[RFC PATCH] mtd: spi-nor: rockchip_sfc_runtime_suspend() can be static
Fixes: dbc2d867929a ("mtd: spi-nor: add rockchip serial flash controller driver") Signed-off-by: Fengguang Wu--- rockchip-sfc.c |4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/mtd/spi-nor/rockchip-sfc.c b/drivers/mtd/spi-nor/rockchip-sfc.c index 60371011..e38d79d 100644 --- a/drivers/mtd/spi-nor/rockchip-sfc.c +++ b/drivers/mtd/spi-nor/rockchip-sfc.c @@ -896,7 +896,7 @@ static int rockchip_sfc_remove(struct platform_device *pdev) } #ifdef CONFIG_PM -int rockchip_sfc_runtime_suspend(struct device *dev) +static int rockchip_sfc_runtime_suspend(struct device *dev) { struct rockchip_sfc *sfc = dev_get_drvdata(dev); @@ -904,7 +904,7 @@ int rockchip_sfc_runtime_suspend(struct device *dev) return 0; } -int rockchip_sfc_runtime_resume(struct device *dev) +static int rockchip_sfc_runtime_resume(struct device *dev) { struct rockchip_sfc *sfc = dev_get_drvdata(dev);
Re: [PATCH 0/3] Fix broken bananapi m2 devicetree/regulators
On 02/11/2018 01:07 AM, Philipp Rossak wrote: On 10.02.2018 22:08, Sergey Suloev wrote: On 02/11/2018 12:01 AM, Philipp Rossak wrote: Hey Sergey, Thanks for mentioning, but I think the problem has nothing to do with those patches. I tested them with the v4.15.0 Kernel since this is the last stable release and we are right now in the merging window. I tested the latest mainline, without those patches and the kernel is not booting (I can't see any uart output). Thanks, Philipp On 10.02.2018 14:56, Sergey Suloev wrote: On 02/09/2018 08:52 PM, Philipp Rossak wrote: This patchseries fixes the bananapi m1 devicetree, to be able to boot again. The first two patches update/improve the devicetree and the last patch adds all missing regulators. Regards, Philipp Philipp Rossak (3): arm: dts: sun6i: a31s: bpi-m2: update mmc supply nodes arm: dts: sun6i: a31s: bpi-m2: improve pmic properties arm: dts: sun6i: a31s: fix: bpi-m2: add missing regulators arch/arm/boot/dts/sun6i-a31s-sinovoip-bpi-m2.dts | 70 +++- 1 file changed, 67 insertions(+), 3 deletions(-) patches are not working Thanks same problem, but after applying the patches my device is till hanging. Can you please share a bootlog? Here is mine [1]. As you can see I'm able to boot. I build it with this branch [2]. For testing you should replace the dtb and the uImage/zImage Philipp [1]: https://pastebin.com/mVjv3LDf [2]: https://github.com/embed-3d/linux/tree/testing/bpi-m2-regulator-test-2 My dmesg is very similar to yours unless it hangs on the last line [1]. For this test I used kernel from tag v4.15 with no additional patching. [1] https://pastebin.com/3a6bk5Dk
[RFC PATCH] mtd: spi-nor: rockchip_sfc_runtime_suspend() can be static
Fixes: dbc2d867929a ("mtd: spi-nor: add rockchip serial flash controller driver") Signed-off-by: Fengguang Wu --- rockchip-sfc.c |4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/mtd/spi-nor/rockchip-sfc.c b/drivers/mtd/spi-nor/rockchip-sfc.c index 60371011..e38d79d 100644 --- a/drivers/mtd/spi-nor/rockchip-sfc.c +++ b/drivers/mtd/spi-nor/rockchip-sfc.c @@ -896,7 +896,7 @@ static int rockchip_sfc_remove(struct platform_device *pdev) } #ifdef CONFIG_PM -int rockchip_sfc_runtime_suspend(struct device *dev) +static int rockchip_sfc_runtime_suspend(struct device *dev) { struct rockchip_sfc *sfc = dev_get_drvdata(dev); @@ -904,7 +904,7 @@ int rockchip_sfc_runtime_suspend(struct device *dev) return 0; } -int rockchip_sfc_runtime_resume(struct device *dev) +static int rockchip_sfc_runtime_resume(struct device *dev) { struct rockchip_sfc *sfc = dev_get_drvdata(dev);
Re: [PATCH 0/3] Fix broken bananapi m2 devicetree/regulators
On 02/11/2018 01:07 AM, Philipp Rossak wrote: On 10.02.2018 22:08, Sergey Suloev wrote: On 02/11/2018 12:01 AM, Philipp Rossak wrote: Hey Sergey, Thanks for mentioning, but I think the problem has nothing to do with those patches. I tested them with the v4.15.0 Kernel since this is the last stable release and we are right now in the merging window. I tested the latest mainline, without those patches and the kernel is not booting (I can't see any uart output). Thanks, Philipp On 10.02.2018 14:56, Sergey Suloev wrote: On 02/09/2018 08:52 PM, Philipp Rossak wrote: This patchseries fixes the bananapi m1 devicetree, to be able to boot again. The first two patches update/improve the devicetree and the last patch adds all missing regulators. Regards, Philipp Philipp Rossak (3): arm: dts: sun6i: a31s: bpi-m2: update mmc supply nodes arm: dts: sun6i: a31s: bpi-m2: improve pmic properties arm: dts: sun6i: a31s: fix: bpi-m2: add missing regulators arch/arm/boot/dts/sun6i-a31s-sinovoip-bpi-m2.dts | 70 +++- 1 file changed, 67 insertions(+), 3 deletions(-) patches are not working Thanks same problem, but after applying the patches my device is till hanging. Can you please share a bootlog? Here is mine [1]. As you can see I'm able to boot. I build it with this branch [2]. For testing you should replace the dtb and the uImage/zImage Philipp [1]: https://pastebin.com/mVjv3LDf [2]: https://github.com/embed-3d/linux/tree/testing/bpi-m2-regulator-test-2 My dmesg is very similar to yours unless it hangs on the last line [1]. For this test I used kernel from tag v4.15 with no additional patching. [1] https://pastebin.com/3a6bk5Dk
Re: [PATCH v8 2/3] mtd: spi-nor: add rockchip serial flash controller driver
Hi Shawn, I love your patch! Perhaps something to improve: [auto build test WARNING on robh/for-next] [also build test WARNING on v4.15 next-20180209] [if your patch is applied to the wrong git tree, please drop us a note to help improve the system] url: https://github.com/0day-ci/linux/commits/Andy-Yan/Add-Rockchip-SFC-serial-flash-controller-support/20180211-135616 base: https://git.kernel.org/pub/scm/linux/kernel/git/robh/linux.git for-next reproduce: # apt-get install sparse make ARCH=x86_64 allmodconfig make C=1 CF=-D__CHECK_ENDIAN__ sparse warnings: (new ones prefixed by >>) >> drivers/mtd/spi-nor/rockchip-sfc.c:899:5: sparse: symbol >> 'rockchip_sfc_runtime_suspend' was not declared. Should it be >> drivers/mtd/spi-nor/rockchip-sfc.c:907:5: sparse: symbol >> 'rockchip_sfc_runtime_resume' was not declared. Should it be Please review and possibly fold the followup patch. --- 0-DAY kernel test infrastructureOpen Source Technology Center https://lists.01.org/pipermail/kbuild-all Intel Corporation
Re: [PATCH v8 2/3] mtd: spi-nor: add rockchip serial flash controller driver
Hi Shawn, I love your patch! Perhaps something to improve: [auto build test WARNING on robh/for-next] [also build test WARNING on v4.15 next-20180209] [if your patch is applied to the wrong git tree, please drop us a note to help improve the system] url: https://github.com/0day-ci/linux/commits/Andy-Yan/Add-Rockchip-SFC-serial-flash-controller-support/20180211-135616 base: https://git.kernel.org/pub/scm/linux/kernel/git/robh/linux.git for-next reproduce: # apt-get install sparse make ARCH=x86_64 allmodconfig make C=1 CF=-D__CHECK_ENDIAN__ sparse warnings: (new ones prefixed by >>) >> drivers/mtd/spi-nor/rockchip-sfc.c:899:5: sparse: symbol >> 'rockchip_sfc_runtime_suspend' was not declared. Should it be >> drivers/mtd/spi-nor/rockchip-sfc.c:907:5: sparse: symbol >> 'rockchip_sfc_runtime_resume' was not declared. Should it be Please review and possibly fold the followup patch. --- 0-DAY kernel test infrastructureOpen Source Technology Center https://lists.01.org/pipermail/kbuild-all Intel Corporation
Re: [PATCH v2 5/7] watchdog: mtk: allow setting timeout in devicetree
On Sat, 2018-02-10 at 17:52 -0800, Guenter Roeck wrote: > On 02/10/2018 12:12 PM, Marcus Folkesson wrote: > > Hello Sean, > > > > On Sat, Feb 10, 2018 at 01:43:28PM +0100, Marcus Folkesson wrote: > >> Hello Sean, > >> > >> On Sat, Feb 10, 2018 at 07:10:02PM +0800, Sean Wang wrote: > >>> > >>> Hi, Marcus > >>> > >>> The changes you made for dt-bindings and driver should be put into > >>> separate patches. > >> > >> I actually thought about it but chose to have it in the same patch because > >> I > >> did not see any direct advantage to separating them. > >> > >> But I can do that. > >> I will come up with a v3 with this change if no one thinks differently. > >> > > > > When looking at the git log, I'm not that convinced it should be > > separate patches. > > > > For example, I found a4f741e3e157c3a5c8aea5f2ea62b692fbf17338 that is > > doing the exact same thing as this patch. > > > > There is plenty of patches that mixes the code change and dt bindings > > updates. > > Could it not be useful to overview both the implementation and > > dt-mapping change in one view? > > > > If you or anyone else still think it should be separated, please let me > > know and I will > > come up with a v3. > > > > If we were talking about something new, specifically new and unapproved DT > bindings, > it should be separate patches. However, that is not the case here. The DT > bindings > are well established. Sure, we could be pedantic and request a split into two > patches. However, the only benefit of that would be more work for the > maintainers, > ie Wim and myself (including me having to send this e-mail). I don't really > see > the point of that. > > I have already sent my Reviewed-by:, and I don't intend to withdraw it. > Hi, both Sorry for that if I caused any inconvenience to you. I didn't really insist on if the patch is needed to split into two, which totally depends on whether dt maintainers like it. The change for dt-binding is usually added as a split patch with dt-bindings as a prefix. This way I thought dt maintainers is not easy to miss those patches and also can give some useful feedback for them. Sean > Thanks, > Guenter >
Re: [PATCH v2 5/7] watchdog: mtk: allow setting timeout in devicetree
On Sat, 2018-02-10 at 17:52 -0800, Guenter Roeck wrote: > On 02/10/2018 12:12 PM, Marcus Folkesson wrote: > > Hello Sean, > > > > On Sat, Feb 10, 2018 at 01:43:28PM +0100, Marcus Folkesson wrote: > >> Hello Sean, > >> > >> On Sat, Feb 10, 2018 at 07:10:02PM +0800, Sean Wang wrote: > >>> > >>> Hi, Marcus > >>> > >>> The changes you made for dt-bindings and driver should be put into > >>> separate patches. > >> > >> I actually thought about it but chose to have it in the same patch because > >> I > >> did not see any direct advantage to separating them. > >> > >> But I can do that. > >> I will come up with a v3 with this change if no one thinks differently. > >> > > > > When looking at the git log, I'm not that convinced it should be > > separate patches. > > > > For example, I found a4f741e3e157c3a5c8aea5f2ea62b692fbf17338 that is > > doing the exact same thing as this patch. > > > > There is plenty of patches that mixes the code change and dt bindings > > updates. > > Could it not be useful to overview both the implementation and > > dt-mapping change in one view? > > > > If you or anyone else still think it should be separated, please let me > > know and I will > > come up with a v3. > > > > If we were talking about something new, specifically new and unapproved DT > bindings, > it should be separate patches. However, that is not the case here. The DT > bindings > are well established. Sure, we could be pedantic and request a split into two > patches. However, the only benefit of that would be more work for the > maintainers, > ie Wim and myself (including me having to send this e-mail). I don't really > see > the point of that. > > I have already sent my Reviewed-by:, and I don't intend to withdraw it. > Hi, both Sorry for that if I caused any inconvenience to you. I didn't really insist on if the patch is needed to split into two, which totally depends on whether dt maintainers like it. The change for dt-binding is usually added as a split patch with dt-bindings as a prefix. This way I thought dt maintainers is not easy to miss those patches and also can give some useful feedback for them. Sean > Thanks, > Guenter >
Re: [PATCH 3.2 39/79] ocfs2: should wait dio before inode lock in ocfs2_setattr()
Hi Ben, ocfs2_dio_end_io_write() was introduced in 4.6 and the problem this patch fixes is only exist in the kernel 4.6 and above 4.6. Thanks, Alex On 2018/2/11 12:20, Ben Hutchings wrote: > 3.2.99-rc1 review patch. If anyone has any objections, please let me know. > > -- > > From: alex chen> > commit 28f5a8a7c033cbf3e32277f4cc9c6afd74f05300 upstream. > > we should wait dio requests to finish before inode lock in > ocfs2_setattr(), otherwise the following deadlock will happen: > > process 1 process 2process 3 > truncate file 'A' end_io of writing file 'A' receiving the bast > messages > ocfs2_setattr > ocfs2_inode_lock_tracker > ocfs2_inode_lock_full > inode_dio_wait > __inode_dio_wait > -->waiting for all dio > requests finish > dlm_proxy_ast_handler > dlm_do_local_bast > ocfs2_blocking_ast > > ocfs2_generic_handle_bast > set > OCFS2_LOCK_BLOCKED flag > dio_end_io > dio_bio_end_aio > dio_complete >ocfs2_dio_end_io > ocfs2_dio_end_io_write > ocfs2_inode_lock > __ocfs2_cluster_lock >ocfs2_wait_for_mask >-->waiting for OCFS2_LOCK_BLOCKED >flag to be cleared, that is waiting >for 'process 1' unlocking the inode lock >inode_dio_end >-->here dec the i_dio_count, but will never >be called, so a deadlock happened. > > Link: http://lkml.kernel.org/r/59f81636.70...@huawei.com > Signed-off-by: Alex Chen > Reviewed-by: Jun Piao > Reviewed-by: Joseph Qi > Acked-by: Changwei Ge > Cc: Mark Fasheh > Cc: Joel Becker > Cc: Junxiao Bi > Signed-off-by: Andrew Morton > Signed-off-by: Linus Torvalds > Signed-off-by: Ben Hutchings > --- > fs/ocfs2/file.c | 9 +++-- > 1 file changed, 7 insertions(+), 2 deletions(-) > > --- a/fs/ocfs2/file.c > +++ b/fs/ocfs2/file.c > @@ -1130,6 +1130,13 @@ int ocfs2_setattr(struct dentry *dentry, > dquot_initialize(inode); > size_change = S_ISREG(inode->i_mode) && attr->ia_valid & ATTR_SIZE; > if (size_change) { > + /* > + * Here we should wait dio to finish before inode lock > + * to avoid a deadlock between ocfs2_setattr() and > + * ocfs2_dio_end_io_write() > + */ > + inode_dio_wait(inode); > + > status = ocfs2_rw_lock(inode, 1); > if (status < 0) { > mlog_errno(status); > @@ -1149,8 +1156,6 @@ int ocfs2_setattr(struct dentry *dentry, > if (status) > goto bail_unlock; > > - inode_dio_wait(inode); > - > if (i_size_read(inode) >= attr->ia_size) { > if (ocfs2_should_order_data(inode)) { > status = ocfs2_begin_ordered_truncate(inode, > > > . >
Re: [PATCH 3.2 39/79] ocfs2: should wait dio before inode lock in ocfs2_setattr()
Hi Ben, ocfs2_dio_end_io_write() was introduced in 4.6 and the problem this patch fixes is only exist in the kernel 4.6 and above 4.6. Thanks, Alex On 2018/2/11 12:20, Ben Hutchings wrote: > 3.2.99-rc1 review patch. If anyone has any objections, please let me know. > > -- > > From: alex chen > > commit 28f5a8a7c033cbf3e32277f4cc9c6afd74f05300 upstream. > > we should wait dio requests to finish before inode lock in > ocfs2_setattr(), otherwise the following deadlock will happen: > > process 1 process 2process 3 > truncate file 'A' end_io of writing file 'A' receiving the bast > messages > ocfs2_setattr > ocfs2_inode_lock_tracker > ocfs2_inode_lock_full > inode_dio_wait > __inode_dio_wait > -->waiting for all dio > requests finish > dlm_proxy_ast_handler > dlm_do_local_bast > ocfs2_blocking_ast > > ocfs2_generic_handle_bast > set > OCFS2_LOCK_BLOCKED flag > dio_end_io > dio_bio_end_aio > dio_complete >ocfs2_dio_end_io > ocfs2_dio_end_io_write > ocfs2_inode_lock > __ocfs2_cluster_lock >ocfs2_wait_for_mask >-->waiting for OCFS2_LOCK_BLOCKED >flag to be cleared, that is waiting >for 'process 1' unlocking the inode lock >inode_dio_end >-->here dec the i_dio_count, but will never >be called, so a deadlock happened. > > Link: http://lkml.kernel.org/r/59f81636.70...@huawei.com > Signed-off-by: Alex Chen > Reviewed-by: Jun Piao > Reviewed-by: Joseph Qi > Acked-by: Changwei Ge > Cc: Mark Fasheh > Cc: Joel Becker > Cc: Junxiao Bi > Signed-off-by: Andrew Morton > Signed-off-by: Linus Torvalds > Signed-off-by: Ben Hutchings > --- > fs/ocfs2/file.c | 9 +++-- > 1 file changed, 7 insertions(+), 2 deletions(-) > > --- a/fs/ocfs2/file.c > +++ b/fs/ocfs2/file.c > @@ -1130,6 +1130,13 @@ int ocfs2_setattr(struct dentry *dentry, > dquot_initialize(inode); > size_change = S_ISREG(inode->i_mode) && attr->ia_valid & ATTR_SIZE; > if (size_change) { > + /* > + * Here we should wait dio to finish before inode lock > + * to avoid a deadlock between ocfs2_setattr() and > + * ocfs2_dio_end_io_write() > + */ > + inode_dio_wait(inode); > + > status = ocfs2_rw_lock(inode, 1); > if (status < 0) { > mlog_errno(status); > @@ -1149,8 +1156,6 @@ int ocfs2_setattr(struct dentry *dentry, > if (status) > goto bail_unlock; > > - inode_dio_wait(inode); > - > if (i_size_read(inode) >= attr->ia_size) { > if (ocfs2_should_order_data(inode)) { > status = ocfs2_begin_ordered_truncate(inode, > > > . >
Re: [PATCH 0/3] Fix broken bananapi m2 devicetree/regulators
On 02/11/2018 01:07 AM, Philipp Rossak wrote: On 10.02.2018 22:08, Sergey Suloev wrote: On 02/11/2018 12:01 AM, Philipp Rossak wrote: Hey Sergey, Thanks for mentioning, but I think the problem has nothing to do with those patches. I tested them with the v4.15.0 Kernel since this is the last stable release and we are right now in the merging window. I tested the latest mainline, without those patches and the kernel is not booting (I can't see any uart output). Thanks, Philipp On 10.02.2018 14:56, Sergey Suloev wrote: On 02/09/2018 08:52 PM, Philipp Rossak wrote: This patchseries fixes the bananapi m1 devicetree, to be able to boot again. The first two patches update/improve the devicetree and the last patch adds all missing regulators. Regards, Philipp Philipp Rossak (3): arm: dts: sun6i: a31s: bpi-m2: update mmc supply nodes arm: dts: sun6i: a31s: bpi-m2: improve pmic properties arm: dts: sun6i: a31s: fix: bpi-m2: add missing regulators arch/arm/boot/dts/sun6i-a31s-sinovoip-bpi-m2.dts | 70 +++- 1 file changed, 67 insertions(+), 3 deletions(-) patches are not working Thanks same problem, but after applying the patches my device is till hanging. Can you please share a bootlog? Here is mine [1]. As you can see I'm able to boot. I build it with this branch [2]. For testing you should replace the dtb and the uImage/zImage Philipp [1]: https://pastebin.com/mVjv3LDf [2]: https://github.com/embed-3d/linux/tree/testing/bpi-m2-regulator-test-2 I am going to test it and come back with outcome Thanks
Re: [PATCH 0/3] Fix broken bananapi m2 devicetree/regulators
On 02/11/2018 01:07 AM, Philipp Rossak wrote: On 10.02.2018 22:08, Sergey Suloev wrote: On 02/11/2018 12:01 AM, Philipp Rossak wrote: Hey Sergey, Thanks for mentioning, but I think the problem has nothing to do with those patches. I tested them with the v4.15.0 Kernel since this is the last stable release and we are right now in the merging window. I tested the latest mainline, without those patches and the kernel is not booting (I can't see any uart output). Thanks, Philipp On 10.02.2018 14:56, Sergey Suloev wrote: On 02/09/2018 08:52 PM, Philipp Rossak wrote: This patchseries fixes the bananapi m1 devicetree, to be able to boot again. The first two patches update/improve the devicetree and the last patch adds all missing regulators. Regards, Philipp Philipp Rossak (3): arm: dts: sun6i: a31s: bpi-m2: update mmc supply nodes arm: dts: sun6i: a31s: bpi-m2: improve pmic properties arm: dts: sun6i: a31s: fix: bpi-m2: add missing regulators arch/arm/boot/dts/sun6i-a31s-sinovoip-bpi-m2.dts | 70 +++- 1 file changed, 67 insertions(+), 3 deletions(-) patches are not working Thanks same problem, but after applying the patches my device is till hanging. Can you please share a bootlog? Here is mine [1]. As you can see I'm able to boot. I build it with this branch [2]. For testing you should replace the dtb and the uImage/zImage Philipp [1]: https://pastebin.com/mVjv3LDf [2]: https://github.com/embed-3d/linux/tree/testing/bpi-m2-regulator-test-2 I am going to test it and come back with outcome Thanks
Re: [RFC PATCH 4/7] kconfig: support new special property shell=
On Sat, Feb 10, 2018 at 8:46 PM, Linus Torvaldswrote: > > Argh. I wanted to get rid of all that entirely, and simplify this all. > The mentioned script (and bugzilla) was from 2006, I assumed this was > all historical. > > But if it has broken again since, I guess we need to have a silly script. Grr. Ok, so this really ended up bothering me. I was hoping to really just unify all the stupid compiler flag testing in just the Kconfig files and hoping we could really just use config CC_xyz bool option cc_option "-fwhatever-xyz" to set them, and then build Kconfig rules from that: config USE_xyz bool "Some question that needs xyz" depends on CC_xyz and have a nice simple ccflags-$(CONFIG_USE_xyz) += -fwhataver-xyz in the Makefiles. And one thought I had was "hey, if we need a script for -fstack-protector, maybe we can simply standardize on _everything_ using a script". But doing the stats, we test about two _hundred_ different compiler options, and it really looks like -fstack-protector is the _only_ one that uses a dedicated script. Everything else is just using the "see if the compiler accepts the flag". So no, we wouldn't want to standardize around a script. We do have a script for some other build options related to gcc breakage, but not command line flags per se: both 'asm goto' and for gcc version generation. And gcc plugin compatibility checking. Oh well. It looks like we really have to have those nasty exceptions from the normal rules. Linus
Re: [RFC PATCH 4/7] kconfig: support new special property shell=
On Sat, Feb 10, 2018 at 8:46 PM, Linus Torvalds wrote: > > Argh. I wanted to get rid of all that entirely, and simplify this all. > The mentioned script (and bugzilla) was from 2006, I assumed this was > all historical. > > But if it has broken again since, I guess we need to have a silly script. Grr. Ok, so this really ended up bothering me. I was hoping to really just unify all the stupid compiler flag testing in just the Kconfig files and hoping we could really just use config CC_xyz bool option cc_option "-fwhatever-xyz" to set them, and then build Kconfig rules from that: config USE_xyz bool "Some question that needs xyz" depends on CC_xyz and have a nice simple ccflags-$(CONFIG_USE_xyz) += -fwhataver-xyz in the Makefiles. And one thought I had was "hey, if we need a script for -fstack-protector, maybe we can simply standardize on _everything_ using a script". But doing the stats, we test about two _hundred_ different compiler options, and it really looks like -fstack-protector is the _only_ one that uses a dedicated script. Everything else is just using the "see if the compiler accepts the flag". So no, we wouldn't want to standardize around a script. We do have a script for some other build options related to gcc breakage, but not command line flags per se: both 'asm goto' and for gcc version generation. And gcc plugin compatibility checking. Oh well. It looks like we really have to have those nasty exceptions from the normal rules. Linus
/kbuild/src/consumer/include/linux/kasan.h:28:41: error: 'KASAN_SHADOW_SCALE_SHIFT' undeclared; did you mean 'KASAN_SHADOW_START'?
tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master head: d48fcbd864a008802a90c58a9ceddd9436d11a49 commit: 917538e212a2c080af95ccb4376c5387fac08176 kasan: clean up KASAN_SHADOW_SCALE_SHIFT usage date: 4 days ago config: xtensa-allyesconfig (attached as .config) compiler: xtensa-linux-gcc (GCC) 7.2.0 reproduce: wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross chmod +x ~/bin/make.cross git checkout 917538e212a2c080af95ccb4376c5387fac08176 # save the attached .config to linux build tree make.cross ARCH=xtensa All errors (new ones prefixed by >>): In file included from /kbuild/src/consumer/include/linux/slab.h:129:0, from /kbuild/src/consumer/include/linux/irq.h:26, from /kbuild/src/consumer/include/asm-generic/hardirq.h:13, from ./arch/xtensa/include/generated/asm/hardirq.h:1, from /kbuild/src/consumer/include/linux/hardirq.h:9, from /kbuild/src/consumer/include/linux/interrupt.h:13, from /kbuild/src/consumer/drivers//w1/masters/matrox_w1.c:30: /kbuild/src/consumer/include/linux/kasan.h: In function 'kasan_mem_to_shadow': >> /kbuild/src/consumer/include/linux/kasan.h:28:41: error: >> 'KASAN_SHADOW_SCALE_SHIFT' undeclared (first use in this function); did you >> mean 'KASAN_SHADOW_START'? return (void *)((unsigned long)addr >> KASAN_SHADOW_SCALE_SHIFT) ^~~~ KASAN_SHADOW_START /kbuild/src/consumer/include/linux/kasan.h:28:41: note: each undeclared identifier is reported only once for each function it appears in -- In file included from /kbuild/src/consumer/include/linux/slab.h:129:0, from /kbuild/src/consumer/include/linux/irq.h:26, from /kbuild/src/consumer/include/asm-generic/hardirq.h:13, from ./arch/xtensa/include/generated/asm/hardirq.h:1, from /kbuild/src/consumer/include/linux/hardirq.h:9, from /kbuild/src/consumer/include/linux/interrupt.h:13, from /kbuild/src/consumer/drivers//scsi/sym53c8xx_2/sym_glue.h:45, from /kbuild/src/consumer/drivers//scsi/sym53c8xx_2/sym_fw.c:40: /kbuild/src/consumer/include/linux/kasan.h: In function 'kasan_mem_to_shadow': >> /kbuild/src/consumer/include/linux/kasan.h:28:41: error: >> 'KASAN_SHADOW_SCALE_SHIFT' undeclared (first use in this function); did you >> mean 'KASAN_SHADOW_START'? return (void *)((unsigned long)addr >> KASAN_SHADOW_SCALE_SHIFT) ^~~~ KASAN_SHADOW_START /kbuild/src/consumer/include/linux/kasan.h:28:41: note: each undeclared identifier is reported only once for each function it appears in In file included from /kbuild/src/consumer/drivers//scsi/sym53c8xx_2/sym_glue.h:64:0, from /kbuild/src/consumer/drivers//scsi/sym53c8xx_2/sym_fw.c:40: /kbuild/src/consumer/drivers//scsi/sym53c8xx_2/sym_defs.h: At top level: /kbuild/src/consumer/drivers//scsi/sym53c8xx_2/sym_defs.h:109:0: warning: "WSR" redefined #define WSR 0x01 /* sta: wide scsi received [W]*/ In file included from /kbuild/src/consumer/arch/xtensa/include/asm/bitops.h:22:0, from /kbuild/src/consumer/include/linux/bitops.h:38, from /kbuild/src/consumer/include/linux/kernel.h:11, from /kbuild/src/consumer/include/linux/list.h:9, from /kbuild/src/consumer/include/linux/wait.h:7, from /kbuild/src/consumer/include/linux/completion.h:12, from /kbuild/src/consumer/drivers//scsi/sym53c8xx_2/sym_glue.h:43, from /kbuild/src/consumer/drivers//scsi/sym53c8xx_2/sym_fw.c:40: /kbuild/src/consumer/arch/xtensa/include/asm/processor.h:220:0: note: this is the location of the previous definition #define WSR(v,sr) __asm__ __volatile__ ("wsr %0,"__stringify(sr) :: "a"(v)); -- In file included from /kbuild/src/consumer/include/linux/slab.h:129:0, from /kbuild/src/consumer/include/linux/irq.h:26, from /kbuild/src/consumer/include/asm-generic/hardirq.h:13, from ./arch/xtensa/include/generated/asm/hardirq.h:1, from /kbuild/src/consumer/include/linux/hardirq.h:9, from /kbuild/src/consumer/include/linux/interrupt.h:13, from /kbuild/src/consumer/drivers/infiniband/hw/bnxt_re/ib_verbs.c:39: /kbuild/src/consumer/include/linux/kasan.h: In function 'kasan_mem_to_shadow': >> /kbuild/src/consumer/include/linux/kasan.h:28:41: error: >> 'KASAN_SHADOW_SCALE_SHIFT'
/kbuild/src/consumer/include/linux/kasan.h:28:41: error: 'KASAN_SHADOW_SCALE_SHIFT' undeclared; did you mean 'KASAN_SHADOW_START'?
tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master head: d48fcbd864a008802a90c58a9ceddd9436d11a49 commit: 917538e212a2c080af95ccb4376c5387fac08176 kasan: clean up KASAN_SHADOW_SCALE_SHIFT usage date: 4 days ago config: xtensa-allyesconfig (attached as .config) compiler: xtensa-linux-gcc (GCC) 7.2.0 reproduce: wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross chmod +x ~/bin/make.cross git checkout 917538e212a2c080af95ccb4376c5387fac08176 # save the attached .config to linux build tree make.cross ARCH=xtensa All errors (new ones prefixed by >>): In file included from /kbuild/src/consumer/include/linux/slab.h:129:0, from /kbuild/src/consumer/include/linux/irq.h:26, from /kbuild/src/consumer/include/asm-generic/hardirq.h:13, from ./arch/xtensa/include/generated/asm/hardirq.h:1, from /kbuild/src/consumer/include/linux/hardirq.h:9, from /kbuild/src/consumer/include/linux/interrupt.h:13, from /kbuild/src/consumer/drivers//w1/masters/matrox_w1.c:30: /kbuild/src/consumer/include/linux/kasan.h: In function 'kasan_mem_to_shadow': >> /kbuild/src/consumer/include/linux/kasan.h:28:41: error: >> 'KASAN_SHADOW_SCALE_SHIFT' undeclared (first use in this function); did you >> mean 'KASAN_SHADOW_START'? return (void *)((unsigned long)addr >> KASAN_SHADOW_SCALE_SHIFT) ^~~~ KASAN_SHADOW_START /kbuild/src/consumer/include/linux/kasan.h:28:41: note: each undeclared identifier is reported only once for each function it appears in -- In file included from /kbuild/src/consumer/include/linux/slab.h:129:0, from /kbuild/src/consumer/include/linux/irq.h:26, from /kbuild/src/consumer/include/asm-generic/hardirq.h:13, from ./arch/xtensa/include/generated/asm/hardirq.h:1, from /kbuild/src/consumer/include/linux/hardirq.h:9, from /kbuild/src/consumer/include/linux/interrupt.h:13, from /kbuild/src/consumer/drivers//scsi/sym53c8xx_2/sym_glue.h:45, from /kbuild/src/consumer/drivers//scsi/sym53c8xx_2/sym_fw.c:40: /kbuild/src/consumer/include/linux/kasan.h: In function 'kasan_mem_to_shadow': >> /kbuild/src/consumer/include/linux/kasan.h:28:41: error: >> 'KASAN_SHADOW_SCALE_SHIFT' undeclared (first use in this function); did you >> mean 'KASAN_SHADOW_START'? return (void *)((unsigned long)addr >> KASAN_SHADOW_SCALE_SHIFT) ^~~~ KASAN_SHADOW_START /kbuild/src/consumer/include/linux/kasan.h:28:41: note: each undeclared identifier is reported only once for each function it appears in In file included from /kbuild/src/consumer/drivers//scsi/sym53c8xx_2/sym_glue.h:64:0, from /kbuild/src/consumer/drivers//scsi/sym53c8xx_2/sym_fw.c:40: /kbuild/src/consumer/drivers//scsi/sym53c8xx_2/sym_defs.h: At top level: /kbuild/src/consumer/drivers//scsi/sym53c8xx_2/sym_defs.h:109:0: warning: "WSR" redefined #define WSR 0x01 /* sta: wide scsi received [W]*/ In file included from /kbuild/src/consumer/arch/xtensa/include/asm/bitops.h:22:0, from /kbuild/src/consumer/include/linux/bitops.h:38, from /kbuild/src/consumer/include/linux/kernel.h:11, from /kbuild/src/consumer/include/linux/list.h:9, from /kbuild/src/consumer/include/linux/wait.h:7, from /kbuild/src/consumer/include/linux/completion.h:12, from /kbuild/src/consumer/drivers//scsi/sym53c8xx_2/sym_glue.h:43, from /kbuild/src/consumer/drivers//scsi/sym53c8xx_2/sym_fw.c:40: /kbuild/src/consumer/arch/xtensa/include/asm/processor.h:220:0: note: this is the location of the previous definition #define WSR(v,sr) __asm__ __volatile__ ("wsr %0,"__stringify(sr) :: "a"(v)); -- In file included from /kbuild/src/consumer/include/linux/slab.h:129:0, from /kbuild/src/consumer/include/linux/irq.h:26, from /kbuild/src/consumer/include/asm-generic/hardirq.h:13, from ./arch/xtensa/include/generated/asm/hardirq.h:1, from /kbuild/src/consumer/include/linux/hardirq.h:9, from /kbuild/src/consumer/include/linux/interrupt.h:13, from /kbuild/src/consumer/drivers/infiniband/hw/bnxt_re/ib_verbs.c:39: /kbuild/src/consumer/include/linux/kasan.h: In function 'kasan_mem_to_shadow': >> /kbuild/src/consumer/include/linux/kasan.h:28:41: error: >> 'KASAN_SHADOW_SCALE_SHIFT'
Re: [PATCHv2 1/2] zsmalloc: introduce zs_huge_object() function
Some more nitpicks :) On Sat, Feb 10, 2018 at 05:23:21PM +0900, Sergey Senozhatsky wrote: > Not every object can be share its zspage with other objects, e.g. > when the object is as big as zspage or nearly as big a zspage. > For such objects zsmalloc has a so called huge class - every object > which belongs to huge class consumes the entire zspage (which > consists of a physical page). On x86_64, PAGE_SHIFT 12 box, the > first non-huge class size is 3264, so starting down from size 3264, > objects can share page(-s) and thus minimize memory wastage. > > ZRAM, however, has its own statically defined watermark for huge > objects - "3 * PAGE_SIZE / 4 = 3072", and forcibly stores every > object larger than this watermark (3072) as a PAGE_SIZE object, > in other words, to a huge class, while zsmalloc can keep some of > those objects in non-huge classes. This results in increased > memory consumption. > > zsmalloc knows better if the object is huge or not. Introduce > zs_huge_object() function which tells if the given object can be > stored in one of non-huge classes or not. This will let us to drop > ZRAM's huge object watermark and fully rely on zsmalloc when we > decide if the object is huge. > > Signed-off-by: Sergey Senozhatsky> --- > include/linux/zsmalloc.h | 2 ++ > mm/zsmalloc.c| 26 ++ > 2 files changed, 28 insertions(+) > > diff --git a/include/linux/zsmalloc.h b/include/linux/zsmalloc.h > index 57a8e98f2708..9a1baf673cc1 100644 > --- a/include/linux/zsmalloc.h > +++ b/include/linux/zsmalloc.h > @@ -47,6 +47,8 @@ void zs_destroy_pool(struct zs_pool *pool); > unsigned long zs_malloc(struct zs_pool *pool, size_t size, gfp_t flags); > void zs_free(struct zs_pool *pool, unsigned long obj); > > +bool zs_huge_object(size_t sz); > + > void *zs_map_object(struct zs_pool *pool, unsigned long handle, > enum zs_mapmode mm); > void zs_unmap_object(struct zs_pool *pool, unsigned long handle); > diff --git a/mm/zsmalloc.c b/mm/zsmalloc.c > index c3013505c305..922180183ca3 100644 > --- a/mm/zsmalloc.c > +++ b/mm/zsmalloc.c > @@ -192,6 +192,7 @@ static struct vfsmount *zsmalloc_mnt; > * (see: fix_fullness_group()) > */ > static const int fullness_threshold_frac = 4; > +static size_t zs_huge_class_size; > > struct size_class { > spinlock_t lock; > @@ -1417,6 +1418,28 @@ void zs_unmap_object(struct zs_pool *pool, unsigned > long handle) > } > EXPORT_SYMBOL_GPL(zs_unmap_object); > > +/** > + * zs_huge_object() - Test if a compressed object's size is too big for > normal > + *zspool classes and it shall be stored in a huge class. I think "is should be stored" is more appropriate > + * @sz: Size of the compressed object (in bytes). > + * > + * The function checks if the object's size falls into huge_class > + * area. We must take handle size into account and test the actual > + * size we are going to use, because zs_malloc() unconditionally > + * adds %ZS_HANDLE_SIZE before it performs %size_class lookup. ^ _class ;-) > + * > + * Context: Any context. > + * > + * Return: > + * * true - The object's size is too big, it will be stored in a huge class. > + * * false - The object will be store in normal zspool classes. > + */ > +bool zs_huge_object(size_t sz) > +{ > + return sz + ZS_HANDLE_SIZE >= zs_huge_class_size; > +} > +EXPORT_SYMBOL_GPL(zs_huge_object); > + > static unsigned long obj_malloc(struct size_class *class, > struct zspage *zspage, unsigned long handle) > { > @@ -2404,6 +2427,9 @@ struct zs_pool *zs_create_pool(const char *name) > INIT_LIST_HEAD(>fullness_list[fullness]); > > prev_class = class; > + if (pages_per_zspage == 1 && objs_per_zspage == 1 > + && !zs_huge_class_size) > + zs_huge_class_size = size; > } > > /* debug only, don't abort if it fails */ > -- > 2.16.1 > -- Sincerely yours, Mike.
Re: [PATCHv2 1/2] zsmalloc: introduce zs_huge_object() function
Some more nitpicks :) On Sat, Feb 10, 2018 at 05:23:21PM +0900, Sergey Senozhatsky wrote: > Not every object can be share its zspage with other objects, e.g. > when the object is as big as zspage or nearly as big a zspage. > For such objects zsmalloc has a so called huge class - every object > which belongs to huge class consumes the entire zspage (which > consists of a physical page). On x86_64, PAGE_SHIFT 12 box, the > first non-huge class size is 3264, so starting down from size 3264, > objects can share page(-s) and thus minimize memory wastage. > > ZRAM, however, has its own statically defined watermark for huge > objects - "3 * PAGE_SIZE / 4 = 3072", and forcibly stores every > object larger than this watermark (3072) as a PAGE_SIZE object, > in other words, to a huge class, while zsmalloc can keep some of > those objects in non-huge classes. This results in increased > memory consumption. > > zsmalloc knows better if the object is huge or not. Introduce > zs_huge_object() function which tells if the given object can be > stored in one of non-huge classes or not. This will let us to drop > ZRAM's huge object watermark and fully rely on zsmalloc when we > decide if the object is huge. > > Signed-off-by: Sergey Senozhatsky > --- > include/linux/zsmalloc.h | 2 ++ > mm/zsmalloc.c| 26 ++ > 2 files changed, 28 insertions(+) > > diff --git a/include/linux/zsmalloc.h b/include/linux/zsmalloc.h > index 57a8e98f2708..9a1baf673cc1 100644 > --- a/include/linux/zsmalloc.h > +++ b/include/linux/zsmalloc.h > @@ -47,6 +47,8 @@ void zs_destroy_pool(struct zs_pool *pool); > unsigned long zs_malloc(struct zs_pool *pool, size_t size, gfp_t flags); > void zs_free(struct zs_pool *pool, unsigned long obj); > > +bool zs_huge_object(size_t sz); > + > void *zs_map_object(struct zs_pool *pool, unsigned long handle, > enum zs_mapmode mm); > void zs_unmap_object(struct zs_pool *pool, unsigned long handle); > diff --git a/mm/zsmalloc.c b/mm/zsmalloc.c > index c3013505c305..922180183ca3 100644 > --- a/mm/zsmalloc.c > +++ b/mm/zsmalloc.c > @@ -192,6 +192,7 @@ static struct vfsmount *zsmalloc_mnt; > * (see: fix_fullness_group()) > */ > static const int fullness_threshold_frac = 4; > +static size_t zs_huge_class_size; > > struct size_class { > spinlock_t lock; > @@ -1417,6 +1418,28 @@ void zs_unmap_object(struct zs_pool *pool, unsigned > long handle) > } > EXPORT_SYMBOL_GPL(zs_unmap_object); > > +/** > + * zs_huge_object() - Test if a compressed object's size is too big for > normal > + *zspool classes and it shall be stored in a huge class. I think "is should be stored" is more appropriate > + * @sz: Size of the compressed object (in bytes). > + * > + * The function checks if the object's size falls into huge_class > + * area. We must take handle size into account and test the actual > + * size we are going to use, because zs_malloc() unconditionally > + * adds %ZS_HANDLE_SIZE before it performs %size_class lookup. ^ _class ;-) > + * > + * Context: Any context. > + * > + * Return: > + * * true - The object's size is too big, it will be stored in a huge class. > + * * false - The object will be store in normal zspool classes. > + */ > +bool zs_huge_object(size_t sz) > +{ > + return sz + ZS_HANDLE_SIZE >= zs_huge_class_size; > +} > +EXPORT_SYMBOL_GPL(zs_huge_object); > + > static unsigned long obj_malloc(struct size_class *class, > struct zspage *zspage, unsigned long handle) > { > @@ -2404,6 +2427,9 @@ struct zs_pool *zs_create_pool(const char *name) > INIT_LIST_HEAD(>fullness_list[fullness]); > > prev_class = class; > + if (pages_per_zspage == 1 && objs_per_zspage == 1 > + && !zs_huge_class_size) > + zs_huge_class_size = size; > } > > /* debug only, don't abort if it fails */ > -- > 2.16.1 > -- Sincerely yours, Mike.
[PATCH v2] Input: gpio_keys: Add level trigger support for GPIO keys
On some platforms (such as Spreadtrum platform), the GPIO keys can only be triggered by level type. So this patch introduces one property to indicate if the GPIO trigger type is level trigger or edge trigger. Signed-off-by: Baolin Wang--- Changes since v1: - Diable the GPIO irq until reversing the GPIO level type. --- .../devicetree/bindings/input/gpio-keys.txt|2 ++ drivers/input/keyboard/gpio_keys.c | 26 +++- include/linux/gpio_keys.h |1 + 3 files changed, 28 insertions(+), 1 deletion(-) diff --git a/Documentation/devicetree/bindings/input/gpio-keys.txt b/Documentation/devicetree/bindings/input/gpio-keys.txt index a949404..e3104bd 100644 --- a/Documentation/devicetree/bindings/input/gpio-keys.txt +++ b/Documentation/devicetree/bindings/input/gpio-keys.txt @@ -29,6 +29,8 @@ Optional subnode-properties: - linux,can-disable: Boolean, indicates that button is connected to dedicated (not shared) interrupt which can be disabled to suppress events from the button. + - gpio-key,level-trigger: Boolean, indicates that button's interrupt + type is level trigger. Otherwise it is edge trigger as default. Example nodes: diff --git a/drivers/input/keyboard/gpio_keys.c b/drivers/input/keyboard/gpio_keys.c index 87e613d..218698a 100644 --- a/drivers/input/keyboard/gpio_keys.c +++ b/drivers/input/keyboard/gpio_keys.c @@ -385,6 +385,20 @@ static void gpio_keys_gpio_work_func(struct work_struct *work) struct gpio_button_data *bdata = container_of(work, struct gpio_button_data, work.work); + if (bdata->button->level_trigger) { + unsigned int trigger = + irq_get_trigger_type(bdata->irq) & ~IRQF_TRIGGER_MASK; + int state = gpiod_get_raw_value_cansleep(bdata->gpiod); + + if (state) + trigger |= IRQF_TRIGGER_LOW; + else + trigger |= IRQF_TRIGGER_HIGH; + + irq_set_irq_type(bdata->irq, trigger); + enable_irq(bdata->irq); + } + gpio_keys_gpio_report_event(bdata); if (bdata->button->wakeup) @@ -397,6 +411,9 @@ static irqreturn_t gpio_keys_gpio_isr(int irq, void *dev_id) BUG_ON(irq != bdata->irq); + if (bdata->button->level_trigger) + disable_irq_nosync(bdata->irq); + if (bdata->button->wakeup) { const struct gpio_keys_button *button = bdata->button; @@ -566,7 +583,11 @@ static int gpio_keys_setup_key(struct platform_device *pdev, INIT_DELAYED_WORK(>work, gpio_keys_gpio_work_func); isr = gpio_keys_gpio_isr; - irqflags = IRQF_TRIGGER_RISING | IRQF_TRIGGER_FALLING; + if (button->level_trigger) + irqflags = gpiod_is_active_low(bdata->gpiod) ? + IRQF_TRIGGER_LOW : IRQF_TRIGGER_HIGH; + else + irqflags = IRQF_TRIGGER_RISING | IRQF_TRIGGER_FALLING; } else { if (!button->irq) { @@ -721,6 +742,9 @@ static void gpio_keys_close(struct input_dev *input) button->can_disable = fwnode_property_read_bool(child, "linux,can-disable"); + button->level_trigger = + fwnode_property_read_bool(child, "gpio-key,level-trigger"); + if (fwnode_property_read_u32(child, "debounce-interval", >debounce_interval)) button->debounce_interval = 5; diff --git a/include/linux/gpio_keys.h b/include/linux/gpio_keys.h index d06bf77..5095645 100644 --- a/include/linux/gpio_keys.h +++ b/include/linux/gpio_keys.h @@ -28,6 +28,7 @@ struct gpio_keys_button { int wakeup; int debounce_interval; bool can_disable; + bool level_trigger; int value; unsigned int irq; }; -- 1.7.9.5
[PATCH v2] Input: gpio_keys: Add level trigger support for GPIO keys
On some platforms (such as Spreadtrum platform), the GPIO keys can only be triggered by level type. So this patch introduces one property to indicate if the GPIO trigger type is level trigger or edge trigger. Signed-off-by: Baolin Wang --- Changes since v1: - Diable the GPIO irq until reversing the GPIO level type. --- .../devicetree/bindings/input/gpio-keys.txt|2 ++ drivers/input/keyboard/gpio_keys.c | 26 +++- include/linux/gpio_keys.h |1 + 3 files changed, 28 insertions(+), 1 deletion(-) diff --git a/Documentation/devicetree/bindings/input/gpio-keys.txt b/Documentation/devicetree/bindings/input/gpio-keys.txt index a949404..e3104bd 100644 --- a/Documentation/devicetree/bindings/input/gpio-keys.txt +++ b/Documentation/devicetree/bindings/input/gpio-keys.txt @@ -29,6 +29,8 @@ Optional subnode-properties: - linux,can-disable: Boolean, indicates that button is connected to dedicated (not shared) interrupt which can be disabled to suppress events from the button. + - gpio-key,level-trigger: Boolean, indicates that button's interrupt + type is level trigger. Otherwise it is edge trigger as default. Example nodes: diff --git a/drivers/input/keyboard/gpio_keys.c b/drivers/input/keyboard/gpio_keys.c index 87e613d..218698a 100644 --- a/drivers/input/keyboard/gpio_keys.c +++ b/drivers/input/keyboard/gpio_keys.c @@ -385,6 +385,20 @@ static void gpio_keys_gpio_work_func(struct work_struct *work) struct gpio_button_data *bdata = container_of(work, struct gpio_button_data, work.work); + if (bdata->button->level_trigger) { + unsigned int trigger = + irq_get_trigger_type(bdata->irq) & ~IRQF_TRIGGER_MASK; + int state = gpiod_get_raw_value_cansleep(bdata->gpiod); + + if (state) + trigger |= IRQF_TRIGGER_LOW; + else + trigger |= IRQF_TRIGGER_HIGH; + + irq_set_irq_type(bdata->irq, trigger); + enable_irq(bdata->irq); + } + gpio_keys_gpio_report_event(bdata); if (bdata->button->wakeup) @@ -397,6 +411,9 @@ static irqreturn_t gpio_keys_gpio_isr(int irq, void *dev_id) BUG_ON(irq != bdata->irq); + if (bdata->button->level_trigger) + disable_irq_nosync(bdata->irq); + if (bdata->button->wakeup) { const struct gpio_keys_button *button = bdata->button; @@ -566,7 +583,11 @@ static int gpio_keys_setup_key(struct platform_device *pdev, INIT_DELAYED_WORK(>work, gpio_keys_gpio_work_func); isr = gpio_keys_gpio_isr; - irqflags = IRQF_TRIGGER_RISING | IRQF_TRIGGER_FALLING; + if (button->level_trigger) + irqflags = gpiod_is_active_low(bdata->gpiod) ? + IRQF_TRIGGER_LOW : IRQF_TRIGGER_HIGH; + else + irqflags = IRQF_TRIGGER_RISING | IRQF_TRIGGER_FALLING; } else { if (!button->irq) { @@ -721,6 +742,9 @@ static void gpio_keys_close(struct input_dev *input) button->can_disable = fwnode_property_read_bool(child, "linux,can-disable"); + button->level_trigger = + fwnode_property_read_bool(child, "gpio-key,level-trigger"); + if (fwnode_property_read_u32(child, "debounce-interval", >debounce_interval)) button->debounce_interval = 5; diff --git a/include/linux/gpio_keys.h b/include/linux/gpio_keys.h index d06bf77..5095645 100644 --- a/include/linux/gpio_keys.h +++ b/include/linux/gpio_keys.h @@ -28,6 +28,7 @@ struct gpio_keys_button { int wakeup; int debounce_interval; bool can_disable; + bool level_trigger; int value; unsigned int irq; }; -- 1.7.9.5
The usage of page_mapping() in architecture code
Sorry for bothering, forget to Cc LKML in the original email. Hi, All, To optimize the scalability of swap cache, it is made more dynamic than before. That is, after being swapped off, the address space of the swap device will be freed too. So the usage of page_mapping() need to be audited to make sure the address space of the swap device will not be used after it is freed. For most cases it is OK, because to call page_mapping(), the page, page table, or LRU list will be locked. But I found at least one usage isn't safe. When page_mapping() is called in architecture specific code to flush dcache or sync between dcache and icache. The typical usage models are, 1) Check whether page_mapping() is NULL, which is safe 2) Call mapping_mapped() to check whether the backing file is mapped to user space. 3) Iterate all vmas via the interval tree (mapping->i_mmap) to flush dcache 2) and 3) isn't safe, because no lock to prevent swap device from swapping off is held. But I found the code is for file address space only, not for swap cache. For example, for flush_dcache_page() in arch/parisc/kernel/cache.c, void flush_dcache_page(struct page *page) { struct address_space *mapping = page_mapping(page); struct vm_area_struct *mpnt; unsigned long offset; unsigned long addr, old_addr = 0; pgoff_t pgoff; if (mapping && !mapping_mapped(mapping)) { set_bit(PG_dcache_dirty, >flags); return; } flush_kernel_dcache_page(page); if (!mapping) return; pgoff = page->index; /* We have carefully arranged in arch_get_unmapped_area() that * *any* mappings of a file are always congruently mapped (whether * declared as MAP_PRIVATE or MAP_SHARED), so we only need * to flush one address here for them all to become coherent */ flush_dcache_mmap_lock(mapping); vma_interval_tree_foreach(mpnt, >i_mmap, pgoff, pgoff) { offset = (pgoff - mpnt->vm_pgoff) << PAGE_SHIFT; addr = mpnt->vm_start + offset; /* The TLB is the engine of coherence on parisc: The * CPU is entitled to speculate any page with a TLB * mapping, so here we kill the mapping then flush the * page along a special flush only alias mapping. * This guarantees that the page is no-longer in the * cache for any process and nor may it be * speculatively read in (until the user or kernel * specifically accesses it, of course) */ flush_tlb_page(mpnt, addr); if (old_addr == 0 || (old_addr & (SHM_COLOUR - 1)) != (addr & (SHM_COLOUR - 1))) { __flush_cache_page(mpnt, addr, page_to_phys(page)); if (old_addr) printk(KERN_ERR "INEQUIVALENT ALIASES 0x%lx and 0x%lx in file %pD\n", old_addr, addr, mpnt->vm_file); old_addr = addr; } } flush_dcache_mmap_unlock(mapping); } if page is an anonymous page in swap cache, "mapping && !mapping_mapped()" will be true, so we will delay flushing. But if my understanding of the code were correct, we should call flush_kernel_dcache() because the kernel may access the page during swapping in/out. The code in other architectures follow the similar logic. Would it be better for page_mapping() here to return NULL for anonymous pages even if they are in swap cache? Of course we need to change the function name. page_file_mapping() appears a good name, but that has been used already. Any suggestion? Is my understanding correct? Could you help me on this? Best Regards, Huang, Ying
The usage of page_mapping() in architecture code
Sorry for bothering, forget to Cc LKML in the original email. Hi, All, To optimize the scalability of swap cache, it is made more dynamic than before. That is, after being swapped off, the address space of the swap device will be freed too. So the usage of page_mapping() need to be audited to make sure the address space of the swap device will not be used after it is freed. For most cases it is OK, because to call page_mapping(), the page, page table, or LRU list will be locked. But I found at least one usage isn't safe. When page_mapping() is called in architecture specific code to flush dcache or sync between dcache and icache. The typical usage models are, 1) Check whether page_mapping() is NULL, which is safe 2) Call mapping_mapped() to check whether the backing file is mapped to user space. 3) Iterate all vmas via the interval tree (mapping->i_mmap) to flush dcache 2) and 3) isn't safe, because no lock to prevent swap device from swapping off is held. But I found the code is for file address space only, not for swap cache. For example, for flush_dcache_page() in arch/parisc/kernel/cache.c, void flush_dcache_page(struct page *page) { struct address_space *mapping = page_mapping(page); struct vm_area_struct *mpnt; unsigned long offset; unsigned long addr, old_addr = 0; pgoff_t pgoff; if (mapping && !mapping_mapped(mapping)) { set_bit(PG_dcache_dirty, >flags); return; } flush_kernel_dcache_page(page); if (!mapping) return; pgoff = page->index; /* We have carefully arranged in arch_get_unmapped_area() that * *any* mappings of a file are always congruently mapped (whether * declared as MAP_PRIVATE or MAP_SHARED), so we only need * to flush one address here for them all to become coherent */ flush_dcache_mmap_lock(mapping); vma_interval_tree_foreach(mpnt, >i_mmap, pgoff, pgoff) { offset = (pgoff - mpnt->vm_pgoff) << PAGE_SHIFT; addr = mpnt->vm_start + offset; /* The TLB is the engine of coherence on parisc: The * CPU is entitled to speculate any page with a TLB * mapping, so here we kill the mapping then flush the * page along a special flush only alias mapping. * This guarantees that the page is no-longer in the * cache for any process and nor may it be * speculatively read in (until the user or kernel * specifically accesses it, of course) */ flush_tlb_page(mpnt, addr); if (old_addr == 0 || (old_addr & (SHM_COLOUR - 1)) != (addr & (SHM_COLOUR - 1))) { __flush_cache_page(mpnt, addr, page_to_phys(page)); if (old_addr) printk(KERN_ERR "INEQUIVALENT ALIASES 0x%lx and 0x%lx in file %pD\n", old_addr, addr, mpnt->vm_file); old_addr = addr; } } flush_dcache_mmap_unlock(mapping); } if page is an anonymous page in swap cache, "mapping && !mapping_mapped()" will be true, so we will delay flushing. But if my understanding of the code were correct, we should call flush_kernel_dcache() because the kernel may access the page during swapping in/out. The code in other architectures follow the similar logic. Would it be better for page_mapping() here to return NULL for anonymous pages even if they are in swap cache? Of course we need to change the function name. page_file_mapping() appears a good name, but that has been used already. Any suggestion? Is my understanding correct? Could you help me on this? Best Regards, Huang, Ying
drivers/net/ethernet/intel/i40e/i40e_ethtool.c:4326:6: error: implicit declaration of function 'cmpxchg64'; did you mean 'cmpxchg'?
