments the runtime PM usage counter even
the call returns an error code. Thus a pairing decrement is needed
on the error handling path to keep the counter balanced.
Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
Link: https://lore.kernel.org/r/20200529012230.5863-1-dinghao.liu@zju.edu.cn
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/img/img-i2s-out.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/sound/soc/img/img-i2s-out.c b/sound/soc/img/img-i2s-out.c
index fc2d1dac63339..798ab579564cb 100644
--- a/sound/soc/img/img-i2s-out.c
+++ b/sound/soc/img/img-i2s-out.c
@@ -350,8 +350,10 @@ static int img_i2s_out_set_fmt(struct snd_soc_dai *dai, unsigned int fmt)
chan_control_mask = IMG_I2S_OUT_CHAN_CTL_CLKT_MASK;
ret = pm_runtime_get_sync(i2s->dev);
- if (ret < 0)
+ if (ret < 0) {
+ pm_runtime_put_noidle(i2s->dev);
return ret;
+ }
img_i2s_out_disable(i2s);
@@ -491,8 +493,10 @@ static int img_i2s_out_probe(struct platform_device *pdev)
goto err_pm_disable;
}
ret = pm_runtime_get_sync(&pdev->dev);
- if (ret < 0)
+ if (ret < 0) {
+ pm_runtime_put_noidle(&pdev->dev);
goto err_suspend;
+ }
reg = IMG_I2S_OUT_CTL_FRM_SIZE_MASK;
img_i2s_out_writel(i2s, reg, IMG_I2S_OUT_CTL);
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 185/245] wlcore: fix runtime pm imbalance in wl1271_tx_work
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (183 preceding siblings ...)
2020-09-29 11:00 ` [PATCH 4.19 184/245] ASoC: img-i2s-out: Fix runtime PM imbalance on error Greg Kroah-Hartman
@ 2020-09-29 11:00 ` Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 186/245] wlcore: fix runtime pm imbalance in wlcore_regdomain_config Greg Kroah-Hartman
` (62 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:00 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Dinghao Liu, Tony Lindgren,
Kalle Valo, Sasha Levin
From: Dinghao Liu <dinghao.liu@zju.edu.cn>
[ Upstream commit 9604617e998b49f7695fea1479ed82421ef8c9f0 ]
There are two error handling paths in this functon. When
wlcore_tx_work_locked() returns an error code, we should
decrease the runtime PM usage counter the same way as the
error handling path beginning from pm_runtime_get_sync().
Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
Acked-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20200520124241.9931-1-dinghao.liu@zju.edu.cn
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ti/wlcore/tx.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/wireless/ti/wlcore/tx.c b/drivers/net/wireless/ti/wlcore/tx.c
index b6e19c2d66b0a..250bcbf4ea2f2 100644
--- a/drivers/net/wireless/ti/wlcore/tx.c
+++ b/drivers/net/wireless/ti/wlcore/tx.c
@@ -877,6 +877,7 @@ void wl1271_tx_work(struct work_struct *work)
ret = wlcore_tx_work_locked(wl);
if (ret < 0) {
+ pm_runtime_put_noidle(wl->dev);
wl12xx_queue_recovery_work(wl);
goto out;
}
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 186/245] wlcore: fix runtime pm imbalance in wlcore_regdomain_config
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (184 preceding siblings ...)
2020-09-29 11:00 ` [PATCH 4.19 185/245] wlcore: fix runtime pm imbalance in wl1271_tx_work Greg Kroah-Hartman
@ 2020-09-29 11:00 ` Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 187/245] mtd: rawnand: omap_elm: Fix runtime PM imbalance on error Greg Kroah-Hartman
` (61 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:00 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Dinghao Liu, Tony Lindgren,
Kalle Valo, Sasha Levin
From: Dinghao Liu <dinghao.liu@zju.edu.cn>
[ Upstream commit 282a04bf1d8029eb98585cb5db3fd70fe8bc91f7 ]
pm_runtime_get_sync() increments the runtime PM usage counter even
the call returns an error code. Thus a pairing decrement is needed
on the error handling path to keep the counter balanced.
Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
Acked-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20200520124649.10848-1-dinghao.liu@zju.edu.cn
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ti/wlcore/main.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/ti/wlcore/main.c b/drivers/net/wireless/ti/wlcore/main.c
index 2ca5658bbc2ab..43c7b37dec0c9 100644
--- a/drivers/net/wireless/ti/wlcore/main.c
+++ b/drivers/net/wireless/ti/wlcore/main.c
@@ -3671,8 +3671,10 @@ void wlcore_regdomain_config(struct wl1271 *wl)
goto out;
ret = pm_runtime_get_sync(wl->dev);
- if (ret < 0)
+ if (ret < 0) {
+ pm_runtime_put_autosuspend(wl->dev);
goto out;
+ }
ret = wlcore_cmd_regdomain_config_locked(wl);
if (ret < 0) {
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 187/245] mtd: rawnand: omap_elm: Fix runtime PM imbalance on error
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (185 preceding siblings ...)
2020-09-29 11:00 ` [PATCH 4.19 186/245] wlcore: fix runtime pm imbalance in wlcore_regdomain_config Greg Kroah-Hartman
@ 2020-09-29 11:00 ` Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 188/245] PCI: tegra: " Greg Kroah-Hartman
` (60 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:00 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Dinghao Liu, Miquel Raynal, Sasha Levin
From: Dinghao Liu <dinghao.liu@zju.edu.cn>
[ Upstream commit 37f7212148cf1d796135cdf8d0c7fee13067674b ]
pm_runtime_get_sync() increments the runtime PM usage counter even
when it returns an error code. Thus a pairing decrement is needed on
the error handling path to keep the counter balanced.
Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://lore.kernel.org/linux-mtd/20200522104008.28340-1-dinghao.liu@zju.edu.cn
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mtd/nand/raw/omap_elm.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/mtd/nand/raw/omap_elm.c b/drivers/mtd/nand/raw/omap_elm.c
index a3f32f939cc17..6736777a41567 100644
--- a/drivers/mtd/nand/raw/omap_elm.c
+++ b/drivers/mtd/nand/raw/omap_elm.c
@@ -421,6 +421,7 @@ static int elm_probe(struct platform_device *pdev)
pm_runtime_enable(&pdev->dev);
if (pm_runtime_get_sync(&pdev->dev) < 0) {
ret = -EINVAL;
+ pm_runtime_put_sync(&pdev->dev);
pm_runtime_disable(&pdev->dev);
dev_err(&pdev->dev, "can't enable clock\n");
return ret;
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 188/245] PCI: tegra: Fix runtime PM imbalance on error
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (186 preceding siblings ...)
2020-09-29 11:00 ` [PATCH 4.19 187/245] mtd: rawnand: omap_elm: Fix runtime PM imbalance on error Greg Kroah-Hartman
@ 2020-09-29 11:00 ` Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 189/245] ceph: fix potential race in ceph_check_caps Greg Kroah-Hartman
` (59 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:00 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Dinghao Liu, Lorenzo Pieralisi,
Thierry Reding, Sasha Levin
From: Dinghao Liu <dinghao.liu@zju.edu.cn>
[ Upstream commit fcee90cdf6f3a3a371add04d41528d5ba9c3b411 ]
pm_runtime_get_sync() increments the runtime PM usage counter even
when it returns an error code. Thus a pairing decrement is needed on
the error handling path to keep the counter balanced.
Also, call pm_runtime_disable() when pm_runtime_get_sync() returns
an error code.
Link: https://lore.kernel.org/r/20200521024709.2368-1-dinghao.liu@zju.edu.cn
Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
Acked-by: Thierry Reding <treding@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pci/controller/pci-tegra.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/pci/controller/pci-tegra.c b/drivers/pci/controller/pci-tegra.c
index 6f86583605a46..097c02197ec8f 100644
--- a/drivers/pci/controller/pci-tegra.c
+++ b/drivers/pci/controller/pci-tegra.c
@@ -2400,7 +2400,7 @@ static int tegra_pcie_probe(struct platform_device *pdev)
err = pm_runtime_get_sync(pcie->dev);
if (err < 0) {
dev_err(dev, "fail to enable pcie controller: %d\n", err);
- goto teardown_msi;
+ goto pm_runtime_put;
}
err = tegra_pcie_request_resources(pcie);
@@ -2440,7 +2440,6 @@ free_resources:
pm_runtime_put:
pm_runtime_put_sync(pcie->dev);
pm_runtime_disable(pcie->dev);
-teardown_msi:
tegra_pcie_msi_teardown(pcie);
put_resources:
tegra_pcie_put_resources(pcie);
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 189/245] ceph: fix potential race in ceph_check_caps
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (187 preceding siblings ...)
2020-09-29 11:00 ` [PATCH 4.19 188/245] PCI: tegra: " Greg Kroah-Hartman
@ 2020-09-29 11:00 ` Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 190/245] mm/swap_state: fix a data race in swapin_nr_pages Greg Kroah-Hartman
` (58 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:00 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Jeff Layton, Ilya Dryomov, Sasha Levin
From: Jeff Layton <jlayton@kernel.org>
[ Upstream commit dc3da0461cc4b76f2d0c5b12247fcb3b520edbbf ]
Nothing ensures that session will still be valid by the time we
dereference the pointer. Take and put a reference.
In principle, we should always be able to get a reference here, but
throw a warning if that's ever not the case.
Signed-off-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ceph/caps.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/fs/ceph/caps.c b/fs/ceph/caps.c
index a2d4eed27f804..c0dbf8b7762b4 100644
--- a/fs/ceph/caps.c
+++ b/fs/ceph/caps.c
@@ -2015,12 +2015,24 @@ ack:
if (mutex_trylock(&session->s_mutex) == 0) {
dout("inverting session/ino locks on %p\n",
session);
+ session = ceph_get_mds_session(session);
spin_unlock(&ci->i_ceph_lock);
if (took_snap_rwsem) {
up_read(&mdsc->snap_rwsem);
took_snap_rwsem = 0;
}
- mutex_lock(&session->s_mutex);
+ if (session) {
+ mutex_lock(&session->s_mutex);
+ ceph_put_mds_session(session);
+ } else {
+ /*
+ * Because we take the reference while
+ * holding the i_ceph_lock, it should
+ * never be NULL. Throw a warning if it
+ * ever is.
+ */
+ WARN_ON_ONCE(true);
+ }
goto retry;
}
}
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 190/245] mm/swap_state: fix a data race in swapin_nr_pages
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (188 preceding siblings ...)
2020-09-29 11:00 ` [PATCH 4.19 189/245] ceph: fix potential race in ceph_check_caps Greg Kroah-Hartman
@ 2020-09-29 11:00 ` Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 191/245] rapidio: avoid data race between file operation callbacks and mport_cdev_add() Greg Kroah-Hartman
` (57 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:00 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Qian Cai, Andrew Morton, Marco Elver,
Hugh Dickins, Linus Torvalds, Sasha Levin
From: Qian Cai <cai@lca.pw>
[ Upstream commit d6c1f098f2a7ba62627c9bc17cda28f534ef9e4a ]
"prev_offset" is a static variable in swapin_nr_pages() that can be
accessed concurrently with only mmap_sem held in read mode as noticed by
KCSAN,
BUG: KCSAN: data-race in swap_cluster_readahead / swap_cluster_readahead
write to 0xffffffff92763830 of 8 bytes by task 14795 on cpu 17:
swap_cluster_readahead+0x2a6/0x5e0
swapin_readahead+0x92/0x8dc
do_swap_page+0x49b/0xf20
__handle_mm_fault+0xcfb/0xd70
handle_mm_fault+0xfc/0x2f0
do_page_fault+0x263/0x715
page_fault+0x34/0x40
1 lock held by (dnf)/14795:
#0: ffff897bd2e98858 (&mm->mmap_sem#2){++++}-{3:3}, at: do_page_fault+0x143/0x715
do_user_addr_fault at arch/x86/mm/fault.c:1405
(inlined by) do_page_fault at arch/x86/mm/fault.c:1535
irq event stamp: 83493
count_memcg_event_mm+0x1a6/0x270
count_memcg_event_mm+0x119/0x270
__do_softirq+0x365/0x589
irq_exit+0xa2/0xc0
read to 0xffffffff92763830 of 8 bytes by task 1 on cpu 22:
swap_cluster_readahead+0xfd/0x5e0
swapin_readahead+0x92/0x8dc
do_swap_page+0x49b/0xf20
__handle_mm_fault+0xcfb/0xd70
handle_mm_fault+0xfc/0x2f0
do_page_fault+0x263/0x715
page_fault+0x34/0x40
1 lock held by systemd/1:
#0: ffff897c38f14858 (&mm->mmap_sem#2){++++}-{3:3}, at: do_page_fault+0x143/0x715
irq event stamp: 43530289
count_memcg_event_mm+0x1a6/0x270
count_memcg_event_mm+0x119/0x270
__do_softirq+0x365/0x589
irq_exit+0xa2/0xc0
Signed-off-by: Qian Cai <cai@lca.pw>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Marco Elver <elver@google.com>
Cc: Hugh Dickins <hughd@google.com>
Link: http://lkml.kernel.org/r/20200402213748.2237-1-cai@lca.pw
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
mm/swap_state.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/mm/swap_state.c b/mm/swap_state.c
index 09731f4174c7e..3febffe0fca4a 100644
--- a/mm/swap_state.c
+++ b/mm/swap_state.c
@@ -537,10 +537,11 @@ static unsigned long swapin_nr_pages(unsigned long offset)
return 1;
hits = atomic_xchg(&swapin_readahead_hits, 0);
- pages = __swapin_nr_pages(prev_offset, offset, hits, max_pages,
+ pages = __swapin_nr_pages(READ_ONCE(prev_offset), offset, hits,
+ max_pages,
atomic_read(&last_readahead_pages));
if (!hits)
- prev_offset = offset;
+ WRITE_ONCE(prev_offset, offset);
atomic_set(&last_readahead_pages, pages);
return pages;
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 191/245] rapidio: avoid data race between file operation callbacks and mport_cdev_add().
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (189 preceding siblings ...)
2020-09-29 11:00 ` [PATCH 4.19 190/245] mm/swap_state: fix a data race in swapin_nr_pages Greg Kroah-Hartman
@ 2020-09-29 11:00 ` Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 192/245] mtd: parser: cmdline: Support MTD names containing one or more colons Greg Kroah-Hartman
` (56 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:00 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Madhuparna Bhowmik, Andrew Morton,
Alexandre Bounine, Matt Porter, Dan Carpenter, Mike Marshall,
Thomas Gleixner, Ira Weiny, Allison Randal, Pavel Andrianov,
Linus Torvalds, Sasha Levin
From: Madhuparna Bhowmik <madhuparnabhowmik10@gmail.com>
[ Upstream commit e1c3cdb26ab881b77486dc50370356a349077c74 ]
Fields of md(mport_dev) are set after cdev_device_add(). However, the
file operation callbacks can be called after cdev_device_add() and
therefore accesses to fields of md in the callbacks can race with the rest
of the mport_cdev_add() function.
One such example is INIT_LIST_HEAD(&md->portwrites) in mport_cdev_add(),
the list is initialised after cdev_device_add(). This can race with
list_add_tail(&pw_filter->md_node,&md->portwrites) in
rio_mport_add_pw_filter() which is called by unlocked_ioctl.
To avoid such data races use cdev_device_add() after initializing md.
Found by Linux Driver Verification project (linuxtesting.org).
Signed-off-by: Madhuparna Bhowmik <madhuparnabhowmik10@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Acked-by: Alexandre Bounine <alex.bou9@gmail.com>
Cc: Matt Porter <mporter@kernel.crashing.org>
Cc: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Mike Marshall <hubcap@omnibond.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ira Weiny <ira.weiny@intel.com>
Cc: Allison Randal <allison@lohutok.net>
Cc: Pavel Andrianov <andrianov@ispras.ru>
Link: http://lkml.kernel.org/r/20200426112950.1803-1-madhuparnabhowmik10@gmail.com
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/rapidio/devices/rio_mport_cdev.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/drivers/rapidio/devices/rio_mport_cdev.c b/drivers/rapidio/devices/rio_mport_cdev.c
index 5940780648e0f..f36a8a5261a13 100644
--- a/drivers/rapidio/devices/rio_mport_cdev.c
+++ b/drivers/rapidio/devices/rio_mport_cdev.c
@@ -2385,13 +2385,6 @@ static struct mport_dev *mport_cdev_add(struct rio_mport *mport)
cdev_init(&md->cdev, &mport_fops);
md->cdev.owner = THIS_MODULE;
- ret = cdev_device_add(&md->cdev, &md->dev);
- if (ret) {
- rmcd_error("Failed to register mport %d (err=%d)",
- mport->id, ret);
- goto err_cdev;
- }
-
INIT_LIST_HEAD(&md->doorbells);
spin_lock_init(&md->db_lock);
INIT_LIST_HEAD(&md->portwrites);
@@ -2411,6 +2404,13 @@ static struct mport_dev *mport_cdev_add(struct rio_mport *mport)
#else
md->properties.transfer_mode |= RIO_TRANSFER_MODE_TRANSFER;
#endif
+
+ ret = cdev_device_add(&md->cdev, &md->dev);
+ if (ret) {
+ rmcd_error("Failed to register mport %d (err=%d)",
+ mport->id, ret);
+ goto err_cdev;
+ }
ret = rio_query_mport(mport, &attr);
if (!ret) {
md->properties.flags = attr.flags;
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 192/245] mtd: parser: cmdline: Support MTD names containing one or more colons
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (190 preceding siblings ...)
2020-09-29 11:00 ` [PATCH 4.19 191/245] rapidio: avoid data race between file operation callbacks and mport_cdev_add() Greg Kroah-Hartman
@ 2020-09-29 11:00 ` Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 193/245] x86/speculation/mds: Mark mds_user_clear_cpu_buffers() __always_inline Greg Kroah-Hartman
` (55 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:00 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Boris Brezillon, Ron Minnich,
Richard Weinberger, Sasha Levin
From: Boris Brezillon <boris.brezillon@collabora.com>
[ Upstream commit eb13fa0227417e84aecc3bd9c029d376e33474d3 ]
Looks like some drivers define MTD names with a colon in it, thus
making mtdpart= parsing impossible. Let's fix the parser to gracefully
handle that case: the last ':' in a partition definition sequence is
considered instead of the first one.
Signed-off-by: Boris Brezillon <boris.brezillon@collabora.com>
Signed-off-by: Ron Minnich <rminnich@google.com>
Tested-by: Ron Minnich <rminnich@google.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mtd/cmdlinepart.c | 23 ++++++++++++++++++++---
1 file changed, 20 insertions(+), 3 deletions(-)
diff --git a/drivers/mtd/cmdlinepart.c b/drivers/mtd/cmdlinepart.c
index 3ea44cff9b759..c29205ee82e20 100644
--- a/drivers/mtd/cmdlinepart.c
+++ b/drivers/mtd/cmdlinepart.c
@@ -231,12 +231,29 @@ static int mtdpart_setup_real(char *s)
struct cmdline_mtd_partition *this_mtd;
struct mtd_partition *parts;
int mtd_id_len, num_parts;
- char *p, *mtd_id;
+ char *p, *mtd_id, *semicol;
+
+ /*
+ * Replace the first ';' by a NULL char so strrchr can work
+ * properly.
+ */
+ semicol = strchr(s, ';');
+ if (semicol)
+ *semicol = '\0';
mtd_id = s;
- /* fetch <mtd-id> */
- p = strchr(s, ':');
+ /*
+ * fetch <mtd-id>. We use strrchr to ignore all ':' that could
+ * be present in the MTD name, only the last one is interpreted
+ * as an <mtd-id>/<part-definition> separator.
+ */
+ p = strrchr(s, ':');
+
+ /* Restore the ';' now. */
+ if (semicol)
+ *semicol = ';';
+
if (!p) {
pr_err("no mtd-id\n");
return -EINVAL;
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 193/245] x86/speculation/mds: Mark mds_user_clear_cpu_buffers() __always_inline
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (191 preceding siblings ...)
2020-09-29 11:00 ` [PATCH 4.19 192/245] mtd: parser: cmdline: Support MTD names containing one or more colons Greg Kroah-Hartman
@ 2020-09-29 11:00 ` Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 194/245] vfio/pci: Clear error and request eventfd ctx after releasing Greg Kroah-Hartman
` (54 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:00 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Thomas Gleixner, Alexandre Chartre,
Peter Zijlstra, Sasha Levin
From: Thomas Gleixner <tglx@linutronix.de>
[ Upstream commit a7ef9ba986b5fae9d80f8a7b31db0423687efe4e ]
Prevent the compiler from uninlining and creating traceable/probable
functions as this is invoked _after_ context tracking switched to
CONTEXT_USER and rcu idle.
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Alexandre Chartre <alexandre.chartre@oracle.com>
Acked-by: Peter Zijlstra <peterz@infradead.org>
Link: https://lkml.kernel.org/r/20200505134340.902709267@linutronix.de
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/include/asm/nospec-branch.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
index e3f70c60e8ccd..62f9903544b59 100644
--- a/arch/x86/include/asm/nospec-branch.h
+++ b/arch/x86/include/asm/nospec-branch.h
@@ -330,7 +330,7 @@ DECLARE_STATIC_KEY_FALSE(mds_idle_clear);
* combination with microcode which triggers a CPU buffer flush when the
* instruction is executed.
*/
-static inline void mds_clear_cpu_buffers(void)
+static __always_inline void mds_clear_cpu_buffers(void)
{
static const u16 ds = __KERNEL_DS;
@@ -351,7 +351,7 @@ static inline void mds_clear_cpu_buffers(void)
*
* Clear CPU buffers if the corresponding static key is enabled
*/
-static inline void mds_user_clear_cpu_buffers(void)
+static __always_inline void mds_user_clear_cpu_buffers(void)
{
if (static_branch_likely(&mds_user_clear))
mds_clear_cpu_buffers();
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 194/245] vfio/pci: Clear error and request eventfd ctx after releasing
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (192 preceding siblings ...)
2020-09-29 11:00 ` [PATCH 4.19 193/245] x86/speculation/mds: Mark mds_user_clear_cpu_buffers() __always_inline Greg Kroah-Hartman
@ 2020-09-29 11:00 ` Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 195/245] cifs: Fix double add page to memcg when cifs_readpages Greg Kroah-Hartman
` (53 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:00 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Qian Cai, Daniel Wagner,
Cornelia Huck, Alex Williamson, Sasha Levin
From: Alex Williamson <alex.williamson@redhat.com>
[ Upstream commit 5c5866c593bbd444d0339ede6a8fb5f14ff66d72 ]
The next use of the device will generate an underflow from the
stale reference.
Cc: Qian Cai <cai@lca.pw>
Fixes: 1518ac272e78 ("vfio/pci: fix memory leaks of eventfd ctx")
Reported-by: Daniel Wagner <dwagner@suse.de>
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
Tested-by: Daniel Wagner <dwagner@suse.de>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/vfio/pci/vfio_pci.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/vfio/pci/vfio_pci.c b/drivers/vfio/pci/vfio_pci.c
index 86cd8bdfa9f28..94fad366312f1 100644
--- a/drivers/vfio/pci/vfio_pci.c
+++ b/drivers/vfio/pci/vfio_pci.c
@@ -409,10 +409,14 @@ static void vfio_pci_release(void *device_data)
if (!(--vdev->refcnt)) {
vfio_spapr_pci_eeh_release(vdev->pdev);
vfio_pci_disable(vdev);
- if (vdev->err_trigger)
+ if (vdev->err_trigger) {
eventfd_ctx_put(vdev->err_trigger);
- if (vdev->req_trigger)
+ vdev->err_trigger = NULL;
+ }
+ if (vdev->req_trigger) {
eventfd_ctx_put(vdev->req_trigger);
+ vdev->req_trigger = NULL;
+ }
}
mutex_unlock(&driver_lock);
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 195/245] cifs: Fix double add page to memcg when cifs_readpages
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (193 preceding siblings ...)
2020-09-29 11:00 ` [PATCH 4.19 194/245] vfio/pci: Clear error and request eventfd ctx after releasing Greg Kroah-Hartman
@ 2020-09-29 11:00 ` Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 196/245] nvme: fix possible deadlock when I/O is blocked Greg Kroah-Hartman
` (52 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:00 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Hulk Robot, Zhang Xiaoxu,
Steve French, Ronnie Sahlberg, Sasha Levin
From: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
[ Upstream commit 95a3d8f3af9b0d63b43f221b630beaab9739d13a ]
When xfstests generic/451, there is an BUG at mm/memcontrol.c:
page:ffffea000560f2c0 refcount:2 mapcount:0 mapping:000000008544e0ea
index:0xf
mapping->aops:cifs_addr_ops dentry name:"tst-aio-dio-cycle-write.451"
flags: 0x2fffff80000001(locked)
raw: 002fffff80000001 ffffc90002023c50 ffffea0005280088 ffff88815cda0210
raw: 000000000000000f 0000000000000000 00000002ffffffff ffff88817287d000
page dumped because: VM_BUG_ON_PAGE(page->mem_cgroup)
page->mem_cgroup:ffff88817287d000
------------[ cut here ]------------
kernel BUG at mm/memcontrol.c:2659!
invalid opcode: 0000 [#1] SMP
CPU: 2 PID: 2038 Comm: xfs_io Not tainted 5.8.0-rc1 #44
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_
073836-buildvm-ppc64le-16.ppc.4
RIP: 0010:commit_charge+0x35/0x50
Code: 0d 48 83 05 54 b2 02 05 01 48 89 77 38 c3 48 c7
c6 78 4a ea ba 48 83 05 38 b2 02 05 01 e8 63 0d9
RSP: 0018:ffffc90002023a50 EFLAGS: 00010202
RAX: 0000000000000000 RBX: ffff88817287d000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffff88817ac97ea0 RDI: ffff88817ac97ea0
RBP: ffffea000560f2c0 R08: 0000000000000203 R09: 0000000000000005
R10: 0000000000000030 R11: ffffc900020237a8 R12: 0000000000000000
R13: 0000000000000001 R14: 0000000000000001 R15: ffff88815a1272c0
FS: 00007f5071ab0800(0000) GS:ffff88817ac80000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055efcd5ca000 CR3: 000000015d312000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
mem_cgroup_charge+0x166/0x4f0
__add_to_page_cache_locked+0x4a9/0x710
add_to_page_cache_locked+0x15/0x20
cifs_readpages+0x217/0x1270
read_pages+0x29a/0x670
page_cache_readahead_unbounded+0x24f/0x390
__do_page_cache_readahead+0x3f/0x60
ondemand_readahead+0x1f1/0x470
page_cache_async_readahead+0x14c/0x170
generic_file_buffered_read+0x5df/0x1100
generic_file_read_iter+0x10c/0x1d0
cifs_strict_readv+0x139/0x170
new_sync_read+0x164/0x250
__vfs_read+0x39/0x60
vfs_read+0xb5/0x1e0
ksys_pread64+0x85/0xf0
__x64_sys_pread64+0x22/0x30
do_syscall_64+0x69/0x150
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f5071fcb1af
Code: Bad RIP value.
RSP: 002b:00007ffde2cdb8e0 EFLAGS: 00000293 ORIG_RAX: 0000000000000011
RAX: ffffffffffffffda RBX: 00007ffde2cdb990 RCX: 00007f5071fcb1af
RDX: 0000000000001000 RSI: 000055efcd5ca000 RDI: 0000000000000003
RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000001000 R11: 0000000000000293 R12: 0000000000000001
R13: 000000000009f000 R14: 0000000000000000 R15: 0000000000001000
Modules linked in:
---[ end trace 725fa14a3e1af65c ]---
Since commit 3fea5a499d57 ("mm: memcontrol: convert page cache to a new
mem_cgroup_charge() API") not cancel the page charge, the pages maybe
double add to pagecache:
thread1 | thread2
cifs_readpages
readpages_get_pages
add_to_page_cache_locked(head,index=n)=0
| readpages_get_pages
| add_to_page_cache_locked(head,index=n+1)=0
add_to_page_cache_locked(head, index=n+1)=-EEXIST
then, will next loop with list head page's
index=n+1 and the page->mapping not NULL
readpages_get_pages
add_to_page_cache_locked(head, index=n+1)
commit_charge
VM_BUG_ON_PAGE
So, we should not do the next loop when any page add to page cache
failed.
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Acked-by: Ronnie Sahlberg <lsahlber@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/cifs/file.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/fs/cifs/file.c b/fs/cifs/file.c
index e78b52c582f18..5cb15649adb07 100644
--- a/fs/cifs/file.c
+++ b/fs/cifs/file.c
@@ -3804,7 +3804,8 @@ readpages_get_pages(struct address_space *mapping, struct list_head *page_list,
break;
__SetPageLocked(page);
- if (add_to_page_cache_locked(page, mapping, page->index, gfp)) {
+ rc = add_to_page_cache_locked(page, mapping, page->index, gfp);
+ if (rc) {
__ClearPageLocked(page);
break;
}
@@ -3820,6 +3821,7 @@ static int cifs_readpages(struct file *file, struct address_space *mapping,
struct list_head *page_list, unsigned num_pages)
{
int rc;
+ int err = 0;
struct list_head tmplist;
struct cifsFileInfo *open_file = file->private_data;
struct cifs_sb_info *cifs_sb = CIFS_FILE_SB(file);
@@ -3860,7 +3862,7 @@ static int cifs_readpages(struct file *file, struct address_space *mapping,
* the order of declining indexes. When we put the pages in
* the rdata->pages, then we want them in increasing order.
*/
- while (!list_empty(page_list)) {
+ while (!list_empty(page_list) && !err) {
unsigned int i, nr_pages, bytes, rsize;
loff_t offset;
struct page *page, *tpage;
@@ -3883,9 +3885,10 @@ static int cifs_readpages(struct file *file, struct address_space *mapping,
return 0;
}
- rc = readpages_get_pages(mapping, page_list, rsize, &tmplist,
+ nr_pages = 0;
+ err = readpages_get_pages(mapping, page_list, rsize, &tmplist,
&nr_pages, &offset, &bytes);
- if (rc) {
+ if (!nr_pages) {
add_credits_and_wake_if(server, credits, 0);
break;
}
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 196/245] nvme: fix possible deadlock when I/O is blocked
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (194 preceding siblings ...)
2020-09-29 11:00 ` [PATCH 4.19 195/245] cifs: Fix double add page to memcg when cifs_readpages Greg Kroah-Hartman
@ 2020-09-29 11:00 ` Greg Kroah-Hartman
2020-09-30 16:22 ` Pavel Machek
2020-09-29 11:00 ` [PATCH 4.19 197/245] scsi: libfc: Handling of extra kref Greg Kroah-Hartman
` (51 subsequent siblings)
247 siblings, 1 reply; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:00 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Anton Eidelman, Sagi Grimberg,
Christoph Hellwig, Sasha Levin
From: Sagi Grimberg <sagi@grimberg.me>
[ Upstream commit 3b4b19721ec652ad2c4fe51dfbe5124212b5f581 ]
Revert fab7772bfbcf ("nvme-multipath: revalidate nvme_ns_head gendisk
in nvme_validate_ns")
When adding a new namespace to the head disk (via nvme_mpath_set_live)
we will see partition scan which triggers I/O on the mpath device node.
This process will usually be triggered from the scan_work which holds
the scan_lock. If I/O blocks (if we got ana change currently have only
available paths but none are accessible) this can deadlock on the head
disk bd_mutex as both partition scan I/O takes it, and head disk revalidation
takes it to check for resize (also triggered from scan_work on a different
path). See trace [1].
The mpath disk revalidation was originally added to detect online disk
size change, but this is no longer needed since commit cb224c3af4df
("nvme: Convert to use set_capacity_revalidate_and_notify") which already
updates resize info without unnecessarily revalidating the disk (the
mpath disk doesn't even implement .revalidate_disk fop).
[1]:
--
kernel: INFO: task kworker/u65:9:494 blocked for more than 241 seconds.
kernel: Tainted: G OE 5.3.5-050305-generic #201910071830
kernel: "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
kernel: kworker/u65:9 D 0 494 2 0x80004000
kernel: Workqueue: nvme-wq nvme_scan_work [nvme_core]
kernel: Call Trace:
kernel: __schedule+0x2b9/0x6c0
kernel: schedule+0x42/0xb0
kernel: schedule_preempt_disabled+0xe/0x10
kernel: __mutex_lock.isra.0+0x182/0x4f0
kernel: __mutex_lock_slowpath+0x13/0x20
kernel: mutex_lock+0x2e/0x40
kernel: revalidate_disk+0x63/0xa0
kernel: __nvme_revalidate_disk+0xfe/0x110 [nvme_core]
kernel: nvme_revalidate_disk+0xa4/0x160 [nvme_core]
kernel: ? evict+0x14c/0x1b0
kernel: revalidate_disk+0x2b/0xa0
kernel: nvme_validate_ns+0x49/0x940 [nvme_core]
kernel: ? blk_mq_free_request+0xd2/0x100
kernel: ? __nvme_submit_sync_cmd+0xbe/0x1e0 [nvme_core]
kernel: nvme_scan_work+0x24f/0x380 [nvme_core]
kernel: process_one_work+0x1db/0x380
kernel: worker_thread+0x249/0x400
kernel: kthread+0x104/0x140
kernel: ? process_one_work+0x380/0x380
kernel: ? kthread_park+0x80/0x80
kernel: ret_from_fork+0x1f/0x40
...
kernel: INFO: task kworker/u65:1:2630 blocked for more than 241 seconds.
kernel: Tainted: G OE 5.3.5-050305-generic #201910071830
kernel: "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
kernel: kworker/u65:1 D 0 2630 2 0x80004000
kernel: Workqueue: nvme-wq nvme_scan_work [nvme_core]
kernel: Call Trace:
kernel: __schedule+0x2b9/0x6c0
kernel: schedule+0x42/0xb0
kernel: io_schedule+0x16/0x40
kernel: do_read_cache_page+0x438/0x830
kernel: ? __switch_to_asm+0x34/0x70
kernel: ? file_fdatawait_range+0x30/0x30
kernel: read_cache_page+0x12/0x20
kernel: read_dev_sector+0x27/0xc0
kernel: read_lba+0xc1/0x220
kernel: ? kmem_cache_alloc_trace+0x19c/0x230
kernel: efi_partition+0x1e6/0x708
kernel: ? vsnprintf+0x39e/0x4e0
kernel: ? snprintf+0x49/0x60
kernel: check_partition+0x154/0x244
kernel: rescan_partitions+0xae/0x280
kernel: __blkdev_get+0x40f/0x560
kernel: blkdev_get+0x3d/0x140
kernel: __device_add_disk+0x388/0x480
kernel: device_add_disk+0x13/0x20
kernel: nvme_mpath_set_live+0x119/0x140 [nvme_core]
kernel: nvme_update_ns_ana_state+0x5c/0x60 [nvme_core]
kernel: nvme_set_ns_ana_state+0x1e/0x30 [nvme_core]
kernel: nvme_parse_ana_log+0xa1/0x180 [nvme_core]
kernel: ? nvme_update_ns_ana_state+0x60/0x60 [nvme_core]
kernel: nvme_mpath_add_disk+0x47/0x90 [nvme_core]
kernel: nvme_validate_ns+0x396/0x940 [nvme_core]
kernel: ? blk_mq_free_request+0xd2/0x100
kernel: nvme_scan_work+0x24f/0x380 [nvme_core]
kernel: process_one_work+0x1db/0x380
kernel: worker_thread+0x249/0x400
kernel: kthread+0x104/0x140
kernel: ? process_one_work+0x380/0x380
kernel: ? kthread_park+0x80/0x80
kernel: ret_from_fork+0x1f/0x40
--
Fixes: fab7772bfbcf ("nvme-multipath: revalidate nvme_ns_head gendisk
in nvme_validate_ns")
Signed-off-by: Anton Eidelman <anton@lightbitslabs.com>
Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nvme/host/core.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
index faa7feebb6095..84fcfcdb8ba5f 100644
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -1599,7 +1599,6 @@ static void __nvme_revalidate_disk(struct gendisk *disk, struct nvme_id_ns *id)
if (ns->head->disk) {
nvme_update_disk_info(ns->head->disk, ns, id);
blk_queue_stack_limits(ns->head->disk->queue, ns->queue);
- revalidate_disk(ns->head->disk);
}
#endif
}
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 197/245] scsi: libfc: Handling of extra kref
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (195 preceding siblings ...)
