[PATCH -next] soc/tegra: fuse: don't return -ENOMEM when allocate lookups failed
fuse->base can not be unmapped if allocate lookups failed in
tegra_init_fuse(), because it is an early_initcall, the driver
will be loaded anyway and fuse->base will be accessed by other
functions later, so remove the return -ENOMEM after allocating
lookups failed to make less confusing.
Signed-off-by: Yang Yingliang
---
drivers/soc/tegra/fuse/fuse-tegra.c | 12 +---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/drivers/soc/tegra/fuse/fuse-tegra.c
b/drivers/soc/tegra/fuse/fuse-tegra.c
index 94b60a692b51..a0def1219501 100644
--- a/drivers/soc/tegra/fuse/fuse-tegra.c
+++ b/drivers/soc/tegra/fuse/fuse-tegra.c
@@ -490,9 +490,15 @@ static int __init tegra_init_fuse(void)
fuse->lookups = kmemdup(fuse->soc->lookups, size, GFP_KERNEL);
if (!fuse->lookups)
- return -ENOMEM;
-
- nvmem_add_cell_lookups(fuse->lookups, fuse->soc->num_lookups);
+ /*
+* fuse->base can not be unmapped if allocate lookups
failed,
+* because it will be accessed by other functions later.
+* To make less confusing, remove the return -ENOMEM and
+* skip registering the nvmem cell lookups.
+*/
+ pr_err("failed to allocate lookups");
+ else
+ nvmem_add_cell_lookups(fuse->lookups,
fuse->soc->num_lookups);
}
return 0;
--
2.25.1
[PATCH -next v2] clocksource/drivers/qcom: add missing iounmap() on error in msm_dt_timer_init()
base and cpu0_base are not unmapped on error path, add the missing
iounmap() before return msm_dt_timer_init() in the error handling
cases.
Fixes: 6e3321631ac2 ("ARM: msm: Add DT support to msm_timer")
Reported-by: Hulk Robot
Signed-off-by: Yang Yingliang
Reviewed-by: Manivannan Sadhasivam
---
v2:
add missing "ret = -EINVAL" assignment
---
drivers/clocksource/timer-qcom.c | 24 +++-
1 file changed, 19 insertions(+), 5 deletions(-)
diff --git a/drivers/clocksource/timer-qcom.c b/drivers/clocksource/timer-qcom.c
index b4afe3a67583..f2d9a949f3f7 100644
--- a/drivers/clocksource/timer-qcom.c
+++ b/drivers/clocksource/timer-qcom.c
@@ -213,7 +213,8 @@ static int __init msm_dt_timer_init(struct device_node *np)
irq = irq_of_parse_and_map(np, 1);
if (irq <= 0) {
pr_err("Can't get irq\n");
- return -EINVAL;
+ ret = -EINVAL;
+ goto err_unmap_base;
}
/* We use CPU0's DGT for the clocksource */
@@ -223,18 +224,20 @@ static int __init msm_dt_timer_init(struct device_node
*np)
ret = of_address_to_resource(np, 0, );
if (ret) {
pr_err("Failed to parse DGT resource\n");
- return ret;
+ goto err_unmap_base;
}
cpu0_base = ioremap(res.start + percpu_offset, resource_size());
if (!cpu0_base) {
pr_err("Failed to map source base\n");
- return -EINVAL;
+ ret = -EINVAL;
+ goto err_unmap_base;
}
if (of_property_read_u32(np, "clock-frequency", )) {
pr_err("Unknown frequency\n");
- return -EINVAL;
+ ret = -EINVAL;
+ goto err_unmap_cpu0_base;
}
event_base = base + 0x4;
@@ -243,7 +246,18 @@ static int __init msm_dt_timer_init(struct device_node *np)
freq /= 4;
writel_relaxed(DGT_CLK_CTL_DIV_4, source_base + DGT_CLK_CTL);
- return msm_timer_init(freq, 32, irq, !!percpu_offset);
+ ret = msm_timer_init(freq, 32, irq, !!percpu_offset);
+ if (ret)
+ goto err_unmap_cpu0_base;
+
+ return 0;
+
+err_unmap_cpu0_base:
+ iounmap(cpu0_base);
+err_unmap_base:
+ iounmap(base);
+
+ return ret;
}
TIMER_OF_DECLARE(kpss_timer, "qcom,kpss-timer", msm_dt_timer_init);
TIMER_OF_DECLARE(scss_timer, "qcom,scss-timer", msm_dt_timer_init);
--
2.25.1
[PATCH -next] media: camss: ispif: Remove redundant dev_err call in msm_ispif_subdev_init()
There is a error message within devm_ioremap_resource
already, so remove the dev_err call to avoid redundant
error message.
Reported-by: Hulk Robot
Signed-off-by: Yang Yingliang
---
drivers/media/platform/qcom/camss/camss-ispif.c | 8 ++--
1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/drivers/media/platform/qcom/camss/camss-ispif.c
b/drivers/media/platform/qcom/camss/camss-ispif.c
index a30e453de162..37611c8861da 100644
--- a/drivers/media/platform/qcom/camss/camss-ispif.c
+++ b/drivers/media/platform/qcom/camss/camss-ispif.c
@@ -1145,17 +1145,13 @@ int msm_ispif_subdev_init(struct camss *camss,
r = platform_get_resource_byname(pdev, IORESOURCE_MEM, res->reg[0]);
ispif->base = devm_ioremap_resource(dev, r);
- if (IS_ERR(ispif->base)) {
- dev_err(dev, "could not map memory\n");
+ if (IS_ERR(ispif->base))
return PTR_ERR(ispif->base);
- }
r = platform_get_resource_byname(pdev, IORESOURCE_MEM, res->reg[1]);
ispif->base_clk_mux = devm_ioremap_resource(dev, r);
- if (IS_ERR(ispif->base_clk_mux)) {
- dev_err(dev, "could not map memory\n");
+ if (IS_ERR(ispif->base_clk_mux))
return PTR_ERR(ispif->base_clk_mux);
- }
/* Interrupt */
--
2.25.1
[PATCH -next] clocksource/drivers/qcom: add missing iounmap() on error in msm_dt_timer_init()
base and cpu0_base are not unmapped on error path, add the missing
iounmap() before return msm_dt_timer_init() in the error handling
cases.
Fixes: 6e3321631ac2 ("ARM: msm: Add DT support to msm_timer")
Reported-by: Hulk Robot
Signed-off-by: Yang Yingliang
---
drivers/clocksource/timer-qcom.c | 23 ++-
1 file changed, 18 insertions(+), 5 deletions(-)
diff --git a/drivers/clocksource/timer-qcom.c b/drivers/clocksource/timer-qcom.c
index b4afe3a67583..3488876198e0 100644
--- a/drivers/clocksource/timer-qcom.c
+++ b/drivers/clocksource/timer-qcom.c
@@ -213,7 +213,8 @@ static int __init msm_dt_timer_init(struct device_node *np)
irq = irq_of_parse_and_map(np, 1);
if (irq <= 0) {
pr_err("Can't get irq\n");
- return -EINVAL;
+ ret = -EINVAL;
+ goto err_unmap_base;
}
/* We use CPU0's DGT for the clocksource */
@@ -223,18 +224,19 @@ static int __init msm_dt_timer_init(struct device_node
*np)
ret = of_address_to_resource(np, 0, );
if (ret) {
pr_err("Failed to parse DGT resource\n");
- return ret;
+ goto err_unmap_base;
}
cpu0_base = ioremap(res.start + percpu_offset, resource_size());
if (!cpu0_base) {
pr_err("Failed to map source base\n");
- return -EINVAL;
+ goto err_unmap_base;
}
if (of_property_read_u32(np, "clock-frequency", )) {
pr_err("Unknown frequency\n");
- return -EINVAL;
+ ret = -EINVAL;
+ goto err_unmap_cpu0_base;
}
event_base = base + 0x4;
@@ -243,7 +245,18 @@ static int __init msm_dt_timer_init(struct device_node *np)
freq /= 4;
writel_relaxed(DGT_CLK_CTL_DIV_4, source_base + DGT_CLK_CTL);
- return msm_timer_init(freq, 32, irq, !!percpu_offset);
+ ret = msm_timer_init(freq, 32, irq, !!percpu_offset);
+ if (ret)
+ goto err_unmap_cpu0_base;
+
+ return 0;
+
+err_unmap_cpu0_base:
+ iounmap(cpu0_base);
+err_unmap_base:
+ iounmap(base);
+
+ return ret;
}
TIMER_OF_DECLARE(kpss_timer, "qcom,kpss-timer", msm_dt_timer_init);
TIMER_OF_DECLARE(scss_timer, "qcom,scss-timer", msm_dt_timer_init);
--
2.25.1
[PATCH -next] soc/tegra: fuse: add missing iounmap() on error in tegra_init_fuse()
Add the missing iounmap() before return from tegra_init_fuse()
in the error handling case.
Fixes: 9f94fadd75d3 ("soc/tegra: fuse: Register cell lookups for compatibility")
Reported-by: Hulk Robot
Signed-off-by: Yang Yingliang
---
drivers/soc/tegra/fuse/fuse-tegra.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/soc/tegra/fuse/fuse-tegra.c
b/drivers/soc/tegra/fuse/fuse-tegra.c
index 94b60a692b51..bc8d70e6a676 100644
--- a/drivers/soc/tegra/fuse/fuse-tegra.c
+++ b/drivers/soc/tegra/fuse/fuse-tegra.c
@@ -489,8 +489,10 @@ static int __init tegra_init_fuse(void)
size_t size = sizeof(*fuse->lookups) * fuse->soc->num_lookups;
fuse->lookups = kmemdup(fuse->soc->lookups, size, GFP_KERNEL);
- if (!fuse->lookups)
+ if (!fuse->lookups) {
+ iounmap(fuse->base);
return -ENOMEM;
+ }
nvmem_add_cell_lookups(fuse->lookups, fuse->soc->num_lookups);
}
--
2.25.1
[PATCH -next] usb: gadget: tegra-xudc: Fix possible use-after-free in tegra_xudc_remove()
This driver's remove path calls cancel_delayed_work(). However, that function does not wait until the work function finishes. This means that the callback function may still be running after the driver's remove function has finished, which would result in a use-after-free. Fix by calling cancel_delayed_work_sync(), which ensures that the work is properly cancelled, no longer running, and unable to re-schedule itself. Reported-by: Hulk Robot Signed-off-by: Yang Yingliang --- drivers/usb/gadget/udc/tegra-xudc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/usb/gadget/udc/tegra-xudc.c b/drivers/usb/gadget/udc/tegra-xudc.c index 580bef8eb4cb..2319c9737c2b 100644 --- a/drivers/usb/gadget/udc/tegra-xudc.c +++ b/drivers/usb/gadget/udc/tegra-xudc.c @@ -3883,7 +3883,7 @@ static int tegra_xudc_remove(struct platform_device *pdev) pm_runtime_get_sync(xudc->dev); - cancel_delayed_work(>plc_reset_work); + cancel_delayed_work_sync(>plc_reset_work); cancel_work_sync(>usb_role_sw_work); usb_del_gadget_udc(>gadget); -- 2.25.1
[PATCH -next] phy: phy-twl4030-usb: Fix possible use-after-free in twl4030_usb_remove()
This driver's remove path calls cancel_delayed_work(). However, that function does not wait until the work function finishes. This means that the callback function may still be running after the driver's remove function has finished, which would result in a use-after-free. Fix by calling cancel_delayed_work_sync(), which ensures that the work is properly cancelled, no longer running, and unable to re-schedule itself. Reported-by: Hulk Robot Signed-off-by: Yang Yingliang --- drivers/phy/ti/phy-twl4030-usb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/phy/ti/phy-twl4030-usb.c b/drivers/phy/ti/phy-twl4030-usb.c index 9887f908f540..812e5409d359 100644 --- a/drivers/phy/ti/phy-twl4030-usb.c +++ b/drivers/phy/ti/phy-twl4030-usb.c @@ -779,7 +779,7 @@ static int twl4030_usb_remove(struct platform_device *pdev) usb_remove_phy(>phy); pm_runtime_get_sync(twl->dev); - cancel_delayed_work(>id_workaround_work); + cancel_delayed_work_sync(>id_workaround_work); device_remove_file(twl->dev, _attr_vbus); /* set transceiver mode to power on defaults */ -- 2.25.1
[PATCH -next] power: supply: s3c_adc_battery: fix possible use-after-free in s3c_adc_bat_remove()
This driver's remove path calls cancel_delayed_work(). However, that function does not wait until the work function finishes. This means that the callback function may still be running after the driver's remove function has finished, which would result in a use-after-free. Fix by calling cancel_delayed_work_sync(), which ensures that the work is properly cancelled, no longer running, and unable to re-schedule itself. Reported-by: Hulk Robot Signed-off-by: Yang Yingliang --- drivers/power/supply/s3c_adc_battery.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/power/supply/s3c_adc_battery.c b/drivers/power/supply/s3c_adc_battery.c index dc700066d7bc..68d31a3bee48 100644 --- a/drivers/power/supply/s3c_adc_battery.c +++ b/drivers/power/supply/s3c_adc_battery.c @@ -390,7 +390,7 @@ static int s3c_adc_bat_remove(struct platform_device *pdev) if (main_bat.charge_finished) free_irq(gpiod_to_irq(main_bat.charge_finished), NULL); - cancel_delayed_work(_work); + cancel_delayed_work_sync(_work); if (pdata->exit) pdata->exit(); -- 2.25.1
[PATCH -next] power: supply: generic-adc-battery: fix possible use-after-free in gab_remove()
This driver's remove path calls cancel_delayed_work(). However, that function does not wait until the work function finishes. This means that the callback function may still be running after the driver's remove function has finished, which would result in a use-after-free. Fix by calling cancel_delayed_work_sync(), which ensures that the work is properly cancelled, no longer running, and unable to re-schedule itself. Reported-by: Hulk Robot Signed-off-by: Yang Yingliang --- drivers/power/supply/generic-adc-battery.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/power/supply/generic-adc-battery.c b/drivers/power/supply/generic-adc-battery.c index 0032069fbc2b..66039c665dd1 100644 --- a/drivers/power/supply/generic-adc-battery.c +++ b/drivers/power/supply/generic-adc-battery.c @@ -373,7 +373,7 @@ static int gab_remove(struct platform_device *pdev) } kfree(adc_bat->psy_desc.properties); - cancel_delayed_work(_bat->bat_work); + cancel_delayed_work_sync(_bat->bat_work); return 0; } -- 2.25.1
[PATCH -next] media: i2c: adv7842: fix possible use-after-free in adv7842_remove()
This driver's remove path calls cancel_delayed_work(). However, that function does not wait until the work function finishes. This means that the callback function may still be running after the driver's remove function has finished, which would result in a use-after-free. Fix by calling cancel_delayed_work_sync(), which ensures that the work is properly cancelled, no longer running, and unable to re-schedule itself. Reported-by: Hulk Robot Signed-off-by: Yang Yingliang --- drivers/media/i2c/adv7842.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/media/i2c/adv7842.c b/drivers/media/i2c/adv7842.c index 21dbb7a594fb..8bd58ce07926 100644 --- a/drivers/media/i2c/adv7842.c +++ b/drivers/media/i2c/adv7842.c @@ -3573,7 +3573,7 @@ static int adv7842_remove(struct i2c_client *client) struct adv7842_state *state = to_state(sd); adv7842_irq_enable(sd, false); - cancel_delayed_work(>delayed_work_enable_hotplug); + cancel_delayed_work_sync(>delayed_work_enable_hotplug); v4l2_device_unregister_subdev(sd); media_entity_cleanup(>entity); adv7842_unregister_clients(sd); -- 2.25.1
[PATCH -next] media: i2c: tda1997: Fix possible use-after-free in tda1997x_remove()
This driver's remove path calls cancel_delayed_work(). However, that function does not wait until the work function finishes. This means that the callback function may still be running after the driver's remove function has finished, which would result in a use-after-free. Fix by calling cancel_delayed_work_sync(), which ensures that the work is properly cancelled, no longer running, and unable to re-schedule itself. Reported-by: Hulk Robot Signed-off-by: Yang Yingliang --- drivers/media/i2c/tda1997x.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/media/i2c/tda1997x.c b/drivers/media/i2c/tda1997x.c index a09bf0a39d05..89bb7e6dc7a4 100644 --- a/drivers/media/i2c/tda1997x.c +++ b/drivers/media/i2c/tda1997x.c @@ -2804,7 +2804,7 @@ static int tda1997x_remove(struct i2c_client *client) media_entity_cleanup(>entity); v4l2_ctrl_handler_free(>hdl); regulator_bulk_disable(TDA1997X_NUM_SUPPLIES, state->supplies); - cancel_delayed_work(>delayed_work_enable_hpd); + cancel_delayed_work_sync(>delayed_work_enable_hpd); mutex_destroy(>page_lock); mutex_destroy(>lock); -- 2.25.1
[PATCH -next] media: i2c: adv7511-v4l2: fix possible use-after-free in adv7511_remove()
This driver's remove path calls cancel_delayed_work(). However, that function does not wait until the work function finishes. This means that the callback function may still be running after the driver's remove function has finished, which would result in a use-after-free. Fix by calling cancel_delayed_work_sync(), which ensures that the work is properly cancelled, no longer running, and unable to re-schedule itself. Reported-by: Hulk Robot Signed-off-by: Yang Yingliang --- drivers/media/i2c/adv7511-v4l2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/media/i2c/adv7511-v4l2.c b/drivers/media/i2c/adv7511-v4l2.c index 9183003ae22d..b4f0fdf8fc06 100644 --- a/drivers/media/i2c/adv7511-v4l2.c +++ b/drivers/media/i2c/adv7511-v4l2.c @@ -1958,7 +1958,7 @@ static int adv7511_remove(struct i2c_client *client) adv7511_set_isr(sd, false); adv7511_init_setup(sd); - cancel_delayed_work(>edid_handler); + cancel_delayed_work_sync(>edid_handler); i2c_unregister_device(state->i2c_edid); i2c_unregister_device(state->i2c_cec); i2c_unregister_device(state->i2c_pktmem); -- 2.25.1
[PATCH -next] media: adv7604: fix possible use-after-free in adv76xx_remove()
This driver's remove path calls cancel_delayed_work(). However, that function does not wait until the work function finishes. This means that the callback function may still be running after the driver's remove function has finished, which would result in a use-after-free. Fix by calling cancel_delayed_work_sync(), which ensures that the work is properly cancelled, no longer running, and unable to re-schedule itself. Reported-by: Hulk Robot Signed-off-by: Yang Yingliang --- drivers/media/i2c/adv7604.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/media/i2c/adv7604.c b/drivers/media/i2c/adv7604.c index 18184297e2f0..9cf6de66ae25 100644 --- a/drivers/media/i2c/adv7604.c +++ b/drivers/media/i2c/adv7604.c @@ -3618,7 +3618,7 @@ static int adv76xx_remove(struct i2c_client *client) io_write(sd, 0x6e, 0); io_write(sd, 0x73, 0); - cancel_delayed_work(>delayed_work_enable_hotplug); + cancel_delayed_work_sync(>delayed_work_enable_hotplug); v4l2_async_unregister_subdev(sd); media_entity_cleanup(>entity); adv76xx_unregister_clients(to_state(sd)); -- 2.25.1
[PATCH -next] media: tc358743: fix possible use-after-free in tc358743_remove()
This driver's remove path calls cancel_delayed_work(). However, that function does not wait until the work function finishes. This means that the callback function may still be running after the driver's remove function has finished, which would result in a use-after-free. Fix by calling cancel_delayed_work_sync(), which ensures that the work is properly cancelled, no longer running, and unable to re-schedule itself. Reported-by: Hulk Robot Signed-off-by: Yang Yingliang --- drivers/media/i2c/tc358743.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/media/i2c/tc358743.c b/drivers/media/i2c/tc358743.c index 831b5b54fd78..1b309bb743c7 100644 --- a/drivers/media/i2c/tc358743.c +++ b/drivers/media/i2c/tc358743.c @@ -2193,7 +2193,7 @@ static int tc358743_remove(struct i2c_client *client) del_timer_sync(>timer); flush_work(>work_i2c_poll); } - cancel_delayed_work(>delayed_work_enable_hotplug); + cancel_delayed_work_sync(>delayed_work_enable_hotplug); cec_unregister_adapter(state->cec_adap); v4l2_async_unregister_subdev(sd); v4l2_device_unregister_subdev(sd); -- 2.25.1
[PATCH -next] leds: tlc591xx: fix return value check in tlc591xx_probe()
After device_get_match_data(), tlc591xx is not checked, add
check for it and also check np after dev_of_node.
Reported-by: Hulk Robot
Signed-off-by: Yang Yingliang
---
drivers/leds/leds-tlc591xx.c | 8 ++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/leds/leds-tlc591xx.c b/drivers/leds/leds-tlc591xx.c
index 5b9dfdf743ec..cb7bd1353f9f 100644
--- a/drivers/leds/leds-tlc591xx.c
+++ b/drivers/leds/leds-tlc591xx.c
@@ -148,16 +148,20 @@ static int
tlc591xx_probe(struct i2c_client *client,
const struct i2c_device_id *id)
{
- struct device_node *np = dev_of_node(>dev), *child;
+ struct device_node *np, *child;
struct device *dev = >dev;
const struct tlc591xx *tlc591xx;
struct tlc591xx_priv *priv;
int err, count, reg;
- tlc591xx = device_get_match_data(dev);
+ np = dev_of_node(dev);
if (!np)
return -ENODEV;
+ tlc591xx = device_get_match_data(dev);
+ if (!tlc591xx)
+ return -ENODEV;
+
count = of_get_available_child_count(np);
if (!count || count > tlc591xx->max_leds)
return -EINVAL;
--
2.25.1
[PATCH -next v2] speakup: i18n: Switch to kmemdup_nul() in spk_msg_set()
Use kmemdup_nul() helper instead of open-coding to
simplify the code in spk_msg_set().