Hi Alice, FYI, the error/warning still remains. tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master head: d48fcbd864a008802a90c58a9ceddd9436d11a49 commit: 60f481b9703867330dc6010868054f68f6d52f7a i40e: change flags to use 64 bits date: 2 weeks ago config: mips-allyesconfig (attached as .config) compiler: mips-linux-gnu-gcc (Debian 7.2.0-11) 7.2.0 reproduce: wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross chmod +x ~/bin/make.cross git checkout 60f481b9703867330dc6010868054f68f6d52f7a # save the attached .config to linux build tree make.cross ARCH=mips All errors (new ones prefixed by >>): drivers/net/ethernet/intel/i40e/i40e_ethtool.c: In function 'i40e_set_priv_flags': >> drivers/net/ethernet/intel/i40e/i40e_ethtool.c:4326:6: error: implicit >> declaration of function 'cmpxchg64'; did you mean 'cmpxchg'? >> [-Werror=implicit-function-declaration] if (cmpxchg64(>flags, orig_flags, new_flags) != orig_flags) { ^ cmpxchg cc1: some warnings being treated as errors vim +4326 drivers/net/ethernet/intel/i40e/i40e_ethtool.c 4258 4259 /** 4260 * i40e_set_priv_flags - set private flags 4261 * @dev: network interface device structure 4262 * @flags: bit flags to be set 4263 **/ 4264 static int i40e_set_priv_flags(struct net_device *dev, u32 flags) 4265 { 4266 struct i40e_netdev_priv *np = netdev_priv(dev); 4267 struct i40e_vsi *vsi = np->vsi; 4268 struct i40e_pf *pf = vsi->back; 4269 u64 orig_flags, new_flags, changed_flags; 4270 u32 i, j; 4271 4272 orig_flags = READ_ONCE(pf->flags); 4273 new_flags = orig_flags; 4274 4275 for (i = 0; i < I40E_PRIV_FLAGS_STR_LEN; i++) { 4276 const struct i40e_priv_flags *priv_flags; 4277 4278 priv_flags = _gstrings_priv_flags[i]; 4279 4280 if (flags & BIT(i)) 4281 new_flags |= priv_flags->flag; 4282 else 4283 new_flags &= ~(priv_flags->flag); 4284 4285 /* If this is a read-only flag, it can't be changed */ 4286 if (priv_flags->read_only && 4287 ((orig_flags ^ new_flags) & ~BIT(i))) 4288 return -EOPNOTSUPP; 4289 } 4290 4291 if (pf->hw.pf_id != 0) 4292 goto flags_complete; 4293 4294 for (j = 0; j < I40E_GL_PRIV_FLAGS_STR_LEN; j++) { 4295 const struct i40e_priv_flags *priv_flags; 4296 4297 priv_flags = _gl_gstrings_priv_flags[j]; 4298 4299 if (flags & BIT(i + j)) 4300 new_flags |= priv_flags->flag; 4301 else 4302 new_flags &= ~(priv_flags->flag); 4303 4304 /* If this is a read-only flag, it can't be changed */ 4305 if (priv_flags->read_only && 4306 ((orig_flags ^ new_flags) & ~BIT(i))) 4307 return -EOPNOTSUPP; 4308 } 4309 4310 flags_complete: 4311 /* Before we finalize any flag changes, we need to perform some 4312 * checks to ensure that the changes are supported and safe. 4313 */ 4314 4315 /* ATR eviction is not supported on all devices */ 4316 if ((new_flags & I40E_FLAG_HW_ATR_EVICT_ENABLED) && 4317 !(pf->hw_features & I40E_HW_ATR_EVICT_CAPABLE)) 4318 return -EOPNOTSUPP; 4319 4320 /* Compare and exchange the new flags into place. If we failed, that 4321 * is if cmpxchg returns anything but the old value, this means that 4322 * something else has modified the flags variable since we copied it 4323 * originally. We'll just punt with an error and log something in the 4324 * message buffer. 4325 */ > 4326 if (cmpxchg64(>flags, orig_flags, new_flags) != orig_flags) > { 4327 dev_warn(>pdev->dev, 4328 "Unable to update pf->flags as it was modified by another thread...\n"); 4329 return -EAGAIN; 4330 } 4331 4332 changed_flags = orig_flags ^ new_flags; 4333 4334 /* Process any additional changes needed as a result of flag changes. 4335 * The changed_flags value reflects the list of bits that were 4336 * changed in the code above. 4337 */ 4338 4339 /* Flush current ATR settings if ATR was disabled */ 4340 if ((changed_flags & I40E_FLAG_FD_ATR_ENABLED) && 4341 !(pf->flags & I40E_FLAG_FD_ATR_ENABLED)) { 4342
drivers/net/ethernet/intel/i40e/i40e_ethtool.c:4326:6: error: implicit declaration of function 'cmpxchg64'; did you mean 'cmpxchg'?
Hi Alice, FYI, the error/warning still remains. tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master head: d48fcbd864a008802a90c58a9ceddd9436d11a49 commit: 60f481b9703867330dc6010868054f68f6d52f7a i40e: change flags to use 64 bits date: 2 weeks ago config: mips-allyesconfig (attached as .config) compiler: mips-linux-gnu-gcc (Debian 7.2.0-11) 7.2.0 reproduce: wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross chmod +x ~/bin/make.cross git checkout 60f481b9703867330dc6010868054f68f6d52f7a # save the attached .config to linux build tree make.cross ARCH=mips All errors (new ones prefixed by >>): drivers/net/ethernet/intel/i40e/i40e_ethtool.c: In function 'i40e_set_priv_flags': >> drivers/net/ethernet/intel/i40e/i40e_ethtool.c:4326:6: error: implicit >> declaration of function 'cmpxchg64'; did you mean 'cmpxchg'? >> [-Werror=implicit-function-declaration] if (cmpxchg64(>flags, orig_flags, new_flags) != orig_flags) { ^ cmpxchg cc1: some warnings being treated as errors vim +4326 drivers/net/ethernet/intel/i40e/i40e_ethtool.c 4258 4259 /** 4260 * i40e_set_priv_flags - set private flags 4261 * @dev: network interface device structure 4262 * @flags: bit flags to be set 4263 **/ 4264 static int i40e_set_priv_flags(struct net_device *dev, u32 flags) 4265 { 4266 struct i40e_netdev_priv *np = netdev_priv(dev); 4267 struct i40e_vsi *vsi = np->vsi; 4268 struct i40e_pf *pf = vsi->back; 4269 u64 orig_flags, new_flags, changed_flags; 4270 u32 i, j; 4271 4272 orig_flags = READ_ONCE(pf->flags); 4273 new_flags = orig_flags; 4274 4275 for (i = 0; i < I40E_PRIV_FLAGS_STR_LEN; i++) { 4276 const struct i40e_priv_flags *priv_flags; 4277 4278 priv_flags = _gstrings_priv_flags[i]; 4279 4280 if (flags & BIT(i)) 4281 new_flags |= priv_flags->flag; 4282 else 4283 new_flags &= ~(priv_flags->flag); 4284 4285 /* If this is a read-only flag, it can't be changed */ 4286 if (priv_flags->read_only && 4287 ((orig_flags ^ new_flags) & ~BIT(i))) 4288 return -EOPNOTSUPP; 4289 } 4290 4291 if (pf->hw.pf_id != 0) 4292 goto flags_complete; 4293 4294 for (j = 0; j < I40E_GL_PRIV_FLAGS_STR_LEN; j++) { 4295 const struct i40e_priv_flags *priv_flags; 4296 4297 priv_flags = _gl_gstrings_priv_flags[j]; 4298 4299 if (flags & BIT(i + j)) 4300 new_flags |= priv_flags->flag; 4301 else 4302 new_flags &= ~(priv_flags->flag); 4303 4304 /* If this is a read-only flag, it can't be changed */ 4305 if (priv_flags->read_only && 4306 ((orig_flags ^ new_flags) & ~BIT(i))) 4307 return -EOPNOTSUPP; 4308 } 4309 4310 flags_complete: 4311 /* Before we finalize any flag changes, we need to perform some 4312 * checks to ensure that the changes are supported and safe. 4313 */ 4314 4315 /* ATR eviction is not supported on all devices */ 4316 if ((new_flags & I40E_FLAG_HW_ATR_EVICT_ENABLED) && 4317 !(pf->hw_features & I40E_HW_ATR_EVICT_CAPABLE)) 4318 return -EOPNOTSUPP; 4319 4320 /* Compare and exchange the new flags into place. If we failed, that 4321 * is if cmpxchg returns anything but the old value, this means that 4322 * something else has modified the flags variable since we copied it 4323 * originally. We'll just punt with an error and log something in the 4324 * message buffer. 4325 */ > 4326 if (cmpxchg64(>flags, orig_flags, new_flags) != orig_flags) > { 4327 dev_warn(>pdev->dev, 4328 "Unable to update pf->flags as it was modified by another thread...\n"); 4329 return -EAGAIN; 4330 } 4331 4332 changed_flags = orig_flags ^ new_flags; 4333 4334 /* Process any additional changes needed as a result of flag changes. 4335 * The changed_flags value reflects the list of bits that were 4336 * changed in the code above. 4337 */ 4338 4339 /* Flush current ATR settings if ATR was disabled */ 4340 if ((changed_flags & I40E_FLAG_FD_ATR_ENABLED) && 4341 !(pf->flags & I40E_FLAG_FD_ATR_ENABLED)) { 4342
Re: [PATCH] f2fs: set_code_data in move_data_block
OK, Got it. On 2018/2/11 11:50, Chao Yu wrote: On 2018/2/11 11:34, Yunlong Song wrote: Ping... move_data_block misses set_cold_data, then the F2FS_WB_CP_DATA will lack these data pages in move_data_block, and write_checkpoint can not make sure this pages committed to the flash. Hmm.. data block migration is running based on meta inode, so it will be safe since checkpoint will flush all meta pages including encrypted pages cached in meta inode? Thanks, On 2018/2/8 20:33, Yunlong Song wrote: Signed-off-by: Yunlong Song--- fs/f2fs/gc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/f2fs/gc.c b/fs/f2fs/gc.c index b9d93fd..2095630 100644 --- a/fs/f2fs/gc.c +++ b/fs/f2fs/gc.c @@ -692,6 +692,7 @@ static void move_data_block(struct inode *inode, block_t bidx, fio.op = REQ_OP_WRITE; fio.op_flags = REQ_SYNC; fio.new_blkaddr = newaddr; + set_cold_data(fio.page); err = f2fs_submit_page_write(); if (err) { if (PageWriteback(fio.encrypted_page)) . -- Thanks, Yunlong Song
Re: [PATCH] f2fs: set_code_data in move_data_block
OK, Got it. On 2018/2/11 11:50, Chao Yu wrote: On 2018/2/11 11:34, Yunlong Song wrote: Ping... move_data_block misses set_cold_data, then the F2FS_WB_CP_DATA will lack these data pages in move_data_block, and write_checkpoint can not make sure this pages committed to the flash. Hmm.. data block migration is running based on meta inode, so it will be safe since checkpoint will flush all meta pages including encrypted pages cached in meta inode? Thanks, On 2018/2/8 20:33, Yunlong Song wrote: Signed-off-by: Yunlong Song --- fs/f2fs/gc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/f2fs/gc.c b/fs/f2fs/gc.c index b9d93fd..2095630 100644 --- a/fs/f2fs/gc.c +++ b/fs/f2fs/gc.c @@ -692,6 +692,7 @@ static void move_data_block(struct inode *inode, block_t bidx, fio.op = REQ_OP_WRITE; fio.op_flags = REQ_SYNC; fio.new_blkaddr = newaddr; + set_cold_data(fio.page); err = f2fs_submit_page_write(); if (err) { if (PageWriteback(fio.encrypted_page)) . -- Thanks, Yunlong Song
Re: [PATCH] seq_file: remove redundant assignment of index to m->index
On Sun, Feb 11, 2018 at 9:02 AM, Matthew Wilcoxwrote: > On Sat, Feb 10, 2018 at 10:04:23AM -0800, Joe Perches wrote: >> > @@ -120,14 +120,12 @@ static int traverse(struct seq_file *m, loff_t >> > offset) >> > if (pos + m->count > offset) { >> > m->from = offset - pos; >> > m->count -= m->from; >> > -m->index = index; >> > break; >> > } >> > pos += m->count; >> > m->count = 0; >> > if (pos == offset) { >> > index++; >> > -m->index = index; >> > break; >> > } >> > p = m->op->next(m, p, ); >> >> Of course this looks correct, but how >> are you _absolutely sure_ about this? >> >> Perhaps the m->op->stop(m, p) call below >> the break, which takes m as an argument, >> needs an updated m->index. > > Not only that, but ->next might also look at m->index. I think there is no chance to call op->next, because the loop will break immediately after the assignment.
Re: [PATCH] seq_file: remove redundant assignment of index to m->index
On Sun, Feb 11, 2018 at 9:02 AM, Matthew Wilcox wrote: > On Sat, Feb 10, 2018 at 10:04:23AM -0800, Joe Perches wrote: >> > @@ -120,14 +120,12 @@ static int traverse(struct seq_file *m, loff_t >> > offset) >> > if (pos + m->count > offset) { >> > m->from = offset - pos; >> > m->count -= m->from; >> > -m->index = index; >> > break; >> > } >> > pos += m->count; >> > m->count = 0; >> > if (pos == offset) { >> > index++; >> > -m->index = index; >> > break; >> > } >> > p = m->op->next(m, p, ); >> >> Of course this looks correct, but how >> are you _absolutely sure_ about this? >> >> Perhaps the m->op->stop(m, p) call below >> the break, which takes m as an argument, >> needs an updated m->index. > > Not only that, but ->next might also look at m->index. I think there is no chance to call op->next, because the loop will break immediately after the assignment.
Re: [kselftests] compaction_test is blocked
On 02/10/2018 05:11 AM, Dan Rue wrote: On Fri, Feb 09, 2018 at 03:53:59PM +0800, Li Zhijian wrote: Hi kselftests is integrated Intel 0Day project. Sometimes we found compaction_test is blocked for more than 1 hours until i kill it. Try to figure out where it is running, i added some log to this case. the test log is like: --- [ 111.750543] main: 248 [ 111.750544]- [ 111.750821] check_compaction: 98 [ 111.750822]- [ 111.751102] check_compaction: 105 [ 111.751103]- [ 111.751362] check_compaction: 111 [ 111.751363]- [ 111.751621] check_compaction: 118 [ 111.751622]- [ 111.751879] check_compaction: 123 [ 111.751880]- --- 118 fprintf(stderr, "%s: %d\n", __func__, __LINE__); 119 lseek(fd, 0, SEEK_SET); 120 121 /* Request a large number of huge pages. The Kernel will allocate 122as much as it can */ 123 fprintf(stderr, "%s: %d\n", __func__, __LINE__); <<< the last line we can catch. 124 if (write(fd, "10", (6*sizeof(char))) != (6*sizeof(char))) { blocking position 125 perror("Failed to write 10 to /proc/sys/vm/nr_hugepages\n"); 126 goto close_fd; 127 } 128 129 lseek(fd, 0, SEEK_SET); 130 131 fprintf(stderr, "%s: %d\n", __func__, __LINE__); 132 if (read(fd, nr_hugepages, sizeof(nr_hugepages)) <= 0) { 133 perror("Failed to re-read from /proc/sys/vm/nr_hugepages\n"); 134 goto close_fd; 135 } --- According to above log and code, it most likely it is blocking at the writing operation. my environment is like: OS: debian kernel: v4.15 model: Ivytown Ivy Bridge-EP nr_cpu: 48 memory: 64G Hi Zhijian, Please try this patch in mainline: 4c1baad22390 kselftest: fix OOM in memory compaction test Hi Dan Thanks for your replies. I run this case on v4.15, looks this patch is already merged to v4.15. lizhijian@inn:~/linux$ git describe 4c1baad v4.15-rc2-2-g4c1baad223906 Thanks Dan NOTE: 0Day can reproduce this issue in 20% on 0Day. Anybody can help have a look? Thanks Zhjian -- To unsubscribe from this list: send the line "unsubscribe linux-kselftest" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html . -- Best regards. Li Zhijian (8528)
Re: [kselftests] compaction_test is blocked
On 02/10/2018 05:11 AM, Dan Rue wrote: On Fri, Feb 09, 2018 at 03:53:59PM +0800, Li Zhijian wrote: Hi kselftests is integrated Intel 0Day project. Sometimes we found compaction_test is blocked for more than 1 hours until i kill it. Try to figure out where it is running, i added some log to this case. the test log is like: --- [ 111.750543] main: 248 [ 111.750544]- [ 111.750821] check_compaction: 98 [ 111.750822]- [ 111.751102] check_compaction: 105 [ 111.751103]- [ 111.751362] check_compaction: 111 [ 111.751363]- [ 111.751621] check_compaction: 118 [ 111.751622]- [ 111.751879] check_compaction: 123 [ 111.751880]- --- 118 fprintf(stderr, "%s: %d\n", __func__, __LINE__); 119 lseek(fd, 0, SEEK_SET); 120 121 /* Request a large number of huge pages. The Kernel will allocate 122as much as it can */ 123 fprintf(stderr, "%s: %d\n", __func__, __LINE__); <<< the last line we can catch. 124 if (write(fd, "10", (6*sizeof(char))) != (6*sizeof(char))) { blocking position 125 perror("Failed to write 10 to /proc/sys/vm/nr_hugepages\n"); 126 goto close_fd; 127 } 128 129 lseek(fd, 0, SEEK_SET); 130 131 fprintf(stderr, "%s: %d\n", __func__, __LINE__); 132 if (read(fd, nr_hugepages, sizeof(nr_hugepages)) <= 0) { 133 perror("Failed to re-read from /proc/sys/vm/nr_hugepages\n"); 134 goto close_fd; 135 } --- According to above log and code, it most likely it is blocking at the writing operation. my environment is like: OS: debian kernel: v4.15 model: Ivytown Ivy Bridge-EP nr_cpu: 48 memory: 64G Hi Zhijian, Please try this patch in mainline: 4c1baad22390 kselftest: fix OOM in memory compaction test Hi Dan Thanks for your replies. I run this case on v4.15, looks this patch is already merged to v4.15. lizhijian@inn:~/linux$ git describe 4c1baad v4.15-rc2-2-g4c1baad223906 Thanks Dan NOTE: 0Day can reproduce this issue in 20% on 0Day. Anybody can help have a look? Thanks Zhjian -- To unsubscribe from this list: send the line "unsubscribe linux-kselftest" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html . -- Best regards. Li Zhijian (8528)
Re: [PATCH] KVM: lapic: stop advertising DIRECTED_EOI when in-kernel IOAPIC is in use
On Fri, Feb 09, 2018 at 02:01:33PM +0100, Vitaly Kuznetsov wrote: > Devices which use level-triggered interrupts under Windows 2016 with > Hyper-V role enabled don't work: Windows disables EOI broadcast in SPIV > unconditionally. Our in-kernel IOAPIC implementation emulates an old IOAPIC > version which has no EOI register so EOI never happens. > > The issue was discovered and discussed a while ago: > https://www.spinics.net/lists/kvm/msg148098.html > > While this is a guest OS bug (it should check that IOAPIC has the required > capabilities before disabling EOI broadcast) we can workaround it in KVM: > advertising DIRECTED_EOI with in-kernel IOAPIC makes little sense anyway. > > Signed-off-by: Vitaly Kuznetsov> --- > - Radim's suggestion was to disable DIRECTED_EOI unconditionally but I'm not > that radical :-) In theory, we may have multiple IOAPICs in userspace in > future and DIRECTED_EOI can be leveraged. I sort of agree on this, especially considering that we already have IOAPIC version 0x20 support in QEMU already. > --- > arch/x86/kvm/lapic.c | 10 +- > 1 file changed, 9 insertions(+), 1 deletion(-) > > diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c > index 924ac8ce9d50..5339287fee63 100644 > --- a/arch/x86/kvm/lapic.c > +++ b/arch/x86/kvm/lapic.c > @@ -321,8 +321,16 @@ void kvm_apic_set_version(struct kvm_vcpu *vcpu) > if (!lapic_in_kernel(vcpu)) > return; > > + /* > + * KVM emulates 82093AA datasheet (with in-kernel IOAPIC implementation) > + * which doesn't have EOI register; Some buggy OSes (e.g. Windows with > + * Hyper-V role) disable EOI broadcast in lapic not checking for IOAPIC > + * version first and level-triggered interrupts never get EOIed in > + * IOAPIC. > + */ > feat = kvm_find_cpuid_entry(apic->vcpu, 0x1, 0); > - if (feat && (feat->ecx & (1 << (X86_FEATURE_X2APIC & 31 > + if (feat && (feat->ecx & (1 << (X86_FEATURE_X2APIC & 31))) && > + !ioapic_in_kernel(vcpu->kvm)) > v |= APIC_LVR_DIRECTED_EOI; > kvm_lapic_set_reg(apic, APIC_LVR, v); > } > -- > 2.14.3 > Does this mean that we can avoid the migration problem that Radim raised in previous discussion? Basically the OSs should only probe this version once for each boot, if so I think it should be fine. But since you didn't mention that in either commit message and comment, I would like to ask and confirm. For the change itself, it looks sane to me. Thanks, -- Peter Xu
Re: [PATCH] KVM: lapic: stop advertising DIRECTED_EOI when in-kernel IOAPIC is in use
On Fri, Feb 09, 2018 at 02:01:33PM +0100, Vitaly Kuznetsov wrote: > Devices which use level-triggered interrupts under Windows 2016 with > Hyper-V role enabled don't work: Windows disables EOI broadcast in SPIV > unconditionally. Our in-kernel IOAPIC implementation emulates an old IOAPIC > version which has no EOI register so EOI never happens. > > The issue was discovered and discussed a while ago: > https://www.spinics.net/lists/kvm/msg148098.html > > While this is a guest OS bug (it should check that IOAPIC has the required > capabilities before disabling EOI broadcast) we can workaround it in KVM: > advertising DIRECTED_EOI with in-kernel IOAPIC makes little sense anyway. > > Signed-off-by: Vitaly Kuznetsov > --- > - Radim's suggestion was to disable DIRECTED_EOI unconditionally but I'm not > that radical :-) In theory, we may have multiple IOAPICs in userspace in > future and DIRECTED_EOI can be leveraged. I sort of agree on this, especially considering that we already have IOAPIC version 0x20 support in QEMU already. > --- > arch/x86/kvm/lapic.c | 10 +- > 1 file changed, 9 insertions(+), 1 deletion(-) > > diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c > index 924ac8ce9d50..5339287fee63 100644 > --- a/arch/x86/kvm/lapic.c > +++ b/arch/x86/kvm/lapic.c > @@ -321,8 +321,16 @@ void kvm_apic_set_version(struct kvm_vcpu *vcpu) > if (!lapic_in_kernel(vcpu)) > return; > > + /* > + * KVM emulates 82093AA datasheet (with in-kernel IOAPIC implementation) > + * which doesn't have EOI register; Some buggy OSes (e.g. Windows with > + * Hyper-V role) disable EOI broadcast in lapic not checking for IOAPIC > + * version first and level-triggered interrupts never get EOIed in > + * IOAPIC. > + */ > feat = kvm_find_cpuid_entry(apic->vcpu, 0x1, 0); > - if (feat && (feat->ecx & (1 << (X86_FEATURE_X2APIC & 31 > + if (feat && (feat->ecx & (1 << (X86_FEATURE_X2APIC & 31))) && > + !ioapic_in_kernel(vcpu->kvm)) > v |= APIC_LVR_DIRECTED_EOI; > kvm_lapic_set_reg(apic, APIC_LVR, v); > } > -- > 2.14.3 > Does this mean that we can avoid the migration problem that Radim raised in previous discussion? Basically the OSs should only probe this version once for each boot, if so I think it should be fine. But since you didn't mention that in either commit message and comment, I would like to ask and confirm. For the change itself, it looks sane to me. Thanks, -- Peter Xu
[PATCH 3.2 08/79] KVM: nVMX: set IDTR and GDTR limits when loading L1 host state
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Ladi Prosekcommit 21f2d551183847bc7fbe8d866151d00cdad18752 upstream. Intel SDM 27.5.2 Loading Host Segment and Descriptor-Table Registers: "The GDTR and IDTR limits are each set to H." Signed-off-by: Ladi Prosek Signed-off-by: Paolo Bonzini [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings --- arch/x86/kvm/vmx.c | 2 ++ 1 file changed, 2 insertions(+) --- a/arch/x86/kvm/vmx.c +++ b/arch/x86/kvm/vmx.c @@ -7076,6 +7076,8 @@ void load_vmcs12_host_state(struct kvm_v vmcs_writel(GUEST_SYSENTER_EIP, vmcs12->host_ia32_sysenter_eip); vmcs_writel(GUEST_IDTR_BASE, vmcs12->host_idtr_base); vmcs_writel(GUEST_GDTR_BASE, vmcs12->host_gdtr_base); + vmcs_write32(GUEST_IDTR_LIMIT, 0x); + vmcs_write32(GUEST_GDTR_LIMIT, 0x); vmcs_writel(GUEST_TR_BASE, vmcs12->host_tr_base); vmcs_writel(GUEST_GS_BASE, vmcs12->host_gs_base); vmcs_writel(GUEST_FS_BASE, vmcs12->host_fs_base);
[PATCH 3.2 04/79] PCI/AER: Report non-fatal errors only to the affected endpoint
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Gabriele Paolonicommit 86acc790717fb60fb51ea3095084e331d8711c74 upstream. Previously, if an non-fatal error was reported by an endpoint, we called report_error_detected() for the endpoint, every sibling on the bus, and their descendents. If any of them did not implement the .error_detected() method, do_recovery() failed, leaving all these devices unrecovered. For example, the system described in the bugzilla below has two devices: :74:02.0 [19e5:a230] SAS controller, driver has .error_detected() :74:03.0 [19e5:a235] SATA controller, driver lacks .error_detected() When a device such as 74:02.0 reported a non-fatal error, do_recovery() failed because 74:03.0 lacked an .error_detected() method. But per PCIe r3.1, sec 6.2.2.2.2, such an error does not compromise the Link and does not affect 74:03.0: Non-fatal errors are uncorrectable errors which cause a particular transaction to be unreliable but the Link is otherwise fully functional. Isolating Non-fatal from Fatal errors provides Requester/Receiver logic in a device or system management software the opportunity to recover from the error without resetting the components on the Link and disturbing other transactions in progress. Devices not associated with the transaction in error are not impacted by the error. Report non-fatal errors only to the endpoint that reported them. We really want to check for AER_NONFATAL here, but the current code structure doesn't allow that. Looking for pci_channel_io_normal is the best we can do now. Link: https://bugzilla.kernel.org/show_bug.cgi?id=197055 Fixes: 6c2b374d7485 ("PCI-Express AER implemetation: AER core and aerdriver") Signed-off-by: Gabriele Paoloni Signed-off-by: Dongdong Liu [bhelgaas: changelog] Signed-off-by: Bjorn Helgaas Signed-off-by: Ben Hutchings --- drivers/pci/pcie/aer/aerdrv_core.c | 9 - 1 file changed, 8 insertions(+), 1 deletion(-) --- a/drivers/pci/pcie/aer/aerdrv_core.c +++ b/drivers/pci/pcie/aer/aerdrv_core.c @@ -367,7 +367,14 @@ static pci_ers_result_t broadcast_error_ * If the error is reported by an end point, we think this * error is related to the upstream link of the end point. */ - pci_walk_bus(dev->bus, cb, _data); + if (state == pci_channel_io_normal) + /* +* the error is non fatal so the bus is ok, just invoke +* the callback for the function that logged the error. +*/ + cb(dev, _data); + else + pci_walk_bus(dev->bus, cb, _data); } return result_data.result;
[PATCH 3.2 79/79] kaiser: Set _PAGE_NX only if supported
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Lepton WuThis finally resolve crash if loaded under qemu + haxm. Haitao Shan pointed out that the reason of that crash is that NX bit get set for page tables. It seems we missed checking if _PAGE_NX is supported in kaiser_add_user_map Link: https://www.spinics.net/lists/kernel/msg2689835.html Reviewed-by: Guenter Roeck Signed-off-by: Lepton Wu Signed-off-by: Greg Kroah-Hartman (backported from Greg K-H's 4.4 stable-queue) Signed-off-by: Juerg Haefliger Signed-off-by: Ben Hutchings --- arch/x86/mm/kaiser.c | 2 ++ 1 file changed, 2 insertions(+) --- a/arch/x86/mm/kaiser.c +++ b/arch/x86/mm/kaiser.c @@ -189,6 +189,8 @@ static int kaiser_add_user_map(const voi * requires that not to be #defined to 0): so mask it off here. */ flags &= ~_PAGE_GLOBAL; + if (!(__supported_pte_mask & _PAGE_NX)) + flags &= ~_PAGE_NX; if (flags & _PAGE_USER) BUG_ON(address < FIXADDR_START || end_addr >= FIXADDR_TOP);
[PATCH 3.2 08/79] KVM: nVMX: set IDTR and GDTR limits when loading L1 host state
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Ladi Prosek commit 21f2d551183847bc7fbe8d866151d00cdad18752 upstream. Intel SDM 27.5.2 Loading Host Segment and Descriptor-Table Registers: "The GDTR and IDTR limits are each set to H." Signed-off-by: Ladi Prosek Signed-off-by: Paolo Bonzini [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings --- arch/x86/kvm/vmx.c | 2 ++ 1 file changed, 2 insertions(+) --- a/arch/x86/kvm/vmx.c +++ b/arch/x86/kvm/vmx.c @@ -7076,6 +7076,8 @@ void load_vmcs12_host_state(struct kvm_v vmcs_writel(GUEST_SYSENTER_EIP, vmcs12->host_ia32_sysenter_eip); vmcs_writel(GUEST_IDTR_BASE, vmcs12->host_idtr_base); vmcs_writel(GUEST_GDTR_BASE, vmcs12->host_gdtr_base); + vmcs_write32(GUEST_IDTR_LIMIT, 0x); + vmcs_write32(GUEST_GDTR_LIMIT, 0x); vmcs_writel(GUEST_TR_BASE, vmcs12->host_tr_base); vmcs_writel(GUEST_GS_BASE, vmcs12->host_gs_base); vmcs_writel(GUEST_FS_BASE, vmcs12->host_fs_base);
[PATCH 3.2 04/79] PCI/AER: Report non-fatal errors only to the affected endpoint