2020-09-29 11:00 ` [PATCH 4.19 196/245] nvme: fix possible deadlock when I/O is blocked Greg Kroah-Hartman
@ 2020-09-29 11:00 ` Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 198/245] scsi: libfc: Skip additional kref updating work event Greg Kroah-Hartman
` (50 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:00 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Girish Basrur, Saurav Kashyap,
Shyam Sundar, Javed Hasan, Martin K. Petersen, Sasha Levin
From: Javed Hasan <jhasan@marvell.com>
[ Upstream commit 71f2bf85e90d938d4a9ef9dd9bfa8d9b0b6a03f7 ]
Handling of extra kref which is done by lookup table in case rdata is
already present in list.
This issue was leading to memory leak. Trace from KMEMLEAK tool:
unreferenced object 0xffff8888259e8780 (size 512):
comm "kworker/2:1", pid 182614, jiffies 4433237386 (age 113021.971s)
hex dump (first 32 bytes):
58 0a ec cf 83 88 ff ff 00 00 00 00 00 00 00 00
01 00 00 00 08 00 00 00 13 7d f0 1e 0e 00 00 10
backtrace:
[<000000006b25760f>] fc_rport_recv_req+0x3c6/0x18f0 [libfc]
[<00000000f208d994>] fc_lport_recv_els_req+0x120/0x8a0 [libfc]
[<00000000a9c437b8>] fc_lport_recv+0xb9/0x130 [libfc]
[<00000000ad5be37b>] qedf_ll2_process_skb+0x73d/0xad0 [qedf]
[<00000000e0eb6893>] process_one_work+0x382/0x6c0
[<000000002dfd9e21>] worker_thread+0x57/0x5c0
[<00000000b648204f>] kthread+0x1a0/0x1c0
[<0000000072f5ab20>] ret_from_fork+0x35/0x40
[<000000001d5c05d8>] 0xffffffffffffffff
Below is the log sequence which leads to memory leak. Here we get the
nested "Received PLOGI request" for same port and this request leads to
call the fc_rport_create() twice for the same rport.
kernel: host1: rport fffce5: Received PLOGI request
kernel: host1: rport fffce5: Received PLOGI in INIT state
kernel: host1: rport fffce5: Port is Ready
kernel: host1: rport fffce5: Received PRLI request while in state Ready
kernel: host1: rport fffce5: PRLI rspp type 8 active 1 passive 0
kernel: host1: rport fffce5: Received LOGO request while in state Ready
kernel: host1: rport fffce5: Delete port
kernel: host1: rport fffce5: Received PLOGI request
kernel: host1: rport fffce5: Received PLOGI in state Delete - send busy
Link: https://lore.kernel.org/r/20200622101212.3922-2-jhasan@marvell.com
Reviewed-by: Girish Basrur <gbasrur@marvell.com>
Reviewed-by: Saurav Kashyap <skashyap@marvell.com>
Reviewed-by: Shyam Sundar <ssundar@marvell.com>
Signed-off-by: Javed Hasan <jhasan@marvell.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/libfc/fc_rport.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/scsi/libfc/fc_rport.c b/drivers/scsi/libfc/fc_rport.c
index 90a748551ede5..f39d2d62b002f 100644
--- a/drivers/scsi/libfc/fc_rport.c
+++ b/drivers/scsi/libfc/fc_rport.c
@@ -145,8 +145,10 @@ struct fc_rport_priv *fc_rport_create(struct fc_lport *lport, u32 port_id)
lockdep_assert_held(&lport->disc.disc_mutex);
rdata = fc_rport_lookup(lport, port_id);
- if (rdata)
+ if (rdata) {
+ kref_put(&rdata->kref, fc_rport_destroy);
return rdata;
+ }
if (lport->rport_priv_size > 0)
rport_priv_size = lport->rport_priv_size;
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 198/245] scsi: libfc: Skip additional kref updating work event
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (196 preceding siblings ...)
2020-09-29 11:00 ` [PATCH 4.19 197/245] scsi: libfc: Handling of extra kref Greg Kroah-Hartman
@ 2020-09-29 11:00 ` Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 199/245] selftests/x86/syscall_nt: Clear weird flags after each test Greg Kroah-Hartman
` (49 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:00 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Girish Basrur, Saurav Kashyap,
Shyam Sundar, Javed Hasan, Martin K. Petersen, Sasha Levin
From: Javed Hasan <jhasan@marvell.com>
[ Upstream commit 823a65409c8990f64c5693af98ce0e7819975cba ]
When an rport event (RPORT_EV_READY) is updated without work being queued,
avoid taking an additional reference.
This issue was leading to memory leak. Trace from KMEMLEAK tool:
unreferenced object 0xffff8888259e8780 (size 512):
comm "kworker/2:1", jiffies 4433237386 (age 113021.971s)
hex dump (first 32 bytes):
58 0a ec cf 83 88 ff ff 00 00 00 00 00 00 00 00
01 00 00 00 08 00 00 00 13 7d f0 1e 0e 00 00 10
backtrace:
[<000000006b25760f>] fc_rport_recv_req+0x3c6/0x18f0 [libfc]
[<00000000f208d994>] fc_lport_recv_els_req+0x120/0x8a0 [libfc]
[<00000000a9c437b8>] fc_lport_recv+0xb9/0x130 [libfc]
[<00000000a9c437b8>] fc_lport_recv+0xb9/0x130 [libfc]
[<00000000ad5be37b>] qedf_ll2_process_skb+0x73d/0xad0 [qedf]
[<00000000e0eb6893>] process_one_work+0x382/0x6c0
[<000000002dfd9e21>] worker_thread+0x57/0x5c0
[<00000000b648204f>] kthread+0x1a0/0x1c0
[<0000000072f5ab20>] ret_from_fork+0x35/0x40
[<000000001d5c05d8>] 0xffffffffffffffff
Below is the log sequence which leads to memory leak. Here we get the
RPORT_EV_READY and RPORT_EV_STOP back to back, which lead to overwrite the
event RPORT_EV_READY by event RPORT_EV_STOP. Because of this, kref_count
gets incremented by 1.
kernel: host0: rport fffce5: Received PLOGI request
kernel: host0: rport fffce5: Received PLOGI in INIT state
kernel: host0: rport fffce5: Port is Ready
kernel: host0: rport fffce5: Received PRLI request while in state Ready
kernel: host0: rport fffce5: PRLI rspp type 8 active 1 passive 0
kernel: host0: rport fffce5: Received LOGO request while in state Ready
kernel: host0: rport fffce5: Delete port
kernel: host0: rport fffce5: Received PLOGI request
kernel: host0: rport fffce5: Received PLOGI in state Delete - send busy
kernel: host0: rport fffce5: work event 3
kernel: host0: rport fffce5: lld callback ev 3
kernel: host0: rport fffce5: work delete
Link: https://lore.kernel.org/r/20200626094959.32151-1-jhasan@marvell.com
Reviewed-by: Girish Basrur <gbasrur@marvell.com>
Reviewed-by: Saurav Kashyap <skashyap@marvell.com>
Reviewed-by: Shyam Sundar <ssundar@marvell.com>
Signed-off-by: Javed Hasan <jhasan@marvell.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/libfc/fc_rport.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/drivers/scsi/libfc/fc_rport.c b/drivers/scsi/libfc/fc_rport.c
index f39d2d62b002f..2b3239765c249 100644
--- a/drivers/scsi/libfc/fc_rport.c
+++ b/drivers/scsi/libfc/fc_rport.c
@@ -495,10 +495,11 @@ static void fc_rport_enter_delete(struct fc_rport_priv *rdata,
fc_rport_state_enter(rdata, RPORT_ST_DELETE);
- kref_get(&rdata->kref);
- if (rdata->event == RPORT_EV_NONE &&
- !queue_work(rport_event_queue, &rdata->event_work))
- kref_put(&rdata->kref, fc_rport_destroy);
+ if (rdata->event == RPORT_EV_NONE) {
+ kref_get(&rdata->kref);
+ if (!queue_work(rport_event_queue, &rdata->event_work))
+ kref_put(&rdata->kref, fc_rport_destroy);
+ }
rdata->event = event;
}
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 199/245] selftests/x86/syscall_nt: Clear weird flags after each test
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (197 preceding siblings ...)
2020-09-29 11:00 ` [PATCH 4.19 198/245] scsi: libfc: Skip additional kref updating work event Greg Kroah-Hartman
@ 2020-09-29 11:00 ` Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 200/245] vfio/pci: fix racy on error and request eventfd ctx Greg Kroah-Hartman
` (48 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:00 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Andy Lutomirski, Thomas Gleixner,
Sasha Levin
From: Andy Lutomirski <luto@kernel.org>
[ Upstream commit a61fa2799ef9bf6c4f54cf7295036577cececc72 ]
Clear the weird flags before logging to improve strace output --
logging results while, say, TF is set does no one any favors.
Signed-off-by: Andy Lutomirski <luto@kernel.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://lkml.kernel.org/r/907bfa5a42d4475b8245e18b67a04b13ca51ffdb.1593191971.git.luto@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/x86/syscall_nt.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/tools/testing/selftests/x86/syscall_nt.c b/tools/testing/selftests/x86/syscall_nt.c
index 43fcab367fb0a..74e6b3fc2d09e 100644
--- a/tools/testing/selftests/x86/syscall_nt.c
+++ b/tools/testing/selftests/x86/syscall_nt.c
@@ -67,6 +67,7 @@ static void do_it(unsigned long extraflags)
set_eflags(get_eflags() | extraflags);
syscall(SYS_getpid);
flags = get_eflags();
+ set_eflags(X86_EFLAGS_IF | X86_EFLAGS_FIXED);
if ((flags & extraflags) == extraflags) {
printf("[OK]\tThe syscall worked and flags are still set\n");
} else {
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 200/245] vfio/pci: fix racy on error and request eventfd ctx
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (198 preceding siblings ...)
2020-09-29 11:00 ` [PATCH 4.19 199/245] selftests/x86/syscall_nt: Clear weird flags after each test Greg Kroah-Hartman
@ 2020-09-29 11:00 ` Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 201/245] btrfs: qgroup: fix data leak caused by race between writeback and truncate Greg Kroah-Hartman
` (47 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:00 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Qian Cai, Alex Williamson, Zeng Tao,
Sasha Levin
From: Zeng Tao <prime.zeng@hisilicon.com>
[ Upstream commit b872d0640840018669032b20b6375a478ed1f923 ]
The vfio_pci_release call will free and clear the error and request
eventfd ctx while these ctx could be in use at the same time in the
function like vfio_pci_request, and it's expected to protect them under
the vdev->igate mutex, which is missing in vfio_pci_release.
This issue is introduced since commit 1518ac272e78 ("vfio/pci: fix memory
leaks of eventfd ctx"),and since commit 5c5866c593bb ("vfio/pci: Clear
error and request eventfd ctx after releasing"), it's very easily to
trigger the kernel panic like this:
[ 9513.904346] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008
[ 9513.913091] Mem abort info:
[ 9513.915871] ESR = 0x96000006
[ 9513.918912] EC = 0x25: DABT (current EL), IL = 32 bits
[ 9513.924198] SET = 0, FnV = 0
[ 9513.927238] EA = 0, S1PTW = 0
[ 9513.930364] Data abort info:
[ 9513.933231] ISV = 0, ISS = 0x00000006
[ 9513.937048] CM = 0, WnR = 0
[ 9513.940003] user pgtable: 4k pages, 48-bit VAs, pgdp=0000007ec7d12000
[ 9513.946414] [0000000000000008] pgd=0000007ec7d13003, p4d=0000007ec7d13003, pud=0000007ec728c003, pmd=0000000000000000
[ 9513.956975] Internal error: Oops: 96000006 [#1] PREEMPT SMP
[ 9513.962521] Modules linked in: vfio_pci vfio_virqfd vfio_iommu_type1 vfio hclge hns3 hnae3 [last unloaded: vfio_pci]
[ 9513.972998] CPU: 4 PID: 1327 Comm: bash Tainted: G W 5.8.0-rc4+ #3
[ 9513.980443] Hardware name: Huawei TaiShan 2280 V2/BC82AMDC, BIOS 2280-V2 CS V3.B270.01 05/08/2020
[ 9513.989274] pstate: 80400089 (Nzcv daIf +PAN -UAO BTYPE=--)
[ 9513.994827] pc : _raw_spin_lock_irqsave+0x48/0x88
[ 9513.999515] lr : eventfd_signal+0x6c/0x1b0
[ 9514.003591] sp : ffff800038a0b960
[ 9514.006889] x29: ffff800038a0b960 x28: ffff007ef7f4da10
[ 9514.012175] x27: ffff207eefbbfc80 x26: ffffbb7903457000
[ 9514.017462] x25: ffffbb7912191000 x24: ffff007ef7f4d400
[ 9514.022747] x23: ffff20be6e0e4c00 x22: 0000000000000008
[ 9514.028033] x21: 0000000000000000 x20: 0000000000000000
[ 9514.033321] x19: 0000000000000008 x18: 0000000000000000
[ 9514.038606] x17: 0000000000000000 x16: ffffbb7910029328
[ 9514.043893] x15: 0000000000000000 x14: 0000000000000001
[ 9514.049179] x13: 0000000000000000 x12: 0000000000000002
[ 9514.054466] x11: 0000000000000000 x10: 0000000000000a00
[ 9514.059752] x9 : ffff800038a0b840 x8 : ffff007ef7f4de60
[ 9514.065038] x7 : ffff007fffc96690 x6 : fffffe01faffb748
[ 9514.070324] x5 : 0000000000000000 x4 : 0000000000000000
[ 9514.075609] x3 : 0000000000000000 x2 : 0000000000000001
[ 9514.080895] x1 : ffff007ef7f4d400 x0 : 0000000000000000
[ 9514.086181] Call trace:
[ 9514.088618] _raw_spin_lock_irqsave+0x48/0x88
[ 9514.092954] eventfd_signal+0x6c/0x1b0
[ 9514.096691] vfio_pci_request+0x84/0xd0 [vfio_pci]
[ 9514.101464] vfio_del_group_dev+0x150/0x290 [vfio]
[ 9514.106234] vfio_pci_remove+0x30/0x128 [vfio_pci]
[ 9514.111007] pci_device_remove+0x48/0x108
[ 9514.115001] device_release_driver_internal+0x100/0x1b8
[ 9514.120200] device_release_driver+0x28/0x38
[ 9514.124452] pci_stop_bus_device+0x68/0xa8
[ 9514.128528] pci_stop_and_remove_bus_device+0x20/0x38
[ 9514.133557] pci_iov_remove_virtfn+0xb4/0x128
[ 9514.137893] sriov_disable+0x3c/0x108
[ 9514.141538] pci_disable_sriov+0x28/0x38
[ 9514.145445] hns3_pci_sriov_configure+0x48/0xb8 [hns3]
[ 9514.150558] sriov_numvfs_store+0x110/0x198
[ 9514.154724] dev_attr_store+0x44/0x60
[ 9514.158373] sysfs_kf_write+0x5c/0x78
[ 9514.162018] kernfs_fop_write+0x104/0x210
[ 9514.166010] __vfs_write+0x48/0x90
[ 9514.169395] vfs_write+0xbc/0x1c0
[ 9514.172694] ksys_write+0x74/0x100
[ 9514.176079] __arm64_sys_write+0x24/0x30
[ 9514.179987] el0_svc_common.constprop.4+0x110/0x200
[ 9514.184842] do_el0_svc+0x34/0x98
[ 9514.188144] el0_svc+0x14/0x40
[ 9514.191185] el0_sync_handler+0xb0/0x2d0
[ 9514.195088] el0_sync+0x140/0x180
[ 9514.198389] Code: b9001020 d2800000 52800022 f9800271 (885ffe61)
[ 9514.204455] ---[ end trace 648de00c8406465f ]---
[ 9514.212308] note: bash[1327] exited with preempt_count 1
Cc: Qian Cai <cai@lca.pw>
Cc: Alex Williamson <alex.williamson@redhat.com>
Fixes: 1518ac272e78 ("vfio/pci: fix memory leaks of eventfd ctx")
Signed-off-by: Zeng Tao <prime.zeng@hisilicon.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/vfio/pci/vfio_pci.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/vfio/pci/vfio_pci.c b/drivers/vfio/pci/vfio_pci.c
index 94fad366312f1..58e7336b2748b 100644
--- a/drivers/vfio/pci/vfio_pci.c
+++ b/drivers/vfio/pci/vfio_pci.c
@@ -409,14 +409,19 @@ static void vfio_pci_release(void *device_data)
if (!(--vdev->refcnt)) {
vfio_spapr_pci_eeh_release(vdev->pdev);
vfio_pci_disable(vdev);
+ mutex_lock(&vdev->igate);
if (vdev->err_trigger) {
eventfd_ctx_put(vdev->err_trigger);
vdev->err_trigger = NULL;
}
+ mutex_unlock(&vdev->igate);
+
+ mutex_lock(&vdev->igate);
if (vdev->req_trigger) {
eventfd_ctx_put(vdev->req_trigger);
vdev->req_trigger = NULL;
}
+ mutex_unlock(&vdev->igate);
}
mutex_unlock(&driver_lock);
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 201/245] btrfs: qgroup: fix data leak caused by race between writeback and truncate
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (199 preceding siblings ...)
2020-09-29 11:00 ` [PATCH 4.19 200/245] vfio/pci: fix racy on error and request eventfd ctx Greg Kroah-Hartman
@ 2020-09-29 11:00 ` Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 202/245] ubi: fastmap: Free unused fastmap anchor peb during detach Greg Kroah-Hartman
` (46 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:00 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Josef Bacik, Qu Wenruo, David Sterba,
Sasha Levin
From: Qu Wenruo <wqu@suse.com>
[ Upstream commit fa91e4aa1716004ea8096d5185ec0451e206aea0 ]
[BUG]
When running tests like generic/013 on test device with btrfs quota
enabled, it can normally lead to data leak, detected at unmount time:
BTRFS warning (device dm-3): qgroup 0/5 has unreleased space, type 0 rsv 4096
------------[ cut here ]------------
WARNING: CPU: 11 PID: 16386 at fs/btrfs/disk-io.c:4142 close_ctree+0x1dc/0x323 [btrfs]
RIP: 0010:close_ctree+0x1dc/0x323 [btrfs]
Call Trace:
btrfs_put_super+0x15/0x17 [btrfs]
generic_shutdown_super+0x72/0x110
kill_anon_super+0x18/0x30
btrfs_kill_super+0x17/0x30 [btrfs]
deactivate_locked_super+0x3b/0xa0
deactivate_super+0x40/0x50
cleanup_mnt+0x135/0x190
__cleanup_mnt+0x12/0x20
task_work_run+0x64/0xb0
__prepare_exit_to_usermode+0x1bc/0x1c0
__syscall_return_slowpath+0x47/0x230
do_syscall_64+0x64/0xb0
entry_SYSCALL_64_after_hwframe+0x44/0xa9
---[ end trace caf08beafeca2392 ]---
BTRFS error (device dm-3): qgroup reserved space leaked
[CAUSE]
In the offending case, the offending operations are:
2/6: writev f2X[269 1 0 0 0 0] [1006997,67,288] 0
2/7: truncate f2X[269 1 0 0 48 1026293] 18388 0
The following sequence of events could happen after the writev():
CPU1 (writeback) | CPU2 (truncate)
-----------------------------------------------------------------
btrfs_writepages() |
|- extent_write_cache_pages() |
|- Got page for 1003520 |
| 1003520 is Dirty, no writeback |
| So (!clear_page_dirty_for_io()) |
| gets called for it |
|- Now page 1003520 is Clean. |
| | btrfs_setattr()
| | |- btrfs_setsize()
| | |- truncate_setsize()
| | New i_size is 18388
|- __extent_writepage() |
| |- page_offset() > i_size |
|- btrfs_invalidatepage() |
|- Page is clean, so no qgroup |
callback executed
This means, the qgroup reserved data space is not properly released in
btrfs_invalidatepage() as the page is Clean.
[FIX]
Instead of checking the dirty bit of a page, call
btrfs_qgroup_free_data() unconditionally in btrfs_invalidatepage().
As qgroup rsv are completely bound to the QGROUP_RESERVED bit of
io_tree, not bound to page status, thus we won't cause double freeing
anyway.
Fixes: 0b34c261e235 ("btrfs: qgroup: Prevent qgroup->reserved from going subzero")
CC: stable@vger.kernel.org # 4.14+
Reviewed-by: Josef Bacik <josef@toxicpanda.com>
Signed-off-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/inode.c | 23 ++++++++++-------------
1 file changed, 10 insertions(+), 13 deletions(-)
diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
index bdfe159a60da6..64d459ca76d06 100644
--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -8913,20 +8913,17 @@ again:
/*
* Qgroup reserved space handler
* Page here will be either
- * 1) Already written to disk
- * In this case, its reserved space is released from data rsv map
- * and will be freed by delayed_ref handler finally.
- * So even we call qgroup_free_data(), it won't decrease reserved
- * space.
- * 2) Not written to disk
- * This means the reserved space should be freed here. However,
- * if a truncate invalidates the page (by clearing PageDirty)
- * and the page is accounted for while allocating extent
- * in btrfs_check_data_free_space() we let delayed_ref to
- * free the entire extent.
+ * 1) Already written to disk or ordered extent already submitted
+ * Then its QGROUP_RESERVED bit in io_tree is already cleaned.
+ * Qgroup will be handled by its qgroup_record then.
+ * btrfs_qgroup_free_data() call will do nothing here.
+ *
+ * 2) Not written to disk yet
+ * Then btrfs_qgroup_free_data() call will clear the QGROUP_RESERVED
+ * bit of its io_tree, and free the qgroup reserved data space.
+ * Since the IO will never happen for this page.
*/
- if (PageDirty(page))
- btrfs_qgroup_free_data(inode, NULL, page_start, PAGE_SIZE);
+ btrfs_qgroup_free_data(inode, NULL, page_start, PAGE_SIZE);
if (!inode_evicting) {
clear_extent_bit(tree, page_start, page_end,
EXTENT_LOCKED | EXTENT_DIRTY |
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 202/245] ubi: fastmap: Free unused fastmap anchor peb during detach
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (200 preceding siblings ...)
2020-09-29 11:00 ` [PATCH 4.19 201/245] btrfs: qgroup: fix data leak caused by race between writeback and truncate Greg Kroah-Hartman
@ 2020-09-29 11:00 ` Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 203/245] perf parse-events: Use strcmp() to compare the PMU name Greg Kroah-Hartman
` (45 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:00 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, syzbot+f317896aae32eb281a58,
Sascha Hauer, Hou Tao, Richard Weinberger, Sasha Levin
From: Hou Tao <houtao1@huawei.com>
[ Upstream commit c16f39d14a7e0ec59881fbdb22ae494907534384 ]
When CONFIG_MTD_UBI_FASTMAP is enabled, fm_anchor will be assigned
a free PEB during ubi_wl_init() or ubi_update_fastmap(). However
if fastmap is not used or disabled on the MTD device, ubi_wl_entry
related with the PEB will not be freed during detach.
So Fix it by freeing the unused fastmap anchor during detach.
Fixes: f9c34bb52997 ("ubi: Fix producing anchor PEBs")
Reported-by: syzbot+f317896aae32eb281a58@syzkaller.appspotmail.com
Reviewed-by: Sascha Hauer <s.hauer@pengutronix.de>
Signed-off-by: Hou Tao <houtao1@huawei.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mtd/ubi/fastmap-wl.c | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/drivers/mtd/ubi/fastmap-wl.c b/drivers/mtd/ubi/fastmap-wl.c
index 13efebb400225..e08f6b4637dda 100644
--- a/drivers/mtd/ubi/fastmap-wl.c
+++ b/drivers/mtd/ubi/fastmap-wl.c
@@ -48,6 +48,13 @@ static struct ubi_wl_entry *find_anchor_wl_entry(struct rb_root *root)
return victim;
}
+static inline void return_unused_peb(struct ubi_device *ubi,
+ struct ubi_wl_entry *e)
+{
+ wl_tree_add(e, &ubi->free);
+ ubi->free_count++;
+}
+
/**
* return_unused_pool_pebs - returns unused PEB to the free tree.
* @ubi: UBI device description object
@@ -61,8 +68,7 @@ static void return_unused_pool_pebs(struct ubi_device *ubi,
for (i = pool->used; i < pool->size; i++) {
e = ubi->lookuptbl[pool->pebs[i]];
- wl_tree_add(e, &ubi->free);
- ubi->free_count++;
+ return_unused_peb(ubi, e);
}
}
@@ -370,6 +376,11 @@ static void ubi_fastmap_close(struct ubi_device *ubi)
return_unused_pool_pebs(ubi, &ubi->fm_pool);
return_unused_pool_pebs(ubi, &ubi->fm_wl_pool);
+ if (ubi->fm_anchor) {
+ return_unused_peb(ubi, ubi->fm_anchor);
+ ubi->fm_anchor = NULL;
+ }
+
if (ubi->fm) {
for (i = 0; i < ubi->fm->used_blocks; i++)
kfree(ubi->fm->e[i]);
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 203/245] perf parse-events: Use strcmp() to compare the PMU name
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (201 preceding siblings ...)
2020-09-29 11:00 ` [PATCH 4.19 202/245] ubi: fastmap: Free unused fastmap anchor peb during detach Greg Kroah-Hartman
@ 2020-09-29 11:00 ` Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 204/245] net: openvswitch: use div_u64() for 64-by-32 divisions Greg Kroah-Hartman
` (44 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:00 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Jin Yao, Jiri Olsa,
Alexander Shishkin, Andi Kleen, Jin Yao, Kan Liang,
Peter Zijlstra, Arnaldo Carvalho de Melo, Sasha Levin
From: Jin Yao <yao.jin@linux.intel.com>
[ Upstream commit 8510895bafdbf7c4dd24c22946d925691135c2b2 ]
A big uncore event group is split into multiple small groups which only
include the uncore events from the same PMU. This has been supported in
the commit 3cdc5c2cb924a ("perf parse-events: Handle uncore event
aliases in small groups properly").
If the event's PMU name starts to repeat, it must be a new event.
That can be used to distinguish the leader from other members.
But now it only compares the pointer of pmu_name
(leader->pmu_name == evsel->pmu_name).
If we use "perf stat -M LLC_MISSES.PCIE_WRITE -a" on cascadelakex,
the event list is:
evsel->name evsel->pmu_name
---------------------------------------------------------------
unc_iio_data_req_of_cpu.mem_write.part0 uncore_iio_4 (as leader)
unc_iio_data_req_of_cpu.mem_write.part0 uncore_iio_2
unc_iio_data_req_of_cpu.mem_write.part0 uncore_iio_0
unc_iio_data_req_of_cpu.mem_write.part0 uncore_iio_5
unc_iio_data_req_of_cpu.mem_write.part0 uncore_iio_3
unc_iio_data_req_of_cpu.mem_write.part0 uncore_iio_1
unc_iio_data_req_of_cpu.mem_write.part1 uncore_iio_4
......
For the event "unc_iio_data_req_of_cpu.mem_write.part1" with
"uncore_iio_4", it should be the event from PMU "uncore_iio_4".
It's not a new leader for this PMU.
But if we use "(leader->pmu_name == evsel->pmu_name)", the check
would be failed and the event is stored to leaders[] as a new
PMU leader.
So this patch uses strcmp to compare the PMU name between events.
Fixes: d4953f7ef1a2 ("perf parse-events: Fix 3 use after frees found with clang ASAN")
Signed-off-by: Jin Yao <yao.jin@linux.intel.com>
Acked-by: Jiri Olsa <jolsa@redhat.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Andi Kleen <ak@linux.intel.com>
Cc: Jin Yao <yao.jin@intel.com>
Cc: Kan Liang <kan.liang@linux.intel.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Link: http://lore.kernel.org/lkml/20200430003618.17002-1-yao.jin@linux.intel.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/util/parse-events.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/tools/perf/util/parse-events.c
+++ b/tools/perf/util/parse-events.c
@@ -1421,12 +1421,11 @@ parse_events__set_leader_for_uncore_alia
* event. That can be used to distinguish the leader from
* other members, even they have the same event name.
*/
- if ((leader != evsel) && (leader->pmu_name == evsel->pmu_name)) {
+ if ((leader != evsel) &&
+ !strcmp(leader->pmu_name, evsel->pmu_name)) {
is_leader = false;
continue;
}
- /* The name is always alias name */
- WARN_ON(strcmp(leader->name, evsel->name));
/* Store the leader event for each PMU */
leaders[nr_pmu++] = (uintptr_t) evsel;
^ permalink raw reply [flat|nested] 256+ messages in thread
* [PATCH 4.19 204/245] net: openvswitch: use div_u64() for 64-by-32 divisions
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (202 preceding siblings ...)
2020-09-29 11:00 ` [PATCH 4.19 203/245] perf parse-events: Use strcmp() to compare the PMU name Greg Kroah-Hartman
@ 2020-09-29 11:00 ` Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 205/245] nvme: explicitly update mpath disk capacity on revalidation Greg Kroah-Hartman
` (43 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:00 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, kbuild test robot, Tonghao Zhang,
David S. Miller, Sasha Levin
From: Tonghao Zhang <xiangxia.m.yue@gmail.com>
[ Upstream commit 659d4587fe7233bfdff303744b20d6f41ad04362 ]
Compile the kernel for arm 32 platform, the build warning found.
To fix that, should use div_u64() for divisions.
| net/openvswitch/meter.c:396: undefined reference to `__udivdi3'
[add more commit msg, change reported tag, and use div_u64 instead
of do_div by Tonghao]
Fixes: e57358873bb5d6ca ("net: openvswitch: use u64 for meter bucket")
Reported-by: kbuild test robot <lkp@intel.com>
Signed-off-by: Tonghao Zhang <xiangxia.m.yue@gmail.com>
Tested-by: Tonghao Zhang <xiangxia.m.yue@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/openvswitch/meter.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/openvswitch/meter.c b/net/openvswitch/meter.c
index 6f5131d1074b0..5ea2471ffc03f 100644
--- a/net/openvswitch/meter.c
+++ b/net/openvswitch/meter.c
@@ -256,7 +256,7 @@ static struct dp_meter *dp_meter_create(struct nlattr **a)
* Start with a full bucket.
*/
band->bucket = (band->burst_size + band->rate) * 1000ULL;
- band_max_delta_t = band->bucket / band->rate;
+ band_max_delta_t = div_u64(band->bucket, band->rate);
if (band_max_delta_t > meter->max_delta_t)
meter->max_delta_t = band_max_delta_t;
band++;
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 205/245] nvme: explicitly update mpath disk capacity on revalidation
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (203 preceding siblings ...)
2020-09-29 11:00 ` [PATCH 4.19 204/245] net: openvswitch: use div_u64() for 64-by-32 divisions Greg Kroah-Hartman
@ 2020-09-29 11:00 ` Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 206/245] ASoC: wm8994: Skip setting of the WM8994_MICBIAS register for WM1811 Greg Kroah-Hartman
` (42 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:00 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Anthony Iliopoulos,
Christoph Hellwig, Sasha Levin
From: Anthony Iliopoulos <ailiop@suse.com>
[ Upstream commit 05b29021fba5e725dd385151ef00b6340229b500 ]
Commit 3b4b19721ec652 ("nvme: fix possible deadlock when I/O is
blocked") reverted multipath head disk revalidation due to deadlocks
caused by holding the bd_mutex during revalidate.
Updating the multipath disk blockdev size is still required though for
userspace to be able to observe any resizing while the device is
mounted. Directly update the bdev inode size to avoid unnecessarily
holding the bdev->bd_mutex.
