[PATCH 4.14 082/109] scsi: core: scsi_get_device_flags_keyed(): Always return device flags
4.14-stable review patch. If anyone has any objections, please let me know.

--

From: Bart Van Assche

[ Upstream commit a44c9d36509c83cf64f33b93f6ab2e63822c01eb ]

Since scsi_get_device_flags_keyed() callers do not check whether or not the returned value is an error code, change that function such that it returns a flags value even if the 'key' argument is invalid. Note: since commit 28a0bc4120d3 ("scsi: sd: Implement blacklist option for WRITE SAME w/ UNMAP") bit 31 is a valid device information flag so checking whether bit 31 is set in the return value is not sufficient to tell the difference between an error code and a flags value.

Signed-off-by: Bart Van Assche
Cc: Christoph Hellwig
Cc: Hannes Reinecke
Cc: Johannes Thumshirn
Signed-off-by: Martin K. Petersen
Signed-off-by: Sasha Levin
Signed-off-by: Greg Kroah-Hartman
---
drivers/scsi/scsi_devinfo.c |7 +--
1 file changed, 1 insertion(+), 6 deletions(-)

--- a/drivers/scsi/scsi_devinfo.c +++ b/drivers/scsi/scsi_devinfo.c @@ -595,17 +595,12 @@ int scsi_get_device_flags_keyed(struct s int key) { struct scsi_dev_info_list *devinfo; - int err; devinfo = scsi_dev_info_list_find(vendor, model, key); if (!IS_ERR(devinfo)) return devinfo->flags; - err = PTR_ERR(devinfo); - if (err != -ENOENT) - return err; - - /* nothing found, return nothing */ + /* key or device not found: return nothing */ if (key != SCSI_DEVINFO_GLOBAL) return 0;
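
Review bot: after this change every error from scsi_dev_info_list_find(), not only -ENOENT, falls through to the "not found" path in scsi_get_device_flags_keyed(), so an invalid key is silently treated like an unknown device. Consider a WARN_ON_ONCE() or a log line when PTR_ERR(devinfo) is anything other than -ENOENT, so a caller passing a bad key is still noticed. The function also still returns int while, per the commit message, bit 31 is a valid flag; an unsigned return type would make it explicit that the value is never an error code.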
[PATCH 4.14 073/109] perf annotate: Fix objdump comment parsing for Intel mov dissassembly
4.14-stable review patch. If anyone has any objections, please let me know.

--

From: Thomas Richter

[ Upstream commit 35a8a148d8c1ee9e5ae18f9565a880490f816f89 ]

The command 'perf annotate' parses the output of objdump and also investigates the comments produced by objdump. For example the output of objdump produces (on x86):

  23eee: 4c 8b 3d 13 01 21 00 mov 0x210113(%rip),%r15 # 234008

and the function mov__parse() is called to investigate the complete line. Mov__parse() breaks this line into several parts and finally calls function comment__symbol() to parse the data after the comment character '#'. Comment__symbol() expects a hexadecimal address followed by a symbol in '<' and '>' brackets.

However the 2nd parameter given to function comment__symbol() always points to the comment character '#'. The address parsing always returns 0 because the character '#' is not a digit and strtoull() fails without being noticed.

Fix this by advancing the second parameter to function comment__symbol() by one byte before invocation and add an error check after strtoull() has been called.

Signed-off-by: Thomas Richter
Reviewed-by: Hendrik Brueckner
Acked-by: Ravi Bangoria
Cc: Heiko Carstens
Cc: Martin Schwidefsky
Fixes: 6de783b6f50f ("perf annotate: Resolve symbols using objdump comment")
Link: http://lkml.kernel.org/r/20171128075632.72182-1-tmri...@linux.vnet.ibm.com
Signed-off-by: Arnaldo Carvalho de Melo
Signed-off-by: Sasha Levin
Signed-off-by: Greg Kroah-Hartman
---
tools/perf/util/annotate.c |8 +---
1 file changed, 5 insertions(+), 3 deletions(-)

--- a/tools/perf/util/annotate.c +++ b/tools/perf/util/annotate.c @@ -323,6 +323,8 @@ static int comment__symbol(char *raw, ch return 0; *addrp = strtoull(comment, , 16); + if (endptr == comment) + return 0; name = strchr(endptr, '<'); if (name == NULL) return -1; 
@@ -436,8 +438,8 @@ static int mov__parse(struct arch *arch, return 0; comment = ltrim(comment); - comment__symbol(ops->source.raw, comment, >source.addr, >source.name); - comment__symbol(ops->target.raw, comment, >target.addr, >target.name); + comment__symbol(ops->source.raw, comment + 1, >source.addr, >source.name); + comment__symbol(ops->target.raw, comment + 1, >target.addr, >target.name); return 0; @@ -481,7 +483,7 @@ static int dec__parse(struct arch *arch return 0; comment = ltrim(comment); - comment__symbol(ops->target.raw, comment, >target.addr, >target.name); + comment__symbol(ops->target.raw, comment + 1, >target.addr, >target.name); return 0; }
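
Review bot: in comment__symbol(), the new `if (endptr == comment) return 0;` reports a failed address parse with the same value as the early return just above it, while the missing '<' case two lines below returns -1; returning -1 here would let a caller tell "no address parsed" apart from "nothing to do". The three call sites in mov__parse() and dec__parse() each pass `comment + 1` and still ignore the return value; skipping the comment character once inside comment__symbol() would keep the callers from drifting apart.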
Re: [virtio-dev] [pci PATCH v7 2/5] virtio_pci: Add support for unmanaged SR-IOV on virtio_pci devices
On Fri, Mar 16, 2018 at 9:34 AM, Michael S. Tsirkin wrote:
> On Thu, Mar 15, 2018 at 11:42:41AM -0700, Alexander Duyck wrote:
>> From: Alexander Duyck
>>
>> Hardware-realized virtio_pci devices can implement SR-IOV, so this
>> patch enables its use. The device in question is an upcoming Intel
>> NIC that implements both a virtio_net PF and virtio_net VFs. These
>> are hardware realizations of what has up to now been a software
>> interface.
>>
>> The device in question has the following 4-part PCI IDs:
>>
>> PF: vendor: 1af4 device: 1041 subvendor: 8086 subdevice: 15fe
>> VF: vendor: 1af4 device: 1041 subvendor: 8086 subdevice: 05fe
>>
>> The patch currently needs no check for device ID, because the callback
>> will never be made for devices that do not assert the capability or
>> when run on a platform incapable of SR-IOV.
>>
>> One reason for this patch is because the hardware requires the
>> vendor ID of a VF to be the same as the vendor ID of the PF that
>> created it. So it seemed logical to simply have a fully-functioning
>> virtio_net PF create the VFs. This patch makes that possible.
>>
>> Reviewed-by: Christoph Hellwig
>> Signed-off-by: Mark Rustad
>> Signed-off-by: Alexander Duyck
>
> So if and when virtio PFs can manage the VFs, then we can
> add a feature bit for that?
> Seems reasonable.

Yes. If nothing else you may not even need a feature bit depending on how things go. One of the reasons why Mark called out the subvendor/subdevice was because that might be able to be used to identify the specific hardware that is providing the SR-IOV feature so in the future if it is added to virtio itself then you could exclude devices like this by just limiting things based on subvendor/subdevice IDs.

> Also, I am guessing that hardware implementations will want
> to add things like strong memory barriers - I guess we
> will add new feature bits for that too down the road?

That piece I don't have visibility into at this time. Perhaps Dan might have more visibility into future plans on what this might need.

Thanks.

- Alex
Re: [RFC 0/3] seccomp trap to userspace
On Fri, Mar 16, 2018 at 09:01:47AM -0700, Andy Lutomirski wrote:
>
> > On Mar 16, 2018, at 7:47 AM, Christian Brauner wrote:
> >
> >> On Fri, Mar 16, 2018 at 12:46:55AM +, Andy Lutomirski wrote:
>
> I bet I confused everyone with a blatant typo:
>
> >>
> >> Hmm, I think we have to be very careful to avoid nasty races. I think
> >> the correct approach is to notice the signal and send a message to the
> >> listener that a signal is pending but to take no additional action.
> >> If the handler ends up completing the syscall with a successful
> >> return, we don't want to replace it with -EINTR. IOW the code looks
> >> kind of like:
> >>
> >> send_to_listener("hey I got a signal");
>
> That should be “hey I got a syscall”. D’oh!

Ha ok, that's what led me to believe that listener != handler and I was trying to make sense of this. :)

Thanks!
Christian

>
> >> wait_ret = wait_interruptible for the listener to reply;
> >> if (wait_ret == -EINTR) {
> >
> > Hm, so from the pseudo-code it looks like: The handler would inform the
> > listener that it received a signal (either from the syscall requester or
> > from somewhere else) and then wait for the listener to reply to that
> > message. This would allow the listener to decide what action it wants
> > the handler to take based on the signal, i.e. either cancel the request
> > or retry? The comment makes it sound like that the handler doesn't
> > really wait on the listener when it receives a signal it simply moves
> > on.
>
> It keeps waiting killably but not interruptibly.
>
> > So no "taking no additional action" here means not have the handler
> > decide to abort but the listener?
>
> If by “handler” you mean kernel, then yes.
>
> There’s no userspace syscall handler involved. From the kernel’s perspective,
> a syscall is never still in progress when a signal handler is invoked — we
> only actually invoke syscall handlers in prepare_exit_to_usermode() or the
> non-x86 equivalent and the functions it calls. While a syscall is running,
> the kernel might notice that a signal is pending and do one of a few things:
>
> 1. Just keep going. Not all syscalls can be interrupted.
>
> 2. Try to finish early. If a send() call has already sent some but not all
> data, it can stop waiting and return the number of bytes sent.
>
> 3. Abort with -EINTR.
>
> 4. Abort with -ERESTARTSYS or one of its relatives. These fiddle with user
> registers in a somewhat unpleasant way to pretend that the syscall never
> actually happened. This works for syscalls that wait with an absolute
> timeout, for example.
>
> 5. Set up restart_syscall() magic, rewrite regs so it looks like the user was
> about to call restart_syscall() when the signal happened, and abort.
>
> In all cases, the signal is dealt with afterwards. This could result in
> changing regs to call the handler or in simply returning.
>
> 1-3 should work fully in seccomp. The only issue is that the kernel doesn’t
> know *which* to do, nor can the kernel force the listener to abort cleanly,
> so I think we have no real choice but to let the listener decide.
>
> 4 could be supported just like 1-3. 5 is awful, and I don’t think we should
> support it for user listeners.
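
Outcomes 3 and 4 in the list quoted above can be told apart from userspace. As an added example (not code from this thread or from the kernel; the helper name `interrupted_read` is made up here), the program below blocks in read() on an empty pipe, lets SIGALRM arrive, and reports how the call ended with and without SA_RESTART:

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700
#endif
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/time.h>
#include <unistd.h>

/* Write end of the pipe, published for the signal handler. */
static volatile sig_atomic_t wake_fd = -1;

/*
 * SIGALRM handler: put one byte into the pipe so that a restarted
 * read() has something to return. write() is async-signal-safe.
 */
static void on_alarm(int sig)
{
    int saved_errno = errno;
    (void)sig;
    if (wake_fd >= 0) {
        ssize_t n = write(wake_fd, "x", 1);
        (void)n;
    }
    errno = saved_errno;
}

/*
 * Block in read() on an empty pipe and let SIGALRM fire 100 ms later.
 * Returns the byte count read() delivered, or -errno if it failed.
 *
 * Without SA_RESTART the interrupted call is aborted and the caller
 * sees EINTR (outcome 3). With SA_RESTART the kernel rewinds the
 * registers, runs the handler, and re-executes the syscall as if it
 * had never started (outcome 4); the byte written by the handler is
 * then available, so read() returns 1.
 */
int interrupted_read(int use_sa_restart)
{
    int fds[2];
    struct sigaction sa, old;
    struct itimerval tv;
    char c;
    ssize_t n;
    int result;

    if (pipe(fds) < 0)
        return -errno;
    wake_fd = fds[1];

    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = on_alarm;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = use_sa_restart ? SA_RESTART : 0;
    if (sigaction(SIGALRM, &sa, &old) < 0) {
        result = -errno;
        goto out_close;
    }

    /* One-shot timer: long enough that read() is already blocked. */
    memset(&tv, 0, sizeof(tv));
    tv.it_value.tv_usec = 100000;
    if (setitimer(ITIMER_REAL, &tv, NULL) < 0) {
        result = -errno;
        goto out_restore;
    }

    n = read(fds[0], &c, 1);
    result = (n < 0) ? -errno : (int)n;

out_restore:
    sigaction(SIGALRM, &old, NULL);
out_close:
    wake_fd = -1;
    close(fds[0]);
    close(fds[1]);
    return result;
}

int main(void)
{
    printf("without SA_RESTART: %d (-EINTR is %d)\n",
           interrupted_read(0), -EINTR);
    printf("with SA_RESTART:    %d\n", interrupted_read(1));
    return 0;
}
```

In both runs the kernel's pipe read is interrupted the same way; the signal-delivery code decides afterwards whether the caller sees EINTR or a transparent restart, which is the decision the thread proposes to hand to the seccomp listener.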
[PATCH 4.14 031/109] HID: elo: clear BTN_LEFT mapping
4.14-stable review patch. If anyone has any objections, please let me know.

--

From: Jiri Kosina

[ Upstream commit 9abd04af951e5734c9d5cfee9b49790844b734cf ]

ELO devices have one Button usage in GenDesk field, which makes hid-input map it to BTN_LEFT; that confuses userspace, which then considers the device to be a mouse/touchpad instead of touchscreen.

Fix that by unmapping BTN_LEFT and keeping only BTN_TOUCH in place.

Signed-off-by: Jiri Kosina
Signed-off-by: Sasha Levin
Signed-off-by: Greg Kroah-Hartman
---
drivers/hid/hid-elo.c |6 ++
1 file changed, 6 insertions(+)

--- a/drivers/hid/hid-elo.c +++ b/drivers/hid/hid-elo.c @@ -42,6 +42,12 @@ static int elo_input_configured(struct h { struct input_dev *input = hidinput->input; + /* +* ELO devices have one Button usage in GenDesk field, which makes +* hid-input map it to BTN_LEFT; that confuses userspace, which then +* considers the device to be a mouse/touchpad instead of touchscreen. +*/ + clear_bit(BTN_LEFT, input->keybit); set_bit(BTN_TOUCH, input->keybit); set_bit(ABS_PRESSURE, input->absbit); input_set_abs_params(input, ABS_PRESSURE, 0, 256, 0, 0);
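
Review bot: in the new comment in elo_input_configured(), "GenDesk" is shorthand the reader has to decode; spell it out as the Generic Desktop usage page, and say that BTN_TOUCH, set on the following line, is the one button deliberately left in place, so the clear_bit()/set_bit() pair reads as a single decision.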
Re: [PATCH 2/2] kprobe: fix: Add ftrace_ops_assist_func to kprobe blacklist
On Fri, 16 Mar 2018 12:28:59 -0400 (EDT) Mathieu Desnoyers wrote:

> > We probably didn't discuss it (as there was a lot to discuss, and this
> > was probably overshadowed by that). But yes, you should not probe
> > ftrace called functions. That is guaranteed to crash and that crash is
> > not a bug, but a feature.
>
> Are you really arguing that crashing the kernel from an ABI visible from
> userspace (even if it's only root user) is not a bug ? You are joking right ?
> Is there an EXPERIMENTAL config option that people need to select in order to
> make sure those ftrace interfaces don't end up on production systems ?

No I'm not. And yes there is. Disable kprobes. kprobes is much more dangerous than ftrace, and it's kprobes that is crashing not ftrace.

Heck we have "echo c > /proc/sysrq-trigger"

So yes, you can easily crash the kernel via root. If you can load a module, you can crash the kernel. There's a thousand ways to crash a kernel. This is why most of the fuzzer testing is done as non-root, because doing it as root will do more than just crash the system, it may corrupt it enough that you can no longer boot it.

I see below you are doing fuzzing testing too as root. Hopefully you limit those tests because yes, things can get really bad.

> >
> > The ftrace and ring buffer files should be blacklisted from being
> > probed. Perhaps the entire directory.
>
> All code reachable from a kprobe handler should be blacklisted from
> kprobes, yes.

The problem is that that list constantly changes. There's been cases we try to prevent things called by nmi do not get called, but it ended up being every helper utility can be called in that context.

> >
> > Anyway, I don't see this as much of an urgent matter, as it's one of
> > those "Patient: Doc, it hurts when I do this. Doc: Don't do that"
> > cases. And there's a lot of urgent issues that currently need to be
> > dealt with.
>
> OK, short-term we'll remove everything related to ftrace functions
> from our CI fuzzer coverage. Arguably, the fact that a root user can
> crash the kernel through tracefs files is not that great security-wise
> though.

Note, probes are not a normal API. I test the hell out of the other ftrace interfaces and if it blows up I fix it. But adding probes into random parts of the kernel is very dangerous, and not something I care to test. And sure, if you are worried about root killing the system, disable kprobes.

>
> Considering that our current focus is to test the kprobe instrumentation
> layer (and not ftrace per se), we will move our fuzzer to the LTTng ABI
> instead, which should take care of removing crashes introduced by ftrace
> from our fuzzing results.

Yes, kprobes are dangerous. I'm not saying it shouldn't be fixed, I'm saying that I don't have time to fix it now, but would be happy to accept patches if someone else does so.

-- Steve
[PATCH 4.14 038/109] typec: tcpm: fusb302: Resolve out of order messaging events
4.14-stable review patch. If anyone has any objections, please let me know.

--

From: Adam Thomson

[ Upstream commit ab69f61321140ff632d560775bc226259a78dfa2 ]

The expectation in the FUSB302 driver is that a TX_SUCCESS event should occur after a message has been sent, but before a GCRCSENT event is raised to indicate successful receipt of a message from the partner. However in some circumstances it is possible to see the hardware raise a GCRCSENT event before a TX_SUCCESS event is raised. The upshot of this is that the GCRCSENT handling portion of code ends up reporting the GoodCRC message to TCPM because the TX_SUCCESS event hasn't yet arrived to trigger a consumption of it. When TX_SUCCESS is then raised by the chip it ends up consuming the actual message that was meant for TCPM, and this incorrect sequence results in a hard reset from TCPM.

To avoid this problem, this commit updates the message reading code to check whether a GoodCRC message was received or not. Based on this check it will either report that the previous transmission has completed or it will pass the msg data to TCPM for further processing. This way the incorrect ordering of the events no longer matters.

Signed-off-by: Adam Thomson
Reviewed-by: Guenter Roeck
Acked-by: Heikki Krogerus
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Sasha Levin
Signed-off-by: Greg Kroah-Hartman
---
drivers/staging/typec/fusb302/fusb302.c | 21 +
1 file changed, 17 insertions(+), 4 deletions(-)

--- a/drivers/staging/typec/fusb302/fusb302.c +++ b/drivers/staging/typec/fusb302/fusb302.c 
@@ -1552,6 +1552,21 @@ static int fusb302_pd_read_message(struc fusb302_log(chip, "PD message header: %x", msg->header); fusb302_log(chip, "PD message len: %d", len); + /* +* Check if we've read off a GoodCRC message. If so then indicate to +* TCPM that the previous transmission has completed. Otherwise we pass +* the received message over to TCPM for processing. +* +* We make this check here instead of basing the reporting decision on +* the IRQ event type, as it's possible for the chip to report the +* TX_SUCCESS and GCRCSENT events out of order on occasion, so we need +* to check the message type to ensure correct reporting to TCPM. +*/ + if ((!len) && (pd_header_type_le(msg->header) == PD_CTRL_GOOD_CRC)) + tcpm_pd_transmit_complete(chip->tcpm_port, TCPC_TX_SUCCESS); + else + tcpm_pd_receive(chip->tcpm_port, msg); + return ret; } @@ -1659,13 +1674,12 @@ static irqreturn_t fusb302_irq_intn(int if (interrupta & FUSB_REG_INTERRUPTA_TX_SUCCESS) { fusb302_log(chip, "IRQ: PD tx success"); - /* read out the received good CRC */ ret = fusb302_pd_read_message(chip, _msg); if (ret < 0) { - fusb302_log(chip, "cannot read in GCRC, ret=%d", ret); + fusb302_log(chip, + "cannot read in PD message, ret=%d", ret); goto done; } - tcpm_pd_transmit_complete(chip->tcpm_port, TCPC_TX_SUCCESS); } if (interrupta & FUSB_REG_INTERRUPTA_HARDRESET) { @@ -1686,7 +1700,6 @@ static irqreturn_t fusb302_irq_intn(int "cannot read in PD message, ret=%d", ret); goto done; } - tcpm_pd_receive(chip->tcpm_port, _msg); } done: mutex_unlock(>lock);
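
Review bot: in fusb302_pd_read_message(), the new GoodCRC check hands the message to TCPM before `return ret;`, so the `if (ret < 0)` checks in fusb302_irq_intn() now run only after tcpm_pd_transmit_complete() or tcpm_pd_receive() has already been called. Unless every failure path above this point already returns early, guard the dispatch with the read status (return on ret < 0 before the check) so a failed read can never forward a partially filled msg. The parentheses around `!len` can also go.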
[PATCH 4.14 040/109] sched: Stop switched_to_rt() from sending IPIs to offline CPUs
4.14-stable review patch. If anyone has any objections, please let me know. -- 
From: "Paul E. McKenney"

[ Upstream commit 2fe2582649aa2355f79acddb86bd4d6c5363eb63 ]

The rcutorture test suite occasionally provokes a splat due to invoking rt_mutex_lock() which needs to boost the priority of a task currently sitting on a runqueue that belongs to an offline CPU:

WARNING: CPU: 0 PID: 12 at /home/paulmck/public_git/linux-rcu/arch/x86/kernel/smp.c:128 native_smp_send_reschedule+0x37/0x40
Modules linked in:
CPU: 0 PID: 12 Comm: rcub/7 Not tainted 4.14.0-rc4+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
task: 9ed3de5f8cc0 task.stack: bbf80012c000
RIP: 0010:native_smp_send_reschedule+0x37/0x40
RSP: 0018:bbf80012fd10 EFLAGS: 00010082
RAX: 002f RBX: 9ed3dd9cb300 RCX: 0004
RDX: 8004 RSI: 0086 RDI:
RBP: bbf80012fd10 R08: 0009da7a R09: 7b9d
R10: 0001 R11: bb57c2cd R12: 000d
R13: 9ed3de5f8cc0 R14: 0061 R15: 9ed3ded59200
FS: () GS:9ed3dea0() knlGS:
CS: 0010 DS: ES: CR0: 80050033
CR2: 080686f0 CR3: 1b9e CR4: 06f0
Call Trace:
 resched_curr+0x61/0xd0
 switched_to_rt+0x8f/0xa0
 rt_mutex_setprio+0x25c/0x410
 task_blocks_on_rt_mutex+0x1b3/0x1f0
 rt_mutex_slowlock+0xa9/0x1e0
 rt_mutex_lock+0x29/0x30
 rcu_boost_kthread+0x127/0x3c0
 kthread+0x104/0x140
 ? rcu_report_unblock_qs_rnp+0x90/0x90
 ? kthread_create_on_node+0x40/0x40
 ret_from_fork+0x22/0x30
Code: f0 00 0f 92 c0 84 c0 74 14 48 8b 05 34 74 c5 00 be fd 00 00 00 ff 90 a0 00 00 00 5d c3 89 fe 48 c7 c7 a0 c6 fc b9 e8 d5 b5 06 00 <0f> ff 5d c3 0f 1f 44 00 00 8b 05 a2 d1 13 02 85 c0 75 38 55 48

But the target task's priority has already been adjusted, so the only purpose of switched_to_rt() invoking resched_curr() is to wake up the CPU running some task that needs to be preempted by the boosted task. But the CPU is offline, which presumably means that the task must be migrated to some other CPU, and that this other CPU will undertake any needed preemption at the time of migration. Because the runqueue lock is held when resched_curr() is invoked, we know that the boosted task cannot go anywhere, so it is not necessary to invoke resched_curr() in this particular case.

This commit therefore makes switched_to_rt() refrain from invoking resched_curr() when the target CPU is offline.

Signed-off-by: Paul E. McKenney
Cc: Ingo Molnar
Cc: Peter Zijlstra
Signed-off-by: Sasha Levin
Signed-off-by: Greg Kroah-Hartman
---
kernel/sched/rt.c |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/kernel/sched/rt.c +++ b/kernel/sched/rt.c @@ -2218,7 +2218,7 @@ static void switched_to_rt(struct rq *rq if (p->nr_cpus_allowed > 1 && rq->rt.overloaded) queue_push_tasks(rq); #endif /* CONFIG_SMP */ - if (p->prio < rq->curr->prio) + if (p->prio < rq->curr->prio && cpu_online(cpu_of(rq))) resched_curr(rq); } }
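
Review bot: the `cpu_online(cpu_of(rq))` test added to the condition in switched_to_rt() carries no comment, and the reasoning behind it (the runqueue lock is held, the task will be migrated, and preemption is handled at migration time) exists only in the commit message. Add a short comment above the `if` so the check is not later removed as redundant.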
Re: [PATCH 0/2] irqchip/gic*: Complain about the use of IRQ_TYPE_NONE
On 16/03/18 16:39, Marc Zyngier wrote:

On 16/03/18 16:19, Robin Murphy wrote:

On 16/03/18 14:55, Marc Zyngier wrote:

Grepping through the dts files, the documentation, and reviewing patches, one can only notice the use of IRQ_TYPE_NONE in interrupt specifiers. At least for the GIC, this doesn't mean anything. The unsuspecting driver will end-up with whatever was there before, and there is a 50% probability that it is not what it wants. I'd love to fix it myself, but I also have a 50% probability of getting it wrong.

In order to make the user aware they are walking on thin ice, let's add some warnings. Hopefully, they'll be annoying enough that people will fix their firmware.

Crowdsourcing debugging...

I guess there's also the alternative nuclear option of breaking their build ;)

Robin.

->8-
diff --git a/include/dt-bindings/interrupt-controller/irq.h b/include/dt-bindings/interrupt-controller/irq.h index a8b310555f14..de79af80d01e 100644 --- a/include/dt-bindings/interrupt-controller/irq.h +++ b/include/dt-bindings/interrupt-controller/irq.h @@ -10,7 +10,7 @@ #ifndef _DT_BINDINGS_INTERRUPT_CONTROLLER_IRQ_H #define _DT_BINDINGS_INTERRUPT_CONTROLLER_IRQ_H -#define IRQ_TYPE_NONE 0 +#define IRQ_TYPE_NONE "This is nonsense and needs fixing" #define IRQ_TYPE_EDGE_RISING 1 #define IRQ_TYPE_EDGE_FALLING2 #define IRQ_TYPE_EDGE_BOTH (IRQ_TYPE_EDGE_FALLING | IRQ_TYPE_EDGE_RISING)

What really annoys me with this patch is that you haven't put a SoB on it...

On a more serious note, though, it dawns on me that this might be something DTC could realistically scream about for us, although I guess not all irqchip bindings include a type specifier so it would probably need to special-case known ones.

Robin.
[PATCH 4.14 019/109] usb: usbmon: Read text within supplied buffer size
4.14-stable review patch. If anyone has any objections, please let me know.

--

From: Pete Zaitcev

commit a5f596830e27e15f7a0ecd6be55e433d776986d8 upstream.

This change fixes buffer overflows and silent data corruption with the usbmon device driver text file read operations.

Signed-off-by: Fredrik Noring
Signed-off-by: Pete Zaitcev
Cc: stable
Signed-off-by: Greg Kroah-Hartman
---
drivers/usb/mon/mon_text.c | 124 +++--
1 file changed, 77 insertions(+), 47 deletions(-)

--- a/drivers/usb/mon/mon_text.c +++ b/drivers/usb/mon/mon_text.c @@ -85,6 +85,8 @@ struct mon_reader_text { wait_queue_head_t wait; int printf_size; + size_t printf_offset; + size_t printf_togo; char *printf_buf; struct mutex printf_lock; 
@@ -376,75 +378,103 @@ err_alloc: return rc; } -/* - * For simplicity, we read one record in one system call and throw out - * what does not fit. This means that the following does not work: - * dd if=/dbg/usbmon/0t bs=10 - * Also, we do not allow seeks and do not bother advancing the offset. - */ +static ssize_t mon_text_copy_to_user(struct mon_reader_text *rp, +char __user * const buf, const size_t nbytes) +{ + const size_t togo = min(nbytes, rp->printf_togo); + + if (copy_to_user(buf, >printf_buf[rp->printf_offset], togo)) + return -EFAULT; + rp->printf_togo -= togo; + rp->printf_offset += togo; + return togo; +} + +/* ppos is not advanced since the llseek operation is not permitted. */ static ssize_t mon_text_read_t(struct file *file, char __user *buf, - size_t nbytes, loff_t *ppos) +size_t nbytes, loff_t *ppos) { struct mon_reader_text *rp = file->private_data; struct mon_event_text *ep; struct mon_text_ptr ptr; + ssize_t ret; - ep = mon_text_read_wait(rp, file); - if (IS_ERR(ep)) - return PTR_ERR(ep); mutex_lock(>printf_lock); - ptr.cnt = 0; - ptr.pbuf = rp->printf_buf; - ptr.limit = rp->printf_size; - - mon_text_read_head_t(rp, , ep); - mon_text_read_statset(rp, , ep); - ptr.cnt += snprintf(ptr.pbuf + ptr.cnt, ptr.limit - ptr.cnt, - " %d", ep->length); - mon_text_read_data(rp, , ep); - if (copy_to_user(buf, rp->printf_buf, ptr.cnt)) - ptr.cnt = -EFAULT; + if (rp->printf_togo == 0) { + + ep = mon_text_read_wait(rp, file); + if (IS_ERR(ep)) { + mutex_unlock(>printf_lock); + return PTR_ERR(ep); + } + ptr.cnt = 0; + ptr.pbuf = rp->printf_buf; + ptr.limit = rp->printf_size; + + mon_text_read_head_t(rp, , ep); + mon_text_read_statset(rp, , ep); + ptr.cnt += snprintf(ptr.pbuf + ptr.cnt, ptr.limit - ptr.cnt, + " %d", ep->length); + mon_text_read_data(rp, , ep); + + rp->printf_togo = ptr.cnt; + rp->printf_offset = 0; + + kmem_cache_free(rp->e_slab, ep); + } + + ret = mon_text_copy_to_user(rp, buf, nbytes); mutex_unlock(>printf_lock); - kmem_cache_free(rp->e_slab, 
ep); - return ptr.cnt; + return ret; } +/* ppos is not advanced since the llseek operation is not permitted. */ static ssize_t mon_text_read_u(struct file *file, char __user *buf, - size_t nbytes, loff_t *ppos) +size_t nbytes, loff_t *ppos) { struct mon_reader_text *rp = file->private_data; struct mon_event_text *ep; struct mon_text_ptr ptr; + ssize_t ret; - ep = mon_text_read_wait(rp, file); - if (IS_ERR(ep)) - return PTR_ERR(ep); mutex_lock(>printf_lock); - ptr.cnt = 0; - ptr.pbuf = rp->printf_buf; - ptr.limit = rp->printf_size; - mon_text_read_head_u(rp, , ep); - if (ep->type == 'E') { - mon_text_read_statset(rp, , ep); - } else if (ep->xfertype == USB_ENDPOINT_XFER_ISOC) { - mon_text_read_isostat(rp, , ep); - mon_text_read_isodesc(rp, , ep); - } else if (ep->xfertype == USB_ENDPOINT_XFER_INT) { - mon_text_read_intstat(rp, , ep); - } else { - mon_text_read_statset(rp, , ep); + if (rp->printf_togo == 0) { + + ep = mon_text_read_wait(rp, file); + if (IS_ERR(ep)) { + mutex_unlock(>printf_lock); + return PTR_ERR(ep); + } + ptr.cnt = 0; + ptr.pbuf = rp->printf_buf; + ptr.limit = rp->printf_size; + + mon_text_read_head_u(rp, , ep); +
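
Review bot: in mon_text_read_t(), `rp->printf_togo = ptr.cnt;` trusts a count built up with `ptr.cnt += snprintf(...)`, and snprintf() returns the length it would have written, so ptr.cnt can exceed ptr.limit when a record is truncated; mon_text_copy_to_user() would then copy from beyond printf_buf. Use scnprintf() for the accumulation or clamp printf_togo to rp->printf_size before storing it. Separately, mon_text_read_wait() is now called with printf_lock held in both read functions, so a reader blocked waiting for an event keeps the mutex; worth confirming that this is intended.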
[PATCH 4.14 002/109] net: phy: Restore phy_resume() locking assumption
4.14-stable review patch. If anyone has any objections, please let me know.

--

From: Andrew Lunn

commit 9c2c2e62df3fa30fb13fbeb7512a4eede729383b upstream.

commit f5e64032a799 ("net: phy: fix resume handling") changes the locking semantics for phy_resume() such that the caller now needs to hold the phy mutex. Not all call sites were adopted to this new semantic, resulting in warnings from the added WARN_ON(!mutex_is_locked(>lock)). Rather than change the semantics, add a __phy_resume() and restore the old behavior of phy_resume().

Reported-by: Heiner Kallweit
Fixes: f5e64032a799 ("net: phy: fix resume handling")
Signed-off-by: Andrew Lunn
Reviewed-by: Florian Fainelli
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
drivers/net/phy/phy.c|2 +-
drivers/net/phy/phy_device.c | 18 +-
include/linux/phy.h |1 +
3 files changed, 15 insertions(+), 6 deletions(-)

--- a/drivers/net/phy/phy.c +++ b/drivers/net/phy/phy.c @@ -841,7 +841,7 @@ void phy_start(struct phy_device *phydev break; case PHY_HALTED: /* if phy was suspended, bring the physical link up again */ - phy_resume(phydev); + __phy_resume(phydev); /* make sure interrupts are re-enabled for the PHY */ if (phy_interrupt_is_valid(phydev)) { --- a/drivers/net/phy/phy_device.c +++ b/drivers/net/phy/phy_device.c @@ -135,9 +135,7 @@ static int mdio_bus_phy_resume(struct de if (!mdio_bus_phy_may_suspend(phydev)) goto no_resume; - mutex_lock(>lock); ret = phy_resume(phydev); - mutex_unlock(>lock); if (ret < 0) return ret; @@ -1028,9 +1026,7 @@ int phy_attach_direct(struct net_device if (err) goto error; - mutex_lock(>lock); phy_resume(phydev); - mutex_unlock(>lock); phy_led_triggers_register(phydev); return err; @@ -1156,7 +1152,7 @@ int phy_suspend(struct phy_device *phyde } EXPORT_SYMBOL(phy_suspend); -int phy_resume(struct phy_device *phydev) +int __phy_resume(struct phy_device *phydev) { struct phy_driver *phydrv = to_phy_driver(phydev->mdio.dev.driver); int ret = 0; 
@@ -1173,6 +1169,18 @@ int phy_resume(struct phy_device *phydev return ret; } +EXPORT_SYMBOL(__phy_resume); + +int phy_resume(struct phy_device *phydev) +{ + int ret; + + mutex_lock(>lock); + ret = __phy_resume(phydev); + mutex_unlock(>lock); + + return ret; +} EXPORT_SYMBOL(phy_resume); int phy_loopback(struct phy_device *phydev, bool enable) --- a/include/linux/phy.h +++ b/include/linux/phy.h @@ -817,6 +817,7 @@ void phy_device_remove(struct phy_device int phy_init_hw(struct phy_device *phydev); int phy_suspend(struct phy_device *phydev); int phy_resume(struct phy_device *phydev); +int __phy_resume(struct phy_device *phydev); int phy_loopback(struct phy_device *phydev, bool enable); struct phy_device *phy_attach(struct net_device *dev, const char *bus_id, phy_interface_t interface);
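
Review bot: __phy_resume() is exported and declared in include/linux/phy.h with nothing stating that the caller must already hold the phy mutex, which is its only difference from phy_resume(). Add a kernel-doc comment saying so, ideally backed by lockdep_assert_held() inside __phy_resume(), so the two entry points are not mixed up again the way the commit message describes.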
[PATCH 4.14 020/109] usb: gadget: f_fs: Fix use-after-free in ffs_fs_kill_sb()
4.14-stable review patch. If anyone has any objections, please let me know. -- 
From: Xinyong

commit 1a087f032111a88e826877449dfb93ceb22b78b9 upstream.

When I debug a kernel crash issue in functionfs, found ffs_data.ref overflowed, While functionfs is unmounting, ffs_data is put twice.

Commit 43938613c6fd ("drivers, usb: convert ffs_data.ref from atomic_t to refcount_t") can avoid refcount overflow, but that is risk some situations. So no need put ffs data in ffs_fs_kill_sb, already put in ffs_data_closed.

The issue can be reproduced in Mediatek mt6763 SoC, ffs for ADB device. KASAN enabled configuration reports use-after-free error.

BUG: KASAN: use-after-free in refcount_dec_and_test+0x14/0xe0 at addr ffc0579386a0
Read of size 4 by task umount/4650
BUG kmalloc-512 (Tainted: PW O ): kasan: bad access detected
-
INFO: Allocated in ffs_fs_mount+0x194/0x844 age=22856 cpu=2 pid=566
 alloc_debug_processing+0x1ac/0x1e8
 ___slab_alloc.constprop.63+0x640/0x648
 __slab_alloc.isra.57.constprop.62+0x24/0x34
 kmem_cache_alloc_trace+0x1a8/0x2bc
 ffs_fs_mount+0x194/0x844
 mount_fs+0x6c/0x1d0
 vfs_kern_mount+0x50/0x1b4
 do_mount+0x258/0x1034
INFO: Freed in ffs_data_put+0x25c/0x320 age=0 cpu=3 pid=4650
 free_debug_processing+0x22c/0x434
 __slab_free+0x2d8/0x3a0
 kfree+0x254/0x264
 ffs_data_put+0x25c/0x320
 ffs_data_closed+0x124/0x15c
 ffs_fs_kill_sb+0xb8/0x110
 deactivate_locked_super+0x6c/0x98
 deactivate_super+0xb0/0xbc
INFO: Object 0xffc057938600 @offset=1536 fp=0x (null)
..
Call trace:
 [] dump_backtrace+0x0/0x250
 [] show_stack+0x14/0x1c
 [] dump_stack+0xa0/0xc8
 [] print_trailer+0x158/0x260
 [] object_err+0x3c/0x40
 [] kasan_report_error+0x2a8/0x754
 [] kasan_report+0x5c/0x60
 [] __asan_load4+0x70/0x88
 [] refcount_dec_and_test+0x14/0xe0
 [] ffs_data_put+0x80/0x320
 [] ffs_fs_kill_sb+0xc8/0x110
 [] deactivate_locked_super+0x6c/0x98
 [] deactivate_super+0xb0/0xbc
 [] cleanup_mnt+0x64/0xec
 [] __cleanup_mnt+0x10/0x18
 [] task_work_run+0xcc/0x124
 [] do_notify_resume+0x60/0x70
 [] work_pending+0x10/0x14

Cc: sta...@vger.kernel.org
Signed-off-by: Xinyong
Signed-off-by: Felipe Balbi
Signed-off-by: Greg Kroah-Hartman
---
drivers/usb/gadget/function/f_fs.c |1 -
1 file changed, 1 deletion(-)

--- a/drivers/usb/gadget/function/f_fs.c +++ b/drivers/usb/gadget/function/f_fs.c @@ -1539,7 +1539,6 @@ ffs_fs_kill_sb(struct super_block *sb) if (sb->s_fs_info) { ffs_release_dev(sb->s_fs_info); ffs_data_closed(sb->s_fs_info); - ffs_data_put(sb->s_fs_info); } }
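
Review bot: with ffs_data_put() removed, ffs_fs_kill_sb() relies on ffs_data_closed() to drop the reference, and nothing at the call site says so. A one-line comment next to `ffs_data_closed(sb->s_fs_info);` stating that it releases the reference would keep a later cleanup from adding the put back and reintroducing the double put shown in the KASAN report.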
Re: arm64 kvm built with clang doesn't boot
+ Sami (Google), Takahiro (Linaro)

Just so I fully understand the problem enough to articulate it, we'd be looking for the compiler to keep the jump tables for speed (I would guess -fno-jump-tables would emit an if-else chain) but only emit relative jumps (not absolute jumps)?

> Perhaps Nick can comment on whether something like -fno-absolute-addressing would be feasible in clang.

Checked with some of my LLVM friends. They mentioned that this is tricky because you need to move the addresses of the jump table from a data section back into the text section. Looks like LLVM has an interesting method `shouldPutJumpTableInFunctionSection` [0]. Unfortunately, it gets overridden for ELF to always return false. [1]

It looks like there's also a flag `no-jump-tables` [2]. Looks like Sami has used this in the past in kvm. [3]

It's still probably possible to add this to LLVM, so I can pursue that with LLVM devs.

> But just for the reference, I'm using 4.16-rc4 with a patch to fix SMCCC issues that you mentioned.

Is this in regards to: commit "arm64: Add ARM_SMCCC_ARCH_WORKAROUND_1 BP hardening support"? Has anyone tried to upstream a fix for this? We probably want to be very explicit with register widths here.

[0] https://github.com/llvm-mirror/llvm/blob/a5bd54307b1adacb3df297b9b8010979b9afa4d7/lib/Target/TargetLoweringObjectFile.cpp#L280
[1] https://github.com/llvm-mirror/llvm/blob/e7676fec11b02e4b698b5ffc99e1901246a7bf66/lib/CodeGen/TargetLoweringObjectFileImpl.cpp#L494
[2] https://github.com/llvm-mirror/llvm/blob/11f5adb29bf90bc1a40b8bb512afcff4b1ac0f56/lib/Transforms/Utils/SimplifyCFG.cpp#L5233
[3] https://patchwork.kernel.org/patch/10060301/

--
Thanks,
~Nick Desaulniers
[PATCH 4.9 40/86] Revert "x86/retpoline: Simplify vmexit_fill_RSB()"
4.9-stable review patch. If anyone has any objections, please let me know. -- From: David Woodhousecommit d1c99108af3c5992640aa2afa7d2e88c3775c06e upstream. This reverts commit 1dde7415e99933bb7293d6b2843752cbdb43ec11. By putting the RSB filling out of line and calling it, we waste one RSB slot for returning from the function itself, which means one fewer actual function call we can make if we're doing the Skylake abomination of call-depth counting. It also changed the number of RSB stuffings we do on vmexit from 32, which was correct, to 16. Let's just stop with the bikeshedding; it didn't actually *fix* anything anyway. Signed-off-by: David Woodhouse Acked-by: Thomas Gleixner Cc: Linus Torvalds Cc: Peter Zijlstra Cc: arjan.van.de@intel.com Cc: b...@alien8.de Cc: dave.han...@intel.com Cc: jmatt...@google.com Cc: karah...@amazon.de Cc: k...@vger.kernel.org Cc: pbonz...@redhat.com Cc: rkrc...@redhat.com Link: http://lkml.kernel.org/r/1519037457-7643-4-git-send-email-d...@amazon.co.uk Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman --- arch/x86/entry/entry_32.S |3 - arch/x86/entry/entry_64.S |3 - arch/x86/include/asm/asm-prototypes.h |3 - arch/x86/include/asm/nospec-branch.h | 70 ++ arch/x86/lib/Makefile |1 arch/x86/lib/retpoline.S | 56 --- 6 files changed, 65 insertions(+), 71 deletions(-) --- a/arch/x86/entry/entry_32.S +++ b/arch/x86/entry/entry_32.S @@ -237,8 +237,7 @@ ENTRY(__switch_to_asm) * exist, overwrite the RSB with entries which capture * speculative execution to prevent attack. */ - /* Clobbers %ebx */ - FILL_RETURN_BUFFER RSB_CLEAR_LOOPS, X86_FEATURE_RSB_CTXSW + FILL_RETURN_BUFFER %ebx, RSB_CLEAR_LOOPS, X86_FEATURE_RSB_CTXSW #endif /* restore callee-saved registers */ --- a/arch/x86/entry/entry_64.S +++ b/arch/x86/entry/entry_64.S 
@@ -331,8 +331,7 @@ ENTRY(__switch_to_asm) * exist, overwrite the RSB with entries which capture * speculative execution to prevent attack. */ - /* Clobbers %rbx */ - FILL_RETURN_BUFFER RSB_CLEAR_LOOPS, X86_FEATURE_RSB_CTXSW + FILL_RETURN_BUFFER %r12, RSB_CLEAR_LOOPS, X86_FEATURE_RSB_CTXSW #endif /* restore callee-saved registers */ --- a/arch/x86/include/asm/asm-prototypes.h +++ b/arch/x86/include/asm/asm-prototypes.h @@ -37,7 +37,4 @@ INDIRECT_THUNK(dx) INDIRECT_THUNK(si) INDIRECT_THUNK(di) INDIRECT_THUNK(bp) -asmlinkage void __fill_rsb(void); -asmlinkage void __clear_rsb(void); - #endif /* CONFIG_RETPOLINE */ --- a/arch/x86/include/asm/nospec-branch.h +++ b/arch/x86/include/asm/nospec-branch.h 
@@ -8,6 +8,50 @@ #include #include +/* + * Fill the CPU return stack buffer. + * + * Each entry in the RSB, if used for a speculative 'ret', contains an + * infinite 'pause; lfence; jmp' loop to capture speculative execution. + * + * This is required in various cases for retpoline and IBRS-based + * mitigations for the Spectre variant 2 vulnerability. Sometimes to + * eliminate potentially bogus entries from the RSB, and sometimes + * purely to ensure that it doesn't get empty, which on some CPUs would + * allow predictions from other (unwanted!) sources to be used. + * + * We define a CPP macro such that it can be used from both .S files and + * inline assembly. It's possible to do a .macro and then include that + * from C via asm(".include ") but let's not go there. + */ + +#define RSB_CLEAR_LOOPS32 /* To forcibly overwrite all entries */ +#define RSB_FILL_LOOPS 16 /* To avoid underflow */ + +/* + * Google experimented with loop-unrolling and this turned out to be + * the optimal version — two calls, each with their own speculation + * trap should their return address end up getting used, in a loop. + */ +#define __FILL_RETURN_BUFFER(reg, nr, sp) \ + mov $(nr/2), reg; \ +771: \ + call772f; \ +773: /* speculation trap */ \ + pause; \ + lfence; \ + jmp 773b; \ +772: \ + call774f; \ +775: /* speculation trap */ \ + pause; \ + lfence; \ + jmp 775b; \ +774: \ + dec reg;\ + jnz 771b; \ + add $(BITS_PER_LONG/8) * nr,
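Review bot: in the restored __FILL_RETURN_BUFFER(reg, nr, sp) macro in nospec-branch.h, the loop runs nr/2 times with two calls per pass, but the stack pointer is then adjusted by `(BITS_PER_LONG/8) * nr`, so an odd nr would push nr-1 return addresses and pop nr words. Both visible constants (32 and 16) are even, so nothing breaks today, but the requirement is not stated anywhere; add a comment that nr must be even or a build-time check. The `nr` argument is also expanded without parentheses in both `$(nr/2)` and `* nr`; writing `(nr)` in both places keeps an expression argument from binding wrongly.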
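Review bot: in the two __switch_to_asm hunks (entry_32.S and entry_64.S) the removed "Clobbers %ebx" / "Clobbers %rbx" comments are not replaced, although the macro still destroys the register that is now passed explicitly, and that register differs between the files (%ebx on 32-bit, %r12 on 64-bit). A one-line comment at each call site saying the scratch register is clobbered, and that this is fine because the callee-saved registers are restored immediately below, would keep that knowledge next to the code.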
[PATCH -next 20/22] net: socket: add __compat_sys_getsockopt() helper; remove in-kernel call to compat syscall
Using the net-internal helper __compat_sys_getsockopt() allows us to avoid the internal calls to the compat_sys_getsockopt() syscall. Cc: David S. MillerCc: net...@vger.kernel.org Signed-off-by: Dominik Brodowski --- net/compat.c | 16 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/net/compat.c b/net/compat.c index 75bfcbbb2e3e..cdf5b0c1b962 100644 --- a/net/compat.c +++ b/net/compat.c @@ -509,8 +509,9 @@ int compat_sock_get_timestampns(struct sock *sk, struct timespec __user *usersta } EXPORT_SYMBOL(compat_sock_get_timestampns); -COMPAT_SYSCALL_DEFINE5(getsockopt, int, fd, int, level, int, optname, - char __user *, optval, int __user *, optlen) +static int __compat_sys_getsockopt(int fd, int level, int optname, + char __user *optval, + int __user *optlen) { int err; struct socket *sock = sockfd_lookup(fd, ); @@ -536,6 +537,12 @@ COMPAT_SYSCALL_DEFINE5(getsockopt, int, fd, int, level, int, optname, return err; } +COMPAT_SYSCALL_DEFINE5(getsockopt, int, fd, int, level, int, optname, + char __user *, optval, int __user *, optlen) +{ + return __compat_sys_getsockopt(fd, level, optname, optval, optlen); +} + struct compat_group_req { __u32gr_interface; struct __kernel_sockaddr_storage gr_group @@ -874,8 +881,9 @@ COMPAT_SYSCALL_DEFINE2(socketcall, int, call, u32 __user *, args) compat_ptr(a[3]), a[4]); break; case SYS_GETSOCKOPT: - ret = compat_sys_getsockopt(a0, a1, a[2], - compat_ptr(a[3]), compat_ptr(a[4])); + ret = __compat_sys_getsockopt(a0, a1, a[2], + compat_ptr(a[3]), + compat_ptr(a[4])); break; case SYS_SENDMSG: ret = compat_sys_sendmsg(a0, compat_ptr(a1), a[2]); -- 2.16.2
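Review bot: the new static __compat_sys_getsockopt() in net/compat.c has no comment saying why it exists, and after this patch COMPAT_SYSCALL_DEFINE5(getsockopt, ...) is a bare pass-through to it. A short comment above the helper stating that it is the body shared by the compat syscall entry point and the SYS_GETSOCKOPT case of compat socketcall would keep a later cleanup from folding the two back together and reintroducing the in-kernel call to the syscall.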
[PATCH 4.9 38/86] nospec: Kill array_index_nospec_mask_check()
4.9-stable review patch. If anyone has any objections, please let me know. -- From: Dan Williamscommit 1d91c1d2c80cb70e2e553845e278b87a960c04da upstream. There are multiple problems with the dynamic sanity checking in array_index_nospec_mask_check(): * It causes unnecessary overhead in the 32-bit case since integer sized @index values will no longer cause the check to be compiled away like in the 64-bit case. * In the 32-bit case it may trigger with user controllable input when the expectation is that should only trigger during development of new kernel enabling. * The macro reuses the input parameter in multiple locations which is broken if someone passes an expression like 'index++' to array_index_nospec(). Reported-by: Linus Torvalds Signed-off-by: Dan Williams Cc: Andy Lutomirski Cc: Arjan van de Ven Cc: Borislav Petkov Cc: Dave Hansen Cc: David Woodhouse Cc: Greg Kroah-Hartman Cc: Josh Poimboeuf Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: Will Deacon Cc: linux-a...@vger.kernel.org Link: http://lkml.kernel.org/r/151881604278.17395.6605847763178076520.st...@dwillia2-desk3.amr.corp.intel.com Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman --- include/linux/nospec.h | 22 +- 1 file changed, 1 insertion(+), 21 deletions(-) --- a/include/linux/nospec.h +++ b/include/linux/nospec.h 
@@ -30,26 +30,6 @@ static inline unsigned long array_index_ #endif /* - * Warn developers about inappropriate array_index_nospec() usage. - * - * Even if the CPU speculates past the WARN_ONCE branch, the - * sign bit of @index is taken into account when generating the - * mask. - * - * This warning is compiled out when the compiler can infer that - * @index and @size are less than LONG_MAX. - */ -#define array_index_mask_nospec_check(index, size) \ -({ \ - if (WARN_ONCE(index > LONG_MAX || size > LONG_MAX, \ - "array_index_nospec() limited to range of [0, LONG_MAX]\n")) \ - _mask = 0; \ - else \ - _mask = array_index_mask_nospec(index, size); \ - _mask; \ -}) - -/* * array_index_nospec - sanitize an array index after a bounds check * * For a code sequence like: @@ -67,7 +47,7 @@ static inline unsigned long array_index_ ({ \ typeof(index) _i = (index); \ typeof(size) _s = (size); \ - unsigned long _mask = array_index_mask_nospec_check(_i, _s);\ + unsigned long _mask = array_index_mask_nospec(_i, _s); \ \ BUILD_BUG_ON(sizeof(_i) > sizeof(long));\ BUILD_BUG_ON(sizeof(_s) > sizeof(long));\
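Review bot: with the array_index_mask_nospec_check() macro removed in the first hunk, the only visible statement of the supported range, the WARN_ONCE text "array_index_nospec() limited to range of [0, LONG_MAX]", disappears as well. The limit itself still applies to array_index_mask_nospec(), so state it in the comment block above array_index_nospec() that the second hunk leaves in place. Separately, the subject and changelog call the macro array_index_nospec_mask_check(), while the name in the diff is array_index_mask_nospec_check(); anyone searching the history for the real name will miss this commit.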
[PATCH 4.9 39/86] nospec: Include dependency
4.9-stable review patch. If anyone has any objections, please let me know. -- From: Dan Williamscommit eb6174f6d1be16b19cfa43dac296bfed003ce1a6 upstream. The nospec.h header expects the per-architecture header file to optionally define array_index_mask_nospec(). Include that dependency to prevent inadvertent fallback to the default array_index_mask_nospec() implementation. The default implementation may not provide a full mitigation on architectures that perform data value speculation. Reported-by: Christian Borntraeger Signed-off-by: Dan Williams Cc: Andy Lutomirski Cc: Arjan van de Ven Cc: Borislav Petkov Cc: Dave Hansen Cc: David Woodhouse Cc: Greg Kroah-Hartman Cc: Josh Poimboeuf Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: Will Deacon Cc: linux-a...@vger.kernel.org Link: http://lkml.kernel.org/r/151881605404.17395.1341935530792574707.st...@dwillia2-desk3.amr.corp.intel.com Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman --- include/linux/nospec.h |1 + 1 file changed, 1 insertion(+) --- a/include/linux/nospec.h +++ b/include/linux/nospec.h @@ -5,6 +5,7 @@ #ifndef _LINUX_NOSPEC_H #define _LINUX_NOSPEC_H +#include /** * array_index_mask_nospec() - generate a ~0 mask when index < size, 0 otherwise
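Review bot: the `#include` added at the top of include/linux/nospec.h carries no comment, so the reason for it lives only in the changelog: the architecture header must be seen first so that its array_index_mask_nospec() is used instead of the generic fallback. Put a one-line comment beside the include saying so; otherwise it looks unused and a later header cleanup could drop it, silently bringing back the weaker default that the changelog warns about.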
[PATCH -next 06/22] net: socket: add __sys_connect() helper; remove in-kernel call to syscall
Using the net-internal helper __sys_connect() allows us to avoid the internal calls to the sys_connect() syscall. Cc: David S. MillerCc: net...@vger.kernel.org Signed-off-by: Dominik Brodowski --- include/linux/socket.h | 2 ++ net/compat.c | 2 +- net/socket.c | 11 --- 3 files changed, 11 insertions(+), 4 deletions(-) diff --git a/include/linux/socket.h b/include/linux/socket.h index e9cee272da13..7daa344d7320 100644 --- a/include/linux/socket.h +++ b/include/linux/socket.h @@ -365,5 +365,7 @@ extern int __sys_accept4(int fd, struct sockaddr __user *upeer_sockaddr, int __user *upeer_addrlen, int flags); extern int __sys_socket(int family, int type, int protocol); extern int __sys_bind(int fd, struct sockaddr __user *umyaddr, int addrlen); +extern int __sys_connect(int fd, struct sockaddr __user *uservaddr, +int addrlen); #endif /* _LINUX_SOCKET_H */ diff --git a/net/compat.c b/net/compat.c index bba555b1d863..7ab6352268f3 100644 --- a/net/compat.c +++ b/net/compat.c @@ -817,7 +817,7 @@ COMPAT_SYSCALL_DEFINE2(socketcall, int, call, u32 __user *, args) ret = __sys_bind(a0, compat_ptr(a1), a[2]); break; case SYS_CONNECT: - ret = sys_connect(a0, compat_ptr(a1), a[2]); + ret = __sys_connect(a0, compat_ptr(a1), a[2]); break; case SYS_LISTEN: ret = sys_listen(a0, a1); diff --git a/net/socket.c b/net/socket.c index 291cdae97341..64bdfdf6c6e7 100644 --- a/net/socket.c +++ b/net/socket.c @@ -1633,8 +1633,7 @@ SYSCALL_DEFINE3(accept, int, fd, struct sockaddr __user *, upeer_sockaddr, * include the -EINPROGRESS status for such sockets. */ -SYSCALL_DEFINE3(connect, int, fd, struct sockaddr __user *, uservaddr, - int, addrlen) +int __sys_connect(int fd, struct sockaddr __user *uservaddr, int addrlen) { struct socket *sock; struct sockaddr_storage address; 
@@ -1660,6 +1659,12 @@ SYSCALL_DEFINE3(connect, int, fd, struct sockaddr __user *, uservaddr, return err; } +SYSCALL_DEFINE3(connect, int, fd, struct sockaddr __user *, uservaddr, + int, addrlen) +{ + return __sys_connect(fd, uservaddr, addrlen); +} + /* * Get the local address ('name') of a socket object. Move the obtained * name to user space. @@ -2479,7 +2484,7 @@ SYSCALL_DEFINE2(socketcall, int, call, unsigned long __user *, args) err = __sys_bind(a0, (struct sockaddr __user *)a1, a[2]); break; case SYS_CONNECT: - err = sys_connect(a0, (struct sockaddr __user *)a1, a[2]); + err = __sys_connect(a0, (struct sockaddr __user *)a1, a[2]); break; case SYS_LISTEN: err = sys_listen(a0, a1); -- 2.16.2
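Review bot: the prototype `extern int __sys_connect(int fd, struct sockaddr __user *uservaddr, int addrlen);` goes into include/linux/socket.h, which makes the helper callable from any part of the kernel, while the changelog describes it as net-internal. If it is meant only for net/socket.c and net/compat.c, say so in a comment above the block of `__sys_*` prototypes, or move the declarations to a header private to net/. The function takes a `__user` pointer, so a caller outside the syscall paths holding a kernel address would be a bug the comment can warn about.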
[PATCH 4.9 37/86] ALSA: hda: add dock and led support for HP ProBook 640 G2
4.9-stable review patch. If anyone has any objections, please let me know. -- From: Dennis Wassenbergcommit 099fd6ca0ad25bc19c5ade2ea4b25b8fadaa11b3 upstream. This patch adds missing initialisation for HP 2013 UltraSlim Dock Line-In/Out PINs and activates keyboard mute/micmute leds for HP ProBook 640 G2 Signed-off-by: Dennis Wassenberg Cc: Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman --- sound/pci/hda/patch_conexant.c |1 + 1 file changed, 1 insertion(+) --- a/sound/pci/hda/patch_conexant.c +++ b/sound/pci/hda/patch_conexant.c @@ -850,6 +850,7 @@ static const struct snd_pci_quirk cxt506 SND_PCI_QUIRK(0x1025, 0x054f, "Acer Aspire 4830T", CXT_FIXUP_ASPIRE_DMIC), SND_PCI_QUIRK(0x103c, 0x8079, "HP EliteBook 840 G3", CXT_FIXUP_HP_DOCK), SND_PCI_QUIRK(0x103c, 0x807C, "HP EliteBook 820 G3", CXT_FIXUP_HP_DOCK), + SND_PCI_QUIRK(0x103c, 0x80FD, "HP ProBook 640 G2", CXT_FIXUP_HP_DOCK), SND_PCI_QUIRK(0x103c, 0x8174, "HP Spectre x360", CXT_FIXUP_HP_SPECTRE), SND_PCI_QUIRK(0x103c, 0x8115, "HP Z1 Gen3", CXT_FIXUP_HP_GATE_MIC), SND_PCI_QUIRK(0x1043, 0x138d, "Asus", CXT_FIXUP_HEADPHONE_MIC_PIN),
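Review bot: the added row `SND_PCI_QUIRK(0x103c, 0x80FD, "HP ProBook 640 G2", CXT_FIXUP_HP_DOCK)` only maps a new subsystem ID onto the existing CXT_FIXUP_HP_DOCK fixup, but the changelog reads as if pin initialisation and LED handling were being added by this patch. Say in the changelog that the ProBook 640 G2 reuses the fixup already used for the EliteBook 840 G3 and 820 G3 rows above it, so a stable reviewer can see the change cannot affect other machines.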
[PATCH 4.9 33/86] ALSA: hda/realtek - Make dock sound work on ThinkPad L570
4.9-stable review patch. If anyone has any objections, please let me know. -- From: Dennis Wassenbergcommit e4c07b3b66b7d6a24c2fe3b1ddeff5cd9b378b3a upstream. One version of Lenovo Thinkpad T570 did not use ALC298 (like other Kaby Lake devices). Instead it uses ALC292. In order to make the Lenovo dock working with that codec the dock quirk for ALC292 will be used. Signed-off-by: Dennis Wassenberg Cc: Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman --- sound/pci/hda/patch_realtek.c |1 + 1 file changed, 1 insertion(+) --- a/sound/pci/hda/patch_realtek.c +++ b/sound/pci/hda/patch_realtek.c @@ -5801,6 +5801,7 @@ static const struct snd_pci_quirk alc269 SND_PCI_QUIRK(0x17aa, 0x2245, "Thinkpad T470", ALC298_FIXUP_TPT470_DOCK), SND_PCI_QUIRK(0x17aa, 0x2246, "Thinkpad", ALC298_FIXUP_TPT470_DOCK), SND_PCI_QUIRK(0x17aa, 0x2247, "Thinkpad", ALC298_FIXUP_TPT470_DOCK), + SND_PCI_QUIRK(0x17aa, 0x2249, "Thinkpad", ALC292_FIXUP_TPT460), SND_PCI_QUIRK(0x17aa, 0x224b, "Thinkpad", ALC298_FIXUP_TPT470_DOCK), SND_PCI_QUIRK(0x17aa, 0x224c, "Thinkpad", ALC298_FIXUP_TPT470_DOCK), SND_PCI_QUIRK(0x17aa, 0x224d, "Thinkpad", ALC298_FIXUP_TPT470_DOCK),
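Review bot: the subject says ThinkPad L570 but the changelog says Thinkpad T570, and the new row `SND_PCI_QUIRK(0x17aa, 0x2249, "Thinkpad", ALC292_FIXUP_TPT460)` names neither. Settle which model owns subsystem ID 0x2249 and put it in the quirk string. The row is also the only ALC292 fixup in a run of ALC298_FIXUP_TPT470_DOCK entries, so a trailing comment that this variant carries an ALC292 codec would stop someone from "correcting" it to match its neighbours.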
[PATCH 4.9 36/86] ALSA: hda: add dock and led support for HP EliteBook 820 G3
4.9-stable review patch. If anyone has any objections, please let me know. -- From: Dennis Wassenbergcommit aea808172018ca01abf53db808323aed23281835 upstream. This patch adds missing initialisation for HP 2013 UltraSlim Dock Line-In/Out PINs and activates keyboard mute/micmute leds for HP EliteBook 820 G3 Signed-off-by: Dennis Wassenberg Cc: Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman --- sound/pci/hda/patch_conexant.c |1 + 1 file changed, 1 insertion(+) --- a/sound/pci/hda/patch_conexant.c +++ b/sound/pci/hda/patch_conexant.c @@ -849,6 +849,7 @@ static const struct snd_pci_quirk cxt506 SND_PCI_QUIRK(0x1025, 0x054c, "Acer Aspire 3830TG", CXT_FIXUP_ASPIRE_DMIC), SND_PCI_QUIRK(0x1025, 0x054f, "Acer Aspire 4830T", CXT_FIXUP_ASPIRE_DMIC), SND_PCI_QUIRK(0x103c, 0x8079, "HP EliteBook 840 G3", CXT_FIXUP_HP_DOCK), + SND_PCI_QUIRK(0x103c, 0x807C, "HP EliteBook 820 G3", CXT_FIXUP_HP_DOCK), SND_PCI_QUIRK(0x103c, 0x8174, "HP Spectre x360", CXT_FIXUP_HP_SPECTRE), SND_PCI_QUIRK(0x103c, 0x8115, "HP Z1 Gen3", CXT_FIXUP_HP_GATE_MIC), SND_PCI_QUIRK(0x1043, 0x138d, "Asus", CXT_FIXUP_HEADPHONE_MIC_PIN),
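Review bot: the new row writes the subsystem ID as `0x807C`, while the surrounding rows in this table use lowercase hex digits (`0x8079`, `0x8174`, `0x138d`). Use `0x807c` so that a case-sensitive search for an ID finds every entry.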
[PATCH 4.4 50/63] x86/module: Detect and skip invalid relocations
4.4-stable review patch. If anyone has any objections, please let me know. -- From: Josh Poimboeufcommit eda9cec4c9a12208a6f69fbe68f72a6311d50032 upstream. There have been some cases where external tooling (e.g., kpatch-build) creates a corrupt relocation which targets the wrong address. This is a silent failure which can corrupt memory in unexpected places. On x86, the bytes of data being overwritten by relocations are always initialized to zero beforehand. Use that knowledge to add sanity checks to detect such cases before they corrupt memory. Signed-off-by: Josh Poimboeuf Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: j...@kernel.org Cc: live-patch...@vger.kernel.org Link: http://lkml.kernel.org/r/37450d6c6225e54db107fba447ce9e56e5f758e9.1509713553.git.jpoim...@redhat.com [ Restructured the messages, as it's unclear whether the relocation or the target is corrupted. ] Signed-off-by: Ingo Molnar Cc: Matthias Kaehlcke Signed-off-by: Greg Kroah-Hartman --- arch/x86/kernel/module.c | 13 + 1 file changed, 13 insertions(+) --- a/arch/x86/kernel/module.c +++ b/arch/x86/kernel/module.c @@ -170,19 +170,27 @@ int apply_relocate_add(Elf64_Shdr *sechd case R_X86_64_NONE: break; case R_X86_64_64: + if (*(u64 *)loc != 0) + goto invalid_relocation; *(u64 *)loc = val; break; case R_X86_64_32: + if (*(u32 *)loc != 0) + goto invalid_relocation; *(u32 *)loc = val; if (val != *(u32 *)loc) goto overflow; break; case R_X86_64_32S: + if (*(s32 *)loc != 0) + goto invalid_relocation; *(s32 *)loc = val; if ((s64)val != *(s32 *)loc) goto overflow; break; case R_X86_64_PC32: + if (*(u32 *)loc != 0) + goto invalid_relocation; val -= (u64)loc; *(u32 *)loc = val; #if 0 
@@ -198,6 +206,11 @@ int apply_relocate_add(Elf64_Shdr *sechd } return 0; +invalid_relocation: + pr_err("x86/modules: Skipping invalid relocation target, existing value is nonzero for type %d, loc %p, val %Lx\n", + (int)ELF64_R_TYPE(rel[i].r_info), loc, val); + return -ENOEXEC; + overflow: pr_err("overflow in relocation type %d val %Lx\n", (int)ELF64_R_TYPE(rel[i].r_info), val);
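Review bot: the pr_err() under the new invalid_relocation label says "Skipping invalid relocation target", but the next line is `return -ENOEXEC;`, so nothing is skipped: apply_relocate_add() fails and the remaining relocations are never applied. Reword the message to say the relocation is rejected and the module load aborted, which is what an administrator reading the log needs to know. The same message prints the target with `loc %p`, which writes a module address into the kernel log; the relocation type and value may be enough for diagnosis.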
[PATCH 4.4 49/63] Revert "ARM: dts: LogicPD Torpedo: Fix I2C1 pinmux"
4.4-stable review patch. If anyone has any objections, please let me know. -- From: Greg Kroah-HartmanThis reverts commit c86bfc7b7b01c4b98c29a39bd60e61fa8e337ebf which was commit 74402055a2d3ec998a1ded599e86185a27d9bbf4 upstream. The backport merged incorrectly, so I'm dropping it. Reported-by: Ben Hutchings Cc: Adam Ford Cc: Tony Lindgren Signed-off-by: Greg Kroah-Hartman --- arch/arm/boot/dts/logicpd-torpedo-som.dtsi |8 1 file changed, 8 deletions(-) --- a/arch/arm/boot/dts/logicpd-torpedo-som.dtsi +++ b/arch/arm/boot/dts/logicpd-torpedo-som.dtsi @@ -90,8 +90,6 @@ }; { - pinctrl-names = "default"; - pinctrl-0 = <_pins>; clock-frequency = <260>; twl: twl@48 { @@ -148,12 +146,6 @@ OMAP3630_CORE2_IOPAD(0x25da, PIN_INPUT_PULLUP | MUX_MODE2) /* etk_ctl.sdmmc3_cmd */ >; }; - i2c1_pins: pinmux_i2c1_pins { - pinctrl-single,pins = < - OMAP3_CORE1_IOPAD(0x21ba, PIN_INPUT | MUX_MODE0) /* i2c1_scl.i2c1_scl */ - OMAP3_CORE1_IOPAD(0x21bc, PIN_INPUT | MUX_MODE0) /* i2c1_sda.i2c1_sda */ - >; - }; }; #include "twl4030.dtsi"
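Review bot: the changelog says only that "The backport merged incorrectly", which does not tell a reviewer what was wrong with the two removed pieces (the `pinctrl-names` / `pinctrl-0` properties and the `i2c1_pins: pinmux_i2c1_pins` node) or whether a corrected backport is planned. Add one sentence on the observed breakage and on whether 4.4 is meant to stay without the I2C1 pinmux fix, so the revert is not later mistaken for a regression and re-applied in the same broken form.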
[PATCH 4.4 52/63] serial: sh-sci: prevent lockup on full TTY buffers
4.4-stable review patch. If anyone has any objections, please let me know. -- From: Ulrich Hechtcommit 7842055bfce4bf0170d0f61df8b2add8399697be upstream. When the TTY buffers fill up to the configured maximum, a system lockup occurs: [ 598.820128] INFO: rcu_preempt detected stalls on CPUs/tasks: [ 598.825796] 0-...!: (1 GPs behind) idle=5a6/2/0 softirq=1974/1974 fqs=1 [ 598.832577] (detected by 3, t=62517 jiffies, g=296, c=295, q=126) [ 598.838755] Task dump for CPU 0: [ 598.841977] swapper/0 R running task0 0 0 0x0022 [ 598.849023] Call trace: [ 598.851476] __switch_to+0x98/0xb0 [ 598.854870](null) This can be prevented by doing a dummy read of the RX data register. This issue affects both HSCIF and SCIF ports. Reported for R-Car H3 ES2.0; reproduced and fixed on H3 ES1.1. Probably affects other R-Car platforms as well. Reported-by: Yoshihiro Shimoda Signed-off-by: Ulrich Hecht Reviewed-by: Geert Uytterhoeven Cc: stable Tested-by: Nguyen Viet Dung Signed-off-by: Greg Kroah-Hartman --- drivers/tty/serial/sh-sci.c |2 ++ 1 file changed, 2 insertions(+) --- a/drivers/tty/serial/sh-sci.c +++ b/drivers/tty/serial/sh-sci.c @@ -847,6 +847,8 @@ static void sci_receive_chars(struct uar /* Tell the rest of the system the news. New characters! */ tty_flip_buffer_push(tport); } else { + /* TTY buffers full; read from RX reg to prevent lockup */ + serial_port_in(port, SCxRDR); serial_port_in(port, SCxSR); /* dummy read */ sci_clear_SCxSR(port, SCxSR_RDxF_CLEAR(port)); }
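Review bot: in the else branch of sci_receive_chars() the value returned by the new `serial_port_in(port, SCxRDR);` is discarded, so every byte that arrives while the TTY buffers are full is dropped without any record. Account for the loss, for example by incrementing port->icount.buf_overrun in the same branch, so that the drop is visible in the port statistics. The comment could also say that the byte read is thrown away, since the line below it is already marked as a dummy read and this one is not.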
[PATCH 4.4 19/63] bcache: dont attach backing with duplicate UUID
4.4-stable review patch. If anyone has any objections, please let me know. -- From: Michael Lylecommit 86755b7a96faed57f910f9e6b8061e019ac1ec08 upstream. This can happen e.g. during disk cloning. This is an incomplete fix: it does not catch duplicate UUIDs earlier when things are still unattached. It does not unregister the device. Further changes to cope better with this are planned but conflict with Coly's ongoing improvements to handling device errors. In the meantime, one can manually stop the device after this has happened. Attempts to attach a duplicate device result in: [ 136.372404] loop: module loaded [ 136.424461] bcache: register_bdev() registered backing device loop0 [ 136.424464] bcache: bch_cached_dev_attach() Tried to attach loop0 but duplicate UUID already attached My test procedure is: dd if=/dev/sdb1 of=imgfile bs=1024 count=262144 losetup -f imgfile Signed-off-by: Michael Lyle Reviewed-by: Tang Junhui Cc: Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman --- drivers/md/bcache/super.c | 11 +++ 1 file changed, 11 insertions(+) --- a/drivers/md/bcache/super.c +++ b/drivers/md/bcache/super.c @@ -935,6 +935,7 @@ int bch_cached_dev_attach(struct cached_ uint32_t rtime = cpu_to_le32(get_seconds()); struct uuid_entry *u; char buf[BDEVNAME_SIZE]; + struct cached_dev *exist_dc, *t; bdevname(dc->bdev, buf); @@ -958,6 +959,16 @@ int bch_cached_dev_attach(struct cached_ return -EINVAL; } + /* Check whether already attached */ + list_for_each_entry_safe(exist_dc, t, >cached_devs, list) { + if (!memcmp(dc->sb.uuid, exist_dc->sb.uuid, 16)) { + pr_err("Tried to attach %s but duplicate UUID already attached", + buf); + + return -EINVAL; + } + } + u = uuid_find(c, dc->sb.uuid); if (u &&
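Review bot: the duplicate-UUID loop added to bch_cached_dev_attach() uses list_for_each_entry_safe() with a spare cursor `t`, but the loop body never removes an entry, so list_for_each_entry() is sufficient and the `*t` declaration from the first hunk can go. The comparison `memcmp(dc->sb.uuid, exist_dc->sb.uuid, 16)` hard-codes the UUID length; `sizeof(dc->sb.uuid)` keeps it tied to the field. The hunk does not show which lock protects the cached_devs list during the walk; a comment naming it would help, since the changelog says this path can be reached by a second, cloned device registering.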
Re: arc_usr_cmpxchg and preemption
Hi Peter, Vineet,

On Wed, 2018-03-14 at 18:53 +0100, Peter Zijlstra wrote:
> On Wed, Mar 14, 2018 at 09:58:19AM -0700, Vineet Gupta wrote:
>
> > Well it is broken wrt the semantics the syscall is supposed to provide.
> > Preemption disabling is what prevents a concurrent thread from coming in and
> > modifying the same location (Imagine a variable which is being cmpxchg
> > concurrently by 2 threads).
> >
> > One approach is to do it the MIPS way, emulate the llsc flag - set it under
> > preemption disabled section and clear it in switch_to
>
> *shudder*... just catch the -EFAULT, force the write fault and retry.

The more I look at this initially quite simple thing, the more it looks like a can of worms...

> Something like:
>
> int sys_cmpxchg(u32 __user *user_ptr, u32 old, u32 new)
> {

That function is supposed to return the old value stored in memory. At least that's how it is used in case of ARC and M68K.

Remember there's already libc that relies on that established API and we cannot just change it... even though it might be a good idea. For example return "errno" and pass old value via pointer in an argument. But now I guess it's better to use what we have now.

> 	u32 val;
> 	int ret;
>
> again:
> 	ret = 0;
>
> 	preempt_disable();
> 	val = get_user(user_ptr);

What if get_user() fails? In Peter's implementation we will return 0, in Vineet's we will return -EFAULT... and who knows what kind of unexpected behavior happens further down the line in user-space... so I think it would be safer to kill the process then.
And that's my take:
-->8
int sys_cmpxchg(u32 __user *user_ptr, u32 old, u32 new)
{
	u32 val;
	int ret;

again:
	ret = 0;

	preempt_disable();
	ret = get_user(val, user_ptr);
	if (ret == -EFAULT) {
		struct page *page;

		preempt_enable();
		ret = get_user_pages_fast((unsigned long)user_ptr, 1, 1, &page);
		if (ret < 0) {
			force_sig(SIGSEGV, current);
			return ret;
		}

		put_page(page);
		goto again;
	}

	if (val == old)
		ret = put_user(new, user_ptr);

	preempt_enable();

	if (ret == -EFAULT) {
		struct page *page;

		ret = get_user_pages_fast((unsigned long)user_ptr, 1, 1, &page);
		if (ret < 0) {
			force_sig(SIGSEGV, current);
			return ret;
		}

		put_page(page);
		goto again;
	}

	return ret;
}
-->8

-Alexey
[PATCH 4.4 20/63] x86/MCE: Serialize sysfs changes
4.4-stable review patch. If anyone has any objections, please let me know. -- From: Seunghun Hancommit b3b7c4795ccab5be71f080774c45bbbcc75c2aaf upstream. The check_interval file in /sys/devices/system/machinecheck/machinecheck directory is a global timer value for MCE polling. If it is changed by one CPU, mce_restart() broadcasts the event to other CPUs to delete and restart the MCE polling timer and __mcheck_cpu_init_timer() reinitializes the mce_timer variable. If more than one CPU writes a specific value to the check_interval file concurrently, mce_timer is not protected from such concurrent accesses and all kinds of explosions happen. Since only root can write to those sysfs variables, the issue is not a big deal security-wise. However, concurrent writes to these configuration variables is void of reason so the proper thing to do is to serialize the access with a mutex. Boris: - Make store_int_with_restart() use device_store_ulong() to filter out negative intervals - Limit min interval to 1 second - Correct locking - Massage commit message Signed-off-by: Seunghun Han Signed-off-by: Borislav Petkov Signed-off-by: Thomas Gleixner Cc: Greg Kroah-Hartman Cc: Tony Luck Cc: linux-edac Cc: sta...@vger.kernel.org Link: http://lkml.kernel.org/r/20180302202706.9434-1-kkama...@gmail.com Signed-off-by: Greg Kroah-Hartman --- arch/x86/kernel/cpu/mcheck/mce.c | 22 +- 1 file changed, 21 insertions(+), 1 deletion(-) --- a/arch/x86/kernel/cpu/mcheck/mce.c +++ b/arch/x86/kernel/cpu/mcheck/mce.c @@ -60,6 +60,9 @@ static DEFINE_MUTEX(mce_chrdev_read_mute smp_load_acquire(&(p)); \ }) +/* sysfs synchronization */ +static DEFINE_MUTEX(mce_sysfs_mutex); + #define CREATE_TRACE_POINTS #include @@ -2220,6 +2223,7 @@ static ssize_t set_ignore_ce(struct devi if (kstrtou64(buf, 0, ) < 0) return -EINVAL; + mutex_lock(_sysfs_mutex); if (mca_cfg.ignore_ce ^ !!new) { if (new) { /* disable ce features */ 
@@ -2232,6 +2236,8 @@ static ssize_t set_ignore_ce(struct devi on_each_cpu(mce_enable_ce, (void *)1, 1); } } + mutex_unlock(_sysfs_mutex); + return size; } @@ -2244,6 +2250,7 @@ static ssize_t set_cmci_disabled(struct if (kstrtou64(buf, 0, ) < 0) return -EINVAL; + mutex_lock(_sysfs_mutex); if (mca_cfg.cmci_disabled ^ !!new) { if (new) { /* disable cmci */ @@ -2255,6 +2262,8 @@ static ssize_t set_cmci_disabled(struct on_each_cpu(mce_enable_ce, NULL, 1); } } + mutex_unlock(_sysfs_mutex); + return size; } @@ -2262,8 +2271,19 @@ static ssize_t store_int_with_restart(st struct device_attribute *attr, const char *buf, size_t size) { - ssize_t ret = device_store_int(s, attr, buf, size); + unsigned long old_check_interval = check_interval; + ssize_t ret = device_store_ulong(s, attr, buf, size); + + if (check_interval == old_check_interval) + return ret; + + if (check_interval < 1) + check_interval = 1; + + mutex_lock(_sysfs_mutex); mce_restart(); + mutex_unlock(_sysfs_mutex); + return ret; }
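Review bot: in the store_int_with_restart() hunk the mutex covers only mce_restart(); the snapshot `old_check_interval = check_interval`, the device_store_ulong() write and the `check_interval < 1` clamp all run before mce_sysfs_mutex is taken. Two concurrent writers can therefore still interleave on check_interval itself, and a written 0 is visible to other CPUs until the clamp runs, which is the kind of concurrent access the changelog sets out to remove. Take the mutex at the top of the function and drop it on both return paths, so the read, write, clamp and restart form one critical section.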
[PATCH 4.4 10/63] drm/amdgpu: Notify sbios device ready before send request
4.4-stable review patch. If anyone has any objections, please let me know. -- From: Rex Zhucommit 1bced75f4ab04bec55aecb57d99435dc6d0ae5a0 upstream. it is required if a platform supports PCIe root complex core voltage reduction. After receiving this notification, SBIOS can apply default PCIe root complex power policy. Reviewed-by: Alex Deucher Signed-off-by: Rex Zhu Signed-off-by: Alex Deucher Cc: sta...@vger.kernel.org Signed-off-by: Greg Kroah-Hartman --- drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c |3 +++ 1 file changed, 3 insertions(+) --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c @@ -585,6 +585,9 @@ int amdgpu_acpi_pcie_performance_request size_t size; u32 retry = 3; + if (amdgpu_acpi_pcie_notify_device_ready(adev)) + return -EINVAL; + /* Get the device handle */ handle = ACPI_HANDLE(>pdev->dev); if (!handle)
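Review bot: the new early exit in amdgpu_acpi_pcie_performance_request() turns any nonzero result of amdgpu_acpi_pcie_notify_device_ready(adev) into -EINVAL, which hides the real cause from the caller. Keep the result in a local and return it unchanged. The call is also placed above the "Get the device handle" block, so it runs before the `if (!handle)` check visible below it; if the notify helper depends on the same ACPI handle, either move the call after that check or note in a comment that the helper validates the handle on its own.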
[PATCH 3.18 04/25] x86/MCE: Serialize sysfs changes
3.18-stable review patch. If anyone has any objections, please let me know. -- From: Seunghun Hancommit b3b7c4795ccab5be71f080774c45bbbcc75c2aaf upstream. The check_interval file in /sys/devices/system/machinecheck/machinecheck directory is a global timer value for MCE polling. If it is changed by one CPU, mce_restart() broadcasts the event to other CPUs to delete and restart the MCE polling timer and __mcheck_cpu_init_timer() reinitializes the mce_timer variable. If more than one CPU writes a specific value to the check_interval file concurrently, mce_timer is not protected from such concurrent accesses and all kinds of explosions happen. Since only root can write to those sysfs variables, the issue is not a big deal security-wise. However, concurrent writes to these configuration variables is void of reason so the proper thing to do is to serialize the access with a mutex. Boris: - Make store_int_with_restart() use device_store_ulong() to filter out negative intervals - Limit min interval to 1 second - Correct locking - Massage commit message Signed-off-by: Seunghun Han Signed-off-by: Borislav Petkov Signed-off-by: Thomas Gleixner Cc: Greg Kroah-Hartman Cc: Tony Luck Cc: linux-edac Cc: sta...@vger.kernel.org Link: http://lkml.kernel.org/r/20180302202706.9434-1-kkama...@gmail.com Signed-off-by: Greg Kroah-Hartman --- arch/x86/kernel/cpu/mcheck/mce.c | 22 +- 1 file changed, 21 insertions(+), 1 deletion(-) --- a/arch/x86/kernel/cpu/mcheck/mce.c +++ b/arch/x86/kernel/cpu/mcheck/mce.c @@ -56,6 +56,9 @@ static DEFINE_MUTEX(mce_chrdev_read_mute rcu_read_lock_sched_held() || \ lockdep_is_held(_chrdev_read_mutex)) +/* sysfs synchronization */ +static DEFINE_MUTEX(mce_sysfs_mutex); + #define CREATE_TRACE_POINTS #include @@ -2183,6 +2186,7 @@ static ssize_t set_ignore_ce(struct devi if (kstrtou64(buf, 0, ) < 0) return -EINVAL; + mutex_lock(_sysfs_mutex); if (mca_cfg.ignore_ce ^ !!new) { if (new) { /* disable ce features */ 
@@ -2195,6 +2199,8 @@ static ssize_t set_ignore_ce(struct devi on_each_cpu(mce_enable_ce, (void *)1, 1); } } + mutex_unlock(_sysfs_mutex); + return size; } @@ -2207,6 +2213,7 @@ static ssize_t set_cmci_disabled(struct if (kstrtou64(buf, 0, ) < 0) return -EINVAL; + mutex_lock(_sysfs_mutex); if (mca_cfg.cmci_disabled ^ !!new) { if (new) { /* disable cmci */ @@ -2218,6 +2225,8 @@ static ssize_t set_cmci_disabled(struct on_each_cpu(mce_enable_ce, NULL, 1); } } + mutex_unlock(_sysfs_mutex); + return size; } @@ -2225,8 +2234,19 @@ static ssize_t store_int_with_restart(st struct device_attribute *attr, const char *buf, size_t size) { - ssize_t ret = device_store_int(s, attr, buf, size); + unsigned long old_check_interval = check_interval; + ssize_t ret = device_store_ulong(s, attr, buf, size); + + if (check_interval == old_check_interval) + return ret; + + if (check_interval < 1) + check_interval = 1; + + mutex_lock(_sysfs_mutex); mce_restart(); + mutex_unlock(_sysfs_mutex); + return ret; }
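Review bot: store_int_with_restart() now writes through device_store_ulong() and keeps the previous value in `unsigned long old_check_interval`, but the hunk shows neither the declaration of check_interval nor the show callback registered for the attribute. Confirm for this 3.18 backport that the variable is an unsigned long and that the show side matches; if it is still an int, the store writes past the variable. The test `if (check_interval < 1)` on an unsigned value is just a test for zero, and writing it as `== 0` states the intent (a minimum interval of one second) more directly.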
[PATCH 3.18 03/25] Input: matrix_keypad - fix race when disabling interrupts
3.18-stable review patch. If anyone has any objections, please let me know. -- From: Zhang Bocommit ea4f7bd2aca9f68470e9aac0fc9432fd180b1fe7 upstream. If matrix_keypad_stop() is executing and the keypad interrupt is triggered, disable_row_irqs() may be called by both matrix_keypad_interrupt() and matrix_keypad_stop() at the same time, causing interrupts to be disabled twice and the keypad being "stuck" after resuming. Take lock when setting keypad->stopped to ensure that ISR will not race with matrix_keypad_stop() disabling interrupts. Signed-off-by: Zhang Bo Cc: sta...@vger.kernel.org Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman --- drivers/input/keyboard/matrix_keypad.c |4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/drivers/input/keyboard/matrix_keypad.c +++ b/drivers/input/keyboard/matrix_keypad.c @@ -216,8 +216,10 @@ static void matrix_keypad_stop(struct in { struct matrix_keypad *keypad = input_get_drvdata(dev); + spin_lock_irq(>lock); keypad->stopped = true; - mb(); + spin_unlock_irq(>lock); + flush_work(>work.work); /* * matrix_keypad_scan() will leave IRQs enabled;
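Review bot: in matrix_keypad_stop() the `mb()` is replaced by setting `keypad->stopped = true;` under the keypad lock, but the hunk shows only this side of the race. The fix works only if matrix_keypad_interrupt() tests keypad->stopped and calls disable_row_irqs() inside the same lock; say so in a comment above the new spin_lock_irq() so the pairing is not broken by a later edit to the handler. The use of spin_lock_irq() rather than the irqsave variant is fine here because flush_work() on the next line may sleep, which already requires process context; a short note to that effect would save the next reader from checking.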
RE: [PATCH v5 0/2] Remove false-positive VLAs when using max()
From: Linus Torvalds > Sent: 16 March 2018 17:29 > On Fri, Mar 16, 2018 at 4:47 AM, Florian Weimerwrote: > > > > If you want to catch stack frames which have unbounded size, > > -Werror=stack-usage=1000 or -Werror=vla-larger-than=1000 (with the constant > > adjusted as needed) might be the better approach. > > No, we want to catch *variable* stack sizes. > > Does "-Werror=vla-larger-than=0" perhaps work for that? No, because > the stupid compiler says that is "meaningless". > > And no, using "-Werror=vla-larger-than=1" doesn't work either, because > the moronic compiler continues to think that "vla" is about the > _type_, not the code: > >t.c: In function ‘test’: >t.c:6:6: error: argument to variable-length array is too large > [-Werror=vla-larger-than=] > int array[(1,100)]; > > Gcc people are crazy. > > Is there really no way to just say "shut up about the stupid _syntax_ > issue that is entirely irrelevant, and give us the _code_ issue". I looked at the generated code for one of the constant sized VLA that the compiler barfed at. It seemed to subtract constants from %sp separately for the VLA. So it looks like the compiler treats them as VLA even though it knows the size. That is probably missing optimisation. David
[PATCH 4.14 036/109] drm/amdgpu: fix get_max_engine_clock_in_mhz
4.14-stable review patch. If anyone has any objections, please let me know. -- From: Felix Kuehling[ Upstream commit a9efcc19161e20623c285fac967a32842972cebe ] Use proper powerplay function. This fixes OpenCL initialization problems. Signed-off-by: Felix Kuehling Acked-by: Oded Gabbay Signed-off-by: Oded Gabbay Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c |7 +-- 1 file changed, 5 insertions(+), 2 deletions(-) --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c @@ -265,6 +265,9 @@ uint32_t get_max_engine_clock_in_mhz(str { struct amdgpu_device *adev = (struct amdgpu_device *)kgd; - /* The sclk is in quantas of 10kHz */ - return adev->pm.dpm.dyn_state.max_clock_voltage_on_ac.sclk / 100; + /* the sclk is in quantas of 10kHz */ + if (amdgpu_sriov_vf(adev)) + return adev->clock.default_sclk / 100; + + return amdgpu_dpm_get_sclk(adev, false) / 100; }
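Review bot: the new amdgpu_sriov_vf(adev) branch returning adev->clock.default_sclk / 100 is not mentioned in the commit message, which only says "Use proper powerplay function"; the comment above it should say why a virtual function reports the default clock instead of calling amdgpu_dpm_get_sclk(). The lower-casing of "The sclk is in quantas of 10kHz" is unrelated churn for a stable backport. It is also worth stating what the caller sees if amdgpu_dpm_get_sclk(adev, false) returns 0, since the result is divided and returned unchecked.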
[PATCH 4.14 037/109] staging: rtl8822be: fix missing null check on dev_alloc_skb return
4.14-stable review patch. If anyone has any objections, please let me know. -- From: Colin Ian King[ Upstream commit 3eb23426e1749a0483bc4c9b18e51f657569e3ed ] dev_alloc_skb can potentially return NULL, so add a null check to avoid a null pointer dereference on skb Detected by CoverityScan, CID#1454558 ("Dereference on null return") Fixes: 7e5b796cde7e ("staging: r8822be: Add the driver code") Signed-off-by: Colin Ian King Acked-by: Larry Finger Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/staging/rtlwifi/rtl8822be/fw.c |2 ++ 1 file changed, 2 insertions(+) --- a/drivers/staging/rtlwifi/rtl8822be/fw.c +++ b/drivers/staging/rtlwifi/rtl8822be/fw.c @@ -464,6 +464,8 @@ bool rtl8822b_halmac_cb_write_data_rsvd_ int count; skb = dev_alloc_skb(size); + if (!skb) + return false; memcpy((u8 *)skb_put(skb, size), buf, size); if (!_rtl8822be_send_bcn_or_cmd_packet(rtlpriv->hw, skb, BEACON_QUEUE))
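Review bot: the added if (!skb) return false; path is silent, so an allocation failure in this callback cannot be told apart from the send failure handled by the following _rtl8822be_send_bcn_or_cmd_packet() test. Either emit a debug message on the allocation failure or note in the function comment that false covers both cases, so callers and log readers know an out-of-memory condition is one of them.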
[PATCH 4.14 005/109] ASoC: sgtl5000: Fix suspend/resume
4.14-stable review patch. If anyone has any objections, please let me know. -- From: Fabio Estevamcommit a8992973edbb2555e956b90f6fe97c4bc14d761d upstream. Commit 8419caa72702 ("ASoC: sgtl5000: Do not disable regulators in SND_SOC_BIAS_OFF") causes the sgtl5000 to fail after a suspend/resume sequence: Playing WAVE '/media/a2002011001-e02.wav' : Signed 16 bit Little Endian, Rate 44100 Hz, Stereo aplay: pcm_write:2051: write error: Input/output error The problem is caused by the fact that the aforementioned commit dropped the cache handling, so re-introduce the register map resync to fix the problem. Suggested-by: Mark Brown Signed-off-by: Fabio Estevam Signed-off-by: Mark Brown Cc: Signed-off-by: Greg Kroah-Hartman --- sound/soc/codecs/sgtl5000.c | 11 +++ 1 file changed, 11 insertions(+) --- a/sound/soc/codecs/sgtl5000.c +++ b/sound/soc/codecs/sgtl5000.c @@ -871,15 +871,26 @@ static int sgtl5000_pcm_hw_params(struct static int sgtl5000_set_bias_level(struct snd_soc_codec *codec, enum snd_soc_bias_level level) { + struct sgtl5000_priv *sgtl = snd_soc_codec_get_drvdata(codec); + int ret; + switch (level) { case SND_SOC_BIAS_ON: case SND_SOC_BIAS_PREPARE: case SND_SOC_BIAS_STANDBY: + regcache_cache_only(sgtl->regmap, false); + ret = regcache_sync(sgtl->regmap); + if (ret) { + regcache_cache_only(sgtl->regmap, true); + return ret; + } + snd_soc_update_bits(codec, SGTL5000_CHIP_ANA_POWER, SGTL5000_REFTOP_POWERUP, SGTL5000_REFTOP_POWERUP); break; case SND_SOC_BIAS_OFF: + regcache_cache_only(sgtl->regmap, true); snd_soc_update_bits(codec, SGTL5000_CHIP_ANA_POWER, SGTL5000_REFTOP_POWERUP, 0); break;
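Review bot: in the SND_SOC_BIAS_OFF case regcache_cache_only(sgtl->regmap, true) is called before snd_soc_update_bits() clears SGTL5000_REFTOP_POWERUP. If the codec I/O goes through the same regmap, that write now lands only in the cache and the reference is never powered down in hardware; the cache-only switch should come after the update. Separately, ON, PREPARE and STANDBY share one case body, so regcache_sync() runs on every transition between those levels, not only when leaving OFF; consider checking the previous bias level and syncing only on the OFF to STANDBY edge.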
[PATCH 4.14 046/109] rtc: brcmstb-waketimer: fix error handling in brcmstb_waketmr_probe()
4.14-stable review patch. If anyone has any objections, please let me know. -- From: Alexey Khoroshilov[ Upstream commit f2eef045de9defbc6fc6b72b17f0941cbe26c81d ] brcmstb_waketmr_probe() does not disable timer->clk on error paths. Found by Linux Driver Verification project (linuxtesting.org). Fixes: c4f07ecee22e ("rtc: brcmstb-waketimer: Add Broadcom STB wake-timer") Signed-off-by: Alexey Khoroshilov Reviewed-by: Florian Fainelli Signed-off-by: Alexandre Belloni Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/rtc/rtc-brcmstb-waketimer.c | 15 --- 1 file changed, 12 insertions(+), 3 deletions(-) --- a/drivers/rtc/rtc-brcmstb-waketimer.c +++ b/drivers/rtc/rtc-brcmstb-waketimer.c @@ -253,7 +253,7 @@ static int brcmstb_waketmr_probe(struct ret = devm_request_irq(dev, timer->irq, brcmstb_waketmr_irq, 0, "brcmstb-waketimer", timer); if (ret < 0) - return ret; + goto err_clk; timer->reboot_notifier.notifier_call = brcmstb_waketmr_reboot; register_reboot_notifier(>reboot_notifier); @@ -262,12 +262,21 @@ static int brcmstb_waketmr_probe(struct _waketmr_ops, THIS_MODULE); if (IS_ERR(timer->rtc)) { dev_err(dev, "unable to register device\n"); - unregister_reboot_notifier(>reboot_notifier); - return PTR_ERR(timer->rtc); + ret = PTR_ERR(timer->rtc); + goto err_notifier; } dev_info(dev, "registered, with irq %d\n", timer->irq); + return 0; + +err_notifier: + unregister_reboot_notifier(>reboot_notifier); + +err_clk: + if (timer->clk) + clk_disable_unprepare(timer->clk); + return ret; }
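Review bot: the new unwind labels cover the devm_request_irq() and rtc registration failures, but register_reboot_notifier() in the context lines is still called with its return value ignored, so a failure there continues the probe and later reaches err_notifier to unregister a notifier that was never registered. Check it and jump to err_clk. The if (timer->clk) guard at err_clk also only works if the earlier clock lookup stores NULL rather than an error pointer when the clock is absent; that code is outside these hunks and should be confirmed.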
[PATCH 4.14 030/109] HID: multitouch: Only look at non touch fields in first packet of a frame
4.14-stable review patch. If anyone has any objections, please let me know. -- From: Hans de Goede[ Upstream commit 55746d28d66860bccaae20a67b55b9d5db7c14af ] Devices in "single finger hybrid mode" will send one report per finger, on some devices only the first report of such a multi-packet frame will contain a value for BTN_LEFT, in subsequent reports (if multiple fingers are down) the value is always 0, causing hid-mt to report BTN_LEFT going 1 - 0 - 1 - 0 when pressing a clickpad and putting down a second finger. This happens for example on USB 0603:0002 mt touchpads. This commit fixes this by only reporting non touch fields for the first packet of a (possibly) multi-packet frame. Signed-off-by: Hans de Goede Reviewed-by: Benjamin Tissoires Signed-off-by: Jiri Kosina Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/hid/hid-multitouch.c | 17 +++-- 1 file changed, 15 insertions(+), 2 deletions(-) --- a/drivers/hid/hid-multitouch.c +++ b/drivers/hid/hid-multitouch.c @@ -738,9 +738,11 @@ static int mt_touch_event(struct hid_dev } static void mt_process_mt_event(struct hid_device *hid, struct hid_field *field, - struct hid_usage *usage, __s32 value) + struct hid_usage *usage, __s32 value, + bool first_packet) { struct mt_device *td = hid_get_drvdata(hid); + __s32 cls = td->mtclass.name; __s32 quirks = td->mtclass.quirks; struct input_dev *input = field->hidinput->input; @@ -794,6 +796,15 @@ static void mt_process_mt_event(struct h break; default: + /* +* For Win8 PTP touchpads we should only look at +* non finger/touch events in the first_packet of +* a (possible) multi-packet frame. +*/ + if ((cls == MT_CLS_WIN_8 || cls == MT_CLS_WIN_8_DUAL) && + !first_packet) + return; + if (usage->type) input_event(input, usage->type, usage->code, value); @@ -813,6 +824,7 @@ static void mt_touch_report(struct hid_d { struct mt_device *td = hid_get_drvdata(hid); struct hid_field *field; + bool first_packet; unsigned count; int r, n; 
@@ -831,6 +843,7 @@ static void mt_touch_report(struct hid_d td->num_expected = value; } + first_packet = td->num_received == 0; for (r = 0; r < report->maxfield; r++) { field = report->field[r]; count = field->report_count; @@ -840,7 +853,7 @@ static void mt_touch_report(struct hid_d for (n = 0; n < count; n++) mt_process_mt_event(hid, field, >usage[n], - field->value[n]); + field->value[n], first_packet); } if (td->num_received >= td->num_expected)
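Review bot: first_packet is computed once per report as td->num_received == 0, so the filter in the default: case is only correct if num_received is reliably reset to 0 at the end of every frame, including frames that end early or time out; that reset is not in these hunks and deserves a comment next to the assignment. The early return is also limited to MT_CLS_WIN_8 and MT_CLS_WIN_8_DUAL, while the commit message describes the fault for devices in "single finger hybrid mode" in general; the in-code comment should state that other classes are deliberately left with the old behaviour.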
[PATCH 4.14 032/109] iwlwifi: mvm: rs: dont override the rate history in the search cycle
4.14-stable review patch. If anyone has any objections, please let me know. -- From: Emmanuel Grumbach[ Upstream commit 992172e3aec19e5b0ea5b757ba40a146b9282d1e ] When we are in a search cycle, we try different combinations of parameters. Those combinations are called 'columns'. When we switch to a new column, we first need to check if this column has a suitable rate, if not, we can't try it. This means we must not erase the statistics we gathered for the previous column until we are sure that we are indeed switching column. The code that tries to switch to a new column first sets a whole bunch of things for the new column, and only then checks that we can find suitable rates in that column. While doing that, the code mistakenly erased the rate statistics. This code was right until struct iwl_scale_tbl_info grew up for TPC. Fix this to make sure we don't erase the rate statistics until we are sure that we can indeed switch to the new column. Note that this bug is really harmless since it causes a change in the behavior only when we can't find any rate in the new column which should really not happen. In the case we do find a suitable we reset the rate statistics a few lines later anyway. Signed-off-by: Emmanuel Grumbach Signed-off-by: Luca Coelho Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/net/wireless/intel/iwlwifi/mvm/rs.c |4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) --- a/drivers/net/wireless/intel/iwlwifi/mvm/rs.c +++ b/drivers/net/wireless/intel/iwlwifi/mvm/rs.c 
@@ -1881,12 +1881,10 @@ static int rs_switch_to_column(struct iw struct rs_rate *rate = _tbl->rate; const struct rs_tx_column *column = _tx_columns[col_id]; const struct rs_tx_column *curr_column = _tx_columns[tbl->column]; - u32 sz = (sizeof(struct iwl_scale_tbl_info) - - (sizeof(struct iwl_rate_scale_data) * IWL_RATE_COUNT)); unsigned long rate_mask = 0; u32 rate_idx = 0; - memcpy(search_tbl, tbl, sz); + memcpy(search_tbl, tbl, offsetof(struct iwl_scale_tbl_info, win)); rate->sgi = column->sgi; rate->ant = column->ant;
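Review bot: memcpy(search_tbl, tbl, offsetof(struct iwl_scale_tbl_info, win)) is correct only while win stays the first of the statistics members and every field that must be copied is declared before it. The commit message says the old size arithmetic broke exactly because the struct grew, so the same can happen again silently. Add a comment at the struct definition that members placed before win are copied on column switch and members from win onwards are not, or a BUILD_BUG_ON tying the layout to this call.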
[PATCH 4.14 077/109] mwifiex: cfg80211: do not change virtual interface during scan processing
4.14-stable review patch. If anyone has any objections, please let me know. -- From: Limin Zhu [ Upstream commit c61cfe49f0f0f0d1f8b56d0b045838d597e8c3a3 ] (1) Change virtual interface operation in cfg80211 process reset and reinitialize private data structure. (2) Scan result event processed in main process will dereference private data structure concurrently, occasionally crash the kernel. The corner case could be triggered by below steps: (1) wpa_cli mlan0 scan (2) ./hostapd mlan0.conf Cfg80211 asynchronous scan procedure is not all the time operated under rtnl lock, here we add the protect to serialize the cfg80211 scan and change_virtual interface operation. Signed-off-by: Limin Zhu Signed-off-by: Xinming Hu Signed-off-by: Kalle Valo Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/net/wireless/marvell/mwifiex/cfg80211.c |6 ++ 1 file changed, 6 insertions(+) --- a/drivers/net/wireless/marvell/mwifiex/cfg80211.c +++ b/drivers/net/wireless/marvell/mwifiex/cfg80211.c @@ -1116,6 +1116,12 @@ mwifiex_cfg80211_change_virtual_intf(str struct mwifiex_private *priv = mwifiex_netdev_get_priv(dev); enum nl80211_iftype curr_iftype = dev->ieee80211_ptr->iftype; + if (priv->scan_request) { + mwifiex_dbg(priv->adapter, ERROR, + "change virtual interface: scan in process\n"); + return -EBUSY; + } + switch (curr_iftype) { case NL80211_IFTYPE_ADHOC: switch (type) {
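Review bot: the new if (priv->scan_request) test is a plain read with no lock taken in the hunk, so it narrows the window but does not serialize anything: a scan that starts right after the check still runs concurrently with the interface change that resets the private data. The commit message itself says the scan path is not always under the rtnl lock, so the check needs to be made under whatever lock the scan path uses to set and clear scan_request. The message is also logged at ERROR level for a condition user space can trigger at will (the commit message gives the two commands); a lower level would avoid log flooding.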
[PATCH 4.14 056/109] clk: ti: clkctrl: add support for retrying failed init
4.14-stable review patch. If anyone has any objections, please let me know. -- From: Tero Kristo[ Upstream commit 729e13bf58e643b9accd2a14c55b555958702fb0 ] In case the clkctrl node contains assigned-clock-* entries, registering the provider can fail with -EPROBE_DEFER. In this case, add the provider to the retry_init clock list so it will be cleaned up later. Signed-off-by: Tero Kristo Acked-by: Stephen Boyd Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/clk/ti/clkctrl.c | 12 +++- 1 file changed, 11 insertions(+), 1 deletion(-) --- a/drivers/clk/ti/clkctrl.c +++ b/drivers/clk/ti/clkctrl.c @@ -400,6 +400,12 @@ _ti_clkctrl_setup_subclks(struct omap_cl } } +static void __init _clkctrl_add_provider(void *data, +struct device_node *np) +{ + of_clk_add_hw_provider(np, _ti_omap4_clkctrl_xlate, data); +} + static void __init _ti_omap4_clkctrl_setup(struct device_node *node) { struct omap_clkctrl_provider *provider; @@ -411,6 +417,7 @@ static void __init _ti_omap4_clkctrl_set struct omap_clkctrl_clk *clkctrl_clk; const __be32 *addrp; u32 addr; + int ret; addrp = of_get_address(node, 0, NULL, NULL); addr = (u32)of_translate_address(node, addrp); @@ -485,7 +492,10 @@ static void __init _ti_omap4_clkctrl_set reg_data++; } - of_clk_add_hw_provider(node, _ti_omap4_clkctrl_xlate, provider); + ret = of_clk_add_hw_provider(node, _ti_omap4_clkctrl_xlate, provider); + if (ret == -EPROBE_DEFER) + ti_clk_retry_init(node, provider, _clkctrl_add_provider); + return; cleanup:
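Review bot: after ret = of_clk_add_hw_provider(...) only -EPROBE_DEFER is acted on; any other negative ret falls through to the plain return with no message and no cleanup. The retry callback _clkctrl_add_provider() has the same gap, since it discards the return value of of_clk_add_hw_provider(), so a failure on the retry is silent too. Log the error in both places, or route the non-deferred failure to the existing cleanup label.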
[PATCH 4.14 055/109] leds: pm8058: Silence pointer to integer size warning
4.14-stable review patch. If anyone has any objections, please let me know. -- From: Bjorn Andersson[ Upstream commit 8f52df50d9366f770a894d14ef724e5e04574e98 ] The pointer returned by of_device_get_match_data() doesn't have the same size as u32 on 64-bit architectures, causing a compile warning when compile-testing the driver on such platform. Cast the return value of of_device_get_match_data() to unsigned long and then to u32 to silence this warning. Fixes: 7f866986e705 ("leds: add PM8058 LEDs driver") Signed-off-by: Bjorn Andersson Reviewed-by: Linus Walleij Acked-by: Pavel Machek Signed-off-by: Lee Jones Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/leds/leds-pm8058.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/leds/leds-pm8058.c +++ b/drivers/leds/leds-pm8058.c @@ -106,7 +106,7 @@ static int pm8058_led_probe(struct platf if (!led) return -ENOMEM; - led->ledtype = (u32)of_device_get_match_data(>dev); + led->ledtype = (u32)(unsigned long)of_device_get_match_data(>dev); map = dev_get_regmap(pdev->dev.parent, NULL); if (!map) {
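Review bot: the (u32)(unsigned long) cast silences the warning, but the assignment still turns a NULL return from of_device_get_match_data() into led->ledtype 0 without any check. If 0 is not a valid LED type for this driver, test for it before the assignment and fail the probe; if it is valid, say so in a comment.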
[PATCH 4.14 053/109] userns: Dont fail follow_automount based on s_user_ns
4.14-stable review patch. If anyone has any objections, please let me know. -- From: "Eric W. Biederman" [ Upstream commit bbc3e471011417598e598707486f5d8814ec9c01 ] When vfs_submount was added the test to limit automounts from filesystems that with s_user_ns != _user_ns accidentally left in follow_automount. The test was never about any security concerns and was always about how do we implement this for filesystems whose s_user_ns != _user_ns. At the moment this check makes no difference as there are no filesystems that both set FS_USERNS_MOUNT and implement d_automount. Remove this check now while I am thinking about it so there will not be odd booby traps for someone who does want to make this combination work. vfs_submount still needs improvements to allow this combination to work, and vfs_submount contains a check that presents a warning. The autofs4 filesystem could be modified to set FS_USERNS_MOUNT and it would need not work on this code path, as userspace performs the mounts. Fixes: 93faccbbfa95 ("fs: Better permission checking for submounts") Fixes: aeaa4a79ff6a ("fs: Call d_automount with the filesystems creds") Acked-by: Ian Kent Signed-off-by: "Eric W. Biederman" Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- fs/namei.c |3 --- 1 file changed, 3 deletions(-) --- a/fs/namei.c +++ b/fs/namei.c @@ -1133,9 +1133,6 @@ static int follow_automount(struct path path->dentry->d_inode) return -EISDIR; - if (path->dentry->d_sb->s_user_ns != _user_ns) - return -EACCES; - nd->total_link_count++; if (nd->total_link_count >= 40) return -ELOOP;
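Review bot: with the s_user_ns test and its -EACCES return removed from follow_automount(), the only remaining guard for a filesystem mounted from a non-initial user namespace is the check the commit message says lives in vfs_submount(), and that one is described as a warning, not a refusal. Nothing at the removed site records this. Leave a short comment here pointing at vfs_submount() as the place where the user-namespace case is handled, so that someone later adding FS_USERNS_MOUNT to a filesystem with d_automount knows the restriction moved and what it currently enforces.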
[PATCH 4.14 057/109] power: supply: ab8500_charger: Fix an error handling path
4.14-stable review patch. If anyone has any objections, please let me know. -- From: Christophe JAILLET [ Upstream commit bf59fddde1c3eab89eb8dca8f3d3dc097887d2bb ] 'ret' is known to be 0 at this point, because it has not been updated by the previous call to 'abx500_mask_and_set_register_interruptible()'. Fix it by updating 'ret' before checking if an error occurred. Fixes: 84edbeeab67c ("ab8500-charger: AB8500 charger driver") Signed-off-by: Christophe JAILLET Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/power/supply/ab8500_charger.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/power/supply/ab8500_charger.c +++ b/drivers/power/supply/ab8500_charger.c @@ -3218,7 +3218,7 @@ static int ab8500_charger_init_hw_regist } /* Enable backup battery charging */ - abx500_mask_and_set_register_interruptible(di->dev, + ret = abx500_mask_and_set_register_interruptible(di->dev, AB8500_RTC, AB8500_RTC_CTRL_REG, RTC_BUP_CH_ENA, RTC_BUP_CH_ENA); if (ret < 0)
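Review bot: assigning ret makes the following if (ret < 0) branch reachable for the first time, so a failure to enable backup battery charging now takes an error path that has never run on any hardware; for a stable backport the commit message should say what that path does (it is not visible in the hunk) and whether failing here is acceptable on boards where the write used to fail silently. The continuation lines of the call also keep their old indentation and no longer line up with the opening parenthesis after the added "ret = ".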
[PATCH 4.15 125/128] ima: relax requiring a file signature for new files with zero length
4.15-stable review patch. If anyone has any objections, please let me know. -- From: Mimi Zohar[ Upstream commit b7e27bc1d42e8e0cc58b602b529c25cd0071b336 ] Custom policies can require file signatures based on LSM labels. These files are normally created and only afterwards labeled, requiring them to be signed. Instead of requiring file signatures based on LSM labels, entire filesystems could require file signatures. In this case, we need the ability of writing new files without requiring file signatures. The definition of a "new" file was originally defined as any file with a length of zero. Subsequent patches redefined a "new" file to be based on the FILE_CREATE open flag. By combining the open flag with a file size of zero, this patch relaxes the file signature requirement. Fixes: 1ac202e978e1 ima: accept previously set IMA_NEW_FILE Signed-off-by: Mimi Zohar Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- security/integrity/ima/ima_appraise.c |3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/security/integrity/ima/ima_appraise.c +++ b/security/integrity/ima/ima_appraise.c @@ -223,7 +223,8 @@ int ima_appraise_measurement(enum ima_ho if (opened & FILE_CREATED) iint->flags |= IMA_NEW_FILE; if ((iint->flags & IMA_NEW_FILE) && - !(iint->flags & IMA_DIGSIG_REQUIRED)) + (!(iint->flags & IMA_DIGSIG_REQUIRED) || +(inode->i_size == 0))) status = INTEGRITY_PASS; goto out; }
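Review bot: the added test reads inode->i_size directly; use i_size_read(inode), the accessor meant for reading the size without holding the inode lock. On the policy side, the relaxed condition returns INTEGRITY_PASS for a file with IMA_DIGSIG_REQUIRED set whenever IMA_NEW_FILE is set and the length is zero, and IMA_NEW_FILE is tested from the stored iint->flags, not only from this open's FILE_CREATED. Please document next to the condition when IMA_NEW_FILE is cleared, so it is clear the signature exemption cannot outlive the creating open of an empty file.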
[PATCH 4.15 109/128] net: sched: drop qdisc_reset from dev_graft_qdisc
4.15-stable review patch. If anyone has any objections, please let me know. -- From: John Fastabend[ Upstream commit 7bbde83b1860c28a1cc35516352c4e7e5172c29a ] In qdisc_graft_qdisc a "new" qdisc is attached and the 'qdisc_destroy' operation is called on the old qdisc. The destroy operation will wait a rcu grace period and call qdisc_rcu_free(). At which point gso_cpu_skb is free'd along with all stats so no need to zero stats and gso_cpu_skb from the graft operation itself. Further after dropping the qdisc locks we can not continue to call qdisc_reset before waiting an rcu grace period so that the qdisc is detached from all cpus. By removing the qdisc_reset() here we get the correct property of waiting an rcu grace period and letting the qdisc_destroy operation clean up the qdisc correctly. Note, a refcnt greater than 1 would cause the destroy operation to be aborted however if this ever happened the reference to the qdisc would be lost and we would have a memory leak. Signed-off-by: John Fastabend Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- net/sched/sch_generic.c | 28 +++- 1 file changed, 19 insertions(+), 9 deletions(-) --- a/net/sched/sch_generic.c +++ b/net/sched/sch_generic.c @@ -762,10 +762,6 @@ struct Qdisc *dev_graft_qdisc(struct net root_lock = qdisc_lock(oqdisc); spin_lock_bh(root_lock); - /* Prune old scheduler */ - if (oqdisc && refcount_read(>refcnt) <= 1) - qdisc_reset(oqdisc); - /* ... and graft new one */ if (qdisc == NULL) qdisc = _qdisc; @@ -916,6 +912,16 @@ static bool some_qdisc_is_busy(struct ne return false; } +static void dev_qdisc_reset(struct net_device *dev, + struct netdev_queue *dev_queue, + void *none) +{ + struct Qdisc *qdisc = dev_queue->qdisc_sleeping; + + if (qdisc) + qdisc_reset(qdisc); +} + /** * dev_deactivate_many - deactivate transmissions on several devices * @head: list of devices to deactivate 
@@ -926,7 +932,6 @@ static bool some_qdisc_is_busy(struct ne void dev_deactivate_many(struct list_head *head) { struct net_device *dev; - bool sync_needed = false; list_for_each_entry(dev, head, close_list) { netdev_for_each_tx_queue(dev, dev_deactivate_queue, @@ -936,20 +941,25 @@ void dev_deactivate_many(struct list_hea _qdisc); dev_watchdog_down(dev); - sync_needed |= !dev->dismantle; } /* Wait for outstanding qdisc-less dev_queue_xmit calls. * This is avoided if all devices are in dismantle phase : * Caller will call synchronize_net() for us */ - if (sync_needed) - synchronize_net(); + synchronize_net(); /* Wait for outstanding qdisc_run calls. */ - list_for_each_entry(dev, head, close_list) + list_for_each_entry(dev, head, close_list) { while (some_qdisc_is_busy(dev)) yield(); + /* The new qdisc is assigned at this point so we can safely +* unwind stale skb lists and qdisc statistics +*/ + netdev_for_each_tx_queue(dev, dev_qdisc_reset, NULL); + if (dev_ingress_queue(dev)) + dev_qdisc_reset(dev, dev_ingress_queue(dev), NULL); + } } void dev_deactivate(struct net_device *dev)
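Review bot: in dev_deactivate_many() synchronize_net() is now called unconditionally, but the comment directly above it is left unchanged and still says "This is avoided if all devices are in dismantle phase : Caller will call synchronize_net() for us". Update or remove that sentence, and state in the commit message that devices being dismantled now pay for an extra grace period. The new per-device reset also depends on the "new qdisc is assigned at this point" claim in the added comment, which rests on the ordering in dev_graft_qdisc(); a reference to that function in the comment would make the dependency explicit.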
[PATCH 4.15 085/128] pinctrl: sh-pfc: r8a7791: Add can_clk function
4.15-stable review patch. If anyone has any objections, please let me know. -- From: Fabrizio Castro[ Upstream commit 57eec02caee60332b8052615e7257f932ae07abc ] This patch adds can_clk function to r8a7743/r8a7791 which is cleaner, and allows for independent configuration. We keep the can_clk* pins definitions from within can0_groups and can1_groups for uniformity and backwards compatibility. Signed-off-by: Fabrizio Castro Reviewed-by: Ramesh Shanmugasundaram Signed-off-by: Geert Uytterhoeven Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/pinctrl/sh-pfc/pfc-r8a7791.c | 22 +- 1 file changed, 21 insertions(+), 1 deletion(-) --- a/drivers/pinctrl/sh-pfc/pfc-r8a7791.c +++ b/drivers/pinctrl/sh-pfc/pfc-r8a7791.c @@ -4826,6 +4826,10 @@ static const char * const can0_groups[] "can0_data_d", "can0_data_e", "can0_data_f", + /* +* Retained for backwards compatibility, use can_clk_groups in new +* designs. +*/ "can_clk", "can_clk_b", "can_clk_c", @@ -4837,6 +4841,21 @@ static const char * const can1_groups[] "can1_data_b", "can1_data_c", "can1_data_d", + /* +* Retained for backwards compatibility, use can_clk_groups in new +* designs. +*/ + "can_clk", + "can_clk_b", + "can_clk_c", + "can_clk_d", +}; + +/* + * can_clk_groups allows for independent configuration, use can_clk function + * in new designs. + */ +static const char * const can_clk_groups[] = { "can_clk", "can_clk_b", "can_clk_c", @@ -5308,7 +5327,7 @@ static const char * const vin2_groups[] }; static const struct { - struct sh_pfc_function common[56]; + struct sh_pfc_function common[57]; struct sh_pfc_function r8a779x[2]; } pinmux_functions = { .common = { @@ -5316,6 +5335,7 @@ static const struct { SH_PFC_FUNCTION(avb), SH_PFC_FUNCTION(can0), SH_PFC_FUNCTION(can1), + SH_PFC_FUNCTION(can_clk), SH_PFC_FUNCTION(du), SH_PFC_FUNCTION(du0), SH_PFC_FUNCTION(du1),
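Review bot: the array bound in struct sh_pfc_function common[56] is bumped by hand to 57 to make room for SH_PFC_FUNCTION(can_clk); a miscount here is not caught by the initializer if the number is too large and leaves a zeroed entry in the table. Add a comment next to the bound saying it must match the number of SH_PFC_FUNCTION() entries in .common, or a compile-time check against the initializer count. The "Retained for backwards compatibility" comments are good; they should also name can_clk as the function to use, as the can_clk_groups comment does.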
[PATCH 4.15 116/128] mac80211_hwsim: enforce PS_MANUAL_POLL to be set after PS_ENABLED
4.15-stable review patch. If anyone has any objections, please let me know. -- From: Adiel Aloni[ Upstream commit e16ea4bb516bc21ea2202f2107718b29218bea59 ] Enforce using PS_MANUAL_POLL in ps hwsim debugfs to trigger a poll, only if PS_ENABLED was set before. This is required due to commit c9491367b759 ("mac80211: always update the PM state of a peer on MGMT / DATA frames") that enforces the ap to check only mgmt/data frames ps bit, and then update station's power save accordingly. When sending only ps-poll (control frame) the ap will not be aware that the station entered power save. Setting ps enable before triggering ps_poll, will send NDP with PM bit enabled first. Signed-off-by: Adiel Aloni Signed-off-by: Luca Coelho Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/net/wireless/mac80211_hwsim.c | 17 +++-- 1 file changed, 11 insertions(+), 6 deletions(-) --- a/drivers/net/wireless/mac80211_hwsim.c +++ b/drivers/net/wireless/mac80211_hwsim.c @@ -729,16 +729,21 @@ static int hwsim_fops_ps_write(void *dat val != PS_MANUAL_POLL) return -EINVAL; - old_ps = data->ps; - data->ps = val; - - local_bh_disable(); if (val == PS_MANUAL_POLL) { + if (data->ps != PS_ENABLED) + return -EINVAL; + local_bh_disable(); ieee80211_iterate_active_interfaces_atomic( data->hw, IEEE80211_IFACE_ITER_NORMAL, hwsim_send_ps_poll, data); - data->ps_poll_pending = true; - } else if (old_ps == PS_DISABLED && val != PS_DISABLED) { + local_bh_enable(); + return 0; + } + old_ps = data->ps; + data->ps = val; + + local_bh_disable(); + if (old_ps == PS_DISABLED && val != PS_DISABLED) { ieee80211_iterate_active_interfaces_atomic( data->hw, IEEE80211_IFACE_ITER_NORMAL, hwsim_send_nullfunc_ps, data);
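Review bot: the PS_MANUAL_POLL path no longer sets data->ps_poll_pending = true, and the commit message does not mention it. If anything still reads ps_poll_pending, it will now never see a pending poll; either remove the field and its users in the same patch or explain why the assignment is dropped. The new if (data->ps != PS_ENABLED) return -EINVAL; test is also made before local_bh_disable(), so it can race with a concurrent write that changes data->ps; -EINVAL for a valid value written in the wrong state is also surprising for a debugfs user, and a comment on the required ordering would help.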
[PATCH 4.15 119/128] ASoC: nuc900: Fix a loop timeout test
4.15-stable review patch. If anyone has any objections, please let me know. -- From: Dan Carpenter[ Upstream commit 65a12b3aafed5fc59f4ce41b22b752b1729e6701 ] We should be finishing the loop with timeout set to zero but because this is a post-op we finish with timeout == -1. Fixes: 1082e2703a2d ("ASoC: NUC900/audio: add nuc900 audio driver support") Signed-off-by: Dan Carpenter Signed-off-by: Mark Brown Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- sound/soc/nuc900/nuc900-ac97.c |4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/sound/soc/nuc900/nuc900-ac97.c +++ b/sound/soc/nuc900/nuc900-ac97.c @@ -67,7 +67,7 @@ static unsigned short nuc900_ac97_read(s /* polling the AC_R_FINISH */ while (!(AUDIO_READ(nuc900_audio->mmio + ACTL_ACCON) & AC_R_FINISH) - && timeout--) + && --timeout) mdelay(1); if (!timeout) { @@ -121,7 +121,7 @@ static void nuc900_ac97_write(struct snd /* polling the AC_W_FINISH */ while ((AUDIO_READ(nuc900_audio->mmio + ACTL_ACCON) & AC_W_FINISH) - && timeout--) + && --timeout) mdelay(1); if (!timeout)
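Review bot: switching both loops to && --timeout makes the following if (!timeout) test meaningful, but failure is still inferred from the counter instead of from the hardware, and the form misbehaves for a start value of 0 (the counter is decremented past zero and the loop does not stop there); the start value is not visible in these hunks. Re-reading AC_R_FINISH or AC_W_FINISH after the loop and reporting a timeout only if the bit is still in the wrong state would be independent of the count. Note also that the loop now performs one fewer mdelay(1) than before for the same start value.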
[PATCH 4.15 113/128] powerpc/64: Dont trace irqs-off at interrupt return to soft-disabled context
4.15-stable review patch. If anyone has any objections, please let me know. -- From: Nicholas Piggin[ Upstream commit acb1feab320e38588fccc568e3767761f494976f ] When an interrupt is returning to a soft-disabled context (which can happen for non-maskable interrupts or synchronous interrupts), it goes through the motions of soft-disabling again, including calling TRACE_DISABLE_INTS (i.e., trace_hardirqs_off()). This is not necessary, because we must already be soft-disabled in the interrupt context, it also may be causing crashes in the irq tracing code to re-enter as an nmi. Replace it with a warning to ensure that soft-interrupts are still disabled. Fixes: 7c0482e3d055 ("powerpc/irq: Fix another case of lazy IRQ state getting out of sync") Signed-off-by: Nicholas Piggin Signed-off-by: Michael Ellerman Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- arch/powerpc/kernel/entry_64.S | 10 +++--- 1 file changed, 7 insertions(+), 3 deletions(-) --- a/arch/powerpc/kernel/entry_64.S +++ b/arch/powerpc/kernel/entry_64.S @@ -939,9 +939,13 @@ END_FTR_SECTION_IFSET(CPU_FTR_HAS_PPR) beq 1f rlwinm r7,r7,0,~PACA_IRQ_HARD_DIS stb r7,PACAIRQHAPPENED(r13) -1: li r0,0 - stb r0,PACASOFTIRQEN(r13); - TRACE_DISABLE_INTS +1: +#if defined(CONFIG_TRACE_IRQFLAGS) && defined(CONFIG_BUG) + /* The interrupt should not have soft enabled. */ + lbz r7,PACASOFTIRQEN(r13) +1: tdnei r7,0 + EMIT_BUG_ENTRY 1b,__FILE__,__LINE__,BUGFLAG_WARNING +#endif b .Ldo_restore /*
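Review bot: the added block defines a second local label 1: on the tdnei line, directly after the existing 1: that beq 1f branches to. The assembler resolves 1f to the first and the 1b in EMIT_BUG_ENTRY to the second, so it assembles as intended, but two identical labels three lines apart are easy to misread; use a different number for the trap. The li r0,0 / stb r0,PACASOFTIRQEN(r13) store is also removed for every configuration, while the check that soft-interrupts are still disabled exists only under CONFIG_TRACE_IRQFLAGS && CONFIG_BUG; a comment stating why the store is redundant would cover the builds that get no check.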
[PATCH v12 0/9] Add io{read|write}64 to io-64-atomic headers
This is v12 of my cleanup series to push a number of instances of people defining their own io{read|write}64 functions into common headers seeing they don't exist in non-64bit systems. This series adds inline functions to the io-64-nonatomic headers and then cleans up the drivers that defined their own copies. This cleanup was originally requested by Greg after he reviewed my Switchtec NTB code. And I hope someone can pick it up or at least give feedback on it soon as it's been around relatively unchanged for a few cycles now and I'm getting a bit tired of resubmitting it with little to no interest. Thanks, Logan -- Changes since v11: - Rebased onto v4.16-rc5 - Added a patch (0001) to fix some old and new sparse warnings that the kbuild robot warned about this cycle. The latest version of sparse was required to reproduce these. - Added a patch (0002) to add io{read|write}64 to parisc which the kbuild robot also found errors for this cycle Changes since v10: - Rebased onto v4.16-rc4, this dropped the drm/tilcdc patch which was picked up by that tree and is already in 4.16. Changes since v9: - Rebased onto v4.15-rc6 - Fixed a couple of issues in the new version of the CAAM patch as pointed out by Horia Changes since v8: - Rebased onto v4.15-rc2, as a result rewrote patch 7 seeing someone did some similar cleanup in that area. - Added a patch to clean up the Switchtec NTB driver which landed in v4.15-rc1 Changes since v7: - Fix minor nits from Andy Shevchenko - Rebased onto v4.14-rc1 Changes since v6: ** none ** Changes since v5: - Added a fix to the tilcdc driver to ensure it doesn't use the non-atomic operation. (This includes adding io{read|write}64[be]_is_nonatomic defines). Changes since v4: - Add functions so the powerpc implementation of iomap.c compiles. (As noticed by Horia) Changes since v3: - I noticed powerpc didn't use the appropriate functions seeing readq/writeq were not defined when iomap.h was included. 
Thus I've included a patch to adjust this - Fixed some mistakes with a couple of the defines in io-64-nonatomic* headers - Fixed a typo noticed by Horia. (earlier versions were drastically different) -- Logan Gunthorpe (9): iomap: Fix sparse endian check warnings parisc: iomap: introduce io{read|write}64 powerpc: io.h: move iomap.h include so that it can use readq/writeq defs powerpc: iomap.c: introduce io{read|write}64_{lo_hi|hi_lo} iomap: introduce io{read|write}64_{lo_hi|hi_lo} io-64-nonatomic: add io{read|write}64[be]{_lo_hi|_hi_lo} macros ntb: ntb_hw_intel: use io-64-nonatomic instead of in-driver hacks crypto: caam: cleanup CONFIG_64BIT ifdefs when using io{read|write}64 ntb: ntb_hw_switchtec: Cleanup 64bit IO defines to use the common header arch/parisc/include/asm/io.h | 9 +++ arch/parisc/lib/iomap.c| 64 +++ arch/powerpc/include/asm/io.h | 6 +- arch/powerpc/kernel/iomap.c| 40 + drivers/crypto/caam/regs.h | 30 +-- drivers/ntb/hw/intel/ntb_hw_intel.c| 30 +-- drivers/ntb/hw/mscc/ntb_hw_switchtec.c | 36 + include/asm-generic/iomap.h| 26 -- include/linux/io-64-nonatomic-hi-lo.h | 64 +++ include/linux/io-64-nonatomic-lo-hi.h | 64 +++ lib/iomap.c| 143 - 11 files changed, 412 insertions(+), 100 deletions(-) -- 2.11.0
[PATCH v12 3/9] powerpc: io.h: move iomap.h include so that it can use readq/writeq defs
Subsequent patches in this series make use of the readq and writeq defines in iomap.h. However, as is, they get missed on the powerpc platform seeing the include comes before the define. This patch moves the include down to fix this. Signed-off-by: Logan Gunthorpe Acked-by: Michael Ellerman Reviewed-by: Andy Shevchenko Cc: Benjamin Herrenschmidt Cc: Paul Mackerras Cc: Michael Ellerman Cc: Nicholas Piggin Cc: Suresh Warrier Cc: "Oliver O'Halloran" --- arch/powerpc/include/asm/io.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/powerpc/include/asm/io.h b/arch/powerpc/include/asm/io.h index 422f99cf9924..af074923d598 100644 --- a/arch/powerpc/include/asm/io.h +++ b/arch/powerpc/include/asm/io.h @@ -33,8 +33,6 @@ extern struct pci_dev *isa_bridge_pcidev; #include #include -#include - #ifdef CONFIG_PPC64 #include #endif @@ -663,6 +661,8 @@ static inline void name at \ #define writel_relaxed(v, addr)writel(v, addr) #define writeq_relaxed(v, addr)writeq(v, addr) +#include + #ifdef CONFIG_PPC32 #define mmiowb() #else -- 2.11.0
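Review bot: the second hunk re-adds the iomap.h include after the writeq_relaxed() define with nothing to say why it sits that far down the header. A one-line comment above it, stating that it has to follow the readq/writeq definitions, would keep a later include tidy-up from moving it back into the top include block and losing the 64-bit accessors again.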
[PATCH v12 8/9] crypto: caam: cleanup CONFIG_64BIT ifdefs when using io{read|write}64
Clean up the extra ifdefs which defined the wr_reg64 and rd_reg64 functions in non-64bit cases in favour of the new common io-64-nonatomic-lo-hi header. To be consistent with CAAM engine HW spec: in case of 64-bit registers, irrespective of device endianness, the lower address should be read from / written to first, followed by the upper address. Indeed the I/O accessors in CAAM driver currently don't follow the spec, however this is a good opportunity to fix the code. Signed-off-by: Logan GunthorpeReviewed-by: Horia Geantă Cc: Andy Shevchenko Cc: Dan Douglass Cc: Herbert Xu Cc: "David S. Miller" --- drivers/crypto/caam/regs.h | 30 +++--- 1 file changed, 3 insertions(+), 27 deletions(-) diff --git a/drivers/crypto/caam/regs.h b/drivers/crypto/caam/regs.h index fee363865d88..f887b371040f 100644 --- a/drivers/crypto/caam/regs.h +++ b/drivers/crypto/caam/regs.h @@ -10,7 +10,7 @@ #include #include -#include +#include /* * Architecture-specific register access methods @@ -136,10 +136,9 @@ static inline void clrsetbits_32(void __iomem *reg, u32 clear, u32 set) *base + 0x : least-significant 32 bits *base + 0x0004 : most-significant 32 bits */ -#ifdef CONFIG_64BIT static inline void wr_reg64(void __iomem *reg, u64 data) { - if (caam_little_end) + if (!caam_imx && caam_little_end) iowrite64(data, reg); else iowrite64be(data, reg); 
@@ -147,35 +146,12 @@ static inline void wr_reg64(void __iomem *reg, u64 data) static inline u64 rd_reg64(void __iomem *reg) { - if (caam_little_end) + if (!caam_imx && caam_little_end) return ioread64(reg); else return ioread64be(reg); } -#else /* CONFIG_64BIT */ -static inline void wr_reg64(void __iomem *reg, u64 data) -{ - if (!caam_imx && caam_little_end) { - wr_reg32((u32 __iomem *)(reg) + 1, data >> 32); - wr_reg32((u32 __iomem *)(reg), data); - } else { - wr_reg32((u32 __iomem *)(reg), data >> 32); - wr_reg32((u32 __iomem *)(reg) + 1, data); - } -} - -static inline u64 rd_reg64(void __iomem *reg) -{ - if (!caam_imx && caam_little_end) - return ((u64)rd_reg32((u32 __iomem *)(reg) + 1) << 32 | - (u64)rd_reg32((u32 __iomem *)(reg))); - - return ((u64)rd_reg32((u32 __iomem *)(reg)) << 32 | - (u64)rd_reg32((u32 __iomem *)(reg) + 1)); -} -#endif /* CONFIG_64BIT */ - static inline u64 cpu_to_caam_dma64(dma_addr_t value) { if (caam_imx) -- 2.11.0
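Review bot: in wr_reg64() and rd_reg64() the test on what used to be the CONFIG_64BIT-only path changes from "if (caam_little_end)" to "if (!caam_imx && caam_little_end)", which is a behaviour change for 64-bit builds that the commit message does not mention. The changelog should say whether a 64-bit platform with caam_imx set is expected to take the iowrite64be()/ioread64be() branch from now on. The layout comment above wr_reg64() would also be the right place to record the low-address-first ordering the commit message cites from the CAAM HW spec, since the removed 32-bit helpers were the only code that made the access order visible.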
[PATCH 4.15 103/128] staging: fsl-dpaa2/eth: Fix access to FAS field
4.15-stable review patch. If anyone has any objections, please let me know. -- From: Ioana Radulescu[ Upstream commit 54ce891779888e85a2db04942dbaadd3f40fe223 ] Commit 4b2d9fe87950 ("staging: fsl-dpaa2/eth: Extra headroom in RX buffers") removes the software annotation (SWA) area from the RX buffer layout, as it's not used by anyone, but fails to update the macros for accessing hardware annotation (HWA) fields, which is right after the SWA in the buffer headroom. This may lead to some frame annotation status fields (e.g. indication if L3/L4 checksum is valid) to be read incorrectly. Turn the accessor macros into inline functions and add a bool param to specify if SWA is present or not. Fixes: 4b2d9fe87950 ("staging: fsl-dpaa2/eth: Extra headroom in RX buffers") Signed-off-by: Ioana Radulescu Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.c |8 drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.h | 13 + 2 files changed, 13 insertions(+), 8 deletions(-) --- a/drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.c +++ b/drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.c @@ -249,7 +249,7 @@ static void dpaa2_eth_rx(struct dpaa2_et vaddr = dpaa2_iova_to_virt(priv->iommu_domain, addr); dma_unmap_single(dev, addr, DPAA2_ETH_RX_BUF_SIZE, DMA_FROM_DEVICE); - fas = dpaa2_get_fas(vaddr); + fas = dpaa2_get_fas(vaddr, false); prefetch(fas); buf_data = vaddr + dpaa2_fd_get_offset(fd); prefetch(buf_data); @@ -385,7 +385,7 @@ static int build_sg_fd(struct dpaa2_eth_ * on TX confirmation. We are clearing FAS (Frame Annotation Status) * field from the hardware annotation area */ - fas = dpaa2_get_fas(sgt_buf); + fas = dpaa2_get_fas(sgt_buf, true); memset(fas, 0, DPAA2_FAS_SIZE); sgt = (struct dpaa2_sg_entry *)(sgt_buf + priv->tx_data_offset); 
@@ -458,7 +458,7 @@ static int build_single_fd(struct dpaa2_ * on TX confirmation. We are clearing FAS (Frame Annotation Status) * field from the hardware annotation area */ - fas = dpaa2_get_fas(buffer_start); + fas = dpaa2_get_fas(buffer_start, true); memset(fas, 0, DPAA2_FAS_SIZE); /* Store a backpointer to the skb at the beginning of the buffer @@ -510,7 +510,7 @@ static void free_tx_fd(const struct dpaa fd_addr = dpaa2_fd_get_addr(fd); skbh = dpaa2_iova_to_virt(priv->iommu_domain, fd_addr); - fas = dpaa2_get_fas(skbh); + fas = dpaa2_get_fas(skbh, true); if (fd_format == dpaa2_fd_single) { skb = *skbh; --- a/drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.h +++ b/drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.h @@ -153,10 +153,15 @@ struct dpaa2_fas { #define DPAA2_FAS_SIZE (sizeof(struct dpaa2_fas)) /* Accessors for the hardware annotation fields that we use */ -#define dpaa2_get_hwa(buf_addr) \ - ((void *)(buf_addr) + DPAA2_ETH_SWA_SIZE) -#define dpaa2_get_fas(buf_addr) \ - (struct dpaa2_fas *)(dpaa2_get_hwa(buf_addr) + DPAA2_FAS_OFFSET) +static inline void *dpaa2_get_hwa(void *buf_addr, bool swa) +{ + return buf_addr + (swa ? DPAA2_ETH_SWA_SIZE : 0); +} + +static inline struct dpaa2_fas *dpaa2_get_fas(void *buf_addr, bool swa) +{ + return dpaa2_get_hwa(buf_addr, swa) + DPAA2_FAS_OFFSET; +} /* Error and status bits in the frame annotation status word */ /* Debug frame, otherwise supposed to be discarded */
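Review bot: the bare true/false second argument to dpaa2_get_fas() is opaque at the call sites; "fas = dpaa2_get_fas(vaddr, false);" in dpaa2_eth_rx() gives no hint that RX buffers carry no software annotation area while the three TX-side callers do. A short comment at the RX call site, or two named wrappers around the new inline functions in dpaa2-eth.h, would make the layout assumption explicit and keep the next headroom change from reintroducing the wrong-offset read described in the commit message.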
[PATCH 4.15 088/128] perf annotate: Fix objdump comment parsing for Intel mov dissassembly
4.15-stable review patch. If anyone has any objections, please let me know. -- From: Thomas Richter[ Upstream commit 35a8a148d8c1ee9e5ae18f9565a880490f816f89 ] The command 'perf annotate' parses the output of objdump and also investigates the comments produced by objdump. For example the output of objdump produces (on x86): 23eee: 4c 8b 3d 13 01 21 00 mov 0x210113(%rip),%r15 # 234008 and the function mov__parse() is called to investigate the complete line. Mov__parse() breaks this line into several parts and finally calls function comment__symbol() to parse the data after the comment character '#'. Comment__symbol() expects a hexadecimal address followed by a symbol in '<' and '>' brackets. However the 2nd parameter given to function comment__symbol() always points to the comment character '#'. The address parsing always returns 0 because the character '#' is not a digit and strtoull() fails without being noticed. Fix this by advancing the second parameter to function comment__symbol() by one byte before invocation and add an error check after strtoull() has been called. Signed-off-by: Thomas Richter Reviewed-by: Hendrik Brueckner Acked-by: Ravi Bangoria Cc: Heiko Carstens Cc: Martin Schwidefsky Fixes: 6de783b6f50f ("perf annotate: Resolve symbols using objdump comment") Link: http://lkml.kernel.org/r/20171128075632.72182-1-tmri...@linux.vnet.ibm.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- tools/perf/util/annotate.c |8 +--- 1 file changed, 5 insertions(+), 3 deletions(-) --- a/tools/perf/util/annotate.c +++ b/tools/perf/util/annotate.c @@ -322,6 +322,8 @@ static int comment__symbol(char *raw, ch return 0; *addrp = strtoull(comment, , 16); + if (endptr == comment) + return 0; name = strchr(endptr, '<'); if (name == NULL) return -1; 
@@ -435,8 +437,8 @@ static int mov__parse(struct arch *arch, return 0; comment = ltrim(comment); - comment__symbol(ops->source.raw, comment, >source.addr, >source.name); - comment__symbol(ops->target.raw, comment, >target.addr, >target.name); + comment__symbol(ops->source.raw, comment + 1, >source.addr, >source.name); + comment__symbol(ops->target.raw, comment + 1, >target.addr, >target.name); return 0; @@ -480,7 +482,7 @@ static int dec__parse(struct arch *arch return 0; comment = ltrim(comment); - comment__symbol(ops->target.raw, comment, >target.addr, >target.name); + comment__symbol(ops->target.raw, comment + 1, >target.addr, >target.name); return 0; }
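Review bot: in comment__symbol(), the new "if (endptr == comment) return 0;" check runs after *addrp has already been overwritten with the strtoull() result, and it returns 0 while the missing-'<' case directly below returns -1. Parse into a local and assign *addrp only once an address was actually read, and either make the two failure paths return the same value or add a comment saying why "no address" is not an error.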
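Review bot: "comment + 1" is repeated at all three call sites in mov__parse() and dec__parse() and assumes, without a check, that the byte at comment is the '#' character. Skipping the marker once inside comment__symbol(), guarded by a test that the first byte really is '#', would remove the duplication and avoid stepping past the terminator if ltrim() ever hands back an empty string.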
[PATCH 4.15 086/128] pinctrl: sh-pfc: r8a7795-es1: Fix MOD_SEL1 bit[25:24] to 0x3 when using STP_ISEN_1_D
4.15-stable review patch. If anyone has any objections, please let me know. -- From: Takeshi Kihara[ Upstream commit b16cd900de7911f96af17327a081a2141a0b763f ] This patch fixes the implementation incorrect of MOD_SEL1 bit[25:24] value when STP_ISEN_1_D pin function is selected for IPSR16 bit[27:24]. This is a correction to the incorrect implementation of MOD_SEL register pin assignment for R8A7795 SoC specification of R-Car Gen3 Hardware User's Manual Rev.0.51E. Fixes: 0b0ffc96dbe30fa9 ("pinctrl: sh-pfc: Initial R8A7795 PFC support) Signed-off-by: Takeshi Kihara Signed-off-by: Yoshihiro Kaneko Signed-off-by: Geert Uytterhoeven Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/pinctrl/sh-pfc/pfc-r8a7795-es1.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/pinctrl/sh-pfc/pfc-r8a7795-es1.c +++ b/drivers/pinctrl/sh-pfc/pfc-r8a7795-es1.c @@ -1397,7 +1397,7 @@ static const u16 pinmux_data[] = { PINMUX_IPSR_MSEL(IP16_27_24,AUDIO_CLKOUT_B, SEL_ADG_1), PINMUX_IPSR_MSEL(IP16_27_24,SSI_SCK2_B, SEL_SSI_1), PINMUX_IPSR_MSEL(IP16_27_24,TS_SDEN1_D, SEL_TSIF1_3), - PINMUX_IPSR_MSEL(IP16_27_24,STP_ISEN_1_D, SEL_SSP1_1_2), + PINMUX_IPSR_MSEL(IP16_27_24,STP_ISEN_1_D, SEL_SSP1_1_3), PINMUX_IPSR_MSEL(IP16_27_24,STP_OPWM_0_E, SEL_SSP1_0_4), PINMUX_IPSR_MSEL(IP16_27_24,RIF3_D0_B, SEL_DRIF3_1), PINMUX_IPSR_MSEL(IP16_27_24,TCLK2_B, SEL_TIMER_TMU_1),
[PATCH 4.15 087/128] perf annotate: Fix unnecessary memory allocation for s390x
4.15-stable review patch. If anyone has any objections, please let me know. -- 
From: Thomas Richter [ Upstream commit 36c263607d36c6a3788c09301d9f5fe35404048a ] This patch fixes a bug introduced with commit d9f8dfa9baf9 ("perf annotate s390: Implement jump types for perf annotate"). 'perf annotate' displays annotated assembler output by reading output of command objdump and parsing the disassembled lines. For each shown mnemonic this function sequence is executed: disasm_line__new() | +--> disasm_line__init_ins() | +--> ins__find() | +--> arch->associate_instruction_ops() The s390x specific function assigned to function pointer associate_instruction_ops refers to function s390__associate_ins_ops(). This function checks for supported mnemonics and assigns a NULL pointer to unsupported mnemonics. However even the NULL pointer is added to the architecture dependent instruction array. This leads to an extremely large architecture instruction array (due to array resize logic in function arch__grow_instructions()). Depending on the objdump output being parsed the array can end up with several ten-thousand elements. This patch checks if a mnemonic is supported and only adds supported ones into the architecture instruction array. The array does not contain elements with NULL pointers anymore. Before the patch (With some debug printf output): [root@s35lp76 perf]# time ./perf annotate --stdio > /tmp/xxxbb real8m49.679s user7m13.008s sys 0m1.649s [root@s35lp76 perf]# fgrep '__ins__find sorted:1 nr_instructions:' /tmp/xxxbb | tail -1 __ins__find sorted:1 nr_instructions:87433 ins:0x341583c0 [root@s35lp76 perf]# The number of different s390x branch/jump/call/return instructions entered into the array is 87433. 
After the patch (With some printf debug output:) [root@s35lp76 perf]# time ./perf annotate --stdio > /tmp/xxxaa real1m24.553s user0m0.587s sys 0m1.530s [root@s35lp76 perf]# fgrep '__ins__find sorted:1 nr_instructions:' /tmp/xxxaa | tail -1 __ins__find sorted:1 nr_instructions:56 ins:0x3f406570 [root@s35lp76 perf]# The number of different s390x branch/jump/call/return instructions entered into the array is 56 which is sensible. Signed-off-by: Thomas Richter Reviewed-by: Hendrik Brueckner Acked-by: Ravi Bangoria Cc: Heiko Carstens Cc: Martin Schwidefsky Link: http://lkml.kernel.org/r/20171124094637.8-1-tmri...@linux.vnet.ibm.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- tools/perf/arch/s390/annotate/instructions.c |3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/tools/perf/arch/s390/annotate/instructions.c +++ b/tools/perf/arch/s390/annotate/instructions.c @@ -18,7 +18,8 @@ static struct ins_ops *s390__associate_i if (!strcmp(name, "br")) ops = _ops; - arch__associate_ins_ops(arch, name, ops); + if (ops) + arch__associate_ins_ops(arch, name, ops); return ops; }
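Review bot: the return value of arch__associate_ins_ops() is still discarded inside the new "if (ops)" branch, so s390__associate_ins_ops() hands ops back to its caller whether or not the entry was actually added to the instruction array. Since the commit message points out that this call goes through the resize logic in arch__grow_instructions(), either check the result before returning ops or add a comment saying why a failed association is harmless here.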
[PATCH 4.15 061/128] ARM: dts: am335x-pepper: Fix the audio CODECs reset pin
4.15-stable review patch. If anyone has any objections, please let me know. -- From: "Andrew F. Davis"[ Upstream commit e153db03c6b7a035c797bcdf35262586f003ee93 ] The correct DT property for specifying a GPIO used for reset is "reset-gpios", fix this here. Fixes: 4341881d0562 ("ARM: dts: Add devicetree for Gumstix Pepper board") Signed-off-by: Andrew F. Davis Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- arch/arm/boot/dts/am335x-pepper.dts |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/arch/arm/boot/dts/am335x-pepper.dts +++ b/arch/arm/boot/dts/am335x-pepper.dts @@ -139,7 +139,7 @@ _codec { status = "okay"; - gpio-reset = < 16 GPIO_ACTIVE_LOW>; + reset-gpios = < 16 GPIO_ACTIVE_LOW>; AVDD-supply = <_reg>; IOVDD-supply = <_reg>; DRVDD-supply = <_reg>;
[PATCH 4.15 063/128] mtd: nand: ifc: update bufnum mask for ver >= 2.0.0
4.15-stable review patch. If anyone has any objections, please let me know. -- From: Jagdish Gediya[ Upstream commit bccb06c353af3764ca86d9da47652458e6c2eb41 ] Bufnum mask is used to calculate page position in the internal SRAM. As IFC version 2.0.0 has 16KB of internal SRAM as compared to older versions which had 8KB. Hence bufnum mask needs to be updated. Signed-off-by: Jagdish Gediya Signed-off-by: Prabhakar Kushwaha Signed-off-by: Boris Brezillon Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/mtd/nand/fsl_ifc_nand.c |7 +++ 1 file changed, 7 insertions(+) --- a/drivers/mtd/nand/fsl_ifc_nand.c +++ b/drivers/mtd/nand/fsl_ifc_nand.c @@ -916,6 +916,13 @@ static int fsl_ifc_chip_init(struct fsl_ if (ctrl->version >= FSL_IFC_VERSION_1_1_0) fsl_ifc_sram_init(priv); + /* +* As IFC version 2.0.0 has 16KB of internal SRAM as compared to older +* versions which had 8KB. Hence bufnum mask needs to be updated. +*/ + if (ctrl->version >= FSL_IFC_VERSION_2_0_0) + priv->bufnum_mask = (priv->bufnum_mask * 2) + 1; + return 0; }
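Review bot: "priv->bufnum_mask = (priv->bufnum_mask * 2) + 1;" in fsl_ifc_chip_init() only produces a valid mask if bufnum_mask was already set, to a value with all low bits set, before this point, and nothing in the hunk says so. Writing it as a shift-and-or, (priv->bufnum_mask << 1) | 1, would show that the mask is being widened by one bit, and the new comment should state that dependency on the earlier initialisation instead of repeating the commit message as two sentence fragments.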
[PATCH 4.15 031/128] KVM: PPC: Book3S HV: Avoid shifts by negative amounts
4.15-stable review patch. If anyone has any objections, please let me know. -- From: Paul Mackerras[ Upstream commit cda2eaa35948893d70145490d5d6ded546fc3bc6 ] The kvmppc_hpte_page_shifts function decodes the actual and base page sizes for a HPTE, returning -1 if it doesn't recognize the page size encoding. This then gets used as a shift amount in various places, which is undefined behaviour. This was reported by Coverity. In fact this should never occur, since we should only get HPTEs in the HPT which have a recognized page size encoding. The only place where this might not be true is in the call to kvmppc_actual_pgsz() near the beginning of kvmppc_do_h_enter(), where we are validating the HPTE value passed in from the guest. So to fix this and eliminate the undefined behaviour, we make kvmppc_hpte_page_shifts return 0 for unrecognized page size encodings, and make kvmppc_actual_pgsz() detect that case and return 0 for the page size, which will then cause kvmppc_do_h_enter() to return an error and refuse to insert any HPTE with an unrecognized page size encoding. To ensure that we don't get undefined behaviour in compute_tlbie_rb(), we take the 4k page size path for any unrecognized page size encoding. This should never be hit in practice because it is only used on HPTE values which have previously been checked for having a recognized page size encoding. Signed-off-by: Paul Mackerras Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- arch/powerpc/include/asm/kvm_book3s_64.h | 14 +- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/arch/powerpc/include/asm/kvm_book3s_64.h b/arch/powerpc/include/asm/kvm_book3s_64.h index 735cfa35298a..998f7b7aaa9e 100644 --- a/arch/powerpc/include/asm/kvm_book3s_64.h +++ b/arch/powerpc/include/asm/kvm_book3s_64.h 
@@ -122,13 +122,13 @@ static inline int kvmppc_hpte_page_shifts(unsigned long h, unsigned long l) lphi = (l >> 16) & 0xf; switch ((l >> 12) & 0xf) { case 0: - return !lphi ? 24 : -1; /* 16MB */ + return !lphi ? 24 : 0; /* 16MB */ break; case 1: return 16; /* 64kB */ break; case 3: - return !lphi ? 34 : -1; /* 16GB */ + return !lphi ? 34 : 0; /* 16GB */ break; case 7: return (16 << 8) + 12; /* 64kB in 4kB */ @@ -140,7 +140,7 @@ static inline int kvmppc_hpte_page_shifts(unsigned long h, unsigned long l) return (24 << 8) + 12; /* 16MB in 4kB */ break; } - return -1; + return 0; } static inline int kvmppc_hpte_base_page_shift(unsigned long h, unsigned long l) @@ -159,7 +159,11 @@ static inline int kvmppc_hpte_actual_page_shift(unsigned long h, unsigned long l static inline unsigned long kvmppc_actual_pgsz(unsigned long v, unsigned long r) { - return 1ul << kvmppc_hpte_actual_page_shift(v, r); + int shift = kvmppc_hpte_actual_page_shift(v, r); + + if (shift) + return 1ul << shift; + return 0; } static inline int kvmppc_pgsize_lp_encoding(int base_shift, int actual_shift) @@ -232,7 +236,7 @@ static inline unsigned long compute_tlbie_rb(unsigned long v, unsigned long r, va_low ^= v >> (SID_SHIFT_1T - 16); va_low &= 0x7ff; - if (b_pgshift == 12) { + if (b_pgshift <= 12) { if (a_pgshift > 12) { sllp = (a_pgshift == 16) ? 5 : 4; rb |= sllp << 5;/* AP field */ -- 2.16.2
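Review bot: kvmppc_hpte_page_shifts() now uses 0 as its "unrecognized encoding" return value, but the function gets no comment documenting that, and the only test for it added here is in kvmppc_actual_pgsz(). kvmppc_hpte_base_page_shift() and kvmppc_hpte_actual_page_shift() appear only as context lines, so anyone calling them still has to discover that 0 can come back; please document the convention at the top of kvmppc_hpte_page_shifts().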
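Review bot: in compute_tlbie_rb(), "if (b_pgshift <= 12)" reads like a typo for "== 12" unless the reader already knows that 0 now stands for an unrecognized page size. Add a comment at the test saying that unrecognized encodings deliberately take the 4k path, as the commit message explains, so the comparison is not "corrected" later.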
[PATCH 4.15 003/128] ASoC: sgtl5000: Fix suspend/resume
4.15-stable review patch. If anyone has any objections, please let me know. -- From: Fabio Estevamcommit a8992973edbb2555e956b90f6fe97c4bc14d761d upstream. Commit 8419caa72702 ("ASoC: sgtl5000: Do not disable regulators in SND_SOC_BIAS_OFF") causes the sgtl5000 to fail after a suspend/resume sequence: Playing WAVE '/media/a2002011001-e02.wav' : Signed 16 bit Little Endian, Rate 44100 Hz, Stereo aplay: pcm_write:2051: write error: Input/output error The problem is caused by the fact that the aforementioned commit dropped the cache handling, so re-introduce the register map resync to fix the problem. Suggested-by: Mark Brown Signed-off-by: Fabio Estevam Signed-off-by: Mark Brown Cc: Signed-off-by: Greg Kroah-Hartman --- sound/soc/codecs/sgtl5000.c | 11 +++ 1 file changed, 11 insertions(+) --- a/sound/soc/codecs/sgtl5000.c +++ b/sound/soc/codecs/sgtl5000.c @@ -871,15 +871,26 @@ static int sgtl5000_pcm_hw_params(struct static int sgtl5000_set_bias_level(struct snd_soc_codec *codec, enum snd_soc_bias_level level) { + struct sgtl5000_priv *sgtl = snd_soc_codec_get_drvdata(codec); + int ret; + switch (level) { case SND_SOC_BIAS_ON: case SND_SOC_BIAS_PREPARE: case SND_SOC_BIAS_STANDBY: + regcache_cache_only(sgtl->regmap, false); + ret = regcache_sync(sgtl->regmap); + if (ret) { + regcache_cache_only(sgtl->regmap, true); + return ret; + } + snd_soc_update_bits(codec, SGTL5000_CHIP_ANA_POWER, SGTL5000_REFTOP_POWERUP, SGTL5000_REFTOP_POWERUP); break; case SND_SOC_BIAS_OFF: + regcache_cache_only(sgtl->regmap, true); snd_soc_update_bits(codec, SGTL5000_CHIP_ANA_POWER, SGTL5000_REFTOP_POWERUP, 0); break;
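Review bot: in the SND_SOC_BIAS_OFF case, regcache_cache_only(sgtl->regmap, true) is placed before the snd_soc_update_bits() call that clears SGTL5000_REFTOP_POWERUP, so that write is issued while the map is already in cache-only mode. If the power-down write is meant to reach the chip, switch to cache-only after it; if it is not, say so in a comment. In the ON/PREPARE/STANDBY cases, regcache_sync() now runs on every transition between those three levels, not only on the way back from OFF, which also deserves a comment or a check.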
[PATCH 4.15 029/128] spi: imx: Fix failure path leak on GPIO request error correctly
4.15-stable review patch. If anyone has any objections, please let me know. -- From: Trent Piepho [ Upstream commit 8197f489f4c4398391746a377c10501076b05168 ] In commit 974488e4ce1e ("spi: imx: Fix failure path leak on GPIO request error"), spi_bitbang_start() was moved later in the probe sequence. But this doesn't work, as spi_bitbang_start() has to be called before requesting GPIOs because the GPIO data in the spi master is populated when the master is registered, and that doesn't happen until spi_bitbang_start() is called. The default only works if one uses one CS. So add a failure path call to spi_bitbang_stop() to fix the leak. CC: Shawn Guo CC: Sascha Hauer CC: Fabio Estevam CC: Mark Brown CC: Oleksij Rempel Signed-off-by: Trent Piepho Reviewed-by: Oleksij Rempel Signed-off-by: Mark Brown Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/spi/spi-imx.c | 11 +-- 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/drivers/spi/spi-imx.c b/drivers/spi/spi-imx.c index 40390d31a93b..6f57592a7f95 100644 --- a/drivers/spi/spi-imx.c +++ b/drivers/spi/spi-imx.c @@ -1622,6 +1622,11 @@ static int spi_imx_probe(struct platform_device *pdev) spi_imx->devtype_data->intctrl(spi_imx, 0); master->dev.of_node = pdev->dev.of_node; + ret = spi_bitbang_start(_imx->bitbang); + if (ret) { + dev_err(>dev, "bitbang start failed with %d\n", ret); + goto out_clk_put; + } /* Request GPIO CS lines, if any */ if (!spi_imx->slave_mode && master->cs_gpios) { @@ -1640,12 +1645,6 @@ static int spi_imx_probe(struct platform_device *pdev) } } - ret = spi_bitbang_start(_imx->bitbang); - if (ret) { - dev_err(>dev, "bitbang start failed with %d\n", ret); - goto out_clk_put; - } - dev_info(>dev, "probed\n"); clk_disable(spi_imx->clk_ipg); -- 2.16.2
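Review bot: the commit message says the fix is to "add a failure path call to spi_bitbang_stop()", but neither hunk adds one; the two hunks only move the spi_bitbang_start() block above the "Request GPIO CS lines" section, which accounts for all 5 insertions and 6 deletions in the diffstat. As posted, an error after the moved spi_bitbang_start() has no matching stop anywhere in the visible change, so please compare this backport with the upstream commit and include the error-path hunk that calls spi_bitbang_stop().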
[PATCH v3] ata: add Amiga Gayle PATA controller driver
Add Amiga Gayle PATA controller driver. It enables libata support for the on-board IDE interfaces on some Amiga models (A600, A1200, A4000 and A4000T) and also for IDE interfaces on the Zorro expansion bus (M-Tech E-Matrix 530 expansion card). Thanks to John Paul Adrian Glaubitz and Michael Schmitz for help with testing the driver. Tested-by: John Paul Adrian GlaubitzCc: Michael Schmitz Cc: Geert Uytterhoeven Cc: Philippe Ombredanne Cc: Andy Shevchenko Signed-off-by: Bartlomiej Zolnierkiewicz --- v3: - fix minor issues reported by Andy v2: - clarify license version (it should be GPL 2.0) - use SPDX header drivers/ata/Kconfig | 12 ++ drivers/ata/Makefile |1 drivers/ata/pata_gayle.c | 219 +++ 3 files changed, 232 insertions(+) Index: b/drivers/ata/Kconfig === --- a/drivers/ata/Kconfig 2018-03-16 17:01:47.051581322 +0100 +++ b/drivers/ata/Kconfig 2018-03-16 17:01:47.027581322 +0100 @@ -954,6 +954,18 @@ config PATA_FALCON If unsure, say N. +config PATA_GAYLE + tristate "Amiga Gayle PATA support" + depends on M68K && AMIGA + help + This option enables support for the on-board IDE + interfaces on some Amiga models (A600, A1200, + A4000 and A4000T) and also for IDE interfaces on + the Zorro expansion bus (M-Tech E-Matrix 530 + expansion card). + + If unsure, say N. + config PATA_ISAPNP tristate "ISA Plug and Play PATA support" depends on ISAPNP Index: b/drivers/ata/Makefile === --- a/drivers/ata/Makefile 2018-03-16 17:01:47.051581322 +0100 +++ b/drivers/ata/Makefile 2018-03-16 17:01:47.035581322 +0100 @@ -97,6 +97,7 @@ obj-$(CONFIG_PATA_WINBOND)+= pata_sl82c # SFF PIO only obj-$(CONFIG_PATA_CMD640_PCI) += pata_cmd640.o obj-$(CONFIG_PATA_FALCON) += pata_falcon.o +obj-$(CONFIG_PATA_GAYLE) += pata_gayle.o obj-$(CONFIG_PATA_ISAPNP) += pata_isapnp.o obj-$(CONFIG_PATA_IXP4XX_CF) += pata_ixp4xx_cf.o obj-$(CONFIG_PATA_MPIIX) += pata_mpiix.o Index: b/drivers/ata/pata_gayle.c === --- /dev/null 1970-01-01 00:00:00.0 + 
+++ b/drivers/ata/pata_gayle.c 2018-03-16 17:05:31.972718374 +0100 @@ -0,0 +1,219 @@ +// SPDX-License-Identifier: GPL-2.0 + +/* + * Amiga Gayle PATA controller driver + * + * Copyright (c) 2018 Samsung Electronics Co., Ltd. + * http://www.samsung.com + * + * Based on gayle.c: + * + * Created 12 Jul 1997 by Geert Uytterhoeven + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include + +#define DRV_NAME "pata_gayle" +#define DRV_VERSION "0.1.0" + +#define GAYLE_CONTROL 0x101a + +static struct scsi_host_template pata_gayle_sht = { + ATA_PIO_SHT(DRV_NAME), +}; + +/* FIXME: is this needed? */ +static unsigned int pata_gayle_data_xfer(struct ata_queued_cmd *qc, +unsigned char *buf, +unsigned int buflen, int rw) +{ + struct ata_device *dev = qc->dev; + struct ata_port *ap = dev->link->ap; + void __iomem *data_addr = ap->ioaddr.data_addr; + unsigned int words = buflen >> 1; + + /* Transfer multiple of 2 bytes */ + if (rw == READ) + raw_insw((u16 *)data_addr, (u16 *)buf, words); + else + raw_outsw((u16 *)data_addr, (u16 *)buf, words); + + /* Transfer trailing byte, if any. */ + if (unlikely(buflen & 0x01)) { + unsigned char pad[2] = { }; + + /* Point buf to the tail of buffer */ + buf += buflen - 1; + + if (rw == READ) { + raw_insw((u16 *)data_addr, (u16 *)pad, 1); + *buf = pad[0]; + } else { + pad[0] = *buf; + raw_outsw((u16 *)data_addr, (u16 *)pad, 1); + } + words++; + } + + return words << 1; +} + +/* + * Provide our own set_mode() as we don't want to change anything that has + * already been configured.. + */ +static int pata_gayle_set_mode(struct ata_link *link, + struct ata_device **unused) +{ + struct ata_device *dev; + + ata_for_each_dev(dev, link, ENABLED) { + /* We don't really care */ + dev->pio_mode = dev->xfer_mode = XFER_PIO_0; + dev->xfer_shift = ATA_SHIFT_PIO; + dev->flags |= ATA_DFLAG_PIO; +
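Review bot: pata_gayle_data_xfer() is introduced under a "/* FIXME: is this needed? */" comment, and that question should be answered before the driver goes in: either drop the custom hook or replace the FIXME with the reason a driver-specific transfer routine is required. In the same function, the "(u16 *)data_addr" casts passed to raw_insw() and raw_outsw() drop the __iomem annotation that ap->ioaddr.data_addr carries; keep the annotation in the cast so sparse can still check the accesses.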
[PATCH 4.15 018/128] usb: usbmon: Read text within supplied buffer size
4.15-stable review patch. If anyone has any objections, please let me know. -- From: Pete Zaitcevcommit a5f596830e27e15f7a0ecd6be55e433d776986d8 upstream. This change fixes buffer overflows and silent data corruption with the usbmon device driver text file read operations. Signed-off-by: Fredrik Noring Signed-off-by: Pete Zaitcev Cc: stable Signed-off-by: Greg Kroah-Hartman --- drivers/usb/mon/mon_text.c | 124 +++-- 1 file changed, 77 insertions(+), 47 deletions(-) --- a/drivers/usb/mon/mon_text.c +++ b/drivers/usb/mon/mon_text.c @@ -85,6 +85,8 @@ struct mon_reader_text { wait_queue_head_t wait; int printf_size; + size_t printf_offset; + size_t printf_togo; char *printf_buf; struct mutex printf_lock; 
@@ -376,75 +378,103 @@ err_alloc: return rc; } -/* - * For simplicity, we read one record in one system call and throw out - * what does not fit. This means that the following does not work: - * dd if=/dbg/usbmon/0t bs=10 - * Also, we do not allow seeks and do not bother advancing the offset. - */ +static ssize_t mon_text_copy_to_user(struct mon_reader_text *rp, +char __user * const buf, const size_t nbytes) +{ + const size_t togo = min(nbytes, rp->printf_togo); + + if (copy_to_user(buf, >printf_buf[rp->printf_offset], togo)) + return -EFAULT; + rp->printf_togo -= togo; + rp->printf_offset += togo; + return togo; +} + +/* ppos is not advanced since the llseek operation is not permitted. */ static ssize_t mon_text_read_t(struct file *file, char __user *buf, - size_t nbytes, loff_t *ppos) +size_t nbytes, loff_t *ppos) { struct mon_reader_text *rp = file->private_data; struct mon_event_text *ep; struct mon_text_ptr ptr; + ssize_t ret; - ep = mon_text_read_wait(rp, file); - if (IS_ERR(ep)) - return PTR_ERR(ep); mutex_lock(>printf_lock); - ptr.cnt = 0; - ptr.pbuf = rp->printf_buf; - ptr.limit = rp->printf_size; - - mon_text_read_head_t(rp, , ep); - mon_text_read_statset(rp, , ep); - ptr.cnt += snprintf(ptr.pbuf + ptr.cnt, ptr.limit - ptr.cnt, - " %d", ep->length); - mon_text_read_data(rp, , ep); - if (copy_to_user(buf, rp->printf_buf, ptr.cnt)) - ptr.cnt = -EFAULT; + if (rp->printf_togo == 0) { + + ep = mon_text_read_wait(rp, file); + if (IS_ERR(ep)) { + mutex_unlock(>printf_lock); + return PTR_ERR(ep); + } + ptr.cnt = 0; + ptr.pbuf = rp->printf_buf; + ptr.limit = rp->printf_size; + + mon_text_read_head_t(rp, , ep); + mon_text_read_statset(rp, , ep); + ptr.cnt += snprintf(ptr.pbuf + ptr.cnt, ptr.limit - ptr.cnt, + " %d", ep->length); + mon_text_read_data(rp, , ep); + + rp->printf_togo = ptr.cnt; + rp->printf_offset = 0; + + kmem_cache_free(rp->e_slab, ep); + } + + ret = mon_text_copy_to_user(rp, buf, nbytes); mutex_unlock(>printf_lock); - kmem_cache_free(rp->e_slab, 
ep); - return ptr.cnt; + return ret; } +/* ppos is not advanced since the llseek operation is not permitted. */ static ssize_t mon_text_read_u(struct file *file, char __user *buf, - size_t nbytes, loff_t *ppos) +size_t nbytes, loff_t *ppos) { struct mon_reader_text *rp = file->private_data; struct mon_event_text *ep; struct mon_text_ptr ptr; + ssize_t ret; - ep = mon_text_read_wait(rp, file); - if (IS_ERR(ep)) - return PTR_ERR(ep); mutex_lock(>printf_lock); - ptr.cnt = 0; - ptr.pbuf = rp->printf_buf; - ptr.limit = rp->printf_size; - mon_text_read_head_u(rp, , ep); - if (ep->type == 'E') { - mon_text_read_statset(rp, , ep); - } else if (ep->xfertype == USB_ENDPOINT_XFER_ISOC) { - mon_text_read_isostat(rp, , ep); - mon_text_read_isodesc(rp, , ep); - } else if (ep->xfertype == USB_ENDPOINT_XFER_INT) { - mon_text_read_intstat(rp, , ep); - } else { - mon_text_read_statset(rp, , ep); + if (rp->printf_togo == 0) { + + ep = mon_text_read_wait(rp, file); + if (IS_ERR(ep)) { + mutex_unlock(>printf_lock); + return PTR_ERR(ep); + } + ptr.cnt = 0; + ptr.pbuf = rp->printf_buf; + ptr.limit = rp->printf_size; + + mon_text_read_head_u(rp, , ep); +
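Review bot: in mon_text_read_t(), and in the matching block of mon_text_read_u(), "rp->printf_togo = ptr.cnt;" stores a count accumulated from snprintf() return values, and mon_text_copy_to_user() then trusts it as the number of valid bytes in printf_buf. snprintf() returns the length the output would have had, not the length written, so clamp the value to rp->printf_size before storing it (or use scnprintf() for the accumulation); for a patch whose purpose is to stop reads from overrunning the buffer, that bound should be explicit. Separately, mon_text_read_wait() is now called with printf_lock held, so a blocked reader sleeps holding the mutex, and a comment on why that is acceptable would help.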
[PATCH 4.15 016/128] usbip: vudc: fix null pointer dereference on udc->lock
4.15-stable review patch. If anyone has any objections, please let me know. -- From: Colin Ian Kingcommit df3334c223a033f562645712e832ca4cbb326bbf upstream. Currently the driver attempts to spin lock on udc->lock before a NULL pointer check is performed on udc, hence there is a potential null pointer dereference on udc->lock. Fix this by moving the null check on udc before the lock occurs. Fixes: ea6873a45a22 ("usbip: vudc: Add SysFS infrastructure for VUDC") Signed-off-by: Colin Ian King Acked-by: Shuah Khan Reviewed-by: Krzysztof Opasiak Cc: stable Signed-off-by: Greg Kroah-Hartman --- drivers/usb/usbip/vudc_sysfs.c |8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) --- a/drivers/usb/usbip/vudc_sysfs.c +++ b/drivers/usb/usbip/vudc_sysfs.c @@ -105,10 +105,14 @@ static ssize_t store_sockfd(struct devic if (rv != 0) return -EINVAL; + if (!udc) { + dev_err(dev, "no device"); + return -ENODEV; + } spin_lock_irqsave(>lock, flags); /* Don't export what we don't have */ - if (!udc || !udc->driver || !udc->pullup) { - dev_err(dev, "no device or gadget not bound"); + if (!udc->driver || !udc->pullup) { + dev_err(dev, "gadget not bound"); ret = -ENODEV; goto unlock; }
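Review bot: the two dev_err() strings in store_sockfd(), "no device" in the new early check and "gadget not bound" in the reworded one, have no trailing newline. Add "\n" to both while the messages are being touched; the early return before spin_lock_irqsave() is otherwise the right shape for the fix.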
Re: [PATCH 5/8] trace_uprobe: Support SDT markers having reference count (semaphore)
On 03/15, Steven Rostedt wrote: > > On Tue, 13 Mar 2018 18:26:00 +0530 > Ravi Bangoriawrote: > > > +static void sdt_increment_ref_ctr(struct trace_uprobe *tu) > > +{ > > + struct uprobe_map_info *info; > > + struct vm_area_struct *vma; > > + unsigned long vaddr; > > + > > + uprobe_start_dup_mmap(); > > Please add a comment here that this function ups the mm ref count for > each info returned. Otherwise it's hard to know what that mmput() below > matches. You meant uprobe_build_map_info(), not uprobe_start_dup_mmap(). Yes, and if it gets more callers perhaps we should move this mmput() into uprobe_free_map_info()... Oleg. --- x/kernel/events/uprobes.c +++ x/kernel/events/uprobes.c @@ -714,6 +714,7 @@ struct map_info { static inline struct map_info *free_map_info(struct map_info *info) { struct map_info *next = info->next; + mmput(info->mm); kfree(info); return next; } @@ -783,8 +784,11 @@ build_map_info(struct address_space *map goto again; out: - while (prev) - prev = free_map_info(prev); + while (prev) { + info = prev; + prev = prev->next; + kfree(info); + } return curr; } @@ -834,7 +838,6 @@ register_for_each_vma(struct uprobe *upr unlock: up_write(>mmap_sem); free: - mmput(mm); info = free_map_info(info); } out:
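Review bot: in the build_map_info() hunk, the loop under "out:" is open-coded with kfree(info) instead of calling free_map_info(), and the reason is not stated anywhere in the code. Now that free_map_info() does mmput(info->mm), please add a comment at that loop saying that these entries must be freed without the mmput(), otherwise it looks like a candidate for being folded back into free_map_info() by a later cleanup.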
[RT PATCH 1/2 v2] kernel/cpu_chill: use schedule_hrtimeout()
If a task calls cpu_chill() and gets woken up by a regular or spurious wakeup and has a signal pending, then it exits the sleep loop in do_nanosleep() and sets up the restart block. If restart->nanosleep.type is not TI_NONE then this results in accessing a stale user pointer from a previously interrupted syscall and a copy to user based on the stale pointer or a BUG() when 'type' is not supported in nanosleep_copyout(). Instead of all this trouble, use schedule_hrtimeout(). Cc: stable...@vger.kernel.org Signed-off-by: Sebastian Andrzej Siewior --- kernel/time/hrtimer.c | 9 - 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c index 6c77643eaf02..c0efc22ba635 100644 --- a/kernel/time/hrtimer.c +++ b/kernel/time/hrtimer.c @@ -1873,14 +1873,13 @@ COMPAT_SYSCALL_DEFINE2(nanosleep, struct compat_timespec __user *, rqtp, */ void cpu_chill(void) { - struct timespec64 tu = { - .tv_nsec = NSEC_PER_MSEC, - }; + ktime_t chill_time; unsigned int freeze_flag = current->flags & PF_NOFREEZE; + chill_time = ktime_set(0, NSEC_PER_MSEC); + set_current_state(TASK_UNINTERRUPTIBLE); current->flags |= PF_NOFREEZE; - __hrtimer_nanosleep(, HRTIMER_MODE_REL_HARD, CLOCK_MONOTONIC, - TASK_UNINTERRUPTIBLE); + schedule_hrtimeout(_time, HRTIMER_MODE_REL_HARD); if (!freeze_flag) current->flags &= ~PF_NOFREEZE; } -- 2.16.2
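Review bot: the return value of schedule_hrtimeout() in cpu_chill() is dropped and there is no loop around the call, so a wakeup that arrives before the timer expires ends the chill early. If a shortened sleep is acceptable for every cpu_chill() caller, say so in a comment above the call; otherwise loop until the timeout has elapsed. The set_current_state(TASK_UNINTERRUPTIBLE) added before the call is what makes schedule_hrtimeout() sleep at all and deserves a one-line comment as well.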
[PATCH v3 10/18] net: qla3xxx: Eliminate duplicate barriers on weakly-ordered archs
Code includes wmb() followed by writel(). writel() already has a barrier on some architectures like arm64. This ends up CPU observing two barriers back to back before executing the register write. Since code already has an explicit barrier call, changing writel() to writel_relaxed(). Signed-off-by: Sinan Kaya--- drivers/net/ethernet/qlogic/qla3xxx.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/ethernet/qlogic/qla3xxx.c b/drivers/net/ethernet/qlogic/qla3xxx.c index 9e5264d..0e71b74 100644 --- a/drivers/net/ethernet/qlogic/qla3xxx.c +++ b/drivers/net/ethernet/qlogic/qla3xxx.c @@ -1858,8 +1858,8 @@ static void ql_update_small_bufq_prod_index(struct ql3_adapter *qdev) qdev->small_buf_release_cnt -= 8; } wmb(); - writel(qdev->small_buf_q_producer_index, - _regs->CommonRegs.rxSmallQProducerIndex); + writel_relaxed(qdev->small_buf_q_producer_index, + _regs->CommonRegs.rxSmallQProducerIndex); } } -- 2.7.4
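Review bot: with writel() replaced by writel_relaxed() in ql_update_small_bufq_prod_index(), the preceding wmb() becomes the only thing ordering the buffer queue updates before the producer index reaches the device, and it carries no comment. Add one at the wmb() stating what it orders, so that a later cleanup does not remove the barrier as redundant.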
[PATCH 4.14 067/109] scsi: ses: dont ask for diagnostic pages repeatedly during probe
4.14-stable review patch. If anyone has any objections, please let me know. -- From: Li Dongyang[ Upstream commit 9c0a50022b8ac7e863e6ec8342fa476fe5d1d75c ] We are testing if there is a match with the ses device in a loop by calling ses_match_to_enclosure(), which will issue scsi receive diagnostics commands to the ses device for every device on the same host. On one of our boxes with 840 disks, it takes a long time to load the driver: [root@g1b-oss06 ~]# time modprobe ses real40m48.247s user0m0.001s sys 0m0.196s With the patch: [root@g1b-oss06 ~]# time modprobe ses real0m17.915s user0m0.008s sys 0m0.053s Note that we still need to refresh page 10 when we see a new disk to create the link. Signed-off-by: Li Dongyang Tested-by: Jason Ozolins Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/scsi/ses.c | 11 +++ 1 file changed, 7 insertions(+), 4 deletions(-) --- a/drivers/scsi/ses.c +++ b/drivers/scsi/ses.c @@ -615,13 +615,16 @@ static void ses_enclosure_data_process(s } static void ses_match_to_enclosure(struct enclosure_device *edev, - struct scsi_device *sdev) + struct scsi_device *sdev, + int refresh) { + struct scsi_device *edev_sdev = to_scsi_device(edev->edev.parent); struct efd efd = { .addr = 0, }; - ses_enclosure_data_process(edev, to_scsi_device(edev->edev.parent), 0); + if (refresh) + ses_enclosure_data_process(edev, edev_sdev, 0); if (scsi_is_sas_rphy(sdev->sdev_target->dev.parent)) efd.addr = sas_get_address(sdev); @@ -652,7 +655,7 @@ static int ses_intf_add(struct device *c struct enclosure_device *prev = NULL; while ((edev = enclosure_find(>host->shost_gendev, prev)) != NULL) { - ses_match_to_enclosure(edev, sdev); + ses_match_to_enclosure(edev, sdev, 1); prev = edev; } return -ENODEV; 
@@ -768,7 +771,7 @@ page2_not_supported: shost_for_each_device(tmp_sdev, sdev->host) { if (tmp_sdev->lun != 0 || scsi_device_enclosure(tmp_sdev)) continue; - ses_match_to_enclosure(edev, tmp_sdev); + ses_match_to_enclosure(edev, tmp_sdev, 0); } return 0;
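Review bot: the new "int refresh" parameter of ses_match_to_enclosure() is passed as a bare 1 in ses_intf_add() and a bare 0 in the shost_for_each_device() loop, which explains nothing at the call site. Make it a bool and add a short comment at each call: a newly added disk needs the pages re-read (the commit message mentions page 10), while the loop over every device on the host skips the re-read. With refresh == 0 the function depends on the enclosure data having been processed earlier, which is worth stating in a comment on the function itself.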
Re: [Intel-wired-lan] [PATCH v3 09/18] fm10k: Eliminate duplicate barriers on weakly-ordered archs
On Fri, Mar 16, 2018 at 9:16 AM, Sinan Kaya wrote: > Code includes wmb() followed by writel(). writel() already has a > barrier on some architectures like arm64. > > This ends up CPU observing two barriers back to back before executing > the register write. > > Since code already has an explicit barrier call, changing writel() to > writel_relaxed(). > > Signed-off-by: Sinan Kaya You can update the writel call in fm10k_tx_map as well. Of the drivers updated in drivers/net/ethernet/intel/* it looks like this is the only one that still requires any additional changes. Thanks. - Alex
[PATCH 4.14 101/109] mmc: mmc_test: Ensure command queue is disabled for testing
4.14-stable review patch. If anyone has any objections, please let me know. -- From: Adrian Hunter[ Upstream commit 23a185254ace8e63dc4ca36e0315aed9440ae749 ] mmc_test disables the command queue because none of the tests use the command queue. However the Reset Test will re-enable it, so disable it in that case too. Fixes: 9d4579a85c84 ("mmc: mmc_test: Disable Command Queue while mmc_test is used") Signed-off-by: Adrian Hunter Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/mmc/core/mmc_test.c | 11 +-- 1 file changed, 9 insertions(+), 2 deletions(-) --- a/drivers/mmc/core/mmc_test.c +++ b/drivers/mmc/core/mmc_test.c @@ -2328,10 +2328,17 @@ static int mmc_test_reset(struct mmc_tes int err; err = mmc_hw_reset(host); - if (!err) + if (!err) { + /* +* Reset will re-enable the card's command queue, but tests +* expect it to be disabled. +*/ + if (card->ext_csd.cmdq_en) + mmc_cmdq_disable(card); return RESULT_OK; - else if (err == -EOPNOTSUPP) + } else if (err == -EOPNOTSUPP) { return RESULT_UNSUP_HOST; + } return RESULT_FAIL; }
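Review bot: the return value of mmc_cmdq_disable(card) in mmc_test_reset() is ignored, so the function reports RESULT_OK even when the command queue could not be disabled and the following tests then run with it still enabled. Check the result and return RESULT_FAIL on error.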
Re: [PATCH 1/2] dt: bindings: fpga: add lattice machxo2 slave spi binding description
On Fri, Mar 16, 2018 at 04:54:28PM +0100, Paolo Pisati wrote: > Add dt binding documentation details for Lattice MachXO2 FPGA configuration > over Slave SPI interface. > > Signed-off-by: Paolo Pisati> Acked-by: Rob Herring Acked-by: Moritz Fischer > --- > .../bindings/fpga/lattice-machxo2-spi.txt | 29 > ++ > 1 file changed, 29 insertions(+) > create mode 100644 > Documentation/devicetree/bindings/fpga/lattice-machxo2-spi.txt > > diff --git a/Documentation/devicetree/bindings/fpga/lattice-machxo2-spi.txt > b/Documentation/devicetree/bindings/fpga/lattice-machxo2-spi.txt > new file mode 100644 > index 000..a8c362e > --- /dev/null > +++ b/Documentation/devicetree/bindings/fpga/lattice-machxo2-spi.txt > @@ -0,0 +1,29 @@ > +Lattice MachXO2 Slave SPI FPGA Manager > + > +Lattice MachXO2 FPGAs support a method of loading the bitstream over > +'slave SPI' interface. Nit: a 'slave SPI' > + > +See 'MachXO2ProgrammingandConfigurationUsageGuide.pdf' on www.latticesemi.com > + > +Required properties: > +- compatible: should contain "lattice,machxo2-slave-spi" > +- reg: spi chip select of the FPGA > + > +Example for full FPGA configuration: > + > + fpga-region0 { > + compatible = "fpga-region"; > + fpga-mgr = <_mgr_spi>; > + #address-cells = <0x1>; > + #size-cells = <0x1>; > + }; > + > + spi1: spi@2000 { > +... > + > + fpga_mgr_spi: fpga-mgr@0 { > + compatible = "lattice,machxo2-slave-spi"; > + spi-max-frequency = <800>; > + reg = <0>; > + }; > + }; > -- > 2.7.4 > Thanks, Moritz
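Review bot: the example fpga-mgr node sets spi-max-frequency, but the "Required properties" list names only compatible and reg. State whether spi-max-frequency is required or optional for this binding, or refer to the generic SPI device binding for it, so that the example and the property list agree.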
[PATCH 4.14 065/109] dmaengine: amba-pl08x: Use vchan_terminate_vdesc() instead of desc_free
4.14-stable review patch. If anyone has any objections, please let me know. -- From: Peter Ujfalusi[ Upstream commit 47d71bc75d072ce25c1063aa629e55e1cfb961b2 ] To avoid race with vchan_complete, use the race free way to terminate running transfer. Implement the device_synchronize callback to make sure that the terminated descriptor is freed. Signed-off-by: Peter Ujfalusi Reviewed-by: Linus Walleij Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/dma/amba-pl08x.c | 11 ++- 1 file changed, 10 insertions(+), 1 deletion(-) --- a/drivers/dma/amba-pl08x.c +++ b/drivers/dma/amba-pl08x.c @@ -2182,7 +2182,7 @@ static int pl08x_terminate_all(struct dm } /* Dequeue jobs and free LLIs */ if (plchan->at) { - pl08x_desc_free(>at->vd); + vchan_terminate_vdesc(>at->vd); plchan->at = NULL; } /* Dequeue jobs not yet fired as well */ @@ -2193,6 +2193,13 @@ static int pl08x_terminate_all(struct dm return 0; } +static void pl08x_synchronize(struct dma_chan *chan) +{ + struct pl08x_dma_chan *plchan = to_pl08x_chan(chan); + + vchan_synchronize(>vc); +} + static int pl08x_pause(struct dma_chan *chan) { struct pl08x_dma_chan *plchan = to_pl08x_chan(chan); @@ -2773,6 +2780,7 @@ static int pl08x_probe(struct amba_devic pl08x->memcpy.device_pause = pl08x_pause; pl08x->memcpy.device_resume = pl08x_resume; pl08x->memcpy.device_terminate_all = pl08x_terminate_all; + pl08x->memcpy.device_synchronize = pl08x_synchronize; pl08x->memcpy.src_addr_widths = PL80X_DMA_BUSWIDTHS; pl08x->memcpy.dst_addr_widths = PL80X_DMA_BUSWIDTHS; pl08x->memcpy.directions = BIT(DMA_MEM_TO_MEM); 
@@ -2802,6 +2810,7 @@ static int pl08x_probe(struct amba_devic pl08x->slave.device_pause = pl08x_pause; pl08x->slave.device_resume = pl08x_resume; pl08x->slave.device_terminate_all = pl08x_terminate_all; + pl08x->slave.device_synchronize = pl08x_synchronize; pl08x->slave.src_addr_widths = PL80X_DMA_BUSWIDTHS; pl08x->slave.dst_addr_widths = PL80X_DMA_BUSWIDTHS; pl08x->slave.directions =
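Review bot: the comment "Dequeue jobs and free LLIs" above the changed call in pl08x_terminate_all() is stale now that the running descriptor is handed to vchan_terminate_vdesc() instead of being freed on the spot. Update it to say that the descriptor is released later, from pl08x_synchronize(), so readers know that terminate_all on its own no longer frees it.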
[PATCH 4.14 075/109] drm/amdgpu:fix virtual dce bug
4.14-stable review patch. If anyone has any objections, please let me know. -- From: Monk Liu [ Upstream commit 129d65c18ecfb249aceb540c31fdaf79bd5a11ff ] This fixes an access to freed memory after the driver is unloaded. Signed-off-by: Monk Liu Acked-by: Alex Deucher Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/gpu/drm/amd/amdgpu/dce_virtual.c |4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/drivers/gpu/drm/amd/amdgpu/dce_virtual.c +++ b/drivers/gpu/drm/amd/amdgpu/dce_virtual.c @@ -437,6 +437,8 @@ static int dce_virtual_sw_fini(void *han drm_kms_helper_poll_fini(adev->ddev); drm_mode_config_cleanup(adev->ddev); + /* clear crtcs pointer to avoid dce irq finish routine access freed data */ + memset(adev->mode_info.crtcs, 0, sizeof(adev->mode_info.crtcs[0]) * AMDGPU_MAX_CRTCS); adev->mode_info.mode_config_initialized = false; return 0; } @@ -723,7 +725,7 @@ static void dce_virtual_set_crtc_vblank_ int crtc, enum amdgpu_interrupt_state state) { - if (crtc >= adev->mode_info.num_crtc) { + if (crtc >= adev->mode_info.num_crtc || !adev->mode_info.crtcs[crtc]) { DRM_DEBUG("invalid crtc %d\n", crtc); return; }
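Review bot: in the second hunk crtc is a signed int and only its upper bound is tested before it is used as an index in the new !adev->mode_info.crtcs[crtc] check, so a negative value would reach the array access unless the type of num_crtc makes the comparison unsigned. Add an explicit crtc < 0 test or make the parameter unsigned. In dce_virtual_sw_fini() the memset() line is well over 80 columns; sizing it from the array itself would be shorter and cannot drift from AMDGPU_MAX_CRTCS.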
[PATCH 4.14 080/109] spi: sun6i: disable/unprepare clocks on remove
4.14-stable review patch. If anyone has any objections, please let me know. -- From: Tobias Jordan[ Upstream commit 2d9bbd02c54094ceffa555143b0d68cd06504d63 ] sun6i_spi_probe() uses sun6i_spi_runtime_resume() to prepare/enable clocks, so sun6i_spi_remove() should use sun6i_spi_runtime_suspend() to disable/unprepare them if we're not suspended. Replacing pm_runtime_disable() by pm_runtime_force_suspend() will ensure that sun6i_spi_runtime_suspend() is called if needed. Found by Linux Driver Verification project (linuxtesting.org). Fixes: 3558fe900e8af (spi: sunxi: Add Allwinner A31 SPI controller driver) Signed-off-by: Tobias Jordan Acked-by: Maxime Ripard Signed-off-by: Mark Brown Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/spi/spi-sun6i.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/spi/spi-sun6i.c +++ b/drivers/spi/spi-sun6i.c @@ -541,7 +541,7 @@ err_free_master: static int sun6i_spi_remove(struct platform_device *pdev) { - pm_runtime_disable(>dev); + pm_runtime_force_suspend(>dev); return 0; }
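Review bot: sun6i_spi_remove() ignores the return value of pm_runtime_force_suspend() and unconditionally returns 0. If the suspend callback fails, the clocks stay enabled, which is the leak this change is meant to close; at least log the error.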
Re: [PATCH net] netlink: avoid a double skb free in genlmsg_mcast()
From: Nicolas DichtelDate: Wed, 14 Mar 2018 21:10:23 +0100 > nlmsg_multicast() consumes always the skb, thus the original skb must be > freed only when this function is called with a clone. > > Fixes: cb9f7a9a5c96 ("netlink: ensure to loop over all netns in > genlmsg_multicast_allns()") > Reported-by: Ben Hutchings > Signed-off-by: Nicolas Dichtel Yeah these "clone until final send" loops can be tricky to manage. Good catch, applied and queued up for -stable, thanks.
[PATCH 4.14 052/109] mtd: nand: ifc: update bufnum mask for ver >= 2.0.0
4.14-stable review patch. If anyone has any objections, please let me know. -- From: Jagdish Gediya[ Upstream commit bccb06c353af3764ca86d9da47652458e6c2eb41 ] Bufnum mask is used to calculate page position in the internal SRAM. As IFC version 2.0.0 has 16KB of internal SRAM as compared to older versions which had 8KB. Hence bufnum mask needs to be updated. Signed-off-by: Jagdish Gediya Signed-off-by: Prabhakar Kushwaha Signed-off-by: Boris Brezillon Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/mtd/nand/fsl_ifc_nand.c |7 +++ 1 file changed, 7 insertions(+) --- a/drivers/mtd/nand/fsl_ifc_nand.c +++ b/drivers/mtd/nand/fsl_ifc_nand.c @@ -916,6 +916,13 @@ static int fsl_ifc_chip_init(struct fsl_ if (ctrl->version >= FSL_IFC_VERSION_1_1_0) fsl_ifc_sram_init(priv); + /* +* As IFC version 2.0.0 has 16KB of internal SRAM as compared to older +* versions which had 8KB. Hence bufnum mask needs to be updated. +*/ + if (ctrl->version >= FSL_IFC_VERSION_2_0_0) + priv->bufnum_mask = (priv->bufnum_mask * 2) + 1; + return 0; }
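Review bot: the update in fsl_ifc_chip_init(), priv->bufnum_mask = (priv->bufnum_mask * 2) + 1, is only correct if bufnum_mask already holds a contiguous low-bit mask computed for the 8KB SRAM when this line runs. That ordering dependency is implicit; either derive the mask from the SRAM size of the detected version at the place where it is first set, or extend the comment to name the assumption.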
[PATCH 4.14 054/109] xfrm: Fix xfrm_replay_overflow_offload_esn
4.14-stable review patch. If anyone has any objections, please let me know. -- From: Yossef Efraim [ Upstream commit 0ba23a211360af7b6658e4fcfc571970bbbacc55 ] In case of wrap around, replay_esn->oseq_hi is not updated before it is tested for its actual value, leading the function to fail with overflow indication and packets being dropped. This patch updates replay_esn->oseq_hi in the right place. Fixes: d7dbefc45cf5 ("xfrm: Add xfrm_replay_overflow functions for offloading") Signed-off-by: Yossef Efraim Signed-off-by: Steffen Klassert Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- net/xfrm/xfrm_replay.c |3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) --- a/net/xfrm/xfrm_replay.c +++ b/net/xfrm/xfrm_replay.c @@ -666,7 +666,7 @@ static int xfrm_replay_overflow_offload_ if (unlikely(oseq < replay_esn->oseq)) { XFRM_SKB_CB(skb)->seq.output.hi = ++oseq_hi; xo->seq.hi = oseq_hi; - + replay_esn->oseq_hi = oseq_hi; if (replay_esn->oseq_hi == 0) { replay_esn->oseq--; replay_esn->oseq_hi--; @@ -678,7 +678,6 @@ static int xfrm_replay_overflow_offload_ } replay_esn->oseq = oseq; - replay_esn->oseq_hi = oseq_hi; if (xfrm_aevent_is_on(net)) x->repl->notify(x, XFRM_REPLAY_UPDATE);
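Review bot: in the wrap-around branch of the first hunk, XFRM_SKB_CB(skb)->seq.output.hi and xo->seq.hi are written with the incremented oseq_hi before the replay_esn->oseq_hi == 0 overflow test, so on the overflow path the skb already carries the wrapped value while replay_esn is rolled back. If those fields can be read after the error return, run the overflow test first; if they cannot, a short comment saying so would help. The test could also use the local oseq_hi, which would not depend on the store added here.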
[PATCH 4.14 059/109] drm/etnaviv: make THERMAL selectable
4.14-stable review patch. If anyone has any objections, please let me know. -- 
From: Philipp Zabel[ Upstream commit 49b82c389d2a40eaef1355aaa35868b367aec9d1 ] The etnaviv driver causes a link failure if it is built-in but THERMAL is built as a module: drivers/gpu/drm/etnaviv/etnaviv_gpu.o: In function `etnaviv_gpu_bind': etnaviv_gpu.c:(.text+0x4c4): undefined reference to `thermal_of_cooling_device_register' etnaviv_gpu.c:(.text+0x600): undefined reference to `thermal_cooling_device_unregister' drivers/gpu/drm/etnaviv/etnaviv_gpu.o: In function `etnaviv_gpu_unbind': etnaviv_gpu.c:(.text+0x2aac): undefined reference to `thermal_cooling_device_unregister' Adding a Kconfig dependency on THERMAL || !THERMAL to avoid this causes a dependency loop on x86_64: drivers/gpu/drm/tve200/Kconfig:1:error: recursive dependency detected! For a resolution refer to Documentation/kbuild/kconfig-language.txt subsection "Kconfig recursive dependency limitations" drivers/gpu/drm/tve200/Kconfig:1: symbol DRM_TVE200 depends on CMA For a resolution refer to Documentation/kbuild/kconfig-language.txt subsection "Kconfig recursive dependency limitations" mm/Kconfig:489: symbol CMA is selected by DRM_ETNAVIV For a resolution refer to Documentation/kbuild/kconfig-language.txt subsection "Kconfig recursive dependency limitations" drivers/gpu/drm/etnaviv/Kconfig:2: symbol DRM_ETNAVIV depends on THERMAL For a resolution refer to Documentation/kbuild/kconfig-language.txt subsection "Kconfig recursive dependency limitations" drivers/thermal/Kconfig:5: symbol THERMAL is selected by ACPI_VIDEO For a resolution refer to Documentation/kbuild/kconfig-language.txt subsection "Kconfig recursive dependency limitations" drivers/acpi/Kconfig:189: symbol ACPI_VIDEO is selected by BACKLIGHT_CLASS_DEVICE For a resolution refer to Documentation/kbuild/kconfig-language.txt subsection "Kconfig recursive dependency limitations" drivers/video/backlight/Kconfig:158:symbol BACKLIGHT_CLASS_DEVICE is selected by DRM_PARADE_PS8622 For a resolution refer to Documentation/kbuild/kconfig-language.txt 
subsection "Kconfig recursive dependency limitations" drivers/gpu/drm/bridge/Kconfig:62: symbol DRM_PARADE_PS8622 depends on DRM_BRIDGE For a resolution refer to Documentation/kbuild/kconfig-language.txt subsection "Kconfig recursive dependency limitations" drivers/gpu/drm/bridge/Kconfig:1: symbol DRM_BRIDGE is selected by DRM_TVE200 To work around this, add a new option DRM_ETNAVIV_THERMAL to optionally enable thermal throttling support and make DRM_ETNAVIV select THERMAL at the same time. Reported-by: Stephen Rothwell Signed-off-by: Philipp Zabel Signed-off-by: Lucas Stach Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/gpu/drm/etnaviv/Kconfig |9 + drivers/gpu/drm/etnaviv/etnaviv_gpu.c |8 +--- 2 files changed, 14 insertions(+), 3 deletions(-) --- a/drivers/gpu/drm/etnaviv/Kconfig +++ b/drivers/gpu/drm/etnaviv/Kconfig @@ -6,6 +6,7 @@ config DRM_ETNAVIV depends on MMU select SHMEM select SYNC_FILE + select THERMAL if DRM_ETNAVIV_THERMAL select TMPFS select IOMMU_API select IOMMU_SUPPORT @@ -15,6 +16,14 @@ config DRM_ETNAVIV help DRM driver for Vivante GPUs. +config DRM_ETNAVIV_THERMAL + bool "enable ETNAVIV thermal throttling" + depends on DRM_ETNAVIV + default y + help + Compile in support for thermal throttling. + Say Y unless you want to risk burning your SoC. + config DRM_ETNAVIV_REGISTER_LOGGING bool "enable ETNAVIV register logging" depends on DRM_ETNAVIV --- a/drivers/gpu/drm/etnaviv/etnaviv_gpu.c +++ b/drivers/gpu/drm/etnaviv/etnaviv_gpu.c @@ -1622,7 +1622,7 @@ static int etnaviv_gpu_bind(struct devic struct etnaviv_gpu *gpu = dev_get_drvdata(dev); int ret; - if (IS_ENABLED(CONFIG_THERMAL)) { + if (IS_ENABLED(CONFIG_DRM_ETNAVIV_THERMAL)) { gpu->cooling = thermal_of_cooling_device_register(dev->of_node, (char *)dev_name(dev), gpu, _ops); if (IS_ERR(gpu->cooling)) 
@@ -1635,7 +1635,8 @@ static int etnaviv_gpu_bind(struct devic ret = etnaviv_gpu_clk_enable(gpu); #endif if (ret < 0) { - thermal_cooling_device_unregister(gpu->cooling); + if (IS_ENABLED(CONFIG_DRM_ETNAVIV_THERMAL)) + thermal_cooling_device_unregister(gpu->cooling); return ret; } @@ -1692,7 +1693,8 @@ static void etnaviv_gpu_unbind(struct de gpu->drm = NULL; - thermal_cooling_device_unregister(gpu->cooling); + if
Re: [PATCH][next] crypto: x86/des3_ede: make array des3_ede_skciphers static
On Mon, Mar 05, 2018 at 02:18:00PM +0100, Colin King wrote: > From: Colin Ian King> > The array des3_ede_skciphers is local to the source and does not need > to be in global scope, so make it static. > > Cleans up sparse warning: > arch/x86/crypto/des3_ede_glue.c:407:21: warning: symbol > 'des3_ede_skciphers' was not declared. Should it be static? > > Signed-off-by: Colin Ian King This patch no longer applies because it's already been merged from someone else. Thanks, -- Email: Herbert Xu Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
[PATCH 4.14 009/109] xhci: Fix front USB ports on ASUS PRIME B350M-A
4.14-stable review patch. If anyone has any objections, please let me know. -- From: Kai-Heng Fengcommit 191edc5e2e515aab1075a3f0ef23599e80be5f59 upstream. When a USB device gets plugged on ASUS PRIME B350M-A's front ports, the xHC stops working: [ 549.114587] xhci_hcd :02:00.0: WARN: xHC CMD_RUN timeout [ 549.114608] suspend_common(): xhci_pci_suspend+0x0/0xc0 returns -110 [ 549.114638] xhci_hcd :02:00.0: can't suspend (hcd_pci_runtime_suspend returned -110) Delay before running xHC command CMD_RUN can workaround the issue. Use a new quirk to make the delay only targets to the affected xHC. Signed-off-by: Kai-Heng Feng Signed-off-by: Mathias Nyman Cc: stable Signed-off-by: Greg Kroah-Hartman --- drivers/usb/host/xhci-pci.c |3 +++ drivers/usb/host/xhci.c |3 +++ drivers/usb/host/xhci.h |1 + 3 files changed, 7 insertions(+) --- a/drivers/usb/host/xhci-pci.c +++ b/drivers/usb/host/xhci-pci.c @@ -134,6 +134,9 @@ static void xhci_pci_quirks(struct devic if (pdev->vendor == PCI_VENDOR_ID_AMD && usb_amd_find_chipset_info()) xhci->quirks |= XHCI_AMD_PLL_FIX; + if (pdev->vendor == PCI_VENDOR_ID_AMD && pdev->device == 0x43bb) + xhci->quirks |= XHCI_SUSPEND_DELAY; + if (pdev->vendor == PCI_VENDOR_ID_AMD) xhci->quirks |= XHCI_TRUST_TX_LENGTH; --- a/drivers/usb/host/xhci.c +++ b/drivers/usb/host/xhci.c @@ -887,6 +887,9 @@ int xhci_suspend(struct xhci_hcd *xhci, clear_bit(HCD_FLAG_POLL_RH, >shared_hcd->flags); del_timer_sync(>shared_hcd->rh_timer); + if (xhci->quirks & XHCI_SUSPEND_DELAY) + usleep_range(1000, 1500); + spin_lock_irq(>lock); clear_bit(HCD_FLAG_HW_ACCESSIBLE, >flags); clear_bit(HCD_FLAG_HW_ACCESSIBLE, >shared_hcd->flags); --- a/drivers/usb/host/xhci.h +++ b/drivers/usb/host/xhci.h @@ -1830,6 +1830,7 @@ struct xhci_hcd { #define XHCI_LIMIT_ENDPOINT_INTERVAL_7 (1 << 26) /* Reserved. It was XHCI_U2_DISABLE_WAKE */ #define XHCI_ASMEDIA_MODIFY_FLOWCONTROL(1 << 28) +#define XHCI_SUSPEND_DELAY (1 << 30) unsigned intnum_active_eps; unsigned intlimit_active_eps;
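Review bot: the usleep_range(1000, 1500) added to xhci_suspend() has no comment, and the controller it targets is matched in xhci_pci_quirks() by the bare literal 0x43bb. Add a comment at the delay saying why the controller needs it before CMD_RUN is cleared and how the range was chosen, and give the device ID a named define so the quirk line documents which part it covers.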
Re: [PATCH v2 00/36] remove in-kernel syscall invocations (part 1)
On Fri, Mar 16, 2018 at 7:20 AM, Al Viro wrote: > On Fri, Mar 16, 2018 at 01:54:23AM -0700, Christoph Hellwig wrote: >> >> A lot of the issues here is that the initramfs / do_mount code >> is written as if it was user space code, but in kernel space. E.g. >> using file descriptors etc. Yeah, some of it could probably pass a 'struct filp *' around instead. So there are definitely things we could do once we no longer use the raw system calls anyway. > ... and I still wonder if it would make more sense to kick that crap > out into userland. Oh, no, let's not do that. Even if we were to still maintain control of user space, it would mean yet another nasty special case for the compiler and linker scripts and for our initrd generation. And if we were to spin it out entirely (aka udevd and friends), it would become one of those nasty situations where there's some *very* odd code that we need to keep compatibility with because you might run a new kernel and some old "pre-init user code" stuff. I'd much rather just make it look more like kernel code. And maybe remove some code entirely. Christ, we still have the logic in there to change *floppies* if the ramdisk doesn't fit on a single floppy disk. Does it work? Probably not, since presumably it hasn't been used in ages. But it's still there. So some of the ioctl's etc are due to insanely old legacy cases. Linus
[PATCH 4.14 015/109] staging: android: ashmem: Fix lockdep issue during llseek
4.14-stable review patch. If anyone has any objections, please let me know. -- From: Joel Fernandes commit cb57469c9573f6018cd1302953dd45d6e05aba7b upstream. ashmem_mutex creates a chain of dependencies like so: (1) mmap syscall -> mmap_sem -> (acquired) ashmem_mmap ashmem_mutex (try to acquire) (block) (2) llseek syscall -> ashmem_llseek -> ashmem_mutex -> (acquired) inode_lock -> inode->i_rwsem (try to acquire) (block) (3) getdents -> iterate_dir -> inode_lock -> inode->i_rwsem (acquired) copy_to_user -> mmap_sem (try to acquire) There is a lock ordering created between mmap_sem and inode->i_rwsem causing a lockdep splat [2] during a syzkaller test, this patch fixes the issue by unlocking the mutex earlier. Functionally that's OK since we don't need to protect vfs_llseek. [1] https://patchwork.kernel.org/patch/10185031/ [2] https://lkml.org/lkml/2018/1/10/48 Acked-by: Todd Kjos Cc: Arve Hjonnevag Cc: sta...@vger.kernel.org Reported-by: syzbot+8ec30bb7bf1a981a2...@syzkaller.appspotmail.com Signed-off-by: Joel Fernandes Acked-by: Greg Hackmann Signed-off-by: Greg Kroah-Hartman --- drivers/staging/android/ashmem.c | 15 +++ 1 file changed, 7 insertions(+), 8 deletions(-) --- a/drivers/staging/android/ashmem.c +++ b/drivers/staging/android/ashmem.c @@ -334,24 +334,23 @@ static loff_t ashmem_llseek(struct file mutex_lock(_mutex); if (asma->size == 0) { - ret = -EINVAL; - goto out; + mutex_unlock(_mutex); + return -EINVAL; } if (!asma->file) { - ret = -EBADF; - goto out; + mutex_unlock(_mutex); + return -EBADF; } + mutex_unlock(_mutex); + ret = vfs_llseek(asma->file, offset, origin); if (ret < 0) - goto out; + return ret; /** Copy f_pos from backing file, since f_ops->llseek() sets it */ file->f_pos = asma->file->f_pos; - -out: - mutex_unlock(_mutex); return ret; }
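Review bot: after the early mutex_unlock() in ashmem_llseek(), asma->file is dereferenced twice without the lock, once in the vfs_llseek() call and once when f_pos is copied back. The commit message only says that vfs_llseek() itself needs no protection; add a comment stating why asma->file cannot change or go away once the !asma->file test has passed, or take a reference to the file while the mutex is still held.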
[PATCH 4.14 017/109] usbip: vudc: fix null pointer dereference on udc->lock
4.14-stable review patch. If anyone has any objections, please let me know. -- From: Colin Ian Kingcommit df3334c223a033f562645712e832ca4cbb326bbf upstream. Currently the driver attempts to spin lock on udc->lock before a NULL pointer check is performed on udc, hence there is a potential null pointer dereference on udc->lock. Fix this by moving the null check on udc before the lock occurs. Fixes: ea6873a45a22 ("usbip: vudc: Add SysFS infrastructure for VUDC") Signed-off-by: Colin Ian King Acked-by: Shuah Khan Reviewed-by: Krzysztof Opasiak Cc: stable Signed-off-by: Greg Kroah-Hartman --- drivers/usb/usbip/vudc_sysfs.c |8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) --- a/drivers/usb/usbip/vudc_sysfs.c +++ b/drivers/usb/usbip/vudc_sysfs.c @@ -117,10 +117,14 @@ static ssize_t store_sockfd(struct devic if (rv != 0) return -EINVAL; + if (!udc) { + dev_err(dev, "no device"); + return -ENODEV; + } spin_lock_irqsave(>lock, flags); /* Don't export what we don't have */ - if (!udc || !udc->driver || !udc->pullup) { - dev_err(dev, "no device or gadget not bound"); + if (!udc->driver || !udc->pullup) { + dev_err(dev, "gadget not bound"); ret = -ENODEV; goto unlock; }
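Review bot: the new if (!udc) test in store_sockfd() runs only after the rv != 0 check, and the commit message calls the dereference "potential" without saying how udc can be NULL when this sysfs store is reached. If the driver data is always set before the attribute becomes visible, the test can simply be dropped rather than moved; if not, name the path in the commit message or in a comment above the test.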
[PATCH 4.14 016/109] USB: storage: Add JMicron bridge 152d:2567 to unusual_devs.h
4.14-stable review patch. If anyone has any objections, please let me know. -- From: Teijo Kinnunencommit 5126a504b63d82785eaece3a9c30c660b313785a upstream. This USB-SATA controller seems to be similar with JMicron bridge 152d:2566 already on the list. Adding it here fixes "Invalid field in cdb" errors. Signed-off-by: Teijo Kinnunen Cc: sta...@vger.kernel.org Acked-by: Alan Stern Signed-off-by: Greg Kroah-Hartman --- drivers/usb/storage/unusual_devs.h |7 +++ 1 file changed, 7 insertions(+) --- a/drivers/usb/storage/unusual_devs.h +++ b/drivers/usb/storage/unusual_devs.h @@ -2137,6 +2137,13 @@ UNUSUAL_DEV( 0x152d, 0x2566, 0x0114, 0x USB_SC_DEVICE, USB_PR_DEVICE, NULL, US_FL_BROKEN_FUA ), +/* Reported by Teijo Kinnunen */ +UNUSUAL_DEV( 0x152d, 0x2567, 0x0117, 0x0117, + "JMicron", + "USB to ATA/ATAPI Bridge", + USB_SC_DEVICE, USB_PR_DEVICE, NULL, + US_FL_BROKEN_FUA ), + /* Reported-by George Cherian */ UNUSUAL_DEV(0x152d, 0x9561, 0x, 0x, "JMicron",
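Review bot: the new UNUSUAL_DEV entry for 152d:2567 limits the quirk to the single bcdDevice revision 0x0117 (both range bounds are 0x0117), so a bridge with any other firmware revision will not get US_FL_BROKEN_FUA. If only that revision was tested, say so in the comment; otherwise widen the range. The "Reported by" comment also differs in form from the "Reported-by" used on the next entry.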
[PATCH 4.14 018/109] usb: quirks: add control message delay for 1b1c:1b20
4.14-stable review patch. If anyone has any objections, please let me know. -- From: Danilo Krummrich commit cb88a0588717ba6c756cb5972d75766b273a6817 upstream. Corsair Strafe RGB keyboard does not respond to usb control messages sometimes and hence generates timeouts. Commit de3af5bf259d ("usb: quirks: add delay init quirk for Corsair Strafe RGB keyboard") tried to fix those timeouts by adding USB_QUIRK_DELAY_INIT. Unfortunately, even with this quirk timeouts of usb_control_msg() can still be seen, but with a lower frequency (approx. 1 out of 15): [ 29.103520] usb 1-8: string descriptor 0 read error: -110 [ 34.363097] usb 1-8: can't set config #1, error -110 Adding further delays to different locations where usb control messages are issued just moves the timeouts to other locations, e.g.: [ 35.400533] usbhid 1-8:1.0: can't add hid device: -110 [ 35.401014] usbhid: probe of 1-8:1.0 failed with error -110 The only way to reliably avoid those issues is having a pause after each usb control message. In approx. 200 boot cycles no more timeouts were seen. Additionally, keep USB_QUIRK_DELAY_INIT as it turned out to be necessary to have the delay in hub_port_connect() after hub_port_init(). The overall boot time seems not to be influenced by these additional delays, even on fast machines and lightweight distributions. Fixes: de3af5bf259d ("usb: quirks: add delay init quirk for Corsair Strafe RGB keyboard") Cc: sta...@vger.kernel.org Signed-off-by: Danilo Krummrich Signed-off-by: Greg Kroah-Hartman --- drivers/usb/core/message.c |4 drivers/usb/core/quirks.c |3 ++- include/linux/usb/quirks.h |3 +++ 3 files changed, 9 insertions(+), 1 deletion(-) --- a/drivers/usb/core/message.c +++ b/drivers/usb/core/message.c @@ -150,6 +150,10 @@ int usb_control_msg(struct usb_device *d ret = usb_internal_control_msg(dev, pipe, dr, data, size, timeout); + /* Linger a bit, prior to the next control message. */ + if (dev->quirks & USB_QUIRK_DELAY_CTRL_MSG) + msleep(200); + kfree(dr); return ret; 
--- a/drivers/usb/core/quirks.c +++ b/drivers/usb/core/quirks.c @@ -229,7 +229,8 @@ static const struct usb_device_id usb_qu { USB_DEVICE(0x1b1c, 0x1b13), .driver_info = USB_QUIRK_DELAY_INIT }, /* Corsair Strafe RGB */ - { USB_DEVICE(0x1b1c, 0x1b20), .driver_info = USB_QUIRK_DELAY_INIT }, + { USB_DEVICE(0x1b1c, 0x1b20), .driver_info = USB_QUIRK_DELAY_INIT | + USB_QUIRK_DELAY_CTRL_MSG }, /* Corsair K70 LUX */ { USB_DEVICE(0x1b1c, 0x1b36), .driver_info = USB_QUIRK_DELAY_INIT }, --- a/include/linux/usb/quirks.h +++ b/include/linux/usb/quirks.h @@ -57,4 +57,7 @@ */ #define USB_QUIRK_LINEAR_FRAME_INTR_BINTERVAL BIT(11) +/* Device needs a pause after every control message. */ +#define USB_QUIRK_DELAY_CTRL_MSG BIT(13) + #endif /* __LINUX_USB_QUIRKS_H */
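Review bot: in include/linux/usb/quirks.h the new USB_QUIRK_DELAY_CTRL_MSG is defined as BIT(13) directly after a BIT(11) quirk, leaving BIT(12) unused in this tree with no explanation. Add a comment that the value is kept identical to upstream, or the gap will look like a mistake to the next person adding a quirk. In usb_control_msg() the msleep(200) also runs when the transfer has just failed and uses a bare constant; a named define and a note on whether the pause is wanted on the error path would make the intent clear.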
Re: [PATCH v3] hugetlbfs: check for pgoff value overflow
On Fri 16-03-18 09:19:07, Mike Kravetz wrote: > On 03/16/2018 03:17 AM, Michal Hocko wrote: > > On Thu 08-03-18 16:27:26, Mike Kravetz wrote: > > > > OK, looks good to me. Hairy but seems to be the easiest way around this. > > Acked-by: Michal Hocko> > > > >> +/* > >> + * Mask used when checking the page offset value passed in via system > >> + * calls. This value will be converted to a loff_t which is signed. > >> + * Therefore, we want to check the upper PAGE_SHIFT + 1 bits of the > >> + * value. The extra bit (- 1 in the shift value) is to take the sign > >> + * bit into account. > >> + */ > >> +#define PGOFF_LOFFT_MAX (PAGE_MASK << (BITS_PER_LONG - (2 * PAGE_SHIFT) - > >> 1)) > > Thanks Michal, > > However, kbuild found a problem with this definition on certain configs. > Consider a config where, > BITS_PER_LONG = 32 (32bit config) > PAGE_SHIFT = 16 (64K pages) > This results in the negative shift value. > Not something I would not immediately think of, but a valid config. Well, 64K pages on 32b doesn't sound even remotely sane to me but whatever. > The definition has been changed to, > #define PGOFF_LOFFT_MAX \ > (((1UL << (PAGE_SHIFT + 1)) - 1) << (BITS_PER_LONG - (PAGE_SHIFT + 1))) > > as discussed here, > http://lkml.kernel.org/r/432fb2a3-b729-9c3a-7d60-890b8f9b1...@oracle.com This looks more wild but seems correct as well. You can keep my acked-by. Thanks! -- Michal Hocko SUSE Labs
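The two PGOFF_LOFFT_MAX definitions quoted in the message above, evaluated for several BITS_PER_LONG / PAGE_SHIFT pairs; this is an added example, not code from the patch or from anyone in the thread. The helper names, the explicit word-width parameter (used to emulate a 32-bit unsigned long on any host) and the `pgoff & mask` rejection test are assumptions made for illustration.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* All-ones value of an emulated 'unsigned long' that is 'bits' wide. */
static uint64_t word_mask(int bits)
{
	return bits == 64 ? UINT64_MAX : (UINT64_C(1) << bits) - 1;
}

/* Shift count of the first definition:
 *   PAGE_MASK << (BITS_PER_LONG - (2 * PAGE_SHIFT) - 1)
 */
int old_shift(int bits, int page_shift)
{
	return bits - (2 * page_shift) - 1;
}

/* First definition. Returns -1 instead of shifting when the count is
 * negative, which is undefined behaviour in C (the kbuild report). */
int pgoff_mask_old(int bits, int page_shift, uint64_t *mask)
{
	int shift = old_shift(bits, page_shift);
	uint64_t page_mask;

	if (shift < 0)
		return -1;
	page_mask = ~((UINT64_C(1) << page_shift) - 1) & word_mask(bits);
	*mask = (page_mask << shift) & word_mask(bits);
	return 0;
}

/* Revised definition:
 *   ((1UL << (PAGE_SHIFT + 1)) - 1) << (BITS_PER_LONG - (PAGE_SHIFT + 1))
 * Precondition: page_shift + 1 <= bits, so the count is never negative. */
uint64_t pgoff_mask_new(int bits, int page_shift)
{
	uint64_t ones = (UINT64_C(1) << (page_shift + 1)) - 1;

	return (ones << (bits - (page_shift + 1))) & word_mask(bits);
}

/* Assumed use of the mask: a page offset is rejected when any of its
 * upper PAGE_SHIFT + 1 bits is set, because pgoff << PAGE_SHIFT would
 * then not fit in a signed offset of the same width. */
int pgoff_rejected(int bits, int page_shift, uint64_t pgoff)
{
	return (pgoff & pgoff_mask_new(bits, page_shift)) != 0;
}

int main(void)
{
	/* Constructed sample configurations; the last is the kbuild case. */
	static const struct { int bits, page_shift; } cfg[] = {
		{ 64, 12 }, { 64, 16 }, { 32, 12 }, { 32, 16 },
	};
	size_t i;

	for (i = 0; i < sizeof(cfg) / sizeof(cfg[0]); i++) {
		uint64_t old = 0;
		int ok = pgoff_mask_old(cfg[i].bits, cfg[i].page_shift, &old);

		printf("BITS_PER_LONG=%d PAGE_SHIFT=%d old shift=%d ",
		       cfg[i].bits, cfg[i].page_shift,
		       old_shift(cfg[i].bits, cfg[i].page_shift));
		if (ok == 0)
			printf("old=0x%" PRIx64 " ", old);
		else
			printf("old=<negative shift> ");
		printf("new=0x%" PRIx64 "\n",
		       pgoff_mask_new(cfg[i].bits, cfg[i].page_shift));
	}
	return 0;
}
```

Wherever the first definition is valid, both definitions select the same upper PAGE_SHIFT + 1 bits; only the revised one stays defined for 64K pages on a 32-bit build.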
Re: [PATCH] security: Fix IMA Kconfig for dependencies on ARM64
On Thu, 2018-03-15 at 10:29 -0700, James Bottomley wrote: > On Thu, 2018-03-15 at 13:14 -0400, Mimi Zohar wrote: > > On Thu, 2018-03-15 at 10:08 -0700, James Bottomley wrote: > > > > > > On Thu, 2018-03-15 at 12:19 -0400, Mimi Zohar wrote: > > > > > > > > > > > > > If EFI is extending the TPM, will the events be added to the TPM > > > > event log or to the IMA measurement list? > > > > > > I'm not proposing any changes to the tpm_pcr_extend API. At the > > > moment it does an extend without logging, so that's what it will do > > > in the EFI driver case as well. That means logging is still the > > > responsibility of the caller. > > > > Does EFI support extending multiple TPM banks? > > The specs are here: > > https://trustedcomputinggroup.org/tcg-efi-protocol-specification/ > > As I said, I'm not planning to change the tpm_pcr_.. API. At the > moment for a TPM2 we extend all banks in the tpm_pcr_extend() API, so > that's what we'll continue to do ... including extending the sha256 > banks with the sha1 hash, which seems to be our current practice. Thanks, what you're planning on doing is a lot clearer now. Mimi
Re: [PATCH v3 2/2] media: ov2680: Add Omnivision OV2680 sensor driver
Hi Sakari, On Fri 16 Mar 2018 at 16:10, Sakari Ailus wrote: On Thu, Mar 15, 2018 at 09:29:33AM +, Rui Miguel Silva wrote: Hi, On Wed 14 Mar 2018 at 19:39, kbuild test robot wrote: > Hi Rui, > > I love your patch! Yet something to improve: > > [auto build test ERROR on v4.16-rc4] > [cannot apply to next-20180314] > [if your patch is applied to the wrong git tree, please drop > us a note > to help improve the system] > > url: > https://github.com/0day-ci/linux/commits/Rui-Miguel-Silva/media-Introduce-Omnivision-OV2680-driver/20180315-020617 > config: sh-allmodconfig (attached as .config) > compiler: sh4-linux-gnu-gcc (Debian 7.2.0-11) 7.2.0 > reproduce: > wget > https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross > -O ~/bin/make.cross > chmod +x ~/bin/make.cross > # save the attached .config to linux build tree > make.cross ARCH=sh > > All errors (new ones prefixed by >>): > >drivers/media/i2c/ov2680.c: In function 'ov2680_set_fmt': > > > drivers/media/i2c/ov2680.c:713:9: error: implicit > > > declaration of > > > function 'v4l2_find_nearest_size'; did you mean > > > 'v4l2_find_nearest_format'? > > > [-Werror=implicit-function-declaration] > mode = v4l2_find_nearest_size(ov2680_mode_data, > ^~ > v4l2_find_nearest_format As requested by maintainer this series depend on this patch [0], which introduce this macro. I am not sure of the status of that patch though. No need to worry about that, the sensor driver will just be merged after the dependencies are in. Mauro said he'd handle the pull request early next week. Great, Many thanks for everything. --- Cheers, Rui
Re: uprobes misses breakpoint insertion into VM_WRITE mappings
On 03/15, Mathieu Desnoyers wrote:
>
> Hi,
>
> Erica has been working on extending test-cases for uprobes, and found
> something unexpected:
>
> Since commit e40cfce626a5 "uprobes: Restrict valid_vma(false) to skip
> VM_SHARED vmas"
> uprobes does not insert breakpoints into mappings mprotect'd as writeable.

Not really, VM_WRITE was illegal from the very beginning, this commit only affects the "is_register == false" case.

> This issue can be reproduced by compiling a library without PIC (not using
> GOT),
> and then concurrently:
>
> A) Load the library (dynamic loader mprotect the code as writeable to do
>    the relocations, and then mprotect as executable),
>
> B) Enable a uprobe through perf.
>
> (it is a race window between the two mprotect syscalls)
>
> It appears that the following restriction in valid_vma() is responsible
> for this behavior:
>
> if (is_register)
> flags |= VM_WRITE;
>
> I don't figure a clear explanation for this flag based on the function
> comment nor the commit changelog. Any idea on whether this is really
> needed ?

Because we do not want to modify the writable area. If nothing else, this can break the application which writes to the page we are going to replace.

> Note that on uprobes unregister, it allows removing a breakpoint event
> on a writeable mapping,

Yes. Because a probed application can do mprotect() after the kernel installs the breakpoint. And we have to remove this breakpoint in any case, even if this is unsafe too.

Oleg.
[PATCH 4.9 47/86] watchdog: hpwdt: SMBIOS check
4.9-stable review patch. If anyone has any objections, please let me know.

--

From: Jerry Hoemann

commit c42cbe41727a138905a28f8e0b00c147be77ee93 upstream.

This corrects: commit cce78da76601 ("watchdog: hpwdt: Add check for UEFI bits")

The test on HPE SMBIOS extension type 219 record "Misc Features" bits for UEFI support is incorrect. The definition of the Misc Features bits in the HPE SMBIOS OEM Extensions specification (and related firmware) was changed to use a different pair of bits to represent UEFI supported. However, a corresponding change to Linux was missed.

Current code/platform work because the iCRU test is working. But purpose of cce78da766 is to ensure correct functionality on future systems where iCRU isn't supported.

Signed-off-by: Jerry Hoemann
Reviewed-by: Guenter Roeck
Signed-off-by: Guenter Roeck
Signed-off-by: Wim Van Sebroeck
Signed-off-by: Greg Kroah-Hartman

--- drivers/watchdog/hpwdt.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/watchdog/hpwdt.c +++ b/drivers/watchdog/hpwdt.c @@ -700,7 +700,7 @@ static void dmi_find_icru(const struct d smbios_proliant_ptr = (struct smbios_proliant_info *) dm; if (smbios_proliant_ptr->misc_features & 0x01) is_icru = 1; - if (smbios_proliant_ptr->misc_features & 0x408) + if (smbios_proliant_ptr->misc_features & 0x1400) is_uefi = 1; } }
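Review bot: the new test misc_features & 0x1400 in dmi_find_icru() is true when either of the two bits is set, while the changelog speaks of a pair of bits representing UEFI support. If both bits have to be set, the test needs (misc_features & 0x1400) == 0x1400; if either one is enough, a short comment saying so would help. Named constants for 0x01 and 0x1400 would also make the next change to the HPE bit layout harder to miss.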
[PATCH 4.9 51/86] ARM: omap2: hide omap3_save_secure_ram on non-OMAP3 builds
4.9-stable review patch. If anyone has any objections, please let me know.

--

From: Arnd Bergmann

commit 863204cfdae98626a92535ac928ad79f4d6b74ff upstream.

In configurations without CONFIG_OMAP3 but with secure RAM support, we now run into a link failure:

arch/arm/mach-omap2/omap-secure.o: In function `omap3_save_secure_ram':
omap-secure.c:(.text+0x130): undefined reference to `save_secure_ram_context'

The omap3_save_secure_ram() function is only called from the OMAP34xx power management code, so we can simply hide that function in the appropriate #ifdef.

Fixes: d09220a887f7 ("ARM: OMAP2+: Fix SRAM virt to phys translation for save_secure_ram_context")
Acked-by: Tony Lindgren
Tested-by: Dan Murphy
Signed-off-by: Arnd Bergmann
Signed-off-by: Greg Kroah-Hartman

--- arch/arm/mach-omap2/omap-secure.c |2 ++ 1 file changed, 2 insertions(+) --- a/arch/arm/mach-omap2/omap-secure.c +++ b/arch/arm/mach-omap2/omap-secure.c @@ -73,6 +73,7 @@ phys_addr_t omap_secure_ram_mempool_base return omap_secure_memblock_base; } +#if defined(CONFIG_ARCH_OMAP3) && defined(CONFIG_PM) u32 omap3_save_secure_ram(void __iomem *addr, int size) { u32 ret; @@ -91,6 +92,7 @@ u32 omap3_save_secure_ram(void __iomem * return ret; } +#endif /** * rx51_secure_dispatcher: Routine to dispatch secure PPA API calls
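Review bot: the guard added around omap3_save_secure_ram() tests CONFIG_ARCH_OMAP3 and CONFIG_PM, but the changelog names CONFIG_OMAP3 and does not mention CONFIG_PM at all. The changelog should match the condition, and the prototype and every caller should sit under the same condition so that a stray caller fails at compile time rather than at link time. A comment on the #endif naming the condition would help as well.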
[PATCH 4.9 80/86] usb: quirks: add control message delay for 1b1c:1b20
4.9-stable review patch. If anyone has any objections, please let me know.

--

From: Danilo Krummrich

commit cb88a0588717ba6c756cb5972d75766b273a6817 upstream.

Corsair Strafe RGB keyboard does not respond to usb control messages sometimes and hence generates timeouts.

Commit de3af5bf259d ("usb: quirks: add delay init quirk for Corsair Strafe RGB keyboard") tried to fix those timeouts by adding USB_QUIRK_DELAY_INIT.

Unfortunately, even with this quirk timeouts of usb_control_msg() can still be seen, but with a lower frequency (approx. 1 out of 15):

[ 29.103520] usb 1-8: string descriptor 0 read error: -110
[ 34.363097] usb 1-8: can't set config #1, error -110

Adding further delays to different locations where usb control messages are issued just moves the timeouts to other locations, e.g.:

[ 35.400533] usbhid 1-8:1.0: can't add hid device: -110
[ 35.401014] usbhid: probe of 1-8:1.0 failed with error -110

The only way to reliably avoid those issues is having a pause after each usb control message. In approx. 200 boot cycles no more timeouts were seen.

Additionally, keep USB_QUIRK_DELAY_INIT as it turned out to be necessary to have the delay in hub_port_connect() after hub_port_init().

The overall boot time seems not to be influenced by these additional delays, even on fast machines and lightweight distributions.

Fixes: de3af5bf259d ("usb: quirks: add delay init quirk for Corsair Strafe RGB keyboard")
Cc: sta...@vger.kernel.org
Signed-off-by: Danilo Krummrich
Signed-off-by: Greg Kroah-Hartman

--- drivers/usb/core/message.c |4 drivers/usb/core/quirks.c |3 ++- include/linux/usb/quirks.h |3 +++ 3 files changed, 9 insertions(+), 1 deletion(-) --- a/drivers/usb/core/message.c +++ b/drivers/usb/core/message.c @@ -148,6 +148,10 @@ int usb_control_msg(struct usb_device *d ret = usb_internal_control_msg(dev, pipe, dr, data, size, timeout); + /* Linger a bit, prior to the next control message. */ + if (dev->quirks & USB_QUIRK_DELAY_CTRL_MSG) + msleep(200); + kfree(dr); return ret;
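Review bot: in the usb_control_msg() hunk the msleep(200) sits between usb_internal_control_msg() and kfree(dr), so the setup packet stays allocated for the whole delay and the sleep also runs when the transfer returned an error. Moving kfree(dr) above the quirk check costs nothing, and the bare 200 would read better as a named constant carrying its unit, since the changelog gives no derivation for the value.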
--- a/drivers/usb/core/quirks.c +++ b/drivers/usb/core/quirks.c @@ -229,7 +229,8 @@ static const struct usb_device_id usb_qu { USB_DEVICE(0x1b1c, 0x1b13), .driver_info = USB_QUIRK_DELAY_INIT }, /* Corsair Strafe RGB */ - { USB_DEVICE(0x1b1c, 0x1b20), .driver_info = USB_QUIRK_DELAY_INIT }, + { USB_DEVICE(0x1b1c, 0x1b20), .driver_info = USB_QUIRK_DELAY_INIT | + USB_QUIRK_DELAY_CTRL_MSG }, /* Corsair K70 LUX */ { USB_DEVICE(0x1b1c, 0x1b36), .driver_info = USB_QUIRK_DELAY_INIT }, --- a/include/linux/usb/quirks.h +++ b/include/linux/usb/quirks.h @@ -56,4 +56,7 @@ */ #define USB_QUIRK_LINEAR_FRAME_INTR_BINTERVAL BIT(11) +/* Device needs a pause after every control message. */ +#define USB_QUIRK_DELAY_CTRL_MSG BIT(13) + #endif /* __LINUX_USB_QUIRKS_H */
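Review bot: the comment added in include/linux/usb/quirks.h, "Device needs a pause after every control message.", does not say how long the pause is or where it is applied. The length is hard-coded as msleep(200) in the usb_control_msg() hunk of this patch; naming that in the comment would let someone adding the quirk to another table entry judge the cost without reading message.c.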
[PATCH 4.9 79/86] usbip: vudc: fix null pointer dereference on udc->lock
4.9-stable review patch. If anyone has any objections, please let me know.

--

From: Colin Ian King

commit df3334c223a033f562645712e832ca4cbb326bbf upstream.

Currently the driver attempts to spin lock on udc->lock before a NULL pointer check is performed on udc, hence there is a potential null pointer dereference on udc->lock. Fix this by moving the null check on udc before the lock occurs.

Fixes: ea6873a45a22 ("usbip: vudc: Add SysFS infrastructure for VUDC")
Signed-off-by: Colin Ian King
Acked-by: Shuah Khan
Reviewed-by: Krzysztof Opasiak
Cc: stable
Signed-off-by: Greg Kroah-Hartman

--- drivers/usb/usbip/vudc_sysfs.c |8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) --- a/drivers/usb/usbip/vudc_sysfs.c +++ b/drivers/usb/usbip/vudc_sysfs.c @@ -117,10 +117,14 @@ static ssize_t store_sockfd(struct devic if (rv != 0) return -EINVAL; + if (!udc) { + dev_err(dev, "no device"); + return -ENODEV; + } spin_lock_irqsave(>lock, flags); /* Don't export what we don't have */ - if (!udc || !udc->driver || !udc->pullup) { - dev_err(dev, "no device or gadget not bound"); + if (!udc->driver || !udc->pullup) { + dev_err(dev, "gadget not bound"); ret = -ENODEV; goto unlock; }
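Review bot: both dev_err() strings in the store_sockfd() hunk, "no device" and "gadget not bound", lack a trailing \n, so the messages can run into the next log line. The early return for !udc sits before spin_lock_irqsave(), the same way the preceding rv check returns, so it has no lock to release; a one-line comment there would keep it from being folded back under the lock later.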
[PATCH 4.9 77/86] staging: android: ashmem: Fix lockdep issue during llseek
4.9-stable review patch. If anyone has any objections, please let me know.

--

From: Joel Fernandes

commit cb57469c9573f6018cd1302953dd45d6e05aba7b upstream.

ashmem_mutex create a chain of dependencies like so:

(1) mmap syscall -> mmap_sem -> (acquired) ashmem_mmap ashmem_mutex (try to acquire) (block)

(2) llseek syscall -> ashmem_llseek -> ashmem_mutex -> (acquired) inode_lock -> inode->i_rwsem (try to acquire) (block)

(3) getdents -> iterate_dir -> inode_lock -> inode->i_rwsem (acquired) copy_to_user -> mmap_sem (try to acquire)

There is a lock ordering created between mmap_sem and inode->i_rwsem causing a lockdep splat [2] during a syzkaller test, this patch fixes the issue by unlocking the mutex earlier. Functionally that's Ok since we don't need to protect vfs_llseek.

[1] https://patchwork.kernel.org/patch/10185031/
[2] https://lkml.org/lkml/2018/1/10/48

Acked-by: Todd Kjos
Cc: Arve Hjonnevag
Cc: sta...@vger.kernel.org
Reported-by: syzbot+8ec30bb7bf1a981a2...@syzkaller.appspotmail.com
Signed-off-by: Joel Fernandes
Acked-by: Greg Hackmann
Signed-off-by: Greg Kroah-Hartman

--- drivers/staging/android/ashmem.c | 15 +++ 1 file changed, 7 insertions(+), 8 deletions(-) --- a/drivers/staging/android/ashmem.c +++ b/drivers/staging/android/ashmem.c @@ -343,24 +343,23 @@ static loff_t ashmem_llseek(struct file mutex_lock(_mutex); if (asma->size == 0) { - ret = -EINVAL; - goto out; + mutex_unlock(_mutex); + return -EINVAL; } if (!asma->file) { - ret = -EBADF; - goto out; + mutex_unlock(_mutex); + return -EBADF; } + mutex_unlock(_mutex); + ret = vfs_llseek(asma->file, offset, origin); if (ret < 0) - goto out; + return ret; /** Copy f_pos from backing file, since f_ops->llseek() sets it */ file->f_pos = asma->file->f_pos; - -out: - mutex_unlock(_mutex); return ret; }
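Review bot: in ashmem_llseek() asma->file is now tested under ashmem_mutex but dereferenced after mutex_unlock(), both in vfs_llseek(asma->file, offset, origin) and in the f_pos copy. The changelog says vfs_llseek does not need the protection; that reasoning (why asma->file cannot change or go away once it is set) belongs in a comment at the unlock, so the next reader does not restore the lock. The "/**" opener on the "Copy f_pos" context line is kernel-doc syntax and should be a plain "/*".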
[PATCH 4.9 65/86] ubi: Fix race condition between ubi volume creation and udev
4.9-stable review patch. If anyone has any objections, please let me know.

--

From: Clay McClure

commit a51a0c8d213594bc094cb8e54aad0cb6d7f7b9a6 upstream.

Similar to commit 714fb87e8bc0 ("ubi: Fix race condition between ubi device creation and udev"), we should make the volume active before registering it.

Signed-off-by: Clay McClure
Cc:
Signed-off-by: Richard Weinberger
Signed-off-by: Greg Kroah-Hartman

--- drivers/mtd/ubi/vmt.c | 15 ++- 1 file changed, 10 insertions(+), 5 deletions(-) --- a/drivers/mtd/ubi/vmt.c +++ b/drivers/mtd/ubi/vmt.c @@ -265,6 +265,12 @@ int ubi_create_volume(struct ubi_device vol->last_eb_bytes = vol->usable_leb_size; } + /* Make volume "available" before it becomes accessible via sysfs */ + spin_lock(>volumes_lock); + ubi->volumes[vol_id] = vol; + ubi->vol_count += 1; + spin_unlock(>volumes_lock); + /* Register character device for the volume */ cdev_init(>cdev, _vol_cdev_operations); vol->cdev.owner = THIS_MODULE; @@ -304,11 +310,6 @@ int ubi_create_volume(struct ubi_device if (err) goto out_sysfs; - spin_lock(>volumes_lock); - ubi->volumes[vol_id] = vol; - ubi->vol_count += 1; - spin_unlock(>volumes_lock); - ubi_volume_notify(ubi, vol, UBI_VOLUME_ADDED); self_check_volumes(ubi); return err; @@ -328,6 +329,10 @@ out_sysfs: out_cdev: cdev_del(>cdev); out_mapping: + spin_lock(>volumes_lock); + ubi->volumes[vol_id] = NULL; + ubi->vol_count -= 1; + spin_unlock(>volumes_lock); if (do_free) ubi_eba_destroy_table(eba_tbl); out_acc:
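Review bot: the rollback that clears ubi->volumes[vol_id] and decrements vol_count is placed under out_mapping:, so an error path that jumps straight to out_acc after the volume has been published would leave the array pointing at a volume that is being torn down. From the first hunk the publish happens just before cdev_init(); every failure after that point has to go through out_mapping or an earlier label, and a comment next to the rollback should say so.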
[PATCH 4.9 67/86] NFS: Fix an incorrect type in struct nfs_direct_req
4.9-stable review patch. If anyone has any objections, please let me know.

--

From: Trond Myklebust

commit d9ee65539d3eabd9ade46cca1780e3309ad0f907 upstream.

The start offset needs to be of type loff_t.

Fixed: 5fadeb47dcc5c ("nfs: count DIO good bytes correctly with mirroring")
Cc: sta...@vger.kernel.org # v4.0+
Signed-off-by: Trond Myklebust
Signed-off-by: Greg Kroah-Hartman

--- fs/nfs/direct.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/fs/nfs/direct.c +++ b/fs/nfs/direct.c @@ -86,10 +86,10 @@ struct nfs_direct_req { struct nfs_direct_mirror mirrors[NFS_PAGEIO_DESCRIPTOR_MIRROR_MAX]; int mirror_count; + loff_t io_start; /* Start offset for I/O */ ssize_t count, /* bytes actually processed */ max_count, /* max expected count */ bytes_left, /* bytes left to be sent */ - io_start, /* start of IO */ error; /* any reported error */ struct completion completion; /* wait for i/o completion */
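Review bot: io_start moves out of the ssize_t declarator list in struct nfs_direct_req onto its own loff_t line, but the changelog only says the type "needs to be" loff_t and not what the narrower type broke (ssize_t is narrower than loff_t on 32-bit builds, so a start offset could be truncated there). One sentence on the visible symptom would help anyone deciding whether to backport. The trailer is also spelled "Fixed:" where the usual tag is "Fixes:".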
Re: [linux-sunxi] [PATCH v4 4/9] pinctrl: sunxi: add support for the Allwinner H6 main pin controller
Hi,

On 16/03/18 14:02, Icenowy Zheng wrote:
> The Allwinner H6 SoC has two pin controllers, one main controller
> (called CPUX-PORT in user manual) and one controller in CPUs power
> domain (called CPUS-PORT in user manual).
>
> This commit introduces support for the main pin controller on H6.
>
> The pin bank A and B are not wired out and hidden from the SoC's
> documents, however it's shown that the "ATE" (an AC200 chip
> co-packaged with the H6 die) is connected to the main SoC die via these
> pin banks. The information about these banks is just copied from the BSP
> pinctrl driver, but re-formatted to fit the mainline pinctrl driver
> format. The GPIO functions are dropped, as they're impossible to use --
> except a GPIO only pin (PB20) which might be the IRQ of ATE.
>
> Signed-off-by: Icenowy Zheng
> Acked-by: Rob Herring

As mentioned before, I checked every single pin against the manual and this looks correct to me.

Reviewed-by: Andre Przywara

Thanks!
Andre.
[PATCH -next 04/22] net: socket: add __sys_socket() helper; remove in-kernel call to syscall
Using the net-internal helper __sys_socket() allows us to avoid the internal calls to the sys_socket() syscall.

Cc: David S. Miller
Cc: net...@vger.kernel.org
Signed-off-by: Dominik Brodowski

--- include/linux/socket.h | 1 + net/compat.c | 2 +- net/socket.c | 9 +++-- 3 files changed, 9 insertions(+), 3 deletions(-) diff --git a/include/linux/socket.h b/include/linux/socket.h index 6a9840271676..f8d040434a13 100644 --- a/include/linux/socket.h +++ b/include/linux/socket.h @@ -363,5 +363,6 @@ extern int __sys_sendto(int fd, void __user *buff, size_t len, int addr_len); extern int __sys_accept4(int fd, struct sockaddr __user *upeer_sockaddr, int __user *upeer_addrlen, int flags); +extern int __sys_socket(int family, int type, int protocol); #endif /* _LINUX_SOCKET_H */ diff --git a/net/compat.c b/net/compat.c index 0ff9f7451b6f..5b3b74c5812e 100644 --- a/net/compat.c +++ b/net/compat.c @@ -811,7 +811,7 @@ COMPAT_SYSCALL_DEFINE2(socketcall, int, call, u32 __user *, args) switch (call) { case SYS_SOCKET: - ret = sys_socket(a0, a1, a[2]); + ret = __sys_socket(a0, a1, a[2]); break; case SYS_BIND: ret = sys_bind(a0, compat_ptr(a1), a[2]); diff --git a/net/socket.c b/net/socket.c index 45f6ea0d57a5..07f379e50def 100644 --- a/net/socket.c +++ b/net/socket.c @@ -1332,7 +1332,7 @@ int sock_create_kern(struct net *net, int family, int type, int protocol, struct } EXPORT_SYMBOL(sock_create_kern); -SYSCALL_DEFINE3(socket, int, family, int, type, int, protocol) +int __sys_socket(int family, int type, int protocol) { int retval; struct socket *sock; @@ -1359,6 +1359,11 @@ SYSCALL_DEFINE3(socket, int, family, int, type, int, protocol) return sock_map_fd(sock, flags & (O_CLOEXEC | O_NONBLOCK)); } +SYSCALL_DEFINE3(socket, int, family, int, type, int, protocol) +{ + return __sys_socket(family, type, protocol); +} + /* * Create a pair of connected sockets. */
@@ -2463,7 +2468,7 @@ SYSCALL_DEFINE2(socketcall, int, call, unsigned long __user *, args) switch (call) { case SYS_SOCKET: - err = sys_socket(a0, a1, a[2]); + err = __sys_socket(a0, a1, a[2]); break; case SYS_BIND: err = sys_bind(a0, (struct sockaddr __user *)a1, a[2]); -- 2.16.2
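Review bot: __sys_socket() gets an extern declaration in include/linux/socket.h but no comment at its definition in net/socket.c saying who may call it. Since the point of the change is that SYSCALL_DEFINE3(socket, ...) is no longer invoked from kernel code, a one-line comment on the helper (in-kernel entry point, same argument semantics as the syscall) would steer new callers to it instead of the syscall wrapper.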
[PATCH -next 09/22] net: socket: add __sys_getpeername() helper; remove in-kernel call to syscall
Using the net-internal helper __sys_getpeername() allows us to avoid the internal calls to the sys_getpeername() syscall.

Cc: David S. Miller
Cc: net...@vger.kernel.org
Signed-off-by: Dominik Brodowski

--- include/linux/socket.h | 2 ++ net/compat.c | 2 +- net/socket.c | 14 ++ 3 files changed, 13 insertions(+), 5 deletions(-) diff --git a/include/linux/socket.h b/include/linux/socket.h index ef0226a61b03..9ba003e92fea 100644 --- a/include/linux/socket.h +++ b/include/linux/socket.h @@ -370,5 +370,7 @@ extern int __sys_connect(int fd, struct sockaddr __user *uservaddr, extern int __sys_listen(int fd, int backlog); extern int __sys_getsockname(int fd, struct sockaddr __user *usockaddr, int __user *usockaddr_len); +extern int __sys_getpeername(int fd, struct sockaddr __user *usockaddr, +int __user *usockaddr_len); #endif /* _LINUX_SOCKET_H */ diff --git a/net/compat.c b/net/compat.c index efd28d02608c..74017f618eb1 100644 --- a/net/compat.c +++ b/net/compat.c @@ -829,7 +829,7 @@ COMPAT_SYSCALL_DEFINE2(socketcall, int, call, u32 __user *, args) ret = __sys_getsockname(a0, compat_ptr(a1), compat_ptr(a[2])); break; case SYS_GETPEERNAME: - ret = sys_getpeername(a0, compat_ptr(a1), compat_ptr(a[2])); + ret = __sys_getpeername(a0, compat_ptr(a1), compat_ptr(a[2])); break; case SYS_SOCKETPAIR: ret = sys_socketpair(a0, a1, a[2], compat_ptr(a[3])); diff --git a/net/socket.c b/net/socket.c index b61e0d20f37b..007fb9483279 100644 --- a/net/socket.c +++ b/net/socket.c @@ -1712,8 +1712,8 @@ SYSCALL_DEFINE3(getsockname, int, fd, struct sockaddr __user *, usockaddr, * name to user space. */ -SYSCALL_DEFINE3(getpeername, int, fd, struct sockaddr __user *, usockaddr, - int __user *, usockaddr_len) +int __sys_getpeername(int fd, struct sockaddr __user *usockaddr, + int __user *usockaddr_len) { struct socket *sock; struct sockaddr_storage address;
@@ -1738,6 +1738,12 @@ SYSCALL_DEFINE3(getpeername, int, fd, struct sockaddr __user *, usockaddr, return err; } +SYSCALL_DEFINE3(getpeername, int, fd, struct sockaddr __user *, usockaddr, + int __user *, usockaddr_len) +{ + return __sys_getpeername(fd, usockaddr, usockaddr_len); +} + /* * Send a datagram to a given address. We move the address into kernel * space and check the user space data area is readable before invoking @@ -2511,8 +2517,8 @@ SYSCALL_DEFINE2(socketcall, int, call, unsigned long __user *, args) break; case SYS_GETPEERNAME: err = - sys_getpeername(a0, (struct sockaddr __user *)a1, - (int __user *)a[2]); + __sys_getpeername(a0, (struct sockaddr __user *)a1, + (int __user *)a[2]); break; case SYS_SOCKETPAIR: err = sys_socketpair(a0, a1, a[2], (int __user *)a[3]); -- 2.16.2
[PATCH -next 00/22] remove in-kernel syscall invocations (part 2 == netdev)
Here is another series of patches which reduce the number of syscall invocations from within the kernel. This series is focused solely on the net/ part of the kernel and gets rid of syscall and compat_syscall invocations from within the kernel completely. It is also available at

https://git.kernel.org/pub/scm/linux/kernel/git/brodo/linux.git syscalls-net-next

The rationale of this change is described in patch 1 of part 1[*] as follows:

    The syscall entry points to the kernel defined by SYSCALL_DEFINEx() and COMPAT_SYSCALL_DEFINEx() should only be called from userspace through kernel entry points, but not from the kernel itself. This will allow cleanups and optimizations to the entry paths *and* to the parts of the kernel code which currently need to pretend to be userspace in order to make use of syscalls.

At present, these patches are based on v4.16-rc5; there is one trivial conflict against net-next. Dave, I presume that you prefer to take them through net-next? If you want to, I can re-base them against net-next. If you prefer otherwise, though, I can route them as part of my whole syscall series.

Thanks,
Dominik

[*] The cover letter for v2 is available at http://lkml.kernel.org/r/20180315190529.20943-1-li...@dominikbrodowski.net ; the whole patchset -- in its current, slightly modified form -- is available at https://git.kernel.org/pub/scm/linux/kernel/git/brodo/linux.git syscalls-next

Dominik Brodowski (22):
  net: socket: add __sys_recvfrom() helper; remove in-kernel call to syscall
  net: socket: add __sys_sendto() helper; remove in-kernel call to syscall
  net: socket: add __sys_accept4() helper; remove in-kernel call to syscall
  net: socket: add __sys_socket() helper; remove in-kernel call to syscall
  net: socket: add __sys_bind() helper; remove in-kernel call to syscall
  net: socket: add __sys_connect() helper; remove in-kernel call to syscall
  net: socket: add __sys_listen() helper; remove in-kernel call to syscall
  net: socket: add __sys_getsockname() helper; remove in-kernel call to syscall
  net: socket: add __sys_getpeername() helper; remove in-kernel call to syscall
  net: socket: add __sys_socketpair() helper; remove in-kernel call to syscall
  net: socket: add __sys_shutdown() helper; remove in-kernel call to syscall
  net: socket: add __sys_setsockopt() helper; remove in-kernel call to syscall
  net: socket: add __sys_getsockopt() helper; remove in-kernel call to syscall
  net: socket: add do_sys_recvmmsg() helper; remove in-kernel call to syscall
  net: socket: move check for forbid_cmsg_compat to __sys_...msg()
  net: socket: replace calls to sys_send() with __sys_sendto()
  net: socket: replace call to sys_recv() with __sys_recvfrom()
  net: socket: add __compat_sys_recvfrom() helper; remove in-kernel call to compat syscall
  net: socket: add __compat_sys_setsockopt() helper; remove in-kernel call to compat syscall
  net: socket: add __compat_sys_getsockopt() helper; remove in-kernel call to compat syscall
  net: socket: add __compat_sys_recvmmsg() helper; remove in-kernel call to compat syscall
  net: socket: add __compat_sys_...msg() helpers; remove in-kernel calls to compat syscalls

 include/linux/socket.h | 37 +++-
 net/compat.c | 136 +++-
 net/socket.c | 234 ++---
 3 files changed, 291 insertions(+), 116 deletions(-)

-- 2.16.2
[PATCH -next 14/22] net: socket: add do_sys_recvmmsg() helper; remove in-kernel call to syscall
Using the net-internal helper do_sys_recvmmsg() allows us to avoid the internal calls to the sys_getsockopt() syscall. Cc: David S. MillerCc: net...@vger.kernel.org Signed-off-by: Dominik Brodowski --- net/socket.c | 17 - 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/net/socket.c b/net/socket.c index a05289b1f863..72cdaaeccb85 100644 --- a/net/socket.c +++ b/net/socket.c @@ -2445,9 +2445,9 @@ int __sys_recvmmsg(int fd, struct mmsghdr __user *mmsg, unsigned int vlen, return datagrams; } -SYSCALL_DEFINE5(recvmmsg, int, fd, struct mmsghdr __user *, mmsg, - unsigned int, vlen, unsigned int, flags, - struct timespec __user *, timeout) +static long do_sys_recvmmsg(int fd, struct mmsghdr __user *mmsg, + unsigned int vlen, unsigned int flags, + struct timespec __user *timeout) { int datagrams; struct timespec timeout_sys; @@ -2470,6 +2470,13 @@ SYSCALL_DEFINE5(recvmmsg, int, fd, struct mmsghdr __user *, mmsg, return datagrams; } +SYSCALL_DEFINE5(recvmmsg, int, fd, struct mmsghdr __user *, mmsg, + unsigned int, vlen, unsigned int, flags, + struct timespec __user *, timeout) +{ + return do_sys_recvmmsg(fd, mmsg, vlen, flags, timeout); +} + #ifdef __ARCH_WANT_SYS_SOCKETCALL /* Argument list sizes for sys_socketcall */ #define AL(x) ((x) * sizeof(unsigned long)) @@ -2582,8 +2589,8 @@ SYSCALL_DEFINE2(socketcall, int, call, unsigned long __user *, args) err = sys_recvmsg(a0, (struct user_msghdr __user *)a1, a[2]); break; case SYS_RECVMMSG: - err = sys_recvmmsg(a0, (struct mmsghdr __user *)a1, a[2], a[3], - (struct timespec __user *)a[4]); + err = do_sys_recvmmsg(a0, (struct mmsghdr __user *)a1, a[2], + a[3], (struct timespec __user *)a[4]); break; case SYS_ACCEPT4: err = __sys_accept4(a0, (struct sockaddr __user *)a1, -- 2.16.2
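Review bot: the changelog says the helper avoids in-kernel calls to sys_getsockopt(), but every hunk here is about recvmmsg; that looks like a leftover from another patch in the series and should read sys_recvmmsg(). The new static function is also named do_sys_recvmmsg() and returns long, while the first hunk header shows an existing __sys_recvmmsg() returning int; a comment on the new function saying how the two differ would avoid confusion for callers choosing between them.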