Re: [PATCH 03/10] SCSI: fcoe: convert to use BUS_ATTR_WO
On 12/21/18 4:29 PM, James Bottomley wrote: [scsi list cc added] On Fri, 2018-12-21 at 08:54 +0100, Greg Kroah-Hartman wrote: We are trying to get rid of BUS_ATTR() and the usage of that in the fcoe driver can be trivially converted to use BUS_ATTR_WO(), so use that instead. At the same time remove a unneeded EXPORT_SYMBOL() marking for the sysfs callback function we are renaming, no idea of how that got into the tree... The EXPORT_SYMBOL removal is fine, but [...] --- a/include/scsi/libfcoe.h +++ b/include/scsi/libfcoe.h @@ -405,10 +405,8 @@ int fcoe_transport_attach(struct fcoe_transport *ft); int fcoe_transport_detach(struct fcoe_transport *ft); /* sysfs store handler for ctrl_control interface */ -ssize_t fcoe_ctlr_create_store(struct bus_type *bus, - const char *buf, size_t count); -ssize_t fcoe_ctlr_destroy_store(struct bus_type *bus, - const char *buf, size_t count); +ssize_t ctlr_create_store(struct bus_type *bus, const char *buf, size_t count); +ssize_t ctlr_destroy_store(struct bus_type *bus, const char *buf, size_t count); You're really damaging our prefix namespace here. It looks like the ctlr_ name is a farly recent addition for sysfs (only myra/b) use it in SCSI but it's inviting symbol clashes. Hmm. I was under the impression that all sysfs functions from myrb/myrs are local, hence I would not need to prefix them. If this isn't the case I definitely will be fixing them. But in any case, if possible any sysfs function should be local to the driver; no-one else should ever attempt to use them. And we should be making it so if that's not the case. Cheers, Hannes
WARNING in perf_group_attach
Hello, syzbot found the following crash on: HEAD commit:0072a0c14d5b Merge tag 'media/v4.20-4' of git://git.kernel.. git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=10e6d12b40 kernel config: https://syzkaller.appspot.com/x/.config?x=b9cc5a440391cbfd dashboard link: https://syzkaller.appspot.com/bug?extid=23fe48cbe532abffa52e compiler: gcc (GCC) 8.0.1 20180413 (experimental) syz repro: https://syzkaller.appspot.com/x/repro.syz?x=135e93eb40 C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1318941540 IMPORTANT: if you fix the bug, please add the following tag to the commit: Reported-by: syzbot+23fe48cbe532abffa...@syzkaller.appspotmail.com WARNING: CPU: 0 PID: 6607 at kernel/events/core.c:1833 perf_group_attach+0x4c1/0x5a0 kernel/events/core.c:1833 Kernel panic - not syncing: panic_on_warn set ... CPU: 0 PID: 6607 Comm: syz-executor062 Not tainted 4.20.0-rc5+ #141 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x244/0x39d lib/dump_stack.c:113 panic+0x2ad/0x55c kernel/panic.c:188 __warn.cold.8+0x20/0x45 kernel/panic.c:540 report_bug+0x254/0x2d0 lib/bug.c:186 fixup_bug arch/x86/kernel/traps.c:178 [inline] do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:271 do_invalid_op+0x36/0x40 arch/x86/kernel/traps.c:290 invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:969 RIP: 0010:perf_group_attach+0x4c1/0x5a0 kernel/events/core.c:1833 Code: 8d 7c 24 10 48 89 f8 48 c1 e8 03 42 80 3c 30 00 75 51 4d 8b 64 24 10 49 83 ec 10 4c 39 e3 75 d2 e9 f8 fe ff ff e8 7f ad e9 ff <0f> 0b e9 e0 fc ff ff e8 73 06 2d 00 e9 ea fb ff ff e8 69 06 2d 00 RSP: 0018:8881cbf8f5f8 EFLAGS: 00010093 RAX: 8881bb87c440 RBX: 8881bb6db240 RCX: 8195eaa6 RDX: RSI: 8195ee41 RDI: 8881bb10e398 RBP: 8881cbf8f690 R08: 8881bb87c440 R09: 0006 R10: fbfff14a7201 R11: 0001 R12: 8881bb10e180 R13: 1110397f1ec1 R14: e8c13098 R15: add_event_to_ctx kernel/events/core.c:2390 [inline] __perf_install_in_context+0x5bd/0xb70 kernel/events/core.c:2531 remote_function+0x12b/0x1a0 kernel/events/core.c:87 generic_exec_single+0x379/0x5f0 kernel/smp.c:153 smp_call_function_single+0x25a/0x660 kernel/smp.c:299 cpu_function_call kernel/events/core.c:141 [inline] perf_install_in_context+0x46c/0x510 kernel/events/core.c:2567 __do_sys_perf_event_open+0x1fa5/0x3020 kernel/events/core.c:10791 __se_sys_perf_event_open kernel/events/core.c:10420 [inline] __x64_sys_perf_event_open+0xbe/0x150 kernel/events/core.c:10420 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x446619 Code: e8 0c e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:7fef7efd3db8 EFLAGS: 0246 ORIG_RAX: 012a RAX: ffda RBX: 006dbc28 RCX: 00446619 RDX: RSI: RDI: 2000 RBP: 006dbc20 R08: R09: R10: 0003 R11: 0246 R12: 006dbc2c R13: 7ffca90267df R14: 7fef7efd49c0 R15: 006dbc20 Kernel Offset: disabled Rebooting in 86400 seconds.. --- This bug is generated by a bot. It may contain errors. See https://goo.gl/tpsmEJ for more information about syzbot. syzbot engineers can be reached at syzkal...@googlegroups.com. syzbot will keep track of this bug report. See: https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with syzbot. syzbot can test patches for this bug, for details see: https://goo.gl/tpsmEJ#testing-patches
Re: [GIT PULL] x86/cache updates for 4.21
* Borislav Petkov wrote: > On Wed, Dec 26, 2018 at 12:26:12PM -0800, Linus Torvalds wrote: > > I've pulled this, but I think the new config option name is bad. > > > > I think it should probably have been called "X86_RESCTRL" instead of > > just "RESCTRL". That's way too generic a name for something that is > > (at least currently) very much an x86 feature. > > Right you are... ... and it's almost as if someone complained about this already: https://lkml.org/lkml/2018/11/23/389 "Also, the Kconfig space, when it gets extended with the AMD bits, should probably follow the same nomenclature: CONFIG_X86_CPU_RESOURCE_CONTROL=yor such." ;-) Anyway, I kind of dropped the ball after that first round of complaints, should have looked again. Thanks, Ingo
Re: Interrupt storm from pinctrl-amd on Acer AN515-42
On Fri, Dec 28, 2018 at 12:02 AM Leonard Crestez wrote: > Digging a little deeper it seems the touchpad interrupt is active on > boot and since it's configured as "level" and no touchpad driver is > available yet there does not seem to be any way to clear it. I think these are called "spurious interrupts". > I don't know how this should be handled, booting with an active enabled but > unclearable interrupt seems like a platform bug to me. There is even an > option to set touchpad to "basic" which does some sort of ps2 emulation > but the IRQ issue still happens! > > One workaround is to explicitly disable the interrupt from the handler > if no mapping is found; this will keep it disabled until > amd_gpio_irq_set_type is called later. I don't know how x86 and ACPI systems usually deal with this stuff so I'm kind of lost. On the embedded systems that I develop on, I would just disable all interrupts on probe() (usually writing 0x0 in some interrupt enable register) and then they will get enabled once consumers need them. But I have come to understand that maybe ACPI systems are not so happy about drivers doing things like that? Yours, Linus Walleij
Re: [GIT PULL] scheduler changes for v4.21
* Olof Johansson wrote: > Hi, > > On Mon, Dec 24, 2018 at 2:45 PM Ingo Molnar wrote: > > > > Linus, > > > > Please pull the latest sched-core-for-linus git tree from: > > > >git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip.git > > sched-core-for-linus > > > ># HEAD: 732cd75b8c920d3727e69957b14faa7c2d7c3b75 sched/fair: Select an > > energy-efficient CPU on task wake-up > > > > The main changes in this cycle were: > > > > - Introduce "Energy Aware Scheduling" - by Quentin Perret. This is a > >coherent topology description of CPUs in cooperation with the PM > >subsystem, with the goal to schedule more energy-efficiently on > >assymetric SMP platform - such as waking up tasks to the more > >energy-efficient CPUs first, as long as the system isn't > >oversubscribed. > > > >For details of the design, see: > > > > https://marc.info/?l=linux-kernel=153243513908731=2 > > > > - Misc cleanups and smaller enhancements. > > Looks like my warnings fix never made it in, even after a few pings. > > Linus, can you apply directly? Causes warning noise on all !SMP ARM builds: > > https://lore.kernel.org/lkml/20181125224105.123568-1-o...@lixom.net/ Thanks and sorry about that! Ingo
Re: [GIT PULL] sound updates for 4.21
* Linus Torvalds wrote:
> On Thu, Dec 20, 2018 at 7:38 AM Takashi Iwai wrote:
> >
> > git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound.git
> > tags/sound-4.21-rc1
>
> Hmm.
>
> It turns out that commit c337104b1a16 ("ALSA: HD-Audio: SKL+: abort
> probe if DSP is present and Skylake driver selected") causes my laptop
> (XPS13 9350) to no longer suspend.
Just a wild guess, I can see two ways in which that commit could make a
difference on your setup:
1)
If any of these is not set in your .config:
+ select SND_HDA_INTEL_DSP_DETECTION_SKL if SND_SOC_INTEL_SKL
+ select SND_HDA_INTEL_DSP_DETECTION_APL if SND_SOC_INTEL_APL
+ select SND_HDA_INTEL_DSP_DETECTION_KBL if SND_SOC_INTEL_KBL
+ select SND_HDA_INTEL_DSP_DETECTION_GLK if SND_SOC_INTEL_GLK
+ select SND_HDA_INTEL_DSP_DETECTION_CNL if SND_SOC_INTEL_CNL
+ select SND_HDA_INTEL_DSP_DETECTION_CFL if SND_SOC_INTEL_CFL
I.e. I'd enable all of the SND_SOC_INTEL_* options to cover this angle.
2)
There's the added logic of checking whether the DSP is enabled:
+ /* check if this driver can be used on SKL+ Intel platforms */
+ if ((pci_id->driver_data & AZX_DCAPS_INTEL_SHARED) &&
+ pci->class != 0x040300)
+ return -ENODEV;
+
if pci->class is not 0x040300 the driver could end up not detecting the
device while previously it would.
That code goes through several transformations later on - but the hack
below should make the commit an invariant. I think. Totally untested
though.
Thanks,
Ingo
==>
sound/pci/hda/hda_intel.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/pci/hda/hda_intel.c b/sound/pci/hda/hda_intel.c
index e42cc2230977..f9e9c87f6d15 100644
--- a/sound/pci/hda/hda_intel.c
+++ b/sound/pci/hda/hda_intel.c
@@ -2056,7 +2056,7 @@ static int azx_probe(struct pci_dev *pci,
if (pci_id->driver_data & AZX_DCAPS_INTEL_SHARED) {
switch (skl_pci_binding) {
case SND_SKL_PCI_BIND_AUTO:
- if (pci->class != 0x040300) {
+ if (0 && pci->class != 0x040300) {
dev_info(>dev, "The DSP is enabled on this
platform, aborting probe\n");
return -ENODEV;
}
Re: [PATCH 1/2] dt-bindings: Add Qualcomm USB Super-Speed PHY bindings
On 12/20/18 18:37, Jack Pham wrote: Hi Rob, Jorge, On Thu, Dec 20, 2018 at 11:05:31AM -0600, Rob Herring wrote: On Fri, Dec 07, 2018 at 10:55:57AM +0100, Jorge Ramirez-Ortiz wrote: Binding description for Qualcomm's Synopsys 1.0.0 super-speed PHY controller embedded in QCS404. Based on Sriharsha Allenki's original definitions. Signed-off-by: Jorge Ramirez-Ortiz Reviewed-by: Vinod Koul --- .../devicetree/bindings/usb/qcom,usb-ssphy.txt | 78 ++ 1 file changed, 78 insertions(+) create mode 100644 Documentation/devicetree/bindings/usb/qcom,usb-ssphy.txt diff --git a/Documentation/devicetree/bindings/usb/qcom,usb-ssphy.txt b/Documentation/devicetree/bindings/usb/qcom,usb-ssphy.txt new file mode 100644 index 000..fcf4e01 --- /dev/null +++ b/Documentation/devicetree/bindings/usb/qcom,usb-ssphy.txt @@ -0,0 +1,78 @@ +Qualcomm Synopsys 1.0.0 SS phy controller +=== + +Synopsys 1.0.0 ss phy controller supports SS usb connectivity on Qualcomm +chipsets + +Required properties: + +- compatible: +Value type: +Definition: Should contain "qcom,usb-ssphy". What is "qcom,dwc3-ss-usb-phy" which already exists then? Uh, apparently only the bindings doc is there but the driver never landed. I guess it fell through the cracks nearly 4 years ago. https://lore.kernel.org/patchwork/patch/499502/ Jorge, does Andy's version of this driver at all resemble what can be used for QCS404? on close inspection I cant see any similitudes between the drivers. Unfortunately I don't have access to documentation yet but the control register offsets and the control bits in the drivers do not match. because of the above I'd like to go ahead with our separate drivers -already tested and validated- for HS (Shawn's) and SS (mine). if that is acceptable, should we reuse the upstream bindings for our implementation? or perhaps Shawn Guo will do for his HS version of the driver and I go ahead and create a new one? what would you suggest? Jack
Re: [PATCH 2/2] perf c2c: Increase the HITM ratio limit for displayed cachelines
Em Fri, Dec 28, 2018 at 11:18:20AM +0100, Jiri Olsa escreveu:
> The cachelines being reported go down to 0.05%. hat makes for very
> long output files. Raising that to 0.1%. The user can always specify
> --show-all if they want all the cachelines.
Thanks, applied.
- Arnaldo
> Suggested-by: Joe Mario
> Link: http://lkml.kernel.org/n/tip-uwxpd36jutygit56mycan...@git.kernel.org
> Signed-off-by: Jiri Olsa
> ---
> tools/perf/builtin-c2c.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/tools/perf/builtin-c2c.c b/tools/perf/builtin-c2c.c
> index 321687f8f373..30584cb44fb7 100644
> --- a/tools/perf/builtin-c2c.c
> +++ b/tools/perf/builtin-c2c.c
> @@ -1878,7 +1878,7 @@ static int c2c_hists__reinit(struct c2c_hists
> *c2c_hists,
> return hpp_list__parse(_hists->list, output, sort);
> }
>
> -#define DISPLAY_LINE_LIMIT 0.0005
> +#define DISPLAY_LINE_LIMIT 0.001
>
> static bool he__display(struct hist_entry *he, struct c2c_stats *stats)
> {
> --
> 2.17.2
--
- Arnaldo
Re: [PATCH 1/2] perf c2c: Change the default coalesce setup
Em Fri, Dec 28, 2018 at 11:18:19AM +0100, Jiri Olsa escreveu: > Joe suggested to have the coalesce default set just to 'iaddr', > because it's easier to read on the (default) c2c report run. > > By removing pid from -c option, the c2c report will group all > the relevant pids under instruction address bucket. User can > always run -c pid,iaddr for more grained output on particular > pids. Thanks, applied. - Arnaldo
RE: [PATCH] regmap: irq: Make IRQ type support optional
Hello Charles,
Sending this mail form outlook web interface - so I won't inline any code :/
From: Charles Keepax [ckee...@opensource.cirrus.com]
Sent: Friday, December 28, 2018 1:55 PM
> On Fri, Dec 28, 2018 at 11:23:58AM +, Charles Keepax wrote:
> > Currently only gpio-max77620 is using the type support in regmap IRQ,
> > but the implementation causes the irq_set_type operation to fail on all
> > other regmap IRQ chips. Avoid these regressions by skipping the type
> > handling on any chips that don't define a set of supported types.
> >
> > Fixes: 1c2928e3e321 ("regmap: regmap-irq/gpio-max77620: add level-irq
> > support")
> > Signed-off-by: Charles Keepax
> > ---
> > drivers/base/regmap/regmap-irq.c | 3 +++
> > 1 file changed, 3 insertions(+)
> >
> > diff --git a/drivers/base/regmap/regmap-irq.c
> > b/drivers/base/regmap/regmap-irq.c
> > index 1bd1145ad8b5e..8c674f1ad0fc8 100644
> > --- a/drivers/base/regmap/regmap-irq.c
> > +++ b/drivers/base/regmap/regmap-irq.c
> > @@ -257,6 +257,9 @@ static int regmap_irq_set_type(struct irq_data *data,
> > unsigned int type)
> > int reg;
> > const struct regmap_irq_type *t = _data->type;
> >
> > + if (!t->types_supported)
> > + return 0;
> > +
> > if ((t->types_supported & type) != type)
> > return -ENOTSUPP;
> >
I got the bug-report from Geert and sent this patch yesterday:
https://lore.kernel.org/lkml/20181227084443.GA23991@localhost.localdomain/
Looking at these two options, I wonder if we shuld return -ENOTSUPP if we do
support type setting, but for example only for edge, not level active IRQs -
and if LEVEL_LOW or LEVEL_HIGH is requested? Well, I have no strong opinion and
both of these should fix the regressions - sorry for the hassle!
I still wonder whether we should do as I suggested and only set the
irq_set_type callback for chips which have non zero type_registers? I suggested
that here:
https://lore.kernel.org/lkml/20181228080533.GC2461@localhost.localdomain/
> + Matti Vaittinen, apologies for forgetting to include you on the
> original sending.
No problem. Thanks for adding me now =)
Br,
Matti Vaittinen
--
Matti Vaittinen
ROHM Semiconductors
~~~ "I don't think so," said Rene Descartes. Just then, he vanished ~~~
[PATCH 4.19 28/46] x86/vdso: Pass --eh-frame-hdr to the linker
4.19-stable review patch. If anyone has any objections, please let me know.
--
From: Alistair Strachan
commit cd01544a268ad8ee5b1dfe42c4393f1095f86879 upstream.
Commit
379d98ddf413 ("x86: vdso: Use $LD instead of $CC to link")
accidentally broke unwinding from userspace, because ld would strip the
.eh_frame sections when linking.
Originally, the compiler would implicitly add --eh-frame-hdr when
invoking the linker, but when this Makefile was converted from invoking
ld via the compiler, to invoking it directly (like vmlinux does),
the flag was missed. (The EH_FRAME section is important for the VDSO
shared libraries, but not for vmlinux.)
Fix the problem by explicitly specifying --eh-frame-hdr, which restores
parity with the old method.
See relevant bug reports for additional info:
https://bugzilla.kernel.org/show_bug.cgi?id=201741
https://bugzilla.redhat.com/show_bug.cgi?id=1659295
Fixes: 379d98ddf413 ("x86: vdso: Use $LD instead of $CC to link")
Reported-by: Florian Weimer
Reported-by: Carlos O'Donell
Reported-by: "H. J. Lu"
Signed-off-by: Alistair Strachan
Signed-off-by: Borislav Petkov
Tested-by: Laura Abbott
Cc: Andy Lutomirski
Cc: Carlos O'Donell
Cc: "H. Peter Anvin"
Cc: Ingo Molnar
Cc: Joel Fernandes
Cc: kernel-t...@android.com
Cc: Laura Abbott
Cc: stable
Cc: Thomas Gleixner
Cc: X86 ML
Link: https://lkml.kernel.org/r/20181214223637.35954-1-astrac...@google.com
Signed-off-by: Greg Kroah-Hartman
---
arch/x86/entry/vdso/Makefile |3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/arch/x86/entry/vdso/Makefile
+++ b/arch/x86/entry/vdso/Makefile
@@ -171,7 +171,8 @@ quiet_cmd_vdso = VDSO$@
sh $(srctree)/$(src)/checkundef.sh '$(NM)' '$@'
VDSO_LDFLAGS = -shared $(call ld-option, --hash-style=both) \
- $(call ld-option, --build-id) -Bsymbolic
+ $(call ld-option, --build-id) $(call ld-option, --eh-frame-hdr) \
+ -Bsymbolic
GCOV_PROFILE := n
#
[PATCH 4.19 30/46] panic: avoid deadlocks in re-entrant console drivers
4.19-stable review patch. If anyone has any objections, please let me know.
--
From: Sergey Senozhatsky
commit c7c3f05e341a9a2bd1a92993d4f996cfd6e7348e upstream.
>From printk()/serial console point of view panic() is special, because
it may force CPU to re-enter printk() or/and serial console driver.
Therefore, some of serial consoles drivers are re-entrant. E.g. 8250:
serial8250_console_write()
{
if (port->sysrq)
locked = 0;
else if (oops_in_progress)
locked = spin_trylock_irqsave(>lock, flags);
else
spin_lock_irqsave(>lock, flags);
...
}
panic() does set oops_in_progress via bust_spinlocks(1), so in theory
we should be able to re-enter serial console driver from panic():
CPU0
uart_console_write()
serial8250_console_write() // if (oops_in_progress)
//spin_trylock_irqsave()
call_console_drivers()
console_unlock()
console_flush_on_panic()
bust_spinlocks(1) // oops_in_progress++
panic()
spin_lock_irqsave(>lock, flags) // spin_lock_irqsave()
serial8250_console_write()
call_console_drivers()
console_unlock()
printk()
...
However, this does not happen and we deadlock in serial console on
port->lock spinlock. And the problem is that console_flush_on_panic()
called after bust_spinlocks(0):
void panic(const char *fmt, ...)
{
bust_spinlocks(1);
...
bust_spinlocks(0);
console_flush_on_panic();
...
}
bust_spinlocks(0) decrements oops_in_progress, so oops_in_progress
can go back to zero. Thus even re-entrant console drivers will simply
spin on port->lock spinlock. Given that port->lock may already be
locked either by a stopped CPU, or by the very same CPU we execute
panic() on (for instance, NMI panic() on printing CPU) the system
deadlocks and does not reboot.
Fix this by removing bust_spinlocks(0), so oops_in_progress is always
set in panic() now and, thus, re-entrant console drivers will trylock
the port->lock instead of spinning on it forever, when we call them
from console_flush_on_panic().
Link:
http://lkml.kernel.org/r/20181025101036.6823-1-sergey.senozhat...@gmail.com
Cc: Steven Rostedt
Cc: Daniel Wang
Cc: Peter Zijlstra
Cc: Andrew Morton
Cc: Linus Torvalds
Cc: Greg Kroah-Hartman
Cc: Alan Cox
Cc: Jiri Slaby
Cc: Peter Feiner
Cc: linux-ser...@vger.kernel.org
Cc: Sergey Senozhatsky
Cc: sta...@vger.kernel.org
Signed-off-by: Sergey Senozhatsky
Signed-off-by: Petr Mladek
Signed-off-by: Greg Kroah-Hartman
---
kernel/panic.c |6 +-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/kernel/panic.c
+++ b/kernel/panic.c
@@ -14,6 +14,7 @@
#include
#include
#include
+#include
#include
#include
#include
@@ -233,7 +234,10 @@ void panic(const char *fmt, ...)
if (_crash_kexec_post_notifiers)
__crash_kexec(NULL);
- bust_spinlocks(0);
+#ifdef CONFIG_VT
+ unblank_screen();
+#endif
+ console_unblank();
/*
* We may have ended up stopping the CPU holding the lock (in
[PATCH 4.19 29/46] x86/intel_rdt: Ensure a CPU remains online for the regions pseudo-locking sequence
4.19-stable review patch. If anyone has any objections, please let me know.
--
From: Reinette Chatre
commit 80b71c340f17705ec145911b9a193ea781811b16 upstream.
The user triggers the creation of a pseudo-locked region when writing
the requested schemata to the schemata resctrl file. The pseudo-locking
of a region is required to be done on a CPU that is associated with the
cache on which the pseudo-locked region will reside. In order to run the
locking code on a specific CPU, the needed CPU has to be selected and
ensured to remain online during the entire locking sequence.
At this time, the cpu_hotplug_lock is not taken during the pseudo-lock
region creation and it is thus possible for a CPU to be selected to run
the pseudo-locking code and then that CPU to go offline before the
thread is able to run on it.
Fix this by ensuring that the cpu_hotplug_lock is taken while the CPU on
which code has to run needs to be controlled. Since the cpu_hotplug_lock
is always taken before rdtgroup_mutex the lock order is maintained.
Fixes: e0bdfe8e36f3 ("x86/intel_rdt: Support creation/removal of pseudo-locked
region")
Signed-off-by: Reinette Chatre
Signed-off-by: Borislav Petkov
Cc: "H. Peter Anvin"
Cc: Fenghua Yu
Cc: Ingo Molnar
Cc: Thomas Gleixner
Cc: Tony Luck
Cc: gavin.hind...@intel.com
Cc: jithu.jos...@intel.com
Cc: stable
Cc: x86-ml
Link:
https://lkml.kernel.org/r/b7b17432a80f95a1fa21a1698ba643014f58ad31.1544476425.git.reinette.cha...@intel.com
Signed-off-by: Greg Kroah-Hartman
---
arch/x86/kernel/cpu/intel_rdt_ctrlmondata.c |4
1 file changed, 4 insertions(+)
--- a/arch/x86/kernel/cpu/intel_rdt_ctrlmondata.c
+++ b/arch/x86/kernel/cpu/intel_rdt_ctrlmondata.c
@@ -23,6 +23,7 @@
#define pr_fmt(fmt)KBUILD_MODNAME ": " fmt
+#include
#include
#include
#include
@@ -310,9 +311,11 @@ ssize_t rdtgroup_schemata_write(struct k
return -EINVAL;
buf[nbytes - 1] = '\0';
+ cpus_read_lock();
rdtgrp = rdtgroup_kn_lock_live(of->kn);
if (!rdtgrp) {
rdtgroup_kn_unlock(of->kn);
+ cpus_read_unlock();
return -ENOENT;
}
rdt_last_cmd_clear();
@@ -367,6 +370,7 @@ ssize_t rdtgroup_schemata_write(struct k
out:
rdtgroup_kn_unlock(of->kn);
+ cpus_read_unlock();
return ret ?: nbytes;
}
[PATCH 4.19 03/46] USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data
4.19-stable review patch. If anyone has any objections, please let me know.
--
From: Hui Peng
commit 5146f95df782b0ac61abde36567e718692725c89 upstream.
The function hso_probe reads if_num from the USB device (as an u8) and uses
it without a length check to index an array, resulting in an OOB memory read
in hso_probe or hso_get_config_data.
Add a length check for both locations and updated hso_probe to bail on
error.
This issue has been assigned CVE-2018-19985.
Reported-by: Hui Peng
Reported-by: Mathias Payer
Signed-off-by: Hui Peng
Signed-off-by: Mathias Payer
Reviewed-by: Sebastian Andrzej Siewior
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
drivers/net/usb/hso.c | 18 --
1 file changed, 16 insertions(+), 2 deletions(-)
--- a/drivers/net/usb/hso.c
+++ b/drivers/net/usb/hso.c
@@ -2807,6 +2807,12 @@ static int hso_get_config_data(struct us
return -EIO;
}
+ /* check if we have a valid interface */
+ if (if_num > 16) {
+ kfree(config_data);
+ return -EINVAL;
+ }
+
switch (config_data[if_num]) {
case 0x0:
result = 0;
@@ -2877,10 +2883,18 @@ static int hso_probe(struct usb_interfac
/* Get the interface/port specification from either driver_info or from
* the device itself */
- if (id->driver_info)
+ if (id->driver_info) {
+ /* if_num is controlled by the device, driver_info is a 0
terminated
+* array. Make sure, the access is in bounds! */
+ for (i = 0; i <= if_num; ++i)
+ if (((u32 *)(id->driver_info))[i] == 0)
+ goto exit;
port_spec = ((u32 *)(id->driver_info))[if_num];
- else
+ } else {
port_spec = hso_get_config_data(interface);
+ if (port_spec < 0)
+ goto exit;
+ }
/* Check if we need to switch to alt interfaces prior to port
* configuration */
[PATCH 4.19 34/46] xfrm_user: fix freeing of xfrm states on acquire
4.19-stable review patch. If anyone has any objections, please let me know.
--
From: Mathias Krause
commit 4a135e538962cb00a9667c82e7d2b9e4d7cd7177 upstream.
Commit 565f0fa902b6 ("xfrm: use a dedicated slab cache for struct
xfrm_state") moved xfrm state objects to use their own slab cache.
However, it missed to adapt xfrm_user to use this new cache when
freeing xfrm states.
Fix this by introducing and make use of a new helper for freeing
xfrm_state objects.
Fixes: 565f0fa902b6 ("xfrm: use a dedicated slab cache for struct xfrm_state")
Reported-by: Pan Bian
Cc: # v4.18+
Signed-off-by: Mathias Krause
Acked-by: Herbert Xu
Signed-off-by: Steffen Klassert
Signed-off-by: Greg Kroah-Hartman
---
include/net/xfrm.h|1 +
net/xfrm/xfrm_state.c |8 +++-
net/xfrm/xfrm_user.c |4 ++--
3 files changed, 10 insertions(+), 3 deletions(-)
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -1552,6 +1552,7 @@ int xfrm_state_walk(struct net *net, str
int (*func)(struct xfrm_state *, int, void*), void *);
void xfrm_state_walk_done(struct xfrm_state_walk *walk, struct net *net);
struct xfrm_state *xfrm_state_alloc(struct net *net);
+void xfrm_state_free(struct xfrm_state *x);
struct xfrm_state *xfrm_state_find(const xfrm_address_t *daddr,
const xfrm_address_t *saddr,
const struct flowi *fl,
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -426,6 +426,12 @@ static void xfrm_put_mode(struct xfrm_mo
module_put(mode->owner);
}
+void xfrm_state_free(struct xfrm_state *x)
+{
+ kmem_cache_free(xfrm_state_cache, x);
+}
+EXPORT_SYMBOL(xfrm_state_free);
+
static void xfrm_state_gc_destroy(struct xfrm_state *x)
{
tasklet_hrtimer_cancel(>mtimer);
@@ -452,7 +458,7 @@ static void xfrm_state_gc_destroy(struct
}
xfrm_dev_state_free(x);
security_xfrm_state_free(x);
- kmem_cache_free(xfrm_state_cache, x);
+ xfrm_state_free(x);
}
static void xfrm_state_gc_task(struct work_struct *work)
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -2288,13 +2288,13 @@ static int xfrm_add_acquire(struct sk_bu
}
- kfree(x);
+ xfrm_state_free(x);
kfree(xp);
return 0;
free_state:
- kfree(x);
+ xfrm_state_free(x);
nomem:
return err;
}
[PATCH 4.19 31/46] mm: add mm_pxd_folded checks to pgtable_bytes accounting functions
4.19-stable review patch. If anyone has any objections, please let me know.
--
[ Upstream commit 6d212db11947ae5464e4717536ed9faf61c01e86 ]
The common mm code calls mm_dec_nr_pmds() and mm_dec_nr_puds()
in free_pgtables() if the address range spans a full pud or pmd.
If mm_dec_nr_puds/mm_dec_nr_pmds are non-empty due to configuration
settings they blindly subtract the size of the pmd or pud table from
pgtable_bytes even if the pud or pmd page table layer is folded.
Add explicit mm_[pmd|pud]_folded checks to the four pgtable_bytes
accounting functions mm_inc_nr_puds, mm_inc_nr_pmds, mm_dec_nr_puds
and mm_dec_nr_pmds. As the check for folded page tables can be
overwritten by the architecture, this allows to keep a correct
pgtable_bytes value for platforms that use a dynamic number of
page table levels.
Acked-by: Kirill A. Shutemov
Signed-off-by: Martin Schwidefsky
Signed-off-by: Sasha Levin
---
include/linux/mm.h | 8
1 file changed, 8 insertions(+)
diff --git a/include/linux/mm.h b/include/linux/mm.h
index 0416a7204be3..e899460f1bc5 100644
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -1724,11 +1724,15 @@ int __pud_alloc(struct mm_struct *mm, p4d_t *p4d,
unsigned long address);
static inline void mm_inc_nr_puds(struct mm_struct *mm)
{
+ if (mm_pud_folded(mm))
+ return;
atomic_long_add(PTRS_PER_PUD * sizeof(pud_t), >pgtables_bytes);
}
static inline void mm_dec_nr_puds(struct mm_struct *mm)
{
+ if (mm_pud_folded(mm))
+ return;
atomic_long_sub(PTRS_PER_PUD * sizeof(pud_t), >pgtables_bytes);
}
#endif
@@ -1748,11 +1752,15 @@ int __pmd_alloc(struct mm_struct *mm, pud_t *pud,
unsigned long address);
static inline void mm_inc_nr_pmds(struct mm_struct *mm)
{
+ if (mm_pmd_folded(mm))
+ return;
atomic_long_add(PTRS_PER_PMD * sizeof(pmd_t), >pgtables_bytes);
}
static inline void mm_dec_nr_pmds(struct mm_struct *mm)
{
+ if (mm_pmd_folded(mm))
+ return;
atomic_long_sub(PTRS_PER_PMD * sizeof(pmd_t), >pgtables_bytes);
}
#endif
--
2.19.1
[PATCH 4.19 36/46] iwlwifi: mvm: dont send GEO_TX_POWER_LIMIT to old firmwares
4.19-stable review patch. If anyone has any objections, please let me know.