Reported-by: Hulk Robot
Signed-off-by: Yang Yingliang
---
V2:
change the tile and commit log.
---
drivers/accessibility/speakup/i18n.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/drivers/accessibility/speakup/i18n.c
b/drivers/accessibility/speakup/i18n.c
index ee240d36f947..46bd50f3c3a4 100644
--- a/drivers/accessibility/speakup/i18n.c
+++ b/drivers/accessibility/speakup/i18n.c
@@ -548,12 +548,10 @@ ssize_t spk_msg_set(enum msg_index_t index, char *text,
size_t length)
if ((index < MSG_FIRST_INDEX) || (index >= MSG_LAST_INDEX))
return -EINVAL;
- newstr = kmalloc(length + 1, GFP_KERNEL);
+ newstr = kmemdup_nul(text, length, GFP_KERNEL);
if (!newstr)
return -ENOMEM;
- memcpy(newstr, text, length);
- newstr[length] = '\0';
if (index >= MSG_FORMATTED_START &&
index <= MSG_FORMATTED_END &&
!fmt_validate(speakup_default_msgs[index], newstr)) {
--
2.25.1
Re: [PATCH -next] staging/speakup: Switch to kmemdup_nul()
Hi, On 2021/4/2 21:13, Greg KH wrote: On Fri, Apr 02, 2021 at 05:21:11PM +0800, Yang Yingliang wrote: Use kmemdup_nul() helper instead of open-coding to simplify the code. Reported-by: Hulk Robot Signed-off-by: Yang Yingliang --- drivers/accessibility/speakup/i18n.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) Your subject line is very odd, why does it have "staging"? I check git log of this file and use prefix of the history title, obviously I was wrong, I will send a v2 later. Thanks, Yang Your robot is not doing well these days... greg k-h .
[PATCH -next] media: camss: csid: Remove redundant dev_err call in msm_csid_subdev_init()
There is a error message within devm_ioremap_resource
already, so remove the dev_err call to avoid redundant
error message.
Reported-by: Hulk Robot
Signed-off-by: Yang Yingliang
---
drivers/media/platform/qcom/camss/camss-csid.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/drivers/media/platform/qcom/camss/camss-csid.c
b/drivers/media/platform/qcom/camss/camss-csid.c
index 463760c29294..cc11fbfdae13 100644
--- a/drivers/media/platform/qcom/camss/camss-csid.c
+++ b/drivers/media/platform/qcom/camss/camss-csid.c
@@ -568,10 +568,8 @@ int msm_csid_subdev_init(struct camss *camss, struct
csid_device *csid,
r = platform_get_resource_byname(pdev, IORESOURCE_MEM, res->reg[0]);
csid->base = devm_ioremap_resource(dev, r);
- if (IS_ERR(csid->base)) {
- dev_err(dev, "could not map memory\n");
+ if (IS_ERR(csid->base))
return PTR_ERR(csid->base);
- }
/* Interrupt */
--
2.25.1
[PATCH -next] scsi: target: iscsi: Switch to kmemdup_nul()
Use kmemdup_nul() helper instead of open-coding to
simplify the code.
Reported-by: Hulk Robot
Signed-off-by: Yang Yingliang
---
drivers/target/iscsi/iscsi_target_nego.c | 4 +---
drivers/target/iscsi/iscsi_target_parameters.c | 4 +---
2 files changed, 2 insertions(+), 6 deletions(-)
diff --git a/drivers/target/iscsi/iscsi_target_nego.c
b/drivers/target/iscsi/iscsi_target_nego.c
index 151e2949bb75..9a4a632f631d 100644
--- a/drivers/target/iscsi/iscsi_target_nego.c
+++ b/drivers/target/iscsi/iscsi_target_nego.c
@@ -1082,14 +1082,12 @@ int iscsi_target_locate_portal(
login_req = (struct iscsi_login_req *) login->req;
payload_length = ntoh24(login_req->dlength);
- tmpbuf = kzalloc(payload_length + 1, GFP_KERNEL);
+ tmpbuf = kmemdup_nul(login->req_buf, payload_length, GFP_KERNEL);
if (!tmpbuf) {
pr_err("Unable to allocate memory for tmpbuf.\n");
return -1;
}
- memcpy(tmpbuf, login->req_buf, payload_length);
- tmpbuf[payload_length] = '\0';
start = tmpbuf;
end = (start + payload_length);
diff --git a/drivers/target/iscsi/iscsi_target_parameters.c
b/drivers/target/iscsi/iscsi_target_parameters.c
index 7a461fbb1566..6bc3aaf655fc 100644
--- a/drivers/target/iscsi/iscsi_target_parameters.c
+++ b/drivers/target/iscsi/iscsi_target_parameters.c
@@ -1357,14 +1357,12 @@ int iscsi_decode_text_input(
struct iscsi_param_list *param_list = conn->param_list;
char *tmpbuf, *start = NULL, *end = NULL;
- tmpbuf = kzalloc(length + 1, GFP_KERNEL);
+ tmpbuf = kmemdup_nul(textbuf, length, GFP_KERNEL);
if (!tmpbuf) {
pr_err("Unable to allocate %u + 1 bytes for tmpbuf.\n", length);
return -ENOMEM;
}
- memcpy(tmpbuf, textbuf, length);
- tmpbuf[length] = '\0';
start = tmpbuf;
end = (start + length);
--
2.25.1
[PATCH -next] KEYS: trusted: Switch to kmemdup_nul()
Use kmemdup_nul() helper instead of open-coding to
simplify the code.
Reported-by: Hulk Robot
Signed-off-by: Yang Yingliang
---
security/keys/trusted-keys/trusted_tpm1.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/security/keys/trusted-keys/trusted_tpm1.c
b/security/keys/trusted-keys/trusted_tpm1.c
index 493eb91ed017..90ded4757e79 100644
--- a/security/keys/trusted-keys/trusted_tpm1.c
+++ b/security/keys/trusted-keys/trusted_tpm1.c
@@ -978,11 +978,9 @@ static int trusted_instantiate(struct key *key,
if (datalen <= 0 || datalen > 32767 || !prep->data)
return -EINVAL;
- datablob = kmalloc(datalen + 1, GFP_KERNEL);
+ datablob = kmemdup_nul(prep->data, datalen, GFP_KERNEL);
if (!datablob)
return -ENOMEM;
- memcpy(datablob, prep->data, datalen);
- datablob[datalen] = '\0';
options = trusted_options_alloc();
if (!options) {
--
2.25.1
[PATCH -next] staging/speakup: Switch to kmemdup_nul()
Use kmemdup_nul() helper instead of open-coding to
simplify the code.
Reported-by: Hulk Robot
Signed-off-by: Yang Yingliang
---
drivers/accessibility/speakup/i18n.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/drivers/accessibility/speakup/i18n.c
b/drivers/accessibility/speakup/i18n.c
index ee240d36f947..46bd50f3c3a4 100644
--- a/drivers/accessibility/speakup/i18n.c
+++ b/drivers/accessibility/speakup/i18n.c
@@ -548,12 +548,10 @@ ssize_t spk_msg_set(enum msg_index_t index, char *text,
size_t length)
if ((index < MSG_FIRST_INDEX) || (index >= MSG_LAST_INDEX))
return -EINVAL;
- newstr = kmalloc(length + 1, GFP_KERNEL);
+ newstr = kmemdup_nul(text, length, GFP_KERNEL);
if (!newstr)
return -ENOMEM;
- memcpy(newstr, text, length);
- newstr[length] = '\0';
if (index >= MSG_FORMATTED_START &&
index <= MSG_FORMATTED_END &&
!fmt_validate(speakup_default_msgs[index], newstr)) {
--
2.25.1
[PATCH -next v2] libbpf: remove redundant semi-colon
Remove redundant semi-colon in infinalize_btf_ext().
Signed-off-by: Yang Yingliang
---
v2:
add commit log
---
tools/lib/bpf/linker.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/lib/bpf/linker.c b/tools/lib/bpf/linker.c
index 46b16cbdcda3..4e08bc07e635 100644
--- a/tools/lib/bpf/linker.c
+++ b/tools/lib/bpf/linker.c
@@ -1895,7 +1895,7 @@ static int finalize_btf_ext(struct bpf_linker *linker)
hdr->func_info_len = funcs_sz;
hdr->line_info_off = funcs_sz;
hdr->line_info_len = lines_sz;
- hdr->core_relo_off = funcs_sz + lines_sz;;
+ hdr->core_relo_off = funcs_sz + lines_sz;
hdr->core_relo_len = core_relos_sz;
if (funcs_sz) {
--
2.25.1
[PATCH -next] iocost: remove redundant semi-colon
Signed-off-by: Yang Yingliang --- include/trace/events/iocost.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/trace/events/iocost.h b/include/trace/events/iocost.h index e282ce02fa2d..6d1626e7a4ce 100644 --- a/include/trace/events/iocost.h +++ b/include/trace/events/iocost.h @@ -160,7 +160,7 @@ TRACE_EVENT(iocost_ioc_vrate_adj, TP_fast_assign( __assign_str(devname, ioc_name(ioc)); - __entry->old_vrate = atomic64_read(>vtime_rate);; + __entry->old_vrate = atomic64_read(>vtime_rate); __entry->new_vrate = new_vrate; __entry->busy_level = ioc->busy_level; __entry->read_missed_ppm = missed_ppm[READ]; -- 2.25.1
[PATCH -next] KVM: selftests: remove redundant semi-colon
Signed-off-by: Yang Yingliang
---
tools/testing/selftests/kvm/x86_64/xen_shinfo_test.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/testing/selftests/kvm/x86_64/xen_shinfo_test.c
b/tools/testing/selftests/kvm/x86_64/xen_shinfo_test.c
index 804ff5ff022d..1f4a0599683c 100644
--- a/tools/testing/selftests/kvm/x86_64/xen_shinfo_test.c
+++ b/tools/testing/selftests/kvm/x86_64/xen_shinfo_test.c
@@ -186,7 +186,7 @@ int main(int argc, char *argv[])
vcpu_ioctl(vm, VCPU_ID, KVM_XEN_VCPU_SET_ATTR, );
}
- struct vcpu_runstate_info *rs = addr_gpa2hva(vm, RUNSTATE_ADDR);;
+ struct vcpu_runstate_info *rs = addr_gpa2hva(vm, RUNSTATE_ADDR);
rs->state = 0x5a;
for (;;) {
--
2.25.1
[PATCH -next] libbpf: remove redundant semi-colon
Signed-off-by: Yang Yingliang
---
tools/lib/bpf/linker.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/lib/bpf/linker.c b/tools/lib/bpf/linker.c
index 46b16cbdcda3..4e08bc07e635 100644
--- a/tools/lib/bpf/linker.c
+++ b/tools/lib/bpf/linker.c
@@ -1895,7 +1895,7 @@ static int finalize_btf_ext(struct bpf_linker *linker)
hdr->func_info_len = funcs_sz;
hdr->line_info_off = funcs_sz;
hdr->line_info_len = lines_sz;
- hdr->core_relo_off = funcs_sz + lines_sz;;
+ hdr->core_relo_off = funcs_sz + lines_sz;
hdr->core_relo_len = core_relos_sz;
if (funcs_sz) {
--
2.25.1
[PATCH -next] lan743x: remove redundant semi-colon
Signed-off-by: Yang Yingliang --- drivers/net/ethernet/microchip/lan743x_main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/ethernet/microchip/lan743x_main.c b/drivers/net/ethernet/microchip/lan743x_main.c index 1c3e204d727c..e7ab5f3f73fd 100644 --- a/drivers/net/ethernet/microchip/lan743x_main.c +++ b/drivers/net/ethernet/microchip/lan743x_main.c @@ -3004,7 +3004,7 @@ static int lan743x_pm_suspend(struct device *dev) lan743x_pm_set_wol(adapter); /* Host sets PME_En, put D3hot */ - return pci_prepare_to_sleep(pdev);; + return pci_prepare_to_sleep(pdev); } static int lan743x_pm_resume(struct device *dev) -- 2.25.1
[PATCH -next] drm/nouveau/gem: remove redundant semi-colon
Signed-off-by: Yang Yingliang --- drivers/gpu/drm/nouveau/nouveau_gem.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/nouveau/nouveau_gem.c b/drivers/gpu/drm/nouveau/nouveau_gem.c index c88cbb85f101..492e6794c5e6 100644 --- a/drivers/gpu/drm/nouveau/nouveau_gem.c +++ b/drivers/gpu/drm/nouveau/nouveau_gem.c @@ -303,7 +303,7 @@ nouveau_gem_set_domain(struct drm_gem_object *gem, uint32_t read_domains, struct ttm_buffer_object *bo = >bo; uint32_t domains = valid_domains & nvbo->valid_domains & (write_domains ? write_domains : read_domains); - uint32_t pref_domains = 0;; + uint32_t pref_domains = 0; if (!domains) return -EINVAL; -- 2.25.1
[PATCH -next] spi: fsl: add missing iounmap() on error in of_fsl_spi_probe()
Add the missing iounmap() before return from of_fsl_spi_probe()
in the error handling case.
Fixes: 0f0581b24bd0 ("spi: fsl: Convert to use CS GPIO descriptors")
Reported-by: Hulk Robot
Signed-off-by: Yang Yingliang
---
drivers/spi/spi-fsl-spi.c | 23 ++-
1 file changed, 18 insertions(+), 5 deletions(-)
diff --git a/drivers/spi/spi-fsl-spi.c b/drivers/spi/spi-fsl-spi.c
index e4a8d203f940..d0e5aa18b7ba 100644
--- a/drivers/spi/spi-fsl-spi.c
+++ b/drivers/spi/spi-fsl-spi.c
@@ -707,6 +707,11 @@ static int of_fsl_spi_probe(struct platform_device *ofdev)
struct resource mem;
int irq, type;
int ret;
+ bool spisel_boot = false;
+#if IS_ENABLED(CONFIG_FSL_SOC)
+ struct mpc8xxx_spi_probe_info *pinfo = NULL;
+#endif
+
ret = of_mpc8xxx_spi_probe(ofdev);
if (ret)
@@ -715,9 +720,8 @@ static int of_fsl_spi_probe(struct platform_device *ofdev)
type = fsl_spi_get_type(>dev);
if (type == TYPE_FSL) {
struct fsl_spi_platform_data *pdata = dev_get_platdata(dev);
- bool spisel_boot = false;
#if IS_ENABLED(CONFIG_FSL_SOC)
- struct mpc8xxx_spi_probe_info *pinfo = to_of_pinfo(pdata);
+ pinfo = to_of_pinfo(pdata);
spisel_boot = of_property_read_bool(np, "fsl,spisel_boot");
if (spisel_boot) {
@@ -746,15 +750,24 @@ static int of_fsl_spi_probe(struct platform_device *ofdev)
ret = of_address_to_resource(np, 0, );
if (ret)
- return ret;
+ goto unmap_out;
irq = platform_get_irq(ofdev, 0);
- if (irq < 0)
- return irq;
+ if (irq < 0) {
+ ret = irq;
+ goto unmap_out;
+ }
master = fsl_spi_probe(dev, , irq);
return PTR_ERR_OR_ZERO(master);
+
+unmap_out:
+#if IS_ENABLED(CONFIG_FSL_SOC)
+ if (spisel_boot)
+ iounmap(pinfo->immr_spi_cs);
+#endif
+ return ret;
}
static int of_fsl_spi_remove(struct platform_device *ofdev)
--
2.25.1
[PATCH -next] media: imx-pxp: remove redundant dev_err call in pxp_probe()
There is an error message within devm_ioremap_resource
already, so remove the dev_err call to avoid redundant
error message.
Reported-by: Hulk Robot
Signed-off-by: Yang Yingliang
---
drivers/media/platform/imx-pxp.c | 7 ++-
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/drivers/media/platform/imx-pxp.c b/drivers/media/platform/imx-pxp.c
index 08d76eb05ed1..13bc88e9358e 100644
--- a/drivers/media/platform/imx-pxp.c
+++ b/drivers/media/platform/imx-pxp.c
@@ -1654,11 +1654,8 @@ static int pxp_probe(struct platform_device *pdev)
res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
dev->mmio = devm_ioremap_resource(>dev, res);
- if (IS_ERR(dev->mmio)) {
- ret = PTR_ERR(dev->mmio);
- dev_err(>dev, "Failed to map register space: %d\n", ret);
- return ret;
- }
+ if (IS_ERR(dev->mmio))
+ return PTR_ERR(dev->mmio);
irq = platform_get_irq(pdev, 0);
if (irq < 0)
--
2.25.1
[PATCH -next] media: ti-vpe: csc: remove redundant dev_err call in csc_create()
There is an error message within devm_ioremap_resource
already, so remove the dev_err call to avoid redundant
error message.
Reported-by: Hulk Robot
Signed-off-by: Yang Yingliang
---
drivers/media/platform/ti-vpe/csc.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/drivers/media/platform/ti-vpe/csc.c
b/drivers/media/platform/ti-vpe/csc.c
index f4e0cf72d1cf..ff15bc589f1b 100644
--- a/drivers/media/platform/ti-vpe/csc.c
+++ b/drivers/media/platform/ti-vpe/csc.c
@@ -267,10 +267,8 @@ struct csc_data *csc_create(struct platform_device *pdev,
const char *res_name)
}
csc->base = devm_ioremap_resource(>dev, csc->res);
- if (IS_ERR(csc->base)) {
- dev_err(>dev, "failed to ioremap\n");
+ if (IS_ERR(csc->base))
return ERR_CAST(csc->base);
- }
return csc;
}
--
2.25.1
[PATCH -next v3] staging: greybus: camera: Switch to memdup_user_nul()
Use memdup_user_nul() helper instead of open-coding to
simplify the code.
Reported-by: Hulk Robot
Signed-off-by: Yang Yingliang
---
v3:
remove duplicate ';'
v2:
delete unnecessary blank line
use return PTR_ERR(kbuf) instead
---
drivers/staging/greybus/camera.c | 13 +++--
1 file changed, 3 insertions(+), 10 deletions(-)
diff --git a/drivers/staging/greybus/camera.c b/drivers/staging/greybus/camera.c
index b570e13394ac..2ecdc1bc5092 100644
--- a/drivers/staging/greybus/camera.c
+++ b/drivers/staging/greybus/camera.c
@@ -1120,16 +1120,9 @@ static ssize_t gb_camera_debugfs_write(struct file *file,
if (len > 1024)
return -EINVAL;
- kbuf = kmalloc(len + 1, GFP_KERNEL);
- if (!kbuf)
- return -ENOMEM;
-
- if (copy_from_user(kbuf, buf, len)) {
- ret = -EFAULT;
- goto done;
- }
-
- kbuf[len] = '\0';
+ kbuf = memdup_user_nul(buf, len);
+ if (IS_ERR(kbuf))
+ return PTR_ERR(kbuf);
ret = op->execute(gcam, kbuf, len);
--
2.25.1
[PATCH -next] media: camss: csiphy: Remove redundant dev_err call in msm_csiphy_subdev_init()
There is an error message within devm_ioremap_resource
already, so remove the dev_err call to avoid redundant
error message.
Reported-by: Hulk Robot
Signed-off-by: Yang Yingliang
---
drivers/media/platform/qcom/camss/camss-csiphy.c | 8 ++--
1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/drivers/media/platform/qcom/camss/camss-csiphy.c
b/drivers/media/platform/qcom/camss/camss-csiphy.c
index 6ceb6d7d53d1..b3c3bf19e522 100644
--- a/drivers/media/platform/qcom/camss/camss-csiphy.c
+++ b/drivers/media/platform/qcom/camss/camss-csiphy.c
@@ -593,20 +593,16 @@ int msm_csiphy_subdev_init(struct camss *camss,
r = platform_get_resource_byname(pdev, IORESOURCE_MEM, res->reg[0]);
csiphy->base = devm_ioremap_resource(dev, r);
- if (IS_ERR(csiphy->base)) {
- dev_err(dev, "could not map memory\n");
+ if (IS_ERR(csiphy->base))
return PTR_ERR(csiphy->base);
- }
if (camss->version == CAMSS_8x16 ||
camss->version == CAMSS_8x96) {
r = platform_get_resource_byname(pdev, IORESOURCE_MEM,
res->reg[1]);
csiphy->base_clk_mux = devm_ioremap_resource(dev, r);
- if (IS_ERR(csiphy->base_clk_mux)) {
- dev_err(dev, "could not map memory\n");
+ if (IS_ERR(csiphy->base_clk_mux))
return PTR_ERR(csiphy->base_clk_mux);
- }
} else {
csiphy->base_clk_mux = NULL;
}
--
2.25.1
[PATCH -next] media: ti-vpe: sc: remove redundant dev_err call in sc_create()
There is an error message within devm_ioremap_resource
already, so remove the dev_err call to avoid redundant
error message.