Fixes: 3b4b19721ec652 ("nvme: fix possible deadlock when I/O is
blocked")
Signed-off-by: Anthony Iliopoulos <ailiop@suse.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nvme/host/core.c | 1 +
drivers/nvme/host/nvme.h | 13 +++++++++++++
2 files changed, 14 insertions(+)
diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
index 84fcfcdb8ba5f..33dad9774da01 100644
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -1599,6 +1599,7 @@ static void __nvme_revalidate_disk(struct gendisk *disk, struct nvme_id_ns *id)
if (ns->head->disk) {
nvme_update_disk_info(ns->head->disk, ns, id);
blk_queue_stack_limits(ns->head->disk->queue, ns->queue);
+ nvme_mpath_update_disk_size(ns->head->disk);
}
#endif
}
diff --git a/drivers/nvme/host/nvme.h b/drivers/nvme/host/nvme.h
index a70b997060e68..9c2e7a151e400 100644
--- a/drivers/nvme/host/nvme.h
+++ b/drivers/nvme/host/nvme.h
@@ -504,6 +504,16 @@ static inline void nvme_mpath_check_last_path(struct nvme_ns *ns)
kblockd_schedule_work(&head->requeue_work);
}
+static inline void nvme_mpath_update_disk_size(struct gendisk *disk)
+{
+ struct block_device *bdev = bdget_disk(disk, 0);
+
+ if (bdev) {
+ bd_set_size(bdev, get_capacity(disk) << SECTOR_SHIFT);
+ bdput(bdev);
+ }
+}
+
extern struct device_attribute dev_attr_ana_grpid;
extern struct device_attribute dev_attr_ana_state;
@@ -570,6 +580,9 @@ static inline void nvme_mpath_wait_freeze(struct nvme_subsystem *subsys)
static inline void nvme_mpath_start_freeze(struct nvme_subsystem *subsys)
{
}
+static inline void nvme_mpath_update_disk_size(struct gendisk *disk)
+{
+}
#endif /* CONFIG_NVME_MULTIPATH */
#ifdef CONFIG_NVM
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 206/245] ASoC: wm8994: Skip setting of the WM8994_MICBIAS register for WM1811
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (204 preceding siblings ...)
2020-09-29 11:00 ` [PATCH 4.19 205/245] nvme: explicitly update mpath disk capacity on revalidation Greg Kroah-Hartman
@ 2020-09-29 11:00 ` Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 207/245] ASoC: wm8994: Ensure the device is resumed in wm89xx_mic_detect functions Greg Kroah-Hartman
` (41 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:00 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Sylwester Nawrocki,
Krzysztof Kozlowski, Charles Keepax, Mark Brown, Sasha Levin
From: Sylwester Nawrocki <s.nawrocki@samsung.com>
[ Upstream commit 811c5494436789e7149487c06e0602b507ce274b ]
The WM8994_MICBIAS register is not available in the WM1811 CODEC so skip
initialization of that register for that device.
This suppresses an error during boot:
"wm8994-codec: ASoC: error at snd_soc_component_update_bits on wm8994-codec"
Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
Acked-by: Krzysztof Kozlowski <krzk@kernel.org>
Acked-by: Charles Keepax <ckeepax@opensource.cirrus.com>
Link: https://lore.kernel.org/r/20200827173357.31891-1-s.nawrocki@samsung.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/codecs/wm8994.c | 2 ++
sound/soc/codecs/wm_hubs.c | 3 +++
sound/soc/codecs/wm_hubs.h | 1 +
3 files changed, 6 insertions(+)
diff --git a/sound/soc/codecs/wm8994.c b/sound/soc/codecs/wm8994.c
index 01acb8da2f48e..cd089b4143029 100644
--- a/sound/soc/codecs/wm8994.c
+++ b/sound/soc/codecs/wm8994.c
@@ -4051,11 +4051,13 @@ static int wm8994_component_probe(struct snd_soc_component *component)
wm8994->hubs.dcs_readback_mode = 2;
break;
}
+ wm8994->hubs.micd_scthr = true;
break;
case WM8958:
wm8994->hubs.dcs_readback_mode = 1;
wm8994->hubs.hp_startup_mode = 1;
+ wm8994->hubs.micd_scthr = true;
switch (control->revision) {
case 0:
diff --git a/sound/soc/codecs/wm_hubs.c b/sound/soc/codecs/wm_hubs.c
index fed6ea9b019f7..da7fa6f5459e6 100644
--- a/sound/soc/codecs/wm_hubs.c
+++ b/sound/soc/codecs/wm_hubs.c
@@ -1227,6 +1227,9 @@ int wm_hubs_handle_analogue_pdata(struct snd_soc_component *component,
snd_soc_component_update_bits(component, WM8993_ADDITIONAL_CONTROL,
WM8993_LINEOUT2_FB, WM8993_LINEOUT2_FB);
+ if (!hubs->micd_scthr)
+ return 0;
+
snd_soc_component_update_bits(component, WM8993_MICBIAS,
WM8993_JD_SCTHR_MASK | WM8993_JD_THR_MASK |
WM8993_MICB1_LVL | WM8993_MICB2_LVL,
diff --git a/sound/soc/codecs/wm_hubs.h b/sound/soc/codecs/wm_hubs.h
index ee339ad8514d1..1433d73e09bf8 100644
--- a/sound/soc/codecs/wm_hubs.h
+++ b/sound/soc/codecs/wm_hubs.h
@@ -31,6 +31,7 @@ struct wm_hubs_data {
int hp_startup_mode;
int series_startup;
int no_series_update;
+ bool micd_scthr;
bool no_cache_dac_hp_direct;
struct list_head dcs_cache;
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 207/245] ASoC: wm8994: Ensure the device is resumed in wm89xx_mic_detect functions
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (205 preceding siblings ...)
2020-09-29 11:00 ` [PATCH 4.19 206/245] ASoC: wm8994: Skip setting of the WM8994_MICBIAS register for WM1811 Greg Kroah-Hartman
@ 2020-09-29 11:00 ` Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 208/245] ASoC: Intel: bytcr_rt5640: Add quirk for MPMAN Converter9 2-in-1 Greg Kroah-Hartman
` (40 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:00 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Sylwester Nawrocki,
Krzysztof Kozlowski, Charles Keepax, Mark Brown, Sasha Levin
From: Sylwester Nawrocki <s.nawrocki@samsung.com>
[ Upstream commit f5a2cda4f1db89776b64c4f0f2c2ac609527ac70 ]
When the wm8958_mic_detect, wm8994_mic_detect functions get called from
the machine driver, e.g. from the card's late_probe() callback, the CODEC
device may be PM runtime suspended and any regmap writes have no effect.
Add PM runtime calls to these functions to ensure the device registers
are updated as expected.
This suppresses an error during boot
"wm8994-codec: ASoC: error at snd_soc_component_update_bits on wm8994-codec"
caused by the regmap access error due to the cache_only flag being set.
Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
Acked-by: Krzysztof Kozlowski <krzk@kernel.org>
Acked-by: Charles Keepax <ckeepax@opensource.cirrus.com>
Link: https://lore.kernel.org/r/20200827173357.31891-2-s.nawrocki@samsung.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/codecs/wm8994.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/sound/soc/codecs/wm8994.c b/sound/soc/codecs/wm8994.c
index cd089b4143029..e3e069277a3ff 100644
--- a/sound/soc/codecs/wm8994.c
+++ b/sound/soc/codecs/wm8994.c
@@ -3376,6 +3376,8 @@ int wm8994_mic_detect(struct snd_soc_component *component, struct snd_soc_jack *
return -EINVAL;
}
+ pm_runtime_get_sync(component->dev);
+
switch (micbias) {
case 1:
micdet = &wm8994->micdet[0];
@@ -3423,6 +3425,8 @@ int wm8994_mic_detect(struct snd_soc_component *component, struct snd_soc_jack *
snd_soc_dapm_sync(dapm);
+ pm_runtime_put(component->dev);
+
return 0;
}
EXPORT_SYMBOL_GPL(wm8994_mic_detect);
@@ -3790,6 +3794,8 @@ int wm8958_mic_detect(struct snd_soc_component *component, struct snd_soc_jack *
return -EINVAL;
}
+ pm_runtime_get_sync(component->dev);
+
if (jack) {
snd_soc_dapm_force_enable_pin(dapm, "CLK_SYS");
snd_soc_dapm_sync(dapm);
@@ -3858,6 +3864,8 @@ int wm8958_mic_detect(struct snd_soc_component *component, struct snd_soc_jack *
snd_soc_dapm_sync(dapm);
}
+ pm_runtime_put(component->dev);
+
return 0;
}
EXPORT_SYMBOL_GPL(wm8958_mic_detect);
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 208/245] ASoC: Intel: bytcr_rt5640: Add quirk for MPMAN Converter9 2-in-1
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (206 preceding siblings ...)
2020-09-29 11:00 ` [PATCH 4.19 207/245] ASoC: wm8994: Ensure the device is resumed in wm89xx_mic_detect functions Greg Kroah-Hartman
@ 2020-09-29 11:00 ` Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 209/245] RISC-V: Take text_mutex in ftrace_init_nop() Greg Kroah-Hartman
` (39 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:00 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Hans de Goede, Pierre-Louis Bossart,
Mark Brown, Sasha Levin
From: Hans de Goede <hdegoede@redhat.com>
[ Upstream commit 6a0137101f47301fff2da6ba4b9048383d569909 ]
The MPMAN Converter9 2-in-1 almost fully works with out default settings.
The only problem is that it has only 1 speaker so any sounds only playing
on the right channel get lost.
Add a quirk for this model using the default settings + MONO_SPEAKER.
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Acked-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Link: https://lore.kernel.org/r/20200901080623.4987-1-hdegoede@redhat.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/intel/boards/bytcr_rt5640.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/sound/soc/intel/boards/bytcr_rt5640.c b/sound/soc/intel/boards/bytcr_rt5640.c
index 0dcd249877c55..ec630127ef2f3 100644
--- a/sound/soc/intel/boards/bytcr_rt5640.c
+++ b/sound/soc/intel/boards/bytcr_rt5640.c
@@ -588,6 +588,16 @@ static const struct dmi_system_id byt_rt5640_quirk_table[] = {
BYT_RT5640_SSP0_AIF1 |
BYT_RT5640_MCLK_EN),
},
+ { /* MPMAN Converter 9, similar hw as the I.T.Works TW891 2-in-1 */
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "MPMAN"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "Converter9"),
+ },
+ .driver_data = (void *)(BYTCR_INPUT_DEFAULTS |
+ BYT_RT5640_MONO_SPEAKER |
+ BYT_RT5640_SSP0_AIF1 |
+ BYT_RT5640_MCLK_EN),
+ },
{
/* MPMAN MPWIN895CL */
.matches = {
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 209/245] RISC-V: Take text_mutex in ftrace_init_nop()
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (207 preceding siblings ...)
2020-09-29 11:00 ` [PATCH 4.19 208/245] ASoC: Intel: bytcr_rt5640: Add quirk for MPMAN Converter9 2-in-1 Greg Kroah-Hartman
@ 2020-09-29 11:01 ` Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 210/245] s390/init: add missing __init annotations Greg Kroah-Hartman
` (38 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:01 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Palmer Dabbelt, Guo Ren, Sasha Levin
From: Palmer Dabbelt <palmerdabbelt@google.com>
[ Upstream commit 66d18dbda8469a944dfec6c49d26d5946efba218 ]
Without this we get lockdep failures. They're spurious failures as SMP isn't
up when ftrace_init_nop() is called. As far as I can tell the easiest fix is
to just take the lock, which also seems like the safest fix.
Signed-off-by: Palmer Dabbelt <palmerdabbelt@google.com>
Acked-by: Guo Ren <guoren@kernel.org>
Signed-off-by: Palmer Dabbelt <palmerdabbelt@google.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/riscv/include/asm/ftrace.h | 7 +++++++
arch/riscv/kernel/ftrace.c | 19 +++++++++++++++++++
2 files changed, 26 insertions(+)
diff --git a/arch/riscv/include/asm/ftrace.h b/arch/riscv/include/asm/ftrace.h
index c6dcc5291f972..02fbc175142e2 100644
--- a/arch/riscv/include/asm/ftrace.h
+++ b/arch/riscv/include/asm/ftrace.h
@@ -63,4 +63,11 @@ do { \
* Let auipc+jalr be the basic *mcount unit*, so we make it 8 bytes here.
*/
#define MCOUNT_INSN_SIZE 8
+
+#ifndef __ASSEMBLY__
+struct dyn_ftrace;
+int ftrace_init_nop(struct module *mod, struct dyn_ftrace *rec);
+#define ftrace_init_nop ftrace_init_nop
+#endif
+
#endif
diff --git a/arch/riscv/kernel/ftrace.c b/arch/riscv/kernel/ftrace.c
index 6d39f64e4dce4..fa8530f05ed4f 100644
--- a/arch/riscv/kernel/ftrace.c
+++ b/arch/riscv/kernel/ftrace.c
@@ -88,6 +88,25 @@ int ftrace_make_nop(struct module *mod, struct dyn_ftrace *rec,
return __ftrace_modify_call(rec->ip, addr, false);
}
+
+/*
+ * This is called early on, and isn't wrapped by
+ * ftrace_arch_code_modify_{prepare,post_process}() and therefor doesn't hold
+ * text_mutex, which triggers a lockdep failure. SMP isn't running so we could
+ * just directly poke the text, but it's simpler to just take the lock
+ * ourselves.
+ */
+int ftrace_init_nop(struct module *mod, struct dyn_ftrace *rec)
+{
+ int out;
+
+ ftrace_arch_code_modify_prepare();
+ out = ftrace_make_nop(mod, rec, MCOUNT_ADDR);
+ ftrace_arch_code_modify_post_process();
+
+ return out;
+}
+
int ftrace_update_ftrace_func(ftrace_func_t func)
{
int ret = __ftrace_modify_call((unsigned long)&ftrace_call,
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 210/245] s390/init: add missing __init annotations
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (208 preceding siblings ...)
2020-09-29 11:01 ` [PATCH 4.19 209/245] RISC-V: Take text_mutex in ftrace_init_nop() Greg Kroah-Hartman
@ 2020-09-29 11:01 ` Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 211/245] lockdep: fix order in trace_hardirqs_off_caller() Greg Kroah-Hartman
` (37 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:01 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Ilya Leoshkevich, Heiko Carstens,
Vasily Gorbik, Sasha Levin
From: Ilya Leoshkevich <iii@linux.ibm.com>
[ Upstream commit fcb2b70cdb194157678fb1a75f9ff499aeba3d2a ]
Add __init to reserve_memory_end, reserve_oldmem and remove_oldmem.
Sometimes these functions are not inlined, and then the build
complains about section mismatch.
Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/s390/kernel/setup.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/arch/s390/kernel/setup.c b/arch/s390/kernel/setup.c
index 5f85e0dfa66d1..4bda9055daefa 100644
--- a/arch/s390/kernel/setup.c
+++ b/arch/s390/kernel/setup.c
@@ -537,7 +537,7 @@ static struct notifier_block kdump_mem_nb = {
/*
* Make sure that the area behind memory_end is protected
*/
-static void reserve_memory_end(void)
+static void __init reserve_memory_end(void)
{
#ifdef CONFIG_CRASH_DUMP
if (ipl_info.type == IPL_TYPE_FCP_DUMP &&
@@ -555,7 +555,7 @@ static void reserve_memory_end(void)
/*
* Make sure that oldmem, where the dump is stored, is protected
*/
-static void reserve_oldmem(void)
+static void __init reserve_oldmem(void)
{
#ifdef CONFIG_CRASH_DUMP
if (OLDMEM_BASE)
@@ -567,7 +567,7 @@ static void reserve_oldmem(void)
/*
* Make sure that oldmem, where the dump is stored, is protected
*/
-static void remove_oldmem(void)
+static void __init remove_oldmem(void)
{
#ifdef CONFIG_CRASH_DUMP
if (OLDMEM_BASE)
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 211/245] lockdep: fix order in trace_hardirqs_off_caller()
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (209 preceding siblings ...)
2020-09-29 11:01 ` [PATCH 4.19 210/245] s390/init: add missing __init annotations Greg Kroah-Hartman
@ 2020-09-29 11:01 ` Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 212/245] drm/amdkfd: fix a memory leak issue Greg Kroah-Hartman
` (36 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:01 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Peter Zijlstra, Sven Schnelle,
Vasily Gorbik, Sasha Levin
From: Sven Schnelle <svens@linux.ibm.com>
[ Upstream commit 73ac74c7d489756d2313219a108809921dbfaea1 ]
Switch order so that locking state is consistent even
if the IRQ tracer calls into lockdep again.
Acked-by: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Sven Schnelle <svens@linux.ibm.com>
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/trace/trace_preemptirq.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/kernel/trace/trace_preemptirq.c b/kernel/trace/trace_preemptirq.c
index 71f553cceb3c1..0e373cb0106bb 100644
--- a/kernel/trace/trace_preemptirq.c
+++ b/kernel/trace/trace_preemptirq.c
@@ -59,14 +59,14 @@ EXPORT_SYMBOL(trace_hardirqs_on_caller);
__visible void trace_hardirqs_off_caller(unsigned long caller_addr)
{
+ lockdep_hardirqs_off(CALLER_ADDR0);
+
if (!this_cpu_read(tracing_irq_cpu)) {
this_cpu_write(tracing_irq_cpu, 1);
tracer_hardirqs_off(CALLER_ADDR0, caller_addr);
if (!in_nmi())
trace_irq_disable_rcuidle(CALLER_ADDR0, caller_addr);
}
-
- lockdep_hardirqs_off(CALLER_ADDR0);
}
EXPORT_SYMBOL(trace_hardirqs_off_caller);
#endif /* CONFIG_TRACE_IRQFLAGS */
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 212/245] drm/amdkfd: fix a memory leak issue
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (210 preceding siblings ...)
2020-09-29 11:01 ` [PATCH 4.19 211/245] lockdep: fix order in trace_hardirqs_off_caller() Greg Kroah-Hartman
@ 2020-09-29 11:01 ` Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 213/245] i2c: core: Call i2c_acpi_install_space_handler() before i2c_acpi_register_devices() Greg Kroah-Hartman
` (35 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:01 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Felix Kuehling, Dennis Li,
Alex Deucher, Sasha Levin
From: Dennis Li <Dennis.Li@amd.com>
[ Upstream commit 087d764159996ae378b08c0fdd557537adfd6899 ]
In the resume stage of GPU recovery, start_cpsch will call pm_init
which set pm->allocated as false, cause the next pm_release_ib has
no chance to release ib memory.
Add pm_release_ib in stop_cpsch which will be called in the suspend
stage of GPU recovery.
Reviewed-by: Felix Kuehling <Felix.Kuehling@amd.com>
Signed-off-by: Dennis Li <Dennis.Li@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
index 189212cb35475..bff39f561264e 100644
--- a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
@@ -1101,6 +1101,8 @@ static int stop_cpsch(struct device_queue_manager *dqm)
unmap_queues_cpsch(dqm, KFD_UNMAP_QUEUES_FILTER_ALL_QUEUES, 0);
dqm_unlock(dqm);
+ pm_release_ib(&dqm->packets);
+
kfd_gtt_sa_free(dqm->dev, dqm->fence_mem);
pm_uninit(&dqm->packets);
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 213/245] i2c: core: Call i2c_acpi_install_space_handler() before i2c_acpi_register_devices()
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (211 preceding siblings ...)
2020-09-29 11:01 ` [PATCH 4.19 212/245] drm/amdkfd: fix a memory leak issue Greg Kroah-Hartman
@ 2020-09-29 11:01 ` Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 214/245] objtool: Fix noreturn detection for ignored functions Greg Kroah-Hartman
` (34 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:01 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Hans de Goede, Mika Westerberg,
Wolfram Sang, Sasha Levin
From: Hans de Goede <hdegoede@redhat.com>
[ Upstream commit 21653a4181ff292480599dad996a2b759ccf050f ]
Some ACPI i2c-devices _STA method (which is used to detect if the device
is present) use autodetection code which probes which device is present
over i2c. This requires the I2C ACPI OpRegion handler to be registered
before we enumerate i2c-clients under the i2c-adapter.
This fixes the i2c touchpad on the Lenovo ThinkBook 14-IIL and
ThinkBook 15 IIL not getting an i2c-client instantiated and thus not
working.
BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1842039
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Wolfram Sang <wsa@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i2c/i2c-core-base.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/i2c/i2c-core-base.c b/drivers/i2c/i2c-core-base.c
index f225bef1e043c..41dd0a08a625c 100644
--- a/drivers/i2c/i2c-core-base.c
+++ b/drivers/i2c/i2c-core-base.c
@@ -1292,8 +1292,8 @@ static int i2c_register_adapter(struct i2c_adapter *adap)
/* create pre-declared device nodes */
of_i2c_register_devices(adap);
- i2c_acpi_register_devices(adap);
i2c_acpi_install_space_handler(adap);
+ i2c_acpi_register_devices(adap);
if (adap->nr < __i2c_first_dynamic_bus_num)
i2c_scan_static_board_info(adap);
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 214/245] objtool: Fix noreturn detection for ignored functions
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (212 preceding siblings ...)
2020-09-29 11:01 ` [PATCH 4.19 213/245] i2c: core: Call i2c_acpi_install_space_handler() before i2c_acpi_register_devices() Greg Kroah-Hartman
@ 2020-09-29 11:01 ` Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 215/245] ieee802154: fix one possible memleak in ca8210_dev_com_init Greg Kroah-Hartman
` (33 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:01 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Linus Torvalds, Josh Poimboeuf,
Borislav Petkov, Sasha Levin
From: Josh Poimboeuf <jpoimboe@redhat.com>
[ Upstream commit db6c6a0df840e3f52c84cc302cc1a08ba11a4416 ]
When a function is annotated with STACK_FRAME_NON_STANDARD, objtool
doesn't validate its code paths. It also skips sibling call detection
within the function.
But sibling call detection is actually needed for the case where the
ignored function doesn't have any return instructions. Otherwise
objtool naively marks the function as implicit static noreturn, which
affects the reachability of its callers, resulting in "unreachable
instruction" warnings.
Fix it by just enabling sibling call detection for ignored functions.
The 'insn->ignore' check in add_jump_destinations() is no longer needed
after
e6da9567959e ("objtool: Don't use ignore flag for fake jumps").
Fixes the following warning:
arch/x86/kvm/vmx/vmx.o: warning: objtool: vmx_handle_exit_irqoff()+0x142: unreachable instruction
which triggers on an allmodconfig with CONFIG_GCOV_KERNEL unset.
Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
Link: https://lkml.kernel.org/r/5b1e2536cdbaa5246b60d7791b76130a74082c62.1599751464.git.jpoimboe@redhat.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/objtool/check.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/objtool/check.c b/tools/objtool/check.c
index fd3071d83deae..c0ab27368a345 100644
--- a/tools/objtool/check.c
+++ b/tools/objtool/check.c
@@ -503,7 +503,7 @@ static int add_jump_destinations(struct objtool_file *file)
insn->type != INSN_JUMP_UNCONDITIONAL)
continue;
- if (insn->ignore || insn->offset == FAKE_JUMP_OFFSET)
+ if (insn->offset == FAKE_JUMP_OFFSET)
continue;
rela = find_rela_by_dest_range(insn->sec, insn->offset,
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 215/245] ieee802154: fix one possible memleak in ca8210_dev_com_init
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (213 preceding siblings ...)
2020-09-29 11:01 ` [PATCH 4.19 214/245] objtool: Fix noreturn detection for ignored functions Greg Kroah-Hartman
@ 2020-09-29 11:01 ` Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 216/245] ieee802154/adf7242: check status of adf7242_read_reg Greg Kroah-Hartman
` (32 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:01 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Liu Jian, Stefan Schmidt, Sasha Levin
From: Liu Jian <liujian56@huawei.com>
[ Upstream commit 88f46b3fe2ac41c381770ebad9f2ee49346b57a2 ]
We should call destroy_workqueue to destroy mlme_workqueue in error branch.
Fixes: ded845a781a5 ("ieee802154: Add CA8210 IEEE 802.15.4 device driver")
Signed-off-by: Liu Jian <liujian56@huawei.com>
Link: https://lore.kernel.org/r/20200720143315.40523-1-liujian56@huawei.com
Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ieee802154/ca8210.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/ieee802154/ca8210.c b/drivers/net/ieee802154/ca8210.c
index 38a41651e451c..deace0aadad24 100644
--- a/drivers/net/ieee802154/ca8210.c
+++ b/drivers/net/ieee802154/ca8210.c
@@ -2923,6 +2923,7 @@ static int ca8210_dev_com_init(struct ca8210_priv *priv)
);
if (!priv->irq_workqueue) {
dev_crit(&priv->spi->dev, "alloc of irq_workqueue failed!\n");
+ destroy_workqueue(priv->mlme_workqueue);
return -ENOMEM;
}
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 216/245] ieee802154/adf7242: check status of adf7242_read_reg
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (214 preceding siblings ...)
2020-09-29 11:01 ` [PATCH 4.19 215/245] ieee802154: fix one possible memleak in ca8210_dev_com_init Greg Kroah-Hartman
@ 2020-09-29 11:01 ` Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 217/245] clocksource/drivers/h8300_timer8: Fix wrong return value in h8300_8timer_init() Greg Kroah-Hartman
` (31 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:01 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Tom Rix, Michael Hennerich,
Stefan Schmidt, Sasha Levin
From: Tom Rix <trix@redhat.com>
[ Upstream commit e3914ed6cf44bfe1f169e26241f8314556fd1ac1 ]
Clang static analysis reports this error
adf7242.c:887:6: warning: Assigned value is garbage or undefined
len = len_u8;
^ ~~~~~~
len_u8 is set in
adf7242_read_reg(lp, 0, &len_u8);
When this call fails, len_u8 is not set.
So check the return code.
Fixes: 7302b9d90117 ("ieee802154/adf7242: Driver for ADF7242 MAC IEEE802154")
Signed-off-by: Tom Rix <trix@redhat.com>
Acked-by: Michael Hennerich <michael.hennerich@analog.com>
Link: https://lore.kernel.org/r/20200802142339.21091-1-trix@redhat.com
Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ieee802154/adf7242.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ieee802154/adf7242.c b/drivers/net/ieee802154/adf7242.c
index 71be8524cca87..a686926bba71e 100644
--- a/drivers/net/ieee802154/adf7242.c
+++ b/drivers/net/ieee802154/adf7242.c
@@ -883,7 +883,9 @@ static int adf7242_rx(struct adf7242_local *lp)
int ret;
u8 lqi, len_u8, *data;
- adf7242_read_reg(lp, 0, &len_u8);
+ ret = adf7242_read_reg(lp, 0, &len_u8);
+ if (ret)
+ return ret;
len = len_u8;
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 217/245] clocksource/drivers/h8300_timer8: Fix wrong return value in h8300_8timer_init()
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (215 preceding siblings ...)
2020-09-29 11:01 ` [PATCH 4.19 216/245] ieee802154/adf7242: check status of adf7242_read_reg Greg Kroah-Hartman
@ 2020-09-29 11:01 ` Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 218/245] mwifiex: Increase AES key storage size to 256 bits Greg Kroah-Hartman
` (30 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:01 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Daniel Lezcano, Tianjia Zhang, Sasha Levin
From: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
[ Upstream commit 400d033f5a599120089b5f0c54d14d198499af5a ]
In the init function, if the call to of_iomap() fails, the return
value is ENXIO instead of -ENXIO.
Change to the right negative errno.
Fixes: 691f8f878290f ("clocksource/drivers/h8300_timer8: Convert init function to return error")
Cc: Daniel Lezcano <daniel.lezcano@linaro.org>
Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
Link: https://lore.kernel.org/r/20200802111541.5429-1-tianjia.zhang@linux.alibaba.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clocksource/h8300_timer8.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/clocksource/h8300_timer8.c b/drivers/clocksource/h8300_timer8.c
index 1d740a8c42ab3..47114c2a7cb54 100644
--- a/drivers/clocksource/h8300_timer8.c
+++ b/drivers/clocksource/h8300_timer8.c
@@ -169,7 +169,7 @@ static int __init h8300_8timer_init(struct device_node *node)
return PTR_ERR(clk);
}
- ret = ENXIO;
+ ret = -ENXIO;
base = of_iomap(node, 0);
if (!base) {
pr_err("failed to map registers for clockevent\n");
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 218/245] mwifiex: Increase AES key storage size to 256 bits
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (216 preceding siblings ...)
2020-09-29 11:01 ` [PATCH 4.19 217/245] clocksource/drivers/h8300_timer8: Fix wrong return value in h8300_8timer_init() Greg Kroah-Hartman
@ 2020-09-29 11:01 ` Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 219/245] batman-adv: bla: fix type misuse for backbone_gw hash indexing Greg Kroah-Hartman
` (29 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:01 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Maximilian Luz, Kaloyan Nikolov,
Dan Carpenter, Brian Norris, Kalle Valo, Sasha Levin
From: Maximilian Luz <luzmaximilian@gmail.com>
[ Upstream commit 4afc850e2e9e781976fb2c7852ce7bac374af938 ]
Following commit e18696786548 ("mwifiex: Prevent memory corruption
handling keys") the mwifiex driver fails to authenticate with certain
networks, specifically networks with 256 bit keys, and repeatedly asks
for the password. The kernel log repeats the following lines (id and
bssid redacted):
mwifiex_pcie 0000:01:00.0: info: trying to associate to '<id>' bssid <bssid>
mwifiex_pcie 0000:01:00.0: info: associated to bssid <bssid> successfully
mwifiex_pcie 0000:01:00.0: crypto keys added
mwifiex_pcie 0000:01:00.0: info: successfully disconnected from <bssid>: reason code 3
Tracking down this problem lead to the overflow check introduced by the
aforementioned commit into mwifiex_ret_802_11_key_material_v2(). This
check fails on networks with 256 bit keys due to the current storage
size for AES keys in struct mwifiex_aes_param being only 128 bit.
To fix this issue, increase the storage size for AES keys to 256 bit.
Fixes: e18696786548 ("mwifiex: Prevent memory corruption handling keys")
Signed-off-by: Maximilian Luz <luzmaximilian@gmail.com>
Reported-by: Kaloyan Nikolov <konik98@gmail.com>
Tested-by: Kaloyan Nikolov <konik98@gmail.com>
Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Brian Norris <briannorris@chromium.org>
Tested-by: Brian Norris <briannorris@chromium.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20200825153829.38043-1-luzmaximilian@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/marvell/mwifiex/fw.h | 2 +-
drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/net/wireless/marvell/mwifiex/fw.h b/drivers/net/wireless/marvell/mwifiex/fw.h
index 1fb76d2f5d3fd..8b9d0809daf62 100644
--- a/drivers/net/wireless/marvell/mwifiex/fw.h
+++ b/drivers/net/wireless/marvell/mwifiex/fw.h
@@ -953,7 +953,7 @@ struct mwifiex_tkip_param {
struct mwifiex_aes_param {
u8 pn[WPA_PN_SIZE];
__le16 key_len;
- u8 key[WLAN_KEY_LEN_CCMP];
+ u8 key[WLAN_KEY_LEN_CCMP_256];
} __packed;
struct mwifiex_wapi_param {
diff --git a/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c b/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c
index 797c2e9783943..7003767eef423 100644
--- a/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c
+++ b/drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c
@@ -620,7 +620,7 @@ static int mwifiex_ret_802_11_key_material_v2(struct mwifiex_private *priv,
key_v2 = &resp->params.key_material_v2;
len = le16_to_cpu(key_v2->key_param_set.key_params.aes.key_len);
- if (len > WLAN_KEY_LEN_CCMP)
+ if (len > sizeof(key_v2->key_param_set.key_params.aes.key))
return -EINVAL;
if (le16_to_cpu(key_v2->action) == HostCmd_ACT_GEN_SET) {
@@ -636,7 +636,7 @@ static int mwifiex_ret_802_11_key_material_v2(struct mwifiex_private *priv,
return 0;
memset(priv->aes_key_v2.key_param_set.key_params.aes.key, 0,
- WLAN_KEY_LEN_CCMP);
+ sizeof(key_v2->key_param_set.key_params.aes.key));
priv->aes_key_v2.key_param_set.key_params.aes.key_len =
cpu_to_le16(len);
memcpy(priv->aes_key_v2.key_param_set.key_params.aes.key,
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 219/245] batman-adv: bla: fix type misuse for backbone_gw hash indexing
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (217 preceding siblings ...)
2020-09-29 11:01 ` [PATCH 4.19 218/245] mwifiex: Increase AES key storage size to 256 bits Greg Kroah-Hartman
@ 2020-09-29 11:01 ` Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 220/245] atm: eni: fix the missed pci_disable_device() for eni_init_one() Greg Kroah-Hartman
` (28 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:01 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Linus Lüssing, Sven Eckelmann,
Sasha Levin
From: Linus Lüssing <ll@simonwunderlich.de>
[ Upstream commit 097930e85f90f252c44dc0d084598265dd44ca48 ]
It seems that due to a copy & paste error the void pointer
in batadv_choose_backbone_gw() is cast to the wrong type.
Fixing this by using "struct batadv_bla_backbone_gw" instead of "struct
batadv_bla_claim" which better matches the caller's side.
For now it seems that we were lucky because the two structs both have
their orig/vid and addr/vid in the beginning. However I stumbled over
this issue when I was trying to add some debug variables in front of
"orig" in batadv_backbone_gw, which caused hash lookups to fail.
Fixes: 07568d0369f9 ("batman-adv: don't rely on positions in struct for hashing")
Signed-off-by: Linus Lüssing <ll@simonwunderlich.de>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/bridge_loop_avoidance.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c
index 9b8bf06ccb613..e71a35a3950de 100644
--- a/net/batman-adv/bridge_loop_avoidance.c
+++ b/net/batman-adv/bridge_loop_avoidance.c
@@ -96,11 +96,12 @@ static inline u32 batadv_choose_claim(const void *data, u32 size)
*/
static inline u32 batadv_choose_backbone_gw(const void *data, u32 size)
{
- const struct batadv_bla_claim *claim = (struct batadv_bla_claim *)data;
+ const struct batadv_bla_backbone_gw *gw;
u32 hash = 0;
- hash = jhash(&claim->addr, sizeof(claim->addr), hash);
- hash = jhash(&claim->vid, sizeof(claim->vid), hash);
+ gw = (struct batadv_bla_backbone_gw *)data;
+ hash = jhash(&gw->orig, sizeof(gw->orig), hash);
+ hash = jhash(&gw->vid, sizeof(gw->vid), hash);
return hash % size;
}
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 220/245] atm: eni: fix the missed pci_disable_device() for eni_init_one()
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (218 preceding siblings ...)