--
From: Emmanuel Grumbach
commit eca1e56ceedd9cc185eb18baf307d3ff2e4af376 upstream.
Old firmware versions don't support this command. Sending it
to any firmware before -41.ucode will crash the firmware.
This fixes https://bugzilla.kernel.org/show_bug.cgi?id=201975
Fixes: 66e839030fd6 ("iwlwifi: fix wrong WGDS_WIFI_DATA_SIZE")
CC: #4.19+
Signed-off-by: Emmanuel Grumbach
Signed-off-by: Luca Coelho
Signed-off-by: Kalle Valo
Signed-off-by: Greg Kroah-Hartman
---
drivers/net/wireless/intel/iwlwifi/mvm/fw.c |9 +
1 file changed, 9 insertions(+)
--- a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
@@ -868,6 +868,15 @@ static int iwl_mvm_sar_geo_init(struct i
int ret, i, j;
u16 cmd_wide_id = WIDE_ID(PHY_OPS_GROUP, GEO_TX_POWER_LIMIT);
+ /*
+* This command is not supported on earlier firmware versions.
+* Unfortunately, we don't have a TLV API flag to rely on, so
+* rely on the major version which is in the first byte of
+* ucode_ver.
+*/
+ if (IWL_UCODE_SERIAL(mvm->fw->ucode_ver) < 41)
+ return 0;
+
ret = iwl_mvm_sar_get_wgds_table(mvm);
if (ret < 0) {
IWL_DEBUG_RADIO(mvm,
[PATCH 4.19 32/46] mm: make the __PAGETABLE_PxD_FOLDED defines non-empty
4.19-stable review patch. If anyone has any objections, please let me know. -- [ Upstream commit a8874e7e8a8896f2b6c641f4b8e2473eafd35204 ] Change the currently empty defines for __PAGETABLE_PMD_FOLDED, __PAGETABLE_PUD_FOLDED and __PAGETABLE_P4D_FOLDED to return 1. This makes it possible to use __is_defined() to test if the preprocessor define exists. Acked-by: Kirill A. Shutemov Signed-off-by: Martin Schwidefsky Signed-off-by: Sasha Levin --- arch/arm/include/asm/pgtable-2level.h| 2 +- arch/m68k/include/asm/pgtable_mm.h | 4 ++-- arch/microblaze/include/asm/pgtable.h| 2 +- arch/nds32/include/asm/pgtable.h | 2 +- arch/parisc/include/asm/pgtable.h| 2 +- include/asm-generic/4level-fixup.h | 2 +- include/asm-generic/5level-fixup.h | 2 +- include/asm-generic/pgtable-nop4d-hack.h | 2 +- include/asm-generic/pgtable-nop4d.h | 2 +- include/asm-generic/pgtable-nopmd.h | 2 +- include/asm-generic/pgtable-nopud.h | 2 +- 11 files changed, 12 insertions(+), 12 deletions(-) diff --git a/arch/arm/include/asm/pgtable-2level.h b/arch/arm/include/asm/pgtable-2level.h index 92fd2c8a9af0..12659ce5c1f3 100644 --- a/arch/arm/include/asm/pgtable-2level.h +++ b/arch/arm/include/asm/pgtable-2level.h @@ -10,7 +10,7 @@ #ifndef _ASM_PGTABLE_2LEVEL_H #define _ASM_PGTABLE_2LEVEL_H -#define __PAGETABLE_PMD_FOLDED +#define __PAGETABLE_PMD_FOLDED 1 /* * Hardware-wise, we have a two level page table structure, where the first diff --git a/arch/m68k/include/asm/pgtable_mm.h b/arch/m68k/include/asm/pgtable_mm.h index 6181e4134483..fe3ddd73a0cc 100644 --- a/arch/m68k/include/asm/pgtable_mm.h +++ b/arch/m68k/include/asm/pgtable_mm.h @@ -55,12 +55,12 @@ */ #ifdef CONFIG_SUN3 #define PTRS_PER_PTE 16 -#define __PAGETABLE_PMD_FOLDED +#define __PAGETABLE_PMD_FOLDED 1 #define PTRS_PER_PMD 1 #define PTRS_PER_PGD 2048 #elif defined(CONFIG_COLDFIRE) #define PTRS_PER_PTE 512 -#define __PAGETABLE_PMD_FOLDED +#define __PAGETABLE_PMD_FOLDED 1 #define PTRS_PER_PMD 1 #define PTRS_PER_PGD 1024 #else diff --git a/arch/microblaze/include/asm/pgtable.h b/arch/microblaze/include/asm/pgtable.h index 7b650ab14fa0..2ca598534cc7 100644 --- a/arch/microblaze/include/asm/pgtable.h +++ b/arch/microblaze/include/asm/pgtable.h @@ -63,7 +63,7 @@ extern int mem_init_done; #include -#define __PAGETABLE_PMD_FOLDED +#define __PAGETABLE_PMD_FOLDED 1 #ifdef __KERNEL__ #ifndef __ASSEMBLY__ diff --git a/arch/nds32/include/asm/pgtable.h b/arch/nds32/include/asm/pgtable.h index d3e19a55cf53..9f52db930c00 100644 --- a/arch/nds32/include/asm/pgtable.h +++ b/arch/nds32/include/asm/pgtable.h @@ -4,7 +4,7 @@ #ifndef _ASMNDS32_PGTABLE_H #define _ASMNDS32_PGTABLE_H -#define __PAGETABLE_PMD_FOLDED +#define __PAGETABLE_PMD_FOLDED 1 #include #include diff --git a/arch/parisc/include/asm/pgtable.h b/arch/parisc/include/asm/pgtable.h index fa6b7c78f18a..ff0860b2b21a 100644 --- a/arch/parisc/include/asm/pgtable.h +++ b/arch/parisc/include/asm/pgtable.h @@ -117,7 +117,7 @@ static inline void purge_tlb_entries(struct mm_struct *mm, unsigned long addr) #if CONFIG_PGTABLE_LEVELS == 3 #define BITS_PER_PMD (PAGE_SHIFT + PMD_ORDER - BITS_PER_PMD_ENTRY) #else -#define __PAGETABLE_PMD_FOLDED +#define __PAGETABLE_PMD_FOLDED 1 #define BITS_PER_PMD 0 #endif #define PTRS_PER_PMD(1UL << BITS_PER_PMD) diff --git a/include/asm-generic/4level-fixup.h b/include/asm-generic/4level-fixup.h index 89f3b03b1445..e3667c9a33a5 100644 --- a/include/asm-generic/4level-fixup.h +++ b/include/asm-generic/4level-fixup.h @@ -3,7 +3,7 @@ #define _4LEVEL_FIXUP_H #define __ARCH_HAS_4LEVEL_HACK -#define __PAGETABLE_PUD_FOLDED +#define __PAGETABLE_PUD_FOLDED 1 #define PUD_SHIFT PGDIR_SHIFT #define PUD_SIZE PGDIR_SIZE diff --git a/include/asm-generic/5level-fixup.h b/include/asm-generic/5level-fixup.h index 9c2e0708eb82..73474bb52344 100644 --- a/include/asm-generic/5level-fixup.h +++ b/include/asm-generic/5level-fixup.h @@ -3,7 +3,7 @@ #define _5LEVEL_FIXUP_H #define __ARCH_HAS_5LEVEL_HACK -#define __PAGETABLE_P4D_FOLDED +#define __PAGETABLE_P4D_FOLDED 1 #define P4D_SHIFT PGDIR_SHIFT #define P4D_SIZE PGDIR_SIZE diff --git a/include/asm-generic/pgtable-nop4d-hack.h b/include/asm-generic/pgtable-nop4d-hack.h index 0c34215263b8..1d6dd38c0e5e 100644 --- a/include/asm-generic/pgtable-nop4d-hack.h +++ b/include/asm-generic/pgtable-nop4d-hack.h @@ -5,7 +5,7 @@ #ifndef __ASSEMBLY__ #include -#define __PAGETABLE_PUD_FOLDED +#define __PAGETABLE_PUD_FOLDED 1 /* * Having the pud type consist of a pgd gets the size right, and allows diff --git a/include/asm-generic/pgtable-nop4d.h b/include/asm-generic/pgtable-nop4d.h index 1a29b2a0282b..04cb913797bc 100644 --- a/include/asm-generic/pgtable-nop4d.h +++ b/include/asm-generic/pgtable-nop4d.h @@ -4,7 +4,7 @@ #ifndef
[PATCH 4.19 05/46] USB: xhci: fix broken_suspend placement in struct xchi_hcd
4.19-stable review patch. If anyone has any objections, please let me know.
--
From: Nicolas Saenz Julienne
commit 2419f30a4a4fcaa5f35111563b4c61f1b2b26841 upstream.
As commented in the struct's definition there shouldn't be anything
underneath its 'priv[0]' member as it would break some macros.
The patch converts the broken_suspend into a bit-field and relocates it
next to to the rest of bit-fields.
Fixes: a7d57abcc8a5 ("xhci: workaround CSS timeout on AMD SNPS 3.0 xHC")
Reported-by: Oliver Neukum
Signed-off-by: Nicolas Saenz Julienne
Acked-by: Mathias Nyman
Cc: stable
Signed-off-by: Greg Kroah-Hartman
---
drivers/usb/host/xhci.h |4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/usb/host/xhci.h
+++ b/drivers/usb/host/xhci.h
@@ -1860,6 +1860,8 @@ struct xhci_hcd {
unsignedsw_lpm_support:1;
/* support xHCI 1.0 spec USB2 hardware LPM */
unsignedhw_lpm_support:1;
+ /* Broken Suspend flag for SNPS Suspend resume issue */
+ unsignedbroken_suspend:1;
/* cached usb2 extened protocol capabilites */
u32 *ext_caps;
unsigned intnum_ext_caps;
@@ -1877,8 +1879,6 @@ struct xhci_hcd {
void*dbc;
/* platform-specific data -- must come last */
unsigned long priv[0] __aligned(sizeof(s64));
- /* Broken Suspend flag for SNPS Suspend resume issue */
- u8 broken_suspend;
};
/* Platform specific overrides to generic XHCI hc_driver ops */
[PATCH 4.19 07/46] USB: serial: option: add HP lt4132
4.19-stable review patch. If anyone has any objections, please let me know.
--
From: Tore Anderson
commit d57ec3c83b5153217a70b561d4fb6ed96f2f7a25 upstream.
The HP lt4132 is a rebranded Huawei ME906s-158 LTE modem.
The interface with protocol 0x16 is "CDC ECM & NCM" according to the *.inf
files included with the Windows driver. Attaching the option driver to it
doesn't result in a /dev/ttyUSB* device being created, so I've excluded it.
Note that it is also excluded for corresponding Huawei-branded devices, cf.
commit d544db293a44 ("USB: support new huawei devices in option.c").
T: Bus=01 Lev=01 Prnt=01 Port=02 Cnt=02 Dev#= 3 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=ff MxPS=64 #Cfgs= 3
P: Vendor=03f0 ProdID=a31d Rev=01.02
S: Manufacturer=HP Inc.
S: Product=HP lt4132 LTE/HSPA+ 4G Module
S: SerialNumber=0123456789ABCDEF
C: #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=2mA
I: If#=0x0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=06 Prot=10 Driver=option
I: If#=0x1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=06 Prot=13 Driver=option
I: If#=0x2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=06 Prot=12 Driver=option
I: If#=0x3 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=06 Prot=16 Driver=(none)
I: If#=0x4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=06 Prot=14 Driver=option
I: If#=0x5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=06 Prot=1b Driver=option
T: Bus=01 Lev=01 Prnt=01 Port=02 Cnt=02 Dev#= 3 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=ff MxPS=64 #Cfgs= 3
P: Vendor=03f0 ProdID=a31d Rev=01.02
S: Manufacturer=HP Inc.
S: Product=HP lt4132 LTE/HSPA+ 4G Module
S: SerialNumber=0123456789ABCDEF
C: #Ifs= 7 Cfg#= 2 Atr=a0 MxPwr=2mA
I: If#=0x0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=06 Prot=00 Driver=cdc_ether
I: If#=0x1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=06 Prot=00 Driver=cdc_ether
I: If#=0x2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=06 Prot=10 Driver=option
I: If#=0x3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=06 Prot=13 Driver=option
I: If#=0x4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=06 Prot=12 Driver=option
I: If#=0x5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=06 Prot=14 Driver=option
I: If#=0x6 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=06 Prot=1b Driver=option
T: Bus=01 Lev=01 Prnt=01 Port=02 Cnt=02 Dev#= 3 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=ff MxPS=64 #Cfgs= 3
P: Vendor=03f0 ProdID=a31d Rev=01.02
S: Manufacturer=HP Inc.
S: Product=HP lt4132 LTE/HSPA+ 4G Module
S: SerialNumber=0123456789ABCDEF
C: #Ifs= 3 Cfg#= 3 Atr=a0 MxPwr=2mA
I: If#=0x0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim
I: If#=0x1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
I: If#=0x2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=06 Prot=14 Driver=option
Signed-off-by: Tore Anderson
Cc: sta...@vger.kernel.org
[ johan: drop id defines ]
Signed-off-by: Johan Hovold
Signed-off-by: Greg Kroah-Hartman
---
drivers/usb/serial/option.c |7 ++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -1942,7 +1942,12 @@ static const struct usb_device_id option
{ USB_DEVICE_AND_INTERFACE_INFO(WETELECOM_VENDOR_ID,
WETELECOM_PRODUCT_WMD200, 0xff, 0xff, 0xff) },
{ USB_DEVICE_AND_INTERFACE_INFO(WETELECOM_VENDOR_ID,
WETELECOM_PRODUCT_6802, 0xff, 0xff, 0xff) },
{ USB_DEVICE_AND_INTERFACE_INFO(WETELECOM_VENDOR_ID,
WETELECOM_PRODUCT_WMD300, 0xff, 0xff, 0xff) },
- { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0x421d, 0xff, 0xff, 0xff) }, /*
HP lt2523 (Novatel E371) */
+ { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0x421d, 0xff, 0xff, 0xff) },
/* HP lt2523 (Novatel E371) */
+ { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x10) },
/* HP lt4132 (Huawei ME906s-158) */
+ { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x12) },
+ { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x13) },
+ { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x14) },
+ { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x1b) },
{ } /* Terminating entry */
};
MODULE_DEVICE_TABLE(usb, option_ids);
[PATCH 4.19 38/46] iwlwifi: add new cards for 9560, 9462, 9461 and killer series
4.19-stable review patch. If anyone has any objections, please let me know.
--
From: Ihab Zhaika
commit f108703cb5f199d0fc98517ac29a997c4c646c94 upstream.
add few PCI ID'S for 9560, 9462, 9461 and killer series.
Cc: sta...@vger.kernel.org
Signed-off-by: Ihab Zhaika
Signed-off-by: Luca Coelho
Signed-off-by: Greg Kroah-Hartman
---
drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 50 ++
1 file changed, 50 insertions(+)
--- a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
+++ b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
@@ -518,6 +518,56 @@ static const struct pci_device_id iwl_hw
{IWL_PCI_DEVICE(0x24FD, 0x9074, iwl8265_2ac_cfg)},
/* 9000 Series */
+ {IWL_PCI_DEVICE(0x02F0, 0x0030, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x02F0, 0x0034, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x02F0, 0x0038, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x02F0, 0x003C, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x02F0, 0x0060, iwl9461_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x02F0, 0x0064, iwl9461_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x02F0, 0x00A0, iwl9462_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x02F0, 0x00A4, iwl9462_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x02F0, 0x0230, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x02F0, 0x0234, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x02F0, 0x0238, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x02F0, 0x023C, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x02F0, 0x0260, iwl9461_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x02F0, 0x0264, iwl9461_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x02F0, 0x02A0, iwl9462_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x02F0, 0x02A4, iwl9462_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x02F0, 0x1551, iwl9560_killer_s_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x02F0, 0x1552, iwl9560_killer_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x02F0, 0x2030, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x02F0, 0x2034, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x02F0, 0x4030, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x02F0, 0x4034, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x02F0, 0x40A4, iwl9462_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x02F0, 0x4234, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x02F0, 0x42A4, iwl9462_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x06F0, 0x0030, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x06F0, 0x0034, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x06F0, 0x0038, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x06F0, 0x003C, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x06F0, 0x0060, iwl9461_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x06F0, 0x0064, iwl9461_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x06F0, 0x00A0, iwl9462_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x06F0, 0x00A4, iwl9462_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x06F0, 0x0230, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x06F0, 0x0234, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x06F0, 0x0238, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x06F0, 0x023C, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x06F0, 0x0260, iwl9461_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x06F0, 0x0264, iwl9461_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x06F0, 0x02A0, iwl9462_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x06F0, 0x02A4, iwl9462_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x06F0, 0x1551, iwl9560_killer_s_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x06F0, 0x1552, iwl9560_killer_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x06F0, 0x2030, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x06F0, 0x2034, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x06F0, 0x4030, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x06F0, 0x4034, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x06F0, 0x40A4, iwl9462_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x06F0, 0x4234, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x06F0, 0x42A4, iwl9462_2ac_cfg_soc)},
{IWL_PCI_DEVICE(0x2526, 0x0010, iwl9260_2ac_cfg)},
{IWL_PCI_DEVICE(0x2526, 0x0014, iwl9260_2ac_cfg)},
{IWL_PCI_DEVICE(0x2526, 0x0018, iwl9260_2ac_cfg)},
[PATCH 4.19 09/46] USB: serial: option: add Fibocom NL668 series
4.19-stable review patch. If anyone has any objections, please let me know.
--
From: Jörgen Storvist
commit 30360224441ce89a98ed627861e735beb4010775 upstream.
Added USB serial option driver support for Fibocom NL668 series cellular
modules. Reserved USB endpoints 4, 5 and 6 for network + ADB interfaces.
usb-devices output (QMI mode)
T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 16 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=1508 ProdID=1001 Rev=03.18
S: Manufacturer=Nodecom NL668 Modem
S: Product=Nodecom NL668-CN Modem
S: SerialNumber=
C: #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
I: If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
usb-devices output (ECM mode)
T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 17 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=1508 ProdID=1001 Rev=03.18
S: Manufacturer=Nodecom NL668 Modem
S: Product=Nodecom NL668-CN Modem
S: SerialNumber=
C: #Ifs= 7 Cfg#= 1 Atr=a0 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I: If#= 4 Alt= 0 #EPs= 1 Cls=02(commc) Sub=06 Prot=00 Driver=cdc_ether
I: If#= 5 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether
I: If#= 6 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
Signed-off-by: Jörgen Storvist
Cc: stable
Signed-off-by: Johan Hovold
Signed-off-by: Greg Kroah-Hartman
---
drivers/usb/serial/option.c |2 ++
1 file changed, 2 insertions(+)
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -1949,6 +1949,8 @@ static const struct usb_device_id option
{ USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x13) },
{ USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x14) },
{ USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x1b) },
+ { USB_DEVICE(0x1508, 0x1001),
/* Fibocom NL668 */
+ .driver_info = RSVD(4) | RSVD(5) | RSVD(6) },
{ } /* Terminating entry */
};
MODULE_DEVICE_TABLE(usb, option_ids);
Re: [RFC][PATCH v2 00/21] PMEM NUMA node and hotness accounting/migration
On Fri 28-12-18 17:42:08, Wu Fengguang wrote: [...] > Those look unnecessary complexities for this post. This v2 patchset > mainly fulfills our first milestone goal: a minimal viable solution > that's relatively clean to backport. Even when preparing for new > upstreamable versions, it may be good to keep it simple for the > initial upstream inclusion. On the other hand this is creating a new NUMA semantic and I would like to have something long term thatn let's throw something in now and care about long term later. So I would really prefer to talk about long term plans first and only care about implementation details later. > > I haven't looked at the implementation yet but if you are proposing a > > special cased zone lists then this is something CDM (Coherent Device > > Memory) was trying to do two years ago and there was quite some > > skepticism in the approach. > > It looks we are pretty different than CDM. :) > We creating new NUMA nodes rather than CDM's new ZONE. > The zonelists modification is just to make PMEM nodes more separated. Yes, this is exactly what CDM was after. Have a zone which is not reachable without explicit request AFAIR. So no, I do not think you are too different, you just use a different terminology ;) -- Michal Hocko SUSE Labs
[PATCH 4.19 42/46] mm, page_alloc: fix has_unmovable_pages for HugePages
4.19-stable review patch. If anyone has any objections, please let me know.
--
From: Oscar Salvador
commit 17e2e7d7e1b83fa324b3f099bfe426659aa3c2a4 upstream.
While playing with gigantic hugepages and memory_hotplug, I triggered
the following #PF when "cat memoryX/removable":
BUG: unable to handle kernel NULL pointer dereference at 0008
#PF error: [normal kernel read fault]
PGD 0 P4D 0
Oops: [#1] SMP PTI
CPU: 1 PID: 1481 Comm: cat Tainted: GE
4.20.0-rc6-mm1-1-default+ #18
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.0.0-prebuilt.qemu-project.org 04/01/2014
RIP: 0010:has_unmovable_pages+0x154/0x210
Call Trace:
is_mem_section_removable+0x7d/0x100
removable_show+0x90/0xb0
dev_attr_show+0x1c/0x50
sysfs_kf_seq_show+0xca/0x1b0
seq_read+0x133/0x380
__vfs_read+0x26/0x180
vfs_read+0x89/0x140
ksys_read+0x42/0x90
do_syscall_64+0x5b/0x180
entry_SYSCALL_64_after_hwframe+0x44/0xa9
The reason is we do not pass the Head to page_hstate(), and so, the call
to compound_order() in page_hstate() returns 0, so we end up checking
all hstates's size to match PAGE_SIZE.
Obviously, we do not find any hstate matching that size, and we return
NULL. Then, we dereference that NULL pointer in
hugepage_migration_supported() and we got the #PF from above.
Fix that by getting the head page before calling page_hstate().
Also, since gigantic pages span several pageblocks, re-adjust the logic
for skipping pages. While are it, we can also get rid of the
round_up().
[osalva...@suse.de: remove round_up(), adjust skip pages logic per Michal]
Link: http://lkml.kernel.org/r/20181221062809.31771-1-osalva...@suse.de
Link: http://lkml.kernel.org/r/20181217225113.17864-1-osalva...@suse.de
Signed-off-by: Oscar Salvador
Acked-by: Michal Hocko
Reviewed-by: David Hildenbrand
Cc: Vlastimil Babka
Cc: Pavel Tatashin
Cc: Mike Rapoport
Cc:
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
Signed-off-by: Greg Kroah-Hartman
---
mm/page_alloc.c |7 +--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/mm/page_alloc.c
+++ b/mm/page_alloc.c
@@ -7716,11 +7716,14 @@ bool has_unmovable_pages(struct zone *zo
* handle each tail page individually in migration.
*/
if (PageHuge(page)) {
+ struct page *head = compound_head(page);
+ unsigned int skip_pages;
- if (!hugepage_migration_supported(page_hstate(page)))
+ if (!hugepage_migration_supported(page_hstate(head)))
goto unmovable;
- iter = round_up(iter + 1, 1<
[PATCH 4.19 44/46] Input: elantech - disable elan-i2c for P52 and P72
4.19-stable review patch. If anyone has any objections, please let me know.
--
From: Benjamin Tissoires
commit d21ff5d7f8c397261e095393a1a8e199934720bc upstream.
The current implementation of elan_i2c is known to not support those
2 laptops.
A proper fix is to tweak both elantech and elan_i2c to transmit the
correct information from PS/2, which would make a bad candidate for
stable.
So to give us some time for fixing the root of the problem, disable
elan_i2c for the devices we know are not behaving properly.
Link: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1803600
Link: https://bugs.archlinux.org/task/59714
Fixes: df077237cf55 Input: elantech - detect new ICs and setup Host Notify for
them
Cc: sta...@vger.kernel.org # v4.18+
Signed-off-by: Benjamin Tissoires
Acked-by: Peter Hutterer
Signed-off-by: Dmitry Torokhov
Signed-off-by: Greg Kroah-Hartman
---
drivers/input/mouse/elantech.c | 18 --
1 file changed, 16 insertions(+), 2 deletions(-)
--- a/drivers/input/mouse/elantech.c
+++ b/drivers/input/mouse/elantech.c
@@ -1767,6 +1767,18 @@ static int elantech_smbus = IS_ENABLED(C
module_param_named(elantech_smbus, elantech_smbus, int, 0644);
MODULE_PARM_DESC(elantech_smbus, "Use a secondary bus for the Elantech
device.");
+static const char * const i2c_blacklist_pnp_ids[] = {
+ /*
+* These are known to not be working properly as bits are missing
+* in elan_i2c.
+*/
+ "LEN2131", /* ThinkPad P52 w/ NFC */
+ "LEN2132", /* ThinkPad P52 */
+ "LEN2133", /* ThinkPad P72 w/ NFC */
+ "LEN2134", /* ThinkPad P72 */
+ NULL
+};
+
static int elantech_create_smbus(struct psmouse *psmouse,
struct elantech_device_info *info,
bool leave_breadcrumbs)
@@ -1802,10 +1814,12 @@ static int elantech_setup_smbus(struct p
if (elantech_smbus == ELANTECH_SMBUS_NOT_SET) {
/*
-* New ICs are enabled by default.
+* New ICs are enabled by default, unless mentioned in
+* i2c_blacklist_pnp_ids.
* Old ICs are up to the user to decide.
*/
- if (!ETP_NEW_IC_SMBUS_HOST_NOTIFY(info->fw_version))
+ if (!ETP_NEW_IC_SMBUS_HOST_NOTIFY(info->fw_version) ||
+ psmouse_matches_pnp_id(psmouse, i2c_blacklist_pnp_ids))
return -ENXIO;
}
[PATCH 4.14 06/36] perf record: Synthesize features before events in pipe mode
4.14-stable review patch. If anyone has any objections, please let me know.
--
[ Upstream commit a2015516c5c0be932a69e1d3405c2fb03b4eacf1 ]
We need to synthesize events first, because some features works on top
of them (on report side).
Signed-off-by: Jiri Olsa
Tested-by: Stephane Eranian
Cc: Alexander Shishkin
Cc: David Ahern
Cc: Namhyung Kim
Cc: Peter Zijlstra
Link: http://lkml.kernel.org/r/20180314092205.23291-1-jo...@kernel.org
Signed-off-by: Arnaldo Carvalho de Melo
Signed-off-by: Sasha Levin
---
tools/perf/builtin-record.c | 18 +++---
1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/tools/perf/builtin-record.c b/tools/perf/builtin-record.c
index b205c1340456..5e53cafe6cf9 100644
--- a/tools/perf/builtin-record.c
+++ b/tools/perf/builtin-record.c
@@ -800,13 +800,10 @@ static int record__synthesize(struct record *rec, bool
tail)
return 0;
if (file->is_pipe) {
- err = perf_event__synthesize_features(
- tool, session, rec->evlist, process_synthesized_event);
- if (err < 0) {
- pr_err("Couldn't synthesize features.\n");
- return err;
- }
-
+ /*
+* We need to synthesize events first, because some
+* features works on top of them (on report side).
+*/
err = perf_event__synthesize_attrs(tool, session,
process_synthesized_event);
if (err < 0) {
@@ -814,6 +811,13 @@ static int record__synthesize(struct record *rec, bool
tail)
goto out;
}
+ err = perf_event__synthesize_features(tool, session,
rec->evlist,
+
process_synthesized_event);
+ if (err < 0) {
+ pr_err("Couldn't synthesize features.\n");
+ return err;
+ }
+
if (have_tracepoints(>evlist->entries)) {
/*
* FIXME err <= 0 here actually means that
--
2.19.1
[PATCH 4.19 45/46] proc/sysctl: dont return ENOMEM on lookup when a table is unregistering
4.19-stable review patch. If anyone has any objections, please let me know.
--
From: Ivan Delalande
commit ea5751ccd665a2fd1b24f9af81f6167f0718c5f6 upstream.
proc_sys_lookup can fail with ENOMEM instead of ENOENT when the
corresponding sysctl table is being unregistered. In our case we see
this upon opening /proc/sys/net/*/conf files while network interfaces
are being deleted, which confuses our configuration daemon.
The problem was successfully reproduced and this fix tested on v4.9.122
and v4.20-rc6.
v2: return ERR_PTRs in all cases when proc_sys_make_inode fails instead
of mixing them with NULL. Thanks Al Viro for the feedback.
Fixes: ace0c791e6c3 ("proc/sysctl: Don't grab i_lock under sysctl_lock.")
Cc: sta...@vger.kernel.org
Signed-off-by: Ivan Delalande
Signed-off-by: Al Viro
Signed-off-by: Greg Kroah-Hartman
---
fs/proc/proc_sysctl.c | 13 ++---
1 file changed, 6 insertions(+), 7 deletions(-)
--- a/fs/proc/proc_sysctl.c
+++ b/fs/proc/proc_sysctl.c
@@ -464,7 +464,7 @@ static struct inode *proc_sys_make_inode
inode = new_inode(sb);
if (!inode)
- goto out;
+ return ERR_PTR(-ENOMEM);
inode->i_ino = get_next_ino();
@@ -474,8 +474,7 @@ static struct inode *proc_sys_make_inode
if (unlikely(head->unregistering)) {
spin_unlock(_lock);
iput(inode);
- inode = NULL;
- goto out;
+ return ERR_PTR(-ENOENT);
}
ei->sysctl = head;
ei->sysctl_entry = table;
@@ -500,7 +499,6 @@ static struct inode *proc_sys_make_inode
if (root->set_ownership)
root->set_ownership(head, table, >i_uid, >i_gid);
-out:
return inode;
}
@@ -549,10 +547,11 @@ static struct dentry *proc_sys_lookup(st
goto out;
}
- err = ERR_PTR(-ENOMEM);
inode = proc_sys_make_inode(dir->i_sb, h ? h : head, p);
- if (!inode)
+ if (IS_ERR(inode)) {
+ err = ERR_CAST(inode);
goto out;
+ }
d_set_d_op(dentry, _sys_dentry_operations);
err = d_splice_alias(inode, dentry);
@@ -685,7 +684,7 @@ static bool proc_sys_fill_cache(struct f
if (d_in_lookup(child)) {
struct dentry *res;
inode = proc_sys_make_inode(dir->d_sb, head, table);
- if (!inode) {
+ if (IS_ERR(inode)) {
d_lookup_done(child);
dput(child);
return false;
[PATCH 4.19 46/46] drm/ioctl: Fix Spectre v1 vulnerabilities
4.19-stable review patch. If anyone has any objections, please let me know.
--
From: Gustavo A. R. Silva
commit 505b5240329b922f21f91d5b5d1e535c805eca6d upstream.
nr is indirectly controlled by user-space, hence leading to a
potential exploitation of the Spectre variant 1 vulnerability.
This issue was detected with the help of Smatch:
drivers/gpu/drm/drm_ioctl.c:805 drm_ioctl() warn: potential spectre issue
'dev->driver->ioctls' [r]
drivers/gpu/drm/drm_ioctl.c:810 drm_ioctl() warn: potential spectre issue
'drm_ioctls' [r] (local cap)
drivers/gpu/drm/drm_ioctl.c:892 drm_ioctl_flags() warn: potential spectre issue
'drm_ioctls' [r] (local cap)
Fix this by sanitizing nr before using it to index dev->driver->ioctls
and drm_ioctls.
Notice that given that speculation windows are large, the policy is
to kill the speculation on the first load and not worry if it can be
completed with a dependent load/store [1].
[1] https://marc.info/?l=linux-kernel=152449131114778=2
Cc: sta...@vger.kernel.org
Signed-off-by: Gustavo A. R. Silva
Signed-off-by: Daniel Vetter
Link:
https://patchwork.freedesktop.org/patch/msgid/2018122015.GA18973@embeddedor
Signed-off-by: Greg Kroah-Hartman
---
drivers/gpu/drm/drm_ioctl.c | 10 --
1 file changed, 8 insertions(+), 2 deletions(-)
--- a/drivers/gpu/drm/drm_ioctl.c
+++ b/drivers/gpu/drm/drm_ioctl.c
@@ -37,6 +37,7 @@
#include
#include
+#include
/**
* DOC: getunique and setversion story
@@ -794,13 +795,17 @@ long drm_ioctl(struct file *filp,
if (is_driver_ioctl) {
/* driver ioctl */
- if (nr - DRM_COMMAND_BASE >= dev->driver->num_ioctls)
+ unsigned int index = nr - DRM_COMMAND_BASE;
+
+ if (index >= dev->driver->num_ioctls)
goto err_i1;
- ioctl = >driver->ioctls[nr - DRM_COMMAND_BASE];
+ index = array_index_nospec(index, dev->driver->num_ioctls);
+ ioctl = >driver->ioctls[index];
} else {
/* core ioctl */
if (nr >= DRM_CORE_IOCTL_COUNT)
goto err_i1;
+ nr = array_index_nospec(nr, DRM_CORE_IOCTL_COUNT);
ioctl = _ioctls[nr];
}
@@ -882,6 +887,7 @@ bool drm_ioctl_flags(unsigned int nr, un
if (nr >= DRM_CORE_IOCTL_COUNT)
return false;
+ nr = array_index_nospec(nr, DRM_CORE_IOCTL_COUNT);
*flags = drm_ioctls[nr].flags;
return true;
[PATCH 4.14 11/36] USB: serial: option: add GosunCn ZTE WeLink ME3630
4.14-stable review patch. If anyone has any objections, please let me know.