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Gabriele Paoloni commit 86acc790717fb60fb51ea3095084e331d8711c74 upstream. Previously, if an non-fatal error was reported by an endpoint, we called report_error_detected() for the endpoint, every sibling on the bus, and their descendents. If any of them did not implement the .error_detected() method, do_recovery() failed, leaving all these devices unrecovered. For example, the system described in the bugzilla below has two devices: :74:02.0 [19e5:a230] SAS controller, driver has .error_detected() :74:03.0 [19e5:a235] SATA controller, driver lacks .error_detected() When a device such as 74:02.0 reported a non-fatal error, do_recovery() failed because 74:03.0 lacked an .error_detected() method. But per PCIe r3.1, sec 6.2.2.2.2, such an error does not compromise the Link and does not affect 74:03.0: Non-fatal errors are uncorrectable errors which cause a particular transaction to be unreliable but the Link is otherwise fully functional. Isolating Non-fatal from Fatal errors provides Requester/Receiver logic in a device or system management software the opportunity to recover from the error without resetting the components on the Link and disturbing other transactions in progress. Devices not associated with the transaction in error are not impacted by the error. Report non-fatal errors only to the endpoint that reported them. We really want to check for AER_NONFATAL here, but the current code structure doesn't allow that. Looking for pci_channel_io_normal is the best we can do now. Link: https://bugzilla.kernel.org/show_bug.cgi?id=197055 Fixes: 6c2b374d7485 ("PCI-Express AER implemetation: AER core and aerdriver") Signed-off-by: Gabriele Paoloni Signed-off-by: Dongdong Liu [bhelgaas: changelog] Signed-off-by: Bjorn Helgaas Signed-off-by: Ben Hutchings --- drivers/pci/pcie/aer/aerdrv_core.c | 9 - 1 file changed, 8 insertions(+), 1 deletion(-) --- a/drivers/pci/pcie/aer/aerdrv_core.c +++ b/drivers/pci/pcie/aer/aerdrv_core.c @@ -367,7 +367,14 @@ static pci_ers_result_t broadcast_error_ * If the error is reported by an end point, we think this * error is related to the upstream link of the end point. */ - pci_walk_bus(dev->bus, cb, _data); + if (state == pci_channel_io_normal) + /* +* the error is non fatal so the bus is ok, just invoke +* the callback for the function that logged the error. +*/ + cb(dev, _data); + else + pci_walk_bus(dev->bus, cb, _data); } return result_data.result;
[PATCH 3.2 79/79] kaiser: Set _PAGE_NX only if supported
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Lepton Wu This finally resolve crash if loaded under qemu + haxm. Haitao Shan pointed out that the reason of that crash is that NX bit get set for page tables. It seems we missed checking if _PAGE_NX is supported in kaiser_add_user_map Link: https://www.spinics.net/lists/kernel/msg2689835.html Reviewed-by: Guenter Roeck Signed-off-by: Lepton Wu Signed-off-by: Greg Kroah-Hartman (backported from Greg K-H's 4.4 stable-queue) Signed-off-by: Juerg Haefliger Signed-off-by: Ben Hutchings --- arch/x86/mm/kaiser.c | 2 ++ 1 file changed, 2 insertions(+) --- a/arch/x86/mm/kaiser.c +++ b/arch/x86/mm/kaiser.c @@ -189,6 +189,8 @@ static int kaiser_add_user_map(const voi * requires that not to be #defined to 0): so mask it off here. */ flags &= ~_PAGE_GLOBAL; + if (!(__supported_pte_mask & _PAGE_NX)) + flags &= ~_PAGE_NX; if (flags & _PAGE_USER) BUG_ON(address < FIXADDR_START || end_addr >= FIXADDR_TOP);
[PATCH 3.2 06/79] USB: serial: garmin_gps: fix memory leak on probe errors
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Johan Hovoldcommit 74d471b598444b7f2d964930f7234779c80960a0 upstream. Make sure to free the port private data before returning after a failed probe attempt. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reviewed-by: Greg Kroah-Hartman Signed-off-by: Johan Hovold Signed-off-by: Ben Hutchings --- drivers/usb/serial/garmin_gps.c | 6 ++ 1 file changed, 6 insertions(+) --- a/drivers/usb/serial/garmin_gps.c +++ b/drivers/usb/serial/garmin_gps.c @@ -1476,6 +1476,12 @@ static int garmin_attach(struct usb_seri usb_set_serial_port_data(port, garmin_data_p); status = garmin_init_session(port); + if (status) + goto err_free; + + return 0; +err_free: + kfree(garmin_data_p); return status; }
[PATCH 3.2 01/79] Input: adxl34x - do not treat FIFO_MODE() as boolean
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Arnd Bergmanncommit 1dbc080c9ef6bcfba652ef0d6ae919b8c7c85a1d upstream. FIFO_MODE() is a macro expression with a '<<' operator, which gcc points out could be misread as a '<': drivers/input/misc/adxl34x.c: In function 'adxl34x_probe': drivers/input/misc/adxl34x.c:799:36: error: '<<' in boolean context, did you mean '<' ? [-Werror=int-in-bool-context] While utility of this warning is being disputed (Chief Penguin: "This warning is clearly pure garbage.") FIFO_MODE() extracts range of values, with 0 being FIFO_BYPASS, and not something that is logically boolean. This converts the test to an explicit comparison with FIFO_BYPASS, making it clearer to gcc and the reader what is intended. Fixes: e27c729219ad ("Input: add driver for ADXL345/346 Digital Accelerometers") Signed-off-by: Arnd Bergmann Signed-off-by: Dmitry Torokhov Signed-off-by: Ben Hutchings --- drivers/input/misc/adxl34x.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/input/misc/adxl34x.c +++ b/drivers/input/misc/adxl34x.c @@ -797,7 +797,7 @@ struct adxl34x *adxl34x_probe(struct dev if (pdata->watermark) { ac->int_mask |= WATERMARK; - if (!FIFO_MODE(pdata->fifo_mode)) + if (FIFO_MODE(pdata->fifo_mode) == FIFO_BYPASS) ac->pdata.fifo_mode |= FIFO_STREAM; } else { ac->int_mask |= DATA_READY;
[PATCH 3.2 06/79] USB: serial: garmin_gps: fix memory leak on probe errors
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Johan Hovold commit 74d471b598444b7f2d964930f7234779c80960a0 upstream. Make sure to free the port private data before returning after a failed probe attempt. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reviewed-by: Greg Kroah-Hartman Signed-off-by: Johan Hovold Signed-off-by: Ben Hutchings --- drivers/usb/serial/garmin_gps.c | 6 ++ 1 file changed, 6 insertions(+) --- a/drivers/usb/serial/garmin_gps.c +++ b/drivers/usb/serial/garmin_gps.c @@ -1476,6 +1476,12 @@ static int garmin_attach(struct usb_seri usb_set_serial_port_data(port, garmin_data_p); status = garmin_init_session(port); + if (status) + goto err_free; + + return 0; +err_free: + kfree(garmin_data_p); return status; }
[PATCH 3.2 01/79] Input: adxl34x - do not treat FIFO_MODE() as boolean
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Arnd Bergmann commit 1dbc080c9ef6bcfba652ef0d6ae919b8c7c85a1d upstream. FIFO_MODE() is a macro expression with a '<<' operator, which gcc points out could be misread as a '<': drivers/input/misc/adxl34x.c: In function 'adxl34x_probe': drivers/input/misc/adxl34x.c:799:36: error: '<<' in boolean context, did you mean '<' ? [-Werror=int-in-bool-context] While utility of this warning is being disputed (Chief Penguin: "This warning is clearly pure garbage.") FIFO_MODE() extracts range of values, with 0 being FIFO_BYPASS, and not something that is logically boolean. This converts the test to an explicit comparison with FIFO_BYPASS, making it clearer to gcc and the reader what is intended. Fixes: e27c729219ad ("Input: add driver for ADXL345/346 Digital Accelerometers") Signed-off-by: Arnd Bergmann Signed-off-by: Dmitry Torokhov Signed-off-by: Ben Hutchings --- drivers/input/misc/adxl34x.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/input/misc/adxl34x.c +++ b/drivers/input/misc/adxl34x.c @@ -797,7 +797,7 @@ struct adxl34x *adxl34x_probe(struct dev if (pdata->watermark) { ac->int_mask |= WATERMARK; - if (!FIFO_MODE(pdata->fifo_mode)) + if (FIFO_MODE(pdata->fifo_mode) == FIFO_BYPASS) ac->pdata.fifo_mode |= FIFO_STREAM; } else { ac->int_mask |= DATA_READY;
[PATCH 3.2 00/79] 3.2.99-rc1 review
This is the start of the stable review cycle for the 3.2.99 release. There are 79 patches in this series, which will be posted as responses to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Tue Feb 13 12:00:00 UTC 2018. Anything received after that time might be too late. All the patches have also been committed to the linux-3.2.y-rc branch of https://git.kernel.org/pub/scm/linux/kernel/git/bwh/linux-stable-rc.git . A shortlog and diffstat can be found below. Ben. - Al Viro (2): autofs4: autofs4_wait() vs. autofs4_catatonic_mode() race [4041bcdc7bef06a2fb29c57394c713a74bd13b08] autofs4: catatonic_mode vs. notify_daemon race [875266be67ff3a984ac1f6566d31c260bee4] Alan (1): usbip: Fix sscanf handling [2d32927127f44d755780aa5fa88c8c34e72558f8] Alan Stern (1): USB: usbfs: compute urb->actual_length for isochronous [2ef47001b3ee3ded579b7532ebdcf8680e4d8c54] Alex Chen (1): ocfs2: should wait dio before inode lock in ocfs2_setattr() [28f5a8a7c033cbf3e32277f4cc9c6afd74f05300] Alexander Potapenko (1): sctp: fully initialize the IPv6 address in sctp_v6_to_addr() [15339e441ec46fbc3bf3486bb1ae4845b0f1bb8d] Alexander Steffen (1): tpm-dev-common: Reject too short writes [ee70bc1e7b63ac8023c9ff9475d8741e397316e7] Alexandre Belloni (1): rtc: set the alarm to the next expiring timer [74717b28cb32e1ad3c1042cafd76b264c8c0f68d] Andreas Rohner (1): nilfs2: fix race condition that causes file system corruption [31ccb1f7ba3cfe29631587d451cf5bb8ab593550] Arnd Bergmann (2): Input: adxl34x - do not treat FIFO_MODE() as boolean [1dbc080c9ef6bcfba652ef0d6ae919b8c7c85a1d] isofs: fix timestamps beyond 2027 [34be4dbf87fc3e474a842305394534216d428f5d] Bart Van Assche (1): IB/srp: Avoid that a cable pull can trigger a kernel crash [8a0d18c62121d3c554a83eb96e2752861d84d937] Bart Westgeest (1): staging: usbip: removed #if 0'd out code [34c09578179f5838e5958c45e8aed4edc9c6c3b8] Bernhard Rosenkraenzer (1): USB: Add delay-init quirk for Corsair K70 LUX keyboards [a0fea6027f19c62727315aba1a7fae75a9caa842] Brent Taylor (1): mtd: nand: Fix writing mtdoops to nand flash. [30863e38ebeb500a31cecee8096fb5002677dd9b] Chuck Lever (1): nfs: Fix ugly referral attributes [c05cefcc72416a37eba5a2b35f0704ed758a9145] Colin Ian King (1): rtc: interface: ignore expired timers when enqueuing new timers [2b2f5ff00f63847d95adad6289bd8b05f5983dd5] Dan Carpenter (2): eCryptfs: use after free in ecryptfs_release_messaging() [db86be3a12d0b6e5c5b51c2ab2a48f06329cb590] scsi: bfa: integer overflow in debugfs [3e351275655d3c84dc28abf170def9786db5176d] Eric Biggers (1): dm bufio: fix integer overflow when limiting maximum cache size [74d4108d9e681dbbe4a2940ed8fdff1f6868184c] Eric Dumazet (1): netfilter: xt_TCPMSS: add more sanity tests on tcph->doff [2638fd0f92d4397884fd991d8f4925cb3f081901] Eric W. Biederman (1): net/sctp: Always set scope_id in sctp_inet6_skb_msgname [7c8a61d9ee1df0fb4747879fa67a99614eb62fec] Felipe Balbi (1): usb: add helper to extract bits 12:11 of wMaxPacketSize [541b6fe63023f3059cf85d47ff2767a3e42a8e44] Gabriele Paoloni (1): PCI/AER: Report non-fatal errors only to the affected endpoint [86acc790717fb60fb51ea3095084e331d8711c74] Guenter Roeck (1): kaiser: Set _PAGE_NX only if supported [61e9b3671007a5da8127955a1a3bda7e0d5f42e8] Guillaume Nault (5): l2tp: don't register sessions in l2tp_session_create() [3953ae7b218df4d1e544b98a393666f9ae58a78c] l2tp: ensure sessions are freed after their PPPOL2TP socket [cdd10c9627496ad25c87ce6394e29752253c69d3] l2tp: initialise PPP sessions before registering them [f98be6c6359e7e4a61aaefb9964c1db31cb9ec0c] l2tp: initialise l2tp_eth sessions before registering them [ee28de6bbd78c2e18111a0aef43ea746f28d2073] l2tp: protect sock pointer of struct pppol2tp_session with RCU [ee40fb2e1eb5bc0ddd3f2f83c6e39a454ef5a741] Hou Tao (1): dm: fix race between dm_get_from_kobject() and __dm_destroy() [b9a41d21dceadf8104812626ef85dc56ee8a60ed] Jan Harkes (1): coda: fix 'kernel memory exposure attempt' in fsync [d337b66a4c52c7b04eec661d86c2ef6e168965a2] Jason Gunthorpe (1): sctp: Fixup v4mapped behaviour to comply with Sock API [299ee123e19889d511092347f5fc14db0f10e3a6] Jens Axboe (1): blktrace: fix unlocked access to init/start-stop/teardown [1f2cac107c591c24b60b115d6050adc213d10fc0] Johan Hovold (2): USB: serial: garmin_gps: fix I/O after failed probe and remove [19a565d9af6e0d828bd0d521d3bafd5017f4ce52]
[PATCH 3.2 03/79] rtc: set the alarm to the next expiring timer
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Alexandre Bellonicommit 74717b28cb32e1ad3c1042cafd76b264c8c0f68d upstream. If there is any non expired timer in the queue, the RTC alarm is never set. This is an issue when adding a timer that expires before the next non expired timer. Ensure the RTC alarm is set in that case. Fixes: 2b2f5ff00f63 ("rtc: interface: ignore expired timers when enqueuing new timers") Signed-off-by: Alexandre Belloni [bwh: Backported to 3.2: open-code ktime_before()] Signed-off-by: Ben Hutchings --- drivers/rtc/interface.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/rtc/interface.c +++ b/drivers/rtc/interface.c @@ -765,7 +765,7 @@ static int rtc_timer_enqueue(struct rtc_ } timerqueue_add(>timerqueue, >node); - if (!next) { + if (!next || timer->node.expires.tv64 < next->expires.tv64) { struct rtc_wkalrm alarm; int err; alarm.time = rtc_ktime_to_tm(timer->node.expires);
[PATCH 3.2 02/79] rtc: interface: ignore expired timers when enqueuing new timers
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Colin Ian Kingcommit 2b2f5ff00f63847d95adad6289bd8b05f5983dd5 upstream. This patch fixes a RTC wakealarm issue, namely, the event fires during hibernate and is not cleared from the list, causing hwclock to block. The current enqueuing does not trigger an alarm if any expired timers already exist on the timerqueue. This can occur when a RTC wake alarm is used to wake a machine out of hibernate and the resumed state has old expired timers that have not been removed from the timer queue. This fix skips over any expired timers and triggers an alarm if there are no pending timers on the timerqueue. Note that the skipped expired timer will get reaped later on, so there is no need to clean it up immediately. The issue can be reproduced by putting a machine into hibernate and waking it with the RTC wakealarm. Running the example RTC test program from tools/testing/selftests/timers/rtctest.c after the hibernate will block indefinitely. With the fix, it no longer blocks after the hibernate resume. BugLink: http://bugs.launchpad.net/bugs/1333569 Signed-off-by: Colin Ian King Signed-off-by: Alexandre Belloni Signed-off-by: Ben Hutchings --- drivers/rtc/interface.c | 16 +++- 1 file changed, 15 insertions(+), 1 deletion(-) --- a/drivers/rtc/interface.c +++ b/drivers/rtc/interface.c @@ -749,9 +749,23 @@ EXPORT_SYMBOL_GPL(rtc_irq_set_freq); */ static int rtc_timer_enqueue(struct rtc_device *rtc, struct rtc_timer *timer) { + struct timerqueue_node *next = timerqueue_getnext(>timerqueue); + struct rtc_time tm; + ktime_t now; + timer->enabled = 1; + __rtc_read_time(rtc, ); + now = rtc_tm_to_ktime(tm); + + /* Skip over expired timers */ + while (next) { + if (next->expires.tv64 >= now.tv64) + break; + next = timerqueue_iterate_next(next); + } + timerqueue_add(>timerqueue, >node); - if (>node == timerqueue_getnext(>timerqueue)) { + if (!next) { struct rtc_wkalrm alarm; int err; alarm.time = rtc_ktime_to_tm(timer->node.expires);
[PATCH 3.2 00/79] 3.2.99-rc1 review
This is the start of the stable review cycle for the 3.2.99 release. There are 79 patches in this series, which will be posted as responses to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Tue Feb 13 12:00:00 UTC 2018. Anything received after that time might be too late. All the patches have also been committed to the linux-3.2.y-rc branch of https://git.kernel.org/pub/scm/linux/kernel/git/bwh/linux-stable-rc.git . A shortlog and diffstat can be found below. Ben. - Al Viro (2): autofs4: autofs4_wait() vs. autofs4_catatonic_mode() race [4041bcdc7bef06a2fb29c57394c713a74bd13b08] autofs4: catatonic_mode vs. notify_daemon race [875266be67ff3a984ac1f6566d31c260bee4] Alan (1): usbip: Fix sscanf handling [2d32927127f44d755780aa5fa88c8c34e72558f8] Alan Stern (1): USB: usbfs: compute urb->actual_length for isochronous [2ef47001b3ee3ded579b7532ebdcf8680e4d8c54] Alex Chen (1): ocfs2: should wait dio before inode lock in ocfs2_setattr() [28f5a8a7c033cbf3e32277f4cc9c6afd74f05300] Alexander Potapenko (1): sctp: fully initialize the IPv6 address in sctp_v6_to_addr() [15339e441ec46fbc3bf3486bb1ae4845b0f1bb8d] Alexander Steffen (1): tpm-dev-common: Reject too short writes [ee70bc1e7b63ac8023c9ff9475d8741e397316e7] Alexandre Belloni (1): rtc: set the alarm to the next expiring timer [74717b28cb32e1ad3c1042cafd76b264c8c0f68d] Andreas Rohner (1): nilfs2: fix race condition that causes file system corruption [31ccb1f7ba3cfe29631587d451cf5bb8ab593550] Arnd Bergmann (2): Input: adxl34x - do not treat FIFO_MODE() as boolean [1dbc080c9ef6bcfba652ef0d6ae919b8c7c85a1d] isofs: fix timestamps beyond 2027 [34be4dbf87fc3e474a842305394534216d428f5d] Bart Van Assche (1): IB/srp: Avoid that a cable pull can trigger a kernel crash [8a0d18c62121d3c554a83eb96e2752861d84d937] Bart Westgeest (1): staging: usbip: removed #if 0'd out code [34c09578179f5838e5958c45e8aed4edc9c6c3b8] Bernhard Rosenkraenzer (1): USB: Add delay-init quirk for Corsair K70 LUX keyboards [a0fea6027f19c62727315aba1a7fae75a9caa842] Brent Taylor (1): mtd: nand: Fix writing mtdoops to nand flash. [30863e38ebeb500a31cecee8096fb5002677dd9b] Chuck Lever (1): nfs: Fix ugly referral attributes [c05cefcc72416a37eba5a2b35f0704ed758a9145] Colin Ian King (1): rtc: interface: ignore expired timers when enqueuing new timers [2b2f5ff00f63847d95adad6289bd8b05f5983dd5] Dan Carpenter (2): eCryptfs: use after free in ecryptfs_release_messaging() [db86be3a12d0b6e5c5b51c2ab2a48f06329cb590] scsi: bfa: integer overflow in debugfs [3e351275655d3c84dc28abf170def9786db5176d] Eric Biggers (1): dm bufio: fix integer overflow when limiting maximum cache size [74d4108d9e681dbbe4a2940ed8fdff1f6868184c] Eric Dumazet (1): netfilter: xt_TCPMSS: add more sanity tests on tcph->doff [2638fd0f92d4397884fd991d8f4925cb3f081901] Eric W. Biederman (1): net/sctp: Always set scope_id in sctp_inet6_skb_msgname [7c8a61d9ee1df0fb4747879fa67a99614eb62fec] Felipe Balbi (1): usb: add helper to extract bits 12:11 of wMaxPacketSize [541b6fe63023f3059cf85d47ff2767a3e42a8e44] Gabriele Paoloni (1): PCI/AER: Report non-fatal errors only to the affected endpoint [86acc790717fb60fb51ea3095084e331d8711c74] Guenter Roeck (1): kaiser: Set _PAGE_NX only if supported [61e9b3671007a5da8127955a1a3bda7e0d5f42e8] Guillaume Nault (5): l2tp: don't register sessions in l2tp_session_create() [3953ae7b218df4d1e544b98a393666f9ae58a78c] l2tp: ensure sessions are freed after their PPPOL2TP socket [cdd10c9627496ad25c87ce6394e29752253c69d3] l2tp: initialise PPP sessions before registering them [f98be6c6359e7e4a61aaefb9964c1db31cb9ec0c] l2tp: initialise l2tp_eth sessions before registering them [ee28de6bbd78c2e18111a0aef43ea746f28d2073] l2tp: protect sock pointer of struct pppol2tp_session with RCU [ee40fb2e1eb5bc0ddd3f2f83c6e39a454ef5a741] Hou Tao (1): dm: fix race between dm_get_from_kobject() and __dm_destroy() [b9a41d21dceadf8104812626ef85dc56ee8a60ed] Jan Harkes (1): coda: fix 'kernel memory exposure attempt' in fsync [d337b66a4c52c7b04eec661d86c2ef6e168965a2] Jason Gunthorpe (1): sctp: Fixup v4mapped behaviour to comply with Sock API [299ee123e19889d511092347f5fc14db0f10e3a6] Jens Axboe (1): blktrace: fix unlocked access to init/start-stop/teardown [1f2cac107c591c24b60b115d6050adc213d10fc0] Johan Hovold (2): USB: serial: garmin_gps: fix I/O after failed probe and remove [19a565d9af6e0d828bd0d521d3bafd5017f4ce52]
[PATCH 3.2 03/79] rtc: set the alarm to the next expiring timer
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Alexandre Belloni commit 74717b28cb32e1ad3c1042cafd76b264c8c0f68d upstream. If there is any non expired timer in the queue, the RTC alarm is never set. This is an issue when adding a timer that expires before the next non expired timer. Ensure the RTC alarm is set in that case. Fixes: 2b2f5ff00f63 ("rtc: interface: ignore expired timers when enqueuing new timers") Signed-off-by: Alexandre Belloni [bwh: Backported to 3.2: open-code ktime_before()] Signed-off-by: Ben Hutchings --- drivers/rtc/interface.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/rtc/interface.c +++ b/drivers/rtc/interface.c @@ -765,7 +765,7 @@ static int rtc_timer_enqueue(struct rtc_ } timerqueue_add(>timerqueue, >node); - if (!next) { + if (!next || timer->node.expires.tv64 < next->expires.tv64) { struct rtc_wkalrm alarm; int err; alarm.time = rtc_ktime_to_tm(timer->node.expires);
[PATCH 3.2 02/79] rtc: interface: ignore expired timers when enqueuing new timers
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Colin Ian King commit 2b2f5ff00f63847d95adad6289bd8b05f5983dd5 upstream. This patch fixes a RTC wakealarm issue, namely, the event fires during hibernate and is not cleared from the list, causing hwclock to block. The current enqueuing does not trigger an alarm if any expired timers already exist on the timerqueue. This can occur when a RTC wake alarm is used to wake a machine out of hibernate and the resumed state has old expired timers that have not been removed from the timer queue. This fix skips over any expired timers and triggers an alarm if there are no pending timers on the timerqueue. Note that the skipped expired timer will get reaped later on, so there is no need to clean it up immediately. The issue can be reproduced by putting a machine into hibernate and waking it with the RTC wakealarm. Running the example RTC test program from tools/testing/selftests/timers/rtctest.c after the hibernate will block indefinitely. With the fix, it no longer blocks after the hibernate resume. BugLink: http://bugs.launchpad.net/bugs/1333569 Signed-off-by: Colin Ian King Signed-off-by: Alexandre Belloni Signed-off-by: Ben Hutchings --- drivers/rtc/interface.c | 16 +++- 1 file changed, 15 insertions(+), 1 deletion(-) --- a/drivers/rtc/interface.c +++ b/drivers/rtc/interface.c @@ -749,9 +749,23 @@ EXPORT_SYMBOL_GPL(rtc_irq_set_freq); */ static int rtc_timer_enqueue(struct rtc_device *rtc, struct rtc_timer *timer) { + struct timerqueue_node *next = timerqueue_getnext(>timerqueue); + struct rtc_time tm; + ktime_t now; + timer->enabled = 1; + __rtc_read_time(rtc, ); + now = rtc_tm_to_ktime(tm); + + /* Skip over expired timers */ + while (next) { + if (next->expires.tv64 >= now.tv64) + break; + next = timerqueue_iterate_next(next); + } + timerqueue_add(>timerqueue, >node); - if (>node == timerqueue_getnext(>timerqueue)) { + if (!next) { struct rtc_wkalrm alarm; int err; alarm.time = rtc_ktime_to_tm(timer->node.expires);
[PATCH 3.2 17/79] l2tp: ensure sessions are freed after their PPPOL2TP socket
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Guillaume Naultcommit cdd10c9627496ad25c87ce6394e29752253c69d3 upstream. If l2tp_tunnel_delete() or l2tp_tunnel_closeall() deletes a session right after pppol2tp_release() orphaned its socket, then the 'sock' variable of the pppol2tp_session_close() callback is NULL. Yet the session is still used by pppol2tp_release(). Therefore we need to take an extra reference in any case, to prevent l2tp_tunnel_delete() or l2tp_tunnel_closeall() from freeing the session. Since the pppol2tp_session_close() callback is only set if the session is associated to a PPPOL2TP socket and that both l2tp_tunnel_delete() and l2tp_tunnel_closeall() hold the PPPOL2TP socket before calling pppol2tp_session_close(), we're sure that pppol2tp_session_close() and pppol2tp_session_destruct() are paired and called in the right order. So the reference taken by the former will be released by the later. Signed-off-by: Guillaume Nault Signed-off-by: David S. Miller [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings --- net/l2tp/l2tp_ppp.c | 8 1 file changed, 4 insertions(+), 4 deletions(-) --- a/net/l2tp/l2tp_ppp.c +++ b/net/l2tp/l2tp_ppp.c @@ -466,11 +466,11 @@ static void pppol2tp_session_close(struc BUG_ON(session->magic != L2TP_SESSION_MAGIC); - if (sock) { + if (sock) inet_shutdown(sock, 2); - /* Don't let the session go away before our socket does */ - l2tp_session_inc_refcount(session); - } + + /* Don't let the session go away before our socket does */ + l2tp_session_inc_refcount(session); return; }
[PATCH 3.2 17/79] l2tp: ensure sessions are freed after their PPPOL2TP socket
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Guillaume Nault commit cdd10c9627496ad25c87ce6394e29752253c69d3 upstream. If l2tp_tunnel_delete() or l2tp_tunnel_closeall() deletes a session right after pppol2tp_release() orphaned its socket, then the 'sock' variable of the pppol2tp_session_close() callback is NULL. Yet the session is still used by pppol2tp_release(). Therefore we need to take an extra reference in any case, to prevent l2tp_tunnel_delete() or l2tp_tunnel_closeall() from freeing the session. Since the pppol2tp_session_close() callback is only set if the session is associated to a PPPOL2TP socket and that both l2tp_tunnel_delete() and l2tp_tunnel_closeall() hold the PPPOL2TP socket before calling pppol2tp_session_close(), we're sure that pppol2tp_session_close() and pppol2tp_session_destruct() are paired and called in the right order. So the reference taken by the former will be released by the later. Signed-off-by: Guillaume Nault Signed-off-by: David S. Miller [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings --- net/l2tp/l2tp_ppp.c | 8 1 file changed, 4 insertions(+), 4 deletions(-) --- a/net/l2tp/l2tp_ppp.c +++ b/net/l2tp/l2tp_ppp.c @@ -466,11 +466,11 @@ static void pppol2tp_session_close(struc BUG_ON(session->magic != L2TP_SESSION_MAGIC); - if (sock) { + if (sock) inet_shutdown(sock, 2); - /* Don't let the session go away before our socket does */ - l2tp_session_inc_refcount(session); - } + + /* Don't let the session go away before our socket does */ + l2tp_session_inc_refcount(session); return; }
[PATCH 3.2 16/79] l2tp: push all ppp pseudowire shutdown through .release handler