2020-09-29 11:01 ` [PATCH 4.19 219/245] batman-adv: bla: fix type misuse for backbone_gw hash indexing Greg Kroah-Hartman
@ 2020-09-29 11:01 ` Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 221/245] batman-adv: mcast/TT: fix wrongly dropped or rerouted packets Greg Kroah-Hartman
` (27 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:01 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Jing Xiangfeng, Jakub Kicinski, Sasha Levin
From: Jing Xiangfeng <jingxiangfeng@huawei.com>
[ Upstream commit c2b947879ca320ac5505c6c29a731ff17da5e805 ]
eni_init_one() misses to call pci_disable_device() in an error path.
Jump to err_disable to fix it.
Fixes: ede58ef28e10 ("atm: remove deprecated use of pci api")
Signed-off-by: Jing Xiangfeng <jingxiangfeng@huawei.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/atm/eni.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/atm/eni.c b/drivers/atm/eni.c
index 7323e9210f4b1..38fec976e62d4 100644
--- a/drivers/atm/eni.c
+++ b/drivers/atm/eni.c
@@ -2243,7 +2243,7 @@ static int eni_init_one(struct pci_dev *pci_dev,
rc = dma_set_mask_and_coherent(&pci_dev->dev, DMA_BIT_MASK(32));
if (rc < 0)
- goto out;
+ goto err_disable;
rc = -ENOMEM;
eni_dev = kmalloc(sizeof(struct eni_dev), GFP_KERNEL);
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 221/245] batman-adv: mcast/TT: fix wrongly dropped or rerouted packets
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (219 preceding siblings ...)
2020-09-29 11:01 ` [PATCH 4.19 220/245] atm: eni: fix the missed pci_disable_device() for eni_init_one() Greg Kroah-Hartman
@ 2020-09-29 11:01 ` Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 222/245] mac802154: tx: fix use-after-free Greg Kroah-Hartman
` (26 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:01 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Linus Lüssing, Sven Eckelmann,
Simon Wunderlich, Sasha Levin
From: Linus Lüssing <linus.luessing@c0d3.blue>
[ Upstream commit 7dda5b3384121181c4e79f6eaeac2b94c0622c8d ]
The unicast packet rerouting code makes several assumptions. For
instance it assumes that there is always exactly one destination in the
TT. This breaks for multicast frames in a unicast packets in several ways:
For one thing if there is actually no TT entry and the destination node
was selected due to the multicast tvlv flags it announced. Then an
intermediate node will wrongly drop the packet.
For another thing if there is a TT entry but the TTVN of this entry is
newer than the originally addressed destination node: Then the
intermediate node will wrongly redirect the packet, leading to
duplicated multicast packets at a multicast listener and missing
packets at other multicast listeners or multicast routers.
Fixing this by not applying the unicast packet rerouting to batman-adv
unicast packets with a multicast payload. We are not able to detect a
roaming multicast listener at the moment and will just continue to send
the multicast frame to both the new and old destination for a while in
case of such a roaming multicast listener.
Fixes: a73105b8d4c7 ("batman-adv: improved client announcement mechanism")
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/routing.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/batman-adv/routing.c b/net/batman-adv/routing.c
index cc3ed93a6d513..98af41e3810dc 100644
--- a/net/batman-adv/routing.c
+++ b/net/batman-adv/routing.c
@@ -838,6 +838,10 @@ static bool batadv_check_unicast_ttvn(struct batadv_priv *bat_priv,
vid = batadv_get_vid(skb, hdr_len);
ethhdr = (struct ethhdr *)(skb->data + hdr_len);
+ /* do not reroute multicast frames in a unicast header */
+ if (is_multicast_ether_addr(ethhdr->h_dest))
+ return true;
+
/* check if the destination client was served by this node and it is now
* roaming. In this case, it means that the node has got a ROAM_ADV
* message and that it knows the new destination in the mesh to re-route
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 222/245] mac802154: tx: fix use-after-free
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (220 preceding siblings ...)
2020-09-29 11:01 ` [PATCH 4.19 221/245] batman-adv: mcast/TT: fix wrongly dropped or rerouted packets Greg Kroah-Hartman
@ 2020-09-29 11:01 ` Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 223/245] bpf: Fix clobbering of r2 in bpf_gen_ld_abs Greg Kroah-Hartman
` (25 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:01 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Eric Dumazet, syzbot,
Alexander Aring, Stefan Schmidt, linux-wpan, Sasha Levin
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 0ff4628f4c6c1ab87eef9f16b25355cadc426d64 ]
syzbot reported a bug in ieee802154_tx() [1]
A similar issue in ieee802154_xmit_worker() is also fixed in this patch.
[1]
BUG: KASAN: use-after-free in ieee802154_tx+0x3d2/0x480 net/mac802154/tx.c:88
Read of size 4 at addr ffff8880251a8c70 by task syz-executor.3/928
CPU: 0 PID: 928 Comm: syz-executor.3 Not tainted 5.9.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x198/0x1fd lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xae/0x497 mm/kasan/report.c:383
__kasan_report mm/kasan/report.c:513 [inline]
kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
ieee802154_tx+0x3d2/0x480 net/mac802154/tx.c:88
ieee802154_subif_start_xmit+0xbe/0xe4 net/mac802154/tx.c:130
__netdev_start_xmit include/linux/netdevice.h:4634 [inline]
netdev_start_xmit include/linux/netdevice.h:4648 [inline]
dev_direct_xmit+0x4e9/0x6e0 net/core/dev.c:4203
packet_snd net/packet/af_packet.c:2989 [inline]
packet_sendmsg+0x2413/0x5290 net/packet/af_packet.c:3014
sock_sendmsg_nosec net/socket.c:651 [inline]
sock_sendmsg+0xcf/0x120 net/socket.c:671
____sys_sendmsg+0x6e8/0x810 net/socket.c:2353
___sys_sendmsg+0xf3/0x170 net/socket.c:2407
__sys_sendmsg+0xe5/0x1b0 net/socket.c:2440
do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45d5b9
Code: 5d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fc98e749c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 000000000002ccc0 RCX: 000000000045d5b9
RDX: 0000000000000000 RSI: 0000000020007780 RDI: 000000000000000b
RBP: 000000000118d020 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118cfec
R13: 00007fff690c720f R14: 00007fc98e74a9c0 R15: 000000000118cfec
Allocated by task 928:
kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
kasan_set_track mm/kasan/common.c:56 [inline]
__kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:461
slab_post_alloc_hook mm/slab.h:518 [inline]
slab_alloc_node mm/slab.c:3254 [inline]
kmem_cache_alloc_node+0x136/0x3e0 mm/slab.c:3574
__alloc_skb+0x71/0x550 net/core/skbuff.c:198
alloc_skb include/linux/skbuff.h:1094 [inline]
alloc_skb_with_frags+0x92/0x570 net/core/skbuff.c:5771
sock_alloc_send_pskb+0x72a/0x880 net/core/sock.c:2348
packet_alloc_skb net/packet/af_packet.c:2837 [inline]
packet_snd net/packet/af_packet.c:2932 [inline]
packet_sendmsg+0x19fb/0x5290 net/packet/af_packet.c:3014
sock_sendmsg_nosec net/socket.c:651 [inline]
sock_sendmsg+0xcf/0x120 net/socket.c:671
____sys_sendmsg+0x6e8/0x810 net/socket.c:2353
___sys_sendmsg+0xf3/0x170 net/socket.c:2407
__sys_sendmsg+0xe5/0x1b0 net/socket.c:2440
do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Freed by task 928:
kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
kasan_set_track+0x1c/0x30 mm/kasan/common.c:56
kasan_set_free_info+0x1b/0x30 mm/kasan/generic.c:355
__kasan_slab_free+0xd8/0x120 mm/kasan/common.c:422
__cache_free mm/slab.c:3418 [inline]
kmem_cache_free.part.0+0x74/0x1e0 mm/slab.c:3693
kfree_skbmem+0xef/0x1b0 net/core/skbuff.c:622
__kfree_skb net/core/skbuff.c:679 [inline]
consume_skb net/core/skbuff.c:838 [inline]
consume_skb+0xcf/0x160 net/core/skbuff.c:832
__dev_kfree_skb_any+0x9c/0xc0 net/core/dev.c:3107
fakelb_hw_xmit+0x20e/0x2a0 drivers/net/ieee802154/fakelb.c:81
drv_xmit_async net/mac802154/driver-ops.h:16 [inline]
ieee802154_tx+0x282/0x480 net/mac802154/tx.c:81
ieee802154_subif_start_xmit+0xbe/0xe4 net/mac802154/tx.c:130
__netdev_start_xmit include/linux/netdevice.h:4634 [inline]
netdev_start_xmit include/linux/netdevice.h:4648 [inline]
dev_direct_xmit+0x4e9/0x6e0 net/core/dev.c:4203
packet_snd net/packet/af_packet.c:2989 [inline]
packet_sendmsg+0x2413/0x5290 net/packet/af_packet.c:3014
sock_sendmsg_nosec net/socket.c:651 [inline]
sock_sendmsg+0xcf/0x120 net/socket.c:671
____sys_sendmsg+0x6e8/0x810 net/socket.c:2353
___sys_sendmsg+0xf3/0x170 net/socket.c:2407
__sys_sendmsg+0xe5/0x1b0 net/socket.c:2440
do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x44/0xa9
The buggy address belongs to the object at ffff8880251a8c00
which belongs to the cache skbuff_head_cache of size 224
The buggy address is located 112 bytes inside of
224-byte region [ffff8880251a8c00, ffff8880251a8ce0)
The buggy address belongs to the page:
page:0000000062b6a4f1 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x251a8
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea0000435c88 ffffea00028b6c08 ffff8880a9055d00
raw: 0000000000000000 ffff8880251a80c0 000000010000000c 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880251a8b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880251a8b80: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880251a8c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880251a8c80: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
ffff8880251a8d00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
Fixes: 409c3b0c5f03 ("mac802154: tx: move stats tx increment")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: Alexander Aring <alex.aring@gmail.com>
Cc: Stefan Schmidt <stefan@datenfreihafen.org>
Cc: linux-wpan@vger.kernel.org
Link: https://lore.kernel.org/r/20200908104025.4009085-1-edumazet@google.com
Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/mac802154/tx.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/net/mac802154/tx.c b/net/mac802154/tx.c
index bcd1a5e6ebf42..2f873a0dc5836 100644
--- a/net/mac802154/tx.c
+++ b/net/mac802154/tx.c
@@ -42,11 +42,11 @@ void ieee802154_xmit_worker(struct work_struct *work)
if (res)
goto err_tx;
- ieee802154_xmit_complete(&local->hw, skb, false);
-
dev->stats.tx_packets++;
dev->stats.tx_bytes += skb->len;
+ ieee802154_xmit_complete(&local->hw, skb, false);
+
return;
err_tx:
@@ -86,6 +86,8 @@ ieee802154_tx(struct ieee802154_local *local, struct sk_buff *skb)
/* async is priority, otherwise sync is fallback */
if (local->ops->xmit_async) {
+ unsigned int len = skb->len;
+
ret = drv_xmit_async(local, skb);
if (ret) {
ieee802154_wake_queue(&local->hw);
@@ -93,7 +95,7 @@ ieee802154_tx(struct ieee802154_local *local, struct sk_buff *skb)
}
dev->stats.tx_packets++;
- dev->stats.tx_bytes += skb->len;
+ dev->stats.tx_bytes += len;
} else {
local->tx_skb = skb;
queue_work(local->workqueue, &local->tx_work);
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 223/245] bpf: Fix clobbering of r2 in bpf_gen_ld_abs
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (221 preceding siblings ...)
2020-09-29 11:01 ` [PATCH 4.19 222/245] mac802154: tx: fix use-after-free Greg Kroah-Hartman
@ 2020-09-29 11:01 ` Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 224/245] drm/vc4/vc4_hdmi: fill ASoC card owner Greg Kroah-Hartman
` (24 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:01 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Bryce Kahle, Daniel Borkmann,
Alexei Starovoitov, Sasha Levin
From: Daniel Borkmann <daniel@iogearbox.net>
[ Upstream commit e6a18d36118bea3bf497c9df4d9988b6df120689 ]
Bryce reported that he saw the following with:
0: r6 = r1
1: r1 = 12
2: r0 = *(u16 *)skb[r1]
The xlated sequence was incorrectly clobbering r2 with pointer
value of r6 ...
0: (bf) r6 = r1
1: (b7) r1 = 12
2: (bf) r1 = r6
3: (bf) r2 = r1
4: (85) call bpf_skb_load_helper_16_no_cache#7692160
... and hence call to the load helper never succeeded given the
offset was too high. Fix it by reordering the load of r6 to r1.
Other than that the insn has similar calling convention than BPF
helpers, that is, r0 - r5 are scratch regs, so nothing else
affected after the insn.
Fixes: e0cea7ce988c ("bpf: implement ld_abs/ld_ind in native bpf")
Reported-by: Bryce Kahle <bryce.kahle@datadoghq.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Link: https://lore.kernel.org/bpf/cace836e4d07bb63b1a53e49c5dfb238a040c298.1599512096.git.daniel@iogearbox.net
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/filter.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/core/filter.c b/net/core/filter.c
index 25a2c3186e14a..557bd5cc8f94c 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -5418,8 +5418,6 @@ static int bpf_gen_ld_abs(const struct bpf_insn *orig,
bool indirect = BPF_MODE(orig->code) == BPF_IND;
struct bpf_insn *insn = insn_buf;
- /* We're guaranteed here that CTX is in R6. */
- *insn++ = BPF_MOV64_REG(BPF_REG_1, BPF_REG_CTX);
if (!indirect) {
*insn++ = BPF_MOV64_IMM(BPF_REG_2, orig->imm);
} else {
@@ -5427,6 +5425,8 @@ static int bpf_gen_ld_abs(const struct bpf_insn *orig,
if (orig->imm)
*insn++ = BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, orig->imm);
}
+ /* We're guaranteed here that CTX is in R6. */
+ *insn++ = BPF_MOV64_REG(BPF_REG_1, BPF_REG_CTX);
switch (BPF_SIZE(orig->code)) {
case BPF_B:
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 224/245] drm/vc4/vc4_hdmi: fill ASoC card owner
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (222 preceding siblings ...)
2020-09-29 11:01 ` [PATCH 4.19 223/245] bpf: Fix clobbering of r2 in bpf_gen_ld_abs Greg Kroah-Hartman
@ 2020-09-29 11:01 ` Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 225/245] net: qed: RDMA personality shouldnt fail VF load Greg Kroah-Hartman
` (23 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:01 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Takashi Iwai, Marek Szyprowski,
Stefan Wahren, Maxime Ripard, Sasha Levin
From: Marek Szyprowski <m.szyprowski@samsung.com>
[ Upstream commit ec653df2a0cbc306a4bfcb0e3484d318fa779002 ]
card->owner is a required property and since commit 81033c6b584b ("ALSA:
core: Warn on empty module") a warning is issued if it is empty. Fix lack
of it. This fixes following warning observed on RaspberryPi 3B board
with ARM 32bit kernel and multi_v7_defconfig:
------------[ cut here ]------------
WARNING: CPU: 1 PID: 210 at sound/core/init.c:207 snd_card_new+0x378/0x398 [snd]
Modules linked in: vc4(+) snd_soc_core ac97_bus snd_pcm_dmaengine bluetooth snd_pcm snd_timer crc32_arm_ce raspberrypi_hwmon snd soundcore ecdh_generic ecc bcm2835_thermal phy_generic
CPU: 1 PID: 210 Comm: systemd-udevd Not tainted 5.8.0-rc1-00027-g81033c6b584b #1087
Hardware name: BCM2835
[<c03113c0>] (unwind_backtrace) from [<c030bcb4>] (show_stack+0x10/0x14)
[<c030bcb4>] (show_stack) from [<c071cef8>] (dump_stack+0xd4/0xe8)
[<c071cef8>] (dump_stack) from [<c0345bfc>] (__warn+0xdc/0xf4)
[<c0345bfc>] (__warn) from [<c0345cc4>] (warn_slowpath_fmt+0xb0/0xb8)
[<c0345cc4>] (warn_slowpath_fmt) from [<bf02ff74>] (snd_card_new+0x378/0x398 [snd])
[<bf02ff74>] (snd_card_new [snd]) from [<bf11f0b4>] (snd_soc_bind_card+0x280/0x99c [snd_soc_core])
[<bf11f0b4>] (snd_soc_bind_card [snd_soc_core]) from [<bf12f000>] (devm_snd_soc_register_card+0x34/0x6c [snd_soc_core])
[<bf12f000>] (devm_snd_soc_register_card [snd_soc_core]) from [<bf165654>] (vc4_hdmi_bind+0x43c/0x5f4 [vc4])
[<bf165654>] (vc4_hdmi_bind [vc4]) from [<c09d660c>] (component_bind_all+0xec/0x24c)
[<c09d660c>] (component_bind_all) from [<bf15c44c>] (vc4_drm_bind+0xd4/0x174 [vc4])
[<bf15c44c>] (vc4_drm_bind [vc4]) from [<c09d6ac0>] (try_to_bring_up_master+0x160/0x1b0)
[<c09d6ac0>] (try_to_bring_up_master) from [<c09d6f38>] (component_master_add_with_match+0xd0/0x104)
[<c09d6f38>] (component_master_add_with_match) from [<bf15c588>] (vc4_platform_drm_probe+0x9c/0xbc [vc4])
[<bf15c588>] (vc4_platform_drm_probe [vc4]) from [<c09df740>] (platform_drv_probe+0x6c/0xa4)
[<c09df740>] (platform_drv_probe) from [<c09dd6f0>] (really_probe+0x210/0x350)
[<c09dd6f0>] (really_probe) from [<c09dd940>] (driver_probe_device+0x5c/0xb4)
[<c09dd940>] (driver_probe_device) from [<c09ddb38>] (device_driver_attach+0x58/0x60)
[<c09ddb38>] (device_driver_attach) from [<c09ddbc0>] (__driver_attach+0x80/0xbc)
[<c09ddbc0>] (__driver_attach) from [<c09db820>] (bus_for_each_dev+0x68/0xb4)
[<c09db820>] (bus_for_each_dev) from [<c09dc9f8>] (bus_add_driver+0x130/0x1e8)
[<c09dc9f8>] (bus_add_driver) from [<c09de648>] (driver_register+0x78/0x110)
[<c09de648>] (driver_register) from [<c0302038>] (do_one_initcall+0x50/0x220)
[<c0302038>] (do_one_initcall) from [<c03db544>] (do_init_module+0x60/0x210)
[<c03db544>] (do_init_module) from [<c03da4f8>] (load_module+0x1e34/0x2338)
[<c03da4f8>] (load_module) from [<c03dac00>] (sys_finit_module+0xac/0xbc)
[<c03dac00>] (sys_finit_module) from [<c03000c0>] (ret_fast_syscall+0x0/0x54)
Exception stack(0xeded9fa8 to 0xeded9ff0)
...
---[ end trace 6414689569c2bc08 ]---
Fixes: bb7d78568814 ("drm/vc4: Add HDMI audio support")
Suggested-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Tested-by: Stefan Wahren <stefan.wahren@i2se.com>
Signed-off-by: Maxime Ripard <maxime@cerno.tech>
Link: https://patchwork.freedesktop.org/patch/msgid/20200701073949.28941-1-m.szyprowski@samsung.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/vc4/vc4_hdmi.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/gpu/drm/vc4/vc4_hdmi.c b/drivers/gpu/drm/vc4/vc4_hdmi.c
index 86b98856756d9..1161662664577 100644
--- a/drivers/gpu/drm/vc4/vc4_hdmi.c
+++ b/drivers/gpu/drm/vc4/vc4_hdmi.c
@@ -1134,6 +1134,7 @@ static int vc4_hdmi_audio_init(struct vc4_hdmi *hdmi)
card->num_links = 1;
card->name = "vc4-hdmi";
card->dev = dev;
+ card->owner = THIS_MODULE;
/*
* Be careful, snd_soc_register_card() calls dev_set_drvdata() and
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 225/245] net: qed: RDMA personality shouldnt fail VF load
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (223 preceding siblings ...)
2020-09-29 11:01 ` [PATCH 4.19 224/245] drm/vc4/vc4_hdmi: fill ASoC card owner Greg Kroah-Hartman
@ 2020-09-29 11:01 ` Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 226/245] drm/sun4i: sun8i-csc: Secondary CSC register correction Greg Kroah-Hartman
` (22 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:01 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Igor Russkikh, Michal Kalderon,
Dmitry Bogdanov, David S. Miller, Sasha Levin
From: Dmitry Bogdanov <dbogdanov@marvell.com>
[ Upstream commit ce1cf9e5025f4e2d2198728391f1847b3e168bc6 ]
Fix the assert during VF driver installation when the personality is iWARP
Fixes: 1fe614d10f45 ("qed: Relax VF firmware requirements")
Signed-off-by: Igor Russkikh <irusskikh@marvell.com>
Signed-off-by: Michal Kalderon <michal.kalderon@marvell.com>
Signed-off-by: Dmitry Bogdanov <dbogdanov@marvell.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/qlogic/qed/qed_sriov.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/ethernet/qlogic/qed/qed_sriov.c b/drivers/net/ethernet/qlogic/qed/qed_sriov.c
index 71a7af134dd8e..886c7aae662fa 100644
--- a/drivers/net/ethernet/qlogic/qed/qed_sriov.c
+++ b/drivers/net/ethernet/qlogic/qed/qed_sriov.c
@@ -96,6 +96,7 @@ static int qed_sp_vf_start(struct qed_hwfn *p_hwfn, struct qed_vf_info *p_vf)
p_ramrod->personality = PERSONALITY_ETH;
break;
case QED_PCI_ETH_ROCE:
+ case QED_PCI_ETH_IWARP:
p_ramrod->personality = PERSONALITY_RDMA_AND_ETH;
break;
default:
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 226/245] drm/sun4i: sun8i-csc: Secondary CSC register correction
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (224 preceding siblings ...)
2020-09-29 11:01 ` [PATCH 4.19 225/245] net: qed: RDMA personality shouldnt fail VF load Greg Kroah-Hartman
@ 2020-09-29 11:01 ` Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 227/245] batman-adv: Add missing include for in_interrupt() Greg Kroah-Hartman
` (21 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:01 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Martin Cerveny, Jernej Skrabec,
Maxime Ripard, Sasha Levin
From: Martin Cerveny <m.cerveny@computer.org>
[ Upstream commit cab4c03b4ba54c8d9378298cacb8bc0fd74ceece ]
"Allwinner V3s" has secondary video layer (VI).
Decoded video is displayed in wrong colors until
secondary CSC registers are programmed correctly.
Fixes: 883029390550 ("drm/sun4i: Add DE2 CSC library")
Signed-off-by: Martin Cerveny <m.cerveny@computer.org>
Reviewed-by: Jernej Skrabec <jernej.skrabec@siol.net>
Signed-off-by: Maxime Ripard <maxime@cerno.tech>
Link: https://patchwork.freedesktop.org/patch/msgid/20200906162140.5584-2-m.cerveny@computer.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/sun4i/sun8i_csc.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/sun4i/sun8i_csc.h b/drivers/gpu/drm/sun4i/sun8i_csc.h
index 880e8fbb08556..242752b2d328c 100644
--- a/drivers/gpu/drm/sun4i/sun8i_csc.h
+++ b/drivers/gpu/drm/sun4i/sun8i_csc.h
@@ -14,7 +14,7 @@ struct sun8i_mixer;
/* VI channel CSC units offsets */
#define CCSC00_OFFSET 0xAA050
-#define CCSC01_OFFSET 0xFA000
+#define CCSC01_OFFSET 0xFA050
#define CCSC10_OFFSET 0xA0000
#define CCSC11_OFFSET 0xF0000
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 227/245] batman-adv: Add missing include for in_interrupt()
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (225 preceding siblings ...)
2020-09-29 11:01 ` [PATCH 4.19 226/245] drm/sun4i: sun8i-csc: Secondary CSC register correction Greg Kroah-Hartman
@ 2020-09-29 11:01 ` Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 228/245] batman-adv: mcast: fix duplicate mcast packets in BLA backbone from mesh Greg Kroah-Hartman
` (20 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:01 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Sven Eckelmann, Simon Wunderlich,
Sasha Levin
From: Sven Eckelmann <sven@narfation.org>
[ Upstream commit 4bba9dab86b6ac15ca560ef1f2b5aa4529cbf784 ]
The fix for receiving (internally generated) bla packets outside the
interrupt context introduced the usage of in_interrupt(). But this
functionality is only defined in linux/preempt.h which was not included
with the same patch.
Fixes: 279e89b2281a ("batman-adv: bla: use netif_rx_ni when not in interrupt context")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/bridge_loop_avoidance.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c
index e71a35a3950de..557d7fdf0b8dc 100644
--- a/net/batman-adv/bridge_loop_avoidance.c
+++ b/net/batman-adv/bridge_loop_avoidance.c
@@ -37,6 +37,7 @@
#include <linux/lockdep.h>
#include <linux/netdevice.h>
#include <linux/netlink.h>
+#include <linux/preempt.h>
#include <linux/rculist.h>
#include <linux/rcupdate.h>
#include <linux/seq_file.h>
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 228/245] batman-adv: mcast: fix duplicate mcast packets in BLA backbone from mesh
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (226 preceding siblings ...)
2020-09-29 11:01 ` [PATCH 4.19 227/245] batman-adv: Add missing include for in_interrupt() Greg Kroah-Hartman
@ 2020-09-29 11:01 ` Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 229/245] batman-adv: mcast: fix duplicate mcast packets from BLA backbone to mesh Greg Kroah-Hartman
` (19 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:01 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Linus Lüssing, Sven Eckelmann,
Simon Wunderlich, Sasha Levin
From: Linus Lüssing <linus.luessing@c0d3.blue>
[ Upstream commit 74c09b7275126da1b642b90c9cdc3ae8b729ad4b ]
Scenario:
* Multicast frame send from mesh to a BLA backbone (multiple nodes
with their bat0 bridged together, with BLA enabled)
Issue:
* BLA backbone nodes receive the frame multiple times on bat0,
once from mesh->bat0 and once from each backbone_gw from LAN
For unicast, a node will send only to the best backbone gateway
according to the TQ. However for multicast we currently cannot determine
if multiple destination nodes share the same backbone if they don't share
the same backbone with us. So we need to keep sending the unicasts to
all backbone gateways and let the backbone gateways decide which one
will forward the frame. We can use the CLAIM mechanism to make this
decision.
One catch: The batman-adv gateway feature for DHCP packets potentially
sends multicast packets in the same batman-adv unicast header as the
multicast optimizations code. And we are not allowed to drop those even
if we did not claim the source address of the sender, as for such
packets there is only this one multicast-in-unicast packet.
How can we distinguish the two cases?
The gateway feature uses a batman-adv unicast 4 address header. While
the multicast-to-unicasts feature uses a simple, 3 address batman-adv
unicast header. So let's use this to distinguish.
Fixes: fe2da6ff27c7 ("batman-adv: check incoming packet type for bla")
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/bridge_loop_avoidance.c | 34 +++++++++++++++++++-------
net/batman-adv/bridge_loop_avoidance.h | 4 +--
net/batman-adv/soft-interface.c | 6 ++---
3 files changed, 30 insertions(+), 14 deletions(-)
diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c
index 557d7fdf0b8dc..3f76872d411bc 100644
--- a/net/batman-adv/bridge_loop_avoidance.c
+++ b/net/batman-adv/bridge_loop_avoidance.c
@@ -1827,7 +1827,7 @@ batadv_bla_loopdetect_check(struct batadv_priv *bat_priv, struct sk_buff *skb,
* @bat_priv: the bat priv with all the soft interface information
* @skb: the frame to be checked
* @vid: the VLAN ID of the frame
- * @is_bcast: the packet came in a broadcast packet type.
+ * @packet_type: the batman packet type this frame came in
*
* batadv_bla_rx avoidance checks if:
* * we have to race for a claim
@@ -1839,7 +1839,7 @@ batadv_bla_loopdetect_check(struct batadv_priv *bat_priv, struct sk_buff *skb,
* further process the skb.
*/
bool batadv_bla_rx(struct batadv_priv *bat_priv, struct sk_buff *skb,
- unsigned short vid, bool is_bcast)
+ unsigned short vid, int packet_type)
{
struct batadv_bla_backbone_gw *backbone_gw;
struct ethhdr *ethhdr;
@@ -1861,9 +1861,24 @@ bool batadv_bla_rx(struct batadv_priv *bat_priv, struct sk_buff *skb,
goto handled;
if (unlikely(atomic_read(&bat_priv->bla.num_requests)))
- /* don't allow broadcasts while requests are in flight */
- if (is_multicast_ether_addr(ethhdr->h_dest) && is_bcast)
- goto handled;
+ /* don't allow multicast packets while requests are in flight */
+ if (is_multicast_ether_addr(ethhdr->h_dest))
+ /* Both broadcast flooding or multicast-via-unicasts
+ * delivery might send to multiple backbone gateways
+ * sharing the same LAN and therefore need to coordinate
+ * which backbone gateway forwards into the LAN,
+ * by claiming the payload source address.
+ *
+ * Broadcast flooding and multicast-via-unicasts
+ * delivery use the following two batman packet types.
+ * Note: explicitly exclude BATADV_UNICAST_4ADDR,
+ * as the DHCP gateway feature will send explicitly
+ * to only one BLA gateway, so the claiming process
+ * should be avoided there.
+ */
+ if (packet_type == BATADV_BCAST ||
+ packet_type == BATADV_UNICAST)
+ goto handled;
ether_addr_copy(search_claim.addr, ethhdr->h_source);
search_claim.vid = vid;
@@ -1898,13 +1913,14 @@ bool batadv_bla_rx(struct batadv_priv *bat_priv, struct sk_buff *skb,
goto allow;
}
- /* if it is a broadcast ... */
- if (is_multicast_ether_addr(ethhdr->h_dest) && is_bcast) {
+ /* if it is a multicast ... */
+ if (is_multicast_ether_addr(ethhdr->h_dest) &&
+ (packet_type == BATADV_BCAST || packet_type == BATADV_UNICAST)) {
/* ... drop it. the responsible gateway is in charge.
*
- * We need to check is_bcast because with the gateway
+ * We need to check packet type because with the gateway
* feature, broadcasts (like DHCP requests) may be sent
- * using a unicast packet type.
+ * using a unicast 4 address packet type. See comment above.
*/
goto handled;
} else {
diff --git a/net/batman-adv/bridge_loop_avoidance.h b/net/batman-adv/bridge_loop_avoidance.h
index 71f95a3e4d3f3..af28fdb01467c 100644
--- a/net/batman-adv/bridge_loop_avoidance.h
+++ b/net/batman-adv/bridge_loop_avoidance.h
@@ -48,7 +48,7 @@ static inline bool batadv_bla_is_loopdetect_mac(const uint8_t *mac)
#ifdef CONFIG_BATMAN_ADV_BLA
bool batadv_bla_rx(struct batadv_priv *bat_priv, struct sk_buff *skb,
- unsigned short vid, bool is_bcast);
+ unsigned short vid, int packet_type);
bool batadv_bla_tx(struct batadv_priv *bat_priv, struct sk_buff *skb,
unsigned short vid);
bool batadv_bla_is_backbone_gw(struct sk_buff *skb,
@@ -79,7 +79,7 @@ bool batadv_bla_check_claim(struct batadv_priv *bat_priv, u8 *addr,
static inline bool batadv_bla_rx(struct batadv_priv *bat_priv,
struct sk_buff *skb, unsigned short vid,
- bool is_bcast)
+ int packet_type)
{
return false;
}
diff --git a/net/batman-adv/soft-interface.c b/net/batman-adv/soft-interface.c
index a2976adeeedce..6ff78080ec7fb 100644
--- a/net/batman-adv/soft-interface.c
+++ b/net/batman-adv/soft-interface.c
@@ -426,10 +426,10 @@ void batadv_interface_rx(struct net_device *soft_iface,
struct vlan_ethhdr *vhdr;
struct ethhdr *ethhdr;
unsigned short vid;
- bool is_bcast;
+ int packet_type;
batadv_bcast_packet = (struct batadv_bcast_packet *)skb->data;
- is_bcast = (batadv_bcast_packet->packet_type == BATADV_BCAST);
+ packet_type = batadv_bcast_packet->packet_type;
skb_pull_rcsum(skb, hdr_size);
skb_reset_mac_header(skb);
@@ -472,7 +472,7 @@ void batadv_interface_rx(struct net_device *soft_iface,
/* Let the bridge loop avoidance check the packet. If will
* not handle it, we can safely push it up.
*/
- if (batadv_bla_rx(bat_priv, skb, vid, is_bcast))
+ if (batadv_bla_rx(bat_priv, skb, vid, packet_type))
goto out;
if (orig_node)
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 229/245] batman-adv: mcast: fix duplicate mcast packets from BLA backbone to mesh
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (227 preceding siblings ...)
2020-09-29 11:01 ` [PATCH 4.19 228/245] batman-adv: mcast: fix duplicate mcast packets in BLA backbone from mesh Greg Kroah-Hartman
@ 2020-09-29 11:01 ` Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 230/245] bpf: Fix a rcu warning for bpffs map pretty-print Greg Kroah-Hartman
` (18 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:01 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Linus Lüssing, Sven Eckelmann,
Simon Wunderlich, Sasha Levin
From: Linus Lüssing <linus.luessing@c0d3.blue>
[ Upstream commit 2369e827046920ef0599e6a36b975ac5c0a359c2 ]
Scenario:
* Multicast frame send from BLA backbone gateways (multiple nodes
with their bat0 bridged together, with BLA enabled) sharing the same
LAN to nodes in the mesh
Issue:
* Nodes receive the frame multiple times on bat0 from the mesh,
once from each foreign BLA backbone gateway which shares the same LAN
with another
For multicast frames via batman-adv broadcast packets coming from the
same BLA backbone but from different backbone gateways duplicates are
currently detected via a CRC history of previously received packets.
However this CRC so far was not performed for multicast frames received
via batman-adv unicast packets. Fixing this by appyling the same check
for such packets, too.
Room for improvements in the future: Ideally we would introduce the
possibility to not only claim a client, but a complete originator, too.
This would allow us to only send a multicast-in-unicast packet from a BLA
backbone gateway claiming the node and by that avoid potential redundant
transmissions in the first place.