--
From: Jörgen Storvist
commit 70a7444c550a75584ffcfae95267058817eff6a7 upstream.
Added USB serial option driver support for GosunCn ZTE WeLink ME3630
series cellular modules for USB modes ECM/NCM and MBIM.
usb-devices output MBIM mode:
T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 10 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=19d2 ProdID=0602 Rev=03.18
S: Manufacturer=Android
S: Product=Android
S: SerialNumber=
C: #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I: If#= 3 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim
I: If#= 4 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
usb-devices output ECM/NCM mode:
T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 11 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=19d2 ProdID=1476 Rev=03.18
S: Manufacturer=Android
S: Product=Android
S: SerialNumber=
C: #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I: If#= 3 Alt= 0 #EPs= 1 Cls=02(commc) Sub=06 Prot=00 Driver=cdc_ether
I: If#= 4 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether
Signed-off-by: Jörgen Storvist
Cc: stable
Signed-off-by: Johan Hovold
Signed-off-by: Greg Kroah-Hartman
---
drivers/usb/serial/option.c |2 ++
1 file changed, 2 insertions(+)
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -1331,6 +1331,7 @@ static const struct usb_device_id option
.driver_info = RSVD(4) },
{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0414, 0xff, 0xff,
0xff) },
{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0417, 0xff, 0xff,
0xff) },
+ { USB_DEVICE_INTERFACE_CLASS(ZTE_VENDOR_ID, 0x0602, 0xff) },/*
GosunCn ZTE WeLink ME3630 (MBIM mode) */
{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1008, 0xff, 0xff,
0xff),
.driver_info = RSVD(4) },
{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1010, 0xff, 0xff,
0xff),
@@ -1534,6 +1535,7 @@ static const struct usb_device_id option
.driver_info = RSVD(2) },
{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1428, 0xff, 0xff,
0xff), /* Telewell TW-LTE 4G v2 */
.driver_info = RSVD(2) },
+ { USB_DEVICE_INTERFACE_CLASS(ZTE_VENDOR_ID, 0x1476, 0xff) },/*
GosunCn ZTE WeLink ME3630 (ECM/NCM mode) */
{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1533, 0xff, 0xff,
0xff) },
{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1534, 0xff, 0xff,
0xff) },
{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1535, 0xff, 0xff,
0xff) },
[PATCH 4.14 07/36] cifs: integer overflow in in SMB2_ioctl()
4.14-stable review patch. If anyone has any objections, please let me know.
--
commit 2d204ee9d671327915260071c19350d84344e096 upstream
The "le32_to_cpu(rsp->OutputOffset) + *plen" addition can overflow and
wrap around to a smaller value which looks like it would lead to an
information leak.
Fixes: 4a72dafa19ba ("SMB2 FSCTL and IOCTL worker function")
Signed-off-by: Dan Carpenter
Signed-off-by: Steve French
Reviewed-by: Aurelien Aptel
CC: Stable
Signed-off-by: Sudip Mukherjee
Signed-off-by: Sasha Levin
---
fs/cifs/smb2pdu.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
index 69309538ffb8..1581e8668b09 100644
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -2020,14 +2020,14 @@ SMB2_ioctl(const unsigned int xid, struct cifs_tcon
*tcon, u64 persistent_fid,
/* We check for obvious errors in the output buffer length and offset */
if (*plen == 0)
goto ioctl_exit; /* server returned no data */
- else if (*plen > 0xFF00) {
+ else if (*plen > rsp_iov.iov_len || *plen > 0xFF00) {
cifs_dbg(VFS, "srv returned invalid ioctl length: %d\n", *plen);
*plen = 0;
rc = -EIO;
goto ioctl_exit;
}
- if (get_rfc1002_length(rsp) < le32_to_cpu(rsp->OutputOffset) + *plen) {
+ if (get_rfc1002_length(rsp) - *plen < le32_to_cpu(rsp->OutputOffset)) {
cifs_dbg(VFS, "Malformed ioctl resp: len %d offset %d\n", *plen,
le32_to_cpu(rsp->OutputOffset));
*plen = 0;
--
2.19.1
[PATCH 4.14 08/36] USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data
4.14-stable review patch. If anyone has any objections, please let me know.
--
From: Hui Peng
commit 5146f95df782b0ac61abde36567e718692725c89 upstream.
The function hso_probe reads if_num from the USB device (as an u8) and uses
it without a length check to index an array, resulting in an OOB memory read
in hso_probe or hso_get_config_data.
Add a length check for both locations and updated hso_probe to bail on
error.
This issue has been assigned CVE-2018-19985.
Reported-by: Hui Peng
Reported-by: Mathias Payer
Signed-off-by: Hui Peng
Signed-off-by: Mathias Payer
Reviewed-by: Sebastian Andrzej Siewior
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
drivers/net/usb/hso.c | 18 --
1 file changed, 16 insertions(+), 2 deletions(-)
--- a/drivers/net/usb/hso.c
+++ b/drivers/net/usb/hso.c
@@ -2806,6 +2806,12 @@ static int hso_get_config_data(struct us
return -EIO;
}
+ /* check if we have a valid interface */
+ if (if_num > 16) {
+ kfree(config_data);
+ return -EINVAL;
+ }
+
switch (config_data[if_num]) {
case 0x0:
result = 0;
@@ -2876,10 +2882,18 @@ static int hso_probe(struct usb_interfac
/* Get the interface/port specification from either driver_info or from
* the device itself */
- if (id->driver_info)
+ if (id->driver_info) {
+ /* if_num is controlled by the device, driver_info is a 0
terminated
+* array. Make sure, the access is in bounds! */
+ for (i = 0; i <= if_num; ++i)
+ if (((u32 *)(id->driver_info))[i] == 0)
+ goto exit;
port_spec = ((u32 *)(id->driver_info))[if_num];
- else
+ } else {
port_spec = hso_get_config_data(interface);
+ if (port_spec < 0)
+ goto exit;
+ }
/* Check if we need to switch to alt interfaces prior to port
* configuration */
[PATCH 4.14 02/36] block: fix infinite loop if the device loses discard capability
4.14-stable review patch. If anyone has any objections, please let me know.
--
[ Upstream commit b88aef36b87c9787a4db724923ec4f57dfd513f3 ]
If __blkdev_issue_discard is in progress and a device mapper device is
reloaded with a table that doesn't support discard,
q->limits.max_discard_sectors is set to zero. This results in infinite
loop in __blkdev_issue_discard.
This patch checks if max_discard_sectors is zero and aborts with
-EOPNOTSUPP.
Signed-off-by: Mikulas Patocka
Tested-by: Zdenek Kabelac
Cc: sta...@vger.kernel.org
Signed-off-by: Jens Axboe
Signed-off-by: Sasha Levin
---
block/blk-lib.c | 10 ++
1 file changed, 10 insertions(+)
diff --git a/block/blk-lib.c b/block/blk-lib.c
index 53a45663e688..0bdc77888dc5 100644
--- a/block/blk-lib.c
+++ b/block/blk-lib.c
@@ -65,6 +65,8 @@ int __blkdev_issue_discard(struct block_device *bdev,
sector_t sector,
*/
req_sects = min_t(sector_t, nr_sects,
q->limits.max_discard_sectors);
+ if (!req_sects)
+ goto fail;
if (req_sects > UINT_MAX >> 9)
req_sects = UINT_MAX >> 9;
@@ -102,6 +104,14 @@ int __blkdev_issue_discard(struct block_device *bdev,
sector_t sector,
*biop = bio;
return 0;
+
+fail:
+ if (bio) {
+ submit_bio_wait(bio);
+ bio_put(bio);
+ }
+ *biop = NULL;
+ return -EOPNOTSUPP;
}
EXPORT_SYMBOL(__blkdev_issue_discard);
--
2.19.1
[PATCH 4.14 28/36] panic: avoid deadlocks in re-entrant console drivers
4.14-stable review patch. If anyone has any objections, please let me know.
--
From: Sergey Senozhatsky
commit c7c3f05e341a9a2bd1a92993d4f996cfd6e7348e upstream.
>From printk()/serial console point of view panic() is special, because
it may force CPU to re-enter printk() or/and serial console driver.
Therefore, some of serial consoles drivers are re-entrant. E.g. 8250:
serial8250_console_write()
{
if (port->sysrq)
locked = 0;
else if (oops_in_progress)
locked = spin_trylock_irqsave(>lock, flags);
else
spin_lock_irqsave(>lock, flags);
...
}
panic() does set oops_in_progress via bust_spinlocks(1), so in theory
we should be able to re-enter serial console driver from panic():
CPU0
uart_console_write()
serial8250_console_write() // if (oops_in_progress)
//spin_trylock_irqsave()
call_console_drivers()
console_unlock()
console_flush_on_panic()
bust_spinlocks(1) // oops_in_progress++
panic()
spin_lock_irqsave(>lock, flags) // spin_lock_irqsave()
serial8250_console_write()
call_console_drivers()
console_unlock()
printk()
...
However, this does not happen and we deadlock in serial console on
port->lock spinlock. And the problem is that console_flush_on_panic()
called after bust_spinlocks(0):
void panic(const char *fmt, ...)
{
bust_spinlocks(1);
...
bust_spinlocks(0);
console_flush_on_panic();
...
}
bust_spinlocks(0) decrements oops_in_progress, so oops_in_progress
can go back to zero. Thus even re-entrant console drivers will simply
spin on port->lock spinlock. Given that port->lock may already be
locked either by a stopped CPU, or by the very same CPU we execute
panic() on (for instance, NMI panic() on printing CPU) the system
deadlocks and does not reboot.
Fix this by removing bust_spinlocks(0), so oops_in_progress is always
set in panic() now and, thus, re-entrant console drivers will trylock
the port->lock instead of spinning on it forever, when we call them
from console_flush_on_panic().
Link:
http://lkml.kernel.org/r/20181025101036.6823-1-sergey.senozhat...@gmail.com
Cc: Steven Rostedt
Cc: Daniel Wang
Cc: Peter Zijlstra
Cc: Andrew Morton
Cc: Linus Torvalds
Cc: Greg Kroah-Hartman
Cc: Alan Cox
Cc: Jiri Slaby
Cc: Peter Feiner
Cc: linux-ser...@vger.kernel.org
Cc: Sergey Senozhatsky
Cc: sta...@vger.kernel.org
Signed-off-by: Sergey Senozhatsky
Signed-off-by: Petr Mladek
Signed-off-by: Greg Kroah-Hartman
---
kernel/panic.c |6 +-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/kernel/panic.c
+++ b/kernel/panic.c
@@ -14,6 +14,7 @@
#include
#include
#include
+#include
#include
#include
#include
@@ -230,7 +231,10 @@ void panic(const char *fmt, ...)
if (_crash_kexec_post_notifiers)
__crash_kexec(NULL);
- bust_spinlocks(0);
+#ifdef CONFIG_VT
+ unblank_screen();
+#endif
+ console_unblank();
/*
* We may have ended up stopping the CPU holding the lock (in
[PATCH] staging: rtl8192e: fix camelcase style warning
Remove CamelCase words. Warning found using checkpatch.pl
Signed-off-by: Sushil Verma
---
drivers/staging/rtl8192e/dot11d.c | 84 +++
1 file changed, 42 insertions(+), 42 deletions(-)
diff --git a/drivers/staging/rtl8192e/dot11d.c
b/drivers/staging/rtl8192e/dot11d.c
index a1c096124683..bf151d81767f 100644
--- a/drivers/staging/rtl8192e/dot11d.c
+++ b/drivers/staging/rtl8192e/dot11d.c
@@ -15,11 +15,11 @@
#include "dot11d.h"
struct channel_list {
- u8 Channel[32];
- u8 Len;
+ u8 channel[32];
+ u8 len;
};
-static struct channel_list ChannelPlan[] = {
+static struct channel_list channelPlan[] = {
{{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 36, 40, 44, 48, 52, 56, 60, 64,
149, 153, 157, 161, 165}, 24},
{{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11}, 11},
@@ -48,29 +48,29 @@ void dot11d_init(struct rtllib_device *ieee)
pDot11dInfo->bEnabled = false;
- pDot11dInfo->State = DOT11D_STATE_NONE;
- pDot11dInfo->CountryIeLen = 0;
+ pDot11dInfo->state = DOT11D_STATE_NONE;
+ pDot11dInfo->countryIelen = 0;
memset(pDot11dInfo->channel_map, 0, MAX_CHANNEL_NUMBER + 1);
- memset(pDot11dInfo->MaxTxPwrDbmList, 0xFF, MAX_CHANNEL_NUMBER + 1);
+ memset(pDot11dInfo->maxTxPwrDbmList, 0xFF, MAX_CHANNEL_NUMBER + 1);
RESET_CIE_WATCHDOG(ieee);
}
EXPORT_SYMBOL(dot11d_init);
-void Dot11d_Channelmap(u8 channel_plan, struct rtllib_device *ieee)
+void dot11d_channelmap(u8 channel_plan, struct rtllib_device *ieee)
{
int i, max_chan = 14, min_chan = 1;
ieee->bGlobalDomain = false;
- if (ChannelPlan[channel_plan].Len != 0) {
+ if (channelPlan[channel_plan].len != 0) {
memset(GET_DOT11D_INFO(ieee)->channel_map, 0,
sizeof(GET_DOT11D_INFO(ieee)->channel_map));
- for (i = 0; i < ChannelPlan[channel_plan].Len; i++) {
- if (ChannelPlan[channel_plan].Channel[i] < min_chan ||
- ChannelPlan[channel_plan].Channel[i] > max_chan)
+ for (i = 0; i < channelPlan[channel_plan].len; i++) {
+ if (channelPlan[channel_plan].channel[i] < min_chan ||
+ channelPlan[channel_plan].channel[i] > max_chan)
break;
- GET_DOT11D_INFO(ieee)->channel_map[ChannelPlan
- [channel_plan].Channel[i]] = 1;
+ GET_DOT11D_INFO(ieee)->channel_map[channelPlan
+ [channel_plan].channel[i]] = 1;
}
}
@@ -79,73 +79,73 @@ void Dot11d_Channelmap(u8 channel_plan, struct
rtllib_device *ieee)
ieee->bGlobalDomain = true;
for (i = 12; i <= 14; i++)
GET_DOT11D_INFO(ieee)->channel_map[i] = 2;
- ieee->IbssStartChnl = 10;
+ ieee->ibssStartChnl = 10;
ieee->ibss_maxjoin_chal = 11;
break;
case COUNTRY_CODE_WORLD_WIDE_13:
for (i = 12; i <= 13; i++)
GET_DOT11D_INFO(ieee)->channel_map[i] = 2;
- ieee->IbssStartChnl = 10;
+ ieee->ibssStartChnl = 10;
ieee->ibss_maxjoin_chal = 11;
break;
default:
- ieee->IbssStartChnl = 1;
+ ieee->ibssStartChnl = 1;
ieee->ibss_maxjoin_chal = 14;
break;
}
}
-EXPORT_SYMBOL(Dot11d_Channelmap);
+EXPORT_SYMBOL(dot11d_channelmap);
-void Dot11d_Reset(struct rtllib_device *ieee)
+void dot11d_Reset(struct rtllib_device *ieee)
{
struct rt_dot11d_info *pDot11dInfo = GET_DOT11D_INFO(ieee);
u32 i;
memset(pDot11dInfo->channel_map, 0, MAX_CHANNEL_NUMBER + 1);
- memset(pDot11dInfo->MaxTxPwrDbmList, 0xFF, MAX_CHANNEL_NUMBER + 1);
+ memset(pDot11dInfo->maxTxPwrDbmList, 0xFF, MAX_CHANNEL_NUMBER + 1);
for (i = 1; i <= 11; i++)
(pDot11dInfo->channel_map)[i] = 1;
for (i = 12; i <= 14; i++)
(pDot11dInfo->channel_map)[i] = 2;
- pDot11dInfo->State = DOT11D_STATE_NONE;
- pDot11dInfo->CountryIeLen = 0;
+ pDot11dInfo->state = DOT11D_STATE_NONE;
+ pDot11dInfo->countryIelen = 0;
RESET_CIE_WATCHDOG(ieee);
}
-void Dot11d_UpdateCountryIe(struct rtllib_device *dev, u8 *pTaddr,
- u16 CoutryIeLen, u8 *pCoutryIe)
+void dot11d_UpdateCountryIe(struct rtllib_device *dev, u8 *pTaddr,
+ u16 coutryIeLen, u8 *pCoutryIe)
{
struct rt_dot11d_info *pDot11dInfo = GET_DOT11D_INFO(dev);
- u8 i, j, NumTriples, MaxChnlNum;
+ u8 i, j, numTriples, maxChnlNum;
struct chnl_txpow_triple *pTriple;
memset(pDot11dInfo->channel_map, 0, MAX_CHANNEL_NUMBER + 1);
- memset(pDot11dInfo->MaxTxPwrDbmList,
Re: d_off field in struct dirent and 32-on-64 emulation
On 28/12/2018 10:01, Florian Weimer wrote: > * Florian Weimer: > >> * Adhemerval Zanella: >> >>> On 27/12/2018 16:09, Florian Weimer wrote: * Adhemerval Zanella: > Also for glibc standpoint, although reverting it back to use getdents > syscall for non-LFS mode might fix this issue for architectures that > provides non-LFS getdents syscall it won't be a fix for architectures > that still provides off_t different than off64_t *and* only provides > getdents64 syscall. > > Currently we only have nios2 and csky (unfortunately). But since generic > definition for off_t and off64_t still assumes non-LFS support, all new > 32-bits ports potentially might carry the issue. For csky, we could still change the type of the non-standard d_off field to long long int. This way, only telldir would have to fail when truncation is necessary, as mentioned below: >>> >>> I think it makes no sense to continue making non-LFS as default for >>> newer 32 bits ports, the support will be emulated with LFS syscalls. >> >> Sorry, I don't see how this matters. seekdir and telldir are NOT >> affected by LFS. > > Ah, right. If struct dirent is 64-bit only, then the d_off member > will be 64 bits as well. But it is unclear whether you can use that > with lseek (probably yes, in its 64-bit variant), and it's unlikely > it's going to work with seekdir because of the POSIX-required long int > type. > I was referring to all other API that uses off_t as well (pread for instance), where new ports will have non-LFS variants that will call only LFS variants.
[PATCH 4.14 24/36] kvm: x86: Add AMDs EX_CFG to the list of ignored MSRs
4.14-stable review patch. If anyone has any objections, please let me know. -- From: Eduardo Habkost commit 0e1b869fff60c81b510c2d00602d778f8f59dd9a upstream. Some guests OSes (including Windows 10) write to MSR 0xc001102c on some cases (possibly while trying to apply a CPU errata). Make KVM ignore reads and writes to that MSR, so the guest won't crash. The MSR is documented as "Execution Unit Configuration (EX_CFG)", at AMD's "BIOS and Kernel Developer's Guide (BKDG) for AMD Family 15h Models 00h-0Fh Processors". Cc: sta...@vger.kernel.org Signed-off-by: Eduardo Habkost Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman --- arch/x86/include/asm/msr-index.h |1 + arch/x86/kvm/x86.c |2 ++ 2 files changed, 3 insertions(+) --- a/arch/x86/include/asm/msr-index.h +++ b/arch/x86/include/asm/msr-index.h @@ -372,6 +372,7 @@ #define MSR_F15H_NB_PERF_CTR 0xc0010241 #define MSR_F15H_PTSC 0xc0010280 #define MSR_F15H_IC_CFG0xc0011021 +#define MSR_F15H_EX_CFG0xc001102c /* Fam 10h MSRs */ #define MSR_FAM10H_MMIO_CONF_BASE 0xc0010058 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -2227,6 +2227,7 @@ int kvm_set_msr_common(struct kvm_vcpu * case MSR_AMD64_PATCH_LOADER: case MSR_AMD64_BU_CFG2: case MSR_AMD64_DC_CFG: + case MSR_F15H_EX_CFG: break; case MSR_IA32_UCODE_REV: @@ -2508,6 +2509,7 @@ int kvm_get_msr_common(struct kvm_vcpu * case MSR_AMD64_BU_CFG2: case MSR_IA32_PERF_CTL: case MSR_AMD64_DC_CFG: + case MSR_F15H_EX_CFG: msr_info->data = 0; break; case MSR_K7_EVNTSEL0 ... MSR_K7_EVNTSEL3:
[PATCH 4.14 00/36] 4.14.91-stable review
This is the start of the stable review cycle for the 4.14.91 release. There are 36 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sun Dec 30 11:30:54 UTC 2018. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.91-rc1.gz or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y and the diffstat can be found below. thanks, greg k-h - Pseudo-Shortlog of commits: Greg Kroah-Hartman Linux 4.14.91-rc1 Gustavo A. R. Silva drm/ioctl: Fix Spectre v1 vulnerabilities Ivan Delalande proc/sysctl: don't return ENOMEM on lookup when a table is unregistering Roman Gushchin mm: don't miss the last page because of round-off error Richard Weinberger ubifs: Handle re-linking of inodes correctly while recovery Uwe Kleine-König spi: imx: mx51-ecspi: Move some initialisation to prepare_message hook. Uwe Kleine-König spi: imx: add a device specific prepare_message callback Ihab Zhaika iwlwifi: add new cards for 9560, 9462, 9461 and killer series Emmanuel Grumbach iwlwifi: mvm: don't send GEO_TX_POWER_LIMIT to old firmwares Sergey Senozhatsky panic: avoid deadlocks in re-entrant console drivers Colin Ian King x86/mtrr: Don't copy uninitialized gentry fields back to userspace Dexuan Cui Drivers: hv: vmbus: Return -EINVAL for the sys files for unopened channels Cfir Cohen KVM: Fix UAF in nested posted interrupt processing Eduardo Habkost kvm: x86: Add AMD's EX_CFG to the list of ignored MSRs Thomas Gleixner posix-timers: Fix division by zero bug Hans de Goede gpiolib-acpi: Only defer request_irq for GpioInt ACPI event handlers Christophe Leroy gpio: max7301: fix driver for use with CONFIG_VMAP_STACK Russell King mmc: omap_hsmmc: fix DMA API warning Ulf Hansson mmc: core: Use a minimum 1600ms timeout when enabling CACHE ctrl Ulf Hansson mmc: core: Allow BKOPS and CACHE ctrl even if no HPI support Ulf Hansson mmc: core: Reset HPI enabled state during re-init and in case of errors Jens Axboe scsi: sd: use mempool for discard special page Jörgen Storvist USB: serial: option: add Telit LN940 series Jörgen Storvist USB: serial: option: add Fibocom NL668 series Jörgen Storvist USB: serial: option: add Simcom SIM7500/SIM7600 (MBIM mode) Tore Anderson USB: serial: option: add HP lt4132 Jörgen Storvist USB: serial: option: add GosunCn ZTE WeLink ME3630 Nicolas Saenz Julienne USB: xhci: fix 'broken_suspend' placement in struct xchi_hcd Mathias Nyman xhci: Don't prevent USB2 bus suspend in state check intended for USB3 only Hui Peng USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data Dan Carpenter cifs: integer overflow in in SMB2_ioctl() Jiri Olsa perf record: Synthesize features before events in pipe mode Bart Van Assche ib_srpt: Fix a use-after-free in __srpt_close_all_ch() Richard Weinberger ubifs: Fix directory size calculation for symlinks Daniel Mack ASoC: sta32x: set ->component pointer in private struct Mikulas Patocka block: fix infinite loop if the device loses discard capability Jens Axboe block: break discard submissions into the user defined size - Diffstat: Makefile | 4 +- arch/x86/include/asm/msr-index.h | 1 + arch/x86/kernel/cpu/mtrr/if.c | 2 + arch/x86/kvm/vmx.c| 2 + arch/x86/kvm/x86.c| 2 + block/blk-lib.c | 22 +++- drivers/gpio/gpio-max7301.c | 12 +-- drivers/gpio/gpiolib-acpi.c | 144 +++--- drivers/gpu/drm/drm_ioctl.c | 10 +- drivers/hv/vmbus_drv.c| 20 drivers/infiniband/ulp/srpt/ib_srpt.c | 4 +- drivers/mmc/core/mmc.c| 24 +++-- drivers/mmc/host/omap_hsmmc.c | 12 ++- drivers/net/usb/hso.c | 18 +++- drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 9 ++ drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 50 + drivers/scsi/sd.c | 23 +++- drivers/spi/spi-imx.c | 91 drivers/usb/host/xhci-hub.c | 3 +- drivers/usb/host/xhci.h | 4 +- drivers/usb/serial/option.c | 16 ++- fs/cifs/smb2pdu.c | 4 +- fs/proc/proc_sysctl.c | 13 ++- fs/ubifs/dir.c| 5 +-
[PATCH 4.14 25/36] KVM: Fix UAF in nested posted interrupt processing
4.14-stable review patch. If anyone has any objections, please let me know. -- From: Cfir Cohen commit c2dd5146e9fe1f22c77c1b011adf84eea0245806 upstream. nested_get_vmcs12_pages() processes the posted_intr address in vmcs12. It caches the kmap()ed page object and pointer, however, it doesn't handle errors correctly: it's possible to cache a valid pointer, then release the page and later dereference the dangling pointer. I was able to reproduce with the following steps: 1. Call vmlaunch with valid posted_intr_desc_addr but an invalid MSR_EFER. This causes nested_get_vmcs12_pages() to cache the kmap()ed pi_desc_page and pi_desc. Later the invalid EFER value fails check_vmentry_postreqs() which fails the first vmlaunch. 2. Call vmlanuch with a valid EFER but an invalid posted_intr_desc_addr (I set it to 2G - 0x80). The second time we call nested_get_vmcs12_pages pi_desc_page is unmapped and released and pi_desc_page is set to NULL (the "shouldn't happen" clause). Due to the invalid posted_intr_desc_addr, kvm_vcpu_gpa_to_page() fails and nested_get_vmcs12_pages() returns. It doesn't return an error value so vmlaunch proceeds. Note that at this time we have a dangling pointer in vmx->nested.pi_desc and POSTED_INTR_DESC_ADDR in L0's vmcs. 3. Issue an IPI in L2 guest code. This triggers a call to vmx_complete_nested_posted_interrupt() and pi_test_and_clear_on() which dereferences the dangling pointer. Vulnerable code requires nested and enable_apicv variables to be set to true. The host CPU must also support posted interrupts. Fixes: 5e2f30b756a37 "KVM: nVMX: get rid of nested_get_page()" Cc: sta...@vger.kernel.org Reviewed-by: Andy Honig Signed-off-by: Cfir Cohen Reviewed-by: Liran Alon Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman --- arch/x86/kvm/vmx.c |2 ++ 1 file changed, 2 insertions(+) --- a/arch/x86/kvm/vmx.c +++ b/arch/x86/kvm/vmx.c @@ -10447,6 +10447,8 @@ static void nested_get_vmcs12_pages(stru kunmap(vmx->nested.pi_desc_page); kvm_release_page_dirty(vmx->nested.pi_desc_page); vmx->nested.pi_desc_page = NULL; + vmx->nested.pi_desc = NULL; + vmcs_write64(POSTED_INTR_DESC_ADDR, -1ull); } page = kvm_vcpu_gpa_to_page(vcpu, vmcs12->posted_intr_desc_addr); if (is_error_page(page))
[PATCH 4.14 23/36] posix-timers: Fix division by zero bug
4.14-stable review patch. If anyone has any objections, please let me know.
--
From: Thomas Gleixner
commit 0e334db6bb4b1fd1e2d72c1f3d8f004313cd9f94 upstream.
The signal delivery path of posix-timers can try to rearm the timer even if
the interval is zero. That's handled for the common case (hrtimer) but not
for alarm timers. In that case the forwarding function raises a division by
zero exception.
The handling for hrtimer based posix timers is wrong because it marks the
timer as active despite the fact that it is stopped.
Move the check from common_hrtimer_rearm() to posixtimer_rearm() to cure
both issues.
Reported-by: syzbot+9d38bedac9cc77b8a...@syzkaller.appspotmail.com
Signed-off-by: Thomas Gleixner
Cc: John Stultz
Cc: Linus Torvalds
Cc: Peter Zijlstra
Cc: sb...@kernel.org
Cc: sta...@vger.kernel.org
Cc: syzkaller-b...@googlegroups.com
Link:
http://lkml.kernel.org/r/alpine.deb.2.21.1812171328050.1...@nanos.tec.linutronix.de
Signed-off-by: Ingo Molnar
Signed-off-by: Greg Kroah-Hartman
---
kernel/time/posix-timers.c |5 +
1 file changed, 1 insertion(+), 4 deletions(-)
--- a/kernel/time/posix-timers.c
+++ b/kernel/time/posix-timers.c
@@ -298,9 +298,6 @@ static void common_hrtimer_rearm(struct
{
struct hrtimer *timer = >it.real.timer;
- if (!timr->it_interval)
- return;
-
timr->it_overrun += hrtimer_forward(timer, timer->base->get_time(),
timr->it_interval);
hrtimer_restart(timer);
@@ -326,7 +323,7 @@ void posixtimer_rearm(struct siginfo *in
if (!timr)
return;
- if (timr->it_requeue_pending == info->si_sys_private) {
+ if (timr->it_interval && timr->it_requeue_pending ==
info->si_sys_private) {
timr->kclock->timer_rearm(timr);
timr->it_active = 1;
[PATCH 4.14 33/36] ubifs: Handle re-linking of inodes correctly while recovery
4.14-stable review patch. If anyone has any objections, please let me know.
--
commit e58725d51fa8da9133f3f1c54170aa2e43056b91 upstream.
UBIFS's recovery code strictly assumes that a deleted inode will never
come back, therefore it removes all data which belongs to that inode
as soon it faces an inode with link count 0 in the replay list.
Before O_TMPFILE this assumption was perfectly fine. With O_TMPFILE
it can lead to data loss upon a power-cut.
Consider a journal with entries like:
0: inode X (nlink = 0) /* O_TMPFILE was created */
1: data for inode X /* Someone writes to the temp file */
2: inode X (nlink = 0) /* inode was changed, xattr, chmod, … */
3: inode X (nlink = 1) /* inode was re-linked via linkat() */
Upon replay of entry #2 UBIFS will drop all data that belongs to inode X,
this will lead to an empty file after mounting.
As solution for this problem, scan the replay list for a re-link entry
before dropping data.
Fixes: 474b93704f32 ("ubifs: Implement O_TMPFILE")
Cc: sta...@vger.kernel.org # 4.9-4.18
Cc: Russell Senior
Cc: Rafał Miłecki
Reported-by: Russell Senior
Reported-by: Rafał Miłecki
Tested-by: Rafał Miłecki
Signed-off-by: Richard Weinberger
[rmilecki: update ubifs_assert() calls to compile with 4.18 and older]
Signed-off-by: Rafał Miłecki
(cherry picked from commit e58725d51fa8da9133f3f1c54170aa2e43056b91)
Signed-off-by: Sasha Levin
---
fs/ubifs/replay.c | 37 +
1 file changed, 37 insertions(+)
diff --git a/fs/ubifs/replay.c b/fs/ubifs/replay.c
index ae5c02f22f3e..d998fbf7de30 100644
--- a/fs/ubifs/replay.c
+++ b/fs/ubifs/replay.c
@@ -209,6 +209,38 @@ static int trun_remove_range(struct ubifs_info *c, struct
replay_entry *r)
return ubifs_tnc_remove_range(c, _key, _key);
}
+/**
+ * inode_still_linked - check whether inode in question will be re-linked.
+ * @c: UBIFS file-system description object
+ * @rino: replay entry to test
+ *
+ * O_TMPFILE files can be re-linked, this means link count goes from 0 to 1.
+ * This case needs special care, otherwise all references to the inode will
+ * be removed upon the first replay entry of an inode with link count 0
+ * is found.
+ */
+static bool inode_still_linked(struct ubifs_info *c, struct replay_entry *rino)
+{
+ struct replay_entry *r;
+
+ ubifs_assert(rino->deletion);
+ ubifs_assert(key_type(c, >key) == UBIFS_INO_KEY);
+
+ /*
+* Find the most recent entry for the inode behind @rino and check
+* whether it is a deletion.
+*/
+ list_for_each_entry_reverse(r, >replay_list, list) {
+ ubifs_assert(r->sqnum >= rino->sqnum);
+ if (key_inum(c, >key) == key_inum(c, >key))
+ return r->deletion == 0;
+
+ }
+
+ ubifs_assert(0);
+ return false;
+}
+
/**
* apply_replay_entry - apply a replay entry to the TNC.