Reported-by: Hulk Robot
Signed-off-by: Yang Yingliang
---
drivers/media/platform/ti-vpe/sc.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/drivers/media/platform/ti-vpe/sc.c
b/drivers/media/platform/ti-vpe/sc.c
index 98f95082a6fd..0202d278523f 100644
--- a/drivers/media/platform/ti-vpe/sc.c
+++ b/drivers/media/platform/ti-vpe/sc.c
@@ -294,10 +294,8 @@ struct sc_data *sc_create(struct platform_device *pdev,
const char *res_name)
}
sc->base = devm_ioremap_resource(>dev, sc->res);
- if (IS_ERR(sc->base)) {
- dev_err(>dev, "failed to ioremap\n");
+ if (IS_ERR(sc->base))
return ERR_CAST(sc->base);
- }
return sc;
}
--
2.25.1
[PATCH -next] locking/ww_mutex: fix missing destroy_workqueue() on error in test_ww_mutex_init()
If test_ww_mutex_init() failed, the module won't be loaded,
so test_ww_mutex_exit() can not be called, in this case, wq
will be leaked, fix it by adding destroy_workqueue() on error
path of test_ww_mutex_init().
Fixes: d1b42b800e5d ("locking/ww_mutex: Add kselftests for resolving...")
Reported-by: Hulk Robot
Signed-off-by: Yang Yingliang
---
kernel/locking/test-ww_mutex.c | 20
1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/kernel/locking/test-ww_mutex.c b/kernel/locking/test-ww_mutex.c
index 3e82f449b4ff..6e4faa853e56 100644
--- a/kernel/locking/test-ww_mutex.c
+++ b/kernel/locking/test-ww_mutex.c
@@ -589,37 +589,41 @@ static int __init test_ww_mutex_init(void)
ret = test_mutex();
if (ret)
- return ret;
+ goto out;
ret = test_aa();
if (ret)
- return ret;
+ goto out;
ret = test_abba(false);
if (ret)
- return ret;
+ goto out;
ret = test_abba(true);
if (ret)
- return ret;
+ goto out;
ret = test_cycle(ncpus);
if (ret)
- return ret;
+ goto out;
ret = stress(16, 2*ncpus, STRESS_INORDER);
if (ret)
- return ret;
+ goto out;
ret = stress(16, 2*ncpus, STRESS_REORDER);
if (ret)
- return ret;
+ goto out;
ret = stress(4095, hweight32(STRESS_ALL)*ncpus, STRESS_ALL);
if (ret)
- return ret;
+ goto out;
return 0;
+
+out:
+ destroy_workqueue(wq);
+ return ret;
}
static void __exit test_ww_mutex_exit(void)
--
2.25.1
Re: [PATCH -next v2] staging: greybus: camera: Switch to memdup_user_nul()
On 2021/4/1 15:47, Dan Carpenter wrote:
On Thu, Apr 01, 2021 at 10:43:32AM +0300, Dan Carpenter wrote:
On Thu, Apr 01, 2021 at 11:17:52AM +0800, Yang Yingliang wrote:
Use memdup_user_nul() helper instead of open-coding to
simplify the code.
Reported-by: Hulk Robot
Signed-off-by: Yang Yingliang
---
drivers/staging/greybus/camera.c | 13 +++--
1 file changed, 3 insertions(+), 10 deletions(-)
diff --git a/drivers/staging/greybus/camera.c b/drivers/staging/greybus/camera.c
index b570e13394ac..2ecdc1bc5092 100644
--- a/drivers/staging/greybus/camera.c
+++ b/drivers/staging/greybus/camera.c
@@ -1120,16 +1120,9 @@ static ssize_t gb_camera_debugfs_write(struct file *file,
if (len > 1024)
return -EINVAL;
- kbuf = kmalloc(len + 1, GFP_KERNEL);
- if (!kbuf)
- return -ENOMEM;
-
- if (copy_from_user(kbuf, buf, len)) {
- ret = -EFAULT;
- goto done;
- }
-
- kbuf[len] = '\0';
+ kbuf = memdup_user_nul(buf, len);
+ if (IS_ERR(kbuf))
+ return PTR_ERR(kbuf);;
^^
There is an extra semi-colon here. Checkpatch actually catches this
sort of typo.
So when someone makes a typo like this, my response is:
1) Let's add this to checkpatch (turns out it was already done)
2) Let's grep the kernel and fix the other instances. The command would
be something like: git grep ';;$' | grep '\.c:'
I search it in kernel and find some other instances like this, I can
send some
patches to fix these.
Thanks,
Yang
regards,
dan carpenter
.
Re: [PATCH -next v2] staging: greybus: camera: Switch to memdup_user_nul()
On 2021/4/1 15:43, Dan Carpenter wrote:
On Thu, Apr 01, 2021 at 11:17:52AM +0800, Yang Yingliang wrote:
Use memdup_user_nul() helper instead of open-coding to
simplify the code.
Reported-by: Hulk Robot
Signed-off-by: Yang Yingliang
---
drivers/staging/greybus/camera.c | 13 +++--
1 file changed, 3 insertions(+), 10 deletions(-)
diff --git a/drivers/staging/greybus/camera.c b/drivers/staging/greybus/camera.c
index b570e13394ac..2ecdc1bc5092 100644
--- a/drivers/staging/greybus/camera.c
+++ b/drivers/staging/greybus/camera.c
@@ -1120,16 +1120,9 @@ static ssize_t gb_camera_debugfs_write(struct file *file,
if (len > 1024)
return -EINVAL;
- kbuf = kmalloc(len + 1, GFP_KERNEL);
- if (!kbuf)
- return -ENOMEM;
-
- if (copy_from_user(kbuf, buf, len)) {
- ret = -EFAULT;
- goto done;
- }
-
- kbuf[len] = '\0';
+ kbuf = memdup_user_nul(buf, len);
+ if (IS_ERR(kbuf))
+ return PTR_ERR(kbuf);;
^^
There is an extra semi-colon here. Checkpatch actually catches this
sort of typo.
I will remove it, and send a v3 later.
Thanks,
Yang
regards,
dan carpenter
.
Re: [PATCH -next v2] staging: greybus: camera: Switch to memdup_user_nul()
On 2021/4/1 13:59, Greg KH wrote: On Thu, Apr 01, 2021 at 11:17:52AM +0800, Yang Yingliang wrote: Use memdup_user_nul() helper instead of open-coding to simplify the code. Reported-by: Hulk Robot Signed-off-by: Yang Yingliang --- drivers/staging/greybus/camera.c | 13 +++-- 1 file changed, 3 insertions(+), 10 deletions(-) What changed from v1? Always put that below the --- line like the documentation asks you to. Please fix up and send a v3. OK, I will add the changelog and send a v3 later Thanks, Yang thanks, greg k-h .
[PATCH -next v2] staging: greybus: camera: Switch to memdup_user_nul()
Use memdup_user_nul() helper instead of open-coding to
simplify the code.
Reported-by: Hulk Robot
Signed-off-by: Yang Yingliang
---
drivers/staging/greybus/camera.c | 13 +++--
1 file changed, 3 insertions(+), 10 deletions(-)
diff --git a/drivers/staging/greybus/camera.c b/drivers/staging/greybus/camera.c
index b570e13394ac..2ecdc1bc5092 100644
--- a/drivers/staging/greybus/camera.c
+++ b/drivers/staging/greybus/camera.c
@@ -1120,16 +1120,9 @@ static ssize_t gb_camera_debugfs_write(struct file *file,
if (len > 1024)
return -EINVAL;
- kbuf = kmalloc(len + 1, GFP_KERNEL);
- if (!kbuf)
- return -ENOMEM;
-
- if (copy_from_user(kbuf, buf, len)) {
- ret = -EFAULT;
- goto done;
- }
-
- kbuf[len] = '\0';
+ kbuf = memdup_user_nul(buf, len);
+ if (IS_ERR(kbuf))
+ return PTR_ERR(kbuf);;
ret = op->execute(gcam, kbuf, len);
--
2.25.1
Re: [PATCH -next] staging: greybus: camera: Switch to memdup_user_nul()
Hi,
On 2021/3/31 18:24, Dan Carpenter wrote:
On Wed, Mar 31, 2021 at 05:52:01PM +0800, Yang Yingliang wrote:
Use memdup_user_nul() helper instead of open-coding to
simplify the code.
Reported-by: Hulk Robot
Signed-off-by: Yang Yingliang
---
drivers/staging/greybus/camera.c | 10 ++
1 file changed, 2 insertions(+), 8 deletions(-)
diff --git a/drivers/staging/greybus/camera.c b/drivers/staging/greybus/camera.c
index b570e13394ac..0f005facffbc 100644
--- a/drivers/staging/greybus/camera.c
+++ b/drivers/staging/greybus/camera.c
@@ -1120,16 +1120,10 @@ static ssize_t gb_camera_debugfs_write(struct file
*file,
if (len > 1024)
return -EINVAL;
- kbuf = kmalloc(len + 1, GFP_KERNEL);
- if (!kbuf)
+ kbuf = memdup_user_nul(buf, len);
+ if (IS_ERR(kbuf))
return -ENOMEM;
return PTR_ERR(kbuf);
- if (copy_from_user(kbuf, buf, len)) {
- ret = -EFAULT;
- goto done;
- }
-
- kbuf[len] = '\0';
Please delete this blank line so there aren't two blank lines in a row.
I will change it and send a v2.
Thanks,
Yang
ret = op->execute(gcam, kbuf, len);
regards,
dan carpenter
.
Re: [PATCH -next] staging: rtl8723bs: os_dep: remove unused variable 'ret'
Hi,
On 2021/3/31 18:27, Greg KH wrote:
On Wed, Mar 31, 2021 at 05:42:47PM +0800, Yang Yingliang wrote:
GCC reports the following warning with W=1:
drivers/staging/rtl8723bs/os_dep/recv_linux.c:101:6: warning:
variable ‘ret’ set but not used [-Wunused-but-set-variable]
101 | int ret;
| ^~~
This variable is not used in function , this commit
remove it to fix the warning.
Fixes: de69e2b3f105 ("staging: rtl8723bs: remove DBG_COUNTER calls from
os_dep/recv_linux.c")
Reported-by: Hulk Robot
Signed-off-by: Yang Yingliang
---
drivers/staging/rtl8723bs/os_dep/recv_linux.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/staging/rtl8723bs/os_dep/recv_linux.c
b/drivers/staging/rtl8723bs/os_dep/recv_linux.c
index fbdbcd04d44a..f6a9482be8e3 100644
--- a/drivers/staging/rtl8723bs/os_dep/recv_linux.c
+++ b/drivers/staging/rtl8723bs/os_dep/recv_linux.c
@@ -98,7 +98,6 @@ struct sk_buff *rtw_os_alloc_msdu_pkt(union recv_frame
*prframe, u16 nSubframe_L
void rtw_os_recv_indicate_pkt(struct adapter *padapter, struct sk_buff *pkt,
struct rx_pkt_attrib *pattrib)
{
struct mlme_priv *pmlmepriv = >mlmepriv;
- int ret;
/* Indicate the packets to upper layer */
if (pkt) {
@@ -140,7 +139,7 @@ void rtw_os_recv_indicate_pkt(struct adapter *padapter,
struct sk_buff *pkt, str
pkt->ip_summed = CHECKSUM_NONE;
- ret = rtw_netif_rx(padapter->pnetdev, pkt);
+ rtw_netif_rx(padapter->pnetdev, pkt);
Why not handle the result of this call properly?
The return type of rtw_os_recv_indicate_pkt() is void, it can't use this
return code.
I will try to make a patch to change return type of
rtw_os_recv_indicate_pkt() to use
this return code later.
Thanks,
Yang
.
[PATCH -next] soc: ixp4xx: qmgr: Use DEFINE_SPINLOCK() for spinlock
spinlock can be initialized automatically with DEFINE_SPINLOCK() rather than explicitly calling spin_lock_init(). Reported-by: Hulk Robot Signed-off-by: Yang Yingliang --- drivers/soc/ixp4xx/ixp4xx-qmgr.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/drivers/soc/ixp4xx/ixp4xx-qmgr.c b/drivers/soc/ixp4xx/ixp4xx-qmgr.c index 8c968382cea7..dde3b668eb40 100644 --- a/drivers/soc/ixp4xx/ixp4xx-qmgr.c +++ b/drivers/soc/ixp4xx/ixp4xx-qmgr.c @@ -16,7 +16,7 @@ static struct qmgr_regs __iomem *qmgr_regs; static int qmgr_irq_1; static int qmgr_irq_2; -static spinlock_t qmgr_lock; +static DEFINE_SPINLOCK(qmgr_lock); static u32 used_sram_bitmap[4]; /* 128 16-dword pages */ static void (*irq_handlers[QUEUES])(void *pdev); static void *irq_pdevs[QUEUES]; @@ -434,7 +434,6 @@ static int ixp4xx_qmgr_probe(struct platform_device *pdev) } used_sram_bitmap[0] = 0xF; /* 4 first pages reserved for config */ - spin_lock_init(_lock); dev_info(dev, "IXP4xx Queue Manager initialized.\n"); return 0; -- 2.25.1
[PATCH -next] staging: greybus: camera: Switch to memdup_user_nul()
Use memdup_user_nul() helper instead of open-coding to
simplify the code.
Reported-by: Hulk Robot
Signed-off-by: Yang Yingliang
---
drivers/staging/greybus/camera.c | 10 ++
1 file changed, 2 insertions(+), 8 deletions(-)
diff --git a/drivers/staging/greybus/camera.c b/drivers/staging/greybus/camera.c
index b570e13394ac..0f005facffbc 100644
--- a/drivers/staging/greybus/camera.c
+++ b/drivers/staging/greybus/camera.c
@@ -1120,16 +1120,10 @@ static ssize_t gb_camera_debugfs_write(struct file
*file,
if (len > 1024)
return -EINVAL;
- kbuf = kmalloc(len + 1, GFP_KERNEL);
- if (!kbuf)
+ kbuf = memdup_user_nul(buf, len);
+ if (IS_ERR(kbuf))
return -ENOMEM;
- if (copy_from_user(kbuf, buf, len)) {
- ret = -EFAULT;
- goto done;
- }
-
- kbuf[len] = '\0';
ret = op->execute(gcam, kbuf, len);
--
2.25.1
[PATCH -next] staging: rtl8723bs: os_dep: remove unused variable 'ret'
GCC reports the following warning with W=1:
drivers/staging/rtl8723bs/os_dep/recv_linux.c:101:6: warning:
variable ‘ret’ set but not used [-Wunused-but-set-variable]
101 | int ret;
| ^~~
This variable is not used in function , this commit
remove it to fix the warning.
Fixes: de69e2b3f105 ("staging: rtl8723bs: remove DBG_COUNTER calls from
os_dep/recv_linux.c")
Reported-by: Hulk Robot
Signed-off-by: Yang Yingliang
---
drivers/staging/rtl8723bs/os_dep/recv_linux.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/staging/rtl8723bs/os_dep/recv_linux.c
b/drivers/staging/rtl8723bs/os_dep/recv_linux.c
index fbdbcd04d44a..f6a9482be8e3 100644
--- a/drivers/staging/rtl8723bs/os_dep/recv_linux.c
+++ b/drivers/staging/rtl8723bs/os_dep/recv_linux.c
@@ -98,7 +98,6 @@ struct sk_buff *rtw_os_alloc_msdu_pkt(union recv_frame
*prframe, u16 nSubframe_L
void rtw_os_recv_indicate_pkt(struct adapter *padapter, struct sk_buff *pkt,
struct rx_pkt_attrib *pattrib)
{
struct mlme_priv *pmlmepriv = >mlmepriv;
- int ret;
/* Indicate the packets to upper layer */
if (pkt) {
@@ -140,7 +139,7 @@ void rtw_os_recv_indicate_pkt(struct adapter *padapter,
struct sk_buff *pkt, str
pkt->ip_summed = CHECKSUM_NONE;
- ret = rtw_netif_rx(padapter->pnetdev, pkt);
+ rtw_netif_rx(padapter->pnetdev, pkt);
}
}
--
2.25.1
[PATCH -next] PCI: endpoint: fix missing destroy_workqueue()
Add the missing destroy_workqueue() before return from
pci_epf_test_init() in the error handling case and add
destroy_workqueue() in pci_epf_test_exit().
Fixes: 349e7a85b25fa ("PCI: endpoint: functions: Add an EP function to test
PCI")
Reported-by: Hulk Robot
Signed-off-by: Yang Yingliang
---
drivers/pci/endpoint/functions/pci-epf-test.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/pci/endpoint/functions/pci-epf-test.c
b/drivers/pci/endpoint/functions/pci-epf-test.c
index 63d5f5c6e3e0..8e24b5e50e4b 100644
--- a/drivers/pci/endpoint/functions/pci-epf-test.c
+++ b/drivers/pci/endpoint/functions/pci-epf-test.c
@@ -922,6 +922,7 @@ static int __init pci_epf_test_init(void)
ret = pci_epf_register_driver(_driver);
if (ret) {
+ destroy_workqueue(kpcitest_workqueue);
pr_err("Failed to register pci epf test driver --> %d\n", ret);
return ret;
}
@@ -932,6 +933,8 @@ module_init(pci_epf_test_init);
static void __exit pci_epf_test_exit(void)
{
+ if (kpcitest_workqueue)
+ destroy_workqueue(kpcitest_workqueue);
pci_epf_unregister_driver(_driver);
}
module_exit(pci_epf_test_exit);
--
2.25.1
[PATCH -next] fs: 9p: fix wrong pointer passed to IS_ERR() and PTR_ERR()
IS_ERR() and PTR_ERR() use wrong pointer, it should be
writeback_fid, fix it.
Fixes: 5bfe97d7382b ("9p: Fix writeback fid incorrectly being attached to
dentry")
Reported-by: Hulk Robot
Signed-off-by: Yang Yingliang
---
fs/9p/vfs_file.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/9p/vfs_file.c b/fs/9p/vfs_file.c
index 649f04f112dc..59c32c9b799f 100644
--- a/fs/9p/vfs_file.c
+++ b/fs/9p/vfs_file.c
@@ -86,8 +86,8 @@ int v9fs_file_open(struct inode *inode, struct file *file)
* to work.
*/
writeback_fid = v9fs_writeback_fid(file_dentry(file));
- if (IS_ERR(fid)) {
- err = PTR_ERR(fid);
+ if (IS_ERR(writeback_fid)) {
+ err = PTR_ERR(writeback_fid);
mutex_unlock(>v_mutex);
goto out_error;
}
--
2.25.1
[PATCH -next] media: i2c: ov5648: fix wrong pointer passed to IS_ERR() and PTR_ERR()
IS_ERR() and PTR_ERR() use wrong pointer, it should be
sensor->dovdd, fix it.
Fixes: e43ccb0a045f ("media: i2c: Add support for the OV5648 image sensor")
Reported-by: Hulk Robot
Signed-off-by: Yang Yingliang
---
drivers/media/i2c/ov5648.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/media/i2c/ov5648.c b/drivers/media/i2c/ov5648.c
index dfe38ab8224d..db6f626f92fb 100644
--- a/drivers/media/i2c/ov5648.c
+++ b/drivers/media/i2c/ov5648.c
@@ -2494,9 +2494,9 @@ static int ov5648_probe(struct i2c_client *client)
/* DOVDD: digital I/O */
sensor->dovdd = devm_regulator_get(dev, "dovdd");
- if (IS_ERR(sensor->dvdd)) {
+ if (IS_ERR(sensor->dovdd)) {
dev_err(dev, "cannot get DOVDD (digital I/O) regulator\n");
- ret = PTR_ERR(sensor->dvdd);
+ ret = PTR_ERR(sensor->dovdd);
goto error_endpoint;
}
--
2.25.1
[PATCH -next] USB: gadget: udc: fix wrong pointer passed to IS_ERR() and PTR_ERR()
IS_ERR() and PTR_ERR() use wrong pointer, it should be
udc->virt_addr, fix it.
Fixes: 1b9f35adb0ff ("usb: gadget: udc: Add Synopsys UDC Platform driver")
Reported-by: Hulk Robot
Signed-off-by: Yang Yingliang
---
drivers/usb/gadget/udc/snps_udc_plat.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/usb/gadget/udc/snps_udc_plat.c
b/drivers/usb/gadget/udc/snps_udc_plat.c
index 32f1d3e90c26..99805d60a7ab 100644
--- a/drivers/usb/gadget/udc/snps_udc_plat.c
+++ b/drivers/usb/gadget/udc/snps_udc_plat.c
@@ -114,8 +114,8 @@ static int udc_plat_probe(struct platform_device *pdev)
res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
udc->virt_addr = devm_ioremap_resource(dev, res);
- if (IS_ERR(udc->regs))
- return PTR_ERR(udc->regs);
+ if (IS_ERR(udc->virt_addr))
+ return PTR_ERR(udc->virt_addr);
/* udc csr registers base */
udc->csr = udc->virt_addr + UDC_CSR_ADDR;
--
2.25.1
[PATCH -next] scsi: fnic: remove unnecessary spin_lock_init() and INIT_LIST_HEAD()
The spinlock and list head of fnic_list is initialized statically.
It is unnecessary to initialize by spin_lock_init() and INIT_LIST_HEAD().
Reported-by: Hulk Robot
Signed-off-by: Yang Yingliang
---
drivers/scsi/fnic/fnic_main.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/drivers/scsi/fnic/fnic_main.c b/drivers/scsi/fnic/fnic_main.c
index 186c3ab4456b..786f9d2704b6 100644
--- a/drivers/scsi/fnic/fnic_main.c
+++ b/drivers/scsi/fnic/fnic_main.c
@@ -1100,9 +1100,6 @@ static int __init fnic_init_module(void)
goto err_create_fnic_workq;
}
- spin_lock_init(_list_lock);
- INIT_LIST_HEAD(_list);
-
fnic_fip_queue = create_singlethread_workqueue("fnic_fip_q");
if (!fnic_fip_queue) {
printk(KERN_ERR PFX "fnic FIP work queue create failed\n");
--
2.25.1
[PATCH -next] fs: dlm: fix missing unlock on error in accept_from_sock()
Add the missing unlock before return from accept_from_sock()
in the error handling case.