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Tom Parkincommit cf2f5c886a209377daefd5d2ba0bcd49c3887813 upstream. If userspace deletes a ppp pseudowire using the netlink API, either by directly deleting the session or by deleting the tunnel that contains the session, we need to tear down the corresponding pppox channel. Rather than trying to manage two pppox unbind codepaths, switch the netlink and l2tp_core session_close handlers to close via. the l2tp_ppp socket .release handler. Signed-off-by: Tom Parkin Signed-off-by: James Chapman Signed-off-by: David S. Miller Signed-off-by: Ben Hutchings --- net/l2tp/l2tp_ppp.c | 53 ++--- 1 file changed, 10 insertions(+), 43 deletions(-) --- a/net/l2tp/l2tp_ppp.c +++ b/net/l2tp/l2tp_ppp.c @@ -95,6 +95,7 @@ #include #include #include +#include #include #include @@ -460,34 +461,16 @@ static void pppol2tp_session_close(struc { struct pppol2tp_session *ps = l2tp_session_priv(session); struct sock *sk = ps->sock; - struct sk_buff *skb; + struct socket *sock = sk->sk_socket; BUG_ON(session->magic != L2TP_SESSION_MAGIC); - if (session->session_id == 0) - goto out; - - if (sk != NULL) { - lock_sock(sk); - - if (sk->sk_state & (PPPOX_CONNECTED | PPPOX_BOUND)) { - pppox_unbind_sock(sk); - sk->sk_state = PPPOX_DEAD; - sk->sk_state_change(sk); - } - - /* Purge any queued data */ - skb_queue_purge(>sk_receive_queue); - skb_queue_purge(>sk_write_queue); - while ((skb = skb_dequeue(>reorder_q))) { - kfree_skb(skb); - sock_put(sk); - } - release_sock(sk); + if (sock) { + inet_shutdown(sock, 2); + /* Don't let the session go away before our socket does */ + l2tp_session_inc_refcount(session); } - -out: return; } @@ -538,16 +521,12 @@ static int pppol2tp_release(struct socke session = pppol2tp_sock_to_session(sk); /* Purge any queued data */ - skb_queue_purge(>sk_receive_queue); - skb_queue_purge(>sk_write_queue); if (session != NULL) { - struct sk_buff *skb; - while ((skb = skb_dequeue(>reorder_q))) { - kfree_skb(skb); - sock_put(sk); - } + l2tp_session_queue_purge(session); sock_put(sk); } + skb_queue_purge(>sk_receive_queue); + skb_queue_purge(>sk_write_queue); release_sock(sk); @@ -872,18 +851,6 @@ out: return error; } -/* Called when deleting sessions via the netlink interface. - */ -static int pppol2tp_session_delete(struct l2tp_session *session) -{ - struct pppol2tp_session *ps = l2tp_session_priv(session); - - if (ps->sock == NULL) - l2tp_session_dec_refcount(session); - - return 0; -} - #endif /* CONFIG_L2TP_V3 */ /* getname() support. @@ -1801,7 +1768,7 @@ static const struct pppox_proto pppol2tp static const struct l2tp_nl_cmd_ops pppol2tp_nl_cmd_ops = { .session_create = pppol2tp_session_create, - .session_delete = pppol2tp_session_delete, + .session_delete = l2tp_session_delete, }; #endif /* CONFIG_L2TP_V3 */
[PATCH 3.2 16/79] l2tp: push all ppp pseudowire shutdown through .release handler
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Tom Parkin commit cf2f5c886a209377daefd5d2ba0bcd49c3887813 upstream. If userspace deletes a ppp pseudowire using the netlink API, either by directly deleting the session or by deleting the tunnel that contains the session, we need to tear down the corresponding pppox channel. Rather than trying to manage two pppox unbind codepaths, switch the netlink and l2tp_core session_close handlers to close via. the l2tp_ppp socket .release handler. Signed-off-by: Tom Parkin Signed-off-by: James Chapman Signed-off-by: David S. Miller Signed-off-by: Ben Hutchings --- net/l2tp/l2tp_ppp.c | 53 ++--- 1 file changed, 10 insertions(+), 43 deletions(-) --- a/net/l2tp/l2tp_ppp.c +++ b/net/l2tp/l2tp_ppp.c @@ -95,6 +95,7 @@ #include #include #include +#include #include #include @@ -460,34 +461,16 @@ static void pppol2tp_session_close(struc { struct pppol2tp_session *ps = l2tp_session_priv(session); struct sock *sk = ps->sock; - struct sk_buff *skb; + struct socket *sock = sk->sk_socket; BUG_ON(session->magic != L2TP_SESSION_MAGIC); - if (session->session_id == 0) - goto out; - - if (sk != NULL) { - lock_sock(sk); - - if (sk->sk_state & (PPPOX_CONNECTED | PPPOX_BOUND)) { - pppox_unbind_sock(sk); - sk->sk_state = PPPOX_DEAD; - sk->sk_state_change(sk); - } - - /* Purge any queued data */ - skb_queue_purge(>sk_receive_queue); - skb_queue_purge(>sk_write_queue); - while ((skb = skb_dequeue(>reorder_q))) { - kfree_skb(skb); - sock_put(sk); - } - release_sock(sk); + if (sock) { + inet_shutdown(sock, 2); + /* Don't let the session go away before our socket does */ + l2tp_session_inc_refcount(session); } - -out: return; } @@ -538,16 +521,12 @@ static int pppol2tp_release(struct socke session = pppol2tp_sock_to_session(sk); /* Purge any queued data */ - skb_queue_purge(>sk_receive_queue); - skb_queue_purge(>sk_write_queue); if (session != NULL) { - struct sk_buff *skb; - while ((skb = skb_dequeue(>reorder_q))) { - kfree_skb(skb); - sock_put(sk); - } + l2tp_session_queue_purge(session); sock_put(sk); } + skb_queue_purge(>sk_receive_queue); + skb_queue_purge(>sk_write_queue); release_sock(sk); @@ -872,18 +851,6 @@ out: return error; } -/* Called when deleting sessions via the netlink interface. - */ -static int pppol2tp_session_delete(struct l2tp_session *session) -{ - struct pppol2tp_session *ps = l2tp_session_priv(session); - - if (ps->sock == NULL) - l2tp_session_dec_refcount(session); - - return 0; -} - #endif /* CONFIG_L2TP_V3 */ /* getname() support. @@ -1801,7 +1768,7 @@ static const struct pppox_proto pppol2tp static const struct l2tp_nl_cmd_ops pppol2tp_nl_cmd_ops = { .session_create = pppol2tp_session_create, - .session_delete = pppol2tp_session_delete, + .session_delete = l2tp_session_delete, }; #endif /* CONFIG_L2TP_V3 */
[PATCH 3.2 68/79] RDS: null pointer dereference in rds_atomic_free_op
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Mohamed Ghannamcommit 7d11f77f84b27cef452cee332f4e469503084737 upstream. set rm->atomic.op_active to 0 when rds_pin_pages() fails or the user supplied address is invalid, this prevents a NULL pointer usage in rds_atomic_free_op() Signed-off-by: Mohamed Ghannam Acked-by: Santosh Shilimkar Signed-off-by: David S. Miller Signed-off-by: Ben Hutchings --- net/rds/rdma.c | 1 + 1 file changed, 1 insertion(+) --- a/net/rds/rdma.c +++ b/net/rds/rdma.c @@ -855,6 +855,7 @@ int rds_cmsg_atomic(struct rds_sock *rs, err: if (page) put_page(page); + rm->atomic.op_active = 0; kfree(rm->atomic.op_notifier); return ret;
[PATCH 3.2 78/79] kaiser: Set _PAGE_NX only if supported
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Guenter RoeckThis resolves a crash if loaded under qemu + haxm under windows. See https://www.spinics.net/lists/kernel/msg2689835.html for details. Here is a boot log (the log is from chromeos-4.4, but Tao Wu says that the same log is also seen with vanilla v4.4.110-rc1). [0.712750] Freeing unused kernel memory: 552K [0.721821] init: Corrupted page table at address 57b029b332e0 [0.722761] PGD 8000bb238067 PUD bc36a067 PMD bc369067 PTE 45d2067 [0.722761] Bad pagetable: 000b [#1] PREEMPT SMP [0.722761] Modules linked in: [0.722761] CPU: 1 PID: 1 Comm: init Not tainted 4.4.96 #31 [0.722761] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.7.5.1-0-g8936dbb-20141113_115728-nilsson.home.kraxel.org 04/01/2014 [0.722761] task: 8800bc29 ti: 8800bc28c000 task.ti: 8800bc28c000 [0.722761] RIP: 0010:[] [] __clear_user+0x42/0x67 [0.722761] RSP: :8800bc28fcf8 EFLAGS: 00010202 [0.722761] RAX: RBX: 01a4 RCX: 01a4 [0.722761] RDX: RSI: 0008 RDI: 57b029b332e0 [0.722761] RBP: 8800bc28fd08 R08: 8800bc29 R09: 8800bb2f4000 [0.722761] R10: 8800bc29 R11: 8800bb2f4000 R12: 57b029b332e0 [0.722761] R13: R14: 57b029b33340 R15: 8800bb1e2a00 [0.722761] FS: () GS:8800bfb0() knlGS: [0.722761] CS: 0010 DS: ES: CR0: 8005003b [0.722761] CR2: 57b029b332e0 CR3: bb2f8000 CR4: 06e0 [0.722761] Stack: [0.722761] 57b029b332e0 8800bb95fa80 8800bc28fd18 83f4120c [0.722761] 8800bc28fe18 83e9e7a1 8800bc28fd68 [0.722761] 8800bc29 8800bc29 8800bc29 8800bc29 [0.722761] Call Trace: [0.722761] [] clear_user+0x2e/0x30 [0.722761] [] load_elf_binary+0xa7f/0x18f7 [0.722761] [] search_binary_handler+0x86/0x19c [0.722761] [] do_execveat_common.isra.26+0x909/0xf98 [0.722761] [] ? rest_init+0x87/0x87 [0.722761] [] do_execve+0x23/0x25 [0.722761] [] run_init_process+0x2b/0x2d [0.722761] [] kernel_init+0x6d/0xda [0.722761] [] ret_from_fork+0x3f/0x70 [0.722761] [] ? rest_init+0x87/0x87 [0.722761] Code: 86 84 be 12 00 00 00 e8 87 0d e8 ff 66 66 90 48 89 d8 48 c1 eb 03 4c 89 e7 83 e0 07 48 89 d9 be 08 00 00 00 31 d2 48 85 c9 74 0a <48> 89 17 48 01 f7 ff c9 75 f6 48 89 c1 85 c9 74 09 88 17 48 ff [0.722761] RIP [] __clear_user+0x42/0x67 [0.722761] RSP [0.722761] ---[ end trace def703879b4ff090 ]--- [0.722761] BUG: sleeping function called from invalid context at /mnt/host/source/src/third_party/kernel/v4.4/kernel/locking/rwsem.c:21 [0.722761] in_atomic(): 0, irqs_disabled(): 1, pid: 1, name: init [0.722761] CPU: 1 PID: 1 Comm: init Tainted: G D 4.4.96 #31 [0.722761] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.7.5.1-0-g8936dbb-20141113_115728-nilsson.home.kraxel.org 04/01/2014 [0.722761] 0086 dcb5d76098c89836 8800bc28fa30 83f34004 [0.722761] 84839dc2 0015 8800bc28fa40 83d57dc9 [0.722761] 8800bc28fa68 83d57e6a 84a53640 [0.722761] Call Trace: [0.722761] [] dump_stack+0x4d/0x63 [0.722761] [] ___might_sleep+0x13a/0x13c [0.722761] [] __might_sleep+0x9f/0xa6 [0.722761] [] down_read+0x20/0x31 [0.722761] [] __blocking_notifier_call_chain+0x35/0x63 [0.722761] [] blocking_notifier_call_chain+0x14/0x16 [0.800374] usb 1-1: new full-speed USB device number 2 using uhci_hcd [0.722761] [] profile_task_exit+0x1a/0x1c [0.802309] [] do_exit+0x39/0xe7f [0.802309] [] ? vprintk_default+0x1d/0x1f [0.802309] [] ? printk+0x57/0x73 [0.802309] [] oops_end+0x80/0x85 [0.802309] [] pgtable_bad+0x8a/0x95 [0.802309] [] __do_page_fault+0x8c/0x352 [0.802309] [] ? file_has_perm+0xc4/0xe5 [0.802309] [] do_page_fault+0xc/0xe [0.802309] [] page_fault+0x22/0x30 [0.802309] [] ? __clear_user+0x42/0x67 [0.802309] [] ? __clear_user+0x23/0x67 [0.802309] [] clear_user+0x2e/0x30 [0.802309] [] load_elf_binary+0xa7f/0x18f7 [0.802309] [] search_binary_handler+0x86/0x19c [0.802309] [] do_execveat_common.isra.26+0x909/0xf98 [0.802309] [] ? rest_init+0x87/0x87 [0.802309] [] do_execve+0x23/0x25 [0.802309] [] run_init_process+0x2b/0x2d [0.802309] [] kernel_init+0x6d/0xda [0.802309] [] ret_from_fork+0x3f/0x70 [0.802309] [] ? rest_init+0x87/0x87 [0.830559] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0009 [0.830559] [0.831305] Kernel Offset:
[PATCH 3.2 10/79] IB/srp: Avoid that a cable pull can trigger a kernel crash
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Bart Van Asschecommit 8a0d18c62121d3c554a83eb96e2752861d84d937 upstream. This patch fixes the following kernel crash: general protection fault: [#1] PREEMPT SMP Workqueue: ib_mad2 timeout_sends [ib_core] Call Trace: ib_sa_path_rec_callback+0x1c4/0x1d0 [ib_core] send_handler+0xb2/0xd0 [ib_core] timeout_sends+0x14d/0x220 [ib_core] process_one_work+0x200/0x630 worker_thread+0x4e/0x3b0 kthread+0x113/0x150 Fixes: commit aef9ec39c47f ("IB: Add SCSI RDMA Protocol (SRP) initiator") Signed-off-by: Bart Van Assche Reviewed-by: Sagi Grimberg Signed-off-by: Doug Ledford [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings --- --- a/drivers/infiniband/ulp/srp/ib_srp.c +++ b/drivers/infiniband/ulp/srp/ib_srp.c @@ -310,10 +310,19 @@ static void srp_path_rec_completion(int static int srp_lookup_path(struct srp_target_port *target) { + int ret = -ENODEV; + target->path.numb_path = 1; init_completion(>done); + /* +* Avoid that the SCSI host can be removed by srp_remove_target() +* before srp_path_rec_completion() is called. +*/ + if (!scsi_host_get(target->scsi_host)) + goto out; + target->path_query_id = ib_sa_path_rec_get(_sa_client, target->srp_host->srp_dev->dev, target->srp_host->port, @@ -327,16 +336,22 @@ static int srp_lookup_path(struct srp_ta GFP_KERNEL, srp_path_rec_completion, target, >path_query); - if (target->path_query_id < 0) - return target->path_query_id; + ret = target->path_query_id; + if (ret < 0) + goto put; wait_for_completion(>done); - if (target->status < 0) + ret = target->status; + if (ret < 0) shost_printk(KERN_WARNING, target->scsi_host, PFX "Path record query failed\n"); - return target->status; +put: + scsi_host_put(target->scsi_host); + +out: + return ret; } static int srp_send_req(struct srp_target_port *target)
[PATCH 3.2 68/79] RDS: null pointer dereference in rds_atomic_free_op
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Mohamed Ghannam commit 7d11f77f84b27cef452cee332f4e469503084737 upstream. set rm->atomic.op_active to 0 when rds_pin_pages() fails or the user supplied address is invalid, this prevents a NULL pointer usage in rds_atomic_free_op() Signed-off-by: Mohamed Ghannam Acked-by: Santosh Shilimkar Signed-off-by: David S. Miller Signed-off-by: Ben Hutchings --- net/rds/rdma.c | 1 + 1 file changed, 1 insertion(+) --- a/net/rds/rdma.c +++ b/net/rds/rdma.c @@ -855,6 +855,7 @@ int rds_cmsg_atomic(struct rds_sock *rs, err: if (page) put_page(page); + rm->atomic.op_active = 0; kfree(rm->atomic.op_notifier); return ret;
[PATCH 3.2 78/79] kaiser: Set _PAGE_NX only if supported
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Guenter Roeck This resolves a crash if loaded under qemu + haxm under windows. See https://www.spinics.net/lists/kernel/msg2689835.html for details. Here is a boot log (the log is from chromeos-4.4, but Tao Wu says that the same log is also seen with vanilla v4.4.110-rc1). [0.712750] Freeing unused kernel memory: 552K [0.721821] init: Corrupted page table at address 57b029b332e0 [0.722761] PGD 8000bb238067 PUD bc36a067 PMD bc369067 PTE 45d2067 [0.722761] Bad pagetable: 000b [#1] PREEMPT SMP [0.722761] Modules linked in: [0.722761] CPU: 1 PID: 1 Comm: init Not tainted 4.4.96 #31 [0.722761] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.7.5.1-0-g8936dbb-20141113_115728-nilsson.home.kraxel.org 04/01/2014 [0.722761] task: 8800bc29 ti: 8800bc28c000 task.ti: 8800bc28c000 [0.722761] RIP: 0010:[] [] __clear_user+0x42/0x67 [0.722761] RSP: :8800bc28fcf8 EFLAGS: 00010202 [0.722761] RAX: RBX: 01a4 RCX: 01a4 [0.722761] RDX: RSI: 0008 RDI: 57b029b332e0 [0.722761] RBP: 8800bc28fd08 R08: 8800bc29 R09: 8800bb2f4000 [0.722761] R10: 8800bc29 R11: 8800bb2f4000 R12: 57b029b332e0 [0.722761] R13: R14: 57b029b33340 R15: 8800bb1e2a00 [0.722761] FS: () GS:8800bfb0() knlGS: [0.722761] CS: 0010 DS: ES: CR0: 8005003b [0.722761] CR2: 57b029b332e0 CR3: bb2f8000 CR4: 06e0 [0.722761] Stack: [0.722761] 57b029b332e0 8800bb95fa80 8800bc28fd18 83f4120c [0.722761] 8800bc28fe18 83e9e7a1 8800bc28fd68 [0.722761] 8800bc29 8800bc29 8800bc29 8800bc29 [0.722761] Call Trace: [0.722761] [] clear_user+0x2e/0x30 [0.722761] [] load_elf_binary+0xa7f/0x18f7 [0.722761] [] search_binary_handler+0x86/0x19c [0.722761] [] do_execveat_common.isra.26+0x909/0xf98 [0.722761] [] ? rest_init+0x87/0x87 [0.722761] [] do_execve+0x23/0x25 [0.722761] [] run_init_process+0x2b/0x2d [0.722761] [] kernel_init+0x6d/0xda [0.722761] [] ret_from_fork+0x3f/0x70 [0.722761] [] ? rest_init+0x87/0x87 [0.722761] Code: 86 84 be 12 00 00 00 e8 87 0d e8 ff 66 66 90 48 89 d8 48 c1 eb 03 4c 89 e7 83 e0 07 48 89 d9 be 08 00 00 00 31 d2 48 85 c9 74 0a <48> 89 17 48 01 f7 ff c9 75 f6 48 89 c1 85 c9 74 09 88 17 48 ff [0.722761] RIP [] __clear_user+0x42/0x67 [0.722761] RSP [0.722761] ---[ end trace def703879b4ff090 ]--- [0.722761] BUG: sleeping function called from invalid context at /mnt/host/source/src/third_party/kernel/v4.4/kernel/locking/rwsem.c:21 [0.722761] in_atomic(): 0, irqs_disabled(): 1, pid: 1, name: init [0.722761] CPU: 1 PID: 1 Comm: init Tainted: G D 4.4.96 #31 [0.722761] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.7.5.1-0-g8936dbb-20141113_115728-nilsson.home.kraxel.org 04/01/2014 [0.722761] 0086 dcb5d76098c89836 8800bc28fa30 83f34004 [0.722761] 84839dc2 0015 8800bc28fa40 83d57dc9 [0.722761] 8800bc28fa68 83d57e6a 84a53640 [0.722761] Call Trace: [0.722761] [] dump_stack+0x4d/0x63 [0.722761] [] ___might_sleep+0x13a/0x13c [0.722761] [] __might_sleep+0x9f/0xa6 [0.722761] [] down_read+0x20/0x31 [0.722761] [] __blocking_notifier_call_chain+0x35/0x63 [0.722761] [] blocking_notifier_call_chain+0x14/0x16 [0.800374] usb 1-1: new full-speed USB device number 2 using uhci_hcd [0.722761] [] profile_task_exit+0x1a/0x1c [0.802309] [] do_exit+0x39/0xe7f [0.802309] [] ? vprintk_default+0x1d/0x1f [0.802309] [] ? printk+0x57/0x73 [0.802309] [] oops_end+0x80/0x85 [0.802309] [] pgtable_bad+0x8a/0x95 [0.802309] [] __do_page_fault+0x8c/0x352 [0.802309] [] ? file_has_perm+0xc4/0xe5 [0.802309] [] do_page_fault+0xc/0xe [0.802309] [] page_fault+0x22/0x30 [0.802309] [] ? __clear_user+0x42/0x67 [0.802309] [] ? __clear_user+0x23/0x67 [0.802309] [] clear_user+0x2e/0x30 [0.802309] [] load_elf_binary+0xa7f/0x18f7 [0.802309] [] search_binary_handler+0x86/0x19c [0.802309] [] do_execveat_common.isra.26+0x909/0xf98 [0.802309] [] ? rest_init+0x87/0x87 [0.802309] [] do_execve+0x23/0x25 [0.802309] [] run_init_process+0x2b/0x2d [0.802309] [] kernel_init+0x6d/0xda [0.802309] [] ret_from_fork+0x3f/0x70 [0.802309] [] ? rest_init+0x87/0x87 [0.830559] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0009 [0.830559] [0.831305] Kernel Offset: 0x2c0 from
[PATCH 3.2 10/79] IB/srp: Avoid that a cable pull can trigger a kernel crash
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Bart Van Assche commit 8a0d18c62121d3c554a83eb96e2752861d84d937 upstream. This patch fixes the following kernel crash: general protection fault: [#1] PREEMPT SMP Workqueue: ib_mad2 timeout_sends [ib_core] Call Trace: ib_sa_path_rec_callback+0x1c4/0x1d0 [ib_core] send_handler+0xb2/0xd0 [ib_core] timeout_sends+0x14d/0x220 [ib_core] process_one_work+0x200/0x630 worker_thread+0x4e/0x3b0 kthread+0x113/0x150 Fixes: commit aef9ec39c47f ("IB: Add SCSI RDMA Protocol (SRP) initiator") Signed-off-by: Bart Van Assche Reviewed-by: Sagi Grimberg Signed-off-by: Doug Ledford [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings --- --- a/drivers/infiniband/ulp/srp/ib_srp.c +++ b/drivers/infiniband/ulp/srp/ib_srp.c @@ -310,10 +310,19 @@ static void srp_path_rec_completion(int static int srp_lookup_path(struct srp_target_port *target) { + int ret = -ENODEV; + target->path.numb_path = 1; init_completion(>done); + /* +* Avoid that the SCSI host can be removed by srp_remove_target() +* before srp_path_rec_completion() is called. +*/ + if (!scsi_host_get(target->scsi_host)) + goto out; + target->path_query_id = ib_sa_path_rec_get(_sa_client, target->srp_host->srp_dev->dev, target->srp_host->port, @@ -327,16 +336,22 @@ static int srp_lookup_path(struct srp_ta GFP_KERNEL, srp_path_rec_completion, target, >path_query); - if (target->path_query_id < 0) - return target->path_query_id; + ret = target->path_query_id; + if (ret < 0) + goto put; wait_for_completion(>done); - if (target->status < 0) + ret = target->status; + if (ret < 0) shost_printk(KERN_WARNING, target->scsi_host, PFX "Path record query failed\n"); - return target->status; +put: + scsi_host_put(target->scsi_host); + +out: + return ret; } static int srp_send_req(struct srp_target_port *target)
[PATCH 3.2 14/79] l2tp: add session reorder queue purge function to core
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Tom Parkincommit 48f72f92b31431c40279b0fba6c5588e07e67d95 upstream. If an l2tp session is deleted, it is necessary to delete skbs in-flight on the session's reorder queue before taking it down. Rather than having each pseudowire implementation reaching into the l2tp_session struct to handle this itself, provide a function in l2tp_core to purge the session queue. Signed-off-by: Tom Parkin Signed-off-by: James Chapman Signed-off-by: David S. Miller [bwh: Backported to 3.2: use non-atomic increment on rx_errors] Signed-off-by: Ben Hutchings --- net/l2tp/l2tp_core.c | 17 + net/l2tp/l2tp_core.h | 1 + 2 files changed, 18 insertions(+) --- a/net/l2tp/l2tp_core.c +++ b/net/l2tp/l2tp_core.c @@ -830,6 +830,23 @@ discard: } EXPORT_SYMBOL(l2tp_recv_common); +/* Drop skbs from the session's reorder_q + */ +int l2tp_session_queue_purge(struct l2tp_session *session) +{ + struct sk_buff *skb = NULL; + BUG_ON(!session); + BUG_ON(session->magic != L2TP_SESSION_MAGIC); + while ((skb = skb_dequeue(>reorder_q))) { + session->stats.rx_errors++; + kfree_skb(skb); + if (session->deref) + (*session->deref)(session); + } + return 0; +} +EXPORT_SYMBOL_GPL(l2tp_session_queue_purge); + /* Internal UDP receive frame. Do the real work of receiving an L2TP data frame * here. The skb is not on a list when we get here. * Returns 0 if the packet was a data packet and was successfully passed on. --- a/net/l2tp/l2tp_core.h +++ b/net/l2tp/l2tp_core.h @@ -249,6 +249,7 @@ extern struct l2tp_session *l2tp_session extern int l2tp_session_delete(struct l2tp_session *session); extern void l2tp_session_free(struct l2tp_session *session); extern void l2tp_recv_common(struct l2tp_session *session, struct sk_buff *skb, unsigned char *ptr, unsigned char *optr, u16 hdrflags, int length, int (*payload_hook)(struct sk_buff *skb)); +extern int l2tp_session_queue_purge(struct l2tp_session *session); extern int l2tp_udp_encap_recv(struct sock *sk, struct sk_buff *skb); extern int l2tp_xmit_skb(struct l2tp_session *session, struct sk_buff *skb, int hdr_len);
[PATCH 3.2 14/79] l2tp: add session reorder queue purge function to core
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Tom Parkin commit 48f72f92b31431c40279b0fba6c5588e07e67d95 upstream. If an l2tp session is deleted, it is necessary to delete skbs in-flight on the session's reorder queue before taking it down. Rather than having each pseudowire implementation reaching into the l2tp_session struct to handle this itself, provide a function in l2tp_core to purge the session queue. Signed-off-by: Tom Parkin Signed-off-by: James Chapman Signed-off-by: David S. Miller [bwh: Backported to 3.2: use non-atomic increment on rx_errors] Signed-off-by: Ben Hutchings --- net/l2tp/l2tp_core.c | 17 + net/l2tp/l2tp_core.h | 1 + 2 files changed, 18 insertions(+) --- a/net/l2tp/l2tp_core.c +++ b/net/l2tp/l2tp_core.c @@ -830,6 +830,23 @@ discard: } EXPORT_SYMBOL(l2tp_recv_common); +/* Drop skbs from the session's reorder_q + */ +int l2tp_session_queue_purge(struct l2tp_session *session) +{ + struct sk_buff *skb = NULL; + BUG_ON(!session); + BUG_ON(session->magic != L2TP_SESSION_MAGIC); + while ((skb = skb_dequeue(>reorder_q))) { + session->stats.rx_errors++; + kfree_skb(skb); + if (session->deref) + (*session->deref)(session); + } + return 0; +} +EXPORT_SYMBOL_GPL(l2tp_session_queue_purge); + /* Internal UDP receive frame. Do the real work of receiving an L2TP data frame * here. The skb is not on a list when we get here. * Returns 0 if the packet was a data packet and was successfully passed on. --- a/net/l2tp/l2tp_core.h +++ b/net/l2tp/l2tp_core.h @@ -249,6 +249,7 @@ extern struct l2tp_session *l2tp_session extern int l2tp_session_delete(struct l2tp_session *session); extern void l2tp_session_free(struct l2tp_session *session); extern void l2tp_recv_common(struct l2tp_session *session, struct sk_buff *skb, unsigned char *ptr, unsigned char *optr, u16 hdrflags, int length, int (*payload_hook)(struct sk_buff *skb)); +extern int l2tp_session_queue_purge(struct l2tp_session *session); extern int l2tp_udp_encap_recv(struct sock *sk, struct sk_buff *skb); extern int l2tp_xmit_skb(struct l2tp_session *session, struct sk_buff *skb, int hdr_len);
[PATCH 3.16 020/136] elf_fdpic: fix unused variable warning
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Arnd Bergmanncommit 11e3e8d6d9274bf630859b4c47bc4e4d76f289db upstream. The elf_fdpic code shows a harmless warning when built with MMU disabled, I ran into this now that fdpic is available on ARM randconfig builds since commit 50b2b2e691cd ("ARM: add ELF_FDPIC support"). fs/binfmt_elf_fdpic.c: In function 'elf_fdpic_dump_segments': fs/binfmt_elf_fdpic.c:1501:17: error: unused variable 'addr' [-Werror=unused-variable] This adds another #ifdef around the variable declaration to shut up the warning. Fixes: e6c1baa9b562 ("convert the rest of binfmt_elf_fdpic to dump_emit()") Acked-by: Nicolas Pitre Signed-off-by: Arnd Bergmann Signed-off-by: Al Viro Signed-off-by: Ben Hutchings --- fs/binfmt_elf_fdpic.c | 2 ++ 1 file changed, 2 insertions(+) --- a/fs/binfmt_elf_fdpic.c +++ b/fs/binfmt_elf_fdpic.c @@ -1487,7 +1487,9 @@ static bool elf_fdpic_dump_segments(stru struct vm_area_struct *vma; for (vma = current->mm->mmap; vma; vma = vma->vm_next) { +#ifdef CONFIG_MMU unsigned long addr; +#endif if (!maydump(vma, cprm->mm_flags)) continue;
[PATCH 3.16 060/136] ACPI / APEI: Replace ioremap_page_range() with fixmap
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: James Morsecommit 4f89fa286f6729312e227e7c2d764e8e7b9d340e upstream. Replace ghes_io{re,un}map_pfn_{nmi,irq}()s use of ioremap_page_range() with __set_fixmap() as ioremap_page_range() may sleep to allocate a new level of page-table, even if its passed an existing final-address to use in the mapping. The GHES driver can only be enabled for architectures that select HAVE_ACPI_APEI: Add fixmap entries to both x86 and arm64. clear_fixmap() does the TLB invalidation in __set_fixmap() for arm64 and __set_pte_vaddr() for x86. In each case its the same as the respective arch_apei_flush_tlb_one(). Reported-by: Fengguang Wu Suggested-by: Linus Torvalds Signed-off-by: James Morse Reviewed-by: Borislav Petkov Tested-by: Tyler Baicar Tested-by: Toshi Kani [ For the arm64 bits: ] Acked-by: Will Deacon [ For the x86 bits: ] Acked-by: Ingo Molnar Signed-off-by: Rafael J. Wysocki [bwh: Backported to 3.16: - Drop arm64 changes; ghes is x86-only here - Don't use page or prot variables in ghes_ioremap_fn_{nmi,irq}() - Adjust context] Signed-off-by: Ben Hutchings --- --- a/arch/x86/include/asm/fixmap.h +++ b/arch/x86/include/asm/fixmap.h @@ -103,6 +103,12 @@ enum fixed_addresses { #ifdef CONFIG_X86_INTEL_MID FIX_LNW_VRTC, #endif +#ifdef CONFIG_ACPI_APEI_GHES + /* Used for GHES mapping from assorted contexts */ + FIX_APEI_GHES_IRQ, + FIX_APEI_GHES_NMI, +#endif + __end_of_permanent_fixed_addresses, /* --- a/drivers/acpi/apei/ghes.c +++ b/drivers/acpi/apei/ghes.c @@ -49,6 +49,7 @@ #include #include +#include #include #include #include @@ -110,7 +111,7 @@ static DEFINE_RAW_SPINLOCK(ghes_nmi_lock * Because the memory area used to transfer hardware error information * from BIOS to Linux can be determined only in NMI, IRQ or timer * handler, but general ioremap can not be used in atomic context, so - * a special version of atomic ioremap is implemented for that. + * the fixmap is used instead. */ /* @@ -124,8 +125,8 @@ static DEFINE_RAW_SPINLOCK(ghes_nmi_lock /* virtual memory area for atomic ioremap */ static struct vm_struct *ghes_ioremap_area; /* - * These 2 spinlock is used to prevent atomic ioremap virtual memory - * area from being mapped simultaneously. + * These 2 spinlocks are used to prevent the fixmap entries from being used + * simultaneously. */ static DEFINE_RAW_SPINLOCK(ghes_ioremap_lock_nmi); static DEFINE_SPINLOCK(ghes_ioremap_lock_irq); @@ -165,44 +166,26 @@ static void ghes_ioremap_exit(void) static void __iomem *ghes_ioremap_pfn_nmi(u64 pfn) { - unsigned long vaddr; + __set_fixmap(FIX_APEI_GHES_NMI, pfn << PAGE_SHIFT, PAGE_KERNEL); - vaddr = (unsigned long)GHES_IOREMAP_NMI_PAGE(ghes_ioremap_area->addr); - ioremap_page_range(vaddr, vaddr + PAGE_SIZE, - pfn << PAGE_SHIFT, PAGE_KERNEL); - - return (void __iomem *)vaddr; + return (void __iomem *) fix_to_virt(FIX_APEI_GHES_NMI); } static void __iomem *ghes_ioremap_pfn_irq(u64 pfn) { - unsigned long vaddr; - - vaddr = (unsigned long)GHES_IOREMAP_IRQ_PAGE(ghes_ioremap_area->addr); - ioremap_page_range(vaddr, vaddr + PAGE_SIZE, - pfn << PAGE_SHIFT, PAGE_KERNEL); + __set_fixmap(FIX_APEI_GHES_IRQ, pfn << PAGE_SHIFT, PAGE_KERNEL); - return (void __iomem *)vaddr; + return (void __iomem *) fix_to_virt(FIX_APEI_GHES_IRQ); } -static void ghes_iounmap_nmi(void __iomem *vaddr_ptr) +static void ghes_iounmap_nmi(void) { - unsigned long vaddr = (unsigned long __force)vaddr_ptr; - void *base = ghes_ioremap_area->addr; - - BUG_ON(vaddr != (unsigned long)GHES_IOREMAP_NMI_PAGE(base)); - unmap_kernel_range_noflush(vaddr, PAGE_SIZE); - __flush_tlb_one(vaddr); + clear_fixmap(FIX_APEI_GHES_NMI); } -static void ghes_iounmap_irq(void __iomem *vaddr_ptr) +static void ghes_iounmap_irq(void) { - unsigned long vaddr = (unsigned long __force)vaddr_ptr; - void *base = ghes_ioremap_area->addr; - - BUG_ON(vaddr != (unsigned long)GHES_IOREMAP_IRQ_PAGE(base)); - unmap_kernel_range_noflush(vaddr, PAGE_SIZE); - __flush_tlb_one(vaddr); + clear_fixmap(FIX_APEI_GHES_IRQ); } static int ghes_estatus_pool_init(void) @@ -341,10 +324,10 @@ static void ghes_copy_tofrom_phys(void * paddr += trunk; buffer += trunk; if (in_nmi) { - ghes_iounmap_nmi(vaddr); + ghes_iounmap_nmi(); raw_spin_unlock(_ioremap_lock_nmi); } else { -