* @c: UBIFS file-system description object
@@ -239,6 +271,11 @@ static int apply_replay_entry(struct ubifs_info *c, struct
replay_entry *r)
{
ino_t inum = key_inum(c, >key);
+ if (inode_still_linked(c, r)) {
+ err = 0;
+ break;
+ }
+
err = ubifs_tnc_remove_ino(c, inum);
break;
}
--
2.19.1
[PATCH 4.14 27/36] x86/mtrr: Dont copy uninitialized gentry fields back to userspace
4.14-stable review patch. If anyone has any objections, please let me know.
--
From: Colin Ian King
commit 32043fa065b51e0b1433e48d118821c71b5cd65d upstream.
Currently the copy_to_user of data in the gentry struct is copying
uninitiaized data in field _pad from the stack to userspace.
Fix this by explicitly memset'ing gentry to zero, this also will zero any
compiler added padding fields that may be in struct (currently there are
none).
Detected by CoverityScan, CID#200783 ("Uninitialized scalar variable")
Fixes: b263b31e8ad6 ("x86, mtrr: Use explicit sizing and padding for the 64-bit
ioctls")
Signed-off-by: Colin Ian King
Signed-off-by: Thomas Gleixner
Reviewed-by: Tyler Hicks
Cc: secur...@kernel.org
Link: https://lkml.kernel.org/r/20181218172956.1440-1-colin.k...@canonical.com
Signed-off-by: Greg Kroah-Hartman
---
arch/x86/kernel/cpu/mtrr/if.c |2 ++
1 file changed, 2 insertions(+)
--- a/arch/x86/kernel/cpu/mtrr/if.c
+++ b/arch/x86/kernel/cpu/mtrr/if.c
@@ -173,6 +173,8 @@ mtrr_ioctl(struct file *file, unsigned i
struct mtrr_gentry gentry;
void __user *arg = (void __user *) __arg;
+ memset(, 0, sizeof(gentry));
+
switch (cmd) {
case MTRRIOC_ADD_ENTRY:
case MTRRIOC_SET_ENTRY:
[PATCH 4.14 17/36] mmc: core: Reset HPI enabled state during re-init and in case of errors
4.14-stable review patch. If anyone has any objections, please let me know.
--
From: Ulf Hansson
commit a0741ba40a009f97c019ae7541dc61c1fdf41efb upstream.
During a re-initialization of the eMMC card, we may fail to re-enable HPI.
In these cases, that isn't properly reflected in the card->ext_csd.hpi_en
bit, as it keeps being set. This may cause following attempts to use HPI,
even if's not enabled. Let's fix this!
Fixes: eb0d8f135b67 ("mmc: core: support HPI send command")
Cc:
Signed-off-by: Ulf Hansson
Signed-off-by: Greg Kroah-Hartman
---
drivers/mmc/core/mmc.c |4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/mmc/core/mmc.c
+++ b/drivers/mmc/core/mmc.c
@@ -1755,9 +1755,11 @@ static int mmc_init_card(struct mmc_host
if (err) {
pr_warn("%s: Enabling HPI failed\n",
mmc_hostname(card->host));
+ card->ext_csd.hpi_en = 0;
err = 0;
- } else
+ } else {
card->ext_csd.hpi_en = 1;
+ }
}
/*
[PATCH 4.14 32/36] spi: imx: mx51-ecspi: Move some initialisation to prepare_message hook.
4.14-stable review patch. If anyone has any objections, please let me know.
--
The relevant difference between prepare_message and config is that the
former is run before the CS signal is asserted. So the polarity of the
CLK line must be configured in prepare_message as an edge generated by
config might already result in a latch of the MOSI line.
Signed-off-by: Uwe Kleine-König
Signed-off-by: Mark Brown
[ukleinek: backport to v4.14.x]
Signed-off-by: Uwe Kleine-König
Signed-off-by: Sasha Levin
---
drivers/spi/spi-imx.c | 59 ++-
1 file changed, 36 insertions(+), 23 deletions(-)
diff --git a/drivers/spi/spi-imx.c b/drivers/spi/spi-imx.c
index 3fdb0652429b..df18d07d544d 100644
--- a/drivers/spi/spi-imx.c
+++ b/drivers/spi/spi-imx.c
@@ -443,14 +443,9 @@ static void mx51_ecspi_trigger(struct spi_imx_data
*spi_imx)
static int mx51_ecspi_prepare_message(struct spi_imx_data *spi_imx,
struct spi_message *msg)
{
- return 0;
-}
-
-static int mx51_ecspi_config(struct spi_device *spi)
-{
- struct spi_imx_data *spi_imx = spi_master_get_devdata(spi->master);
+ struct spi_device *spi = msg->spi;
u32 ctrl = MX51_ECSPI_CTRL_ENABLE;
- u32 clk = spi_imx->speed_hz, delay, reg;
+ u32 testreg;
u32 cfg = readl(spi_imx->base + MX51_ECSPI_CONFIG);
/*
@@ -468,14 +463,21 @@ static int mx51_ecspi_config(struct spi_device *spi)
if (spi->mode & SPI_READY)
ctrl |= MX51_ECSPI_CTRL_DRCTL(spi_imx->spi_drctl);
- /* set clock speed */
- ctrl |= mx51_ecspi_clkdiv(spi_imx, spi_imx->speed_hz, );
- spi_imx->spi_bus_clk = clk;
-
/* set chip select to use */
ctrl |= MX51_ECSPI_CTRL_CS(spi->chip_select);
- ctrl |= (spi_imx->bits_per_word - 1) << MX51_ECSPI_CTRL_BL_OFFSET;
+ /*
+* The ctrl register must be written first, with the EN bit set other
+* registers must not be written to.
+*/
+ writel(ctrl, spi_imx->base + MX51_ECSPI_CTRL);
+
+ testreg = readl(spi_imx->base + MX51_ECSPI_TESTREG);
+ if (spi->mode & SPI_LOOP)
+ testreg |= MX51_ECSPI_TESTREG_LBC;
+ else
+ testreg &= ~MX51_ECSPI_TESTREG_LBC;
+ writel(testreg, spi_imx->base + MX51_ECSPI_TESTREG);
cfg |= MX51_ECSPI_CONFIG_SBBCTRL(spi->chip_select);
@@ -491,26 +493,38 @@ static int mx51_ecspi_config(struct spi_device *spi)
cfg &= ~MX51_ECSPI_CONFIG_SCLKPOL(spi->chip_select);
cfg &= ~MX51_ECSPI_CONFIG_SCLKCTL(spi->chip_select);
}
+
if (spi->mode & SPI_CS_HIGH)
cfg |= MX51_ECSPI_CONFIG_SSBPOL(spi->chip_select);
else
cfg &= ~MX51_ECSPI_CONFIG_SSBPOL(spi->chip_select);
+ writel(cfg, spi_imx->base + MX51_ECSPI_CONFIG);
+
+ return 0;
+}
+
+static int mx51_ecspi_config(struct spi_device *spi)
+{
+ struct spi_imx_data *spi_imx = spi_master_get_devdata(spi->master);
+ u32 ctrl = readl(spi_imx->base + MX51_ECSPI_CTRL);
+ u32 clk = spi_imx->speed_hz, delay;
+
+ /* Clear BL field and set the right value */
+ ctrl &= ~MX51_ECSPI_CTRL_BL_MASK;
+ ctrl |= (spi_imx->bits_per_word - 1) << MX51_ECSPI_CTRL_BL_OFFSET;
+
+ /* set clock speed */
+ ctrl &= ~(0xf << MX51_ECSPI_CTRL_POSTDIV_OFFSET |
+ 0xf << MX51_ECSPI_CTRL_PREDIV_OFFSET);
+ ctrl |= mx51_ecspi_clkdiv(spi_imx, spi_imx->speed_hz, );
+ spi_imx->spi_bus_clk = clk;
+
if (spi_imx->usedma)
ctrl |= MX51_ECSPI_CTRL_SMC;
- /* CTRL register always go first to bring out controller from reset */
writel(ctrl, spi_imx->base + MX51_ECSPI_CTRL);
- reg = readl(spi_imx->base + MX51_ECSPI_TESTREG);
- if (spi->mode & SPI_LOOP)
- reg |= MX51_ECSPI_TESTREG_LBC;
- else
- reg &= ~MX51_ECSPI_TESTREG_LBC;
- writel(reg, spi_imx->base + MX51_ECSPI_TESTREG);
-
- writel(cfg, spi_imx->base + MX51_ECSPI_CONFIG);
-
/*
* Wait until the changes in the configuration register CONFIGREG
* propagate into the hardware. It takes exactly one tick of the
@@ -532,7 +546,6 @@ static int mx51_ecspi_config(struct spi_device *spi)
* Configure the DMA register: setup the watermark
* and enable DMA request.
*/
-
writel(MX51_ECSPI_DMA_RX_WML(spi_imx->wml) |
MX51_ECSPI_DMA_TX_WML(spi_imx->wml) |
MX51_ECSPI_DMA_RXT_WML(spi_imx->wml) |
--
2.19.1
[PATCH 4.14 16/36] scsi: sd: use mempool for discard special page
4.14-stable review patch. If anyone has any objections, please let me know.
--
From: Jens Axboe
commit 61cce6f6eeced5ddd9cac55e807fe28b4f18c1ba upstream.
When boxes are run near (or to) OOM, we have a problem with the discard
page allocation in sd. If we fail allocating the special page, we return
busy, and it'll get retried. But since ordering is honored for dispatch
requests, we can keep retrying this same IO and failing. Behind that IO
could be requests that want to free memory, but they never get the
chance. This means you get repeated spews of traces like this:
[1201401.625972] Call Trace:
[1201401.631748] dump_stack+0x4d/0x65
[1201401.639445] warn_alloc+0xec/0x190
[1201401.647335] __alloc_pages_slowpath+0xe84/0xf30
[1201401.657722] ? get_page_from_freelist+0x11b/0xb10
[1201401.668475] ? __alloc_pages_slowpath+0x2e/0xf30
[1201401.679054] __alloc_pages_nodemask+0x1f9/0x210
[1201401.689424] alloc_pages_current+0x8c/0x110
[1201401.699025] sd_setup_write_same16_cmnd+0x51/0x150
[1201401.709987] sd_init_command+0x49c/0xb70
[1201401.719029] scsi_setup_cmnd+0x9c/0x160
[1201401.727877] scsi_queue_rq+0x4d9/0x610
[1201401.736535] blk_mq_dispatch_rq_list+0x19a/0x360
[1201401.747113] blk_mq_sched_dispatch_requests+0xff/0x190
[1201401.758844] __blk_mq_run_hw_queue+0x95/0xa0
[1201401.768653] blk_mq_run_work_fn+0x2c/0x30
[1201401.777886] process_one_work+0x14b/0x400
[1201401.787119] worker_thread+0x4b/0x470
[1201401.795586] kthread+0x110/0x150
[1201401.803089] ? rescuer_thread+0x320/0x320
[1201401.812322] ? kthread_park+0x90/0x90
[1201401.820787] ? do_syscall_64+0x53/0x150
[1201401.829635] ret_from_fork+0x29/0x40
Ensure that the discard page allocation has a mempool backing, so we
know we can make progress.
Cc: sta...@vger.kernel.org
Signed-off-by: Jens Axboe
Reviewed-by: Christoph Hellwig
Signed-off-by: Martin K. Petersen
Signed-off-by: Greg Kroah-Hartman
---
drivers/scsi/sd.c | 23 +++
1 file changed, 19 insertions(+), 4 deletions(-)
--- a/drivers/scsi/sd.c
+++ b/drivers/scsi/sd.c
@@ -133,6 +133,7 @@ static DEFINE_MUTEX(sd_ref_mutex);
static struct kmem_cache *sd_cdb_cache;
static mempool_t *sd_cdb_pool;
+static mempool_t *sd_page_pool;
static const char *sd_cache_types[] = {
"write through", "none", "write back",
@@ -759,9 +760,10 @@ static int sd_setup_unmap_cmnd(struct sc
unsigned int data_len = 24;
char *buf;
- rq->special_vec.bv_page = alloc_page(GFP_ATOMIC | __GFP_ZERO);
+ rq->special_vec.bv_page = mempool_alloc(sd_page_pool, GFP_ATOMIC);
if (!rq->special_vec.bv_page)
return BLKPREP_DEFER;
+ clear_highpage(rq->special_vec.bv_page);
rq->special_vec.bv_offset = 0;
rq->special_vec.bv_len = data_len;
rq->rq_flags |= RQF_SPECIAL_PAYLOAD;
@@ -792,9 +794,10 @@ static int sd_setup_write_same16_cmnd(st
u32 nr_sectors = blk_rq_sectors(rq) >> (ilog2(sdp->sector_size) - 9);
u32 data_len = sdp->sector_size;
- rq->special_vec.bv_page = alloc_page(GFP_ATOMIC | __GFP_ZERO);
+ rq->special_vec.bv_page = mempool_alloc(sd_page_pool, GFP_ATOMIC);
if (!rq->special_vec.bv_page)
return BLKPREP_DEFER;
+ clear_highpage(rq->special_vec.bv_page);
rq->special_vec.bv_offset = 0;
rq->special_vec.bv_len = data_len;
rq->rq_flags |= RQF_SPECIAL_PAYLOAD;
@@ -822,9 +825,10 @@ static int sd_setup_write_same10_cmnd(st
u32 nr_sectors = blk_rq_sectors(rq) >> (ilog2(sdp->sector_size) - 9);
u32 data_len = sdp->sector_size;
- rq->special_vec.bv_page = alloc_page(GFP_ATOMIC | __GFP_ZERO);
+ rq->special_vec.bv_page = mempool_alloc(sd_page_pool, GFP_ATOMIC);
if (!rq->special_vec.bv_page)
return BLKPREP_DEFER;
+ clear_highpage(rq->special_vec.bv_page);
rq->special_vec.bv_offset = 0;
rq->special_vec.bv_len = data_len;
rq->rq_flags |= RQF_SPECIAL_PAYLOAD;
@@ -1299,7 +1303,7 @@ static void sd_uninit_command(struct scs
sd_zbc_write_unlock_zone(SCpnt);
if (rq->rq_flags & RQF_SPECIAL_PAYLOAD)
- __free_page(rq->special_vec.bv_page);
+ mempool_free(rq->special_vec.bv_page, sd_page_pool);
if (SCpnt->cmnd != scsi_req(rq)->cmd) {
cmnd = SCpnt->cmnd;
@@ -3655,6 +3659,13 @@ static int __init init_sd(void)
goto err_out_cache;
}
+ sd_page_pool = mempool_create_page_pool(SD_MEMPOOL_SIZE, 0);
+ if (!sd_page_pool) {
+ printk(KERN_ERR "sd: can't init discard page pool\n");
+ err = -ENOMEM;
+ goto err_out_ppool;
+ }
+
err = scsi_register_driver(_template.gendrv);
if (err)
goto err_out_driver;
@@ -3662,6 +3673,9 @@ static int __init init_sd(void)
return 0;
err_out_driver:
+ mempool_destroy(sd_page_pool);
+
+err_out_ppool:
[PATCH 4.14 30/36] iwlwifi: add new cards for 9560, 9462, 9461 and killer series
4.14-stable review patch. If anyone has any objections, please let me know.
--
From: Ihab Zhaika
commit f108703cb5f199d0fc98517ac29a997c4c646c94 upstream.
add few PCI ID'S for 9560, 9462, 9461 and killer series.
Cc: sta...@vger.kernel.org
Signed-off-by: Ihab Zhaika
Signed-off-by: Luca Coelho
Signed-off-by: Greg Kroah-Hartman
---
drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 50 ++
1 file changed, 50 insertions(+)
--- a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
+++ b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
@@ -517,6 +517,56 @@ static const struct pci_device_id iwl_hw
{IWL_PCI_DEVICE(0x24FD, 0x9074, iwl8265_2ac_cfg)},
/* 9000 Series */
+ {IWL_PCI_DEVICE(0x02F0, 0x0030, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x02F0, 0x0034, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x02F0, 0x0038, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x02F0, 0x003C, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x02F0, 0x0060, iwl9461_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x02F0, 0x0064, iwl9461_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x02F0, 0x00A0, iwl9462_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x02F0, 0x00A4, iwl9462_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x02F0, 0x0230, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x02F0, 0x0234, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x02F0, 0x0238, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x02F0, 0x023C, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x02F0, 0x0260, iwl9461_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x02F0, 0x0264, iwl9461_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x02F0, 0x02A0, iwl9462_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x02F0, 0x02A4, iwl9462_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x02F0, 0x1551, iwl9560_killer_s_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x02F0, 0x1552, iwl9560_killer_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x02F0, 0x2030, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x02F0, 0x2034, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x02F0, 0x4030, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x02F0, 0x4034, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x02F0, 0x40A4, iwl9462_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x02F0, 0x4234, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x02F0, 0x42A4, iwl9462_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x06F0, 0x0030, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x06F0, 0x0034, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x06F0, 0x0038, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x06F0, 0x003C, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x06F0, 0x0060, iwl9461_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x06F0, 0x0064, iwl9461_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x06F0, 0x00A0, iwl9462_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x06F0, 0x00A4, iwl9462_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x06F0, 0x0230, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x06F0, 0x0234, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x06F0, 0x0238, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x06F0, 0x023C, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x06F0, 0x0260, iwl9461_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x06F0, 0x0264, iwl9461_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x06F0, 0x02A0, iwl9462_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x06F0, 0x02A4, iwl9462_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x06F0, 0x1551, iwl9560_killer_s_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x06F0, 0x1552, iwl9560_killer_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x06F0, 0x2030, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x06F0, 0x2034, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x06F0, 0x4030, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x06F0, 0x4034, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x06F0, 0x40A4, iwl9462_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x06F0, 0x4234, iwl9560_2ac_cfg_soc)},
+ {IWL_PCI_DEVICE(0x06F0, 0x42A4, iwl9462_2ac_cfg_soc)},
{IWL_PCI_DEVICE(0x2526, 0x0010, iwl9260_2ac_cfg)},
{IWL_PCI_DEVICE(0x2526, 0x0014, iwl9260_2ac_cfg)},
{IWL_PCI_DEVICE(0x2526, 0x0018, iwl9260_2ac_cfg)},
[PATCH 4.14 18/36] mmc: core: Allow BKOPS and CACHE ctrl even if no HPI support
4.14-stable review patch. If anyone has any objections, please let me know.
--
From: Ulf Hansson
commit ba9f39a785a9977e72233000711ef1eb48203551 upstream.
In commit 5320226a0512 ("mmc: core: Disable HPI for certain Hynix eMMC
cards"), then intent was to prevent HPI from being used for some eMMC
cards, which didn't properly support it. However, that went too far, as
even BKOPS and CACHE ctrl became prevented. Let's restore those parts and
allow BKOPS and CACHE ctrl even if HPI isn't supported.
Fixes: 5320226a0512 ("mmc: core: Disable HPI for certain Hynix eMMC cards")
Cc: Pratibhasagar V
Cc:
Signed-off-by: Ulf Hansson
Signed-off-by: Greg Kroah-Hartman
---
drivers/mmc/core/mmc.c |6 ++
1 file changed, 2 insertions(+), 4 deletions(-)
--- a/drivers/mmc/core/mmc.c
+++ b/drivers/mmc/core/mmc.c
@@ -526,8 +526,7 @@ static int mmc_decode_ext_csd(struct mmc
card->cid.year += 16;
/* check whether the eMMC card supports BKOPS */
- if (!mmc_card_broken_hpi(card) &&
- ext_csd[EXT_CSD_BKOPS_SUPPORT] & 0x1) {
+ if (ext_csd[EXT_CSD_BKOPS_SUPPORT] & 0x1) {
card->ext_csd.bkops = 1;
card->ext_csd.man_bkops_en =
(ext_csd[EXT_CSD_BKOPS_EN] &
@@ -1766,8 +1765,7 @@ static int mmc_init_card(struct mmc_host
* If cache size is higher than 0, this indicates
* the existence of cache and it can be turned on.
*/
- if (!mmc_card_broken_hpi(card) &&
- card->ext_csd.cache_size > 0) {
+ if (card->ext_csd.cache_size > 0) {
err = mmc_switch(card, EXT_CSD_CMD_SET_NORMAL,
EXT_CSD_CACHE_CTRL, 1,
card->ext_csd.generic_cmd6_time);
[PATCH 4.14 13/36] USB: serial: option: add Simcom SIM7500/SIM7600 (MBIM mode)
4.14-stable review patch. If anyone has any objections, please let me know.
--
From: Jörgen Storvist
commit cc6730df08a291e51e145bc65e24ffb5e2f17ab6 upstream.
Added USB serial option driver support for Simcom SIM7500/SIM7600 series
cellular modules exposing MBIM interface (VID 0x1e0e,PID 0x9003)
T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 14 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=1e0e ProdID=9003 Rev=03.18
S: Manufacturer=SimTech, Incorporated
S: Product=SimTech, Incorporated
S: SerialNumber=0123456789ABCDEF
C: #Ifs= 7 Cfg#= 1 Atr=a0 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I: If#= 5 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim
I: If#= 6 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
Signed-off-by: Jörgen Storvist
Cc: stable
Signed-off-by: Johan Hovold
Signed-off-by: Greg Kroah-Hartman
---
drivers/usb/serial/option.c |1 +
1 file changed, 1 insertion(+)
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -1763,6 +1763,7 @@ static const struct usb_device_id option
{ USB_DEVICE_AND_INTERFACE_INFO(ALINK_VENDOR_ID, ALINK_PRODUCT_3GU,
0xff, 0xff, 0xff) },
{ USB_DEVICE(ALINK_VENDOR_ID, SIMCOM_PRODUCT_SIM7100E),
.driver_info = RSVD(5) | RSVD(6) },
+ { USB_DEVICE_INTERFACE_CLASS(0x1e0e, 0x9003, 0xff) }, /* Simcom
SIM7500/SIM7600 MBIM mode */
{ USB_DEVICE(ALCATEL_VENDOR_ID, ALCATEL_PRODUCT_X060S_X200),
.driver_info = NCTRL(0) | NCTRL(1) | RSVD(4) },
{ USB_DEVICE(ALCATEL_VENDOR_ID, ALCATEL_PRODUCT_X220_X500D),
[PATCH 4.14 21/36] gpio: max7301: fix driver for use with CONFIG_VMAP_STACK
4.14-stable review patch. If anyone has any objections, please let me know.
--
From: Christophe Leroy
commit abf221d2f51b8ce7b9959a8953f880a8b0a1400d upstream.
spi_read() and spi_write() require DMA-safe memory. When
CONFIG_VMAP_STACK is selected, those functions cannot be used
with buffers on stack.
This patch replaces calls to spi_read() and spi_write() by
spi_write_then_read() which doesn't require DMA-safe buffers.
Fixes: 0c36ec314735 ("gpio: gpio driver for max7301 SPI GPIO expander")
Cc:
Signed-off-by: Christophe Leroy
Signed-off-by: Linus Walleij
Signed-off-by: Greg Kroah-Hartman
---
drivers/gpio/gpio-max7301.c | 12 +++-
1 file changed, 3 insertions(+), 9 deletions(-)
--- a/drivers/gpio/gpio-max7301.c
+++ b/drivers/gpio/gpio-max7301.c
@@ -25,7 +25,7 @@ static int max7301_spi_write(struct devi
struct spi_device *spi = to_spi_device(dev);
u16 word = ((reg & 0x7F) << 8) | (val & 0xFF);
- return spi_write(spi, (const u8 *), sizeof(word));
+ return spi_write_then_read(spi, , sizeof(word), NULL, 0);
}
/* A read from the MAX7301 means two transfers; here, one message each */
@@ -37,14 +37,8 @@ static int max7301_spi_read(struct devic
struct spi_device *spi = to_spi_device(dev);
word = 0x8000 | (reg << 8);
- ret = spi_write(spi, (const u8 *), sizeof(word));
- if (ret)
- return ret;
- /*
-* This relies on the fact, that a transfer with NULL tx_buf shifts out
-* zero bytes (=NOOP for MAX7301)
-*/
- ret = spi_read(spi, (u8 *), sizeof(word));
+ ret = spi_write_then_read(spi, , sizeof(word), ,
+ sizeof(word));
if (ret)
return ret;
return word & 0xff;
[PATCH 4.9 21/22] proc/sysctl: dont return ENOMEM on lookup when a table is unregistering
4.9-stable review patch. If anyone has any objections, please let me know.
--
From: Ivan Delalande
commit ea5751ccd665a2fd1b24f9af81f6167f0718c5f6 upstream.
proc_sys_lookup can fail with ENOMEM instead of ENOENT when the
corresponding sysctl table is being unregistered. In our case we see
this upon opening /proc/sys/net/*/conf files while network interfaces
are being deleted, which confuses our configuration daemon.
The problem was successfully reproduced and this fix tested on v4.9.122
and v4.20-rc6.
v2: return ERR_PTRs in all cases when proc_sys_make_inode fails instead
of mixing them with NULL. Thanks Al Viro for the feedback.
Fixes: ace0c791e6c3 ("proc/sysctl: Don't grab i_lock under sysctl_lock.")
Cc: sta...@vger.kernel.org
Signed-off-by: Ivan Delalande
Signed-off-by: Al Viro
Signed-off-by: Greg Kroah-Hartman
---
fs/proc/proc_sysctl.c | 13 ++---
1 file changed, 6 insertions(+), 7 deletions(-)
--- a/fs/proc/proc_sysctl.c
+++ b/fs/proc/proc_sysctl.c
@@ -466,7 +466,7 @@ static struct inode *proc_sys_make_inode
inode = new_inode(sb);
if (!inode)
- goto out;
+ return ERR_PTR(-ENOMEM);
inode->i_ino = get_next_ino();
@@ -476,8 +476,7 @@ static struct inode *proc_sys_make_inode
if (unlikely(head->unregistering)) {
spin_unlock(_lock);
iput(inode);
- inode = NULL;
- goto out;
+ return ERR_PTR(-ENOENT);
}
ei->sysctl = head;
ei->sysctl_entry = table;
@@ -502,7 +501,6 @@ static struct inode *proc_sys_make_inode
if (root->set_ownership)
root->set_ownership(head, table, >i_uid, >i_gid);
-out:
return inode;
}
@@ -551,10 +549,11 @@ static struct dentry *proc_sys_lookup(st
goto out;
}
- err = ERR_PTR(-ENOMEM);
inode = proc_sys_make_inode(dir->i_sb, h ? h : head, p);
- if (!inode)
+ if (IS_ERR(inode)) {
+ err = ERR_CAST(inode);
goto out;
+ }
err = NULL;
d_set_d_op(dentry, _sys_dentry_operations);
@@ -687,7 +686,7 @@ static bool proc_sys_fill_cache(struct f
return false;
if (d_in_lookup(child)) {
inode = proc_sys_make_inode(dir->d_sb, head, table);
- if (!inode) {
+ if (IS_ERR(inode)) {
d_lookup_done(child);
dput(child);
return false;
[PATCH 4.9 04/22] USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data
4.9-stable review patch. If anyone has any objections, please let me know.
--
From: Hui Peng
commit 5146f95df782b0ac61abde36567e718692725c89 upstream.
The function hso_probe reads if_num from the USB device (as an u8) and uses
it without a length check to index an array, resulting in an OOB memory read
in hso_probe or hso_get_config_data.
Add a length check for both locations and updated hso_probe to bail on
error.
This issue has been assigned CVE-2018-19985.
Reported-by: Hui Peng
Reported-by: Mathias Payer
Signed-off-by: Hui Peng
Signed-off-by: Mathias Payer
Reviewed-by: Sebastian Andrzej Siewior
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
drivers/net/usb/hso.c | 18 --
1 file changed, 16 insertions(+), 2 deletions(-)
--- a/drivers/net/usb/hso.c
+++ b/drivers/net/usb/hso.c
@@ -2808,6 +2808,12 @@ static int hso_get_config_data(struct us
return -EIO;
}
+ /* check if we have a valid interface */
+ if (if_num > 16) {
+ kfree(config_data);
+ return -EINVAL;
+ }
+
switch (config_data[if_num]) {
case 0x0:
result = 0;
@@ -2878,10 +2884,18 @@ static int hso_probe(struct usb_interfac
/* Get the interface/port specification from either driver_info or from
* the device itself */
- if (id->driver_info)
+ if (id->driver_info) {
+ /* if_num is controlled by the device, driver_info is a 0
terminated
+* array. Make sure, the access is in bounds! */
+ for (i = 0; i <= if_num; ++i)
+ if (((u32 *)(id->driver_info))[i] == 0)
+ goto exit;
port_spec = ((u32 *)(id->driver_info))[if_num];
- else
+ } else {
port_spec = hso_get_config_data(interface);
+ if (port_spec < 0)
+ goto exit;
+ }
/* Check if we need to switch to alt interfaces prior to port
* configuration */
[PATCH 4.9 22/22] drm/ioctl: Fix Spectre v1 vulnerabilities
4.9-stable review patch. If anyone has any objections, please let me know.
--
From: Gustavo A. R. Silva
commit 505b5240329b922f21f91d5b5d1e535c805eca6d upstream.
nr is indirectly controlled by user-space, hence leading to a
potential exploitation of the Spectre variant 1 vulnerability.
This issue was detected with the help of Smatch:
drivers/gpu/drm/drm_ioctl.c:805 drm_ioctl() warn: potential spectre issue
'dev->driver->ioctls' [r]
drivers/gpu/drm/drm_ioctl.c:810 drm_ioctl() warn: potential spectre issue
'drm_ioctls' [r] (local cap)
drivers/gpu/drm/drm_ioctl.c:892 drm_ioctl_flags() warn: potential spectre issue
'drm_ioctls' [r] (local cap)
Fix this by sanitizing nr before using it to index dev->driver->ioctls
and drm_ioctls.
Notice that given that speculation windows are large, the policy is
to kill the speculation on the first load and not worry if it can be
completed with a dependent load/store [1].
[1] https://marc.info/?l=linux-kernel=152449131114778=2
Cc: sta...@vger.kernel.org
Signed-off-by: Gustavo A. R. Silva
Signed-off-by: Daniel Vetter
Link:
https://patchwork.freedesktop.org/patch/msgid/2018122015.GA18973@embeddedor
Signed-off-by: Greg Kroah-Hartman
---
drivers/gpu/drm/drm_ioctl.c | 10 --
1 file changed, 8 insertions(+), 2 deletions(-)
--- a/drivers/gpu/drm/drm_ioctl.c
+++ b/drivers/gpu/drm/drm_ioctl.c
@@ -36,6 +36,7 @@
#include
#include
+#include
/**
* DOC: getunique and setversion story
@@ -668,13 +669,17 @@ long drm_ioctl(struct file *filp,
if (is_driver_ioctl) {
/* driver ioctl */
- if (nr - DRM_COMMAND_BASE >= dev->driver->num_ioctls)
+ unsigned int index = nr - DRM_COMMAND_BASE;
+
+ if (index >= dev->driver->num_ioctls)
goto err_i1;
- ioctl = >driver->ioctls[nr - DRM_COMMAND_BASE];
+ index = array_index_nospec(index, dev->driver->num_ioctls);
+ ioctl = >driver->ioctls[index];
} else {
/* core ioctl */
if (nr >= DRM_CORE_IOCTL_COUNT)
goto err_i1;
+ nr = array_index_nospec(nr, DRM_CORE_IOCTL_COUNT);
ioctl = _ioctls[nr];
}
@@ -770,6 +775,7 @@ bool drm_ioctl_flags(unsigned int nr, un
if (nr >= DRM_CORE_IOCTL_COUNT)
return false;
+ nr = array_index_nospec(nr, DRM_CORE_IOCTL_COUNT);
*flags = drm_ioctls[nr].flags;
return true;
[PATCH 4.9 15/22] gpio: max7301: fix driver for use with CONFIG_VMAP_STACK
4.9-stable review patch. If anyone has any objections, please let me know.
--
From: Christophe Leroy
commit abf221d2f51b8ce7b9959a8953f880a8b0a1400d upstream.
spi_read() and spi_write() require DMA-safe memory. When
CONFIG_VMAP_STACK is selected, those functions cannot be used
with buffers on stack.
This patch replaces calls to spi_read() and spi_write() by
spi_write_then_read() which doesn't require DMA-safe buffers.