Fixes: 6cde210a9758 ("fs: dlm: add helper for init connection")
Reported-by: Hulk Robot
Signed-off-by: Yang Yingliang
---
fs/dlm/lowcomms.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/dlm/lowcomms.c b/fs/dlm/lowcomms.c
index 73cc1809050a..166e36fcf3e4 100644
--- a/fs/dlm/lowcomms.c
+++ b/fs/dlm/lowcomms.c
@@ -931,6 +931,7 @@ static int accept_from_sock(struct listen_connection *con)
result = dlm_con_init(othercon, nodeid);
if (result < 0) {
kfree(othercon);
+ mutex_unlock(>sock_mutex);
goto accept_err;
}
--
2.25.1
[PATCH 3/3] arm64: lib: improve copy performance when size is less than 128 and ge 64 bytes
When copy less than 128 and ge than 64 bytes, add src/dst after load and store 64 bytes to improve performance. Copy 127 bytes cost on Kunpeng920 (ms): Without this patch: memcpy: 14.62 copy_from_user: 14.23 copy_to_user: 14.42 With this patch: memcpy: 13.85 copy_from_user: 13.26 copy_to_user: 13.84 It's about 5.27% improvement in memcpy(). Signed-off-by: Yang Yingliang --- arch/arm64/lib/copy_template.S | 18 ++ 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/arch/arm64/lib/copy_template.S b/arch/arm64/lib/copy_template.S index c3cd6f84c9c0..a9cbd47473f0 100644 --- a/arch/arm64/lib/copy_template.S +++ b/arch/arm64/lib/copy_template.S @@ -132,14 +132,16 @@ D_h .reqx14 * Less than 128 bytes to copy, so handle 64 here and then jump * to the tail. */ - ldp1A_l, A_h, src, #16 - stp1A_l, A_h, dst, #16 - ldp1B_l, B_h, src, #16 - ldp1C_l, C_h, src, #16 - stp1B_l, B_h, dst, #16 - stp1C_l, C_h, dst, #16 - ldp1D_l, D_h, src, #16 - stp1D_l, D_h, dst, #16 + ldp2A_l, A_h, src, #0, #8 + stp2A_l, A_h, dst, #0, #8 + ldp2B_l, B_h, src, #16, #24 + ldp2C_l, C_h, src, #32, #40 + stp2B_l, B_h, dst, #16, #24 + stp2C_l, C_h, dst, #32, #40 + ldp2D_l, D_h, src, #48, #56 + stp2D_l, D_h, dst, #48, #56 + add src, src, #64 + add dst, dst, #64 tst count, #0x3f b.ne.Ltail63 -- 2.25.1
[PATCH 0/3] arm64: lib: improve copy performance
This patchset reduce instructions in copy_template.S to improve the performance of copy memory, when size is ge 64 bytes. Yang Yingliang (3): arm64: lib: introduce ldp2/stp2 macro arm64: lib: improve copy performance when size is ge 128 bytes arm64: lib: improve copy performance when size is less than 128 and ge 64 bytes arch/arm64/include/asm/asm-uaccess.h | 16 + arch/arm64/lib/copy_from_user.S | 8 + arch/arm64/lib/copy_in_user.S| 8 + arch/arm64/lib/copy_template.S | 54 +++- arch/arm64/lib/copy_to_user.S| 8 + arch/arm64/lib/memcpy.S | 8 + 6 files changed, 78 insertions(+), 24 deletions(-) -- 2.25.1
[PATCH 1/3] arm64: lib: introduce ldp2/stp2 macro
Introduce ldp2/stp2 to load/store without add src/dst. Signed-off-by: Yang Yingliang --- arch/arm64/include/asm/asm-uaccess.h | 16 arch/arm64/lib/copy_from_user.S | 8 arch/arm64/lib/copy_in_user.S| 8 arch/arm64/lib/copy_to_user.S| 8 arch/arm64/lib/memcpy.S | 8 5 files changed, 48 insertions(+) diff --git a/arch/arm64/include/asm/asm-uaccess.h b/arch/arm64/include/asm/asm-uaccess.h index ccedf548dac9..129c08621df1 100644 --- a/arch/arm64/include/asm/asm-uaccess.h +++ b/arch/arm64/include/asm/asm-uaccess.h @@ -72,6 +72,14 @@ alternative_else_nop_endif _asm_extable8889b,\l; .endm + .macro user_ldp2 l, reg1, reg2, addr, post_inc1, post_inc2 +: ldtr\reg1, [\addr, \post_inc1]; +8889: ldtr\reg2, [\addr, \post_inc2]; + + _asm_extableb,\l; + _asm_extable8889b,\l; + .endm + .macro user_stp l, reg1, reg2, addr, post_inc : sttr\reg1, [\addr]; 8889: sttr\reg2, [\addr, #8]; @@ -81,6 +89,14 @@ alternative_else_nop_endif _asm_extable8889b,\l; .endm + .macro user_stp2 l, reg1, reg2, addr, post_inc1, post_inc2 +: sttr\reg1, [\addr, \post_inc1]; +8889: sttr\reg2, [\addr, \post_inc2]; + + _asm_extableb,\l; + _asm_extable8889b,\l; + .endm + .macro user_ldst l, inst, reg, addr, post_inc : \inst \reg, [\addr]; add \addr, \addr, \post_inc; diff --git a/arch/arm64/lib/copy_from_user.S b/arch/arm64/lib/copy_from_user.S index 95cd62d67371..37308bcb338e 100644 --- a/arch/arm64/lib/copy_from_user.S +++ b/arch/arm64/lib/copy_from_user.S @@ -48,10 +48,18 @@ user_ldp 9998f, \reg1, \reg2, \ptr, \val .endm + .macro ldp2 reg1, reg2, ptr, val1, val2 + user_ldp2 9998f, \reg1, \reg2, \ptr, \val1, \val2 + .endm + .macro stp1 reg1, reg2, ptr, val stp \reg1, \reg2, [\ptr], \val .endm + .macro stp2 reg1, reg2, ptr, val1, val2 + stp \reg1, \reg2, [\ptr, \val1] + .endm + end.reqx5 SYM_FUNC_START(__arch_copy_from_user) add end, x0, x2 diff --git a/arch/arm64/lib/copy_in_user.S b/arch/arm64/lib/copy_in_user.S index 1f61cd0df062..5654f7098102 100644 --- a/arch/arm64/lib/copy_in_user.S +++ b/arch/arm64/lib/copy_in_user.S @@ -49,10 +49,18 @@ user_ldp 9998f, \reg1, \reg2, \ptr, \val .endm + .macro ldp2 reg1, reg2, ptr, val1, val2 + user_ldp2 9998f, \reg1, \reg2, \ptr, \val1, \val2 + .endm + .macro stp1 reg1, reg2, ptr, val user_stp 9998f, \reg1, \reg2, \ptr, \val .endm + .macro stp2 reg1, reg2, ptr, val1, val2 + user_stp2 9998f, \reg1, \reg2, \ptr, \val1, \val2 + .endm + end.reqx5 SYM_FUNC_START(__arch_copy_in_user) diff --git a/arch/arm64/lib/copy_to_user.S b/arch/arm64/lib/copy_to_user.S index 043da90f5dd7..a1f95169ce04 100644 --- a/arch/arm64/lib/copy_to_user.S +++ b/arch/arm64/lib/copy_to_user.S @@ -47,10 +47,18 @@ ldp \reg1, \reg2, [\ptr], \val .endm + .macro ldp2 reg1, reg2, ptr, val1, val2 + ldp \reg1, \reg2, [\ptr, \val1] + .endm + .macro stp1 reg1, reg2, ptr, val user_stp 9998f, \reg1, \reg2, \ptr, \val .endm + .macro stp2 reg1, reg2, ptr, val1, val2 + user_stp2 9998f, \reg1, \reg2, \ptr, \val1, \val2 + .endm + end.reqx5 SYM_FUNC_START(__arch_copy_to_user) add end, x0, x2 diff --git a/arch/arm64/lib/memcpy.S b/arch/arm64/lib/memcpy.S index dc8d2a216a6e..9e0bfefd2673 100644 --- a/arch/arm64/lib/memcpy.S +++ b/arch/arm64/lib/memcpy.S @@ -52,10 +52,18 @@ ldp \reg1, \reg2, [\ptr], \val .endm + .macro ldp2 reg1, reg2, ptr, val1, val2 + ldp \reg1, \reg2, [\ptr, \val1] + .endm + .macro stp1 reg1, reg2, ptr, val stp \reg1, \reg2, [\ptr], \val .endm + .macro stp2 reg1, reg2, ptr, val1, val2 + stp \reg1, \reg2, [\ptr, \val1] + .endm + SYM_FUNC_START_ALIAS(__memcpy) SYM_FUNC_START_WEAK_PI(memcpy) #include "copy_template.S" -- 2.25.1
[PATCH 2/3] arm64: lib: improve copy performance when size is ge 128 bytes
When copy over 128 bytes, src/dst is added after each ldp/stp instruction, it will cost more time. To improve this, we only add src/dst after load or store 64 bytes. Copy 4096 bytes cost on Kunpeng920 (ms): Without this patch: memcpy: 143.85 copy_from_user: 172.69 copy_to_user: 199.23 With this patch: memcpy: 107.12 copy_from_user: 157.50 copy_to_user: 198.85 It's about 25% improvement in memcpy(). Signed-off-by: Yang Yingliang --- arch/arm64/lib/copy_template.S | 36 +++--- 1 file changed, 20 insertions(+), 16 deletions(-) diff --git a/arch/arm64/lib/copy_template.S b/arch/arm64/lib/copy_template.S index 488df234c49a..c3cd6f84c9c0 100644 --- a/arch/arm64/lib/copy_template.S +++ b/arch/arm64/lib/copy_template.S @@ -152,29 +152,33 @@ D_h .reqx14 .p2alignL1_CACHE_SHIFT .Lcpy_body_large: /* pre-get 64 bytes data. */ - ldp1A_l, A_h, src, #16 - ldp1B_l, B_h, src, #16 - ldp1C_l, C_h, src, #16 - ldp1D_l, D_h, src, #16 + ldp2A_l, A_h, src, #0, #8 + ldp2B_l, B_h, src, #16, #24 + ldp2C_l, C_h, src, #32, #40 + ldp2D_l, D_h, src, #48, #56 + add src, src, #64 1: /* * interlace the load of next 64 bytes data block with store of the last * loaded 64 bytes data. */ - stp1A_l, A_h, dst, #16 - ldp1A_l, A_h, src, #16 - stp1B_l, B_h, dst, #16 - ldp1B_l, B_h, src, #16 - stp1C_l, C_h, dst, #16 - ldp1C_l, C_h, src, #16 - stp1D_l, D_h, dst, #16 - ldp1D_l, D_h, src, #16 + stp2A_l, A_h, dst, #0, #8 + ldp2A_l, A_h, src, #0, #8 + stp2B_l, B_h, dst, #16, #24 + ldp2B_l, B_h, src, #16, #24 + stp2C_l, C_h, dst, #32, #40 + ldp2C_l, C_h, src, #32, #40 + stp2D_l, D_h, dst, #48, #56 + ldp2D_l, D_h, src, #48, #56 + add src, src, #64 + add dst, dst, #64 subscount, count, #64 b.ge1b - stp1A_l, A_h, dst, #16 - stp1B_l, B_h, dst, #16 - stp1C_l, C_h, dst, #16 - stp1D_l, D_h, dst, #16 + stp2A_l, A_h, dst, #0, #8 + stp2B_l, B_h, dst, #16, #24 + stp2C_l, C_h, dst, #32, #40 + stp2D_l, D_h, dst, #48, #56 + add dst, dst, #64 tst count, #0x3f b.ne.Ltail63 -- 2.25.1
[PATCH -next] crypto: hisilicon/hpre: fix link error
Fix the follow link error by select config CRYPTO_ECC and CRYPTO_ECDH.
ERROR: modpost: "ecc_get_curve25519"
[drivers/crypto/hisilicon/hpre/hisi_hpre.ko] undefined!
ERROR: modpost: "ecc_get_curve" [drivers/crypto/hisilicon/hpre/hisi_hpre.ko]
undefined!
ERROR: modpost: "crypto_ecdh_decode_key"
[drivers/crypto/hisilicon/hpre/hisi_hpre.ko] undefined!
Fixes: 90274769cf79 ("crypto: hisilicon/hpre - add 'CURVE25519' algorithm")
Fixes: 05e7b906aa7c ("crypto: hisilicon/hpre - add 'ECDH' algorithm")
Signed-off-by: Yang Yingliang
---
drivers/crypto/hisilicon/Kconfig | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/crypto/hisilicon/Kconfig b/drivers/crypto/hisilicon/Kconfig
index c45adb15ce8d..d87c89af2a7f 100644
--- a/drivers/crypto/hisilicon/Kconfig
+++ b/drivers/crypto/hisilicon/Kconfig
@@ -69,6 +69,8 @@ config CRYPTO_DEV_HISI_HPRE
select CRYPTO_DEV_HISI_QM
select CRYPTO_DH
select CRYPTO_RSA
+ select CRYPTO_ECC
+ select CRYPTO_ECDH
help
Support for HiSilicon HPRE(High Performance RSA Engine)
accelerator, which can accelerate RSA and DH algorithms.
--
2.25.1
Re: [PATCH 4.19 21/57] proc: dont allow async path resolution of /proc/self components
Hi, On 2020/12/1 16:53, Greg Kroah-Hartman wrote: From: Jens Axboe [ Upstream commit 8d4c3e76e3be11a64df95ddee52e99092d42fc19 ] If this is attempted by a kthread, then return -EOPNOTSUPP as we don't currently support that. Once we can get task_pid_ptr() doing the right thing, then this can go away again. https://www.spinics.net/lists/io-uring/msg05297.html This patch seems used for io-wq worker which is merged in v5.5-rc1, why we need this in linux-4.19.y ? Thanks, Yang Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin --- fs/proc/self.c | 7 +++ 1 file changed, 7 insertions(+) diff --git a/fs/proc/self.c b/fs/proc/self.c index cc6d4253399d1..7922edf70ce1a 100644 --- a/fs/proc/self.c +++ b/fs/proc/self.c @@ -16,6 +16,13 @@ static const char *proc_self_get_link(struct dentry *dentry, pid_t tgid = task_tgid_nr_ns(current, ns); char *name; + /* +* Not currently supported. Once we can inherit all of struct pid, +* we can allow this. +*/ + if (current->flags & PF_KTHREAD) + return ERR_PTR(-EOPNOTSUPP); + if (!tgid) return ERR_PTR(-ENOENT); /* max length of unsigned int in decimal + NULL term */
[tip: timers/core] clocksource/drivers/orion: Add missing clk_disable_unprepare() on error path
The following commit has been merged into the timers/core branch of tip:
Commit-ID: c1e6cad00aa2f17845e7270e38ff3cc82c7b022a
Gitweb:
https://git.kernel.org/tip/c1e6cad00aa2f17845e7270e38ff3cc82c7b022a
Author:Yang Yingliang
AuthorDate:Wed, 11 Nov 2020 14:47:06 +08:00
Committer: Daniel Lezcano
CommitterDate: Thu, 03 Dec 2020 19:16:26 +01:00
clocksource/drivers/orion: Add missing clk_disable_unprepare() on error path
After calling clk_prepare_enable(), clk_disable_unprepare() need
be called on error path.
Fixes: fbe4b3566ddc ("clocksource/drivers/orion: Convert init function...")
Reported-by: Hulk Robot
Signed-off-by: Yang Yingliang
Signed-off-by: Daniel Lezcano
Link:
https://lore.kernel.org/r/2020064706.3397156-1-yangyingli...@huawei.com
---
drivers/clocksource/timer-orion.c | 11 ---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/drivers/clocksource/timer-orion.c
b/drivers/clocksource/timer-orion.c
index d01ff41..5101e83 100644
--- a/drivers/clocksource/timer-orion.c
+++ b/drivers/clocksource/timer-orion.c
@@ -143,7 +143,8 @@ static int __init orion_timer_init(struct device_node *np)
irq = irq_of_parse_and_map(np, 1);
if (irq <= 0) {
pr_err("%pOFn: unable to parse timer1 irq\n", np);
- return -EINVAL;
+ ret = -EINVAL;
+ goto out_unprep_clk;
}
rate = clk_get_rate(clk);
@@ -160,7 +161,7 @@ static int __init orion_timer_init(struct device_node *np)
clocksource_mmio_readl_down);
if (ret) {
pr_err("Failed to initialize mmio timer\n");
- return ret;
+ goto out_unprep_clk;
}
sched_clock_register(orion_read_sched_clock, 32, rate);
@@ -170,7 +171,7 @@ static int __init orion_timer_init(struct device_node *np)
"orion_event", NULL);
if (ret) {
pr_err("%pOFn: unable to setup irq\n", np);
- return ret;
+ goto out_unprep_clk;
}
ticks_per_jiffy = (clk_get_rate(clk) + HZ/2) / HZ;
@@ -183,5 +184,9 @@ static int __init orion_timer_init(struct device_node *np)
orion_delay_timer_init(rate);
return 0;
+
+out_unprep_clk:
+ clk_disable_unprepare(clk);
+ return ret;
}
TIMER_OF_DECLARE(orion_timer, "marvell,orion-timer", orion_timer_init);
[PATCH v2] iommu: return error code when it can't get group
It's better to return error code if it can't get group
in iommu_probe_device(). It's no function change.
Reported-by: Hulk Robot
Signed-off-by: Yang Yingliang
---
drivers/iommu/iommu.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c
index b53446bb8c6b..6f4a32df90f6 100644
--- a/drivers/iommu/iommu.c
+++ b/drivers/iommu/iommu.c
@@ -253,8 +253,10 @@ int iommu_probe_device(struct device *dev)
goto err_out;
group = iommu_group_get(dev);
- if (!group)
+ if (!group) {
+ ret = -ENODEV;
goto err_release;
+ }
/*
* Try to allocate a default domain - needs support from the
--
2.25.1
Re: [PATCH] iommu: fix return error code in iommu_probe_device()
On 2020/11/25 19:35, Will Deacon wrote:
On Wed, Nov 25, 2020 at 09:54:34AM +0800, Yang Yingliang wrote:
On 2020/11/18 6:41, Will Deacon wrote:
On Tue, Nov 17, 2020 at 07:11:28PM +0800, Yang Yingliang wrote:
On 2020/11/17 17:40, Lu Baolu wrote:
On 2020/11/17 10:52, Yang Yingliang wrote:
If iommu_group_get() failed, it need return error code
in iommu_probe_device().
Fixes: cf193888bfbd ("iommu: Move new probe_device path...")
Reported-by: Hulk Robot
Signed-off-by: Yang Yingliang
---
drivers/iommu/iommu.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c
index b53446bb8c6b..6f4a32df90f6 100644
--- a/drivers/iommu/iommu.c
+++ b/drivers/iommu/iommu.c
@@ -253,8 +253,10 @@ int iommu_probe_device(struct device *dev)
goto err_out;
group = iommu_group_get(dev);
- if (!group)
+ if (!group) {
+ ret = -ENODEV;
Can you please explain why you use -ENODEV here?
Before 79659190ee97 ("iommu: Don't take group reference in
iommu_alloc_default_domain()"), in
iommu_alloc_default_domain(), if group is NULL, it will return -ENODEV.
Hmm. While I think the patch is ok, I'm not sure it qualifies as a fix.
Has iommu_probe_device() ever propagated this error? The commit you
identify in the 'Fixes:' tag doesn't seem to change this afaict.
I think after this commit 439945e74a4b ("iommu: Move default domain
allocation to iommu_probe_device()"),
That SHA doesn't exist in my tree (maybe you mean 6e1aa2049154?). But even
then, I'm not sure 6e1aa2049154 is actually broken if you look at the
interaction with group creation in __iommu_probe_device().
In fact, isn't that the case in mainline too? If __iommu_probe_device()
returns 0, then we _know_ a group exists and so iommu_group_get() will
succeed. I'm still happy with the patch in case this changes in future,
but it doesn't appear to be fixing anything. Do you agree?
Yes, I look into the __iommu_probe_device(), if it can't get group, it
will return error
first. Do I need send a v2 without the fix tag ?
Will
.
Re: [PATCH] iommu: fix return error code in iommu_probe_device()
On 2020/11/18 6:41, Will Deacon wrote:
On Tue, Nov 17, 2020 at 07:11:28PM +0800, Yang Yingliang wrote:
On 2020/11/17 17:40, Lu Baolu wrote:
On 2020/11/17 10:52, Yang Yingliang wrote:
If iommu_group_get() failed, it need return error code
in iommu_probe_device().
Fixes: cf193888bfbd ("iommu: Move new probe_device path...")
Reported-by: Hulk Robot
Signed-off-by: Yang Yingliang
---
drivers/iommu/iommu.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c
index b53446bb8c6b..6f4a32df90f6 100644
--- a/drivers/iommu/iommu.c
+++ b/drivers/iommu/iommu.c
@@ -253,8 +253,10 @@ int iommu_probe_device(struct device *dev)
goto err_out;
group = iommu_group_get(dev);
- if (!group)
+ if (!group) {
+ ret = -ENODEV;
Can you please explain why you use -ENODEV here?
