[PATCH] staging: ade7759: Fix open parenthesis alignment
This patch fixes the CHECKs reported by checkpatch.pl for "alignment should match open parenthesis" Signed-off-by: rodrigosiqueira--- drivers/staging/iio/meter/ade7759.c | 80 ++--- 1 file changed, 38 insertions(+), 42 deletions(-) diff --git a/drivers/staging/iio/meter/ade7759.c b/drivers/staging/iio/meter/ade7759.c index d99cf508d8d0..1decb2b8afab 100644 --- a/drivers/staging/iio/meter/ade7759.c +++ b/drivers/staging/iio/meter/ade7759.c @@ -72,8 +72,8 @@ struct ade7759_state { }; static int ade7759_spi_write_reg_8(struct device *dev, - u8 reg_address, - u8 val) + u8 reg_address, + u8 val) { int ret; struct iio_dev *indio_dev = dev_to_iio_dev(dev); @@ -91,8 +91,8 @@ static int ade7759_spi_write_reg_8(struct device *dev, /*Unlocked version of ade7759_spi_write_reg_16 function */ static int __ade7759_spi_write_reg_16(struct device *dev, - u8 reg_address, - u16 value) + u8 reg_address, + u16 value) { struct iio_dev *indio_dev = dev_to_iio_dev(dev); struct ade7759_state *st = iio_priv(indio_dev); @@ -104,8 +104,8 @@ static int __ade7759_spi_write_reg_16(struct device *dev, } static int ade7759_spi_write_reg_16(struct device *dev, - u8 reg_address, - u16 value) + u8 reg_address, + u16 value) { int ret; struct iio_dev *indio_dev = dev_to_iio_dev(dev); @@ -119,8 +119,8 @@ static int ade7759_spi_write_reg_16(struct device *dev, } static int ade7759_spi_read_reg_8(struct device *dev, - u8 reg_address, - u8 *val) + u8 reg_address, + u8 *val) { struct iio_dev *indio_dev = dev_to_iio_dev(dev); struct ade7759_state *st = iio_priv(indio_dev); @@ -128,8 +128,9 @@ static int ade7759_spi_read_reg_8(struct device *dev, ret = spi_w8r8(st->us, ADE7759_READ_REG(reg_address)); if (ret < 0) { - dev_err(>us->dev, "problem when reading 8 bit register 0x%02X", - reg_address); + dev_err(>us->dev, + "problem when reading 8 bit register 0x%02X", + reg_address); return ret; } *val = ret; 
@@ -138,8 +139,8 @@ static int ade7759_spi_read_reg_8(struct device *dev, } static int ade7759_spi_read_reg_16(struct device *dev, - u8 reg_address, - u16 *val) + u8 reg_address, + u16 *val) { struct iio_dev *indio_dev = dev_to_iio_dev(dev); struct ade7759_state *st = iio_priv(indio_dev); @@ -158,8 +159,8 @@ static int ade7759_spi_read_reg_16(struct device *dev, } static int ade7759_spi_read_reg_40(struct device *dev, - u8 reg_address, - u64 *val) + u8 reg_address, + u64 *val) { struct iio_dev *indio_dev = dev_to_iio_dev(dev); struct ade7759_state *st = iio_priv(indio_dev); @@ -179,8 +180,9 @@ static int ade7759_spi_read_reg_40(struct device *dev, ret = spi_sync_transfer(st->us, xfers, ARRAY_SIZE(xfers)); if (ret) { - dev_err(>us->dev, "problem when reading 40 bit register 0x%02X", - reg_address); + dev_err(>us->dev, + "problem when reading 40 bit register 0x%02X", + reg_address); goto error_ret; } *val = ((u64)st->rx[1] << 32) | ((u64)st->rx[2] << 24) | @@ -192,8 +194,8 @@ static int ade7759_spi_read_reg_40(struct device *dev, } static ssize_t ade7759_read_8bit(struct device *dev, - struct device_attribute *attr, - char *buf) +struct device_attribute *attr, +char *buf) { int ret; u8 val = 0; @@ -207,8 +209,8 @@ static ssize_t ade7759_read_8bit(struct device *dev, } static ssize_t ade7759_read_16bit(struct device *dev, - struct device_attribute *attr, - char *buf) + struct device_attribute *attr, + char *buf) { int ret; u16 val = 0; @@ -222,8 +224,8 @@ static ssize_t ade7759_read_16bit(struct device *dev, } static ssize_t ade7759_read_40bit(struct device *dev, - struct device_attribute *attr, - char *buf) + struct device_attribute *attr, + char *buf) { int ret; u64
[PATCH 2/4] watchdog: omap_wdt: change order for setting default timeout
watchdog_init_timeout() will preserve wdd->timeout value if no parameter nor timeout-secs dt property is set. Signed-off-by: Marcus Folkesson
---
 drivers/watchdog/omap_wdt.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/watchdog/omap_wdt.c b/drivers/watchdog/omap_wdt.c
index 1b02bfa81b29..ae77112ce97f 100644
--- a/drivers/watchdog/omap_wdt.c
+++ b/drivers/watchdog/omap_wdt.c
@@ -253,10 +253,10 @@ static int omap_wdt_probe(struct platform_device *pdev)
 wdev->wdog.ops = _wdt_ops;
 wdev->wdog.min_timeout = TIMER_MARGIN_MIN;
 wdev->wdog.max_timeout = TIMER_MARGIN_MAX;
+ wdev->wdog.timeout = TIMER_MARGIN_DEFAULT;
 wdev->wdog.parent = >dev;
- if (watchdog_init_timeout(>wdog, timer_margin, >dev) < 0)
- wdev->wdog.timeout = TIMER_MARGIN_DEFAULT;
+ watchdog_init_timeout(>wdog, timer_margin, >dev);
 watchdog_set_nowayout(>wdog, nowayout);
-- 2.15.1
[PATCH 4/4] watchdog: lpc18xx: remove assignment of unused ret-value
Signed-off-by: Marcus Folkesson
---
 drivers/watchdog/lpc18xx_wdt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/watchdog/lpc18xx_wdt.c b/drivers/watchdog/lpc18xx_wdt.c
index b4221f43cd94..331cadb459ac 100644
--- a/drivers/watchdog/lpc18xx_wdt.c
+++ b/drivers/watchdog/lpc18xx_wdt.c
@@ -265,7 +265,7 @@ static int lpc18xx_wdt_probe(struct platform_device *pdev)
 lpc18xx_wdt->wdt_dev.parent = dev;
 watchdog_set_drvdata(_wdt->wdt_dev, lpc18xx_wdt);
- ret = watchdog_init_timeout(_wdt->wdt_dev, heartbeat, dev);
+ watchdog_init_timeout(_wdt->wdt_dev, heartbeat, dev);
 __lpc18xx_wdt_set_timeout(lpc18xx_wdt);
-- 2.15.1
[PATCH 3/4] watchdog: gpio: change order for setting default timeout
watchdog_init_timeout() will preserve wdd->timeout value if no parameter nor timeout-secs dt property is set. Signed-off-by: Marcus Folkesson
---
 drivers/watchdog/gpio_wdt.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/watchdog/gpio_wdt.c b/drivers/watchdog/gpio_wdt.c
index cb66c2f99ff1..d0e8203f7a60 100644
--- a/drivers/watchdog/gpio_wdt.c
+++ b/drivers/watchdog/gpio_wdt.c
@@ -156,9 +156,9 @@ static int gpio_wdt_probe(struct platform_device *pdev)
 priv->wdd.min_timeout = SOFT_TIMEOUT_MIN;
 priv->wdd.max_hw_heartbeat_ms = hw_margin;
 priv->wdd.parent= >dev;
+ priv->wdd.timeout = SOFT_TIMEOUT_DEF;
- if (watchdog_init_timeout(>wdd, 0, >dev) < 0)
- priv->wdd.timeout = SOFT_TIMEOUT_DEF;
+ watchdog_init_timeout(>wdd, 0, >dev);
 watchdog_stop_on_reboot(>wdd);
-- 2.15.1
[PATCH v2 4/6] X86/nVMX: Properly set spec_ctrl and pred_cmd before merging MSRs
From: KarimAllah AhmedThese two variables should check whether SPEC_CTRL and PRED_CMD are supposed to be passed through to L2 guests or not. While msr_write_intercepted_l01 would return 'true' if it is not passed through. So just invert the result of msr_write_intercepted_l01 to implement the correct semantics. Fixes: 086e7d4118cc ("KVM: VMX: Allow direct access to MSR_IA32_SPEC_CTRL") Signed-off-by: KarimAllah Ahmed Signed-off-by: David Woodhouse Reviewed-by: Jim Mattson Cc: Paolo Bonzini Cc: Radim Krčmář Cc: k...@vger.kernel.org Cc: linux-kernel@vger.kernel.org
---
 arch/x86/kvm/vmx.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
index bee4c49..599179b 100644
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -10219,8 +10219,8 @@ static inline bool nested_vmx_merge_msr_bitmap(struct kvm_vcpu *vcpu,
 *updated to reflect this when L1 (or its L2s) actually write to
 *the MSR.
 */
- bool pred_cmd = msr_write_intercepted_l01(vcpu, MSR_IA32_PRED_CMD);
- bool spec_ctrl = msr_write_intercepted_l01(vcpu, MSR_IA32_SPEC_CTRL);
+ bool pred_cmd = !msr_write_intercepted_l01(vcpu, MSR_IA32_PRED_CMD);
+ bool spec_ctrl = !msr_write_intercepted_l01(vcpu, MSR_IA32_SPEC_CTRL);
 if (!nested_cpu_has_virt_x2apic_mode(vmcs12) &&
 !pred_cmd && !spec_ctrl)
-- 2.7.4
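Review bot: The names `pred_cmd` and `spec_ctrl` in nested_vmx_merge_msr_bitmap() do not say which polarity they carry, and a polarity mistake is exactly what this commit corrects. A one-line comment above the two declarations would pin it down, for example `/* true when writes are not intercepted for L1, i.e. the MSR may be passed through to L2 */`. With that in place the early-exit test `!pred_cmd && !spec_ctrl` in the trailing context reads as "nothing to pass through". The function body starts and ends outside the hunk, so how the two flags are consumed further down is not visible here.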
[PATCH v2 2/6] Revert "x86/speculation: Simplify indirect_branch_prediction_barrier()"
This reverts commit 64e16720ea0879f8ab4547e3b9758936d483909b. We cannot call C functions like that, without marking all the call-clobbered registers as, well, clobbered. We might have got away with it for now because the __ibp_barrier() function was *fairly* unlikely to actually use any other registers. But no. Just no. Signed-off-by: David Woodhouse
---
 arch/x86/include/asm/nospec-branch.h | 13 + arch/x86/include/asm/processor.h | 3 --- arch/x86/kernel/cpu/bugs.c | 6 -- 3 files changed, 9 insertions(+), 13 deletions(-)
diff --git a/arch/x86/include/asm/nospec-branch.h b/arch/x86/include/asm/nospec-branch.h
index 4d57894..300cc15 100644
--- a/arch/x86/include/asm/nospec-branch.h
+++ b/arch/x86/include/asm/nospec-branch.h
@@ -164,10 +164,15 @@ static inline void vmexit_fill_RSB(void)
 static inline void indirect_branch_prediction_barrier(void)
 {
- alternative_input("",
- "call __ibp_barrier",
- X86_FEATURE_USE_IBPB,
- ASM_NO_INPUT_CLOBBER("eax", "ecx", "edx", "memory"));
+ asm volatile(ALTERNATIVE("",
+"movl %[msr], %%ecx\n\t"
+"movl %[val], %%eax\n\t"
+"movl $0, %%edx\n\t"
+"wrmsr",
+X86_FEATURE_USE_IBPB)
+: : [msr] "i" (MSR_IA32_PRED_CMD),
+[val] "i" (PRED_CMD_IBPB)
+: "eax", "ecx", "edx", "memory");
 }
 #endif /* __ASSEMBLY__ */
diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h
index 513f960..99799fb 100644
--- a/arch/x86/include/asm/processor.h
+++ b/arch/x86/include/asm/processor.h
@@ -969,7 +969,4 @@ bool xen_set_default_idle(void);
 void stop_this_cpu(void *dummy);
 void df_debug(struct pt_regs *regs, long error_code);
-
-void __ibp_barrier(void);
-
 #endif /* _ASM_X86_PROCESSOR_H */
diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index 71949bf..61152aa 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
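Review bot: The restored inline asm in indirect_branch_prediction_barrier() (nospec-branch.h hunk) carries no comment saying why the WRMSR is open-coded, and the commit being reverted shows how tempting it is to fold it into a call. A short comment above the `asm volatile` would record the constraint, for example `/* Open-coded: a patched-in call to a C function would need every call-clobbered register declared as clobbered */`. It is also worth noting there that `edx` is zeroed because WRMSR takes its value from EDX:EAX, so the three `movl` lines and the clobber list stay in step if the sequence is edited later.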
@@ -337,9 +337,3 @@ ssize_t cpu_show_spectre_v2(struct device *dev,
 spectre_v2_module_string());
 }
 #endif
-
-void __ibp_barrier(void)
-{
- __wrmsr(MSR_IA32_PRED_CMD, PRED_CMD_IBPB, 0);
-}
-EXPORT_SYMBOL_GPL(__ibp_barrier);
-- 2.7.4
[PATCH v2 0/6] Spectre v2 updates
Using retpoline ensures the kernel is safe because it doesn't contain any indirect branches, but firmware still can — and we make calls into firmware at runtime. Where the IBRS microcode support is available, use that before calling into firmware. While doing that, I noticed that we were calling C functions without telling the compiler about the call-clobbered registers. Stop that. This also contains the always_inline fix for the performance problem introduced by retpoline in KVM code, and fixes some other issues with the per-vCPU KVM handling for the SPEC_CTRL MSR. Finally, update the microcode blacklist to reflect the latest information from Intel. v2: Drop IBRS_ALL patch for the time being Add KVM MSR fixes (karahmed) Update microcode blacklist David Woodhouse (4): x86/speculation: Update Speculation Control microcode blacklist Revert "x86/speculation: Simplify indirect_branch_prediction_barrier()" KVM: x86: Reduce retpoline performance impact in slot_handle_level_range() x86/speculation: Use IBRS if available before calling into firmware KarimAllah Ahmed (2): X86/nVMX: Properly set spec_ctrl and pred_cmd before merging MSRs KVM/nVMX: Set the CPU_BASED_USE_MSR_BITMAPS if we have a valid L02 MSR bitmap arch/x86/include/asm/apm.h | 6 ++ arch/x86/include/asm/cpufeatures.h | 1 + arch/x86/include/asm/efi.h | 17 +++-- arch/x86/include/asm/nospec-branch.h | 32 arch/x86/include/asm/processor.h | 3 --- arch/x86/kernel/cpu/bugs.c | 18 +++--- arch/x86/kernel/cpu/intel.c | 4 arch/x86/kvm/mmu.c | 10 +- arch/x86/kvm/vmx.c | 7 --- drivers/watchdog/hpwdt.c | 3 +++ 10 files changed, 73 insertions(+), 28 deletions(-) -- 2.7.4
[PATCH v2 1/6] x86/speculation: Update Speculation Control microcode blacklist
Intel have retroactively blessed the 0xc2 microcode on Skylake mobile and desktop parts, and the Gemini Lake 0x22 microcode is apparently fine too. We blacklisted the latter purely because it was present with all the other problematic ones in the 2018-01-08 release, but now it's explicitly listed as OK. We still list 0x84 for the various Kaby Lake / Coffee Lake parts, as that appeared in one version of the blacklist and then reverted to 0x80 again. We can change it if 0x84 is actually announced to be safe. Signed-off-by: David Woodhouse
---
 arch/x86/kernel/cpu/intel.c | 4 1 file changed, 4 deletions(-)
diff --git a/arch/x86/kernel/cpu/intel.c b/arch/x86/kernel/cpu/intel.c
index 319bf98..f73b814 100644
--- a/arch/x86/kernel/cpu/intel.c
+++ b/arch/x86/kernel/cpu/intel.c
@@ -123,8 +123,6 @@ static const struct sku_microcode spectre_bad_microcodes[] = {
 { INTEL_FAM6_KABYLAKE_MOBILE, 0x09, 0x84 },
 { INTEL_FAM6_SKYLAKE_X, 0x03, 0x0100013e },
 { INTEL_FAM6_SKYLAKE_X, 0x04, 0x023c },
- { INTEL_FAM6_SKYLAKE_MOBILE,0x03, 0xc2 },
- { INTEL_FAM6_SKYLAKE_DESKTOP, 0x03, 0xc2 },
 { INTEL_FAM6_BROADWELL_CORE,0x04, 0x28 },
 { INTEL_FAM6_BROADWELL_GT3E,0x01, 0x1b },
 { INTEL_FAM6_BROADWELL_XEON_D, 0x02, 0x14 },
@@ -136,8 +134,6 @@ static const struct sku_microcode spectre_bad_microcodes[] = {
 { INTEL_FAM6_HASWELL_X, 0x02, 0x3b },
 { INTEL_FAM6_HASWELL_X, 0x04, 0x10 },
 { INTEL_FAM6_IVYBRIDGE_X, 0x04, 0x42a },
- /* Updated in the 20180108 release; blacklist until we know otherwise */
- { INTEL_FAM6_ATOM_GEMINI_LAKE, 0x01, 0x22 },
 /* Observed in the wild */
 { INTEL_FAM6_SANDYBRIDGE_X, 0x06, 0x61b },
 { INTEL_FAM6_SANDYBRIDGE_X, 0x07, 0x712 },
-- 2.7.4
Re: [PATCH] seq_file: remove redundant assignment of index to m->index
On Sat, Feb 10, 2018 at 10:04:23AM -0800, Joe Perches wrote: > > @@ -120,14 +120,12 @@ static int traverse(struct seq_file *m, loff_t offset) > > if (pos + m->count > offset) { > > m->from = offset - pos; > > m->count -= m->from; > > -m->index = index; > > break; > > } > > pos += m->count; > > m->count = 0; > > if (pos == offset) { > > index++; > > -m->index = index; > > break; > > } > > p = m->op->next(m, p, ); > > Of course this looks correct, but how > are you _absolutely sure_ about this? > > Perhaps the m->op->stop(m, p) call below > the break, which takes m as an argument, > needs an updated m->index. Not only that, but ->next might also look at m->index. This is not performance critical; don't try to optimise it. Programmers waste enormous amounts of time thinking about, or worrying about, the speed of noncritical parts of their programs, and these attempts at efficiency actually have a strong negative impact when debugging and maintenance are considered. We should forget about small efficiencies, say about 97% of the time: premature optimization is the root of all evil. Yet we should not pass up our opportunities in that critical 3%. -- Donald Knuth
[PATCH v3 1/3] KVM: Introduce dedicated vCPUs hint KVM_HINTS_DEDICATED
From: Wanpeng LiThis patch introduces dedicated vCPUs hint KVM_HINTS_DEDICATED, guest checks this feature bit to determine if they run on dedicated vCPUs, allowing optimizations. Cc: Paolo Bonzini Cc: Radim Krčmář Cc: Eduardo Habkost Signed-off-by: Wanpeng Li --- Documentation/virtual/kvm/cpuid.txt | 12 +++- arch/mips/include/asm/kvm_para.h | 5 + arch/powerpc/include/asm/kvm_para.h | 5 + arch/s390/include/asm/kvm_para.h | 5 + arch/x86/include/asm/kvm_para.h | 6 ++ arch/x86/include/uapi/asm/kvm_para.h | 8 ++-- arch/x86/kernel/kvm.c| 5 + include/asm-generic/kvm_para.h | 5 + include/linux/kvm_para.h | 5 + 9 files changed, 53 insertions(+), 3 deletions(-) diff --git a/Documentation/virtual/kvm/cpuid.txt b/Documentation/virtual/kvm/cpuid.txt index dcab6dc..e283b88 100644 --- a/Documentation/virtual/kvm/cpuid.txt +++ b/Documentation/virtual/kvm/cpuid.txt @@ -23,7 +23,7 @@ This function queries the presence of KVM cpuid leafs. function: define KVM_CPUID_FEATURES (0x4001) -returns : ebx, ecx, edx = 0 +returns : ebx, ecx eax = and OR'ed group of (1 << flag), where each flags is: @@ -62,3 +62,13 @@ KVM_FEATURE_CLOCKSOURCE_STABLE_BIT ||24 || host will warn if no guest-side || || per-cpu warps are expected in || || kvmclock. -- + + edx = and OR'ed group of (1 << flag), where each flags is: + + +flag || value || meaning + +KVM_HINTS_DEDICATED|| 0 || guest checks this feature bit + || || to determine if they run on dedicated + || || vCPUs, allowing optimizations +- diff --git a/arch/mips/include/asm/kvm_para.h b/arch/mips/include/asm/kvm_para.h index 60b1aa0..bd1f4ee 100644 --- a/arch/mips/include/asm/kvm_para.h +++ b/arch/mips/include/asm/kvm_para.h @@ -94,6 +94,11 @@ static inline unsigned int kvm_arch_para_features(void) return 0; } +static inline unsigned int kvm_arch_hint_features(void) +{ + return 0; +} + #ifdef CONFIG_MIPS_PARAVIRT static inline bool kvm_para_available(void) { 
diff --git a/arch/powerpc/include/asm/kvm_para.h b/arch/powerpc/include/asm/kvm_para.h index 336a91a..8e58c00 100644 --- a/arch/powerpc/include/asm/kvm_para.h +++ b/arch/powerpc/include/asm/kvm_para.h @@ -61,6 +61,11 @@ static inline unsigned int kvm_arch_para_features(void) return r; } +static inline unsigned int kvm_arch_hint_features(void) +{ + return 0; +} + static inline bool kvm_check_and_clear_guest_paused(void) { return false; diff --git a/arch/s390/include/asm/kvm_para.h b/arch/s390/include/asm/kvm_para.h index 74eeec9..b2c935c 100644 --- a/arch/s390/include/asm/kvm_para.h +++ b/arch/s390/include/asm/kvm_para.h @@ -193,6 +193,11 @@ static inline unsigned int kvm_arch_para_features(void) return 0; } +static inline unsigned int kvm_arch_hint_features(void) +{ + return 0; +} + static inline bool kvm_check_and_clear_guest_paused(void) { return false; diff --git a/arch/x86/include/asm/kvm_para.h b/arch/x86/include/asm/kvm_para.h index 7b407dd..2c7d368 100644 --- a/arch/x86/include/asm/kvm_para.h +++ b/arch/x86/include/asm/kvm_para.h @@ -88,6 +88,7 @@ static inline long kvm_hypercall4(unsigned int nr, unsigned long p1, #ifdef CONFIG_KVM_GUEST bool kvm_para_available(void); unsigned int kvm_arch_para_features(void); +unsigned int kvm_arch_hint_features(void); void kvm_async_pf_task_wait(u32 token, int interrupt_kernel); void kvm_async_pf_task_wake(u32 token); u32 kvm_read_and_reset_pf_reason(void); @@ -115,6 +116,11 @@ static inline unsigned int kvm_arch_para_features(void) return 0; } +static inline unsigned int kvm_arch_hint_features(void) +{ + return 0; +} + static inline u32 kvm_read_and_reset_pf_reason(void) { return 0; diff --git a/arch/x86/include/uapi/asm/kvm_para.h b/arch/x86/include/uapi/asm/kvm_para.h index 7a2ade4..e8f5dfb 100644 --- a/arch/x86/include/uapi/asm/kvm_para.h +++ b/arch/x86/include/uapi/asm/kvm_para.h 
@@ -10,8 +10,10 @@ */ #define KVM_CPUID_SIGNATURE0x4000 -/* This CPUID returns a feature bitmap in eax. Before enabling a particular - * paravirtualization, the appropriate feature bit should be checked. +/* This CPUID returns two feature bitmaps in eax, edx. Before enabling + * a particular paravirtualization, the appropriate feature bit should + * be checked in eax. The performance hint
[PATCH v3 3/3] KVM: X86: Don't use PV TLB flush with dedicated vCPUs and steal time disabled
From: Wanpeng LivCPUs are very unlikely to get preempted when they are the only task running on a CPU. PV TLB flush is slower that the native flush in that case. In addition, avoid traversing all the cpus for pv tlb flush when steal time is disabled since pv tlb flush depends on the field in steal time for shared data. Cc: Paolo Bonzini Cc: Radim Krčmář Cc: Eduardo Habkost Signed-off-by: Wanpeng Li
---
 arch/x86/kernel/kvm.c | 8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/arch/x86/kernel/kvm.c b/arch/x86/kernel/kvm.c
index c5566d9..285822f 100644
--- a/arch/x86/kernel/kvm.c
+++ b/arch/x86/kernel/kvm.c
@@ -545,7 +545,9 @@ static void __init kvm_guest_init(void)
 pv_time_ops.steal_clock = kvm_steal_clock;
 }
- if (kvm_para_has_feature(KVM_FEATURE_PV_TLB_FLUSH))
+ if (kvm_para_has_feature(KVM_FEATURE_PV_TLB_FLUSH) &&
+ !kvm_para_has_feature(KVM_HINTS_DEDICATED) &&
+ !kvm_para_has_feature(KVM_FEATURE_STEAL_TIME))
 pv_mmu_ops.flush_tlb_others = kvm_flush_tlb_others;
 if (kvm_para_has_feature(KVM_FEATURE_PV_EOI))
@@ -638,7 +640,9 @@ static __init int kvm_setup_pv_tlb_flush(void)
 {
 int cpu;
- if (kvm_para_has_feature(KVM_FEATURE_PV_TLB_FLUSH)) {
+ if (kvm_para_has_feature(KVM_FEATURE_PV_TLB_FLUSH) &&
+ !kvm_para_has_feature(KVM_HINTS_DEDICATED) &&
+ !kvm_para_has_feature(KVM_FEATURE_STEAL_TIME)) {
 for_each_possible_cpu(cpu) {
 zalloc_cpumask_var_node(per_cpu_ptr(&__pv_tlb_mask, cpu),
 GFP_KERNEL, cpu_to_node(cpu));
-- 2.7.4
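Review bot: Both new conditions, in kvm_guest_init() and in kvm_setup_pv_tlb_flush(), test `KVM_HINTS_DEDICATED` with `kvm_para_has_feature()`, whereas patch 2/3 of this series tests the same hint with `kvm_hint_has_feature()` and patch 1/3 documents it as bit 0 of the edx hint bitmap. If `kvm_para_has_feature()` reads the eax feature bitmap, as its name suggests, bit 0 there is an unrelated feature and the hint is never consulted. The steal-time test also looks inverted: the description says PV TLB flush depends on the steal-time shared data and should be avoided when steal time is disabled, yet `!kvm_para_has_feature(KVM_FEATURE_STEAL_TIME)` enables it only when steal time is absent. I would expect `!kvm_hint_has_feature(KVM_HINTS_DEDICATED) &&` followed by `kvm_para_has_feature(KVM_FEATURE_STEAL_TIME))` in both places. Both functions continue outside their hunks.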
[PATCH v3 2/3] KVM: X86: Choose qspinlock when dedicated vCPUs available
From: Wanpeng LiWaiman Long mentioned that: Generally speaking, unfair lock performs well for VMs with a small number of vCPUs. Native qspinlock may perform better than pvqspinlock if there is vCPU pinning and there is no vCPU over-commitment. This patch uses a KVM_HINTS_DEDICATED performance hint to allow hypervisor admin to choose the qspinlock to be used when a dedicated vCPU is available. PV_DEDICATED = 1, PV_UNHALT = anything: default is qspinlock PV_DEDICATED = 0, PV_UNHALT = 1: default is Hybrid PV queued/unfair lock PV_DEDICATED = 0, PV_UNHALT = 0: default is tas Cc: Paolo Bonzini Cc: Radim Krčmář Cc: Eduardo Habkost Signed-off-by: Wanpeng Li
---
 arch/x86/kernel/kvm.c | 5 + 1 file changed, 5 insertions(+)
diff --git a/arch/x86/kernel/kvm.c b/arch/x86/kernel/kvm.c
index 77a0723..c5566d9 100644
--- a/arch/x86/kernel/kvm.c
+++ b/arch/x86/kernel/kvm.c
@@ -733,6 +733,11 @@ void __init kvm_spinlock_init(void)
 if (!kvm_para_has_feature(KVM_FEATURE_PV_UNHALT))
 return;
+ if (kvm_hint_has_feature(KVM_HINTS_DEDICATED)) {
+ static_branch_disable(_spin_lock_key);
+ return;
+ }
+
 __pv_init_lock_hash();
 pv_lock_ops.queued_spin_lock_slowpath = __pv_queued_spin_lock_slowpath;
 pv_lock_ops.queued_spin_unlock = PV_CALLEE_SAVE(__pv_queued_spin_unlock);
-- 2.7.4
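Review bot: The new `KVM_HINTS_DEDICATED` test sits after the `if (!kvm_para_has_feature(KVM_FEATURE_PV_UNHALT)) return;` shown in the leading context, so a guest with the hint set but without PV_UNHALT returns before `static_branch_disable()` is reached. That does not match the table in the description, which promises native qspinlock for "PV_DEDICATED = 1, PV_UNHALT = anything". Moving the hint test above the PV_UNHALT test would make the code agree with the description. kvm_spinlock_init() starts before the hunk, so any earlier return is not visible here.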
Re: Kconfig:12: can't open file "arch/powerpc64/Kconfig"
Hi test robot, 2018-02-11 12:41 GMT+09:00 kbuild test robot: > tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git > master > head: d48fcbd864a008802a90c58a9ceddd9436d11a49 > commit: 9e3e10c725360b9d07018cfcd5b7b6b7d325fae5 kconfig: send error messages > to stderr > date: 2 days ago > config: powerpc64-defconfig > compiler: powerpc64-linux-gcc (GCC) 7.2.0 > reproduce: > wget > https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O > ~/bin/make.cross > chmod +x ~/bin/make.cross > git checkout 9e3e10c725360b9d07018cfcd5b7b6b7d325fae5 > make.cross ARCH=powerpc64 defconfig > make.cross ARCH=powerpc64 I think this test setting is weird. With the following error, it is pointless to test this. > Makefile:499: arch/powerpc64/Makefile: No such file or directory arch/powerpc64/ does not exist in the first place. If you really want to give ARCH=powerpc64, you need to add something like follows in the top Makefile (but I doubt this is the right thing to do) ifeq ($(ARCH),powerpc64) SRCARCH := powerpc endif Could you check your test setting, please? > All errors (new ones prefixed by >>): > >Makefile:499: arch/powerpc64/Makefile: No such file or directory >make[1]: *** No rule to make target 'arch/powerpc64/Makefile'. >make[1]: Failed to remake makefile 'arch/powerpc64/Makefile'. >>> Kconfig:12: can't open file "arch/powerpc64/Kconfig" >make[2]: *** [defconfig] Error 1 >make[1]: *** [defconfig] Error 2 >make: *** [sub-make] Error 2 > -- >Makefile:499: arch/powerpc64/Makefile: No such file or directory >make[1]: *** No rule to make target 'arch/powerpc64/Makefile'. >make[1]: Failed to remake makefile 'arch/powerpc64/Makefile'. >>> Kconfig:12: can't open file "arch/powerpc64/Kconfig" >make[2]: *** [oldconfig] Error 1 >make[1]: *** [oldconfig] Error 2 >make: *** [sub-make] Error 2 > -- >Makefile:499: arch/powerpc64/Makefile: No such file or directory >make[1]: *** No rule to make target 'arch/powerpc64/Makefile'. 
>make[1]: Failed to remake makefile 'arch/powerpc64/Makefile'. >>> Kconfig:12: can't open file "arch/powerpc64/Kconfig" >make[2]: *** [olddefconfig] Error 1 >make[2]: Target 'oldnoconfig' not remade because of errors. >make[1]: *** [oldnoconfig] Error 2 >make: *** [sub-make] Error 2 > > vim +12 Kconfig > > 838a2e55 Arnaud Lacombe 2010-09-04 7 > 838a2e55 Arnaud Lacombe 2010-09-04 8 config SRCARCH > 838a2e55 Arnaud Lacombe 2010-09-04 9 string > 838a2e55 Arnaud Lacombe 2010-09-04 10 option env="SRCARCH" > 838a2e55 Arnaud Lacombe 2010-09-04 11 > 838a2e55 Arnaud Lacombe 2010-09-04 @12 source "arch/$SRCARCH/Kconfig" > > :: The code at line 12 was first introduced by commit > :: 838a2e55e6a4e9e8a10451ed2ef0f7a08dabdb04 kbuild: migrate all arch to > the kconfig mainmenu upgrade > > :: TO: Arnaud Lacombe > :: CC: Arnaud Lacombe > > --- > 0-DAY kernel test infrastructureOpen Source Technology Center > https://lists.01.org/pipermail/kbuild-all Intel Corporation -- Best Regards Masahiro Yamada
[PATCH 3.16 083/136] sctp: Fixup v4mapped behaviour to comply with Sock API
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Jason Gunthorpecommit 299ee123e19889d511092347f5fc14db0f10e3a6 upstream. The SCTP socket extensions API document describes the v4mapping option as follows: 8.1.15. Set/Clear IPv4 Mapped Addresses (SCTP_I_WANT_MAPPED_V4_ADDR) This socket option is a Boolean flag which turns on or off the mapping of IPv4 addresses. If this option is turned on, then IPv4 addresses will be mapped to V6 representation. If this option is turned off, then no mapping will be done of V4 addresses and a user will receive both PF_INET6 and PF_INET type addresses on the socket. See [RFC3542] for more details on mapped V6 addresses. This description isn't really in line with what the code does though. Introduce addr_to_user (renamed addr_v4map), which should be called before any sockaddr is passed back to user space. The new function places the sockaddr into the correct format depending on the SCTP_I_WANT_MAPPED_V4_ADDR option. Audit all places that touched v4mapped and either sanely construct a v4 or v6 address then call addr_to_user, or drop the unnecessary v4mapped check entirely. Audit all places that call addr_to_user and verify they are on a sycall return path. Add a custom getname that formats the address properly. Several bugs are addressed: - SCTP_I_WANT_MAPPED_V4_ADDR=0 often returned garbage for addresses to user space - The addr_len returned from recvmsg was not correct when returning AF_INET on a v6 socket - flowlabel and scope_id were not zerod when promoting a v4 to v6 - Some syscalls like bind and connect behaved differently depending on v4mapped Tested bind, getpeername, getsockname, connect, and recvmsg for proper behaviour in v4mapped = 1 and 0 cases. Signed-off-by: Neil Horman Tested-by: Jason Gunthorpe Signed-off-by: Jason Gunthorpe Signed-off-by: David S. Miller 
Signed-off-by: Ben Hutchings --- include/net/sctp/sctp.h| 2 + include/net/sctp/structs.h | 8 +-- net/sctp/ipv6.c| 156 - net/sctp/protocol.c| 12 ++-- net/sctp/socket.c | 33 +- net/sctp/transport.c | 4 +- net/sctp/ulpevent.c| 2 +- 7 files changed, 112 insertions(+), 105 deletions(-) --- a/include/net/sctp/sctp.h +++ b/include/net/sctp/sctp.h @@ -583,6 +583,8 @@ static inline void sctp_v6_map_v4(union static inline void sctp_v4_map_v6(union sctp_addr *addr) { addr->v6.sin6_family = AF_INET6; + addr->v6.sin6_flowinfo = 0; + addr->v6.sin6_scope_id = 0; addr->v6.sin6_port = addr->v4.sin_port; addr->v6.sin6_addr.s6_addr32[3] = addr->v4.sin_addr.s_addr; addr->v6.sin6_addr.s6_addr32[0] = 0; --- a/include/net/sctp/structs.h +++ b/include/net/sctp/structs.h @@ -465,10 +465,6 @@ struct sctp_af { int saddr); void(*from_sk) (union sctp_addr *, struct sock *sk); - void(*to_sk_saddr) (union sctp_addr *, -struct sock *sk); - void(*to_sk_daddr) (union sctp_addr *, -struct sock *sk); void(*from_addr_param) (union sctp_addr *, union sctp_addr_param *, __be16 port, int iif); @@ -509,7 +505,9 @@ struct sctp_pf { int (*supported_addrs)(const struct sctp_sock *, __be16 *); struct sock *(*create_accept_sk) (struct sock *sk, struct sctp_association *asoc); - void (*addr_v4map) (struct sctp_sock *, union sctp_addr *); + int (*addr_to_user)(struct sctp_sock *sk, union sctp_addr *addr); + void (*to_sk_saddr)(union sctp_addr *, struct sock *sk); + void (*to_sk_daddr)(union sctp_addr *, struct sock *sk); struct sctp_af *af; }; --- a/net/sctp/ipv6.c +++ b/net/sctp/ipv6.c @@ -434,7 +434,7 @@ static void sctp_v6_from_sk(union sctp_a /* Initialize sk->sk_rcv_saddr from sctp_addr. */ static void sctp_v6_to_sk_saddr(union sctp_addr *addr, struct sock *sk) { - if (addr->sa.sa_family == AF_INET && sctp_sk(sk)->v4mapped) { + if (addr->sa.sa_family == AF_INET) { sk->sk_v6_rcv_saddr.s6_addr32[0] = 0; sk->sk_v6_rcv_saddr.s6_addr32[1] = 0; sk->sk_v6_rcv_saddr.s6_addr32[2] = htonl(0x); 
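Review bot: In sctp_v4_map_v6() (sctp.h hunk) the added `addr->v6.sin6_flowinfo = 0;` runs before `addr->v4.sin_addr.s_addr` is copied into `s6_addr32[3]`, and both views belong to the same `union sctp_addr`. Assuming `v4` and `v6` are a `struct sockaddr_in` and a `struct sockaddr_in6`, `sin6_flowinfo` occupies the same bytes as `sin_addr`, so the IPv4 address is zeroed before it is read and every mapped address comes out with an all-zero IPv4 part. The v4 fields should be copied first and the v6-only fields cleared afterwards: move the two added lines below `addr->v6.sin6_addr.s6_addr32[3] = addr->v4.sin_addr.s_addr;`. The rest of the function is outside the hunk.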
@@ -448,7 +448,7 @@ static void sctp_v6_to_sk_saddr(union sc /* Initialize sk->sk_daddr from sctp_addr. */ static void sctp_v6_to_sk_daddr(union sctp_addr *addr, struct sock *sk) { - if (addr->sa.sa_family == AF_INET &&
[PATCH 3.16 088/136] KVM: vmx: Inject #GP on invalid PAT CR
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Nadav Amitcommit 4566654bb9be9e8864df417bb72ceee5136b6a6a upstream. Guest which sets the PAT CR to invalid value should get a #GP. Currently, if vmx supports loading PAT CR during entry, then the value is not checked. This patch makes the required check in that case. Signed-off-by: Nadav Amit Signed-off-by: Paolo Bonzini Signed-off-by: Ben Hutchings
---
 arch/x86/kvm/vmx.c | 2 ++ arch/x86/kvm/x86.c | 5 +++-- arch/x86/kvm/x86.h | 2 ++ 3 files changed, 7 insertions(+), 2 deletions(-)
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -2599,6 +2599,8 @@ static int vmx_set_msr(struct kvm_vcpu *
 break;
 case MSR_IA32_CR_PAT:
 if (vmcs_config.vmentry_ctrl & VM_ENTRY_LOAD_IA32_PAT) {
+ if (!kvm_mtrr_valid(vcpu, MSR_IA32_CR_PAT, data))
+ return 1;
 vmcs_write64(GUEST_IA32_PAT, data);
 vcpu->arch.pat = data;
 break;
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -1742,7 +1742,7 @@ static bool valid_mtrr_type(unsigned t)
 return t < 8 && (1 << t) & 0x73; /* 0, 1, 4, 5, 6 */
 }
-static bool mtrr_valid(struct kvm_vcpu *vcpu, u32 msr, u64 data)
+bool kvm_mtrr_valid(struct kvm_vcpu *vcpu, u32 msr, u64 data)
 {
 int i;
@@ -1768,12 +1768,13 @@ static bool mtrr_valid(struct kvm_vcpu *
 /* variable MTRRs */
 return valid_mtrr_type(data & 0xff);
 }
+EXPORT_SYMBOL_GPL(kvm_mtrr_valid);
 static int set_msr_mtrr(struct kvm_vcpu *vcpu, u32 msr, u64 data)
 {
 u64 *p = (u64 *)>arch.mtrr_state.fixed_ranges;
- if (!mtrr_valid(vcpu, msr, data))
+ if (!kvm_mtrr_valid(vcpu, msr, data))
 return 1;
 if (msr == MSR_MTRRdefType) {
--- a/arch/x86/kvm/x86.h
+++ b/arch/x86/kvm/x86.h
@@ -132,6 +132,8 @@ int kvm_write_guest_virt_system(struct x
 gva_t addr, void *val, unsigned int bytes,
 struct x86_exception *exception);
+bool kvm_mtrr_valid(struct kvm_vcpu *vcpu, u32 msr, u64 data);
+
 #define KVM_SUPPORTED_XCR0 (XSTATE_FP | XSTATE_SSE | XSTATE_YMM \
 | XSTATE_BNDREGS | XSTATE_BNDCSR)
 extern u64 host_xcr0;
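Review bot: The new check in vmx_set_msr() hands `MSR_IA32_CR_PAT` to a helper whose name and visible tail (`/* variable MTRRs */` followed by `return valid_mtrr_type(data & 0xff);`) speak only of MTRRs, and the branch that validates the PAT layout is not in any hunk. A reader of the now-exported `kvm_mtrr_valid()` therefore cannot tell that PAT is part of its contract. A comment at the prototype in x86.h would make that explicit, for example `/* Returns true if data is a legal value for the given MTRR MSR or for MSR_IA32_CR_PAT */`, with the wording confirmed against the function body. It would also help to note beside the added `return 1;` that a non-zero return is what leads to the #GP named in the subject, since the hunk does not show that path.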
[PATCH 3.16 073/136] s390: fix transactional execution control register handling
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- 
From: Heiko Carstenscommit a1c5befc1c24eb9c1ee83f711e0f21ee79cbb556 upstream. Dan Horák reported the following crash related to transactional execution: User process fault: interruption code 0013 ilc:3 in libpthread-2.26.so[3ff93c0+1b000] CPU: 2 PID: 1 Comm: /init Not tainted 4.13.4-300.fc27.s390x #1 Hardware name: IBM 2827 H43 400 (z/VM 6.4.0) task: fafc8000 task.stack: fafc4000 User PSW : 070520018000 03ff93c14e70 R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:1 AS:0 CC:2 PM:0 RI:0 EA:3 User GPRS: 0077 03ff 03ff93144d48 03ff93144d5e 0002 03ff 0418 03ffcc9fe770 03ff93d28f50 03ff9310acf0 03ff92b0319a 03ffcc9fe6d0 User Code: 03ff93c14e62: 60e0b030std %f14,48(%r11) 03ff93c14e66: 60f0b038std %f15,56(%r11) #03ff93c14e6a: e560ff0etbegin 0,65294 >03ff93c14e70: a7740006brc 7,3ff93c14e7c 03ff93c14e74: a708lhi %r0,0 03ff93c14e78: a7f40023brc 15,3ff93c14ebe 03ff93c14e7c: b222ipm %r0 03ff93c14e80: 881csrl %r0,28 There are several bugs with control register handling with respect to transactional execution: - on task switch update_per_regs() is only called if the next task has an mm (is not a kernel thread). This however is incorrect. This breaks e.g. for user mode helper handling, where the kernel creates a kernel thread and then execve's a user space program. Control register contents related to transactional execution won't be updated on execve. If the previous task ran with transactional execution disabled then the new task will also run with transactional execution disabled, which is incorrect. Therefore call update_per_regs() unconditionally within switch_to(). - on startup the transactional execution facility is not enabled for the idle thread. This is not really a bug, but an inconsistency to other facilities. Therefore enable the facility if it is available. - on fork the new thread's per_flags field is not cleared. This means that a child process inherits the PER_FLAG_NO_TE flag. This flag can be set with a ptrace request to disable transactional execution for the current process. 
It should not be inherited by new child processes in order to be consistent with the handling of all other PER related debugging options. Therefore clear the per_flags field in copy_thread_tls(). Reported-and-tested-by: Dan Horák Fixes: d35339a42dd1 ("s390: add support for transactional memory") Cc: Martin Schwidefsky Reviewed-by: Christian Borntraeger Reviewed-by: Hendrik Brueckner Signed-off-by: Heiko Carstens [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings --- arch/s390/include/asm/switch_to.h | 2 +- arch/s390/kernel/early.c | 4 +++- arch/s390/kernel/process.c| 1 + 3 files changed, 5 insertions(+), 2 deletions(-) --- a/arch/s390/include/asm/switch_to.h +++ b/arch/s390/include/asm/switch_to.h @@ -124,12 +124,12 @@ static inline void restore_access_regs(u save_access_regs(>thread.acrs[0]);\ save_ri_cb(prev->thread.ri_cb); \ } \ + update_cr_regs(next); \ if (next->mm) { \ restore_fp_ctl(>thread.fp_regs.fpc); \ restore_fp_regs(next->thread.fp_regs.fprs); \ restore_access_regs(>thread.acrs[0]); \ restore_ri_cb(next->thread.ri_cb, prev->thread.ri_cb); \ - update_cr_regs(next); \ } \ prev = __switch_to(prev,next); \ } while (0) --- a/arch/s390/kernel/early.c +++ b/arch/s390/kernel/early.c @@ -388,8 +388,10 @@ static __init void detect_machine_facili S390_lowcore.machine_flags |= MACHINE_FLAG_IDTE; if (test_facility(40)) S390_lowcore.machine_flags |= MACHINE_FLAG_LPP; - if (test_facility(50) && test_facility(73)) + if (test_facility(50) && test_facility(73)) { S390_lowcore.machine_flags |= MACHINE_FLAG_TE; + __ctl_set_bit(0, 55); + } if
Re: [RFC PATCH 4/7] kconfig: support new special property shell=
On Sat, Feb 10, 2018 at 8:13 PM, Kees Cook wrote: > > It's been there since the very beginning when Arjan added it to > validate that the compiler actually produces a stack protector when > you give it -fstack-protector. Older gccs broke this entirely, more > recent misconfigurations (as seen with some of Arnd's local gcc > builds) did similar, and there have been regressions in some versions > where gcc's x86 support flipped to the global canary instead of the > %gs-offset canary. Argh. I wanted to get rid of all that entirely, and simplify this all. The mentioned script (and bugzilla) was from 2006, I assumed this was all historical. But if it has broken again since, I guess we need to have a silly script. Grr. But yes, I also reacted to your earlier " It can't silently rewrite it to _REGULAR because the compiler support for _STRONG regressed." Because it damn well can. If the compiler doesn't support -fstack-protector-strong, we can just fall back on -fstack-protector. Silently. No extra crazy complex logic for that either. Linus
[PATCH 3.16 086/136] dm: discard support requires all targets in a table support discards
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Mike Snitzercommit 8a74d29d541cd86569139c6f3f44b2d210458071 upstream. A DM device with a mix of discard capabilities (due to some underlying devices not having discard support) _should_ just return -EOPNOTSUPP for the region of the device that doesn't support discards (even if only by way of the underlying driver formally not supporting discards). BUT, that does ask the underlying driver to handle something that it never advertised support for. In doing so we're exposing users to the potential for a underlying disk driver hanging if/when a discard is issued a the device that is incapable and never claimed to support discards. Fix this by requiring that each DM target in a DM table provide discard support as a prereq for a DM device to advertise support for discards. This may cause some configurations that were happily supporting discards (even in the face of a mix of discard support) to stop supporting discards -- but the risk of users hitting driver hangs, and forced reboots, outweighs supporting those fringe mixed discard configurations. Signed-off-by: Mike Snitzer [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings --- drivers/md/dm-table.c | 33 ++--- 1 file changed, 14 insertions(+), 19 deletions(-) --- a/drivers/md/dm-table.c +++ b/drivers/md/dm-table.c @@ -1643,12 +1643,12 @@ void dm_table_run_md_queue_async(struct } EXPORT_SYMBOL(dm_table_run_md_queue_async); -static int device_discard_capable(struct dm_target *ti, struct dm_dev *dev, - sector_t start, sector_t len, void *data) +static int device_not_discard_capable(struct dm_target *ti, struct dm_dev *dev, + sector_t start, sector_t len, void *data) { struct request_queue *q = bdev_get_queue(dev->bdev); - return q && blk_queue_discard(q); + return q && !blk_queue_discard(q); } bool dm_table_supports_discards(struct dm_table *t) 
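Review bot: In `device_not_discard_capable()` the inverted test `q && !blk_queue_discard(q)` returns 0 when `bdev_get_queue()` yields no queue, so a device without a request queue is no longer counted as lacking discard support, whereas the old `q && blk_queue_discard(q)` treated it as incapable. If a NULL queue can occur here, the callback should report it as not capable: `return !q || !blk_queue_discard(q);`. Whether `bdev_get_queue()` can return NULL for a table device is not visible in this hunk, so that needs confirming.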
@@ -1656,26 +1656,22 @@ bool dm_table_supports_discards(struct d struct dm_target *ti; unsigned i = 0; - /* -* Unless any target used by the table set discards_supported, -* require at least one underlying device to support discards. -* t->devices includes internal dm devices such as mirror logs -* so we need to use iterate_devices here, which targets -* supporting discard selectively must provide. -*/ while (i < dm_table_get_num_targets(t)) { ti = dm_table_get_target(t, i++); if (!ti->num_discard_bios) - continue; + return false; - if (ti->discards_supported) - return 1; - - if (ti->type->iterate_devices && - ti->type->iterate_devices(ti, device_discard_capable, NULL)) - return 1; + /* +* Either the target provides discard support (as implied by setting +* 'discards_supported') or it relies on _all_ data devices having +* discard support. +*/ + if (!ti->discards_supported && + (!ti->type->iterate_devices || +ti->type->iterate_devices(ti, device_not_discard_capable, NULL))) + return false; } - return 0; + return true; }
[PATCH 3.16 102/136] ARM: 8721/1: mm: dump: check hardware RO bit for LPAE
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Philip Derrincommit 3b0c0c922ff4be275a8beb87ce5657d16f355b54 upstream. When CONFIG_ARM_LPAE is set, the PMD dump relies on the software read-only bit to determine whether a page is writable. This concealed a bug which left the kernel text section writable (AP2=0) while marked read-only in the software bit. In a kernel with the AP2 bug, the dump looks like this: ---[ Kernel Mapping ]--- 0xc000-0xc020 2M RW NX SHD 0xc020-0xc060 4M ro x SHD 0xc060-0xc080 2M ro NX SHD 0xc080-0xc480 64M RW NX SHD The fix is to check that the software and hardware bits are both set before displaying "ro". The dump then shows the true perms: ---[ Kernel Mapping ]--- 0xc000-0xc020 2M RW NX SHD 0xc020-0xc060 4M RW x SHD 0xc060-0xc080 2M RW NX SHD 0xc080-0xc480 64M RW NX SHD Fixes: ded947798469 ("ARM: 8109/1: mm: Modify pte_write and pmd_write logic for LPAE") Signed-off-by: Philip Derrin Tested-by: Neil Dick Reviewed-by: Kees Cook Signed-off-by: Russell King Signed-off-by: Ben Hutchings --- arch/arm/mm/dump.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/arch/arm/mm/dump.c +++ b/arch/arm/mm/dump.c @@ -126,8 +126,8 @@ static const struct prot_bits section_bi .val= PMD_SECT_USER, .set= "USR", }, { - .mask = L_PMD_SECT_RDONLY, - .val= L_PMD_SECT_RDONLY, + .mask = L_PMD_SECT_RDONLY | PMD_SECT_AP2, + .val= L_PMD_SECT_RDONLY | PMD_SECT_AP2, .set= "ro", .clear = "RW", #elif __LINUX_ARM_ARCH__ >= 6
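Review bot: The `ro` entry in the LPAE branch of `section_bits` now tests two bits, but nothing next to it says why, so a later cleanup could drop `PMD_SECT_AP2` and hide a writable text mapping again. A one-line comment above `.mask` would record it, e.g. `/* "ro" only if both the software RDONLY bit and the hardware AP2 bit are set */`. Note also that a section with only one of the two bits set will presumably print "RW" like a fully writable one, so a software/hardware mismatch is not distinguishable in the dump; the matching code is outside the hunk, so this is inferred from the `.set`/`.clear` fields.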
[PATCH 3.16 081/136] ocfs2: should wait dio before inode lock in ocfs2_setattr()
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: alex chencommit 28f5a8a7c033cbf3e32277f4cc9c6afd74f05300 upstream. we should wait dio requests to finish before inode lock in ocfs2_setattr(), otherwise the following deadlock will happen: process 1 process 2process 3 truncate file 'A' end_io of writing file 'A' receiving the bast messages ocfs2_setattr ocfs2_inode_lock_tracker ocfs2_inode_lock_full inode_dio_wait __inode_dio_wait -->waiting for all dio requests finish dlm_proxy_ast_handler dlm_do_local_bast ocfs2_blocking_ast ocfs2_generic_handle_bast set OCFS2_LOCK_BLOCKED flag dio_end_io dio_bio_end_aio dio_complete ocfs2_dio_end_io ocfs2_dio_end_io_write ocfs2_inode_lock __ocfs2_cluster_lock ocfs2_wait_for_mask -->waiting for OCFS2_LOCK_BLOCKED flag to be cleared, that is waiting for 'process 1' unlocking the inode lock inode_dio_end -->here dec the i_dio_count, but will never be called, so a deadlock happened. Link: http://lkml.kernel.org/r/59f81636.70...@huawei.com Signed-off-by: Alex Chen Reviewed-by: Jun Piao Reviewed-by: Joseph Qi Acked-by: Changwei Ge Cc: Mark Fasheh Cc: Joel Becker Cc: Junxiao Bi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Ben Hutchings --- fs/ocfs2/file.c | 9 +++-- 1 file changed, 7 insertions(+), 2 deletions(-) --- a/fs/ocfs2/file.c +++ b/fs/ocfs2/file.c @@ -1152,6 +1152,13 @@ int ocfs2_setattr(struct dentry *dentry, dquot_initialize(inode); size_change = S_ISREG(inode->i_mode) && attr->ia_valid & ATTR_SIZE; if (size_change) { + /* +* Here we should wait dio to finish before inode lock +* to avoid a deadlock between ocfs2_setattr() and +* ocfs2_dio_end_io_write() +*/ + inode_dio_wait(inode); + status = ocfs2_rw_lock(inode, 1); if (status < 0) { mlog_errno(status); 
@@ -1171,8 +1178,6 @@ int ocfs2_setattr(struct dentry *dentry, if (status) goto bail_unlock; - inode_dio_wait(inode); - if (i_size_read(inode) >= attr->ia_size) { if (ocfs2_should_order_data(inode)) { status = ocfs2_begin_ordered_truncate(inode,
[PATCH 3.16 004/136] ipmi: fix unsigned long underflow
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Corey Minyardcommit 392a17b10ec4320d3c0e96e2a23ebaad1123b989 upstream. When I set the timeout to a specific value such as 500ms, the timeout event will not happen in time due to the overflow in function check_msg_timeout: ... ent->timeout -= timeout_period; if (ent->timeout > 0) return; ... The type of timeout_period is long, but ent->timeout is unsigned long. This patch makes the type consistent. Reported-by: Weilong Chen Signed-off-by: Corey Minyard Tested-by: Weilong Chen Signed-off-by: Ben Hutchings --- drivers/char/ipmi/ipmi_msghandler.c | 10 ++ 1 file changed, 6 insertions(+), 4 deletions(-) --- a/drivers/char/ipmi/ipmi_msghandler.c +++ b/drivers/char/ipmi/ipmi_msghandler.c @@ -4007,7 +4007,8 @@ smi_from_recv_msg(ipmi_smi_t intf, struc } static void check_msg_timeout(ipmi_smi_t intf, struct seq_table *ent, - struct list_head *timeouts, long timeout_period, + struct list_head *timeouts, + unsigned long timeout_period, int slot, unsigned long *flags, unsigned int *waiting_msgs) { @@ -4020,8 +4021,8 @@ static void check_msg_timeout(ipmi_smi_t if (!ent->inuse) return; - ent->timeout -= timeout_period; - if (ent->timeout > 0) { + if (timeout_period < ent->timeout) { + ent->timeout -= timeout_period; (*waiting_msgs)++; return; } @@ -4088,7 +4089,8 @@ static void check_msg_timeout(ipmi_smi_t } } -static unsigned int ipmi_timeout_handler(ipmi_smi_t intf, long timeout_period) +static unsigned int ipmi_timeout_handler(ipmi_smi_t intf, +unsigned long timeout_period) { struct list_head timeouts; struct ipmi_recv_msg *msg, *msg2;
[PATCH 3.16 121/136] ALSA: seq: Make ioctls race-free
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Takashi Iwaicommit b3defb791b26ea0683a93a4f49c77ec45ec96f10 upstream. The ALSA sequencer ioctls have no protection against racy calls while the concurrent operations may lead to interfere with each other. As reported recently, for example, the concurrent calls of setting client pool with a combination of write calls may lead to either the unkillable dead-lock or UAF. As a slightly big hammer solution, this patch introduces the mutex to make each ioctl exclusive. Although this may reduce performance via parallel ioctl calls, usually it's not demanded for sequencer usages, hence it should be negligible. Reported-by: Luo Quan Reviewed-by: Kees Cook Reviewed-by: Greg Kroah-Hartman Signed-off-by: Takashi Iwai [bwh: Backported to 3.16: ioctl dispatch is done from snd_seq_do_ioctl(); take the mutex and add ret variable there.] Signed-off-by: Ben Hutchings --- sound/core/seq/seq_clientmgr.c | 10 -- sound/core/seq/seq_clientmgr.h |1 + 2 files changed, 9 insertions(+), 2 deletions(-) --- a/sound/core/seq/seq_clientmgr.c +++ b/sound/core/seq/seq_clientmgr.c @@ -236,6 +236,7 @@ static struct snd_seq_client *seq_create rwlock_init(>ports_lock); mutex_init(>ports_mutex); INIT_LIST_HEAD(>ports_list_head); + mutex_init(>ioctl_mutex); /* find free slot in the client table */ spin_lock_irqsave(_lock, flags); @@ -2200,6 +2201,7 @@ static int snd_seq_do_ioctl(struct snd_s void __user *arg) { struct seq_ioctl_table *p; + int ret; switch (cmd) { case SNDRV_SEQ_IOCTL_PVERSION: @@ -2213,8 +2215,12 @@ static int snd_seq_do_ioctl(struct snd_s if (! arg) return -EFAULT; for (p = ioctl_tables; p->cmd; p++) { - if (p->cmd == cmd) - return p->func(client, arg); + if (p->cmd == cmd) { + mutex_lock(>ioctl_mutex); + ret = p->func(client, arg); + mutex_unlock(>ioctl_mutex); + return ret; + } } pr_debug("ALSA: seq unknown ioctl() 0x%x (type='%c', number=0x%02x)\n", cmd, _IOC_TYPE(cmd), _IOC_NR(cmd)); 
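Review bot: The new `ioctl_mutex` in `snd_seq_do_ioctl()` serialises one table-dispatched ioctl against another, but the commit message describes the failure as pool-setting ioctls racing with write calls, and none of the visible hunks takes the mutex on a write path. If the write handler touches the same pool state, it would presumably need `mutex_lock(&client->ioctl_mutex)` around that access as well; this is worth confirming against the rest of seq_clientmgr.c, which is outside the hunks. A comment on the struct member, e.g. `struct mutex ioctl_mutex; /* serialises ioctl handlers for this client */`, would also record what the lock is meant to cover.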
--- a/sound/core/seq/seq_clientmgr.h +++ b/sound/core/seq/seq_clientmgr.h @@ -59,6 +59,7 @@ struct snd_seq_client { struct list_head ports_list_head; rwlock_t ports_lock; struct mutex ports_mutex; + struct mutex ioctl_mutex; int convert32; /* convert 32->64bit */ /* output pool */
[PATCH 3.16 011/136] iommu/vt-d: Don't register bus-notifier under dmar_global_lock
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Joerg Roedelcommit ec154bf56b276a0bb36079a5d22a267b5f417801 upstream. The notifier function will take the dmar_global_lock too, so lockdep complains about inverse locking order when the notifier is registered under the dmar_global_lock. Reported-by: Jan Kiszka Fixes: 59ce0515cdaf ('iommu/vt-d: Update DRHD/RMRR/ATSR device scope caches when PCI hotplug happens') Signed-off-by: Joerg Roedel [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings --- drivers/iommu/dmar.c| 7 +-- drivers/iommu/intel-iommu.c | 10 ++ include/linux/dmar.h| 1 + 3 files changed, 16 insertions(+), 2 deletions(-) --- a/drivers/iommu/dmar.c +++ b/drivers/iommu/dmar.c @@ -718,13 +718,16 @@ int __init dmar_dev_scope_init(void) dmar_free_pci_notify_info(info); } } - - bus_register_notifier(_bus_type, _pci_bus_nb); } return dmar_dev_scope_status; } +void dmar_register_bus_notifier(void) +{ + bus_register_notifier(_bus_type, _pci_bus_nb); +} + int __init dmar_table_init(void) { --- a/drivers/iommu/intel-iommu.c +++ b/drivers/iommu/intel-iommu.c @@ -4044,6 +4044,16 @@ int __init intel_iommu_init(void) goto out_free_dmar; } + up_write(_global_lock); + + /* +* The bus notifier takes the dmar_global_lock, so lockdep will +* complain later when we register it under the lock. +*/ + dmar_register_bus_notifier(); + + down_write(_global_lock); + if (no_iommu || dmar_disabled) goto out_free_dmar; --- a/include/linux/dmar.h +++ b/include/linux/dmar.h @@ -100,6 +100,7 @@ static inline bool dmar_rcu_check(void) extern int dmar_table_init(void); extern int dmar_dev_scope_init(void); +extern void dmar_register_bus_notifier(void); extern int dmar_parse_dev_scope(void *start, void *end, int *cnt, struct dmar_dev_scope **devices, u16 segment); extern void *dmar_alloc_dev_scope(void *start, void *end, int *cnt);
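Review bot: In the `intel_iommu_init()` hunk, `dmar_global_lock` is released and re-taken around `dmar_register_bus_notifier()`, and the added comment gives the lockdep reason but does not say why it is safe to let go of the lock at this point. Once the notifier is registered it can presumably run inside that window, so anything the function read under the lock before `up_write()` may be stale after `down_write()`. The comment should state which earlier state is still relied on afterwards, or that none is; the rest of `intel_iommu_init()` is outside the hunk, so this has to be checked against the full function.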
[PATCH 3.16 136/136] kaiser: Set _PAGE_NX only if supported
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Lepton WuThis finally resolve crash if loaded under qemu + haxm. Haitao Shan pointed out that the reason of that crash is that NX bit get set for page tables. It seems we missed checking if _PAGE_NX is supported in kaiser_add_user_map Link: https://www.spinics.net/lists/kernel/msg2689835.html Reviewed-by: Guenter Roeck Signed-off-by: Lepton Wu Signed-off-by: Greg Kroah-Hartman (backported from Greg K-H's 4.4 stable-queue) Signed-off-by: Juerg Haefliger Signed-off-by: Ben Hutchings --- arch/x86/mm/kaiser.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/arch/x86/mm/kaiser.c b/arch/x86/mm/kaiser.c index 2d5ac54dbcee..7cb57d14ddc0 100644 --- a/arch/x86/mm/kaiser.c +++ b/arch/x86/mm/kaiser.c @@ -195,6 +195,8 @@ static int kaiser_add_user_map(const void *__start_addr, unsigned long size, * requires that not to be #defined to 0): so mask it off here. */ flags &= ~_PAGE_GLOBAL; + if (!(__supported_pte_mask & _PAGE_NX)) + flags &= ~_PAGE_NX; for (; address < end_addr; address += PAGE_SIZE) { target_address = get_pa_from_mapping(address);
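Review bot: The added `_PAGE_NX` mask sits directly under a comment that only explains the `_PAGE_GLOBAL` mask, so the reason for the second mask is left to the commit message. A short comment above the new `if` would carry it, e.g. `/* Without NX support the NX bit must not be set in the entries: mask it off too. */`. `kaiser_add_user_map()` starts and ends outside the hunk.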
[PATCH 3.2 28/79] media: Don't do DMA on stack for firmware upload in the AS102 driver
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Michele Baldessaricommit b3120d2cc447ee77b9d69bf4ad7b452c9adb4d39 upstream. Firmware load on AS102 is using the stack which is not allowed any longer. We currently fail with: kernel: transfer buffer not dma capable kernel: [ cut here ] kernel: WARNING: CPU: 0 PID: 598 at drivers/usb/core/hcd.c:1595 usb_hcd_map_urb_for_dma+0x41d/0x620 kernel: Modules linked in: amd64_edac_mod(-) edac_mce_amd as102_fe dvb_as102(+) kvm_amd kvm snd_hda_codec_realtek dvb_core snd_hda_codec_generic snd_hda_codec_hdmi snd_hda_intel snd_hda_codec irqbypass crct10dif_pclmul crc32_pclmul snd_hda_core snd_hwdep snd_seq ghash_clmulni_intel sp5100_tco fam15h_power wmi k10temp i2c_piix4 snd_seq_device snd_pcm snd_timer parport_pc parport tpm_infineon snd tpm_tis soundcore tpm_tis_core tpm shpchp acpi_cpufreq xfs libcrc32c amdgpu amdkfd amd_iommu_v2 radeon hid_logitech_hidpp i2c_algo_bit drm_kms_helper crc32c_intel ttm drm r8169 mii hid_logitech_dj kernel: CPU: 0 PID: 598 Comm: systemd-udevd Not tainted 4.13.10-200.fc26.x86_64 #1 kernel: Hardware name: ASUS All Series/AM1I-A, BIOS 0505 03/13/2014 kernel: task: 979933b24c80 task.stack: af83413a4000 kernel: RIP: 0010:usb_hcd_map_urb_for_dma+0x41d/0x620 systemd-fsck[659]: /dev/sda2: clean, 49/128016 files, 268609/512000 blocks kernel: RSP: 0018:af83413a7728 EFLAGS: 00010282 systemd-udevd[604]: link_config: autonegotiation is unset or enabled, the speed and duplex are not writable. kernel: RAX: 001f RBX: 979930bce780 RCX: kernel: RDX: RSI: 97993ec0e118 RDI: 97993ec0e118 kernel: RBP: af83413a7768 R08: 039a R09: kernel: R10: 0001 R11: R12: fff5 kernel: R13: 0140 R14: 0001 R15: 979930806800 kernel: FS: 7effaca5c8c0() GS:97993ec0() knlGS: kernel: CS: 0010 DS: ES: CR0: 80050033 kernel: CR2: 7effa9fca962 CR3: 000233089000 CR4: 000406f0 kernel: Call Trace: kernel: usb_hcd_submit_urb+0x493/0xb40 kernel: ? page_cache_tree_insert+0x100/0x100 kernel: ? 
xfs_iunlock+0xd5/0x100 [xfs] kernel: ? xfs_file_buffered_aio_read+0x57/0xc0 [xfs] kernel: usb_submit_urb+0x22d/0x560 kernel: usb_start_wait_urb+0x6e/0x180 kernel: usb_bulk_msg+0xb8/0x160 kernel: as102_send_ep1+0x49/0xe0 [dvb_as102] kernel: ? devres_add+0x3f/0x50 kernel: as102_firmware_upload.isra.0+0x1dc/0x210 [dvb_as102] kernel: as102_fw_upload+0xb6/0x1f0 [dvb_as102] kernel: as102_dvb_register+0x2af/0x2d0 [dvb_as102] kernel: as102_usb_probe+0x1f3/0x260 [dvb_as102] kernel: usb_probe_interface+0x124/0x300 kernel: driver_probe_device+0x2ff/0x450 kernel: __driver_attach+0xa4/0xe0 kernel: ? driver_probe_device+0x450/0x450 kernel: bus_for_each_dev+0x6e/0xb0 kernel: driver_attach+0x1e/0x20 kernel: bus_add_driver+0x1c7/0x270 kernel: driver_register+0x60/0xe0 kernel: usb_register_driver+0x81/0x150 kernel: ? 0xc0807000 kernel: as102_usb_driver_init+0x1e/0x1000 [dvb_as102] kernel: do_one_initcall+0x50/0x190 kernel: ? __vunmap+0x81/0xb0 kernel: ? kfree+0x154/0x170 kernel: ? kmem_cache_alloc_trace+0x15f/0x1c0 kernel: ? do_init_module+0x27/0x1e9 kernel: do_init_module+0x5f/0x1e9 kernel: load_module+0x2602/0x2c30 kernel: SYSC_init_module+0x170/0x1a0 kernel: ? 
SYSC_init_module+0x170/0x1a0 kernel: SyS_init_module+0xe/0x10 kernel: do_syscall_64+0x67/0x140 kernel: entry_SYSCALL64_slow_path+0x25/0x25 kernel: RIP: 0033:0x7effab6cf3ea kernel: RSP: 002b:7fff5cfcbbc8 EFLAGS: 0246 ORIG_RAX: 00af kernel: RAX: ffda RBX: 5569e0b83760 RCX: 7effab6cf3ea kernel: RDX: 7effac2099c5 RSI: 9a13 RDI: 5569e0b98c50 kernel: RBP: 7effac2099c5 R08: 5569e0b83ed0 R09: 1d80 kernel: R10: 7effab98db00 R11: 0246 R12: 5569e0b98c50 kernel: R13: 5569e0b81c60 R14: 0002 R15: 5569dfadfdf7 kernel: Code: 48 39 c8 73 30 80 3d 59 60 9d 00 00 41 bc f5 ff ff ff 0f 85 26 ff ff ff 48 c7 c7 b8 6b d0 92 c6 05 3f 60 9d 00 01 e8 24 3d ad ff <0f> ff 8b 53 64 e9 09 ff ff ff 65 48 8b 0c 25 00 d3 00 00 48 8b kernel: ---[ end trace c4cae366180e70ec ]--- kernel: as10x_usb: error during firmware upload part1 Let's allocate the the structure dynamically so we can get the firmware loaded correctly: [ 14.243057] as10x_usb: firmware: as102_data1_st.hex loaded with success [ 14.500777] as10x_usb: firmware: as102_data2_st.hex loaded with success Signed-off-by: Michele Baldessari Signed-off-by: Mauro Carvalho Chehab [bwh: Backported to 3.2: adjust filename, context] Signed-off-by: Ben Hutchings --- drivers/staging/media/as102/as102_fw.c | 28 +--- 1 file changed, 17
[PATCH 3.2 48/79] nfs: Fix ugly referral attributes
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Chuck Levercommit c05cefcc72416a37eba5a2b35f0704ed758a9145 upstream. Before traversing a referral and performing a mount, the mounted-on directory looks strange: dr-xr-xr-x. 2 4294967294 4294967294 0 Dec 31 1969 dir.0 nfs4_get_referral is wiping out any cached attributes with what was returned via GETATTR(fs_locations), but the bit mask for that operation does not request any file attributes. Retrieve owner and timestamp information so that the memcpy in nfs4_get_referral fills in more attributes. Changes since v1: - Don't request attributes that the client unconditionally replaces - Request only MOUNTED_ON_FILEID or FILEID attribute, not both - encode_fs_locations() doesn't use the third bitmask word Fixes: 6b97fd3da1ea ("NFSv4: Follow a referral") Suggested-by: Pradeep Thomas Signed-off-by: Chuck Lever Signed-off-by: Anna Schumaker [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings --- fs/nfs/nfs4proc.c | 18 -- 1 file changed, 8 insertions(+), 10 deletions(-) --- a/fs/nfs/nfs4proc.c +++ b/fs/nfs/nfs4proc.c @@ -151,15 +151,12 @@ const u32 nfs4_fsinfo_bitmap[3] = { FATT }; const u32 nfs4_fs_locations_bitmap[2] = { - FATTR4_WORD0_TYPE - | FATTR4_WORD0_CHANGE + FATTR4_WORD0_CHANGE | FATTR4_WORD0_SIZE | FATTR4_WORD0_FSID | FATTR4_WORD0_FILEID | FATTR4_WORD0_FS_LOCATIONS, - FATTR4_WORD1_MODE - | FATTR4_WORD1_NUMLINKS - | FATTR4_WORD1_OWNER + FATTR4_WORD1_OWNER | FATTR4_WORD1_OWNER_GROUP | FATTR4_WORD1_RAWDEV | FATTR4_WORD1_SPACE_USED @@ -4805,9 +4802,7 @@ int nfs4_proc_fs_locations(struct inode struct nfs4_fs_locations *fs_locations, struct page *page) { struct nfs_server *server = NFS_SERVER(dir); - u32 bitmask[2] = { - [0] = FATTR4_WORD0_FSID | FATTR4_WORD0_FS_LOCATIONS, - }; + u32 bitmask[2]; struct nfs4_fs_locations_arg args = { .dir_fh = NFS_FH(dir), .name = name, 
@@ -4826,12 +4821,15 @@ int nfs4_proc_fs_locations(struct inode dprintk("%s: start\n", __func__); + bitmask[0] = nfs4_fattr_bitmap[0] | FATTR4_WORD0_FS_LOCATIONS; + bitmask[1] = nfs4_fattr_bitmap[1]; + /* Ask for the fileid of the absent filesystem if mounted_on_fileid * is not supported */ if (NFS_SERVER(dir)->attr_bitmask[1] & FATTR4_WORD1_MOUNTED_ON_FILEID) - bitmask[1] |= FATTR4_WORD1_MOUNTED_ON_FILEID; + bitmask[0] &= ~FATTR4_WORD0_FILEID; else - bitmask[0] |= FATTR4_WORD0_FILEID; + bitmask[1] &= ~FATTR4_WORD1_MOUNTED_ON_FILEID; nfs_fattr_init(_locations->fattr); fs_locations->server = server;
[PATCH 3.2 27/79] eCryptfs: use after free in ecryptfs_release_messaging()
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Dan Carpentercommit db86be3a12d0b6e5c5b51c2ab2a48f06329cb590 upstream. We're freeing the list iterator so we should be using the _safe() version of hlist_for_each_entry(). Fixes: 88b4a07e6610 ("[PATCH] eCryptfs: Public key transport mechanism") Signed-off-by: Dan Carpenter Signed-off-by: Tyler Hicks [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings --- --- a/fs/ecryptfs/messaging.c +++ b/fs/ecryptfs/messaging.c @@ -550,17 +550,17 @@ void ecryptfs_release_messaging(void) mutex_unlock(_msg_ctx_lists_mux); } if (ecryptfs_daemon_hash) { - struct hlist_node *elem; struct ecryptfs_daemon *daemon; + struct hlist_node *elem, *n; int i; mutex_lock(_daemon_hash_mux); for (i = 0; i < (1 << ecryptfs_hash_bits); i++) { int rc; - hlist_for_each_entry(daemon, elem, -_daemon_hash[i], -euid_chain) { + hlist_for_each_entry_safe(daemon, elem, n, + _daemon_hash[i], + euid_chain) { rc = ecryptfs_exorcise_daemon(daemon); if (rc) printk(KERN_ERR "%s: Error whilst "
[PATCH 3.2 40/79] s390/disassembler: increase show_code buffer size
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- 
From: Vasily Gorbikcommit b192571d1ae375e0bbe0aa3ccfa1a3c3704454b9 upstream. Current buffer size of 64 is too small. objdump shows that there are instructions which would require up to 75 bytes buffer (with current formating). 128 bytes "ought to be enough for anybody". Also replaces 8 spaces with a single tab to reduce the memory footprint. Fixes the following KASAN finding: BUG: KASAN: stack-out-of-bounds in number+0x3fe/0x538 Write of size 1 at addr 5a4a75a0 by task bash/1282 CPU: 1 PID: 1282 Comm: bash Not tainted 4.14.0+ #215 Hardware name: IBM 2964 N96 702 (z/VM 6.4.0) Call Trace: ([<0011eeb6>] show_stack+0x56/0x88) [<00e1ce1a>] dump_stack+0x15a/0x1b0 [<004e2994>] print_address_description+0xf4/0x288 [<004e2cf2>] kasan_report+0x13a/0x230 [<00e38ae6>] number+0x3fe/0x538 [<00e3dfe4>] vsnprintf+0x194/0x948 [<00e3ea42>] sprintf+0xa2/0xb8 [<001198dc>] print_insn+0x374/0x500 [<00119346>] show_code+0x4ee/0x538 [<0011f234>] show_registers+0x34c/0x388 [<0011f2ae>] show_regs+0x3e/0xa8 [<0011f502>] die+0x1ea/0x2e8 [<00138f0e>] do_no_context+0x106/0x168 [<00139a1a>] do_protection_exception+0x4da/0x7d0 [<00e55914>] pgm_check_handler+0x16c/0x1c0 [<0090639e>] sysrq_handle_crash+0x46/0x58 ([<0007>] 0x7) [<009073fa>] __handle_sysrq+0x102/0x218 [<00907c06>] write_sysrq_trigger+0xd6/0x100 [<0061d67a>] proc_reg_write+0xb2/0x128 [<00520be6>] __vfs_write+0xee/0x368 [<00521222>] vfs_write+0x21a/0x278 [<0052156a>] SyS_write+0xda/0x178 [<00e555cc>] system_call+0xc4/0x270 The buggy address belongs to the page: page:03d1016929c0 count:0 mapcount:0 mapping: (null) index:0x0 flags: 0x0() raw: raw: 0100 0200 page dumped because: kasan: bad access detected Memory state around the buggy address: 5a4a7480: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 5a4a7500: 00 00 00 00 00 00 00 00 f2 f2 f2 f2 00 00 00 00 >5a4a7580: 00 00 00 00 f3 f3 f3 f3 00 00 00 00 00 00 00 00 ^ 5a4a7600: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 f8 f8 5a4a7680: f2 f2 f2 f2 f2 f2 f8 f8 f2 f2 f3 f3 f3 f3 00 00 == 
Signed-off-by: Vasily Gorbik Signed-off-by: Martin Schwidefsky Signed-off-by: Ben Hutchings --- arch/s390/kernel/dis.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/arch/s390/kernel/dis.c +++ b/arch/s390/kernel/dis.c @@ -1542,7 +1542,7 @@ void show_code(struct pt_regs *regs) { char *mode = (regs->psw.mask & PSW_MASK_PSTATE) ? "User" : "Krnl"; unsigned char code[64]; - char buffer[64], *ptr; + char buffer[128], *ptr; mm_segment_t old_fs; unsigned long addr; int start, end, opsize, hops, i; @@ -1600,7 +1600,7 @@ void show_code(struct pt_regs *regs) start += opsize; printk(buffer); ptr = buffer; - ptr += sprintf(ptr, "\n "); + ptr += sprintf(ptr, "\n\t "); hops++; } printk("\n");
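Review bot: Enlarging `buffer` to 128 bytes in `show_code()` keeps the unbounded `sprintf()` writes into it, so the stack overflow KASAN reported stays away only while no formatted instruction exceeds the new size (the message cites 75 bytes as the current maximum). Bounding each write against the buffer would make this independent of the instruction table, e.g. `ptr += scnprintf(ptr, buffer + sizeof(buffer) - ptr, "\n\t ");` here, with the same treatment in `print_insn()`, which is outside the hunk. Separately, the context line `printk(buffer);` passes the assembled text as the format string; `printk("%s", buffer);` is the safer form and is worth checking, since disassembly output contains `%` register names.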
[PATCH 3.2 34/79] dm: fix race between dm_get_from_kobject() and __dm_destroy()
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Hou Taocommit b9a41d21dceadf8104812626ef85dc56ee8a60ed upstream. The following BUG_ON was hit when testing repeat creation and removal of DM devices: kernel BUG at drivers/md/dm.c:2919! CPU: 7 PID: 750 Comm: systemd-udevd Not tainted 4.1.44 Call Trace: [] dm_get_from_kobject+0x34/0x3a [] dm_attr_show+0x2b/0x5e [] ? mutex_lock+0x26/0x44 [] sysfs_kf_seq_show+0x83/0xcf [] kernfs_seq_show+0x23/0x25 [] seq_read+0x16f/0x325 [] kernfs_fop_read+0x3a/0x13f [] __vfs_read+0x26/0x9d [] ? security_file_permission+0x3c/0x44 [] ? rw_verify_area+0x83/0xd9 [] vfs_read+0x8f/0xcf [] ? __fdget_pos+0x12/0x41 [] SyS_read+0x4b/0x76 [] system_call_fastpath+0x12/0x71 The bug can be easily triggered, if an extra delay (e.g. 10ms) is added between the test of DMF_FREEING & DMF_DELETING and dm_get() in dm_get_from_kobject(). To fix it, we need to ensure the test of DMF_FREEING & DMF_DELETING and dm_get() are done in an atomic way, so _minor_lock is used. The other callers of dm_get() have also been checked to be OK: some callers invoke dm_get() under _minor_lock, some callers invoke it under _hash_lock, and dm_start_request() invoke it after increasing md->open_count. Signed-off-by: Hou Tao Signed-off-by: Mike Snitzer Signed-off-by: Ben Hutchings --- drivers/md/dm.c | 12 1 file changed, 8 insertions(+), 4 deletions(-) --- a/drivers/md/dm.c +++ b/drivers/md/dm.c @@ -2685,11 +2685,15 @@ struct mapped_device *dm_get_from_kobjec md = container_of(kobj, struct mapped_device, kobj_holder.kobj); - if (test_bit(DMF_FREEING, >flags) || - dm_deleting_md(md)) - return NULL; - + spin_lock(&_minor_lock); + if (test_bit(DMF_FREEING, >flags) || dm_deleting_md(md)) { + md = NULL; + goto out; + } dm_get(md); +out: + spin_unlock(&_minor_lock); + return md; }
[PATCH 3.2 32/79] video: udlfb: Fix read EDID timeout
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Ladislav Michlcommit c98769475575c8a585f5b3952f4b5f90266f699b upstream. While usb_control_msg function expects timeout in miliseconds, a value of HZ is used. Replace it with USB_CTRL_GET_TIMEOUT and also fix error message which looks like: udlfb: Read EDID byte 78 failed err ff92 as error is either negative errno or number of bytes transferred use %d format specifier. Returned EDID is in second byte, so return error when less than two bytes are received. Fixes: 18dffdf8913a ("staging: udlfb: enhance EDID and mode handling support") Signed-off-by: Ladislav Michl Cc: Bernie Thompson Signed-off-by: Bartlomiej Zolnierkiewicz [bwh: Backported to 3.2: adjust filename] Signed-off-by: Ben Hutchings --- drivers/video/udlfb.c | 10 +- 1 file changed, 5 insertions(+), 5 deletions(-) --- a/drivers/video/udlfb.c +++ b/drivers/video/udlfb.c @@ -765,11 +765,11 @@ static int dlfb_get_edid(struct dlfb_dat for (i = 0; i < len; i++) { ret = usb_control_msg(dev->udev, - usb_rcvctrlpipe(dev->udev, 0), (0x02), - (0x80 | (0x02 << 5)), i << 8, 0xA1, rbuf, 2, - HZ); - if (ret < 1) { - pr_err("Read EDID byte %d failed err %x\n", i, ret); + usb_rcvctrlpipe(dev->udev, 0), 0x02, + (0x80 | (0x02 << 5)), i << 8, 0xA1, + rbuf, 2, USB_CTRL_GET_TIMEOUT); + if (ret < 2) { + pr_err("Read EDID byte %d failed: %d\n", i, ret); i--; break; }
[PATCH 3.2 71/79] usbip: Fix sscanf handling
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Alancommit 2d32927127f44d755780aa5fa88c8c34e72558f8 upstream. Scan only to the length permitted by the buffer One of a set of sscanf problems noted by Jackie Chang Signed-off-by: Alan Cox Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings --- drivers/staging/usbip/userspace/libsrc/usbip_common.c | 2 +- drivers/staging/usbip/userspace/libsrc/vhci_driver.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) --- a/drivers/staging/usbip/userspace/libsrc/usbip_common.c +++ b/drivers/staging/usbip/userspace/libsrc/usbip_common.c @@ -164,7 +164,7 @@ int read_attr_speed(struct sysfs_device goto err; } - ret = sscanf(attr->value, "%s\n", speed); + ret = sscanf(attr->value, "%99s\n", speed); if (ret < 1) { dbg("sscanf failed"); goto err; --- a/drivers/staging/usbip/userspace/libsrc/vhci_driver.c +++ b/drivers/staging/usbip/userspace/libsrc/vhci_driver.c @@ -66,7 +66,7 @@ static int parse_status(char *value) unsigned long socket; char lbusid[SYSFS_BUS_ID_SIZE]; - ret = sscanf(c, "%d %d %d %x %lx %s\n", + ret = sscanf(c, "%d %d %d %x %lx %31s\n", , , , , , lbusid);
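Review bot: The field widths `%99s` and `%31s` are bare literals that have to stay exactly one less than the destination sizes, and nothing ties them to the declarations. In `parse_status()` the buffer is `lbusid[SYSFS_BUS_ID_SIZE]`, so a change to that constant would silently bring the overflow back; a comment on the call such as `/* width must equal SYSFS_BUS_ID_SIZE - 1 */`, or building the width from the macro, would keep them in step. In `read_attr_speed()` the declaration of `speed` is outside the hunk, so the 99 should be checked against its actual size.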
[PATCH 3.2 42/79] sctp: fully initialize the IPv6 address in sctp_v6_to_addr()
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- 
From: Alexander Potapenkocommit 15339e441ec46fbc3bf3486bb1ae4845b0f1bb8d upstream. KMSAN reported use of uninitialized sctp_addr->v4.sin_addr.s_addr and sctp_addr->v6.sin6_scope_id in sctp_v6_cmp_addr() (see below). Make sure all fields of an IPv6 address are initialized, which guarantees that the IPv4 fields are also initialized. == BUG: KMSAN: use of uninitialized memory in sctp_v6_cmp_addr+0x8d4/0x9f0 net/sctp/ipv6.c:517 CPU: 2 PID: 31056 Comm: syz-executor1 Not tainted 4.11.0-rc5+ #2944 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 Call Trace: dump_stack+0x172/0x1c0 lib/dump_stack.c:42 is_logbuf_locked mm/kmsan/kmsan.c:59 [inline] kmsan_report+0x12a/0x180 mm/kmsan/kmsan.c:938 native_save_fl arch/x86/include/asm/irqflags.h:18 [inline] arch_local_save_flags arch/x86/include/asm/irqflags.h:72 [inline] arch_local_irq_save arch/x86/include/asm/irqflags.h:113 [inline] __msan_warning_32+0x61/0xb0 mm/kmsan/kmsan_instr.c:467 sctp_v6_cmp_addr+0x8d4/0x9f0 net/sctp/ipv6.c:517 sctp_v6_get_dst+0x8c7/0x1630 net/sctp/ipv6.c:290 sctp_transport_route+0x101/0x570 net/sctp/transport.c:292 sctp_assoc_add_peer+0x66d/0x16f0 net/sctp/associola.c:651 sctp_sendmsg+0x35a5/0x4f90 net/sctp/socket.c:1871 inet_sendmsg+0x498/0x670 net/ipv4/af_inet.c:762 sock_sendmsg_nosec net/socket.c:633 [inline] sock_sendmsg net/socket.c:643 [inline] SYSC_sendto+0x608/0x710 net/socket.c:1696 SyS_sendto+0x8a/0xb0 net/socket.c:1664 entry_SYSCALL_64_fastpath+0x13/0x94 RIP: 0033:0x44b479 RSP: 002b:7f6213f21c08 EFLAGS: 0286 ORIG_RAX: 002c RAX: ffda RBX: 2000 RCX: 0044b479 RDX: 0041 RSI: 20edd000 RDI: 0006 RBP: 007080a8 R08: 20b85fe4 R09: 001c R10: 00040005 R11: 0286 R12: R13: 3760 R14: 006e5820 R15: 00ff8000 origin description: dst_saddr@sctp_v6_get_dst local variable created at: sk_fullsock include/net/sock.h:2321 [inline] inet6_sk include/linux/ipv6.h:309 [inline] sctp_v6_get_dst+0x91/0x1630 net/sctp/ipv6.c:241 sctp_transport_route+0x101/0x570 net/sctp/transport.c:292 == BUG: 
KMSAN: use of uninitialized memory in sctp_v6_cmp_addr+0x8d4/0x9f0 net/sctp/ipv6.c:517 CPU: 2 PID: 31056 Comm: syz-executor1 Not tainted 4.11.0-rc5+ #2944 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 Call Trace: dump_stack+0x172/0x1c0 lib/dump_stack.c:42 is_logbuf_locked mm/kmsan/kmsan.c:59 [inline] kmsan_report+0x12a/0x180 mm/kmsan/kmsan.c:938 native_save_fl arch/x86/include/asm/irqflags.h:18 [inline] arch_local_save_flags arch/x86/include/asm/irqflags.h:72 [inline] arch_local_irq_save arch/x86/include/asm/irqflags.h:113 [inline] __msan_warning_32+0x61/0xb0 mm/kmsan/kmsan_instr.c:467 sctp_v6_cmp_addr+0x8d4/0x9f0 net/sctp/ipv6.c:517 sctp_v6_get_dst+0x8c7/0x1630 net/sctp/ipv6.c:290 sctp_transport_route+0x101/0x570 net/sctp/transport.c:292 sctp_assoc_add_peer+0x66d/0x16f0 net/sctp/associola.c:651 sctp_sendmsg+0x35a5/0x4f90 net/sctp/socket.c:1871 inet_sendmsg+0x498/0x670 net/ipv4/af_inet.c:762 sock_sendmsg_nosec net/socket.c:633 [inline] sock_sendmsg net/socket.c:643 [inline] SYSC_sendto+0x608/0x710 net/socket.c:1696 SyS_sendto+0x8a/0xb0 net/socket.c:1664 entry_SYSCALL_64_fastpath+0x13/0x94 RIP: 0033:0x44b479 RSP: 002b:7f6213f21c08 EFLAGS: 0286 ORIG_RAX: 002c RAX: ffda RBX: 2000 RCX: 0044b479 RDX: 0041 RSI: 20edd000 RDI: 0006 RBP: 007080a8 R08: 20b85fe4 R09: 001c R10: 00040005 R11: 0286 R12: R13: 3760 R14: 006e5820 R15: 00ff8000 origin description: dst_saddr@sctp_v6_get_dst local variable created at: sk_fullsock include/net/sock.h:2321 [inline] inet6_sk include/linux/ipv6.h:309 [inline] sctp_v6_get_dst+0x91/0x1630 net/sctp/ipv6.c:241 sctp_transport_route+0x101/0x570 net/sctp/transport.c:292 == Signed-off-by: Alexander Potapenko Reviewed-by: Xin Long Acked-by: Marcelo Ricardo Leitner Signed-off-by: David S. Miller [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings --- net/sctp/ipv6.c | 2 ++ 1 file changed, 2 insertions(+) --- a/net/sctp/ipv6.c +++ b/net/sctp/ipv6.c 
@@ -487,7 +487,9 @@ static void sctp_v6_to_addr(union sctp_a { addr->sa.sa_family = AF_INET6; addr->v6.sin6_port = port; +
[PATCH 3.2 36/79] blktrace: fix unlocked access to init/start-stop/teardown
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Jens Axboecommit 1f2cac107c591c24b60b115d6050adc213d10fc0 upstream. sg.c calls into the blktrace functions without holding the proper queue mutex for doing setup, start/stop, or teardown. Add internal unlocked variants, and export the ones that do the proper locking. Fixes: 6da127ad0918 ("blktrace: Add blktrace ioctls to SCSI generic devices") Tested-by: Dmitry Vyukov Signed-off-by: Jens Axboe Signed-off-by: Ben Hutchings --- kernel/trace/blktrace.c | 58 - 1 file changed, 48 insertions(+), 10 deletions(-) --- a/kernel/trace/blktrace.c +++ b/kernel/trace/blktrace.c @@ -296,7 +296,7 @@ static void blk_trace_cleanup(struct blk blk_unregister_tracepoints(); } -int blk_trace_remove(struct request_queue *q) +static int __blk_trace_remove(struct request_queue *q) { struct blk_trace *bt; @@ -309,6 +309,17 @@ int blk_trace_remove(struct request_queu return 0; } + +int blk_trace_remove(struct request_queue *q) +{ + int ret; + + mutex_lock(>blk_trace_mutex); + ret = __blk_trace_remove(q); + mutex_unlock(>blk_trace_mutex); + + return ret; +} EXPORT_SYMBOL_GPL(blk_trace_remove); static int blk_dropped_open(struct inode *inode, struct file *filp) @@ -538,9 +549,8 @@ err: return ret; } -int blk_trace_setup(struct request_queue *q, char *name, dev_t dev, - struct block_device *bdev, - char __user *arg) +static int __blk_trace_setup(struct request_queue *q, char *name, dev_t dev, +struct block_device *bdev, char __user *arg) { struct blk_user_trace_setup buts; int ret; @@ -559,6 +569,19 @@ int blk_trace_setup(struct request_queue } return 0; } + +int blk_trace_setup(struct request_queue *q, char *name, dev_t dev, + struct block_device *bdev, + char __user *arg) +{ + int ret; + + mutex_lock(>blk_trace_mutex); + ret = __blk_trace_setup(q, name, dev, bdev, arg); + mutex_unlock(>blk_trace_mutex); + + return ret; +} EXPORT_SYMBOL_GPL(blk_trace_setup); #if defined(CONFIG_COMPAT) && defined(CONFIG_X86_64) 
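Review bot: The new `__blk_trace_remove()`, `__blk_trace_setup()` and `__blk_trace_startstop()` helpers do not say that the caller must hold the queue's blk_trace_mutex, yet blk_trace_ioctl() and blk_trace_shutdown() now depend on exactly that. blk_trace_shutdown() takes the mutex inside its own hunk, but the ioctl hunks only swap the callee, and the lock acquisition in blk_trace_ioctl() is outside the visible lines, so it cannot be confirmed from here. Adding `lockdep_assert_held(&q->blk_trace_mutex);` as the first statement of each helper would document the contract and flag an unlocked caller on lockdep-enabled builds. This applies equally to the setup and start/stop hunks that follow; the helper bodies extend beyond their hunks.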
@@ -596,7 +619,7 @@ static int compat_blk_trace_setup(struct } #endif -int blk_trace_startstop(struct request_queue *q, int start) +static int __blk_trace_startstop(struct request_queue *q, int start) { int ret; struct blk_trace *bt = q->blk_trace; @@ -629,6 +652,17 @@ int blk_trace_startstop(struct request_q return ret; } + +int blk_trace_startstop(struct request_queue *q, int start) +{ + int ret; + + mutex_lock(>blk_trace_mutex); + ret = __blk_trace_startstop(q, start); + mutex_unlock(>blk_trace_mutex); + + return ret; +} EXPORT_SYMBOL_GPL(blk_trace_startstop); /* @@ -659,7 +693,7 @@ int blk_trace_ioctl(struct block_device switch (cmd) { case BLKTRACESETUP: bdevname(bdev, b); - ret = blk_trace_setup(q, b, bdev->bd_dev, bdev, arg); + ret = __blk_trace_setup(q, b, bdev->bd_dev, bdev, arg); break; #if defined(CONFIG_COMPAT) && defined(CONFIG_X86_64) case BLKTRACESETUP32: @@ -670,10 +704,10 @@ int blk_trace_ioctl(struct block_device case BLKTRACESTART: start = 1; case BLKTRACESTOP: - ret = blk_trace_startstop(q, start); + ret = __blk_trace_startstop(q, start); break; case BLKTRACETEARDOWN: - ret = blk_trace_remove(q); + ret = __blk_trace_remove(q); break; default: ret = -ENOTTY; @@ -691,10 +725,14 @@ int blk_trace_ioctl(struct block_device **/ void blk_trace_shutdown(struct request_queue *q) { + mutex_lock(>blk_trace_mutex); + if (q->blk_trace) { - blk_trace_startstop(q, 0); - blk_trace_remove(q); + __blk_trace_startstop(q, 0); + __blk_trace_remove(q); } + + mutex_unlock(>blk_trace_mutex); } /*
[PATCH 3.2 54/79] ALSA: timer: Remove kernel warning at compat ioctl error paths
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Takashi Iwaicommit 3d4e8303f2c747c8540a0a0126d0151514f6468b upstream. Some timer compat ioctls have NULL checks of timer instance with snd_BUG_ON() that bring up WARN_ON() when the debug option is set. Actually the condition can be met in the normal situation and it's confusing and bad to spew kernel warnings with stack trace there. Let's remove snd_BUG_ON() invocation and replace with the simple checks. Also, correct the error code to EBADFD to follow the native ioctl error handling. Reported-by: syzbot Signed-off-by: Takashi Iwai Signed-off-by: Ben Hutchings --- sound/core/timer_compat.c | 12 ++-- 1 file changed, 6 insertions(+), 6 deletions(-) --- a/sound/core/timer_compat.c +++ b/sound/core/timer_compat.c @@ -40,11 +40,11 @@ static int snd_timer_user_info_compat(st struct snd_timer *t; tu = file->private_data; - if (snd_BUG_ON(!tu->timeri)) - return -ENXIO; + if (!tu->timeri) + return -EBADFD; t = tu->timeri->timer; - if (snd_BUG_ON(!t)) - return -ENXIO; + if (!t) + return -EBADFD; memset(, 0, sizeof(info)); info.card = t->card ? t->card->number : -1; if (t->hw.flags & SNDRV_TIMER_HW_SLAVE) @@ -73,8 +73,8 @@ static int snd_timer_user_status_compat( struct snd_timer_status32 status; tu = file->private_data; - if (snd_BUG_ON(!tu->timeri)) - return -ENXIO; + if (!tu->timeri) + return -EBADFD; memset(, 0, sizeof(status)); status.tstamp.tv_sec = tu->tstamp.tv_sec; status.tstamp.tv_nsec = tu->tstamp.tv_nsec;
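Review bot: In snd_timer_user_info_compat() the new code tests `tu->timeri` and then fetches it a second time in `t = tu->timeri->timer`. The commit message says the NULL state is reachable in normal use, so unless something outside the hunk serialises these ioctls, the pointer could change between the two reads. Loading it once into a local (`timeri = tu->timeri; if (!timeri) return -EBADFD; t = timeri->timer;`) removes the double fetch, though it is not a substitute for locking, which is not visible here. snd_timer_user_status_compat() gets the same check in the second hunk; both functions extend beyond their hunks.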
[PATCH 3.2 00/79] 3.2.99-rc1 review
This is the start of the stable review cycle for the 3.2.99 release. There are 79 patches in this series, which will be posted as responses to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Tue Feb 13 12:00:00 UTC 2018. Anything received after that time might be too late. All the patches have also been committed to the linux-3.2.y-rc branch of https://git.kernel.org/pub/scm/linux/kernel/git/bwh/linux-stable-rc.git . A shortlog and diffstat can be found below. Ben. - Al Viro (2): autofs4: autofs4_wait() vs. autofs4_catatonic_mode() race [4041bcdc7bef06a2fb29c57394c713a74bd13b08] autofs4: catatonic_mode vs. notify_daemon race [875266be67ff3a984ac1f6566d31c260bee4] Alan (1): usbip: Fix sscanf handling [2d32927127f44d755780aa5fa88c8c34e72558f8] Alan Stern (1): USB: usbfs: compute urb->actual_length for isochronous [2ef47001b3ee3ded579b7532ebdcf8680e4d8c54] Alex Chen (1): ocfs2: should wait dio before inode lock in ocfs2_setattr() [28f5a8a7c033cbf3e32277f4cc9c6afd74f05300] Alexander Potapenko (1): sctp: fully initialize the IPv6 address in sctp_v6_to_addr() [15339e441ec46fbc3bf3486bb1ae4845b0f1bb8d] Alexander Steffen (1): tpm-dev-common: Reject too short writes [ee70bc1e7b63ac8023c9ff9475d8741e397316e7] Alexandre Belloni (1): rtc: set the alarm to the next expiring timer [74717b28cb32e1ad3c1042cafd76b264c8c0f68d] Andreas Rohner (1): nilfs2: fix race condition that causes file system corruption [31ccb1f7ba3cfe29631587d451cf5bb8ab593550] Arnd Bergmann (2): Input: adxl34x - do not treat FIFO_MODE() as boolean [1dbc080c9ef6bcfba652ef0d6ae919b8c7c85a1d] isofs: fix timestamps beyond 2027 [34be4dbf87fc3e474a842305394534216d428f5d] Bart Van Assche (1): IB/srp: Avoid that a cable pull can trigger a kernel crash [8a0d18c62121d3c554a83eb96e2752861d84d937] Bart Westgeest (1): staging: usbip: removed #if 0'd out code [34c09578179f5838e5958c45e8aed4edc9c6c3b8] Bernhard Rosenkraenzer (1): USB: Add delay-init quirk for 
Corsair K70 LUX keyboards [a0fea6027f19c62727315aba1a7fae75a9caa842] Brent Taylor (1): mtd: nand: Fix writing mtdoops to nand flash. [30863e38ebeb500a31cecee8096fb5002677dd9b] Chuck Lever (1): nfs: Fix ugly referral attributes [c05cefcc72416a37eba5a2b35f0704ed758a9145] Colin Ian King (1): rtc: interface: ignore expired timers when enqueuing new timers [2b2f5ff00f63847d95adad6289bd8b05f5983dd5] Dan Carpenter (2): eCryptfs: use after free in ecryptfs_release_messaging() [db86be3a12d0b6e5c5b51c2ab2a48f06329cb590] scsi: bfa: integer overflow in debugfs [3e351275655d3c84dc28abf170def9786db5176d] Eric Biggers (1): dm bufio: fix integer overflow when limiting maximum cache size [74d4108d9e681dbbe4a2940ed8fdff1f6868184c] Eric Dumazet (1): netfilter: xt_TCPMSS: add more sanity tests on tcph->doff [2638fd0f92d4397884fd991d8f4925cb3f081901] Eric W. Biederman (1): net/sctp: Always set scope_id in sctp_inet6_skb_msgname [7c8a61d9ee1df0fb4747879fa67a99614eb62fec] Felipe Balbi (1): usb: add helper to extract bits 12:11 of wMaxPacketSize [541b6fe63023f3059cf85d47ff2767a3e42a8e44] Gabriele Paoloni (1): PCI/AER: Report non-fatal errors only to the affected endpoint [86acc790717fb60fb51ea3095084e331d8711c74] Guenter Roeck (1): kaiser: Set _PAGE_NX only if supported [61e9b3671007a5da8127955a1a3bda7e0d5f42e8] Guillaume Nault (5): l2tp: don't register sessions in l2tp_session_create() [3953ae7b218df4d1e544b98a393666f9ae58a78c] l2tp: ensure sessions are freed after their PPPOL2TP socket [cdd10c9627496ad25c87ce6394e29752253c69d3] l2tp: initialise PPP sessions before registering them [f98be6c6359e7e4a61aaefb9964c1db31cb9ec0c] l2tp: initialise l2tp_eth sessions before registering them [ee28de6bbd78c2e18111a0aef43ea746f28d2073] l2tp: protect sock pointer of struct pppol2tp_session with RCU [ee40fb2e1eb5bc0ddd3f2f83c6e39a454ef5a741] Hou Tao (1): dm: fix race between dm_get_from_kobject() and __dm_destroy() [b9a41d21dceadf8104812626ef85dc56ee8a60ed] Jan Harkes (1): coda: fix 'kernel memory 
exposure attempt' in fsync [d337b66a4c52c7b04eec661d86c2ef6e168965a2] Jason Gunthorpe (1): sctp: Fixup v4mapped behaviour to comply with Sock API [299ee123e19889d511092347f5fc14db0f10e3a6] Jens Axboe (1): blktrace: fix unlocked access to init/start-stop/teardown [1f2cac107c591c24b60b115d6050adc213d10fc0] Johan Hovold (2): USB: serial: garmin_gps: fix I/O after failed probe and remove [19a565d9af6e0d828bd0d521d3bafd5017f4ce52]
[PATCH 3.2 03/79] rtc: set the alarm to the next expiring timer
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Alexandre Bellonicommit 74717b28cb32e1ad3c1042cafd76b264c8c0f68d upstream. If there is any non expired timer in the queue, the RTC alarm is never set. This is an issue when adding a timer that expires before the next non expired timer. Ensure the RTC alarm is set in that case. Fixes: 2b2f5ff00f63 ("rtc: interface: ignore expired timers when enqueuing new timers") Signed-off-by: Alexandre Belloni [bwh: Backported to 3.2: open-code ktime_before()] Signed-off-by: Ben Hutchings --- drivers/rtc/interface.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/rtc/interface.c +++ b/drivers/rtc/interface.c @@ -765,7 +765,7 @@ static int rtc_timer_enqueue(struct rtc_ } timerqueue_add(>timerqueue, >node); - if (!next) { + if (!next || timer->node.expires.tv64 < next->expires.tv64) { struct rtc_wkalrm alarm; int err; alarm.time = rtc_ktime_to_tm(timer->node.expires);
[PATCH 3.2 02/79] rtc: interface: ignore expired timers when enqueuing new timers
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Colin Ian Kingcommit 2b2f5ff00f63847d95adad6289bd8b05f5983dd5 upstream. This patch fixes a RTC wakealarm issue, namely, the event fires during hibernate and is not cleared from the list, causing hwclock to block. The current enqueuing does not trigger an alarm if any expired timers already exist on the timerqueue. This can occur when a RTC wake alarm is used to wake a machine out of hibernate and the resumed state has old expired timers that have not been removed from the timer queue. This fix skips over any expired timers and triggers an alarm if there are no pending timers on the timerqueue. Note that the skipped expired timer will get reaped later on, so there is no need to clean it up immediately. The issue can be reproduced by putting a machine into hibernate and waking it with the RTC wakealarm. Running the example RTC test program from tools/testing/selftests/timers/rtctest.c after the hibernate will block indefinitely. With the fix, it no longer blocks after the hibernate resume. BugLink: http://bugs.launchpad.net/bugs/1333569 Signed-off-by: Colin Ian King Signed-off-by: Alexandre Belloni Signed-off-by: Ben Hutchings --- drivers/rtc/interface.c | 16 +++- 1 file changed, 15 insertions(+), 1 deletion(-) --- a/drivers/rtc/interface.c +++ b/drivers/rtc/interface.c 
@@ -749,9 +749,23 @@ EXPORT_SYMBOL_GPL(rtc_irq_set_freq); */ static int rtc_timer_enqueue(struct rtc_device *rtc, struct rtc_timer *timer) { + struct timerqueue_node *next = timerqueue_getnext(>timerqueue); + struct rtc_time tm; + ktime_t now; + timer->enabled = 1; + __rtc_read_time(rtc, ); + now = rtc_tm_to_ktime(tm); + + /* Skip over expired timers */ + while (next) { + if (next->expires.tv64 >= now.tv64) + break; + next = timerqueue_iterate_next(next); + } + timerqueue_add(>timerqueue, >node); - if (>node == timerqueue_getnext(>timerqueue)) { + if (!next) { struct rtc_wkalrm alarm; int err; alarm.time = rtc_ktime_to_tm(timer->node.expires);
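Review bot: The result of the added `__rtc_read_time()` call is discarded, so if the read fails `tm` is an uninitialised stack variable and `now` is computed from garbage. The skip loop then compares every queued timer against that value and can wrongly decide whether the alarm gets programmed. Assuming the helper reports failure through its return value, check it before using `tm`: `err = __rtc_read_time(rtc, &tm); if (err) return err;`, with `int err` hoisted from the `if (!next)` block to function scope. rtc_timer_enqueue() continues past the end of the hunk.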
[PATCH 3.2 68/79] RDS: null pointer dereference in rds_atomic_free_op
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Mohamed Ghannamcommit 7d11f77f84b27cef452cee332f4e469503084737 upstream. set rm->atomic.op_active to 0 when rds_pin_pages() fails or the user supplied address is invalid, this prevents a NULL pointer usage in rds_atomic_free_op() Signed-off-by: Mohamed Ghannam Acked-by: Santosh Shilimkar Signed-off-by: David S. Miller Signed-off-by: Ben Hutchings --- net/rds/rdma.c | 1 + 1 file changed, 1 insertion(+) --- a/net/rds/rdma.c +++ b/net/rds/rdma.c @@ -855,6 +855,7 @@ int rds_cmsg_atomic(struct rds_sock *rs, err: if (page) put_page(page); + rm->atomic.op_active = 0; kfree(rm->atomic.op_notifier); return ret;
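Review bot: The error path frees `rm->atomic.op_notifier` but leaves the pointer in place, so the message still carries a dangling pointer after rds_cmsg_atomic() returns. Clearing op_active keeps rds_atomic_free_op() away from it, but any other teardown code that frees op_notifier (none is visible here) would turn this into a double free. Adding `rm->atomic.op_notifier = NULL;` directly after the kfree() makes the error path safe regardless of what runs later. The function begins outside the hunk.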
[PATCH 3.2 78/79] kaiser: Set _PAGE_NX only if supported
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Guenter RoeckThis resolves a crash if loaded under qemu + haxm under windows. See https://www.spinics.net/lists/kernel/msg2689835.html for details. Here is a boot log (the log is from chromeos-4.4, but Tao Wu says that the same log is also seen with vanilla v4.4.110-rc1). [0.712750] Freeing unused kernel memory: 552K [0.721821] init: Corrupted page table at address 57b029b332e0 [0.722761] PGD 8000bb238067 PUD bc36a067 PMD bc369067 PTE 45d2067 [0.722761] Bad pagetable: 000b [#1] PREEMPT SMP [0.722761] Modules linked in: [0.722761] CPU: 1 PID: 1 Comm: init Not tainted 4.4.96 #31 [0.722761] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.7.5.1-0-g8936dbb-20141113_115728-nilsson.home.kraxel.org 04/01/2014 [0.722761] task: 8800bc29 ti: 8800bc28c000 task.ti: 8800bc28c000 [0.722761] RIP: 0010:[] [] __clear_user+0x42/0x67 [0.722761] RSP: :8800bc28fcf8 EFLAGS: 00010202 [0.722761] RAX: RBX: 01a4 RCX: 01a4 [0.722761] RDX: RSI: 0008 RDI: 57b029b332e0 [0.722761] RBP: 8800bc28fd08 R08: 8800bc29 R09: 8800bb2f4000 [0.722761] R10: 8800bc29 R11: 8800bb2f4000 R12: 57b029b332e0 [0.722761] R13: R14: 57b029b33340 R15: 8800bb1e2a00 [0.722761] FS: () GS:8800bfb0() knlGS: [0.722761] CS: 0010 DS: ES: CR0: 8005003b [0.722761] CR2: 57b029b332e0 CR3: bb2f8000 CR4: 06e0 [0.722761] Stack: [0.722761] 57b029b332e0 8800bb95fa80 8800bc28fd18 83f4120c [0.722761] 8800bc28fe18 83e9e7a1 8800bc28fd68 [0.722761] 8800bc29 8800bc29 8800bc29 8800bc29 [0.722761] Call Trace: [0.722761] [] clear_user+0x2e/0x30 [0.722761] [] load_elf_binary+0xa7f/0x18f7 [0.722761] [] search_binary_handler+0x86/0x19c [0.722761] [] do_execveat_common.isra.26+0x909/0xf98 [0.722761] [] ? rest_init+0x87/0x87 [0.722761] [] do_execve+0x23/0x25 [0.722761] [] run_init_process+0x2b/0x2d [0.722761] [] kernel_init+0x6d/0xda [0.722761] [] ret_from_fork+0x3f/0x70 [0.722761] [] ? 
rest_init+0x87/0x87 [0.722761] Code: 86 84 be 12 00 00 00 e8 87 0d e8 ff 66 66 90 48 89 d8 48 c1 eb 03 4c 89 e7 83 e0 07 48 89 d9 be 08 00 00 00 31 d2 48 85 c9 74 0a <48> 89 17 48 01 f7 ff c9 75 f6 48 89 c1 85 c9 74 09 88 17 48 ff [0.722761] RIP [] __clear_user+0x42/0x67 [0.722761] RSP [0.722761] ---[ end trace def703879b4ff090 ]--- [0.722761] BUG: sleeping function called from invalid context at /mnt/host/source/src/third_party/kernel/v4.4/kernel/locking/rwsem.c:21 [0.722761] in_atomic(): 0, irqs_disabled(): 1, pid: 1, name: init [0.722761] CPU: 1 PID: 1 Comm: init Tainted: G D 4.4.96 #31 [0.722761] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.7.5.1-0-g8936dbb-20141113_115728-nilsson.home.kraxel.org 04/01/2014 [0.722761] 0086 dcb5d76098c89836 8800bc28fa30 83f34004 [0.722761] 84839dc2 0015 8800bc28fa40 83d57dc9 [0.722761] 8800bc28fa68 83d57e6a 84a53640 [0.722761] Call Trace: [0.722761] [] dump_stack+0x4d/0x63 [0.722761] [] ___might_sleep+0x13a/0x13c [0.722761] [] __might_sleep+0x9f/0xa6 [0.722761] [] down_read+0x20/0x31 [0.722761] [] __blocking_notifier_call_chain+0x35/0x63 [0.722761] [] blocking_notifier_call_chain+0x14/0x16 [0.800374] usb 1-1: new full-speed USB device number 2 using uhci_hcd [0.722761] [] profile_task_exit+0x1a/0x1c [0.802309] [] do_exit+0x39/0xe7f [0.802309] [] ? vprintk_default+0x1d/0x1f [0.802309] [] ? printk+0x57/0x73 [0.802309] [] oops_end+0x80/0x85 [0.802309] [] pgtable_bad+0x8a/0x95 [0.802309] [] __do_page_fault+0x8c/0x352 [0.802309] [] ? file_has_perm+0xc4/0xe5 [0.802309] [] do_page_fault+0xc/0xe [0.802309] [] page_fault+0x22/0x30 [0.802309] [] ? __clear_user+0x42/0x67 [0.802309] [] ? __clear_user+0x23/0x67 [0.802309] [] clear_user+0x2e/0x30 [0.802309] [] load_elf_binary+0xa7f/0x18f7 [0.802309] [] search_binary_handler+0x86/0x19c [0.802309] [] do_execveat_common.isra.26+0x909/0xf98 [0.802309] [] ? 
rest_init+0x87/0x87 [0.802309] [] do_execve+0x23/0x25 [0.802309] [] run_init_process+0x2b/0x2d [0.802309] [] kernel_init+0x6d/0xda [0.802309] [] ret_from_fork+0x3f/0x70 [0.802309] [] ? rest_init+0x87/0x87 [0.830559] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0009 [0.830559] [0.831305] Kernel Offset:
[PATCH 3.2 10/79] IB/srp: Avoid that a cable pull can trigger a kernel crash
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Bart Van Asschecommit 8a0d18c62121d3c554a83eb96e2752861d84d937 upstream. This patch fixes the following kernel crash: general protection fault: [#1] PREEMPT SMP Workqueue: ib_mad2 timeout_sends [ib_core] Call Trace: ib_sa_path_rec_callback+0x1c4/0x1d0 [ib_core] send_handler+0xb2/0xd0 [ib_core] timeout_sends+0x14d/0x220 [ib_core] process_one_work+0x200/0x630 worker_thread+0x4e/0x3b0 kthread+0x113/0x150 Fixes: commit aef9ec39c47f ("IB: Add SCSI RDMA Protocol (SRP) initiator") Signed-off-by: Bart Van Assche Reviewed-by: Sagi Grimberg Signed-off-by: Doug Ledford [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings --- --- a/drivers/infiniband/ulp/srp/ib_srp.c +++ b/drivers/infiniband/ulp/srp/ib_srp.c @@ -310,10 +310,19 @@ static void srp_path_rec_completion(int static int srp_lookup_path(struct srp_target_port *target) { + int ret = -ENODEV; + target->path.numb_path = 1; init_completion(>done); + /* +* Avoid that the SCSI host can be removed by srp_remove_target() +* before srp_path_rec_completion() is called. +*/ + if (!scsi_host_get(target->scsi_host)) + goto out; + target->path_query_id = ib_sa_path_rec_get(_sa_client, target->srp_host->srp_dev->dev, target->srp_host->port, @@ -327,16 +336,22 @@ static int srp_lookup_path(struct srp_ta GFP_KERNEL, srp_path_rec_completion, target, >path_query); - if (target->path_query_id < 0) - return target->path_query_id; + ret = target->path_query_id; + if (ret < 0) + goto put; wait_for_completion(>done); - if (target->status < 0) + ret = target->status; + if (ret < 0) shost_printk(KERN_WARNING, target->scsi_host, PFX "Path record query failed\n"); - return target->status; +put: + scsi_host_put(target->scsi_host); + +out: + return ret; } static int srp_send_req(struct srp_target_port *target)
[PATCH 3.16 028/136] net/9p: Switch to wait_event_killable()
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Tuomas Tynkkynencommit 9523feac272ccad2ad8186ba4fcc89103754de52 upstream. Because userspace gets Very Unhappy when calls like stat() and execve() return -EINTR on 9p filesystem mounts. For instance, when bash is looking in PATH for things to execute and some SIGCHLD interrupts stat(), bash can throw a spurious 'command not found' since it doesn't retry the stat(). In practice, hitting the problem is rare and needs a really slow/bogged down 9p server. Signed-off-by: Tuomas Tynkkynen Signed-off-by: Al Viro [bwh: Backported to 3.16: drop changes in trans_xen.c] Signed-off-by: Ben Hutchings --- --- a/net/9p/client.c +++ b/net/9p/client.c @@ -753,8 +753,7 @@ p9_client_rpc(struct p9_client *c, int8_ } again: /* Wait for the response */ - err = wait_event_interruptible(*req->wq, - req->status >= REQ_STATUS_RCVD); + err = wait_event_killable(*req->wq, req->status >= REQ_STATUS_RCVD); /* * Make sure our req is coherent with regard to updates in other --- a/net/9p/trans_virtio.c +++ b/net/9p/trans_virtio.c @@ -292,8 +292,8 @@ req_retry: if (err == -ENOSPC) { chan->ring_bufs_avail = 0; spin_unlock_irqrestore(>lock, flags); - err = wait_event_interruptible(*chan->vc_wq, - chan->ring_bufs_avail); + err = wait_event_killable(*chan->vc_wq, + chan->ring_bufs_avail); if (err == -ERESTARTSYS) return err; @@ -324,7 +324,7 @@ static int p9_get_mapped_pages(struct vi * Other zc request to finish here */ if (atomic_read(_pinned) >= chan->p9_max_pages) { - err = wait_event_interruptible(vp_wq, + err = wait_event_killable(vp_wq, (atomic_read(_pinned) < chan->p9_max_pages)); if (err == -ERESTARTSYS) return err; 
@@ -454,8 +454,8 @@ req_retry_pinned: if (err == -ENOSPC) { chan->ring_bufs_avail = 0; spin_unlock_irqrestore(>lock, flags); - err = wait_event_interruptible(*chan->vc_wq, - chan->ring_bufs_avail); + err = wait_event_killable(*chan->vc_wq, + chan->ring_bufs_avail); if (err == -ERESTARTSYS) goto err_out; @@ -472,8 +472,7 @@ req_retry_pinned: virtqueue_kick(chan->vq); spin_unlock_irqrestore(>lock, flags); p9_debug(P9_DEBUG_TRANS, "virtio request kicked\n"); - err = wait_event_interruptible(*req->wq, - req->status >= REQ_STATUS_RCVD); + err = wait_event_killable(*req->wq, req->status >= REQ_STATUS_RCVD); /* * Non kernel buffers are pinned, unpin them */
[PATCH 3.16 034/136] l2tp: initialise l2tp_eth sessions before registering them
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Guillaume Naultcommit ee28de6bbd78c2e18111a0aef43ea746f28d2073 upstream. Sessions must be initialised before being made externally visible by l2tp_session_register(). Otherwise the session may be concurrently deleted before being initialised, which can confuse the deletion path and eventually lead to kernel oops. Therefore, we need to move l2tp_session_register() down in l2tp_eth_create(), but also handle the intermediate step where only the session or the netdevice has been registered. We can't just call l2tp_session_register() in ->ndo_init() because we'd have no way to properly undo this operation in ->ndo_uninit(). Instead, let's register the session and the netdevice in two different steps and protect the session's device pointer with RCU. And now that we allow the session's .dev field to be NULL, we don't need to prevent the netdevice from being removed anymore. So we can drop the dev_hold() and dev_put() calls in l2tp_eth_create() and l2tp_eth_dev_uninit(). Fixes: d9e31d17ceba ("l2tp: Add L2TP ethernet pseudowire support") Signed-off-by: Guillaume Nault Signed-off-by: David S. Miller [bwh: Backported to 3.16: - Update another 'goto out' in l2tp_eth_create() - Adjust context] Signed-off-by: Ben Hutchings --- --- a/net/l2tp/l2tp_eth.c +++ b/net/l2tp/l2tp_eth.c @@ -51,7 +51,7 @@ struct l2tp_eth { /* via l2tp_session_priv() */ struct l2tp_eth_sess { - struct net_device *dev; + struct net_device __rcu *dev; }; 
@@ -69,7 +69,14 @@ static int l2tp_eth_dev_init(struct net_ static void l2tp_eth_dev_uninit(struct net_device *dev) { - dev_put(dev); + struct l2tp_eth *priv = netdev_priv(dev); + struct l2tp_eth_sess *spriv; + + spriv = l2tp_session_priv(priv->session); + RCU_INIT_POINTER(spriv->dev, NULL); + /* No need for synchronize_net() here. We're called by +* unregister_netdev*(), which does the synchronisation for us. +*/ } static int l2tp_eth_dev_xmit(struct sk_buff *skb, struct net_device *dev) @@ -123,8 +130,8 @@ static void l2tp_eth_dev_setup(struct ne static void l2tp_eth_dev_recv(struct l2tp_session *session, struct sk_buff *skb, int data_len) { struct l2tp_eth_sess *spriv = l2tp_session_priv(session); - struct net_device *dev = spriv->dev; - struct l2tp_eth *priv = netdev_priv(dev); + struct net_device *dev; + struct l2tp_eth *priv; if (session->debug & L2TP_MSG_DATA) { unsigned int length; @@ -148,16 +155,25 @@ static void l2tp_eth_dev_recv(struct l2t skb_dst_drop(skb); nf_reset(skb); + rcu_read_lock(); + dev = rcu_dereference(spriv->dev); + if (!dev) + goto error_rcu; + + priv = netdev_priv(dev); if (dev_forward_skb(dev, skb) == NET_RX_SUCCESS) { atomic_long_inc(>rx_packets); atomic_long_add(data_len, >rx_bytes); } else { atomic_long_inc(>rx_errors); } + rcu_read_unlock(); + return; +error_rcu: + rcu_read_unlock(); error: - atomic_long_inc(>rx_errors); kfree_skb(skb); } @@ -168,11 +184,15 @@ static void l2tp_eth_delete(struct l2tp_ if (session) { spriv = l2tp_session_priv(session); - dev = spriv->dev; + + rtnl_lock(); + dev = rtnl_dereference(spriv->dev); if (dev) { - unregister_netdev(dev); - spriv->dev = NULL; + unregister_netdevice(dev); + rtnl_unlock(); module_put(THIS_MODULE); + } else { + rtnl_unlock(); } } } 
@@ -182,9 +202,20 @@ static void l2tp_eth_show(struct seq_fil { struct l2tp_session *session = arg; struct l2tp_eth_sess *spriv = l2tp_session_priv(session); - struct net_device *dev = spriv->dev; + struct net_device *dev; + + rcu_read_lock(); + dev = rcu_dereference(spriv->dev); + if (!dev) { + rcu_read_unlock(); + return; + } + dev_hold(dev); + rcu_read_unlock(); seq_printf(m, " interface %s\n", dev->name); + + dev_put(dev); } #endif @@ -204,7 +235,7 @@ static int l2tp_eth_create(struct net *n if (dev) { dev_put(dev); rc = -EEXIST; - goto out; + goto err; } strlcpy(name, cfg->ifname, IFNAMSIZ); } else @@ -214,20 +245,13 @@ static int l2tp_eth_create(struct net *n peer_session_id, cfg); if (IS_ERR(session)) {
[PATCH 3.16 020/136] elf_fdpic: fix unused variable warning
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Arnd Bergmanncommit 11e3e8d6d9274bf630859b4c47bc4e4d76f289db upstream. The elf_fdpic code shows a harmless warning when built with MMU disabled, I ran into this now that fdpic is available on ARM randconfig builds since commit 50b2b2e691cd ("ARM: add ELF_FDPIC support"). fs/binfmt_elf_fdpic.c: In function 'elf_fdpic_dump_segments': fs/binfmt_elf_fdpic.c:1501:17: error: unused variable 'addr' [-Werror=unused-variable] This adds another #ifdef around the variable declaration to shut up the warning. Fixes: e6c1baa9b562 ("convert the rest of binfmt_elf_fdpic to dump_emit()") Acked-by: Nicolas Pitre Signed-off-by: Arnd Bergmann Signed-off-by: Al Viro Signed-off-by: Ben Hutchings --- fs/binfmt_elf_fdpic.c | 2 ++ 1 file changed, 2 insertions(+) --- a/fs/binfmt_elf_fdpic.c +++ b/fs/binfmt_elf_fdpic.c @@ -1487,7 +1487,9 @@ static bool elf_fdpic_dump_segments(stru struct vm_area_struct *vma; for (vma = current->mm->mmap; vma; vma = vma->vm_next) { +#ifdef CONFIG_MMU unsigned long addr; +#endif if (!maydump(vma, cprm->mm_flags)) continue;
[PATCH 3.16 060/136] ACPI / APEI: Replace ioremap_page_range() with fixmap
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: James Morsecommit 4f89fa286f6729312e227e7c2d764e8e7b9d340e upstream. Replace ghes_io{re,un}map_pfn_{nmi,irq}()s use of ioremap_page_range() with __set_fixmap() as ioremap_page_range() may sleep to allocate a new level of page-table, even if its passed an existing final-address to use in the mapping. The GHES driver can only be enabled for architectures that select HAVE_ACPI_APEI: Add fixmap entries to both x86 and arm64. clear_fixmap() does the TLB invalidation in __set_fixmap() for arm64 and __set_pte_vaddr() for x86. In each case its the same as the respective arch_apei_flush_tlb_one(). Reported-by: Fengguang Wu Suggested-by: Linus Torvalds Signed-off-by: James Morse Reviewed-by: Borislav Petkov Tested-by: Tyler Baicar Tested-by: Toshi Kani [ For the arm64 bits: ] Acked-by: Will Deacon [ For the x86 bits: ] Acked-by: Ingo Molnar Signed-off-by: Rafael J. Wysocki [bwh: Backported to 3.16: - Drop arm64 changes; ghes is x86-only here - Don't use page or prot variables in ghes_ioremap_fn_{nmi,irq}() - Adjust context] Signed-off-by: Ben Hutchings --- --- a/arch/x86/include/asm/fixmap.h +++ b/arch/x86/include/asm/fixmap.h @@ -103,6 +103,12 @@ enum fixed_addresses { #ifdef CONFIG_X86_INTEL_MID FIX_LNW_VRTC, #endif +#ifdef CONFIG_ACPI_APEI_GHES + /* Used for GHES mapping from assorted contexts */ + FIX_APEI_GHES_IRQ, + FIX_APEI_GHES_NMI, +#endif + __end_of_permanent_fixed_addresses, /* --- a/drivers/acpi/apei/ghes.c +++ b/drivers/acpi/apei/ghes.c @@ -49,6 +49,7 @@ #include #include +#include #include #include #include @@ -110,7 +111,7 @@ static DEFINE_RAW_SPINLOCK(ghes_nmi_lock * Because the memory area used to transfer hardware error information * from BIOS to Linux can be determined only in NMI, IRQ or timer * handler, but general ioremap can not be used in atomic context, so - * a special version of atomic ioremap is implemented for that. + * the fixmap is used instead. */ /* 
@@ -124,8 +125,8 @@ static DEFINE_RAW_SPINLOCK(ghes_nmi_lock /* virtual memory area for atomic ioremap */ static struct vm_struct *ghes_ioremap_area; /* - * These 2 spinlock is used to prevent atomic ioremap virtual memory - * area from being mapped simultaneously. + * These 2 spinlocks are used to prevent the fixmap entries from being used + * simultaneously. */ static DEFINE_RAW_SPINLOCK(ghes_ioremap_lock_nmi); static DEFINE_SPINLOCK(ghes_ioremap_lock_irq); 
@@ -165,44 +166,26 @@ static void ghes_ioremap_exit(void) static void __iomem *ghes_ioremap_pfn_nmi(u64 pfn) { - unsigned long vaddr; + __set_fixmap(FIX_APEI_GHES_NMI, pfn << PAGE_SHIFT, PAGE_KERNEL); - vaddr = (unsigned long)GHES_IOREMAP_NMI_PAGE(ghes_ioremap_area->addr); - ioremap_page_range(vaddr, vaddr + PAGE_SIZE, - pfn << PAGE_SHIFT, PAGE_KERNEL); - - return (void __iomem *)vaddr; + return (void __iomem *) fix_to_virt(FIX_APEI_GHES_NMI); } static void __iomem *ghes_ioremap_pfn_irq(u64 pfn) { - unsigned long vaddr; - - vaddr = (unsigned long)GHES_IOREMAP_IRQ_PAGE(ghes_ioremap_area->addr); - ioremap_page_range(vaddr, vaddr + PAGE_SIZE, - pfn << PAGE_SHIFT, PAGE_KERNEL); + __set_fixmap(FIX_APEI_GHES_IRQ, pfn << PAGE_SHIFT, PAGE_KERNEL); - return (void __iomem *)vaddr; + return (void __iomem *) fix_to_virt(FIX_APEI_GHES_IRQ); } -static void ghes_iounmap_nmi(void __iomem *vaddr_ptr) +static void ghes_iounmap_nmi(void) { - unsigned long vaddr = (unsigned long __force)vaddr_ptr; - void *base = ghes_ioremap_area->addr; - - BUG_ON(vaddr != (unsigned long)GHES_IOREMAP_NMI_PAGE(base)); - unmap_kernel_range_noflush(vaddr, PAGE_SIZE); - __flush_tlb_one(vaddr); + clear_fixmap(FIX_APEI_GHES_NMI); } -static void ghes_iounmap_irq(void __iomem *vaddr_ptr) +static void ghes_iounmap_irq(void) { - unsigned long vaddr = (unsigned long __force)vaddr_ptr; - void *base = ghes_ioremap_area->addr; - - BUG_ON(vaddr != (unsigned long)GHES_IOREMAP_IRQ_PAGE(base)); - unmap_kernel_range_noflush(vaddr, PAGE_SIZE); - __flush_tlb_one(vaddr); + clear_fixmap(FIX_APEI_GHES_IRQ); } static int ghes_estatus_pool_init(void) @@ -341,10 +324,10 @@ static void ghes_copy_tofrom_phys(void * paddr += trunk; buffer += trunk; if (in_nmi) { - ghes_iounmap_nmi(vaddr); + ghes_iounmap_nmi(); raw_spin_unlock(_ioremap_lock_nmi); } else { -
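Review bot: The new `ghes_ioremap_pfn_nmi()` and `ghes_ioremap_pfn_irq()` in the `@@ -165,44 +166,26 @@` hunk each reuse one fixed slot, so they are only safe while the matching lock is held, and nothing on the functions says so. The removed `BUG_ON(vaddr != ...)` checks in the unmap helpers were the only in-code statement of which page belongs to which context. With them gone I would add a one-line comment above each map/unmap pair, e.g. `/* Caller must hold ghes_ioremap_lock_nmi: FIX_APEI_GHES_NMI is a single shared slot */`, and the `_irq` equivalent. The callers that take those locks are in `ghes_copy_tofrom_phys()`, whose hunk is cut off on this page.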
[PATCH 3.16 067/136] ima: fix hash algorithm initialization
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Boshi Wangcommit ebe7c0a7be92bbd34c6ff5b55810546a0ee05bee upstream. The hash_setup function always sets the hash_setup_done flag, even when the hash algorithm is invalid. This prevents the default hash algorithm defined as CONFIG_IMA_DEFAULT_HASH from being used. This patch sets hash_setup_done flag only for valid hash algorithms. Fixes: e7a2ad7eb6f4 "ima: enable support for larger default filedata hash algorithms" Signed-off-by: Boshi Wang Signed-off-by: Mimi Zohar Signed-off-by: Ben Hutchings
---
security/integrity/ima/ima_main.c | 4 1 file changed, 4 insertions(+)
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -52,6 +52,8 @@ static int __init hash_setup(char *str)
 ima_hash_algo = HASH_ALGO_SHA1;
 else if (strncmp(str, "md5", 3) == 0)
 ima_hash_algo = HASH_ALGO_MD5;
+ else
+ return 1;
 goto out;
 }
@@ -61,6 +63,8 @@ static int __init hash_setup(char *str)
 break;
 }
 }
+ if (i == HASH_ALGO__LAST)
+ return 1;
 out:
 hash_setup_done = 1;
 return 1;
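Review bot: Both added `return 1;` paths drop an unrecognised `ima_hash=` value without any message, so a mistyped algorithm name silently leaves the build-time default in force. For an integrity setting that deserves a boot-log line: before the second hunk's `return 1;` add something like `pr_err("invalid hash algorithm \"%s\"\n", str);`, and the same in the new `else` branch of the first hunk. Separately, the context line `strncmp(str, "md5", 3) == 0` is a prefix match, so any value that merely starts with `md5` selects MD5; that check predates this patch but sits right next to the new branch. The start of hash_setup() is outside both hunks.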
[PATCH 3.2 16/79] l2tp: push all ppp pseudowire shutdown through .release handler
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Tom Parkincommit cf2f5c886a209377daefd5d2ba0bcd49c3887813 upstream. If userspace deletes a ppp pseudowire using the netlink API, either by directly deleting the session or by deleting the tunnel that contains the session, we need to tear down the corresponding pppox channel. Rather than trying to manage two pppox unbind codepaths, switch the netlink and l2tp_core session_close handlers to close via. the l2tp_ppp socket .release handler. Signed-off-by: Tom Parkin Signed-off-by: James Chapman Signed-off-by: David S. Miller Signed-off-by: Ben Hutchings --- net/l2tp/l2tp_ppp.c | 53 ++--- 1 file changed, 10 insertions(+), 43 deletions(-) --- a/net/l2tp/l2tp_ppp.c +++ b/net/l2tp/l2tp_ppp.c @@ -95,6 +95,7 @@ #include #include #include +#include #include #include @@ -460,34 +461,16 @@ static void pppol2tp_session_close(struc { struct pppol2tp_session *ps = l2tp_session_priv(session); struct sock *sk = ps->sock; - struct sk_buff *skb; + struct socket *sock = sk->sk_socket; BUG_ON(session->magic != L2TP_SESSION_MAGIC); - if (session->session_id == 0) - goto out; - - if (sk != NULL) { - lock_sock(sk); - - if (sk->sk_state & (PPPOX_CONNECTED | PPPOX_BOUND)) { - pppox_unbind_sock(sk); - sk->sk_state = PPPOX_DEAD; - sk->sk_state_change(sk); - } - - /* Purge any queued data */ - skb_queue_purge(>sk_receive_queue); - skb_queue_purge(>sk_write_queue); - while ((skb = skb_dequeue(>reorder_q))) { - kfree_skb(skb); - sock_put(sk); - } - release_sock(sk); + if (sock) { + inet_shutdown(sock, 2); + /* Don't let the session go away before our socket does */ + l2tp_session_inc_refcount(session); } - -out: return; } 
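Review bot: In the `pppol2tp_session_close()` hunk the new initialiser `struct socket *sock = sk->sk_socket;` dereferences `ps->sock` before any check, whereas the body it replaces guarded everything with `if (sk != NULL)`. If a session can still reach this callback with `ps->sock == NULL`, that is a NULL dereference on the netlink delete path the commit message describes. Either keep the guard, `struct socket *sock = sk ? sk->sk_socket : NULL;`, or state in a comment why `ps->sock` cannot be NULL here. `inet_shutdown(sock, 2)` would also read better as `inet_shutdown(sock, SHUT_RDWR)`.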
@@ -538,16 +521,12 @@ static int pppol2tp_release(struct socke session = pppol2tp_sock_to_session(sk); /* Purge any queued data */ - skb_queue_purge(>sk_receive_queue); - skb_queue_purge(>sk_write_queue); if (session != NULL) { - struct sk_buff *skb; - while ((skb = skb_dequeue(>reorder_q))) { - kfree_skb(skb); - sock_put(sk); - } + l2tp_session_queue_purge(session); sock_put(sk); } + skb_queue_purge(>sk_receive_queue); + skb_queue_purge(>sk_write_queue); release_sock(sk); @@ -872,18 +851,6 @@ out: return error; } -/* Called when deleting sessions via the netlink interface. - */ -static int pppol2tp_session_delete(struct l2tp_session *session) -{ - struct pppol2tp_session *ps = l2tp_session_priv(session); - - if (ps->sock == NULL) - l2tp_session_dec_refcount(session); - - return 0; -} - #endif /* CONFIG_L2TP_V3 */ /* getname() support. @@ -1801,7 +1768,7 @@ static const struct pppox_proto pppol2tp static const struct l2tp_nl_cmd_ops pppol2tp_nl_cmd_ops = { .session_create = pppol2tp_session_create, - .session_delete = pppol2tp_session_delete, + .session_delete = l2tp_session_delete, }; #endif /* CONFIG_L2TP_V3 */
[PATCH 3.2 17/79] l2tp: ensure sessions are freed after their PPPOL2TP socket
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Guillaume Naultcommit cdd10c9627496ad25c87ce6394e29752253c69d3 upstream. If l2tp_tunnel_delete() or l2tp_tunnel_closeall() deletes a session right after pppol2tp_release() orphaned its socket, then the 'sock' variable of the pppol2tp_session_close() callback is NULL. Yet the session is still used by pppol2tp_release(). Therefore we need to take an extra reference in any case, to prevent l2tp_tunnel_delete() or l2tp_tunnel_closeall() from freeing the session. Since the pppol2tp_session_close() callback is only set if the session is associated to a PPPOL2TP socket and that both l2tp_tunnel_delete() and l2tp_tunnel_closeall() hold the PPPOL2TP socket before calling pppol2tp_session_close(), we're sure that pppol2tp_session_close() and pppol2tp_session_destruct() are paired and called in the right order. So the reference taken by the former will be released by the later. Signed-off-by: Guillaume Nault Signed-off-by: David S. Miller [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings
---
net/l2tp/l2tp_ppp.c | 8 1 file changed, 4 insertions(+), 4 deletions(-)
--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -466,11 +466,11 @@ static void pppol2tp_session_close(struc
 BUG_ON(session->magic != L2TP_SESSION_MAGIC);
- if (sock) {
+ if (sock)
 inet_shutdown(sock, 2);
- /* Don't let the session go away before our socket does */
- l2tp_session_inc_refcount(session);
- }
+
+ /* Don't let the session go away before our socket does */
+ l2tp_session_inc_refcount(session);
 return;
 }
[PATCH 3.2 14/79] l2tp: add session reorder queue purge function to core
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Tom Parkincommit 48f72f92b31431c40279b0fba6c5588e07e67d95 upstream. If an l2tp session is deleted, it is necessary to delete skbs in-flight on the session's reorder queue before taking it down. Rather than having each pseudowire implementation reaching into the l2tp_session struct to handle this itself, provide a function in l2tp_core to purge the session queue. Signed-off-by: Tom Parkin Signed-off-by: James Chapman Signed-off-by: David S. Miller [bwh: Backported to 3.2: use non-atomic increment on rx_errors] Signed-off-by: Ben Hutchings --- net/l2tp/l2tp_core.c | 17 + net/l2tp/l2tp_core.h | 1 + 2 files changed, 18 insertions(+) --- a/net/l2tp/l2tp_core.c +++ b/net/l2tp/l2tp_core.c @@ -830,6 +830,23 @@ discard: } EXPORT_SYMBOL(l2tp_recv_common); +/* Drop skbs from the session's reorder_q + */ +int l2tp_session_queue_purge(struct l2tp_session *session) +{ + struct sk_buff *skb = NULL; + BUG_ON(!session); + BUG_ON(session->magic != L2TP_SESSION_MAGIC); + while ((skb = skb_dequeue(>reorder_q))) { + session->stats.rx_errors++; + kfree_skb(skb); + if (session->deref) + (*session->deref)(session); + } + return 0; +} +EXPORT_SYMBOL_GPL(l2tp_session_queue_purge); + /* Internal UDP receive frame. Do the real work of receiving an L2TP data frame * here. The skb is not on a list when we get here. * Returns 0 if the packet was a data packet and was successfully passed on. --- a/net/l2tp/l2tp_core.h +++ b/net/l2tp/l2tp_core.h 
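Review bot: `l2tp_session_queue_purge()` uses `BUG_ON(!session)` and `BUG_ON(session->magic != L2TP_SESSION_MAGIC)`, which turns a caller mistake in a teardown path into a full kernel panic. A recoverable check is enough for an exported helper: `if (WARN_ON(!session || session->magic != L2TP_SESSION_MAGIC)) return -EINVAL;`. As written the function can only return 0, so the `int` return type either needs that error path or should be `void`. The `= NULL` initialiser on `skb` is dead, since the loop condition assigns it before any use.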
@@ -249,6 +249,7 @@ extern struct l2tp_session *l2tp_session extern int l2tp_session_delete(struct l2tp_session *session); extern void l2tp_session_free(struct l2tp_session *session); extern void l2tp_recv_common(struct l2tp_session *session, struct sk_buff *skb, unsigned char *ptr, unsigned char *optr, u16 hdrflags, int length, int (*payload_hook)(struct sk_buff *skb)); +extern int l2tp_session_queue_purge(struct l2tp_session *session); extern int l2tp_udp_encap_recv(struct sock *sk, struct sk_buff *skb); extern int l2tp_xmit_skb(struct l2tp_session *session, struct sk_buff *skb, int hdr_len);
drivers/net/ethernet/intel/i40e/i40e_ethtool.c:4326:6: error: implicit declaration of function 'cmpxchg64'; did you mean 'cmpxchg'?
Hi Alice, FYI, the error/warning still remains. tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master head: d48fcbd864a008802a90c58a9ceddd9436d11a49 commit: 60f481b9703867330dc6010868054f68f6d52f7a i40e: change flags to use 64 bits date: 2 weeks ago config: mips-allyesconfig (attached as .config) compiler: mips-linux-gnu-gcc (Debian 7.2.0-11) 7.2.0 reproduce: wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross chmod +x ~/bin/make.cross git checkout 60f481b9703867330dc6010868054f68f6d52f7a # save the attached .config to linux build tree make.cross ARCH=mips All errors (new ones prefixed by >>): drivers/net/ethernet/intel/i40e/i40e_ethtool.c: In function 'i40e_set_priv_flags': >> drivers/net/ethernet/intel/i40e/i40e_ethtool.c:4326:6: error: implicit >> declaration of function 'cmpxchg64'; did you mean 'cmpxchg'? >> [-Werror=implicit-function-declaration] if (cmpxchg64(>flags, orig_flags, new_flags) != orig_flags) { ^ cmpxchg cc1: some warnings being treated as errors vim +4326 drivers/net/ethernet/intel/i40e/i40e_ethtool.c 4258 4259 /** 4260 * i40e_set_priv_flags - set private flags 4261 * @dev: network interface device structure 4262 * @flags: bit flags to be set 4263 **/ 4264 static int i40e_set_priv_flags(struct net_device *dev, u32 flags) 4265 { 4266 struct i40e_netdev_priv *np = netdev_priv(dev); 4267 struct i40e_vsi *vsi = np->vsi; 4268 struct i40e_pf *pf = vsi->back; 4269 u64 orig_flags, new_flags, changed_flags; 4270 u32 i, j; 4271 4272 orig_flags = READ_ONCE(pf->flags); 4273 new_flags = orig_flags; 4274 4275 for (i = 0; i < I40E_PRIV_FLAGS_STR_LEN; i++) { 4276 const struct i40e_priv_flags *priv_flags; 4277 4278 priv_flags = _gstrings_priv_flags[i]; 4279 4280 if (flags & BIT(i)) 4281 new_flags |= priv_flags->flag; 4282 else 4283 new_flags &= ~(priv_flags->flag); 4284 4285 /* If this is a read-only flag, it can't be changed */ 4286 if (priv_flags->read_only && 4287 ((orig_flags ^ 
new_flags) & ~BIT(i))) 4288 return -EOPNOTSUPP; 4289 } 4290 4291 if (pf->hw.pf_id != 0) 4292 goto flags_complete; 4293 4294 for (j = 0; j < I40E_GL_PRIV_FLAGS_STR_LEN; j++) { 4295 const struct i40e_priv_flags *priv_flags; 4296 4297 priv_flags = _gl_gstrings_priv_flags[j]; 4298 4299 if (flags & BIT(i + j)) 4300 new_flags |= priv_flags->flag; 4301 else 4302 new_flags &= ~(priv_flags->flag); 4303 4304 /* If this is a read-only flag, it can't be changed */ 4305 if (priv_flags->read_only && 4306 ((orig_flags ^ new_flags) & ~BIT(i))) 4307 return -EOPNOTSUPP; 4308 } 4309 4310 flags_complete: 4311 /* Before we finalize any flag changes, we need to perform some 4312 * checks to ensure that the changes are supported and safe. 4313 */ 4314 4315 /* ATR eviction is not supported on all devices */ 4316 if ((new_flags & I40E_FLAG_HW_ATR_EVICT_ENABLED) && 4317 !(pf->hw_features & I40E_HW_ATR_EVICT_CAPABLE)) 4318 return -EOPNOTSUPP; 4319 4320 /* Compare and exchange the new flags into place. If we failed, that 4321 * is if cmpxchg returns anything but the old value, this means that 4322 * something else has modified the flags variable since we copied it 4323 * originally. We'll just punt with an error and log something in the 4324 * message buffer. 4325 */ > 4326 if (cmpxchg64(>flags, orig_flags, new_flags) != orig_flags) > { 4327 dev_warn(>pdev->dev, 4328 "Unable to update pf->flags as it was modified by another thread...\n"); 4329 return -EAGAIN; 4330 } 4331 4332 changed_flags = orig_flags ^ new_flags; 4333 4334 /* Process any additional changes needed as a result of flag changes. 4335 * The changed_flags value reflects the list of bits that were 4336 * changed in the code above. 4337 */ 4338 4339 /* Flush current ATR settings if ATR was disabled */ 4340 if ((changed_flags & I40E_FLAG_FD_ATR_ENABLED) && 4341 !(pf->flags & I40E_FLAG_FD_ATR_ENABLED)) { 4342
Re: [PATCH 2/2] xen: xenbus: WARN_ON XS_TRANSACTION_{START,END} misuse
Boris Ostrovsky: > On 02/07/2018 05:22 PM, Simon Gaiser wrote: >> +users_old = xs_state_users; >> xs_state_users--; >> if ((req->type == XS_TRANSACTION_START && req->msg.type == XS_ERROR) || >> req->type == XS_TRANSACTION_END) >> xs_state_users--; >> +if (WARN_ON(xs_state_users > users_old)) > > > WARN_ON_ONCE()? Since we "fix" the wrong decrement by clamping at zero it should not happen immediately again. But if you prefer _ONCE I can change it. signature.asc Description: OpenPGP digital signature
[RFC PATCH v15 0/6] mm: security: ro protection for dynamic data
This patch-set introduces the possibility of protecting memory that has been allocated dynamically. The memory is managed in pools: when a memory pool is turned into R/O, all the memory that is part of it, will become R/O. A R/O pool can be destroyed, to recover its memory, but it cannot be turned back into R/W mode. This is intentional. This feature is meant for data that doesn't need further modifications after initialization. However the data might need to be released, for example as part of module unloading. To do this, the memory must first be freed, then the pool can be destroyed. An example is provided, in the form of self-testing. Changes since v14: [http://www.openwall.com/lists/kernel-hardening/2018/02/04/2] - fix various warnings from sparse - multiline comments - fix naming of headers guards - fix compilation of individual patches, for bisect - split genalloc documentation about bitmap for allocation - fix headers to match kerneldoc format for "Return:" field - fix variable naming according to coding guidelines - fix wrong default value for pmalloc Kconfig option - refreshed integration of pmalloc with hardened usercopy - removed unnecessary include that was causing compilation failures - changed license of pmalloc documentation from GPL 2.0 to CC-BY-SA-4.0 Igor Stoppa (6): genalloc: track beginning of allocations genalloc: selftest struct page: add field for vm_struct Protectable Memory Pmalloc: self-test Documentation for Pmalloc Documentation/core-api/index.rst | 1 + Documentation/core-api/pmalloc.rst | 114 include/linux/genalloc-selftest.h | 26 ++ include/linux/genalloc.h | 7 +- include/linux/mm_types.h | 1 + include/linux/pmalloc.h| 222 +++ include/linux/vmalloc.h| 1 + init/main.c| 2 + lib/Kconfig| 15 + lib/Makefile | 1 + lib/genalloc-selftest.c| 400 ++ lib/genalloc.c | 554 +++-- mm/Kconfig | 15 + mm/Makefile| 2 + mm/pmalloc-selftest.c | 63 + mm/pmalloc-selftest.h | 24 ++ mm/pmalloc.c | 499 + mm/usercopy.c | 33 +++ mm/vmalloc.c | 18 +- 19 files 
changed, 1852 insertions(+), 146 deletions(-) create mode 100644 Documentation/core-api/pmalloc.rst create mode 100644 include/linux/genalloc-selftest.h create mode 100644 include/linux/pmalloc.h create mode 100644 lib/genalloc-selftest.c create mode 100644 mm/pmalloc-selftest.c create mode 100644 mm/pmalloc-selftest.h create mode 100644 mm/pmalloc.c -- 2.14.1
arch/microblaze/lib/fastcopy.S:33:2: error: #error Microblaze LE not support ASM optimized lib func. Disable OPT_LIB_ASM.
Hi Arnd, FYI, the error/warning still remains. tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master head: d48fcbd864a008802a90c58a9ceddd9436d11a49 commit: 71e7673dadfdae0605d4c1f66ecb4b045c79fe0f microblaze: fix endian handling date: 4 weeks ago config: microblaze-mmu_defconfig (attached as .config) compiler: microblaze-linux-gcc (GCC) 7.2.0 reproduce: wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross chmod +x ~/bin/make.cross git checkout 71e7673dadfdae0605d4c1f66ecb4b045c79fe0f # save the attached .config to linux build tree make.cross ARCH=microblaze All errors (new ones prefixed by >>): >> arch/microblaze/lib/fastcopy.S:33:2: error: #error Microblaze LE not support >> ASM optimized lib func. Disable OPT_LIB_ASM. #error Microblaze LE not support ASM optimized lib func. Disable OPT_LIB_ASM. ^ vim +33 arch/microblaze/lib/fastcopy.S de93c3c1 Michal Simek 2011-01-28 @33 #error Microblaze LE not support ASM optimized lib func. Disable OPT_LIB_ASM. de93c3c1 Michal Simek 2011-01-28 34 #endif de93c3c1 Michal Simek 2011-01-28 35 :: The code at line 33 was first introduced by commit :: de93c3c119382cb888ca8a94b642dbcf8035525e microblaze: Fix ASM optimized code for LE :: TO: Michal Simek:: CC: Michal Simek --- 0-DAY kernel test infrastructureOpen Source Technology Center https://lists.01.org/pipermail/kbuild-all Intel Corporation .config.gz Description: application/gzip
[PATCH 3.16 074/136] dm: fix race between dm_get_from_kobject() and __dm_destroy()
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Hou Taocommit b9a41d21dceadf8104812626ef85dc56ee8a60ed upstream. The following BUG_ON was hit when testing repeat creation and removal of DM devices: kernel BUG at drivers/md/dm.c:2919! CPU: 7 PID: 750 Comm: systemd-udevd Not tainted 4.1.44 Call Trace: [] dm_get_from_kobject+0x34/0x3a [] dm_attr_show+0x2b/0x5e [] ? mutex_lock+0x26/0x44 [] sysfs_kf_seq_show+0x83/0xcf [] kernfs_seq_show+0x23/0x25 [] seq_read+0x16f/0x325 [] kernfs_fop_read+0x3a/0x13f [] __vfs_read+0x26/0x9d [] ? security_file_permission+0x3c/0x44 [] ? rw_verify_area+0x83/0xd9 [] vfs_read+0x8f/0xcf [] ? __fdget_pos+0x12/0x41 [] SyS_read+0x4b/0x76 [] system_call_fastpath+0x12/0x71 The bug can be easily triggered, if an extra delay (e.g. 10ms) is added between the test of DMF_FREEING & DMF_DELETING and dm_get() in dm_get_from_kobject(). To fix it, we need to ensure the test of DMF_FREEING & DMF_DELETING and dm_get() are done in an atomic way, so _minor_lock is used. The other callers of dm_get() have also been checked to be OK: some callers invoke dm_get() under _minor_lock, some callers invoke it under _hash_lock, and dm_start_request() invoke it after increasing md->open_count. Signed-off-by: Hou Tao Signed-off-by: Mike Snitzer Signed-off-by: Ben Hutchings
---
drivers/md/dm.c | 12 1 file changed, 8 insertions(+), 4 deletions(-)
--- a/drivers/md/dm.c
+++ b/drivers/md/dm.c
@@ -2912,11 +2912,15 @@ struct mapped_device *dm_get_from_kobjec
 md = container_of(kobj, struct mapped_device, kobj_holder.kobj);
- if (test_bit(DMF_FREEING, >flags) ||
- dm_deleting_md(md))
- return NULL;
-
+ spin_lock(&_minor_lock);
+ if (test_bit(DMF_FREEING, >flags) || dm_deleting_md(md)) {
+ md = NULL;
+ goto out;
+ }
 dm_get(md);
+out:
+ spin_unlock(&_minor_lock);
+
 return md;
 }
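Review bot: The reason `_minor_lock` is taken in `dm_get_from_kobject()` lives only in the commit message; the code gives no hint that the flag test and `dm_get()` have to be atomic with respect to `__dm_destroy()`. A short comment above the `spin_lock(&_minor_lock);` line would keep a later cleanup from narrowing the critical section again, e.g. `/* the DMF_FREEING/DMF_DELETING test and dm_get() must not race with __dm_destroy() */`. The start of the function is outside the hunk.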
[PATCH 3.16 076/136] blktrace: fix unlocked access to init/start-stop/teardown
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Jens Axboecommit 1f2cac107c591c24b60b115d6050adc213d10fc0 upstream. sg.c calls into the blktrace functions without holding the proper queue mutex for doing setup, start/stop, or teardown. Add internal unlocked variants, and export the ones that do the proper locking. Fixes: 6da127ad0918 ("blktrace: Add blktrace ioctls to SCSI generic devices") Tested-by: Dmitry Vyukov Signed-off-by: Jens Axboe Signed-off-by: Ben Hutchings --- kernel/trace/blktrace.c | 58 - 1 file changed, 48 insertions(+), 10 deletions(-) --- a/kernel/trace/blktrace.c +++ b/kernel/trace/blktrace.c @@ -307,7 +307,7 @@ static void blk_trace_cleanup(struct blk blk_unregister_tracepoints(); } -int blk_trace_remove(struct request_queue *q) +static int __blk_trace_remove(struct request_queue *q) { struct blk_trace *bt; @@ -320,6 +320,17 @@ int blk_trace_remove(struct request_queu return 0; } + +int blk_trace_remove(struct request_queue *q) +{ + int ret; + + mutex_lock(>blk_trace_mutex); + ret = __blk_trace_remove(q); + mutex_unlock(>blk_trace_mutex); + + return ret; +} EXPORT_SYMBOL_GPL(blk_trace_remove); static ssize_t blk_dropped_read(struct file *filp, char __user *buffer, @@ -536,9 +547,8 @@ err: return ret; } -int blk_trace_setup(struct request_queue *q, char *name, dev_t dev, - struct block_device *bdev, - char __user *arg) +static int __blk_trace_setup(struct request_queue *q, char *name, dev_t dev, +struct block_device *bdev, char __user *arg) { struct blk_user_trace_setup buts; int ret; 
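Review bot: The new `__blk_trace_remove()`, `__blk_trace_setup()` and `__blk_trace_startstop()` rely on the caller holding `q->blk_trace_mutex`, but nothing in them documents or checks that, which is the same class of mistake this patch fixes for sg.c. Adding `lockdep_assert_held(&q->blk_trace_mutex);` as the first statement of each helper makes an unlocked caller show up under lockdep instead of racing silently. This matters most for the `blk_trace_ioctl()` hunks further down, which switch to the `__` variants and therefore depend on a lock taken outside the visible lines. The bodies of all three helpers extend beyond their hunks.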
@@ -557,6 +567,19 @@ int blk_trace_setup(struct request_queue } return 0; } + +int blk_trace_setup(struct request_queue *q, char *name, dev_t dev, + struct block_device *bdev, + char __user *arg) +{ + int ret; + + mutex_lock(>blk_trace_mutex); + ret = __blk_trace_setup(q, name, dev, bdev, arg); + mutex_unlock(>blk_trace_mutex); + + return ret; +} EXPORT_SYMBOL_GPL(blk_trace_setup); #if defined(CONFIG_COMPAT) && defined(CONFIG_X86_64) @@ -593,7 +616,7 @@ static int compat_blk_trace_setup(struct } #endif -int blk_trace_startstop(struct request_queue *q, int start) +static int __blk_trace_startstop(struct request_queue *q, int start) { int ret; struct blk_trace *bt = q->blk_trace; @@ -632,6 +655,17 @@ int blk_trace_startstop(struct request_q return ret; } + +int blk_trace_startstop(struct request_queue *q, int start) +{ + int ret; + + mutex_lock(>blk_trace_mutex); + ret = __blk_trace_startstop(q, start); + mutex_unlock(>blk_trace_mutex); + + return ret; +} EXPORT_SYMBOL_GPL(blk_trace_startstop); /* @@ -662,7 +696,7 @@ int blk_trace_ioctl(struct block_device switch (cmd) { case BLKTRACESETUP: bdevname(bdev, b); - ret = blk_trace_setup(q, b, bdev->bd_dev, bdev, arg); + ret = __blk_trace_setup(q, b, bdev->bd_dev, bdev, arg); break; #if defined(CONFIG_COMPAT) && defined(CONFIG_X86_64) case BLKTRACESETUP32: @@ -673,10 +707,10 @@ int blk_trace_ioctl(struct block_device case BLKTRACESTART: start = 1; case BLKTRACESTOP: - ret = blk_trace_startstop(q, start); + ret = __blk_trace_startstop(q, start); break; case BLKTRACETEARDOWN: - ret = blk_trace_remove(q); + ret = __blk_trace_remove(q); break; default: ret = -ENOTTY; @@ -694,10 +728,14 @@ int blk_trace_ioctl(struct block_device **/ void blk_trace_shutdown(struct request_queue *q) { + mutex_lock(>blk_trace_mutex); + if (q->blk_trace) { - blk_trace_startstop(q, 0); - blk_trace_remove(q); + __blk_trace_startstop(q, 0); + __blk_trace_remove(q); } + + mutex_unlock(>blk_trace_mutex); } /*
[PATCH 3.16 069/136] USB: usbfs: compute urb->actual_length for isochronous
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Alan Sterncommit 2ef47001b3ee3ded579b7532ebdcf8680e4d8c54 upstream. The USB kerneldoc says that the actual_length field "is read in non-iso completion functions", but the usbfs driver uses it for all URB types in processcompl(). Since not all of the host controller drivers set actual_length for isochronous URBs, programs using usbfs with some host controllers don't work properly. For example, Minas reports that a USB camera controlled by libusb doesn't work properly with a dwc2 controller. It doesn't seem worthwhile to change the HCDs and the documentation, since the in-kernel USB class drivers evidently don't rely on actual_length for isochronous transfers. The easiest solution is for usbfs to calculate the actual_length value for itself, by adding up the lengths of the individual packets in an isochronous transfer. Signed-off-by: Alan Stern CC: Minas Harutyunyan Reported-and-tested-by: wlf Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings --- drivers/usb/core/devio.c | 14 ++ 1 file changed, 14 insertions(+) --- a/drivers/usb/core/devio.c +++ b/drivers/usb/core/devio.c @@ -1650,6 +1650,18 @@ static int proc_unlinkurb(struct usb_dev return 0; } +static void compute_isochronous_actual_length(struct urb *urb) +{ + unsigned int i; + + if (urb->number_of_packets > 0) { + urb->actual_length = 0; + for (i = 0; i < urb->number_of_packets; i++) + urb->actual_length += + urb->iso_frame_desc[i].actual_length; + } +} + static int processcompl(struct async *as, void __user * __user *arg) { struct urb *urb = as->urb; @@ -1657,6 +1669,7 @@ static int processcompl(struct async *as void __user *addr = as->userurb; unsigned int i; + compute_isochronous_actual_length(urb); if (as->userbuffer && urb->actual_length) { if (copy_urb_data_to_user(as->userbuffer, urb)) goto err_out; 
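Review bot: `compute_isochronous_actual_length()` overwrites `urb->actual_length` with a sum of per-packet lengths reported by the host controller driver, and `processcompl()` then passes the URB to `copy_urb_data_to_user()`; nothing in the hunk bounds that sum by the size of the transfer buffer. If the copy uses `actual_length` as its length (its body is not visible here), a driver reporting oversized packet lengths would lead to an over-read towards userspace, so a clamp after the loop is cheap insurance: `if (urb->actual_length > urb->transfer_buffer_length) urb->actual_length = urb->transfer_buffer_length;`. The helper also deserves a one-line comment saying why usbfs recomputes the field instead of trusting the HCD. The same call is added to `processcompl_compat()` in the last hunk.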
@@ -1826,6 +1839,7 @@ static int processcompl_compat(struct as void __user *addr = as->userurb; unsigned int i; + compute_isochronous_actual_length(urb); if (as->userbuffer && urb->actual_length) { if (copy_urb_data_to_user(as->userbuffer, urb)) return -EFAULT;
[PATCH 3.16 078/136] IB/mlx4: Increase maximal message size under UD QP
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Mark Blochcommit 5f22a1d87c5315a98981ecf93cd8de226cffe6ca upstream. Maximal message should be used as a limit to the max message payload allowed, without the headers. The ConnectX-3 check is done against this value includes the headers. When the payload is 4K this will cause the NIC to drop packets. Increase maximal message to 8K as workaround, this shouldn't change current behaviour because we continue to set the MTU to 4k. To reproduce; set MTU to 4296 on the corresponding interface, for example: ifconfig eth0 mtu 4296 (both server and client) On server: ib_send_bw -c UD -d mlx4_0 -s 4096 -n 100 -i1 -m 4096 On client: ib_send_bw -d mlx4_0 -c UD -s 4096 -n 100 -i 1 -m 4096 Fixes: 6e0d733d9215 ("IB/mlx4: Allow 4K messages for UD QPs") Signed-off-by: Mark Bloch Reviewed-by: Majd Dibbiny Signed-off-by: Leon Romanovsky Signed-off-by: Doug Ledford Signed-off-by: Ben Hutchings --- drivers/infiniband/hw/mlx4/qp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/infiniband/hw/mlx4/qp.c +++ b/drivers/infiniband/hw/mlx4/qp.c @@ -1468,7 +1468,7 @@ static int __mlx4_ib_modify_qp(struct ib context->mtu_msgmax = (IB_MTU_4096 << 5) | ilog2(dev->dev->caps.max_gso_sz); else - context->mtu_msgmax = (IB_MTU_4096 << 5) | 12; + context->mtu_msgmax = (IB_MTU_4096 << 5) | 13; } else if (attr_mask & IB_QP_PATH_MTU) { if (attr->path_mtu < IB_MTU_256 || attr->path_mtu > IB_MTU_4096) { pr_err("path MTU (%u) is invalid\n",
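Review bot: The literal `13` in `context->mtu_msgmax = (IB_MTU_4096 << 5) | 13;` is now deliberately larger than the 4K MTU encoded next to it, and without a comment it reads like a typo for the old `12`. Put the rationale from the commit message on the line, e.g. `/* msgmax is log2 of 8K: the ConnectX-3 check counts headers, so 4K payloads need headroom */`. The enclosing `__mlx4_ib_modify_qp()` starts and ends outside the hunk.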
[PATCH 3.16 085/136] net/sctp: Always set scope_id in sctp_inet6_skb_msgname
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: "Eric W. Biederman"commit 7c8a61d9ee1df0fb4747879fa67a99614eb62fec upstream. Alexandar Potapenko while testing the kernel with KMSAN and syzkaller discovered that in some configurations sctp would leak 4 bytes of kernel stack. Working with his reproducer I discovered that those 4 bytes that are leaked is the scope id of an ipv6 address returned by recvmsg. With a little code inspection and a shrewd guess I discovered that sctp_inet6_skb_msgname only initializes the scope_id field for link local ipv6 addresses to the interface index the link local address pertains to instead of initializing the scope_id field for all ipv6 addresses. That is almost reasonable as scope_id's are meaniningful only for link local addresses. Set the scope_id in all other cases to 0 which is not a valid interface index to make it clear there is nothing useful in the scope_id field. There should be no danger of breaking userspace as the stack leak guaranteed that previously meaningless random data was being returned. Fixes: 372f525b495c ("SCTP: Resync with LKSCTP tree.") History-tree: https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git Reported-by: Alexander Potapenko Tested-by: Alexander Potapenko Signed-off-by: "Eric W. Biederman" Signed-off-by: David S. Miller [bwh: Backported to 3.16: - Adjust context - Add braces] Signed-off-by: Ben Hutchings
---
--- a/net/sctp/ipv6.c
+++ b/net/sctp/ipv6.c
@@ -787,6 +787,8 @@ static void sctp_inet6_skb_msgname(struc
 if (ipv6_addr_type(>v6.sin6_addr) & IPV6_ADDR_LINKLOCAL) {
 struct sctp_ulpevent *ev = sctp_skb2event(skb);
 addr->v6.sin6_scope_id = ev->iif;
+ } else {
+ addr->v6.sin6_scope_id = 0;
 }
 }
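Review bot: Setting `sin6_scope_id` in the new `else` branch closes this one leak, but the function still fills a sockaddr that is returned to userspace field by field, so the next missed field or padding byte would leak stack in the same way. Zeroing the destination once before the assignments removes the whole class of bug. The start of `sctp_inet6_skb_msgname()` is outside the hunk, so where the buffer is first written, and whether the caller already clears it, has to be checked there. If per-field initialisation is kept, a comment such as `/* every sockaddr_in6 field must be set: this buffer is returned by recvmsg() */` at the top of the block would help.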
[PATCH 3.16 045/136] drm/ttm: once more fix ttm_buffer_object_transfer
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Christian Königcommit 4d98e5ee6084f6d7bc578c5d5f86de7156aaa4cb upstream. When the mutex is locked just in the moment we copy it we end up with a warning that we release a locked mutex. Fix this by properly reinitializing the mutex. Signed-off-by: Christian König Reviewed-by: Alex Deucher Signed-off-by: Alex Deucher [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings
---
drivers/gpu/drm/ttm/ttm_bo_util.c | 1 + 1 file changed, 1 insertion(+)
--- a/drivers/gpu/drm/ttm/ttm_bo_util.c
+++ b/drivers/gpu/drm/ttm/ttm_bo_util.c
@@ -463,6 +463,7 @@ static int ttm_buffer_object_transfer(st
 INIT_LIST_HEAD(>lru);
 INIT_LIST_HEAD(>swap);
 INIT_LIST_HEAD(>io_reserve_lru);
+ mutex_init(>wu_mutex);
 drm_vma_node_reset(>vma_node);
 atomic_set(>cpu_writers, 0);
[PATCH 3.16 040/136] arm64: vdso: minor ABI fix for clock_getres
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Nathan Lynchcommit e1b6b6ce55a0a25c8aa8af019095253b2133a41a upstream. The vdso implementation of clock_getres currently returns 0 (success) whenever a null timespec is provided by the caller, regardless of the clock id supplied. This behavior is incorrect. It should fall back to syscall when an unrecognized clock id is passed, even when the timespec argument is null. This ensures that clock_getres always returns an error for invalid clock ids. Signed-off-by: Nathan Lynch Acked-by: Will Deacon Signed-off-by: Catalin Marinas Signed-off-by: Ben Hutchings --- arch/arm64/kernel/vdso/gettimeofday.S | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) --- a/arch/arm64/kernel/vdso/gettimeofday.S +++ b/arch/arm64/kernel/vdso/gettimeofday.S @@ -174,8 +174,6 @@ ENDPROC(__kernel_clock_gettime) /* int __kernel_clock_getres(clockid_t clock_id, struct timespec *res); */ ENTRY(__kernel_clock_getres) .cfi_startproc - cbz w1, 3f - cmp w0, #CLOCK_REALTIME ccmpw0, #CLOCK_MONOTONIC, #0x4, ne b.ne1f @@ -188,6 +186,7 @@ ENTRY(__kernel_clock_getres) b.ne4f ldr x2, 6f 2: + cbz w1, 3f stp xzr, x2, [x1] 3: /* res == NULL. */
[PATCH 3.16 072/136] rt2x00usb: mark device removed when get ENOENT usb error
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Stanislaw Gruszkacommit bfa62a52cad93686bb8d8171ea5288813248a7c6 upstream. ENOENT usb error mean "specified interface or endpoint does not exist or is not enabled". Mark device not present when we encounter this error similar like we do with ENODEV error. Otherwise we can have infinite loop in rt2x00usb_work_rxdone(), because we remove and put again RX entries to the queue infinitely. We can have similar situation when submit urb will fail all the time with other error, so we need consider to limit number of entries processed by rxdone work. But for now, since the patch fixes reproducible soft lockup issue on single processor systems and taken ENOENT error meaning, let apply this fix. Patch adds additional ENOENT check not only in rx kick routine, but also on other places where we check for ENODEV error. Reported-by: Richard Genoud Debugged-by: Richard Genoud Signed-off-by: Stanislaw Gruszka Tested-by: Richard Genoud Signed-off-by: Kalle Valo [bwh: Backported to 3.16: adjust filename, context] Signed-off-by: Ben Hutchings --- drivers/net/wireless/rt2x00/rt2x00usb.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) --- a/drivers/net/wireless/rt2x00/rt2x00usb.c +++ b/drivers/net/wireless/rt2x00/rt2x00usb.c @@ -62,7 +62,7 @@ int rt2x00usb_vendor_request(struct rt2x * -ENODEV: Device has disappeared, no point continuing. * All other errors: Try again. */ - else if (status == -ENODEV) { + else if (status == -ENODEV || status == -ENOENT) { clear_bit(DEVICE_STATE_PRESENT, >flags); break; } @@ -325,7 +325,7 @@ static bool rt2x00usb_kick_tx_entry(stru status = usb_submit_urb(entry_priv->urb, GFP_ATOMIC); if (status) { - if (status == -ENODEV) + if (status == -ENODEV || status == -ENOENT) clear_bit(DEVICE_STATE_PRESENT, >flags); set_bit(ENTRY_DATA_IO_FAILED, >flags); rt2x00lib_dmadone(entry); 
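Review bot: The comment kept as context in the `rt2x00usb_vendor_request()` hunk still reads `-ENODEV: Device has disappeared, no point continuing.` while the condition below it now also treats `-ENOENT` as fatal. Update it to match, e.g. ` * -ENODEV/-ENOENT: Device or endpoint is gone, no point continuing.`. The test `status == -ENODEV || status == -ENOENT` is now repeated in this hunk, in `rt2x00usb_kick_tx_entry()` and in `rt2x00usb_kick_rx_entry()`; a small `static inline bool` helper would keep the three in step if the list of fatal errors grows. All three functions extend beyond their hunks.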
@@ -414,7 +414,7 @@ static bool rt2x00usb_kick_rx_entry(stru status = usb_submit_urb(entry_priv->urb, GFP_ATOMIC); if (status) { - if (status == -ENODEV) + if (status == -ENODEV || status == -ENOENT) clear_bit(DEVICE_STATE_PRESENT, >flags); set_bit(ENTRY_DATA_IO_FAILED, >flags); rt2x00lib_dmadone(entry);
[PATCH 3.16 049/136] crypto: caam - fix incorrect define
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Radu Alexecommit cc2f8ab5334a736fa0e775cfccf06c1e268667f0 upstream. Fixes: 3ebfa92f49a6 ("crypto: caam - Add new macros for building extended SEC descriptors (> 64 words)") Signed-off-by: Radu Alexe Signed-off-by: Horia Geantă Signed-off-by: Herbert Xu Signed-off-by: Ben Hutchings --- drivers/crypto/caam/desc.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/crypto/caam/desc.h
+++ b/drivers/crypto/caam/desc.h
@@ -1434,7 +1434,7 @@ struct sec4_sg_entry {
 #define MATH_SRC1_REG2 (0x02 << MATH_SRC1_SHIFT)
 #define MATH_SRC1_REG3 (0x03 << MATH_SRC1_SHIFT)
 #define MATH_SRC1_IMM (0x04 << MATH_SRC1_SHIFT)
-#define MATH_SRC1_DPOVRD (0x07 << MATH_SRC0_SHIFT)
+#define MATH_SRC1_DPOVRD (0x07 << MATH_SRC1_SHIFT)
 #define MATH_SRC1_INFIFO (0x0a << MATH_SRC1_SHIFT)
 #define MATH_SRC1_OUTFIFO (0x0b << MATH_SRC1_SHIFT)
 #define MATH_SRC1_ONE (0x0c << MATH_SRC1_SHIFT)
[PATCH 3.16 128/136] x86, vdso: Move the vvar area before the vdso text
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Andy Lutomirskicommit e6577a7ce99a506b587bcd1d2cd803cb45119557 upstream. Putting the vvar area after the vdso text is rather complicated: it only works of the total length of the vdso text mapping is known at vdso link time, and the linker doesn't allow symbol addresses to depend on the sizes of non-allocatable data after the PT_LOAD segment. Moving the vvar area before the vdso text will allow is to safely map non-allocatable data after the vdso text, which is a nice simplification. Signed-off-by: Andy Lutomirski Link: http://lkml.kernel.org/r/156c78c0d93144ff1055a66493783b9e56813983.1405040914.git.l...@amacapital.net Signed-off-by: H. Peter Anvin Signed-off-by: Ben Hutchings --- arch/x86/include/asm/vdso.h | 18 - arch/x86/vdso/vdso-layout.lds.S | 44 ++--- arch/x86/vdso/vdso2c.c | 12 ++- arch/x86/vdso/vdso2c.h | 25 ++- arch/x86/vdso/vma.c | 20 ++- 5 files changed, 62 insertions(+), 57 deletions(-) --- a/arch/x86/include/asm/vdso.h +++ b/arch/x86/include/asm/vdso.h @@ -18,15 +18,15 @@ struct vdso_image { unsigned long alt, alt_len; - unsigned long sym_end_mapping; /* Total size of the mapping */ + long sym_vvar_start; /* Negative offset to the vvar area */ - unsigned long sym_vvar_page; - unsigned long sym_hpet_page; - unsigned long sym_VDSO32_NOTE_MASK; - unsigned long sym___kernel_sigreturn; - unsigned long sym___kernel_rt_sigreturn; - unsigned long sym___kernel_vsyscall; - unsigned long sym_VDSO32_SYSENTER_RETURN; + long sym_vvar_page; + long sym_hpet_page; + long sym_VDSO32_NOTE_MASK; + long sym___kernel_sigreturn; + long sym___kernel_rt_sigreturn; + long sym___kernel_vsyscall; + long sym_VDSO32_SYSENTER_RETURN; }; #ifdef CONFIG_X86_64 --- a/arch/x86/vdso/vdso-layout.lds.S +++ b/arch/x86/vdso/vdso-layout.lds.S 
@@ -18,6 +18,25 @@ SECTIONS { + /* +* User/kernel shared data is before the vDSO. This may be a little +* uglier than putting it after the vDSO, but it avoids issues with +* non-allocatable things that dangle past the end of the PT_LOAD +* segment. +*/ + + vvar_start = . - 2 * PAGE_SIZE; + vvar_page = vvar_start; + + /* Place all vvars at the offsets in asm/vvar.h. */ +#define EMIT_VVAR(name, offset) vvar_ ## name = vvar_page + offset; +#define __VVAR_KERNEL_LDS +#include +#undef __VVAR_KERNEL_LDS +#undef EMIT_VVAR + + hpet_page = vvar_start + PAGE_SIZE; + . = SIZEOF_HEADERS; .hash : { *(.hash) } :text @@ -74,31 +93,6 @@ SECTIONS .altinstructions: { *(.altinstructions) } :text .altinstr_replacement : { *(.altinstr_replacement) } :text - /* -* The remainder of the vDSO consists of special pages that are -* shared between the kernel and userspace. It needs to be at the -* end so that it doesn't overlap the mapping of the actual -* vDSO image. -*/ - - . = ALIGN(PAGE_SIZE); - vvar_page = .; - - /* Place all vvars at the offsets in asm/vvar.h. */ -#define EMIT_VVAR(name, offset) vvar_ ## name = vvar_page + offset; -#define __VVAR_KERNEL_LDS -#include -#undef __VVAR_KERNEL_LDS -#undef EMIT_VVAR - - . = vvar_page + PAGE_SIZE; - - hpet_page = .; - . = . + PAGE_SIZE; - - . = ALIGN(PAGE_SIZE); - end_mapping = .; - /DISCARD/ : { *(.discard) *(.discard.*) --- a/arch/x86/vdso/vdso2c.c +++ b/arch/x86/vdso/vdso2c.c @@ -20,9 +20,9 @@ const char *outfilename; /* Symbols that we need in vdso2c. */ enum { + sym_vvar_start, sym_vvar_page, sym_hpet_page, - sym_end_mapping, sym_VDSO_FAKE_SECTION_TABLE_START, sym_VDSO_FAKE_SECTION_TABLE_END, }; @@ -38,9 +38,9 @@ struct vdso_sym { }; struct vdso_sym required_syms[] = { + [sym_vvar_start] = {"vvar_start", true}, [sym_vvar_page] = {"vvar_page", true}, [sym_hpet_page] = {"hpet_page", true}, - [sym_end_mapping] = {"end_mapping", true}, [sym_VDSO_FAKE_SECTION_TABLE_START] = { "VDSO_FAKE_SECTION_TABLE_START", false }, 
@@ -96,9 +96,11 @@ extern void bad_put_le(void); #define NSYMS (sizeof(required_syms) / sizeof(required_syms[0])) -#define BITSFUNC3(name, bits) name##bits -#define BITSFUNC2(name, bits) BITSFUNC3(name, bits) -#define BITSFUNC(name) BITSFUNC2(name, ELF_BITS) +#define BITSFUNC3(name, bits, suffix) name##bits##suffix +#define BITSFUNC2(name, bits, suffix) BITSFUNC3(name, bits, suffix) +#define BITSFUNC(name)
[PATCH 3.16 015/136] p54: don't unregister leds when they are not initialized
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- 
From: Andrey Konovalovcommit fc09785de0a364427a5df63d703bae9a306ed116 upstream. ieee80211_register_hw() in p54_register_common() may fail and leds won't get initialized. Currently p54_unregister_common() doesn't check that and always calls p54_unregister_leds(). The fix is to check priv->registered flag before calling p54_unregister_leds(). Found by syzkaller. INFO: trying to register non-static key. the code is fine but needs lockdep annotation. turning off the locking correctness validator. CPU: 1 PID: 1404 Comm: kworker/1:1 Not tainted 4.14.0-rc1-42251-gebb2c2437d80-dirty #205 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 Workqueue: usb_hub_wq hub_event Call Trace: __dump_stack lib/dump_stack.c:16 dump_stack+0x292/0x395 lib/dump_stack.c:52 register_lock_class+0x6c4/0x1a00 kernel/locking/lockdep.c:769 __lock_acquire+0x27e/0x4550 kernel/locking/lockdep.c:3385 lock_acquire+0x259/0x620 kernel/locking/lockdep.c:4002 flush_work+0xf0/0x8c0 kernel/workqueue.c:2886 __cancel_work_timer+0x51d/0x870 kernel/workqueue.c:2961 cancel_delayed_work_sync+0x1f/0x30 kernel/workqueue.c:3081 p54_unregister_leds+0x6c/0xc0 drivers/net/wireless/intersil/p54/led.c:160 p54_unregister_common+0x3d/0xb0 drivers/net/wireless/intersil/p54/main.c:856 p54u_disconnect+0x86/0x120 drivers/net/wireless/intersil/p54/p54usb.c:1073 usb_unbind_interface+0x21c/0xa90 drivers/usb/core/driver.c:423 __device_release_driver drivers/base/dd.c:861 device_release_driver_internal+0x4f4/0x5c0 drivers/base/dd.c:893 device_release_driver+0x1e/0x30 drivers/base/dd.c:918 bus_remove_device+0x2f4/0x4b0 drivers/base/bus.c:565 device_del+0x5c4/0xab0 drivers/base/core.c:1985 usb_disable_device+0x1e9/0x680 drivers/usb/core/message.c:1170 usb_disconnect+0x260/0x7a0 drivers/usb/core/hub.c:2124 hub_port_connect drivers/usb/core/hub.c:4754 hub_port_connect_change drivers/usb/core/hub.c:5009 port_event drivers/usb/core/hub.c:5115 hub_event+0x1318/0x3740 drivers/usb/core/hub.c:5195 
process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119 process_scheduled_works kernel/workqueue.c:2179 worker_thread+0xb2b/0x1850 kernel/workqueue.c:2255 kthread+0x3a1/0x470 kernel/kthread.c:231 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431 Signed-off-by: Andrey Konovalov Acked-by: Christian Lamparter Signed-off-by: Kalle Valo [bwh: Backported to 3.16: adjust filename] Signed-off-by: Ben Hutchings --- drivers/net/wireless/p54/main.c | 7 +++ 1 file changed, 3 insertions(+), 4 deletions(-) --- a/drivers/net/wireless/p54/main.c +++ b/drivers/net/wireless/p54/main.c @@ -851,12 +851,11 @@ void p54_unregister_common(struct ieee80 { struct p54_common *priv = dev->priv; -#ifdef CONFIG_P54_LEDS - p54_unregister_leds(priv); -#endif /* CONFIG_P54_LEDS */ - if (priv->registered) { priv->registered = false; +#ifdef CONFIG_P54_LEDS + p54_unregister_leds(priv); +#endif /* CONFIG_P54_LEDS */ ieee80211_unregister_hw(dev); }
[PATCH 3.16 131/136] x86/vdso: Get pvclock data from the vvar VMA instead of the fixmap
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Andy Lutomirskicommit dac16fba6fc590fa7239676b35ed75dae4c4cd2b upstream. Signed-off-by: Andy Lutomirski Reviewed-by: Paolo Bonzini Cc: Andy Lutomirski Cc: Borislav Petkov Cc: Brian Gerst Cc: Denys Vlasenko Cc: H. Peter Anvin Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: linux...@kvack.org Link: http://lkml.kernel.org/r/9d37826fdc7e2d2809efe31d5345f97186859284.1449702533.git.l...@kernel.org Signed-off-by: Ingo Molnar [bwh: Backported to 3.16: adjust filenames] Signed-off-by: Ben Hutchings --- arch/x86/vdso/vclock_gettime.c | 20 arch/x86/vdso/vdso-layout.lds.S | 3 ++- arch/x86/vdso/vdso2c.c | 3 +++ arch/x86/vdso/vma.c | 13 + arch/x86/include/asm/pvclock.h | 9 + arch/x86/include/asm/vdso.h | 1 + arch/x86/kernel/kvmclock.c | 5 + 7 files changed, 41 insertions(+), 13 deletions(-) --- a/arch/x86/vdso/vclock_gettime.c +++ b/arch/x86/vdso/vclock_gettime.c @@ -36,6 +36,11 @@ static notrace cycle_t vread_hpet(void) } #endif +#ifdef CONFIG_PARAVIRT_CLOCK +extern u8 pvclock_page + __attribute__((visibility("hidden"))); +#endif + #ifndef BUILD_VDSO32 #include 
@@ -62,23 +67,14 @@ notrace static long vdso_fallback_gtod(s #ifdef CONFIG_PARAVIRT_CLOCK -static notrace const struct pvclock_vsyscall_time_info *get_pvti(int cpu) +static notrace const struct pvclock_vsyscall_time_info *get_pvti0(void) { - const struct pvclock_vsyscall_time_info *pvti_base; - int idx = cpu / (PAGE_SIZE/PVTI_SIZE); - int offset = cpu % (PAGE_SIZE/PVTI_SIZE); - - BUG_ON(PVCLOCK_FIXMAP_BEGIN + idx > PVCLOCK_FIXMAP_END); - - pvti_base = (struct pvclock_vsyscall_time_info *) - __fix_to_virt(PVCLOCK_FIXMAP_BEGIN+idx); - - return _base[offset]; + return (const struct pvclock_vsyscall_time_info *)_page; } static notrace cycle_t vread_pvclock(int *mode) { - const struct pvclock_vcpu_time_info *pvti = _pvti(0)->pvti; + const struct pvclock_vcpu_time_info *pvti = _pvti0()->pvti; cycle_t ret; u64 tsc, pvti_tsc; u64 last, delta, pvti_system_time; --- a/arch/x86/vdso/vdso-layout.lds.S +++ b/arch/x86/vdso/vdso-layout.lds.S @@ -25,7 +25,7 @@ SECTIONS * segment. */ - vvar_start = . - 2 * PAGE_SIZE; + vvar_start = . - 3 * PAGE_SIZE; vvar_page = vvar_start; /* Place all vvars at the offsets in asm/vvar.h. */ @@ -36,6 +36,7 @@ SECTIONS #undef EMIT_VVAR hpet_page = vvar_start + PAGE_SIZE; + pvclock_page = vvar_start + 2 * PAGE_SIZE; . = SIZEOF_HEADERS; --- a/arch/x86/vdso/vdso2c.c +++ b/arch/x86/vdso/vdso2c.c @@ -23,6 +23,7 @@ enum { sym_vvar_start, sym_vvar_page, sym_hpet_page, + sym_pvclock_page, sym_VDSO_FAKE_SECTION_TABLE_START, sym_VDSO_FAKE_SECTION_TABLE_END, }; @@ -30,6 +31,7 @@ enum { const int special_pages[] = { sym_vvar_page, sym_hpet_page, + sym_pvclock_page, }; struct vdso_sym { @@ -41,6 +43,7 @@ struct vdso_sym required_syms[] = { [sym_vvar_start] = {"vvar_start", true}, [sym_vvar_page] = {"vvar_page", true}, [sym_hpet_page] = {"hpet_page", true}, + [sym_pvclock_page] = {"pvclock_page", true}, [sym_VDSO_FAKE_SECTION_TABLE_START] = { "VDSO_FAKE_SECTION_TABLE_START", false }, --- a/arch/x86/vdso/vma.c +++ b/arch/x86/vdso/vma.c 
@@ -113,6 +113,7 @@ static int map_vdso(const struct vdso_im .name = "[vvar]", .pages = no_pages, }; + struct pvclock_vsyscall_time_info *pvti; if (calculate_addr) { addr = vdso_addr(current->mm->start_stack, @@ -182,6 +183,18 @@ static int map_vdso(const struct vdso_im } #endif + pvti = pvclock_pvti_cpu0_va(); + if (pvti && image->sym_pvclock_page) { + ret = remap_pfn_range(vma, + text_start + image->sym_pvclock_page, + __pa(pvti) >> PAGE_SHIFT, + PAGE_SIZE, + PAGE_READONLY); + + if (ret) + goto up_fail; + } + up_fail: if (ret) current->mm->context.vdso = NULL; --- a/arch/x86/include/asm/pvclock.h +++ b/arch/x86/include/asm/pvclock.h @@ -4,6 +4,15 @@ #include #include +#ifdef CONFIG_PARAVIRT_CLOCK +extern struct pvclock_vsyscall_time_info *pvclock_pvti_cpu0_va(void); +#else +static inline struct
[PATCH 3.16 125/136] usbip: prevent vhci_hcd driver from leaking a socket pointer address
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Shuah Khancommit 2f2d0088eb93db5c649d2a5e34a3800a8a935fc5 upstream. When a client has a USB device attached over IP, the vhci_hcd driver is locally leaking a socket pointer address via the /sys/devices/platform/vhci_hcd/status file (world-readable) and in debug output when "usbip --debug port" is run. Fix it to not leak. The socket pointer address is not used at the moment and it was made visible as a convenient way to find IP address from socket pointer address by looking up /proc/net/{tcp,tcp6}. As this opens a security hole, the fix replaces socket pointer address with sockfd. Reported-by: Secunia Research Signed-off-by: Shuah Khan Signed-off-by: Greg Kroah-Hartman [bwh: Backported to 3.16: - usbip port status does not include hub type - Adjust filenames, context, indentation] Signed-off-by: Ben Hutchings --- drivers/staging/usbip/usbip_common.h | 1 + drivers/staging/usbip/vhci_sysfs.c | 25 - drivers/staging/usbip/userspace/libsrc/vhci_driver.c | 8 3 files changed, 21 insertions(+), 13 deletions(-) --- a/drivers/staging/usbip/usbip_common.h +++ b/drivers/staging/usbip/usbip_common.h @@ -261,6 +261,7 @@ struct usbip_device { /* lock for status */ spinlock_t lock; + int sockfd; struct socket *tcp_socket; struct task_struct *tcp_rx; --- a/drivers/staging/usbip/vhci_sysfs.c +++ b/drivers/staging/usbip/vhci_sysfs.c 
@@ -39,13 +39,18 @@ static ssize_t status_show(struct device /* * output example: -* prt sta spd dev socket local_busid -* 000 004 000 000 c5a7bb80 1-2.3 -* 001 004 000 000 d8cee980 2-3.4 +* prt sta spd dev sockfdlocal_busid +* 000 004 000 000 3 1-2.3 +* 001 004 000 000 4 2-3.4 +* +* Output includes socket fd instead of socket pointer address to avoid +* leaking kernel memory address in: +* /sys/devices/platform/vhci_hcd.0/status and in debug output. +* The socket pointer address is not used at the moment and it was made +* visible as a convenient way to find IP address from socket pointer +* address by looking up /proc/net/{tcp,tcp6}. As this opens a security +* hole, the change is made to use sockfd instead. * -* IP address can be retrieved from a socket pointer address by looking -* up /proc/net/{tcp,tcp6}. Also, a userland program may remember a -* port number and its peer IP address. */ out += sprintf(out, "prt sta spd bus dev socket local_busid\n"); @@ -59,7 +64,7 @@ static ssize_t status_show(struct device if (vdev->ud.status == VDEV_ST_USED) { out += sprintf(out, "%03u %08x ", vdev->speed, vdev->devid); - out += sprintf(out, "%16p ", vdev->ud.tcp_socket); + out += sprintf(out, "%u", vdev->ud.sockfd); out += sprintf(out, "%s", dev_name(>udev->dev)); } else { @@ -223,6 +228,7 @@ static ssize_t store_attach(struct devic vdev->devid = devid; vdev->speed = speed; + vdev->ud.sockfd = sockfd; vdev->ud.tcp_socket = socket; vdev->ud.status = VDEV_ST_NOTASSIGNED; --- a/drivers/staging/usbip/userspace/libsrc/vhci_driver.c +++ b/drivers/staging/usbip/userspace/libsrc/vhci_driver.c @@ -55,12 +55,12 @@ static int parse_status(const char *valu while (*c != '\0') { int port, status, speed, devid; - unsigned long socket; + int sockfd; char lbusid[SYSFS_BUS_ID_SIZE]; - ret = sscanf(c, "%d %d %d %x %lx %31s\n", + ret = sscanf(c, "%d %d %d %x %u %31s\n", , , , - , , lbusid); + , , lbusid); if (ret < 5) { dbg("sscanf failed: %d", ret); 
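Review bot: `sockfd` is declared as `int` in struct usbip_device and in parse_status(), but it is printed and parsed with `%u`: in `sprintf(out, "%u", vdev->ud.sockfd)`, in the `sscanf` format, and in the `dbg("sockfd %u lbusid %s", ...)` call in the following hunk. Using `%d` in all three places makes the conversion match the declared type. As rendered here, the new sprintf format also has no trailing space, whereas the removed `"%16p "` had one. If that is what the patch contains, the fd and local_busid run together in the status file and the `%u %31s` parse in vhci_driver.c cannot split them, so `"%d "` is probably what is intended. status_show() and parse_status() both continue outside the hunks.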
@@ -69,7 +69,7 @@ static int parse_status(const char *valu dbg("port %d status %d speed %d devid %x", port, status, speed, devid); - dbg("socket %lx lbusid %s", socket, lbusid); + dbg("sockfd %u lbusid %s", sockfd, lbusid); /* if a device is connected, look at it */
[PATCH 3.16 014/136] drm/i915/bios: parse DDI ports also for CHV for HDMI DDC pin and DP AUX channel
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Jani Nikulacommit 348e4058ebf53904e817eec7a1b25327143c2ed2 upstream. While technically CHV isn't DDI, we do look at the VBT based DDI port info for HDMI DDC pin and DP AUX channel. (We call these "alternate", but they're really just something that aren't platform defaults.) In commit e4ab73a13291 ("drm/i915: Respect alternate_ddc_pin for all DDI ports") Ville writes, "IIRC there may be CHV system that might actually need this." I'm not sure why there couldn't be even more platforms that need this, but start conservative, and parse the info for CHV in addition to DDI. Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=100553 Reported-by: Marek Wilczewski Reviewed-by: Ville Syrjälä Signed-off-by: Jani Nikula Link: https://patchwork.freedesktop.org/patch/msgid/d0815082cb98487618429b62414854137049b888.1506586821.git.jani.nik...@intel.com [bwh: Backported to 3.16: IS_CHERRYVIEW() takes a drm_device pointer] Signed-off-by: Ben Hutchings --- drivers/gpu/drm/i915/intel_bios.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/gpu/drm/i915/intel_bios.c +++ b/drivers/gpu/drm/i915/intel_bios.c @@ -1007,7 +1007,7 @@ static void parse_ddi_ports(struct drm_i struct drm_device *dev = dev_priv->dev; enum port port; - if (!HAS_DDI(dev)) + if (!HAS_DDI(dev) && !IS_CHERRYVIEW(dev)) return; if (!dev_priv->vbt.child_dev_num)
[PATCH 3.2 08/79] KVM: nVMX: set IDTR and GDTR limits when loading L1 host state
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Ladi Prosekcommit 21f2d551183847bc7fbe8d866151d00cdad18752 upstream. Intel SDM 27.5.2 Loading Host Segment and Descriptor-Table Registers: "The GDTR and IDTR limits are each set to H." Signed-off-by: Ladi Prosek Signed-off-by: Paolo Bonzini [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings --- arch/x86/kvm/vmx.c | 2 ++ 1 file changed, 2 insertions(+) --- a/arch/x86/kvm/vmx.c +++ b/arch/x86/kvm/vmx.c @@ -7076,6 +7076,8 @@ void load_vmcs12_host_state(struct kvm_v vmcs_writel(GUEST_SYSENTER_EIP, vmcs12->host_ia32_sysenter_eip); vmcs_writel(GUEST_IDTR_BASE, vmcs12->host_idtr_base); vmcs_writel(GUEST_GDTR_BASE, vmcs12->host_gdtr_base); + vmcs_write32(GUEST_IDTR_LIMIT, 0x); + vmcs_write32(GUEST_GDTR_LIMIT, 0x); vmcs_writel(GUEST_TR_BASE, vmcs12->host_tr_base); vmcs_writel(GUEST_GS_BASE, vmcs12->host_gs_base); vmcs_writel(GUEST_FS_BASE, vmcs12->host_fs_base);
[PATCH 3.2 04/79] PCI/AER: Report non-fatal errors only to the affected endpoint
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Gabriele Paolonicommit 86acc790717fb60fb51ea3095084e331d8711c74 upstream. Previously, if an non-fatal error was reported by an endpoint, we called report_error_detected() for the endpoint, every sibling on the bus, and their descendents. If any of them did not implement the .error_detected() method, do_recovery() failed, leaving all these devices unrecovered. For example, the system described in the bugzilla below has two devices: :74:02.0 [19e5:a230] SAS controller, driver has .error_detected() :74:03.0 [19e5:a235] SATA controller, driver lacks .error_detected() When a device such as 74:02.0 reported a non-fatal error, do_recovery() failed because 74:03.0 lacked an .error_detected() method. But per PCIe r3.1, sec 6.2.2.2.2, such an error does not compromise the Link and does not affect 74:03.0: Non-fatal errors are uncorrectable errors which cause a particular transaction to be unreliable but the Link is otherwise fully functional. Isolating Non-fatal from Fatal errors provides Requester/Receiver logic in a device or system management software the opportunity to recover from the error without resetting the components on the Link and disturbing other transactions in progress. Devices not associated with the transaction in error are not impacted by the error. Report non-fatal errors only to the endpoint that reported them. We really want to check for AER_NONFATAL here, but the current code structure doesn't allow that. Looking for pci_channel_io_normal is the best we can do now. Link: https://bugzilla.kernel.org/show_bug.cgi?id=197055 Fixes: 6c2b374d7485 ("PCI-Express AER implemetation: AER core and aerdriver") Signed-off-by: Gabriele Paoloni Signed-off-by: Dongdong Liu [bhelgaas: changelog] Signed-off-by: Bjorn Helgaas Signed-off-by: Ben Hutchings --- drivers/pci/pcie/aer/aerdrv_core.c | 9 - 1 file changed, 8 insertions(+), 1 deletion(-) --- a/drivers/pci/pcie/aer/aerdrv_core.c 
+++ b/drivers/pci/pcie/aer/aerdrv_core.c @@ -367,7 +367,14 @@ static pci_ers_result_t broadcast_error_ * If the error is reported by an end point, we think this * error is related to the upstream link of the end point. */ - pci_walk_bus(dev->bus, cb, _data); + if (state == pci_channel_io_normal) + /* +* the error is non fatal so the bus is ok, just invoke +* the callback for the function that logged the error. +*/ + cb(dev, _data); + else + pci_walk_bus(dev->bus, cb, _data); } return result_data.result;
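Review bot: The context comment just above the new branch still says an error reported by an end point is "related to the upstream link of the end point", which now describes only the `else` path; the added non-fatal path says the opposite (the bus is ok). Rewording the outer comment to name both cases would stop the two from reading as contradictory. Since the `if` body is a multi-line comment plus a statement, braces on both branches would also make the pairing with `else` unambiguous. broadcast_error_message() starts and ends outside the hunk.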
[PATCH 3.2 79/79] kaiser: Set _PAGE_NX only if supported
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Lepton WuThis finally resolve crash if loaded under qemu + haxm. Haitao Shan pointed out that the reason of that crash is that NX bit get set for page tables. It seems we missed checking if _PAGE_NX is supported in kaiser_add_user_map Link: https://www.spinics.net/lists/kernel/msg2689835.html Reviewed-by: Guenter Roeck Signed-off-by: Lepton Wu Signed-off-by: Greg Kroah-Hartman (backported from Greg K-H's 4.4 stable-queue) Signed-off-by: Juerg Haefliger Signed-off-by: Ben Hutchings --- arch/x86/mm/kaiser.c | 2 ++ 1 file changed, 2 insertions(+) --- a/arch/x86/mm/kaiser.c +++ b/arch/x86/mm/kaiser.c @@ -189,6 +189,8 @@ static int kaiser_add_user_map(const voi * requires that not to be #defined to 0): so mask it off here. */ flags &= ~_PAGE_GLOBAL; + if (!(__supported_pte_mask & _PAGE_NX)) + flags &= ~_PAGE_NX; if (flags & _PAGE_USER) BUG_ON(address < FIXADDR_START || end_addr >= FIXADDR_TOP);
Re: [PATCH] KVM: lapic: stop advertising DIRECTED_EOI when in-kernel IOAPIC is in use
On Fri, Feb 09, 2018 at 02:01:33PM +0100, Vitaly Kuznetsov wrote: > Devices which use level-triggered interrupts under Windows 2016 with > Hyper-V role enabled don't work: Windows disables EOI broadcast in SPIV > unconditionally. Our in-kernel IOAPIC implementation emulates an old IOAPIC > version which has no EOI register so EOI never happens. > > The issue was discovered and discussed a while ago: > https://www.spinics.net/lists/kvm/msg148098.html > > While this is a guest OS bug (it should check that IOAPIC has the required > capabilities before disabling EOI broadcast) we can workaround it in KVM: > advertising DIRECTED_EOI with in-kernel IOAPIC makes little sense anyway. > > Signed-off-by: Vitaly Kuznetsov> --- > - Radim's suggestion was to disable DIRECTED_EOI unconditionally but I'm not > that radical :-) In theory, we may have multiple IOAPICs in userspace in > future and DIRECTED_EOI can be leveraged. I sort of agree on this, especially considering that we already have IOAPIC version 0x20 support in QEMU already. > --- > arch/x86/kvm/lapic.c | 10 +- > 1 file changed, 9 insertions(+), 1 deletion(-) > > diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c > index 924ac8ce9d50..5339287fee63 100644 > --- a/arch/x86/kvm/lapic.c > +++ b/arch/x86/kvm/lapic.c 
> @@ -321,8 +321,16 @@ void kvm_apic_set_version(struct kvm_vcpu *vcpu) > if (!lapic_in_kernel(vcpu)) > return; > > + /* > + * KVM emulates 82093AA datasheet (with in-kernel IOAPIC implementation) > + * which doesn't have EOI register; Some buggy OSes (e.g. Windows with > + * Hyper-V role) disable EOI broadcast in lapic not checking for IOAPIC > + * version first and level-triggered interrupts never get EOIed in > + * IOAPIC. > + */ > feat = kvm_find_cpuid_entry(apic->vcpu, 0x1, 0); > - if (feat && (feat->ecx & (1 << (X86_FEATURE_X2APIC & 31 > + if (feat && (feat->ecx & (1 << (X86_FEATURE_X2APIC & 31))) && > + !ioapic_in_kernel(vcpu->kvm)) > v |= APIC_LVR_DIRECTED_EOI; > kvm_lapic_set_reg(apic, APIC_LVR, v); > } > -- > 2.14.3 > Does this mean that we can avoid the migration problem that Radim raised in previous discussion? Basically the OSs should only probe this version once for each boot, if so I think it should be fine. But since you didn't mention that in either commit message and comment, I would like to ask and confirm. For the change itself, it looks sane to me. Thanks, -- Peter Xu
[PATCH 3.2 06/79] USB: serial: garmin_gps: fix memory leak on probe errors
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Johan Hovoldcommit 74d471b598444b7f2d964930f7234779c80960a0 upstream. Make sure to free the port private data before returning after a failed probe attempt. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reviewed-by: Greg Kroah-Hartman Signed-off-by: Johan Hovold Signed-off-by: Ben Hutchings --- drivers/usb/serial/garmin_gps.c | 6 ++ 1 file changed, 6 insertions(+) --- a/drivers/usb/serial/garmin_gps.c +++ b/drivers/usb/serial/garmin_gps.c @@ -1476,6 +1476,12 @@ static int garmin_attach(struct usb_seri usb_set_serial_port_data(port, garmin_data_p); status = garmin_init_session(port); + if (status) + goto err_free; + + return 0; +err_free: + kfree(garmin_data_p); return status; }
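Review bot: On the new `err_free` path, the port's private data pointer, set just above by `usb_set_serial_port_data(port, garmin_data_p)`, still refers to the structure that `kfree(garmin_data_p)` has just released. Nothing in the hunk shows a later reader, but clearing it with `usb_set_serial_port_data(port, NULL);` before `return status;` removes the stale pointer and turns any later access into a NULL dereference rather than a use-after-free. garmin_attach() begins outside the hunk, so it is not visible here whether garmin_init_session() leaves anything pending that also refers to the structure.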
[PATCH 3.2 01/79] Input: adxl34x - do not treat FIFO_MODE() as boolean
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Arnd Bergmanncommit 1dbc080c9ef6bcfba652ef0d6ae919b8c7c85a1d upstream. FIFO_MODE() is a macro expression with a '<<' operator, which gcc points out could be misread as a '<': drivers/input/misc/adxl34x.c: In function 'adxl34x_probe': drivers/input/misc/adxl34x.c:799:36: error: '<<' in boolean context, did you mean '<' ? [-Werror=int-in-bool-context] While utility of this warning is being disputed (Chief Penguin: "This warning is clearly pure garbage.") FIFO_MODE() extracts range of values, with 0 being FIFO_BYPASS, and not something that is logically boolean. This converts the test to an explicit comparison with FIFO_BYPASS, making it clearer to gcc and the reader what is intended. Fixes: e27c729219ad ("Input: add driver for ADXL345/346 Digital Accelerometers") Signed-off-by: Arnd Bergmann Signed-off-by: Dmitry Torokhov Signed-off-by: Ben Hutchings --- drivers/input/misc/adxl34x.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/input/misc/adxl34x.c +++ b/drivers/input/misc/adxl34x.c @@ -797,7 +797,7 @@ struct adxl34x *adxl34x_probe(struct dev if (pdata->watermark) { ac->int_mask |= WATERMARK; - if (!FIFO_MODE(pdata->fifo_mode)) + if (FIFO_MODE(pdata->fifo_mode) == FIFO_BYPASS) ac->pdata.fifo_mode |= FIFO_STREAM; } else { ac->int_mask |= DATA_READY;
Re: [PATCH 3.2 39/79] ocfs2: should wait dio before inode lock in ocfs2_setattr()
Hi Ben, ocfs2_dio_end_io_write() was introduced in 4.6 and the problem this patch fixes is only exist in the kernel 4.6 and above 4.6. Thanks, Alex On 2018/2/11 12:20, Ben Hutchings wrote: > 3.2.99-rc1 review patch. If anyone has any objections, please let me know. > > -- > > From: alex chen> > commit 28f5a8a7c033cbf3e32277f4cc9c6afd74f05300 upstream. > > we should wait dio requests to finish before inode lock in > ocfs2_setattr(), otherwise the following deadlock will happen: > > process 1 process 2process 3 > truncate file 'A' end_io of writing file 'A' receiving the bast > messages > ocfs2_setattr > ocfs2_inode_lock_tracker > ocfs2_inode_lock_full > inode_dio_wait > __inode_dio_wait > -->waiting for all dio > requests finish > dlm_proxy_ast_handler > dlm_do_local_bast > ocfs2_blocking_ast > > ocfs2_generic_handle_bast > set > OCFS2_LOCK_BLOCKED flag > dio_end_io > dio_bio_end_aio > dio_complete >ocfs2_dio_end_io > ocfs2_dio_end_io_write > ocfs2_inode_lock > __ocfs2_cluster_lock >ocfs2_wait_for_mask >-->waiting for OCFS2_LOCK_BLOCKED >flag to be cleared, that is waiting >for 'process 1' unlocking the inode lock >inode_dio_end >-->here dec the i_dio_count, but will never >be called, so a deadlock happened. > > Link: http://lkml.kernel.org/r/59f81636.70...@huawei.com > Signed-off-by: Alex Chen > Reviewed-by: Jun Piao > Reviewed-by: Joseph Qi > Acked-by: Changwei Ge > Cc: Mark Fasheh > Cc: Joel Becker > Cc: Junxiao Bi > Signed-off-by: Andrew Morton > Signed-off-by: Linus Torvalds > Signed-off-by: Ben Hutchings > --- > fs/ocfs2/file.c | 9 +++-- > 1 file changed, 7 insertions(+), 2 deletions(-) > > --- a/fs/ocfs2/file.c > +++ b/fs/ocfs2/file.c 
> @@ -1130,6 +1130,13 @@ int ocfs2_setattr(struct dentry *dentry, > dquot_initialize(inode); > size_change = S_ISREG(inode->i_mode) && attr->ia_valid & ATTR_SIZE; > if (size_change) { > + /* > + * Here we should wait dio to finish before inode lock > + * to avoid a deadlock between ocfs2_setattr() and > + * ocfs2_dio_end_io_write() > + */ > + inode_dio_wait(inode); > + > status = ocfs2_rw_lock(inode, 1); > if (status < 0) { > mlog_errno(status); > @@ -1149,8 +1156,6 @@ int ocfs2_setattr(struct dentry *dentry, > if (status) > goto bail_unlock; > > - inode_dio_wait(inode); > - > if (i_size_read(inode) >= attr->ia_size) { > if (ocfs2_should_order_data(inode)) { > status = ocfs2_begin_ordered_truncate(inode, > > > . >
Re: [PATCH 09/31] x86/entry/32: Leave the kernel via trampoline stack
On Sat, Feb 10, 2018 at 7:26 AM, David Laightwrote: > > The alignment doesn't matter, 'rep movsl' will still work. .. no it won't. It might not copy the last two bytes or whatever, because the shift of the count will have ignored the low bits. But since an unaligned stack pointer really shouldn't be an issue, it's fine to not care. >> Indeed, "rep movs" has some setup overhead that makes it undesirable >> for small sizes. In my testing, moving less than 128 bytes with "rep movs" >> is a loss. > > It very much depends on the cpu. No again. It does NOT depend on the CPU, since the only CPU's that are relevant to this patch are the ones that don't do 64-bit. If you run a 32-bit Linux on a 64-bit CPU, performance simply isn't an issue. The problem is between keyboard and chair, not in the kernel. And absolutely *no* 32-bit-only CPU does "rep movs" really well. Some of them do it even worse than others (P4), but none of them do a great job. That said, none of them should do _such_ a shitty job that this will be in the least noticeable compared to all the crazy %cr3 stuff. Linus
[PATCH 1/2] gpio: omap: Delete an error message for a failed memory allocation in omap_gpio_probe()
From: Markus ElfringDate: Sat, 10 Feb 2018 21:46:30 +0100 Omit an extra message for a memory allocation failure in this function. This issue was detected by using the Coccinelle software. Signed-off-by: Markus Elfring --- drivers/gpio/gpio-omap.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/drivers/gpio/gpio-omap.c b/drivers/gpio/gpio-omap.c index ab5035b96886..4db6f13fa133 100644 --- a/drivers/gpio/gpio-omap.c +++ b/drivers/gpio/gpio-omap.c @@ -1158,10 +1158,8 @@ static int omap_gpio_probe(struct platform_device *pdev) return -EINVAL; bank = devm_kzalloc(dev, sizeof(struct gpio_bank), GFP_KERNEL); - if (!bank) { - dev_err(dev, "Memory alloc failed\n"); + if (!bank) return -ENOMEM; - } irqc = devm_kzalloc(dev, sizeof(*irqc), GFP_KERNEL); if (!irqc) -- 2.16.1
Re: [PATCH] x86_64: trim clear_page.S includes
On Sat, Jan 13, 2018 at 10:06:48PM +0300, Alexey Dobriyan wrote: > After alternatives were shifted to the call site, only 2 headers are > necessary. > > Signed-off-by: Alexey Dobriyan> --- > > arch/x86/lib/clear_page_64.S |2 -- > 1 file changed, 2 deletions(-) > > --- a/arch/x86/lib/clear_page_64.S > +++ b/arch/x86/lib/clear_page_64.S > @@ -1,6 +1,4 @@ > #include > -#include > -#include > #include > > /* Reviewed-by: Borislav Petkov -- Regards/Gruss, Boris. SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg) --
[PATCH] gpio-ml-ioh: Delete an error message for a failed memory allocation in ioh_gpio_probe()
From: Markus ElfringDate: Sat, 10 Feb 2018 22:27:15 +0100 Omit an extra message for a memory allocation failure in this function. This issue was detected by using the Coccinelle software. Signed-off-by: Markus Elfring
---
drivers/gpio/gpio-ml-ioh.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/gpio/gpio-ml-ioh.c b/drivers/gpio/gpio-ml-ioh.c
index 4b80e996d976..b3678bd1c120 100644
--- a/drivers/gpio/gpio-ml-ioh.c
+++ b/drivers/gpio/gpio-ml-ioh.c
@@ -445,7 +445,6 @@ static int ioh_gpio_probe(struct pci_dev *pdev,
 chip_save = kzalloc(sizeof(*chip) * 8, GFP_KERNEL);
 if (chip_save == NULL) {
- dev_err(>dev, "%s : kzalloc failed", __func__);
 ret = -ENOMEM;
 goto err_kzalloc;
 }
--
2.16.1
Re: [PATCH] MAINTAINERS: auxdisplay: remove obsolete webpages
On Sat, 2018-02-10 at 09:32 -0800, Randy Dunlap wrote: > On 02/10/2018 01:56 AM, Miguel Ojeda wrote: > > Cc: Randy Dunlap> > Signed-off-by: Miguel Ojeda > > Acked-by: Randy Dunlap > > Are you merging this directly to Linus? or what? A generic negative of these removals, even for ancient drivers that may or may not work anymore, is that the old links may still be found on things like the wayback machine/archive.org. Miguel, do you have a copy of this link source? If you do, should it be introduced as a .rst into Documentation/ somewhere? > Thanks. > > > --- > > MAINTAINERS | 8 > > 1 file changed, 8 deletions(-) > > > > diff --git a/MAINTAINERS b/MAINTAINERS > > index e6c26cb47d02..01e302f7967e 100644 > > --- a/MAINTAINERS > > +++ b/MAINTAINERS > > @@ -2484,8 +2484,6 @@ F:kernel/audit* > > > > AUXILIARY DISPLAY DRIVERS > > M: Miguel Ojeda Sandonis > > -W: http://miguelojeda.es/auxdisplay.htm > > -W: http://jair.lab.fi.uva.es/~migojed/auxdisplay.htm > > S: Maintained > > F: drivers/auxdisplay/ > > F: include/linux/cfag12864b.h > > @@ -3373,16 +3371,12 @@ F: include/linux/usb/wusb* > > > > CFAG12864B LCD DRIVER > > M: Miguel Ojeda Sandonis > > -W: http://miguelojeda.es/auxdisplay.htm > > -W: http://jair.lab.fi.uva.es/~migojed/auxdisplay.htm > > S: Maintained > > F: drivers/auxdisplay/cfag12864b.c > > F: include/linux/cfag12864b.h Another suggestion would be to move "include/linux/cfag12864b.h" into drivers/auxdisplay > > CFAG12864BFB LCD FRAMEBUFFER DRIVER > > M: Miguel Ojeda Sandonis > > -W: http://miguelojeda.es/auxdisplay.htm > > -W: http://jair.lab.fi.uva.es/~migojed/auxdisplay.htm > > S: Maintained > > F: drivers/auxdisplay/cfag12864bfb.c > > F: include/linux/cfag12864b.h 
> > @@ -7866,8 +7860,6 @@ F:kernel/kprobes.c > > > > KS0108 LCD CONTROLLER DRIVER > > M: Miguel Ojeda Sandonis > > -W: http://miguelojeda.es/auxdisplay.htm > > -W: http://jair.lab.fi.uva.es/~migojed/auxdisplay.htm > > S: Maintained > > F: Documentation/auxdisplay/ks0108 > > F: drivers/auxdisplay/ks0108.c > > > >
Re: [PATCH] f2fs: set_code_data in move_data_block
Ping... move_data_block misses set_cold_data, then the F2FS_WB_CP_DATA will lack these data pages in move_data_block, and write_checkpoint can not make sure this pages committed to the flash. On 2018/2/8 20:33, Yunlong Song wrote: Signed-off-by: Yunlong Song
---
fs/f2fs/gc.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/f2fs/gc.c b/fs/f2fs/gc.c
index b9d93fd..2095630 100644
--- a/fs/f2fs/gc.c
+++ b/fs/f2fs/gc.c
@@ -692,6 +692,7 @@ static void move_data_block(struct inode *inode, block_t bidx,
 fio.op = REQ_OP_WRITE;
 fio.op_flags = REQ_SYNC;
 fio.new_blkaddr = newaddr;
+ set_cold_data(fio.page);
 err = f2fs_submit_page_write();
 if (err) {
 if (PageWriteback(fio.encrypted_page))
-- Thanks, Yunlong Song
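Review bot: The added `set_cold_data(fio.page);` flags `fio.page`, but the error path two lines later tests `PageWriteback(fio.encrypted_page)`, which suggests the page actually submitted is the encrypted copy. It is worth confirming that the F2FS_WB_CP_DATA accounting the message refers to is derived from the page flagged here and not from `fio.encrypted_page`. Either way the line needs a why-comment, for example `/* cold data is counted as F2FS_WB_CP_DATA, so write_checkpoint waits for this page */`, because nothing in the code says why a GC move must set the flag. The subject line also says set_code_data where the code calls set_cold_data. The body of move_data_block starts and ends outside the hunk.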
[PATCH 3.16 035/136] l2tp: protect sock pointer of struct pppol2tp_session with RCU
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Guillaume Naultcommit ee40fb2e1eb5bc0ddd3f2f83c6e39a454ef5a741 upstream. pppol2tp_session_create() registers sessions that can't have their corresponding socket initialised. This socket has to be created by userspace, then connected to the session by pppol2tp_connect(). Therefore, we need to protect the pppol2tp socket pointer of L2TP sessions, so that it can safely be updated when userspace is connecting or closing the socket. This will eventually allow pppol2tp_connect() to avoid generating transient states while initialising its parts of the session. To this end, this patch protects the pppol2tp socket pointer using RCU. The pppol2tp socket pointer is still set in pppol2tp_connect(), but only once we know the function isn't going to fail. It's eventually reset by pppol2tp_release(), which now has to wait for a grace period to elapse before it can drop the last reference on the socket. This ensures that pppol2tp_session_get_sock() can safely grab a reference on the socket, even after ps->sk is reset to NULL but before this operation actually gets visible from pppol2tp_session_get_sock(). The rest is standard RCU conversion: pppol2tp_recv(), which already runs in atomic context, is simply enclosed by rcu_read_lock() and rcu_read_unlock(), while other functions are converted to use pppol2tp_session_get_sock() followed by sock_put(). pppol2tp_session_setsockopt() is a special case. It used to retrieve the pppol2tp socket from the L2TP session, which itself was retrieved from the pppol2tp socket. Therefore we can just avoid dereferencing ps->sk and directly use the original socket pointer instead. With all users of ps->sk now handling NULL and concurrent updates, the L2TP ->ref() and ->deref() callbacks aren't needed anymore. Therefore, rather than converting pppol2tp_session_sock_hold() and pppol2tp_session_sock_put(), we can just drop them. Signed-off-by: Guillaume Nault 
Signed-off-by: David S. Miller Signed-off-by: Ben Hutchings --- net/l2tp/l2tp_ppp.c | 154 ++-- 1 file changed, 101 insertions(+), 53 deletions(-) --- a/net/l2tp/l2tp_ppp.c +++ b/net/l2tp/l2tp_ppp.c @@ -122,8 +122,11 @@ struct pppol2tp_session { int owner; /* pid that opened the socket */ - struct sock *sock; /* Pointer to the session + struct mutexsk_lock;/* Protects .sk */ + struct sock __rcu *sk;/* Pointer to the session * PPPoX socket */ + struct sock *__sk; /* Copy of .sk, for cleanup */ + struct rcu_head rcu;/* For asynchronous release */ struct sock *tunnel_sock; /* Pointer to the tunnel UDP * socket */ int flags; /* accessed by PPPIOCGFLAGS. @@ -138,6 +141,24 @@ static const struct ppp_channel_ops pppo static const struct proto_ops pppol2tp_ops; +/* Retrieves the pppol2tp socket associated to a session. + * A reference is held on the returned socket, so this function must be paired + * with sock_put(). + */ +static struct sock *pppol2tp_session_get_sock(struct l2tp_session *session) +{ + struct pppol2tp_session *ps = l2tp_session_priv(session); + struct sock *sk; + + rcu_read_lock(); + sk = rcu_dereference(ps->sk); + if (sk) + sock_hold(sk); + rcu_read_unlock(); + + return sk; +} + /* Helpers to obtain tunnel/session contexts from sockets. */ static inline struct l2tp_session *pppol2tp_sock_to_session(struct sock *sk) @@ -225,7 +246,8 @@ static void pppol2tp_recv(struct l2tp_se /* If the socket is bound, send it in to PPP's input queue. Otherwise * queue it on the session socket. */ - sk = ps->sock; + rcu_read_lock(); + sk = rcu_dereference(ps->sk); if (sk == NULL) goto no_sock; 
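Review bot: The comment above `pppol2tp_session_get_sock()` documents the caller's duty (pair with sock_put()) but not the invariant that makes the plain `sock_hold(sk)` safe. That invariant is that the socket's last reference is only dropped after an RCU grace period has passed since `ps->sk` was cleared; otherwise a reader that fetched the old pointer could take a reference on a socket that is already being freed. The commit message states this for pppol2tp_release(), whose change is not in this hunk. Recording it beside the helper, e.g. `/* ps->sk is released only after a grace period, so sock_hold() cannot race with the final sock_put() */`, keeps the two sites from drifting apart. The `__sk` and `rcu` fields added to struct pppol2tp_session in the first hunk have the same gap: their comments do not say which path reads them.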
@@ -263,30 +285,16 @@ static void pppol2tp_recv(struct l2tp_se kfree_skb(skb); } } + rcu_read_unlock(); return; no_sock: + rcu_read_unlock(); l2tp_info(session, PPPOL2TP_MSG_DATA, "%s: no socket\n", session->name); kfree_skb(skb); } -static void pppol2tp_session_sock_hold(struct l2tp_session *session) -{ - struct pppol2tp_session *ps = l2tp_session_priv(session); - - if (ps->sock) - sock_hold(ps->sock); -} - -static void pppol2tp_session_sock_put(struct l2tp_session *session) -{ - struct pppol2tp_session *ps = l2tp_session_priv(session); - - if (ps->sock) - sock_put(ps->sock); -} -
[PATCH 3.16 046/136] drm/radeon: fix atombios on big endian
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Roman Kaplcommit 4f626a4ac8f57ddabf06d03870adab91e463217f upstream. The function for byteswapping the data send to/from atombios was buggy for num_bytes not divisible by four. The function must be aware of the fact that after byte-swapping the u32 units, valid bytes might end up after the num_bytes boundary. This patch was tested on kernel 3.12 and allowed us to sucesfully use DisplayPort on and Radeon SI card. Namely it fixed the link training and EDID readout. The function is patched both in radeon and amd drivers, since the functions and the fixes are identical. Signed-off-by: Roman Kapl Signed-off-by: Alex Deucher [bwh: Backported to 3.16: drop changes in amdgpu] Signed-off-by: Ben Hutchings --- --- a/drivers/gpu/drm/radeon/atombios_dp.c +++ b/drivers/gpu/drm/radeon/atombios_dp.c 
@@ -45,34 +45,32 @@ static char *pre_emph_names[] = { /* radeon AUX functions */ -/* Atom needs data in little endian format - * so swap as appropriate when copying data to - * or from atom. Note that atom operates on - * dw units. +/* Atom needs data in little endian format so swap as appropriate when copying + * data to or from atom. Note that atom operates on dw units. + * + * Use to_le=true when sending data to atom and provide at least + * ALIGN(num_bytes,4) bytes in the dst buffer. + * + * Use to_le=false when receiving data from atom and provide ALIGN(num_bytes,4) + * byes in the src buffer. */ void radeon_atom_copy_swap(u8 *dst, u8 *src, u8 num_bytes, bool to_le) { #ifdef __BIG_ENDIAN - u8 src_tmp[20], dst_tmp[20]; /* used for byteswapping */ - u32 *dst32, *src32; + u32 src_tmp[5], dst_tmp[5]; int i; + u8 align_num_bytes = ALIGN(num_bytes, 4); - memcpy(src_tmp, src, num_bytes); - src32 = (u32 *)src_tmp; - dst32 = (u32 *)dst_tmp; if (to_le) { - for (i = 0; i < ((num_bytes + 3) / 4); i++) - dst32[i] = cpu_to_le32(src32[i]); - memcpy(dst, dst_tmp, num_bytes); + memcpy(src_tmp, src, num_bytes); + for (i = 0; i < align_num_bytes / 4; i++) + dst_tmp[i] = cpu_to_le32(src_tmp[i]); + memcpy(dst, dst_tmp, align_num_bytes); } else { - u8 dws = num_bytes & ~3; - for (i = 0; i < ((num_bytes + 3) / 4); i++) - dst32[i] = le32_to_cpu(src32[i]); - memcpy(dst, dst_tmp, dws); - if (num_bytes % 4) { - for (i = 0; i < (num_bytes % 4); i++) - dst[dws+i] = dst_tmp[dws+i]; - } + memcpy(src_tmp, src, align_num_bytes); + for (i = 0; i < align_num_bytes / 4; i++) + dst_tmp[i] = le32_to_cpu(src_tmp[i]); + memcpy(dst, dst_tmp, num_bytes); } #else memcpy(dst, src, num_bytes);
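Review bot: `radeon_atom_copy_swap()` copies into fixed 20-byte stack buffers (`u32 src_tmp[5], dst_tmp[5]`) using a caller-supplied `u8 num_bytes` with no bound check, and the new code additionally moves `ALIGN(num_bytes, 4)` bytes out of `src` or into `dst`. Nothing in the hunk shows that callers stay within 20 bytes, so a guard on the raw count before the first memcpy, `if (WARN_ON(num_bytes > sizeof(src_tmp))) return;`, would turn an oversized request into a warning rather than a stack overwrite (checking `align_num_bytes` instead would miss values that wrap in `u8`). In the `to_le` branch only `num_bytes` bytes of `src_tmp` are filled, yet `align_num_bytes / 4` words are swapped and written to `dst`, so up to three uninitialised stack bytes are copied out; `u32 src_tmp[5] = {0}, dst_tmp[5];` avoids that. The new comment has "byes" for "bytes". The function's closing lines are outside the hunk.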
[PATCH 3.16 031/136] mtd: nand: omap2: Fix subpage write
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Roger Quadroscommit 739c64414f01748a36e7d82c8e0611dea94412bd upstream. Since v4.12, NAND subpage writes were causing a NULL pointer dereference on OMAP platforms (omap2-nand) using OMAP_ECC_BCH4_CODE_HW, OMAP_ECC_BCH8_CODE_HW and OMAP_ECC_BCH16_CODE_HW. This is because for those ECC modes, omap_calculate_ecc_bch() generates ECC bytes for the entire (multi-sector) page and this can overflow the ECC buffer provided by nand_write_subpage_hwecc() as it expects ecc.calculate() to return ECC bytes for just one sector. However, the root cause of the problem is present since v3.9 but was not seen then as NAND buffers were being allocated as one big chunk prior to commit 3deb9979c731 ("mtd: nand: allocate aligned buffers if NAND_OWN_BUFFERS is unset"). Fix the issue by providing a OMAP optimized write_subpage() implementation. Fixes: 62116e5171e0 ("mtd: nand: omap2: Support for hardware BCH error correction.") Signed-off-by: Roger Quadros Signed-off-by: Boris Brezillon [bwh: Backported to 3.16: - Open-code mtd_to_omap() - Adjust context] Signed-off-by: Ben Hutchings --- --- a/drivers/mtd/nand/omap2.c +++ b/drivers/mtd/nand/omap2.c 
@@ -1163,130 +1163,174 @@ static u8 bch8_polynomial[] = {0xef, 0x 0x97, 0x79, 0xe5, 0x24, 0xb5}; /** - * omap_calculate_ecc_bch - Generate bytes of ECC bytes + * _omap_calculate_ecc_bch - Generate ECC bytes for one sector * @mtd: MTD device structure * @dat: The pointer to data on which ecc is computed * @ecc_code: The ecc_code buffer + * @i: The sector number (for a multi sector page) * - * Support calculating of BCH4/8 ecc vectors for the page + * Support calculating of BCH4/8/16 ECC vectors for one sector + * within a page. Sector number is in @i. */ -static int __maybe_unused omap_calculate_ecc_bch(struct mtd_info *mtd, - const u_char *dat, u_char *ecc_calc) +static int _omap_calculate_ecc_bch(struct mtd_info *mtd, + const u_char *dat, u_char *ecc_calc, int i) { struct omap_nand_info *info = container_of(mtd, struct omap_nand_info, mtd); int eccbytes= info->nand.ecc.bytes; struct gpmc_nand_regs *gpmc_regs = >reg; u8 *ecc_code; - unsigned long nsectors, bch_val1, bch_val2, bch_val3, bch_val4; + unsigned long bch_val1, bch_val2, bch_val3, bch_val4; u32 val; - int i, j; + int j; + + ecc_code = ecc_calc; + switch (info->ecc_opt) { + case OMAP_ECC_BCH8_CODE_HW_DETECTION_SW: + case OMAP_ECC_BCH8_CODE_HW: + bch_val1 = readl(gpmc_regs->gpmc_bch_result0[i]); + bch_val2 = readl(gpmc_regs->gpmc_bch_result1[i]); + bch_val3 = readl(gpmc_regs->gpmc_bch_result2[i]); + bch_val4 = readl(gpmc_regs->gpmc_bch_result3[i]); + *ecc_code++ = (bch_val4 & 0xFF); + *ecc_code++ = ((bch_val3 >> 24) & 0xFF); + *ecc_code++ = ((bch_val3 >> 16) & 0xFF); + *ecc_code++ = ((bch_val3 >> 8) & 0xFF); + *ecc_code++ = (bch_val3 & 0xFF); + *ecc_code++ = ((bch_val2 >> 24) & 0xFF); + *ecc_code++ = ((bch_val2 >> 16) & 0xFF); + *ecc_code++ = ((bch_val2 >> 8) & 0xFF); + *ecc_code++ = (bch_val2 & 0xFF); + *ecc_code++ = ((bch_val1 >> 24) & 0xFF); + *ecc_code++ = ((bch_val1 >> 16) & 0xFF); + *ecc_code++ = ((bch_val1 >> 8) & 0xFF); + *ecc_code++ = (bch_val1 & 0xFF); + break; + case 
OMAP_ECC_BCH4_CODE_HW_DETECTION_SW: + case OMAP_ECC_BCH4_CODE_HW: + bch_val1 = readl(gpmc_regs->gpmc_bch_result0[i]); + bch_val2 = readl(gpmc_regs->gpmc_bch_result1[i]); + *ecc_code++ = ((bch_val2 >> 12) & 0xFF); + *ecc_code++ = ((bch_val2 >> 4) & 0xFF); + *ecc_code++ = ((bch_val2 & 0xF) << 4) | + ((bch_val1 >> 28) & 0xF); + *ecc_code++ = ((bch_val1 >> 20) & 0xFF); + *ecc_code++ = ((bch_val1 >> 12) & 0xFF); + *ecc_code++ = ((bch_val1 >> 4) & 0xFF); + *ecc_code++ = ((bch_val1 & 0xF) << 4); + break; + case OMAP_ECC_BCH16_CODE_HW: + val = readl(gpmc_regs->gpmc_bch_result6[i]); + ecc_code[0] = ((val >> 8) & 0xFF); + ecc_code[1] = ((val >> 0) & 0xFF); + val = readl(gpmc_regs->gpmc_bch_result5[i]); + ecc_code[2] = ((val >> 24) & 0xFF); + ecc_code[3] = ((val >> 16) & 0xFF); + ecc_code[4] = ((val >> 8) & 0xFF); + ecc_code[5] = ((val >> 0) &
[PATCH 3.16 029/136] net: bcmgenet: enable loopback during UniMAC sw_reset
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Doug Bergercommit 28c2d1a7a0bfdf3617800d2beae1c67983c03d15 upstream. It is necessary for the UniMAC to be clocked at least 5 cycles while the sw_reset is asserted to ensure a clean reset. It was discovered that this condition was not being met when connected to an external RGMII PHY that disabled the Rx clock in the Power Save state. This commit modifies the reset_umac function to place the (RG)MII interface into a local loopback mode where the Rx clock comes from the GENET sourced Tx clk during the sw_reset to ensure the presence and stability of the clock. In addition, it turns out that the sw_reset of the UniMAC is not self clearing, but this was masked by a bug in the timeout code. The sw_reset is now explicitly cleared by zeroing the UMAC_CMD register before returning from reset_umac which makes it no longer necessary to do so in init_umac and makes the clearing of CMD_TX_EN and CMD_RX_EN by umac_enable_set redundant. The timeout code (and its associated bug) are removed so reset_umac no longer needs to return a result, and that means init_umac that calls reset_umac does not need to as well. Fixes: 1c1008c793fa ("net: bcmgenet: add main driver file") Signed-off-by: Doug Berger Signed-off-by: David S. Miller [bwh: Backported to 3.16: - Update call to init_umac() in bcmgenet_wol_resume() - Drop changes in bcmgenet_resume() - Adjust context] Signed-off-by: Ben Hutchings --- --- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c +++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c @@ -1509,12 +1509,8 @@ static void bcmgenet_free_rx_buffers(str } } -static int reset_umac(struct bcmgenet_priv *priv) +static void reset_umac(struct bcmgenet_priv *priv) { - struct device *kdev = >pdev->dev; - unsigned int timeout = 0; - u32 reg; - /* 7358a0/7552a0: bad default in RBUF_FLUSH_CTRL.umac_sw_rst */ bcmgenet_rbuf_ctrl_set(priv, 0); udelay(10); 
@@ -1522,38 +1518,21 @@ static int reset_umac(struct bcmgenet_pr /* disable MAC while updating its registers */ bcmgenet_umac_writel(priv, 0, UMAC_CMD); - /* issue soft reset, wait for it to complete */ - bcmgenet_umac_writel(priv, CMD_SW_RESET, UMAC_CMD); - while (timeout++ < 1000) { - reg = bcmgenet_umac_readl(priv, UMAC_CMD); - if (!(reg & CMD_SW_RESET)) - return 0; - - udelay(1); - } - - if (timeout == 1000) { - dev_err(kdev, - "timeout waiting for MAC to come out of resetn\n"); - return -ETIMEDOUT; - } - - return 0; + /* issue soft reset with (rg)mii loopback to ensure a stable rxclk */ + bcmgenet_umac_writel(priv, CMD_SW_RESET | CMD_LCL_LOOP_EN, UMAC_CMD); + udelay(2); + bcmgenet_umac_writel(priv, 0, UMAC_CMD); } -static int init_umac(struct bcmgenet_priv *priv) +static void init_umac(struct bcmgenet_priv *priv) { struct device *kdev = >pdev->dev; - int ret; u32 reg, cpu_mask_clear; dev_dbg(>pdev->dev, "bcmgenet: init_umac\n"); - ret = reset_umac(priv); - if (ret) - return ret; + reset_umac(priv); - bcmgenet_umac_writel(priv, 0, UMAC_CMD); /* clear tx/rx counter */ bcmgenet_umac_writel(priv, MIB_RESET_RX | MIB_RESET_TX | MIB_RESET_RUNT, UMAC_MIB_CTRL); @@ -1604,8 +1583,6 @@ static int init_umac(struct bcmgenet_pri /* Enable rx/tx engine.*/ dev_dbg(kdev, "done init umac\n"); - - return 0; } /* Initialize all house-keeping variables for a TX ring, along @@ -1994,14 +1971,10 @@ static void bcmgenet_set_hw_addr(struct static int bcmgenet_wol_resume(struct bcmgenet_priv *priv) { - int ret; - /* From WOL-enabled suspend, switch to regular clock */ clk_disable(priv->clk_wol); /* init umac registers to synchronize s/w with h/w */ - ret = init_umac(priv); - if (ret) - return ret; + init_umac(priv); phy_init_hw(priv->phydev); /* Speed settings must be restored */ 
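Review bot: The fixed `udelay(2)` that replaces the poll loop in `reset_umac()` has no stated derivation. The commit message requires at least five clock cycles while sw_reset is asserted, so whether 2 µs is sufficient depends on the slowest clock the local-loopback path can run from, which the hunk does not show. A comment on that line such as `/* >= 5 cycles of the slowest loopback rx clock */`, with the figure checked against that clock, would make the margin reviewable instead of implicit.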
@@ -2062,14 +2035,7 @@ static int bcmgenet_open(struct net_devi /* take MAC out of reset */ bcmgenet_umac_reset(priv); - ret = init_umac(priv); - if (ret) - goto err_clk_disable; - - /* disable ethernet MAC while updating its registers */ - reg = bcmgenet_umac_readl(priv, UMAC_CMD); - reg &= ~(CMD_TX_EN | CMD_RX_EN); - bcmgenet_umac_writel(priv, reg, UMAC_CMD); + init_umac(priv); bcmgenet_set_hw_addr(priv, dev->dev_addr); @@ -2603,9 +2569,7 @@ static int bcmgenet_probe(struct platfor !strcasecmp(phy_mode_str, "internal")) bcmgenet_power_up(priv,
[PATCH 3.16 033/136] l2tp: don't register sessions in l2tp_session_create()
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Guillaume Naultcommit 3953ae7b218df4d1e544b98a393666f9ae58a78c upstream. Sessions created by l2tp_session_create() aren't fully initialised: some pseudo-wire specific operations need to be done before making the session usable. Therefore the PPP and Ethernet pseudo-wires continue working on the returned l2tp session while it's already been exposed to the rest of the system. This can lead to various issues. In particular, the session may enter the deletion process before having been fully initialised, which will confuse the session removal code. This patch moves session registration out of l2tp_session_create(), so that callers can control when the session is exposed to the rest of the system. This is done by the new l2tp_session_register() function. Only pppol2tp_session_create() can be easily converted to avoid modifying its session after registration (the debug message is dropped in order to avoid the need for holding a reference on the session). For pppol2tp_connect() and l2tp_eth_create()), more work is needed. That'll be done in followup patches. For now, let's just register the session right after its creation, like it was done before. The only difference is that we can easily take a reference on the session before registering it, so, at least, we're sure it's not going to be freed while we're working on it. Signed-off-by: Guillaume Nault Signed-off-by: David S. Miller [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings --- net/l2tp/l2tp_core.c | 21 +++-- net/l2tp/l2tp_core.h | 3 +++ net/l2tp/l2tp_eth.c | 9 + net/l2tp/l2tp_ppp.c | 23 +-- 4 files changed, 36 insertions(+), 20 deletions(-) --- a/net/l2tp/l2tp_core.c +++ b/net/l2tp/l2tp_core.c 
@@ -370,8 +370,8 @@ struct l2tp_session *l2tp_session_get_by } EXPORT_SYMBOL_GPL(l2tp_session_get_by_ifname); -static int l2tp_session_add_to_tunnel(struct l2tp_tunnel *tunnel, - struct l2tp_session *session) +int l2tp_session_register(struct l2tp_session *session, + struct l2tp_tunnel *tunnel) { struct l2tp_session *session_walk; struct hlist_head *g_head; @@ -419,6 +419,10 @@ static int l2tp_session_add_to_tunnel(st hlist_add_head(>hlist, head); write_unlock_bh(>hlist_lock); + /* Ignore management session in session count value */ + if (session->session_id != 0) + atomic_inc(_session_count); + return 0; err_tlock_pnlock: @@ -428,6 +432,7 @@ err_tlock: return err; } +EXPORT_SYMBOL_GPL(l2tp_session_register); /* Lookup a tunnel by id */ @@ -1868,7 +1873,6 @@ EXPORT_SYMBOL_GPL(l2tp_session_set_heade struct l2tp_session *l2tp_session_create(int priv_size, struct l2tp_tunnel *tunnel, u32 session_id, u32 peer_session_id, struct l2tp_session_cfg *cfg) { struct l2tp_session *session; - int err; session = kzalloc(sizeof(struct l2tp_session) + priv_size, GFP_KERNEL); if (session != NULL) { @@ -1926,17 +1930,6 @@ struct l2tp_session *l2tp_session_create l2tp_session_inc_refcount(session); - err = l2tp_session_add_to_tunnel(tunnel, session); - if (err) { - kfree(session); - - return ERR_PTR(err); - } - - /* Ignore management session in session count value */ - if (session->session_id != 0) - atomic_inc(_session_count); - return session; } --- a/net/l2tp/l2tp_core.h +++ b/net/l2tp/l2tp_core.h @@ -274,6 +274,9 @@ struct l2tp_session *l2tp_session_create struct l2tp_tunnel *tunnel, u32 session_id, u32 peer_session_id, struct l2tp_session_cfg *cfg); +int l2tp_session_register(struct l2tp_session *session, + struct l2tp_tunnel *tunnel); + void __l2tp_session_unhash(struct l2tp_session *session); int l2tp_session_delete(struct l2tp_session *session); void l2tp_session_free(struct l2tp_session *session); --- a/net/l2tp/l2tp_eth.c +++ b/net/l2tp/l2tp_eth.c 
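Review bot: `l2tp_session_register()` becomes an exported entry point here without any comment describing its contract. From the visible hunks it returns 0 or a negative error and increments the global session count itself on success. The l2tp_eth caller later in the patch takes a reference before calling it and frees the session with `kfree()` when it fails. A short kernel-doc block above the function should state who must hold a reference, what the caller has to undo on failure, and that the session is reachable by lookups as soon as 0 is returned, since the commit message says further callers are still to be converted. The function body lies between this hunk and the next and is only partly visible.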
@@ -217,6 +217,13 @@ static int l2tp_eth_create(struct net *n goto out; } + l2tp_session_inc_refcount(session); + rc = l2tp_session_register(session, tunnel); + if (rc < 0) { + kfree(session); + goto out; + } + dev = alloc_netdev(sizeof(*priv), name, l2tp_eth_dev_setup); if (!dev) { rc = -ENOMEM; @@ -250,6 +257,7 @@ static int l2tp_eth_create(struct net *n __module_get(THIS_MODULE); /* Must be done after register_netdev() */
[PATCH 3.16 037/136] btrfs: avoid null pointer dereference on fs_info when calling btrfs_crit
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Colin Ian Kingcommit 3993b112dac968612b0b213ed59cb30f50b0015b upstream. There are checks on fs_info in __btrfs_panic to avoid dereferencing a null fs_info, however, there is a call to btrfs_crit that may also dereference a null fs_info. Fix this by adding a check to see if fs_info is null and only print the s_id if fs_info is non-null. Detected by CoverityScan CID#401973 ("Dereference after null check") Fixes: efe120a067c8 ("Btrfs: convert printk to btrfs_ and fix BTRFS prefix") Signed-off-by: Colin Ian King Reviewed-by: David Sterba Signed-off-by: David Sterba [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings --- fs/btrfs/super.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/fs/btrfs/super.c +++ b/fs/btrfs/super.c @@ -185,7 +185,6 @@ static const char * const logtypes[] = { void btrfs_printk(const struct btrfs_fs_info *fs_info, const char *fmt, ...) { - struct super_block *sb = fs_info->sb; char lvl[4]; struct va_format vaf; va_list args; @@ -207,7 +206,8 @@ void btrfs_printk(const struct btrfs_fs_ vaf.fmt = fmt; vaf.va = - printk("%sBTRFS %s (device %s): %pV\n", lvl, type, sb->s_id, ); + printk("%sBTRFS %s (device %s): %pV\n", lvl, type, + fs_info ? fs_info->sb->s_id : "", ); va_end(args); }
[PATCH 3.16 122/136] usbip: fix NULL pointer dereference on errors
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Alexander Popovcommit 8c7003a3b4b4afd3734cdcc39217ef22d78a4a16 upstream. Fix NULL pointer dereference and obsolete comments forgotten when usbip server was converted from an interface driver to a device driver. Signed-off-by: Alexander Popov Signed-off-by: Greg Kroah-Hartman [bwh: Backported to 3.16: adjust filenames] Signed-off-by: Ben Hutchings --- drivers/staging/usbip/stub.h | 1 - drivers/staging/usbip/stub_dev.c | 4 ++-- drivers/staging/usbip/stub_rx.c | 19 +++ drivers/staging/usbip/stub_tx.c | 6 +++--- 4 files changed, 12 insertions(+), 18 deletions(-) --- a/drivers/staging/usbip/stub.h +++ b/drivers/staging/usbip/stub.h @@ -33,7 +33,6 @@ #define STUB_BUSID_ALLOC 3 struct stub_device { - struct usb_interface *interface; struct usb_device *udev; struct usbip_device ud; --- a/drivers/staging/usbip/stub_dev.c +++ b/drivers/staging/usbip/stub_dev.c @@ -246,7 +246,7 @@ static void stub_device_reset(struct usb dev_dbg(>dev, "device reset"); - ret = usb_lock_device_for_reset(udev, sdev->interface); + ret = usb_lock_device_for_reset(udev, NULL); if (ret < 0) { dev_err(>dev, "lock for reset\n"); spin_lock_irq(>lock); @@ -279,7 +279,7 @@ static void stub_device_unusable(struct /** * stub_device_alloc - allocate a new stub_device struct - * @interface: usb_interface of a new device + * @udev: usb_device of a new device * * Allocates and initializes a new stub_device struct. */ --- a/drivers/staging/usbip/stub_rx.c +++ b/drivers/staging/usbip/stub_rx.c 
@@ -165,12 +165,7 @@ static int tweak_reset_device_cmd(struct dev_info(>dev->dev, "usb_queue_reset_device\n"); - /* -* With the implementation of pre_reset and post_reset the driver no -* longer unbinds. This allows the use of synchronous reset. -*/ - - if (usb_lock_device_for_reset(sdev->udev, sdev->interface) < 0) { + if (usb_lock_device_for_reset(sdev->udev, NULL) < 0) { dev_err(>dev->dev, "could not obtain lock to reset device\n"); return 0; } @@ -321,7 +316,7 @@ static struct stub_priv *stub_priv_alloc priv = kmem_cache_zalloc(stub_priv_cache, GFP_ATOMIC); if (!priv) { - dev_err(>interface->dev, "alloc stub_priv\n"); + dev_err(>udev->dev, "alloc stub_priv\n"); spin_unlock_irqrestore(>priv_lock, flags); usbip_event_add(ud, SDEV_EVENT_ERROR_MALLOC); return NULL; @@ -352,7 +347,7 @@ static int get_pipe(struct stub_device * else ep = udev->ep_out[epnum & 0x7f]; if (!ep) { - dev_err(>interface->dev, "no such endpoint?, %d\n", + dev_err(>udev->dev, "no such endpoint?, %d\n", epnum); BUG(); } @@ -387,7 +382,7 @@ static int get_pipe(struct stub_device * } /* NOT REACHED */ - dev_err(>interface->dev, "get pipe, epnum %d\n", epnum); + dev_err(>udev->dev, "get pipe, epnum %d\n", epnum); return 0; } @@ -466,7 +461,7 @@ static void stub_recv_cmd_submit(struct priv->urb = usb_alloc_urb(0, GFP_KERNEL); if (!priv->urb) { - dev_err(>interface->dev, "malloc urb\n"); + dev_err(>dev, "malloc urb\n"); usbip_event_add(ud, SDEV_EVENT_ERROR_MALLOC); return; } @@ -486,7 +481,7 @@ static void stub_recv_cmd_submit(struct priv->urb->setup_packet = kmemdup(>u.cmd_submit.setup, 8, GFP_KERNEL); if (!priv->urb->setup_packet) { - dev_err(>interface->dev, "allocate setup_packet\n"); + dev_err(>dev, "allocate setup_packet\n"); usbip_event_add(ud, SDEV_EVENT_ERROR_MALLOC); return; } 
@@ -517,7 +512,7 @@ static void stub_recv_cmd_submit(struct usbip_dbg_stub_rx("submit urb ok, seqnum %u\n", pdu->base.seqnum); else { - dev_err(>interface->dev, "submit_urb error, %d\n", ret); + dev_err(>dev, "submit_urb error, %d\n", ret); usbip_dump_header(pdu); usbip_dump_urb(priv->urb); --- a/drivers/staging/usbip/stub_tx.c +++ b/drivers/staging/usbip/stub_tx.c @@ -233,7 +233,7 @@ static int stub_send_ret_submit(struct s } if (txsize != sizeof(pdu_header) + urb->actual_length) { - dev_err(>interface->dev, + dev_err(>udev->dev, "actual length of urb %d does not
[PATCH 3.16 124/136] usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Shuah Khancommit c6688ef9f29762e65bce325ef4acd6c675806366 upstream. Harden CMD_SUBMIT path to handle malicious input that could trigger large memory allocations. Add checks to validate transfer_buffer_length and number_of_packets to protect against bad input requesting for unbounded memory allocations. Validate early in get_pipe() and return failure. Reported-by: Secunia Research Signed-off-by: Shuah Khan Signed-off-by: Greg Kroah-Hartman [bwh: Backported to 3.16: adjust filename] Signed-off-by: Ben Hutchings --- drivers/staging/usbip/stub_rx.c | 35 +++ 1 file changed, 31 insertions(+), 4 deletions(-) --- a/drivers/staging/usbip/stub_rx.c +++ b/drivers/staging/usbip/stub_rx.c @@ -336,11 +336,13 @@ static struct stub_priv *stub_priv_alloc return priv; } -static int get_pipe(struct stub_device *sdev, int epnum, int dir) +static int get_pipe(struct stub_device *sdev, struct usbip_header *pdu) { struct usb_device *udev = sdev->udev; struct usb_host_endpoint *ep; struct usb_endpoint_descriptor *epd = NULL; + int epnum = pdu->base.ep; + int dir = pdu->base.direction; if (epnum < 0 || epnum > 15) goto err_ret; @@ -353,6 +355,15 @@ static int get_pipe(struct stub_device * goto err_ret; epd = >desc; + + /* validate transfer_buffer_length */ + if (pdu->u.cmd_submit.transfer_buffer_length > INT_MAX) { + dev_err(>udev->dev, + "CMD_SUBMIT: -EMSGSIZE transfer_buffer_length %d\n", + pdu->u.cmd_submit.transfer_buffer_length); + return -1; + } + if (usb_endpoint_xfer_control(epd)) { if (dir == USBIP_DIR_OUT) return usb_sndctrlpipe(udev, epnum); 
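Review bot: The new `transfer_buffer_length > INT_MAX` test in get_pipe() prints the value with `%d`, and the sibling field is checked with `number_of_packets < 0` later in the patch, which suggests both are signed 32-bit fields. If so, the comparison can never be true and a negative length from the wire is not rejected here. The declaration is outside the hunk and needs confirming, but for a signed field the check would be `if (pdu->u.cmd_submit.transfer_buffer_length < 0)` together with an explicit upper limit on what the driver is willing to allocate. The `<= INT_MAX` condition added before kzalloc() in stub_recv_cmd_submit() has the same problem. get_pipe()'s body continues outside the hunk.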
@@ -375,6 +386,21 @@ static int get_pipe(struct stub_device * } if (usb_endpoint_xfer_isoc(epd)) { + /* validate packet size and number of packets */ + unsigned int maxp, packets, bytes; + + maxp = usb_endpoint_maxp(epd); + maxp *= usb_endpoint_maxp_mult(epd); + bytes = pdu->u.cmd_submit.transfer_buffer_length; + packets = DIV_ROUND_UP(bytes, maxp); + + if (pdu->u.cmd_submit.number_of_packets < 0 || + pdu->u.cmd_submit.number_of_packets > packets) { + dev_err(>udev->dev, + "CMD_SUBMIT: isoc invalid num packets %d\n", + pdu->u.cmd_submit.number_of_packets); + return -1; + } if (dir == USBIP_DIR_OUT) return usb_sndisocpipe(udev, epnum); else @@ -383,7 +409,7 @@ static int get_pipe(struct stub_device * err_ret: /* NOT REACHED */ - dev_err(>udev->dev, "get pipe() invalid epnum %d\n", epnum); + dev_err(>udev->dev, "CMD_SUBMIT: invalid epnum %d\n", epnum); return -1; } @@ -448,7 +474,7 @@ static void stub_recv_cmd_submit(struct struct stub_priv *priv; struct usbip_device *ud = >ud; struct usb_device *udev = sdev->udev; - int pipe = get_pipe(sdev, pdu->base.ep, pdu->base.direction); + int pipe = get_pipe(sdev, pdu); if (pipe == -1) return; @@ -471,7 +497,8 @@ static void stub_recv_cmd_submit(struct } /* allocate urb transfer buffer, if needed */ - if (pdu->u.cmd_submit.transfer_buffer_length > 0) { + if (pdu->u.cmd_submit.transfer_buffer_length > 0 && + pdu->u.cmd_submit.transfer_buffer_length <= INT_MAX) { priv->urb->transfer_buffer = kzalloc(pdu->u.cmd_submit.transfer_buffer_length, GFP_KERNEL);
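Review bot: `DIV_ROUND_UP(bytes, maxp)` in the isochronous branch divides by a value taken from the endpoint descriptor, and nothing in the hunk rejects `maxp == 0`. If the endpoint reports a zero maximum packet size (the descriptor contents are not visible here), a CMD_SUBMIT addressed to it would divide by zero inside get_pipe(). A guard placed after the `maxp *= ...` line closes that: `if (!maxp) return -1;`. get_pipe() starts and ends outside this hunk.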
[PATCH 3.16 111/136] igbvf: Use smp_rmb rather than read_barrier_depends
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Brian Kingcommit 1e1f9ca546556e508d021545861f6b5fc75a95fe upstream. The original issue being fixed in this patch was seen with the ixgbe driver, but the same issue exists with igbvf as well, as the code is very similar. read_barrier_depends is not sufficient to ensure loads following it are not speculatively loaded out of order by the CPU, which can result in stale data being loaded, causing potential system crashes. Signed-off-by: Brian King Acked-by: Jesse Brandeburg Tested-by: Aaron Brown Signed-off-by: Jeff Kirsher Signed-off-by: Ben Hutchings --- drivers/net/ethernet/intel/igbvf/netdev.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/ethernet/intel/igbvf/netdev.c
+++ b/drivers/net/ethernet/intel/igbvf/netdev.c
@@ -808,7 +808,7 @@ static bool igbvf_clean_tx_irq(struct ig
 break;
 /* prevent any other reads prior to eop_desc */
- read_barrier_depends();
+ smp_rmb();
 /* if DD is not set pending work has not been completed */
 if (!(eop_desc->wb.status & cpu_to_le32(E1000_TXD_STAT_DD)))
[PATCH 3.16 106/136] ALSA: usb-audio: Fix potential zero-division at parsing FU
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Takashi Iwaicommit 8428a8ebde2db1e988e41a58497a28beb7ce1705 upstream. parse_audio_feature_unit() contains a code dividing potentially with zero when a malformed FU descriptor is passed. Although there is already a sanity check, it checks only the value zero, hence it can still lead to a zero-division when a value 1 is passed there. Fix it by correcting the sanity check (and the error message thereof). Fixes: 23caaf19b11e ("ALSA: usb-mixer: Add support for Audio Class v2.0") Signed-off-by: Takashi Iwai Signed-off-by: Ben Hutchings --- sound/usb/mixer.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
--- a/sound/usb/mixer.c
+++ b/sound/usb/mixer.c
@@ -1385,9 +1385,9 @@ static int parse_audio_feature_unit(stru
 return -EINVAL;
 }
 csize = hdr->bControlSize;
- if (!csize) {
+ if (csize <= 1) {
 usb_audio_dbg(state->chip,
- "unit %u: invalid bControlSize == 0\n",
+ "unit %u: invalid bControlSize <= 1\n",
 unitid);
 return -EINVAL;
 }
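Review bot: Tightening the test to `csize <= 1` rejects every UAC1 feature unit whose `bControlSize` is 1, and the division that motivates the change is outside the hunk. If one-byte control bitmaps are a legitimate descriptor layout, this turns a malformed-input guard into a compatibility break for such devices, so the limit should be confirmed against the code that actually divides. If 1 really is invalid, a comment at the check naming the expression that would become zero keeps the bound from being relaxed later. The rejection is also logged with `usb_audio_dbg`, so it may not appear in a default log when a device is refused.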
[PATCH 3.16 105/136] ALSA: usb-audio: Fix potential out-of-bound access at parsing SU
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Takashi Iwaicommit f658f17b5e0e339935dca23e77e0f3cad591926b upstream. The usb-audio driver may trigger an out-of-bound access at parsing a malformed selector unit, as it checks the header length only after evaluating bNrInPins field, which can be already above the given length. Fix it by adding the length check beforehand. Fixes: 99fc86450c43 ("ALSA: usb-mixer: parse descriptors with structs") Signed-off-by: Takashi Iwai Signed-off-by: Ben Hutchings --- sound/usb/mixer.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
--- a/sound/usb/mixer.c
+++ b/sound/usb/mixer.c
@@ -2020,7 +2020,8 @@ static int parse_audio_selector_unit(str
 const struct usbmix_name_map *map;
 char **namelist;
- if (!desc->bNrInPins || desc->bLength < 5 + desc->bNrInPins) {
+ if (desc->bLength < 5 || !desc->bNrInPins ||
+ desc->bLength < 5 + desc->bNrInPins) {
 usb_audio_err(state->chip,
 "invalid SELECTOR UNIT descriptor %d\n", unitid);
 return -EINVAL;
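Review bot: The new leading `desc->bLength < 5` test reads as redundant next to `desc->bLength < 5 + desc->bNrInPins`, and nothing at the check says that it must run before `bNrInPins` is read. A one-line comment would stop a later cleanup from folding the two conditions back together: `/* bLength must cover the fixed header before bNrInPins is read */`. The bare `5` presumably stands for the size of that fixed header and would be clearer as a named constant. parse_audio_selector_unit() continues outside the hunk.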
[PATCH 3.16 109/136] i40e: Use smp_rmb rather than read_barrier_depends
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Brian Kingcommit 52c6912fde0133981ee50ba08808f257829c4c93 upstream. The original issue being fixed in this patch was seen with the ixgbe driver, but the same issue exists with i40e as well, as the code is very similar. read_barrier_depends is not sufficient to ensure loads following it are not speculatively loaded out of order by the CPU, which can result in stale data being loaded, causing potential system crashes. Signed-off-by: Brian King Acked-by: Jesse Brandeburg Tested-by: Andrew Bowers Signed-off-by: Jeff Kirsher Signed-off-by: Ben Hutchings --- drivers/net/ethernet/intel/i40e/i40e_main.c | 2 +- drivers/net/ethernet/intel/i40e/i40e_txrx.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
@@ -3047,7 +3047,7 @@ static bool i40e_clean_fdir_tx_irq(struc
 break;
 /* prevent any other reads prior to eop_desc */
- read_barrier_depends();
+ smp_rmb();
 /* if the descriptor isn't done, no work yet to do */
 if (!(eop_desc->cmd_type_offset_bsz &
--- a/drivers/net/ethernet/intel/i40e/i40e_txrx.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_txrx.c
@@ -657,7 +657,7 @@ static bool i40e_clean_tx_irq(struct i40
 break;
 /* prevent any other reads prior to eop_desc */
- read_barrier_depends();
+ smp_rmb();
 /* we have caught up to head, no work left to do */
 if (tx_head == tx_desc)
[PATCH 3.16 104/136] ALSA: usb-audio: Add sanity checks to FE parser
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Takashi Iwaicommit d937cd6790a2bef2d07b500487646bd794c039bb upstream. When the usb-audio descriptor contains the malformed feature unit description with a too short length, the driver may access out-of-bounds. Add a sanity check of the header size at the beginning of parse_audio_feature_unit(). Fixes: 23caaf19b11e ("ALSA: usb-mixer: Add support for Audio Class v2.0") Reported-by: Andrey Konovalov Signed-off-by: Takashi Iwai Signed-off-by: Ben Hutchings --- sound/usb/mixer.c | 12 1 file changed, 12 insertions(+) --- a/sound/usb/mixer.c +++ b/sound/usb/mixer.c @@ -1378,6 +1378,12 @@ static int parse_audio_feature_unit(stru __u8 *bmaControls; if (state->mixer->protocol == UAC_VERSION_1) { + if (hdr->bLength < 7) { + usb_audio_err(state->chip, + "unit %u: invalid UAC_FEATURE_UNIT descriptor\n", + unitid); + return -EINVAL; + } csize = hdr->bControlSize; if (!csize) { usb_audio_dbg(state->chip, @@ -1395,6 +1401,12 @@ static int parse_audio_feature_unit(stru } } else { struct uac2_feature_unit_descriptor *ftr = _ftr; + if (hdr->bLength < 6) { + usb_audio_err(state->chip, + "unit %u: invalid UAC_FEATURE_UNIT descriptor\n", + unitid); + return -EINVAL; + } csize = 4; channels = (hdr->bLength - 6) / 4 - 1; bmaControls = ftr->bmaControls;
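Review bot: In the UAC2 branch the new `hdr->bLength < 6` check still admits lengths 6 to 9, for which `channels = (hdr->bLength - 6) / 4 - 1` evaluates to -1 and the descriptor has no room for even one 4-byte control entry. How `channels` and `bmaControls` are used afterwards is outside the hunk, so it is not visible here whether this leads to a read past the descriptor, but the bound is looser than the arithmetic that follows it. Requiring space for the first entry, e.g. `if (hdr->bLength < 6 + 4) {`, would make the check match the computation. Both branches also log the identical message, so a log line does not say which protocol version's check failed.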
[PATCH 3.16 113/136] i40evf: Use smp_rmb rather than read_barrier_depends
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Brian Kingcommit f72271e2a0ae4277d53c4053f5eed8bb346ba38a upstream. The original issue being fixed in this patch was seen with the ixgbe driver, but the same issue exists with i40evf as well, as the code is very similar. read_barrier_depends is not sufficient to ensure loads following it are not speculatively loaded out of order by the CPU, which can result in stale data being loaded, causing potential system crashes. Signed-off-by: Brian King Acked-by: Jesse Brandeburg Tested-by: Andrew Bowers Signed-off-by: Jeff Kirsher Signed-off-by: Ben Hutchings --- drivers/net/ethernet/intel/i40evf/i40e_txrx.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/ethernet/intel/i40evf/i40e_txrx.c
+++ b/drivers/net/ethernet/intel/i40evf/i40e_txrx.c
@@ -216,7 +216,7 @@ static bool i40e_clean_tx_irq(struct i40
 break;
 /* prevent any other reads prior to eop_desc */
- read_barrier_depends();
+ smp_rmb();
 /* we have caught up to head, no work left to do */
 if (tx_head == tx_desc)
[PATCH 3.16 000/136] 3.16.54-rc1 review
This is the start of the stable review cycle for the 3.16.54 release. There are 136 patches in this series, which will be posted as responses to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Tue Feb 13 12:00:00 UTC 2018. Anything received after that time might be too late. All the patches have also been committed to the linux-3.16.y-rc branch of https://git.kernel.org/pub/scm/linux/kernel/git/bwh/linux-stable-rc.git . A shortlog and diffstat can be found below. Ben. - Alan Stern (1): USB: usbfs: compute urb->actual_length for isochronous [2ef47001b3ee3ded579b7532ebdcf8680e4d8c54] Alex Chen (1): ocfs2: should wait dio before inode lock in ocfs2_setattr() [28f5a8a7c033cbf3e32277f4cc9c6afd74f05300] Alexander Popov (1): usbip: fix NULL pointer dereference on errors [8c7003a3b4b4afd3734cdcc39217ef22d78a4a16] Alexander Potapenko (1): sctp: fully initialize the IPv6 address in sctp_v6_to_addr() [15339e441ec46fbc3bf3486bb1ae4845b0f1bb8d] Alexander Steffen (1): tpm-dev-common: Reject too short writes [ee70bc1e7b63ac8023c9ff9475d8741e397316e7] Alexandre Belloni (1): rtc: set the alarm to the next expiring timer [74717b28cb32e1ad3c1042cafd76b264c8c0f68d] Andreas Rohner (1): nilfs2: fix race condition that causes file system corruption [31ccb1f7ba3cfe29631587d451cf5bb8ab593550] Andrew F. 
Davis (1): ASoC: cs42l56: Fix reset GPIO name in example DT binding [8adc430603d67e76a0f8491df21654f691acda62] Andrey Konovalov (1): p54: don't unregister leds when they are not initialized [fc09785de0a364427a5df63d703bae9a306ed116] Andy Lutomirski (4): x86, vdso, pvclock: Simplify and speed up the vdso pvclock reader [6b078f5de7fc0851af4102493c7b5bb07e49c4cb] x86, vdso: Move the vvar area before the vdso text [e6577a7ce99a506b587bcd1d2cd803cb45119557] x86/vdso: Get pvclock data from the vvar VMA instead of the fixmap [dac16fba6fc590fa7239676b35ed75dae4c4cd2b] x86/vdso: Remove pvclock fixmap machinery [cc1e24fdb064d3126a494716f22ad4fc39306742] Anna Schumaker (1): NFS: Avoid RCU usage in tracepoints [3944369db701f075092357b511fd9f5755771585] Arnd Bergmann (4): Input: adxl34x - do not treat FIFO_MODE() as boolean [1dbc080c9ef6bcfba652ef0d6ae919b8c7c85a1d] drm: gma500: fix logic error [67a3b63a54cbe18944191f43d644686731cf30c7] elf_fdpic: fix unused variable warning [11e3e8d6d9274bf630859b4c47bc4e4d76f289db] isofs: fix timestamps beyond 2027 [34be4dbf87fc3e474a842305394534216d428f5d] Bart Van Assche (3): IB/srp: Avoid that a cable pull can trigger a kernel crash [8a0d18c62121d3c554a83eb96e2752861d84d937] IB/srpt: Do not accept invalid initiator port names [c70ca38960399a63d5c048b7b700612ea321d17e] target/iscsi: Fix iSCSI task reassignment handling [59b6986dbfcdab96a971f9663221849de79a7556] Ben Hutchings (1): usbip: tools: Install all headers needed for libusbip development [c15562c0dcb2c7f26e891923b784cf1926b8c833] Ben Seri (1): Bluetooth: Prevent stack info leak from the EFS element. [06e7e776ca4d36547e503279aeff996cbb292c16] Bernhard Rosenkraenzer (1): USB: Add delay-init quirk for Corsair K70 LUX keyboards [a0fea6027f19c62727315aba1a7fae75a9caa842] Boshi Wang (1): ima: fix hash algorithm initialization [ebe7c0a7be92bbd34c6ff5b55810546a0ee05bee] Brent Taylor (1): mtd: nand: Fix writing mtdoops to nand flash. 
[30863e38ebeb500a31cecee8096fb5002677dd9b] Brian King (6): i40e: Use smp_rmb rather than read_barrier_depends [52c6912fde0133981ee50ba08808f257829c4c93] i40evf: Use smp_rmb rather than read_barrier_depends [f72271e2a0ae4277d53c4053f5eed8bb346ba38a] igb: Use smp_rmb rather than read_barrier_depends [c4cb99185b4cc96c0a1c70104dc21ae14d7e7f28] igbvf: Use smp_rmb rather than read_barrier_depends [1e1f9ca546556e508d021545861f6b5fc75a95fe] ixgbe: Fix skb list corruption on Power systems [0a9a17e3bb4564caf4bfe2a6783ae1287667d188] ixgbevf: Use smp_rmb rather than read_barrier_depends [ae0c585d93dfaf923d2c7eb44b2c3ab92854ea9b] Christian König (1): drm/ttm: once more fix ttm_buffer_object_transfer [4d98e5ee6084f6d7bc578c5d5f86de7156aaa4cb] Chuck Lever (1): nfs: Fix ugly referral attributes [c05cefcc72416a37eba5a2b35f0704ed758a9145] Colin Ian King (3): btrfs: avoid null pointer dereference on fs_info when calling btrfs_crit [3993b112dac968612b0b213ed59cb30f50b0015b] rtc: interface: ignore expired timers when enqueuing new timers [2b2f5ff00f63847d95adad6289bd8b05f5983dd5] staging: rtl8188eu: avoid a null
[PATCH 3.16 135/136] kaiser: Set _PAGE_NX only if supported
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Guenter RoeckThis resolves a crash if loaded under qemu + haxm under windows. See https://www.spinics.net/lists/kernel/msg2689835.html for details. Here is a boot log (the log is from chromeos-4.4, but Tao Wu says that the same log is also seen with vanilla v4.4.110-rc1). [0.712750] Freeing unused kernel memory: 552K [0.721821] init: Corrupted page table at address 57b029b332e0 [0.722761] PGD 8000bb238067 PUD bc36a067 PMD bc369067 PTE 45d2067 [0.722761] Bad pagetable: 000b [#1] PREEMPT SMP [0.722761] Modules linked in: [0.722761] CPU: 1 PID: 1 Comm: init Not tainted 4.4.96 #31 [0.722761] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.7.5.1-0-g8936dbb-20141113_115728-nilsson.home.kraxel.org 04/01/2014 [0.722761] task: 8800bc29 ti: 8800bc28c000 task.ti: 8800bc28c000 [0.722761] RIP: 0010:[] [] __clear_user+0x42/0x67 [0.722761] RSP: :8800bc28fcf8 EFLAGS: 00010202 [0.722761] RAX: RBX: 01a4 RCX: 01a4 [0.722761] RDX: RSI: 0008 RDI: 57b029b332e0 [0.722761] RBP: 8800bc28fd08 R08: 8800bc29 R09: 8800bb2f4000 [0.722761] R10: 8800bc29 R11: 8800bb2f4000 R12: 57b029b332e0 [0.722761] R13: R14: 57b029b33340 R15: 8800bb1e2a00 [0.722761] FS: () GS:8800bfb0() knlGS: [0.722761] CS: 0010 DS: ES: CR0: 8005003b [0.722761] CR2: 57b029b332e0 CR3: bb2f8000 CR4: 06e0 [0.722761] Stack: [0.722761] 57b029b332e0 8800bb95fa80 8800bc28fd18 83f4120c [0.722761] 8800bc28fe18 83e9e7a1 8800bc28fd68 [0.722761] 8800bc29 8800bc29 8800bc29 8800bc29 [0.722761] Call Trace: [0.722761] [] clear_user+0x2e/0x30 [0.722761] [] load_elf_binary+0xa7f/0x18f7 [0.722761] [] search_binary_handler+0x86/0x19c [0.722761] [] do_execveat_common.isra.26+0x909/0xf98 [0.722761] [] ? rest_init+0x87/0x87 [0.722761] [] do_execve+0x23/0x25 [0.722761] [] run_init_process+0x2b/0x2d [0.722761] [] kernel_init+0x6d/0xda [0.722761] [] ret_from_fork+0x3f/0x70 [0.722761] [] ? 
rest_init+0x87/0x87 [0.722761] Code: 86 84 be 12 00 00 00 e8 87 0d e8 ff 66 66 90 48 89 d8 48 c1 eb 03 4c 89 e7 83 e0 07 48 89 d9 be 08 00 00 00 31 d2 48 85 c9 74 0a <48> 89 17 48 01 f7 ff c9 75 f6 48 89 c1 85 c9 74 09 88 17 48 ff [0.722761] RIP [] __clear_user+0x42/0x67 [0.722761] RSP [0.722761] ---[ end trace def703879b4ff090 ]--- [0.722761] BUG: sleeping function called from invalid context at /mnt/host/source/src/third_party/kernel/v4.4/kernel/locking/rwsem.c:21 [0.722761] in_atomic(): 0, irqs_disabled(): 1, pid: 1, name: init [0.722761] CPU: 1 PID: 1 Comm: init Tainted: G D 4.4.96 #31 [0.722761] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.7.5.1-0-g8936dbb-20141113_115728-nilsson.home.kraxel.org 04/01/2014 [0.722761] 0086 dcb5d76098c89836 8800bc28fa30 83f34004 [0.722761] 84839dc2 0015 8800bc28fa40 83d57dc9 [0.722761] 8800bc28fa68 83d57e6a 84a53640 [0.722761] Call Trace: [0.722761] [] dump_stack+0x4d/0x63 [0.722761] [] ___might_sleep+0x13a/0x13c [0.722761] [] __might_sleep+0x9f/0xa6 [0.722761] [] down_read+0x20/0x31 [0.722761] [] __blocking_notifier_call_chain+0x35/0x63 [0.722761] [] blocking_notifier_call_chain+0x14/0x16 [0.800374] usb 1-1: new full-speed USB device number 2 using uhci_hcd [0.722761] [] profile_task_exit+0x1a/0x1c [0.802309] [] do_exit+0x39/0xe7f [0.802309] [] ? vprintk_default+0x1d/0x1f [0.802309] [] ? printk+0x57/0x73 [0.802309] [] oops_end+0x80/0x85 [0.802309] [] pgtable_bad+0x8a/0x95 [0.802309] [] __do_page_fault+0x8c/0x352 [0.802309] [] ? file_has_perm+0xc4/0xe5 [0.802309] [] do_page_fault+0xc/0xe [0.802309] [] page_fault+0x22/0x30 [0.802309] [] ? __clear_user+0x42/0x67 [0.802309] [] ? __clear_user+0x23/0x67 [0.802309] [] clear_user+0x2e/0x30 [0.802309] [] load_elf_binary+0xa7f/0x18f7 [0.802309] [] search_binary_handler+0x86/0x19c [0.802309] [] do_execveat_common.isra.26+0x909/0xf98 [0.802309] [] ? 
rest_init+0x87/0x87 [0.802309] [] do_execve+0x23/0x25 [0.802309] [] run_init_process+0x2b/0x2d [0.802309] [] kernel_init+0x6d/0xda [0.802309] [] ret_from_fork+0x3f/0x70 [0.802309] [] ? rest_init+0x87/0x87 [0.830559] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0009 [0.830559] [0.831305] Kernel Offset:
[PATCH 3.16 006/136] rtc: interface: ignore expired timers when enqueuing new timers
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Colin Ian Kingcommit 2b2f5ff00f63847d95adad6289bd8b05f5983dd5 upstream. This patch fixes a RTC wakealarm issue, namely, the event fires during hibernate and is not cleared from the list, causing hwclock to block. The current enqueuing does not trigger an alarm if any expired timers already exist on the timerqueue. This can occur when a RTC wake alarm is used to wake a machine out of hibernate and the resumed state has old expired timers that have not been removed from the timer queue. This fix skips over any expired timers and triggers an alarm if there are no pending timers on the timerqueue. Note that the skipped expired timer will get reaped later on, so there is no need to clean it up immediately. The issue can be reproduced by putting a machine into hibernate and waking it with the RTC wakealarm. Running the example RTC test program from tools/testing/selftests/timers/rtctest.c after the hibernate will block indefinitely. With the fix, it no longer blocks after the hibernate resume. BugLink: http://bugs.launchpad.net/bugs/1333569 Signed-off-by: Colin Ian King Signed-off-by: Alexandre Belloni Signed-off-by: Ben Hutchings --- drivers/rtc/interface.c | 16 +++- 1 file changed, 15 insertions(+), 1 deletion(-) --- a/drivers/rtc/interface.c +++ b/drivers/rtc/interface.c 
@@ -778,9 +778,23 @@ EXPORT_SYMBOL_GPL(rtc_irq_set_freq); */ static int rtc_timer_enqueue(struct rtc_device *rtc, struct rtc_timer *timer) { + struct timerqueue_node *next = timerqueue_getnext(>timerqueue); + struct rtc_time tm; + ktime_t now; + timer->enabled = 1; + __rtc_read_time(rtc, ); + now = rtc_tm_to_ktime(tm); + + /* Skip over expired timers */ + while (next) { + if (next->expires.tv64 >= now.tv64) + break; + next = timerqueue_iterate_next(next); + } + timerqueue_add(>timerqueue, >node); - if (>node == timerqueue_getnext(>timerqueue)) { + if (!next) { struct rtc_wkalrm alarm; int err; alarm.time = rtc_ktime_to_tm(timer->node.expires);
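Review bot: The return value of `__rtc_read_time()` is discarded, so if the read fails `tm` may be left uninitialised and `now` is then computed from whatever was on the stack. The skip loop would compare timer expiries against an arbitrary time, and `next` decides whether the alarm gets programmed at all. Read the time before `timer->enabled = 1` and return on error, e.g. `err = __rtc_read_time(rtc, &tm); if (err) return err;`, with `err` declared at function scope instead of inside the `if (!next)` block. rtc_timer_enqueue() continues past the end of the hunk.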
[PATCH 3.2 35/79] blktrace: Fix potential deadlock between delete & sysfs ops
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Waiman Longcommit 5acb3cc2c2e9d3020a4fee43763c6463767f1572 upstream. The lockdep code had reported the following unsafe locking scenario: CPU0CPU1 lock(s_active#228); lock(>bd_mutex/1); lock(s_active#228); lock(>bd_mutex); *** DEADLOCK *** The deadlock may happen when one task (CPU1) is trying to delete a partition in a block device and another task (CPU0) is accessing tracing sysfs file (e.g. /sys/block/dm-1/trace/act_mask) in that partition. The s_active isn't an actual lock. It is a reference count (kn->count) on the sysfs (kernfs) file. Removal of a sysfs file, however, require a wait until all the references are gone. The reference count is treated like a rwsem using lockdep instrumentation code. The fact that a thread is in the sysfs callback method or in the ioctl call means there is a reference to the opended sysfs or device file. That should prevent the underlying block structure from being removed. Instead of using bd_mutex in the block_device structure, a new blk_trace_mutex is now added to the request_queue structure to protect access to the blk_trace structure. Suggested-by: Christoph Hellwig Signed-off-by: Waiman Long Acked-by: Steven Rostedt (VMware) Fix typo in patch subject line, and prune a comment detailing how the code used to work. Signed-off-by: Jens Axboe Signed-off-by: Ben Hutchings --- block/blk-core.c| 3 +++ include/linux/blkdev.h | 1 + kernel/trace/blktrace.c | 18 -- 3 files changed, 16 insertions(+), 6 deletions(-) --- a/block/blk-core.c +++ b/block/blk-core.c @@ -499,6 +499,9 @@ struct request_queue *blk_alloc_queue_no kobject_init(>kobj, _queue_ktype); +#ifdef CONFIG_BLK_DEV_IO_TRACE + mutex_init(>blk_trace_mutex); +#endif mutex_init(>sysfs_lock); spin_lock_init(>__queue_lock); --- a/include/linux/blkdev.h +++ b/include/linux/blkdev.h 
@@ -361,6 +361,7 @@ struct request_queue { int node; #ifdef CONFIG_BLK_DEV_IO_TRACE struct blk_trace*blk_trace; + struct mutexblk_trace_mutex; #endif /* * for flush operations --- a/kernel/trace/blktrace.c +++ b/kernel/trace/blktrace.c @@ -631,6 +631,12 @@ int blk_trace_startstop(struct request_q } EXPORT_SYMBOL_GPL(blk_trace_startstop); +/* + * When reading or writing the blktrace sysfs files, the references to the + * opened sysfs or device files should prevent the underlying block device + * from being removed. So no further delete protection is really needed. + */ + /** * blk_trace_ioctl: - handle the ioctls associated with tracing * @bdev: the block device @@ -648,7 +654,7 @@ int blk_trace_ioctl(struct block_device if (!q) return -ENXIO; - mutex_lock(>bd_mutex); + mutex_lock(>blk_trace_mutex); switch (cmd) { case BLKTRACESETUP: @@ -674,7 +680,7 @@ int blk_trace_ioctl(struct block_device break; } - mutex_unlock(>bd_mutex); + mutex_unlock(>blk_trace_mutex); return ret; } @@ -1660,7 +1666,7 @@ static ssize_t sysfs_blk_trace_attr_show if (q == NULL) goto out_bdput; - mutex_lock(>bd_mutex); + mutex_lock(>blk_trace_mutex); if (attr == _attr_enable) { ret = sprintf(buf, "%u\n", !!q->blk_trace); @@ -1679,7 +1685,7 @@ static ssize_t sysfs_blk_trace_attr_show ret = sprintf(buf, "%llu\n", q->blk_trace->end_lba); out_unlock_bdev: - mutex_unlock(>bd_mutex); + mutex_unlock(>blk_trace_mutex); out_bdput: bdput(bdev); out: @@ -1721,7 +1727,7 @@ static ssize_t sysfs_blk_trace_attr_stor if (q == NULL) goto out_bdput; - mutex_lock(>bd_mutex); + mutex_lock(>blk_trace_mutex); if (attr == _attr_enable) { if (value) @@ -1747,7 +1753,7 @@ static ssize_t sysfs_blk_trace_attr_stor } out_unlock_bdev: - mutex_unlock(>bd_mutex); + mutex_unlock(>blk_trace_mutex); out_bdput: bdput(bdev); out:
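Review bot: The `out_unlock_bdev:` labels in sysfs_blk_trace_attr_show() and sysfs_blk_trace_attr_store() now release `blk_trace_mutex`, not a block-device lock, so the name describes the lock this patch removed. Renaming them to `out_unlock:` together with their `goto` sites (which are outside these hunks) keeps the error path readable. The new field in `struct request_queue` also has no comment saying what it guards; going by the commit message, `/* protects blk_trace */` on that line would record it.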
[PATCH 3.2 69/79] ALSA: seq: Make ioctls race-free
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Takashi Iwaicommit b3defb791b26ea0683a93a4f49c77ec45ec96f10 upstream. The ALSA sequencer ioctls have no protection against racy calls while the concurrent operations may lead to interfere with each other. As reported recently, for example, the concurrent calls of setting client pool with a combination of write calls may lead to either the unkillable dead-lock or UAF. As a slightly big hammer solution, this patch introduces the mutex to make each ioctl exclusive. Although this may reduce performance via parallel ioctl calls, usually it's not demanded for sequencer usages, hence it should be negligible. Reported-by: Luo Quan Reviewed-by: Kees Cook Reviewed-by: Greg Kroah-Hartman Signed-off-by: Takashi Iwai [bwh: Backported to 3.2: ioctl dispatch is done from snd_seq_do_ioctl(); take the mutex and add ret variable there.] Signed-off-by: Ben Hutchings --- sound/core/seq/seq_clientmgr.c | 10 -- sound/core/seq/seq_clientmgr.h |1 + 2 files changed, 9 insertions(+), 2 deletions(-) --- a/sound/core/seq/seq_clientmgr.c +++ b/sound/core/seq/seq_clientmgr.c @@ -236,6 +236,7 @@ static struct snd_seq_client *seq_create rwlock_init(>ports_lock); mutex_init(>ports_mutex); INIT_LIST_HEAD(>ports_list_head); + mutex_init(>ioctl_mutex); /* find free slot in the client table */ spin_lock_irqsave(_lock, flags); @@ -2188,6 +2189,7 @@ static int snd_seq_do_ioctl(struct snd_s void __user *arg) { struct seq_ioctl_table *p; + int ret; switch (cmd) { case SNDRV_SEQ_IOCTL_PVERSION: @@ -2201,8 +2203,12 @@ static int snd_seq_do_ioctl(struct snd_s if (! arg) return -EFAULT; for (p = ioctl_tables; p->cmd; p++) { - if (p->cmd == cmd) - return p->func(client, arg); + if (p->cmd == cmd) { + mutex_lock(>ioctl_mutex); + ret = p->func(client, arg); + mutex_unlock(>ioctl_mutex); + return ret; + } } snd_printd("seq unknown ioctl() 0x%x (type='%c', number=0x%02x)\n", cmd, _IOC_TYPE(cmd), _IOC_NR(cmd)); 
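Review bot: The new `ioctl_mutex` serialises one ioctl handler against another in snd_seq_do_ioctl(), but the commit message describes the reported race as pool-setting ioctls running concurrently with write calls. The write path is not part of this diff, so it is not visible whether it takes the same mutex; if it does not, the ioctl-versus-write case remains open after this change. That should be confirmed, and the scope recorded at the lock, e.g. `/* serialises ioctl handlers; does not cover write() */` if that turns out to be the case.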
--- a/sound/core/seq/seq_clientmgr.h +++ b/sound/core/seq/seq_clientmgr.h @@ -59,6 +59,7 @@ struct snd_seq_client { struct list_head ports_list_head; rwlock_t ports_lock; struct mutex ports_mutex; + struct mutex ioctl_mutex; int convert32; /* convert 32->64bit */ /* output pool */
[PATCH 3.16 008/136] usbip: tools: Install all headers needed for libusbip development
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Ben Hutchingscommit c15562c0dcb2c7f26e891923b784cf1926b8c833 upstream. usbip_host_driver.h now depends on several additional headers, which need to be installed along with it. Fixes: 021aed845303 ("staging: usbip: userspace: migrate usbip_host_driver ...") Fixes: 3391ba0e2792 ("usbip: tools: Extract generic code to be shared with ...") Signed-off-by: Ben Hutchings Acked-by: Shuah Khan Signed-off-by: Greg Kroah-Hartman --- drivers/staging/usbip/userspace/Makefile.am | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/drivers/staging/usbip/userspace/Makefile.am +++ b/drivers/staging/usbip/userspace/Makefile.am @@ -1,6 +1,7 @@ SUBDIRS := libsrc src includedir = @includedir@/usbip include_HEADERS := $(addprefix libsrc/, \ -usbip_common.h vhci_driver.h usbip_host_driver.h) +usbip_common.h vhci_driver.h usbip_host_driver.h \ +list.h sysfs_utils.h) dist_man_MANS := $(addprefix doc/, usbip.8 usbipd.8)
[PATCH v2] Input: gpio_keys: Add level trigger support for GPIO keys
On some platforms (such as Spreadtrum platform), the GPIO keys can only be triggered by level type. So this patch introduces one property to indicate if the GPIO trigger type is level trigger or edge trigger. Signed-off-by: Baolin Wang--- Changes since v1: - Diable the GPIO irq until reversing the GPIO level type. --- .../devicetree/bindings/input/gpio-keys.txt|2 ++ drivers/input/keyboard/gpio_keys.c | 26 +++- include/linux/gpio_keys.h |1 + 3 files changed, 28 insertions(+), 1 deletion(-) diff --git a/Documentation/devicetree/bindings/input/gpio-keys.txt b/Documentation/devicetree/bindings/input/gpio-keys.txt index a949404..e3104bd 100644 --- a/Documentation/devicetree/bindings/input/gpio-keys.txt +++ b/Documentation/devicetree/bindings/input/gpio-keys.txt @@ -29,6 +29,8 @@ Optional subnode-properties: - linux,can-disable: Boolean, indicates that button is connected to dedicated (not shared) interrupt which can be disabled to suppress events from the button. + - gpio-key,level-trigger: Boolean, indicates that button's interrupt + type is level trigger. Otherwise it is edge trigger as default. Example nodes: diff --git a/drivers/input/keyboard/gpio_keys.c b/drivers/input/keyboard/gpio_keys.c index 87e613d..218698a 100644 --- a/drivers/input/keyboard/gpio_keys.c +++ b/drivers/input/keyboard/gpio_keys.c @@ -385,6 +385,20 @@ static void gpio_keys_gpio_work_func(struct work_struct *work) struct gpio_button_data *bdata = container_of(work, struct gpio_button_data, work.work); + if (bdata->button->level_trigger) { + unsigned int trigger = + irq_get_trigger_type(bdata->irq) & ~IRQF_TRIGGER_MASK; + int state = gpiod_get_raw_value_cansleep(bdata->gpiod); + + if (state) + trigger |= IRQF_TRIGGER_LOW; + else + trigger |= IRQF_TRIGGER_HIGH; + + irq_set_irq_type(bdata->irq, trigger); + enable_irq(bdata->irq); + } + gpio_keys_gpio_report_event(bdata); if (bdata->button->wakeup) 
@@ -397,6 +411,9 @@ static irqreturn_t gpio_keys_gpio_isr(int irq, void *dev_id) BUG_ON(irq != bdata->irq); + if (bdata->button->level_trigger) + disable_irq_nosync(bdata->irq); + if (bdata->button->wakeup) { const struct gpio_keys_button *button = bdata->button; @@ -566,7 +583,11 @@ static int gpio_keys_setup_key(struct platform_device *pdev, INIT_DELAYED_WORK(>work, gpio_keys_gpio_work_func); isr = gpio_keys_gpio_isr; - irqflags = IRQF_TRIGGER_RISING | IRQF_TRIGGER_FALLING; + if (button->level_trigger) + irqflags = gpiod_is_active_low(bdata->gpiod) ? + IRQF_TRIGGER_LOW : IRQF_TRIGGER_HIGH; + else + irqflags = IRQF_TRIGGER_RISING | IRQF_TRIGGER_FALLING; } else { if (!button->irq) { @@ -721,6 +742,9 @@ static void gpio_keys_close(struct input_dev *input) button->can_disable = fwnode_property_read_bool(child, "linux,can-disable"); + button->level_trigger = + fwnode_property_read_bool(child, "gpio-key,level-trigger"); + if (fwnode_property_read_u32(child, "debounce-interval", >debounce_interval)) button->debounce_interval = 5; diff --git a/include/linux/gpio_keys.h b/include/linux/gpio_keys.h index d06bf77..5095645 100644 --- a/include/linux/gpio_keys.h +++ b/include/linux/gpio_keys.h @@ -28,6 +28,7 @@ struct gpio_keys_button { int wakeup; int debounce_interval; bool can_disable; + bool level_trigger; int value; unsigned int irq; }; -- 1.7.9.5
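Review bot: With `level_trigger` set the ISR calls `disable_irq_nosync()` and relies on gpio_keys_gpio_work_func() to call `enable_irq()`, so the interrupt stays masked if the delayed work is cancelled or never runs. The paths that cancel the work (close, suspend, removal) are outside this diff; each would need to re-enable the line or track that a disable is outstanding, otherwise the key stops reporting after a cancel. In the work function, `irq_get_trigger_type(bdata->irq) & ~IRQF_TRIGGER_MASK` looks like it always yields 0 if the helper returns only trigger bits, so `trigger` could simply start at 0. The result of `gpiod_get_raw_value_cansleep()` is used as a boolean there, so a negative error return would be treated as a high level.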