[PATCH 3.16 067/136] ima: fix hash algorithm initialization
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Boshi Wangcommit ebe7c0a7be92bbd34c6ff5b55810546a0ee05bee upstream. The hash_setup function always sets the hash_setup_done flag, even when the hash algorithm is invalid. This prevents the default hash algorithm defined as CONFIG_IMA_DEFAULT_HASH from being used. This patch sets hash_setup_done flag only for valid hash algorithms. Fixes: e7a2ad7eb6f4 "ima: enable support for larger default filedata hash algorithms" Signed-off-by: Boshi Wang Signed-off-by: Mimi Zohar Signed-off-by: Ben Hutchings --- security/integrity/ima/ima_main.c | 4 1 file changed, 4 insertions(+) --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -52,6 +52,8 @@ static int __init hash_setup(char *str) ima_hash_algo = HASH_ALGO_SHA1; else if (strncmp(str, "md5", 3) == 0) ima_hash_algo = HASH_ALGO_MD5; + else + return 1; goto out; } @@ -61,6 +63,8 @@ static int __init hash_setup(char *str) break; } } + if (i == HASH_ALGO__LAST) + return 1; out: hash_setup_done = 1; return 1;
[PATCH 3.16 020/136] elf_fdpic: fix unused variable warning
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Arnd Bergmann commit 11e3e8d6d9274bf630859b4c47bc4e4d76f289db upstream. The elf_fdpic code shows a harmless warning when built with MMU disabled, I ran into this now that fdpic is available on ARM randconfig builds since commit 50b2b2e691cd ("ARM: add ELF_FDPIC support"). fs/binfmt_elf_fdpic.c: In function 'elf_fdpic_dump_segments': fs/binfmt_elf_fdpic.c:1501:17: error: unused variable 'addr' [-Werror=unused-variable] This adds another #ifdef around the variable declaration to shut up the warning. Fixes: e6c1baa9b562 ("convert the rest of binfmt_elf_fdpic to dump_emit()") Acked-by: Nicolas Pitre Signed-off-by: Arnd Bergmann Signed-off-by: Al Viro Signed-off-by: Ben Hutchings --- fs/binfmt_elf_fdpic.c | 2 ++ 1 file changed, 2 insertions(+) --- a/fs/binfmt_elf_fdpic.c +++ b/fs/binfmt_elf_fdpic.c @@ -1487,7 +1487,9 @@ static bool elf_fdpic_dump_segments(stru struct vm_area_struct *vma; for (vma = current->mm->mmap; vma; vma = vma->vm_next) { +#ifdef CONFIG_MMU unsigned long addr; +#endif if (!maydump(vma, cprm->mm_flags)) continue;
[PATCH 3.16 060/136] ACPI / APEI: Replace ioremap_page_range() with fixmap
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: James Morse commit 4f89fa286f6729312e227e7c2d764e8e7b9d340e upstream. Replace ghes_io{re,un}map_pfn_{nmi,irq}()s use of ioremap_page_range() with __set_fixmap() as ioremap_page_range() may sleep to allocate a new level of page-table, even if its passed an existing final-address to use in the mapping. The GHES driver can only be enabled for architectures that select HAVE_ACPI_APEI: Add fixmap entries to both x86 and arm64. clear_fixmap() does the TLB invalidation in __set_fixmap() for arm64 and __set_pte_vaddr() for x86. In each case its the same as the respective arch_apei_flush_tlb_one(). Reported-by: Fengguang Wu Suggested-by: Linus Torvalds Signed-off-by: James Morse Reviewed-by: Borislav Petkov Tested-by: Tyler Baicar Tested-by: Toshi Kani [ For the arm64 bits: ] Acked-by: Will Deacon [ For the x86 bits: ] Acked-by: Ingo Molnar Signed-off-by: Rafael J. Wysocki [bwh: Backported to 3.16: - Drop arm64 changes; ghes is x86-only here - Don't use page or prot variables in ghes_ioremap_fn_{nmi,irq}() - Adjust context] Signed-off-by: Ben Hutchings --- --- a/arch/x86/include/asm/fixmap.h +++ b/arch/x86/include/asm/fixmap.h @@ -103,6 +103,12 @@ enum fixed_addresses { #ifdef CONFIG_X86_INTEL_MID FIX_LNW_VRTC, #endif +#ifdef CONFIG_ACPI_APEI_GHES + /* Used for GHES mapping from assorted contexts */ + FIX_APEI_GHES_IRQ, + FIX_APEI_GHES_NMI, +#endif + __end_of_permanent_fixed_addresses, /* --- a/drivers/acpi/apei/ghes.c +++ b/drivers/acpi/apei/ghes.c @@ -49,6 +49,7 @@ #include #include +#include #include #include #include @@ -110,7 +111,7 @@ static DEFINE_RAW_SPINLOCK(ghes_nmi_lock * Because the memory area used to transfer hardware error information * from BIOS to Linux can be determined only in NMI, IRQ or timer * handler, but general ioremap can not be used in atomic context, so - * a special version of atomic ioremap is implemented for that. + * the fixmap is used instead. */ /* @@ -124,8 +125,8 @@ static DEFINE_RAW_SPINLOCK(ghes_nmi_lock /* virtual memory area for atomic ioremap */ static struct vm_struct *ghes_ioremap_area; /* - * These 2 spinlock is used to prevent atomic ioremap virtual memory - * area from being mapped simultaneously. + * These 2 spinlocks are used to prevent the fixmap entries from being used + * simultaneously. */ static DEFINE_RAW_SPINLOCK(ghes_ioremap_lock_nmi); static DEFINE_SPINLOCK(ghes_ioremap_lock_irq); @@ -165,44 +166,26 @@ static void ghes_ioremap_exit(void) static void __iomem *ghes_ioremap_pfn_nmi(u64 pfn) { - unsigned long vaddr; + __set_fixmap(FIX_APEI_GHES_NMI, pfn << PAGE_SHIFT, PAGE_KERNEL); - vaddr = (unsigned long)GHES_IOREMAP_NMI_PAGE(ghes_ioremap_area->addr); - ioremap_page_range(vaddr, vaddr + PAGE_SIZE, - pfn << PAGE_SHIFT, PAGE_KERNEL); - - return (void __iomem *)vaddr; + return (void __iomem *) fix_to_virt(FIX_APEI_GHES_NMI); } static void __iomem *ghes_ioremap_pfn_irq(u64 pfn) { - unsigned long vaddr; - - vaddr = (unsigned long)GHES_IOREMAP_IRQ_PAGE(ghes_ioremap_area->addr); - ioremap_page_range(vaddr, vaddr + PAGE_SIZE, - pfn << PAGE_SHIFT, PAGE_KERNEL); + __set_fixmap(FIX_APEI_GHES_IRQ, pfn << PAGE_SHIFT, PAGE_KERNEL); - return (void __iomem *)vaddr; + return (void __iomem *) fix_to_virt(FIX_APEI_GHES_IRQ); } -static void ghes_iounmap_nmi(void __iomem *vaddr_ptr) +static void ghes_iounmap_nmi(void) { - unsigned long vaddr = (unsigned long __force)vaddr_ptr; - void *base = ghes_ioremap_area->addr; - - BUG_ON(vaddr != (unsigned long)GHES_IOREMAP_NMI_PAGE(base)); - unmap_kernel_range_noflush(vaddr, PAGE_SIZE); - __flush_tlb_one(vaddr); + clear_fixmap(FIX_APEI_GHES_NMI); } -static void ghes_iounmap_irq(void __iomem *vaddr_ptr) +static void ghes_iounmap_irq(void) { - unsigned long vaddr = (unsigned long __force)vaddr_ptr; - void *base = ghes_ioremap_area->addr; - - BUG_ON(vaddr != (unsigned long)GHES_IOREMAP_IRQ_PAGE(base)); - unmap_kernel_range_noflush(vaddr, PAGE_SIZE); - __flush_tlb_one(vaddr); + clear_fixmap(FIX_APEI_GHES_IRQ); } static int ghes_estatus_pool_init(void) @@ -341,10 +324,10 @@ static void ghes_copy_tofrom_phys(void * paddr += trunk; buffer += trunk; if (in_nmi) { - ghes_iounmap_nmi(vaddr); + ghes_iounmap_nmi(); raw_spin_unlock(_ioremap_lock_nmi); } else { - ghes_iounmap_irq(vaddr); + ghes_iounmap_irq(); spin_unlock_irqrestore(_ioremap_lock_irq, flags); } }
[PATCH 3.16 067/136] ima: fix hash algorithm initialization
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Boshi Wang commit ebe7c0a7be92bbd34c6ff5b55810546a0ee05bee upstream. The hash_setup function always sets the hash_setup_done flag, even when the hash algorithm is invalid. This prevents the default hash algorithm defined as CONFIG_IMA_DEFAULT_HASH from being used. This patch sets hash_setup_done flag only for valid hash algorithms. Fixes: e7a2ad7eb6f4 "ima: enable support for larger default filedata hash algorithms" Signed-off-by: Boshi Wang Signed-off-by: Mimi Zohar Signed-off-by: Ben Hutchings --- security/integrity/ima/ima_main.c | 4 1 file changed, 4 insertions(+) --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -52,6 +52,8 @@ static int __init hash_setup(char *str) ima_hash_algo = HASH_ALGO_SHA1; else if (strncmp(str, "md5", 3) == 0) ima_hash_algo = HASH_ALGO_MD5; + else + return 1; goto out; } @@ -61,6 +63,8 @@ static int __init hash_setup(char *str) break; } } + if (i == HASH_ALGO__LAST) + return 1; out: hash_setup_done = 1; return 1;
[PATCH 3.16 028/136] net/9p: Switch to wait_event_killable()
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Tuomas Tynkkynencommit 9523feac272ccad2ad8186ba4fcc89103754de52 upstream. Because userspace gets Very Unhappy when calls like stat() and execve() return -EINTR on 9p filesystem mounts. For instance, when bash is looking in PATH for things to execute and some SIGCHLD interrupts stat(), bash can throw a spurious 'command not found' since it doesn't retry the stat(). In practice, hitting the problem is rare and needs a really slow/bogged down 9p server. Signed-off-by: Tuomas Tynkkynen Signed-off-by: Al Viro [bwh: Backported to 3.16: drop changes in trans_xen.c] Signed-off-by: Ben Hutchings --- --- a/net/9p/client.c +++ b/net/9p/client.c @@ -753,8 +753,7 @@ p9_client_rpc(struct p9_client *c, int8_ } again: /* Wait for the response */ - err = wait_event_interruptible(*req->wq, - req->status >= REQ_STATUS_RCVD); + err = wait_event_killable(*req->wq, req->status >= REQ_STATUS_RCVD); /* * Make sure our req is coherent with regard to updates in other --- a/net/9p/trans_virtio.c +++ b/net/9p/trans_virtio.c @@ -292,8 +292,8 @@ req_retry: if (err == -ENOSPC) { chan->ring_bufs_avail = 0; spin_unlock_irqrestore(>lock, flags); - err = wait_event_interruptible(*chan->vc_wq, - chan->ring_bufs_avail); + err = wait_event_killable(*chan->vc_wq, + chan->ring_bufs_avail); if (err == -ERESTARTSYS) return err; @@ -324,7 +324,7 @@ static int p9_get_mapped_pages(struct vi * Other zc request to finish here */ if (atomic_read(_pinned) >= chan->p9_max_pages) { - err = wait_event_interruptible(vp_wq, + err = wait_event_killable(vp_wq, (atomic_read(_pinned) < chan->p9_max_pages)); if (err == -ERESTARTSYS) return err; @@ -454,8 +454,8 @@ req_retry_pinned: if (err == -ENOSPC) { chan->ring_bufs_avail = 0; spin_unlock_irqrestore(>lock, flags); - err = wait_event_interruptible(*chan->vc_wq, - chan->ring_bufs_avail); + err = wait_event_killable(*chan->vc_wq, + chan->ring_bufs_avail); if (err == -ERESTARTSYS) goto err_out; @@ -472,8 +472,7 @@ req_retry_pinned: virtqueue_kick(chan->vq); spin_unlock_irqrestore(>lock, flags); p9_debug(P9_DEBUG_TRANS, "virtio request kicked\n"); - err = wait_event_interruptible(*req->wq, - req->status >= REQ_STATUS_RCVD); + err = wait_event_killable(*req->wq, req->status >= REQ_STATUS_RCVD); /* * Non kernel buffers are pinned, unpin them */
[PATCH 3.16 028/136] net/9p: Switch to wait_event_killable()
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Tuomas Tynkkynen commit 9523feac272ccad2ad8186ba4fcc89103754de52 upstream. Because userspace gets Very Unhappy when calls like stat() and execve() return -EINTR on 9p filesystem mounts. For instance, when bash is looking in PATH for things to execute and some SIGCHLD interrupts stat(), bash can throw a spurious 'command not found' since it doesn't retry the stat(). In practice, hitting the problem is rare and needs a really slow/bogged down 9p server. Signed-off-by: Tuomas Tynkkynen Signed-off-by: Al Viro [bwh: Backported to 3.16: drop changes in trans_xen.c] Signed-off-by: Ben Hutchings --- --- a/net/9p/client.c +++ b/net/9p/client.c @@ -753,8 +753,7 @@ p9_client_rpc(struct p9_client *c, int8_ } again: /* Wait for the response */ - err = wait_event_interruptible(*req->wq, - req->status >= REQ_STATUS_RCVD); + err = wait_event_killable(*req->wq, req->status >= REQ_STATUS_RCVD); /* * Make sure our req is coherent with regard to updates in other --- a/net/9p/trans_virtio.c +++ b/net/9p/trans_virtio.c @@ -292,8 +292,8 @@ req_retry: if (err == -ENOSPC) { chan->ring_bufs_avail = 0; spin_unlock_irqrestore(>lock, flags); - err = wait_event_interruptible(*chan->vc_wq, - chan->ring_bufs_avail); + err = wait_event_killable(*chan->vc_wq, + chan->ring_bufs_avail); if (err == -ERESTARTSYS) return err; @@ -324,7 +324,7 @@ static int p9_get_mapped_pages(struct vi * Other zc request to finish here */ if (atomic_read(_pinned) >= chan->p9_max_pages) { - err = wait_event_interruptible(vp_wq, + err = wait_event_killable(vp_wq, (atomic_read(_pinned) < chan->p9_max_pages)); if (err == -ERESTARTSYS) return err; @@ -454,8 +454,8 @@ req_retry_pinned: if (err == -ENOSPC) { chan->ring_bufs_avail = 0; spin_unlock_irqrestore(>lock, flags); - err = wait_event_interruptible(*chan->vc_wq, - chan->ring_bufs_avail); + err = wait_event_killable(*chan->vc_wq, + chan->ring_bufs_avail); if (err == -ERESTARTSYS) goto err_out; @@ -472,8 +472,7 @@ req_retry_pinned: virtqueue_kick(chan->vq); spin_unlock_irqrestore(>lock, flags); p9_debug(P9_DEBUG_TRANS, "virtio request kicked\n"); - err = wait_event_interruptible(*req->wq, - req->status >= REQ_STATUS_RCVD); + err = wait_event_killable(*req->wq, req->status >= REQ_STATUS_RCVD); /* * Non kernel buffers are pinned, unpin them */
[PATCH 3.16 034/136] l2tp: initialise l2tp_eth sessions before registering them
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Guillaume Naultcommit ee28de6bbd78c2e18111a0aef43ea746f28d2073 upstream. Sessions must be initialised before being made externally visible by l2tp_session_register(). Otherwise the session may be concurrently deleted before being initialised, which can confuse the deletion path and eventually lead to kernel oops. Therefore, we need to move l2tp_session_register() down in l2tp_eth_create(), but also handle the intermediate step where only the session or the netdevice has been registered. We can't just call l2tp_session_register() in ->ndo_init() because we'd have no way to properly undo this operation in ->ndo_uninit(). Instead, let's register the session and the netdevice in two different steps and protect the session's device pointer with RCU. And now that we allow the session's .dev field to be NULL, we don't need to prevent the netdevice from being removed anymore. So we can drop the dev_hold() and dev_put() calls in l2tp_eth_create() and l2tp_eth_dev_uninit(). Fixes: d9e31d17ceba ("l2tp: Add L2TP ethernet pseudowire support") Signed-off-by: Guillaume Nault Signed-off-by: David S. Miller [bwh: Backported to 3.16: - Update another 'goto out' in l2tp_eth_create() - Adjust context] Signed-off-by: Ben Hutchings --- --- a/net/l2tp/l2tp_eth.c +++ b/net/l2tp/l2tp_eth.c @@ -51,7 +51,7 @@ struct l2tp_eth { /* via l2tp_session_priv() */ struct l2tp_eth_sess { - struct net_device *dev; + struct net_device __rcu *dev; }; @@ -69,7 +69,14 @@ static int l2tp_eth_dev_init(struct net_ static void l2tp_eth_dev_uninit(struct net_device *dev) { - dev_put(dev); + struct l2tp_eth *priv = netdev_priv(dev); + struct l2tp_eth_sess *spriv; + + spriv = l2tp_session_priv(priv->session); + RCU_INIT_POINTER(spriv->dev, NULL); + /* No need for synchronize_net() here. We're called by +* unregister_netdev*(), which does the synchronisation for us. +*/ } static int l2tp_eth_dev_xmit(struct sk_buff *skb, struct net_device *dev) @@ -123,8 +130,8 @@ static void l2tp_eth_dev_setup(struct ne static void l2tp_eth_dev_recv(struct l2tp_session *session, struct sk_buff *skb, int data_len) { struct l2tp_eth_sess *spriv = l2tp_session_priv(session); - struct net_device *dev = spriv->dev; - struct l2tp_eth *priv = netdev_priv(dev); + struct net_device *dev; + struct l2tp_eth *priv; if (session->debug & L2TP_MSG_DATA) { unsigned int length; @@ -148,16 +155,25 @@ static void l2tp_eth_dev_recv(struct l2t skb_dst_drop(skb); nf_reset(skb); + rcu_read_lock(); + dev = rcu_dereference(spriv->dev); + if (!dev) + goto error_rcu; + + priv = netdev_priv(dev); if (dev_forward_skb(dev, skb) == NET_RX_SUCCESS) { atomic_long_inc(>rx_packets); atomic_long_add(data_len, >rx_bytes); } else { atomic_long_inc(>rx_errors); } + rcu_read_unlock(); + return; +error_rcu: + rcu_read_unlock(); error: - atomic_long_inc(>rx_errors); kfree_skb(skb); } @@ -168,11 +184,15 @@ static void l2tp_eth_delete(struct l2tp_ if (session) { spriv = l2tp_session_priv(session); - dev = spriv->dev; + + rtnl_lock(); + dev = rtnl_dereference(spriv->dev); if (dev) { - unregister_netdev(dev); - spriv->dev = NULL; + unregister_netdevice(dev); + rtnl_unlock(); module_put(THIS_MODULE); + } else { + rtnl_unlock(); } } } @@ -182,9 +202,20 @@ static void l2tp_eth_show(struct seq_fil { struct l2tp_session *session = arg; struct l2tp_eth_sess *spriv = l2tp_session_priv(session); - struct net_device *dev = spriv->dev; + struct net_device *dev; + + rcu_read_lock(); + dev = rcu_dereference(spriv->dev); + if (!dev) { + rcu_read_unlock(); + return; + } + dev_hold(dev); + rcu_read_unlock(); seq_printf(m, " interface %s\n", dev->name); + + dev_put(dev); } #endif @@ -204,7 +235,7 @@ static int l2tp_eth_create(struct net *n if (dev) { dev_put(dev); rc = -EEXIST; - goto out; + goto err; } strlcpy(name, cfg->ifname, IFNAMSIZ); } else @@ -214,20 +245,13 @@ static int l2tp_eth_create(struct net *n peer_session_id, cfg); if (IS_ERR(session)) {
[PATCH 3.16 062/136] kprobes, x86/alternatives: Use text_mutex to protect smp_alt_modules
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Zhou Chengmingcommit e846d13958066828a9483d862cc8370a72fadbb6 upstream. We use alternatives_text_reserved() to check if the address is in the fixed pieces of alternative reserved, but the problem is that we don't hold the smp_alt mutex when call this function. So the list traversal may encounter a deleted list_head if another path is doing alternatives_smp_module_del(). One solution is that we can hold smp_alt mutex before call this function, but the difficult point is that the callers of this functions, arch_prepare_kprobe() and arch_prepare_optimized_kprobe(), are called inside the text_mutex. So we must hold smp_alt mutex before we go into these arch dependent code. But we can't now, the smp_alt mutex is the arch dependent part, only x86 has it. Maybe we can export another arch dependent callback to solve this. But there is a simpler way to handle this problem. We can reuse the text_mutex to protect smp_alt_modules instead of using another mutex. And all the arch dependent checks of kprobes are inside the text_mutex, so it's safe now. Signed-off-by: Zhou Chengming Reviewed-by: Masami Hiramatsu Acked-by: Steven Rostedt (VMware) Cc: Andy Lutomirski Cc: Borislav Petkov Cc: Brian Gerst Cc: Denys Vlasenko Cc: H. Peter Anvin Cc: Josh Poimboeuf Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: b...@suse.de Fixes: 2cfa197 "ftrace/alternatives: Introducing *_text_reserved functions" Link: http://lkml.kernel.org/r/1509585501-79466-1-git-send-email-zhouchengmi...@huawei.com Signed-off-by: Ingo Molnar Signed-off-by: Ben Hutchings --- arch/x86/kernel/alternative.c | 26 +- kernel/extable.c | 2 ++ 2 files changed, 15 insertions(+), 13 deletions(-) --- a/arch/x86/kernel/alternative.c +++ b/arch/x86/kernel/alternative.c @@ -409,7 +409,6 @@ static void alternatives_smp_lock(const { const s32 *poff; - mutex_lock(_mutex); for (poff = start; poff < end; poff++) { u8 *ptr = (u8 *)poff + *poff; @@ -419,7 +418,6 @@ static void alternatives_smp_lock(const if (*ptr == 0x3e) text_poke(ptr, ((unsigned char []){0xf0}), 1); } - mutex_unlock(_mutex); } static void alternatives_smp_unlock(const s32 *start, const s32 *end, @@ -427,7 +425,6 @@ static void alternatives_smp_unlock(cons { const s32 *poff; - mutex_lock(_mutex); for (poff = start; poff < end; poff++) { u8 *ptr = (u8 *)poff + *poff; @@ -437,7 +434,6 @@ static void alternatives_smp_unlock(cons if (*ptr == 0xf0) text_poke(ptr, ((unsigned char []){0x3E}), 1); } - mutex_unlock(_mutex); } struct smp_alt_module { @@ -456,8 +452,7 @@ struct smp_alt_module { struct list_head next; }; static LIST_HEAD(smp_alt_modules); -static DEFINE_MUTEX(smp_alt); -static bool uniproc_patched = false; /* protected by smp_alt */ +static bool uniproc_patched = false; /* protected by text_mutex */ void __init_or_module alternatives_smp_module_add(struct module *mod, char *name, @@ -466,7 +461,7 @@ void __init_or_module alternatives_smp_m { struct smp_alt_module *smp; - mutex_lock(_alt); + mutex_lock(_mutex); if (!uniproc_patched) goto unlock; @@ -493,14 +488,14 @@ void __init_or_module alternatives_smp_m smp_unlock: alternatives_smp_unlock(locks, locks_end, text, text_end); unlock: - mutex_unlock(_alt); + mutex_unlock(_mutex); } void __init_or_module alternatives_smp_module_del(struct module *mod) { struct smp_alt_module *item; - mutex_lock(_alt); + mutex_lock(_mutex); list_for_each_entry(item, _alt_modules, next) { if (mod != item->mod) continue; @@ -508,7 +503,7 @@ void __init_or_module alternatives_smp_m kfree(item); break; } - mutex_unlock(_alt); + mutex_unlock(_mutex); } void alternatives_enable_smp(void) @@ -518,7 +513,7 @@ void alternatives_enable_smp(void) /* Why bother if there are no other CPUs? */ BUG_ON(num_possible_cpus() == 1); - mutex_lock(_alt); + mutex_lock(_mutex); if (uniproc_patched) { pr_info("switching to SMP code\n"); @@ -530,10 +525,13 @@ void alternatives_enable_smp(void) mod->text, mod->text_end);
[PATCH 3.16 062/136] kprobes, x86/alternatives: Use text_mutex to protect smp_alt_modules
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Zhou Chengming commit e846d13958066828a9483d862cc8370a72fadbb6 upstream. We use alternatives_text_reserved() to check if the address is in the fixed pieces of alternative reserved, but the problem is that we don't hold the smp_alt mutex when call this function. So the list traversal may encounter a deleted list_head if another path is doing alternatives_smp_module_del(). One solution is that we can hold smp_alt mutex before call this function, but the difficult point is that the callers of this functions, arch_prepare_kprobe() and arch_prepare_optimized_kprobe(), are called inside the text_mutex. So we must hold smp_alt mutex before we go into these arch dependent code. But we can't now, the smp_alt mutex is the arch dependent part, only x86 has it. Maybe we can export another arch dependent callback to solve this. But there is a simpler way to handle this problem. We can reuse the text_mutex to protect smp_alt_modules instead of using another mutex. And all the arch dependent checks of kprobes are inside the text_mutex, so it's safe now. Signed-off-by: Zhou Chengming Reviewed-by: Masami Hiramatsu Acked-by: Steven Rostedt (VMware) Cc: Andy Lutomirski Cc: Borislav Petkov Cc: Brian Gerst Cc: Denys Vlasenko Cc: H. Peter Anvin Cc: Josh Poimboeuf Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: b...@suse.de Fixes: 2cfa197 "ftrace/alternatives: Introducing *_text_reserved functions" Link: http://lkml.kernel.org/r/1509585501-79466-1-git-send-email-zhouchengmi...@huawei.com Signed-off-by: Ingo Molnar Signed-off-by: Ben Hutchings --- arch/x86/kernel/alternative.c | 26 +- kernel/extable.c | 2 ++ 2 files changed, 15 insertions(+), 13 deletions(-) --- a/arch/x86/kernel/alternative.c +++ b/arch/x86/kernel/alternative.c @@ -409,7 +409,6 @@ static void alternatives_smp_lock(const { const s32 *poff; - mutex_lock(_mutex); for (poff = start; poff < end; poff++) { u8 *ptr = (u8 *)poff + *poff; @@ -419,7 +418,6 @@ static void alternatives_smp_lock(const if (*ptr == 0x3e) text_poke(ptr, ((unsigned char []){0xf0}), 1); } - mutex_unlock(_mutex); } static void alternatives_smp_unlock(const s32 *start, const s32 *end, @@ -427,7 +425,6 @@ static void alternatives_smp_unlock(cons { const s32 *poff; - mutex_lock(_mutex); for (poff = start; poff < end; poff++) { u8 *ptr = (u8 *)poff + *poff; @@ -437,7 +434,6 @@ static void alternatives_smp_unlock(cons if (*ptr == 0xf0) text_poke(ptr, ((unsigned char []){0x3E}), 1); } - mutex_unlock(_mutex); } struct smp_alt_module { @@ -456,8 +452,7 @@ struct smp_alt_module { struct list_head next; }; static LIST_HEAD(smp_alt_modules); -static DEFINE_MUTEX(smp_alt); -static bool uniproc_patched = false; /* protected by smp_alt */ +static bool uniproc_patched = false; /* protected by text_mutex */ void __init_or_module alternatives_smp_module_add(struct module *mod, char *name, @@ -466,7 +461,7 @@ void __init_or_module alternatives_smp_m { struct smp_alt_module *smp; - mutex_lock(_alt); + mutex_lock(_mutex); if (!uniproc_patched) goto unlock; @@ -493,14 +488,14 @@ void __init_or_module alternatives_smp_m smp_unlock: alternatives_smp_unlock(locks, locks_end, text, text_end); unlock: - mutex_unlock(_alt); + mutex_unlock(_mutex); } void __init_or_module alternatives_smp_module_del(struct module *mod) { struct smp_alt_module *item; - mutex_lock(_alt); + mutex_lock(_mutex); list_for_each_entry(item, _alt_modules, next) { if (mod != item->mod) continue; @@ -508,7 +503,7 @@ void __init_or_module alternatives_smp_m kfree(item); break; } - mutex_unlock(_alt); + mutex_unlock(_mutex); } void alternatives_enable_smp(void) @@ -518,7 +513,7 @@ void alternatives_enable_smp(void) /* Why bother if there are no other CPUs? */ BUG_ON(num_possible_cpus() == 1); - mutex_lock(_alt); + mutex_lock(_mutex); if (uniproc_patched) { pr_info("switching to SMP code\n"); @@ -530,10 +525,13 @@ void alternatives_enable_smp(void) mod->text, mod->text_end); uniproc_patched = false; } - mutex_unlock(_alt); + mutex_unlock(_mutex); } -/* Return 1 if the address range is reserved for smp-alternatives */ +/* + * Return 1 if the address range is reserved for SMP-alternatives. + * Must hold text_mutex. + */ int alternatives_text_reserved(void *start, void *end) {