Fixes: 0c36ec314735 ("gpio: gpio driver for max7301 SPI GPIO expander")
Cc:
Signed-off-by: Christophe Leroy
Signed-off-by: Linus Walleij
Signed-off-by: Greg Kroah-Hartman
---
drivers/gpio/gpio-max7301.c | 12 +++-
1 file changed, 3 insertions(+), 9 deletions(-)
--- a/drivers/gpio/gpio-max7301.c
+++ b/drivers/gpio/gpio-max7301.c
@@ -25,7 +25,7 @@ static int max7301_spi_write(struct devi
struct spi_device *spi = to_spi_device(dev);
u16 word = ((reg & 0x7F) << 8) | (val & 0xFF);
- return spi_write(spi, (const u8 *), sizeof(word));
+ return spi_write_then_read(spi, , sizeof(word), NULL, 0);
}
/* A read from the MAX7301 means two transfers; here, one message each */
@@ -37,14 +37,8 @@ static int max7301_spi_read(struct devic
struct spi_device *spi = to_spi_device(dev);
word = 0x8000 | (reg << 8);
- ret = spi_write(spi, (const u8 *), sizeof(word));
- if (ret)
- return ret;
- /*
-* This relies on the fact, that a transfer with NULL tx_buf shifts out
-* zero bytes (=NOOP for MAX7301)
-*/
- ret = spi_read(spi, (u8 *), sizeof(word));
+ ret = spi_write_then_read(spi, , sizeof(word), ,
+ sizeof(word));
if (ret)
return ret;
return word & 0xff;
[PATCH 4.9 19/22] ubifs: Handle re-linking of inodes correctly while recovery
4.9-stable review patch. If anyone has any objections, please let me know.
--
commit e58725d51fa8da9133f3f1c54170aa2e43056b91 upstream.
UBIFS's recovery code strictly assumes that a deleted inode will never
come back, therefore it removes all data which belongs to that inode
as soon it faces an inode with link count 0 in the replay list.
Before O_TMPFILE this assumption was perfectly fine. With O_TMPFILE
it can lead to data loss upon a power-cut.
Consider a journal with entries like:
0: inode X (nlink = 0) /* O_TMPFILE was created */
1: data for inode X /* Someone writes to the temp file */
2: inode X (nlink = 0) /* inode was changed, xattr, chmod, … */
3: inode X (nlink = 1) /* inode was re-linked via linkat() */
Upon replay of entry #2 UBIFS will drop all data that belongs to inode X,
this will lead to an empty file after mounting.
As solution for this problem, scan the replay list for a re-link entry
before dropping data.
Fixes: 474b93704f32 ("ubifs: Implement O_TMPFILE")
Cc: sta...@vger.kernel.org # 4.9-4.18
Cc: Russell Senior
Cc: Rafał Miłecki
Reported-by: Russell Senior
Reported-by: Rafał Miłecki
Tested-by: Rafał Miłecki
Signed-off-by: Richard Weinberger
[rmilecki: update ubifs_assert() calls to compile with 4.18 and older]
Signed-off-by: Rafał Miłecki
(cherry picked from commit e58725d51fa8da9133f3f1c54170aa2e43056b91)
Signed-off-by: Sasha Levin
---
fs/ubifs/replay.c | 37 +
1 file changed, 37 insertions(+)
diff --git a/fs/ubifs/replay.c b/fs/ubifs/replay.c
index fb0f44cd1e28..de7799a0a9d1 100644
--- a/fs/ubifs/replay.c
+++ b/fs/ubifs/replay.c
@@ -209,6 +209,38 @@ static int trun_remove_range(struct ubifs_info *c, struct
replay_entry *r)
return ubifs_tnc_remove_range(c, _key, _key);
}
+/**
+ * inode_still_linked - check whether inode in question will be re-linked.
+ * @c: UBIFS file-system description object
+ * @rino: replay entry to test
+ *
+ * O_TMPFILE files can be re-linked, this means link count goes from 0 to 1.
+ * This case needs special care, otherwise all references to the inode will
+ * be removed upon the first replay entry of an inode with link count 0
+ * is found.
+ */
+static bool inode_still_linked(struct ubifs_info *c, struct replay_entry *rino)
+{
+ struct replay_entry *r;
+
+ ubifs_assert(rino->deletion);
+ ubifs_assert(key_type(c, >key) == UBIFS_INO_KEY);
+
+ /*
+* Find the most recent entry for the inode behind @rino and check
+* whether it is a deletion.
+*/
+ list_for_each_entry_reverse(r, >replay_list, list) {
+ ubifs_assert(r->sqnum >= rino->sqnum);
+ if (key_inum(c, >key) == key_inum(c, >key))
+ return r->deletion == 0;
+
+ }
+
+ ubifs_assert(0);
+ return false;
+}
+
/**
* apply_replay_entry - apply a replay entry to the TNC.
* @c: UBIFS file-system description object
@@ -239,6 +271,11 @@ static int apply_replay_entry(struct ubifs_info *c, struct
replay_entry *r)
{
ino_t inum = key_inum(c, >key);
+ if (inode_still_linked(c, r)) {
+ err = 0;
+ break;
+ }
+
err = ubifs_tnc_remove_ino(c, inum);
break;
}
--
2.19.1
[PATCH 4.9 06/22] USB: serial: option: add GosunCn ZTE WeLink ME3630
4.9-stable review patch. If anyone has any objections, please let me know.
--
From: Jörgen Storvist
commit 70a7444c550a75584ffcfae95267058817eff6a7 upstream.
Added USB serial option driver support for GosunCn ZTE WeLink ME3630
series cellular modules for USB modes ECM/NCM and MBIM.
usb-devices output MBIM mode:
T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 10 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=19d2 ProdID=0602 Rev=03.18
S: Manufacturer=Android
S: Product=Android
S: SerialNumber=
C: #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I: If#= 3 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim
I: If#= 4 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
usb-devices output ECM/NCM mode:
T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 11 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=19d2 ProdID=1476 Rev=03.18
S: Manufacturer=Android
S: Product=Android
S: SerialNumber=
C: #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I: If#= 3 Alt= 0 #EPs= 1 Cls=02(commc) Sub=06 Prot=00 Driver=cdc_ether
I: If#= 4 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether
Signed-off-by: Jörgen Storvist
Cc: stable
Signed-off-by: Johan Hovold
Signed-off-by: Greg Kroah-Hartman
---
drivers/usb/serial/option.c |2 ++
1 file changed, 2 insertions(+)
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -1327,6 +1327,7 @@ static const struct usb_device_id option
.driver_info = RSVD(4) },
{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0414, 0xff, 0xff,
0xff) },
{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0417, 0xff, 0xff,
0xff) },
+ { USB_DEVICE_INTERFACE_CLASS(ZTE_VENDOR_ID, 0x0602, 0xff) },/*
GosunCn ZTE WeLink ME3630 (MBIM mode) */
{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1008, 0xff, 0xff,
0xff),
.driver_info = RSVD(4) },
{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1010, 0xff, 0xff,
0xff),
@@ -1530,6 +1531,7 @@ static const struct usb_device_id option
.driver_info = RSVD(2) },
{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1428, 0xff, 0xff,
0xff), /* Telewell TW-LTE 4G v2 */
.driver_info = RSVD(2) },
+ { USB_DEVICE_INTERFACE_CLASS(ZTE_VENDOR_ID, 0x1476, 0xff) },/*
GosunCn ZTE WeLink ME3630 (ECM/NCM mode) */
{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1533, 0xff, 0xff,
0xff) },
{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1534, 0xff, 0xff,
0xff) },
{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1535, 0xff, 0xff,
0xff) },
[PATCH 4.9 12/22] mmc: core: Allow BKOPS and CACHE ctrl even if no HPI support
4.9-stable review patch. If anyone has any objections, please let me know.
--
From: Ulf Hansson
commit ba9f39a785a9977e72233000711ef1eb48203551 upstream.
In commit 5320226a0512 ("mmc: core: Disable HPI for certain Hynix eMMC
cards"), then intent was to prevent HPI from being used for some eMMC
cards, which didn't properly support it. However, that went too far, as
even BKOPS and CACHE ctrl became prevented. Let's restore those parts and
allow BKOPS and CACHE ctrl even if HPI isn't supported.
Fixes: 5320226a0512 ("mmc: core: Disable HPI for certain Hynix eMMC cards")
Cc: Pratibhasagar V
Cc:
Signed-off-by: Ulf Hansson
Signed-off-by: Greg Kroah-Hartman
---
drivers/mmc/core/mmc.c |6 ++
1 file changed, 2 insertions(+), 4 deletions(-)
--- a/drivers/mmc/core/mmc.c
+++ b/drivers/mmc/core/mmc.c
@@ -522,8 +522,7 @@ static int mmc_decode_ext_csd(struct mmc
card->cid.year += 16;
/* check whether the eMMC card supports BKOPS */
- if (!mmc_card_broken_hpi(card) &&
- ext_csd[EXT_CSD_BKOPS_SUPPORT] & 0x1) {
+ if (ext_csd[EXT_CSD_BKOPS_SUPPORT] & 0x1) {
card->ext_csd.bkops = 1;
card->ext_csd.man_bkops_en =
(ext_csd[EXT_CSD_BKOPS_EN] &
@@ -1730,8 +1729,7 @@ static int mmc_init_card(struct mmc_host
* If cache size is higher than 0, this indicates
* the existence of cache and it can be turned on.
*/
- if (!mmc_card_broken_hpi(card) &&
- card->ext_csd.cache_size > 0) {
+ if (card->ext_csd.cache_size > 0) {
err = mmc_switch(card, EXT_CSD_CMD_SET_NORMAL,
EXT_CSD_CACHE_CTRL, 1,
card->ext_csd.generic_cmd6_time);
[PATCH 4.9 20/22] panic: avoid deadlocks in re-entrant console drivers
4.9-stable review patch. If anyone has any objections, please let me know.
--
From: Sergey Senozhatsky
commit c7c3f05e341a9a2bd1a92993d4f996cfd6e7348e upstream.
>From printk()/serial console point of view panic() is special, because
it may force CPU to re-enter printk() or/and serial console driver.
Therefore, some of serial consoles drivers are re-entrant. E.g. 8250:
serial8250_console_write()
{
if (port->sysrq)
locked = 0;
else if (oops_in_progress)
locked = spin_trylock_irqsave(>lock, flags);
else
spin_lock_irqsave(>lock, flags);
...
}
panic() does set oops_in_progress via bust_spinlocks(1), so in theory
we should be able to re-enter serial console driver from panic():
CPU0
uart_console_write()
serial8250_console_write() // if (oops_in_progress)
//spin_trylock_irqsave()
call_console_drivers()
console_unlock()
console_flush_on_panic()
bust_spinlocks(1) // oops_in_progress++
panic()
spin_lock_irqsave(>lock, flags) // spin_lock_irqsave()
serial8250_console_write()
call_console_drivers()
console_unlock()
printk()
...
However, this does not happen and we deadlock in serial console on
port->lock spinlock. And the problem is that console_flush_on_panic()
called after bust_spinlocks(0):
void panic(const char *fmt, ...)
{
bust_spinlocks(1);
...
bust_spinlocks(0);
console_flush_on_panic();
...
}
bust_spinlocks(0) decrements oops_in_progress, so oops_in_progress
can go back to zero. Thus even re-entrant console drivers will simply
spin on port->lock spinlock. Given that port->lock may already be
locked either by a stopped CPU, or by the very same CPU we execute
panic() on (for instance, NMI panic() on printing CPU) the system
deadlocks and does not reboot.
Fix this by removing bust_spinlocks(0), so oops_in_progress is always
set in panic() now and, thus, re-entrant console drivers will trylock
the port->lock instead of spinning on it forever, when we call them
from console_flush_on_panic().
Link:
http://lkml.kernel.org/r/20181025101036.6823-1-sergey.senozhat...@gmail.com
Cc: Steven Rostedt
Cc: Daniel Wang
Cc: Peter Zijlstra
Cc: Andrew Morton
Cc: Linus Torvalds
Cc: Greg Kroah-Hartman
Cc: Alan Cox
Cc: Jiri Slaby
Cc: Peter Feiner
Cc: linux-ser...@vger.kernel.org
Cc: Sergey Senozhatsky
Cc: sta...@vger.kernel.org
Signed-off-by: Sergey Senozhatsky
Signed-off-by: Petr Mladek
Signed-off-by: Greg Kroah-Hartman
---
kernel/panic.c |6 +-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/kernel/panic.c
+++ b/kernel/panic.c
@@ -13,6 +13,7 @@
#include
#include
#include
+#include
#include
#include
#include
@@ -228,7 +229,10 @@ void panic(const char *fmt, ...)
if (_crash_kexec_post_notifiers)
__crash_kexec(NULL);
- bust_spinlocks(0);
+#ifdef CONFIG_VT
+ unblank_screen();
+#endif
+ console_unblank();
/*
* We may have ended up stopping the CPU holding the lock (in
[PATCH 4.9 09/22] USB: serial: option: add Fibocom NL668 series
4.9-stable review patch. If anyone has any objections, please let me know.
--
From: Jörgen Storvist
commit 30360224441ce89a98ed627861e735beb4010775 upstream.
Added USB serial option driver support for Fibocom NL668 series cellular
modules. Reserved USB endpoints 4, 5 and 6 for network + ADB interfaces.
usb-devices output (QMI mode)
T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 16 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=1508 ProdID=1001 Rev=03.18
S: Manufacturer=Nodecom NL668 Modem
S: Product=Nodecom NL668-CN Modem
S: SerialNumber=
C: #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
I: If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
usb-devices output (ECM mode)
T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 17 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=1508 ProdID=1001 Rev=03.18
S: Manufacturer=Nodecom NL668 Modem
S: Product=Nodecom NL668-CN Modem
S: SerialNumber=
C: #Ifs= 7 Cfg#= 1 Atr=a0 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I: If#= 4 Alt= 0 #EPs= 1 Cls=02(commc) Sub=06 Prot=00 Driver=cdc_ether
I: If#= 5 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether
I: If#= 6 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
Signed-off-by: Jörgen Storvist
Cc: stable
Signed-off-by: Johan Hovold
Signed-off-by: Greg Kroah-Hartman
---
drivers/usb/serial/option.c |2 ++
1 file changed, 2 insertions(+)
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -1950,6 +1950,8 @@ static const struct usb_device_id option
{ USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x13) },
{ USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x14) },
{ USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x1b) },
+ { USB_DEVICE(0x1508, 0x1001),
/* Fibocom NL668 */
+ .driver_info = RSVD(4) | RSVD(5) | RSVD(6) },
{ } /* Terminating entry */
};
MODULE_DEVICE_TABLE(usb, option_ids);
[PATCH 4.9 00/22] 4.9.148-stable review
This is the start of the stable review cycle for the 4.9.148 release. There are 22 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sun Dec 30 11:31:00 UTC 2018. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.148-rc1.gz or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.9.y and the diffstat can be found below. thanks, greg k-h - Pseudo-Shortlog of commits: Greg Kroah-Hartman Linux 4.9.148-rc1 Gustavo A. R. Silva drm/ioctl: Fix Spectre v1 vulnerabilities Ivan Delalande proc/sysctl: don't return ENOMEM on lookup when a table is unregistering Sergey Senozhatsky panic: avoid deadlocks in re-entrant console drivers Richard Weinberger ubifs: Handle re-linking of inodes correctly while recovery Sebastian Andrzej Siewior x86/fpu: Disable bottom halves while loading FPU registers Colin Ian King x86/mtrr: Don't copy uninitialized gentry fields back to userspace Dexuan Cui Drivers: hv: vmbus: Return -EINVAL for the sys files for unopened channels Christophe Leroy gpio: max7301: fix driver for use with CONFIG_VMAP_STACK Russell King mmc: omap_hsmmc: fix DMA API warning Ulf Hansson mmc: core: Use a minimum 1600ms timeout when enabling CACHE ctrl Ulf Hansson mmc: core: Allow BKOPS and CACHE ctrl even if no HPI support Ulf Hansson mmc: core: Reset HPI enabled state during re-init and in case of errors Jörgen Storvist USB: serial: option: add Telit LN940 series Jörgen Storvist USB: serial: option: add Fibocom NL668 series Jörgen Storvist USB: serial: option: add Simcom SIM7500/SIM7600 (MBIM mode) Tore Anderson USB: serial: option: add HP lt4132 Jörgen Storvist USB: serial: option: add GosunCn ZTE WeLink ME3630 Mathias Nyman xhci: Don't prevent USB2 bus suspend in state check intended for USB3 only Hui Peng USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data Bart Van Assche ib_srpt: Fix a use-after-free in __srpt_close_all_ch() Mikulas Patocka block: fix infinite loop if the device loses discard capability Jens Axboe block: break discard submissions into the user defined size - Diffstat: Makefile | 4 ++-- arch/x86/kernel/cpu/mtrr/if.c | 2 ++ arch/x86/kernel/fpu/signal.c | 4 ++-- block/blk-lib.c | 22 ++--- drivers/gpio/gpio-max7301.c | 12 +++- drivers/gpu/drm/drm_ioctl.c | 10 -- drivers/hv/vmbus_drv.c| 20 +++ drivers/infiniband/ulp/srpt/ib_srpt.c | 4 ++-- drivers/mmc/core/mmc.c| 24 ++- drivers/mmc/host/omap_hsmmc.c | 12 +++- drivers/net/usb/hso.c | 18 +++-- drivers/usb/host/xhci-hub.c | 3 ++- drivers/usb/serial/option.c | 16 ++- fs/proc/proc_sysctl.c | 13 ++-- fs/ubifs/replay.c | 37 +++ kernel/panic.c| 6 +- 16 files changed, 165 insertions(+), 42 deletions(-)
[PATCH 4.9 02/22] block: fix infinite loop if the device loses discard capability
4.9-stable review patch. If anyone has any objections, please let me know.
--
[ Upstream commit b88aef36b87c9787a4db724923ec4f57dfd513f3 ]
If __blkdev_issue_discard is in progress and a device mapper device is
reloaded with a table that doesn't support discard,
q->limits.max_discard_sectors is set to zero. This results in infinite
loop in __blkdev_issue_discard.
This patch checks if max_discard_sectors is zero and aborts with
-EOPNOTSUPP.
Signed-off-by: Mikulas Patocka
Tested-by: Zdenek Kabelac
Cc: sta...@vger.kernel.org
Signed-off-by: Jens Axboe
Signed-off-by: Sasha Levin
---
block/blk-lib.c | 10 ++
1 file changed, 10 insertions(+)
diff --git a/block/blk-lib.c b/block/blk-lib.c
index d8b89c58af3d..af1d26f79878 100644
--- a/block/blk-lib.c
+++ b/block/blk-lib.c
@@ -69,6 +69,8 @@ int __blkdev_issue_discard(struct block_device *bdev,
sector_t sector,
*/
req_sects = min_t(sector_t, nr_sects,
q->limits.max_discard_sectors);
+ if (!req_sects)
+ goto fail;
if (req_sects > UINT_MAX >> 9)
req_sects = UINT_MAX >> 9;
@@ -106,6 +108,14 @@ int __blkdev_issue_discard(struct block_device *bdev,
sector_t sector,
*biop = bio;
return 0;
+
+fail:
+ if (bio) {
+ submit_bio_wait(bio);
+ bio_put(bio);
+ }
+ *biop = NULL;
+ return -EOPNOTSUPP;
}
EXPORT_SYMBOL(__blkdev_issue_discard);
--
2.19.1
[PATCH 4.9 05/22] xhci: Dont prevent USB2 bus suspend in state check intended for USB3 only
4.9-stable review patch. If anyone has any objections, please let me know.
--
From: Mathias Nyman
commit 45f750c16cae3625014c14c77bd9005eda975d35 upstream.
The code to prevent a bus suspend if a USB3 port was still in link training
also reacted to USB2 port polling state.
This caused bus suspend to busyloop in some cases.
USB2 polling state is different from USB3, and should not prevent bus
suspend.
Limit the USB3 link training state check to USB3 root hub ports only.
The origial commit went to stable so this need to be applied there as well
Fixes: 2f31a67f01a8 ("usb: xhci: Prevent bus suspend if a port connect change
or polling state is detected")
Cc: sta...@vger.kernel.org
Signed-off-by: Mathias Nyman
Signed-off-by: Greg Kroah-Hartman
---
drivers/usb/host/xhci-hub.c |3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/usb/host/xhci-hub.c
+++ b/drivers/usb/host/xhci-hub.c
@@ -1353,7 +1353,8 @@ int xhci_bus_suspend(struct usb_hcd *hcd
portsc_buf[port_index] = 0;
/* Bail out if a USB3 port has a new device in link training */
- if ((t1 & PORT_PLS_MASK) == XDEV_POLLING) {
+ if ((hcd->speed >= HCD_USB3) &&
+ (t1 & PORT_PLS_MASK) == XDEV_POLLING) {
bus_state->bus_suspended = 0;
spin_unlock_irqrestore(>lock, flags);
xhci_dbg(xhci, "Bus suspend bailout, port in
polling\n");
[PATCH 4.9 07/22] USB: serial: option: add HP lt4132
4.9-stable review patch. If anyone has any objections, please let me know.
--
From: Tore Anderson
commit d57ec3c83b5153217a70b561d4fb6ed96f2f7a25 upstream.
The HP lt4132 is a rebranded Huawei ME906s-158 LTE modem.
The interface with protocol 0x16 is "CDC ECM & NCM" according to the *.inf
files included with the Windows driver. Attaching the option driver to it
doesn't result in a /dev/ttyUSB* device being created, so I've excluded it.
Note that it is also excluded for corresponding Huawei-branded devices, cf.
commit d544db293a44 ("USB: support new huawei devices in option.c").
T: Bus=01 Lev=01 Prnt=01 Port=02 Cnt=02 Dev#= 3 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=ff MxPS=64 #Cfgs= 3
P: Vendor=03f0 ProdID=a31d Rev=01.02
S: Manufacturer=HP Inc.
S: Product=HP lt4132 LTE/HSPA+ 4G Module
S: SerialNumber=0123456789ABCDEF
C: #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=2mA
I: If#=0x0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=06 Prot=10 Driver=option
I: If#=0x1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=06 Prot=13 Driver=option
I: If#=0x2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=06 Prot=12 Driver=option
I: If#=0x3 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=06 Prot=16 Driver=(none)
I: If#=0x4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=06 Prot=14 Driver=option
I: If#=0x5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=06 Prot=1b Driver=option
T: Bus=01 Lev=01 Prnt=01 Port=02 Cnt=02 Dev#= 3 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=ff MxPS=64 #Cfgs= 3
P: Vendor=03f0 ProdID=a31d Rev=01.02
S: Manufacturer=HP Inc.
S: Product=HP lt4132 LTE/HSPA+ 4G Module
S: SerialNumber=0123456789ABCDEF
C: #Ifs= 7 Cfg#= 2 Atr=a0 MxPwr=2mA
I: If#=0x0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=06 Prot=00 Driver=cdc_ether
I: If#=0x1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=06 Prot=00 Driver=cdc_ether
I: If#=0x2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=06 Prot=10 Driver=option
I: If#=0x3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=06 Prot=13 Driver=option
I: If#=0x4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=06 Prot=12 Driver=option
I: If#=0x5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=06 Prot=14 Driver=option
I: If#=0x6 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=06 Prot=1b Driver=option
T: Bus=01 Lev=01 Prnt=01 Port=02 Cnt=02 Dev#= 3 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=ff MxPS=64 #Cfgs= 3
P: Vendor=03f0 ProdID=a31d Rev=01.02
S: Manufacturer=HP Inc.
S: Product=HP lt4132 LTE/HSPA+ 4G Module
S: SerialNumber=0123456789ABCDEF
C: #Ifs= 3 Cfg#= 3 Atr=a0 MxPwr=2mA
I: If#=0x0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim
I: If#=0x1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
I: If#=0x2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=06 Prot=14 Driver=option
Signed-off-by: Tore Anderson
Cc: sta...@vger.kernel.org
[ johan: drop id defines ]
Signed-off-by: Johan Hovold
Signed-off-by: Greg Kroah-Hartman
---
drivers/usb/serial/option.c |7 ++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -1943,7 +1943,12 @@ static const struct usb_device_id option
{ USB_DEVICE_AND_INTERFACE_INFO(WETELECOM_VENDOR_ID,
WETELECOM_PRODUCT_WMD200, 0xff, 0xff, 0xff) },
{ USB_DEVICE_AND_INTERFACE_INFO(WETELECOM_VENDOR_ID,
WETELECOM_PRODUCT_6802, 0xff, 0xff, 0xff) },
{ USB_DEVICE_AND_INTERFACE_INFO(WETELECOM_VENDOR_ID,
WETELECOM_PRODUCT_WMD300, 0xff, 0xff, 0xff) },
- { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0x421d, 0xff, 0xff, 0xff) }, /*
HP lt2523 (Novatel E371) */
+ { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0x421d, 0xff, 0xff, 0xff) },
/* HP lt2523 (Novatel E371) */
+ { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x10) },
/* HP lt4132 (Huawei ME906s-158) */
+ { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x12) },
+ { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x13) },
+ { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x14) },
+ { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x1b) },
{ } /* Terminating entry */
};
MODULE_DEVICE_TABLE(usb, option_ids);
[PATCH 4.9 14/22] mmc: omap_hsmmc: fix DMA API warning
4.9-stable review patch. If anyone has any objections, please let me know. -- From: Russell King commit 0b479790684192ab7024ce6a621f93f6d0a64d92 upstream. While booting with rootfs on MMC, the following warning is encountered on OMAP4430: omap-dma-engine 4a056000.dma-controller: DMA-API: mapping sg segment longer than device claims to support [len=69632] [max=65536] This is because the DMA engine has a default maximum segment size of 64K but HSMMC sets: mmc->max_blk_size = 512; /* Block Length at max can be 1024 */ mmc->max_blk_count = 0x;/* No. of Blocks is 16 bits */ mmc->max_req_size = mmc->max_blk_size * mmc->max_blk_count; mmc->max_seg_size = mmc->max_req_size; which ends up telling the block layer that we support a maximum segment size of 65535*512, which exceeds the advertised DMA engine capabilities. Fix this by clamping the maximum segment size to the lower of the maximum request size and of the DMA engine device used for either DMA channel. Signed-off-by: Russell King Cc: Signed-off-by: Ulf Hansson Signed-off-by: Greg Kroah-Hartman --- drivers/mmc/host/omap_hsmmc.c | 12 +++- 1 file changed, 11 insertions(+), 1 deletion(-) --- a/drivers/mmc/host/omap_hsmmc.c +++ b/drivers/mmc/host/omap_hsmmc.c @@ -2105,7 +2105,6 @@ static int omap_hsmmc_probe(struct platf mmc->max_blk_size = 512; /* Block Length at max can be 1024 */ mmc->max_blk_count = 0x;/* No. of Blocks is 16 bits */ mmc->max_req_size = mmc->max_blk_size * mmc->max_blk_count; - mmc->max_seg_size = mmc->max_req_size; mmc->caps |= MMC_CAP_MMC_HIGHSPEED | MMC_CAP_SD_HIGHSPEED | MMC_CAP_WAIT_WHILE_BUSY | MMC_CAP_ERASE; @@ -2135,6 +2134,17 @@ static int omap_hsmmc_probe(struct platf goto err_irq; } + /* +* Limit the maximum segment size to the lower of the request size +* and the DMA engine device segment size limits. In reality, with +* 32-bit transfers, the DMA engine can do longer segments than this +* but there is no way to represent that in the DMA model - if we +* increase this figure here, we get warnings from the DMA API debug. +*/ + mmc->max_seg_size = min3(mmc->max_req_size, + dma_get_max_seg_size(host->rx_chan->device->dev), + dma_get_max_seg_size(host->tx_chan->device->dev)); + /* Request IRQ for MMC operations */ ret = devm_request_irq(>dev, host->irq, omap_hsmmc_irq, 0, mmc_hostname(mmc), host);
[PATCH 4.9 08/22] USB: serial: option: add Simcom SIM7500/SIM7600 (MBIM mode)
4.9-stable review patch. If anyone has any objections, please let me know.
--
From: Jörgen Storvist
commit cc6730df08a291e51e145bc65e24ffb5e2f17ab6 upstream.
Added USB serial option driver support for Simcom SIM7500/SIM7600 series
cellular modules exposing MBIM interface (VID 0x1e0e,PID 0x9003)
T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 14 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=1e0e ProdID=9003 Rev=03.18
S: Manufacturer=SimTech, Incorporated
S: Product=SimTech, Incorporated
S: SerialNumber=0123456789ABCDEF
C: #Ifs= 7 Cfg#= 1 Atr=a0 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I: If#= 5 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim
I: If#= 6 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
Signed-off-by: Jörgen Storvist
Cc: stable
Signed-off-by: Johan Hovold
Signed-off-by: Greg Kroah-Hartman
---
drivers/usb/serial/option.c |1 +
1 file changed, 1 insertion(+)
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -1759,6 +1759,7 @@ static const struct usb_device_id option
{ USB_DEVICE_AND_INTERFACE_INFO(ALINK_VENDOR_ID, ALINK_PRODUCT_3GU,
0xff, 0xff, 0xff) },
{ USB_DEVICE(ALINK_VENDOR_ID, SIMCOM_PRODUCT_SIM7100E),
.driver_info = RSVD(5) | RSVD(6) },
+ { USB_DEVICE_INTERFACE_CLASS(0x1e0e, 0x9003, 0xff) }, /* Simcom
SIM7500/SIM7600 MBIM mode */
{ USB_DEVICE(ALCATEL_VENDOR_ID, ALCATEL_PRODUCT_X060S_X200),
.driver_info = NCTRL(0) | NCTRL(1) | RSVD(4) },
{ USB_DEVICE(ALCATEL_VENDOR_ID, ALCATEL_PRODUCT_X220_X500D),
[PATCH 4.9 03/22] ib_srpt: Fix a use-after-free in __srpt_close_all_ch()
4.9-stable review patch. If anyone has any objections, please let me know.
--
[ Upstream commit 14d15c2b278011056482eb015dff89f9cbf2b841 ]
BUG: KASAN: use-after-free in srpt_set_enabled+0x1a9/0x1e0 [ib_srpt]
Read of size 4 at addr 8801269d23f8 by task check/29726
CPU: 4 PID: 29726 Comm: check Not tainted 4.18.0-rc2-dbg+ #4
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
1.0.0-prebuilt.qemu-project.org 04/01/2014
Call Trace:
dump_stack+0xa4/0xf5
print_address_description+0x6f/0x270
kasan_report+0x241/0x360
__asan_load4+0x78/0x80
srpt_set_enabled+0x1a9/0x1e0 [ib_srpt]
srpt_tpg_enable_store+0xb8/0x120 [ib_srpt]
configfs_write_file+0x14e/0x1d0 [configfs]
__vfs_write+0xd2/0x3b0
vfs_write+0x101/0x270
ksys_write+0xab/0x120
__x64_sys_write+0x43/0x50
do_syscall_64+0x77/0x230
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f235cfe6154
Fixes: aaf45bd83eba ("IB/srpt: Detect session shutdown reliably")
Signed-off-by: Bart Van Assche
Cc:
Signed-off-by: Jason Gunthorpe
Signed-off-by: Sasha Levin
---
drivers/infiniband/ulp/srpt/ib_srpt.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/infiniband/ulp/srpt/ib_srpt.c
b/drivers/infiniband/ulp/srpt/ib_srpt.c
index fe7c6ec67d98..2a44a2c3e859 100644
--- a/drivers/infiniband/ulp/srpt/ib_srpt.c
+++ b/drivers/infiniband/ulp/srpt/ib_srpt.c
@@ -1763,8 +1763,8 @@ static void __srpt_close_all_ch(struct srpt_device *sdev)
list_for_each_entry(ch, >rch_list, list) {
if (srpt_disconnect_ch(ch) >= 0)
- pr_info("Closing channel %s-%d because target %s has
been disabled\n",
- ch->sess_name, ch->qp->qp_num,
+ pr_info("Closing channel %s because target %s has been
disabled\n",
+ ch->sess_name,
sdev->device->name);
srpt_close_ch(ch);
}
--
2.19.1
[PATCH 4.9 13/22] mmc: core: Use a minimum 1600ms timeout when enabling CACHE ctrl
4.9-stable review patch. If anyone has any objections, please let me know.
--
From: Ulf Hansson
commit e3ae3401aa19432ee4943eb0bbc2ec704d07d793 upstream.
Some eMMCs from Micron have been reported to need ~800 ms timeout, while
enabling the CACHE ctrl after running sudden power failure tests. The
needed timeout is greater than what the card specifies as its generic CMD6
timeout, through the EXT_CSD register, hence the problem.
Normally we would introduce a card quirk to extend the timeout for these
specific Micron cards. However, due to the rather complicated debug process
needed to find out the error, let's simply use a minimum timeout of 1600ms,
the double of what has been reported, for all cards when enabling CACHE
ctrl.
Reported-by: Sjoerd Simons
Reported-by: Andreas Dannenberg
Reported-by: Faiz Abbas
Cc:
Signed-off-by: Ulf Hansson
Signed-off-by: Greg Kroah-Hartman
---
drivers/mmc/core/mmc.c | 14 ++
1 file changed, 10 insertions(+), 4 deletions(-)
--- a/drivers/mmc/core/mmc.c
+++ b/drivers/mmc/core/mmc.c
@@ -27,6 +27,7 @@
#include "sd_ops.h"
#define DEFAULT_CMD6_TIMEOUT_MS500
+#define MIN_CACHE_EN_TIMEOUT_MS 1600
static const unsigned int tran_exp[] = {
1, 10, 100,1000,
@@ -1726,13 +1727,18 @@ static int mmc_init_card(struct mmc_host
}
/*
-* If cache size is higher than 0, this indicates
-* the existence of cache and it can be turned on.