Before 79659190ee97 ("iommu: Don't take group reference in
iommu_alloc_default_domain()"), in
iommu_alloc_default_domain(), if group is NULL, it will return -ENODEV.
Hmm. While I think the patch is ok, I'm not sure it qualifies as a fix.
Has iommu_probe_device() ever propagated this error? The commit you
identify in the 'Fixes:' tag doesn't seem to change this afaict.
I think after this commit 439945e74a4b ("iommu: Move default domain
allocation to iommu_probe_device()"),
iommu_probe_device() won't return error code if group is NULL. I can add
this fix tag in v2.
Will
.
[PATCH] Input: sunkbd - fix UAF in sunkbd_reinit()
fb fb fb fb fb fb fb fb fb
fb
[ 235.674072] >88812d475480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
fb
[ 235.676390] ^
[ 235.678576] 88812d475500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
fb
[ 235.680880] 88812d475580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
fb
[ 235.683221]
==
After sunkbd->tq is added to workqueue, before scheduled work finish, sunkbd is
freed by sunkbd_disconnect(), when sunkbd is used in sunkbd_reinit(), it causes
a UAF. Fix this by calling flush_scheduled_work() before free sunkbd.
This fixes CVE-2020-25669.
Signed-off-by: Yang Yingliang
---
drivers/input/keyboard/sunkbd.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/input/keyboard/sunkbd.c b/drivers/input/keyboard/sunkbd.c
index 27126e621eb6..b6222896acdf 100644
--- a/drivers/input/keyboard/sunkbd.c
+++ b/drivers/input/keyboard/sunkbd.c
@@ -316,6 +316,7 @@ static void sunkbd_disconnect(struct serio *serio)
{
struct sunkbd *sunkbd = serio_get_drvdata(serio);
+ flush_scheduled_work();
sunkbd_enable(sunkbd, false);
input_unregister_device(sunkbd->dev);
serio_close(serio);
--
2.17.1
Re: [PATCH] iommu: fix return error code in iommu_probe_device()
On 2020/11/17 17:40, Lu Baolu wrote:
Hi Yingliang,
On 2020/11/17 10:52, Yang Yingliang wrote:
If iommu_group_get() failed, it need return error code
in iommu_probe_device().
Fixes: cf193888bfbd ("iommu: Move new probe_device path...")
Reported-by: Hulk Robot
Signed-off-by: Yang Yingliang
---
drivers/iommu/iommu.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c
index b53446bb8c6b..6f4a32df90f6 100644
--- a/drivers/iommu/iommu.c
+++ b/drivers/iommu/iommu.c
@@ -253,8 +253,10 @@ int iommu_probe_device(struct device *dev)
goto err_out;
group = iommu_group_get(dev);
- if (!group)
+ if (!group) {
+ ret = -ENODEV;
Can you please explain why you use -ENODEV here?
Before 79659190ee97 ("iommu: Don't take group reference in
iommu_alloc_default_domain()"), in
iommu_alloc_default_domain(), if group is NULL, it will return -ENODEV.
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/iommu/iommu.c?h=v5.10-rc4=70b8170e55d3ca9503a53211967faee6b5f18b19
Best regards,
baolu
goto err_release;
+ }
/*
* Try to allocate a default domain - needs support from the
.
[PATCH] USB: gadget: legacy: fix return error code in acm_ms_bind()
If usb_otg_descriptor_alloc() failed, it need return ENOMEM.
Fixes: 578aa8a2b12c ("usb: gadget: acm_ms: allocate and init otg descriptor by
otg capabilities")
Reported-by: Hulk Robot
Signed-off-by: Yang Yingliang
---
drivers/usb/gadget/legacy/acm_ms.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/gadget/legacy/acm_ms.c
b/drivers/usb/gadget/legacy/acm_ms.c
index 59be2d8417c9..e8033e5f0c18 100644
--- a/drivers/usb/gadget/legacy/acm_ms.c
+++ b/drivers/usb/gadget/legacy/acm_ms.c
@@ -200,8 +200,10 @@ static int acm_ms_bind(struct usb_composite_dev *cdev)
struct usb_descriptor_header *usb_desc;
usb_desc = usb_otg_descriptor_alloc(gadget);
- if (!usb_desc)
+ if (!usb_desc) {
+ status = -ENOMEM;
goto fail_string_ids;
+ }
usb_otg_descriptor_init(gadget, usb_desc);
otg_desc[0] = usb_desc;
otg_desc[1] = NULL;
--
2.25.1
[PATCH] usb/max3421: fix return error code in max3421_probe()
retval may be reassigned to 0 after max3421_of_vbus_en_pin(),
if allocate memory failed after this, max3421_probe() cann't
return ENOMEM, fix this by moving assign retval afther max3421_probe().
Fixes: 721fdc83b31b ("usb: max3421: Add devicetree support")
Reported-by: Hulk Robot
Signed-off-by: Yang Yingliang
---
drivers/usb/host/max3421-hcd.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/host/max3421-hcd.c b/drivers/usb/host/max3421-hcd.c
index 0894f6caccb2..ebb8180b52ab 100644
--- a/drivers/usb/host/max3421-hcd.c
+++ b/drivers/usb/host/max3421-hcd.c
@@ -1847,7 +1847,7 @@ max3421_probe(struct spi_device *spi)
struct max3421_hcd *max3421_hcd;
struct usb_hcd *hcd = NULL;
struct max3421_hcd_platform_data *pdata = NULL;
- int retval = -ENOMEM;
+ int retval;
if (spi_setup(spi) < 0) {
dev_err(>dev, "Unable to setup SPI bus");
@@ -1889,6 +1889,7 @@ max3421_probe(struct spi_device *spi)
goto error;
}
+ retval = -ENOMEM;
hcd = usb_create_hcd(_hcd_desc, >dev,
dev_name(>dev));
if (!hcd) {
--
2.25.1
[PATCH] video: fbdev: atmel_lcdfb: fixe return error code in atmel_lcdfb_of_init()
If devm_kzalloc() failed after first time, atmel_lcdfb_of_init()
cann't return -ENOMEM, fix this by putting the error code in loop.
Fixes: b985172b328a ("video: atmel_lcdfb: add device tree suport")
Reported-by: Hulk Robot
Signed-off-by: Yang Yingliang
---
drivers/video/fbdev/atmel_lcdfb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/video/fbdev/atmel_lcdfb.c
b/drivers/video/fbdev/atmel_lcdfb.c
index 8c1d47e52b1a..355b6120dc4f 100644
--- a/drivers/video/fbdev/atmel_lcdfb.c
+++ b/drivers/video/fbdev/atmel_lcdfb.c
@@ -987,8 +987,8 @@ static int atmel_lcdfb_of_init(struct atmel_lcdfb_info
*sinfo)
}
INIT_LIST_HEAD(>pwr_gpios);
- ret = -ENOMEM;
for (i = 0; i < gpiod_count(dev, "atmel,power-control"); i++) {
+ ret = -ENOMEM;
gpiod = devm_gpiod_get_index(dev, "atmel,power-control",
i, GPIOD_ASIS);
if (IS_ERR(gpiod))
--
2.25.1
[PATCH] drm/omap: dmm_tiler: fix return error code in omap_dmm_probe()
Return -ENOMEM when allocating refill memory failed.
Fixes: 71e8831f6407 ("drm/omap: DMM/TILER support for OMAP4+ platform")
Reported-by: Hulk Robot
Signed-off-by: Yang Yingliang
---
drivers/gpu/drm/omapdrm/omap_dmm_tiler.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/gpu/drm/omapdrm/omap_dmm_tiler.c
b/drivers/gpu/drm/omapdrm/omap_dmm_tiler.c
index 42ec51bb7b1b..7f4317248812 100644
--- a/drivers/gpu/drm/omapdrm/omap_dmm_tiler.c
+++ b/drivers/gpu/drm/omapdrm/omap_dmm_tiler.c
@@ -889,6 +889,7 @@ static int omap_dmm_probe(struct platform_device *dev)
_dmm->refill_pa, GFP_KERNEL);
if (!omap_dmm->refill_va) {
dev_err(>dev, "could not allocate refill memory\n");
+ ret = -ENOMEM;
goto fail;
}
--
2.25.1
[PATCH] iommu: fix return error code in iommu_probe_device()
If iommu_group_get() failed, it need return error code
in iommu_probe_device().
Fixes: cf193888bfbd ("iommu: Move new probe_device path...")
Reported-by: Hulk Robot
Signed-off-by: Yang Yingliang
---
drivers/iommu/iommu.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c
index b53446bb8c6b..6f4a32df90f6 100644
--- a/drivers/iommu/iommu.c
+++ b/drivers/iommu/iommu.c
@@ -253,8 +253,10 @@ int iommu_probe_device(struct device *dev)
goto err_out;
group = iommu_group_get(dev);
- if (!group)
+ if (!group) {
+ ret = -ENODEV;
goto err_release;
+ }
/*
* Try to allocate a default domain - needs support from the
--
2.25.1
[PATCH] [media] omap4iss: return error code when omap4iss_get() failed
If omap4iss_get() failed, it need return error code in iss_probe().
Fixes: 59f0ad807681 ("[media] v4l: omap4iss: Add support for OMAP4...")
Reported-by: Hulk Robot
Signed-off-by: Yang Yingliang
---
drivers/staging/media/omap4iss/iss.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/staging/media/omap4iss/iss.c
b/drivers/staging/media/omap4iss/iss.c
index e06ea7ea1e50..3dac35f68238 100644
--- a/drivers/staging/media/omap4iss/iss.c
+++ b/drivers/staging/media/omap4iss/iss.c
@@ -1236,8 +1236,10 @@ static int iss_probe(struct platform_device *pdev)
if (ret < 0)
goto error;
- if (!omap4iss_get(iss))
+ if (!omap4iss_get(iss)) {
+ ret = -EINVAL;
goto error;
+ }
ret = iss_reset(iss);
if (ret < 0)
--
2.25.1
[PATCH] speakup: fix uninitialized flush_lock
The flush_lock is uninitialized, use DEFINE_SPINLOCK
to define and initialize flush_lock.
Fixes: c6e3fd22cd53 ("Staging: add speakup to the staging directory")
Reported-by: Hulk Robot
Signed-off-by: Yang Yingliang
---
drivers/accessibility/speakup/speakup_dectlk.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/accessibility/speakup/speakup_dectlk.c
b/drivers/accessibility/speakup/speakup_dectlk.c
index 780214b5ca16..ab6d61e80b1c 100644
--- a/drivers/accessibility/speakup/speakup_dectlk.c
+++ b/drivers/accessibility/speakup/speakup_dectlk.c
@@ -37,7 +37,7 @@ static unsigned char get_index(struct spk_synth *synth);
static int in_escape;
static int is_flushing;
-static spinlock_t flush_lock;
+static DEFINE_SPINLOCK(flush_lock);
static DECLARE_WAIT_QUEUE_HEAD(flush);
static struct var_t vars[] = {
--
2.25.1
[PATCH] clocksource/drivers/orion: add missing clk_disable_unprepare() on error path
After calling clk_prepare_enable(), clk_disable_unprepare() need
be called on error path.
Fixes: fbe4b3566ddc ("clocksource/drivers/orion: Convert init function...")
Reported-by: Hulk Robot
Signed-off-by: Yang Yingliang
---
drivers/clocksource/timer-orion.c | 11 ---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/drivers/clocksource/timer-orion.c
b/drivers/clocksource/timer-orion.c
index d01ff4181867..5101e834d78f 100644
--- a/drivers/clocksource/timer-orion.c
+++ b/drivers/clocksource/timer-orion.c
@@ -143,7 +143,8 @@ static int __init orion_timer_init(struct device_node *np)
irq = irq_of_parse_and_map(np, 1);
if (irq <= 0) {
pr_err("%pOFn: unable to parse timer1 irq\n", np);
- return -EINVAL;
+ ret = -EINVAL;
+ goto out_unprep_clk;
}
rate = clk_get_rate(clk);
@@ -160,7 +161,7 @@ static int __init orion_timer_init(struct device_node *np)
clocksource_mmio_readl_down);
if (ret) {
pr_err("Failed to initialize mmio timer\n");
- return ret;
+ goto out_unprep_clk;
}
sched_clock_register(orion_read_sched_clock, 32, rate);
@@ -170,7 +171,7 @@ static int __init orion_timer_init(struct device_node *np)
"orion_event", NULL);
if (ret) {
pr_err("%pOFn: unable to setup irq\n", np);
- return ret;
+ goto out_unprep_clk;
}
ticks_per_jiffy = (clk_get_rate(clk) + HZ/2) / HZ;
@@ -183,5 +184,9 @@ static int __init orion_timer_init(struct device_node *np)
orion_delay_timer_init(rate);
return 0;
+
+out_unprep_clk:
+ clk_disable_unprepare(clk);
+ return ret;
}
TIMER_OF_DECLARE(orion_timer, "marvell,orion-timer", orion_timer_init);
--
2.25.1
[PATCH] drm/panel: add missing platform_driver_unregister() on error path
If mipi_dsi_driver_register() failed, platform_driver_unregister()
need be called.
Fixes: 210fcd9d9cf1 ("drm/panel: Add support for Panasonic VVX10F004B0")
Reported-by: Hulk Robot
Signed-off-by: Yang Yingliang
---
drivers/gpu/drm/panel/panel-simple.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/panel/panel-simple.c
b/drivers/gpu/drm/panel/panel-simple.c
index 2be358fb46f7..2966ac13c538 100644
--- a/drivers/gpu/drm/panel/panel-simple.c
+++ b/drivers/gpu/drm/panel/panel-simple.c
@@ -4644,8 +4644,10 @@ static int __init panel_simple_init(void)
if (IS_ENABLED(CONFIG_DRM_MIPI_DSI)) {
err = mipi_dsi_driver_register(_simple_dsi_driver);
- if (err < 0)
+ if (err < 0) {
+
platform_driver_unregister(_simple_platform_driver);
return err;
+ }
}
return 0;
--
2.25.1
Re: [PATCH resend] vgacon: fix a UAF in do_update_region()
20001f40 = 0; *(uint64_t*)0x20001f48 = 0; *(uint64_t*)0x20001f50 = 0; *(uint64_t*)0x20001f58 = 0; *(uint64_t*)0x20001f60 = 0; *(uint64_t*)0x20001f68 = 0; *(uint64_t*)0x20001f70 = 0; *(uint64_t*)0x20001f78 = 0; *(uint64_t*)0x20001f80 = 0; *(uint64_t*)0x20001f88 = 0; *(uint64_t*)0x20001f90 = 0; *(uint64_t*)0x20001f98 = 0; *(uint64_t*)0x20001fa0 = 0; *(uint64_t*)0x20001fa8 = 0; *(uint64_t*)0x20001fb0 = 0; *(uint64_t*)0x20001fb8 = 0; *(uint64_t*)0x20001fc0 = 0; *(uint64_t*)0x20001fc8 = 0; *(uint64_t*)0x20001fd0 = 0; *(uint64_t*)0x20001fd8 = 0; *(uint64_t*)0x20001fe0 = 0; *(uint64_t*)0x20001fe8 = 0; *(uint64_t*)0x20001ff0 = 0; *(uint64_t*)0x20001ff8 = 0; *(uint64_t*)0x20002000 = 0; *(uint64_t*)0x20002008 = 0; *(uint64_t*)0x20002010 = 0; *(uint64_t*)0x20002018 = 0; *(uint64_t*)0x20002020 = 0; *(uint64_t*)0x20002028 = 0; *(uint64_t*)0x20002030 = 0; *(uint64_t*)0x20002038 = 0; *(uint64_t*)0x20002040 = 0; *(uint64_t*)0x20002048 = 0; *(uint64_t*)0x20002050 = 0; *(uint64_t*)0x20002058 = 0; *(uint64_t*)0x20002060 = 0; *(uint64_t*)0x20002068 = 0; *(uint64_t*)0x20002070 = 0; *(uint64_t*)0x20002078 = 0; *(uint64_t*)0x20002080 = 0; *(uint64_t*)0x20002088 = 0; *(uint64_t*)0x20002090 = 0; *(uint64_t*)0x20002098 = 0; *(uint64_t*)0x200020a0 = 0; *(uint64_t*)0x200020a8 = 0; *(uint64_t*)0x200020b0 = 0; syscall(__NR_write, r[3], 0x2840ul, 0x1878ul); return 0; } On 2020/10/20 17:02, Yang Yingliang wrote: I got a UAF report in do_update_region() when I doing fuzz test. [ 51.161905] BUG: KASAN: use-after-free in do_update_region+0x579/0x600 [ 51.161918] Read of size 2 at addr 88800010 by task test/295 [ 51.161957] CPU: 2 PID: 295 Comm: test Not tainted 5.7.0+ #975 [ 51.161969] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 [ 51.161976] Call Trace: [ 51.162001] dump_stack+0xc6/0x11e [ 51.162019] ? do_update_region+0x579/0x600 [ 51.162047] print_address_description.constprop.6+0x1a/0x220 [ 51.162083] ? vprintk_func+0x66/0xed [ 51.162100] ? do_update_region+0x579/0x600 [ 51.162112] ? do_update_region+0x579/0x600 [ 51.162128] kasan_report.cold.9+0x37/0x7c [ 51.162151] ? do_update_region+0x579/0x600 [ 51.162173] do_update_region+0x579/0x600 [ 51.162207] ? con_get_trans_old+0x230/0x230 [ 51.162229] ? retint_kernel+0x10/0x10 [ 51.162278] csi_J+0x557/0xa00 [ 51.162307] do_con_trol+0x49af/0x5cc0 [ 51.162330] ? lock_downgrade+0x720/0x720 [ 51.162347] ? reset_palette+0x1b0/0x1b0 [ 51.162369] ? lockdep_hardirqs_on_prepare+0x379/0x540 [ 51.162393] ? notifier_call_chain+0x11b/0x160 [ 51.162438] do_con_write.part.24+0xb0a/0x1a30 [ 51.162501] ? do_con_trol+0x5cc0/0x5cc0 [ 51.162522] ? console_unlock+0x7b8/0xb00 [ 51.162555] ? __mutex_unlock_slowpath+0xd4/0x670 [ 51.162574] ? this_tty+0xe0/0xe0 [ 51.162589] ? console_unlock+0x559/0xb00 [ 51.162605] ? wait_for_completion+0x260/0x260 [ 51.162638] con_write+0x31/0xb0 [ 51.162658] n_tty_write+0x4fa/0xd40 [ 51.162710] ? n_tty_read+0x1800/0x1800 [ 51.162730] ? prepare_to_wait_exclusive+0x270/0x270 [ 51.162754] ? __might_fault+0x175/0x1b0 [ 51.162783] tty_write+0x42b/0x8d0 [ 51.162795] ? n_tty_read+0x1800/0x1800 [ 51.162825] ? tty_lookup_driver+0x450/0x450 [ 51.162848] __vfs_write+0x7c/0x100 [ 51.162875] vfs_write+0x1c9/0x510 [ 51.162901] ksys_write+0xff/0x200 [ 51.162918] ? __ia32_sys_read+0xb0/0xb0 [ 51.162940] ? do_syscall_64+0x1a/0x520 [ 51.162957] ? lockdep_hardirqs_on_prepare+0x379/0x540 [ 51.162984] do_syscall_64+0xa1/0x520 [ 51.163008] entry_SYSCALL_64_after_hwframe+0x49/0xb3 After vgacon_set_origin() is called in set_origin(), the vc_origin is set to vga_vram_base, the vc_pos should between vga_vram_base and vga_vram_end. But we still use vc_screenbuf_size, if the vga_vram_size is smaller than vc_screenbuf_size, vc_pos may be out of bound, using it will cause a use-after-free(or out-of-bounds). Fix this by calling vc_resize() if vga_vram_size is smaller than vc_screenbuf_size. Signed-off-by: Yang Yingliang --- drivers/video/console/vgacon.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/video/console/vgacon.c b/drivers/video/console/vgacon.c index 998b0de..2ee3d62 100644 --- a/drivers/video/console/vgacon.c +++ b/drivers/video/console/vgacon.c @@ -1336,6 +1336,9 @@ static int vgacon_set_origin(struct vc_data *c) if (vga_is_gfx || /* We don't play origin tricks in graphic modes */ (console_blanked && !vga_palette_blanked)) /* Nor we write to blanked screens */ return 0; + + if (c->vc_screenbuf_size > vga_vram_size) + vc_resize(c, screen_info.orig_video_cols, screen_info.orig_video_lines); c->vc_origin = c->vc_visible_origin = vga_vram_base; vga_set_mem_top(c); vga_rolled_over = 0; .