[PATCH 3.16 034/136] l2tp: initialise l2tp_eth sessions before registering them
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Guillaume Nault commit ee28de6bbd78c2e18111a0aef43ea746f28d2073 upstream. Sessions must be initialised before being made externally visible by l2tp_session_register(). Otherwise the session may be concurrently deleted before being initialised, which can confuse the deletion path and eventually lead to kernel oops. Therefore, we need to move l2tp_session_register() down in l2tp_eth_create(), but also handle the intermediate step where only the session or the netdevice has been registered. We can't just call l2tp_session_register() in ->ndo_init() because we'd have no way to properly undo this operation in ->ndo_uninit(). Instead, let's register the session and the netdevice in two different steps and protect the session's device pointer with RCU. And now that we allow the session's .dev field to be NULL, we don't need to prevent the netdevice from being removed anymore. So we can drop the dev_hold() and dev_put() calls in l2tp_eth_create() and l2tp_eth_dev_uninit(). Fixes: d9e31d17ceba ("l2tp: Add L2TP ethernet pseudowire support") Signed-off-by: Guillaume Nault Signed-off-by: David S. Miller [bwh: Backported to 3.16: - Update another 'goto out' in l2tp_eth_create() - Adjust context] Signed-off-by: Ben Hutchings --- --- a/net/l2tp/l2tp_eth.c +++ b/net/l2tp/l2tp_eth.c @@ -51,7 +51,7 @@ struct l2tp_eth { /* via l2tp_session_priv() */ struct l2tp_eth_sess { - struct net_device *dev; + struct net_device __rcu *dev; }; @@ -69,7 +69,14 @@ static int l2tp_eth_dev_init(struct net_ static void l2tp_eth_dev_uninit(struct net_device *dev) { - dev_put(dev); + struct l2tp_eth *priv = netdev_priv(dev); + struct l2tp_eth_sess *spriv; + + spriv = l2tp_session_priv(priv->session); + RCU_INIT_POINTER(spriv->dev, NULL); + /* No need for synchronize_net() here. We're called by +* unregister_netdev*(), which does the synchronisation for us. +*/ } static int l2tp_eth_dev_xmit(struct sk_buff *skb, struct net_device *dev) @@ -123,8 +130,8 @@ static void l2tp_eth_dev_setup(struct ne static void l2tp_eth_dev_recv(struct l2tp_session *session, struct sk_buff *skb, int data_len) { struct l2tp_eth_sess *spriv = l2tp_session_priv(session); - struct net_device *dev = spriv->dev; - struct l2tp_eth *priv = netdev_priv(dev); + struct net_device *dev; + struct l2tp_eth *priv; if (session->debug & L2TP_MSG_DATA) { unsigned int length; @@ -148,16 +155,25 @@ static void l2tp_eth_dev_recv(struct l2t skb_dst_drop(skb); nf_reset(skb); + rcu_read_lock(); + dev = rcu_dereference(spriv->dev); + if (!dev) + goto error_rcu; + + priv = netdev_priv(dev); if (dev_forward_skb(dev, skb) == NET_RX_SUCCESS) { atomic_long_inc(>rx_packets); atomic_long_add(data_len, >rx_bytes); } else { atomic_long_inc(>rx_errors); } + rcu_read_unlock(); + return; +error_rcu: + rcu_read_unlock(); error: - atomic_long_inc(>rx_errors); kfree_skb(skb); } @@ -168,11 +184,15 @@ static void l2tp_eth_delete(struct l2tp_ if (session) { spriv = l2tp_session_priv(session); - dev = spriv->dev; + + rtnl_lock(); + dev = rtnl_dereference(spriv->dev); if (dev) { - unregister_netdev(dev); - spriv->dev = NULL; + unregister_netdevice(dev); + rtnl_unlock(); module_put(THIS_MODULE); + } else { + rtnl_unlock(); } } } @@ -182,9 +202,20 @@ static void l2tp_eth_show(struct seq_fil { struct l2tp_session *session = arg; struct l2tp_eth_sess *spriv = l2tp_session_priv(session); - struct net_device *dev = spriv->dev; + struct net_device *dev; + + rcu_read_lock(); + dev = rcu_dereference(spriv->dev); + if (!dev) { + rcu_read_unlock(); + return; + } + dev_hold(dev); + rcu_read_unlock(); seq_printf(m, " interface %s\n", dev->name); + + dev_put(dev); } #endif @@ -204,7 +235,7 @@ static int l2tp_eth_create(struct net *n if (dev) { dev_put(dev); rc = -EEXIST; - goto out; + goto err; } strlcpy(name, cfg->ifname, IFNAMSIZ); } else @@ -214,20 +245,13 @@ static int l2tp_eth_create(struct net *n peer_session_id, cfg); if (IS_ERR(session)) { rc = PTR_ERR(session); - goto out; - } - -
[PATCH 3.16 025/136] IB/srp: Avoid that a cable pull can trigger a kernel crash
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Bart Van Asschecommit 8a0d18c62121d3c554a83eb96e2752861d84d937 upstream. This patch fixes the following kernel crash: general protection fault: [#1] PREEMPT SMP Workqueue: ib_mad2 timeout_sends [ib_core] Call Trace: ib_sa_path_rec_callback+0x1c4/0x1d0 [ib_core] send_handler+0xb2/0xd0 [ib_core] timeout_sends+0x14d/0x220 [ib_core] process_one_work+0x200/0x630 worker_thread+0x4e/0x3b0 kthread+0x113/0x150 Fixes: commit aef9ec39c47f ("IB: Add SCSI RDMA Protocol (SRP) initiator") Signed-off-by: Bart Van Assche Reviewed-by: Sagi Grimberg Signed-off-by: Doug Ledford [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings --- --- a/drivers/infiniband/ulp/srp/ib_srp.c +++ b/drivers/infiniband/ulp/srp/ib_srp.c @@ -600,12 +600,19 @@ static void srp_path_rec_completion(int static int srp_lookup_path(struct srp_target_port *target) { - int ret; + int ret = -ENODEV; target->path.numb_path = 1; init_completion(>done); + /* +* Avoid that the SCSI host can be removed by srp_remove_target() +* before srp_path_rec_completion() is called. +*/ + if (!scsi_host_get(target->scsi_host)) + goto out; + target->path_query_id = ib_sa_path_rec_get(_sa_client, target->srp_host->srp_dev->dev, target->srp_host->port, @@ -619,18 +626,24 @@ static int srp_lookup_path(struct srp_ta GFP_KERNEL, srp_path_rec_completion, target, >path_query); - if (target->path_query_id < 0) - return target->path_query_id; + ret = target->path_query_id; + if (ret < 0) + goto put; ret = wait_for_completion_interruptible(>done); if (ret < 0) return ret; - if (target->status < 0) + ret = target->status; + if (ret < 0) shost_printk(KERN_WARNING, target->scsi_host, PFX "Path record query failed\n"); - return target->status; +put: + scsi_host_put(target->scsi_host); + +out: + return ret; } static int srp_send_req(struct srp_target_port *target)
[PATCH 3.16 025/136] IB/srp: Avoid that a cable pull can trigger a kernel crash
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Bart Van Assche commit 8a0d18c62121d3c554a83eb96e2752861d84d937 upstream. This patch fixes the following kernel crash: general protection fault: [#1] PREEMPT SMP Workqueue: ib_mad2 timeout_sends [ib_core] Call Trace: ib_sa_path_rec_callback+0x1c4/0x1d0 [ib_core] send_handler+0xb2/0xd0 [ib_core] timeout_sends+0x14d/0x220 [ib_core] process_one_work+0x200/0x630 worker_thread+0x4e/0x3b0 kthread+0x113/0x150 Fixes: commit aef9ec39c47f ("IB: Add SCSI RDMA Protocol (SRP) initiator") Signed-off-by: Bart Van Assche Reviewed-by: Sagi Grimberg Signed-off-by: Doug Ledford [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings --- --- a/drivers/infiniband/ulp/srp/ib_srp.c +++ b/drivers/infiniband/ulp/srp/ib_srp.c @@ -600,12 +600,19 @@ static void srp_path_rec_completion(int static int srp_lookup_path(struct srp_target_port *target) { - int ret; + int ret = -ENODEV; target->path.numb_path = 1; init_completion(>done); + /* +* Avoid that the SCSI host can be removed by srp_remove_target() +* before srp_path_rec_completion() is called. +*/ + if (!scsi_host_get(target->scsi_host)) + goto out; + target->path_query_id = ib_sa_path_rec_get(_sa_client, target->srp_host->srp_dev->dev, target->srp_host->port, @@ -619,18 +626,24 @@ static int srp_lookup_path(struct srp_ta GFP_KERNEL, srp_path_rec_completion, target, >path_query); - if (target->path_query_id < 0) - return target->path_query_id; + ret = target->path_query_id; + if (ret < 0) + goto put; ret = wait_for_completion_interruptible(>done); if (ret < 0) return ret; - if (target->status < 0) + ret = target->status; + if (ret < 0) shost_printk(KERN_WARNING, target->scsi_host, PFX "Path record query failed\n"); - return target->status; +put: + scsi_host_put(target->scsi_host); + +out: + return ret; } static int srp_send_req(struct srp_target_port *target)
[PATCH 3.16 030/136] f2fs: expose some sectors to user in inline data or dentry case
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Jaegeuk Kimcommit 5b4267d195dd887c4412e34b5a7365baa741b679 upstream. If there's some data written through inline data or dentry, we need to shouw st_blocks. This fixes reporting zero blocks even though there is small written data. Reviewed-by: Chao Yu [Jaegeuk Kim: avoid link file for quotacheck] Signed-off-by: Jaegeuk Kim [bwh: Backported to 3.16: - Inline dentries are not supported - Adjust context] Signed-off-by: Ben Hutchings --- --- a/fs/f2fs/file.c +++ b/fs/f2fs/file.c @@ -460,6 +460,11 @@ int f2fs_getattr(struct vfsmount *mnt, struct inode *inode = dentry->d_inode; generic_fillattr(inode, stat); stat->blocks <<= 3; + + /* we need to show initial sectors used for inline_data/dentries */ + if (S_ISREG(inode->i_mode) && f2fs_has_inline_data(inode)) + stat->blocks += (stat->size + 511) >> 9; + return 0; }
[PATCH 3.16 030/136] f2fs: expose some sectors to user in inline data or dentry case
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Jaegeuk Kim commit 5b4267d195dd887c4412e34b5a7365baa741b679 upstream. If there's some data written through inline data or dentry, we need to shouw st_blocks. This fixes reporting zero blocks even though there is small written data. Reviewed-by: Chao Yu [Jaegeuk Kim: avoid link file for quotacheck] Signed-off-by: Jaegeuk Kim [bwh: Backported to 3.16: - Inline dentries are not supported - Adjust context] Signed-off-by: Ben Hutchings --- --- a/fs/f2fs/file.c +++ b/fs/f2fs/file.c @@ -460,6 +460,11 @@ int f2fs_getattr(struct vfsmount *mnt, struct inode *inode = dentry->d_inode; generic_fillattr(inode, stat); stat->blocks <<= 3; + + /* we need to show initial sectors used for inline_data/dentries */ + if (S_ISREG(inode->i_mode) && f2fs_has_inline_data(inode)) + stat->blocks += (stat->size + 511) >> 9; + return 0; }
[PATCH 3.16 024/136] IB/srpt: Do not accept invalid initiator port names
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Bart Van Asschecommit c70ca38960399a63d5c048b7b700612ea321d17e upstream. Make srpt_parse_i_port_id() return a negative value if hex2bin() fails. Fixes: commit a42d985bd5b2 ("ib_srpt: Initial SRP Target merge for v3.3-rc1") Signed-off-by: Bart Van Assche Signed-off-by: Doug Ledford Signed-off-by: Ben Hutchings --- drivers/infiniband/ulp/srpt/ib_srpt.c | 9 - 1 file changed, 4 insertions(+), 5 deletions(-) --- a/drivers/infiniband/ulp/srpt/ib_srpt.c +++ b/drivers/infiniband/ulp/srpt/ib_srpt.c @@ -3521,7 +3521,7 @@ static int srpt_parse_i_port_id(u8 i_por { const char *p; unsigned len, count, leading_zero_bytes; - int ret, rc; + int ret; p = name; if (strnicmp(p, "0x", 2) == 0) @@ -3533,10 +3533,9 @@ static int srpt_parse_i_port_id(u8 i_por count = min(len / 2, 16U); leading_zero_bytes = 16 - count; memset(i_port_id, 0, leading_zero_bytes); - rc = hex2bin(i_port_id + leading_zero_bytes, p, count); - if (rc < 0) - pr_debug("hex2bin failed for srpt_parse_i_port_id: %d\n", rc); - ret = 0; + ret = hex2bin(i_port_id + leading_zero_bytes, p, count); + if (ret < 0) + pr_debug("hex2bin failed for srpt_parse_i_port_id: %d\n", ret); out: return ret; }
[PATCH 3.16 024/136] IB/srpt: Do not accept invalid initiator port names
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Bart Van Assche commit c70ca38960399a63d5c048b7b700612ea321d17e upstream. Make srpt_parse_i_port_id() return a negative value if hex2bin() fails. Fixes: commit a42d985bd5b2 ("ib_srpt: Initial SRP Target merge for v3.3-rc1") Signed-off-by: Bart Van Assche Signed-off-by: Doug Ledford Signed-off-by: Ben Hutchings --- drivers/infiniband/ulp/srpt/ib_srpt.c | 9 - 1 file changed, 4 insertions(+), 5 deletions(-) --- a/drivers/infiniband/ulp/srpt/ib_srpt.c +++ b/drivers/infiniband/ulp/srpt/ib_srpt.c @@ -3521,7 +3521,7 @@ static int srpt_parse_i_port_id(u8 i_por { const char *p; unsigned len, count, leading_zero_bytes; - int ret, rc; + int ret; p = name; if (strnicmp(p, "0x", 2) == 0) @@ -3533,10 +3533,9 @@ static int srpt_parse_i_port_id(u8 i_por count = min(len / 2, 16U); leading_zero_bytes = 16 - count; memset(i_port_id, 0, leading_zero_bytes); - rc = hex2bin(i_port_id + leading_zero_bytes, p, count); - if (rc < 0) - pr_debug("hex2bin failed for srpt_parse_i_port_id: %d\n", rc); - ret = 0; + ret = hex2bin(i_port_id + leading_zero_bytes, p, count); + if (ret < 0) + pr_debug("hex2bin failed for srpt_parse_i_port_id: %d\n", ret); out: return ret; }
[PATCH 3.16 036/136] l2tp: initialise PPP sessions before registering them
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Guillaume Naultcommit f98be6c6359e7e4a61aaefb9964c1db31cb9ec0c upstream. pppol2tp_connect() initialises L2TP sessions after they've been exposed to the rest of the system by l2tp_session_register(). This puts sessions into transient states that are the source of several races, in particular with session's deletion path. This patch centralises the initialisation code into pppol2tp_session_init(), which is called before the registration phase. The only field that can't be set before session registration is the pppol2tp socket pointer, which has already been converted to RCU. So pppol2tp_connect() should now be race-free. The session's .session_close() callback is now set before registration. Therefore, it's always called when l2tp_core deletes the session, even if it was created by pppol2tp_session_create() and hasn't been plugged to a pppol2tp socket yet. That'd prevent session free because the extra reference taken by pppol2tp_session_close() wouldn't be dropped by the socket's ->sk_destruct() callback (pppol2tp_session_destruct()). We could set .session_close() only while connecting a session to its pppol2tp socket, or teach pppol2tp_session_close() to avoid grabbing a reference when the session isn't connected, but that'd require adding some form of synchronisation to be race free. Instead of that, we can just let the pppol2tp socket hold a reference on the session as soon as it starts depending on it (that is, in pppol2tp_connect()). Then we don't need to utilise pppol2tp_session_close() to hold a reference at the last moment to prevent l2tp_core from dropping it. When releasing the socket, pppol2tp_release() now deletes the session using the standard l2tp_session_delete() function, instead of merely removing it from hash tables. l2tp_session_delete() drops the reference the sessions holds on itself, but also makes sure it doesn't remove a session twice. So it can safely be called, even if l2tp_core already tried, or is concurrently trying, to remove the session. Finally, pppol2tp_session_destruct() drops the reference held by the socket. Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts") Signed-off-by: Guillaume Nault Signed-off-by: David S. Miller [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings --- net/l2tp/l2tp_ppp.c | 69 + 1 file changed, 38 insertions(+), 31 deletions(-) --- a/net/l2tp/l2tp_ppp.c +++ b/net/l2tp/l2tp_ppp.c @@ -468,9 +468,6 @@ static void pppol2tp_session_close(struc inet_shutdown(sk->sk_socket, SEND_SHUTDOWN); sock_put(sk); } - - /* Don't let the session go away before our socket does */ - l2tp_session_inc_refcount(session); } /* Really kill the session socket. (Called from sock_put() if @@ -526,8 +523,7 @@ static int pppol2tp_release(struct socke if (session != NULL) { struct pppol2tp_session *ps; - __l2tp_session_unhash(session); - l2tp_session_queue_purge(session); + l2tp_session_delete(session); ps = l2tp_session_priv(session); mutex_lock(>sk_lock); @@ -619,6 +615,35 @@ static void pppol2tp_show(struct seq_fil } #endif +static void pppol2tp_session_init(struct l2tp_session *session) +{ + struct pppol2tp_session *ps; + struct dst_entry *dst; + + session->recv_skb = pppol2tp_recv; + session->session_close = pppol2tp_session_close; +#if IS_ENABLED(CONFIG_L2TP_DEBUGFS) + session->show = pppol2tp_show; +#endif + + ps = l2tp_session_priv(session); + mutex_init(>sk_lock); + ps->tunnel_sock = session->tunnel->sock; + ps->owner = current->pid; + + /* If PMTU discovery was enabled, use the MTU that was discovered */ + dst = sk_dst_get(session->tunnel->sock); + if (dst) { + u32 pmtu = dst_mtu(dst); + + if (pmtu) { + session->mtu = pmtu - PPPOL2TP_HEADER_OVERHEAD; + session->mru = pmtu - PPPOL2TP_HEADER_OVERHEAD; + } + dst_release(dst); + } +} + /* connect() handler. Attach a PPPoX socket to a tunnel UDP socket */ static int pppol2tp_connect(struct socket *sock, struct sockaddr *uservaddr, @@ -630,7 +655,6 @@ static int pppol2tp_connect(struct socke struct l2tp_session *session = NULL; struct l2tp_tunnel *tunnel; struct pppol2tp_session *ps; - struct dst_entry *dst; struct l2tp_session_cfg cfg = { 0, }; int error = 0; u32 tunnel_id, peer_tunnel_id; @@ -775,8 +799,8 @@ static int pppol2tp_connect(struct socke goto end; } +
[PATCH 3.16 036/136] l2tp: initialise PPP sessions before registering them
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Guillaume Nault commit f98be6c6359e7e4a61aaefb9964c1db31cb9ec0c upstream. pppol2tp_connect() initialises L2TP sessions after they've been exposed to the rest of the system by l2tp_session_register(). This puts sessions into transient states that are the source of several races, in particular with session's deletion path. This patch centralises the initialisation code into pppol2tp_session_init(), which is called before the registration phase. The only field that can't be set before session registration is the pppol2tp socket pointer, which has already been converted to RCU. So pppol2tp_connect() should now be race-free. The session's .session_close() callback is now set before registration. Therefore, it's always called when l2tp_core deletes the session, even if it was created by pppol2tp_session_create() and hasn't been plugged to a pppol2tp socket yet. That'd prevent session free because the extra reference taken by pppol2tp_session_close() wouldn't be dropped by the socket's ->sk_destruct() callback (pppol2tp_session_destruct()). We could set .session_close() only while connecting a session to its pppol2tp socket, or teach pppol2tp_session_close() to avoid grabbing a reference when the session isn't connected, but that'd require adding some form of synchronisation to be race free. Instead of that, we can just let the pppol2tp socket hold a reference on the session as soon as it starts depending on it (that is, in pppol2tp_connect()). Then we don't need to utilise pppol2tp_session_close() to hold a reference at the last moment to prevent l2tp_core from dropping it. When releasing the socket, pppol2tp_release() now deletes the session using the standard l2tp_session_delete() function, instead of merely removing it from hash tables. l2tp_session_delete() drops the reference the sessions holds on itself, but also makes sure it doesn't remove a session twice. So it can safely be called, even if l2tp_core already tried, or is concurrently trying, to remove the session. Finally, pppol2tp_session_destruct() drops the reference held by the socket. Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts") Signed-off-by: Guillaume Nault Signed-off-by: David S. Miller [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings --- net/l2tp/l2tp_ppp.c | 69 + 1 file changed, 38 insertions(+), 31 deletions(-) --- a/net/l2tp/l2tp_ppp.c +++ b/net/l2tp/l2tp_ppp.c @@ -468,9 +468,6 @@ static void pppol2tp_session_close(struc inet_shutdown(sk->sk_socket, SEND_SHUTDOWN); sock_put(sk); } - - /* Don't let the session go away before our socket does */ - l2tp_session_inc_refcount(session); } /* Really kill the session socket. (Called from sock_put() if @@ -526,8 +523,7 @@ static int pppol2tp_release(struct socke if (session != NULL) { struct pppol2tp_session *ps; - __l2tp_session_unhash(session); - l2tp_session_queue_purge(session); + l2tp_session_delete(session); ps = l2tp_session_priv(session); mutex_lock(>sk_lock); @@ -619,6 +615,35 @@ static void pppol2tp_show(struct seq_fil } #endif +static void pppol2tp_session_init(struct l2tp_session *session) +{ + struct pppol2tp_session *ps; + struct dst_entry *dst; + + session->recv_skb = pppol2tp_recv; + session->session_close = pppol2tp_session_close; +#if IS_ENABLED(CONFIG_L2TP_DEBUGFS) + session->show = pppol2tp_show; +#endif + + ps = l2tp_session_priv(session); + mutex_init(>sk_lock); + ps->tunnel_sock = session->tunnel->sock; + ps->owner = current->pid; + + /* If PMTU discovery was enabled, use the MTU that was discovered */ + dst = sk_dst_get(session->tunnel->sock); + if (dst) { + u32 pmtu = dst_mtu(dst); + + if (pmtu) { + session->mtu = pmtu - PPPOL2TP_HEADER_OVERHEAD; + session->mru = pmtu - PPPOL2TP_HEADER_OVERHEAD; + } + dst_release(dst); + } +} + /* connect() handler. Attach a PPPoX socket to a tunnel UDP socket */ static int pppol2tp_connect(struct socket *sock, struct sockaddr *uservaddr, @@ -630,7 +655,6 @@ static int pppol2tp_connect(struct socke struct l2tp_session *session = NULL; struct l2tp_tunnel *tunnel; struct pppol2tp_session *ps; - struct dst_entry *dst; struct l2tp_session_cfg cfg = { 0, }; int error = 0; u32 tunnel_id, peer_tunnel_id; @@ -775,8 +799,8 @@ static int pppol2tp_connect(struct socke goto end; } + pppol2tp_session_init(session); ps = l2tp_session_priv(session); -
[PATCH 3.16 021/136] USB: serial: metro-usb: stop I/O after failed open
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Johan Hovoldcommit 2339536d229df25c71c0900fc619289229bfecf6 upstream. Make sure to kill the interrupt-in URB after a failed open request. Apart from saving power (and avoiding stale input after a later successful open), this also prevents a NULL-deref in the completion handler if the port is manually unbound. Reviewed-by: Greg Kroah-Hartman Fixes: 704577861d5e ("USB: serial: metro-usb: get data from device in Uni-Directional mode.") Signed-off-by: Johan Hovold [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings --- drivers/usb/serial/metro-usb.c | 11 --- 1 file changed, 8 insertions(+), 3 deletions(-) --- a/drivers/usb/serial/metro-usb.c +++ b/drivers/usb/serial/metro-usb.c @@ -217,7 +217,7 @@ static int metrousb_open(struct tty_stru dev_err(>dev, "%s - failed submitting interrupt in urb, error code=%d\n", __func__, result); - goto exit; + return result; } /* Send activate cmd to device */ @@ -226,11 +226,16 @@ static int metrousb_open(struct tty_stru dev_err(>dev, "%s - failed to configure device, error code=%d\n", __func__, result); - goto exit; + goto err_kill_urb; } dev_dbg(>dev, "%s - port open\n", __func__); -exit: + + return 0; + +err_kill_urb: + usb_kill_urb(port->interrupt_in_urb); + return result; }
[PATCH 3.16 021/136] USB: serial: metro-usb: stop I/O after failed open
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Johan Hovold commit 2339536d229df25c71c0900fc619289229bfecf6 upstream. Make sure to kill the interrupt-in URB after a failed open request. Apart from saving power (and avoiding stale input after a later successful open), this also prevents a NULL-deref in the completion handler if the port is manually unbound. Reviewed-by: Greg Kroah-Hartman Fixes: 704577861d5e ("USB: serial: metro-usb: get data from device in Uni-Directional mode.") Signed-off-by: Johan Hovold [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings --- drivers/usb/serial/metro-usb.c | 11 --- 1 file changed, 8 insertions(+), 3 deletions(-) --- a/drivers/usb/serial/metro-usb.c +++ b/drivers/usb/serial/metro-usb.c @@ -217,7 +217,7 @@ static int metrousb_open(struct tty_stru dev_err(>dev, "%s - failed submitting interrupt in urb, error code=%d\n", __func__, result); - goto exit; + return result; } /* Send activate cmd to device */ @@ -226,11 +226,16 @@ static int metrousb_open(struct tty_stru dev_err(>dev, "%s - failed to configure device, error code=%d\n", __func__, result); - goto exit; + goto err_kill_urb; } dev_dbg(>dev, "%s - port open\n", __func__); -exit: + + return 0; + +err_kill_urb: + usb_kill_urb(port->interrupt_in_urb); + return result; }
[PATCH 3.16 059/136] powerpc/powernv/cpufreq: Fix the frequency read by /proc/cpuinfo
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Shriyacommit cd77b5ce208c153260ed7882d8910f2395bfaabd upstream. The call to /proc/cpuinfo in turn calls cpufreq_quick_get() which returns the last frequency requested by the kernel, but may not reflect the actual frequency the processor is running at. This patch makes a call to cpufreq_get() instead which returns the current frequency reported by the hardware. Fixes: fb5153d05a7d ("powerpc: powernv: Implement ppc_md.get_proc_freq()") Signed-off-by: Shriya Signed-off-by: Michael Ellerman Signed-off-by: Ben Hutchings --- arch/powerpc/platforms/powernv/setup.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/arch/powerpc/platforms/powernv/setup.c +++ b/arch/powerpc/platforms/powernv/setup.c @@ -309,7 +309,7 @@ unsigned long pnv_get_proc_freq(unsigned { unsigned long ret_freq; - ret_freq = cpufreq_quick_get(cpu) * 1000ul; + ret_freq = cpufreq_get(cpu) * 1000ul; /* * If the backend cpufreq driver does not exist,
[PATCH 3.16 027/136] fs/9p: Compare qid.path in v9fs_test_inode
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Tuomas Tynkkynencommit 8ee031631546cf2f7859cc69593bd60bbdd70b46 upstream. Commit fd2421f54423 ("fs/9p: When doing inode lookup compare qid details and inode mode bits.") transformed v9fs_qid_iget() to use iget5_locked() instead of iget_locked(). However, the test() callback is not checking fid.path at all, which means that a lookup in the inode cache can now accidentally locate a completely wrong inode from the same inode hash bucket if the other fields (qid.type and qid.version) match. Fixes: fd2421f54423 ("fs/9p: When doing inode lookup compare qid details and inode mode bits.") Reviewed-by: Latchesar Ionkov Signed-off-by: Tuomas Tynkkynen Signed-off-by: Al Viro Signed-off-by: Ben Hutchings --- fs/9p/vfs_inode.c | 3 +++ fs/9p/vfs_inode_dotl.c | 3 +++ 2 files changed, 6 insertions(+) --- a/fs/9p/vfs_inode.c +++ b/fs/9p/vfs_inode.c @@ -483,6 +483,9 @@ static int v9fs_test_inode(struct inode if (v9inode->qid.type != st->qid.type) return 0; + + if (v9inode->qid.path != st->qid.path) + return 0; return 1; } --- a/fs/9p/vfs_inode_dotl.c +++ b/fs/9p/vfs_inode_dotl.c @@ -87,6 +87,9 @@ static int v9fs_test_inode_dotl(struct i if (v9inode->qid.type != st->qid.type) return 0; + + if (v9inode->qid.path != st->qid.path) + return 0; return 1; }