Fixes: 279e89b2281a ("batman-adv: add broadcast duplicate check")
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/bridge_loop_avoidance.c | 103 +++++++++++++++++++++----
1 file changed, 87 insertions(+), 16 deletions(-)
diff --git a/net/batman-adv/bridge_loop_avoidance.c b/net/batman-adv/bridge_loop_avoidance.c
index 3f76872d411bc..1401031f4bb4a 100644
--- a/net/batman-adv/bridge_loop_avoidance.c
+++ b/net/batman-adv/bridge_loop_avoidance.c
@@ -1594,13 +1594,16 @@ int batadv_bla_init(struct batadv_priv *bat_priv)
}
/**
- * batadv_bla_check_bcast_duplist() - Check if a frame is in the broadcast dup.
+ * batadv_bla_check_duplist() - Check if a frame is in the broadcast dup.
* @bat_priv: the bat priv with all the soft interface information
- * @skb: contains the bcast_packet to be checked
+ * @skb: contains the multicast packet to be checked
+ * @payload_ptr: pointer to position inside the head buffer of the skb
+ * marking the start of the data to be CRC'ed
+ * @orig: originator mac address, NULL if unknown
*
- * check if it is on our broadcast list. Another gateway might
- * have sent the same packet because it is connected to the same backbone,
- * so we have to remove this duplicate.
+ * Check if it is on our broadcast list. Another gateway might have sent the
+ * same packet because it is connected to the same backbone, so we have to
+ * remove this duplicate.
*
* This is performed by checking the CRC, which will tell us
* with a good chance that it is the same packet. If it is furthermore
@@ -1609,19 +1612,17 @@ int batadv_bla_init(struct batadv_priv *bat_priv)
*
* Return: true if a packet is in the duplicate list, false otherwise.
*/
-bool batadv_bla_check_bcast_duplist(struct batadv_priv *bat_priv,
- struct sk_buff *skb)
+static bool batadv_bla_check_duplist(struct batadv_priv *bat_priv,
+ struct sk_buff *skb, u8 *payload_ptr,
+ const u8 *orig)
{
- int i, curr;
- __be32 crc;
- struct batadv_bcast_packet *bcast_packet;
struct batadv_bcast_duplist_entry *entry;
bool ret = false;
-
- bcast_packet = (struct batadv_bcast_packet *)skb->data;
+ int i, curr;
+ __be32 crc;
/* calculate the crc ... */
- crc = batadv_skb_crc32(skb, (u8 *)(bcast_packet + 1));
+ crc = batadv_skb_crc32(skb, payload_ptr);
spin_lock_bh(&bat_priv->bla.bcast_duplist_lock);
@@ -1640,8 +1641,21 @@ bool batadv_bla_check_bcast_duplist(struct batadv_priv *bat_priv,
if (entry->crc != crc)
continue;
- if (batadv_compare_eth(entry->orig, bcast_packet->orig))
- continue;
+ /* are the originators both known and not anonymous? */
+ if (orig && !is_zero_ether_addr(orig) &&
+ !is_zero_ether_addr(entry->orig)) {
+ /* If known, check if the new frame came from
+ * the same originator:
+ * We are safe to take identical frames from the
+ * same orig, if known, as multiplications in
+ * the mesh are detected via the (orig, seqno) pair.
+ * So we can be a bit more liberal here and allow
+ * identical frames from the same orig which the source
+ * host might have sent multiple times on purpose.
+ */
+ if (batadv_compare_eth(entry->orig, orig))
+ continue;
+ }
/* this entry seems to match: same crc, not too old,
* and from another gw. therefore return true to forbid it.
@@ -1657,7 +1671,14 @@ bool batadv_bla_check_bcast_duplist(struct batadv_priv *bat_priv,
entry = &bat_priv->bla.bcast_duplist[curr];
entry->crc = crc;
entry->entrytime = jiffies;
- ether_addr_copy(entry->orig, bcast_packet->orig);
+
+ /* known originator */
+ if (orig)
+ ether_addr_copy(entry->orig, orig);
+ /* anonymous originator */
+ else
+ eth_zero_addr(entry->orig);
+
bat_priv->bla.bcast_duplist_curr = curr;
out:
@@ -1666,6 +1687,48 @@ bool batadv_bla_check_bcast_duplist(struct batadv_priv *bat_priv,
return ret;
}
+/**
+ * batadv_bla_check_ucast_duplist() - Check if a frame is in the broadcast dup.
+ * @bat_priv: the bat priv with all the soft interface information
+ * @skb: contains the multicast packet to be checked, decapsulated from a
+ * unicast_packet
+ *
+ * Check if it is on our broadcast list. Another gateway might have sent the
+ * same packet because it is connected to the same backbone, so we have to
+ * remove this duplicate.
+ *
+ * Return: true if a packet is in the duplicate list, false otherwise.
+ */
+static bool batadv_bla_check_ucast_duplist(struct batadv_priv *bat_priv,
+ struct sk_buff *skb)
+{
+ return batadv_bla_check_duplist(bat_priv, skb, (u8 *)skb->data, NULL);
+}
+
+/**
+ * batadv_bla_check_bcast_duplist() - Check if a frame is in the broadcast dup.
+ * @bat_priv: the bat priv with all the soft interface information
+ * @skb: contains the bcast_packet to be checked
+ *
+ * Check if it is on our broadcast list. Another gateway might have sent the
+ * same packet because it is connected to the same backbone, so we have to
+ * remove this duplicate.
+ *
+ * Return: true if a packet is in the duplicate list, false otherwise.
+ */
+bool batadv_bla_check_bcast_duplist(struct batadv_priv *bat_priv,
+ struct sk_buff *skb)
+{
+ struct batadv_bcast_packet *bcast_packet;
+ u8 *payload_ptr;
+
+ bcast_packet = (struct batadv_bcast_packet *)skb->data;
+ payload_ptr = (u8 *)(bcast_packet + 1);
+
+ return batadv_bla_check_duplist(bat_priv, skb, payload_ptr,
+ bcast_packet->orig);
+}
+
/**
* batadv_bla_is_backbone_gw_orig() - Check if the originator is a gateway for
* the VLAN identified by vid.
@@ -1880,6 +1943,14 @@ bool batadv_bla_rx(struct batadv_priv *bat_priv, struct sk_buff *skb,
packet_type == BATADV_UNICAST)
goto handled;
+ /* potential duplicates from foreign BLA backbone gateways via
+ * multicast-in-unicast packets
+ */
+ if (is_multicast_ether_addr(ethhdr->h_dest) &&
+ packet_type == BATADV_UNICAST &&
+ batadv_bla_check_ucast_duplist(bat_priv, skb))
+ goto handled;
+
ether_addr_copy(search_claim.addr, ethhdr->h_source);
search_claim.vid = vid;
claim = batadv_claim_hash_find(bat_priv, &search_claim);
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 230/245] bpf: Fix a rcu warning for bpffs map pretty-print
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (228 preceding siblings ...)
2020-09-29 11:01 ` [PATCH 4.19 229/245] batman-adv: mcast: fix duplicate mcast packets from BLA backbone to mesh Greg Kroah-Hartman
@ 2020-09-29 11:01 ` Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 231/245] ALSA: asihpi: fix iounmap in error handler Greg Kroah-Hartman
` (17 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:01 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Alexei Starovoitov, Yonghong Song,
Andrii Nakryiko, Martin KaFai Lau, Sasha Levin
From: Yonghong Song <yhs@fb.com>
[ Upstream commit ce880cb825fcc22d4e39046a6c3a3a7f6603883d ]
Running selftest
./btf_btf -p
the kernel had the following warning:
[ 51.528185] WARNING: CPU: 3 PID: 1756 at kernel/bpf/hashtab.c:717 htab_map_get_next_key+0x2eb/0x300
[ 51.529217] Modules linked in:
[ 51.529583] CPU: 3 PID: 1756 Comm: test_btf Not tainted 5.9.0-rc1+ #878
[ 51.530346] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.9.3-1.el7.centos 04/01/2014
[ 51.531410] RIP: 0010:htab_map_get_next_key+0x2eb/0x300
...
[ 51.542826] Call Trace:
[ 51.543119] map_seq_next+0x53/0x80
[ 51.543528] seq_read+0x263/0x400
[ 51.543932] vfs_read+0xad/0x1c0
[ 51.544311] ksys_read+0x5f/0xe0
[ 51.544689] do_syscall_64+0x33/0x40
[ 51.545116] entry_SYSCALL_64_after_hwframe+0x44/0xa9
The related source code in kernel/bpf/hashtab.c:
709 static int htab_map_get_next_key(struct bpf_map *map, void *key, void *next_key)
710 {
711 struct bpf_htab *htab = container_of(map, struct bpf_htab, map);
712 struct hlist_nulls_head *head;
713 struct htab_elem *l, *next_l;
714 u32 hash, key_size;
715 int i = 0;
716
717 WARN_ON_ONCE(!rcu_read_lock_held());
In kernel/bpf/inode.c, bpffs map pretty print calls map->ops->map_get_next_key()
without holding a rcu_read_lock(), hence causing the above warning.
To fix the issue, just surrounding map->ops->map_get_next_key() with rcu read lock.
Fixes: a26ca7c982cb ("bpf: btf: Add pretty print support to the basic arraymap")
Reported-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Yonghong Song <yhs@fb.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Andrii Nakryiko <andriin@fb.com>
Cc: Martin KaFai Lau <kafai@fb.com>
Link: https://lore.kernel.org/bpf/20200916004401.146277-1-yhs@fb.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/inode.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/kernel/bpf/inode.c b/kernel/bpf/inode.c
index c04815bb15cc1..11fade89c1f38 100644
--- a/kernel/bpf/inode.c
+++ b/kernel/bpf/inode.c
@@ -207,10 +207,12 @@ static void *map_seq_next(struct seq_file *m, void *v, loff_t *pos)
else
prev_key = key;
+ rcu_read_lock();
if (map->ops->map_get_next_key(map, prev_key, key)) {
map_iter(m)->done = true;
- return NULL;
+ key = NULL;
}
+ rcu_read_unlock();
return key;
}
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 231/245] ALSA: asihpi: fix iounmap in error handler
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (229 preceding siblings ...)
2020-09-29 11:01 ` [PATCH 4.19 230/245] bpf: Fix a rcu warning for bpffs map pretty-print Greg Kroah-Hartman
@ 2020-09-29 11:01 ` Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 232/245] regmap: fix page selection for noinc reads Greg Kroah-Hartman
` (16 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:01 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Tom Rix, Takashi Iwai, Sasha Levin
From: Tom Rix <trix@redhat.com>
[ Upstream commit 472eb39103e885f302fd8fd6eff104fcf5503f1b ]
clang static analysis flags this problem
hpioctl.c:513:7: warning: Branch condition evaluates to
a garbage value
if (pci.ap_mem_base[idx]) {
^~~~~~~~~~~~~~~~~~~~
If there is a failure in the middle of the memory space loop,
only some of the memory spaces need to be cleaned up.
At the error handler, idx holds the number of successful
memory spaces mapped. So rework the handler loop to use the
old idx.
There is a second problem, the memory space loop conditionally
iomaps()/sets the mem_base so it is necessay to initize pci.
Fixes: 719f82d3987a ("ALSA: Add support of AudioScience ASI boards")
Signed-off-by: Tom Rix <trix@redhat.com>
Link: https://lore.kernel.org/r/20200913165230.17166-1-trix@redhat.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/pci/asihpi/hpioctl.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sound/pci/asihpi/hpioctl.c b/sound/pci/asihpi/hpioctl.c
index 7d049569012c1..3f06986fbecf8 100644
--- a/sound/pci/asihpi/hpioctl.c
+++ b/sound/pci/asihpi/hpioctl.c
@@ -350,7 +350,7 @@ int asihpi_adapter_probe(struct pci_dev *pci_dev,
struct hpi_message hm;
struct hpi_response hr;
struct hpi_adapter adapter;
- struct hpi_pci pci;
+ struct hpi_pci pci = { 0 };
memset(&adapter, 0, sizeof(adapter));
@@ -506,7 +506,7 @@ int asihpi_adapter_probe(struct pci_dev *pci_dev,
return 0;
err:
- for (idx = 0; idx < HPI_MAX_ADAPTER_MEM_SPACES; idx++) {
+ while (--idx >= 0) {
if (pci.ap_mem_base[idx]) {
iounmap(pci.ap_mem_base[idx]);
pci.ap_mem_base[idx] = NULL;
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 232/245] regmap: fix page selection for noinc reads
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (230 preceding siblings ...)
2020-09-29 11:01 ` [PATCH 4.19 231/245] ALSA: asihpi: fix iounmap in error handler Greg Kroah-Hartman
@ 2020-09-29 11:01 ` Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 233/245] MIPS: Add the missing CPU_1074K into __get_cpu_type() Greg Kroah-Hartman
` (15 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:01 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Dmitry Baryshkov, Mark Brown, Sasha Levin
From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
[ Upstream commit 4003324856311faebb46cbd56a1616bd3f3b67c2 ]
Non-incrementing reads can fail if register + length crosses page
border. However for non-incrementing reads we should not check for page
border crossing. Fix this by passing additional flag to _regmap_raw_read
and passing length to _regmap_select_page basing on the flag.
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Fixes: 74fe7b551f33 ("regmap: Add regmap_noinc_read API")
Link: https://lore.kernel.org/r/20200917153405.3139200-1-dmitry.baryshkov@linaro.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/base/regmap/regmap.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/drivers/base/regmap/regmap.c b/drivers/base/regmap/regmap.c
index d26b485ccc7d0..e8b3353c18eb8 100644
--- a/drivers/base/regmap/regmap.c
+++ b/drivers/base/regmap/regmap.c
@@ -2367,7 +2367,7 @@ int regmap_raw_write_async(struct regmap *map, unsigned int reg,
EXPORT_SYMBOL_GPL(regmap_raw_write_async);
static int _regmap_raw_read(struct regmap *map, unsigned int reg, void *val,
- unsigned int val_len)
+ unsigned int val_len, bool noinc)
{
struct regmap_range_node *range;
int ret;
@@ -2380,7 +2380,7 @@ static int _regmap_raw_read(struct regmap *map, unsigned int reg, void *val,
range = _regmap_range_lookup(map, reg);
if (range) {
ret = _regmap_select_page(map, ®, range,
- val_len / map->format.val_bytes);
+ noinc ? 1 : val_len / map->format.val_bytes);
if (ret != 0)
return ret;
}
@@ -2418,7 +2418,7 @@ static int _regmap_bus_read(void *context, unsigned int reg,
if (!map->format.parse_val)
return -EINVAL;
- ret = _regmap_raw_read(map, reg, work_val, map->format.val_bytes);
+ ret = _regmap_raw_read(map, reg, work_val, map->format.val_bytes, false);
if (ret == 0)
*val = map->format.parse_val(work_val);
@@ -2536,7 +2536,7 @@ int regmap_raw_read(struct regmap *map, unsigned int reg, void *val,
/* Read bytes that fit into whole chunks */
for (i = 0; i < chunk_count; i++) {
- ret = _regmap_raw_read(map, reg, val, chunk_bytes);
+ ret = _regmap_raw_read(map, reg, val, chunk_bytes, false);
if (ret != 0)
goto out;
@@ -2547,7 +2547,7 @@ int regmap_raw_read(struct regmap *map, unsigned int reg, void *val,
/* Read remaining bytes */
if (val_len) {
- ret = _regmap_raw_read(map, reg, val, val_len);
+ ret = _regmap_raw_read(map, reg, val, val_len, false);
if (ret != 0)
goto out;
}
@@ -2622,7 +2622,7 @@ int regmap_noinc_read(struct regmap *map, unsigned int reg,
read_len = map->max_raw_read;
else
read_len = val_len;
- ret = _regmap_raw_read(map, reg, val, read_len);
+ ret = _regmap_raw_read(map, reg, val, read_len, true);
if (ret)
goto out_unlock;
val = ((u8 *)val) + read_len;
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 233/245] MIPS: Add the missing CPU_1074K into __get_cpu_type()
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (231 preceding siblings ...)
2020-09-29 11:01 ` [PATCH 4.19 232/245] regmap: fix page selection for noinc reads Greg Kroah-Hartman
@ 2020-09-29 11:01 ` Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 234/245] KVM: x86: Reset MMU context if guest toggles CR4.SMAP or CR4.PKE Greg Kroah-Hartman
` (14 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:01 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Wei Li, Thomas Bogendoerfer, Sasha Levin
From: Wei Li <liwei391@huawei.com>
[ Upstream commit e393fbe6fa27af23f78df6e16a8fd2963578a8c4 ]
Commit 442e14a2c55e ("MIPS: Add 1074K CPU support explicitly.") split
1074K from the 74K as an unique CPU type, while it missed to add the
'CPU_1074K' in __get_cpu_type(). So let's add it back.
Fixes: 442e14a2c55e ("MIPS: Add 1074K CPU support explicitly.")
Signed-off-by: Wei Li <liwei391@huawei.com>
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/mips/include/asm/cpu-type.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/mips/include/asm/cpu-type.h b/arch/mips/include/asm/cpu-type.h
index a45af3de075d9..d43e4ab20b238 100644
--- a/arch/mips/include/asm/cpu-type.h
+++ b/arch/mips/include/asm/cpu-type.h
@@ -47,6 +47,7 @@ static inline int __pure __get_cpu_type(const int cpu_type)
case CPU_34K:
case CPU_1004K:
case CPU_74K:
+ case CPU_1074K:
case CPU_M14KC:
case CPU_M14KEC:
case CPU_INTERAPTIV:
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 234/245] KVM: x86: Reset MMU context if guest toggles CR4.SMAP or CR4.PKE
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (232 preceding siblings ...)
2020-09-29 11:01 ` [PATCH 4.19 233/245] MIPS: Add the missing CPU_1074K into __get_cpu_type() Greg Kroah-Hartman
@ 2020-09-29 11:01 ` Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 235/245] KVM: SVM: Add a dedicated INVD intercept routine Greg Kroah-Hartman
` (13 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:01 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Jim Mattson, Peter Shier,
Oliver Upton, Sean Christopherson, Paolo Bonzini, Sasha Levin
From: Sean Christopherson <sean.j.christopherson@intel.com>
[ Upstream commit 8d214c481611b29458a57913bd786f0ac06f0605 ]
Reset the MMU context during kvm_set_cr4() if SMAP or PKE is toggled.
Recent commits to (correctly) not reload PDPTRs when SMAP/PKE are
toggled inadvertantly skipped the MMU context reset due to the mask
of bits that triggers PDPTR loads also being used to trigger MMU context
resets.
Fixes: 427890aff855 ("kvm: x86: Toggling CR4.SMAP does not load PDPTEs in PAE mode")
Fixes: cb957adb4ea4 ("kvm: x86: Toggling CR4.PKE does not load PDPTEs in PAE mode")
Cc: Jim Mattson <jmattson@google.com>
Cc: Peter Shier <pshier@google.com>
Cc: Oliver Upton <oupton@google.com>
Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
Message-Id: <20200923215352.17756-1-sean.j.christopherson@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kvm/x86.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 620ed1fa35119..dd182228be714 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -858,6 +858,7 @@ int kvm_set_cr4(struct kvm_vcpu *vcpu, unsigned long cr4)
unsigned long old_cr4 = kvm_read_cr4(vcpu);
unsigned long pdptr_bits = X86_CR4_PGE | X86_CR4_PSE | X86_CR4_PAE |
X86_CR4_SMEP;
+ unsigned long mmu_role_bits = pdptr_bits | X86_CR4_SMAP | X86_CR4_PKE;
if (kvm_valid_cr4(vcpu, cr4))
return 1;
@@ -885,7 +886,7 @@ int kvm_set_cr4(struct kvm_vcpu *vcpu, unsigned long cr4)
if (kvm_x86_ops->set_cr4(vcpu, cr4))
return 1;
- if (((cr4 ^ old_cr4) & pdptr_bits) ||
+ if (((cr4 ^ old_cr4) & mmu_role_bits) ||
(!(cr4 & X86_CR4_PCIDE) && (old_cr4 & X86_CR4_PCIDE)))
kvm_mmu_reset_context(vcpu);
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 235/245] KVM: SVM: Add a dedicated INVD intercept routine
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (233 preceding siblings ...)
2020-09-29 11:01 ` [PATCH 4.19 234/245] KVM: x86: Reset MMU context if guest toggles CR4.SMAP or CR4.PKE Greg Kroah-Hartman
@ 2020-09-29 11:01 ` Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 236/245] tracing: fix double free Greg Kroah-Hartman
` (12 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:01 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Tom Lendacky, Paolo Bonzini, Sasha Levin
From: Tom Lendacky <thomas.lendacky@amd.com>
[ Upstream commit 4bb05f30483fd21ea5413eaf1182768f251cf625 ]
The INVD instruction intercept performs emulation. Emulation can't be done
on an SEV guest because the guest memory is encrypted.
Provide a dedicated intercept routine for the INVD intercept. And since
the instruction is emulated as a NOP, just skip it instead.
Fixes: 1654efcbc431 ("KVM: SVM: Add KVM_SEV_INIT command")
Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
Message-Id: <a0b9a19ffa7fef86a3cc700c7ea01cb2731e04e5.1600972918.git.thomas.lendacky@amd.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kvm/svm.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
index 2aafb6c791345..cb09a0ec87500 100644
--- a/arch/x86/kvm/svm.c
+++ b/arch/x86/kvm/svm.c
@@ -3942,6 +3942,12 @@ static int iret_interception(struct vcpu_svm *svm)
return 1;
}
+static int invd_interception(struct vcpu_svm *svm)
+{
+ /* Treat an INVD instruction as a NOP and just skip it. */
+ return kvm_skip_emulated_instruction(&svm->vcpu);
+}
+
static int invlpg_interception(struct vcpu_svm *svm)
{
if (!static_cpu_has(X86_FEATURE_DECODEASSISTS))
@@ -4831,7 +4837,7 @@ static int (*const svm_exit_handlers[])(struct vcpu_svm *svm) = {
[SVM_EXIT_RDPMC] = rdpmc_interception,
[SVM_EXIT_CPUID] = cpuid_interception,
[SVM_EXIT_IRET] = iret_interception,
- [SVM_EXIT_INVD] = emulate_on_interception,
+ [SVM_EXIT_INVD] = invd_interception,
[SVM_EXIT_PAUSE] = pause_interception,
[SVM_EXIT_HLT] = halt_interception,
[SVM_EXIT_INVLPG] = invlpg_interception,
--
2.25.1
^ permalink raw reply related [flat|nested] 256+ messages in thread
* [PATCH 4.19 236/245] tracing: fix double free
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (234 preceding siblings ...)
2020-09-29 11:01 ` [PATCH 4.19 235/245] KVM: SVM: Add a dedicated INVD intercept routine Greg Kroah-Hartman
@ 2020-09-29 11:01 ` Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 237/245] s390/dasd: Fix zero write for FBA devices Greg Kroah-Hartman
` (11 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:01 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Tom Zanussi, Tom Rix,
Steven Rostedt (VMware)
From: Tom Rix <trix@redhat.com>
commit 46bbe5c671e06f070428b9be142cc4ee5cedebac upstream.
clang static analyzer reports this problem
trace_events_hist.c:3824:3: warning: Attempt to free
released memory
kfree(hist_data->attrs->var_defs.name[i]);
In parse_var_defs() if there is a problem allocating
var_defs.expr, the earlier var_defs.name is freed.
This free is duplicated by free_var_defs() which frees
the rest of the list.
Because free_var_defs() has to run anyway, remove the
second free fom parse_var_defs().
Link: https://lkml.kernel.org/r/20200907135845.15804-1-trix@redhat.com
Cc: stable@vger.kernel.org
Fixes: 30350d65ac56 ("tracing: Add variable support to hist triggers")
Reviewed-by: Tom Zanussi <tom.zanussi@linux.intel.com>
Signed-off-by: Tom Rix <trix@redhat.com>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/trace_events_hist.c | 1 -
1 file changed, 1 deletion(-)
--- a/kernel/trace/trace_events_hist.c
+++ b/kernel/trace/trace_events_hist.c
@@ -4225,7 +4225,6 @@ static int parse_var_defs(struct hist_tr
s = kstrdup(field_str, GFP_KERNEL);
if (!s) {
- kfree(hist_data->attrs->var_defs.name[n_vars]);
ret = -ENOMEM;
goto free;
}
^ permalink raw reply [flat|nested] 256+ messages in thread
* [PATCH 4.19 237/245] s390/dasd: Fix zero write for FBA devices
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (235 preceding siblings ...)
2020-09-29 11:01 ` [PATCH 4.19 236/245] tracing: fix double free Greg Kroah-Hartman
@ 2020-09-29 11:01 ` Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 238/245] kprobes: Fix to check probe enabled before disarm_kprobe_ftrace() Greg Kroah-Hartman
` (10 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:01 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Jan Höppner, Stefan Haberland,
Jens Axboe
From: Jan Höppner <hoeppner@linux.ibm.com>
commit 709192d531e5b0a91f20aa14abfe2fc27ddd47af upstream.
A discard request that writes zeros using the global kernel internal
ZERO_PAGE will fail for machines with more than 2GB of memory due to the
location of the ZERO_PAGE.
Fix this by using a driver owned global zero page allocated with GFP_DMA
flag set.
Fixes: 28b841b3a7cb ("s390/dasd: Add discard support for FBA devices")
Signed-off-by: Jan Höppner <hoeppner@linux.ibm.com>
Reviewed-by: Stefan Haberland <sth@linux.ibm.com>
Cc: <stable@vger.kernel.org> # 4.14+
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/s390/block/dasd_fba.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
--- a/drivers/s390/block/dasd_fba.c
+++ b/drivers/s390/block/dasd_fba.c
@@ -40,6 +40,7 @@
MODULE_LICENSE("GPL");
static struct dasd_discipline dasd_fba_discipline;
+static void *dasd_fba_zero_page;
struct dasd_fba_private {
struct dasd_fba_characteristics rdc_data;
@@ -270,7 +271,7 @@ static void ccw_write_zero(struct ccw1 *
ccw->cmd_code = DASD_FBA_CCW_WRITE;
ccw->flags |= CCW_FLAG_SLI;
ccw->count = count;
- ccw->cda = (__u32) (addr_t) page_to_phys(ZERO_PAGE(0));
+ ccw->cda = (__u32) (addr_t) dasd_fba_zero_page;
}
/*
@@ -811,6 +812,11 @@ dasd_fba_init(void)
int ret;
ASCEBC(dasd_fba_discipline.ebcname, 4);
+
+ dasd_fba_zero_page = (void *)get_zeroed_page(GFP_KERNEL | GFP_DMA);
+ if (!dasd_fba_zero_page)
+ return -ENOMEM;
+
ret = ccw_driver_register(&dasd_fba_driver);
if (!ret)
wait_for_device_probe();
@@ -822,6 +828,7 @@ static void __exit
dasd_fba_cleanup(void)
{
ccw_driver_unregister(&dasd_fba_driver);
+ free_page((unsigned long)dasd_fba_zero_page);
}
module_init(dasd_fba_init);
^ permalink raw reply [flat|nested] 256+ messages in thread
* [PATCH 4.19 238/245] kprobes: Fix to check probe enabled before disarm_kprobe_ftrace()
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (236 preceding siblings ...)
2020-09-29 11:01 ` [PATCH 4.19 237/245] s390/dasd: Fix zero write for FBA devices Greg Kroah-Hartman
@ 2020-09-29 11:01 ` Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 239/245] mm, THP, swap: fix allocating cluster for swapfile by mistake Greg Kroah-Hartman
` (9 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:01 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Ingo Molnar, Naveen N . Rao,
Anil S Keshavamurthy, David Miller, Muchun Song, Chengming Zhou,
Masami Hiramatsu, Steven Rostedt (VMware)
From: Masami Hiramatsu <mhiramat@kernel.org>
commit 3031313eb3d549b7ad6f9fbcc52ba04412e3eb9e upstream.
Commit 0cb2f1372baa ("kprobes: Fix NULL pointer dereference at
kprobe_ftrace_handler") fixed one bug but not completely fixed yet.
If we run a kprobe_module.tc of ftracetest, kernel showed a warning
as below.
# ./ftracetest test.d/kprobe/kprobe_module.tc
=== Ftrace unit tests ===
[1] Kprobe dynamic event - probing module
...
[ 22.400215] ------------[ cut here ]------------
[ 22.400962] Failed to disarm kprobe-ftrace at trace_printk_irq_work+0x0/0x7e [trace_printk] (-2)
[ 22.402139] WARNING: CPU: 7 PID: 200 at kernel/kprobes.c:1091 __disarm_kprobe_ftrace.isra.0+0x7e/0xa0
[ 22.403358] Modules linked in: trace_printk(-)
[ 22.404028] CPU: 7 PID: 200 Comm: rmmod Not tainted 5.9.0-rc2+ #66
[ 22.404870] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1 04/01/2014
[ 22.406139] RIP: 0010:__disarm_kprobe_ftrace.isra.0+0x7e/0xa0
[ 22.406947] Code: 30 8b 03 eb c9 80 3d e5 09 1f 01 00 75 dc 49 8b 34 24 89 c2 48 c7 c7 a0 c2 05 82 89 45 e4 c6 05 cc 09 1f 01 01 e8 a9 c7 f0 ff <0f> 0b 8b 45 e4 eb b9 89 c6 48 c7 c7 70 c2 05 82 89 45 e4 e8 91 c7
[ 22.409544] RSP: 0018:ffffc90000237df0 EFLAGS: 00010286
[ 22.410385] RAX: 0000000000000000 RBX: ffffffff83066024 RCX: 0000000000000000
[ 22.411434] RDX: 0000000000000001 RSI: ffffffff810de8d3 RDI: ffffffff810de8d3
[ 22.412687] RBP: ffffc90000237e10 R08: 0000000000000001 R09: 0000000000000001
[ 22.413762] R10: 0000000000000000 R11: 0000000000000001 R12: ffff88807c478640
[ 22.414852] R13: ffffffff8235ebc0 R14: ffffffffa00060c0 R15: 0000000000000000
[ 22.415941] FS: 00000000019d48c0(0000) GS:ffff88807d7c0000(0000) knlGS:0000000000000000
[ 22.417264] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 22.418176] CR2: 00000000005bb7e3 CR3: 0000000078f7a000 CR4: 00000000000006a0
[ 22.419309] Call Trace:
[ 22.419990] kill_kprobe+0x94/0x160
[ 22.420652] kprobes_module_callback+0x64/0x230
[ 22.421470] notifier_call_chain+0x4f/0x70
[ 22.422184] blocking_notifier_call_chain+0x49/0x70
[ 22.422979] __x64_sys_delete_module+0x1ac/0x240
[ 22.423733] do_syscall_64+0x38/0x50
[ 22.424366] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 22.425176] RIP: 0033:0x4bb81d
[ 22.425741] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e0 ff ff ff f7 d8 64 89 01 48
[ 22.428726] RSP: 002b:00007ffc70fef008 EFLAGS: 00000246 ORIG_RAX: 00000000000000b0
[ 22.430169] RAX: ffffffffffffffda RBX: 00000000019d48a0 RCX: 00000000004bb81d
[ 22.431375] RDX: 0000000000000000 RSI: 0000000000000880 RDI: 00007ffc70fef028
[ 22.432543] RBP: 0000000000000880 R08: 00000000ffffffff R09: 00007ffc70fef320
[ 22.433692] R10: 0000000000656300 R11: 0000000000000246 R12: 00007ffc70fef028
[ 22.434635] R13: 0000000000000000 R14: 0000000000000002 R15: 0000000000000000
[ 22.435682] irq event stamp: 1169
[ 22.436240] hardirqs last enabled at (1179): [<ffffffff810df542>] console_unlock+0x422/0x580
[ 22.437466] hardirqs last disabled at (1188): [<ffffffff810df19b>] console_unlock+0x7b/0x580
[ 22.438608] softirqs last enabled at (866): [<ffffffff81c0038e>] __do_softirq+0x38e/0x490
[ 22.439637] softirqs last disabled at (859): [<ffffffff81a00f42>] asm_call_on_stack+0x12/0x20
[ 22.440690] ---[ end trace 1e7ce7e1e4567276 ]---
[ 22.472832] trace_kprobe: This probe might be able to register after target module is loaded. Continue.
This is because the kill_kprobe() calls disarm_kprobe_ftrace() even
if the given probe is not enabled. In that case, ftrace_set_filter_ip()
fails because the given probe point is not registered to ftrace.
Fix to check the given (going) probe is enabled before invoking
disarm_kprobe_ftrace().
Link: https://lkml.kernel.org/r/159888672694.1411785.5987998076694782591.stgit@devnote2
Fixes: 0cb2f1372baa ("kprobes: Fix NULL pointer dereference at kprobe_ftrace_handler")
Cc: Ingo Molnar <mingo@kernel.org>
Cc: "Naveen N . Rao" <naveen.n.rao@linux.ibm.com>
Cc: Anil S Keshavamurthy <anil.s.keshavamurthy@intel.com>
Cc: David Miller <davem@davemloft.net>
Cc: Muchun Song <songmuchun@bytedance.com>
Cc: Chengming Zhou <zhouchengming@bytedance.com>
Cc: stable@vger.kernel.org
Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/kprobes.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/kernel/kprobes.c
+++ b/kernel/kprobes.c
@@ -2083,9 +2083,10 @@ static void kill_kprobe(struct kprobe *p
/*
* The module is going away. We should disarm the kprobe which
- * is using ftrace.
+ * is using ftrace, because ftrace framework is still available at
+ * MODULE_STATE_GOING notification.
*/
- if (kprobe_ftrace(p))
+ if (kprobe_ftrace(p) && !kprobe_disabled(p) && !kprobes_all_disarmed)
disarm_kprobe_ftrace(p);
}
^ permalink raw reply [flat|nested] 256+ messages in thread
* [PATCH 4.19 239/245] mm, THP, swap: fix allocating cluster for swapfile by mistake
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (237 preceding siblings ...)
2020-09-29 11:01 ` [PATCH 4.19 238/245] kprobes: Fix to check probe enabled before disarm_kprobe_ftrace() Greg Kroah-Hartman
@ 2020-09-29 11:01 ` Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 240/245] s390/zcrypt: Fix ZCRYPT_PERDEV_REQCNT ioctl Greg Kroah-Hartman
` (8 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:01 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Gao Xiang, Andrew Morton, Huang,
Ying, Yang Shi, Rafael Aquini, Matthew Wilcox, Carlos Maiolino,
Eric Sandeen, Dave Chinner, Linus Torvalds
From: Gao Xiang <hsiangkao@redhat.com>
commit 41663430588c737dd735bad5a0d1ba325dcabd59 upstream.