[PATCH resend] vgacon: fix a UAF in do_update_region()
I got a UAF report in do_update_region() when I doing fuzz test. [ 51.161905] BUG: KASAN: use-after-free in do_update_region+0x579/0x600 [ 51.161918] Read of size 2 at addr 88800010 by task test/295 [ 51.161957] CPU: 2 PID: 295 Comm: test Not tainted 5.7.0+ #975 [ 51.161969] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 [ 51.161976] Call Trace: [ 51.162001] dump_stack+0xc6/0x11e [ 51.162019] ? do_update_region+0x579/0x600 [ 51.162047] print_address_description.constprop.6+0x1a/0x220 [ 51.162083] ? vprintk_func+0x66/0xed [ 51.162100] ? do_update_region+0x579/0x600 [ 51.162112] ? do_update_region+0x579/0x600 [ 51.162128] kasan_report.cold.9+0x37/0x7c [ 51.162151] ? do_update_region+0x579/0x600 [ 51.162173] do_update_region+0x579/0x600 [ 51.162207] ? con_get_trans_old+0x230/0x230 [ 51.162229] ? retint_kernel+0x10/0x10 [ 51.162278] csi_J+0x557/0xa00 [ 51.162307] do_con_trol+0x49af/0x5cc0 [ 51.162330] ? lock_downgrade+0x720/0x720 [ 51.162347] ? reset_palette+0x1b0/0x1b0 [ 51.162369] ? lockdep_hardirqs_on_prepare+0x379/0x540 [ 51.162393] ? notifier_call_chain+0x11b/0x160 [ 51.162438] do_con_write.part.24+0xb0a/0x1a30 [ 51.162501] ? do_con_trol+0x5cc0/0x5cc0 [ 51.162522] ? console_unlock+0x7b8/0xb00 [ 51.162555] ? __mutex_unlock_slowpath+0xd4/0x670 [ 51.162574] ? this_tty+0xe0/0xe0 [ 51.162589] ? console_unlock+0x559/0xb00 [ 51.162605] ? wait_for_completion+0x260/0x260 [ 51.162638] con_write+0x31/0xb0 [ 51.162658] n_tty_write+0x4fa/0xd40 [ 51.162710] ? n_tty_read+0x1800/0x1800 [ 51.162730] ? prepare_to_wait_exclusive+0x270/0x270 [ 51.162754] ? __might_fault+0x175/0x1b0 [ 51.162783] tty_write+0x42b/0x8d0 [ 51.162795] ? n_tty_read+0x1800/0x1800 [ 51.162825] ? tty_lookup_driver+0x450/0x450 [ 51.162848] __vfs_write+0x7c/0x100 [ 51.162875] vfs_write+0x1c9/0x510 [ 51.162901] ksys_write+0xff/0x200 [ 51.162918] ? __ia32_sys_read+0xb0/0xb0 [ 51.162940] ? do_syscall_64+0x1a/0x520 [ 51.162957] ? lockdep_hardirqs_on_prepare+0x379/0x540 [ 51.162984] do_syscall_64+0xa1/0x520 [ 51.163008] entry_SYSCALL_64_after_hwframe+0x49/0xb3 After vgacon_set_origin() is called in set_origin(), the vc_origin is set to vga_vram_base, the vc_pos should between vga_vram_base and vga_vram_end. But we still use vc_screenbuf_size, if the vga_vram_size is smaller than vc_screenbuf_size, vc_pos may be out of bound, using it will cause a use-after-free(or out-of-bounds). Fix this by calling vc_resize() if vga_vram_size is smaller than vc_screenbuf_size. Signed-off-by: Yang Yingliang --- drivers/video/console/vgacon.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/video/console/vgacon.c b/drivers/video/console/vgacon.c index 998b0de..2ee3d62 100644 --- a/drivers/video/console/vgacon.c +++ b/drivers/video/console/vgacon.c @@ -1336,6 +1336,9 @@ static int vgacon_set_origin(struct vc_data *c) if (vga_is_gfx || /* We don't play origin tricks in graphic modes */ (console_blanked && !vga_palette_blanked)) /* Nor we write to blanked screens */ return 0; + + if (c->vc_screenbuf_size > vga_vram_size) + vc_resize(c, screen_info.orig_video_cols, screen_info.orig_video_lines); c->vc_origin = c->vc_visible_origin = vga_vram_base; vga_set_mem_top(c); vga_rolled_over = 0;
[PATCH -next v2] tty: hvc: fix link error with CONFIG_SERIAL_CORE_CONSOLE=n
aarch64-linux-gnu-ld: drivers/tty/hvc/hvc_dcc.o: in function `dcc_early_write':
hvc_dcc.c:(.text+0x164): undefined reference to `uart_console_write'
The driver uses the uart_console_write(), but SERIAL_CORE_CONSOLE is not
selected, so uart_console_write is not defined, then we get the error.
Fix this by selecting SERIAL_CORE_CONSOLE.
Fixes: d1a1af2cdf19 ("hvc: dcc: Add earlycon support")
Reported-by: Hulk Robot
Signed-off-by: Yang Yingliang
---
drivers/tty/hvc/Kconfig | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/tty/hvc/Kconfig b/drivers/tty/hvc/Kconfig
index d1b27b0522a3..8d60e0ff67b4 100644
--- a/drivers/tty/hvc/Kconfig
+++ b/drivers/tty/hvc/Kconfig
@@ -81,6 +81,7 @@ config HVC_DCC
bool "ARM JTAG DCC console"
depends on ARM || ARM64
select HVC_DRIVER
+ select SERIAL_CORE_CONSOLE
help
This console uses the JTAG DCC on ARM to create a console under the
HVC
driver. This console is used through a JTAG only on ARM. If you don't
have
--
2.25.1
[PATCH -next v2] tty: serial: imx: fix link error with CONFIG_SERIAL_CORE_CONSOLE=n
aarch64-linux-gnu-ld: drivers/tty/serial/imx_earlycon.o: in function
`imx_uart_console_early_write':
imx_earlycon.c:(.text+0x84): undefined reference to `uart_console_write'
The driver uses the uart_console_write(), but SERIAL_CORE_CONSOLE is not
selected, so uart_console_write is not defined, then we get the error.
Fix this by selecting SERIAL_CORE_CONSOLE.
Fixes: 699cc4dfd140 ("tty: serial: imx: add imx earlycon driver")
Reported-by: Hulk Robot
Signed-off-by: Yang Yingliang
---
drivers/tty/serial/Kconfig | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/tty/serial/Kconfig b/drivers/tty/serial/Kconfig
index 9631ccf43378..1044fc387691 100644
--- a/drivers/tty/serial/Kconfig
+++ b/drivers/tty/serial/Kconfig
@@ -521,6 +521,7 @@ config SERIAL_IMX_EARLYCON
depends on ARCH_MXC || COMPILE_TEST
depends on OF
select SERIAL_EARLYCON
+ select SERIAL_CORE_CONSOLE
help
If you have enabled the earlycon on the Freescale IMX
CPU you can make it the earlycon by answering Y to this option.
--
2.25.1
Re: [PATCH -next] tty: hvc: fix link error with CONFIG_SERIAL_CORE_CONSOLE=n
On 2020/9/18 19:17, Greg KH wrote:
On Fri, Sep 18, 2020 at 05:20:30PM +0800, Yang Yingliang wrote:
Fix the link error by selecting SERIAL_CORE_CONSOLE.
aarch64-linux-gnu-ld: drivers/tty/hvc/hvc_dcc.o: in function `dcc_early_write':
hvc_dcc.c:(.text+0x164): undefined reference to `uart_console_write'
Reported-by: Hulk Robot
Signed-off-by: Yang Yingliang
---
drivers/tty/hvc/Kconfig | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/tty/hvc/Kconfig b/drivers/tty/hvc/Kconfig
index d1b27b0522a3..8d60e0ff67b4 100644
--- a/drivers/tty/hvc/Kconfig
+++ b/drivers/tty/hvc/Kconfig
@@ -81,6 +81,7 @@ config HVC_DCC
bool "ARM JTAG DCC console"
depends on ARM || ARM64
select HVC_DRIVER
+ select SERIAL_CORE_CONSOLE
help
This console uses the JTAG DCC on ARM to create a console under the
HVC
driver. This console is used through a JTAG only on ARM. If you don't
have
--
2.25.1
Same question here, what caused this problem to happen?
Fixes: d1a1af2cdf19 ("hvc: dcc: Add earlycon support")
thanks,
greg k-h
.
Re: [PATCH -next] tty: serial: imx: fix link error with CONFIG_SERIAL_CORE_CONSOLE=n
Hi,
On 2020/9/18 19:16, Greg KH wrote:
On Fri, Sep 18, 2020 at 05:13:05PM +0800, Yang Yingliang wrote:
Fix the link error by selecting SERIAL_CORE_CONSOLE.
aarch64-linux-gnu-ld: drivers/tty/serial/imx_earlycon.o: in function
`imx_uart_console_early_write':
imx_earlycon.c:(.text+0x84): undefined reference to `uart_console_write'
Reported-by: Hulk Robot
Signed-off-by: Yang Yingliang
---
drivers/tty/serial/Kconfig | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/tty/serial/Kconfig b/drivers/tty/serial/Kconfig
index 9631ccf43378..1044fc387691 100644
--- a/drivers/tty/serial/Kconfig
+++ b/drivers/tty/serial/Kconfig
@@ -521,6 +521,7 @@ config SERIAL_IMX_EARLYCON
depends on ARCH_MXC || COMPILE_TEST
depends on OF
select SERIAL_EARLYCON
+ select SERIAL_CORE_CONSOLE
help
If you have enabled the earlycon on the Freescale IMX
CPU you can make it the earlycon by answering Y to this option.
--
2.25.1
What caused this build error to start happening? Any pointers to the
specific commit?
It's start from 699cc4dfd140 ("tty: serial: imx: add imx earlycon
driver"), the driver
uses the uart_console_write(), but SERIAL_CORE_CONSOLE is not selected,
so uart_console_write
is not defined, then we get the error.
thanks,
greg k-h
.
[PATCH -next] tty: hvc: fix link error with CONFIG_SERIAL_CORE_CONSOLE=n
Fix the link error by selecting SERIAL_CORE_CONSOLE. aarch64-linux-gnu-ld: drivers/tty/hvc/hvc_dcc.o: in function `dcc_early_write': hvc_dcc.c:(.text+0x164): undefined reference to `uart_console_write' Reported-by: Hulk Robot Signed-off-by: Yang Yingliang --- drivers/tty/hvc/Kconfig | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/tty/hvc/Kconfig b/drivers/tty/hvc/Kconfig index d1b27b0522a3..8d60e0ff67b4 100644 --- a/drivers/tty/hvc/Kconfig +++ b/drivers/tty/hvc/Kconfig @@ -81,6 +81,7 @@ config HVC_DCC bool "ARM JTAG DCC console" depends on ARM || ARM64 select HVC_DRIVER + select SERIAL_CORE_CONSOLE help This console uses the JTAG DCC on ARM to create a console under the HVC driver. This console is used through a JTAG only on ARM. If you don't have -- 2.25.1
[PATCH -next] tty: serial: imx: fix link error with CONFIG_SERIAL_CORE_CONSOLE=n
Fix the link error by selecting SERIAL_CORE_CONSOLE. aarch64-linux-gnu-ld: drivers/tty/serial/imx_earlycon.o: in function `imx_uart_console_early_write': imx_earlycon.c:(.text+0x84): undefined reference to `uart_console_write' Reported-by: Hulk Robot Signed-off-by: Yang Yingliang --- drivers/tty/serial/Kconfig | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/tty/serial/Kconfig b/drivers/tty/serial/Kconfig index 9631ccf43378..1044fc387691 100644 --- a/drivers/tty/serial/Kconfig +++ b/drivers/tty/serial/Kconfig @@ -521,6 +521,7 @@ config SERIAL_IMX_EARLYCON depends on ARCH_MXC || COMPILE_TEST depends on OF select SERIAL_EARLYCON + select SERIAL_CORE_CONSOLE help If you have enabled the earlycon on the Freescale IMX CPU you can make it the earlycon by answering Y to this option. -- 2.25.1
[PATCH -next] drm/amd/display: remove unused variable in amdgpu_dm.c
Fix the compile warning:
drivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm.c:892:26: warning:
variable ‘stream’ set but not used [-Wunused-but-set-variable]
struct dc_stream_state *stream;
^~
Reported-by: Hulk Robot
Signed-off-by: Yang Yingliang
---
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
index bb1bc7f5d149..7d9e8c311879 100644
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
@@ -889,7 +889,6 @@ static void
amdgpu_check_debugfs_connector_property_change(struct amdgpu_device
struct drm_connector_state *conn_state;
struct dm_crtc_state *acrtc_state;
struct drm_crtc_state *crtc_state;
- struct dc_stream_state *stream;
struct drm_device *dev = adev_to_drm(adev);
list_for_each_entry(connector, >mode_config.connector_list, head) {
@@ -906,8 +905,6 @@ static void
amdgpu_check_debugfs_connector_property_change(struct amdgpu_device
if (!(acrtc_state && acrtc_state->stream))
continue;
- stream = acrtc_state->stream;
-
if (amdgpu_dm_connector->dsc_settings.dsc_force_enable ||
amdgpu_dm_connector->dsc_settings.dsc_num_slices_v ||
amdgpu_dm_connector->dsc_settings.dsc_num_slices_h ||
--
2.25.1
[PATCH -next] drm/amd/display: remove unused variable in dcn30_hwseq.c
Fix the compile warning:
drivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_hwseq.c:322:27: warning:
variable ‘optc’ set but not used [-Wunused-but-set-variable]
struct timing_generator *optc;
^~~~
drivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_hwseq.c:641:7: warning:
variable ‘is_dp’ set but not used [-Wunused-but-set-variable]
bool is_dp;
^
Reported-by: Hulk Robot
Signed-off-by: Yang Yingliang
---
drivers/gpu/drm/amd/display/dc/dcn30/dcn30_hwseq.c | 5 -
1 file changed, 5 deletions(-)
diff --git a/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_hwseq.c
b/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_hwseq.c
index 204773ffc376..f875b1e98dd3 100644
--- a/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_hwseq.c
+++ b/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_hwseq.c
@@ -319,13 +319,10 @@ void dcn30_enable_writeback(
{
struct dwbc *dwb;
struct mcif_wb *mcif_wb;
- struct timing_generator *optc;
dwb = dc->res_pool->dwbc[wb_info->dwb_pipe_inst];
mcif_wb = dc->res_pool->mcif_wb[wb_info->dwb_pipe_inst];
- /* set the OPTC source mux */
- optc = dc->res_pool->timing_generators[dwb->otg_inst];
DC_LOG_DWB("%s dwb_pipe_inst = %d, mpcc_inst = %d",\
__func__, wb_info->dwb_pipe_inst,\
wb_info->mpcc_inst);
@@ -638,7 +635,6 @@ void dcn30_set_avmute(struct pipe_ctx *pipe_ctx, bool
enable)
void dcn30_update_info_frame(struct pipe_ctx *pipe_ctx)
{
bool is_hdmi_tmds;
- bool is_dp;
ASSERT(pipe_ctx->stream);
@@ -646,7 +642,6 @@ void dcn30_update_info_frame(struct pipe_ctx *pipe_ctx)
return; /* this is not root pipe */
is_hdmi_tmds = dc_is_hdmi_tmds_signal(pipe_ctx->stream->signal);
- is_dp = dc_is_dp_signal(pipe_ctx->stream->signal);
if (!is_hdmi_tmds)
return;
--
2.25.1
[PATCH -next v2] powerpc/book3s64: fix link error with CONFIG_PPC_RADIX_MMU=n
Fix link error when CONFIG_PPC_RADIX_MMU is disabled:
powerpc64-linux-gnu-ld: arch/powerpc/platforms/pseries/lpar.o:(.toc+0x0):
undefined reference to `mmu_pid_bits'
Reported-by: Hulk Robot
Signed-off-by: Yang Yingliang
---
v2:
- enclose radix_init_pseries with CONFIG_PPC_RADIX_MMU
- remove CONFIG_PPC_RADIX_MMU in radix__init_new_context()
---
arch/powerpc/platforms/pseries/lpar.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/powerpc/platforms/pseries/lpar.c
b/arch/powerpc/platforms/pseries/lpar.c
index baf24eacd268..764170fdb0f7 100644
--- a/arch/powerpc/platforms/pseries/lpar.c
+++ b/arch/powerpc/platforms/pseries/lpar.c
@@ -1724,6 +1724,7 @@ void __init hpte_init_pseries(void)
pseries_lpar_register_process_table(0, 0, 0);
}
+#ifdef CONFIG_PPC_RADIX_MMU
void radix_init_pseries(void)
{
pr_info("Using radix MMU under hypervisor\n");
@@ -1731,6 +1732,7 @@ void radix_init_pseries(void)
pseries_lpar_register_process_table(__pa(process_tb),
0, PRTB_SIZE_SHIFT - 12);
}
+#endif
#ifdef CONFIG_PPC_SMLPAR
#define CMO_FREE_HINT_DEFAULT 1
--
2.25.1
Re: [PATCH -next] powerpc/book3s64: fix link error with CONFIG_PPC_RADIX_MMU=n
On 2020/9/6 14:50, Christophe Leroy wrote:
Le 05/09/2020 à 13:25, Yang Yingliang a écrit :
Fix link error when CONFIG_PPC_RADIX_MMU is disabled:
powerpc64-linux-gnu-ld:
arch/powerpc/platforms/pseries/lpar.o:(.toc+0x0): undefined reference
to `mmu_pid_bits'
Reported-by: Hulk Robot
Signed-off-by: Yang Yingliang
---
arch/powerpc/mm/book3s64/mmu_context.c | 4
In your commit log, you are just mentionning
arch/powerpc/platforms/pseries/lpar.o, which is right.
You shouldn't need to modify arch/powerpc/mm/book3s64/mmu_context.c at
all, see below.
arch/powerpc/platforms/pseries/lpar.c | 2 ++
2 files changed, 6 insertions(+)
diff --git a/arch/powerpc/mm/book3s64/mmu_context.c
b/arch/powerpc/mm/book3s64/mmu_context.c
index 0ba30b8b935b..a8e292cd88f0 100644
--- a/arch/powerpc/mm/book3s64/mmu_context.c
+++ b/arch/powerpc/mm/book3s64/mmu_context.c
@@ -152,6 +152,7 @@ void hash__setup_new_exec(void)
static int radix__init_new_context(struct mm_struct *mm)
{
+#ifdef CONFIG_PPC_RADIX_MMU
This shouldn't be required. radix__init_new_context() is only called
when radix_enabled() returns true.
As it is a static function, when it is not called it gets optimised
away, so you will never get an undefined reference to `mmu_pid_bits`
there.
powerpc64-linux-gnu-ld:
arch/powerpc/mm/book3s64/mmu_context.o:(.toc+0x0): undefined reference
to `mmu_pid_bits'
powerpc64-linux-gnu-ld:
arch/powerpc/mm/book3s64/mmu_context.o:(.toc+0x8): undefined reference
to `mmu_base_pid'
mmu_context.c is always compiled, it uses mmu_pid_bits and mmu_base_pid.
unsigned long rts_field;
int index, max_id;
@@ -177,6 +178,9 @@ static int radix__init_new_context(struct
mm_struct *mm)
mm->context.hash_context = NULL;
return index;
+#else
+ return -ENOTSUPP;
+#endif
}
int init_new_context(struct task_struct *tsk, struct mm_struct *mm)
diff --git a/arch/powerpc/platforms/pseries/lpar.c
b/arch/powerpc/platforms/pseries/lpar.c
index baf24eacd268..e454e218dbba 100644
--- a/arch/powerpc/platforms/pseries/lpar.c
+++ b/arch/powerpc/platforms/pseries/lpar.c
@@ -1726,10 +1726,12 @@ void __init hpte_init_pseries(void)
void radix_init_pseries(void)
{
+#ifdef CONFIG_PPC_RADIX_MMU
This function is only called from
/arch/powerpc/mm/book3s64/radix_pgtable.c which is only built when
CONFIG_PPC_RADIX_MMU is selected.
So the entire function should be encloded in the #ifdef.
OK, I will send a v2 later.
pr_info("Using radix MMU under hypervisor\n");
pseries_lpar_register_process_table(__pa(process_tb),
0, PRTB_SIZE_SHIFT - 12);
+#endif
}
#ifdef CONFIG_PPC_SMLPAR
Christophe
.