+* If cache size is higher than 0, this indicates the existence of cache
+* and it can be turned on. Note that some eMMCs from Micron has been
+* reported to need ~800 ms timeout, while enabling the cache after
+* sudden power failure tests. Let's extend the timeout to a minimum of
+* DEFAULT_CACHE_EN_TIMEOUT_MS and do it for all cards.
*/
if (card->ext_csd.cache_size > 0) {
+ unsigned int timeout_ms = MIN_CACHE_EN_TIMEOUT_MS;
+
+ timeout_ms = max(card->ext_csd.generic_cmd6_time, timeout_ms);
err = mmc_switch(card, EXT_CSD_CMD_SET_NORMAL,
- EXT_CSD_CACHE_CTRL, 1,
- card->ext_csd.generic_cmd6_time);
+ EXT_CSD_CACHE_CTRL, 1, timeout_ms);
if (err && err != -EBADMSG)
goto free_card;
[PATCH 4.9 17/22] x86/mtrr: Dont copy uninitialized gentry fields back to userspace
4.9-stable review patch. If anyone has any objections, please let me know.
--
From: Colin Ian King
commit 32043fa065b51e0b1433e48d118821c71b5cd65d upstream.
Currently the copy_to_user of data in the gentry struct is copying
uninitiaized data in field _pad from the stack to userspace.
Fix this by explicitly memset'ing gentry to zero, this also will zero any
compiler added padding fields that may be in struct (currently there are
none).
Detected by CoverityScan, CID#200783 ("Uninitialized scalar variable")
Fixes: b263b31e8ad6 ("x86, mtrr: Use explicit sizing and padding for the 64-bit
ioctls")
Signed-off-by: Colin Ian King
Signed-off-by: Thomas Gleixner
Reviewed-by: Tyler Hicks
Cc: secur...@kernel.org
Link: https://lkml.kernel.org/r/20181218172956.1440-1-colin.k...@canonical.com
Signed-off-by: Greg Kroah-Hartman
---
arch/x86/kernel/cpu/mtrr/if.c |2 ++
1 file changed, 2 insertions(+)
--- a/arch/x86/kernel/cpu/mtrr/if.c
+++ b/arch/x86/kernel/cpu/mtrr/if.c
@@ -172,6 +172,8 @@ mtrr_ioctl(struct file *file, unsigned i
struct mtrr_gentry gentry;
void __user *arg = (void __user *) __arg;
+ memset(, 0, sizeof(gentry));
+
switch (cmd) {
case MTRRIOC_ADD_ENTRY:
case MTRRIOC_SET_ENTRY:
[PATCH 4.9 01/22] block: break discard submissions into the user defined size
4.9-stable review patch. If anyone has any objections, please let me know. -- [ Upstream commit af097f5d199e2aa3ab3ef777f0716e487b8f7b08 ] Don't build discards bigger than what the user asked for, if the user decided to limit the size by writing to 'discard_max_bytes'. Reviewed-by: Darrick J. Wong Reviewed-by: Omar Sandoval Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin --- block/blk-lib.c | 12 +--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/block/blk-lib.c b/block/blk-lib.c index 46fe9248410d..d8b89c58af3d 100644 --- a/block/blk-lib.c +++ b/block/blk-lib.c @@ -63,10 +63,16 @@ int __blkdev_issue_discard(struct block_device *bdev, sector_t sector, unsigned int req_sects; sector_t end_sect, tmp; - /* Make sure bi_size doesn't overflow */ - req_sects = min_t(sector_t, nr_sects, UINT_MAX >> 9); + /* +* Issue in chunks of the user defined max discard setting, +* ensuring that bi_size doesn't overflow +*/ + req_sects = min_t(sector_t, nr_sects, + q->limits.max_discard_sectors); + if (req_sects > UINT_MAX >> 9) + req_sects = UINT_MAX >> 9; - /** + /* * If splitting a request, and the next starting sector would be * misaligned, stop the discard at the previous aligned sector. */ -- 2.19.1
[PATCH 4.9 16/22] Drivers: hv: vmbus: Return -EINVAL for the sys files for unopened channels
4.9-stable review patch. If anyone has any objections, please let me know.
--
From: Dexuan Cui
commit fc96df16a1ce80cbb3c316ab7d4dc8cd5c2852ce upstream.
Before 98f4c651762c, we returned zeros for unopened channels.
With 98f4c651762c, we started to return random on-stack values.
We'd better return -EINVAL instead.
Fixes: 98f4c651762c ("hv: move ringbuffer bus attributes to dev_groups")
Cc: sta...@vger.kernel.org
Cc: K. Y. Srinivasan
Cc: Haiyang Zhang
Cc: Stephen Hemminger
Signed-off-by: Dexuan Cui
Signed-off-by: Sasha Levin
Signed-off-by: Greg Kroah-Hartman
---
drivers/hv/vmbus_drv.c | 20
1 file changed, 20 insertions(+)
--- a/drivers/hv/vmbus_drv.c
+++ b/drivers/hv/vmbus_drv.c
@@ -317,6 +317,8 @@ static ssize_t out_intr_mask_show(struct
if (!hv_dev->channel)
return -ENODEV;
+ if (hv_dev->channel->state != CHANNEL_OPENED_STATE)
+ return -EINVAL;
hv_ringbuffer_get_debuginfo(_dev->channel->outbound, );
return sprintf(buf, "%d\n", outbound.current_interrupt_mask);
}
@@ -330,6 +332,8 @@ static ssize_t out_read_index_show(struc
if (!hv_dev->channel)
return -ENODEV;
+ if (hv_dev->channel->state != CHANNEL_OPENED_STATE)
+ return -EINVAL;
hv_ringbuffer_get_debuginfo(_dev->channel->outbound, );
return sprintf(buf, "%d\n", outbound.current_read_index);
}
@@ -344,6 +348,8 @@ static ssize_t out_write_index_show(stru
if (!hv_dev->channel)
return -ENODEV;
+ if (hv_dev->channel->state != CHANNEL_OPENED_STATE)
+ return -EINVAL;
hv_ringbuffer_get_debuginfo(_dev->channel->outbound, );
return sprintf(buf, "%d\n", outbound.current_write_index);
}
@@ -358,6 +364,8 @@ static ssize_t out_read_bytes_avail_show
if (!hv_dev->channel)
return -ENODEV;
+ if (hv_dev->channel->state != CHANNEL_OPENED_STATE)
+ return -EINVAL;
hv_ringbuffer_get_debuginfo(_dev->channel->outbound, );
return sprintf(buf, "%d\n", outbound.bytes_avail_toread);
}
@@ -372,6 +380,8 @@ static ssize_t out_write_bytes_avail_sho
if (!hv_dev->channel)
return -ENODEV;
+ if (hv_dev->channel->state != CHANNEL_OPENED_STATE)
+ return -EINVAL;
hv_ringbuffer_get_debuginfo(_dev->channel->outbound, );
return sprintf(buf, "%d\n", outbound.bytes_avail_towrite);
}
@@ -385,6 +395,8 @@ static ssize_t in_intr_mask_show(struct
if (!hv_dev->channel)
return -ENODEV;
+ if (hv_dev->channel->state != CHANNEL_OPENED_STATE)
+ return -EINVAL;
hv_ringbuffer_get_debuginfo(_dev->channel->inbound, );
return sprintf(buf, "%d\n", inbound.current_interrupt_mask);
}
@@ -398,6 +410,8 @@ static ssize_t in_read_index_show(struct
if (!hv_dev->channel)
return -ENODEV;
+ if (hv_dev->channel->state != CHANNEL_OPENED_STATE)
+ return -EINVAL;
hv_ringbuffer_get_debuginfo(_dev->channel->inbound, );
return sprintf(buf, "%d\n", inbound.current_read_index);
}
@@ -411,6 +425,8 @@ static ssize_t in_write_index_show(struc
if (!hv_dev->channel)
return -ENODEV;
+ if (hv_dev->channel->state != CHANNEL_OPENED_STATE)
+ return -EINVAL;
hv_ringbuffer_get_debuginfo(_dev->channel->inbound, );
return sprintf(buf, "%d\n", inbound.current_write_index);
}
@@ -425,6 +441,8 @@ static ssize_t in_read_bytes_avail_show(
if (!hv_dev->channel)
return -ENODEV;
+ if (hv_dev->channel->state != CHANNEL_OPENED_STATE)
+ return -EINVAL;
hv_ringbuffer_get_debuginfo(_dev->channel->inbound, );
return sprintf(buf, "%d\n", inbound.bytes_avail_toread);
}
@@ -439,6 +457,8 @@ static ssize_t in_write_bytes_avail_show
if (!hv_dev->channel)
return -ENODEV;
+ if (hv_dev->channel->state != CHANNEL_OPENED_STATE)
+ return -EINVAL;
hv_ringbuffer_get_debuginfo(_dev->channel->inbound, );
return sprintf(buf, "%d\n", inbound.bytes_avail_towrite);
}
[PATCH 4.9 11/22] mmc: core: Reset HPI enabled state during re-init and in case of errors
4.9-stable review patch. If anyone has any objections, please let me know.
--
From: Ulf Hansson
commit a0741ba40a009f97c019ae7541dc61c1fdf41efb upstream.
During a re-initialization of the eMMC card, we may fail to re-enable HPI.
In these cases, that isn't properly reflected in the card->ext_csd.hpi_en
bit, as it keeps being set. This may cause following attempts to use HPI,
even if's not enabled. Let's fix this!
Fixes: eb0d8f135b67 ("mmc: core: support HPI send command")
Cc:
Signed-off-by: Ulf Hansson
Signed-off-by: Greg Kroah-Hartman
---
drivers/mmc/core/mmc.c |4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/mmc/core/mmc.c
+++ b/drivers/mmc/core/mmc.c
@@ -1719,9 +1719,11 @@ static int mmc_init_card(struct mmc_host
if (err) {
pr_warn("%s: Enabling HPI failed\n",
mmc_hostname(card->host));
+ card->ext_csd.hpi_en = 0;
err = 0;
- } else
+ } else {
card->ext_csd.hpi_en = 1;
+ }
}
/*
[PATCH 4.9 10/22] USB: serial: option: add Telit LN940 series
4.9-stable review patch. If anyone has any objections, please let me know.
--
From: Jörgen Storvist
commit 28a86092b1753b802ef7e3de8a4c4a69a9c1bb03 upstream.
Added USB serial option driver support for Telit LN940 series cellular
modules. Covering both QMI and MBIM modes.
usb-devices output (0x1900):
T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 21 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=1bc7 ProdID=1900 Rev=03.10
S: Manufacturer=Telit
S: Product=Telit LN940 Mobile Broadband
S: SerialNumber=0123456789ABCDEF
C: #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
usb-devices output (0x1901):
T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 20 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=1bc7 ProdID=1901 Rev=03.10
S: Manufacturer=Telit
S: Product=Telit LN940 Mobile Broadband
S: SerialNumber=0123456789ABCDEF
C: #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I: If#= 4 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim
I: If#= 5 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
Signed-off-by: Jörgen Storvist
Cc: stable
Signed-off-by: Johan Hovold
Signed-off-by: Greg Kroah-Hartman
---
drivers/usb/serial/option.c |4
1 file changed, 4 insertions(+)
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -1163,6 +1163,10 @@ static const struct usb_device_id option
{ USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID,
TELIT_PRODUCT_LE920A4_1213, 0xff) },
{ USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE920A4_1214),
.driver_info = NCTRL(0) | RSVD(1) | RSVD(2) | RSVD(3) },
+ { USB_DEVICE(TELIT_VENDOR_ID, 0x1900), /*
Telit LN940 (QMI) */
+ .driver_info = NCTRL(0) | RSVD(1) },
+ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1901, 0xff),/*
Telit LN940 (MBIM) */
+ .driver_info = NCTRL(0) },
{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, ZTE_PRODUCT_MF622, 0xff,
0xff, 0xff) }, /* ZTE WCDMA products */
{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0002, 0xff, 0xff,
0xff),
.driver_info = RSVD(1) },
[PATCH 4.9 18/22] x86/fpu: Disable bottom halves while loading FPU registers
4.9-stable review patch. If anyone has any objections, please let me know.
--
From: Sebastian Andrzej Siewior
commit 68239654acafe6aad5a3c1dc7237e60accfebc03 upstream.
The sequence
fpu->initialized = 1; /* step A */
preempt_disable();/* step B */
fpu__restore(fpu);
preempt_enable();
in __fpu__restore_sig() is racy in regard to a context switch.
For 32bit frames, __fpu__restore_sig() prepares the FPU state within
fpu->state. To ensure that a context switch (switch_fpu_prepare() in
particular) does not modify fpu->state it uses fpu__drop() which sets
fpu->initialized to 0.
After fpu->initialized is cleared, the CPU's FPU state is not saved
to fpu->state during a context switch. The new state is loaded via
fpu__restore(). It gets loaded into fpu->state from userland and
ensured it is sane. fpu->initialized is then set to 1 in order to avoid
fpu__initialize() doing anything (overwrite the new state) which is part
of fpu__restore().
A context switch between step A and B above would save CPU's current FPU
registers to fpu->state and overwrite the newly prepared state. This
looks like a tiny race window but the Kernel Test Robot reported this
back in 2016 while we had lazy FPU support. Borislav Petkov made the
link between that report and another patch that has been posted. Since
the removal of the lazy FPU support, this race goes unnoticed because
the warning has been removed.
Disable bottom halves around the restore sequence to avoid the race. BH
need to be disabled because BH is allowed to run (even with preemption
disabled) and might invoke kernel_fpu_begin() by doing IPsec.
[ bp: massage commit message a bit. ]
Signed-off-by: Sebastian Andrzej Siewior
Signed-off-by: Borislav Petkov
Acked-by: Ingo Molnar
Acked-by: Thomas Gleixner
Cc: Andy Lutomirski
Cc: Dave Hansen
Cc: "H. Peter Anvin"
Cc: "Jason A. Donenfeld"
Cc: kvm ML
Cc: Paolo Bonzini
Cc: Radim Krčmář
Cc: Rik van Riel
Cc: sta...@vger.kernel.org
Cc: x86-ml
Link: http://lkml.kernel.org/r/20181120102635.ddv3fvavxajjl...@linutronix.de
Link: https://lkml.kernel.org/r/20160226074940.ga28...@pd.tnic
Signed-off-by: Sebastian Andrzej Siewior
Signed-off-by: Greg Kroah-Hartman
---
arch/x86/kernel/fpu/signal.c |4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/arch/x86/kernel/fpu/signal.c
+++ b/arch/x86/kernel/fpu/signal.c
@@ -342,10 +342,10 @@ static int __fpu__restore_sig(void __use
sanitize_restored_xstate(tsk, , xfeatures, fx_only);
}
+ local_bh_disable();
fpu->fpstate_active = 1;
- preempt_disable();
fpu__restore(fpu);
- preempt_enable();
+ local_bh_enable();
return err;
} else {
[PATCH 4.14 19/36] mmc: core: Use a minimum 1600ms timeout when enabling CACHE ctrl
4.14-stable review patch. If anyone has any objections, please let me know.
--
From: Ulf Hansson
commit e3ae3401aa19432ee4943eb0bbc2ec704d07d793 upstream.
Some eMMCs from Micron have been reported to need ~800 ms timeout, while
enabling the CACHE ctrl after running sudden power failure tests. The
needed timeout is greater than what the card specifies as its generic CMD6
timeout, through the EXT_CSD register, hence the problem.
Normally we would introduce a card quirk to extend the timeout for these
specific Micron cards. However, due to the rather complicated debug process
needed to find out the error, let's simply use a minimum timeout of 1600ms,
the double of what has been reported, for all cards when enabling CACHE
ctrl.
Reported-by: Sjoerd Simons
Reported-by: Andreas Dannenberg
Reported-by: Faiz Abbas
Cc:
Signed-off-by: Ulf Hansson
Signed-off-by: Greg Kroah-Hartman
---
drivers/mmc/core/mmc.c | 14 ++
1 file changed, 10 insertions(+), 4 deletions(-)
--- a/drivers/mmc/core/mmc.c
+++ b/drivers/mmc/core/mmc.c
@@ -30,6 +30,7 @@
#include "pwrseq.h"
#define DEFAULT_CMD6_TIMEOUT_MS500
+#define MIN_CACHE_EN_TIMEOUT_MS 1600
static const unsigned int tran_exp[] = {
1, 10, 100,1000,
@@ -1762,13 +1763,18 @@ static int mmc_init_card(struct mmc_host
}
/*
-* If cache size is higher than 0, this indicates
-* the existence of cache and it can be turned on.
+* If cache size is higher than 0, this indicates the existence of cache
+* and it can be turned on. Note that some eMMCs from Micron has been
+* reported to need ~800 ms timeout, while enabling the cache after
+* sudden power failure tests. Let's extend the timeout to a minimum of
+* DEFAULT_CACHE_EN_TIMEOUT_MS and do it for all cards.
*/
if (card->ext_csd.cache_size > 0) {
+ unsigned int timeout_ms = MIN_CACHE_EN_TIMEOUT_MS;
+
+ timeout_ms = max(card->ext_csd.generic_cmd6_time, timeout_ms);
err = mmc_switch(card, EXT_CSD_CMD_SET_NORMAL,
- EXT_CSD_CACHE_CTRL, 1,
- card->ext_csd.generic_cmd6_time);
+ EXT_CSD_CACHE_CTRL, 1, timeout_ms);
if (err && err != -EBADMSG)
goto free_card;
[PATCH 4.14 29/36] iwlwifi: mvm: dont send GEO_TX_POWER_LIMIT to old firmwares
4.14-stable review patch. If anyone has any objections, please let me know.
--
From: Emmanuel Grumbach
commit eca1e56ceedd9cc185eb18baf307d3ff2e4af376 upstream.
Old firmware versions don't support this command. Sending it
to any firmware before -41.ucode will crash the firmware.
This fixes https://bugzilla.kernel.org/show_bug.cgi?id=201975
Fixes: 66e839030fd6 ("iwlwifi: fix wrong WGDS_WIFI_DATA_SIZE")
CC: #4.19+
Signed-off-by: Emmanuel Grumbach
Signed-off-by: Luca Coelho
Signed-off-by: Kalle Valo
Signed-off-by: Greg Kroah-Hartman
---
drivers/net/wireless/intel/iwlwifi/mvm/fw.c |9 +
1 file changed, 9 insertions(+)
--- a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
@@ -952,6 +952,15 @@ static int iwl_mvm_sar_geo_init(struct i
int ret, i, j;
u16 cmd_wide_id = WIDE_ID(PHY_OPS_GROUP, GEO_TX_POWER_LIMIT);
+ /*
+* This command is not supported on earlier firmware versions.
+* Unfortunately, we don't have a TLV API flag to rely on, so
+* rely on the major version which is in the first byte of
+* ucode_ver.
+*/
+ if (IWL_UCODE_SERIAL(mvm->fw->ucode_ver) < 41)
+ return 0;
+
ret = iwl_mvm_sar_get_wgds_table(mvm);
if (ret < 0) {
IWL_DEBUG_RADIO(mvm,
[PATCH 4.14 15/36] USB: serial: option: add Telit LN940 series
4.14-stable review patch. If anyone has any objections, please let me know.
--
From: Jörgen Storvist
commit 28a86092b1753b802ef7e3de8a4c4a69a9c1bb03 upstream.
Added USB serial option driver support for Telit LN940 series cellular
modules. Covering both QMI and MBIM modes.
usb-devices output (0x1900):
T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 21 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=1bc7 ProdID=1900 Rev=03.10
S: Manufacturer=Telit
S: Product=Telit LN940 Mobile Broadband
S: SerialNumber=0123456789ABCDEF
C: #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
usb-devices output (0x1901):
T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 20 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=1bc7 ProdID=1901 Rev=03.10
S: Manufacturer=Telit
S: Product=Telit LN940 Mobile Broadband
S: SerialNumber=0123456789ABCDEF
C: #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I: If#= 4 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim
I: If#= 5 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
Signed-off-by: Jörgen Storvist
Cc: stable
Signed-off-by: Johan Hovold
Signed-off-by: Greg Kroah-Hartman
---
drivers/usb/serial/option.c |4
1 file changed, 4 insertions(+)
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -1167,6 +1167,10 @@ static const struct usb_device_id option
{ USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID,
TELIT_PRODUCT_LE920A4_1213, 0xff) },
{ USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE920A4_1214),
.driver_info = NCTRL(0) | RSVD(1) | RSVD(2) | RSVD(3) },
+ { USB_DEVICE(TELIT_VENDOR_ID, 0x1900), /*
Telit LN940 (QMI) */
+ .driver_info = NCTRL(0) | RSVD(1) },
+ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1901, 0xff),/*
Telit LN940 (MBIM) */
+ .driver_info = NCTRL(0) },
{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, ZTE_PRODUCT_MF622, 0xff,
0xff, 0xff) }, /* ZTE WCDMA products */
{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0002, 0xff, 0xff,
0xff),
.driver_info = RSVD(1) },
[PATCH 4.14 36/36] drm/ioctl: Fix Spectre v1 vulnerabilities
4.14-stable review patch. If anyone has any objections, please let me know.
--
From: Gustavo A. R. Silva
commit 505b5240329b922f21f91d5b5d1e535c805eca6d upstream.
nr is indirectly controlled by user-space, hence leading to a
potential exploitation of the Spectre variant 1 vulnerability.
This issue was detected with the help of Smatch:
drivers/gpu/drm/drm_ioctl.c:805 drm_ioctl() warn: potential spectre issue
'dev->driver->ioctls' [r]
drivers/gpu/drm/drm_ioctl.c:810 drm_ioctl() warn: potential spectre issue
'drm_ioctls' [r] (local cap)
drivers/gpu/drm/drm_ioctl.c:892 drm_ioctl_flags() warn: potential spectre issue
'drm_ioctls' [r] (local cap)
Fix this by sanitizing nr before using it to index dev->driver->ioctls
and drm_ioctls.
Notice that given that speculation windows are large, the policy is
to kill the speculation on the first load and not worry if it can be
completed with a dependent load/store [1].
[1] https://marc.info/?l=linux-kernel=152449131114778=2
Cc: sta...@vger.kernel.org
Signed-off-by: Gustavo A. R. Silva
Signed-off-by: Daniel Vetter
Link:
https://patchwork.freedesktop.org/patch/msgid/2018122015.GA18973@embeddedor
Signed-off-by: Greg Kroah-Hartman
---
drivers/gpu/drm/drm_ioctl.c | 10 --
1 file changed, 8 insertions(+), 2 deletions(-)
--- a/drivers/gpu/drm/drm_ioctl.c
+++ b/drivers/gpu/drm/drm_ioctl.c
@@ -37,6 +37,7 @@
#include
#include
+#include
/**
* DOC: getunique and setversion story
@@ -778,13 +779,17 @@ long drm_ioctl(struct file *filp,
if (is_driver_ioctl) {
/* driver ioctl */
- if (nr - DRM_COMMAND_BASE >= dev->driver->num_ioctls)
+ unsigned int index = nr - DRM_COMMAND_BASE;
+
+ if (index >= dev->driver->num_ioctls)
goto err_i1;
- ioctl = >driver->ioctls[nr - DRM_COMMAND_BASE];
+ index = array_index_nospec(index, dev->driver->num_ioctls);
+ ioctl = >driver->ioctls[index];
} else {
/* core ioctl */
if (nr >= DRM_CORE_IOCTL_COUNT)
goto err_i1;
+ nr = array_index_nospec(nr, DRM_CORE_IOCTL_COUNT);
ioctl = _ioctls[nr];
}
@@ -866,6 +871,7 @@ bool drm_ioctl_flags(unsigned int nr, un
if (nr >= DRM_CORE_IOCTL_COUNT)
return false;
+ nr = array_index_nospec(nr, DRM_CORE_IOCTL_COUNT);
*flags = drm_ioctls[nr].flags;
return true;
[PATCH 4.14 22/36] gpiolib-acpi: Only defer request_irq for GpioInt ACPI event handlers
4.14-stable review patch. If anyone has any objections, please let me know.
--
From: Hans de Goede
commit e59f5e08ece1060073d92c66ded52e1f2c43b5bb upstream.
Commit 78d3a92edbfb ("gpiolib-acpi: Register GpioInt ACPI event handlers
from a late_initcall") deferred the entire acpi_gpiochip_request_interrupt
call for each event resource.
This means it also delays the gpiochip_request_own_desc(..., "ACPI:Event")
call. This is a problem if some AML code reads the GPIO pin before we
run the deferred acpi_gpiochip_request_interrupt, because in that case
acpi_gpio_adr_space_handler() will already have called
gpiochip_request_own_desc(..., "ACPI:OpRegion") causing the call from
acpi_gpiochip_request_interrupt to fail with -EBUSY and we will fail to
register an event handler.
acpi_gpio_adr_space_handler is prepared for acpi_gpiochip_request_interrupt
already having claimed the pin, but the other way around does not work.
One example of a problem this causes, is the event handler for the OTG
ID pin on a Prowise PT301 tablet not registering, keeping the port stuck
in whatever mode it was in during boot and e.g. only allowing charging
after a reboot.
This commit fixes this by only deferring the request_irq call and the
initial run of edge-triggered IRQs instead of deferring all of
acpi_gpiochip_request_interrupt.
Cc: sta...@vger.kernel.org
Fixes: 78d3a92edbfb ("gpiolib-acpi: Register GpioInt ACPI event ...")
Signed-off-by: Hans de Goede
Reviewed-by: Andy Shevchenko
Acked-by: Mika Westerberg
Signed-off-by: Linus Walleij
Signed-off-by: Greg Kroah-Hartman
---
drivers/gpio/gpiolib-acpi.c | 144 +---
1 file changed, 84 insertions(+), 60 deletions(-)
--- a/drivers/gpio/gpiolib-acpi.c
+++ b/drivers/gpio/gpiolib-acpi.c
@@ -23,11 +23,28 @@
#include "gpiolib.h"
+/**
+ * struct acpi_gpio_event - ACPI GPIO event handler data
+ *
+ * @node:list-entry of the events list of the struct acpi_gpio_chip
+ * @handle: handle of ACPI method to execute when the IRQ triggers
+ * @handler: irq_handler to pass to request_irq when requesting the IRQ
+ * @pin: GPIO pin number on the gpio_chip
+ * @irq: Linux IRQ number for the event, for request_ / free_irq
+ * @irqflags: flags to pass to request_irq when requesting the IRQ
+ * @irq_is_wake: If the ACPI flags indicate the IRQ is a wakeup source
+ * @is_requested: True if request_irq has been done
+ * @desc:gpio_desc for the GPIO pin for this event
+ */
struct acpi_gpio_event {
struct list_head node;
acpi_handle handle;
+ irq_handler_t handler;
unsigned int pin;
unsigned int irq;
+ unsigned long irqflags;
+ bool irq_is_wake;
+ bool irq_requested;
struct gpio_desc *desc;
};
@@ -53,10 +70,10 @@ struct acpi_gpio_chip {
/*
* For gpiochips which call acpi_gpiochip_request_interrupts() before late_init
- * (so builtin drivers) we register the ACPI GpioInt event handlers from a
+ * (so builtin drivers) we register the ACPI GpioInt IRQ handlers from a
* late_initcall_sync handler, so that other builtin drivers can register their
* OpRegions before the event handlers can run. This list contains gpiochips
- * for which the acpi_gpiochip_request_interrupts() has been deferred.
+ * for which the acpi_gpiochip_request_irqs() call has been deferred.
*/
static DEFINE_MUTEX(acpi_gpio_deferred_req_irqs_lock);
static LIST_HEAD(acpi_gpio_deferred_req_irqs_list);
@@ -194,8 +211,42 @@ bool acpi_gpio_get_irq_resource(struct a
}
EXPORT_SYMBOL_GPL(acpi_gpio_get_irq_resource);
-static acpi_status acpi_gpiochip_request_interrupt(struct acpi_resource *ares,
- void *context)
+static void acpi_gpiochip_request_irq(struct acpi_gpio_chip *acpi_gpio,
+ struct acpi_gpio_event *event)
+{
+ int ret, value;
+
+ ret = request_threaded_irq(event->irq, NULL, event->handler,
+ event->irqflags, "ACPI:Event", event);
+ if (ret) {
+ dev_err(acpi_gpio->chip->parent,
+ "Failed to setup interrupt handler for %d\n",
+ event->irq);
+ return;
+ }
+
+ if (event->irq_is_wake)
+ enable_irq_wake(event->irq);
+
+ event->irq_requested = true;
+
+ /* Make sure we trigger the initial state of edge-triggered IRQs */
+ value = gpiod_get_raw_value_cansleep(event->desc);
+ if (((event->irqflags & IRQF_TRIGGER_RISING) && value == 1) ||
+ ((event->irqflags & IRQF_TRIGGER_FALLING) && value == 0))
+ event->handler(event->irq, event);
+}
+
+static void acpi_gpiochip_request_irqs(struct acpi_gpio_chip *acpi_gpio)
+{
+ struct acpi_gpio_event *event;
+
+ list_for_each_entry(event, _gpio->events, node)
+ acpi_gpiochip_request_irq(acpi_gpio, event);
+}
+
[PATCH 4.14 31/36] spi: imx: add a device specific prepare_message callback
4.14-stable review patch. If anyone has any objections, please let me know.
--
This is just preparatory work which allows to move some initialisation
that currently is done in the per transfer hook .config to an earlier
point in time in the next few patches. There is no change in behaviour
introduced by this patch.
Signed-off-by: Uwe Kleine-König
Signed-off-by: Mark Brown
[ukleinek: backport to v4.14.x]
Signed-off-by: Uwe Kleine-König
Signed-off-by: Sasha Levin
---
drivers/spi/spi-imx.c | 40 +++-
1 file changed, 39 insertions(+), 1 deletion(-)
diff --git a/drivers/spi/spi-imx.c b/drivers/spi/spi-imx.c
index d51ca243a028..3fdb0652429b 100644
--- a/drivers/spi/spi-imx.c
+++ b/drivers/spi/spi-imx.c
@@ -72,6 +72,7 @@ struct spi_imx_data;
struct spi_imx_devtype_data {
void (*intctrl)(struct spi_imx_data *, int);
+ int (*prepare_message)(struct spi_imx_data *, struct spi_message *);
int (*config)(struct spi_device *);
void (*trigger)(struct spi_imx_data *);
int (*rx_available)(struct spi_imx_data *);
@@ -439,6 +440,12 @@ static void mx51_ecspi_trigger(struct spi_imx_data
*spi_imx)
writel(reg, spi_imx->base + MX51_ECSPI_CTRL);
}
+static int mx51_ecspi_prepare_message(struct spi_imx_data *spi_imx,
+ struct spi_message *msg)
+{
+ return 0;
+}
+
static int mx51_ecspi_config(struct spi_device *spi)
{
struct spi_imx_data *spi_imx = spi_master_get_devdata(spi->master);
@@ -599,6 +606,12 @@ static void mx31_trigger(struct spi_imx_data *spi_imx)
writel(reg, spi_imx->base + MXC_CSPICTRL);
}
+static int mx31_prepare_message(struct spi_imx_data *spi_imx,
+ struct spi_message *msg)
+{
+ return 0;
+}
+
static int mx31_config(struct spi_device *spi)
{
struct spi_imx_data *spi_imx = spi_master_get_devdata(spi->master);
@@ -695,6 +708,12 @@ static void mx21_trigger(struct spi_imx_data *spi_imx)
writel(reg, spi_imx->base + MXC_CSPICTRL);
}
+static int mx21_prepare_message(struct spi_imx_data *spi_imx,
+ struct spi_message *msg)
+{
+ return 0;
+}
+
static int mx21_config(struct spi_device *spi)
{
struct spi_imx_data *spi_imx = spi_master_get_devdata(spi->master);
@@ -764,6 +783,12 @@ static void mx1_trigger(struct spi_imx_data *spi_imx)
writel(reg, spi_imx->base + MXC_CSPICTRL);
}
+static int mx1_prepare_message(struct spi_imx_data *spi_imx,
+ struct spi_message *msg)
+{
+ return 0;
+}
+
static int mx1_config(struct spi_device *spi)
{
struct spi_imx_data *spi_imx = spi_master_get_devdata(spi->master);
@@ -798,6 +823,7 @@ static void mx1_reset(struct spi_imx_data *spi_imx)
static struct spi_imx_devtype_data imx1_cspi_devtype_data = {
.intctrl = mx1_intctrl,
+ .prepare_message = mx1_prepare_message,
.config = mx1_config,
.trigger = mx1_trigger,
.rx_available = mx1_rx_available,
@@ -810,6 +836,7 @@ static struct spi_imx_devtype_data imx1_cspi_devtype_data =
{
static struct spi_imx_devtype_data imx21_cspi_devtype_data = {
.intctrl = mx21_intctrl,
+ .prepare_message = mx21_prepare_message,
.config = mx21_config,
.trigger = mx21_trigger,
.rx_available = mx21_rx_available,
@@ -823,6 +850,7 @@ static struct spi_imx_devtype_data imx21_cspi_devtype_data
= {
static struct spi_imx_devtype_data imx27_cspi_devtype_data = {
/* i.mx27 cspi shares the functions with i.mx21 one */
.intctrl = mx21_intctrl,
+ .prepare_message = mx21_prepare_message,
.config = mx21_config,
.trigger = mx21_trigger,
.rx_available = mx21_rx_available,
@@ -835,6 +863,7 @@ static struct spi_imx_devtype_data imx27_cspi_devtype_data
= {
static struct spi_imx_devtype_data imx31_cspi_devtype_data = {
.intctrl = mx31_intctrl,
+ .prepare_message = mx31_prepare_message,
.config = mx31_config,
.trigger = mx31_trigger,
.rx_available = mx31_rx_available,
@@ -848,6 +877,7 @@ static struct spi_imx_devtype_data imx31_cspi_devtype_data
= {
static struct spi_imx_devtype_data imx35_cspi_devtype_data = {
/* i.mx35 and later cspi shares the functions with i.mx31 one */
.intctrl = mx31_intctrl,
+ .prepare_message = mx31_prepare_message,
.config = mx31_config,
.trigger = mx31_trigger,
.rx_available = mx31_rx_available,
@@ -860,6 +890,7 @@ static struct spi_imx_devtype_data imx35_cspi_devtype_data
= {
static struct spi_imx_devtype_data imx51_ecspi_devtype_data = {
.intctrl = mx51_ecspi_intctrl,
+ .prepare_message = mx51_ecspi_prepare_message,
.config = mx51_ecspi_config,
.trigger = mx51_ecspi_trigger,
.rx_available = mx51_ecspi_rx_available,
@@ -872,6 +903,7 @@ static struct spi_imx_devtype_data
[PATCH 4.14 35/36] proc/sysctl: dont return ENOMEM on lookup when a table is unregistering
4.14-stable review patch. If anyone has any objections, please let me know.