SWP_FS is used to make swap_{read,write}page() go through the
filesystem, and it's only used for swap files over NFS. So, !SWP_FS
means non NFS for now, it could be either file backed or device backed.
Something similar goes with legacy SWP_FILE.
So in order to achieve the goal of the original patch, SWP_BLKDEV should
be used instead.
FS corruption can be observed with SSD device + XFS + fragmented
swapfile due to CONFIG_THP_SWAP=y.
I reproduced the issue with the following details:
Environment:
QEMU + upstream kernel + buildroot + NVMe (2 GB)
Kernel config:
CONFIG_BLK_DEV_NVME=y
CONFIG_THP_SWAP=y
Some reproducible steps:
mkfs.xfs -f /dev/nvme0n1
mkdir /tmp/mnt
mount /dev/nvme0n1 /tmp/mnt
bs="32k"
sz="1024m" # doesn't matter too much, I also tried 16m
xfs_io -f -c "pwrite -R -b $bs 0 $sz" -c "fdatasync" /tmp/mnt/sw
xfs_io -f -c "pwrite -R -b $bs 0 $sz" -c "fdatasync" /tmp/mnt/sw
xfs_io -f -c "pwrite -R -b $bs 0 $sz" -c "fdatasync" /tmp/mnt/sw
xfs_io -f -c "pwrite -F -S 0 -b $bs 0 $sz" -c "fdatasync" /tmp/mnt/sw
xfs_io -f -c "pwrite -R -b $bs 0 $sz" -c "fsync" /tmp/mnt/sw
mkswap /tmp/mnt/sw
swapon /tmp/mnt/sw
stress --vm 2 --vm-bytes 600M # doesn't matter too much as well
Symptoms:
- FS corruption (e.g. checksum failure)
- memory corruption at: 0xd2808010
- segfault
Fixes: f0eea189e8e9 ("mm, THP, swap: Don't allocate huge cluster for file backed swap device")
Fixes: 38d8b4e6bdc8 ("mm, THP, swap: delay splitting THP during swap out")
Signed-off-by: Gao Xiang <hsiangkao@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Reviewed-by: "Huang, Ying" <ying.huang@intel.com>
Reviewed-by: Yang Shi <shy828301@gmail.com>
Acked-by: Rafael Aquini <aquini@redhat.com>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: Carlos Maiolino <cmaiolino@redhat.com>
Cc: Eric Sandeen <esandeen@redhat.com>
Cc: Dave Chinner <david@fromorbit.com>
Cc: <stable@vger.kernel.org>
Link: https://lkml.kernel.org/r/20200820045323.7809-1-hsiangkao@redhat.com
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/swapfile.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/mm/swapfile.c
+++ b/mm/swapfile.c
@@ -998,7 +998,7 @@ start_over:
goto nextsi;
}
if (size == SWAPFILE_CLUSTER) {
- if (!(si->flags & SWP_FILE))
+ if (si->flags & SWP_BLKDEV)
n_ret = swap_alloc_cluster(si, swp_entries);
} else
n_ret = scan_swap_map_slots(si, SWAP_HAS_CACHE,
^ permalink raw reply [flat|nested] 256+ messages in thread
* [PATCH 4.19 240/245] s390/zcrypt: Fix ZCRYPT_PERDEV_REQCNT ioctl
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (238 preceding siblings ...)
2020-09-29 11:01 ` [PATCH 4.19 239/245] mm, THP, swap: fix allocating cluster for swapfile by mistake Greg Kroah-Hartman
@ 2020-09-29 11:01 ` Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 241/245] kprobes: Fix compiler warning for !CONFIG_KPROBES_ON_FTRACE Greg Kroah-Hartman
` (7 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:01 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Christian Borntraeger,
Harald Freudenberger, Vasily Gorbik
From: Christian Borntraeger <borntraeger@de.ibm.com>
commit f7e80983f0cf470bb82036e73bff4d5a7daf8fc2 upstream.
reqcnt is an u32 pointer but we do copy sizeof(reqcnt) which is the
size of the pointer. This means we only copy 8 byte. Let us copy
the full monty.
Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
Cc: Harald Freudenberger <freude@linux.ibm.com>
Cc: stable@vger.kernel.org
Fixes: af4a72276d49 ("s390/zcrypt: Support up to 256 crypto adapters.")
Reviewed-by: Harald Freudenberger <freude@linux.ibm.com>
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/s390/crypto/zcrypt_api.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/s390/crypto/zcrypt_api.c
+++ b/drivers/s390/crypto/zcrypt_api.c
@@ -915,7 +915,8 @@ static long zcrypt_unlocked_ioctl(struct
if (!reqcnt)
return -ENOMEM;
zcrypt_perdev_reqcnt(reqcnt, AP_DEVICES);
- if (copy_to_user((int __user *) arg, reqcnt, sizeof(reqcnt)))
+ if (copy_to_user((int __user *) arg, reqcnt,
+ sizeof(u32) * AP_DEVICES))
rc = -EFAULT;
kfree(reqcnt);
return rc;
^ permalink raw reply [flat|nested] 256+ messages in thread
* [PATCH 4.19 241/245] kprobes: Fix compiler warning for !CONFIG_KPROBES_ON_FTRACE
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (239 preceding siblings ...)
2020-09-29 11:01 ` [PATCH 4.19 240/245] s390/zcrypt: Fix ZCRYPT_PERDEV_REQCNT ioctl Greg Kroah-Hartman
@ 2020-09-29 11:01 ` Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 242/245] ata: define AC_ERR_OK Greg Kroah-Hartman
` (6 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:01 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Stephen Rothwell, Masami Hiramatsu,
John Fastabend, Muchun Song, Steven Rostedt (VMware)
From: Muchun Song <songmuchun@bytedance.com>
commit 10de795a5addd1962406796a6e13ba6cc0fc6bee upstream.
Fix compiler warning(as show below) for !CONFIG_KPROBES_ON_FTRACE.
kernel/kprobes.c: In function 'kill_kprobe':
kernel/kprobes.c:1116:33: warning: statement with no effect
[-Wunused-value]
1116 | #define disarm_kprobe_ftrace(p) (-ENODEV)
| ^
kernel/kprobes.c:2154:3: note: in expansion of macro
'disarm_kprobe_ftrace'
2154 | disarm_kprobe_ftrace(p);
Link: https://lore.kernel.org/r/20200805142136.0331f7ea@canb.auug.org.au
Link: https://lkml.kernel.org/r/20200805172046.19066-1-songmuchun@bytedance.com
Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
Fixes: 0cb2f1372baa ("kprobes: Fix NULL pointer dereference at kprobe_ftrace_handler")
Acked-by: Masami Hiramatsu <mhiramat@kernel.org>
Acked-by: John Fastabend <john.fastabend@gmail.com>
Signed-off-by: Muchun Song <songmuchun@bytedance.com>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/kprobes.c | 17 ++++++++++++++---
1 file changed, 14 insertions(+), 3 deletions(-)
--- a/kernel/kprobes.c
+++ b/kernel/kprobes.c
@@ -1065,9 +1065,20 @@ static int disarm_kprobe_ftrace(struct k
return ret;
}
#else /* !CONFIG_KPROBES_ON_FTRACE */
-#define prepare_kprobe(p) arch_prepare_kprobe(p)
-#define arm_kprobe_ftrace(p) (-ENODEV)
-#define disarm_kprobe_ftrace(p) (-ENODEV)
+static inline int prepare_kprobe(struct kprobe *p)
+{
+ return arch_prepare_kprobe(p);
+}
+
+static inline int arm_kprobe_ftrace(struct kprobe *p)
+{
+ return -ENODEV;
+}
+
+static inline int disarm_kprobe_ftrace(struct kprobe *p)
+{
+ return -ENODEV;
+}
#endif
/* Arm a kprobe with text_mutex */
^ permalink raw reply [flat|nested] 256+ messages in thread
* [PATCH 4.19 242/245] ata: define AC_ERR_OK
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (240 preceding siblings ...)
2020-09-29 11:01 ` [PATCH 4.19 241/245] kprobes: Fix compiler warning for !CONFIG_KPROBES_ON_FTRACE Greg Kroah-Hartman
@ 2020-09-29 11:01 ` Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 243/245] ata: make qc_prep return ata_completion_errors Greg Kroah-Hartman
` (5 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:01 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Jiri Slaby, Jens Axboe, linux-ide
From: Jiri Slaby <jslaby@suse.cz>
commit 25937580a5065d6fbd92d9c8ebd47145ad80052e upstream.
Since we will return enum ata_completion_errors from qc_prep in the next
patch, let's define AC_ERR_OK to mark the OK status.
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: linux-ide@vger.kernel.org
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/libata.h | 1 +
1 file changed, 1 insertion(+)
--- a/include/linux/libata.h
+++ b/include/linux/libata.h
@@ -503,6 +503,7 @@ enum hsm_task_states {
};
enum ata_completion_errors {
+ AC_ERR_OK = 0, /* no error */
AC_ERR_DEV = (1 << 0), /* device reported error */
AC_ERR_HSM = (1 << 1), /* host state machine violation */
AC_ERR_TIMEOUT = (1 << 2), /* timeout */
^ permalink raw reply [flat|nested] 256+ messages in thread
* [PATCH 4.19 243/245] ata: make qc_prep return ata_completion_errors
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (241 preceding siblings ...)
2020-09-29 11:01 ` [PATCH 4.19 242/245] ata: define AC_ERR_OK Greg Kroah-Hartman
@ 2020-09-29 11:01 ` Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 244/245] ata: sata_mv, avoid trigerrable BUG_ON Greg Kroah-Hartman
` (4 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:01 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Jiri Slaby, Jens Axboe, linux-ide
From: Jiri Slaby <jslaby@suse.cz>
commit 95364f36701e62dd50eee91e1303187fd1a9f567 upstream.
In case a driver wants to return an error from qc_prep, return enum
ata_completion_errors. sata_mv is one of those drivers -- see the next
patch. Other drivers return the newly defined AC_ERR_OK.
[v2] use enum ata_completion_errors and AC_ERR_OK.
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: linux-ide@vger.kernel.org
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/driver-api/libata.rst | 2 +-
drivers/ata/acard-ahci.c | 6 ++++--
drivers/ata/libahci.c | 6 ++++--
drivers/ata/libata-core.c | 9 +++++++--
drivers/ata/libata-sff.c | 12 ++++++++----
drivers/ata/pata_macio.c | 6 ++++--
drivers/ata/pata_pxa.c | 8 +++++---
drivers/ata/pdc_adma.c | 7 ++++---
drivers/ata/sata_fsl.c | 4 +++-
drivers/ata/sata_inic162x.c | 4 +++-
drivers/ata/sata_mv.c | 26 +++++++++++++++-----------
drivers/ata/sata_nv.c | 18 +++++++++++-------
drivers/ata/sata_promise.c | 6 ++++--
drivers/ata/sata_qstor.c | 8 +++++---
drivers/ata/sata_rcar.c | 6 ++++--
drivers/ata/sata_sil.c | 8 +++++---
drivers/ata/sata_sil24.c | 6 ++++--
drivers/ata/sata_sx4.c | 6 ++++--
include/linux/libata.h | 12 ++++++------
19 files changed, 101 insertions(+), 59 deletions(-)
--- a/Documentation/driver-api/libata.rst
+++ b/Documentation/driver-api/libata.rst
@@ -250,7 +250,7 @@ High-level taskfile hooks
::
- void (*qc_prep) (struct ata_queued_cmd *qc);
+ enum ata_completion_errors (*qc_prep) (struct ata_queued_cmd *qc);
int (*qc_issue) (struct ata_queued_cmd *qc);
--- a/drivers/ata/acard-ahci.c
+++ b/drivers/ata/acard-ahci.c
@@ -72,7 +72,7 @@ struct acard_sg {
__le32 size; /* bit 31 (EOT) max==0x10000 (64k) */
};
-static void acard_ahci_qc_prep(struct ata_queued_cmd *qc);
+static enum ata_completion_errors acard_ahci_qc_prep(struct ata_queued_cmd *qc);
static bool acard_ahci_qc_fill_rtf(struct ata_queued_cmd *qc);
static int acard_ahci_port_start(struct ata_port *ap);
static int acard_ahci_init_one(struct pci_dev *pdev, const struct pci_device_id *ent);
@@ -257,7 +257,7 @@ static unsigned int acard_ahci_fill_sg(s
return si;
}
-static void acard_ahci_qc_prep(struct ata_queued_cmd *qc)
+static enum ata_completion_errors acard_ahci_qc_prep(struct ata_queued_cmd *qc)
{
struct ata_port *ap = qc->ap;
struct ahci_port_priv *pp = ap->private_data;
@@ -295,6 +295,8 @@ static void acard_ahci_qc_prep(struct at
opts |= AHCI_CMD_ATAPI | AHCI_CMD_PREFETCH;
ahci_fill_cmd_slot(pp, qc->hw_tag, opts);
+
+ return AC_ERR_OK;
}
static bool acard_ahci_qc_fill_rtf(struct ata_queued_cmd *qc)
--- a/drivers/ata/libahci.c
+++ b/drivers/ata/libahci.c
@@ -73,7 +73,7 @@ static int ahci_scr_write(struct ata_lin
static bool ahci_qc_fill_rtf(struct ata_queued_cmd *qc);
static int ahci_port_start(struct ata_port *ap);
static void ahci_port_stop(struct ata_port *ap);
-static void ahci_qc_prep(struct ata_queued_cmd *qc);
+static enum ata_completion_errors ahci_qc_prep(struct ata_queued_cmd *qc);
static int ahci_pmp_qc_defer(struct ata_queued_cmd *qc);
static void ahci_freeze(struct ata_port *ap);
static void ahci_thaw(struct ata_port *ap);
@@ -1640,7 +1640,7 @@ static int ahci_pmp_qc_defer(struct ata_
return sata_pmp_qc_defer_cmd_switch(qc);
}
-static void ahci_qc_prep(struct ata_queued_cmd *qc)
+static enum ata_completion_errors ahci_qc_prep(struct ata_queued_cmd *qc)
{
struct ata_port *ap = qc->ap;
struct ahci_port_priv *pp = ap->private_data;
@@ -1676,6 +1676,8 @@ static void ahci_qc_prep(struct ata_queu
opts |= AHCI_CMD_ATAPI | AHCI_CMD_PREFETCH;
ahci_fill_cmd_slot(pp, qc->hw_tag, opts);
+
+ return AC_ERR_OK;
}
static void ahci_fbs_dec_intr(struct ata_port *ap)
--- a/drivers/ata/libata-core.c
+++ b/drivers/ata/libata-core.c
@@ -4996,7 +4996,10 @@ int ata_std_qc_defer(struct ata_queued_c
return ATA_DEFER_LINK;
}
-void ata_noop_qc_prep(struct ata_queued_cmd *qc) { }
+enum ata_completion_errors ata_noop_qc_prep(struct ata_queued_cmd *qc)
+{
+ return AC_ERR_OK;
+}
/**
* ata_sg_init - Associate command with scatter-gather table.
@@ -5483,7 +5486,9 @@ void ata_qc_issue(struct ata_queued_cmd
return;
}
- ap->ops->qc_prep(qc);
+ qc->err_mask |= ap->ops->qc_prep(qc);
+ if (unlikely(qc->err_mask))
+ goto err;
trace_ata_qc_issue(qc);
qc->err_mask |= ap->ops->qc_issue(qc);
if (unlikely(qc->err_mask))
--- a/drivers/ata/libata-sff.c
+++ b/drivers/ata/libata-sff.c
@@ -2695,12 +2695,14 @@ static void ata_bmdma_fill_sg_dumb(struc
* LOCKING:
* spin_lock_irqsave(host lock)
*/
-void ata_bmdma_qc_prep(struct ata_queued_cmd *qc)
+enum ata_completion_errors ata_bmdma_qc_prep(struct ata_queued_cmd *qc)
{
if (!(qc->flags & ATA_QCFLAG_DMAMAP))
- return;
+ return AC_ERR_OK;
ata_bmdma_fill_sg(qc);
+
+ return AC_ERR_OK;
}
EXPORT_SYMBOL_GPL(ata_bmdma_qc_prep);
@@ -2713,12 +2715,14 @@ EXPORT_SYMBOL_GPL(ata_bmdma_qc_prep);
* LOCKING:
* spin_lock_irqsave(host lock)
*/
-void ata_bmdma_dumb_qc_prep(struct ata_queued_cmd *qc)
+enum ata_completion_errors ata_bmdma_dumb_qc_prep(struct ata_queued_cmd *qc)
{
if (!(qc->flags & ATA_QCFLAG_DMAMAP))
- return;
+ return AC_ERR_OK;
ata_bmdma_fill_sg_dumb(qc);
+
+ return AC_ERR_OK;
}
EXPORT_SYMBOL_GPL(ata_bmdma_dumb_qc_prep);
--- a/drivers/ata/pata_macio.c
+++ b/drivers/ata/pata_macio.c
@@ -507,7 +507,7 @@ static int pata_macio_cable_detect(struc
return ATA_CBL_PATA40;
}
-static void pata_macio_qc_prep(struct ata_queued_cmd *qc)
+static enum ata_completion_errors pata_macio_qc_prep(struct ata_queued_cmd *qc)
{
unsigned int write = (qc->tf.flags & ATA_TFLAG_WRITE);
struct ata_port *ap = qc->ap;
@@ -520,7 +520,7 @@ static void pata_macio_qc_prep(struct at
__func__, qc, qc->flags, write, qc->dev->devno);
if (!(qc->flags & ATA_QCFLAG_DMAMAP))
- return;
+ return AC_ERR_OK;
table = (struct dbdma_cmd *) priv->dma_table_cpu;
@@ -565,6 +565,8 @@ static void pata_macio_qc_prep(struct at
table->command = cpu_to_le16(DBDMA_STOP);
dev_dbgdma(priv->dev, "%s: %d DMA list entries\n", __func__, pi);
+
+ return AC_ERR_OK;
}
--- a/drivers/ata/pata_pxa.c
+++ b/drivers/ata/pata_pxa.c
@@ -58,25 +58,27 @@ static void pxa_ata_dma_irq(void *d)
/*
* Prepare taskfile for submission.
*/
-static void pxa_qc_prep(struct ata_queued_cmd *qc)
+static enum ata_completion_errors pxa_qc_prep(struct ata_queued_cmd *qc)
{
struct pata_pxa_data *pd = qc->ap->private_data;
struct dma_async_tx_descriptor *tx;
enum dma_transfer_direction dir;
if (!(qc->flags & ATA_QCFLAG_DMAMAP))
- return;
+ return AC_ERR_OK;
dir = (qc->dma_dir == DMA_TO_DEVICE ? DMA_MEM_TO_DEV : DMA_DEV_TO_MEM);
tx = dmaengine_prep_slave_sg(pd->dma_chan, qc->sg, qc->n_elem, dir,
DMA_PREP_INTERRUPT);
if (!tx) {
ata_dev_err(qc->dev, "prep_slave_sg() failed\n");
- return;
+ return AC_ERR_OK;
}
tx->callback = pxa_ata_dma_irq;
tx->callback_param = pd;
pd->dma_cookie = dmaengine_submit(tx);
+
+ return AC_ERR_OK;
}
/*
--- a/drivers/ata/pdc_adma.c
+++ b/drivers/ata/pdc_adma.c
@@ -132,7 +132,7 @@ static int adma_ata_init_one(struct pci_
const struct pci_device_id *ent);
static int adma_port_start(struct ata_port *ap);
static void adma_port_stop(struct ata_port *ap);
-static void adma_qc_prep(struct ata_queued_cmd *qc);
+static enum ata_completion_errors adma_qc_prep(struct ata_queued_cmd *qc);
static unsigned int adma_qc_issue(struct ata_queued_cmd *qc);
static int adma_check_atapi_dma(struct ata_queued_cmd *qc);
static void adma_freeze(struct ata_port *ap);
@@ -311,7 +311,7 @@ static int adma_fill_sg(struct ata_queue
return i;
}
-static void adma_qc_prep(struct ata_queued_cmd *qc)
+static enum ata_completion_errors adma_qc_prep(struct ata_queued_cmd *qc)
{
struct adma_port_priv *pp = qc->ap->private_data;
u8 *buf = pp->pkt;
@@ -322,7 +322,7 @@ static void adma_qc_prep(struct ata_queu
adma_enter_reg_mode(qc->ap);
if (qc->tf.protocol != ATA_PROT_DMA)
- return;
+ return AC_ERR_OK;
buf[i++] = 0; /* Response flags */
buf[i++] = 0; /* reserved */
@@ -387,6 +387,7 @@ static void adma_qc_prep(struct ata_queu
printk("%s\n", obuf);
}
#endif
+ return AC_ERR_OK;
}
static inline void adma_packet_start(struct ata_queued_cmd *qc)
--- a/drivers/ata/sata_fsl.c
+++ b/drivers/ata/sata_fsl.c
@@ -507,7 +507,7 @@ static unsigned int sata_fsl_fill_sg(str
return num_prde;
}
-static void sata_fsl_qc_prep(struct ata_queued_cmd *qc)
+static enum ata_completion_errors sata_fsl_qc_prep(struct ata_queued_cmd *qc)
{
struct ata_port *ap = qc->ap;
struct sata_fsl_port_priv *pp = ap->private_data;
@@ -553,6 +553,8 @@ static void sata_fsl_qc_prep(struct ata_
VPRINTK("SATA FSL : xx_qc_prep, di = 0x%x, ttl = %d, num_prde = %d\n",
desc_info, ttl_dwords, num_prde);
+
+ return AC_ERR_OK;
}
static unsigned int sata_fsl_qc_issue(struct ata_queued_cmd *qc)
--- a/drivers/ata/sata_inic162x.c
+++ b/drivers/ata/sata_inic162x.c
@@ -472,7 +472,7 @@ static void inic_fill_sg(struct inic_prd
prd[-1].flags |= PRD_END;
}
-static void inic_qc_prep(struct ata_queued_cmd *qc)
+static enum ata_completion_errors inic_qc_prep(struct ata_queued_cmd *qc)
{
struct inic_port_priv *pp = qc->ap->private_data;
struct inic_pkt *pkt = pp->pkt;
@@ -532,6 +532,8 @@ static void inic_qc_prep(struct ata_queu
inic_fill_sg(prd, qc);
pp->cpb_tbl[0] = pp->pkt_dma;
+
+ return AC_ERR_OK;
}
static unsigned int inic_qc_issue(struct ata_queued_cmd *qc)
--- a/drivers/ata/sata_mv.c
+++ b/drivers/ata/sata_mv.c
@@ -605,8 +605,8 @@ static int mv5_scr_write(struct ata_link
static int mv_port_start(struct ata_port *ap);
static void mv_port_stop(struct ata_port *ap);
static int mv_qc_defer(struct ata_queued_cmd *qc);
-static void mv_qc_prep(struct ata_queued_cmd *qc);
-static void mv_qc_prep_iie(struct ata_queued_cmd *qc);
+static enum ata_completion_errors mv_qc_prep(struct ata_queued_cmd *qc);
+static enum ata_completion_errors mv_qc_prep_iie(struct ata_queued_cmd *qc);
static unsigned int mv_qc_issue(struct ata_queued_cmd *qc);
static int mv_hardreset(struct ata_link *link, unsigned int *class,
unsigned long deadline);
@@ -2044,7 +2044,7 @@ static void mv_rw_multi_errata_sata24(st
* LOCKING:
* Inherited from caller.
*/
-static void mv_qc_prep(struct ata_queued_cmd *qc)
+static enum ata_completion_errors mv_qc_prep(struct ata_queued_cmd *qc)
{
struct ata_port *ap = qc->ap;
struct mv_port_priv *pp = ap->private_data;
@@ -2056,15 +2056,15 @@ static void mv_qc_prep(struct ata_queued
switch (tf->protocol) {
case ATA_PROT_DMA:
if (tf->command == ATA_CMD_DSM)
- return;
+ return AC_ERR_OK;
/* fall-thru */
case ATA_PROT_NCQ:
break; /* continue below */
case ATA_PROT_PIO:
mv_rw_multi_errata_sata24(qc);
- return;
+ return AC_ERR_OK;
default:
- return;
+ return AC_ERR_OK;
}
/* Fill in command request block
@@ -2129,8 +2129,10 @@ static void mv_qc_prep(struct ata_queued
mv_crqb_pack_cmd(cw++, tf->command, ATA_REG_CMD, 1); /* last */
if (!(qc->flags & ATA_QCFLAG_DMAMAP))
- return;
+ return AC_ERR_OK;
mv_fill_sg(qc);
+
+ return AC_ERR_OK;
}
/**
@@ -2145,7 +2147,7 @@ static void mv_qc_prep(struct ata_queued
* LOCKING:
* Inherited from caller.
*/
-static void mv_qc_prep_iie(struct ata_queued_cmd *qc)
+static enum ata_completion_errors mv_qc_prep_iie(struct ata_queued_cmd *qc)
{
struct ata_port *ap = qc->ap;
struct mv_port_priv *pp = ap->private_data;
@@ -2156,9 +2158,9 @@ static void mv_qc_prep_iie(struct ata_qu
if ((tf->protocol != ATA_PROT_DMA) &&
(tf->protocol != ATA_PROT_NCQ))
- return;
+ return AC_ERR_OK;
if (tf->command == ATA_CMD_DSM)
- return; /* use bmdma for this */
+ return AC_ERR_OK; /* use bmdma for this */
/* Fill in Gen IIE command request block */
if (!(tf->flags & ATA_TFLAG_WRITE))
@@ -2199,8 +2201,10 @@ static void mv_qc_prep_iie(struct ata_qu
);
if (!(qc->flags & ATA_QCFLAG_DMAMAP))
- return;
+ return AC_ERR_OK;
mv_fill_sg(qc);
+
+ return AC_ERR_OK;
}
/**
--- a/drivers/ata/sata_nv.c
+++ b/drivers/ata/sata_nv.c
@@ -313,7 +313,7 @@ static void nv_ck804_freeze(struct ata_p
static void nv_ck804_thaw(struct ata_port *ap);
static int nv_adma_slave_config(struct scsi_device *sdev);
static int nv_adma_check_atapi_dma(struct ata_queued_cmd *qc);
-static void nv_adma_qc_prep(struct ata_queued_cmd *qc);
+static enum ata_completion_errors nv_adma_qc_prep(struct ata_queued_cmd *qc);
static unsigned int nv_adma_qc_issue(struct ata_queued_cmd *qc);
static irqreturn_t nv_adma_interrupt(int irq, void *dev_instance);
static void nv_adma_irq_clear(struct ata_port *ap);
@@ -335,7 +335,7 @@ static void nv_mcp55_freeze(struct ata_p
static void nv_swncq_error_handler(struct ata_port *ap);
static int nv_swncq_slave_config(struct scsi_device *sdev);
static int nv_swncq_port_start(struct ata_port *ap);
-static void nv_swncq_qc_prep(struct ata_queued_cmd *qc);
+static enum ata_completion_errors nv_swncq_qc_prep(struct ata_queued_cmd *qc);
static void nv_swncq_fill_sg(struct ata_queued_cmd *qc);
static unsigned int nv_swncq_qc_issue(struct ata_queued_cmd *qc);
static void nv_swncq_irq_clear(struct ata_port *ap, u16 fis);
@@ -1365,7 +1365,7 @@ static int nv_adma_use_reg_mode(struct a
return 1;
}
-static void nv_adma_qc_prep(struct ata_queued_cmd *qc)
+static enum ata_completion_errors nv_adma_qc_prep(struct ata_queued_cmd *qc)
{
struct nv_adma_port_priv *pp = qc->ap->private_data;
struct nv_adma_cpb *cpb = &pp->cpb[qc->hw_tag];
@@ -1377,7 +1377,7 @@ static void nv_adma_qc_prep(struct ata_q
(qc->flags & ATA_QCFLAG_DMAMAP));
nv_adma_register_mode(qc->ap);
ata_bmdma_qc_prep(qc);
- return;
+ return AC_ERR_OK;
}
cpb->resp_flags = NV_CPB_RESP_DONE;
@@ -1409,6 +1409,8 @@ static void nv_adma_qc_prep(struct ata_q
cpb->ctl_flags = ctl_flags;
wmb();
cpb->resp_flags = 0;
+
+ return AC_ERR_OK;
}
static unsigned int nv_adma_qc_issue(struct ata_queued_cmd *qc)
@@ -1972,17 +1974,19 @@ static int nv_swncq_port_start(struct at
return 0;
}
-static void nv_swncq_qc_prep(struct ata_queued_cmd *qc)
+static enum ata_completion_errors nv_swncq_qc_prep(struct ata_queued_cmd *qc)
{
if (qc->tf.protocol != ATA_PROT_NCQ) {
ata_bmdma_qc_prep(qc);
- return;
+ return AC_ERR_OK;
}
if (!(qc->flags & ATA_QCFLAG_DMAMAP))
- return;
+ return AC_ERR_OK;
nv_swncq_fill_sg(qc);
+
+ return AC_ERR_OK;
}
static void nv_swncq_fill_sg(struct ata_queued_cmd *qc)
--- a/drivers/ata/sata_promise.c
+++ b/drivers/ata/sata_promise.c
@@ -155,7 +155,7 @@ static int pdc_sata_scr_write(struct ata
static int pdc_ata_init_one(struct pci_dev *pdev, const struct pci_device_id *ent);
static int pdc_common_port_start(struct ata_port *ap);
static int pdc_sata_port_start(struct ata_port *ap);
-static void pdc_qc_prep(struct ata_queued_cmd *qc);
+static enum ata_completion_errors pdc_qc_prep(struct ata_queued_cmd *qc);
static void pdc_tf_load_mmio(struct ata_port *ap, const struct ata_taskfile *tf);
static void pdc_exec_command_mmio(struct ata_port *ap, const struct ata_taskfile *tf);
static int pdc_check_atapi_dma(struct ata_queued_cmd *qc);
@@ -649,7 +649,7 @@ static void pdc_fill_sg(struct ata_queue
prd[idx - 1].flags_len |= cpu_to_le32(ATA_PRD_EOT);
}
-static void pdc_qc_prep(struct ata_queued_cmd *qc)
+static enum ata_completion_errors pdc_qc_prep(struct ata_queued_cmd *qc)
{
struct pdc_port_priv *pp = qc->ap->private_data;
unsigned int i;
@@ -681,6 +681,8 @@ static void pdc_qc_prep(struct ata_queue
default:
break;
}
+
+ return AC_ERR_OK;
}
static int pdc_is_sataii_tx4(unsigned long flags)
--- a/drivers/ata/sata_qstor.c
+++ b/drivers/ata/sata_qstor.c
@@ -116,7 +116,7 @@ static int qs_scr_write(struct ata_link
static int qs_ata_init_one(struct pci_dev *pdev, const struct pci_device_id *ent);
static int qs_port_start(struct ata_port *ap);
static void qs_host_stop(struct ata_host *host);
-static void qs_qc_prep(struct ata_queued_cmd *qc);
+static enum ata_completion_errors qs_qc_prep(struct ata_queued_cmd *qc);
static unsigned int qs_qc_issue(struct ata_queued_cmd *qc);
static int qs_check_atapi_dma(struct ata_queued_cmd *qc);
static void qs_freeze(struct ata_port *ap);
@@ -276,7 +276,7 @@ static unsigned int qs_fill_sg(struct at
return si;
}
-static void qs_qc_prep(struct ata_queued_cmd *qc)
+static enum ata_completion_errors qs_qc_prep(struct ata_queued_cmd *qc)
{
struct qs_port_priv *pp = qc->ap->private_data;
u8 dflags = QS_DF_PORD, *buf = pp->pkt;
@@ -288,7 +288,7 @@ static void qs_qc_prep(struct ata_queued
qs_enter_reg_mode(qc->ap);
if (qc->tf.protocol != ATA_PROT_DMA)
- return;
+ return AC_ERR_OK;
nelem = qs_fill_sg(qc);
@@ -311,6 +311,8 @@ static void qs_qc_prep(struct ata_queued
/* frame information structure (FIS) */
ata_tf_to_fis(&qc->tf, 0, 1, &buf[32]);
+
+ return AC_ERR_OK;
}
static inline void qs_packet_start(struct ata_queued_cmd *qc)
--- a/drivers/ata/sata_rcar.c
+++ b/drivers/ata/sata_rcar.c
@@ -554,12 +554,14 @@ static void sata_rcar_bmdma_fill_sg(stru
prd[si - 1].addr |= cpu_to_le32(SATA_RCAR_DTEND);
}
-static void sata_rcar_qc_prep(struct ata_queued_cmd *qc)
+static enum ata_completion_errors sata_rcar_qc_prep(struct ata_queued_cmd *qc)
{
if (!(qc->flags & ATA_QCFLAG_DMAMAP))
- return;
+ return AC_ERR_OK;
sata_rcar_bmdma_fill_sg(qc);
+
+ return AC_ERR_OK;
}
static void sata_rcar_bmdma_setup(struct ata_queued_cmd *qc)
--- a/drivers/ata/sata_sil.c
+++ b/drivers/ata/sata_sil.c
@@ -119,7 +119,7 @@ static void sil_dev_config(struct ata_de
static int sil_scr_read(struct ata_link *link, unsigned int sc_reg, u32 *val);
static int sil_scr_write(struct ata_link *link, unsigned int sc_reg, u32 val);
static int sil_set_mode(struct ata_link *link, struct ata_device **r_failed);
-static void sil_qc_prep(struct ata_queued_cmd *qc);
+static enum ata_completion_errors sil_qc_prep(struct ata_queued_cmd *qc);
static void sil_bmdma_setup(struct ata_queued_cmd *qc);
static void sil_bmdma_start(struct ata_queued_cmd *qc);
static void sil_bmdma_stop(struct ata_queued_cmd *qc);
@@ -333,12 +333,14 @@ static void sil_fill_sg(struct ata_queue
last_prd->flags_len |= cpu_to_le32(ATA_PRD_EOT);
}
-static void sil_qc_prep(struct ata_queued_cmd *qc)
+static enum ata_completion_errors sil_qc_prep(struct ata_queued_cmd *qc)
{
if (!(qc->flags & ATA_QCFLAG_DMAMAP))
- return;
+ return AC_ERR_OK;
sil_fill_sg(qc);
+
+ return AC_ERR_OK;
}
static unsigned char sil_get_device_cache_line(struct pci_dev *pdev)
--- a/drivers/ata/sata_sil24.c
+++ b/drivers/ata/sata_sil24.c
@@ -336,7 +336,7 @@ static void sil24_dev_config(struct ata_
static int sil24_scr_read(struct ata_link *link, unsigned sc_reg, u32 *val);
static int sil24_scr_write(struct ata_link *link, unsigned sc_reg, u32 val);
static int sil24_qc_defer(struct ata_queued_cmd *qc);
-static void sil24_qc_prep(struct ata_queued_cmd *qc);
+static enum ata_completion_errors sil24_qc_prep(struct ata_queued_cmd *qc);
static unsigned int sil24_qc_issue(struct ata_queued_cmd *qc);
static bool sil24_qc_fill_rtf(struct ata_queued_cmd *qc);
static void sil24_pmp_attach(struct ata_port *ap);
@@ -840,7 +840,7 @@ static int sil24_qc_defer(struct ata_que
return ata_std_qc_defer(qc);
}
-static void sil24_qc_prep(struct ata_queued_cmd *qc)
+static enum ata_completion_errors sil24_qc_prep(struct ata_queued_cmd *qc)
{
struct ata_port *ap = qc->ap;
struct sil24_port_priv *pp = ap->private_data;
@@ -884,6 +884,8 @@ static void sil24_qc_prep(struct ata_que
if (qc->flags & ATA_QCFLAG_DMAMAP)
sil24_fill_sg(qc, sge);
+
+ return AC_ERR_OK;
}
static unsigned int sil24_qc_issue(struct ata_queued_cmd *qc)
--- a/drivers/ata/sata_sx4.c
+++ b/drivers/ata/sata_sx4.c
@@ -218,7 +218,7 @@ static void pdc_error_handler(struct ata
static void pdc_freeze(struct ata_port *ap);
static void pdc_thaw(struct ata_port *ap);
static int pdc_port_start(struct ata_port *ap);
-static void pdc20621_qc_prep(struct ata_queued_cmd *qc);
+static enum ata_completion_errors pdc20621_qc_prep(struct ata_queued_cmd *qc);
static void pdc_tf_load_mmio(struct ata_port *ap, const struct ata_taskfile *tf);
static void pdc_exec_command_mmio(struct ata_port *ap, const struct ata_taskfile *tf);
static unsigned int pdc20621_dimm_init(struct ata_host *host);
@@ -546,7 +546,7 @@ static void pdc20621_nodata_prep(struct
VPRINTK("ata pkt buf ofs %u, mmio copied\n", i);
}
-static void pdc20621_qc_prep(struct ata_queued_cmd *qc)
+static enum ata_completion_errors pdc20621_qc_prep(struct ata_queued_cmd *qc)
{
switch (qc->tf.protocol) {
case ATA_PROT_DMA:
@@ -558,6 +558,8 @@ static void pdc20621_qc_prep(struct ata_
default:
break;
}
+
+ return AC_ERR_OK;
}
static void __pdc20621_push_hdma(struct ata_queued_cmd *qc,
--- a/include/linux/libata.h
+++ b/include/linux/libata.h
@@ -913,9 +913,9 @@ struct ata_port_operations {
/*
* Command execution
*/
- int (*qc_defer)(struct ata_queued_cmd *qc);
- int (*check_atapi_dma)(struct ata_queued_cmd *qc);
- void (*qc_prep)(struct ata_queued_cmd *qc);
+ int (*qc_defer)(struct ata_queued_cmd *qc);
+ int (*check_atapi_dma)(struct ata_queued_cmd *qc);
+ enum ata_completion_errors (*qc_prep)(struct ata_queued_cmd *qc);
unsigned int (*qc_issue)(struct ata_queued_cmd *qc);
bool (*qc_fill_rtf)(struct ata_queued_cmd *qc);
@@ -1182,7 +1182,7 @@ extern int ata_xfer_mode2shift(unsigned
extern const char *ata_mode_string(unsigned long xfer_mask);
extern unsigned long ata_id_xfermask(const u16 *id);
extern int ata_std_qc_defer(struct ata_queued_cmd *qc);
-extern void ata_noop_qc_prep(struct ata_queued_cmd *qc);
+extern enum ata_completion_errors ata_noop_qc_prep(struct ata_queued_cmd *qc);
extern void ata_sg_init(struct ata_queued_cmd *qc, struct scatterlist *sg,
unsigned int n_elem);
extern unsigned int ata_dev_classify(const struct ata_taskfile *tf);
@@ -1917,9 +1917,9 @@ extern const struct ata_port_operations
.sg_tablesize = LIBATA_MAX_PRD, \
.dma_boundary = ATA_DMA_BOUNDARY
-extern void ata_bmdma_qc_prep(struct ata_queued_cmd *qc);
+extern enum ata_completion_errors ata_bmdma_qc_prep(struct ata_queued_cmd *qc);
extern unsigned int ata_bmdma_qc_issue(struct ata_queued_cmd *qc);
-extern void ata_bmdma_dumb_qc_prep(struct ata_queued_cmd *qc);
+extern enum ata_completion_errors ata_bmdma_dumb_qc_prep(struct ata_queued_cmd *qc);
extern unsigned int ata_bmdma_port_intr(struct ata_port *ap,
struct ata_queued_cmd *qc);
extern irqreturn_t ata_bmdma_interrupt(int irq, void *dev_instance);
^ permalink raw reply [flat|nested] 256+ messages in thread
* [PATCH 4.19 244/245] ata: sata_mv, avoid trigerrable BUG_ON
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (242 preceding siblings ...)