[PATCH -next] powerpc/eeh: fix compile warning with CONFIG_PROC_FS=n
Fix the compile warning:
arch/powerpc/kernel/eeh.c:1639:12: error: 'proc_eeh_show' defined but not used
[-Werror=unused-function]
static int proc_eeh_show(struct seq_file *m, void *v)
Reported-by: Hulk Robot
Signed-off-by: Yang Yingliang
---
arch/powerpc/kernel/eeh.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/powerpc/kernel/eeh.c b/arch/powerpc/kernel/eeh.c
index 94682382fc8c..420c3c25c6e7 100644
--- a/arch/powerpc/kernel/eeh.c
+++ b/arch/powerpc/kernel/eeh.c
@@ -1636,6 +1636,7 @@ int eeh_pe_inject_err(struct eeh_pe *pe, int type, int
func,
}
EXPORT_SYMBOL_GPL(eeh_pe_inject_err);
+#ifdef CONFIG_PROC_FS
static int proc_eeh_show(struct seq_file *m, void *v)
{
if (!eeh_enabled()) {
@@ -1662,6 +1663,7 @@ static int proc_eeh_show(struct seq_file *m, void *v)
return 0;
}
+#endif
#ifdef CONFIG_DEBUG_FS
static int eeh_enable_dbgfs_set(void *data, u64 val)
--
2.25.1
[PATCH -next] powerpc/book3s64: fix link error with CONFIG_PPC_RADIX_MMU=n
Fix link error when CONFIG_PPC_RADIX_MMU is disabled:
powerpc64-linux-gnu-ld: arch/powerpc/platforms/pseries/lpar.o:(.toc+0x0):
undefined reference to `mmu_pid_bits'
Reported-by: Hulk Robot
Signed-off-by: Yang Yingliang
---
arch/powerpc/mm/book3s64/mmu_context.c | 4
arch/powerpc/platforms/pseries/lpar.c | 2 ++
2 files changed, 6 insertions(+)
diff --git a/arch/powerpc/mm/book3s64/mmu_context.c
b/arch/powerpc/mm/book3s64/mmu_context.c
index 0ba30b8b935b..a8e292cd88f0 100644
--- a/arch/powerpc/mm/book3s64/mmu_context.c
+++ b/arch/powerpc/mm/book3s64/mmu_context.c
@@ -152,6 +152,7 @@ void hash__setup_new_exec(void)
static int radix__init_new_context(struct mm_struct *mm)
{
+#ifdef CONFIG_PPC_RADIX_MMU
unsigned long rts_field;
int index, max_id;
@@ -177,6 +178,9 @@ static int radix__init_new_context(struct mm_struct *mm)
mm->context.hash_context = NULL;
return index;
+#else
+ return -ENOTSUPP;
+#endif
}
int init_new_context(struct task_struct *tsk, struct mm_struct *mm)
diff --git a/arch/powerpc/platforms/pseries/lpar.c
b/arch/powerpc/platforms/pseries/lpar.c
index baf24eacd268..e454e218dbba 100644
--- a/arch/powerpc/platforms/pseries/lpar.c
+++ b/arch/powerpc/platforms/pseries/lpar.c
@@ -1726,10 +1726,12 @@ void __init hpte_init_pseries(void)
void radix_init_pseries(void)
{
+#ifdef CONFIG_PPC_RADIX_MMU
pr_info("Using radix MMU under hypervisor\n");
pseries_lpar_register_process_table(__pa(process_tb),
0, PRTB_SIZE_SHIFT - 12);
+#endif
}
#ifdef CONFIG_PPC_SMLPAR
--
2.25.1
[PATCH] arm64: PCI: fix memleak when calling pci_iomap/unmap()
config GENERIC_IOMAP is disabled on arm64, so pci_iounmap() does
nothing, when we using pci_iomap/pci_iounmap(), it will lead to
memory leak. Implements pci_iounmap() for arm64 to fix this leak.
Fixes: 09a5723983e3 ("arm64: Use include/asm-generic/io.h")
Signed-off-by: Yang Yingliang
---
arch/arm64/include/asm/io.h | 5 +
arch/arm64/kernel/pci.c | 5 +
2 files changed, 10 insertions(+)
diff --git a/arch/arm64/include/asm/io.h b/arch/arm64/include/asm/io.h
index ff50dd731852d..4d8da06ac295f 100644
--- a/arch/arm64/include/asm/io.h
+++ b/arch/arm64/include/asm/io.h
@@ -18,6 +18,11 @@
#include
#include
+#ifdef CONFIG_PCI
+struct pci_dev;
+#define pci_iounmap pci_iounmap
+extern void pci_iounmap(struct pci_dev *dev, void __iomem *addr);
+#endif
/*
* Generic IO read/write. These perform native-endian accesses.
*/
diff --git a/arch/arm64/kernel/pci.c b/arch/arm64/kernel/pci.c
index 1006ed2d7c604..ddfa1c53def48 100644
--- a/arch/arm64/kernel/pci.c
+++ b/arch/arm64/kernel/pci.c
@@ -217,4 +217,9 @@ void pcibios_remove_bus(struct pci_bus *bus)
acpi_pci_remove_bus(bus);
}
+void pci_iounmap(struct pci_dev *dev, void __iomem *addr)
+{
+ iounmap(addr);
+}
+EXPORT_SYMBOL(pci_iounmap);
#endif
--
2.25.1
Re: [PATCH v3] PCI: Add pci_iounmap
Hi, On 2020/9/2 2:05, George Cherian wrote: Hi Yang, -Original Message- From: Yang Yingliang Sent: Tuesday, September 1, 2020 6:59 PM To: George Cherian ; linux-kernel@vger.kernel.org; linux-a...@vger.kernel.org; linux-...@vger.kernel.org Cc: kbuild-...@lists.01.org; bhelg...@google.com; a...@arndb.de; m...@redhat.com Subject: Re: [PATCH v3] PCI: Add pci_iounmap On 2020/8/25 9:25, kernel test robot wrote: Hi George, I love your patch! Yet something to improve: [auto build test ERROR on pci/next] [also build test ERROR on linux/master linus/master asm-generic/master v5.9-rc2 next-20200824] [If your patch is applied to the wrong git tree, kindly drop us a note. And when submitting patch, we suggest to use '--base' as documented in https://urldefense.proofpoint.com/v2/url?u=https-3A__git- 2Dscm.com_doc s_git-2Dformat-2Dpatch=DwIC- g=nKjWec2b6R0mOyPaz7xtfQ=TjMsEFPc7di rkF6u2D3eSIS0cA8FeYpzRkkMzr4aCbk=dvtRkwC273FmalEZE_KonLRWrIV WLSWfG61 NWTWG5LI=ycW6SZOVRuKAm3YwdhyAuSh22oPuengSMVuv- EwaUew= ] url:https://urldefense.proofpoint.com/v2/url?u=https- 3A__github.com_0day-2Dci_linux_commits_George-2DCherian_PCI-2DAdd- 2Dpci-5Fiounmap_20200824-2D212149=DwIC- g=nKjWec2b6R0mOyPaz7xtfQ=TjMsEFPc7dirkF6u2D3eSIS0cA8FeYpzRkk Mzr4aCbk=dvtRkwC273FmalEZE_KonLRWrIVWLSWfG61NWTWG5LI=6c UOYHeDOBZ0HaFc2z-vaDgDmbIK4LCBRt9kNkn1sto= base: https://urldefense.proofpoint.com/v2/url?u=https- 3A__git.kernel.org_pub_scm_linux_kernel_git_helgaas_pci.git=DwIC- g=nKjWec2b6R0mOyPaz7xtfQ=TjMsEFPc7dirkF6u2D3eSIS0cA8FeYpzRkk Mzr4aCbk=dvtRkwC273FmalEZE_KonLRWrIVWLSWfG61NWTWG5LI=h- TMyLlEdAwew-u52q4dgWBUMgm0ys-xKzvOO86e1Lw= next config: powerpc-allyesconfig (attached as .config) compiler: powerpc64-linux-gcc (GCC) 9.3.0 reproduce (this is a W=1 build): wget https://urldefense.proofpoint.com/v2/url?u=https- 3A__raw.githubusercontent.com_intel_lkp- 2Dtests_master_sbin_make.cross=DwIC- g=nKjWec2b6R0mOyPaz7xtfQ=TjMsEFPc7dirkF6u2D3eSIS0cA8FeYpzRkk Mzr4aCbk=dvtRkwC273FmalEZE_KonLRWrIVWLSWfG61NWTWG5LI=az QcL0MQmPpr9UfvyBSSdQiu1UbjJgFrzNJOtcZ_--E= -O ~/bin/make.cross chmod +x ~/bin/make.cross # save the attached .config to linux build tree COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-9.3.0 make.cross ARCH=powerpc If you fix the issue, kindly add following tag as appropriate Reported-by: kernel test robot All errors (new ones prefixed by >>): powerpc64-linux-ld: lib/pci_iomap.o: in function `__crc_pci_iounmap': (.rodata+0x10): multiple definition of `__crc_pci_iounmap'; lib/iomap.o:(.rodata+0x68): first defined here EXPORT_SYMBOL(pci_iounmap) in lib/iomap.c need be removed. I really don't think that is the way to fix this. I have also seen your other patch in which iomap being moved out of lib/iomap.c to header file. There was a reason for moving iomap and its variants to a lib since most of the arch's implementation of map was similar. Whereas the unmap had multiple implementation per arch's. So, the lib/iomap never implemented the generic unmap. I see either of the following solution. a. Have an arm64 specific implementation for the unmap function. Or b. something on the lines of v2[1], which accommodates all the arch's but has the #ifdef for which Bjorn raised his concerns. I think 'a' may be better, and I have already make a patch, I can send it after testing. Bjorn, any comments? Regards -George [1] - https://lkml.org/lkml/2020/8/20/28
Re: [PATCH v3] PCI: Add pci_iounmap
On 2020/8/25 9:25, kernel test robot wrote: Hi George, I love your patch! Yet something to improve: [auto build test ERROR on pci/next] [also build test ERROR on linux/master linus/master asm-generic/master v5.9-rc2 next-20200824] [If your patch is applied to the wrong git tree, kindly drop us a note. And when submitting patch, we suggest to use '--base' as documented in https://git-scm.com/docs/git-format-patch] url: https://github.com/0day-ci/linux/commits/George-Cherian/PCI-Add-pci_iounmap/20200824-212149 base: https://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci.git next config: powerpc-allyesconfig (attached as .config) compiler: powerpc64-linux-gcc (GCC) 9.3.0 reproduce (this is a W=1 build): wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross chmod +x ~/bin/make.cross # save the attached .config to linux build tree COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-9.3.0 make.cross ARCH=powerpc If you fix the issue, kindly add following tag as appropriate Reported-by: kernel test robot All errors (new ones prefixed by >>): powerpc64-linux-ld: lib/pci_iomap.o: in function `__crc_pci_iounmap': (.rodata+0x10): multiple definition of `__crc_pci_iounmap'; lib/iomap.o:(.rodata+0x68): first defined here EXPORT_SYMBOL(pci_iounmap) in lib/iomap.c need be removed. --- 0-DAY CI Kernel Test Service, Intel Corporation https://lists.01.org/hyperkitty/list/kbuild-...@lists.01.org
[PATCH 2/2] pci: fix memleak when calling pci_iomap/unmap()
config GENERIC_IOMAP is disabled on some archs(e.g. arm64),
so pci_iounmap() does nothing, when we using pci_iomap/pci_iounmap(),
it will lead to memory leak. Move pci_iounmap() to lib/pci_map.c
to fix this.
Signed-off-by: Yang Yingliang
---
include/asm-generic/pci_iomap.h | 2 ++
lib/iomap.c | 10 --
lib/pci_iomap.c | 8
3 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/include/asm-generic/pci_iomap.h b/include/asm-generic/pci_iomap.h
index d4f16dcc2ed79..d6a04d2462238 100644
--- a/include/asm-generic/pci_iomap.h
+++ b/include/asm-generic/pci_iomap.h
@@ -18,6 +18,8 @@ extern void __iomem *pci_iomap_range(struct pci_dev *dev, int
bar,
extern void __iomem *pci_iomap_wc_range(struct pci_dev *dev, int bar,
unsigned long offset,
unsigned long maxlen);
+#define pci_iounmap pci_iounmap
+extern void pci_iounmap(struct pci_dev *dev, void __iomem * addr);
/* Create a virtual mapping cookie for a port on a given PCI device.
* Do not call this directly, it exists to make it easier for architectures
* to override */
diff --git a/lib/iomap.c b/lib/iomap.c
index d40bc6f662540..df0b3c5fa2065 100644
--- a/lib/iomap.c
+++ b/lib/iomap.c
@@ -337,13 +337,3 @@ void ioport_unmap(void __iomem *addr)
EXPORT_SYMBOL(ioport_map);
EXPORT_SYMBOL(ioport_unmap);
#endif /* CONFIG_HAS_IOPORT_MAP */
-
-#ifdef CONFIG_PCI
-/* Hide the details if this is a MMIO or PIO address space and just do what
- * you expect in the correct way. */
-void pci_iounmap(struct pci_dev *dev, void __iomem * addr)
-{
- IO_COND(addr, /* nothing */, iounmap(addr));
-}
-EXPORT_SYMBOL(pci_iounmap);
-#endif /* CONFIG_PCI */
diff --git a/lib/pci_iomap.c b/lib/pci_iomap.c
index 2d3eb1cb73b8f..833b702771ecd 100644
--- a/lib/pci_iomap.c
+++ b/lib/pci_iomap.c
@@ -134,4 +134,12 @@ void __iomem *pci_iomap_wc(struct pci_dev *dev, int bar,
unsigned long maxlen)
return pci_iomap_wc_range(dev, bar, 0, maxlen);
}
EXPORT_SYMBOL_GPL(pci_iomap_wc);
+
+/* Hide the details if this is a MMIO or PIO address space and just do what
+ * you expect in the correct way. */
+void pci_iounmap(struct pci_dev *dev, void __iomem * addr)
+{
+ IO_COND(addr, /* nothing */, iounmap(addr));
+}
+EXPORT_SYMBOL(pci_iounmap);
#endif /* CONFIG_PCI */
--
2.25.1
[PATCH 0/2] fix memleak when using pci_iounmap()
config GENERIC_IOMAP is not selected on some arch, pci_iounmap() don't implement, when we using pci_iomap/pci_iounmap, it will lead to memory leak. This patch set moves the implemention of pci_iounmap() to lib/pci_iomap.c to fix this. Yang Yingliang (2): iomap: move some definitions to include/linux/io.h pci: fix memleak when calling pci_iomap/unmap() include/asm-generic/pci_iomap.h | 2 ++ include/linux/io.h | 36 ++ lib/iomap.c | 46 - lib/pci_iomap.c | 8 ++ 4 files changed, 46 insertions(+), 46 deletions(-) -- 2.25.1
[PATCH 1/2] iomap: move some definitions to include/linux/io.h
Move some IO macros and bad_io_access() to include/linux/io.h
This prepares for moving pci_iounmap() to lib/pci_iomap.c.
Signed-off-by: Yang Yingliang
---
include/linux/io.h | 36
lib/iomap.c| 36
2 files changed, 36 insertions(+), 36 deletions(-)
diff --git a/include/linux/io.h b/include/linux/io.h
index 8394c56babc26..fa040f8114eaa 100644
--- a/include/linux/io.h
+++ b/include/linux/io.h
@@ -13,6 +13,42 @@
#include
#include
+#ifndef HAVE_ARCH_PIO_SIZE
+/*
+ * We encode the physical PIO addresses (0-0x) into the
+ * pointer by offsetting them with a constant (0x1) and
+ * assuming that all the low addresses are always PIO. That means
+ * we can do some sanity checks on the low bits, and don't
+ * need to just take things for granted.
+ */
+#define PIO_OFFSET 0x1UL
+#define PIO_MASK 0x0UL
+#define PIO_RESERVED 0x4UL
+#endif
+
+static inline void bad_io_access(unsigned long port, const char *access)
+{
+ static int count = 10;
+ if (count) {
+ count--;
+ WARN(1, KERN_ERR "Bad IO access at port %#lx (%s)\n", port,
access);
+ }
+}
+
+/*
+ * Ugly macros are a way of life.
+ */
+#define IO_COND(addr, is_pio, is_mmio) do {\
+ unsigned long port = (unsigned long __force)addr; \
+ if (port >= PIO_RESERVED) { \
+ is_mmio;\
+ } else if (port > PIO_OFFSET) { \
+ port &= PIO_MASK; \
+ is_pio; \
+ } else \
+ bad_io_access(port, #is_pio); \
+} while (0)
+
struct device;
struct resource;
diff --git a/lib/iomap.c b/lib/iomap.c
index fbaa3e8f19d6c..d40bc6f662540 100644
--- a/lib/iomap.c
+++ b/lib/iomap.c
@@ -23,42 +23,6 @@
* implementation and should do their own copy.
*/
-#ifndef HAVE_ARCH_PIO_SIZE
-/*
- * We encode the physical PIO addresses (0-0x) into the
- * pointer by offsetting them with a constant (0x1) and
- * assuming that all the low addresses are always PIO. That means
- * we can do some sanity checks on the low bits, and don't
- * need to just take things for granted.
- */
-#define PIO_OFFSET 0x1UL
-#define PIO_MASK 0x0UL
-#define PIO_RESERVED 0x4UL
-#endif
-
-static void bad_io_access(unsigned long port, const char *access)
-{
- static int count = 10;
- if (count) {
- count--;
- WARN(1, KERN_ERR "Bad IO access at port %#lx (%s)\n", port,
access);
- }
-}
-
-/*
- * Ugly macros are a way of life.
- */
-#define IO_COND(addr, is_pio, is_mmio) do {\
- unsigned long port = (unsigned long __force)addr; \
- if (port >= PIO_RESERVED) { \
- is_mmio;\
- } else if (port > PIO_OFFSET) { \
- port &= PIO_MASK; \
- is_pio; \
- } else \
- bad_io_access(port, #is_pio ); \
-} while (0)
-
#ifndef pio_read16be
#define pio_read16be(port) swab16(inw(port))
#define pio_read32be(port) swab32(inl(port))
--
2.25.1
[PATCH stable-4.19] cgroup: add missing skcd->no_refcnt check in cgroup_sk_clone()
Add skcd->no_refcnt check which is missed when backporting
ad0f75e5f57c ("cgroup: fix cgroup_sk_alloc() for sk_clone_lock()").
This patch is needed in stable-4.9, stable-4.14 and stable-4.19.
Signed-off-by: Yang Yingliang
---
kernel/cgroup/cgroup.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
index 6ae98c714edd..2a879d34bbe5 100644
--- a/kernel/cgroup/cgroup.c
+++ b/kernel/cgroup/cgroup.c
@@ -5957,6 +5957,8 @@ void cgroup_sk_clone(struct sock_cgroup_data *skcd)
{
/* Socket clone path */
if (skcd->val) {
+ if (skcd->no_refcnt)
+ return;
/*
* We might be cloning a socket which is left in an empty
* cgroup and the cgroup might have already been rmdir'd.
--
2.25.1
[PATCH stable-4.14] cgroup: add missing skcd->no_refcnt check in cgroup_sk_clone()
Add skcd->no_refcnt check which is missed when backporting
ad0f75e5f57c ("cgroup: fix cgroup_sk_alloc() for sk_clone_lock()").
This patch is needed in stable-4.9, stable-4.14 and stable-4.19.
Signed-off-by: Yang Yingliang
---
kernel/cgroup/cgroup.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/kernel/cgroup/cgroup.c b/kernel/cgroup/cgroup.c
index a2fed8fbd2bd..ada060e628ce 100644
--- a/kernel/cgroup/cgroup.c
+++ b/kernel/cgroup/cgroup.c
@@ -5827,6 +5827,8 @@ void cgroup_sk_clone(struct sock_cgroup_data *skcd)
{
/* Socket clone path */
if (skcd->val) {
+ if (skcd->no_refcnt)
+ return;
/*
* We might be cloning a socket which is left in an empty
* cgroup and the cgroup might have already been rmdir'd.
--
2.25.1
[PATCH stable-4.9 v2] cgroup: add missing skcd->no_refcnt check in cgroup_sk_clone()
Add skcd->no_refcnt check which is missed when backporting
ad0f75e5f57c ("cgroup: fix cgroup_sk_alloc() for sk_clone_lock()").
This patch is needed in stable-4.9, stable-4.14 and stable-4.19.
Signed-off-by: Yang Yingliang
---
kernel/cgroup.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/kernel/cgroup.c b/kernel/cgroup.c
index f047c73189f3..684d02f343b4 100644
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
@@ -6355,6 +6355,8 @@ void cgroup_sk_clone(struct sock_cgroup_data *skcd)
{
/* Socket clone path */
if (skcd->val) {
+ if (skcd->no_refcnt)
+ return;
/*
* We might be cloning a socket which is left in an empty
* cgroup and the cgroup might have already been rmdir'd.
--
2.25.1
[PATCH stable-4.9] cgroup: add missing skcd->no_refcnt check in cgroup_sk_alloc()
Add skcd->no_refcnt check which is missed when backporting
ad0f75e5f57c ("cgroup: fix cgroup_sk_alloc() for sk_clone_lock()").
This patch is needed in stable-4.9, stable-4.14 and stable-4.19.
Signed-off-by: Yang Yingliang
---
kernel/cgroup.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/kernel/cgroup.c b/kernel/cgroup.c
index f047c73189f3..684d02f343b4 100644
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
@@ -6355,6 +6355,8 @@ void cgroup_sk_clone(struct sock_cgroup_data *skcd)
{
/* Socket clone path */
if (skcd->val) {
+ if (skcd->no_refcnt)
+ return;
/*
* We might be cloning a socket which is left in an empty
* cgroup and the cgroup might have already been rmdir'd.
--
2.25.1
Re: [PATCH 4.19 016/133] cgroup: fix cgroup_sk_alloc() for sk_clone_lock()
On 2020/8/13 19:41, Greg Kroah-Hartman wrote:
On Thu, Aug 13, 2020 at 07:30:55PM +0800, Yang Yingliang wrote:
Hi,
On 2020/7/20 23:36, Greg Kroah-Hartman wrote:
From: Cong Wang
[ Upstream commit ad0f75e5f57ccbceec13274e1e242f2b5a6397ed ]
When we clone a socket in sk_clone_lock(), its sk_cgrp_data is
copied, so the cgroup refcnt must be taken too. And, unlike the
sk_alloc() path, sock_update_netprioidx() is not called here.
Therefore, it is safe and necessary to grab the cgroup refcnt
even when cgroup_sk_alloc is disabled.
sk_clone_lock() is in BH context anyway, the in_interrupt()
would terminate this function if called there. And for sk_alloc()
skcd->val is always zero. So it's safe to factor out the code
to make it more readable.
The global variable 'cgroup_sk_alloc_disabled' is used to determine
whether to take these reference counts. It is impossible to make
the reference counting correct unless we save this bit of information
in skcd->val. So, add a new bit there to record whether the socket
has already taken the reference counts. This obviously relies on
kmalloc() to align cgroup pointers to at least 4 bytes,
ARCH_KMALLOC_MINALIGN is certainly larger than that.