[PATCH 3.16 059/136] powerpc/powernv/cpufreq: Fix the frequency read by /proc/cpuinfo
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Shriya commit cd77b5ce208c153260ed7882d8910f2395bfaabd upstream. The call to /proc/cpuinfo in turn calls cpufreq_quick_get() which returns the last frequency requested by the kernel, but may not reflect the actual frequency the processor is running at. This patch makes a call to cpufreq_get() instead which returns the current frequency reported by the hardware. Fixes: fb5153d05a7d ("powerpc: powernv: Implement ppc_md.get_proc_freq()") Signed-off-by: Shriya Signed-off-by: Michael Ellerman Signed-off-by: Ben Hutchings --- arch/powerpc/platforms/powernv/setup.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/arch/powerpc/platforms/powernv/setup.c +++ b/arch/powerpc/platforms/powernv/setup.c @@ -309,7 +309,7 @@ unsigned long pnv_get_proc_freq(unsigned { unsigned long ret_freq; - ret_freq = cpufreq_quick_get(cpu) * 1000ul; + ret_freq = cpufreq_get(cpu) * 1000ul; /* * If the backend cpufreq driver does not exist,
[PATCH 3.16 027/136] fs/9p: Compare qid.path in v9fs_test_inode
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Tuomas Tynkkynen commit 8ee031631546cf2f7859cc69593bd60bbdd70b46 upstream. Commit fd2421f54423 ("fs/9p: When doing inode lookup compare qid details and inode mode bits.") transformed v9fs_qid_iget() to use iget5_locked() instead of iget_locked(). However, the test() callback is not checking fid.path at all, which means that a lookup in the inode cache can now accidentally locate a completely wrong inode from the same inode hash bucket if the other fields (qid.type and qid.version) match. Fixes: fd2421f54423 ("fs/9p: When doing inode lookup compare qid details and inode mode bits.") Reviewed-by: Latchesar Ionkov Signed-off-by: Tuomas Tynkkynen Signed-off-by: Al Viro Signed-off-by: Ben Hutchings --- fs/9p/vfs_inode.c | 3 +++ fs/9p/vfs_inode_dotl.c | 3 +++ 2 files changed, 6 insertions(+) --- a/fs/9p/vfs_inode.c +++ b/fs/9p/vfs_inode.c @@ -483,6 +483,9 @@ static int v9fs_test_inode(struct inode if (v9inode->qid.type != st->qid.type) return 0; + + if (v9inode->qid.path != st->qid.path) + return 0; return 1; } --- a/fs/9p/vfs_inode_dotl.c +++ b/fs/9p/vfs_inode_dotl.c @@ -87,6 +87,9 @@ static int v9fs_test_inode_dotl(struct i if (v9inode->qid.type != st->qid.type) return 0; + + if (v9inode->qid.path != st->qid.path) + return 0; return 1; }
[PATCH 3.16 056/136] powerpc/pseries/vio: Dispose of virq mapping on vdevice unregister
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Tyrel Datwylercommit b8f89fea599d91e674497aad572613eb63181f31 upstream. When a vdevice is DLPAR removed from the system the vio subsystem doesn't bother unmapping the virq from the irq_domain. As a result we have a virq mapped to a hardware irq that is no longer valid for the irq_domain. A side effect is that we are left with /proc/irq/ affinity entries, and attempts to modify the smp_affinity of the irq will fail. In the following observed example the kernel log is spammed by ics_rtas_set_affinity errors after the removal of a VSCSI adapter. This is a result of irqbalance trying to adjust the affinity every 10 seconds. rpadlpar_io: slot U8408.E8E.10A7ACV-V5-C25 removed ics_rtas_set_affinity: ibm,set-xive irq=655385 returns -3 ics_rtas_set_affinity: ibm,set-xive irq=655385 returns -3 This patch fixes the issue by calling irq_dispose_mapping() on the virq of the viodev on unregister. Fixes: f2ab6219969f ("powerpc/pseries: Add PFO support to the VIO bus") Signed-off-by: Tyrel Datwyler Signed-off-by: Michael Ellerman [bwh: Backported to 3.16: adjust filename] Signed-off-by: Ben Hutchings --- arch/powerpc/kernel/vio.c | 2 ++ 1 file changed, 2 insertions(+) --- a/arch/powerpc/kernel/vio.c +++ b/arch/powerpc/kernel/vio.c @@ -1572,6 +1572,8 @@ static struct device_attribute vio_dev_a void vio_unregister_device(struct vio_dev *viodev) { device_unregister(>dev); + if (viodev->family == VDEVICE) + irq_dispose_mapping(viodev->irq); } EXPORT_SYMBOL(vio_unregister_device);
[PATCH 3.16 056/136] powerpc/pseries/vio: Dispose of virq mapping on vdevice unregister
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Tyrel Datwyler commit b8f89fea599d91e674497aad572613eb63181f31 upstream. When a vdevice is DLPAR removed from the system the vio subsystem doesn't bother unmapping the virq from the irq_domain. As a result we have a virq mapped to a hardware irq that is no longer valid for the irq_domain. A side effect is that we are left with /proc/irq/ affinity entries, and attempts to modify the smp_affinity of the irq will fail. In the following observed example the kernel log is spammed by ics_rtas_set_affinity errors after the removal of a VSCSI adapter. This is a result of irqbalance trying to adjust the affinity every 10 seconds. rpadlpar_io: slot U8408.E8E.10A7ACV-V5-C25 removed ics_rtas_set_affinity: ibm,set-xive irq=655385 returns -3 ics_rtas_set_affinity: ibm,set-xive irq=655385 returns -3 This patch fixes the issue by calling irq_dispose_mapping() on the virq of the viodev on unregister. Fixes: f2ab6219969f ("powerpc/pseries: Add PFO support to the VIO bus") Signed-off-by: Tyrel Datwyler Signed-off-by: Michael Ellerman [bwh: Backported to 3.16: adjust filename] Signed-off-by: Ben Hutchings --- arch/powerpc/kernel/vio.c | 2 ++ 1 file changed, 2 insertions(+) --- a/arch/powerpc/kernel/vio.c +++ b/arch/powerpc/kernel/vio.c @@ -1572,6 +1572,8 @@ static struct device_attribute vio_dev_a void vio_unregister_device(struct vio_dev *viodev) { device_unregister(>dev); + if (viodev->family == VDEVICE) + irq_dispose_mapping(viodev->irq); } EXPORT_SYMBOL(vio_unregister_device);
[PATCH 3.16 038/136] bcache: only permit to recovery read error when cache device is clean
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Coly Licommit d59b23795933678c9638fd20c942d2b4f3cd6185 upstream. When bcache does read I/Os, for example in writeback or writethrough mode, if a read request on cache device is failed, bcache will try to recovery the request by reading from cached device. If the data on cached device is not synced with cache device, then requester will get a stale data. For critical storage system like database, providing stale data from recovery may result an application level data corruption, which is unacceptible. With this patch, for a failed read request in writeback or writethrough mode, recovery a recoverable read request only happens when cache device is clean. That is to say, all data on cached device is up to update. For other cache modes in bcache, read request will never hit cached_dev_read_error(), they don't need this patch. Please note, because cache mode can be switched arbitrarily in run time, a writethrough mode might be switched from a writeback mode. Therefore checking dc->has_data in writethrough mode still makes sense. Changelog: V4: Fix parens error pointed by Michael Lyle. v3: By response from Kent Oversteet, he thinks recovering stale data is a bug to fix, and option to permit it is unnecessary. So this version the sysfs file is removed. v2: rename sysfs entry from allow_stale_data_on_failure to allow_stale_data_on_failure, and fix the confusing commit log. v1: initial patch posted. [small change to patch comment spelling by mlyle] Signed-off-by: Coly Li Signed-off-by: Michael Lyle Reported-by: Arne Wolf Reviewed-by: Michael Lyle Cc: Kent Overstreet Cc: Nix Cc: Kai Krakow Cc: Eric Wheeler Cc: Junhui Tang Signed-off-by: Jens Axboe Signed-off-by: Ben Hutchings --- drivers/md/bcache/request.c | 10 +- 1 file changed, 9 insertions(+), 1 deletion(-) --- a/drivers/md/bcache/request.c +++ b/drivers/md/bcache/request.c @@ -698,8 +698,16 @@ static void cached_dev_read_error(struct { struct search *s = container_of(cl, struct search, cl); struct bio *bio = >bio.bio; + struct cached_dev *dc = container_of(s->d, struct cached_dev, disk); - if (s->recoverable) { + /* +* If cache device is dirty (dc->has_dirty is non-zero), then +* recovery a failed read request from cached device may get a +* stale data back. So read failure recovery is only permitted +* when cache device is clean. +*/ + if (s->recoverable && + (dc && !atomic_read(>has_dirty))) { /* Retry from the backing device: */ trace_bcache_read_retry(s->orig_bio);
[PATCH 3.16 038/136] bcache: only permit to recovery read error when cache device is clean
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Coly Li commit d59b23795933678c9638fd20c942d2b4f3cd6185 upstream. When bcache does read I/Os, for example in writeback or writethrough mode, if a read request on cache device is failed, bcache will try to recovery the request by reading from cached device. If the data on cached device is not synced with cache device, then requester will get a stale data. For critical storage system like database, providing stale data from recovery may result an application level data corruption, which is unacceptible. With this patch, for a failed read request in writeback or writethrough mode, recovery a recoverable read request only happens when cache device is clean. That is to say, all data on cached device is up to update. For other cache modes in bcache, read request will never hit cached_dev_read_error(), they don't need this patch. Please note, because cache mode can be switched arbitrarily in run time, a writethrough mode might be switched from a writeback mode. Therefore checking dc->has_data in writethrough mode still makes sense. Changelog: V4: Fix parens error pointed by Michael Lyle. v3: By response from Kent Oversteet, he thinks recovering stale data is a bug to fix, and option to permit it is unnecessary. So this version the sysfs file is removed. v2: rename sysfs entry from allow_stale_data_on_failure to allow_stale_data_on_failure, and fix the confusing commit log. v1: initial patch posted. [small change to patch comment spelling by mlyle] Signed-off-by: Coly Li Signed-off-by: Michael Lyle Reported-by: Arne Wolf Reviewed-by: Michael Lyle Cc: Kent Overstreet Cc: Nix Cc: Kai Krakow Cc: Eric Wheeler Cc: Junhui Tang Signed-off-by: Jens Axboe Signed-off-by: Ben Hutchings --- drivers/md/bcache/request.c | 10 +- 1 file changed, 9 insertions(+), 1 deletion(-) --- a/drivers/md/bcache/request.c +++ b/drivers/md/bcache/request.c @@ -698,8 +698,16 @@ static void cached_dev_read_error(struct { struct search *s = container_of(cl, struct search, cl); struct bio *bio = >bio.bio; + struct cached_dev *dc = container_of(s->d, struct cached_dev, disk); - if (s->recoverable) { + /* +* If cache device is dirty (dc->has_dirty is non-zero), then +* recovery a failed read request from cached device may get a +* stale data back. So read failure recovery is only permitted +* when cache device is clean. +*/ + if (s->recoverable && + (dc && !atomic_read(>has_dirty))) { /* Retry from the backing device: */ trace_bcache_read_retry(s->orig_bio);
[PATCH 3.16 026/136] tpm-dev-common: Reject too short writes
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Alexander Steffencommit ee70bc1e7b63ac8023c9ff9475d8741e397316e7 upstream. tpm_transmit() does not offer an explicit interface to indicate the number of valid bytes in the communication buffer. Instead, it relies on the commandSize field in the TPM header that is encoded within the buffer. Therefore, ensure that a) enough data has been written to the buffer, so that the commandSize field is present and b) the commandSize field does not announce more data than has been written to the buffer. This should have been fixed with CVE-2011-1161 long ago, but apparently a correct version of that patch never made it into the kernel. Signed-off-by: Alexander Steffen Reviewed-by: Jarkko Sakkinen Tested-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen [bwh: Backported to 3.16: adjust filename, context] Signed-off-by: Ben Hutchings --- drivers/char/tpm/tpm-dev.c | 6 ++ 1 file changed, 6 insertions(+) --- a/drivers/char/tpm/tpm-dev.c +++ b/drivers/char/tpm/tpm-dev.c @@ -139,6 +139,12 @@ static ssize_t tpm_write(struct file *fi return -EFAULT; } + if (in_size < 6 || + in_size < be32_to_cpu(*((__be32 *) (priv->data_buffer + 2 { + mutex_unlock(>buffer_mutex); + return -EINVAL; + } + /* atomic tpm command send and result receive */ out_size = tpm_transmit(priv->chip, priv->data_buffer, sizeof(priv->data_buffer));
[PATCH 3.16 026/136] tpm-dev-common: Reject too short writes
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Alexander Steffen commit ee70bc1e7b63ac8023c9ff9475d8741e397316e7 upstream. tpm_transmit() does not offer an explicit interface to indicate the number of valid bytes in the communication buffer. Instead, it relies on the commandSize field in the TPM header that is encoded within the buffer. Therefore, ensure that a) enough data has been written to the buffer, so that the commandSize field is present and b) the commandSize field does not announce more data than has been written to the buffer. This should have been fixed with CVE-2011-1161 long ago, but apparently a correct version of that patch never made it into the kernel. Signed-off-by: Alexander Steffen Reviewed-by: Jarkko Sakkinen Tested-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen [bwh: Backported to 3.16: adjust filename, context] Signed-off-by: Ben Hutchings --- drivers/char/tpm/tpm-dev.c | 6 ++ 1 file changed, 6 insertions(+) --- a/drivers/char/tpm/tpm-dev.c +++ b/drivers/char/tpm/tpm-dev.c @@ -139,6 +139,12 @@ static ssize_t tpm_write(struct file *fi return -EFAULT; } + if (in_size < 6 || + in_size < be32_to_cpu(*((__be32 *) (priv->data_buffer + 2 { + mutex_unlock(>buffer_mutex); + return -EINVAL; + } + /* atomic tpm command send and result receive */ out_size = tpm_transmit(priv->chip, priv->data_buffer, sizeof(priv->data_buffer));
[PATCH 3.16 022/136] bcache: check ca->alloc_thread initialized before wake up it
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Coly Licommit 91af8300d9c1d7c6b6a2fd754109e08d4798b8d8 upstream. In bcache code, sysfs entries are created before all resources get allocated, e.g. allocation thread of a cache set. There is posibility for NULL pointer deference if a resource is accessed but which is not initialized yet. Indeed Jorg Bornschein catches one on cache set allocation thread and gets a kernel oops. The reason for this bug is, when bch_bucket_alloc() is called during cache set registration and attaching, ca->alloc_thread is not properly allocated and initialized yet, call wake_up_process() on ca->alloc_thread triggers NULL pointer deference failure. A simple and fast fix is, before waking up ca->alloc_thread, checking whether it is allocated, and only wake up ca->alloc_thread when it is not NULL. Signed-off-by: Coly Li Reported-by: Jorg Bornschein Cc: Kent Overstreet Reviewed-by: Michael Lyle Signed-off-by: Jens Axboe Signed-off-by: Ben Hutchings --- drivers/md/bcache/alloc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/drivers/md/bcache/alloc.c +++ b/drivers/md/bcache/alloc.c @@ -406,7 +406,8 @@ long bch_bucket_alloc(struct cache *ca, finish_wait(>set->bucket_wait, ); out: - wake_up_process(ca->alloc_thread); + if (ca->alloc_thread) + wake_up_process(ca->alloc_thread); trace_bcache_alloc(ca, reserve);
[PATCH 3.16 022/136] bcache: check ca->alloc_thread initialized before wake up it
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Coly Li commit 91af8300d9c1d7c6b6a2fd754109e08d4798b8d8 upstream. In bcache code, sysfs entries are created before all resources get allocated, e.g. allocation thread of a cache set. There is posibility for NULL pointer deference if a resource is accessed but which is not initialized yet. Indeed Jorg Bornschein catches one on cache set allocation thread and gets a kernel oops. The reason for this bug is, when bch_bucket_alloc() is called during cache set registration and attaching, ca->alloc_thread is not properly allocated and initialized yet, call wake_up_process() on ca->alloc_thread triggers NULL pointer deference failure. A simple and fast fix is, before waking up ca->alloc_thread, checking whether it is allocated, and only wake up ca->alloc_thread when it is not NULL. Signed-off-by: Coly Li Reported-by: Jorg Bornschein Cc: Kent Overstreet Reviewed-by: Michael Lyle Signed-off-by: Jens Axboe Signed-off-by: Ben Hutchings --- drivers/md/bcache/alloc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/drivers/md/bcache/alloc.c +++ b/drivers/md/bcache/alloc.c @@ -406,7 +406,8 @@ long bch_bucket_alloc(struct cache *ca, finish_wait(>set->bucket_wait, ); out: - wake_up_process(ca->alloc_thread); + if (ca->alloc_thread) + wake_up_process(ca->alloc_thread); trace_bcache_alloc(ca, reserve);
[PATCH 3.16 052/136] coda: fix 'kernel memory exposure attempt' in fsync
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Jan Harkescommit d337b66a4c52c7b04eec661d86c2ef6e168965a2 upstream. When an application called fsync on a file in Coda a small request with just the file identifier was allocated, but the declared length was set to the size of union of all possible upcall requests. This bug has been around for a very long time and is now caught by the extra checking in usercopy that was introduced in Linux-4.8. The exposure happens when the Coda cache manager process reads the fsync upcall request at which point it is killed. As a result there is nobody servicing any further upcalls, trapping any processes that try to access the mounted Coda filesystem. Signed-off-by: Jan Harkes Signed-off-by: Al Viro Signed-off-by: Ben Hutchings --- fs/coda/upcall.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) --- a/fs/coda/upcall.c +++ b/fs/coda/upcall.c @@ -446,8 +446,7 @@ int venus_fsync(struct super_block *sb, UPARG(CODA_FSYNC); inp->coda_fsync.VFid = *fid; - error = coda_upcall(coda_vcp(sb), sizeof(union inputArgs), - , inp); + error = coda_upcall(coda_vcp(sb), insize, , inp); CODA_FREE(inp, insize); return error;
[PATCH 3.16 070/136] MIPS: Fix an n32 core file generation regset support regression
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: "Maciej W. Rozycki"commit 547da673173de51f73887377eb275304775064ad upstream. Fix a commit 7aeb753b5353 ("MIPS: Implement task_user_regset_view.") regression, then activated by commit 6a9c001b7ec3 ("MIPS: Switch ELF core dumper to use regsets.)", that caused n32 processes to dump o32 core files by failing to set the EF_MIPS_ABI2 flag in the ELF core file header's `e_flags' member: $ file tls-core tls-core: ELF 32-bit MSB executable, MIPS, N32 MIPS64 rel2 version 1 (SYSV), [...] $ ./tls-core Aborted (core dumped) $ file core core: ELF 32-bit MSB core file MIPS, MIPS-I version 1 (SYSV), SVR4-style $ Previously the flag was set as the result of a: statement placed in arch/mips/kernel/binfmt_elfn32.c, however in the regset case, i.e. when CORE_DUMP_USE_REGSET is set, ELF_CORE_EFLAGS is no longer used by `fill_note_info' in fs/binfmt_elf.c, and instead the `->e_flags' member of the regset view chosen is. We have the views defined in arch/mips/kernel/ptrace.c, however only an o32 and an n64 one, and the latter is used for n32 as well. Consequently an o32 core file is incorrectly dumped from n32 processes (the ELF32 vs ELF64 class is chosen elsewhere, and the 32-bit one is correctly selected for n32). Correct the issue then by defining an n32 regset view and using it as appropriate. Issue discovered in GDB testing. Fixes: 7aeb753b5353 ("MIPS: Implement task_user_regset_view.") Signed-off-by: Maciej W. Rozycki Cc: Ralf Baechle Cc: Djordje Todorovic Cc: linux-m...@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/17617/ Signed-off-by: James Hogan Signed-off-by: Ben Hutchings --- arch/mips/kernel/ptrace.c | 17 + 1 file changed, 17 insertions(+) --- a/arch/mips/kernel/ptrace.c +++ b/arch/mips/kernel/ptrace.c @@ -522,6 +522,19 @@ static const struct user_regset_view use .n = ARRAY_SIZE(mips64_regsets), }; +#ifdef CONFIG_MIPS32_N32 + +static const struct user_regset_view user_mipsn32_view = { + .name = "mipsn32", + .e_flags= EF_MIPS_ABI2, + .e_machine = ELF_ARCH, + .ei_osabi = ELF_OSABI, + .regsets= mips64_regsets, + .n = ARRAY_SIZE(mips64_regsets), +}; + +#endif /* CONFIG_MIPS32_N32 */ + #endif /* CONFIG_64BIT */ const struct user_regset_view *task_user_regset_view(struct task_struct *task) @@ -533,6 +546,10 @@ const struct user_regset_view *task_user if (test_tsk_thread_flag(task, TIF_32BIT_REGS)) return _mips_view; #endif +#ifdef CONFIG_MIPS32_N32 + if (test_tsk_thread_flag(task, TIF_32BIT_ADDR)) + return _mipsn32_view; +#endif return _mips64_view; #endif }
[PATCH 3.16 052/136] coda: fix 'kernel memory exposure attempt' in fsync
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Jan Harkes commit d337b66a4c52c7b04eec661d86c2ef6e168965a2 upstream. When an application called fsync on a file in Coda a small request with just the file identifier was allocated, but the declared length was set to the size of union of all possible upcall requests. This bug has been around for a very long time and is now caught by the extra checking in usercopy that was introduced in Linux-4.8. The exposure happens when the Coda cache manager process reads the fsync upcall request at which point it is killed. As a result there is nobody servicing any further upcalls, trapping any processes that try to access the mounted Coda filesystem. Signed-off-by: Jan Harkes Signed-off-by: Al Viro Signed-off-by: Ben Hutchings --- fs/coda/upcall.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) --- a/fs/coda/upcall.c +++ b/fs/coda/upcall.c @@ -446,8 +446,7 @@ int venus_fsync(struct super_block *sb, UPARG(CODA_FSYNC); inp->coda_fsync.VFid = *fid; - error = coda_upcall(coda_vcp(sb), sizeof(union inputArgs), - , inp); + error = coda_upcall(coda_vcp(sb), insize, , inp); CODA_FREE(inp, insize); return error;
[PATCH 3.16 070/136] MIPS: Fix an n32 core file generation regset support regression
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: "Maciej W. Rozycki" commit 547da673173de51f73887377eb275304775064ad upstream. Fix a commit 7aeb753b5353 ("MIPS: Implement task_user_regset_view.") regression, then activated by commit 6a9c001b7ec3 ("MIPS: Switch ELF core dumper to use regsets.)", that caused n32 processes to dump o32 core files by failing to set the EF_MIPS_ABI2 flag in the ELF core file header's `e_flags' member: $ file tls-core tls-core: ELF 32-bit MSB executable, MIPS, N32 MIPS64 rel2 version 1 (SYSV), [...] $ ./tls-core Aborted (core dumped) $ file core core: ELF 32-bit MSB core file MIPS, MIPS-I version 1 (SYSV), SVR4-style $ Previously the flag was set as the result of a: statement placed in arch/mips/kernel/binfmt_elfn32.c, however in the regset case, i.e. when CORE_DUMP_USE_REGSET is set, ELF_CORE_EFLAGS is no longer used by `fill_note_info' in fs/binfmt_elf.c, and instead the `->e_flags' member of the regset view chosen is. We have the views defined in arch/mips/kernel/ptrace.c, however only an o32 and an n64 one, and the latter is used for n32 as well. Consequently an o32 core file is incorrectly dumped from n32 processes (the ELF32 vs ELF64 class is chosen elsewhere, and the 32-bit one is correctly selected for n32). Correct the issue then by defining an n32 regset view and using it as appropriate. Issue discovered in GDB testing. Fixes: 7aeb753b5353 ("MIPS: Implement task_user_regset_view.") Signed-off-by: Maciej W. Rozycki Cc: Ralf Baechle Cc: Djordje Todorovic Cc: linux-m...@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/17617/ Signed-off-by: James Hogan Signed-off-by: Ben Hutchings --- arch/mips/kernel/ptrace.c | 17 + 1 file changed, 17 insertions(+) --- a/arch/mips/kernel/ptrace.c +++ b/arch/mips/kernel/ptrace.c @@ -522,6 +522,19 @@ static const struct user_regset_view use .n = ARRAY_SIZE(mips64_regsets), }; +#ifdef CONFIG_MIPS32_N32 + +static const struct user_regset_view user_mipsn32_view = { + .name = "mipsn32", + .e_flags= EF_MIPS_ABI2, + .e_machine = ELF_ARCH, + .ei_osabi = ELF_OSABI, + .regsets= mips64_regsets, + .n = ARRAY_SIZE(mips64_regsets), +}; + +#endif /* CONFIG_MIPS32_N32 */ + #endif /* CONFIG_64BIT */ const struct user_regset_view *task_user_regset_view(struct task_struct *task) @@ -533,6 +546,10 @@ const struct user_regset_view *task_user if (test_tsk_thread_flag(task, TIF_32BIT_REGS)) return _mips_view; #endif +#ifdef CONFIG_MIPS32_N32 + if (test_tsk_thread_flag(task, TIF_32BIT_ADDR)) + return _mipsn32_view; +#endif return _mips64_view; #endif }
[PATCH 3.2 67/79] RDS: Heap OOB write in rds_message_alloc_sgs()
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Mohamed Ghannamcommit c095508770aebf1b9218e77026e48345d719b17c upstream. When args->nr_local is 0, nr_pages gets also 0 due some size calculation via rds_rm_size(), which is later used to allocate pages for DMA, this bug produces a heap Out-Of-Bound write access to a specific memory region. Signed-off-by: Mohamed Ghannam Signed-off-by: David S. Miller Signed-off-by: Ben Hutchings --- net/rds/rdma.c | 3 +++ 1 file changed, 3 insertions(+) --- a/net/rds/rdma.c +++ b/net/rds/rdma.c @@ -516,6 +516,9 @@ int rds_rdma_extra_size(struct rds_rdma_ local_vec = (struct rds_iovec __user *)(unsigned long) args->local_vec_addr; + if (args->nr_local == 0) + return -EINVAL; + /* figure out the number of pages in the vector */ for (i = 0; i < args->nr_local; i++) { if (copy_from_user(, _vec[i],
[PATCH 3.2 67/79] RDS: Heap OOB write in rds_message_alloc_sgs()
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Mohamed Ghannam commit c095508770aebf1b9218e77026e48345d719b17c upstream. When args->nr_local is 0, nr_pages gets also 0 due some size calculation via rds_rm_size(), which is later used to allocate pages for DMA, this bug produces a heap Out-Of-Bound write access to a specific memory region. Signed-off-by: Mohamed Ghannam Signed-off-by: David S. Miller Signed-off-by: Ben Hutchings --- net/rds/rdma.c | 3 +++ 1 file changed, 3 insertions(+) --- a/net/rds/rdma.c +++ b/net/rds/rdma.c @@ -516,6 +516,9 @@ int rds_rdma_extra_size(struct rds_rdma_ local_vec = (struct rds_iovec __user *)(unsigned long) args->local_vec_addr; + if (args->nr_local == 0) + return -EINVAL; + /* figure out the number of pages in the vector */ for (i = 0; i < args->nr_local; i++) { if (copy_from_user(, _vec[i],