2020-09-29 11:01 ` [PATCH 4.19 243/245] ata: make qc_prep return ata_completion_errors Greg Kroah-Hartman
@ 2020-09-29 11:01 ` Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 245/245] KVM: arm64: Assume write fault on S1PTW permission fault on instruction fetch Greg Kroah-Hartman
` (3 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:01 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Jiri Slaby, Jens Axboe, linux-ide,
Sergei Shtylyov
From: Jiri Slaby <jslaby@suse.cz>
commit e9f691d899188679746eeb96e6cb520459eda9b4 upstream.
There are several reports that the BUG_ON on unsupported command in
mv_qc_prep can be triggered under some circumstances:
https://bugzilla.suse.com/show_bug.cgi?id=1110252
https://serverfault.com/questions/888897/raid-problems-after-power-outage
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1652185
https://bugs.centos.org/view.php?id=14998
Let sata_mv handle the failure gracefully: warn about that incl. the
failed command number and return an AC_ERR_INVALID error. We can do that
now thanks to the previous patch.
Remove also the long-standing FIXME.
[v2] use %.2x as commands are defined as hexa.
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: linux-ide@vger.kernel.org
Cc: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/ata/sata_mv.c | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
--- a/drivers/ata/sata_mv.c
+++ b/drivers/ata/sata_mv.c
@@ -2111,12 +2111,10 @@ static enum ata_completion_errors mv_qc_
* non-NCQ mode are: [RW] STREAM DMA and W DMA FUA EXT, none
* of which are defined/used by Linux. If we get here, this
* driver needs work.
- *
- * FIXME: modify libata to give qc_prep a return value and
- * return error here.
*/
- BUG_ON(tf->command);
- break;
+ ata_port_err(ap, "%s: unsupported command: %.2x\n", __func__,
+ tf->command);
+ return AC_ERR_INVALID;
}
mv_crqb_pack_cmd(cw++, tf->nsect, ATA_REG_NSECT, 0);
mv_crqb_pack_cmd(cw++, tf->hob_lbal, ATA_REG_LBAL, 0);
^ permalink raw reply [flat|nested] 256+ messages in thread
* [PATCH 4.19 245/245] KVM: arm64: Assume write fault on S1PTW permission fault on instruction fetch
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (243 preceding siblings ...)
2020-09-29 11:01 ` [PATCH 4.19 244/245] ata: sata_mv, avoid trigerrable BUG_ON Greg Kroah-Hartman
@ 2020-09-29 11:01 ` Greg Kroah-Hartman
2020-09-29 12:26 ` [PATCH 4.19 000/245] 4.19.149-rc1 review Pavel Machek
` (2 subsequent siblings)
247 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 11:01 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Marc Zyngier, Will Deacon
From: Marc Zyngier <maz@kernel.org>
commit c4ad98e4b72cb5be30ea282fce935248f2300e62 upstream.
KVM currently assumes that an instruction abort can never be a write.
This is in general true, except when the abort is triggered by
a S1PTW on instruction fetch that tries to update the S1 page tables
(to set AF, for example).
This can happen if the page tables have been paged out and brought
back in without seeing a direct write to them (they are thus marked
read only), and the fault handling code will make the PT executable(!)
instead of writable. The guest gets stuck forever.
In these conditions, the permission fault must be considered as
a write so that the Stage-1 update can take place. This is essentially
the I-side equivalent of the problem fixed by 60e21a0ef54c ("arm64: KVM:
Take S1 walks into account when determining S2 write faults").
Update kvm_is_write_fault() to return true on IABT+S1PTW, and introduce
kvm_vcpu_trap_is_exec_fault() that only return true when no faulting
on a S1 fault. Additionally, kvm_vcpu_dabt_iss1tw() is renamed to
kvm_vcpu_abt_iss1tw(), as the above makes it plain that it isn't
specific to data abort.
Signed-off-by: Marc Zyngier <maz@kernel.org>
Reviewed-by: Will Deacon <will@kernel.org>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20200915104218.1284701-2-maz@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm/include/asm/kvm_emulate.h | 11 ++++++++---
arch/arm64/include/asm/kvm_emulate.h | 9 +++++++--
arch/arm64/kvm/hyp/switch.c | 2 +-
virt/kvm/arm/mmio.c | 2 +-
virt/kvm/arm/mmu.c | 5 ++++-
5 files changed, 21 insertions(+), 8 deletions(-)
--- a/arch/arm/include/asm/kvm_emulate.h
+++ b/arch/arm/include/asm/kvm_emulate.h
@@ -216,7 +216,7 @@ static inline int kvm_vcpu_dabt_get_rd(s
return (kvm_vcpu_get_hsr(vcpu) & HSR_SRT_MASK) >> HSR_SRT_SHIFT;
}
-static inline bool kvm_vcpu_dabt_iss1tw(struct kvm_vcpu *vcpu)
+static inline bool kvm_vcpu_abt_iss1tw(const struct kvm_vcpu *vcpu)
{
return kvm_vcpu_get_hsr(vcpu) & HSR_DABT_S1PTW;
}
@@ -248,16 +248,21 @@ static inline bool kvm_vcpu_trap_il_is32
return kvm_vcpu_get_hsr(vcpu) & HSR_IL;
}
-static inline u8 kvm_vcpu_trap_get_class(struct kvm_vcpu *vcpu)
+static inline u8 kvm_vcpu_trap_get_class(const struct kvm_vcpu *vcpu)
{
return kvm_vcpu_get_hsr(vcpu) >> HSR_EC_SHIFT;
}
-static inline bool kvm_vcpu_trap_is_iabt(struct kvm_vcpu *vcpu)
+static inline bool kvm_vcpu_trap_is_iabt(const struct kvm_vcpu *vcpu)
{
return kvm_vcpu_trap_get_class(vcpu) == HSR_EC_IABT;
}
+static inline bool kvm_vcpu_trap_is_exec_fault(const struct kvm_vcpu *vcpu)
+{
+ return kvm_vcpu_trap_is_iabt(vcpu) && !kvm_vcpu_abt_iss1tw(vcpu);
+}
+
static inline u8 kvm_vcpu_trap_get_fault(struct kvm_vcpu *vcpu)
{
return kvm_vcpu_get_hsr(vcpu) & HSR_FSC;
--- a/arch/arm64/include/asm/kvm_emulate.h
+++ b/arch/arm64/include/asm/kvm_emulate.h
@@ -303,7 +303,7 @@ static inline int kvm_vcpu_dabt_get_rd(c
return (kvm_vcpu_get_hsr(vcpu) & ESR_ELx_SRT_MASK) >> ESR_ELx_SRT_SHIFT;
}
-static inline bool kvm_vcpu_dabt_iss1tw(const struct kvm_vcpu *vcpu)
+static inline bool kvm_vcpu_abt_iss1tw(const struct kvm_vcpu *vcpu)
{
return !!(kvm_vcpu_get_hsr(vcpu) & ESR_ELx_S1PTW);
}
@@ -311,7 +311,7 @@ static inline bool kvm_vcpu_dabt_iss1tw(
static inline bool kvm_vcpu_dabt_iswrite(const struct kvm_vcpu *vcpu)
{
return !!(kvm_vcpu_get_hsr(vcpu) & ESR_ELx_WNR) ||
- kvm_vcpu_dabt_iss1tw(vcpu); /* AF/DBM update */
+ kvm_vcpu_abt_iss1tw(vcpu); /* AF/DBM update */
}
static inline bool kvm_vcpu_dabt_is_cm(const struct kvm_vcpu *vcpu)
@@ -340,6 +340,11 @@ static inline bool kvm_vcpu_trap_is_iabt
return kvm_vcpu_trap_get_class(vcpu) == ESR_ELx_EC_IABT_LOW;
}
+static inline bool kvm_vcpu_trap_is_exec_fault(const struct kvm_vcpu *vcpu)
+{
+ return kvm_vcpu_trap_is_iabt(vcpu) && !kvm_vcpu_abt_iss1tw(vcpu);
+}
+
static inline u8 kvm_vcpu_trap_get_fault(const struct kvm_vcpu *vcpu)
{
return kvm_vcpu_get_hsr(vcpu) & ESR_ELx_FSC;
--- a/arch/arm64/kvm/hyp/switch.c
+++ b/arch/arm64/kvm/hyp/switch.c
@@ -430,7 +430,7 @@ static bool __hyp_text fixup_guest_exit(
kvm_vcpu_trap_get_fault_type(vcpu) == FSC_FAULT &&
kvm_vcpu_dabt_isvalid(vcpu) &&
!kvm_vcpu_dabt_isextabt(vcpu) &&
- !kvm_vcpu_dabt_iss1tw(vcpu);
+ !kvm_vcpu_abt_iss1tw(vcpu);
if (valid) {
int ret = __vgic_v2_perform_cpuif_access(vcpu);
--- a/virt/kvm/arm/mmio.c
+++ b/virt/kvm/arm/mmio.c
@@ -142,7 +142,7 @@ static int decode_hsr(struct kvm_vcpu *v
bool sign_extend;
bool sixty_four;
- if (kvm_vcpu_dabt_iss1tw(vcpu)) {
+ if (kvm_vcpu_abt_iss1tw(vcpu)) {
/* page table accesses IO mem: tell guest to fix its TTBR */
kvm_inject_dabt(vcpu, kvm_vcpu_get_hfar(vcpu));
return 1;
--- a/virt/kvm/arm/mmu.c
+++ b/virt/kvm/arm/mmu.c
@@ -1282,6 +1282,9 @@ static bool transparent_hugepage_adjust(
static bool kvm_is_write_fault(struct kvm_vcpu *vcpu)
{
+ if (kvm_vcpu_abt_iss1tw(vcpu))
+ return true;
+
if (kvm_vcpu_trap_is_iabt(vcpu))
return false;
@@ -1496,7 +1499,7 @@ static int user_mem_abort(struct kvm_vcp
unsigned long flags = 0;
write_fault = kvm_is_write_fault(vcpu);
- exec_fault = kvm_vcpu_trap_is_iabt(vcpu);
+ exec_fault = kvm_vcpu_trap_is_exec_fault(vcpu);
VM_BUG_ON(write_fault && exec_fault);
if (fault_status == FSC_PERM && !write_fault && !exec_fault) {
^ permalink raw reply [flat|nested] 256+ messages in thread
* Re: [PATCH 4.19 000/245] 4.19.149-rc1 review
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (244 preceding siblings ...)
2020-09-29 11:01 ` [PATCH 4.19 245/245] KVM: arm64: Assume write fault on S1PTW permission fault on instruction fetch Greg Kroah-Hartman
@ 2020-09-29 12:26 ` Pavel Machek
2020-10-01 11:14 ` Greg Kroah-Hartman
2020-09-29 13:44 ` Naresh Kamboju
2020-09-29 15:15 ` Jon Hunter
247 siblings, 1 reply; 256+ messages in thread
From: Pavel Machek @ 2020-09-29 12:26 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: linux-kernel, torvalds, akpm, linux, shuah, patches,
ben.hutchings, lkft-triage, pavel, stable
[-- Attachment #1: Type: text/plain, Size: 1083 bytes --]
Hi!
> This is the start of the stable review cycle for the 4.19.149 release.
> There are 245 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 01 Oct 2020 10:59:03 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.149-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y
> and the diffstat can be found below.
No problems detected by CIP testing:
https://gitlab.com/cip-project/cip-testing/linux-stable-rc-ci/-/pipelines/195833156
The failures are caused by boards being offline; they are not caused
by kernel problems.
Best regards,
Pavel
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]
^ permalink raw reply [flat|nested] 256+ messages in thread
* Re: [PATCH 4.19 146/245] perf stat: Force error in fallback on :k events
2020-09-29 10:59 ` [PATCH 4.19 146/245] perf stat: Force error in fallback on :k events Greg Kroah-Hartman
@ 2020-09-29 13:33 ` Naresh Kamboju
2020-09-29 14:27 ` Greg Kroah-Hartman
0 siblings, 1 reply; 256+ messages in thread
From: Naresh Kamboju @ 2020-09-29 13:33 UTC (permalink / raw)
To: Greg Kroah-Hartman, linux- stable, Arnaldo Carvalho de Melo
Cc: open list, Stephane Eranian, Ian Rogers, Jiri Olsa,
Alexander Shishkin, Mark Rutland, Namhyung Kim, Peter Zijlstra,
Sasha Levin
On Tue, 29 Sep 2020 at 17:54, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> From: Stephane Eranian <eranian@google.com>
>
> [ Upstream commit bec49a9e05db3dbdca696fa07c62c52638fb6371 ]
>
> When it is not possible for a non-privilege perf command to monitor at
> the kernel level (:k), the fallback code forces a :u. That works if the
> event was previously monitoring both levels. But if the event was
> already constrained to kernel only, then it does not make sense to
> restrict it to user only.
>
> Given the code works by exclusion, a kernel only event would have:
>
> attr->exclude_user = 1
>
> The fallback code would add:
>
> attr->exclude_kernel = 1
>
> In the end the end would not monitor in either the user level or kernel
> level. In other words, it would count nothing.
>
> An event programmed to monitor kernel only cannot be switched to user
> only without seriously warning the user.
>
> This patch forces an error in this case to make it clear the request
> cannot really be satisfied.
>
> Behavior with paranoid 1:
>
> $ sudo bash -c "echo 1 > /proc/sys/kernel/perf_event_paranoid"
> $ perf stat -e cycles:k sleep 1
>
> Performance counter stats for 'sleep 1':
>
> 1,520,413 cycles:k
>
> 1.002361664 seconds time elapsed
>
> 0.002480000 seconds user
> 0.000000000 seconds sys
>
> Old behavior with paranoid 2:
>
> $ sudo bash -c "echo 2 > /proc/sys/kernel/perf_event_paranoid"
> $ perf stat -e cycles:k sleep 1
> Performance counter stats for 'sleep 1':
>
> 0 cycles:ku
>
> 1.002358127 seconds time elapsed
>
> 0.002384000 seconds user
> 0.000000000 seconds sys
>
> New behavior with paranoid 2:
>
> $ sudo bash -c "echo 2 > /proc/sys/kernel/perf_event_paranoid"
> $ perf stat -e cycles:k sleep 1
> Error:
> You may not have permission to collect stats.
>
> Consider tweaking /proc/sys/kernel/perf_event_paranoid,
> which controls use of the performance events system by
> unprivileged users (without CAP_PERFMON or CAP_SYS_ADMIN).
>
> The current value is 2:
>
> -1: Allow use of (almost) all events by all users
> Ignore mlock limit after perf_event_mlock_kb without CAP_IPC_LOCK
> >= 0: Disallow ftrace function tracepoint by users without CAP_PERFMON or CAP_SYS_ADMIN
> Disallow raw tracepoint access by users without CAP_SYS_PERFMON or CAP_SYS_ADMIN
> >= 1: Disallow CPU event access by users without CAP_PERFMON or CAP_SYS_ADMIN
> >= 2: Disallow kernel profiling by users without CAP_PERFMON or CAP_SYS_ADMIN
>
> To make this setting permanent, edit /etc/sysctl.conf too, e.g.:
>
> kernel.perf_event_paranoid = -1
>
> v2 of this patch addresses the review feedback from jolsa@redhat.com.
>
> Signed-off-by: Stephane Eranian <eranian@google.com>
> Reviewed-by: Ian Rogers <irogers@google.com>
> Acked-by: Jiri Olsa <jolsa@redhat.com>
> Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
> Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
> Cc: Jiri Olsa <jolsa@redhat.com>
> Cc: Mark Rutland <mark.rutland@arm.com>
> Cc: Namhyung Kim <namhyung@kernel.org>
> Cc: Peter Zijlstra <peterz@infradead.org>
> Link: http://lore.kernel.org/lkml/20200414161550.225588-1-irogers@google.com
> Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
> Signed-off-by: Sasha Levin <sashal@kernel.org>
perf failed on stable rc branch 4.19 on all devices.
Reported-by: Naresh Kamboju <naresh.kamboju@linaro.org>
build warning and errors,
-----------------------------------
In file included from util/evlist.h:15:0,
from util/evsel.c:30:
util/evsel.c: In function 'perf_evsel__exit':
util/util.h:25:28: warning: passing argument 1 of 'free' discards
'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
#define zfree(ptr) ({ free(*ptr); *ptr = NULL; })
^
util/evsel.c:1293:2: note: in expansion of macro 'zfree'
zfree(&evsel->pmu_name);
^~~~~
In file included from
/srv/oe/build/tmp-lkft-glibc/work/intel_corei7_64-linaro-linux/perf/1.0-r9/perf-1.0/tools/perf/arch/x86/include/perf_regs.h:5:0,
from util/perf_regs.h:27,
from util/event.h:11,
from util/callchain.h:8,
from util/evsel.c:26:
perf/1.0-r9/recipe-sysroot/usr/include/stdlib.h:563:13: note: expected
'void *' but argument is of type 'const char *'
extern void free (void *__ptr) __THROW;
^~~~
util/evsel.c: In function 'perf_evsel__fallback':
util/evsel.c:2802:14: error: 'struct perf_evsel' has no member named
'core'; did you mean 'node'?
if (evsel->core.attr.exclude_user)
^~~~
node
> ---
> tools/perf/util/evsel.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/tools/perf/util/evsel.c b/tools/perf/util/evsel.c
> index 68c5ab0e1800b..e8586957562b3 100644
> --- a/tools/perf/util/evsel.c
> +++ b/tools/perf/util/evsel.c
> @@ -2796,6 +2796,10 @@ bool perf_evsel__fallback(struct perf_evsel *evsel, int err,
> char *new_name;
> const char *sep = ":";
>
> + /* If event has exclude user then don't exclude kernel. */
> + if (evsel->core.attr.exclude_user)
> + return false;
> +
> /* Is there already the separator in the name. */
> if (strchr(name, '/') ||
> strchr(name, ':'))
> --
> 2.25.1
>
>
>
^ permalink raw reply [flat|nested] 256+ messages in thread
* Re: [PATCH 4.19 000/245] 4.19.149-rc1 review
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (245 preceding siblings ...)
2020-09-29 12:26 ` [PATCH 4.19 000/245] 4.19.149-rc1 review Pavel Machek
@ 2020-09-29 13:44 ` Naresh Kamboju
2020-09-29 15:15 ` Jon Hunter
247 siblings, 0 replies; 256+ messages in thread
From: Naresh Kamboju @ 2020-09-29 13:44 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: open list, Shuah Khan, patches, lkft-triage, Ben Hutchings,
linux- stable, pavel, Andrew Morton, Linus Torvalds,
Guenter Roeck
On Tue, 29 Sep 2020 at 16:58, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 4.19.149 release.
> There are 245 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 01 Oct 2020 10:59:03 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.149-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
<trim>
>
> Stephane Eranian <eranian@google.com>
> perf stat: Force error in fallback on :k events
perf failed on stable rc branch 4.19 on all devices.
Reported-by: Naresh Kamboju <naresh.kamboju@linaro.org>
In file included from util/evlist.h:15:0,
from util/evsel.c:30:
util/evsel.c: In function 'perf_evsel__exit':
util/util.h:25:28: warning: passing argument 1 of 'free' discards
'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
#define zfree(ptr) ({ free(*ptr); *ptr = NULL; })
^
util/evsel.c:1293:2: note: in expansion of macro 'zfree'
zfree(&evsel->pmu_name);
^~~~~
In file included from
/srv/oe/build/tmp-lkft-glibc/work/intel_corei7_64-linaro-linux/perf/1.0-r9/perf-1.0/tools/perf/arch/x86/include/perf_regs.h:5:0,
from util/perf_regs.h:27,
from util/event.h:11,
from util/callchain.h:8,
from util/evsel.c:26:
perf/1.0-r9/recipe-sysroot/usr/include/stdlib.h:563:13: note: expected
'void *' but argument is of type 'const char *'
extern void free (void *__ptr) __THROW;
^~~~
util/evsel.c: In function 'perf_evsel__fallback':
util/evsel.c:2802:14: error: 'struct perf_evsel' has no member named
'core'; did you mean 'node'?
if (evsel->core.attr.exclude_user)
^~~~
node
--
Linaro LKFT
https://lkft.linaro.org
^ permalink raw reply [flat|nested] 256+ messages in thread
* Re: [PATCH 4.19 146/245] perf stat: Force error in fallback on :k events
2020-09-29 13:33 ` Naresh Kamboju
@ 2020-09-29 14:27 ` Greg Kroah-Hartman
2020-09-29 16:06 ` Sasha Levin
0 siblings, 1 reply; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-09-29 14:27 UTC (permalink / raw)
To: Naresh Kamboju
Cc: linux- stable, Arnaldo Carvalho de Melo, open list,
Stephane Eranian, Ian Rogers, Jiri Olsa, Alexander Shishkin,
Mark Rutland, Namhyung Kim, Peter Zijlstra, Sasha Levin
On Tue, Sep 29, 2020 at 07:03:46PM +0530, Naresh Kamboju wrote:
> On Tue, 29 Sep 2020 at 17:54, Greg Kroah-Hartman
> <gregkh@linuxfoundation.org> wrote:
> >
> > From: Stephane Eranian <eranian@google.com>
> >
> > [ Upstream commit bec49a9e05db3dbdca696fa07c62c52638fb6371 ]
> >
> > When it is not possible for a non-privilege perf command to monitor at
> > the kernel level (:k), the fallback code forces a :u. That works if the
> > event was previously monitoring both levels. But if the event was
> > already constrained to kernel only, then it does not make sense to
> > restrict it to user only.
> >
> > Given the code works by exclusion, a kernel only event would have:
> >
> > attr->exclude_user = 1
> >
> > The fallback code would add:
> >
> > attr->exclude_kernel = 1
> >
> > In the end the end would not monitor in either the user level or kernel
> > level. In other words, it would count nothing.
> >
> > An event programmed to monitor kernel only cannot be switched to user
> > only without seriously warning the user.
> >
> > This patch forces an error in this case to make it clear the request
> > cannot really be satisfied.
> >
> > Behavior with paranoid 1:
> >
> > $ sudo bash -c "echo 1 > /proc/sys/kernel/perf_event_paranoid"
> > $ perf stat -e cycles:k sleep 1
> >
> > Performance counter stats for 'sleep 1':
> >
> > 1,520,413 cycles:k
> >
> > 1.002361664 seconds time elapsed
> >
> > 0.002480000 seconds user
> > 0.000000000 seconds sys
> >
> > Old behavior with paranoid 2:
> >
> > $ sudo bash -c "echo 2 > /proc/sys/kernel/perf_event_paranoid"
> > $ perf stat -e cycles:k sleep 1
> > Performance counter stats for 'sleep 1':
> >
> > 0 cycles:ku
> >
> > 1.002358127 seconds time elapsed
> >
> > 0.002384000 seconds user
> > 0.000000000 seconds sys
> >
> > New behavior with paranoid 2:
> >
> > $ sudo bash -c "echo 2 > /proc/sys/kernel/perf_event_paranoid"
> > $ perf stat -e cycles:k sleep 1
> > Error:
> > You may not have permission to collect stats.
> >
> > Consider tweaking /proc/sys/kernel/perf_event_paranoid,
> > which controls use of the performance events system by
> > unprivileged users (without CAP_PERFMON or CAP_SYS_ADMIN).
> >
> > The current value is 2:
> >
> > -1: Allow use of (almost) all events by all users
> > Ignore mlock limit after perf_event_mlock_kb without CAP_IPC_LOCK
> > >= 0: Disallow ftrace function tracepoint by users without CAP_PERFMON or CAP_SYS_ADMIN
> > Disallow raw tracepoint access by users without CAP_SYS_PERFMON or CAP_SYS_ADMIN
> > >= 1: Disallow CPU event access by users without CAP_PERFMON or CAP_SYS_ADMIN
> > >= 2: Disallow kernel profiling by users without CAP_PERFMON or CAP_SYS_ADMIN
> >
> > To make this setting permanent, edit /etc/sysctl.conf too, e.g.:
> >
> > kernel.perf_event_paranoid = -1
> >
> > v2 of this patch addresses the review feedback from jolsa@redhat.com.
> >
> > Signed-off-by: Stephane Eranian <eranian@google.com>
> > Reviewed-by: Ian Rogers <irogers@google.com>
> > Acked-by: Jiri Olsa <jolsa@redhat.com>
> > Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
> > Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
> > Cc: Jiri Olsa <jolsa@redhat.com>
> > Cc: Mark Rutland <mark.rutland@arm.com>
> > Cc: Namhyung Kim <namhyung@kernel.org>
> > Cc: Peter Zijlstra <peterz@infradead.org>
> > Link: http://lore.kernel.org/lkml/20200414161550.225588-1-irogers@google.com
> > Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
> > Signed-off-by: Sasha Levin <sashal@kernel.org>
>
> perf failed on stable rc branch 4.19 on all devices.
>
> Reported-by: Naresh Kamboju <naresh.kamboju@linaro.org>
>
> build warning and errors,
> -----------------------------------
> In file included from util/evlist.h:15:0,
> from util/evsel.c:30:
> util/evsel.c: In function 'perf_evsel__exit':
> util/util.h:25:28: warning: passing argument 1 of 'free' discards
> 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
> #define zfree(ptr) ({ free(*ptr); *ptr = NULL; })
> ^
> util/evsel.c:1293:2: note: in expansion of macro 'zfree'
> zfree(&evsel->pmu_name);
> ^~~~~
> In file included from
> /srv/oe/build/tmp-lkft-glibc/work/intel_corei7_64-linaro-linux/perf/1.0-r9/perf-1.0/tools/perf/arch/x86/include/perf_regs.h:5:0,
> from util/perf_regs.h:27,
> from util/event.h:11,
> from util/callchain.h:8,
> from util/evsel.c:26:
> perf/1.0-r9/recipe-sysroot/usr/include/stdlib.h:563:13: note: expected
> 'void *' but argument is of type 'const char *'
> extern void free (void *__ptr) __THROW;
> ^~~~
> util/evsel.c: In function 'perf_evsel__fallback':
> util/evsel.c:2802:14: error: 'struct perf_evsel' has no member named
> 'core'; did you mean 'node'?
> if (evsel->core.attr.exclude_user)
> ^~~~
> node
I thought Sasha had dropped all of the offending patches. I'll go drop
this one and push out a new 4.19-rc release.
But note, the latest 4.19.y tree doesn't even build perf for me, so I
can't really check this locally :(
thanks,
greg k-h
^ permalink raw reply [flat|nested] 256+ messages in thread
* Re: [PATCH 4.19 000/245] 4.19.149-rc1 review
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
` (246 preceding siblings ...)
2020-09-29 13:44 ` Naresh Kamboju
@ 2020-09-29 15:15 ` Jon Hunter
247 siblings, 0 replies; 256+ messages in thread
From: Jon Hunter @ 2020-09-29 15:15 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuah, patches,
ben.hutchings, lkft-triage, pavel, stable, linux-tegra
On Tue, 29 Sep 2020 12:57:31 +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.19.149 release.
> There are 245 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 01 Oct 2020 10:59:03 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.149-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
All tests passing for Tegra ...
Test results for stable-v4.19:
14 builds: 14 pass, 0 fail
22 boots: 22 pass, 0 fail
38 tests: 38 pass, 0 fail
Linux version: 4.19.149-rc1-gf0a043791d0e
Boards tested: tegra124-jetson-tk1, tegra186-p2771-0000,
tegra194-p2972-0000, tegra20-ventana,
tegra210-p2371-2180, tegra30-cardhu-a04
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Jon
^ permalink raw reply [flat|nested] 256+ messages in thread
* Re: [PATCH 4.19 146/245] perf stat: Force error in fallback on :k events
2020-09-29 14:27 ` Greg Kroah-Hartman
@ 2020-09-29 16:06 ` Sasha Levin
0 siblings, 0 replies; 256+ messages in thread
From: Sasha Levin @ 2020-09-29 16:06 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: Naresh Kamboju, linux- stable, Arnaldo Carvalho de Melo,
open list, Stephane Eranian, Ian Rogers, Jiri Olsa,
Alexander Shishkin, Mark Rutland, Namhyung Kim, Peter Zijlstra
On Tue, Sep 29, 2020 at 04:27:17PM +0200, Greg Kroah-Hartman wrote:
>On Tue, Sep 29, 2020 at 07:03:46PM +0530, Naresh Kamboju wrote:
>> On Tue, 29 Sep 2020 at 17:54, Greg Kroah-Hartman
>> <gregkh@linuxfoundation.org> wrote:
>> >
>> > From: Stephane Eranian <eranian@google.com>
>> >
>> > [ Upstream commit bec49a9e05db3dbdca696fa07c62c52638fb6371 ]
>> >
>> > When it is not possible for a non-privilege perf command to monitor at
>> > the kernel level (:k), the fallback code forces a :u. That works if the
>> > event was previously monitoring both levels. But if the event was
>> > already constrained to kernel only, then it does not make sense to
>> > restrict it to user only.