--
From: Ivan Delalande
commit ea5751ccd665a2fd1b24f9af81f6167f0718c5f6 upstream.
proc_sys_lookup can fail with ENOMEM instead of ENOENT when the
corresponding sysctl table is being unregistered. In our case we see
this upon opening /proc/sys/net/*/conf files while network interfaces
are being deleted, which confuses our configuration daemon.
The problem was successfully reproduced and this fix tested on v4.9.122
and v4.20-rc6.
v2: return ERR_PTRs in all cases when proc_sys_make_inode fails instead
of mixing them with NULL. Thanks Al Viro for the feedback.
Fixes: ace0c791e6c3 ("proc/sysctl: Don't grab i_lock under sysctl_lock.")
Cc: sta...@vger.kernel.org
Signed-off-by: Ivan Delalande
Signed-off-by: Al Viro
Signed-off-by: Greg Kroah-Hartman
---
fs/proc/proc_sysctl.c | 13 ++---
1 file changed, 6 insertions(+), 7 deletions(-)
--- a/fs/proc/proc_sysctl.c
+++ b/fs/proc/proc_sysctl.c
@@ -464,7 +464,7 @@ static struct inode *proc_sys_make_inode
inode = new_inode(sb);
if (!inode)
- goto out;
+ return ERR_PTR(-ENOMEM);
inode->i_ino = get_next_ino();
@@ -474,8 +474,7 @@ static struct inode *proc_sys_make_inode
if (unlikely(head->unregistering)) {
spin_unlock(_lock);
iput(inode);
- inode = NULL;
- goto out;
+ return ERR_PTR(-ENOENT);
}
ei->sysctl = head;
ei->sysctl_entry = table;
@@ -500,7 +499,6 @@ static struct inode *proc_sys_make_inode
if (root->set_ownership)
root->set_ownership(head, table, >i_uid, >i_gid);
-out:
return inode;
}
@@ -549,10 +547,11 @@ static struct dentry *proc_sys_lookup(st
goto out;
}
- err = ERR_PTR(-ENOMEM);
inode = proc_sys_make_inode(dir->i_sb, h ? h : head, p);
- if (!inode)
+ if (IS_ERR(inode)) {
+ err = ERR_CAST(inode);
goto out;
+ }
err = NULL;
d_set_d_op(dentry, _sys_dentry_operations);
@@ -685,7 +684,7 @@ static bool proc_sys_fill_cache(struct f
return false;
if (d_in_lookup(child)) {
inode = proc_sys_make_inode(dir->d_sb, head, table);
- if (!inode) {
+ if (IS_ERR(inode)) {
d_lookup_done(child);
dput(child);
return false;
[PATCH 4.14 20/36] mmc: omap_hsmmc: fix DMA API warning
4.14-stable review patch. If anyone has any objections, please let me know. -- From: Russell King commit 0b479790684192ab7024ce6a621f93f6d0a64d92 upstream. While booting with rootfs on MMC, the following warning is encountered on OMAP4430: omap-dma-engine 4a056000.dma-controller: DMA-API: mapping sg segment longer than device claims to support [len=69632] [max=65536] This is because the DMA engine has a default maximum segment size of 64K but HSMMC sets: mmc->max_blk_size = 512; /* Block Length at max can be 1024 */ mmc->max_blk_count = 0x;/* No. of Blocks is 16 bits */ mmc->max_req_size = mmc->max_blk_size * mmc->max_blk_count; mmc->max_seg_size = mmc->max_req_size; which ends up telling the block layer that we support a maximum segment size of 65535*512, which exceeds the advertised DMA engine capabilities. Fix this by clamping the maximum segment size to the lower of the maximum request size and of the DMA engine device used for either DMA channel. Signed-off-by: Russell King Cc: Signed-off-by: Ulf Hansson Signed-off-by: Greg Kroah-Hartman --- drivers/mmc/host/omap_hsmmc.c | 12 +++- 1 file changed, 11 insertions(+), 1 deletion(-) --- a/drivers/mmc/host/omap_hsmmc.c +++ b/drivers/mmc/host/omap_hsmmc.c @@ -2083,7 +2083,6 @@ static int omap_hsmmc_probe(struct platf mmc->max_blk_size = 512; /* Block Length at max can be 1024 */ mmc->max_blk_count = 0x;/* No. of Blocks is 16 bits */ mmc->max_req_size = mmc->max_blk_size * mmc->max_blk_count; - mmc->max_seg_size = mmc->max_req_size; mmc->caps |= MMC_CAP_MMC_HIGHSPEED | MMC_CAP_SD_HIGHSPEED | MMC_CAP_WAIT_WHILE_BUSY | MMC_CAP_ERASE | MMC_CAP_CMD23; @@ -2113,6 +2112,17 @@ static int omap_hsmmc_probe(struct platf goto err_irq; } + /* +* Limit the maximum segment size to the lower of the request size +* and the DMA engine device segment size limits. In reality, with +* 32-bit transfers, the DMA engine can do longer segments than this +* but there is no way to represent that in the DMA model - if we +* increase this figure here, we get warnings from the DMA API debug. +*/ + mmc->max_seg_size = min3(mmc->max_req_size, + dma_get_max_seg_size(host->rx_chan->device->dev), + dma_get_max_seg_size(host->tx_chan->device->dev)); + /* Request IRQ for MMC operations */ ret = devm_request_irq(>dev, host->irq, omap_hsmmc_irq, 0, mmc_hostname(mmc), host);
[PATCH 4.14 34/36] mm: dont miss the last page because of round-off error
4.14-stable review patch. If anyone has any objections, please let me know.
--
From: Roman Gushchin
commit 68600f623d69da428c6163275f97ca126e1a8ec5 upstream.
I've noticed, that dying memory cgroups are often pinned in memory by a
single pagecache page. Even under moderate memory pressure they sometimes
stayed in such state for a long time. That looked strange.
My investigation showed that the problem is caused by applying the LRU
pressure balancing math:
scan = div64_u64(scan * fraction[lru], denominator),
where
denominator = fraction[anon] + fraction[file] + 1.
Because fraction[lru] is always less than denominator, if the initial scan
size is 1, the result is always 0.
This means the last page is not scanned and has
no chances to be reclaimed.
Fix this by rounding up the result of the division.
In practice this change significantly improves the speed of dying cgroups
reclaim.
[g...@fb.com: prevent double calculation of DIV64_U64_ROUND_UP() arguments]
Link: http://lkml.kernel.org/r/20180829213311.GA13501@castle
Link: http://lkml.kernel.org/r/20180827162621.30187-3-g...@fb.com
Signed-off-by: Roman Gushchin
Reviewed-by: Andrew Morton
Cc: Johannes Weiner
Cc: Michal Hocko
Cc: Tejun Heo
Cc: Rik van Riel
Cc: Konstantin Khlebnikov
Cc: Matthew Wilcox
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
Signed-off-by: Greg Kroah-Hartman
---
include/linux/math64.h |3 +++
mm/vmscan.c|6 --
2 files changed, 7 insertions(+), 2 deletions(-)
--- a/include/linux/math64.h
+++ b/include/linux/math64.h
@@ -254,4 +254,7 @@ static inline u64 mul_u64_u32_div(u64 a,
}
#endif /* mul_u64_u32_div */
+#define DIV64_U64_ROUND_UP(ll, d) \
+ ({ u64 _tmp = (d); div64_u64((ll) + _tmp - 1, _tmp); })
+
#endif /* _LINUX_MATH64_H */
--- a/mm/vmscan.c
+++ b/mm/vmscan.c
@@ -2367,9 +2367,11 @@ out:
/*
* Scan types proportional to swappiness and
* their relative recent reclaim efficiency.
+* Make sure we don't miss the last page
+* because of a round-off error.
*/
- scan = div64_u64(scan * fraction[file],
-denominator);
+ scan = DIV64_U64_ROUND_UP(scan * fraction[file],
+ denominator);
break;
case SCAN_FILE:
case SCAN_ANON:
[PATCH 4.14 26/36] Drivers: hv: vmbus: Return -EINVAL for the sys files for unopened channels
4.14-stable review patch. If anyone has any objections, please let me know.
--
From: Dexuan Cui
commit fc96df16a1ce80cbb3c316ab7d4dc8cd5c2852ce upstream.
Before 98f4c651762c, we returned zeros for unopened channels.
With 98f4c651762c, we started to return random on-stack values.
We'd better return -EINVAL instead.
Fixes: 98f4c651762c ("hv: move ringbuffer bus attributes to dev_groups")
Cc: sta...@vger.kernel.org
Cc: K. Y. Srinivasan
Cc: Haiyang Zhang
Cc: Stephen Hemminger
Signed-off-by: Dexuan Cui
Signed-off-by: Sasha Levin
Signed-off-by: Greg Kroah-Hartman
---
drivers/hv/vmbus_drv.c | 20
1 file changed, 20 insertions(+)
--- a/drivers/hv/vmbus_drv.c
+++ b/drivers/hv/vmbus_drv.c
@@ -300,6 +300,8 @@ static ssize_t out_intr_mask_show(struct
if (!hv_dev->channel)
return -ENODEV;
+ if (hv_dev->channel->state != CHANNEL_OPENED_STATE)
+ return -EINVAL;
hv_ringbuffer_get_debuginfo(_dev->channel->outbound, );
return sprintf(buf, "%d\n", outbound.current_interrupt_mask);
}
@@ -313,6 +315,8 @@ static ssize_t out_read_index_show(struc
if (!hv_dev->channel)
return -ENODEV;
+ if (hv_dev->channel->state != CHANNEL_OPENED_STATE)
+ return -EINVAL;
hv_ringbuffer_get_debuginfo(_dev->channel->outbound, );
return sprintf(buf, "%d\n", outbound.current_read_index);
}
@@ -327,6 +331,8 @@ static ssize_t out_write_index_show(stru
if (!hv_dev->channel)
return -ENODEV;
+ if (hv_dev->channel->state != CHANNEL_OPENED_STATE)
+ return -EINVAL;
hv_ringbuffer_get_debuginfo(_dev->channel->outbound, );
return sprintf(buf, "%d\n", outbound.current_write_index);
}
@@ -341,6 +347,8 @@ static ssize_t out_read_bytes_avail_show
if (!hv_dev->channel)
return -ENODEV;
+ if (hv_dev->channel->state != CHANNEL_OPENED_STATE)
+ return -EINVAL;
hv_ringbuffer_get_debuginfo(_dev->channel->outbound, );
return sprintf(buf, "%d\n", outbound.bytes_avail_toread);
}
@@ -355,6 +363,8 @@ static ssize_t out_write_bytes_avail_sho
if (!hv_dev->channel)
return -ENODEV;
+ if (hv_dev->channel->state != CHANNEL_OPENED_STATE)
+ return -EINVAL;
hv_ringbuffer_get_debuginfo(_dev->channel->outbound, );
return sprintf(buf, "%d\n", outbound.bytes_avail_towrite);
}
@@ -368,6 +378,8 @@ static ssize_t in_intr_mask_show(struct
if (!hv_dev->channel)
return -ENODEV;
+ if (hv_dev->channel->state != CHANNEL_OPENED_STATE)
+ return -EINVAL;
hv_ringbuffer_get_debuginfo(_dev->channel->inbound, );
return sprintf(buf, "%d\n", inbound.current_interrupt_mask);
}
@@ -381,6 +393,8 @@ static ssize_t in_read_index_show(struct
if (!hv_dev->channel)
return -ENODEV;
+ if (hv_dev->channel->state != CHANNEL_OPENED_STATE)
+ return -EINVAL;
hv_ringbuffer_get_debuginfo(_dev->channel->inbound, );
return sprintf(buf, "%d\n", inbound.current_read_index);
}
@@ -394,6 +408,8 @@ static ssize_t in_write_index_show(struc
if (!hv_dev->channel)
return -ENODEV;
+ if (hv_dev->channel->state != CHANNEL_OPENED_STATE)
+ return -EINVAL;
hv_ringbuffer_get_debuginfo(_dev->channel->inbound, );
return sprintf(buf, "%d\n", inbound.current_write_index);
}
@@ -408,6 +424,8 @@ static ssize_t in_read_bytes_avail_show(
if (!hv_dev->channel)
return -ENODEV;
+ if (hv_dev->channel->state != CHANNEL_OPENED_STATE)
+ return -EINVAL;
hv_ringbuffer_get_debuginfo(_dev->channel->inbound, );
return sprintf(buf, "%d\n", inbound.bytes_avail_toread);
}
@@ -422,6 +440,8 @@ static ssize_t in_write_bytes_avail_show
if (!hv_dev->channel)
return -ENODEV;
+ if (hv_dev->channel->state != CHANNEL_OPENED_STATE)
+ return -EINVAL;
hv_ringbuffer_get_debuginfo(_dev->channel->inbound, );
return sprintf(buf, "%d\n", inbound.bytes_avail_towrite);
}
Re: [PATCH v1 1/2] drm/fb-helper: Bring back workaround for bugs of SDL 1.2
On Fri, Dec 28, 2018 at 04:13:07AM +0500, Ivan Mironov wrote:
> SDL 1.2 sets all fields related to the pixel format to zero in some
> cases[1]. Prior to commit db05c48197759 ("drm: fb-helper: Reject all
> pixel format changing requests"), there was an unintentional workaround
> for this that existed for more than a decade. First in device-specific DRM
> drivers, then here in drm_fb_helper.c.
>
> Previous code containing this workaround just ignores pixel format fields
> from userspace code. Not a good thing either, as this way, driver may
> silently use pixel format different from what client actually requested,
> and this in turn will lead to displaying garbage on the screen. I think
> that returning EINVAL to userspace in this particular case is the right
> option, so I decided to left code from problematic commit untouched
> instead of just reverting it entirely.
>
> Here is the steps required to reproduce this problem exactly:
> 1) Compile fceux[2] with SDL 1.2.15 and without GTK or OpenGL
> support. SDL should be compiled with fbdev support (which is
> on by default).
> 2) Create /etc/fb.modes with following contents (values seems
> not used, and just required to trigger problematic code in
> SDL):
>
> mode "test"
> geometry 1 1 1 1 1
> timings 1 1 1 1 1 1 1
> endmode
>
> 3) Create ~/.fceux/fceux.cfg with following contents:
>
> SDL.Hotkeys.Quit = 27
> SDL.DoubleBuffering = 1
>
> 4) Ensure that screen resolution is at least 1280x960 (e.g.
> append "video=Virtual-1:1280x960-32" to the kernel cmdline
> for qemu/QXL).
>
> 5) Try to run fceux on VT with some ROM file[3]:
>
> # ./fceux color_test.nes
>
> [1] SDL 1.2.15 source code, src/video/fbcon/SDL_fbvideo.c,
> FB_SetVideoMode()
> [2] http://www.fceux.com
> [3] Example ROM:
> https://github.com/bokuweb/rustynes/blob/master/roms/color_test.nes
>
> Reported-by: saahriktu
> Suggested-by: saahriktu
> Cc: sta...@vger.kernel.org
> Fixes: db05c48197759 ("drm: fb-helper: Reject all pixel format changing
> requests")
> Signed-off-by: Ivan Mironov
> ---
> drivers/gpu/drm/drm_fb_helper.c | 146
> 1 file changed, 93 insertions(+), 53 deletions(-)
>
> diff --git a/drivers/gpu/drm/drm_fb_helper.c b/drivers/gpu/drm/drm_fb_helper.c
> index d3af098b0922..aff576c3c4fb 100644
> --- a/drivers/gpu/drm/drm_fb_helper.c
> +++ b/drivers/gpu/drm/drm_fb_helper.c
> @@ -1621,6 +1621,64 @@ static bool drm_fb_pixel_format_equal(const struct
> fb_var_screeninfo *var_1,
> var_1->transp.msb_right == var_2->transp.msb_right;
> }
>
> +static void drm_fb_helper_fill_pixel_fmt(struct fb_var_screeninfo *var,
> + u8 depth)
> +{
> + switch (depth) {
> + case 8:
> + var->red.offset = 0;
> + var->green.offset = 0;
> + var->blue.offset = 0;
> + var->red.length = 8; /* 8bit DAC */
> + var->green.length = 8;
> + var->blue.length = 8;
> + var->transp.offset = 0;
> + var->transp.length = 0;
> + break;
> + case 15:
> + var->red.offset = 10;
> + var->green.offset = 5;
> + var->blue.offset = 0;
> + var->red.length = 5;
> + var->green.length = 5;
> + var->blue.length = 5;
> + var->transp.offset = 15;
> + var->transp.length = 1;
> + break;
> + case 16:
> + var->red.offset = 11;
> + var->green.offset = 5;
> + var->blue.offset = 0;
> + var->red.length = 5;
> + var->green.length = 6;
> + var->blue.length = 5;
> + var->transp.offset = 0;
> + break;
> + case 24:
> + var->red.offset = 16;
> + var->green.offset = 8;
> + var->blue.offset = 0;
> + var->red.length = 8;
> + var->green.length = 8;
> + var->blue.length = 8;
> + var->transp.offset = 0;
> + var->transp.length = 0;
> + break;
> + case 32:
> + var->red.offset = 16;
> + var->green.offset = 8;
> + var->blue.offset = 0;
> + var->red.length = 8;
> + var->green.length = 8;
> + var->blue.length = 8;
> + var->transp.offset = 24;
> + var->transp.length = 8;
> + break;
> + default:
> + break;
> + }
> +}
> +
> /**
> * drm_fb_helper_check_var - implementation for _ops.fb_check_var
> * @var: screeninfo to check
> @@ -1654,6 +1712,40 @@ int drm_fb_helper_check_var(struct fb_var_screeninfo
> *var,
> return -EINVAL;
> }
>
> + /*
> + * Workaround for SDL 1.2, which is known to be
[PATCH 4.14 04/36] ubifs: Fix directory size calculation for symlinks
4.14-stable review patch. If anyone has any objections, please let me know.
--
commit 00ee8b60102862f4daf0814d12a2ea2744fc0b9b upstream
We have to account the name of the symlink and not the target length.
Fixes: ca7f85be8d6c ("ubifs: Add support for encrypted symlinks")
Cc:
Signed-off-by: Richard Weinberger
Signed-off-by: Sudip Mukherjee
Signed-off-by: Sasha Levin
---
fs/ubifs/dir.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/fs/ubifs/dir.c b/fs/ubifs/dir.c
index ef820f803176..4e6e32c0c08a 100644
--- a/fs/ubifs/dir.c
+++ b/fs/ubifs/dir.c
@@ -1147,8 +1147,7 @@ static int ubifs_symlink(struct inode *dir, struct dentry
*dentry,
struct ubifs_inode *ui;
struct ubifs_inode *dir_ui = ubifs_inode(dir);
struct ubifs_info *c = dir->i_sb->s_fs_info;
- int err, len = strlen(symname);
- int sz_change = CALC_DENT_SIZE(len);
+ int err, sz_change, len = strlen(symname);
struct fscrypt_str disk_link = FSTR_INIT((char *)symname, len + 1);
struct fscrypt_symlink_data *sd = NULL;
struct ubifs_budget_req req = { .new_ino = 1, .new_dent = 1,
@@ -1189,6 +1188,8 @@ static int ubifs_symlink(struct inode *dir, struct dentry
*dentry,
if (err)
goto out_budg;
+ sz_change = CALC_DENT_SIZE(fname_len());
+
inode = ubifs_new_inode(c, dir, S_IFLNK | S_IRWXUGO);
if (IS_ERR(inode)) {
err = PTR_ERR(inode);
--
2.19.1
[PATCH 4.14 01/36] block: break discard submissions into the user defined size
4.14-stable review patch. If anyone has any objections, please let me know. -- [ Upstream commit af097f5d199e2aa3ab3ef777f0716e487b8f7b08 ] Don't build discards bigger than what the user asked for, if the user decided to limit the size by writing to 'discard_max_bytes'. Reviewed-by: Darrick J. Wong Reviewed-by: Omar Sandoval Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin --- block/blk-lib.c | 12 +--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/block/blk-lib.c b/block/blk-lib.c index 2bc544ce3d2e..53a45663e688 100644 --- a/block/blk-lib.c +++ b/block/blk-lib.c @@ -59,10 +59,16 @@ int __blkdev_issue_discard(struct block_device *bdev, sector_t sector, unsigned int req_sects; sector_t end_sect, tmp; - /* Make sure bi_size doesn't overflow */ - req_sects = min_t(sector_t, nr_sects, UINT_MAX >> 9); + /* +* Issue in chunks of the user defined max discard setting, +* ensuring that bi_size doesn't overflow +*/ + req_sects = min_t(sector_t, nr_sects, + q->limits.max_discard_sectors); + if (req_sects > UINT_MAX >> 9) + req_sects = UINT_MAX >> 9; - /** + /* * If splitting a request, and the next starting sector would be * misaligned, stop the discard at the previous aligned sector. */ -- 2.19.1
[PATCH 4.14 09/36] xhci: Dont prevent USB2 bus suspend in state check intended for USB3 only
4.14-stable review patch. If anyone has any objections, please let me know.
--
From: Mathias Nyman
commit 45f750c16cae3625014c14c77bd9005eda975d35 upstream.
The code to prevent a bus suspend if a USB3 port was still in link training
also reacted to USB2 port polling state.
This caused bus suspend to busyloop in some cases.
USB2 polling state is different from USB3, and should not prevent bus
suspend.
Limit the USB3 link training state check to USB3 root hub ports only.
The origial commit went to stable so this need to be applied there as well
Fixes: 2f31a67f01a8 ("usb: xhci: Prevent bus suspend if a port connect change
or polling state is detected")
Cc: sta...@vger.kernel.org
Signed-off-by: Mathias Nyman
Signed-off-by: Greg Kroah-Hartman
---
drivers/usb/host/xhci-hub.c |3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/usb/host/xhci-hub.c
+++ b/drivers/usb/host/xhci-hub.c
@@ -1512,7 +1512,8 @@ int xhci_bus_suspend(struct usb_hcd *hcd
portsc_buf[port_index] = 0;
/* Bail out if a USB3 port has a new device in link training */
- if ((t1 & PORT_PLS_MASK) == XDEV_POLLING) {
+ if ((hcd->speed >= HCD_USB3) &&
+ (t1 & PORT_PLS_MASK) == XDEV_POLLING) {
bus_state->bus_suspended = 0;
spin_unlock_irqrestore(>lock, flags);
xhci_dbg(xhci, "Bus suspend bailout, port in
polling\n");
[PATCH 4.14 14/36] USB: serial: option: add Fibocom NL668 series
4.14-stable review patch. If anyone has any objections, please let me know.
--
From: Jörgen Storvist
commit 30360224441ce89a98ed627861e735beb4010775 upstream.
Added USB serial option driver support for Fibocom NL668 series cellular
modules. Reserved USB endpoints 4, 5 and 6 for network + ADB interfaces.
usb-devices output (QMI mode)
T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 16 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=1508 ProdID=1001 Rev=03.18
S: Manufacturer=Nodecom NL668 Modem
S: Product=Nodecom NL668-CN Modem
S: SerialNumber=
C: #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
I: If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
usb-devices output (ECM mode)
T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 17 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=1508 ProdID=1001 Rev=03.18
S: Manufacturer=Nodecom NL668 Modem
S: Product=Nodecom NL668-CN Modem
S: SerialNumber=
C: #Ifs= 7 Cfg#= 1 Atr=a0 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I: If#= 4 Alt= 0 #EPs= 1 Cls=02(commc) Sub=06 Prot=00 Driver=cdc_ether
I: If#= 5 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether
I: If#= 6 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
Signed-off-by: Jörgen Storvist
Cc: stable
Signed-off-by: Johan Hovold
Signed-off-by: Greg Kroah-Hartman
---
drivers/usb/serial/option.c |2 ++
1 file changed, 2 insertions(+)
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -1951,6 +1951,8 @@ static const struct usb_device_id option
{ USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x13) },
{ USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x14) },
{ USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x1b) },
+ { USB_DEVICE(0x1508, 0x1001),
/* Fibocom NL668 */
+ .driver_info = RSVD(4) | RSVD(5) | RSVD(6) },
{ } /* Terminating entry */
};
MODULE_DEVICE_TABLE(usb, option_ids);
[PATCH 4.14 03/36] ASoC: sta32x: set ->component pointer in private struct
4.14-stable review patch. If anyone has any objections, please let me know.
--
commit 747df19747bc9752cd40b9cce761e17a033aa5c2 upstream
The ESD watchdog code in sta32x_watchdog() dereferences the pointer
which is never assigned.
This is a regression from a1be4cead9b950 ("ASoC: sta32x: Convert to direct
regmap API usage.") which went unnoticed since nobody seems to use that ESD
workaround.
Fixes: a1be4cead9b950 ("ASoC: sta32x: Convert to direct regmap API usage.")
Signed-off-by: Daniel Mack
Signed-off-by: Mark Brown
Cc: sta...@vger.kernel.org
Signed-off-by: Sudip Mukherjee
Signed-off-by: Sasha Levin
---
sound/soc/codecs/sta32x.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/sound/soc/codecs/sta32x.c b/sound/soc/codecs/sta32x.c
index 5b888476d9ff..b728140c79a9 100644
--- a/sound/soc/codecs/sta32x.c
+++ b/sound/soc/codecs/sta32x.c
@@ -879,6 +879,9 @@ static int sta32x_probe(struct snd_soc_codec *codec)
struct sta32x_priv *sta32x = snd_soc_codec_get_drvdata(codec);
struct sta32x_platform_data *pdata = sta32x->pdata;
int i, ret = 0, thermal = 0;
+
+ sta32x->codec = codec;
+
ret = regulator_bulk_enable(ARRAY_SIZE(sta32x->supplies),
sta32x->supplies);
if (ret != 0) {
--
2.19.1
[PATCH 4.14 05/36] ib_srpt: Fix a use-after-free in __srpt_close_all_ch()
4.14-stable review patch. If anyone has any objections, please let me know.
--
commit 14d15c2b278011056482eb015dff89f9cbf2b841 upstream
BUG: KASAN: use-after-free in srpt_set_enabled+0x1a9/0x1e0 [ib_srpt]
Read of size 4 at addr 8801269d23f8 by task check/29726
CPU: 4 PID: 29726 Comm: check Not tainted 4.18.0-rc2-dbg+ #4
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
1.0.0-prebuilt.qemu-project.org 04/01/2014
Call Trace:
dump_stack+0xa4/0xf5
print_address_description+0x6f/0x270
kasan_report+0x241/0x360
__asan_load4+0x78/0x80
srpt_set_enabled+0x1a9/0x1e0 [ib_srpt]
srpt_tpg_enable_store+0xb8/0x120 [ib_srpt]
configfs_write_file+0x14e/0x1d0 [configfs]
__vfs_write+0xd2/0x3b0
vfs_write+0x101/0x270
ksys_write+0xab/0x120
__x64_sys_write+0x43/0x50
do_syscall_64+0x77/0x230
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7f235cfe6154
Fixes: aaf45bd83eba ("IB/srpt: Detect session shutdown reliably")
Signed-off-by: Bart Van Assche
Cc:
Signed-off-by: Jason Gunthorpe
Signed-off-by: Sudip Mukherjee
Signed-off-by: Sasha Levin
---
drivers/infiniband/ulp/srpt/ib_srpt.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/infiniband/ulp/srpt/ib_srpt.c
b/drivers/infiniband/ulp/srpt/ib_srpt.c
index 60105ba77889..47f3f562d86f 100644
--- a/drivers/infiniband/ulp/srpt/ib_srpt.c
+++ b/drivers/infiniband/ulp/srpt/ib_srpt.c
@@ -1775,8 +1775,8 @@ static void __srpt_close_all_ch(struct srpt_device *sdev)
list_for_each_entry(ch, >rch_list, list) {
if (srpt_disconnect_ch(ch) >= 0)
- pr_info("Closing channel %s-%d because target %s has
been disabled\n",
- ch->sess_name, ch->qp->qp_num,
+ pr_info("Closing channel %s because target %s has been
disabled\n",
+ ch->sess_name,
sdev->device->name);
srpt_close_ch(ch);
}
--
2.19.1
[PATCH 4.14 10/36] USB: xhci: fix broken_suspend placement in struct xchi_hcd
4.14-stable review patch. If anyone has any objections, please let me know.
--
From: Nicolas Saenz Julienne
commit 2419f30a4a4fcaa5f35111563b4c61f1b2b26841 upstream.
As commented in the struct's definition there shouldn't be anything
underneath its 'priv[0]' member as it would break some macros.
The patch converts the broken_suspend into a bit-field and relocates it
next to to the rest of bit-fields.