This bug seems to be introduced since the beginning, commit
d979a39d7242 ("cgroup: duplicate cgroup reference when cloning sockets")
tried to fix it but not compeletely. It seems not easy to trigger until
the recent commit 090e28b229af
("netprio_cgroup: Fix unlimited memory leak of v2 cgroups") was merged.
Fixes: bd1060a1d671 ("sock, cgroup: add sock->sk_cgroup")
Reported-by: Cameron Berkenpas
Reported-by: Peter Geis
Reported-by: Lu Fengqi
Reported-by: Daniël Sonck
Reported-by: Zhang Qiang
Tested-by: Cameron Berkenpas
Tested-by: Peter Geis
Tested-by: Thomas Lamprecht
Cc: Daniel Borkmann
Cc: Zefan Li
Cc: Tejun Heo
Cc: Roman Gushchin
Signed-off-by: Cong Wang
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
[...]
+void cgroup_sk_clone(struct sock_cgroup_data *skcd)
+{
+ /* Socket clone path */
+ if (skcd->val) {
Compare to mainline patch, it's missing *if (skcd->no_refcnt)* check here.
Is it a mistake here ?
Possibly, it is in the cgroup_sk_free() call. Can you send a patch to
fix this up?
OK, I checked other stable branches, it also need be fixed in stable-4.9
and stable-4.14.
I will send the patches to these branches.
thanks,
greg k-h
.
Re: [PATCH 4.19 016/133] cgroup: fix cgroup_sk_alloc() for sk_clone_lock()
Hi,
On 2020/7/20 23:36, Greg Kroah-Hartman wrote:
From: Cong Wang
[ Upstream commit ad0f75e5f57ccbceec13274e1e242f2b5a6397ed ]
When we clone a socket in sk_clone_lock(), its sk_cgrp_data is
copied, so the cgroup refcnt must be taken too. And, unlike the
sk_alloc() path, sock_update_netprioidx() is not called here.
Therefore, it is safe and necessary to grab the cgroup refcnt
even when cgroup_sk_alloc is disabled.
sk_clone_lock() is in BH context anyway, the in_interrupt()
would terminate this function if called there. And for sk_alloc()
skcd->val is always zero. So it's safe to factor out the code
to make it more readable.
The global variable 'cgroup_sk_alloc_disabled' is used to determine
whether to take these reference counts. It is impossible to make
the reference counting correct unless we save this bit of information
in skcd->val. So, add a new bit there to record whether the socket
has already taken the reference counts. This obviously relies on
kmalloc() to align cgroup pointers to at least 4 bytes,
ARCH_KMALLOC_MINALIGN is certainly larger than that.
This bug seems to be introduced since the beginning, commit
d979a39d7242 ("cgroup: duplicate cgroup reference when cloning sockets")
tried to fix it but not compeletely. It seems not easy to trigger until
the recent commit 090e28b229af
("netprio_cgroup: Fix unlimited memory leak of v2 cgroups") was merged.
Fixes: bd1060a1d671 ("sock, cgroup: add sock->sk_cgroup")
Reported-by: Cameron Berkenpas
Reported-by: Peter Geis
Reported-by: Lu Fengqi
Reported-by: Daniël Sonck
Reported-by: Zhang Qiang
Tested-by: Cameron Berkenpas
Tested-by: Peter Geis
Tested-by: Thomas Lamprecht
Cc: Daniel Borkmann
Cc: Zefan Li
Cc: Tejun Heo
Cc: Roman Gushchin
Signed-off-by: Cong Wang
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
[...]
+void cgroup_sk_clone(struct sock_cgroup_data *skcd)
+{
+ /* Socket clone path */
+ if (skcd->val) {
Compare to mainline patch, it's missing *if (skcd->no_refcnt)* check here.
Is it a mistake here ?
Thanks,
Yang
+ /*
+* We might be cloning a socket which is left in an empty
+* cgroup and the cgroup might have already been rmdir'd.
+* Don't use cgroup_get_live().
+*/
+ cgroup_get(sock_cgroup_ptr(skcd));
+ }
+}
+
void cgroup_sk_free(struct sock_cgroup_data *skcd)
{
+ if (skcd->no_refcnt)
+ return;
+
cgroup_put(sock_cgroup_ptr(skcd));
}
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -1694,7 +1694,7 @@ struct sock *sk_clone_lock(const struct
/* sk->sk_memcg will be populated at accept() time */
newsk->sk_memcg = NULL;
- cgroup_sk_alloc(>sk_cgrp_data);
+ cgroup_sk_clone(>sk_cgrp_data);
rcu_read_lock();
filter = rcu_dereference(sk->sk_filter);
.
[PATCH -next] sysctl: fix memleak in proc_sys_call_handler()
I got a memleak report when doing some fuzz test:
BUG: memory leak
unreferenced object 0x888103f3da00 (size 64):
comm "syz-executor.0", pid 2270, jiffies 4295404698 (age 46.593s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
backtrace:
[<4f2c0607>] kmalloc include/linux/slab.h:559 [inline]
[<4f2c0607>] kzalloc include/linux/slab.h:666 [inline]
[<4f2c0607>] proc_sys_call_handler+0x1d4/0x480 fs/proc/proc_sysctl.c:574
[<5ec6a16b>] call_write_iter include/linux/fs.h:1876 [inline]
[<5ec6a16b>] new_sync_write+0x3c5/0x5b0 fs/read_write.c:515
[<bbeebb83>] vfs_write+0x4e8/0x670 fs/read_write.c:595
[<9d967c93>] ksys_write+0x10c/0x220 fs/read_write.c:648
[<139f6002>] do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
[<b7d61f44>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
Go to free buff when copy_from_iter_full() is failed.
Fixes: 1dea05cbc0d7 ("sysctl: Convert to iter interfaces")
Reported-by: Hulk Robot
Signed-off-by: Yang Yingliang
---
fs/proc/proc_sysctl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c
index 9f6b9c3e3fda..a4a3122f8a58 100644
--- a/fs/proc/proc_sysctl.c
+++ b/fs/proc/proc_sysctl.c
@@ -578,7 +578,7 @@ static ssize_t proc_sys_call_handler(struct kiocb *iocb,
struct iov_iter *iter,
if (write) {
error = -EFAULT;
if (!copy_from_iter_full(kbuf, count, iter))
- goto out;
+ goto out_free_buf;
kbuf[count] = '\0';
}
--
2.25.1
Re: [PATCH] vgacon: Fix an out-of-bounds in vgacon_scrollback_update()
On 2020/7/30 19:04, Jiri Slaby wrote:
On 13. 07. 20, 12:57, Yang Yingliang wrote:
I got a slab-out-of-bounds report when I doing fuzz test.
[ 334.989515]
==
[ 334.989577] BUG: KASAN: slab-out-of-bounds in vgacon_scroll+0x57a/0x8ed
[ 334.989588] Write of size 1766 at addr 8883de69ff3e by task test/2658
[ 334.989593]
[ 334.989608] CPU: 3 PID: 2658 Comm: test Not tainted
5.7.0-rc5-5-g152036d1379f #789
[ 334.989617] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
[ 334.989624] Call Trace:
[ 334.989646] dump_stack+0xe4/0x14e
[ 334.989676] print_address_description.constprop.5+0x3f/0x60
[ 334.989699] ? vgacon_scroll+0x57a/0x8ed
[ 334.989710] __kasan_report.cold.8+0x92/0xaf
[ 334.989735] ? vgacon_scroll+0x57a/0x8ed
[ 334.989761] kasan_report+0x37/0x50
[ 334.989789] check_memory_region+0x1c1/0x1e0
[ 334.989806] memcpy+0x38/0x60
[ 334.989824] vgacon_scroll+0x57a/0x8ed
[ 334.989876] con_scroll+0x4ef/0x5e0
...
Because vgacon_scrollback_cur->tail plus memcpy size is greater than
vgacon_scrollback_cur->size. Fix this by checking the memcpy size.
Reported-by: Hulk Robot
Signed-off-by: Yang Yingliang
---
drivers/video/console/vgacon.c | 11 ---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/drivers/video/console/vgacon.c b/drivers/video/console/vgacon.c
index 998b0de1812f..b51ffb9a208d 100644
--- a/drivers/video/console/vgacon.c
+++ b/drivers/video/console/vgacon.c
@@ -243,6 +243,7 @@ static void vgacon_scrollback_startup(void)
static void vgacon_scrollback_update(struct vc_data *c, int t, int count)
{
void *p;
+ int size;
if (!vgacon_scrollback_cur->data || !vgacon_scrollback_cur->size ||
c->vc_num != fg_console)
@@ -251,13 +252,17 @@ static void vgacon_scrollback_update(struct vc_data *c,
int t, int count)
p = (void *) (c->vc_origin + t * c->vc_size_row);
while (count--) {
+ size = vgacon_scrollback_cur->size -
vgacon_scrollback_cur->tail;
+ if (size > c->vc_size_row)
+ size = c->vc_size_row;
+
scr_memcpyw(vgacon_scrollback_cur->data +
vgacon_scrollback_cur->tail,
- p, c->vc_size_row);
+ p, size);
Are you sure the consumer can handle split lines? As vgacon_scrolldelta
(soff in particular) looks to me like it doesn't.
Have you tested you patch? I mean with soft scrollback on the vga console?
I only test the patch with the reproduce program.
Thanks,
Yang
vgacon_scrollback_cur->cnt++;
- p += c->vc_size_row;
- vgacon_scrollback_cur->tail += c->vc_size_row;
+ p += size;
+ vgacon_scrollback_cur->tail += size;
if (vgacon_scrollback_cur->tail >= vgacon_scrollback_cur->size)
vgacon_scrollback_cur->tail = 0;
thanks,
Re: [PATCH] serial: 8250: fix null-ptr-deref in serial8250_start_tx()
On 2020/7/21 19:54, Yang Yingliang wrote:
On 2020/7/21 18:48, Greg KH wrote:
On Tue, Jul 21, 2020 at 02:38:52PM +, Yang Yingliang wrote:
I got null-ptr-deref in serial8250_start_tx():
[ 78.114630] Unable to handle kernel NULL pointer dereference at
virtual address
[ 78.123778] Mem abort info:
[ 78.126560] ESR = 0x8607
[ 78.129603] EC = 0x21: IABT (current EL), IL = 32 bits
[ 78.134891] SET = 0, FnV = 0
[ 78.137933] EA = 0, S1PTW = 0
[ 78.141064] user pgtable: 64k pages, 48-bit VAs,
pgdp=0027d41a8600
[ 78.147562] [] pgd=0027893f0003,
p4d=0027893f0003, pud=0027893f0003, pmd=0027c9a20003,
pte=
[ 78.160029] Internal error: Oops: 8607 [#1] SMP
[ 78.164886] Modules linked in: sunrpc vfat fat aes_ce_blk
crypto_simd cryptd aes_ce_cipher crct10dif_ce ghash_ce sha2_ce
sha256_arm64 sha1_ce ses enclosure sg sbsa_gwdt ipmi_ssif
spi_dw_mmio sch_fq_codel vhost_net tun vhost vhost_iotlb tap
ip_tables ext4 mbcache jbd2 ahci hisi_sas_v3_hw libahci
hisi_sas_main libsas hns3 scsi_transport_sas hclge libata
megaraid_sas ipmi_si hnae3 ipmi_devintf ipmi_msghandler br_netfilter
bridge stp llc nvme nvme_core xt_sctp sctp libcrc32c dm_mod nbd
[ 78.207383] CPU: 11 PID: 23258 Comm: null-ptr Not tainted
5.8.0-rc6+ #48
[ 78.214056] Hardware name: Huawei TaiShan 2280 V2/BC82AMDC, BIOS
2280-V2 CS V3.B210.01 03/12/2020
[ 78.222888] pstate: 80400089 (Nzcv daIf +PAN -UAO BTYPE=--)
[ 78.228435] pc : 0x0
[ 78.230618] lr : serial8250_start_tx+0x160/0x260
[ 78.235215] sp : 800062eefb80
[ 78.238517] x29: 800062eefb80 x28: 0fff
[ 78.243807] x27: 800062eefd80 x26: 202fd83b3000
[ 78.249098] x25: 800062eefd80 x24: 202fd83b3000
[ 78.254388] x23: 002fc5e50be8 x22: 0002
[ 78.259679] x21: 0001 x20:
[ 78.264969] x19: a688827eecc8 x18:
[ 78.270259] x17: x16:
[ 78.275550] x15: a68881bc67a8 x14: 02e6
[ 78.280841] x13: a68881bc67a8 x12: c539
[ 78.286131] x11: d37a6f4de9bd37a7 x10: a68881cccff0
[ 78.291421] x9 : a68881bc6000 x8 : a688819daa88
[ 78.296711] x7 : a688822a0f20 x6 : a688819e
[ 78.302002] x5 : 800062eef9d0 x4 : a68881e707a8
[ 78.307292] x3 : x2 : 0002
[ 78.312582] x1 : 0001 x0 : a688827eecc8
[ 78.317873] Call trace:
[ 78.320312] 0x0
[ 78.322147] __uart_start.isra.9+0x64/0x78
[ 78.326229] uart_start+0xb8/0x1c8
[ 78.329620] uart_flush_chars+0x24/0x30
[ 78.333442] n_tty_receive_buf_common+0x7b0/0xc30
[ 78.338128] n_tty_receive_buf+0x44/0x2c8
[ 78.342122] tty_ioctl+0x348/0x11f8
[ 78.345599] ksys_ioctl+0xd8/0xf8
[ 78.348903] __arm64_sys_ioctl+0x2c/0xc8
[ 78.352812] el0_svc_common.constprop.2+0x88/0x1b0
[ 78.357583] do_el0_svc+0x44/0xd0
[ 78.360887] el0_sync_handler+0x14c/0x1d0
[ 78.364880] el0_sync+0x140/0x180
[ 78.368185] Code: bad PC value
SERIAL_PORT_DFNS is not defined on each arch, if it's not defined,
serial8250_set_defaults() won't be called in
serial8250_isa_init_ports(),
so the p->serial_in pointer won't be initialized, and it leads a
null-ptr-deref.
Fix this problem by calling serial8250_set_defaults() after init
uart port.
Signed-off-by: Yang Yingliang
---
drivers/tty/serial/8250/8250_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Does this fix a specific commit, or has this issue always been present?
What has caused it to happen now that no one else has seen this?
I think it's always been present on the arch that not defined
SERIAL_PORT_DFNS.
I got this on arm64 and here is the C reproducer:
// autogenerated by syzkaller (https://github.com/google/syzkaller)
#define _GNU_SOURCE
#include
#include
#include
#include
#include
#include
#include
#include
#ifndef __NR_ioctl
#define __NR_ioctl 29
#endif
#ifndef __NR_mmap
#define __NR_mmap 222
#endif
#ifndef __NR_openat
#define __NR_openat 56
#endif
uint64_t r[1] = {0x};
int main(void)
{
syscall(__NR_mmap, 0x2000ul, 0x100ul, 3ul, 0x32ul, -1, 0);
intptr_t res = 0;
memcpy((void*)0x2040, "/dev/ttyS3\000", 11);
res = syscall(__NR_openat, 0xff9cul, 0x2040ul,
0x401ul, 0ul);
if (res != -1)
r[0] = res;
syscall(__NR_ioctl, r[0], 0x5412ul, 0x2080ul);
return 0;
}
It's can be reproduced with CONFIG_SERIAL_8250_RUNTIME_UARTS=8 and
by opening ttyS4 on x86_64. Because the size of SERIAL_PORT_DFNS is 4 and
the pointers of ttyS4 ~ ttyS7 won't be initialized.
[ 49.427884] BUG: unable to handle kernel NULL pointer dereference at
[ 49.432786] PGD 8003d7573067 P4D 8003d7573067 PUD 3d7526067 PMD 0
[ 49.436944] Oops: 0010 [#1] SMP KASAN PTI
[ 49.439490] CPU: 1 PID: 2491 Comm: test Not ta
Re: [PATCH] serial: 8250: fix null-ptr-deref in serial8250_start_tx()
On 2020/7/21 18:48, Greg KH wrote:
On Tue, Jul 21, 2020 at 02:38:52PM +, Yang Yingliang wrote:
I got null-ptr-deref in serial8250_start_tx():
[ 78.114630] Unable to handle kernel NULL pointer dereference at virtual
address
[ 78.123778] Mem abort info:
[ 78.126560] ESR = 0x8607
[ 78.129603] EC = 0x21: IABT (current EL), IL = 32 bits
[ 78.134891] SET = 0, FnV = 0
[ 78.137933] EA = 0, S1PTW = 0
[ 78.141064] user pgtable: 64k pages, 48-bit VAs, pgdp=0027d41a8600
[ 78.147562] [] pgd=0027893f0003, p4d=0027893f0003,
pud=0027893f0003, pmd=0027c9a20003, pte=
[ 78.160029] Internal error: Oops: 8607 [#1] SMP
[ 78.164886] Modules linked in: sunrpc vfat fat aes_ce_blk crypto_simd cryptd
aes_ce_cipher crct10dif_ce ghash_ce sha2_ce sha256_arm64 sha1_ce ses enclosure
sg sbsa_gwdt ipmi_ssif spi_dw_mmio sch_fq_codel vhost_net tun vhost vhost_iotlb
tap ip_tables ext4 mbcache jbd2 ahci hisi_sas_v3_hw libahci hisi_sas_main
libsas hns3 scsi_transport_sas hclge libata megaraid_sas ipmi_si hnae3
ipmi_devintf ipmi_msghandler br_netfilter bridge stp llc nvme nvme_core xt_sctp
sctp libcrc32c dm_mod nbd
[ 78.207383] CPU: 11 PID: 23258 Comm: null-ptr Not tainted 5.8.0-rc6+ #48
[ 78.214056] Hardware name: Huawei TaiShan 2280 V2/BC82AMDC, BIOS 2280-V2 CS
V3.B210.01 03/12/2020
[ 78.222888] pstate: 80400089 (Nzcv daIf +PAN -UAO BTYPE=--)
[ 78.228435] pc : 0x0
[ 78.230618] lr : serial8250_start_tx+0x160/0x260
[ 78.235215] sp : 800062eefb80
[ 78.238517] x29: 800062eefb80 x28: 0fff
[ 78.243807] x27: 800062eefd80 x26: 202fd83b3000
[ 78.249098] x25: 800062eefd80 x24: 202fd83b3000
[ 78.254388] x23: 002fc5e50be8 x22: 0002
[ 78.259679] x21: 0001 x20:
[ 78.264969] x19: a688827eecc8 x18:
[ 78.270259] x17: x16:
[ 78.275550] x15: a68881bc67a8 x14: 02e6
[ 78.280841] x13: a68881bc67a8 x12: c539
[ 78.286131] x11: d37a6f4de9bd37a7 x10: a68881cccff0
[ 78.291421] x9 : a68881bc6000 x8 : a688819daa88
[ 78.296711] x7 : a688822a0f20 x6 : a688819e
[ 78.302002] x5 : 800062eef9d0 x4 : a68881e707a8
[ 78.307292] x3 : x2 : 0002
[ 78.312582] x1 : 0001 x0 : a688827eecc8
[ 78.317873] Call trace:
[ 78.320312] 0x0
[ 78.322147] __uart_start.isra.9+0x64/0x78
[ 78.326229] uart_start+0xb8/0x1c8
[ 78.329620] uart_flush_chars+0x24/0x30
[ 78.333442] n_tty_receive_buf_common+0x7b0/0xc30
[ 78.338128] n_tty_receive_buf+0x44/0x2c8
[ 78.342122] tty_ioctl+0x348/0x11f8
[ 78.345599] ksys_ioctl+0xd8/0xf8
[ 78.348903] __arm64_sys_ioctl+0x2c/0xc8
[ 78.352812] el0_svc_common.constprop.2+0x88/0x1b0
[ 78.357583] do_el0_svc+0x44/0xd0
[ 78.360887] el0_sync_handler+0x14c/0x1d0
[ 78.364880] el0_sync+0x140/0x180
[ 78.368185] Code: bad PC value
SERIAL_PORT_DFNS is not defined on each arch, if it's not defined,
serial8250_set_defaults() won't be called in serial8250_isa_init_ports(),
so the p->serial_in pointer won't be initialized, and it leads a null-ptr-deref.
Fix this problem by calling serial8250_set_defaults() after init uart port.
Signed-off-by: Yang Yingliang
---
drivers/tty/serial/8250/8250_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Does this fix a specific commit, or has this issue always been present?
What has caused it to happen now that no one else has seen this?
I think it's always been present on the arch that not defined
SERIAL_PORT_DFNS.
I got this on arm64 and here is the C reproducer:
// autogenerated by syzkaller (https://github.com/google/syzkaller)
#define _GNU_SOURCE
#include
#include
#include
#include
#include
#include
#include
#include
#ifndef __NR_ioctl
#define __NR_ioctl 29
#endif
#ifndef __NR_mmap
#define __NR_mmap 222
#endif
#ifndef __NR_openat
#define __NR_openat 56
#endif
uint64_t r[1] = {0x};
int main(void)
{
syscall(__NR_mmap, 0x2000ul, 0x100ul, 3ul, 0x32ul, -1, 0);
intptr_t res = 0;
memcpy((void*)0x2040, "/dev/ttyS3\000", 11);
res = syscall(__NR_openat, 0xff9cul, 0x2040ul,
0x401ul, 0ul);
if (res != -1)
r[0] = res;
syscall(__NR_ioctl, r[0], 0x5412ul, 0x2080ul);
return 0;
}
Thanks,
Yang
thanks,
greg k-h
.