>> >
>> > Given the code works by exclusion, a kernel only event would have:
>> >
>> > attr->exclude_user = 1
>> >
>> > The fallback code would add:
>> >
>> > attr->exclude_kernel = 1
>> >
>> > In the end the end would not monitor in either the user level or kernel
>> > level. In other words, it would count nothing.
>> >
>> > An event programmed to monitor kernel only cannot be switched to user
>> > only without seriously warning the user.
>> >
>> > This patch forces an error in this case to make it clear the request
>> > cannot really be satisfied.
>> >
>> > Behavior with paranoid 1:
>> >
>> > $ sudo bash -c "echo 1 > /proc/sys/kernel/perf_event_paranoid"
>> > $ perf stat -e cycles:k sleep 1
>> >
>> > Performance counter stats for 'sleep 1':
>> >
>> > 1,520,413 cycles:k
>> >
>> > 1.002361664 seconds time elapsed
>> >
>> > 0.002480000 seconds user
>> > 0.000000000 seconds sys
>> >
>> > Old behavior with paranoid 2:
>> >
>> > $ sudo bash -c "echo 2 > /proc/sys/kernel/perf_event_paranoid"
>> > $ perf stat -e cycles:k sleep 1
>> > Performance counter stats for 'sleep 1':
>> >
>> > 0 cycles:ku
>> >
>> > 1.002358127 seconds time elapsed
>> >
>> > 0.002384000 seconds user
>> > 0.000000000 seconds sys
>> >
>> > New behavior with paranoid 2:
>> >
>> > $ sudo bash -c "echo 2 > /proc/sys/kernel/perf_event_paranoid"
>> > $ perf stat -e cycles:k sleep 1
>> > Error:
>> > You may not have permission to collect stats.
>> >
>> > Consider tweaking /proc/sys/kernel/perf_event_paranoid,
>> > which controls use of the performance events system by
>> > unprivileged users (without CAP_PERFMON or CAP_SYS_ADMIN).
>> >
>> > The current value is 2:
>> >
>> > -1: Allow use of (almost) all events by all users
>> > Ignore mlock limit after perf_event_mlock_kb without CAP_IPC_LOCK
>> > >= 0: Disallow ftrace function tracepoint by users without CAP_PERFMON or CAP_SYS_ADMIN
>> > Disallow raw tracepoint access by users without CAP_SYS_PERFMON or CAP_SYS_ADMIN
>> > >= 1: Disallow CPU event access by users without CAP_PERFMON or CAP_SYS_ADMIN
>> > >= 2: Disallow kernel profiling by users without CAP_PERFMON or CAP_SYS_ADMIN
>> >
>> > To make this setting permanent, edit /etc/sysctl.conf too, e.g.:
>> >
>> > kernel.perf_event_paranoid = -1
>> >
>> > v2 of this patch addresses the review feedback from jolsa@redhat.com.
>> >
>> > Signed-off-by: Stephane Eranian <eranian@google.com>
>> > Reviewed-by: Ian Rogers <irogers@google.com>
>> > Acked-by: Jiri Olsa <jolsa@redhat.com>
>> > Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
>> > Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
>> > Cc: Jiri Olsa <jolsa@redhat.com>
>> > Cc: Mark Rutland <mark.rutland@arm.com>
>> > Cc: Namhyung Kim <namhyung@kernel.org>
>> > Cc: Peter Zijlstra <peterz@infradead.org>
>> > Link: http://lore.kernel.org/lkml/20200414161550.225588-1-irogers@google.com
>> > Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
>> > Signed-off-by: Sasha Levin <sashal@kernel.org>
>>
>> perf failed on stable rc branch 4.19 on all devices.
>>
>> Reported-by: Naresh Kamboju <naresh.kamboju@linaro.org>
>>
>> build warning and errors,
>> -----------------------------------
>> In file included from util/evlist.h:15:0,
>> from util/evsel.c:30:
>> util/evsel.c: In function 'perf_evsel__exit':
>> util/util.h:25:28: warning: passing argument 1 of 'free' discards
>> 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
>> #define zfree(ptr) ({ free(*ptr); *ptr = NULL; })
>> ^
>> util/evsel.c:1293:2: note: in expansion of macro 'zfree'
>> zfree(&evsel->pmu_name);
>> ^~~~~
>> In file included from
>> /srv/oe/build/tmp-lkft-glibc/work/intel_corei7_64-linaro-linux/perf/1.0-r9/perf-1.0/tools/perf/arch/x86/include/perf_regs.h:5:0,
>> from util/perf_regs.h:27,
>> from util/event.h:11,
>> from util/callchain.h:8,
>> from util/evsel.c:26:
>> perf/1.0-r9/recipe-sysroot/usr/include/stdlib.h:563:13: note: expected
>> 'void *' but argument is of type 'const char *'
>> extern void free (void *__ptr) __THROW;
>> ^~~~
>> util/evsel.c: In function 'perf_evsel__fallback':
>> util/evsel.c:2802:14: error: 'struct perf_evsel' has no member named
>> 'core'; did you mean 'node'?
>> if (evsel->core.attr.exclude_user)
>> ^~~~
>> node
>
>I thought Sasha had dropped all of the offending patches. I'll go drop
>this one and push out a new 4.19-rc release.
I did, looks like this a new report.
>But note, the latest 4.19.y tree doesn't even build perf for me, so I
>can't really check this locally :(
Same here. Naresh, does perf builds "out of the box" for you, or do you
carry any patches on top?
--
Thanks,
Sasha
^ permalink raw reply [flat|nested] 256+ messages in thread
* Re: [PATCH 4.19 054/245] scsi: ufs: Make ufshcd_add_command_trace() easier to read
2020-09-29 10:58 ` [PATCH 4.19 054/245] scsi: ufs: Make ufshcd_add_command_trace() easier to read Greg Kroah-Hartman
@ 2020-09-30 15:39 ` Pavel Machek
0 siblings, 0 replies; 256+ messages in thread
From: Pavel Machek @ 2020-09-30 15:39 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: linux-kernel, stable, Bean Huo, Can Guo, Avri Altman,
Stanley Chu, Tomas Winkler, Alim Akhtar, Bart Van Assche,
Martin K. Petersen, Sasha Levin
[-- Attachment #1: Type: text/plain, Size: 553 bytes --]
Hi!
> From: Bart Van Assche <bvanassche@acm.org>
>
> [ Upstream commit e4d2add7fd5bc64ee3e388eabe6b9e081cb42e11 ]
>
> Since the lrbp->cmd expression occurs multiple times, introduce a new local
> variable to hold that pointer. This patch does not change any
> functionality.
This is just a cleanup, AFAICT, and there's no patch that depends on
it in 4.19-stable.
Best regards,
Pavel
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]
^ permalink raw reply [flat|nested] 256+ messages in thread
* Re: [PATCH 4.19 196/245] nvme: fix possible deadlock when I/O is blocked
2020-09-29 11:00 ` [PATCH 4.19 196/245] nvme: fix possible deadlock when I/O is blocked Greg Kroah-Hartman
@ 2020-09-30 16:22 ` Pavel Machek
0 siblings, 0 replies; 256+ messages in thread
From: Pavel Machek @ 2020-09-30 16:22 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: linux-kernel, stable, Anton Eidelman, Sagi Grimberg,
Christoph Hellwig, Sasha Levin
[-- Attachment #1: Type: text/plain, Size: 1866 bytes --]
Hi!
> [ Upstream commit 3b4b19721ec652ad2c4fe51dfbe5124212b5f581 ]
>
> Revert fab7772bfbcf ("nvme-multipath: revalidate nvme_ns_head gendisk
> in nvme_validate_ns")
>
> When adding a new namespace to the head disk (via nvme_mpath_set_live)
> we will see partition scan which triggers I/O on the mpath device node.
> This process will usually be triggered from the scan_work which holds
> the scan_lock. If I/O blocks (if we got ana change currently have only
> available paths but none are accessible) this can deadlock on the head
> disk bd_mutex as both partition scan I/O takes it, and head disk revalidation
> takes it to check for resize (also triggered from scan_work on a different
> path). See trace [1].
>
> The mpath disk revalidation was originally added to detect online disk
> size change, but this is no longer needed since commit cb224c3af4df
> ("nvme: Convert to use set_capacity_revalidate_and_notify") which already
> updates resize info without unnecessarily revalidating the disk (the
> mpath disk doesn't even implement .revalidate_disk fop).
Commit cb224c3af4df ("nvme: Convert to use
set_capacity_revalidate_and_notify") is not in 4.19-stable.
Does that mean we'll no longer detect disk size changes after this?
Best regards,
Pavel
> index faa7feebb6095..84fcfcdb8ba5f 100644
> --- a/drivers/nvme/host/core.c
> +++ b/drivers/nvme/host/core.c
> @@ -1599,7 +1599,6 @@ static void __nvme_revalidate_disk(struct gendisk *disk, struct nvme_id_ns *id)
> if (ns->head->disk) {
> nvme_update_disk_info(ns->head->disk, ns, id);
> blk_queue_stack_limits(ns->head->disk->queue, ns->queue);
> - revalidate_disk(ns->head->disk);
> }
> #endif
>
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]
^ permalink raw reply [flat|nested] 256+ messages in thread
* Re: [PATCH 4.19 144/245] serial: uartps: Wait for tx_empty in console setup
2020-09-29 10:59 ` [PATCH 4.19 144/245] serial: uartps: Wait for tx_empty in console setup Greg Kroah-Hartman
@ 2020-09-30 20:07 ` Pavel Machek
0 siblings, 0 replies; 256+ messages in thread
From: Pavel Machek @ 2020-09-30 20:07 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: linux-kernel, stable, Raviteja Narayanam, Shubhrajyoti Datta,
Sasha Levin
[-- Attachment #1: Type: text/plain, Size: 1135 bytes --]
Hi!
> From: Raviteja Narayanam <raviteja.narayanam@xilinx.com>
>
> [ Upstream commit 42e11948ddf68b9f799cad8c0ddeab0a39da33e8 ]
>
> On some platforms, the log is corrupted while console is being
> registered. It is observed that when set_termios is called, there
> are still some bytes in the FIFO to be transmitted.
>
> So, wait for tx_empty inside cdns_uart_console_setup before calling
> set_termios.
> @@ -1246,6 +1247,13 @@ static int cdns_uart_console_setup(struct console *co, char *options)
> if (options)
> uart_parse_options(options, &baud, &parity, &bits, &flow);
>
> + /* Wait for tx_empty before setting up the console */
> + time_out = jiffies + usecs_to_jiffies(TX_TIMEOUT);
> +
> + while (time_before(jiffies, time_out) &&
> + cdns_uart_tx_empty(port) != TIOCSER_TEMT)
> + cpu_relax();
> +
So this is spinning for half a second. Could we use msleep(1) instead
of cpu_relax or something like that?
Best regards,
Pavel
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 181 bytes --]
^ permalink raw reply [flat|nested] 256+ messages in thread
* Re: [PATCH 4.19 000/245] 4.19.149-rc1 review
2020-09-29 12:26 ` [PATCH 4.19 000/245] 4.19.149-rc1 review Pavel Machek
@ 2020-10-01 11:14 ` Greg Kroah-Hartman
0 siblings, 0 replies; 256+ messages in thread
From: Greg Kroah-Hartman @ 2020-10-01 11:14 UTC (permalink / raw)
To: Pavel Machek
Cc: linux-kernel, torvalds, akpm, linux, shuah, patches,
ben.hutchings, lkft-triage, stable
On Tue, Sep 29, 2020 at 02:26:27PM +0200, Pavel Machek wrote:
> Hi!
>
> > This is the start of the stable review cycle for the 4.19.149 release.
> > There are 245 patches in this series, all will be posted as a response
> > to this one. If anyone has any issues with these being applied, please
> > let me know.
> >
> > Responses should be made by Thu, 01 Oct 2020 10:59:03 +0000.
> > Anything received after that time might be too late.
> >
> > The whole patch series can be found in one patch at:
> > https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.149-rc1.gz
> > or in the git tree and branch at:
> > git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y
> > and the diffstat can be found below.
>
> No problems detected by CIP testing:
>
> https://gitlab.com/cip-project/cip-testing/linux-stable-rc-ci/-/pipelines/195833156
>
> The failures are caused by boards being offline; they are not caused
> by kernel problems.
Thanks for testing two of these and letting me know.
greg k-h
^ permalink raw reply [flat|nested] 256+ messages in thread
end of thread, other threads:[~2020-10-01 11:14 UTC | newest]
Thread overview: 256+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-09-29 10:57 [PATCH 4.19 000/245] 4.19.149-rc1 review Greg Kroah-Hartman
2020-09-29 10:57 ` [PATCH 4.19 001/245] selinux: allow labeling before policy is loaded Greg Kroah-Hartman
2020-09-29 10:57 ` [PATCH 4.19 002/245] media: mc-device.c: fix memleak in media_device_register_entity Greg Kroah-Hartman
2020-09-29 10:57 ` [PATCH 4.19 003/245] dma-fence: Serialise signal enabling (dma_fence_enable_sw_signaling) Greg Kroah-Hartman
2020-09-29 10:57 ` [PATCH 4.19 004/245] ath10k: fix array out-of-bounds access Greg Kroah-Hartman
2020-09-29 10:57 ` [PATCH 4.19 005/245] ath10k: fix memory leak for tpc_stats_final Greg Kroah-Hartman
2020-09-29 10:57 ` [PATCH 4.19 006/245] mm: fix double page fault on arm64 if PTE_AF is cleared Greg Kroah-Hartman
2020-09-29 10:57 ` [PATCH 4.19 007/245] scsi: aacraid: fix illegal IO beyond last LBA Greg Kroah-Hartman
2020-09-29 10:57 ` [PATCH 4.19 008/245] m68k: q40: Fix info-leak in rtc_ioctl Greg Kroah-Hartman
2020-09-29 10:57 ` [PATCH 4.19 009/245] gma/gma500: fix a memory disclosure bug due to uninitialized bytes Greg Kroah-Hartman
2020-09-29 10:57 ` [PATCH 4.19 010/245] ASoC: kirkwood: fix IRQ error handling Greg Kroah-Hartman
2020-09-29 10:57 ` [PATCH 4.19 011/245] media: smiapp: Fix error handling at NVM reading Greg Kroah-Hartman
2020-09-29 10:57 ` [PATCH 4.19 012/245] arch/x86/lib/usercopy_64.c: fix __copy_user_flushcache() cache writeback Greg Kroah-Hartman
2020-09-29 10:57 ` [PATCH 4.19 013/245] x86/ioapic: Unbreak check_timer() Greg Kroah-Hartman
2020-09-29 10:57 ` [PATCH 4.19 014/245] ALSA: usb-audio: Add delay quirk for H570e USB headsets Greg Kroah-Hartman
2020-09-29 10:57 ` [PATCH 4.19 015/245] ALSA: hda/realtek - Couldnt detect Mic if booting with headset plugged Greg Kroah-Hartman
2020-09-29 10:57 ` [PATCH 4.19 016/245] ALSA: hda/realtek: Enable front panel headset LED on Lenovo ThinkStation P520 Greg Kroah-Hartman
2020-09-29 10:57 ` [PATCH 4.19 017/245] lib/string.c: implement stpcpy Greg Kroah-Hartman
2020-09-29 10:57 ` [PATCH 4.19 018/245] leds: mlxreg: Fix possible buffer overflow Greg Kroah-Hartman
2020-09-29 10:57 ` [PATCH 4.19 019/245] PM / devfreq: tegra30: Fix integer overflow on CPUs freq max out Greg Kroah-Hartman
2020-09-29 10:57 ` [PATCH 4.19 020/245] scsi: fnic: fix use after free Greg Kroah-Hartman
2020-09-29 10:57 ` [PATCH 4.19 021/245] scsi: lpfc: Fix kernel crash at lpfc_nvme_info_show during remote port bounce Greg Kroah-Hartman
2020-09-29 10:57 ` [PATCH 4.19 022/245] net: silence data-races on sk_backlog.tail Greg Kroah-Hartman
2020-09-29 10:57 ` [PATCH 4.19 023/245] clk/ti/adpll: allocate room for terminating null Greg Kroah-Hartman
2020-09-29 10:57 ` [PATCH 4.19 024/245] drm/amdgpu/powerplay: fix AVFS handling with custom powerplay table Greg Kroah-Hartman
2020-09-29 10:57 ` [PATCH 4.19 025/245] mtd: cfi_cmdset_0002: dont free cfi->cfiq in error path of cfi_amdstd_setup() Greg Kroah-Hartman
2020-09-29 10:57 ` [PATCH 4.19 026/245] mfd: mfd-core: Protect against NULL call-back function pointer Greg Kroah-Hartman
2020-09-29 10:57 ` [PATCH 4.19 027/245] drm/amdgpu/powerplay/smu7: fix AVFS handling with custom powerplay table Greg Kroah-Hartman
2020-09-29 10:57 ` [PATCH 4.19 028/245] tpm_crb: fix fTPM on AMD Zen+ CPUs Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 029/245] tracing: Adding NULL checks for trace_array descriptor pointer Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 030/245] bcache: fix a lost wake-up problem caused by mca_cannibalize_lock Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 031/245] dmaengine: mediatek: hsdma_probe: fixed a memory leak when devm_request_irq fails Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 032/245] RDMA/qedr: Fix potential use after free Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 033/245] RDMA/i40iw: " Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 034/245] fix dget_parent() fastpath race Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 035/245] xfs: fix attr leaf header freemap.size underflow Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 036/245] RDMA/iw_cgxb4: Fix an error handling path in c4iw_connect() Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 037/245] ubi: Fix producing anchor PEBs Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 038/245] mmc: core: Fix size overflow for mmc partitions Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 039/245] gfs2: clean up iopen glock mess in gfs2_create_inode Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 040/245] scsi: pm80xx: Cleanup command when a reset times out Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 041/245] debugfs: Fix !DEBUG_FS debugfs_create_automount Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 042/245] CIFS: Properly process SMB3 lease breaks Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 043/245] ASoC: max98090: remove msleep in PLL unlocked workaround Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 044/245] kernel/sys.c: avoid copying possible padding bytes in copy_to_user Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 045/245] KVM: arm/arm64: vgic: Fix potential double free dist->spis in __kvm_vgic_destroy() Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 046/245] xfs: fix log reservation overflows when allocating large rt extents Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 047/245] neigh_stat_seq_next() should increase position index Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 048/245] rt_cpu_seq_next " Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 049/245] ipv6_route_seq_next " Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 050/245] seqlock: Require WRITE_ONCE surrounding raw_seqcount_barrier Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 051/245] media: ti-vpe: cal: Restrict DMA to avoid memory corruption Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 052/245] sctp: move trace_sctp_probe_path into sctp_outq_sack Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 053/245] ACPI: EC: Reference count query handlers under lock Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 054/245] scsi: ufs: Make ufshcd_add_command_trace() easier to read Greg Kroah-Hartman
2020-09-30 15:39 ` Pavel Machek
2020-09-29 10:58 ` [PATCH 4.19 055/245] scsi: ufs: Fix a race condition in the tracing code Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 056/245] dmaengine: zynqmp_dma: fix burst length configuration Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 057/245] s390/cpum_sf: Use kzalloc and minor changes Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 058/245] powerpc/eeh: Only dump stack once if an MMIO loop is detected Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 059/245] Bluetooth: btrtl: Use kvmalloc for FW allocations Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 060/245] tracing: Set kernel_stacks caller size properly Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 061/245] ARM: 8948/1: Prevent OOB access in stacktrace Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 062/245] ar5523: Add USB ID of SMCWUSBT-G2 wireless adapter Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 063/245] ceph: ensure we have a new cap before continuing in fill_inode Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 064/245] selftests/ftrace: fix glob selftest Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 065/245] tools/power/x86/intel_pstate_tracer: changes for python 3 compatibility Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 066/245] Bluetooth: Fix refcount use-after-free issue Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 067/245] mm/swapfile.c: swap_next should increase position index Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 068/245] mm: pagewalk: fix termination condition in walk_pte_range() Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 069/245] Bluetooth: prefetch channel before killing sock Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 070/245] KVM: fix overflow of zero page refcount with ksm running Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 071/245] ALSA: hda: Clear RIRB status before reading WP Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 072/245] skbuff: fix a data race in skb_queue_len() Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 073/245] audit: CONFIG_CHANGE dont log internal bookkeeping as an event Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 074/245] selinux: sel_avc_get_stat_idx should increase position index Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 075/245] scsi: lpfc: Fix RQ buffer leakage when no IOCBs available Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 076/245] scsi: lpfc: Fix coverity errors in fmdi attribute handling Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 077/245] drm/omap: fix possible object reference leak Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 078/245] clk: stratix10: use do_div() for 64-bit calculation Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 079/245] crypto: chelsio - This fixes the kernel panic which occurs during a libkcapi test Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 080/245] mt76: clear skb pointers from rx aggregation reorder buffer during cleanup Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 081/245] ALSA: usb-audio: Dont create a mixer element with bogus volume range Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 082/245] perf test: Fix test trace+probe_vfs_getname.sh on s390 Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 083/245] RDMA/rxe: Fix configuration of atomic queue pair attributes Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 084/245] KVM: x86: fix incorrect comparison in trace event Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 085/245] dmaengine: stm32-mdma: use vchan_terminate_vdesc() in .terminate_all Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 086/245] media: staging/imx: Missing assignment in imx_media_capture_device_register() Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 087/245] x86/pkeys: Add check for pkey "overflow" Greg Kroah-Hartman
2020-09-29 10:58 ` [PATCH 4.19 088/245] bpf: Remove recursion prevention from rcu free callback Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 089/245] dmaengine: stm32-dma: use vchan_terminate_vdesc() in .terminate_all Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 090/245] dmaengine: tegra-apb: Prevent race conditions on channels freeing Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 091/245] drm/amd/display: dal_ddc_i2c_payloads_create can fail causing panic Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 092/245] firmware: arm_sdei: Use cpus_read_lock() to avoid races with cpuhp Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 093/245] random: fix data races at timer_rand_state Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 094/245] bus: hisi_lpc: Fixup IO ports addresses to avoid use-after-free in host removal Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 095/245] media: go7007: Fix URB type for interrupt handling Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 096/245] Bluetooth: guard against controllers sending zerod events Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 097/245] timekeeping: Prevent 32bit truncation in scale64_check_overflow() Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 098/245] ext4: fix a data race at inode->i_disksize Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 099/245] perf jevents: Fix leak of mapfile memory Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 100/245] mm: avoid data corruption on CoW fault into PFN-mapped VMA Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 101/245] drm/amdgpu: increase atombios cmd timeout Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 102/245] drm/amd/display: Stop if retimer is not available Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 103/245] ath10k: use kzalloc to read for ath10k_sdio_hif_diag_read Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 104/245] scsi: aacraid: Disabling TM path and only processing IOP reset Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 105/245] Bluetooth: L2CAP: handle l2cap config request during open state Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 106/245] media: tda10071: fix unsigned sign extension overflow Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 107/245] xfs: dont ever return a stale pointer from __xfs_dir3_free_read Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 108/245] xfs: mark dir corrupt when lookup-by-hash fails Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 109/245] ext4: mark block bitmap corrupted when found instead of BUGON Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 110/245] tpm: ibmvtpm: Wait for buffer to be set before proceeding Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 111/245] rtc: sa1100: fix possible race condition Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 112/245] rtc: ds1374: " Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 113/245] nfsd: Dont add locks to closed or closing open stateids Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 114/245] RDMA/cm: Remove a race freeing timewait_info Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 115/245] KVM: PPC: Book3S HV: Treat TM-related invalid form instructions on P9 like the valid ones Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 116/245] drm/msm: fix leaks if initialization fails Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 117/245] drm/msm/a5xx: Always set an OPP supported hardware value Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 118/245] tracing: Use address-of operator on section symbols Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 119/245] thermal: rcar_thermal: Handle probe error gracefully Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 120/245] perf parse-events: Fix 3 use after frees found with clang ASAN Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 121/245] serial: 8250_port: Dont service RX FIFO if throttled Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 122/245] serial: 8250_omap: Fix sleeping function called from invalid context during probe Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 123/245] serial: 8250: 8250_omap: Terminate DMA before pushing data on RX timeout Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 124/245] perf cpumap: Fix snprintf overflow check Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 125/245] cpufreq: powernv: Fix frame-size-overflow in powernv_cpufreq_work_fn Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 126/245] tools: gpio-hammer: Avoid potential overflow in main Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 127/245] nvme-multipath: do not reset on unknown status Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 128/245] nvme: Fix controller creation races with teardown flow Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 129/245] RDMA/rxe: Set sys_image_guid to be aligned with HW IB devices Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 130/245] scsi: hpsa: correct race condition in offload enabled Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 131/245] SUNRPC: Fix a potential buffer overflow in svc_print_xprts() Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 132/245] svcrdma: Fix leak of transport addresses Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 133/245] PCI: Use ioremap(), not phys_to_virt() for platform ROM Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 134/245] ubifs: Fix out-of-bounds memory access caused by abnormal value of node_len Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 135/245] ALSA: usb-audio: Fix case when USB MIDI interface has more than one extra endpoint descriptor Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 136/245] PCI: pciehp: Fix MSI interrupt race Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 137/245] NFS: Fix races nfs_page_group_destroy() vs nfs_destroy_unlinked_subrequests() Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 138/245] mm/kmemleak.c: use address-of operator on section symbols Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 139/245] mm/filemap.c: clear page error before actual read Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 140/245] mm/vmscan.c: fix data races using kswapd_classzone_idx Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 141/245] nvmet-rdma: fix double free of rdma queue Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 142/245] mm/mmap.c: initialize align_offset explicitly for vm_unmapped_area Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 143/245] scsi: qedi: Fix termination timeouts in session logout Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 144/245] serial: uartps: Wait for tx_empty in console setup Greg Kroah-Hartman
2020-09-30 20:07 ` Pavel Machek
2020-09-29 10:59 ` [PATCH 4.19 145/245] KVM: Remove CREATE_IRQCHIP/SET_PIT2 race Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 146/245] perf stat: Force error in fallback on :k events Greg Kroah-Hartman
2020-09-29 13:33 ` Naresh Kamboju
2020-09-29 14:27 ` Greg Kroah-Hartman
2020-09-29 16:06 ` Sasha Levin
2020-09-29 10:59 ` [PATCH 4.19 147/245] bdev: Reduce time holding bd_mutex in sync in blkdev_close() Greg Kroah-Hartman
2020-09-29 10:59 ` [PATCH 4.19 148/245] drivers: char: tlclk.c: Avoid data race between init and interrupt handler Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 149/245] KVM: arm64: vgic-its: Fix memory leak on the error path of vgic_add_lpi() Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 150/245] net: openvswitch: use u64 for meter bucket Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 151/245] scsi: aacraid: Fix error handling paths in aac_probe_one() Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 152/245] staging:r8188eu: avoid skb_clone for amsdu to msdu conversion Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 153/245] sparc64: vcc: Fix error return code in vcc_probe() Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 154/245] arm64: cpufeature: Relax checks for AArch32 support at EL[0-2] Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 155/245] dt-bindings: sound: wm8994: Correct required supplies based on actual implementaion Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 156/245] atm: fix a memory leak of vcc->user_back Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 157/245] perf mem2node: Avoid double free related to realloc Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 158/245] power: supply: max17040: Correct voltage reading Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 159/245] phy: samsung: s5pv210-usb2: Add delay after reset Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 160/245] Bluetooth: Handle Inquiry Cancel error after Inquiry Complete Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 161/245] USB: EHCI: ehci-mv: fix error handling in mv_ehci_probe() Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 162/245] tipc: fix memory leak in service subscripting Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 163/245] tty: serial: samsung: Correct clock selection logic Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 164/245] ALSA: hda: Fix potential race in unsol event handler Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 165/245] powerpc/traps: Make unrecoverable NMIs die instead of panic Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 166/245] fuse: dont check refcount after stealing page Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 167/245] USB: EHCI: ehci-mv: fix less than zero comparison of an unsigned int Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 168/245] scsi: cxlflash: Fix error return code in cxlflash_probe() Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 169/245] arm64/cpufeature: Drop TraceFilt feature exposure from ID_DFR0 register Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 170/245] e1000: Do not perform reset in reset_task if we are already down Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 171/245] drm/nouveau/debugfs: fix runtime pm imbalance on error Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 172/245] drm/nouveau: " Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 173/245] drm/nouveau/dispnv50: " Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 174/245] printk: handle blank console arguments passed in Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 175/245] usb: dwc3: Increase timeout for CmdAct cleared by device controller Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 176/245] btrfs: dont force read-only after error in drop snapshot Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 177/245] vfio/pci: fix memory leaks of eventfd ctx Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 178/245] perf evsel: Fix 2 memory leaks Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 179/245] perf trace: Fix the selection for architectures to generate the errno name tables Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 180/245] perf stat: Fix duration_time value for higher intervals Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 181/245] perf util: Fix memory leak of prefix_if_not_in Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 182/245] perf metricgroup: Free metric_events on error Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 183/245] perf kcore_copy: Fix module map when there are no modules loaded Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 184/245] ASoC: img-i2s-out: Fix runtime PM imbalance on error Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 185/245] wlcore: fix runtime pm imbalance in wl1271_tx_work Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 186/245] wlcore: fix runtime pm imbalance in wlcore_regdomain_config Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 187/245] mtd: rawnand: omap_elm: Fix runtime PM imbalance on error Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 188/245] PCI: tegra: " Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 189/245] ceph: fix potential race in ceph_check_caps Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 190/245] mm/swap_state: fix a data race in swapin_nr_pages Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 191/245] rapidio: avoid data race between file operation callbacks and mport_cdev_add() Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 192/245] mtd: parser: cmdline: Support MTD names containing one or more colons Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 193/245] x86/speculation/mds: Mark mds_user_clear_cpu_buffers() __always_inline Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 194/245] vfio/pci: Clear error and request eventfd ctx after releasing Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 195/245] cifs: Fix double add page to memcg when cifs_readpages Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 196/245] nvme: fix possible deadlock when I/O is blocked Greg Kroah-Hartman
2020-09-30 16:22 ` Pavel Machek
2020-09-29 11:00 ` [PATCH 4.19 197/245] scsi: libfc: Handling of extra kref Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 198/245] scsi: libfc: Skip additional kref updating work event Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 199/245] selftests/x86/syscall_nt: Clear weird flags after each test Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 200/245] vfio/pci: fix racy on error and request eventfd ctx Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 201/245] btrfs: qgroup: fix data leak caused by race between writeback and truncate Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 202/245] ubi: fastmap: Free unused fastmap anchor peb during detach Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 203/245] perf parse-events: Use strcmp() to compare the PMU name Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 204/245] net: openvswitch: use div_u64() for 64-by-32 divisions Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 205/245] nvme: explicitly update mpath disk capacity on revalidation Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 206/245] ASoC: wm8994: Skip setting of the WM8994_MICBIAS register for WM1811 Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 207/245] ASoC: wm8994: Ensure the device is resumed in wm89xx_mic_detect functions Greg Kroah-Hartman
2020-09-29 11:00 ` [PATCH 4.19 208/245] ASoC: Intel: bytcr_rt5640: Add quirk for MPMAN Converter9 2-in-1 Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 209/245] RISC-V: Take text_mutex in ftrace_init_nop() Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 210/245] s390/init: add missing __init annotations Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 211/245] lockdep: fix order in trace_hardirqs_off_caller() Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 212/245] drm/amdkfd: fix a memory leak issue Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 213/245] i2c: core: Call i2c_acpi_install_space_handler() before i2c_acpi_register_devices() Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 214/245] objtool: Fix noreturn detection for ignored functions Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 215/245] ieee802154: fix one possible memleak in ca8210_dev_com_init Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 216/245] ieee802154/adf7242: check status of adf7242_read_reg Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 217/245] clocksource/drivers/h8300_timer8: Fix wrong return value in h8300_8timer_init() Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 218/245] mwifiex: Increase AES key storage size to 256 bits Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 219/245] batman-adv: bla: fix type misuse for backbone_gw hash indexing Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 220/245] atm: eni: fix the missed pci_disable_device() for eni_init_one() Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 221/245] batman-adv: mcast/TT: fix wrongly dropped or rerouted packets Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 222/245] mac802154: tx: fix use-after-free Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 223/245] bpf: Fix clobbering of r2 in bpf_gen_ld_abs Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 224/245] drm/vc4/vc4_hdmi: fill ASoC card owner Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 225/245] net: qed: RDMA personality shouldnt fail VF load Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 226/245] drm/sun4i: sun8i-csc: Secondary CSC register correction Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 227/245] batman-adv: Add missing include for in_interrupt() Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 228/245] batman-adv: mcast: fix duplicate mcast packets in BLA backbone from mesh Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 229/245] batman-adv: mcast: fix duplicate mcast packets from BLA backbone to mesh Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 230/245] bpf: Fix a rcu warning for bpffs map pretty-print Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 231/245] ALSA: asihpi: fix iounmap in error handler Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 232/245] regmap: fix page selection for noinc reads Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 233/245] MIPS: Add the missing CPU_1074K into __get_cpu_type() Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 234/245] KVM: x86: Reset MMU context if guest toggles CR4.SMAP or CR4.PKE Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 235/245] KVM: SVM: Add a dedicated INVD intercept routine Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 236/245] tracing: fix double free Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 237/245] s390/dasd: Fix zero write for FBA devices Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 238/245] kprobes: Fix to check probe enabled before disarm_kprobe_ftrace() Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 239/245] mm, THP, swap: fix allocating cluster for swapfile by mistake Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 240/245] s390/zcrypt: Fix ZCRYPT_PERDEV_REQCNT ioctl Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 241/245] kprobes: Fix compiler warning for !CONFIG_KPROBES_ON_FTRACE Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 242/245] ata: define AC_ERR_OK Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 243/245] ata: make qc_prep return ata_completion_errors Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 244/245] ata: sata_mv, avoid trigerrable BUG_ON Greg Kroah-Hartman
2020-09-29 11:01 ` [PATCH 4.19 245/245] KVM: arm64: Assume write fault on S1PTW permission fault on instruction fetch Greg Kroah-Hartman
2020-09-29 12:26 ` [PATCH 4.19 000/245] 4.19.149-rc1 review Pavel Machek
2020-10-01 11:14 ` Greg Kroah-Hartman
2020-09-29 13:44 ` Naresh Kamboju
2020-09-29 15:15 ` Jon Hunter
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).