Fixes: a7d57abcc8a5 ("xhci: workaround CSS timeout on AMD SNPS 3.0 xHC")
Reported-by: Oliver Neukum
Signed-off-by: Nicolas Saenz Julienne
Acked-by: Mathias Nyman
Cc: stable
Signed-off-by: Greg Kroah-Hartman
---
drivers/usb/host/xhci.h |4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/usb/host/xhci.h
+++ b/drivers/usb/host/xhci.h
@@ -1859,6 +1859,8 @@ struct xhci_hcd {
unsignedsw_lpm_support:1;
/* support xHCI 1.0 spec USB2 hardware LPM */
unsignedhw_lpm_support:1;
+ /* Broken Suspend flag for SNPS Suspend resume issue */
+ unsignedbroken_suspend:1;
/* cached usb2 extened protocol capabilites */
u32 *ext_caps;
unsigned intnum_ext_caps;
@@ -1871,8 +1873,6 @@ struct xhci_hcd {
/* platform-specific data -- must come last */
unsigned long priv[0] __aligned(sizeof(s64));
- /* Broken Suspend flag for SNPS Suspend resume issue */
- u8 broken_suspend;
};
/* Platform specific overrides to generic XHCI hc_driver ops */
[PATCH 4.19 00/46] 4.19.13-stable review
This is the start of the stable review cycle for the 4.19.13 release. There are 46 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sun Dec 30 11:30:49 UTC 2018. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.13-rc1.gz or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y and the diffstat can be found below. thanks, greg k-h - Pseudo-Shortlog of commits: Greg Kroah-Hartman Linux 4.19.13-rc1 Gustavo A. R. Silva drm/ioctl: Fix Spectre v1 vulnerabilities Ivan Delalande proc/sysctl: don't return ENOMEM on lookup when a table is unregistering Benjamin Tissoires Input: elantech - disable elan-i2c for P52 and P72 Roman Gushchin mm: don't miss the last page because of round-off error Oscar Salvador mm, page_alloc: fix has_unmovable_pages for HugePages Peter Xu mm: thp: fix flags for pmd migration when split Mikhail Zaslonko mm, memory_hotplug: initialize struct pages for the full memory section Jacopo Mondi media: ov5640: Fix set format regression Ihab Zhaika iwlwifi: add new cards for 9560, 9462, 9461 and killer series Brian Norris Revert "mwifiex: restructure rx_reorder_tbl_lock usage" Emmanuel Grumbach iwlwifi: mvm: don't send GEO_TX_POWER_LIMIT to old firmwares Larry Finger rtlwifi: Fix leak of skb when processing C2H_BT_INFO Mathias Krause xfrm_user: fix freeing of xfrm states on acquire Martin Schwidefsky mm: introduce mm_[p4d|pud|pmd]_folded Martin Schwidefsky mm: make the __PAGETABLE_PxD_FOLDED defines non-empty Martin Schwidefsky mm: add mm_pxd_folded checks to pgtable_bytes accounting functions Sergey Senozhatsky panic: avoid deadlocks in re-entrant console drivers Reinette Chatre x86/intel_rdt: Ensure a CPU remains online for the region's pseudo-locking sequence Alistair Strachan x86/vdso: Pass --eh-frame-hdr to the linker Dan Williams x86/mm: Fix decoy address handling vs 32-bit builds Colin Ian King x86/mtrr: Don't copy uninitialized gentry fields back to userspace Thomas Gleixner futex: Cure exit race Dexuan Cui Drivers: hv: vmbus: Return -EINVAL for the sys files for unopened channels Cfir Cohen KVM: Fix UAF in nested posted interrupt processing Eduardo Habkost kvm: x86: Add AMD's EX_CFG to the list of ignored MSRs Wanpeng Li KVM: X86: Fix NULL deref in vcpu_scan_ioapic Thomas Gleixner posix-timers: Fix division by zero bug Hans de Goede gpiolib-acpi: Only defer request_irq for GpioInt ACPI event handlers Christophe Leroy gpio: max7301: fix driver for use with CONFIG_VMAP_STACK Russell King mmc: omap_hsmmc: fix DMA API warning Ulf Hansson mmc: core: Use a minimum 1600ms timeout when enabling CACHE ctrl Ulf Hansson mmc: core: Allow BKOPS and CACHE ctrl even if no HPI support Ulf Hansson mmc: core: Reset HPI enabled state during re-init and in case of errors Jens Axboe scsi: sd: use mempool for discard special page Martin K. Petersen scsi: t10-pi: Return correct ref tag when queue has no integrity profile Richard Weinberger ubifs: Handle re-linking of inodes correctly while recovery Jörgen Storvist USB: serial: option: add Telit LN940 series Jörgen Storvist USB: serial: option: add Fibocom NL668 series Jörgen Storvist USB: serial: option: add Simcom SIM7500/SIM7600 (MBIM mode) Tore Anderson USB: serial: option: add HP lt4132 Jörgen Storvist USB: serial: option: add GosunCn ZTE WeLink ME3630 Nicolas Saenz Julienne USB: xhci: fix 'broken_suspend' placement in struct xchi_hcd Mathias Nyman xhci: Don't prevent USB2 bus suspend in state check intended for USB3 only Hui Peng USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data Christian Brauner Revert "vfs: Allow userns root to call mknod on owned filesystems." Dave Chinner iomap: Revert "fs/iomap.c: get/put the page in iomap_page_create/release()" - Diffstat: Makefile | 4 +- arch/arm/include/asm/pgtable-2level.h | 2 +- arch/m68k/include/asm/pgtable_mm.h | 4 +- arch/microblaze/include/asm/pgtable.h | 2 +- arch/nds32/include/asm/pgtable.h | 2 +- arch/parisc/include/asm/pgtable.h | 2 +- arch/x86/entry/vdso/Makefile | 3 +- arch/x86/include/asm/msr-index.h | 1 + arch/x86/kernel/cpu/intel_rdt_ctrlmondata.c| 4 + arch/x86/kernel/cpu/mtrr/if.c | 2 + arch/x86/kvm/vmx.c
[PATCH 4.19 43/46] mm: dont miss the last page because of round-off error
4.19-stable review patch. If anyone has any objections, please let me know.
--
From: Roman Gushchin
commit 68600f623d69da428c6163275f97ca126e1a8ec5 upstream.
I've noticed, that dying memory cgroups are often pinned in memory by a
single pagecache page. Even under moderate memory pressure they sometimes
stayed in such state for a long time. That looked strange.
My investigation showed that the problem is caused by applying the LRU
pressure balancing math:
scan = div64_u64(scan * fraction[lru], denominator),
where
denominator = fraction[anon] + fraction[file] + 1.
Because fraction[lru] is always less than denominator, if the initial scan
size is 1, the result is always 0.
This means the last page is not scanned and has
no chances to be reclaimed.
Fix this by rounding up the result of the division.
In practice this change significantly improves the speed of dying cgroups
reclaim.
[g...@fb.com: prevent double calculation of DIV64_U64_ROUND_UP() arguments]
Link: http://lkml.kernel.org/r/20180829213311.GA13501@castle
Link: http://lkml.kernel.org/r/20180827162621.30187-3-g...@fb.com
Signed-off-by: Roman Gushchin
Reviewed-by: Andrew Morton
Cc: Johannes Weiner
Cc: Michal Hocko
Cc: Tejun Heo
Cc: Rik van Riel
Cc: Konstantin Khlebnikov
Cc: Matthew Wilcox
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
Signed-off-by: Greg Kroah-Hartman
---
include/linux/math64.h |3 +++
mm/vmscan.c|6 --
2 files changed, 7 insertions(+), 2 deletions(-)
--- a/include/linux/math64.h
+++ b/include/linux/math64.h
@@ -281,4 +281,7 @@ static inline u64 mul_u64_u32_div(u64 a,
}
#endif /* mul_u64_u32_div */
+#define DIV64_U64_ROUND_UP(ll, d) \
+ ({ u64 _tmp = (d); div64_u64((ll) + _tmp - 1, _tmp); })
+
#endif /* _LINUX_MATH64_H */
--- a/mm/vmscan.c
+++ b/mm/vmscan.c
@@ -2456,9 +2456,11 @@ out:
/*
* Scan types proportional to swappiness and
* their relative recent reclaim efficiency.
+* Make sure we don't miss the last page
+* because of a round-off error.
*/
- scan = div64_u64(scan * fraction[file],
-denominator);
+ scan = DIV64_U64_ROUND_UP(scan * fraction[file],
+ denominator);
break;
case SCAN_FILE:
case SCAN_ANON:
[PATCH 4.19 40/46] mm, memory_hotplug: initialize struct pages for the full memory section
4.19-stable review patch. If anyone has any objections, please let me know.
--
From: Mikhail Zaslonko
commit 2830bf6f05fb3e05bc4743274b806c821807a684 upstream.
If memory end is not aligned with the sparse memory section boundary,
the mapping of such a section is only partly initialized. This may lead
to VM_BUG_ON due to uninitialized struct page access from
is_mem_section_removable() or test_pages_in_a_zone() function triggered
by memory_hotplug sysfs handlers:
Here are the the panic examples:
CONFIG_DEBUG_VM=y
CONFIG_DEBUG_VM_PGFLAGS=y
kernel parameter mem=2050M
--
page:03d082008000 is uninitialized and poisoned
page dumped because: VM_BUG_ON_PAGE(PagePoisoned(p))
Call Trace:
( test_pages_in_a_zone+0xde/0x160)
show_valid_zones+0x5c/0x190
dev_attr_show+0x34/0x70
sysfs_kf_seq_show+0xc8/0x148
seq_read+0x204/0x480
__vfs_read+0x32/0x178
vfs_read+0x82/0x138
ksys_read+0x5a/0xb0
system_call+0xdc/0x2d8
Last Breaking-Event-Address:
test_pages_in_a_zone+0xde/0x160
Kernel panic - not syncing: Fatal exception: panic_on_oops
kernel parameter mem=3075M
--
page:03d08300c000 is uninitialized and poisoned
page dumped because: VM_BUG_ON_PAGE(PagePoisoned(p))
Call Trace:
( is_mem_section_removable+0xb4/0x190)
show_mem_removable+0x9a/0xd8
dev_attr_show+0x34/0x70
sysfs_kf_seq_show+0xc8/0x148
seq_read+0x204/0x480
__vfs_read+0x32/0x178
vfs_read+0x82/0x138
ksys_read+0x5a/0xb0
system_call+0xdc/0x2d8
Last Breaking-Event-Address:
is_mem_section_removable+0xb4/0x190
Kernel panic - not syncing: Fatal exception: panic_on_oops
Fix the problem by initializing the last memory section of each zone in
memmap_init_zone() till the very end, even if it goes beyond the zone end.
Michal said:
: This has alwways been problem AFAIU. It just went unnoticed because we
: have zeroed memmaps during allocation before f7f99100d8d9 ("mm: stop
: zeroing memory during allocation in vmemmap") and so the above test
: would simply skip these ranges as belonging to zone 0 or provided a
: garbage.
:
: So I guess we do care for post f7f99100d8d9 kernels mostly and
: therefore Fixes: f7f99100d8d9 ("mm: stop zeroing memory during
: allocation in vmemmap")
Link: http://lkml.kernel.org/r/20181212172712.34019-2-zaslo...@linux.ibm.com
Fixes: f7f99100d8d9 ("mm: stop zeroing memory during allocation in vmemmap")
Signed-off-by: Mikhail Zaslonko
Reviewed-by: Gerald Schaefer
Suggested-by: Michal Hocko
Acked-by: Michal Hocko
Reported-by: Mikhail Gavrilov
Tested-by: Mikhail Gavrilov
Cc: Dave Hansen
Cc: Alexander Duyck
Cc: Pasha Tatashin
Cc: Martin Schwidefsky
Cc: Heiko Carstens
Cc:
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
Signed-off-by: Greg Kroah-Hartman
---
mm/page_alloc.c | 12
1 file changed, 12 insertions(+)
--- a/mm/page_alloc.c
+++ b/mm/page_alloc.c
@@ -5538,6 +5538,18 @@ not_early:
cond_resched();
}
}
+#ifdef CONFIG_SPARSEMEM
+ /*
+* If the zone does not span the rest of the section then
+* we should at least initialize those pages. Otherwise we
+* could blow up on a poisoned page in some paths which depend
+* on full sections being initialized (e.g. memory hotplug).
+*/
+ while (end_pfn % PAGES_PER_SECTION) {
+ __init_single_page(pfn_to_page(end_pfn), end_pfn, zone, nid);
+ end_pfn++;
+ }
+#endif
}
static void __meminit zone_init_free_lists(struct zone *zone)
[PATCH 4.14 12/36] USB: serial: option: add HP lt4132
4.14-stable review patch. If anyone has any objections, please let me know.
--
From: Tore Anderson
commit d57ec3c83b5153217a70b561d4fb6ed96f2f7a25 upstream.
The HP lt4132 is a rebranded Huawei ME906s-158 LTE modem.
The interface with protocol 0x16 is "CDC ECM & NCM" according to the *.inf
files included with the Windows driver. Attaching the option driver to it
doesn't result in a /dev/ttyUSB* device being created, so I've excluded it.
Note that it is also excluded for corresponding Huawei-branded devices, cf.
commit d544db293a44 ("USB: support new huawei devices in option.c").
T: Bus=01 Lev=01 Prnt=01 Port=02 Cnt=02 Dev#= 3 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=ff MxPS=64 #Cfgs= 3
P: Vendor=03f0 ProdID=a31d Rev=01.02
S: Manufacturer=HP Inc.
S: Product=HP lt4132 LTE/HSPA+ 4G Module
S: SerialNumber=0123456789ABCDEF
C: #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=2mA
I: If#=0x0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=06 Prot=10 Driver=option
I: If#=0x1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=06 Prot=13 Driver=option
I: If#=0x2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=06 Prot=12 Driver=option
I: If#=0x3 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=06 Prot=16 Driver=(none)
I: If#=0x4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=06 Prot=14 Driver=option
I: If#=0x5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=06 Prot=1b Driver=option
T: Bus=01 Lev=01 Prnt=01 Port=02 Cnt=02 Dev#= 3 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=ff MxPS=64 #Cfgs= 3
P: Vendor=03f0 ProdID=a31d Rev=01.02
S: Manufacturer=HP Inc.
S: Product=HP lt4132 LTE/HSPA+ 4G Module
S: SerialNumber=0123456789ABCDEF
C: #Ifs= 7 Cfg#= 2 Atr=a0 MxPwr=2mA
I: If#=0x0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=06 Prot=00 Driver=cdc_ether
I: If#=0x1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=06 Prot=00 Driver=cdc_ether
I: If#=0x2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=06 Prot=10 Driver=option
I: If#=0x3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=06 Prot=13 Driver=option
I: If#=0x4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=06 Prot=12 Driver=option
I: If#=0x5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=06 Prot=14 Driver=option
I: If#=0x6 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=06 Prot=1b Driver=option
T: Bus=01 Lev=01 Prnt=01 Port=02 Cnt=02 Dev#= 3 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=ff MxPS=64 #Cfgs= 3
P: Vendor=03f0 ProdID=a31d Rev=01.02
S: Manufacturer=HP Inc.
S: Product=HP lt4132 LTE/HSPA+ 4G Module
S: SerialNumber=0123456789ABCDEF
C: #Ifs= 3 Cfg#= 3 Atr=a0 MxPwr=2mA
I: If#=0x0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim
I: If#=0x1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
I: If#=0x2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=06 Prot=14 Driver=option
Signed-off-by: Tore Anderson
Cc: sta...@vger.kernel.org
[ johan: drop id defines ]
Signed-off-by: Johan Hovold
Signed-off-by: Greg Kroah-Hartman
---
drivers/usb/serial/option.c |7 ++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -1944,7 +1944,12 @@ static const struct usb_device_id option
{ USB_DEVICE_AND_INTERFACE_INFO(WETELECOM_VENDOR_ID,
WETELECOM_PRODUCT_WMD200, 0xff, 0xff, 0xff) },
{ USB_DEVICE_AND_INTERFACE_INFO(WETELECOM_VENDOR_ID,
WETELECOM_PRODUCT_6802, 0xff, 0xff, 0xff) },
{ USB_DEVICE_AND_INTERFACE_INFO(WETELECOM_VENDOR_ID,
WETELECOM_PRODUCT_WMD300, 0xff, 0xff, 0xff) },
- { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0x421d, 0xff, 0xff, 0xff) }, /*
HP lt2523 (Novatel E371) */
+ { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0x421d, 0xff, 0xff, 0xff) },
/* HP lt2523 (Novatel E371) */
+ { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x10) },
/* HP lt4132 (Huawei ME906s-158) */
+ { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x12) },
+ { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x13) },
+ { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x14) },
+ { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x1b) },
{ } /* Terminating entry */
};
MODULE_DEVICE_TABLE(usb, option_ids);
[PATCH 4.19 41/46] mm: thp: fix flags for pmd migration when split
4.19-stable review patch. If anyone has any objections, please let me know.
--
From: Peter Xu
commit 2e83ee1d8694a61d0d95a5b694f2e61e8dde8627 upstream.
When splitting a huge migrating PMD, we'll transfer all the existing PMD
bits and apply them again onto the small PTEs. However we are fetching
the bits unconditionally via pmd_soft_dirty(), pmd_write() or
pmd_yound() while actually they don't make sense at all when it's a
migration entry. Fix them up. Since at it, drop the ifdef together as
not needed.
Note that if my understanding is correct about the problem then if
without the patch there is chance to lose some of the dirty bits in the
migrating pmd pages (on x86_64 we're fetching bit 11 which is part of
swap offset instead of bit 2) and it could potentially corrupt the
memory of an userspace program which depends on the dirty bit.
Link: http://lkml.kernel.org/r/20181213051510.20306-1-pet...@redhat.com
Signed-off-by: Peter Xu
Reviewed-by: Konstantin Khlebnikov
Reviewed-by: William Kucharski
Acked-by: Kirill A. Shutemov
Cc: Andrea Arcangeli
Cc: Matthew Wilcox
Cc: Michal Hocko
Cc: Dave Jiang
Cc: "Aneesh Kumar K.V"
Cc: Souptick Joarder
Cc: Konstantin Khlebnikov
Cc: Zi Yan
Cc: [4.14+]
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
Signed-off-by: Greg Kroah-Hartman
---
mm/huge_memory.c | 20 +++-
1 file changed, 11 insertions(+), 9 deletions(-)
--- a/mm/huge_memory.c
+++ b/mm/huge_memory.c
@@ -2127,23 +2127,25 @@ static void __split_huge_pmd_locked(stru
*/
old_pmd = pmdp_invalidate(vma, haddr, pmd);
-#ifdef CONFIG_ARCH_ENABLE_THP_MIGRATION
pmd_migration = is_pmd_migration_entry(old_pmd);
- if (pmd_migration) {
+ if (unlikely(pmd_migration)) {
swp_entry_t entry;
entry = pmd_to_swp_entry(old_pmd);
page = pfn_to_page(swp_offset(entry));
- } else
-#endif
+ write = is_write_migration_entry(entry);
+ young = false;
+ soft_dirty = pmd_swp_soft_dirty(old_pmd);
+ } else {
page = pmd_page(old_pmd);
+ if (pmd_dirty(old_pmd))
+ SetPageDirty(page);
+ write = pmd_write(old_pmd);
+ young = pmd_young(old_pmd);
+ soft_dirty = pmd_soft_dirty(old_pmd);
+ }
VM_BUG_ON_PAGE(!page_count(page), page);
page_ref_add(page, HPAGE_PMD_NR - 1);
- if (pmd_dirty(old_pmd))
- SetPageDirty(page);
- write = pmd_write(old_pmd);
- young = pmd_young(old_pmd);
- soft_dirty = pmd_soft_dirty(old_pmd);
/*
* Withdraw the table only after we mark the pmd entry invalid.
[PATCH 4.19 08/46] USB: serial: option: add Simcom SIM7500/SIM7600 (MBIM mode)
4.19-stable review patch. If anyone has any objections, please let me know.
--
From: Jörgen Storvist
commit cc6730df08a291e51e145bc65e24ffb5e2f17ab6 upstream.
Added USB serial option driver support for Simcom SIM7500/SIM7600 series
cellular modules exposing MBIM interface (VID 0x1e0e,PID 0x9003)
T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 14 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=1e0e ProdID=9003 Rev=03.18
S: Manufacturer=SimTech, Incorporated
S: Product=SimTech, Incorporated
S: SerialNumber=0123456789ABCDEF
C: #Ifs= 7 Cfg#= 1 Atr=a0 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I: If#= 5 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim
I: If#= 6 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
Signed-off-by: Jörgen Storvist
Cc: stable
Signed-off-by: Johan Hovold
Signed-off-by: Greg Kroah-Hartman
---
drivers/usb/serial/option.c |1 +
1 file changed, 1 insertion(+)
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -1760,6 +1760,7 @@ static const struct usb_device_id option
{ USB_DEVICE_AND_INTERFACE_INFO(ALINK_VENDOR_ID, ALINK_PRODUCT_3GU,
0xff, 0xff, 0xff) },
{ USB_DEVICE(ALINK_VENDOR_ID, SIMCOM_PRODUCT_SIM7100E),
.driver_info = RSVD(5) | RSVD(6) },
+ { USB_DEVICE_INTERFACE_CLASS(0x1e0e, 0x9003, 0xff) }, /* Simcom
SIM7500/SIM7600 MBIM mode */
{ USB_DEVICE(ALCATEL_VENDOR_ID, ALCATEL_PRODUCT_X060S_X200),
.driver_info = NCTRL(0) | NCTRL(1) | RSVD(4) },
{ USB_DEVICE(ALCATEL_VENDOR_ID, ALCATEL_PRODUCT_X220_X500D),
[PATCH 4.19 35/46] rtlwifi: Fix leak of skb when processing C2H_BT_INFO
4.19-stable review patch. If anyone has any objections, please let me know.
--
From: Larry Finger
commit 8cfa272b0d321160ebb5b45073e39ef0a6ad73f2 upstream.
With commit 0a9f8f0a1ba9 ("rtlwifi: fix btmpinfo timeout while processing
C2H_BT_INFO"), calling rtl_c2hcmd_enqueue() with rtl_c2h_fast_cmd() true,
the routine returns without freeing that skb, thereby leaking it.
This issue has been discussed at
https://github.com/lwfinger/rtlwifi_new/issues/401
and the fix tested there.
Fixes: 0a9f8f0a1ba9 ("rtlwifi: fix btmpinfo timeout while processing
C2H_BT_INFO")
Reported-and-tested-by: Francisco Machado Magalhães Neto
Cc: Francisco Machado Magalhães Neto
Cc: Ping-Ke Shih
Cc: Stable # 4.18+
Signed-off-by: Larry Finger
Signed-off-by: Kalle Valo
Signed-off-by: Greg Kroah-Hartman
---
drivers/net/wireless/realtek/rtlwifi/base.c |1 +
1 file changed, 1 insertion(+)
--- a/drivers/net/wireless/realtek/rtlwifi/base.c
+++ b/drivers/net/wireless/realtek/rtlwifi/base.c
@@ -2289,6 +2289,7 @@ void rtl_c2hcmd_enqueue(struct ieee80211
if (rtl_c2h_fast_cmd(hw, skb)) {
rtl_c2h_content_parsing(hw, skb);
+ kfree_skb(skb);
return;
}
[PATCH 4.19 39/46] media: ov5640: Fix set format regression
4.19-stable review patch. If anyone has any objections, please let me know.
--
From: Jacopo Mondi
commit 07115449919383548d094ff83cc27bd08639a8a1 upstream.
The set_fmt operations updates the sensor format only when the image format
is changed. When only the image sizes gets changed, the format do not get
updated causing the sensor to always report the one that was previously in
use.
Without this patch, updating frame size only fails:
[fmt:UYVY8_2X8/640x480@1/30 field:none colorspace:srgb xfer:srgb ...]
With this patch applied:
[fmt:UYVY8_2X8/1024x768@1/30 field:none colorspace:srgb xfer:srgb ...]
Fixes: 6949d864776e ("media: ov5640: do not change mode if format or frame
interval is unchanged")
Signed-off-by: Jacopo Mondi
Signed-off-by: Maxime Ripard
Tested-by: Adam Ford #imx6 w/ CSI2 interface on 4.19.6 and
4.20-RC5
Signed-off-by: Sakari Ailus
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Greg Kroah-Hartman
---
drivers/media/i2c/ov5640.c | 17 -
1 file changed, 8 insertions(+), 9 deletions(-)
--- a/drivers/media/i2c/ov5640.c
+++ b/drivers/media/i2c/ov5640.c
@@ -2020,6 +2020,7 @@ static int ov5640_set_fmt(struct v4l2_su
struct ov5640_dev *sensor = to_ov5640_dev(sd);
const struct ov5640_mode_info *new_mode;
struct v4l2_mbus_framefmt *mbus_fmt = >format;
+ struct v4l2_mbus_framefmt *fmt;
int ret;
if (format->pad != 0)
@@ -2037,22 +2038,20 @@ static int ov5640_set_fmt(struct v4l2_su
if (ret)
goto out;
- if (format->which == V4L2_SUBDEV_FORMAT_TRY) {
- struct v4l2_mbus_framefmt *fmt =
- v4l2_subdev_get_try_format(sd, cfg, 0);
+ if (format->which == V4L2_SUBDEV_FORMAT_TRY)
+ fmt = v4l2_subdev_get_try_format(sd, cfg, 0);
+ else
+ fmt = >fmt;
- *fmt = *mbus_fmt;
- goto out;
- }
+ *fmt = *mbus_fmt;
if (new_mode != sensor->current_mode) {
sensor->current_mode = new_mode;
sensor->pending_mode_change = true;
}
- if (mbus_fmt->code != sensor->fmt.code) {
- sensor->fmt = *mbus_fmt;
+ if (mbus_fmt->code != sensor->fmt.code)
sensor->pending_fmt_change = true;
- }
+
out:
mutex_unlock(>lock);
return ret;
[PATCH 4.19 06/46] USB: serial: option: add GosunCn ZTE WeLink ME3630
4.19-stable review patch. If anyone has any objections, please let me know.
--
From: Jörgen Storvist
commit 70a7444c550a75584ffcfae95267058817eff6a7 upstream.
Added USB serial option driver support for GosunCn ZTE WeLink ME3630
series cellular modules for USB modes ECM/NCM and MBIM.
usb-devices output MBIM mode:
T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 10 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=19d2 ProdID=0602 Rev=03.18
S: Manufacturer=Android
S: Product=Android
S: SerialNumber=
C: #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I: If#= 3 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim
I: If#= 4 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
usb-devices output ECM/NCM mode:
T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 11 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=19d2 ProdID=1476 Rev=03.18
S: Manufacturer=Android
S: Product=Android
S: SerialNumber=
C: #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I: If#= 3 Alt= 0 #EPs= 1 Cls=02(commc) Sub=06 Prot=00 Driver=cdc_ether
I: If#= 4 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether
Signed-off-by: Jörgen Storvist
Cc: stable
Signed-off-by: Johan Hovold
Signed-off-by: Greg Kroah-Hartman
---
drivers/usb/serial/option.c |2 ++
1 file changed, 2 insertions(+)
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -1328,6 +1328,7 @@ static const struct usb_device_id option
.driver_info = RSVD(4) },
{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0414, 0xff, 0xff,
0xff) },
{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0417, 0xff, 0xff,
0xff) },
+ { USB_DEVICE_INTERFACE_CLASS(ZTE_VENDOR_ID, 0x0602, 0xff) },/*
GosunCn ZTE WeLink ME3630 (MBIM mode) */
{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1008, 0xff, 0xff,
0xff),
.driver_info = RSVD(4) },
{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1010, 0xff, 0xff,
0xff),
@@ -1531,6 +1532,7 @@ static const struct usb_device_id option
.driver_info = RSVD(2) },
{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1428, 0xff, 0xff,
0xff), /* Telewell TW-LTE 4G v2 */
.driver_info = RSVD(2) },
+ { USB_DEVICE_INTERFACE_CLASS(ZTE_VENDOR_ID, 0x1476, 0xff) },/*
GosunCn ZTE WeLink ME3630 (ECM/NCM mode) */
{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1533, 0xff, 0xff,
0xff) },
{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1534, 0xff, 0xff,
0xff) },
{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1535, 0xff, 0xff,
0xff) },
[PATCH 4.19 37/46] Revert "mwifiex: restructure rx_reorder_tbl_lock usage"
4.19-stable review patch. If anyone has any objections, please let me know.
--
From: Brian Norris
commit 1aa48f088615ebfa5e139951a0d3e7dc2c2af4ec upstream.
This reverts commit 5188d5453bc9380ccd4ae1086138dd485d13aef2, because it
introduced lock recursion:
BUG: spinlock recursion on CPU#2, kworker/u13:1/395
lock: 0xffc0e28a47f0, .magic: dead4ead, .owner: kworker/u13:1/395,
.owner_cpu: 2
CPU: 2 PID: 395 Comm: kworker/u13:1 Not tainted 4.20.0-rc4+ #2
Hardware name: Google Kevin (DT)
Workqueue: MWIFIEX_RX_WORK_QUEUE mwifiex_rx_work_queue [mwifiex]
Call trace:
dump_backtrace+0x0/0x140
show_stack+0x20/0x28
dump_stack+0x84/0xa4
spin_bug+0x98/0xa4
do_raw_spin_lock+0x5c/0xdc
_raw_spin_lock_irqsave+0x38/0x48
mwifiex_flush_data+0x2c/0xa4 [mwifiex]
call_timer_fn+0xcc/0x1c4
run_timer_softirq+0x264/0x4f0
__do_softirq+0x1a8/0x35c
do_softirq+0x54/0x64
netif_rx_ni+0xe8/0x120
mwifiex_recv_packet+0xfc/0x10c [mwifiex]
mwifiex_process_rx_packet+0x1d4/0x238 [mwifiex]
mwifiex_11n_dispatch_pkt+0x190/0x1ac [mwifiex]
mwifiex_11n_rx_reorder_pkt+0x28c/0x354 [mwifiex]
mwifiex_process_sta_rx_packet+0x204/0x26c [mwifiex]
mwifiex_handle_rx_packet+0x15c/0x16c [mwifiex]
mwifiex_rx_work_queue+0x104/0x134 [mwifiex]
worker_thread+0x4cc/0x72c
kthread+0x134/0x13c
ret_from_fork+0x10/0x18
This was clearly not tested well at all. I simply performed 'wget' in a
loop and it fell over within a few seconds.
Fixes: 5188d5453bc9 ("mwifiex: restructure rx_reorder_tbl_lock usage")
Cc:
Cc: Ganapathi Bhat
Signed-off-by: Brian Norris
Signed-off-by: Kalle Valo
Signed-off-by: Greg Kroah-Hartman
---
drivers/net/wireless/marvell/mwifiex/11n.c |5
drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c | 96 +--
drivers/net/wireless/marvell/mwifiex/uap_txrx.c |3
3 files changed, 51 insertions(+), 53 deletions(-)
--- a/drivers/net/wireless/marvell/mwifiex/11n.c
+++ b/drivers/net/wireless/marvell/mwifiex/11n.c
@@ -696,11 +696,10 @@ void mwifiex_11n_delba(struct mwifiex_pr
"Send delba to tid=%d, %pM\n",
tid, rx_reor_tbl_ptr->ta);
mwifiex_send_delba(priv, tid, rx_reor_tbl_ptr->ta, 0);
- spin_unlock_irqrestore(>rx_reorder_tbl_lock,
- flags);
- return;
+ goto exit;
}
}
+exit:
spin_unlock_irqrestore(>rx_reorder_tbl_lock, flags);
}
--- a/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c
+++ b/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c
@@ -103,8 +103,6 @@ static int mwifiex_11n_dispatch_pkt(stru
* There could be holes in the buffer, which are skipped by the function.
* Since the buffer is linear, the function uses rotation to simulate
* circular buffer.
- *
- * The caller must hold rx_reorder_tbl_lock spinlock.
*/
static void
mwifiex_11n_dispatch_pkt_until_start_win(struct mwifiex_private *priv,
@@ -113,21 +111,25 @@ mwifiex_11n_dispatch_pkt_until_start_win
{
int pkt_to_send, i;
void *rx_tmp_ptr;
+ unsigned long flags;
pkt_to_send = (start_win > tbl->start_win) ?
min((start_win - tbl->start_win), tbl->win_size) :
tbl->win_size;
for (i = 0; i < pkt_to_send; ++i) {
+ spin_lock_irqsave(>rx_reorder_tbl_lock, flags);
rx_tmp_ptr = NULL;
if (tbl->rx_reorder_ptr[i]) {
rx_tmp_ptr = tbl->rx_reorder_ptr[i];
tbl->rx_reorder_ptr[i] = NULL;
}
+ spin_unlock_irqrestore(>rx_reorder_tbl_lock, flags);
if (rx_tmp_ptr)
mwifiex_11n_dispatch_pkt(priv, rx_tmp_ptr);
}
+ spin_lock_irqsave(>rx_reorder_tbl_lock, flags);
/*
* We don't have a circular buffer, hence use rotation to simulate
* circular buffer
@@ -138,6 +140,7 @@ mwifiex_11n_dispatch_pkt_until_start_win
}
tbl->start_win = start_win;
+ spin_unlock_irqrestore(>rx_reorder_tbl_lock, flags);
}
/*
@@ -147,8 +150,6 @@ mwifiex_11n_dispatch_pkt_until_start_win
* The start window is adjusted automatically when a hole is located.
* Since the buffer is linear, the function uses rotation to simulate
* circular buffer.
- *
- * The caller must hold rx_reorder_tbl_lock spinlock.
*/
static void
mwifiex_11n_scan_and_dispatch(struct mwifiex_private *priv,
@@ -156,15 +157,22 @@ mwifiex_11n_scan_and_dispatch(struct mwi
{
int i, j, xchg;
void *rx_tmp_ptr;
+ unsigned long flags;
for (i = 0; i < tbl->win_size; ++i) {
- if (!tbl->rx_reorder_ptr[i])
+ spin_lock_irqsave(>rx_reorder_tbl_lock, flags);
+ if (!tbl->rx_reorder_ptr[i]) {
+
[PATCH 4.19 04/46] xhci: Dont prevent USB2 bus suspend in state check intended for USB3 only
4.19-stable review patch. If anyone has any objections, please let me know.
--
From: Mathias Nyman
commit 45f750c16cae3625014c14c77bd9005eda975d35 upstream.
The code to prevent a bus suspend if a USB3 port was still in link training
also reacted to USB2 port polling state.
This caused bus suspend to busyloop in some cases.
USB2 polling state is different from USB3, and should not prevent bus
suspend.
Limit the USB3 link training state check to USB3 root hub ports only.
The origial commit went to stable so this need to be applied there as well
Fixes: 2f31a67f01a8 ("usb: xhci: Prevent bus suspend if a port connect change
or polling state is detected")
Cc: sta...@vger.kernel.org
Signed-off-by: Mathias Nyman
Signed-off-by: Greg Kroah-Hartman
---
drivers/usb/host/xhci-hub.c |3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/usb/host/xhci-hub.c
+++ b/drivers/usb/host/xhci-hub.c
@@ -1507,7 +1507,8 @@ int xhci_bus_suspend(struct usb_hcd *hcd
portsc_buf[port_index] = 0;
/* Bail out if a USB3 port has a new device in link training */
- if ((t1 & PORT_PLS_MASK) == XDEV_POLLING) {
+ if ((hcd->speed >= HCD_USB3) &&
+ (t1 & PORT_PLS_MASK) == XDEV_POLLING) {
bus_state->bus_suspended = 0;
spin_unlock_irqrestore(>lock, flags);
xhci_dbg(xhci, "Bus suspend bailout, port in
polling\n");
