[RFC PATCH] mtd: spi-nor: rockchip_sfc_runtime_suspend() can be static
Fixes: dbc2d867929a ("mtd: spi-nor: add rockchip serial flash controller driver") Signed-off-by: Fengguang Wu --- rockchip-sfc.c |4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/mtd/spi-nor/rockchip-sfc.c b/drivers/mtd/spi-nor/rockchip-sfc.c index 60371011..e38d79d 100644 --- a/drivers/mtd/spi-nor/rockchip-sfc.c +++ b/drivers/mtd/spi-nor/rockchip-sfc.c @@ -896,7 +896,7 @@ static int rockchip_sfc_remove(struct platform_device *pdev) } #ifdef CONFIG_PM -int rockchip_sfc_runtime_suspend(struct device *dev) +static int rockchip_sfc_runtime_suspend(struct device *dev) { struct rockchip_sfc *sfc = dev_get_drvdata(dev); @@ -904,7 +904,7 @@ int rockchip_sfc_runtime_suspend(struct device *dev) return 0; } -int rockchip_sfc_runtime_resume(struct device *dev) +static int rockchip_sfc_runtime_resume(struct device *dev) { struct rockchip_sfc *sfc = dev_get_drvdata(dev);
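Review bot: the commit message is a bare subject plus a Fixes tag; quote the sparse report that motivated it (symbol 'rockchip_sfc_runtime_suspend' / 'rockchip_sfc_runtime_resume' was not declared) so the reason for the change is recorded in git history. Making both functions static is correct only if nothing outside rockchip-sfc.c references them; sparse reporting them as undeclared means no header exports them, so the remaining user must be the dev_pm_ops table in this file, which the hunk context does not show. Stating that in the message lets a reviewer confirm it without opening the file.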
Re: [PATCH 0/3] Fix broken bananapi m2 devicetree/regulators
On 02/11/2018 01:07 AM, Philipp Rossak wrote:
> On 10.02.2018 22:08, Sergey Suloev wrote:
>> On 02/11/2018 12:01 AM, Philipp Rossak wrote:
>>> Hey Sergey,
>>>
>>> Thanks for mentioning, but I think the problem has nothing to do with
>>> those patches. I tested them with the v4.15.0 Kernel since this is the
>>> last stable release and we are right now in the merging window.
>>> I tested the latest mainline, without those patches and the kernel is
>>> not booting (I can't see any uart output).
>>>
>>> Thanks,
>>> Philipp
>>>
>>> On 10.02.2018 14:56, Sergey Suloev wrote:
>>>> On 02/09/2018 08:52 PM, Philipp Rossak wrote:
>>>>> This patchseries fixes the bananapi m1 devicetree, to be able to boot
>>>>> again. The first two patches update/improve the devicetree and the
>>>>> last patch adds all missing regulators.
>>>>>
>>>>> Regards,
>>>>> Philipp
>>>>>
>>>>> Philipp Rossak (3):
>>>>>   arm: dts: sun6i: a31s: bpi-m2: update mmc supply nodes
>>>>>   arm: dts: sun6i: a31s: bpi-m2: improve pmic properties
>>>>>   arm: dts: sun6i: a31s: fix: bpi-m2: add missing regulators
>>>>>
>>>>>  arch/arm/boot/dts/sun6i-a31s-sinovoip-bpi-m2.dts | 70 +++-
>>>>>  1 file changed, 67 insertions(+), 3 deletions(-)
>>>>
>>>> patches are not working
>>>>
>>>> Thanks
>>
>> same problem, but after applying the patches my device is still hanging.
>
> Can you please share a bootlog? Here is mine [1]. As you can see I'm able
> to boot. I build it with this branch [2]. For testing you should replace
> the dtb and the uImage/zImage
>
> Philipp
>
> [1]: https://pastebin.com/mVjv3LDf
> [2]: https://github.com/embed-3d/linux/tree/testing/bpi-m2-regulator-test-2

My dmesg is very similar to yours unless it hangs on the last line [1].
For this test I used kernel from tag v4.15 with no additional patching.

[1] https://pastebin.com/3a6bk5Dk
Re: [PATCH v8 2/3] mtd: spi-nor: add rockchip serial flash controller driver
Hi Shawn,

I love your patch! Perhaps something to improve:

[auto build test WARNING on robh/for-next]
[also build test WARNING on v4.15 next-20180209]
[if your patch is applied to the wrong git tree, please drop us a note to help improve the system]

url:    https://github.com/0day-ci/linux/commits/Andy-Yan/Add-Rockchip-SFC-serial-flash-controller-support/20180211-135616
base:   https://git.kernel.org/pub/scm/linux/kernel/git/robh/linux.git for-next
reproduce:
        # apt-get install sparse
        make ARCH=x86_64 allmodconfig
        make C=1 CF=-D__CHECK_ENDIAN__

sparse warnings: (new ones prefixed by >>)

>> drivers/mtd/spi-nor/rockchip-sfc.c:899:5: sparse: symbol 'rockchip_sfc_runtime_suspend' was not declared. Should it be
>> drivers/mtd/spi-nor/rockchip-sfc.c:907:5: sparse: symbol 'rockchip_sfc_runtime_resume' was not declared. Should it be

Please review and possibly fold the followup patch.

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all                   Intel Corporation
Re: [PATCH v2 5/7] watchdog: mtk: allow setting timeout in devicetree
On Sat, 2018-02-10 at 17:52 -0800, Guenter Roeck wrote:
> On 02/10/2018 12:12 PM, Marcus Folkesson wrote:
> > Hello Sean,
> >
> > On Sat, Feb 10, 2018 at 01:43:28PM +0100, Marcus Folkesson wrote:
> >> Hello Sean,
> >>
> >> On Sat, Feb 10, 2018 at 07:10:02PM +0800, Sean Wang wrote:
> >>>
> >>> Hi, Marcus
> >>>
> >>> The changes you made for dt-bindings and driver should be put into
> >>> separate patches.
> >>
> >> I actually thought about it but chose to have it in the same patch
> >> because I did not see any direct advantage to separating them.
> >>
> >> But I can do that.
> >> I will come up with a v3 with this change if no one thinks differently.
> >>
> >
> > When looking at the git log, I'm not that convinced it should be
> > separate patches.
> >
> > For example, I found a4f741e3e157c3a5c8aea5f2ea62b692fbf17338 that is
> > doing the exact same thing as this patch.
> >
> > There are plenty of patches that mix the code change and dt bindings
> > updates.
> > Could it not be useful to overview both the implementation and
> > dt-mapping change in one view?
> >
> > If you or anyone else still think it should be separated, please let me
> > know and I will come up with a v3.
> >
>
> If we were talking about something new, specifically new and unapproved DT
> bindings, it should be separate patches. However, that is not the case
> here. The DT bindings are well established. Sure, we could be pedantic and
> request a split into two patches. However, the only benefit of that would
> be more work for the maintainers, ie Wim and myself (including me having
> to send this e-mail). I don't really see the point of that.
>
> I have already sent my Reviewed-by:, and I don't intend to withdraw it.
>

Hi, both

Sorry for that if I caused any inconvenience to you. I didn't really insist
on whether the patch needs to be split into two, which totally depends on
whether the dt maintainers like it.

The change for dt-binding is usually added as a split patch with dt-bindings
as a prefix. This way I thought it would not be easy for the dt maintainers
to miss those patches, and they could also give some useful feedback on them.

Sean

> Thanks,
> Guenter
>
Re: [PATCH 3.2 39/79] ocfs2: should wait dio before inode lock in ocfs2_setattr()
Hi Ben,

ocfs2_dio_end_io_write() was introduced in 4.6 and the problem this patch
fixes only exists in kernel 4.6 and above.

Thanks,
Alex

On 2018/2/11 12:20, Ben Hutchings wrote:
> 3.2.99-rc1 review patch. If anyone has any objections, please let me know.
>
> --
>
> From: alex chen
>
> commit 28f5a8a7c033cbf3e32277f4cc9c6afd74f05300 upstream.
>
> we should wait dio requests to finish before inode lock in
> ocfs2_setattr(), otherwise the following deadlock will happen:
>
> process 1: truncate file 'A'
>   ocfs2_setattr
>     ocfs2_inode_lock_tracker
>       ocfs2_inode_lock_full
>         inode_dio_wait
>           __inode_dio_wait
>           -->waiting for all dio requests finish
>
> process 3: receiving the bast messages
>   dlm_proxy_ast_handler
>     dlm_do_local_bast
>       ocfs2_blocking_ast
>         ocfs2_generic_handle_bast
>           set OCFS2_LOCK_BLOCKED flag
>
> process 2: end_io of writing file 'A'
>   dio_end_io
>     dio_bio_end_aio
>       dio_complete
>         ocfs2_dio_end_io
>           ocfs2_dio_end_io_write
>             ocfs2_inode_lock
>               __ocfs2_cluster_lock
>                 ocfs2_wait_for_mask
>                 -->waiting for OCFS2_LOCK_BLOCKED flag to be cleared,
>                    that is waiting for 'process 1' unlocking the inode lock
>           inode_dio_end
>           -->here dec the i_dio_count, but will never be called,
>              so a deadlock happened.
>
> Link: http://lkml.kernel.org/r/59f81636.70...@huawei.com
> Signed-off-by: Alex Chen
> Reviewed-by: Jun Piao
> Reviewed-by: Joseph Qi
> Acked-by: Changwei Ge
> Cc: Mark Fasheh
> Cc: Joel Becker
> Cc: Junxiao Bi
> Signed-off-by: Andrew Morton
> Signed-off-by: Linus Torvalds
> Signed-off-by: Ben Hutchings
> ---
>  fs/ocfs2/file.c | 9 +++--
>  1 file changed, 7 insertions(+), 2 deletions(-)
>
> --- a/fs/ocfs2/file.c > +++ b/fs/ocfs2/file.c
> @@ -1130,6 +1130,13 @@ int ocfs2_setattr(struct dentry *dentry, > dquot_initialize(inode); > size_change = S_ISREG(inode->i_mode) && attr->ia_valid & ATTR_SIZE; > if (size_change) { > + /* > + * Here we should wait dio to finish before inode lock > + * to avoid a deadlock between ocfs2_setattr() and > + * ocfs2_dio_end_io_write() > + */ > + inode_dio_wait(inode); > + > status = ocfs2_rw_lock(inode, 1); > if (status < 0) { > mlog_errno(status); > @@ -1149,8 +1156,6 @@ int ocfs2_setattr(struct dentry *dentry, > if (status) > goto bail_unlock; > > - inode_dio_wait(inode); > - > if (i_size_read(inode) >= attr->ia_size) { > if (ocfs2_should_order_data(inode)) { > status = ocfs2_begin_ordered_truncate(inode, > > > . >
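Review bot: the hunks move inode_dio_wait() from after the inode lock to before ocfs2_rw_lock(), which only matters if a DIO completion path can take the inode cluster lock; the reply above states that ocfs2_dio_end_io_write() did not exist before 4.6 and that the deadlock only occurs from 4.6 onward, so this should be dropped from the 3.2 queue unless the 3.2 DIO completion path is shown to take the inode lock too. If it is kept, the backport note should say that the wait now also precedes the rw lock, since that ordering differs from the code it replaces.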
Re: [PATCH 0/3] Fix broken bananapi m2 devicetree/regulators
On 02/11/2018 01:07 AM, Philipp Rossak wrote:
> On 10.02.2018 22:08, Sergey Suloev wrote:
>> On 02/11/2018 12:01 AM, Philipp Rossak wrote:
>>> Hey Sergey,
>>>
>>> Thanks for mentioning, but I think the problem has nothing to do with
>>> those patches. I tested them with the v4.15.0 Kernel since this is the
>>> last stable release and we are right now in the merging window.
>>> I tested the latest mainline, without those patches and the kernel is
>>> not booting (I can't see any uart output).
>>>
>>> Thanks,
>>> Philipp
>>>
>>> On 10.02.2018 14:56, Sergey Suloev wrote:
>>>> On 02/09/2018 08:52 PM, Philipp Rossak wrote:
>>>>> This patchseries fixes the bananapi m1 devicetree, to be able to boot
>>>>> again. The first two patches update/improve the devicetree and the
>>>>> last patch adds all missing regulators.
>>>>>
>>>>> Regards,
>>>>> Philipp
>>>>>
>>>>> Philipp Rossak (3):
>>>>>   arm: dts: sun6i: a31s: bpi-m2: update mmc supply nodes
>>>>>   arm: dts: sun6i: a31s: bpi-m2: improve pmic properties
>>>>>   arm: dts: sun6i: a31s: fix: bpi-m2: add missing regulators
>>>>>
>>>>>  arch/arm/boot/dts/sun6i-a31s-sinovoip-bpi-m2.dts | 70 +++-
>>>>>  1 file changed, 67 insertions(+), 3 deletions(-)
>>>>
>>>> patches are not working
>>>>
>>>> Thanks
>>
>> same problem, but after applying the patches my device is still hanging.
>
> Can you please share a bootlog? Here is mine [1]. As you can see I'm able
> to boot. I build it with this branch [2]. For testing you should replace
> the dtb and the uImage/zImage
>
> Philipp
>
> [1]: https://pastebin.com/mVjv3LDf
> [2]: https://github.com/embed-3d/linux/tree/testing/bpi-m2-regulator-test-2

I am going to test it and come back with the outcome

Thanks
Re: [RFC PATCH 4/7] kconfig: support new special property shell=
On Sat, Feb 10, 2018 at 8:46 PM, Linus Torvalds wrote:
>
> Argh. I wanted to get rid of all that entirely, and simplify this all.
> The mentioned script (and bugzilla) was from 2006, I assumed this was
> all historical.
>
> But if it has broken again since, I guess we need to have a silly script. Grr.

Ok, so this really ended up bothering me.

I was hoping to really just unify all the stupid compiler flag testing in
just the Kconfig files and hoping we could really just use

    config CC_xyz
        bool
        option cc_option "-fwhatever-xyz"

to set them, and then build Kconfig rules from that:

    config USE_xyz
        bool "Some question that needs xyz"
        depends on CC_xyz

and have a nice simple

    ccflags-$(CONFIG_USE_xyz) += -fwhatever-xyz

in the Makefiles.

And one thought I had was "hey, if we need a script for -fstack-protector,
maybe we can simply standardize on _everything_ using a script".

But doing the stats, we test about two _hundred_ different compiler
options, and it really looks like -fstack-protector is the _only_ one that
uses a dedicated script. Everything else is just using the "see if the
compiler accepts the flag".

So no, we wouldn't want to standardize around a script.

We do have a script for some other build options related to gcc breakage,
but not command line flags per se: both 'asm goto' and for gcc version
generation. And gcc plugin compatibility checking.

Oh well. It looks like we really have to have those nasty exceptions from
the normal rules.

                 Linus
/kbuild/src/consumer/include/linux/kasan.h:28:41: error: 'KASAN_SHADOW_SCALE_SHIFT' undeclared; did you mean 'KASAN_SHADOW_START'?
tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master head: d48fcbd864a008802a90c58a9ceddd9436d11a49 commit: 917538e212a2c080af95ccb4376c5387fac08176 kasan: clean up KASAN_SHADOW_SCALE_SHIFT usage date: 4 days ago config: xtensa-allyesconfig (attached as .config) compiler: xtensa-linux-gcc (GCC) 7.2.0 reproduce: wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross chmod +x ~/bin/make.cross git checkout 917538e212a2c080af95ccb4376c5387fac08176 # save the attached .config to linux build tree make.cross ARCH=xtensa All errors (new ones prefixed by >>): In file included from /kbuild/src/consumer/include/linux/slab.h:129:0, from /kbuild/src/consumer/include/linux/irq.h:26, from /kbuild/src/consumer/include/asm-generic/hardirq.h:13, from ./arch/xtensa/include/generated/asm/hardirq.h:1, from /kbuild/src/consumer/include/linux/hardirq.h:9, from /kbuild/src/consumer/include/linux/interrupt.h:13, from /kbuild/src/consumer/drivers//w1/masters/matrox_w1.c:30: /kbuild/src/consumer/include/linux/kasan.h: In function 'kasan_mem_to_shadow': >> /kbuild/src/consumer/include/linux/kasan.h:28:41: error: >> 'KASAN_SHADOW_SCALE_SHIFT' undeclared (first use in this function); did you >> mean 'KASAN_SHADOW_START'? 
return (void *)((unsigned long)addr >> KASAN_SHADOW_SCALE_SHIFT) ^~~~ KASAN_SHADOW_START /kbuild/src/consumer/include/linux/kasan.h:28:41: note: each undeclared identifier is reported only once for each function it appears in -- In file included from /kbuild/src/consumer/include/linux/slab.h:129:0, from /kbuild/src/consumer/include/linux/irq.h:26, from /kbuild/src/consumer/include/asm-generic/hardirq.h:13, from ./arch/xtensa/include/generated/asm/hardirq.h:1, from /kbuild/src/consumer/include/linux/hardirq.h:9, from /kbuild/src/consumer/include/linux/interrupt.h:13, from /kbuild/src/consumer/drivers//scsi/sym53c8xx_2/sym_glue.h:45, from /kbuild/src/consumer/drivers//scsi/sym53c8xx_2/sym_fw.c:40: /kbuild/src/consumer/include/linux/kasan.h: In function 'kasan_mem_to_shadow': >> /kbuild/src/consumer/include/linux/kasan.h:28:41: error: >> 'KASAN_SHADOW_SCALE_SHIFT' undeclared (first use in this function); did you >> mean 'KASAN_SHADOW_START'? return (void *)((unsigned long)addr >> KASAN_SHADOW_SCALE_SHIFT) ^~~~ KASAN_SHADOW_START /kbuild/src/consumer/include/linux/kasan.h:28:41: note: each undeclared identifier is reported only once for each function it appears in In file included from /kbuild/src/consumer/drivers//scsi/sym53c8xx_2/sym_glue.h:64:0, from /kbuild/src/consumer/drivers//scsi/sym53c8xx_2/sym_fw.c:40: /kbuild/src/consumer/drivers//scsi/sym53c8xx_2/sym_defs.h: At top level: /kbuild/src/consumer/drivers//scsi/sym53c8xx_2/sym_defs.h:109:0: warning: "WSR" redefined #define WSR 0x01 /* sta: wide scsi received [W]*/ In file included from /kbuild/src/consumer/arch/xtensa/include/asm/bitops.h:22:0, from /kbuild/src/consumer/include/linux/bitops.h:38, from /kbuild/src/consumer/include/linux/kernel.h:11, from /kbuild/src/consumer/include/linux/list.h:9, from /kbuild/src/consumer/include/linux/wait.h:7, from /kbuild/src/consumer/include/linux/completion.h:12, from /kbuild/src/consumer/drivers//scsi/sym53c8xx_2/sym_glue.h:43, from 
/kbuild/src/consumer/drivers//scsi/sym53c8xx_2/sym_fw.c:40: /kbuild/src/consumer/arch/xtensa/include/asm/processor.h:220:0: note: this is the location of the previous definition #define WSR(v,sr) __asm__ __volatile__ ("wsr %0,"__stringify(sr) :: "a"(v)); -- In file included from /kbuild/src/consumer/include/linux/slab.h:129:0, from /kbuild/src/consumer/include/linux/irq.h:26, from /kbuild/src/consumer/include/asm-generic/hardirq.h:13, from ./arch/xtensa/include/generated/asm/hardirq.h:1, from /kbuild/src/consumer/include/linux/hardirq.h:9, from /kbuild/src/consumer/include/linux/interrupt.h:13, from /kbuild/src/consumer/drivers/infiniband/hw/bnxt_re/ib_verbs.c:39: /kbuild/src/consumer/include/linux/kasan.h: In function 'kasan_mem_to_shadow': >> /kbuild/src/consumer/include/linux/kasan.h:28:41: error: >> 'KASAN_SHADOW_SCALE_SHIFT' undec
Re: [PATCHv2 1/2] zsmalloc: introduce zs_huge_object() function
Some more nitpicks :) On Sat, Feb 10, 2018 at 05:23:21PM +0900, Sergey Senozhatsky wrote: > Not every object can be share its zspage with other objects, e.g. > when the object is as big as zspage or nearly as big a zspage. > For such objects zsmalloc has a so called huge class - every object > which belongs to huge class consumes the entire zspage (which > consists of a physical page). On x86_64, PAGE_SHIFT 12 box, the > first non-huge class size is 3264, so starting down from size 3264, > objects can share page(-s) and thus minimize memory wastage. > > ZRAM, however, has its own statically defined watermark for huge > objects - "3 * PAGE_SIZE / 4 = 3072", and forcibly stores every > object larger than this watermark (3072) as a PAGE_SIZE object, > in other words, to a huge class, while zsmalloc can keep some of > those objects in non-huge classes. This results in increased > memory consumption. > > zsmalloc knows better if the object is huge or not. Introduce > zs_huge_object() function which tells if the given object can be > stored in one of non-huge classes or not. This will let us to drop > ZRAM's huge object watermark and fully rely on zsmalloc when we > decide if the object is huge. > > Signed-off-by: Sergey Senozhatsky > --- > include/linux/zsmalloc.h | 2 ++ > mm/zsmalloc.c| 26 ++ > 2 files changed, 28 insertions(+) > > diff --git a/include/linux/zsmalloc.h b/include/linux/zsmalloc.h > index 57a8e98f2708..9a1baf673cc1 100644 > --- a/include/linux/zsmalloc.h > +++ b/include/linux/zsmalloc.h > @@ -47,6 +47,8 @@ void zs_destroy_pool(struct zs_pool *pool); > unsigned long zs_malloc(struct zs_pool *pool, size_t size, gfp_t flags); > void zs_free(struct zs_pool *pool, unsigned long obj); > > +bool zs_huge_object(size_t sz); > + > void *zs_map_object(struct zs_pool *pool, unsigned long handle, > enum zs_mapmode mm); > void zs_unmap_object(struct zs_pool *pool, unsigned long handle); 
> diff --git a/mm/zsmalloc.c b/mm/zsmalloc.c > index c3013505c305..922180183ca3 100644 > --- a/mm/zsmalloc.c > +++ b/mm/zsmalloc.c > @@ -192,6 +192,7 @@ static struct vfsmount *zsmalloc_mnt; > * (see: fix_fullness_group()) > */ > static const int fullness_threshold_frac = 4; > +static size_t zs_huge_class_size; > > struct size_class { > spinlock_t lock; > @@ -1417,6 +1418,28 @@ void zs_unmap_object(struct zs_pool *pool, unsigned > long handle) > } > EXPORT_SYMBOL_GPL(zs_unmap_object); > > +/** > + * zs_huge_object() - Test if a compressed object's size is too big for > normal > + *zspool classes and it shall be stored in a huge class. I think "is should be stored" is more appropriate > + * @sz: Size of the compressed object (in bytes). > + * > + * The function checks if the object's size falls into huge_class > + * area. We must take handle size into account and test the actual > + * size we are going to use, because zs_malloc() unconditionally > + * adds %ZS_HANDLE_SIZE before it performs %size_class lookup. ^ &size_class ;-) > + * > + * Context: Any context. > + * > + * Return: > + * * true - The object's size is too big, it will be stored in a huge class. > + * * false - The object will be store in normal zspool classes. > + */ > +bool zs_huge_object(size_t sz) > +{ > + return sz + ZS_HANDLE_SIZE >= zs_huge_class_size; > +} > +EXPORT_SYMBOL_GPL(zs_huge_object); > + > static unsigned long obj_malloc(struct size_class *class, > struct zspage *zspage, unsigned long handle) > { > @@ -2404,6 +2427,9 @@ struct zs_pool *zs_create_pool(const char *name) > INIT_LIST_HEAD(&class->fullness_list[fullness]); > > prev_class = class; > + if (pages_per_zspage == 1 && objs_per_zspage == 1 > + && !zs_huge_class_size) > + zs_huge_class_size = size; > } > > /* debug only, don't abort if it fails */ > -- > 2.16.1 > -- Sincerely yours, Mike.
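Review bot: zs_huge_class_size is a file-scope static that is written once, from the `if (pages_per_zspage == 1 && objs_per_zspage == 1 && !zs_huge_class_size)` hunk in zs_create_pool(), but zs_huge_object() takes no pool argument and reads it unconditionally; called before the first pool exists it compares against 0, so `sz + ZS_HANDLE_SIZE >= 0` reports every object as huge. Either document that precondition in the kernel-doc or keep the value per pool (struct zs_pool) and pass the pool in. In the same kernel-doc, the Return: line reads "The object will be store in normal zspool classes" and should be "stored", and "%size_class" should be "&size_class" as noted inline.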
[PATCH v2] Input: gpio_keys: Add level trigger support for GPIO keys
On some platforms (such as Spreadtrum platform), the GPIO keys can only be triggered by level type. So this patch introduces one property to indicate if the GPIO trigger type is level trigger or edge trigger. Signed-off-by: Baolin Wang --- Changes since v1: - Diable the GPIO irq until reversing the GPIO level type. --- .../devicetree/bindings/input/gpio-keys.txt|2 ++ drivers/input/keyboard/gpio_keys.c | 26 +++- include/linux/gpio_keys.h |1 + 3 files changed, 28 insertions(+), 1 deletion(-) diff --git a/Documentation/devicetree/bindings/input/gpio-keys.txt b/Documentation/devicetree/bindings/input/gpio-keys.txt index a949404..e3104bd 100644 --- a/Documentation/devicetree/bindings/input/gpio-keys.txt +++ b/Documentation/devicetree/bindings/input/gpio-keys.txt @@ -29,6 +29,8 @@ Optional subnode-properties: - linux,can-disable: Boolean, indicates that button is connected to dedicated (not shared) interrupt which can be disabled to suppress events from the button. + - gpio-key,level-trigger: Boolean, indicates that button's interrupt + type is level trigger. Otherwise it is edge trigger as default. Example nodes: diff --git a/drivers/input/keyboard/gpio_keys.c b/drivers/input/keyboard/gpio_keys.c index 87e613d..218698a 100644 --- a/drivers/input/keyboard/gpio_keys.c +++ b/drivers/input/keyboard/gpio_keys.c @@ -385,6 +385,20 @@ static void gpio_keys_gpio_work_func(struct work_struct *work) struct gpio_button_data *bdata = container_of(work, struct gpio_button_data, work.work); + if (bdata->button->level_trigger) { + unsigned int trigger = + irq_get_trigger_type(bdata->irq) & ~IRQF_TRIGGER_MASK; + int state = gpiod_get_raw_value_cansleep(bdata->gpiod); + + if (state) + trigger |= IRQF_TRIGGER_LOW; + else + trigger |= IRQF_TRIGGER_HIGH; + + irq_set_irq_type(bdata->irq, trigger); + enable_irq(bdata->irq); + } + gpio_keys_gpio_report_event(bdata); if (bdata->button->wakeup) 
@@ -397,6 +411,9 @@ static irqreturn_t gpio_keys_gpio_isr(int irq, void *dev_id) BUG_ON(irq != bdata->irq); + if (bdata->button->level_trigger) + disable_irq_nosync(bdata->irq); + if (bdata->button->wakeup) { const struct gpio_keys_button *button = bdata->button; @@ -566,7 +583,11 @@ static int gpio_keys_setup_key(struct platform_device *pdev, INIT_DELAYED_WORK(&bdata->work, gpio_keys_gpio_work_func); isr = gpio_keys_gpio_isr; - irqflags = IRQF_TRIGGER_RISING | IRQF_TRIGGER_FALLING; + if (button->level_trigger) + irqflags = gpiod_is_active_low(bdata->gpiod) ? + IRQF_TRIGGER_LOW : IRQF_TRIGGER_HIGH; + else + irqflags = IRQF_TRIGGER_RISING | IRQF_TRIGGER_FALLING; } else { if (!button->irq) { @@ -721,6 +742,9 @@ static void gpio_keys_close(struct input_dev *input) button->can_disable = fwnode_property_read_bool(child, "linux,can-disable"); + button->level_trigger = + fwnode_property_read_bool(child, "gpio-key,level-trigger"); + if (fwnode_property_read_u32(child, "debounce-interval", &button->debounce_interval)) button->debounce_interval = 5; diff --git a/include/linux/gpio_keys.h b/include/linux/gpio_keys.h index d06bf77..5095645 100644 --- a/include/linux/gpio_keys.h +++ b/include/linux/gpio_keys.h @@ -28,6 +28,7 @@ struct gpio_keys_button { int wakeup; int debounce_interval; bool can_disable; + bool level_trigger; int value; unsigned int irq; }; -- 1.7.9.5
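Review bot: in the gpio_keys_gpio_isr() hunk the new disable_irq_nosync() is balanced only by the enable_irq() added to gpio_keys_gpio_work_func(), so any path that cancels the delayed work before it runs leaves the irq disable depth one too high and the key silent until reboot; re-enable the irq on that path or make the work run to completion before cancellation. In the work-func hunk the next trigger level is taken from gpiod_get_raw_value_cansleep() while the initial irqflags in gpio_keys_setup_key() come from gpiod_is_active_low(); these agree only if the line is at its inactive level when the irq is requested, which the commit message should state. The property name 'gpio-key,level-trigger' uses the "vendor,property" comma form; the neighbouring 'linux,can-disable' shows the existing convention, so check the naming with the DT binding maintainers.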
The usage of page_mapping() in architecture code
Sorry for bothering, forgot to Cc LKML in the original email.

Hi, All,

To optimize the scalability of swap cache, it is made more dynamic than
before. That is, after being swapped off, the address space of the swap
device will be freed too. So the usage of page_mapping() needs to be
audited to make sure the address space of the swap device will not be used
after it is freed.

For most cases it is OK, because to call page_mapping(), the page, page
table, or LRU list will be locked. But I found at least one usage isn't
safe: when page_mapping() is called in architecture specific code to flush
dcache or sync between dcache and icache. The typical usage models are,

1) Check whether page_mapping() is NULL, which is safe
2) Call mapping_mapped() to check whether the backing file is mapped to
   user space.
3) Iterate all vmas via the interval tree (mapping->i_mmap) to flush dcache

2) and 3) aren't safe, because no lock to prevent the swap device from
swapping off is held. But I found the code is for file address space only,
not for swap cache.
For example, for flush_dcache_page() in arch/parisc/kernel/cache.c,

void flush_dcache_page(struct page *page)
{
        struct address_space *mapping = page_mapping(page);
        struct vm_area_struct *mpnt;
        unsigned long offset;
        unsigned long addr, old_addr = 0;
        pgoff_t pgoff;

        if (mapping && !mapping_mapped(mapping)) {
                set_bit(PG_dcache_dirty, &page->flags);
                return;
        }

        flush_kernel_dcache_page(page);

        if (!mapping)
                return;

        pgoff = page->index;

        /* We have carefully arranged in arch_get_unmapped_area() that
         * *any* mappings of a file are always congruently mapped (whether
         * declared as MAP_PRIVATE or MAP_SHARED), so we only need
         * to flush one address here for them all to become coherent */

        flush_dcache_mmap_lock(mapping);
        vma_interval_tree_foreach(mpnt, &mapping->i_mmap, pgoff, pgoff) {
                offset = (pgoff - mpnt->vm_pgoff) << PAGE_SHIFT;
                addr = mpnt->vm_start + offset;

                /* The TLB is the engine of coherence on parisc: The
                 * CPU is entitled to speculate any page with a TLB
                 * mapping, so here we kill the mapping then flush the
                 * page along a special flush only alias mapping.
                 * This guarantees that the page is no-longer in the
                 * cache for any process and nor may it be
                 * speculatively read in (until the user or kernel
                 * specifically accesses it, of course) */

                flush_tlb_page(mpnt, addr);
                if (old_addr == 0 || (old_addr & (SHM_COLOUR - 1))
                                      != (addr & (SHM_COLOUR - 1))) {
                        __flush_cache_page(mpnt, addr, page_to_phys(page));
                        if (old_addr)
                                printk(KERN_ERR "INEQUIVALENT ALIASES 0x%lx and 0x%lx in file %pD\n",
                                       old_addr, addr, mpnt->vm_file);
                        old_addr = addr;
                }
        }
        flush_dcache_mmap_unlock(mapping);
}

If page is an anonymous page in swap cache, "mapping && !mapping_mapped()"
will be true, so we will delay flushing. But if my understanding of the
code were correct, we should call flush_kernel_dcache() because the kernel
may access the page during swapping in/out. The code in other
architectures follows similar logic.
Would it be better for page_mapping() here to return NULL for anonymous
pages even if they are in swap cache? Of course we need to change the
function name. page_file_mapping() appears a good name, but that has been
used already. Any suggestion?

Is my understanding correct? Could you help me on this?

Best Regards,
Huang, Ying
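To make the control-flow difference concrete, here is a small C model added by the editor; it is not kernel code and not part of Huang's mail. It replays the if/return sequence of the parisc flush_dcache_page() quoted above under both page_mapping() behaviours: the current one, where an anonymous page in swap cache reports the swap device's address space, and the one proposed in the mail, where anonymous pages report NULL. The struct layouts, the enum names, the two page_mapping_*() stand-ins and the classify() helper are all assumptions of this model, and the "mapped" flag stands in for mapping_mapped().

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the flush_dcache_page() decision; every type and
 * function here is a stand-in for the kernel one, not the real thing. */

enum page_kind {
    PAGE_FILE,            /* file-backed page cache page */
    PAGE_ANON,            /* anonymous page, not in swap cache */
    PAGE_ANON_SWAPCACHE,  /* anonymous page currently in swap cache */
};

struct address_space {
    bool mapped;  /* models mapping_mapped(): some user vma maps this file */
};

struct page {
    enum page_kind kind;
    struct address_space *mapping; /* file or swap address space, or NULL */
    bool dcache_dirty;             /* models PG_dcache_dirty */
};

enum flush_action {
    FLUSH_DEFERRED,      /* set PG_dcache_dirty and return without flushing */
    FLUSH_KERNEL_ONLY,   /* flush_kernel_dcache_page() only, no user aliases */
    FLUSH_USER_ALIASES,  /* flush_kernel_dcache_page(), then walk i_mmap */
};

/* Current semantics: an anonymous page in swap cache reports the swap
 * device's address space, just as a file page reports its file's. */
static struct address_space *page_mapping_current(const struct page *p)
{
    return p->kind == PAGE_ANON ? NULL : p->mapping;
}

/* Semantics proposed in the mail: anonymous pages report NULL even while
 * they sit in the swap cache, so only file address spaces are returned. */
static struct address_space *page_mapping_proposed(const struct page *p)
{
    return p->kind == PAGE_FILE ? p->mapping : NULL;
}

/* The branch structure of the parisc flush_dcache_page() shown above, with
 * the cache maintenance itself replaced by a returned action. */
static enum flush_action flush_dcache_page_model(struct page *p,
        struct address_space *(*page_mapping)(const struct page *))
{
    struct address_space *mapping = page_mapping(p);

    if (mapping && !mapping->mapped) {
        p->dcache_dirty = true;   /* deferred until the file gets mmap'ed */
        return FLUSH_DEFERRED;
    }
    /* flush_kernel_dcache_page(page) would run here */
    if (!mapping)
        return FLUSH_KERNEL_ONLY;
    /* vma_interval_tree_foreach() over mapping->i_mmap would run here */
    return FLUSH_USER_ALIASES;
}

/* Build one page of the given kind and run the model on it. */
static enum flush_action classify(enum page_kind kind, bool file_mapped,
        struct address_space *(*page_mapping)(const struct page *))
{
    struct address_space file_as = { .mapped = file_mapped };
    struct address_space swap_as = { .mapped = false }; /* swap space is never mmap'ed */
    struct page p = { .kind = kind, .mapping = NULL, .dcache_dirty = false };

    if (kind == PAGE_FILE)
        p.mapping = &file_as;
    else if (kind == PAGE_ANON_SWAPCACHE)
        p.mapping = &swap_as;   /* swap cache pages carry the swap address space */

    return flush_dcache_page_model(&p, page_mapping);
}

int main(void)
{
    static const char *names[] = { "DEFERRED", "KERNEL_ONLY", "USER_ALIASES" };
    static const struct { const char *label; enum page_kind kind; bool mapped; } rows[] = {
        { "file, unmapped",     PAGE_FILE,           false },
        { "file, mapped",       PAGE_FILE,           true  },
        { "anon",               PAGE_ANON,           false },
        { "anon in swap cache", PAGE_ANON_SWAPCACHE, false },
    };

    printf("%-20s %-13s %-13s\n", "page", "current", "proposed");
    for (unsigned i = 0; i < sizeof(rows) / sizeof(rows[0]); i++)
        printf("%-20s %-13s %-13s\n", rows[i].label,
               names[classify(rows[i].kind, rows[i].mapped, page_mapping_current)],
               names[classify(rows[i].kind, rows[i].mapped, page_mapping_proposed)]);
    return 0;
}
```

The last row is the case the mail is about: with today's page_mapping() the anonymous swap-cache page takes the "defer and mark dirty" branch because the swap address space is never mmap'ed, while the proposed NULL return sends it through flush_kernel_dcache_page() like any other anonymous page.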
drivers/net/ethernet/intel/i40e/i40e_ethtool.c:4326:6: error: implicit declaration of function 'cmpxchg64'; did you mean 'cmpxchg'?
Hi Alice, FYI, the error/warning still remains. tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master head: d48fcbd864a008802a90c58a9ceddd9436d11a49 commit: 60f481b9703867330dc6010868054f68f6d52f7a i40e: change flags to use 64 bits date: 2 weeks ago config: mips-allyesconfig (attached as .config) compiler: mips-linux-gnu-gcc (Debian 7.2.0-11) 7.2.0 reproduce: wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross chmod +x ~/bin/make.cross git checkout 60f481b9703867330dc6010868054f68f6d52f7a # save the attached .config to linux build tree make.cross ARCH=mips All errors (new ones prefixed by >>): drivers/net/ethernet/intel/i40e/i40e_ethtool.c: In function 'i40e_set_priv_flags': >> drivers/net/ethernet/intel/i40e/i40e_ethtool.c:4326:6: error: implicit >> declaration of function 'cmpxchg64'; did you mean 'cmpxchg'? >> [-Werror=implicit-function-declaration] if (cmpxchg64(&pf->flags, orig_flags, new_flags) != orig_flags) { ^ cmpxchg cc1: some warnings being treated as errors vim +4326 drivers/net/ethernet/intel/i40e/i40e_ethtool.c 4258 4259 /** 4260 * i40e_set_priv_flags - set private flags 4261 * @dev: network interface device structure 4262 * @flags: bit flags to be set 4263 **/ 4264 static int i40e_set_priv_flags(struct net_device *dev, u32 flags) 4265 { 4266 struct i40e_netdev_priv *np = netdev_priv(dev); 4267 struct i40e_vsi *vsi = np->vsi; 4268 struct i40e_pf *pf = vsi->back; 4269 u64 orig_flags, new_flags, changed_flags; 4270 u32 i, j; 4271 4272 orig_flags = READ_ONCE(pf->flags); 4273 new_flags = orig_flags; 4274 4275 for (i = 0; i < I40E_PRIV_FLAGS_STR_LEN; i++) { 4276 const struct i40e_priv_flags *priv_flags; 4277 4278 priv_flags = &i40e_gstrings_priv_flags[i]; 4279 4280 if (flags & BIT(i)) 4281 new_flags |= priv_flags->flag; 4282 else 4283 new_flags &= ~(priv_flags->flag); 4284 4285 /* If this is a read-only flag, it can't be changed */ 4286 if (priv_flags->read_only && 4287 ((orig_flags ^ 
new_flags) & ~BIT(i))) 4288 return -EOPNOTSUPP; 4289 } 4290 4291 if (pf->hw.pf_id != 0) 4292 goto flags_complete; 4293 4294 for (j = 0; j < I40E_GL_PRIV_FLAGS_STR_LEN; j++) { 4295 const struct i40e_priv_flags *priv_flags; 4296 4297 priv_flags = &i40e_gl_gstrings_priv_flags[j]; 4298 4299 if (flags & BIT(i + j)) 4300 new_flags |= priv_flags->flag; 4301 else 4302 new_flags &= ~(priv_flags->flag); 4303 4304 /* If this is a read-only flag, it can't be changed */ 4305 if (priv_flags->read_only && 4306 ((orig_flags ^ new_flags) & ~BIT(i))) 4307 return -EOPNOTSUPP; 4308 } 4309 4310 flags_complete: 4311 /* Before we finalize any flag changes, we need to perform some 4312 * checks to ensure that the changes are supported and safe. 4313 */ 4314 4315 /* ATR eviction is not supported on all devices */ 4316 if ((new_flags & I40E_FLAG_HW_ATR_EVICT_ENABLED) && 4317 !(pf->hw_features & I40E_HW_ATR_EVICT_CAPABLE)) 4318 return -EOPNOTSUPP; 4319 4320 /* Compare and exchange the new flags into place. If we failed, that 4321 * is if cmpxchg returns anything but the old value, this means that 4322 * something else has modified the flags variable since we copied it 4323 * originally. We'll just punt with an error and log something in the 4324 * message buffer. 4325 */ > 4326 if (cmpxchg64(&pf->flags, orig_flags, new_flags) != orig_flags) > { 4327 dev_warn(&pf->pdev->dev, 4328 "Unable to update pf->flags as it was modified by another thread...\n"); 4329 return -EAGAIN; 4330 } 4331 4332 changed_flags = orig_flags ^ new_flags; 4333 4334 /* Process any additional changes needed as a result of flag changes. 4335 * The changed_flags value reflects the list of bits that were 4336 * changed in the code above. 4337 */ 4338 4339 /* Flush current ATR settings if ATR was disabled */ 4340 if ((changed_flags & I40E_FLAG_FD_ATR_ENABLED) && 4341 !(pf->flags & I40E_FLAG_FD_ATR_E
Re: [PATCH] f2fs: set_cold_data in move_data_block
OK, Got it. On 2018/2/11 11:50, Chao Yu wrote: On 2018/2/11 11:34, Yunlong Song wrote: Ping... move_data_block misses set_cold_data, then the F2FS_WB_CP_DATA will lack these data pages in move_data_block, and write_checkpoint can not make sure this pages committed to the flash. Hmm.. data block migration is running based on meta inode, so it will be safe since checkpoint will flush all meta pages including encrypted pages cached in meta inode? Thanks, On 2018/2/8 20:33, Yunlong Song wrote: Signed-off-by: Yunlong Song --- fs/f2fs/gc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/f2fs/gc.c b/fs/f2fs/gc.c index b9d93fd..2095630 100644 --- a/fs/f2fs/gc.c +++ b/fs/f2fs/gc.c @@ -692,6 +692,7 @@ static void move_data_block(struct inode *inode, block_t bidx, fio.op = REQ_OP_WRITE; fio.op_flags = REQ_SYNC; fio.new_blkaddr = newaddr; + set_cold_data(fio.page); err = f2fs_submit_page_write(&fio); if (err) { if (PageWriteback(fio.encrypted_page)) . -- Thanks, Yunlong Song
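Review bot: set_cold_data() is applied to fio.page, but the error path directly below tests PageWriteback(fio.encrypted_page), so the page that actually reaches the block layer for encrypted inodes is a different one and the cold flag set here may never influence the writeback accounting the commit message is worried about. The reply above also points out that these pages are cached in the meta inode, which the checkpoint flushes regardless. The commit message should say which F2FS_WB_CP_DATA count was observed to be wrong and on which page, otherwise the one-line change cannot be judged.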
Re: [PATCH] seq_file: remove redundant assignment of index to m->index
On Sun, Feb 11, 2018 at 9:02 AM, Matthew Wilcox wrote: > On Sat, Feb 10, 2018 at 10:04:23AM -0800, Joe Perches wrote: >> > @@ -120,14 +120,12 @@ static int traverse(struct seq_file *m, loff_t >> > offset) >> > if (pos + m->count > offset) { >> > m->from = offset - pos; >> > m->count -= m->from; >> > -m->index = index; >> > break; >> > } >> > pos += m->count; >> > m->count = 0; >> > if (pos == offset) { >> > index++; >> > -m->index = index; >> > break; >> > } >> > p = m->op->next(m, p, &index); >> >> Of course this looks correct, but how >> are you _absolutely sure_ about this? >> >> Perhaps the m->op->stop(m, p) call below >> the break, which takes m as an argument, >> needs an updated m->index. > > Not only that, but ->next might also look at m->index. I think there is no chance to call op->next, because the loop will break immediately after the assignment.
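Review bot: dropping the two `m->index = index;` stores before `break` is behaviour-preserving only if m->index is assigned from `index` after the loop, and this hunk does not show that assignment; `m->op->stop(m, p)` runs after the break and `m->op->next(m, p, &index)` runs inside the loop, and either callback may read m->index, as the replies note. The last reply's point that ->next cannot run after the removed store holds for the `break` paths, but the commit message should quote the post-loop assignment so a reviewer can verify the stop() case without opening the file.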
Re: [kselftests] compaction_test is blocked
On 02/10/2018 05:11 AM, Dan Rue wrote:
On Fri, Feb 09, 2018 at 03:53:59PM +0800, Li Zhijian wrote:
Hi

kselftests is integrated into the Intel 0Day project. Sometimes we found compaction_test is blocked for more than 1 hour until I kill it. To figure out where it is running, I added some logging to this case. The test log is like:

---
[ 111.750543] main: 248
[ 111.750544] -
[ 111.750821] check_compaction: 98
[ 111.750822] -
[ 111.751102] check_compaction: 105
[ 111.751103] -
[ 111.751362] check_compaction: 111
[ 111.751363] -
[ 111.751621] check_compaction: 118
[ 111.751622] -
[ 111.751879] check_compaction: 123
[ 111.751880] -
---
118         fprintf(stderr, "%s: %d\n", __func__, __LINE__);
119         lseek(fd, 0, SEEK_SET);
120
121         /* Request a large number of huge pages. The Kernel will allocate
122            as much as it can */
123         fprintf(stderr, "%s: %d\n", __func__, __LINE__);      <<< the last line we can catch.
124         if (write(fd, "10", (6*sizeof(char))) != (6*sizeof(char))) {      <<< blocking position
125                 perror("Failed to write 10 to /proc/sys/vm/nr_hugepages\n");
126                 goto close_fd;
127         }
128
129         lseek(fd, 0, SEEK_SET);
130
131         fprintf(stderr, "%s: %d\n", __func__, __LINE__);
132         if (read(fd, nr_hugepages, sizeof(nr_hugepages)) <= 0) {
133                 perror("Failed to re-read from /proc/sys/vm/nr_hugepages\n");
134                 goto close_fd;
135         }
---
According to the above log and code, it is most likely blocking at the write operation.

My environment is like:
OS: debian
kernel: v4.15
model: Ivytown Ivy Bridge-EP
nr_cpu: 48
memory: 64G

Hi Zhijian,

Please try this patch in mainline:
4c1baad22390 kselftest: fix OOM in memory compaction test

Hi Dan

Thanks for your replies. I run this case on v4.15; it looks like this patch is already merged into v4.15.

lizhijian@inn:~/linux$ git describe 4c1baad
v4.15-rc2-2-g4c1baad223906

Thanks Dan

NOTE: 0Day can reproduce this issue in 20% of runs on 0Day. Can anybody help have a look?
Thanks, Zhijian

--
Best regards.
Li Zhijian (8528)
Re: [PATCH] KVM: lapic: stop advertising DIRECTED_EOI when in-kernel IOAPIC is in use
On Fri, Feb 09, 2018 at 02:01:33PM +0100, Vitaly Kuznetsov wrote: > Devices which use level-triggered interrupts under Windows 2016 with > Hyper-V role enabled don't work: Windows disables EOI broadcast in SPIV > unconditionally. Our in-kernel IOAPIC implementation emulates an old IOAPIC > version which has no EOI register so EOI never happens. > > The issue was discovered and discussed a while ago: > https://www.spinics.net/lists/kvm/msg148098.html > > While this is a guest OS bug (it should check that IOAPIC has the required > capabilities before disabling EOI broadcast) we can workaround it in KVM: > advertising DIRECTED_EOI with in-kernel IOAPIC makes little sense anyway. > > Signed-off-by: Vitaly Kuznetsov > --- > - Radim's suggestion was to disable DIRECTED_EOI unconditionally but I'm not > that radical :-) In theory, we may have multiple IOAPICs in userspace in > future and DIRECTED_EOI can be leveraged. I sort of agree on this, especially considering that we already have IOAPIC version 0x20 support in QEMU already. > --- > arch/x86/kvm/lapic.c | 10 +- > 1 file changed, 9 insertions(+), 1 deletion(-) > > diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c > index 924ac8ce9d50..5339287fee63 100644 > --- a/arch/x86/kvm/lapic.c > +++ b/arch/x86/kvm/lapic.c 
> @@ -321,8 +321,16 @@ void kvm_apic_set_version(struct kvm_vcpu *vcpu) > if (!lapic_in_kernel(vcpu)) > return; > > + /* > + * KVM emulates 82093AA datasheet (with in-kernel IOAPIC implementation) > + * which doesn't have EOI register; Some buggy OSes (e.g. Windows with > + * Hyper-V role) disable EOI broadcast in lapic not checking for IOAPIC > + * version first and level-triggered interrupts never get EOIed in > + * IOAPIC. > + */ > feat = kvm_find_cpuid_entry(apic->vcpu, 0x1, 0); > - if (feat && (feat->ecx & (1 << (X86_FEATURE_X2APIC & 31 > + if (feat && (feat->ecx & (1 << (X86_FEATURE_X2APIC & 31))) && > + !ioapic_in_kernel(vcpu->kvm)) > v |= APIC_LVR_DIRECTED_EOI; > kvm_lapic_set_reg(apic, APIC_LVR, v); > } > -- > 2.14.3 > Does this mean that we can avoid the migration problem that Radim raised in previous discussion? Basically the OSs should only probe this version once for each boot, if so I think it should be fine. But since you didn't mention that in either commit message and comment, I would like to ask and confirm. For the change itself, it looks sane to me. Thanks, -- Peter Xu
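Review bot: the new condition `!ioapic_in_kernel(vcpu->kvm)` makes the APIC_LVR value the guest reads depend on where the IOAPIC lives, but neither the added comment nor the commit message says what a guest that has already sampled APIC_LVR with DIRECTED_EOI set (for example before migration to a host with an in-kernel IOAPIC) will do; add a sentence stating that guests read the version once at boot, and put the link to the earlier discussion next to the comment so the 82093AA rationale can be followed from the code.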
[PATCH 3.2 08/79] KVM: nVMX: set IDTR and GDTR limits when loading L1 host state
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Ladi Prosek commit 21f2d551183847bc7fbe8d866151d00cdad18752 upstream. Intel SDM 27.5.2 Loading Host Segment and Descriptor-Table Registers: "The GDTR and IDTR limits are each set to H." Signed-off-by: Ladi Prosek Signed-off-by: Paolo Bonzini [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings --- arch/x86/kvm/vmx.c | 2 ++ 1 file changed, 2 insertions(+) --- a/arch/x86/kvm/vmx.c +++ b/arch/x86/kvm/vmx.c @@ -7076,6 +7076,8 @@ void load_vmcs12_host_state(struct kvm_v vmcs_writel(GUEST_SYSENTER_EIP, vmcs12->host_ia32_sysenter_eip); vmcs_writel(GUEST_IDTR_BASE, vmcs12->host_idtr_base); vmcs_writel(GUEST_GDTR_BASE, vmcs12->host_gdtr_base); + vmcs_write32(GUEST_IDTR_LIMIT, 0x); + vmcs_write32(GUEST_GDTR_LIMIT, 0x); vmcs_writel(GUEST_TR_BASE, vmcs12->host_tr_base); vmcs_writel(GUEST_GS_BASE, vmcs12->host_gs_base); vmcs_writel(GUEST_FS_BASE, vmcs12->host_fs_base);
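Review bot: the two new `vmcs_write32(GUEST_IDTR_LIMIT, ...)` / `vmcs_write32(GUEST_GDTR_LIMIT, ...)` calls write a bare numeric literal, and the SDM sentence quoted in the message is the only explanation of why the limit is a fixed value; put that reference (SDM 27.5.2) in a comment next to the writes so the constant is not mistaken for a placeholder, and consider a named constant since the same limit is written twice.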
[PATCH 3.2 04/79] PCI/AER: Report non-fatal errors only to the affected endpoint
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Gabriele Paoloni commit 86acc790717fb60fb51ea3095084e331d8711c74 upstream. Previously, if an non-fatal error was reported by an endpoint, we called report_error_detected() for the endpoint, every sibling on the bus, and their descendents. If any of them did not implement the .error_detected() method, do_recovery() failed, leaving all these devices unrecovered. For example, the system described in the bugzilla below has two devices: :74:02.0 [19e5:a230] SAS controller, driver has .error_detected() :74:03.0 [19e5:a235] SATA controller, driver lacks .error_detected() When a device such as 74:02.0 reported a non-fatal error, do_recovery() failed because 74:03.0 lacked an .error_detected() method. But per PCIe r3.1, sec 6.2.2.2.2, such an error does not compromise the Link and does not affect 74:03.0: Non-fatal errors are uncorrectable errors which cause a particular transaction to be unreliable but the Link is otherwise fully functional. Isolating Non-fatal from Fatal errors provides Requester/Receiver logic in a device or system management software the opportunity to recover from the error without resetting the components on the Link and disturbing other transactions in progress. Devices not associated with the transaction in error are not impacted by the error. Report non-fatal errors only to the endpoint that reported them. We really want to check for AER_NONFATAL here, but the current code structure doesn't allow that. Looking for pci_channel_io_normal is the best we can do now. Link: https://bugzilla.kernel.org/show_bug.cgi?id=197055 Fixes: 6c2b374d7485 ("PCI-Express AER implemetation: AER core and aerdriver") Signed-off-by: Gabriele Paoloni Signed-off-by: Dongdong Liu [bhelgaas: changelog] Signed-off-by: Bjorn Helgaas Signed-off-by: Ben Hutchings --- drivers/pci/pcie/aer/aerdrv_core.c | 9 - 1 file changed, 8 insertions(+), 1 deletion(-) --- a/drivers/pci/pcie/aer/aerdrv_core.c 
+++ b/drivers/pci/pcie/aer/aerdrv_core.c @@ -367,7 +367,14 @@ static pci_ers_result_t broadcast_error_ * If the error is reported by an end point, we think this * error is related to the upstream link of the end point. */ - pci_walk_bus(dev->bus, cb, &result_data); + if (state == pci_channel_io_normal) + /* +* the error is non fatal so the bus is ok, just invoke +* the callback for the function that logged the error. +*/ + cb(dev, &result_data); + else + pci_walk_bus(dev->bus, cb, &result_data); } return result_data.result;
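Review bot: the new `if (state == pci_channel_io_normal)` branch carries a multi-line comment plus a single statement without braces; kernel style wants braces around a branch that spans several lines, and the `else` half should then get them too. The message admits `pci_channel_io_normal` is a stand-in for a real AER_NONFATAL check; that caveat belongs in the in-code comment as well, since a reader of aerdrv_core.c will otherwise assume the channel state is the property actually being tested.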
[PATCH 3.2 79/79] kaiser: Set _PAGE_NX only if supported
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Lepton Wu This finally resolve crash if loaded under qemu + haxm. Haitao Shan pointed out that the reason of that crash is that NX bit get set for page tables. It seems we missed checking if _PAGE_NX is supported in kaiser_add_user_map Link: https://www.spinics.net/lists/kernel/msg2689835.html Reviewed-by: Guenter Roeck Signed-off-by: Lepton Wu Signed-off-by: Greg Kroah-Hartman (backported from Greg K-H's 4.4 stable-queue) Signed-off-by: Juerg Haefliger Signed-off-by: Ben Hutchings --- arch/x86/mm/kaiser.c | 2 ++ 1 file changed, 2 insertions(+) --- a/arch/x86/mm/kaiser.c +++ b/arch/x86/mm/kaiser.c @@ -189,6 +189,8 @@ static int kaiser_add_user_map(const voi * requires that not to be #defined to 0): so mask it off here. */ flags &= ~_PAGE_GLOBAL; + if (!(__supported_pte_mask & _PAGE_NX)) + flags &= ~_PAGE_NX; if (flags & _PAGE_USER) BUG_ON(address < FIXADDR_START || end_addr >= FIXADDR_TOP);
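Review bot: the new `if (!(__supported_pte_mask & _PAGE_NX)) flags &= ~_PAGE_NX;` follows the _PAGE_GLOBAL mask, which has a comment explaining why it is stripped, while this one has none; add a comment saying NX is cleared when the CPU does not report the feature (the page-table corruption under qemu + haxm the message describes), and the message would benefit from a Fixes: tag naming the commit that introduced kaiser_add_user_map() so stable maintainers know the affected range.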
[PATCH 3.2 06/79] USB: serial: garmin_gps: fix memory leak on probe errors
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Johan Hovold commit 74d471b598444b7f2d964930f7234779c80960a0 upstream. Make sure to free the port private data before returning after a failed probe attempt. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reviewed-by: Greg Kroah-Hartman Signed-off-by: Johan Hovold Signed-off-by: Ben Hutchings --- drivers/usb/serial/garmin_gps.c | 6 ++ 1 file changed, 6 insertions(+) --- a/drivers/usb/serial/garmin_gps.c +++ b/drivers/usb/serial/garmin_gps.c @@ -1476,6 +1476,12 @@ static int garmin_attach(struct usb_seri usb_set_serial_port_data(port, garmin_data_p); status = garmin_init_session(port); + if (status) + goto err_free; + + return 0; +err_free: + kfree(garmin_data_p); return status; }
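Review bot: the new err_free path frees garmin_data_p, but `usb_set_serial_port_data(port, garmin_data_p)` immediately above the hunk has already published that pointer; clear it (`usb_set_serial_port_data(port, NULL)`) before the `kfree()` so the port does not keep a dangling private-data pointer into freed memory if anything touches it after the failed attach.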
[PATCH 3.2 01/79] Input: adxl34x - do not treat FIFO_MODE() as boolean
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Arnd Bergmann commit 1dbc080c9ef6bcfba652ef0d6ae919b8c7c85a1d upstream. FIFO_MODE() is a macro expression with a '<<' operator, which gcc points out could be misread as a '<': drivers/input/misc/adxl34x.c: In function 'adxl34x_probe': drivers/input/misc/adxl34x.c:799:36: error: '<<' in boolean context, did you mean '<' ? [-Werror=int-in-bool-context] While utility of this warning is being disputed (Chief Penguin: "This warning is clearly pure garbage.") FIFO_MODE() extracts range of values, with 0 being FIFO_BYPASS, and not something that is logically boolean. This converts the test to an explicit comparison with FIFO_BYPASS, making it clearer to gcc and the reader what is intended. Fixes: e27c729219ad ("Input: add driver for ADXL345/346 Digital Accelerometers") Signed-off-by: Arnd Bergmann Signed-off-by: Dmitry Torokhov Signed-off-by: Ben Hutchings --- drivers/input/misc/adxl34x.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/input/misc/adxl34x.c +++ b/drivers/input/misc/adxl34x.c @@ -797,7 +797,7 @@ struct adxl34x *adxl34x_probe(struct dev if (pdata->watermark) { ac->int_mask |= WATERMARK; - if (!FIFO_MODE(pdata->fifo_mode)) + if (FIFO_MODE(pdata->fifo_mode) == FIFO_BYPASS) ac->pdata.fifo_mode |= FIFO_STREAM; } else { ac->int_mask |= DATA_READY;
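Review bot: `FIFO_MODE(pdata->fifo_mode) == FIFO_BYPASS` is only equivalent to the old `!FIFO_MODE(...)` if FIFO_BYPASS is defined as 0; the commit message asserts that, so the code needs no comment, but the message should name the header that defines FIFO_BYPASS so a future change to its value does not silently alter which modes get FIFO_STREAM.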
[PATCH 3.2 00/79] 3.2.99-rc1 review
This is the start of the stable review cycle for the 3.2.99 release. There are 79 patches in this series, which will be posted as responses to this one. If anyone has any issues with these being applied, please let me know.

Responses should be made by Tue Feb 13 12:00:00 UTC 2018. Anything received after that time might be too late.

All the patches have also been committed to the linux-3.2.y-rc branch of https://git.kernel.org/pub/scm/linux/kernel/git/bwh/linux-stable-rc.git . A shortlog and diffstat can be found below.

Ben.

-

Al Viro (2):
      autofs4: autofs4_wait() vs. autofs4_catatonic_mode() race [4041bcdc7bef06a2fb29c57394c713a74bd13b08]
      autofs4: catatonic_mode vs. notify_daemon race [875266be67ff3a984ac1f6566d31c260bee4]

Alan (1):
      usbip: Fix sscanf handling [2d32927127f44d755780aa5fa88c8c34e72558f8]

Alan Stern (1):
      USB: usbfs: compute urb->actual_length for isochronous [2ef47001b3ee3ded579b7532ebdcf8680e4d8c54]

Alex Chen (1):
      ocfs2: should wait dio before inode lock in ocfs2_setattr() [28f5a8a7c033cbf3e32277f4cc9c6afd74f05300]

Alexander Potapenko (1):
      sctp: fully initialize the IPv6 address in sctp_v6_to_addr() [15339e441ec46fbc3bf3486bb1ae4845b0f1bb8d]

Alexander Steffen (1):
      tpm-dev-common: Reject too short writes [ee70bc1e7b63ac8023c9ff9475d8741e397316e7]

Alexandre Belloni (1):
      rtc: set the alarm to the next expiring timer [74717b28cb32e1ad3c1042cafd76b264c8c0f68d]

Andreas Rohner (1):
      nilfs2: fix race condition that causes file system corruption [31ccb1f7ba3cfe29631587d451cf5bb8ab593550]

Arnd Bergmann (2):
      Input: adxl34x - do not treat FIFO_MODE() as boolean [1dbc080c9ef6bcfba652ef0d6ae919b8c7c85a1d]
      isofs: fix timestamps beyond 2027 [34be4dbf87fc3e474a842305394534216d428f5d]

Bart Van Assche (1):
      IB/srp: Avoid that a cable pull can trigger a kernel crash [8a0d18c62121d3c554a83eb96e2752861d84d937]

Bart Westgeest (1):
      staging: usbip: removed #if 0'd out code [34c09578179f5838e5958c45e8aed4edc9c6c3b8]

Bernhard Rosenkraenzer (1):
      USB: Add delay-init quirk for Corsair K70 LUX keyboards [a0fea6027f19c62727315aba1a7fae75a9caa842]

Brent Taylor (1):
      mtd: nand: Fix writing mtdoops to nand flash. [30863e38ebeb500a31cecee8096fb5002677dd9b]

Chuck Lever (1):
      nfs: Fix ugly referral attributes [c05cefcc72416a37eba5a2b35f0704ed758a9145]

Colin Ian King (1):
      rtc: interface: ignore expired timers when enqueuing new timers [2b2f5ff00f63847d95adad6289bd8b05f5983dd5]

Dan Carpenter (2):
      eCryptfs: use after free in ecryptfs_release_messaging() [db86be3a12d0b6e5c5b51c2ab2a48f06329cb590]
      scsi: bfa: integer overflow in debugfs [3e351275655d3c84dc28abf170def9786db5176d]

Eric Biggers (1):
      dm bufio: fix integer overflow when limiting maximum cache size [74d4108d9e681dbbe4a2940ed8fdff1f6868184c]

Eric Dumazet (1):
      netfilter: xt_TCPMSS: add more sanity tests on tcph->doff [2638fd0f92d4397884fd991d8f4925cb3f081901]

Eric W. Biederman (1):
      net/sctp: Always set scope_id in sctp_inet6_skb_msgname [7c8a61d9ee1df0fb4747879fa67a99614eb62fec]

Felipe Balbi (1):
      usb: add helper to extract bits 12:11 of wMaxPacketSize [541b6fe63023f3059cf85d47ff2767a3e42a8e44]

Gabriele Paoloni (1):
      PCI/AER: Report non-fatal errors only to the affected endpoint [86acc790717fb60fb51ea3095084e331d8711c74]

Guenter Roeck (1):
      kaiser: Set _PAGE_NX only if supported [61e9b3671007a5da8127955a1a3bda7e0d5f42e8]

Guillaume Nault (5):
      l2tp: don't register sessions in l2tp_session_create() [3953ae7b218df4d1e544b98a393666f9ae58a78c]
      l2tp: ensure sessions are freed after their PPPOL2TP socket [cdd10c9627496ad25c87ce6394e29752253c69d3]
      l2tp: initialise PPP sessions before registering them [f98be6c6359e7e4a61aaefb9964c1db31cb9ec0c]
      l2tp: initialise l2tp_eth sessions before registering them [ee28de6bbd78c2e18111a0aef43ea746f28d2073]
      l2tp: protect sock pointer of struct pppol2tp_session with RCU [ee40fb2e1eb5bc0ddd3f2f83c6e39a454ef5a741]

Hou Tao (1):
      dm: fix race between dm_get_from_kobject() and __dm_destroy() [b9a41d21dceadf8104812626ef85dc56ee8a60ed]

Jan Harkes (1):
      coda: fix 'kernel memory exposure attempt' in fsync [d337b66a4c52c7b04eec661d86c2ef6e168965a2]

Jason Gunthorpe (1):
      sctp: Fixup v4mapped behaviour to comply with Sock API [299ee123e19889d511092347f5fc14db0f10e3a6]

Jens Axboe (1):
      blktrace: fix unlocked access to init/start-stop/teardown [1f2cac107c591c24b60b115d6050adc213d10fc0]

Johan Hovold (2):
      USB: serial: garmin_gps: fix I/O after failed probe and remove [19a565d9af6e0d828bd0d521d3bafd5017f4ce52]
[PATCH 3.2 03/79] rtc: set the alarm to the next expiring timer
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Alexandre Belloni commit 74717b28cb32e1ad3c1042cafd76b264c8c0f68d upstream. If there is any non expired timer in the queue, the RTC alarm is never set. This is an issue when adding a timer that expires before the next non expired timer. Ensure the RTC alarm is set in that case. Fixes: 2b2f5ff00f63 ("rtc: interface: ignore expired timers when enqueuing new timers") Signed-off-by: Alexandre Belloni [bwh: Backported to 3.2: open-code ktime_before()] Signed-off-by: Ben Hutchings --- drivers/rtc/interface.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/rtc/interface.c +++ b/drivers/rtc/interface.c @@ -765,7 +765,7 @@ static int rtc_timer_enqueue(struct rtc_ } timerqueue_add(&rtc->timerqueue, &timer->node); - if (!next) { + if (!next || timer->node.expires.tv64 < next->expires.tv64) { struct rtc_wkalrm alarm; int err; alarm.time = rtc_ktime_to_tm(timer->node.expires);
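Review bot: the new condition `!next || timer->node.expires.tv64 < next->expires.tv64` depends on `next` already pointing past expired entries (the skip loop earlier in rtc_timer_enqueue() from 02/79); if `next` were the raw queue head an expired entry would make the comparison false and reproduce the original bug, so a one-line comment at the comparison stating that `next` is the first pending timer, not the queue head, would make the invariant explicit.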
[PATCH 3.2 02/79] rtc: interface: ignore expired timers when enqueuing new timers
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Colin Ian King commit 2b2f5ff00f63847d95adad6289bd8b05f5983dd5 upstream. This patch fixes a RTC wakealarm issue, namely, the event fires during hibernate and is not cleared from the list, causing hwclock to block. The current enqueuing does not trigger an alarm if any expired timers already exist on the timerqueue. This can occur when a RTC wake alarm is used to wake a machine out of hibernate and the resumed state has old expired timers that have not been removed from the timer queue. This fix skips over any expired timers and triggers an alarm if there are no pending timers on the timerqueue. Note that the skipped expired timer will get reaped later on, so there is no need to clean it up immediately. The issue can be reproduced by putting a machine into hibernate and waking it with the RTC wakealarm. Running the example RTC test program from tools/testing/selftests/timers/rtctest.c after the hibernate will block indefinitely. With the fix, it no longer blocks after the hibernate resume. BugLink: http://bugs.launchpad.net/bugs/1333569 Signed-off-by: Colin Ian King Signed-off-by: Alexandre Belloni Signed-off-by: Ben Hutchings --- drivers/rtc/interface.c | 16 +++- 1 file changed, 15 insertions(+), 1 deletion(-) --- a/drivers/rtc/interface.c +++ b/drivers/rtc/interface.c 
@@ -749,9 +749,23 @@ EXPORT_SYMBOL_GPL(rtc_irq_set_freq); */ static int rtc_timer_enqueue(struct rtc_device *rtc, struct rtc_timer *timer) { + struct timerqueue_node *next = timerqueue_getnext(&rtc->timerqueue); + struct rtc_time tm; + ktime_t now; + timer->enabled = 1; + __rtc_read_time(rtc, &tm); + now = rtc_tm_to_ktime(tm); + + /* Skip over expired timers */ + while (next) { + if (next->expires.tv64 >= now.tv64) + break; + next = timerqueue_iterate_next(next); + } + timerqueue_add(&rtc->timerqueue, &timer->node); - if (&timer->node == timerqueue_getnext(&rtc->timerqueue)) { + if (!next) { struct rtc_wkalrm alarm; int err; alarm.time = rtc_ktime_to_tm(timer->node.expires);
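Review bot: `__rtc_read_time(rtc, &tm)` returns an error code that the hunk ignores; on failure `tm` is not filled in, `now` is computed from garbage and the new "Skip over expired timers" loop may drop or keep entries arbitrarily. Check the return value and fall back to treating every queued timer as pending when the read fails.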
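Patches 02/79 and 03/79 above change the rule rtc_timer_enqueue() uses to decide whether the hardware alarm must be reprogrammed for a newly queued timer. The following C program is an added example, not kernel code, that models the three rules (before 02/79, after 02/79, after 03/79) on a sorted array instead of a timerqueue, so the two failure modes the commit messages describe (an expired timer left at the head after hibernate resume, and a new timer that expires before the first pending one) can be compared side by side. toy_rtc, toy_insert, first_pending and scenario are invented names; times are plain integer ticks.

```c
/* Added example (not kernel code): a toy model of the rtc_timer_enqueue()
 * decision "must the hardware alarm be reprogrammed for this new timer?".
 * It compares the rule before 02/79, after 02/79 (skip expired timers,
 * program if none pending) and after 03/79 (also program when the new
 * timer expires before the first pending one). Timers live in a sorted
 * array instead of a timerqueue; times are plain int64_t ticks. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_TIMERS 16

struct toy_rtc {
    int64_t expires[MAX_TIMERS];   /* ascending, like the timerqueue */
    size_t count;
};

typedef bool (*enqueue_fn)(struct toy_rtc *, int64_t, int64_t);

/* Sorted insert (stands in for timerqueue_add); returns the new index.
 * Assumption: the caller never exceeds MAX_TIMERS. */
static size_t toy_insert(struct toy_rtc *rtc, int64_t expires)
{
    size_t i = rtc->count;

    while (i > 0 && rtc->expires[i - 1] > expires) {
        rtc->expires[i] = rtc->expires[i - 1];
        i--;
    }
    rtc->expires[i] = expires;
    rtc->count++;
    return i;
}

/* Index of the first entry not yet expired at 'now' (rtc->count if none);
 * this is the "Skip over expired timers" loop added by 02/79. */
static size_t first_pending(const struct toy_rtc *rtc, int64_t now)
{
    size_t next = 0;

    while (next < rtc->count && rtc->expires[next] < now)
        next++;
    return next;
}

/* Rule before 02/79: program the alarm only if the new timer became the head.
 * An expired timer left at the head after hibernate resume keeps this false,
 * so the alarm is never set. */
static bool enqueue_original(struct toy_rtc *rtc, int64_t expires, int64_t now)
{
    (void)now;   /* the old code never read the clock here */
    return toy_insert(rtc, expires) == 0;
}

/* Rule after 02/79: "if (!next)" -> program when nothing pending remains. */
static bool enqueue_patch02(struct toy_rtc *rtc, int64_t expires, int64_t now)
{
    bool none_pending = first_pending(rtc, now) == rtc->count;

    toy_insert(rtc, expires);
    return none_pending;
}

/* Rule after 03/79: also program when the new timer is earlier than the
 * first pending one, which 02/79 alone misses. */
static bool enqueue_patch03(struct toy_rtc *rtc, int64_t expires, int64_t now)
{
    size_t next = first_pending(rtc, now);
    bool program = next == rtc->count || expires < rtc->expires[next];

    toy_insert(rtc, expires);
    return program;
}

/* One timer 'existing' already queued, then enqueue 'new_expires' at 'now'. */
static bool scenario(enqueue_fn enqueue, int64_t existing,
                     int64_t new_expires, int64_t now)
{
    struct toy_rtc rtc = { .count = 0 };

    toy_insert(&rtc, existing);
    return enqueue(&rtc, new_expires, now);
}

int main(void)
{
    /* Case A: an expired timer (5) is still queued at now=10, add 20. */
    printf("expired head:         original=%d 02=%d 03=%d\n",
           scenario(enqueue_original, 5, 20, 10),
           scenario(enqueue_patch02, 5, 20, 10),
           scenario(enqueue_patch03, 5, 20, 10));
    /* Case B: a later timer (30) is pending, add an earlier one (20). */
    printf("earlier than pending: original=%d 02=%d 03=%d\n",
           scenario(enqueue_original, 30, 20, 10),
           scenario(enqueue_patch02, 30, 20, 10),
           scenario(enqueue_patch03, 30, 20, 10));
    return 0;
}
```

Case A is the hibernate-resume hang from 02/79 (only the original rule says "no alarm"), and case B is the gap 03/79 closes (the 02/79 rule alone says "no alarm" even though the new timer is the earliest pending one).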
[PATCH 3.2 17/79] l2tp: ensure sessions are freed after their PPPOL2TP socket
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Guillaume Nault commit cdd10c9627496ad25c87ce6394e29752253c69d3 upstream. If l2tp_tunnel_delete() or l2tp_tunnel_closeall() deletes a session right after pppol2tp_release() orphaned its socket, then the 'sock' variable of the pppol2tp_session_close() callback is NULL. Yet the session is still used by pppol2tp_release(). Therefore we need to take an extra reference in any case, to prevent l2tp_tunnel_delete() or l2tp_tunnel_closeall() from freeing the session. Since the pppol2tp_session_close() callback is only set if the session is associated to a PPPOL2TP socket and that both l2tp_tunnel_delete() and l2tp_tunnel_closeall() hold the PPPOL2TP socket before calling pppol2tp_session_close(), we're sure that pppol2tp_session_close() and pppol2tp_session_destruct() are paired and called in the right order. So the reference taken by the former will be released by the later. Signed-off-by: Guillaume Nault Signed-off-by: David S. Miller [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings --- net/l2tp/l2tp_ppp.c | 8 1 file changed, 4 insertions(+), 4 deletions(-) --- a/net/l2tp/l2tp_ppp.c +++ b/net/l2tp/l2tp_ppp.c @@ -466,11 +466,11 @@ static void pppol2tp_session_close(struc BUG_ON(session->magic != L2TP_SESSION_MAGIC); - if (sock) { + if (sock) inet_shutdown(sock, 2); - /* Don't let the session go away before our socket does */ - l2tp_session_inc_refcount(session); - } + + /* Don't let the session go away before our socket does */ + l2tp_session_inc_refcount(session); return; }
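Review bot: `l2tp_session_inc_refcount(session)` is now taken even when `sock` is NULL, but the comment above it still reads "Don't let the session go away before our socket does", which no longer explains the NULL case; reword it to say the reference is taken unconditionally and released in pppol2tp_session_destruct(), which is the pairing the commit message relies on.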
[PATCH 3.2 16/79] l2tp: push all ppp pseudowire shutdown through .release handler
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Tom Parkin commit cf2f5c886a209377daefd5d2ba0bcd49c3887813 upstream. If userspace deletes a ppp pseudowire using the netlink API, either by directly deleting the session or by deleting the tunnel that contains the session, we need to tear down the corresponding pppox channel. Rather than trying to manage two pppox unbind codepaths, switch the netlink and l2tp_core session_close handlers to close via. the l2tp_ppp socket .release handler. Signed-off-by: Tom Parkin Signed-off-by: James Chapman Signed-off-by: David S. Miller Signed-off-by: Ben Hutchings --- net/l2tp/l2tp_ppp.c | 53 ++--- 1 file changed, 10 insertions(+), 43 deletions(-) --- a/net/l2tp/l2tp_ppp.c +++ b/net/l2tp/l2tp_ppp.c @@ -95,6 +95,7 @@ #include #include #include +#include #include #include @@ -460,34 +461,16 @@ static void pppol2tp_session_close(struc { struct pppol2tp_session *ps = l2tp_session_priv(session); struct sock *sk = ps->sock; - struct sk_buff *skb; + struct socket *sock = sk->sk_socket; BUG_ON(session->magic != L2TP_SESSION_MAGIC); - if (session->session_id == 0) - goto out; - - if (sk != NULL) { - lock_sock(sk); - - if (sk->sk_state & (PPPOX_CONNECTED | PPPOX_BOUND)) { - pppox_unbind_sock(sk); - sk->sk_state = PPPOX_DEAD; - sk->sk_state_change(sk); - } - - /* Purge any queued data */ - skb_queue_purge(&sk->sk_receive_queue); - skb_queue_purge(&sk->sk_write_queue); - while ((skb = skb_dequeue(&session->reorder_q))) { - kfree_skb(skb); - sock_put(sk); - } - release_sock(sk); + if (sock) { + inet_shutdown(sock, 2); + /* Don't let the session go away before our socket does */ + l2tp_session_inc_refcount(session); } - -out: return; } 
@@ -538,16 +521,12 @@ static int pppol2tp_release(struct socke session = pppol2tp_sock_to_session(sk); /* Purge any queued data */ - skb_queue_purge(&sk->sk_receive_queue); - skb_queue_purge(&sk->sk_write_queue); if (session != NULL) { - struct sk_buff *skb; - while ((skb = skb_dequeue(&session->reorder_q))) { - kfree_skb(skb); - sock_put(sk); - } + l2tp_session_queue_purge(session); sock_put(sk); } + skb_queue_purge(&sk->sk_receive_queue); + skb_queue_purge(&sk->sk_write_queue); release_sock(sk); @@ -872,18 +851,6 @@ out: return error; } -/* Called when deleting sessions via the netlink interface. - */ -static int pppol2tp_session_delete(struct l2tp_session *session) -{ - struct pppol2tp_session *ps = l2tp_session_priv(session); - - if (ps->sock == NULL) - l2tp_session_dec_refcount(session); - - return 0; -} - #endif /* CONFIG_L2TP_V3 */ /* getname() support. @@ -1801,7 +1768,7 @@ static const struct pppox_proto pppol2tp static const struct l2tp_nl_cmd_ops pppol2tp_nl_cmd_ops = { .session_create = pppol2tp_session_create, - .session_delete = pppol2tp_session_delete, + .session_delete = l2tp_session_delete, }; #endif /* CONFIG_L2TP_V3 */
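Review bot: in the pppol2tp_session_close() hunk, `struct socket *sock = sk->sk_socket;` dereferences `sk` unconditionally, while the code it replaces guarded every use with `if (sk != NULL)`; unless ps->sock is guaranteed non-NULL here the initializer should be `sk ? sk->sk_socket : NULL`. In the pppol2tp_release() hunk the two skb_queue_purge() calls now run after `sock_put(sk)`, which is safe only because the caller still holds its own reference; that deserves a comment. The `#include` lines in the first hunk have lost their header names in this copy of the patch.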
[PATCH 3.2 68/79] RDS: null pointer dereference in rds_atomic_free_op
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Mohamed Ghannam commit 7d11f77f84b27cef452cee332f4e469503084737 upstream. set rm->atomic.op_active to 0 when rds_pin_pages() fails or the user supplied address is invalid, this prevents a NULL pointer usage in rds_atomic_free_op() Signed-off-by: Mohamed Ghannam Acked-by: Santosh Shilimkar Signed-off-by: David S. Miller Signed-off-by: Ben Hutchings --- net/rds/rdma.c | 1 + 1 file changed, 1 insertion(+) --- a/net/rds/rdma.c +++ b/net/rds/rdma.c @@ -855,6 +855,7 @@ int rds_cmsg_atomic(struct rds_sock *rs, err: if (page) put_page(page); + rm->atomic.op_active = 0; kfree(rm->atomic.op_notifier); return ret;
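Review bot: clearing `rm->atomic.op_active` at the shared err: label is right, but the label is also reached from failures before op_active was ever set, so a short comment that the store is deliberately unconditional (and pairs with the `kfree(rm->atomic.op_notifier)` below it, which tolerates NULL) saves the next reader from re-deriving why the other paths are harmless.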
[PATCH 3.2 78/79] kaiser: Set _PAGE_NX only if supported
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Guenter Roeck This resolves a crash if loaded under qemu + haxm under windows. See https://www.spinics.net/lists/kernel/msg2689835.html for details. Here is a boot log (the log is from chromeos-4.4, but Tao Wu says that the same log is also seen with vanilla v4.4.110-rc1).

[0.712750] Freeing unused kernel memory: 552K
[0.721821] init: Corrupted page table at address 57b029b332e0
[0.722761] PGD 8000bb238067 PUD bc36a067 PMD bc369067 PTE 45d2067
[0.722761] Bad pagetable: 000b [#1] PREEMPT SMP
[0.722761] Modules linked in:
[0.722761] CPU: 1 PID: 1 Comm: init Not tainted 4.4.96 #31
[0.722761] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.7.5.1-0-g8936dbb-20141113_115728-nilsson.home.kraxel.org 04/01/2014
[0.722761] task: 8800bc29 ti: 8800bc28c000 task.ti: 8800bc28c000
[0.722761] RIP: 0010:[] [] __clear_user+0x42/0x67
[0.722761] RSP: :8800bc28fcf8 EFLAGS: 00010202
[0.722761] RAX: RBX: 01a4 RCX: 01a4
[0.722761] RDX: RSI: 0008 RDI: 57b029b332e0
[0.722761] RBP: 8800bc28fd08 R08: 8800bc29 R09: 8800bb2f4000
[0.722761] R10: 8800bc29 R11: 8800bb2f4000 R12: 57b029b332e0
[0.722761] R13: R14: 57b029b33340 R15: 8800bb1e2a00
[0.722761] FS: () GS:8800bfb0() knlGS:
[0.722761] CS: 0010 DS: ES: CR0: 8005003b
[0.722761] CR2: 57b029b332e0 CR3: bb2f8000 CR4: 06e0
[0.722761] Stack:
[0.722761] 57b029b332e0 8800bb95fa80 8800bc28fd18 83f4120c
[0.722761] 8800bc28fe18 83e9e7a1 8800bc28fd68
[0.722761] 8800bc29 8800bc29 8800bc29 8800bc29
[0.722761] Call Trace:
[0.722761] [] clear_user+0x2e/0x30
[0.722761] [] load_elf_binary+0xa7f/0x18f7
[0.722761] [] search_binary_handler+0x86/0x19c
[0.722761] [] do_execveat_common.isra.26+0x909/0xf98
[0.722761] [] ? rest_init+0x87/0x87
[0.722761] [] do_execve+0x23/0x25
[0.722761] [] run_init_process+0x2b/0x2d
[0.722761] [] kernel_init+0x6d/0xda
[0.722761] [] ret_from_fork+0x3f/0x70
[0.722761] [] ? rest_init+0x87/0x87
[0.722761] Code: 86 84 be 12 00 00 00 e8 87 0d e8 ff 66 66 90 48 89 d8 48 c1 eb 03 4c 89 e7 83 e0 07 48 89 d9 be 08 00 00 00 31 d2 48 85 c9 74 0a <48> 89 17 48 01 f7 ff c9 75 f6 48 89 c1 85 c9 74 09 88 17 48 ff
[0.722761] RIP [] __clear_user+0x42/0x67
[0.722761] RSP
[0.722761] ---[ end trace def703879b4ff090 ]---
[0.722761] BUG: sleeping function called from invalid context at /mnt/host/source/src/third_party/kernel/v4.4/kernel/locking/rwsem.c:21
[0.722761] in_atomic(): 0, irqs_disabled(): 1, pid: 1, name: init
[0.722761] CPU: 1 PID: 1 Comm: init Tainted: G D 4.4.96 #31
[0.722761] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.7.5.1-0-g8936dbb-20141113_115728-nilsson.home.kraxel.org 04/01/2014
[0.722761] 0086 dcb5d76098c89836 8800bc28fa30 83f34004
[0.722761] 84839dc2 0015 8800bc28fa40 83d57dc9
[0.722761] 8800bc28fa68 83d57e6a 84a53640
[0.722761] Call Trace:
[0.722761] [] dump_stack+0x4d/0x63
[0.722761] [] ___might_sleep+0x13a/0x13c
[0.722761] [] __might_sleep+0x9f/0xa6
[0.722761] [] down_read+0x20/0x31
[0.722761] [] __blocking_notifier_call_chain+0x35/0x63
[0.722761] [] blocking_notifier_call_chain+0x14/0x16
[0.800374] usb 1-1: new full-speed USB device number 2 using uhci_hcd
[0.722761] [] profile_task_exit+0x1a/0x1c
[0.802309] [] do_exit+0x39/0xe7f
[0.802309] [] ? vprintk_default+0x1d/0x1f
[0.802309] [] ? printk+0x57/0x73
[0.802309] [] oops_end+0x80/0x85
[0.802309] [] pgtable_bad+0x8a/0x95
[0.802309] [] __do_page_fault+0x8c/0x352
[0.802309] [] ? file_has_perm+0xc4/0xe5
[0.802309] [] do_page_fault+0xc/0xe
[0.802309] [] page_fault+0x22/0x30
[0.802309] [] ? __clear_user+0x42/0x67
[0.802309] [] ? __clear_user+0x23/0x67
[0.802309] [] clear_user+0x2e/0x30
[0.802309] [] load_elf_binary+0xa7f/0x18f7
[0.802309] [] search_binary_handler+0x86/0x19c
[0.802309] [] do_execveat_common.isra.26+0x909/0xf98
[0.802309] [] ? rest_init+0x87/0x87
[0.802309] [] do_execve+0x23/0x25
[0.802309] [] run_init_process+0x2b/0x2d
[0.802309] [] kernel_init+0x6d/0xda
[0.802309] [] ret_from_fork+0x3f/0x70
[0.802309] [] ? rest_init+0x87/0x87
[0.830559] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0009
[0.830559]
[0.831305] Kernel Offset: 0x2c0 from 0x8
[PATCH 3.2 10/79] IB/srp: Avoid that a cable pull can trigger a kernel crash
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Bart Van Assche commit 8a0d18c62121d3c554a83eb96e2752861d84d937 upstream. This patch fixes the following kernel crash: general protection fault: [#1] PREEMPT SMP Workqueue: ib_mad2 timeout_sends [ib_core] Call Trace: ib_sa_path_rec_callback+0x1c4/0x1d0 [ib_core] send_handler+0xb2/0xd0 [ib_core] timeout_sends+0x14d/0x220 [ib_core] process_one_work+0x200/0x630 worker_thread+0x4e/0x3b0 kthread+0x113/0x150 Fixes: commit aef9ec39c47f ("IB: Add SCSI RDMA Protocol (SRP) initiator") Signed-off-by: Bart Van Assche Reviewed-by: Sagi Grimberg Signed-off-by: Doug Ledford [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings --- --- a/drivers/infiniband/ulp/srp/ib_srp.c +++ b/drivers/infiniband/ulp/srp/ib_srp.c @@ -310,10 +310,19 @@ static void srp_path_rec_completion(int static int srp_lookup_path(struct srp_target_port *target) { + int ret = -ENODEV; + target->path.numb_path = 1; init_completion(&target->done); + /* +* Avoid that the SCSI host can be removed by srp_remove_target() +* before srp_path_rec_completion() is called. +*/ + if (!scsi_host_get(target->scsi_host)) + goto out; + target->path_query_id = ib_sa_path_rec_get(&srp_sa_client, target->srp_host->srp_dev->dev, target->srp_host->port, @@ -327,16 +336,22 @@ static int srp_lookup_path(struct srp_ta GFP_KERNEL, srp_path_rec_completion, target, &target->path_query); - if (target->path_query_id < 0) - return target->path_query_id; + ret = target->path_query_id; + if (ret < 0) + goto put; wait_for_completion(&target->done); - if (target->status < 0) + ret = target->status; + if (ret < 0) shost_printk(KERN_WARNING, target->scsi_host, PFX "Path record query failed\n"); - return target->status; +put: + scsi_host_put(target->scsi_host); + +out: + return ret; } static int srp_send_req(struct srp_target_port *target)
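Review bot: srp_lookup_path() now returns -ENODEV when `scsi_host_get()` fails, but the hunk does not show its callers; confirm they treat a negative return as "target is going away" rather than retrying, and state in the message that the host reference is held across `wait_for_completion()`, since that is what delays srp_remove_target() until srp_path_rec_completion() has run.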
[PATCH 3.2 14/79] l2tp: add session reorder queue purge function to core
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Tom Parkin commit 48f72f92b31431c40279b0fba6c5588e07e67d95 upstream. If an l2tp session is deleted, it is necessary to delete skbs in-flight on the session's reorder queue before taking it down. Rather than having each pseudowire implementation reaching into the l2tp_session struct to handle this itself, provide a function in l2tp_core to purge the session queue. Signed-off-by: Tom Parkin Signed-off-by: James Chapman Signed-off-by: David S. Miller [bwh: Backported to 3.2: use non-atomic increment on rx_errors] Signed-off-by: Ben Hutchings --- net/l2tp/l2tp_core.c | 17 + net/l2tp/l2tp_core.h | 1 + 2 files changed, 18 insertions(+) --- a/net/l2tp/l2tp_core.c +++ b/net/l2tp/l2tp_core.c @@ -830,6 +830,23 @@ discard: } EXPORT_SYMBOL(l2tp_recv_common); +/* Drop skbs from the session's reorder_q + */ +int l2tp_session_queue_purge(struct l2tp_session *session) +{ + struct sk_buff *skb = NULL; + BUG_ON(!session); + BUG_ON(session->magic != L2TP_SESSION_MAGIC); + while ((skb = skb_dequeue(&session->reorder_q))) { + session->stats.rx_errors++; + kfree_skb(skb); + if (session->deref) + (*session->deref)(session); + } + return 0; +} +EXPORT_SYMBOL_GPL(l2tp_session_queue_purge); + /* Internal UDP receive frame. Do the real work of receiving an L2TP data frame * here. The skb is not on a list when we get here. * Returns 0 if the packet was a data packet and was successfully passed on. --- a/net/l2tp/l2tp_core.h +++ b/net/l2tp/l2tp_core.h 
@@ -249,6 +249,7 @@ extern struct l2tp_session *l2tp_session extern int l2tp_session_delete(struct l2tp_session *session); extern void l2tp_session_free(struct l2tp_session *session); extern void l2tp_recv_common(struct l2tp_session *session, struct sk_buff *skb, unsigned char *ptr, unsigned char *optr, u16 hdrflags, int length, int (*payload_hook)(struct sk_buff *skb)); +extern int l2tp_session_queue_purge(struct l2tp_session *session); extern int l2tp_udp_encap_recv(struct sock *sk, struct sk_buff *skb); extern int l2tp_xmit_skb(struct l2tp_session *session, struct sk_buff *skb, int hdr_len);
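Review bot: in the l2tp_core.c hunk, l2tp_session_queue_purge() always returns 0 and no caller in this patch uses the value, so the function could be `void` (with the `extern int` declaration in the l2tp_core.h hunk adjusted to match); if the int return is kept for later use, document what a non-zero value would mean. The per-skb `(*session->deref)(session)` call implies that every skb sitting on reorder_q holds a session reference; a one-line comment stating that invariant above the `while` loop would make the purge's accounting obvious to the pseudowire implementations that are meant to call it.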
[PATCH 3.16 020/136] elf_fdpic: fix unused variable warning
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Arnd Bergmann commit 11e3e8d6d9274bf630859b4c47bc4e4d76f289db upstream. The elf_fdpic code shows a harmless warning when built with MMU disabled, I ran into this now that fdpic is available on ARM randconfig builds since commit 50b2b2e691cd ("ARM: add ELF_FDPIC support"). fs/binfmt_elf_fdpic.c: In function 'elf_fdpic_dump_segments': fs/binfmt_elf_fdpic.c:1501:17: error: unused variable 'addr' [-Werror=unused-variable] This adds another #ifdef around the variable declaration to shut up the warning. Fixes: e6c1baa9b562 ("convert the rest of binfmt_elf_fdpic to dump_emit()") Acked-by: Nicolas Pitre Signed-off-by: Arnd Bergmann Signed-off-by: Al Viro Signed-off-by: Ben Hutchings --- fs/binfmt_elf_fdpic.c | 2 ++ 1 file changed, 2 insertions(+) --- a/fs/binfmt_elf_fdpic.c +++ b/fs/binfmt_elf_fdpic.c @@ -1487,7 +1487,9 @@ static bool elf_fdpic_dump_segments(stru struct vm_area_struct *vma; for (vma = current->mm->mmap; vma; vma = vma->vm_next) { +#ifdef CONFIG_MMU unsigned long addr; +#endif if (!maydump(vma, cprm->mm_flags)) continue;
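Review bot: the binfmt_elf_fdpic.c hunk wraps only the declaration of `addr` in `#ifdef CONFIG_MMU`, so the function now carries two `#ifdef CONFIG_MMU` pairs for a single variable (the one around its use site is outside the shown context). Moving the declaration into the block that uses `addr` would fix the warning without the extra conditional and keeps declaration and use together; either way, please confirm the use site is guarded by the same symbol, since the hunk alone does not show it.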
[PATCH 3.16 060/136] ACPI / APEI: Replace ioremap_page_range() with fixmap
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: James Morse commit 4f89fa286f6729312e227e7c2d764e8e7b9d340e upstream. Replace ghes_io{re,un}map_pfn_{nmi,irq}()s use of ioremap_page_range() with __set_fixmap() as ioremap_page_range() may sleep to allocate a new level of page-table, even if it's passed an existing final-address to use in the mapping. The GHES driver can only be enabled for architectures that select HAVE_ACPI_APEI: Add fixmap entries to both x86 and arm64. clear_fixmap() does the TLB invalidation in __set_fixmap() for arm64 and __set_pte_vaddr() for x86. In each case it's the same as the respective arch_apei_flush_tlb_one(). Reported-by: Fengguang Wu Suggested-by: Linus Torvalds Signed-off-by: James Morse Reviewed-by: Borislav Petkov Tested-by: Tyler Baicar Tested-by: Toshi Kani [ For the arm64 bits: ] Acked-by: Will Deacon [ For the x86 bits: ] Acked-by: Ingo Molnar Signed-off-by: Rafael J. Wysocki [bwh: Backported to 3.16: - Drop arm64 changes; ghes is x86-only here - Don't use page or prot variables in ghes_ioremap_fn_{nmi,irq}() - Adjust context] Signed-off-by: Ben Hutchings --- --- a/arch/x86/include/asm/fixmap.h +++ b/arch/x86/include/asm/fixmap.h @@ -103,6 +103,12 @@ enum fixed_addresses { #ifdef CONFIG_X86_INTEL_MID FIX_LNW_VRTC, #endif +#ifdef CONFIG_ACPI_APEI_GHES + /* Used for GHES mapping from assorted contexts */ + FIX_APEI_GHES_IRQ, + FIX_APEI_GHES_NMI, +#endif + __end_of_permanent_fixed_addresses, /* --- a/drivers/acpi/apei/ghes.c +++ b/drivers/acpi/apei/ghes.c @@ -49,6 +49,7 @@ #include #include +#include #include #include #include @@ -110,7 +111,7 @@ static DEFINE_RAW_SPINLOCK(ghes_nmi_lock * Because the memory area used to transfer hardware error information * from BIOS to Linux can be determined only in NMI, IRQ or timer * handler, but general ioremap can not be used in atomic context, so - * a special version of atomic ioremap is implemented for that. + * the fixmap is used instead. */ /* 
@@ -124,8 +125,8 @@ static DEFINE_RAW_SPINLOCK(ghes_nmi_lock /* virtual memory area for atomic ioremap */ static struct vm_struct *ghes_ioremap_area; /* - * These 2 spinlock is used to prevent atomic ioremap virtual memory - * area from being mapped simultaneously. + * These 2 spinlocks are used to prevent the fixmap entries from being used + * simultaneously. */ static DEFINE_RAW_SPINLOCK(ghes_ioremap_lock_nmi); static DEFINE_SPINLOCK(ghes_ioremap_lock_irq); 
@@ -165,44 +166,26 @@ static void ghes_ioremap_exit(void) static void __iomem *ghes_ioremap_pfn_nmi(u64 pfn) { - unsigned long vaddr; + __set_fixmap(FIX_APEI_GHES_NMI, pfn << PAGE_SHIFT, PAGE_KERNEL); - vaddr = (unsigned long)GHES_IOREMAP_NMI_PAGE(ghes_ioremap_area->addr); - ioremap_page_range(vaddr, vaddr + PAGE_SIZE, - pfn << PAGE_SHIFT, PAGE_KERNEL); - - return (void __iomem *)vaddr; + return (void __iomem *) fix_to_virt(FIX_APEI_GHES_NMI); } static void __iomem *ghes_ioremap_pfn_irq(u64 pfn) { - unsigned long vaddr; - - vaddr = (unsigned long)GHES_IOREMAP_IRQ_PAGE(ghes_ioremap_area->addr); - ioremap_page_range(vaddr, vaddr + PAGE_SIZE, - pfn << PAGE_SHIFT, PAGE_KERNEL); + __set_fixmap(FIX_APEI_GHES_IRQ, pfn << PAGE_SHIFT, PAGE_KERNEL); - return (void __iomem *)vaddr; + return (void __iomem *) fix_to_virt(FIX_APEI_GHES_IRQ); } -static void ghes_iounmap_nmi(void __iomem *vaddr_ptr) +static void ghes_iounmap_nmi(void) { - unsigned long vaddr = (unsigned long __force)vaddr_ptr; - void *base = ghes_ioremap_area->addr; - - BUG_ON(vaddr != (unsigned long)GHES_IOREMAP_NMI_PAGE(base)); - unmap_kernel_range_noflush(vaddr, PAGE_SIZE); - __flush_tlb_one(vaddr); + clear_fixmap(FIX_APEI_GHES_NMI); } -static void ghes_iounmap_irq(void __iomem *vaddr_ptr) +static void ghes_iounmap_irq(void) { - unsigned long vaddr = (unsigned long __force)vaddr_ptr; - void *base = ghes_ioremap_area->addr; - - BUG_ON(vaddr != (unsigned long)GHES_IOREMAP_IRQ_PAGE(base)); - unmap_kernel_range_noflush(vaddr, PAGE_SIZE); - __flush_tlb_one(vaddr); + clear_fixmap(FIX_APEI_GHES_IRQ); } static int ghes_estatus_pool_init(void) @@ -341,10 +324,10 @@ static void ghes_copy_tofrom_phys(void * paddr += trunk; buffer += trunk; if (in_nmi) { - ghes_iounmap_nmi(vaddr); + ghes_iounmap_nmi(); raw_spin_unlock(&ghes_ioremap_lock_nmi); } else { - ghes_iounmap_irq(vaddr); + ghes_iounmap_irq(); spin_unlock_irqrestore(&ghes_ioremap_lock_irq, flags); } }
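Review bot: the ghes.c hunk at line 125 keeps `static struct vm_struct *ghes_ioremap_area;` together with its `/* virtual memory area for atomic ioremap */` comment, and the hunk header at line 166 shows ghes_ioremap_exit() still present, yet after this patch neither ghes_ioremap_pfn_nmi()/ghes_ioremap_pfn_irq() nor the iounmap helpers touch ghes_ioremap_area. Unless the 3.16 backport still needs that vm area elsewhere, its allocation in ghes_ioremap_init()/ghes_ioremap_exit() is now dead code and should be dropped in the same patch, or the comment updated to say why it is retained. The fixmap.h hunk is consistent with the locking: one slot per context (`FIX_APEI_GHES_IRQ`, `FIX_APEI_GHES_NMI`), each serialised by the matching spinlock described in the line-125 hunk.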
[PATCH 3.16 067/136] ima: fix hash algorithm initialization
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Boshi Wang commit ebe7c0a7be92bbd34c6ff5b55810546a0ee05bee upstream. The hash_setup function always sets the hash_setup_done flag, even when the hash algorithm is invalid. This prevents the default hash algorithm defined as CONFIG_IMA_DEFAULT_HASH from being used. This patch sets hash_setup_done flag only for valid hash algorithms. Fixes: e7a2ad7eb6f4 "ima: enable support for larger default filedata hash algorithms" Signed-off-by: Boshi Wang Signed-off-by: Mimi Zohar Signed-off-by: Ben Hutchings --- security/integrity/ima/ima_main.c | 4 1 file changed, 4 insertions(+) --- a/security/integrity/ima/ima_main.c +++ b/security/integrity/ima/ima_main.c @@ -52,6 +52,8 @@ static int __init hash_setup(char *str) ima_hash_algo = HASH_ALGO_SHA1; else if (strncmp(str, "md5", 3) == 0) ima_hash_algo = HASH_ALGO_MD5; + else + return 1; goto out; } @@ -61,6 +63,8 @@ static int __init hash_setup(char *str) break; } } + if (i == HASH_ALGO__LAST) + return 1; out: hash_setup_done = 1; return 1;
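Review bot: both hunks in hash_setup() now bail out with a bare `return 1` when the `ima_hash=` string is not a known algorithm, so a mistyped boot parameter silently falls back to CONFIG_IMA_DEFAULT_HASH. Because the algorithm chosen here is what a remote attestation verifier expects to see in the measurement list, the rejection should be visible: add a `pr_err("ima: unknown hash algorithm %s\n", str);` (or equivalent) before each new `return 1`. Returning 1 is still the right value for a __setup handler, since it marks the parameter as consumed.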
[PATCH 3.16 028/136] net/9p: Switch to wait_event_killable()
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Tuomas Tynkkynen commit 9523feac272ccad2ad8186ba4fcc89103754de52 upstream. Because userspace gets Very Unhappy when calls like stat() and execve() return -EINTR on 9p filesystem mounts. For instance, when bash is looking in PATH for things to execute and some SIGCHLD interrupts stat(), bash can throw a spurious 'command not found' since it doesn't retry the stat(). In practice, hitting the problem is rare and needs a really slow/bogged down 9p server. Signed-off-by: Tuomas Tynkkynen Signed-off-by: Al Viro [bwh: Backported to 3.16: drop changes in trans_xen.c] Signed-off-by: Ben Hutchings --- --- a/net/9p/client.c +++ b/net/9p/client.c @@ -753,8 +753,7 @@ p9_client_rpc(struct p9_client *c, int8_ } again: /* Wait for the response */ - err = wait_event_interruptible(*req->wq, - req->status >= REQ_STATUS_RCVD); + err = wait_event_killable(*req->wq, req->status >= REQ_STATUS_RCVD); /* * Make sure our req is coherent with regard to updates in other --- a/net/9p/trans_virtio.c +++ b/net/9p/trans_virtio.c @@ -292,8 +292,8 @@ req_retry: if (err == -ENOSPC) { chan->ring_bufs_avail = 0; spin_unlock_irqrestore(&chan->lock, flags); - err = wait_event_interruptible(*chan->vc_wq, - chan->ring_bufs_avail); + err = wait_event_killable(*chan->vc_wq, + chan->ring_bufs_avail); if (err == -ERESTARTSYS) return err; @@ -324,7 +324,7 @@ static int p9_get_mapped_pages(struct vi * Other zc request to finish here */ if (atomic_read(&vp_pinned) >= chan->p9_max_pages) { - err = wait_event_interruptible(vp_wq, + err = wait_event_killable(vp_wq, (atomic_read(&vp_pinned) < chan->p9_max_pages)); if (err == -ERESTARTSYS) return err; 
@@ -454,8 +454,8 @@ req_retry_pinned: if (err == -ENOSPC) { chan->ring_bufs_avail = 0; spin_unlock_irqrestore(&chan->lock, flags); - err = wait_event_interruptible(*chan->vc_wq, - chan->ring_bufs_avail); + err = wait_event_killable(*chan->vc_wq, + chan->ring_bufs_avail); if (err == -ERESTARTSYS) goto err_out; @@ -472,8 +472,7 @@ req_retry_pinned: virtqueue_kick(chan->vq); spin_unlock_irqrestore(&chan->lock, flags); p9_debug(P9_DEBUG_TRANS, "virtio request kicked\n"); - err = wait_event_interruptible(*req->wq, - req->status >= REQ_STATUS_RCVD); + err = wait_event_killable(*req->wq, req->status >= REQ_STATUS_RCVD); /* * Non kernel buffers are pinned, unpin them */
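Review bot: each `if (err == -ERESTARTSYS)` check that follows the converted waits in the trans_virtio.c hunks is now reachable only when a fatal signal is pending, because wait_event_killable() ignores non-fatal signals; the unwind code under those checks (`return err;` / `goto err_out;`) is therefore effectively the task-exit path. A short comment at the first such site would keep a future reader from switching back to wait_event_interruptible() to "fix" what looks like dead code, which would reintroduce the spurious -EINTR described in the commit message.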
[PATCH 3.16 062/136] kprobes, x86/alternatives: Use text_mutex to protect smp_alt_modules
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Zhou Chengming commit e846d13958066828a9483d862cc8370a72fadbb6 upstream. We use alternatives_text_reserved() to check if the address is in the fixed pieces of alternative reserved, but the problem is that we don't hold the smp_alt mutex when calling this function. So the list traversal may encounter a deleted list_head if another path is doing alternatives_smp_module_del(). One solution is that we can hold smp_alt mutex before calling this function, but the difficult point is that the callers of these functions, arch_prepare_kprobe() and arch_prepare_optimized_kprobe(), are called inside the text_mutex. So we must hold smp_alt mutex before we go into this arch dependent code. But we can't now, the smp_alt mutex is the arch dependent part, only x86 has it. Maybe we can export another arch dependent callback to solve this. But there is a simpler way to handle this problem. We can reuse the text_mutex to protect smp_alt_modules instead of using another mutex. And all the arch dependent checks of kprobes are inside the text_mutex, so it's safe now. Signed-off-by: Zhou Chengming Reviewed-by: Masami Hiramatsu Acked-by: Steven Rostedt (VMware) Cc: Andy Lutomirski Cc: Borislav Petkov Cc: Brian Gerst Cc: Denys Vlasenko Cc: H. Peter Anvin Cc: Josh Poimboeuf Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: b...@suse.de Fixes: 2cfa197 "ftrace/alternatives: Introducing *_text_reserved functions" Link: http://lkml.kernel.org/r/1509585501-79466-1-git-send-email-zhouchengmi...@huawei.com Signed-off-by: Ingo Molnar Signed-off-by: Ben Hutchings --- arch/x86/kernel/alternative.c | 26 +- kernel/extable.c | 2 ++ 2 files changed, 15 insertions(+), 13 deletions(-) --- a/arch/x86/kernel/alternative.c +++ b/arch/x86/kernel/alternative.c 
@@ -409,7 +409,6 @@ static void alternatives_smp_lock(const { const s32 *poff; - mutex_lock(&text_mutex); for (poff = start; poff < end; poff++) { u8 *ptr = (u8 *)poff + *poff; @@ -419,7 +418,6 @@ static void alternatives_smp_lock(const if (*ptr == 0x3e) text_poke(ptr, ((unsigned char []){0xf0}), 1); } - mutex_unlock(&text_mutex); } static void alternatives_smp_unlock(const s32 *start, const s32 *end, @@ -427,7 +425,6 @@ static void alternatives_smp_unlock(cons { const s32 *poff; - mutex_lock(&text_mutex); for (poff = start; poff < end; poff++) { u8 *ptr = (u8 *)poff + *poff; @@ -437,7 +434,6 @@ static void alternatives_smp_unlock(cons if (*ptr == 0xf0) text_poke(ptr, ((unsigned char []){0x3E}), 1); } - mutex_unlock(&text_mutex); } struct smp_alt_module { @@ -456,8 +452,7 @@ struct smp_alt_module { struct list_head next; }; static LIST_HEAD(smp_alt_modules); -static DEFINE_MUTEX(smp_alt); -static bool uniproc_patched = false; /* protected by smp_alt */ +static bool uniproc_patched = false; /* protected by text_mutex */ void __init_or_module alternatives_smp_module_add(struct module *mod, char *name, @@ -466,7 +461,7 @@ void __init_or_module alternatives_smp_m { struct smp_alt_module *smp; - mutex_lock(&smp_alt); + mutex_lock(&text_mutex); if (!uniproc_patched) goto unlock; @@ -493,14 +488,14 @@ void __init_or_module alternatives_smp_m smp_unlock: alternatives_smp_unlock(locks, locks_end, text, text_end); unlock: - mutex_unlock(&smp_alt); + mutex_unlock(&text_mutex); } void __init_or_module alternatives_smp_module_del(struct module *mod) { struct smp_alt_module *item; - mutex_lock(&smp_alt); + mutex_lock(&text_mutex); list_for_each_entry(item, &smp_alt_modules, next) { if (mod != item->mod) continue; @@ -508,7 +503,7 @@ void __init_or_module alternatives_smp_m kfree(item); break; } - mutex_unlock(&smp_alt); + mutex_unlock(&text_mutex); } void alternatives_enable_smp(void) 
@@ -518,7 +513,7 @@ void alternatives_enable_smp(void) /* Why bother if there are no other CPUs? */ BUG_ON(num_possible_cpus() == 1); - mutex_lock(&smp_alt); + mutex_lock(&text_mutex); if (uniproc_patched) { pr_info("switching to SMP code\n"); @@ -530,10 +525,13 @@ void alternatives_enable_smp(void) mod->text, mod->text_end); uniproc_patched = false; } - mutex_unlock(&smp_alt); + mutex_unlock(&text_mutex); } -/* Return 1 if the address range is reserved for smp-alternatives */ +/* + * Return 1 if the address range is reserved for SMP-alternatives. + * Must hold
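Review bot: the alternative.c hunks at lines 409 to 437 remove the mutex_lock(&text_mutex)/mutex_unlock() pairs from alternatives_smp_lock() and alternatives_smp_unlock(), so both helpers, and the text_poke() calls inside them, now rely on every caller already holding text_mutex; the later hunks show alternatives_smp_module_add() and alternatives_enable_smp() acquiring it before they call these helpers, which is the intended contract. Add `lockdep_assert_held(&text_mutex);` at the top of both helpers so that contract is checked rather than assumed, and the `/* protected by text_mutex */` annotation on `uniproc_patched` is then backed by an assertion as well. The kernel/extable.c part listed in the diffstat is not included above, so its use of text_mutex around the reserved-text check could not be reviewed here.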
[PATCH 3.16 034/136] l2tp: initialise l2tp_eth sessions before registering them
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Guillaume Nault commit ee28de6bbd78c2e18111a0aef43ea746f28d2073 upstream. Sessions must be initialised before being made externally visible by l2tp_session_register(). Otherwise the session may be concurrently deleted before being initialised, which can confuse the deletion path and eventually lead to kernel oops. Therefore, we need to move l2tp_session_register() down in l2tp_eth_create(), but also handle the intermediate step where only the session or the netdevice has been registered. We can't just call l2tp_session_register() in ->ndo_init() because we'd have no way to properly undo this operation in ->ndo_uninit(). Instead, let's register the session and the netdevice in two different steps and protect the session's device pointer with RCU. And now that we allow the session's .dev field to be NULL, we don't need to prevent the netdevice from being removed anymore. So we can drop the dev_hold() and dev_put() calls in l2tp_eth_create() and l2tp_eth_dev_uninit(). Fixes: d9e31d17ceba ("l2tp: Add L2TP ethernet pseudowire support") Signed-off-by: Guillaume Nault Signed-off-by: David S. Miller [bwh: Backported to 3.16: - Update another 'goto out' in l2tp_eth_create() - Adjust context] Signed-off-by: Ben Hutchings --- --- a/net/l2tp/l2tp_eth.c +++ b/net/l2tp/l2tp_eth.c @@ -51,7 +51,7 @@ struct l2tp_eth { /* via l2tp_session_priv() */ struct l2tp_eth_sess { - struct net_device *dev; + struct net_device __rcu *dev; }; 
@@ -69,7 +69,14 @@ static int l2tp_eth_dev_init(struct net_ static void l2tp_eth_dev_uninit(struct net_device *dev) { - dev_put(dev); + struct l2tp_eth *priv = netdev_priv(dev); + struct l2tp_eth_sess *spriv; + + spriv = l2tp_session_priv(priv->session); + RCU_INIT_POINTER(spriv->dev, NULL); + /* No need for synchronize_net() here. We're called by +* unregister_netdev*(), which does the synchronisation for us. +*/ } static int l2tp_eth_dev_xmit(struct sk_buff *skb, struct net_device *dev) @@ -123,8 +130,8 @@ static void l2tp_eth_dev_setup(struct ne static void l2tp_eth_dev_recv(struct l2tp_session *session, struct sk_buff *skb, int data_len) { struct l2tp_eth_sess *spriv = l2tp_session_priv(session); - struct net_device *dev = spriv->dev; - struct l2tp_eth *priv = netdev_priv(dev); + struct net_device *dev; + struct l2tp_eth *priv; if (session->debug & L2TP_MSG_DATA) { unsigned int length; @@ -148,16 +155,25 @@ static void l2tp_eth_dev_recv(struct l2t skb_dst_drop(skb); nf_reset(skb); + rcu_read_lock(); + dev = rcu_dereference(spriv->dev); + if (!dev) + goto error_rcu; + + priv = netdev_priv(dev); if (dev_forward_skb(dev, skb) == NET_RX_SUCCESS) { atomic_long_inc(&priv->rx_packets); atomic_long_add(data_len, &priv->rx_bytes); } else { atomic_long_inc(&priv->rx_errors); } + rcu_read_unlock(); + return; +error_rcu: + rcu_read_unlock(); error: - atomic_long_inc(&priv->rx_errors); kfree_skb(skb); } @@ -168,11 +184,15 @@ static void l2tp_eth_delete(struct l2tp_ if (session) { spriv = l2tp_session_priv(session); - dev = spriv->dev; + + rtnl_lock(); + dev = rtnl_dereference(spriv->dev); if (dev) { - unregister_netdev(dev); - spriv->dev = NULL; + unregister_netdevice(dev); + rtnl_unlock(); module_put(THIS_MODULE); + } else { + rtnl_unlock(); } } } 
@@ -182,9 +202,20 @@ static void l2tp_eth_show(struct seq_fil { struct l2tp_session *session = arg; struct l2tp_eth_sess *spriv = l2tp_session_priv(session); - struct net_device *dev = spriv->dev; + struct net_device *dev; + + rcu_read_lock(); + dev = rcu_dereference(spriv->dev); + if (!dev) { + rcu_read_unlock(); + return; + } + dev_hold(dev); + rcu_read_unlock(); seq_printf(m, " interface %s\n", dev->name); + + dev_put(dev); } #endif @@ -204,7 +235,7 @@ static int l2tp_eth_create(struct net *n if (dev) { dev_put(dev); rc = -EEXIST; - goto out; + goto err; } strlcpy(name, cfg->ifname, IFNAMSIZ); } else @@ -214,20 +245,13 @@ static int l2tp_eth_create(struct net *n peer_session_id, cfg); if (IS_ERR(session)) { rc = PTR_ERR(session); - goto out; - }
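Review bot: in the l2tp_eth_dev_recv() hunk the `error:` label loses its `atomic_long_inc(&priv->rx_errors)` (necessarily, since `priv` is no longer resolved at that point), so frames reaching the pre-existing `goto error` paths are now dropped without being counted, and the new `error_rcu` path for a session whose device is already gone is likewise uncounted. If those counters are relied on for spotting drops, move the increment to the point after `priv = netdev_priv(dev)` for the forwarding failure and consider counting the no-device case in session->stats instead. The l2tp_eth_delete() hunk correctly pairs rtnl_lock() with rtnl_dereference() and switches to unregister_netdevice() under the lock, and l2tp_eth_show() now holds a reference across seq_printf(); both look right.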
[PATCH 3.16 025/136] IB/srp: Avoid that a cable pull can trigger a kernel crash
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Bart Van Assche commit 8a0d18c62121d3c554a83eb96e2752861d84d937 upstream. This patch fixes the following kernel crash: general protection fault: [#1] PREEMPT SMP Workqueue: ib_mad2 timeout_sends [ib_core] Call Trace: ib_sa_path_rec_callback+0x1c4/0x1d0 [ib_core] send_handler+0xb2/0xd0 [ib_core] timeout_sends+0x14d/0x220 [ib_core] process_one_work+0x200/0x630 worker_thread+0x4e/0x3b0 kthread+0x113/0x150 Fixes: commit aef9ec39c47f ("IB: Add SCSI RDMA Protocol (SRP) initiator") Signed-off-by: Bart Van Assche Reviewed-by: Sagi Grimberg Signed-off-by: Doug Ledford [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings --- --- a/drivers/infiniband/ulp/srp/ib_srp.c +++ b/drivers/infiniband/ulp/srp/ib_srp.c @@ -600,12 +600,19 @@ static void srp_path_rec_completion(int static int srp_lookup_path(struct srp_target_port *target) { - int ret; + int ret = -ENODEV; target->path.numb_path = 1; init_completion(&target->done); + /* +* Avoid that the SCSI host can be removed by srp_remove_target() +* before srp_path_rec_completion() is called. +*/ + if (!scsi_host_get(target->scsi_host)) + goto out; + target->path_query_id = ib_sa_path_rec_get(&srp_sa_client, target->srp_host->srp_dev->dev, target->srp_host->port, @@ -619,18 +626,24 @@ static int srp_lookup_path(struct srp_ta GFP_KERNEL, srp_path_rec_completion, target, &target->path_query); - if (target->path_query_id < 0) - return target->path_query_id; + ret = target->path_query_id; + if (ret < 0) + goto put; ret = wait_for_completion_interruptible(&target->done); if (ret < 0) return ret; - if (target->status < 0) + ret = target->status; + if (ret < 0) shost_printk(KERN_WARNING, target->scsi_host, PFX "Path record query failed\n"); - return target->status; +put: + scsi_host_put(target->scsi_host); + +out: + return ret; } static int srp_send_req(struct srp_target_port *target)
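Review bot: in the second ib_srp.c hunk the unchanged context `ret = wait_for_completion_interruptible(&target->done); if (ret < 0) return ret;` returns without passing through the new `put:` label, so an interrupted wait leaks the reference taken by scsi_host_get() and the SCSI host can never be removed afterwards. That early return should become `goto put;` in this backport. Even then, an interrupted wait leaves the path query outstanding, so srp_path_rec_completion() can still run after the reference is dropped; the patch should either cancel the query (ib_sa_cancel_query) before `put:` on that path or note why the window is acceptable.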
[PATCH 3.16 030/136] f2fs: expose some sectors to user in inline data or dentry case
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Jaegeuk Kim commit 5b4267d195dd887c4412e34b5a7365baa741b679 upstream. If there's some data written through inline data or dentry, we need to show st_blocks. This fixes reporting zero blocks even though there is small written data. Reviewed-by: Chao Yu [Jaegeuk Kim: avoid link file for quotacheck] Signed-off-by: Jaegeuk Kim [bwh: Backported to 3.16: - Inline dentries are not supported - Adjust context] Signed-off-by: Ben Hutchings --- --- a/fs/f2fs/file.c +++ b/fs/f2fs/file.c @@ -460,6 +460,11 @@ int f2fs_getattr(struct vfsmount *mnt, struct inode *inode = dentry->d_inode; generic_fillattr(inode, stat); stat->blocks <<= 3; + + /* we need to show initial sectors used for inline_data/dentries */ + if (S_ISREG(inode->i_mode) && f2fs_has_inline_data(inode)) + stat->blocks += (stat->size + 511) >> 9; + return 0; }
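Review bot: the f2fs_getattr() hunk's comment refers to `inline_data/dentries`, but the backport note says inline dentries are not supported in 3.16 and the condition only tests `f2fs_has_inline_data()`, so the comment should be trimmed to inline_data to avoid implying a check that is not there. The `(stat->size + 511) >> 9` rounding is consistent with the 512-byte units that `stat->blocks <<= 3` produces on the preceding line.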
[PATCH 3.16 024/136] IB/srpt: Do not accept invalid initiator port names
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Bart Van Assche commit c70ca38960399a63d5c048b7b700612ea321d17e upstream. Make srpt_parse_i_port_id() return a negative value if hex2bin() fails. Fixes: commit a42d985bd5b2 ("ib_srpt: Initial SRP Target merge for v3.3-rc1") Signed-off-by: Bart Van Assche Signed-off-by: Doug Ledford Signed-off-by: Ben Hutchings --- drivers/infiniband/ulp/srpt/ib_srpt.c | 9 - 1 file changed, 4 insertions(+), 5 deletions(-) --- a/drivers/infiniband/ulp/srpt/ib_srpt.c +++ b/drivers/infiniband/ulp/srpt/ib_srpt.c @@ -3521,7 +3521,7 @@ static int srpt_parse_i_port_id(u8 i_por { const char *p; unsigned len, count, leading_zero_bytes; - int ret, rc; + int ret; p = name; if (strnicmp(p, "0x", 2) == 0) @@ -3533,10 +3533,9 @@ static int srpt_parse_i_port_id(u8 i_por count = min(len / 2, 16U); leading_zero_bytes = 16 - count; memset(i_port_id, 0, leading_zero_bytes); - rc = hex2bin(i_port_id + leading_zero_bytes, p, count); - if (rc < 0) - pr_debug("hex2bin failed for srpt_parse_i_port_id: %d\n", rc); - ret = 0; + ret = hex2bin(i_port_id + leading_zero_bytes, p, count); + if (ret < 0) + pr_debug("hex2bin failed for srpt_parse_i_port_id: %d\n", ret); out: return ret; }
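Review bot: in the srpt_parse_i_port_id() hunk a hex2bin() failure is still reported only via pr_debug(), so an initiator port name that is now correctly rejected with a negative return leaves no trace in normal logs; a pr_warn() that names the offending string would let an operator see why an ACL entry was refused. Separately, the unchanged context `count = min(len / 2, 16U);` silently ignores a trailing odd nibble and truncates names longer than 32 hex digits instead of rejecting them, which is worth tightening in a follow-up if strict validation of the port name is the goal.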
[PATCH 3.16 036/136] l2tp: initialise PPP sessions before registering them
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- 
From: Guillaume Nault commit f98be6c6359e7e4a61aaefb9964c1db31cb9ec0c upstream. pppol2tp_connect() initialises L2TP sessions after they've been exposed to the rest of the system by l2tp_session_register(). This puts sessions into transient states that are the source of several races, in particular with session's deletion path. This patch centralises the initialisation code into pppol2tp_session_init(), which is called before the registration phase. The only field that can't be set before session registration is the pppol2tp socket pointer, which has already been converted to RCU. So pppol2tp_connect() should now be race-free. The session's .session_close() callback is now set before registration. Therefore, it's always called when l2tp_core deletes the session, even if it was created by pppol2tp_session_create() and hasn't been plugged to a pppol2tp socket yet. That'd prevent session free because the extra reference taken by pppol2tp_session_close() wouldn't be dropped by the socket's ->sk_destruct() callback (pppol2tp_session_destruct()). We could set .session_close() only while connecting a session to its pppol2tp socket, or teach pppol2tp_session_close() to avoid grabbing a reference when the session isn't connected, but that'd require adding some form of synchronisation to be race free. Instead of that, we can just let the pppol2tp socket hold a reference on the session as soon as it starts depending on it (that is, in pppol2tp_connect()). Then we don't need to utilise pppol2tp_session_close() to hold a reference at the last moment to prevent l2tp_core from dropping it. When releasing the socket, pppol2tp_release() now deletes the session using the standard l2tp_session_delete() function, instead of merely removing it from hash tables. l2tp_session_delete() drops the reference the sessions holds on itself, but also makes sure it doesn't remove a session twice. 
So it can safely be called, even if l2tp_core already tried, or is concurrently trying, to remove the session. Finally, pppol2tp_session_destruct() drops the reference held by the socket. Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts") Signed-off-by: Guillaume Nault Signed-off-by: David S. Miller [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings --- net/l2tp/l2tp_ppp.c | 69 + 1 file changed, 38 insertions(+), 31 deletions(-) --- a/net/l2tp/l2tp_ppp.c +++ b/net/l2tp/l2tp_ppp.c @@ -468,9 +468,6 @@ static void pppol2tp_session_close(struc inet_shutdown(sk->sk_socket, SEND_SHUTDOWN); sock_put(sk); } - - /* Don't let the session go away before our socket does */ - l2tp_session_inc_refcount(session); } /* Really kill the session socket. (Called from sock_put() if @@ -526,8 +523,7 @@ static int pppol2tp_release(struct socke if (session != NULL) { struct pppol2tp_session *ps; - __l2tp_session_unhash(session); - l2tp_session_queue_purge(session); + l2tp_session_delete(session); ps = l2tp_session_priv(session); mutex_lock(&ps->sk_lock); 
@@ -619,6 +615,35 @@ static void pppol2tp_show(struct seq_fil } #endif +static void pppol2tp_session_init(struct l2tp_session *session) +{ + struct pppol2tp_session *ps; + struct dst_entry *dst; + + session->recv_skb = pppol2tp_recv; + session->session_close = pppol2tp_session_close; +#if IS_ENABLED(CONFIG_L2TP_DEBUGFS) + session->show = pppol2tp_show; +#endif + + ps = l2tp_session_priv(session); + mutex_init(&ps->sk_lock); + ps->tunnel_sock = session->tunnel->sock; + ps->owner = current->pid; + + /* If PMTU discovery was enabled, use the MTU that was discovered */ + dst = sk_dst_get(session->tunnel->sock); + if (dst) { + u32 pmtu = dst_mtu(dst); + + if (pmtu) { + session->mtu = pmtu - PPPOL2TP_HEADER_OVERHEAD; + session->mru = pmtu - PPPOL2TP_HEADER_OVERHEAD; + } + dst_release(dst); + } +} + /* connect() handler. Attach a PPPoX socket to a tunnel UDP socket */ static int pppol2tp_connect(struct socket *sock, struct sockaddr *uservaddr, @@ -630,7 +655,6 @@ static int pppol2tp_connect(struct socke struct l2tp_session *session = NULL; struct l2tp_tunnel *tunnel; struct pppol2tp_session *ps; - struct dst_entry *dst; struct l2tp_session_cfg cfg = { 0, }; int error = 0; u32 tunnel_id, peer_tunnel_id; @@ -775,8 +799,8 @@ static int pppol2tp_connect(struct socke goto end; } + pppol2tp_session_init(session); ps = l2tp_session_priv(session); -
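Review bot: the pppol2tp_release() hunk replaces the explicit `__l2tp_session_unhash()` + `l2tp_session_queue_purge()` pair with a single l2tp_session_delete(); please confirm that l2tp_session_delete() in the 3.16 tree purges the reorder queue itself (the removed line shows l2tp_session_queue_purge() exists in the core), otherwise skbs still queued at release time, and the session references they hold, would leak. The pppol2tp_session_close() hunk removes the `l2tp_session_inc_refcount(session)` that kept the session alive for the socket; the commit message says pppol2tp_connect() now takes that reference instead, but the connect hunk shown ends right after `pppol2tp_session_init(session);`, so the new acquisition needs to be verified in the rest of the patch. Style: pppol2tp_session_init() reads `session->tunnel->sock` twice; a local `struct sock *sk` would be cleaner.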
[PATCH 3.16 021/136] USB: serial: metro-usb: stop I/O after failed open
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Johan Hovold commit 2339536d229df25c71c0900fc619289229bfecf6 upstream. Make sure to kill the interrupt-in URB after a failed open request. Apart from saving power (and avoiding stale input after a later successful open), this also prevents a NULL-deref in the completion handler if the port is manually unbound. Reviewed-by: Greg Kroah-Hartman Fixes: 704577861d5e ("USB: serial: metro-usb: get data from device in Uni-Directional mode.") Signed-off-by: Johan Hovold [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings --- drivers/usb/serial/metro-usb.c | 11 --- 1 file changed, 8 insertions(+), 3 deletions(-) --- a/drivers/usb/serial/metro-usb.c +++ b/drivers/usb/serial/metro-usb.c @@ -217,7 +217,7 @@ static int metrousb_open(struct tty_stru dev_err(&port->dev, "%s - failed submitting interrupt in urb, error code=%d\n", __func__, result); - goto exit; + return result; } /* Send activate cmd to device */ @@ -226,11 +226,16 @@ static int metrousb_open(struct tty_stru dev_err(&port->dev, "%s - failed to configure device, error code=%d\n", __func__, result); - goto exit; + goto err_kill_urb; } dev_dbg(&port->dev, "%s - port open\n", __func__); -exit: + + return 0; + +err_kill_urb: + usb_kill_urb(port->interrupt_in_urb); + return result; }
[PATCH 3.16 059/136] powerpc/powernv/cpufreq: Fix the frequency read by /proc/cpuinfo
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Shriya commit cd77b5ce208c153260ed7882d8910f2395bfaabd upstream. The call to /proc/cpuinfo in turn calls cpufreq_quick_get() which returns the last frequency requested by the kernel, but may not reflect the actual frequency the processor is running at. This patch makes a call to cpufreq_get() instead which returns the current frequency reported by the hardware. Fixes: fb5153d05a7d ("powerpc: powernv: Implement ppc_md.get_proc_freq()") Signed-off-by: Shriya Signed-off-by: Michael Ellerman Signed-off-by: Ben Hutchings --- arch/powerpc/platforms/powernv/setup.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/arch/powerpc/platforms/powernv/setup.c +++ b/arch/powerpc/platforms/powernv/setup.c @@ -309,7 +309,7 @@ unsigned long pnv_get_proc_freq(unsigned { unsigned long ret_freq; - ret_freq = cpufreq_quick_get(cpu) * 1000ul; + ret_freq = cpufreq_get(cpu) * 1000ul; /* * If the backend cpufreq driver does not exist,
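Review bot: cpufreq_get() differs from cpufreq_quick_get() in more than accuracy: it takes the cpufreq policy lock and calls into the driver's ->get() callback, so pnv_get_proc_freq() can now sleep and must only be used from process context. That holds for the /proc/cpuinfo path the commit message targets, but a comment above the call stating the constraint would stop the helper being reused from an atomic context later. The `* 1000ul` scaling is unchanged, as both functions report kHz.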
[PATCH 3.16 027/136] fs/9p: Compare qid.path in v9fs_test_inode
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Tuomas Tynkkynen commit 8ee031631546cf2f7859cc69593bd60bbdd70b46 upstream. Commit fd2421f54423 ("fs/9p: When doing inode lookup compare qid details and inode mode bits.") transformed v9fs_qid_iget() to use iget5_locked() instead of iget_locked(). However, the test() callback is not checking fid.path at all, which means that a lookup in the inode cache can now accidentally locate a completely wrong inode from the same inode hash bucket if the other fields (qid.type and qid.version) match. Fixes: fd2421f54423 ("fs/9p: When doing inode lookup compare qid details and inode mode bits.") Reviewed-by: Latchesar Ionkov Signed-off-by: Tuomas Tynkkynen Signed-off-by: Al Viro Signed-off-by: Ben Hutchings --- fs/9p/vfs_inode.c | 3 +++ fs/9p/vfs_inode_dotl.c | 3 +++ 2 files changed, 6 insertions(+) --- a/fs/9p/vfs_inode.c +++ b/fs/9p/vfs_inode.c @@ -483,6 +483,9 @@ static int v9fs_test_inode(struct inode if (v9inode->qid.type != st->qid.type) return 0; + + if (v9inode->qid.path != st->qid.path) + return 0; return 1; } --- a/fs/9p/vfs_inode_dotl.c +++ b/fs/9p/vfs_inode_dotl.c @@ -87,6 +87,9 @@ static int v9fs_test_inode_dotl(struct i if (v9inode->qid.type != st->qid.type) return 0; + + if (v9inode->qid.path != st->qid.path) + return 0; return 1; }
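Review bot: the v9fs_test_inode() and v9fs_test_inode_dotl() hunks add the same three lines; since this is the check that stops iget5_locked() from returning a different file's inode from the same hash bucket, a shared helper that compares type, version and path of two qids would ensure the two callbacks cannot drift apart again, as they did when path was omitted. Minor style: the added blank line sits before the new `if` rather than after it, leaving `return 0;` and `return 1;` adjacent.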
[PATCH 3.16 056/136] powerpc/pseries/vio: Dispose of virq mapping on vdevice unregister
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Tyrel Datwyler commit b8f89fea599d91e674497aad572613eb63181f31 upstream. When a vdevice is DLPAR removed from the system the vio subsystem doesn't bother unmapping the virq from the irq_domain. As a result we have a virq mapped to a hardware irq that is no longer valid for the irq_domain. A side effect is that we are left with /proc/irq/ affinity entries, and attempts to modify the smp_affinity of the irq will fail. In the following observed example the kernel log is spammed by ics_rtas_set_affinity errors after the removal of a VSCSI adapter. This is a result of irqbalance trying to adjust the affinity every 10 seconds. rpadlpar_io: slot U8408.E8E.10A7ACV-V5-C25 removed ics_rtas_set_affinity: ibm,set-xive irq=655385 returns -3 ics_rtas_set_affinity: ibm,set-xive irq=655385 returns -3 This patch fixes the issue by calling irq_dispose_mapping() on the virq of the viodev on unregister. Fixes: f2ab6219969f ("powerpc/pseries: Add PFO support to the VIO bus") Signed-off-by: Tyrel Datwyler Signed-off-by: Michael Ellerman [bwh: Backported to 3.16: adjust filename] Signed-off-by: Ben Hutchings --- arch/powerpc/kernel/vio.c | 2 ++ 1 file changed, 2 insertions(+) --- a/arch/powerpc/kernel/vio.c +++ b/arch/powerpc/kernel/vio.c @@ -1572,6 +1572,8 @@ static struct device_attribute vio_dev_a void vio_unregister_device(struct vio_dev *viodev) { device_unregister(&viodev->dev); + if (viodev->family == VDEVICE) + irq_dispose_mapping(viodev->irq); } EXPORT_SYMBOL(vio_unregister_device);
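Review bot: the vio_unregister_device() hunk reads `viodev->family` and `viodev->irq` after device_unregister(), which is only safe because the caller still holds a reference on the device; if device_unregister() were to drop the last reference, the release callback would free viodev and the two new lines would be a use-after-free. Capturing the irq into a local before device_unregister() (under the same `family == VDEVICE` test) removes that dependency at no cost.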
[PATCH 3.16 038/136] bcache: only permit to recovery read error when cache device is clean
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Coly Li commit d59b23795933678c9638fd20c942d2b4f3cd6185 upstream. When bcache does read I/Os, for example in writeback or writethrough mode, if a read request on cache device fails, bcache will try to recover the request by reading from cached device. If the data on cached device is not synced with cache device, then requester will get stale data. For critical storage system like database, providing stale data from recovery may result in an application level data corruption, which is unacceptable. With this patch, for a failed read request in writeback or writethrough mode, recovery of a recoverable read request only happens when cache device is clean. That is to say, all data on cached device is up to date. For other cache modes in bcache, read request will never hit cached_dev_read_error(), they don't need this patch. Please note, because cache mode can be switched arbitrarily in run time, a writethrough mode might be switched from a writeback mode. Therefore checking dc->has_data in writethrough mode still makes sense. Changelog: V4: Fix parens error pointed by Michael Lyle. v3: By response from Kent Overstreet, he thinks recovering stale data is a bug to fix, and option to permit it is unnecessary. So this version the sysfs file is removed. v2: rename sysfs entry from allow_stale_data_on_failure to allow_stale_data_on_failure, and fix the confusing commit log. v1: initial patch posted. [small change to patch comment spelling by mlyle] Signed-off-by: Coly Li Signed-off-by: Michael Lyle Reported-by: Arne Wolf Reviewed-by: Michael Lyle Cc: Kent Overstreet Cc: Nix Cc: Kai Krakow Cc: Eric Wheeler Cc: Junhui Tang Signed-off-by: Jens Axboe Signed-off-by: Ben Hutchings --- drivers/md/bcache/request.c | 10 +- 1 file changed, 9 insertions(+), 1 deletion(-) --- a/drivers/md/bcache/request.c +++ b/drivers/md/bcache/request.c 
@@ -698,8 +698,16 @@ static void cached_dev_read_error(struct { struct search *s = container_of(cl, struct search, cl); struct bio *bio = &s->bio.bio; + struct cached_dev *dc = container_of(s->d, struct cached_dev, disk); - if (s->recoverable) { + /* +* If cache device is dirty (dc->has_dirty is non-zero), then +* recovery a failed read request from cached device may get a +* stale data back. So read failure recovery is only permitted +* when cache device is clean. +*/ + if (s->recoverable && + (dc && !atomic_read(&dc->has_dirty))) { /* Retry from the backing device: */ trace_bcache_read_retry(s->orig_bio);
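Review bot: the `dc &&` guard in the new condition is dead code: dc is the result of container_of(s->d, ...), which is non-NULL whenever s->d is non-NULL (and an invalid non-NULL pointer if it were not), so the test protects nothing and implies a NULL-safety that does not exist; `if (s->recoverable && !atomic_read(&dc->has_dirty)) {` says what is meant. The new comment and code refer to dc->has_dirty while the commit message talks about dc->has_data; align the log with the code.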
[PATCH 3.16 026/136] tpm-dev-common: Reject too short writes
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Alexander Steffen commit ee70bc1e7b63ac8023c9ff9475d8741e397316e7 upstream. tpm_transmit() does not offer an explicit interface to indicate the number of valid bytes in the communication buffer. Instead, it relies on the commandSize field in the TPM header that is encoded within the buffer. Therefore, ensure that a) enough data has been written to the buffer, so that the commandSize field is present and b) the commandSize field does not announce more data than has been written to the buffer. This should have been fixed with CVE-2011-1161 long ago, but apparently a correct version of that patch never made it into the kernel. Signed-off-by: Alexander Steffen Reviewed-by: Jarkko Sakkinen Tested-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen [bwh: Backported to 3.16: adjust filename, context] Signed-off-by: Ben Hutchings --- drivers/char/tpm/tpm-dev.c | 6 ++ 1 file changed, 6 insertions(+) --- a/drivers/char/tpm/tpm-dev.c +++ b/drivers/char/tpm/tpm-dev.c @@ -139,6 +139,12 @@ static ssize_t tpm_write(struct file *fi return -EFAULT; } + if (in_size < 6 || + in_size < be32_to_cpu(*((__be32 *) (priv->data_buffer + 2 { + mutex_unlock(&priv->buffer_mutex); + return -EINVAL; + } + /* atomic tpm command send and result receive */ out_size = tpm_transmit(priv->chip, priv->data_buffer, sizeof(priv->data_buffer));
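Review bot: the new length check reads the 32-bit commandSize through `*((__be32 *)(priv->data_buffer + 2))`, an unaligned dereference into a byte buffer; prefer `get_unaligned_be32(priv->data_buffer + 2)`. The lower bound of 6 bytes guarantees only that commandSize is present, while a full TPM command header (tag, size, ordinal) is 10 bytes, and the second test still accepts a commandSize smaller than in_size, silently ignoring trailing bytes; consider requiring the header length and stating in the log why a smaller declared size is tolerated. The hunk is truncated in this excerpt after `+ 2`, so the closing parentheses of the cast could not be checked.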
[PATCH 3.16 022/136] bcache: check ca->alloc_thread initialized before wake up it
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Coly Li commit 91af8300d9c1d7c6b6a2fd754109e08d4798b8d8 upstream. In bcache code, sysfs entries are created before all resources get allocated, e.g. allocation thread of a cache set. There is possibility for NULL pointer dereference if a resource is accessed but which is not initialized yet. Indeed Jorg Bornschein catches one on cache set allocation thread and gets a kernel oops. The reason for this bug is, when bch_bucket_alloc() is called during cache set registration and attaching, ca->alloc_thread is not properly allocated and initialized yet, call wake_up_process() on ca->alloc_thread triggers NULL pointer dereference failure. A simple and fast fix is, before waking up ca->alloc_thread, checking whether it is allocated, and only wake up ca->alloc_thread when it is not NULL. Signed-off-by: Coly Li Reported-by: Jorg Bornschein Cc: Kent Overstreet Reviewed-by: Michael Lyle Signed-off-by: Jens Axboe Signed-off-by: Ben Hutchings --- drivers/md/bcache/alloc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/drivers/md/bcache/alloc.c +++ b/drivers/md/bcache/alloc.c @@ -406,7 +406,8 @@ long bch_bucket_alloc(struct cache *ca, finish_wait(&ca->set->bucket_wait, &w); out: - wake_up_process(ca->alloc_thread); + if (ca->alloc_thread) + wake_up_process(ca->alloc_thread); trace_bcache_alloc(ca, reserve);
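Review bot: the NULL test on ca->alloc_thread is a plain, unsynchronized read with no comment on what ordering makes a non-NULL value here a fully created thread; add a comment naming the lock or publication order relied on, or say explicitly that the check only narrows the registration-time window. When the thread does not exist yet nothing wakes it later for this allocation, which the commit message should state is acceptable during cache set registration.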
[PATCH 3.16 052/136] coda: fix 'kernel memory exposure attempt' in fsync
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: Jan Harkes commit d337b66a4c52c7b04eec661d86c2ef6e168965a2 upstream. When an application called fsync on a file in Coda a small request with just the file identifier was allocated, but the declared length was set to the size of union of all possible upcall requests. This bug has been around for a very long time and is now caught by the extra checking in usercopy that was introduced in Linux-4.8. The exposure happens when the Coda cache manager process reads the fsync upcall request at which point it is killed. As a result there is nobody servicing any further upcalls, trapping any processes that try to access the mounted Coda filesystem. Signed-off-by: Jan Harkes Signed-off-by: Al Viro Signed-off-by: Ben Hutchings --- fs/coda/upcall.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) --- a/fs/coda/upcall.c +++ b/fs/coda/upcall.c @@ -446,8 +446,7 @@ int venus_fsync(struct super_block *sb, UPARG(CODA_FSYNC); inp->coda_fsync.VFid = *fid; - error = coda_upcall(coda_vcp(sb), sizeof(union inputArgs), - &outsize, inp); + error = coda_upcall(coda_vcp(sb), insize, &outsize, inp); CODA_FREE(inp, insize); return error;
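Review bot: the hunk passes `insize`, which the UPARG(CODA_FSYNC) line a few lines above sets, so the declared length now matches the allocated request; since the commit message says this mismatch survived for years, suggest auditing the remaining venus_* upcalls in fs/coda/upcall.c for other `sizeof(union inputArgs)` length arguments in the same patch or a follow-up.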
[PATCH 3.16 070/136] MIPS: Fix an n32 core file generation regset support regression
3.16.54-rc1 review patch. If anyone has any objections, please let me know. -- From: "Maciej W. Rozycki" commit 547da673173de51f73887377eb275304775064ad upstream. Fix a commit 7aeb753b5353 ("MIPS: Implement task_user_regset_view.") regression, then activated by commit 6a9c001b7ec3 ("MIPS: Switch ELF core dumper to use regsets.)", that caused n32 processes to dump o32 core files by failing to set the EF_MIPS_ABI2 flag in the ELF core file header's `e_flags' member: $ file tls-core tls-core: ELF 32-bit MSB executable, MIPS, N32 MIPS64 rel2 version 1 (SYSV), [...] $ ./tls-core Aborted (core dumped) $ file core core: ELF 32-bit MSB core file MIPS, MIPS-I version 1 (SYSV), SVR4-style $ Previously the flag was set as the result of a: statement placed in arch/mips/kernel/binfmt_elfn32.c, however in the regset case, i.e. when CORE_DUMP_USE_REGSET is set, ELF_CORE_EFLAGS is no longer used by `fill_note_info' in fs/binfmt_elf.c, and instead the `->e_flags' member of the regset view chosen is. We have the views defined in arch/mips/kernel/ptrace.c, however only an o32 and an n64 one, and the latter is used for n32 as well. Consequently an o32 core file is incorrectly dumped from n32 processes (the ELF32 vs ELF64 class is chosen elsewhere, and the 32-bit one is correctly selected for n32). Correct the issue then by defining an n32 regset view and using it as appropriate. Issue discovered in GDB testing. Fixes: 7aeb753b5353 ("MIPS: Implement task_user_regset_view.") Signed-off-by: Maciej W. Rozycki Cc: Ralf Baechle Cc: Djordje Todorovic Cc: linux-m...@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/17617/ Signed-off-by: James Hogan Signed-off-by: Ben Hutchings --- arch/mips/kernel/ptrace.c | 17 + 1 file changed, 17 insertions(+) --- a/arch/mips/kernel/ptrace.c +++ b/arch/mips/kernel/ptrace.c 
@@ -522,6 +522,19 @@ static const struct user_regset_view use .n = ARRAY_SIZE(mips64_regsets), }; +#ifdef CONFIG_MIPS32_N32 + +static const struct user_regset_view user_mipsn32_view = { + .name = "mipsn32", + .e_flags= EF_MIPS_ABI2, + .e_machine = ELF_ARCH, + .ei_osabi = ELF_OSABI, + .regsets= mips64_regsets, + .n = ARRAY_SIZE(mips64_regsets), +}; + +#endif /* CONFIG_MIPS32_N32 */ + #endif /* CONFIG_64BIT */ const struct user_regset_view *task_user_regset_view(struct task_struct *task) @@ -533,6 +546,10 @@ const struct user_regset_view *task_user if (test_tsk_thread_flag(task, TIF_32BIT_REGS)) return &user_mips_view; #endif +#ifdef CONFIG_MIPS32_N32 + if (test_tsk_thread_flag(task, TIF_32BIT_ADDR)) + return &user_mipsn32_view; +#endif return &user_mips64_view; #endif }
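Review bot: user_mipsn32_view in the first hunk reuses mips64_regsets and differs from user_mips64_view only in `.e_flags = EF_MIPS_ABI2`; a one-line comment saying that n32 shares the n64 register layout and only needs the ABI flag would save the next reader from looking for n32-specific regsets. The initializers `.e_flags= EF_MIPS_ABI2` and `.regsets= mips64_regsets` as shown lack the space before `=` that the neighbouring fields have (possibly an extraction artifact).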
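Review bot: in the task_user_regset_view() hunk the new TIF_32BIT_ADDR test must remain after the existing TIF_32BIT_REGS test, because an o32 task has both flags set and would otherwise be handed the n32 view; this ordering is load-bearing and deserves a comment, e.g. `/* o32 (both flags) was handled above; TIF_32BIT_ADDR alone means n32 */`.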
[PATCH 3.2 67/79] RDS: Heap OOB write in rds_message_alloc_sgs()
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Mohamed Ghannam commit c095508770aebf1b9218e77026e48345d719b17c upstream. When args->nr_local is 0, nr_pages also gets 0 due to some size calculation via rds_rm_size(), which is later used to allocate pages for DMA, this bug produces a heap Out-Of-Bound write access to a specific memory region. Signed-off-by: Mohamed Ghannam Signed-off-by: David S. Miller Signed-off-by: Ben Hutchings --- net/rds/rdma.c | 3 +++ 1 file changed, 3 insertions(+) --- a/net/rds/rdma.c +++ b/net/rds/rdma.c @@ -516,6 +516,9 @@ int rds_rdma_extra_size(struct rds_rdma_ local_vec = (struct rds_iovec __user *)(unsigned long) args->local_vec_addr; + if (args->nr_local == 0) + return -EINVAL; + /* figure out the number of pages in the vector */ for (i = 0; i < args->nr_local; i++) { if (copy_from_user(&vec, &local_vec[i],
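Review bot: the new `nr_local == 0` check rejects the empty vector, but the visible context shows no upper bound on args->nr_local before the loop that does one copy_from_user() per entry and accumulates a page count; confirm that an upper bound exists elsewhere on the path, otherwise a very large count still drives an unbounded iteration and allocation. Returning -EINVAL from a function whose callers expect a size also requires every caller to test for a negative result before using it; the log should say those callers were checked.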
[PATCH 3.2 15/79] l2tp: purge session reorder queue on delete
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Tom Parkin commit 4c6e2fd35460208596fa099ee0750a4b0438aa5c upstream. Add calls to l2tp_session_queue_purge as a part of l2tp_tunnel_closeall and l2tp_session_delete. Pseudowire implementations which are deleted only via. l2tp_core l2tp_session_delete calls can dispense with their own code for flushing the reorder queue. Signed-off-by: Tom Parkin Signed-off-by: James Chapman Signed-off-by: David S. Miller Signed-off-by: Ben Hutchings --- net/l2tp/l2tp_core.c | 4 1 file changed, 4 insertions(+) --- a/net/l2tp/l2tp_core.c +++ b/net/l2tp/l2tp_core.c @@ -1347,6 +1347,8 @@ again: synchronize_rcu(); } + l2tp_session_queue_purge(session); + if (session->session_close != NULL) (*session->session_close)(session); @@ -1669,6 +1671,8 @@ EXPORT_SYMBOL_GPL(l2tp_session_free); */ int l2tp_session_delete(struct l2tp_session *session) { + l2tp_session_queue_purge(session); + if (session->session_close != NULL) (*session->session_close)(session);
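Review bot: in the l2tp_session_delete() hunk the new l2tp_session_queue_purge() call has no visible guarantee that the session is already unreachable from the receive path, unlike the first hunk where the purge follows synchronize_rcu(); if a receiver can still queue an skb after this purge, the queued packets the patch is meant to free remain. Either state in the log which ordering makes this safe for l2tp_session_delete() or purge after the session has been unhashed.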
[PATCH 3.2 77/79] [media] cx231xx: Fix the max number of interfaces
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Mauro Carvalho Chehab commit 139d28826b8e2bc7a9232fde0d2f14812914f501 upstream. The max number of interfaces was read from the wrong descriptor. Signed-off-by: Mauro Carvalho Chehab [bwh: Backported to 3.2: adjust filename] Signed-off-by: Ben Hutchings --- drivers/media/video/cx231xx/cx231xx-cards.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) --- a/drivers/media/video/cx231xx/cx231xx-cards.c +++ b/drivers/media/video/cx231xx/cx231xx-cards.c @@ -1070,8 +1070,7 @@ static int cx231xx_usb_probe(struct usb_ dev->vbi_or_sliced_cc_mode = 0; /* get maximum no.of IAD interfaces */ - assoc_desc = udev->actconfig->intf_assoc[0]; - dev->max_iad_interface_count = assoc_desc->bInterfaceCount; + dev->max_iad_interface_count = udev->config->desc.bNumInterfaces; /* init CIR module TBD */
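Review bot: the replacement reads `udev->config->desc.bNumInterfaces`, i.e. the first configuration descriptor, whereas the removed lines used `udev->actconfig` (the active configuration); on a device with more than one configuration these can differ, so `udev->actconfig->desc.bNumInterfaces` is the safer source. The surviving comment `/* get maximum no.of IAD interfaces */` is now misleading, since bNumInterfaces counts every interface of the configuration rather than the interfaces of an interface association; update it to match.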
[PATCH 3.2 63/79] netfilter: xt_TCPMSS: Fix missing fragmentation handling
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Phil Oester commit b396966c4688522863572927cb30aa874b3ec504 upstream. Similar to commit bc6bcb59 ("netfilter: xt_TCPOPTSTRIP: fix possible mangling beyond packet boundary"), add safe fragment handling to xt_TCPMSS. Signed-off-by: Phil Oester Signed-off-by: Pablo Neira Ayuso [bwh: Backported to 3.2: Change parameters for tcpmss_mangle_packet() as done upstream in commit 70d19f805f8c "netfilter: xt_TCPMSS: Fix IPv6 default MSS too"] Signed-off-by: Ben Hutchings --- --- a/net/netfilter/xt_TCPMSS.c +++ b/net/netfilter/xt_TCPMSS.c @@ -44,17 +44,22 @@ optlen(const u_int8_t *opt, unsigned int static int tcpmss_mangle_packet(struct sk_buff *skb, -const struct xt_tcpmss_info *info, +const struct xt_action_param *par, unsigned int in_mtu, unsigned int tcphoff, unsigned int minlen) { + const struct xt_tcpmss_info *info = par->targinfo; struct tcphdr *tcph; unsigned int tcplen, i; __be16 oldval; u16 newmss; u8 *opt; + /* This is a fragment, no TCP header is available */ + if (par->fragoff != 0) + return XT_CONTINUE; + if (!skb_make_writable(skb, skb->len)) return -1; @@ -183,7 +188,7 @@ tcpmss_tg4(struct sk_buff *skb, const st __be16 newlen; int ret; - ret = tcpmss_mangle_packet(skb, par->targinfo, + ret = tcpmss_mangle_packet(skb, par, tcpmss_reverse_mtu(skb, PF_INET), iph->ihl * 4, sizeof(*iph) + sizeof(struct tcphdr)); @@ -211,7 +216,7 @@ tcpmss_tg6(struct sk_buff *skb, const st tcphoff = ipv6_skip_exthdr(skb, sizeof(*ipv6h), &nexthdr); if (tcphoff < 0) return NF_DROP; - ret = tcpmss_mangle_packet(skb, par->targinfo, + ret = tcpmss_mangle_packet(skb, par, tcpmss_reverse_mtu(skb, PF_INET6), tcphoff, sizeof(*ipv6h) + sizeof(struct tcphdr));
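Review bot: in the tcpmss_mangle_packet() hunk the new fragment check returns XT_CONTINUE from a function whose other failure path returns -1 and whose callers (tcpmss_tg4/tg6 in the following hunks) treat the result as a signed status, which is exactly the mismatch patch 65/79 on this page later corrects to `return 0`; returning a verdict constant where a status is expected mixes two conventions and will be mis-interpreted by the callers. Return 0 here and add a comment at the top of the function stating the 0/-1 convention.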
[PATCH 3.2 65/79] netfilter: xt_TCPMSS: correct return value in tcpmss_mangle_packet
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Phil Oester commit 1205e1fa615805c9efa97303b552cf445965752a upstream. In commit b396966c4 (netfilter: xt_TCPMSS: Fix missing fragmentation handling), I attempted to add safe fragment handling to xt_TCPMSS. However, Andy Padavan of Project N56U correctly points out that returning XT_CONTINUE in this function does not work. The callers (tcpmss_tg[46]) expect to receive a value of 0 in order to return XT_CONTINUE. Signed-off-by: Phil Oester Signed-off-by: Pablo Neira Ayuso Signed-off-by: Ben Hutchings --- net/netfilter/xt_TCPMSS.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/net/netfilter/xt_TCPMSS.c +++ b/net/netfilter/xt_TCPMSS.c @@ -59,7 +59,7 @@ tcpmss_mangle_packet(struct sk_buff *skb /* This is a fragment, no TCP header is available */ if (par->fragoff != 0) - return XT_CONTINUE; + return 0; if (!skb_make_writable(skb, skb->len)) return -1;
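Review bot: `return 0` is the right value, but the convention it relies on (0 means continue, -1 means error, as the callers expect) is still implicit and this very confusion produced the bug; add a comment above tcpmss_mangle_packet() or named constants for the two outcomes so the next change to this function does not repeat it.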
[PATCH 3.2 74/79] usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Shuah Khan commit c6688ef9f29762e65bce325ef4acd6c675806366 upstream. Harden CMD_SUBMIT path to handle malicious input that could trigger large memory allocations. Add checks to validate transfer_buffer_length and number_of_packets to protect against bad input requesting for unbounded memory allocations. Validate early in get_pipe() and return failure. Reported-by: Secunia Research Signed-off-by: Shuah Khan Signed-off-by: Greg Kroah-Hartman [bwh: Backported to 3.2: - Device for logging purposes is &sdev->interface->dev - Adjust filename, context] Signed-off-by: Ben Hutchings --- drivers/staging/usbip/stub_rx.c | 35 +++ 1 file changed, 31 insertions(+), 4 deletions(-) --- a/drivers/staging/usbip/stub_rx.c +++ b/drivers/staging/usbip/stub_rx.c @@ -350,11 +350,13 @@ static struct stub_priv *stub_priv_alloc return priv; } -static int get_pipe(struct stub_device *sdev, int epnum, int dir) +static int get_pipe(struct stub_device *sdev, struct usbip_header *pdu) { struct usb_device *udev = sdev->udev; struct usb_host_endpoint *ep; struct usb_endpoint_descriptor *epd = NULL; + int epnum = pdu->base.ep; + int dir = pdu->base.direction; if (epnum < 0 || epnum > 15) goto err_ret; @@ -367,6 +369,15 @@ static int get_pipe(struct stub_device * goto err_ret; epd = &ep->desc; + + /* validate transfer_buffer_length */ + if (pdu->u.cmd_submit.transfer_buffer_length > INT_MAX) { + dev_err(&sdev->interface->dev, + "CMD_SUBMIT: -EMSGSIZE transfer_buffer_length %d\n", + pdu->u.cmd_submit.transfer_buffer_length); + return -1; + } + if (usb_endpoint_xfer_control(epd)) { if (dir == USBIP_DIR_OUT) return usb_sndctrlpipe(udev, epnum); 
@@ -389,6 +400,21 @@ static int get_pipe(struct stub_device * } if (usb_endpoint_xfer_isoc(epd)) { + /* validate packet size and number of packets */ + unsigned int maxp, packets, bytes; + + maxp = usb_endpoint_maxp(epd); + maxp *= usb_endpoint_maxp_mult(epd); + bytes = pdu->u.cmd_submit.transfer_buffer_length; + packets = DIV_ROUND_UP(bytes, maxp); + + if (pdu->u.cmd_submit.number_of_packets < 0 || + pdu->u.cmd_submit.number_of_packets > packets) { + dev_err(&sdev->interface->dev, + "CMD_SUBMIT: isoc invalid num packets %d\n", + pdu->u.cmd_submit.number_of_packets); + return -1; + } if (dir == USBIP_DIR_OUT) return usb_sndisocpipe(udev, epnum); else @@ -397,7 +423,7 @@ static int get_pipe(struct stub_device * err_ret: /* NOT REACHED */ - dev_err(&sdev->interface->dev, "get pipe() invalid epnum %d\n", epnum); + dev_err(&sdev->interface->dev, "CMD_SUBMIT: invalid epnum %d\n", epnum); return -1; } @@ -462,7 +488,7 @@ static void stub_recv_cmd_submit(struct struct stub_priv *priv; struct usbip_device *ud = &sdev->ud; struct usb_device *udev = sdev->udev; - int pipe = get_pipe(sdev, pdu->base.ep, pdu->base.direction); + int pipe = get_pipe(sdev, pdu); if (pipe == -1) return; @@ -485,7 +511,8 @@ static void stub_recv_cmd_submit(struct } /* set priv->urb->transfer_buffer */ - if (pdu->u.cmd_submit.transfer_buffer_length > 0) { + if (pdu->u.cmd_submit.transfer_buffer_length > 0 && + pdu->u.cmd_submit.transfer_buffer_length <= INT_MAX) { priv->urb->transfer_buffer = kzalloc(pdu->u.cmd_submit.transfer_buffer_length, GFP_KERNEL);
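Review bot: the `transfer_buffer_length > INT_MAX` test added to get_pipe() prints the field with `%d`, which suggests a signed 32-bit member of struct usbip_header_cmd_submit; if so the comparison can never be true and the check is dead, while a negative length passes untouched. For a signed field the meaningful validation is `< 0` plus an upper bound suited to the endpoint; please confirm the field type before merging.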
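Review bot: in the isochronous hunk `packets = DIV_ROUND_UP(bytes, maxp)` divides by `maxp`, which is `usb_endpoint_maxp(epd) * usb_endpoint_maxp_mult(epd)` taken from the device's own endpoint descriptor; a descriptor with wMaxPacketSize 0 turns this into a kernel divide by zero. Reject the request when `maxp == 0` before the division, and for the 3.2 backport confirm that usb_endpoint_maxp_mult() exists in that tree.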
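Review bot: the final hunk adds a second `<= INT_MAX` bound at the kzalloc() site for the same pdu that get_pipe() has already validated a few lines earlier; duplicated validation tends to drift, and for a signed field this copy is as dead as the first. Keep a single validation point in get_pipe() and leave the allocation condition as `> 0`.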
[PATCH 3.2 62/79] netfilter: xt_TCPOPTSTRIP: don't use tcp_hdr()
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Pablo Neira Ayuso commit ed82c437320c48a4032492f4a55a7e2c934158b6 upstream. In (bc6bcb5 netfilter: xt_TCPOPTSTRIP: fix possible mangling beyond packet boundary), the use of tcp_hdr was introduced. However, we cannot assume that skb->transport_header is set for non-local packets. Cc: Florian Westphal Reported-by: Phil Oester Signed-off-by: Pablo Neira Ayuso Signed-off-by: Ben Hutchings --- net/netfilter/xt_TCPOPTSTRIP.c | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) --- a/net/netfilter/xt_TCPOPTSTRIP.c +++ b/net/netfilter/xt_TCPOPTSTRIP.c @@ -48,11 +48,13 @@ tcpoptstrip_mangle_packet(struct sk_buff return NF_DROP; len = skb->len - tcphoff; - if (len < (int)sizeof(struct tcphdr) || - tcp_hdr(skb)->doff * 4 > len) + if (len < (int)sizeof(struct tcphdr)) return NF_DROP; tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff); + if (tcph->doff * 4 > len) + return NF_DROP; + opt = (u_int8_t *)tcph; /*
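Review bot: computing tcph from skb_network_header() + tcphoff before testing `tcph->doff * 4 > len` removes the dependence on skb->transport_header, but the function still accepts `doff < 5`, a header shorter than sizeof(struct tcphdr); patch 66/79 on this page adds exactly that lower bound to xt_TCPMSS, and a matching `if (tcph->doff * 4 < sizeof(struct tcphdr)) return NF_DROP;` belongs next to the new check here.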
[PATCH 3.2 49/79] autofs4: autofs4_wait() vs. autofs4_catatonic_mode() race
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Al Viro commit 4041bcdc7bef06a2fb29c57394c713a74bd13b08 upstream. We need to recheck ->catatonic after autofs4_wait() got ->wq_mutex for good, or we might end up with wq inserted into queue after autofs4_catatonic_mode() had done its thing. It will stick there forever, since there won't be anything to clear its ->name.name. A bit of a complication: validate_request() drops and regains ->wq_mutex. It actually ends up the most convenient place to stick the check into... Acked-by: Ian Kent Signed-off-by: Al Viro Signed-off-by: Ben Hutchings --- fs/autofs4/waitq.c | 8 +++- 1 file changed, 7 insertions(+), 1 deletion(-) --- a/fs/autofs4/waitq.c +++ b/fs/autofs4/waitq.c @@ -257,6 +257,9 @@ static int validate_request(struct autof struct autofs_wait_queue *wq; struct autofs_info *ino; + if (sbi->catatonic) + return -ENOENT; + /* Wait in progress, continue; */ wq = autofs4_find_wait(sbi, qstr); if (wq) { @@ -289,6 +292,9 @@ static int validate_request(struct autof if (mutex_lock_interruptible(&sbi->wq_mutex)) return -EINTR; + if (sbi->catatonic) + return -ENOENT; + wq = autofs4_find_wait(sbi, qstr); if (wq) { *wait = wq; @@ -389,7 +395,7 @@ int autofs4_wait(struct autofs_sb_info * ret = validate_request(&wq, sbi, &qstr, dentry, notify); if (ret <= 0) { - if (ret == 0) + if (ret != -EINTR) mutex_unlock(&sbi->wq_mutex); kfree(qstr.name); return ret;
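Review bot: the second validate_request() hunk returns -ENOENT while holding wq_mutex (taken by the mutex_lock_interruptible() just above it), and the autofs4_wait() hunk compensates by unlocking for every `ret != -EINTR`; lock ownership is now tied to specific error codes across two functions. Add a comment above validate_request() stating that it returns with wq_mutex held except when it returns -EINTR, so the next error path added there does not leak or double-unlock the mutex.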
[PATCH 3.2 73/79] usbip: fix stub_rx: get_pipe() to validate endpoint number
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Shuah Khan commit 635f545a7e8be7596b9b2b6a43cab6bbd5a88e43 upstream. get_pipe() routine doesn't validate the input endpoint number and uses to reference ep_in and ep_out arrays. Invalid endpoint number can trigger BUG(). Range check the epnum and returning error instead of calling BUG(). Change caller stub_recv_cmd_submit() to handle the get_pipe() error return. Reported-by: Secunia Research Signed-off-by: Shuah Khan Signed-off-by: Greg Kroah-Hartman [bwh: Backported to 3.2: adjust filename, context] Signed-off-by: Ben Hutchings --- drivers/staging/usbip/stub_rx.c | 18 +++--- 1 file changed, 11 insertions(+), 7 deletions(-) --- a/drivers/staging/usbip/stub_rx.c +++ b/drivers/staging/usbip/stub_rx.c @@ -356,15 +356,15 @@ static int get_pipe(struct stub_device * struct usb_host_endpoint *ep; struct usb_endpoint_descriptor *epd = NULL; + if (epnum < 0 || epnum > 15) + goto err_ret; + if (dir == USBIP_DIR_IN) ep = udev->ep_in[epnum & 0x7f]; else ep = udev->ep_out[epnum & 0x7f]; - if (!ep) { - dev_err(&sdev->interface->dev, "no such endpoint?, %d\n", - epnum); - BUG(); - } + if (!ep) + goto err_ret; epd = &ep->desc; if (usb_endpoint_xfer_control(epd)) { @@ -395,9 +395,10 @@ static int get_pipe(struct stub_device * return usb_rcvisocpipe(udev, epnum); } +err_ret: /* NOT REACHED */ - dev_err(&sdev->interface->dev, "get pipe, epnum %d\n", epnum); - return 0; + dev_err(&sdev->interface->dev, "get pipe() invalid epnum %d\n", epnum); + return -1; } static void masking_bogus_flags(struct urb *urb) @@ -463,6 +464,9 @@ static void stub_recv_cmd_submit(struct struct usb_device *udev = sdev->udev; int pipe = get_pipe(sdev, pdu->base.ep, pdu->base.direction); + if (pipe == -1) + return; + priv = stub_priv_alloc(sdev, pdu); if (!priv) return;
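Review bot: once `epnum < 0 || epnum > 15` is rejected in the first hunk, the `& 0x7f` masks on the ep_in/ep_out indexes are dead and only obscure the real bound; drop them. In the second hunk the `/* NOT REACHED */` comment now sits under the `err_ret:` label that is the target of two gotos, so it is wrong; replace it with a comment describing the error path, e.g. `/* invalid or missing endpoint; caller drops the request */`.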
[PATCH 3.2 76/79] usbip: fix stub_send_ret_submit() vulnerability to null transfer_buffer
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Shuah Khan commit be6123df1ea8f01ee2f896a16c2b7be3e4557a5a upstream. stub_send_ret_submit() handles urb with a potential null transfer_buffer, when it replays a packet with potential malicious data that could contain a null buffer. Add a check for the condition when actual_length > 0 and transfer_buffer is null. Reported-by: Secunia Research Signed-off-by: Shuah Khan Signed-off-by: Greg Kroah-Hartman [bwh: Backported to 3.2: - Device for logging purposes is &sdev->interface->dev - Adjust filename] Signed-off-by: Ben Hutchings --- drivers/staging/usbip/stub_tx.c | 7 +++ 1 file changed, 7 insertions(+) --- a/drivers/staging/usbip/stub_tx.c +++ b/drivers/staging/usbip/stub_tx.c @@ -178,6 +178,13 @@ static int stub_send_ret_submit(struct s memset(&pdu_header, 0, sizeof(pdu_header)); memset(&msg, 0, sizeof(msg)); + if (urb->actual_length > 0 && !urb->transfer_buffer) { + dev_err(&sdev->interface->dev, + "urb: actual_length %d transfer_buffer null\n", + urb->actual_length); + return -1; + } + if (usb_pipetype(urb->pipe) == PIPE_ISOCHRONOUS) iovnum = 2 + urb->number_of_packets; else
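Review bot: the new check logs with dev_err() for every malformed urb and the condition is reachable from remote input, so a peer can fill the kernel log at line rate; use a rate-limited print (dev_err_ratelimited() in newer trees, printk_ratelimited() for 3.2) here and in the companion usbip hardening patches in this series. The log should also say how the caller of stub_send_ret_submit() treats the -1 return, i.e. whether the connection is torn down or only this urb is dropped.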
[PATCH 3.2 47/79] KVM: SVM: obey guest PAT
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Paolo Bonzini commit 15038e14724799b8c205beb5f20f9e54896013c3 upstream. For many years some users of assigned devices have reported worse performance on AMD processors with NPT than on AMD without NPT, Intel or bare metal. The reason turned out to be that SVM is discarding the guest PAT setting and uses the default (PA0=PA4=WB, PA1=PA5=WT, PA2=PA6=UC-, PA3=UC). The guest might be using a different setting, and especially might want write combining but isn't getting it (instead getting slow UC or UC- accesses). Thanks a lot to ge...@hostfission.com for noticing the relation to the g_pat setting. The patch has been tested also by a bunch of people on VFIO users forums. Fixes: 709ddebf81cb40e3c36c6109a7892e8b93a09464 Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=196409 Signed-off-by: Paolo Bonzini Reviewed-by: David Hildenbrand Tested-by: Nick Sarnie Signed-off-by: Radim Krčmář Signed-off-by: Ben Hutchings --- arch/x86/kvm/svm.c | 7 +++ 1 file changed, 7 insertions(+) --- a/arch/x86/kvm/svm.c +++ b/arch/x86/kvm/svm.c @@ -3040,6 +3040,13 @@ static int svm_set_msr(struct kvm_vcpu * struct vcpu_svm *svm = to_svm(vcpu); switch (ecx) { + case MSR_IA32_CR_PAT: + if (!kvm_mtrr_valid(vcpu, MSR_IA32_CR_PAT, data)) + return 1; + vcpu->arch.pat = data; + svm->vmcb->save.g_pat = data; + mark_dirty(svm->vmcb, VMCB_NPT); + break; case MSR_IA32_TSC: kvm_write_tsc(vcpu, data); break;
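Review bot: the hunk adds the MSR_IA32_CR_PAT write path (validated by kvm_mtrr_valid(), stored in vcpu->arch.pat, mirrored into svm->vmcb->save.g_pat and VMCB_NPT marked dirty), but the read side is not in the diff; confirm svm_get_msr() returns vcpu->arch.pat for MSR_IA32_CR_PAT so a guest reading the MSR back sees what it wrote. Since g_pat is only consulted with nested paging, a sentence in the log that the extra write is harmless without NPT would pre-empt that question.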
[PATCH 3.2 61/79] netfilter: xt_TCPOPTSTRIP: fix possible mangling beyond packet boundary
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Pablo Neira Ayuso commit bc6bcb59dd7c184d229f9e86d08aa56059938a4c upstream. This target assumes that tcph->doff is well-formed, that may be well not the case. Add extra sanity checkings to avoid possible crash due to read/write out of the real packet boundary. After this patch, the default action on malformed TCP packets is to drop them. Moreover, fragments are skipped. Reported-by: Rafal Kupka Signed-off-by: Pablo Neira Ayuso Signed-off-by: Ben Hutchings --- net/netfilter/xt_TCPOPTSTRIP.c | 17 ++--- 1 file changed, 14 insertions(+), 3 deletions(-) --- a/net/netfilter/xt_TCPOPTSTRIP.c +++ b/net/netfilter/xt_TCPOPTSTRIP.c @@ -30,17 +30,28 @@ static inline unsigned int optlen(const static unsigned int tcpoptstrip_mangle_packet(struct sk_buff *skb, - const struct xt_tcpoptstrip_target_info *info, + const struct xt_action_param *par, unsigned int tcphoff, unsigned int minlen) { + const struct xt_tcpoptstrip_target_info *info = par->targinfo; unsigned int optl, i, j; struct tcphdr *tcph; u_int16_t n, o; u_int8_t *opt; + int len; + + /* This is a fragment, no TCP header is available */ + if (par->fragoff != 0) + return XT_CONTINUE; if (!skb_make_writable(skb, skb->len)) return NF_DROP; + len = skb->len - tcphoff; + if (len < (int)sizeof(struct tcphdr) || + tcp_hdr(skb)->doff * 4 > len) + return NF_DROP; + tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff); opt = (u_int8_t *)tcph; @@ -76,7 +87,7 @@ tcpoptstrip_mangle_packet(struct sk_buff static unsigned int tcpoptstrip_tg4(struct sk_buff *skb, const struct xt_action_param *par) { - return tcpoptstrip_mangle_packet(skb, par->targinfo, ip_hdrlen(skb), + return tcpoptstrip_mangle_packet(skb, par, ip_hdrlen(skb), sizeof(struct iphdr) + sizeof(struct tcphdr)); } 
@@ -93,7 +104,7 @@ tcpoptstrip_tg6(struct sk_buff *skb, con if (tcphoff < 0) return NF_DROP; - return tcpoptstrip_mangle_packet(skb, par->targinfo, tcphoff, + return tcpoptstrip_mangle_packet(skb, par, tcphoff, sizeof(*ipv6h) + sizeof(struct tcphdr)); } #endif
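Review bot: the new bounds check in tcpoptstrip_mangle_packet() uses `tcp_hdr(skb)->doff`, which relies on skb->transport_header being set; for forwarded, non-local packets it is not, which is what patch 62/79 on this page corrects by computing tcph from skb_network_header() + tcphoff first and testing doff on that pointer. The check also accepts `doff < 5` as a well-formed header; an explicit lower bound against sizeof(struct tcphdr), as patch 66/79 adds to xt_TCPMSS, documents the expectation. Returning XT_CONTINUE for fragments is correct here, since the tg4/tg6 callers in the following hunks return this function's value as the verdict.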
[PATCH 3.2 18/79] l2tp: don't register sessions in l2tp_session_create()
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Guillaume Nault commit 3953ae7b218df4d1e544b98a393666f9ae58a78c upstream. Sessions created by l2tp_session_create() aren't fully initialised: some pseudo-wire specific operations need to be done before making the session usable. Therefore the PPP and Ethernet pseudo-wires continue working on the returned l2tp session while it's already been exposed to the rest of the system. This can lead to various issues. In particular, the session may enter the deletion process before having been fully initialised, which will confuse the session removal code. This patch moves session registration out of l2tp_session_create(), so that callers can control when the session is exposed to the rest of the system. This is done by the new l2tp_session_register() function. Only pppol2tp_session_create() can be easily converted to avoid modifying its session after registration (the debug message is dropped in order to avoid the need for holding a reference on the session). For pppol2tp_connect() and l2tp_eth_create()), more work is needed. That'll be done in followup patches. For now, let's just register the session right after its creation, like it was done before. The only difference is that we can easily take a reference on the session before registering it, so, at least, we're sure it's not going to be freed while we're working on it. Signed-off-by: Guillaume Nault Signed-off-by: David S. Miller [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings --- net/l2tp/l2tp_core.c | 21 +++-- net/l2tp/l2tp_core.h | 3 +++ net/l2tp/l2tp_eth.c | 9 + net/l2tp/l2tp_ppp.c | 23 +-- 4 files changed, 36 insertions(+), 20 deletions(-) --- a/net/l2tp/l2tp_core.c +++ b/net/l2tp/l2tp_core.c 
@@ -327,8 +327,8 @@ struct l2tp_session *l2tp_session_get_by } EXPORT_SYMBOL_GPL(l2tp_session_get_by_ifname); -static int l2tp_session_add_to_tunnel(struct l2tp_tunnel *tunnel, - struct l2tp_session *session) +int l2tp_session_register(struct l2tp_session *session, + struct l2tp_tunnel *tunnel) { struct l2tp_session *session_walk; struct hlist_head *g_head; @@ -377,6 +377,10 @@ static int l2tp_session_add_to_tunnel(st hlist_add_head(&session->hlist, head); write_unlock_bh(&tunnel->hlist_lock); + /* Ignore management session in session count value */ + if (session->session_id != 0) + atomic_inc(&l2tp_session_count); + return 0; err_tlock_pnlock: @@ -386,6 +390,7 @@ err_tlock: return err; } +EXPORT_SYMBOL_GPL(l2tp_session_register); /* Lookup a tunnel by id */ @@ -1703,7 +1708,6 @@ static void l2tp_session_set_header_len( struct l2tp_session *l2tp_session_create(int priv_size, struct l2tp_tunnel *tunnel, u32 session_id, u32 peer_session_id, struct l2tp_session_cfg *cfg) { struct l2tp_session *session; - int err; session = kzalloc(sizeof(struct l2tp_session) + priv_size, GFP_KERNEL); if (session != NULL) { @@ -1752,17 +1756,6 @@ struct l2tp_session *l2tp_session_create l2tp_session_inc_refcount(session); - err = l2tp_session_add_to_tunnel(tunnel, session); - if (err) { - kfree(session); - - return ERR_PTR(err); - } - - /* Ignore management session in session count value */ - if (session->session_id != 0) - atomic_inc(&l2tp_session_count); - return session; } --- a/net/l2tp/l2tp_core.h +++ b/net/l2tp/l2tp_core.h 
@@ -246,6 +246,8 @@ extern struct l2tp_tunnel *l2tp_tunnel_f extern int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32 peer_tunnel_id, struct l2tp_tunnel_cfg *cfg, struct l2tp_tunnel **tunnelp); extern int l2tp_tunnel_delete(struct l2tp_tunnel *tunnel); extern struct l2tp_session *l2tp_session_create(int priv_size, struct l2tp_tunnel *tunnel, u32 session_id, u32 peer_session_id, struct l2tp_session_cfg *cfg); +int l2tp_session_register(struct l2tp_session *session, + struct l2tp_tunnel *tunnel); extern int l2tp_session_delete(struct l2tp_session *session); extern void l2tp_session_free(struct l2tp_session *session); extern void l2tp_recv_common(struct l2tp_session *session, struct sk_buff *skb, unsigned char *ptr, unsigned char *optr, u16 hdrflags, int length, int (*payload_hook)(struct sk_buff *skb)); --- a/net/l2tp/l2tp_eth.c +++ b/net/l2tp/l2tp_eth.c @@ -194,6 +194,13 @@ static int l2tp_eth_create(struct net *n goto out; } + l2tp_session_inc_refcount(session); + rc = l2tp_session_register(session, tunnel); + if (rc < 0) { + kfree(session); + goto out; + } + dev = a
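Review bot: the l2tp_core.h hunk declares `int l2tp_session_register(...)` without the `extern` keyword that every neighbouring prototype in the visible context uses; harmless, but match the file's style.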
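Review bot: the l2tp_eth.c error path takes a reference with l2tp_session_inc_refcount() and then, when l2tp_session_register() fails, calls kfree(session) directly; that bypasses l2tp_session_free() and leaves the reference just taken unaccounted for. Because the session has not been published yet this is not an immediate use-after-free, but it is fragile: either drop the reference and let the normal free path run, or add a comment explaining why freeing the unregistered session directly is safe. The hunk is cut off at `dev = a` in this excerpt, so the remainder of the l2tp_eth.c change could not be reviewed.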
[PATCH 3.2 66/79] netfilter: xt_TCPMSS: add more sanity tests on tcph->doff
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Eric Dumazet commit 2638fd0f92d4397884fd991d8f4925cb3f081901 upstream. Denys provided an awesome KASAN report pointing to an use after free in xt_TCPMSS I have provided three patches to fix this issue, either in xt_TCPMSS or in xt_tcpudp.c. It seems xt_TCPMSS patch has the smallest possible impact. Signed-off-by: Eric Dumazet Reported-by: Denys Fedoryshchenko Signed-off-by: Pablo Neira Ayuso Signed-off-by: Ben Hutchings --- net/netfilter/xt_TCPMSS.c | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) --- a/net/netfilter/xt_TCPMSS.c +++ b/net/netfilter/xt_TCPMSS.c @@ -71,7 +71,7 @@ tcpmss_mangle_packet(struct sk_buff *skb tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff); tcp_hdrlen = tcph->doff * 4; - if (len < tcp_hdrlen) + if (len < tcp_hdrlen || tcp_hdrlen < sizeof(struct tcphdr)) return -1; if (info->mss == XT_TCPMSS_CLAMP_PMTU) { @@ -122,6 +122,10 @@ tcpmss_mangle_packet(struct sk_buff *skb if (len > tcp_hdrlen) return 0; + /* tcph->doff has 4 bits, do not wrap it to 0 */ + if (tcp_hdrlen >= 15 * 4) + return 0; + /* * MSS Option not found ?! add it.. */
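Review bot: in the @@ -122 hunk the bound `tcp_hdrlen >= 15 * 4` encodes the 4-bit doff maximum (15 words, 60 bytes) as a bare arithmetic literal; naming the constant, or writing the test as a comparison against the largest doff value, would make the "do not wrap it to 0" comment self-explanatory, because the increment of tcph->doff that this check protects lies outside the hunk.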
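Review bot: in the @@ -71 hunk `tcp_hdrlen < sizeof(struct tcphdr)` compares an int with a size_t; the comparison is correct because tcp_hdrlen is doff * 4 and therefore never negative, but the `(int)sizeof(struct tcphdr)` form used for the `len` check introduced by patch 64/79 would keep the two adjacent tests consistent. This hunk also depends on the `len` and `tcp_hdrlen` locals that 64/79 introduces, so the ordering of the two patches in the 3.2 queue must be preserved.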
[PATCH 3.2 13/79] net/9p: Switch to wait_event_killable()
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Tuomas Tynkkynen commit 9523feac272ccad2ad8186ba4fcc89103754de52 upstream. Because userspace gets Very Unhappy when calls like stat() and execve() return -EINTR on 9p filesystem mounts. For instance, when bash is looking in PATH for things to execute and some SIGCHLD interrupts stat(), bash can throw a spurious 'command not found' since it doesn't retry the stat(). In practice, hitting the problem is rare and needs a really slow/bogged down 9p server. Signed-off-by: Tuomas Tynkkynen Signed-off-by: Al Viro [bwh: Backported to 3.2: - Drop changes in trans_xen.c - Adjust context] Signed-off-by: Ben Hutchings --- --- a/net/9p/client.c +++ b/net/9p/client.c @@ -740,8 +740,7 @@ p9_client_rpc(struct p9_client *c, int8_ goto reterr; } /* Wait for the response */ - err = wait_event_interruptible(*req->wq, - req->status >= REQ_STATUS_RCVD); + err = wait_event_killable(*req->wq, req->status >= REQ_STATUS_RCVD); if (req->status == REQ_STATUS_ERROR) { P9_DPRINTK(P9_DEBUG_ERROR, "req_status error %d\n", req->t_err); --- a/net/9p/trans_virtio.c +++ b/net/9p/trans_virtio.c @@ -276,8 +276,8 @@ req_retry: if (err == -ENOSPC) { chan->ring_bufs_avail = 0; spin_unlock_irqrestore(&chan->lock, flags); - err = wait_event_interruptible(*chan->vc_wq, - chan->ring_bufs_avail); + err = wait_event_killable(*chan->vc_wq, + chan->ring_bufs_avail); if (err == -ERESTARTSYS) return err; @@ -309,7 +309,7 @@ static int p9_get_mapped_pages(struct vi * Other zc request to finish here */ if (atomic_read(&vp_pinned) >= chan->p9_max_pages) { - err = wait_event_interruptible(vp_wq, + err = wait_event_killable(vp_wq, (atomic_read(&vp_pinned) < chan->p9_max_pages)); if (err == -ERESTARTSYS) return err; 
@@ -419,8 +419,8 @@ req_retry_pinned: if (err == -ENOSPC) { chan->ring_bufs_avail = 0; spin_unlock_irqrestore(&chan->lock, flags); - err = wait_event_interruptible(*chan->vc_wq, - chan->ring_bufs_avail); + err = wait_event_killable(*chan->vc_wq, + chan->ring_bufs_avail); if (err == -ERESTARTSYS) goto err_out; @@ -438,8 +438,7 @@ req_retry_pinned: virtqueue_kick(chan->vq); spin_unlock_irqrestore(&chan->lock, flags); P9_DPRINTK(P9_DEBUG_TRANS, "9p debug: virtio request kicked\n"); - err = wait_event_interruptible(*req->wq, - req->status >= REQ_STATUS_RCVD); + err = wait_event_killable(*req->wq, req->status >= REQ_STATUS_RCVD); /* * Non kernel buffers are pinned, unpin them */
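Review bot: in the client.c hunk wait_event_killable() still returns -ERESTARTSYS when a fatal signal arrives, so the request can be abandoned while the server's reply is still in flight; the error handling reached after that return (the code following `goto reterr` and the status check) is not shown and should be confirmed unchanged by the backport, since the only behavioural change intended here is that non-fatal signals such as SIGCHLD no longer interrupt the wait. As a layout point, this hunk and the trans_virtio.c @@ -438 hunk collapse the call onto one line while the @@ -276 and @@ -419 hunks keep the condition on a continuation line; pick one style.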
[PATCH 3.2 64/79] netfilter: xt_TCPMSS: fix handling of malformed TCP header and options
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Pablo Neira Ayuso commit 71ffe9c77dd7a2b62207953091efa8dafec958dd upstream. Make sure the packet has enough room for the TCP header and that it is not malformed. While at it, store tcph->doff*4 in a variable, as it is used several times. This patch also fixes a possible off by one in case of malformed TCP options. Reported-by: Julian Anastasov Signed-off-by: Pablo Neira Ayuso Signed-off-by: Ben Hutchings --- net/netfilter/xt_TCPMSS.c | 28 1 file changed, 16 insertions(+), 12 deletions(-) --- a/net/netfilter/xt_TCPMSS.c +++ b/net/netfilter/xt_TCPMSS.c @@ -51,7 +51,8 @@ tcpmss_mangle_packet(struct sk_buff *skb { const struct xt_tcpmss_info *info = par->targinfo; struct tcphdr *tcph; - unsigned int tcplen, i; + int len, tcp_hdrlen; + unsigned int i; __be16 oldval; u16 newmss; u8 *opt; @@ -63,11 +64,14 @@ tcpmss_mangle_packet(struct sk_buff *skb if (!skb_make_writable(skb, skb->len)) return -1; - tcplen = skb->len - tcphoff; + len = skb->len - tcphoff; + if (len < (int)sizeof(struct tcphdr)) + return -1; + tcph = (struct tcphdr *)(skb_network_header(skb) + tcphoff); + tcp_hdrlen = tcph->doff * 4; - /* Header cannot be larger than the packet */ - if (tcplen < tcph->doff*4) + if (len < tcp_hdrlen) return -1; if (info->mss == XT_TCPMSS_CLAMP_PMTU) { @@ -88,9 +92,8 @@ tcpmss_mangle_packet(struct sk_buff *skb newmss = info->mss; opt = (u_int8_t *)tcph; - for (i = sizeof(struct tcphdr); i < tcph->doff*4; i += optlen(opt, i)) { - if (opt[i] == TCPOPT_MSS && tcph->doff*4 - i >= TCPOLEN_MSS && - opt[i+1] == TCPOLEN_MSS) { + for (i = sizeof(struct tcphdr); i <= tcp_hdrlen - TCPOLEN_MSS; i += optlen(opt, i)) { + if (opt[i] == TCPOPT_MSS && opt[i+1] == TCPOLEN_MSS) { u_int16_t oldmss; oldmss = (opt[i+2] << 8) | opt[i+3]; 
@@ -113,9 +116,10 @@ tcpmss_mangle_packet(struct sk_buff *skb } /* There is data after the header so the option can't be added - without moving it, and doing so may make the SYN packet - itself too large. Accept the packet unmodified instead. */ - if (tcplen > tcph->doff*4) +* without moving it, and doing so may make the SYN packet +* itself too large. Accept the packet unmodified instead. +*/ + if (len > tcp_hdrlen) return 0; /* @@ -132,10 +136,10 @@ tcpmss_mangle_packet(struct sk_buff *skb skb_put(skb, TCPOLEN_MSS); opt = (u_int8_t *)tcph + sizeof(struct tcphdr); - memmove(opt + TCPOLEN_MSS, opt, tcplen - sizeof(struct tcphdr)); + memmove(opt + TCPOLEN_MSS, opt, len - sizeof(struct tcphdr)); inet_proto_csum_replace2(&tcph->check, skb, -htons(tcplen), htons(tcplen + TCPOLEN_MSS), 1); +htons(len), htons(len + TCPOLEN_MSS), 1); opt[0] = TCPOPT_MSS; opt[1] = TCPOLEN_MSS; opt[2] = (newmss & 0xff00) >> 8;
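Review bot: in the @@ -88 hunk the new loop bound `i <= tcp_hdrlen - TCPOLEN_MSS` mixes the unsigned `i` with the signed `tcp_hdrlen`, and nothing in this patch requires tcp_hdrlen to be at least sizeof(struct tcphdr): the @@ -63 hunk only rejects `len < tcp_hdrlen`. A packet with doff = 0 therefore gives `tcp_hdrlen - TCPOLEN_MSS` = -4, which the mixed-sign comparison treats as a huge unsigned bound, and the option loop walks past the 20-byte header into whatever follows. Add `|| tcp_hdrlen < sizeof(struct tcphdr)` beside the `len < tcp_hdrlen` test (patch 66/79 in this series does exactly that). The memmove() and checksum hunk at @@ -132 is fine as written, because once the `len < tcp_hdrlen` and `len > tcp_hdrlen` returns have been passed, `len == tcp_hdrlen` and `len >= sizeof(struct tcphdr)` both hold.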
[PATCH 3.2 43/79] net/sctp: Always set scope_id in sctp_inet6_skb_msgname
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: "Eric W. Biederman" commit 7c8a61d9ee1df0fb4747879fa67a99614eb62fec upstream. Alexandar Potapenko while testing the kernel with KMSAN and syzkaller discovered that in some configurations sctp would leak 4 bytes of kernel stack. Working with his reproducer I discovered that those 4 bytes that are leaked is the scope id of an ipv6 address returned by recvmsg. With a little code inspection and a shrewd guess I discovered that sctp_inet6_skb_msgname only initializes the scope_id field for link local ipv6 addresses to the interface index the link local address pertains to instead of initializing the scope_id field for all ipv6 addresses. That is almost reasonable as scope_id's are meaniningful only for link local addresses. Set the scope_id in all other cases to 0 which is not a valid interface index to make it clear there is nothing useful in the scope_id field. There should be no danger of breaking userspace as the stack leak guaranteed that previously meaningless random data was being returned. Fixes: 372f525b495c ("SCTP: Resync with LKSCTP tree.") History-tree: https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git Reported-by: Alexander Potapenko Tested-by: Alexander Potapenko Signed-off-by: "Eric W. Biederman" Signed-off-by: David S. Miller [bwh: Backported to 3.2: - Adjust context - Add braces] Signed-off-by: Ben Hutchings --- --- a/net/sctp/ipv6.c +++ b/net/sctp/ipv6.c @@ -781,6 +781,8 @@ static void sctp_inet6_skb_msgname(struc if (ipv6_addr_type(&addr->v6.sin6_addr) & IPV6_ADDR_LINKLOCAL) { struct sctp_ulpevent *ev = sctp_skb2event(skb); addr->v6.sin6_scope_id = ev->iif; + } else { + addr->v6.sin6_scope_id = 0; } }
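Review bot: the hunk in sctp_inet6_skb_msgname() now initializes sin6_scope_id on both branches, but sin6_flowinfo is not touched anywhere in the visible context; since the report is about uninitialized stack bytes reaching user space through this same sockaddr, confirm that sin6_flowinfo (and the remaining sockaddr_in6 fields) is set earlier in the function, as patch 41/79 in this series does for the sctp_v4_map_v6() helper.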
[PATCH 3.2 50/79] autofs4: catatonic_mode vs. notify_daemon race
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Al Viro commit 875266be67ff3a984ac1f6566d31c260bee4 upstream. we need to hold ->wq_mutex while we are forming the packet to send, lest we have autofs4_catatonic_mode() setting wq->name.name to NULL just as autofs4_notify_daemon() decides to memcpy() from it... We do have check for catatonic mode immediately after that (under ->wq_mutex, as it ought to be) and packet won't be actually sent, but it'll be too late for us if we oops on that memcpy() from NULL... Fix is obvious - just extend the area covered by ->wq_mutex over that switch and check whether it's catatonic *before* doing anything else. Acked-by: Ian Kent Signed-off-by: Al Viro Signed-off-by: Ben Hutchings --- fs/autofs4/waitq.c | 25 ++--- 1 file changed, 14 insertions(+), 11 deletions(-) --- a/fs/autofs4/waitq.c +++ b/fs/autofs4/waitq.c @@ -110,6 +110,13 @@ static void autofs4_notify_daemon(struct pkt.hdr.proto_version = sbi->version; pkt.hdr.type = type; + mutex_lock(&sbi->wq_mutex); + + /* Check if we have become catatonic */ + if (sbi->catatonic) { + mutex_unlock(&sbi->wq_mutex); + return; + } switch (type) { /* Kernel protocol v4 missing and expire packets */ case autofs_ptype_missing: @@ -163,22 +170,18 @@ static void autofs4_notify_daemon(struct } default: printk("autofs4_notify_daemon: bad type %d!\n", type); + mutex_unlock(&sbi->wq_mutex); return; } - /* Check if we have become catatonic */ - mutex_lock(&sbi->wq_mutex); - if (!sbi->catatonic) { - pipe = sbi->pipe; - get_file(pipe); - } + pipe = sbi->pipe; + get_file(pipe); + mutex_unlock(&sbi->wq_mutex); - if (pipe) { - if (autofs4_write(pipe, &pkt, pktsz)) - autofs4_catatonic_mode(sbi); - fput(pipe); - } + if (autofs4_write(pipe, &pkt, pktsz)) + autofs4_catatonic_mode(sbi); + fput(pipe); } static int autofs4_getpath(struct autofs_sb_info *sbi,
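Review bot: the @@ -163 hunk adds the mutex_unlock() only to the `default:` arm, but the switch body between the two hunks (the autofs_ptype_missing arm and the others) is not shown; any arm that returns or jumps out early would now leave sbi->wq_mutex held, so each arm needs checking. With the @@ -110 hunk taking the lock before the switch and the `if (pipe)` test removed, the `struct file *pipe = NULL;` initializer in the function prologue (visible in the 51/79 hunk later in this series) is now dead, because pipe is assigned unconditionally before the lock is dropped.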
[PATCH 3.2 44/79] dm: discard support requires all targets in a table support discards
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Mike Snitzer commit 8a74d29d541cd86569139c6f3f44b2d210458071 upstream. A DM device with a mix of discard capabilities (due to some underlying devices not having discard support) _should_ just return -EOPNOTSUPP for the region of the device that doesn't support discards (even if only by way of the underlying driver formally not supporting discards). BUT, that does ask the underlying driver to handle something that it never advertised support for. In doing so we're exposing users to the potential for a underlying disk driver hanging if/when a discard is issued a the device that is incapable and never claimed to support discards. Fix this by requiring that each DM target in a DM table provide discard support as a prereq for a DM device to advertise support for discards. This may cause some configurations that were happily supporting discards (even in the face of a mix of discard support) to stop supporting discards -- but the risk of users hitting driver hangs, and forced reboots, outweighs supporting those fringe mixed discard configurations. Signed-off-by: Mike Snitzer [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings --- drivers/md/dm-table.c | 33 ++--- 1 file changed, 14 insertions(+), 19 deletions(-) --- a/drivers/md/dm-table.c +++ b/drivers/md/dm-table.c @@ -1584,12 +1584,12 @@ struct mapped_device *dm_table_get_md(st } EXPORT_SYMBOL(dm_table_get_md); -static int device_discard_capable(struct dm_target *ti, struct dm_dev *dev, - sector_t start, sector_t len, void *data) +static int device_not_discard_capable(struct dm_target *ti, struct dm_dev *dev, + sector_t start, sector_t len, void *data) { struct request_queue *q = bdev_get_queue(dev->bdev); - return q && blk_queue_discard(q); + return q && !blk_queue_discard(q); } bool dm_table_supports_discards(struct dm_table *t) 
@@ -1597,26 +1597,22 @@ bool dm_table_supports_discards(struct d struct dm_target *ti; unsigned i = 0; - /* -* Unless any target used by the table set discards_supported, -* require at least one underlying device to support discards. -* t->devices includes internal dm devices such as mirror logs -* so we need to use iterate_devices here, which targets -* supporting discard selectively must provide. -*/ while (i < dm_table_get_num_targets(t)) { ti = dm_table_get_target(t, i++); if (!ti->num_discard_requests) - continue; + return false; - if (ti->discards_supported) - return 1; - - if (ti->type->iterate_devices && - ti->type->iterate_devices(ti, device_discard_capable, NULL)) - return 1; + /* +* Either the target provides discard support (as implied by setting +* 'discards_supported') or it relies on _all_ data devices having +* discard support. +*/ + if (!ti->discards_supported && + (!ti->type->iterate_devices || +ti->type->iterate_devices(ti, device_not_discard_capable, NULL))) + return false; } - return 0; + return true; }
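Review bot: the @@ -1597 hunk changes the result for a table with no targets: the old code fell out of the while loop to `return 0`, the new code reaches `return true`, so an empty table now advertises discard support. If that is not intended, return false before the loop when `dm_table_get_num_targets(t)` is zero. The inverted callback name `device_not_discard_capable` combined with iterate_devices() returning non-zero as soon as any device matches is correct but reads backwards; a one-line comment at the call site stating that a single device without discard support makes the whole target unsuitable would help the next reader.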
[PATCH 3.2 46/79] KVM: vmx: Inject #GP on invalid PAT CR
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Nadav Amit commit 4566654bb9be9e8864df417bb72ceee5136b6a6a upstream. Guest which sets the PAT CR to invalid value should get a #GP. Currently, if vmx supports loading PAT CR during entry, then the value is not checked. This patch makes the required check in that case. Signed-off-by: Nadav Amit Signed-off-by: Paolo Bonzini Signed-off-by: Ben Hutchings --- arch/x86/kvm/vmx.c | 2 ++ arch/x86/kvm/x86.c | 5 +++-- arch/x86/kvm/x86.h | 2 ++ 3 files changed, 7 insertions(+), 2 deletions(-) --- a/arch/x86/kvm/vmx.c +++ b/arch/x86/kvm/vmx.c @@ -2204,6 +2204,8 @@ static int vmx_set_msr(struct kvm_vcpu * break; case MSR_IA32_CR_PAT: if (vmcs_config.vmentry_ctrl & VM_ENTRY_LOAD_IA32_PAT) { + if (!kvm_mtrr_valid(vcpu, MSR_IA32_CR_PAT, data)) + return 1; vmcs_write64(GUEST_IA32_PAT, data); vcpu->arch.pat = data; break; --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -1274,7 +1274,7 @@ static bool valid_mtrr_type(unsigned t) return t < 8 && (1 << t) & 0x73; /* 0, 1, 4, 5, 6 */ } -static bool mtrr_valid(struct kvm_vcpu *vcpu, u32 msr, u64 data) +bool kvm_mtrr_valid(struct kvm_vcpu *vcpu, u32 msr, u64 data) { int i; @@ -1300,12 +1300,13 @@ static bool mtrr_valid(struct kvm_vcpu * /* variable MTRRs */ return valid_mtrr_type(data & 0xff); } +EXPORT_SYMBOL_GPL(kvm_mtrr_valid); static int set_msr_mtrr(struct kvm_vcpu *vcpu, u32 msr, u64 data) { u64 *p = (u64 *)&vcpu->arch.mtrr_state.fixed_ranges; - if (!mtrr_valid(vcpu, msr, data)) + if (!kvm_mtrr_valid(vcpu, msr, data)) return 1; if (msr == MSR_MTRRdefType) { --- a/arch/x86/kvm/x86.h +++ b/arch/x86/kvm/x86.h @@ -135,6 +135,8 @@ int kvm_write_guest_virt_system(struct x gva_t addr, void *val, unsigned int bytes, struct x86_exception *exception); +bool kvm_mtrr_valid(struct kvm_vcpu *vcpu, u32 msr, u64 data); + extern unsigned int min_timer_period_us; #endif
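Review bot: the vmx.c hunk validates the PAT value with kvm_mtrr_valid(), whose visible tail only checks the low byte via `valid_mtrr_type(data & 0xff)`; the PAT MSR holds eight one-byte entries, so confirm that the part of kvm_mtrr_valid() not shown between the @@ -1274 and @@ -1300 hunks has a MSR_IA32_CR_PAT branch that checks all eight. Also, `valid_mtrr_type()` accepts only types 0, 1, 4, 5 and 6 (mask 0x73), whereas the PAT encoding additionally defines 7 (UC-); reusing the MTRR validator therefore makes a guest that writes UC- into any PAT entry take #GP, which calls for either a PAT-specific validator or an explicit note in the commit message.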
[PATCH 3.2 45/79] dm bufio: fix integer overflow when limiting maximum cache size
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Eric Biggers commit 74d4108d9e681dbbe4a2940ed8fdff1f6868184c upstream. The default max_cache_size_bytes for dm-bufio is meant to be the lesser of 25% of the size of the vmalloc area and 2% of the size of lowmem. However, on 32-bit systems the intermediate result in the expression (VMALLOC_END - VMALLOC_START) * DM_BUFIO_VMALLOC_PERCENT / 100 overflows, causing the wrong result to be computed. For example, on a 32-bit system where the vmalloc area is 520093696 bytes, the result is 1174405 rather than the expected 130023424, which makes the maximum cache size much too small (far less than 2% of lowmem). This causes severe performance problems for dm-verity users on affected systems. Fix this by using mult_frac() to correctly multiply by a percentage. Do this for all places in dm-bufio that multiply by a percentage. Also replace (VMALLOC_END - VMALLOC_START) with VMALLOC_TOTAL, which contrary to the comment is now defined in include/linux/vmalloc.h. Depends-on: 9993bc635 ("sched/x86: Fix overflow in cyc2ns_offset") Fixes: 95d402f057f2 ("dm: add bufio") Signed-off-by: Eric Biggers Signed-off-by: Mike Snitzer [bwh: Backported to 3.2: keep open-coded VMALLOC_TOTAL] Signed-off-by: Ben Hutchings --- drivers/md/dm-bufio.c | 15 ++- 1 file changed, 6 insertions(+), 9 deletions(-) --- a/drivers/md/dm-bufio.c +++ b/drivers/md/dm-bufio.c @@ -839,7 +839,8 @@ static void __get_memory_limit(struct dm buffers = DM_BUFIO_MIN_BUFFERS; *limit_buffers = buffers; - *threshold_buffers = buffers * DM_BUFIO_WRITEBACK_PERCENT / 100; + *threshold_buffers = mult_frac(buffers, + DM_BUFIO_WRITEBACK_PERCENT, 100); } /* 
@@ -1620,19 +1621,15 @@ static int __init dm_bufio_init(void) memset(&dm_bufio_caches, 0, sizeof dm_bufio_caches); memset(&dm_bufio_cache_names, 0, sizeof dm_bufio_cache_names); - mem = (__u64)((totalram_pages - totalhigh_pages) * - DM_BUFIO_MEMORY_PERCENT / 100) << PAGE_SHIFT; + mem = (__u64)mult_frac(totalram_pages - totalhigh_pages, + DM_BUFIO_MEMORY_PERCENT, 100) << PAGE_SHIFT; if (mem > ULONG_MAX) mem = ULONG_MAX; #ifdef CONFIG_MMU - /* -* Get the size of vmalloc space the same way as VMALLOC_TOTAL -* in fs/proc/internal.h -*/ - if (mem > (VMALLOC_END - VMALLOC_START) * DM_BUFIO_VMALLOC_PERCENT / 100) - mem = (VMALLOC_END - VMALLOC_START) * DM_BUFIO_VMALLOC_PERCENT / 100; + if (mem > mult_frac(VMALLOC_END - VMALLOC_START, DM_BUFIO_VMALLOC_PERCENT, 100)) + mem = mult_frac(VMALLOC_END - VMALLOC_START, DM_BUFIO_VMALLOC_PERCENT, 100); #endif dm_bufio_default_cache_size = mem;
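Review bot: in the @@ -1620 hunk the expression `mult_frac(VMALLOC_END - VMALLOC_START, DM_BUFIO_VMALLOC_PERCENT, 100)` is written out twice, once in the condition and once in the assignment; compute it once into a local and use min() so the intent (cap mem at the vmalloc percentage) is visible and the macro is expanded once. The backport note says VMALLOC_TOTAL stays open-coded, yet the hunk also deletes the comment that explained the open-coded form, so that comment should survive in the 3.2 version. The `Depends-on: 9993bc635` line means mult_frac() must already exist in 3.2.99; confirm that commit is queued ahead of this one.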
[PATCH 3.2 51/79] autofs: don't fail mount for transient error
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: NeilBrown commit ecc0c469f27765ed1e2b967be0aa17cee1a60b76 upstream. Currently if the autofs kernel module gets an error when writing to the pipe which links to the daemon, then it marks the whole moutpoint as catatonic, and it will stop working. It is possible that the error is transient. This can happen if the daemon is slow and more than 16 requests queue up. If a subsequent process tries to queue a request, and is then signalled, the write to the pipe will return -ERESTARTSYS and autofs will take that as total failure. So change the code to assess -ERESTARTSYS and -ENOMEM as transient failures which only abort the current request, not the whole mountpoint. It isn't a crash or a data corruption, but having autofs mountpoints suddenly stop working is rather inconvenient. Ian said: : And given the problems with a half dozen (or so) user space applications : consuming large amounts of CPU under heavy mount and umount activity this : could happen more easily than we expect. Link: http://lkml.kernel.org/r/87y3norvgp@notabene.neil.brown.name Signed-off-by: NeilBrown Acked-by: Ian Kent Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds [bwh: Backported to 3.2: autofs4_write() doesn't take an autofs_sb_info pointer] Signed-off-by: Ben Hutchings --- fs/autofs4/waitq.c | 15 ++- 1 file changed, 14 insertions(+), 1 deletion(-) --- a/fs/autofs4/waitq.c +++ b/fs/autofs4/waitq.c @@ -88,7 +88,8 @@ static int autofs4_write(struct file *fi spin_unlock_irqrestore(¤t->sighand->siglock, flags); } - return (bytes > 0); + /* if 'wr' returned 0 (impossible) we assume -EIO (safe) */ + return bytes == 0 ? 0 : wr < 0 ? wr : -EIO; } static void autofs4_notify_daemon(struct autofs_sb_info *sbi, 
@@ -102,6 +103,7 @@ static void autofs4_notify_daemon(struct } pkt; struct file *pipe = NULL; size_t pktsz; + int ret; DPRINTK("wait id = 0x%08lx, name = %.*s, type=%d", (unsigned long) wq->wait_queue_token, wq->name.len, wq->name.name, type); @@ -180,7 +182,18 @@ static void autofs4_notify_daemon(struct mutex_unlock(&sbi->wq_mutex); if (autofs4_write(pipe, &pkt, pktsz)) + switch (ret = autofs4_write(pipe, &pkt, pktsz)) { + case 0: + break; + case -ENOMEM: + case -ERESTARTSYS: + /* Just fail this one */ + autofs4_wait_release(sbi, wq->wait_queue_token, ret); + break; + default: autofs4_catatonic_mode(sbi); + break; + } fput(pipe); }
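Review bot: in the @@ -180 hunk the original line `if (autofs4_write(pipe, &pkt, pktsz))` is left in place directly above the new `switch (ret = autofs4_write(pipe, &pkt, pktsz)) {`, so the switch becomes the body of the if: when the first write succeeds (returns 0) the switch never runs, and when it fails the packet is written a second time before being classified. The if line has to go, as patch 52/79 in this series does.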
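Review bot: in the @@ -88 hunk the nested conditional `bytes == 0 ? 0 : wr < 0 ? wr : -EIO` is correct given the comment above it but hard to read; an explicit if/else chain (success, negative errno from the write, the "impossible" zero-length write mapped to -EIO) would make the three cases auditable at a glance.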
[PATCH 3.2 52/79] autofs: fix careless error in recent commit
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: NeilBrown commit 302ec300ef8a545a7fc7f667e5fd743b091c2eeb upstream. Commit ecc0c469f277 ("autofs: don't fail mount for transient error") was meant to replace an 'if' with a 'switch', but instead added the 'switch' leaving the case in place. Link: http://lkml.kernel.org/r/87zi6wstmw@notabene.neil.brown.name Fixes: ecc0c469f277 ("autofs: don't fail mount for transient error") Reported-by: Ben Hutchings Signed-off-by: NeilBrown Cc: Ian Kent Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds [bwh: Backported to 3.2: autofs4_write() doesn't take an autofs_sb_info pointer] Signed-off-by: Ben Hutchings --- fs/autofs4/waitq.c | 1 - 1 file changed, 1 deletion(-) --- a/fs/autofs4/waitq.c +++ b/fs/autofs4/waitq.c @@ -181,7 +181,6 @@ static void autofs4_notify_daemon(struct mutex_unlock(&sbi->wq_mutex); - if (autofs4_write(pipe, &pkt, pktsz)) switch (ret = autofs4_write(pipe, &pkt, pktsz)) { case 0: break;
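Review bot: with the stray if removed the write now happens exactly once, which is the intent; as a readability point, assigning `ret = autofs4_write(pipe, &pkt, pktsz);` on its own line and then `switch (ret)` avoids the assignment-inside-switch idiom and keeps the `default:` arm, which still calls autofs4_catatonic_mode() for every other error, easy to audit.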
[PATCH 3.2 75/79] usbip: prevent vhci_hcd driver from leaking a socket pointer address
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Shuah Khan commit 2f2d0088eb93db5c649d2a5e34a3800a8a935fc5 upstream. When a client has a USB device attached over IP, the vhci_hcd driver is locally leaking a socket pointer address via the /sys/devices/platform/vhci_hcd/status file (world-readable) and in debug output when "usbip --debug port" is run. Fix it to not leak. The socket pointer address is not used at the moment and it was made visible as a convenient way to find IP address from socket pointer address by looking up /proc/net/{tcp,tcp6}. As this opens a security hole, the fix replaces socket pointer address with sockfd. Reported-by: Secunia Research Signed-off-by: Shuah Khan Signed-off-by: Greg Kroah-Hartman [bwh: Backported to 3.2: - usbip port status does not include hub type - Adjust filenames, context, indentation] Signed-off-by: Ben Hutchings --- drivers/staging/usbip/usbip_common.h | 1 + drivers/staging/usbip/vhci_sysfs.c | 25 - drivers/staging/usbip/userspace/libsrc/vhci_driver.c | 8 3 files changed, 21 insertions(+), 13 deletions(-) --- a/drivers/staging/usbip/usbip_common.h +++ b/drivers/staging/usbip/usbip_common.h @@ -276,6 +276,7 @@ struct usbip_device { /* lock for status */ spinlock_t lock; + int sockfd; struct socket *tcp_socket; struct task_struct *tcp_rx; --- a/drivers/staging/usbip/vhci_sysfs.c +++ b/drivers/staging/usbip/vhci_sysfs.c 
@@ -38,13 +38,18 @@ static ssize_t show_status(struct device /* * output example: -* prt sta spd dev socket local_busid -* 000 004 000 000 c5a7bb80 1-2.3 -* 001 004 000 000 d8cee980 2-3.4 +* prt sta spd dev sockfdlocal_busid +* 000 004 000 000 3 1-2.3 +* 001 004 000 000 4 2-3.4 +* +* Output includes socket fd instead of socket pointer address to avoid +* leaking kernel memory address in: +* /sys/devices/platform/vhci_hcd.0/status and in debug output. +* The socket pointer address is not used at the moment and it was made +* visible as a convenient way to find IP address from socket pointer +* address by looking up /proc/net/{tcp,tcp6}. As this opens a security +* hole, the change is made to use sockfd instead. * -* IP address can be retrieved from a socket pointer address by looking -* up /proc/net/{tcp,tcp6}. Also, a userland program may remember a -* port number and its peer IP address. */ out += sprintf(out, "prt sta spd bus dev socket " "local_busid\n"); @@ -58,7 +63,7 @@ static ssize_t show_status(struct device if (vdev->ud.status == VDEV_ST_USED) { out += sprintf(out, "%03u %08x ", vdev->speed, vdev->devid); - out += sprintf(out, "%16p ", vdev->ud.tcp_socket); + out += sprintf(out, "%u", vdev->ud.sockfd); out += sprintf(out, "%s", dev_name(&vdev->udev->dev)); } else { @@ -215,6 +220,7 @@ static ssize_t store_attach(struct devic vdev->devid = devid; vdev->speed = speed; + vdev->ud.sockfd = sockfd; vdev->ud.tcp_socket = socket; vdev->ud.status = VDEV_ST_NOTASSIGNED; --- a/drivers/staging/usbip/userspace/libsrc/vhci_driver.c +++ b/drivers/staging/usbip/userspace/libsrc/vhci_driver.c 
@@ -63,12 +63,12 @@ static int parse_status(char *value) while (*c != '\0') { int port, status, speed, devid; - unsigned long socket; + int sockfd; char lbusid[SYSFS_BUS_ID_SIZE]; - ret = sscanf(c, "%d %d %d %x %lx %31s\n", + ret = sscanf(c, "%d %d %d %x %u %31s\n", &port, &status, &speed, - &devid, &socket, lbusid); + &devid, &sockfd, lbusid); if (ret < 5) { dbg("sscanf failed: %d", ret); @@ -77,7 +77,7 @@ static int parse_status(char *value) dbg("port %d status %d speed %d devid %x", port, status, speed, devid); - dbg("socket %lx lbusid %s", socket, lbusid); + dbg("sockfd %u lbusid %s", sockfd, lbusid); /* if a device is connected, look at it */
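Review bot: in the vhci_sysfs.c @@ -58 hunk the replacement `sprintf(out, "%u", vdev->ud.sockfd)` drops the trailing space that the old `"%16p "` format had, and the very next sprintf() appends dev_name() with no separator, so the status line becomes e.g. `31-2.3` instead of `3 1-2.3`; the userspace parser in the vhci_driver.c hunk (`"%d %d %d %x %u %31s"`) would then read the fd and the bus id as one token. Use `"%u "` or fold both into one `"%u %s"` call. The unchanged header line in the same function still prints `socket` as the column title while the updated comment says `sockfd`, and `%u` is used for a field declared `int sockfd` in the usbip_common.h hunk.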
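Review bot: in the vhci_driver.c @@ -63 hunk `if (ret < 5)` still accepts a line where only five of the six conversions succeeded, so a missing or unparsable bus id is silently tolerated; now that the format has a fixed sixth field, `ret != 6` is the right guard.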
[PATCH 3.2 12/79] fs/9p: Compare qid.path in v9fs_test_inode
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Tuomas Tynkkynen commit 8ee031631546cf2f7859cc69593bd60bbdd70b46 upstream. Commit fd2421f54423 ("fs/9p: When doing inode lookup compare qid details and inode mode bits.") transformed v9fs_qid_iget() to use iget5_locked() instead of iget_locked(). However, the test() callback is not checking fid.path at all, which means that a lookup in the inode cache can now accidentally locate a completely wrong inode from the same inode hash bucket if the other fields (qid.type and qid.version) match. Fixes: fd2421f54423 ("fs/9p: When doing inode lookup compare qid details and inode mode bits.") Reviewed-by: Latchesar Ionkov Signed-off-by: Tuomas Tynkkynen Signed-off-by: Al Viro Signed-off-by: Ben Hutchings --- fs/9p/vfs_inode.c | 3 +++ fs/9p/vfs_inode_dotl.c | 3 +++ 2 files changed, 6 insertions(+) --- a/fs/9p/vfs_inode.c +++ b/fs/9p/vfs_inode.c @@ -469,6 +469,9 @@ static int v9fs_test_inode(struct inode if (v9inode->qid.type != st->qid.type) return 0; + + if (v9inode->qid.path != st->qid.path) + return 0; return 1; } --- a/fs/9p/vfs_inode_dotl.c +++ b/fs/9p/vfs_inode_dotl.c @@ -105,6 +105,9 @@ static int v9fs_test_inode_dotl(struct i if (v9inode->qid.type != st->qid.type) return 0; + + if (v9inode->qid.path != st->qid.path) + return 0; return 1; }
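Review bot: the two hunks add the same qid.path comparison to v9fs_test_inode() and v9fs_test_inode_dotl(); since this fix exists because one field was missing from both callbacks, a small shared qid-equality helper used by both would keep them in step. Also confirm that the matching set callbacks (not part of this patch) copy the full qid, including path, into v9inode->qid so the new comparison is meaningful.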
[PATCH 3.2 56/79] ALSA: usb-audio: Fix potential out-of-bound access at parsing SU
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Takashi Iwai commit f658f17b5e0e339935dca23e77e0f3cad591926b upstream. The usb-audio driver may trigger an out-of-bound access at parsing a malformed selector unit, as it checks the header length only after evaluating bNrInPins field, which can be already above the given length. Fix it by adding the length check beforehand. Fixes: 99fc86450c43 ("ALSA: usb-mixer: parse descriptors with structs") Signed-off-by: Takashi Iwai [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings --- sound/usb/mixer.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/sound/usb/mixer.c +++ b/sound/usb/mixer.c @@ -1845,7 +1845,8 @@ static int parse_audio_selector_unit(str const struct usbmix_name_map *map; char **namelist; - if (!desc->bNrInPins || desc->bLength < 5 + desc->bNrInPins) { + if (desc->bLength < 5 || !desc->bNrInPins || + desc->bLength < 5 + desc->bNrInPins) { snd_printk(KERN_ERR "invalid SELECTOR UNIT descriptor %d\n", unitid); return -EINVAL; }
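Review bot: in the hunk the order of the three tests is load-bearing and deserves a comment: `desc->bLength < 5` must be evaluated first because it is what makes the subsequent read of desc->bNrInPins (the fifth byte of the descriptor) safe, and `desc->bLength < 5 + desc->bNrInPins` alone already implies the first test once bNrInPins is non-zero, so a later "simplification" that drops the first clause would reintroduce the out-of-bounds read.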
[PATCH 3.2 41/79] sctp: Fixup v4mapped behaviour to comply with Sock API
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Jason Gunthorpe commit 299ee123e19889d511092347f5fc14db0f10e3a6 upstream. The SCTP socket extensions API document describes the v4mapping option as follows: 8.1.15. Set/Clear IPv4 Mapped Addresses (SCTP_I_WANT_MAPPED_V4_ADDR) This socket option is a Boolean flag which turns on or off the mapping of IPv4 addresses. If this option is turned on, then IPv4 addresses will be mapped to V6 representation. If this option is turned off, then no mapping will be done of V4 addresses and a user will receive both PF_INET6 and PF_INET type addresses on the socket. See [RFC3542] for more details on mapped V6 addresses. This description isn't really in line with what the code does though. Introduce addr_to_user (renamed addr_v4map), which should be called before any sockaddr is passed back to user space. The new function places the sockaddr into the correct format depending on the SCTP_I_WANT_MAPPED_V4_ADDR option. Audit all places that touched v4mapped and either sanely construct a v4 or v6 address then call addr_to_user, or drop the unnecessary v4mapped check entirely. Audit all places that call addr_to_user and verify they are on a sycall return path. Add a custom getname that formats the address properly. Several bugs are addressed: - SCTP_I_WANT_MAPPED_V4_ADDR=0 often returned garbage for addresses to user space - The addr_len returned from recvmsg was not correct when returning AF_INET on a v6 socket - flowlabel and scope_id were not zerod when promoting a v4 to v6 - Some syscalls like bind and connect behaved differently depending on v4mapped Tested bind, getpeername, getsockname, connect, and recvmsg for proper behaviour in v4mapped = 1 and 0 cases. Signed-off-by: Neil Horman Tested-by: Jason Gunthorpe Signed-off-by: Jason Gunthorpe Signed-off-by: David S. Miller [bwh: Backported to 3.2: adjust context] 
Signed-off-by: Ben Hutchings --- include/net/sctp/sctp.h| 2 + include/net/sctp/structs.h | 8 +-- net/sctp/ipv6.c| 156 - net/sctp/protocol.c| 12 ++-- net/sctp/socket.c | 33 +- net/sctp/transport.c | 4 +- net/sctp/ulpevent.c| 2 +- 7 files changed, 112 insertions(+), 105 deletions(-) --- a/include/net/sctp/sctp.h +++ b/include/net/sctp/sctp.h @@ -705,6 +705,8 @@ static inline void sctp_v6_map_v4(union static inline void sctp_v4_map_v6(union sctp_addr *addr) { addr->v6.sin6_family = AF_INET6; + addr->v6.sin6_flowinfo = 0; + addr->v6.sin6_scope_id = 0; addr->v6.sin6_port = addr->v4.sin_port; addr->v6.sin6_addr.s6_addr32[3] = addr->v4.sin_addr.s_addr; addr->v6.sin6_addr.s6_addr32[0] = 0; --- a/include/net/sctp/structs.h +++ b/include/net/sctp/structs.h @@ -603,10 +603,6 @@ struct sctp_af { int saddr); void(*from_sk) (union sctp_addr *, struct sock *sk); - void(*to_sk_saddr) (union sctp_addr *, -struct sock *sk); - void(*to_sk_daddr) (union sctp_addr *, -struct sock *sk); void(*from_addr_param) (union sctp_addr *, union sctp_addr_param *, __be16 port, int iif); @@ -647,7 +643,9 @@ struct sctp_pf { int (*supported_addrs)(const struct sctp_sock *, __be16 *); struct sock *(*create_accept_sk) (struct sock *sk, struct sctp_association *asoc); - void (*addr_v4map) (struct sctp_sock *, union sctp_addr *); + int (*addr_to_user)(struct sctp_sock *sk, union sctp_addr *addr); + void (*to_sk_saddr)(union sctp_addr *, struct sock *sk); + void (*to_sk_daddr)(union sctp_addr *, struct sock *sk); struct sctp_af *af; }; --- a/net/sctp/ipv6.c +++ b/net/sctp/ipv6.c @@ -430,7 +430,7 @@ static void sctp_v6_from_sk(union sctp_a /* Initialize sk->sk_rcv_saddr from sctp_addr. */ static void sctp_v6_to_sk_saddr(union sctp_addr *addr, struct sock *sk) { - if (addr->sa.sa_family == AF_INET && sctp_sk(sk)->v4mapped) { + if (addr->sa.sa_family == AF_INET) { inet6_sk(sk)->rcv_saddr.s6_addr32[0] = 0; inet6_sk(sk)->rcv_saddr.s6_addr32[1] = 0; inet6_sk(sk)->rcv_saddr.s6_addr32[2] = htonl(0x); 
@@ -444,7 +444,7 @@ static void sctp_v6_to_sk_saddr(union sc /* Initialize sk->sk_daddr from sctp_addr. */ static void sctp_v6_to_sk_daddr(union sctp_addr *addr, struct sock *sk) { - if (addr->sa.sa_family == AF_INET && sctp_sk(sk)->v4mapped) { + if (addr->sa.sa_family == AF_INET) { inet6_sk(sk)->daddr.s6_addr32[0] = 0;
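Review bot: the ipv6.c @@ -430 hunk shows `htonl(0x)` as the value stored in rcv_saddr.s6_addr32[2]; as it appears here that literal is incomplete and would not compile, and the IPv4-mapped prefix word is 0x0000ffff, so check that the applied patch carries the full constant.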
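Review bot: in the structs.h hunk to_sk_saddr/to_sk_daddr move from struct sctp_af to struct sctp_pf, which changes every `af->to_sk_saddr`/`af->to_sk_daddr` caller to go through the pf instead; the diffstat lists protocol.c, socket.c and transport.c changes that are not visible in this excerpt, so that part of the 3.2 context adjustment has to be reviewed against the full patch.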
[PATCH 3.2 55/79] ALSA: usb-audio: Add sanity checks to FE parser
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Takashi Iwai commit d937cd6790a2bef2d07b500487646bd794c039bb upstream. When the usb-audio descriptor contains the malformed feature unit description with a too short length, the driver may access out-of-bounds. Add a sanity check of the header size at the beginning of parse_audio_feature_unit(). Fixes: 23caaf19b11e ("ALSA: usb-mixer: Add support for Audio Class v2.0") Reported-by: Andrey Konovalov Signed-off-by: Takashi Iwai [bwh: Backported to 3.2: use snd_printk() for logging] Signed-off-by: Ben Hutchings --- sound/usb/mixer.c | 12 1 file changed, 12 insertions(+) --- a/sound/usb/mixer.c +++ b/sound/usb/mixer.c @@ -1255,6 +1255,12 @@ static int parse_audio_feature_unit(stru __u8 *bmaControls; if (state->mixer->protocol == UAC_VERSION_1) { + if (hdr->bLength < 7) { + snd_printk(KERN_ERR + "usbaudio: unit %u: invalid UAC_FEATURE_UNIT descriptor\n", + unitid); + return -EINVAL; + } csize = hdr->bControlSize; if (!csize) { snd_printdd(KERN_ERR "usbaudio: unit %u: " @@ -1271,6 +1277,12 @@ static int parse_audio_feature_unit(stru } } else { struct uac2_feature_unit_descriptor *ftr = _ftr; + if (hdr->bLength < 6) { + snd_printk(KERN_ERR + "usbaudio: unit %u: invalid UAC_FEATURE_UNIT descriptor\n", + unitid); + return -EINVAL; + } csize = 4; channels = (hdr->bLength - 6) / 4 - 1; bmaControls = ftr->bmaControls;
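Review bot: The UAC_VERSION_1 hunk checks hdr->bLength < 7 before the bControlSize read, which is the right ordering; since the new error string is identical to the one added in the UAC2 branch, consider printing hdr->bLength as well so the two failures can be told apart in logs.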
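Review bot: In the UAC2 hunk, the bound hdr->bLength < 6 is not tight enough for the statement that follows it: `channels = (hdr->bLength - 6) / 4 - 1;` yields channels == -1 for bLength values 6 through 9, all of which pass the new check. Rejecting hdr->bLength < 10 (the 6-byte header plus one 4-byte master bmaControls word) would refuse those descriptors outright instead of relying on whatever happens downstream with a negative channel count.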
[PATCH 3.2 58/79] ALSA: usb-audio: Add sanity checks in v2 clock parsers
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Takashi Iwai commit 0a62d6c966956d77397c32836a5bbfe3af786fc1 upstream. The helper functions to parse and look for the clock source, selector and multiplier unit may return the descriptor with a shorter length than required, while there is no sanity check in the caller side. Add some sanity checks in the parsers, at least, to guarantee the given descriptor size, for avoiding the potential crashes. Fixes: 79f920fbff56 ("ALSA: usb-audio: parse clock topology of UAC2 devices") Reported-by: Andrey Konovalov Signed-off-by: Takashi Iwai Signed-off-by: Ben Hutchings --- sound/usb/clock.c | 9 ++--- 1 file changed, 6 insertions(+), 3 deletions(-) --- a/sound/usb/clock.c +++ b/sound/usb/clock.c @@ -42,7 +42,7 @@ static struct uac_clock_source_descripto while ((cs = snd_usb_find_csint_desc(ctrl_iface->extra, ctrl_iface->extralen, cs, UAC2_CLOCK_SOURCE))) { - if (cs->bClockID == clock_id) + if (cs->bLength >= sizeof(*cs) && cs->bClockID == clock_id) return cs; } @@ -58,8 +58,11 @@ static struct uac_clock_selector_descrip while ((cs = snd_usb_find_csint_desc(ctrl_iface->extra, ctrl_iface->extralen, cs, UAC2_CLOCK_SELECTOR))) { - if (cs->bClockID == clock_id) + if (cs->bLength >= sizeof(*cs) && cs->bClockID == clock_id) { + if (cs->bLength < 5 + cs->bNrInPins) + return NULL; return cs; + } } return NULL; @@ -74,7 +77,7 @@ static struct uac_clock_multiplier_descr while ((cs = snd_usb_find_csint_desc(ctrl_iface->extra, ctrl_iface->extralen, cs, UAC2_CLOCK_MULTIPLIER))) { - if (cs->bClockID == clock_id) + if (cs->bLength >= sizeof(*cs) && cs->bClockID == clock_id) return cs; }
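Review bot: In the clock-selector hunk, the added `cs->bLength < 5 + cs->bNrInPins` bound only guarantees the baSourceID[] array. In the UAC2 clock selector layout the bmControls byte and iClockSelector follow that array, so any caller that reads bmControls (offset 5 + bNrInPins) is still one byte past what this check covers; if such a reader exists, the bound should be 5 + bNrInPins + 1 (or + 2 to include iClockSelector).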
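Review bot: The clock-source and clock-multiplier hunks skip a too-short descriptor and keep scanning, while the selector hunk returns NULL as soon as a matching bClockID has a bad length. Either policy is defensible, but the asymmetry deserves a one-line comment so the next person does not "fix" one to match the other without understanding why a truncated selector is treated as fatal.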
[PATCH 3.2 70/79] staging: usbip: removed #if 0'd out code
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Bart Westgeest commit 34c09578179f5838e5958c45e8aed4edc9c6c3b8 upstream. Signed-off-by: Bart Westgeest Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings --- drivers/staging/usbip/stub_rx.c | 9 - drivers/staging/usbip/vhci_hcd.c | 39 --- 2 files changed, 48 deletions(-) --- a/drivers/staging/usbip/stub_rx.c +++ b/drivers/staging/usbip/stub_rx.c @@ -367,15 +367,6 @@ static int get_pipe(struct stub_device * } epd = &ep->desc; -#if 0 - /* epnum 0 is always control */ - if (epnum == 0) { - if (dir == USBIP_DIR_OUT) - return usb_sndctrlpipe(udev, 0); - else - return usb_rcvctrlpipe(udev, 0); - } -#endif if (usb_endpoint_xfer_control(epd)) { if (dir == USBIP_DIR_OUT) return usb_sndctrlpipe(udev, epnum); --- a/drivers/staging/usbip/vhci_hcd.c +++ b/drivers/staging/usbip/vhci_hcd.c @@ -391,29 +391,6 @@ static int vhci_hub_control(struct usb_h dum->port_status[rhport] |= USB_PORT_STAT_ENABLE; } -#if 0 - if (dum->driver) { - dum->port_status[rhport] |= - USB_PORT_STAT_ENABLE; - /* give it the best speed we agree on */ - dum->gadget.speed = dum->driver->speed; - dum->gadget.ep0->maxpacket = 64; - switch (dum->gadget.speed) { - case USB_SPEED_HIGH: - dum->port_status[rhport] |= - USB_PORT_STAT_HIGH_SPEED; - break; - case USB_SPEED_LOW: - dum->gadget.ep0->maxpacket = 8; - dum->port_status[rhport] |= - USB_PORT_STAT_LOW_SPEED; - break; - default: - dum->gadget.speed = USB_SPEED_FULL; - break; - } - } -#endif } ((u16 *) buf)[0] = cpu_to_le16(dum->port_status[rhport]); ((u16 *) buf)[1] = cpu_to_le16(dum->port_status[rhport] >> 16); 
@@ -430,15 +407,6 @@ static int vhci_hub_control(struct usb_h case USB_PORT_FEAT_SUSPEND: usbip_dbg_vhci_rh(" SetPortFeature: " "USB_PORT_FEAT_SUSPEND\n"); -#if 0 - dum->port_status[rhport] |= - (1 << USB_PORT_FEAT_SUSPEND); - if (dum->driver->suspend) { - spin_unlock(&dum->lock); - dum->driver->suspend(&dum->gadget); - spin_lock(&dum->lock); - } -#endif break; case USB_PORT_FEAT_RESET: usbip_dbg_vhci_rh(" SetPortFeature: " @@ -449,13 +417,6 @@ static int vhci_hub_control(struct usb_h ~(USB_PORT_STAT_ENABLE | USB_PORT_STAT_LOW_SPEED | USB_PORT_STAT_HIGH_SPEED); -#if 0 - if (dum->driver) { - dev_dbg(hardware, "disconnect\n"); - stop_activity(dum, dum->driver); - } -#endif - /* FIXME test that code path! */ } /* 50msec reset signaling */
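Review bot: In the USB_PORT_FEAT_RESET hunk, the removed `/* FIXME test that code path! */` sits below the #endif and after the blank line that separates it from the #if 0 block, so it reads as a reminder about the live reset path (the port_status clearing just above it), not about the dead code. If that path has since been exercised, fine; otherwise the FIXME should stay.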
[PATCH 3.2 11/79] tpm-dev-common: Reject too short writes
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Alexander Steffen commit ee70bc1e7b63ac8023c9ff9475d8741e397316e7 upstream. tpm_transmit() does not offer an explicit interface to indicate the number of valid bytes in the communication buffer. Instead, it relies on the commandSize field in the TPM header that is encoded within the buffer. Therefore, ensure that a) enough data has been written to the buffer, so that the commandSize field is present and b) the commandSize field does not announce more data than has been written to the buffer. This should have been fixed with CVE-2011-1161 long ago, but apparently a correct version of that patch never made it into the kernel. Signed-off-by: Alexander Steffen Reviewed-by: Jarkko Sakkinen Tested-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen [bwh: Backported to 3.2: - s/priv/chip/ - Adjust filename, context] Signed-off-by: Ben Hutchings --- drivers/char/tpm/tpm.c | 6 ++ 1 file changed, 6 insertions(+) --- a/drivers/char/tpm/tpm.c +++ b/drivers/char/tpm/tpm.c @@ -1114,6 +1114,12 @@ ssize_t tpm_write(struct file *file, con return -EFAULT; } + if (in_size < 6 || + in_size < be32_to_cpu(*((__be32 *) (chip->data_buffer + 2 { + mutex_unlock(&chip->buffer_mutex); + return -EINVAL; + } + /* atomic tpm command send and result receive */ out_size = tpm_transmit(chip, chip->data_buffer, TPM_BUFSIZE); if (out_size < 0) {
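Review bot: The tpm_write hunk rejects in_size < 6 and in_size smaller than the announced commandSize, but it never bounds commandSize from below: a header announcing a size of 0, or anything under the 10-byte command header (tag + size + ordinal), passes both tests and the buffer is still handed to tpm_transmit() with TPM_BUFSIZE as the length. Unless tpm_transmit() rejects undersized counts itself (not visible here), add a lower bound of 10 next to the existing `in_size < 6` test. Trailing bytes beyond commandSize are accepted and silently ignored, which is reasonable but worth a comment. (The condition line is also truncated in this copy after `chip->data_buffer + 2`.)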
[PATCH 3.2 57/79] ALSA: usb-audio: Fix potential zero-division at parsing FU
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Takashi Iwai commit 8428a8ebde2db1e988e41a58497a28beb7ce1705 upstream. parse_audio_feature_unit() contains a code dividing potentially with zero when a malformed FU descriptor is passed. Although there is already a sanity check, it checks only the value zero, hence it can still lead to a zero-division when a value 1 is passed there. Fix it by correcting the sanity check (and the error message thereof). Fixes: 23caaf19b11e ("ALSA: usb-mixer: Add support for Audio Class v2.0") Signed-off-by: Takashi Iwai [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings --- sound/usb/mixer.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/sound/usb/mixer.c +++ b/sound/usb/mixer.c @@ -1262,9 +1262,9 @@ static int parse_audio_feature_unit(stru return -EINVAL; } csize = hdr->bControlSize; - if (!csize) { + if (csize <= 1) { snd_printdd(KERN_ERR "usbaudio: unit %u: " - "invalid bControlSize == 0\n", unitid); + "invalid bControlSize <= 1\n", unitid); return -EINVAL; } channels = (hdr->bLength - 7) / csize - 1;
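Review bot: `csize <= 1` on the __u8 bControlSize correctly covers both 0 and 1, but the very next statement, `channels = (hdr->bLength - 7) / csize - 1;`, still produces channels == -1 when bLength == 7, which patch 55/79's `bLength < 7` check lets through. Rejecting channels < 0 here, or requiring hdr->bLength >= 7 + csize so that the master bmaControls entry is inside the descriptor, would close that off.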
[PATCH 3.2 59/79] ALSA: hda: Add Raven PCI ID
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Vijendar Mukunda commit 9ceace3c9c18c67676e75141032a65a8e01f9a7a upstream. This commit adds the PCI ID for the Raven platform. Signed-off-by: Vijendar Mukunda Signed-off-by: Takashi Iwai Signed-off-by: Ben Hutchings --- sound/pci/hda/hda_intel.c | 3 +++ 1 file changed, 3 insertions(+) --- a/sound/pci/hda/hda_intel.c +++ b/sound/pci/hda/hda_intel.c @@ -3045,6 +3045,9 @@ static DEFINE_PCI_DEVICE_TABLE(azx_ids) /* AMD Hudson */ { PCI_DEVICE(0x1022, 0x780d), .driver_data = AZX_DRIVER_GENERIC | AZX_DCAPS_PRESET_ATI_SB }, + /* AMD Raven */ + { PCI_DEVICE(0x1022, 0x15e3), + .driver_data = AZX_DRIVER_GENERIC | AZX_DCAPS_PRESET_ATI_SB }, /* ATI HDMI */ { PCI_DEVICE(0x1002, 0x793b), .driver_data = AZX_DRIVER_ATIHDMI | AZX_DCAPS_PRESET_ATI_HDMI },
[PATCH 3.2 72/79] usb: add helper to extract bits 12:11 of wMaxPacketSize
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Felipe Balbi commit 541b6fe63023f3059cf85d47ff2767a3e42a8e44 upstream. According to USB Specification 2.0 table 9-4, wMaxPacketSize is a bitfield. Endpoint's maxpacket is laid out in bits 10:0. For high-speed, high-bandwidth isochronous endpoints, bits 12:11 contain a multiplier to tell us how many transactions we want to try per uframe. This means that if we want an isochronous endpoint to issue 3 transfers of 1024 bytes per uframe, wMaxPacketSize should contain the value: 1024 | (2 << 11) or 5120 (0x1400). In order to make Host and Peripheral controller drivers' life easier, we're adding a helper which returns bits 12:11. Note that no care is made WRT to checking endpoint type and gadget's speed. That's left for drivers to handle. Signed-off-by: Felipe Balbi [bwh: Backported to 3.2: adjust filename, context] Signed-off-by: Ben Hutchings --- include/linux/usb/ch9.h | 19 +++ 1 file changed, 19 insertions(+) --- a/include/linux/usb/ch9.h +++ b/include/linux/usb/ch9.h @@ -390,6 +390,11 @@ struct usb_endpoint_descriptor { #define USB_ENDPOINT_XFER_INT 3 #define USB_ENDPOINT_MAX_ADJUSTABLE0x80 +#define USB_EP_MAXP_MULT_SHIFT 11 +#define USB_EP_MAXP_MULT_MASK (3 << USB_EP_MAXP_MULT_SHIFT) +#define USB_EP_MAXP_MULT(m) \ + (((m) & USB_EP_MAXP_MULT_MASK) >> USB_EP_MAXP_MULT_SHIFT) + #define USB_ENDPOINT_SYNCTYPE 0x0c #define USB_ENDPOINT_SYNC_NONE (0 << 2) #define USB_ENDPOINT_SYNC_ASYNC(1 << 2) 
@@ -592,6 +597,20 @@ static inline int usb_endpoint_maxp(cons return __le16_to_cpu(epd->wMaxPacketSize); } +/** + * usb_endpoint_maxp_mult - get endpoint's transactional opportunities + * @epd: endpoint to be checked + * + * Return @epd's wMaxPacketSize[12:11] + 1 + */ +static inline int +usb_endpoint_maxp_mult(const struct usb_endpoint_descriptor *epd) +{ + int maxp = __le16_to_cpu(epd->wMaxPacketSize); + + return USB_EP_MAXP_MULT(maxp) + 1; +} + /*-*/ /* USB_DT_SS_ENDPOINT_COMP: SuperSpeed Endpoint Companion descriptor */
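Review bot: usb_endpoint_maxp_mult() returns USB_EP_MAXP_MULT(maxp) + 1 with no range check. The message already leaves endpoint type and speed to the caller, but a descriptor with bits 12:11 set to 3 (reserved in USB 2.0 table 9-13) makes the helper return 4, a multiplier no endpoint may legally advertise. Either clamp the result to 3 or state in the kernel-doc comment that callers must validate the value (1..3) before it sizes a transfer or buffer, since descriptors come from the device.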
[PATCH 3.2 71/79] usbip: Fix sscanf handling
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Alan commit 2d32927127f44d755780aa5fa88c8c34e72558f8 upstream. Scan only to the length permitted by the buffer One of a set of sscanf problems noted by Jackie Chang Signed-off-by: Alan Cox Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings --- drivers/staging/usbip/userspace/libsrc/usbip_common.c | 2 +- drivers/staging/usbip/userspace/libsrc/vhci_driver.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) --- a/drivers/staging/usbip/userspace/libsrc/usbip_common.c +++ b/drivers/staging/usbip/userspace/libsrc/usbip_common.c @@ -164,7 +164,7 @@ int read_attr_speed(struct sysfs_device goto err; } - ret = sscanf(attr->value, "%s\n", speed); + ret = sscanf(attr->value, "%99s\n", speed); if (ret < 1) { dbg("sscanf failed"); goto err; --- a/drivers/staging/usbip/userspace/libsrc/vhci_driver.c +++ b/drivers/staging/usbip/userspace/libsrc/vhci_driver.c @@ -66,7 +66,7 @@ static int parse_status(char *value) unsigned long socket; char lbusid[SYSFS_BUS_ID_SIZE]; - ret = sscanf(c, "%d %d %d %x %lx %s\n", + ret = sscanf(c, "%d %d %d %x %lx %31s\n", &port, &status, &speed, &devid, &socket, lbusid);
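Review bot: The usbip_common.c hunk hard-codes `%99s`, which is only safe if `speed` is at least 100 bytes (99 characters plus the terminator); its declaration is not in the hunk, so please confirm the size and, ideally, declare the width next to the buffer so the two cannot drift apart.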
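Review bot: In the vhci_driver.c hunk, `%31s` is correct for `char lbusid[SYSFS_BUS_ID_SIZE]` only while SYSFS_BUS_ID_SIZE is 32. Because a scanf width cannot be derived from the macro by stringification (the expression is not evaluated), add a compile-time check that SYSFS_BUS_ID_SIZE == 32 beside the format, or a comment on the macro that the width here must be updated with it.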
[PATCH 3.2 54/79] ALSA: timer: Remove kernel warning at compat ioctl error paths
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Takashi Iwai commit 3d4e8303f2c747c8540a0a0126d0151514f6468b upstream. Some timer compat ioctls have NULL checks of timer instance with snd_BUG_ON() that bring up WARN_ON() when the debug option is set. Actually the condition can be met in the normal situation and it's confusing and bad to spew kernel warnings with stack trace there. Let's remove snd_BUG_ON() invocation and replace with the simple checks. Also, correct the error code to EBADFD to follow the native ioctl error handling. Reported-by: syzbot Signed-off-by: Takashi Iwai Signed-off-by: Ben Hutchings --- sound/core/timer_compat.c | 12 ++-- 1 file changed, 6 insertions(+), 6 deletions(-) --- a/sound/core/timer_compat.c +++ b/sound/core/timer_compat.c @@ -40,11 +40,11 @@ static int snd_timer_user_info_compat(st struct snd_timer *t; tu = file->private_data; - if (snd_BUG_ON(!tu->timeri)) - return -ENXIO; + if (!tu->timeri) + return -EBADFD; t = tu->timeri->timer; - if (snd_BUG_ON(!t)) - return -ENXIO; + if (!t) + return -EBADFD; memset(&info, 0, sizeof(info)); info.card = t->card ? t->card->number : -1; if (t->hw.flags & SNDRV_TIMER_HW_SLAVE) @@ -73,8 +73,8 @@ static int snd_timer_user_status_compat( struct snd_timer_status32 status; tu = file->private_data; - if (snd_BUG_ON(!tu->timeri)) - return -ENXIO; + if (!tu->timeri) + return -EBADFD; memset(&status, 0, sizeof(status)); status.tstamp.tv_sec = tu->tstamp.tv_sec; status.tstamp.tv_nsec = tu->tstamp.tv_nsec;
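Review bot: Returning -EBADFD instead of -ENXIO matches the native ioctl path, as the message says. Both hunks still read tu->timeri (and then tu->timeri->timer) without any lock visible here, so if another ioctl can replace or release tu->timeri concurrently the NULL test only narrows the window; please confirm the native snd_timer_user_info()/status() paths take no lock either, or mirror whatever serialization they use.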
[PATCH 3.2 36/79] blktrace: fix unlocked access to init/start-stop/teardown
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Jens Axboe commit 1f2cac107c591c24b60b115d6050adc213d10fc0 upstream. sg.c calls into the blktrace functions without holding the proper queue mutex for doing setup, start/stop, or teardown. Add internal unlocked variants, and export the ones that do the proper locking. Fixes: 6da127ad0918 ("blktrace: Add blktrace ioctls to SCSI generic devices") Tested-by: Dmitry Vyukov Signed-off-by: Jens Axboe Signed-off-by: Ben Hutchings --- kernel/trace/blktrace.c | 58 - 1 file changed, 48 insertions(+), 10 deletions(-) --- a/kernel/trace/blktrace.c +++ b/kernel/trace/blktrace.c @@ -296,7 +296,7 @@ static void blk_trace_cleanup(struct blk blk_unregister_tracepoints(); } -int blk_trace_remove(struct request_queue *q) +static int __blk_trace_remove(struct request_queue *q) { struct blk_trace *bt; @@ -309,6 +309,17 @@ int blk_trace_remove(struct request_queu return 0; } + +int blk_trace_remove(struct request_queue *q) +{ + int ret; + + mutex_lock(&q->blk_trace_mutex); + ret = __blk_trace_remove(q); + mutex_unlock(&q->blk_trace_mutex); + + return ret; +} EXPORT_SYMBOL_GPL(blk_trace_remove); static int blk_dropped_open(struct inode *inode, struct file *filp) @@ -538,9 +549,8 @@ err: return ret; } -int blk_trace_setup(struct request_queue *q, char *name, dev_t dev, - struct block_device *bdev, - char __user *arg) +static int __blk_trace_setup(struct request_queue *q, char *name, dev_t dev, +struct block_device *bdev, char __user *arg) { struct blk_user_trace_setup buts; int ret; 
@@ -559,6 +569,19 @@ int blk_trace_setup(struct request_queue } return 0; } + +int blk_trace_setup(struct request_queue *q, char *name, dev_t dev, + struct block_device *bdev, + char __user *arg) +{ + int ret; + + mutex_lock(&q->blk_trace_mutex); + ret = __blk_trace_setup(q, name, dev, bdev, arg); + mutex_unlock(&q->blk_trace_mutex); + + return ret; +} EXPORT_SYMBOL_GPL(blk_trace_setup); #if defined(CONFIG_COMPAT) && defined(CONFIG_X86_64) @@ -596,7 +619,7 @@ static int compat_blk_trace_setup(struct } #endif -int blk_trace_startstop(struct request_queue *q, int start) +static int __blk_trace_startstop(struct request_queue *q, int start) { int ret; struct blk_trace *bt = q->blk_trace; @@ -629,6 +652,17 @@ int blk_trace_startstop(struct request_q return ret; } + +int blk_trace_startstop(struct request_queue *q, int start) +{ + int ret; + + mutex_lock(&q->blk_trace_mutex); + ret = __blk_trace_startstop(q, start); + mutex_unlock(&q->blk_trace_mutex); + + return ret; +} EXPORT_SYMBOL_GPL(blk_trace_startstop); /* @@ -659,7 +693,7 @@ int blk_trace_ioctl(struct block_device switch (cmd) { case BLKTRACESETUP: bdevname(bdev, b); - ret = blk_trace_setup(q, b, bdev->bd_dev, bdev, arg); + ret = __blk_trace_setup(q, b, bdev->bd_dev, bdev, arg); break; #if defined(CONFIG_COMPAT) && defined(CONFIG_X86_64) case BLKTRACESETUP32: @@ -670,10 +704,10 @@ int blk_trace_ioctl(struct block_device case BLKTRACESTART: start = 1; case BLKTRACESTOP: - ret = blk_trace_startstop(q, start); + ret = __blk_trace_startstop(q, start); break; case BLKTRACETEARDOWN: - ret = blk_trace_remove(q); + ret = __blk_trace_remove(q); break; default: ret = -ENOTTY; @@ -691,10 +725,14 @@ int blk_trace_ioctl(struct block_device **/ void blk_trace_shutdown(struct request_queue *q) { + mutex_lock(&q->blk_trace_mutex); + if (q->blk_trace) { - blk_trace_startstop(q, 0); - blk_trace_remove(q); + __blk_trace_startstop(q, 0); + __blk_trace_remove(q); } + + mutex_unlock(&q->blk_trace_mutex); } /*
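Review bot: The blk_trace_ioctl hunk switches BLKTRACESETUP, BLKTRACESTART/STOP and BLKTRACETEARDOWN to the unlocked __blk_trace_* variants, which is only correct if blk_trace_ioctl() already holds q->blk_trace_mutex around the switch; that acquisition is not in the hunk, so confirm it is present in the 3.2 tree (it would need its own backport if it came from a separate upstream commit), otherwise the ioctl path ends up with no blk_trace_mutex at all while the sg.c callers now take it. The BLKTRACESETUP32 case is only shown as context; please also check that compat_blk_trace_setup() does not call the locking blk_trace_setup() wrapper, which would take the mutex recursively once the ioctl path holds it.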
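Review bot: The blk_trace_shutdown hunk takes q->blk_trace_mutex around the `q->blk_trace` test and the stop/remove pair, which is what the sg.c race needed. Since this runs on queue teardown, please confirm no other path can still be inside __blk_trace_setup() for the same queue at that point; the mutex serializes them, but a setup that wins the race after shutdown has removed the trace would leave a live blk_trace behind.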
[PATCH 3.2 48/79] nfs: Fix ugly referral attributes
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Chuck Lever commit c05cefcc72416a37eba5a2b35f0704ed758a9145 upstream. Before traversing a referral and performing a mount, the mounted-on directory looks strange: dr-xr-xr-x. 2 4294967294 4294967294 0 Dec 31 1969 dir.0 nfs4_get_referral is wiping out any cached attributes with what was returned via GETATTR(fs_locations), but the bit mask for that operation does not request any file attributes. Retrieve owner and timestamp information so that the memcpy in nfs4_get_referral fills in more attributes. Changes since v1: - Don't request attributes that the client unconditionally replaces - Request only MOUNTED_ON_FILEID or FILEID attribute, not both - encode_fs_locations() doesn't use the third bitmask word Fixes: 6b97fd3da1ea ("NFSv4: Follow a referral") Suggested-by: Pradeep Thomas Signed-off-by: Chuck Lever Signed-off-by: Anna Schumaker [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings --- fs/nfs/nfs4proc.c | 18 -- 1 file changed, 8 insertions(+), 10 deletions(-) --- a/fs/nfs/nfs4proc.c +++ b/fs/nfs/nfs4proc.c @@ -151,15 +151,12 @@ const u32 nfs4_fsinfo_bitmap[3] = { FATT }; const u32 nfs4_fs_locations_bitmap[2] = { - FATTR4_WORD0_TYPE - | FATTR4_WORD0_CHANGE + FATTR4_WORD0_CHANGE | FATTR4_WORD0_SIZE | FATTR4_WORD0_FSID | FATTR4_WORD0_FILEID | FATTR4_WORD0_FS_LOCATIONS, - FATTR4_WORD1_MODE - | FATTR4_WORD1_NUMLINKS - | FATTR4_WORD1_OWNER + FATTR4_WORD1_OWNER | FATTR4_WORD1_OWNER_GROUP | FATTR4_WORD1_RAWDEV | FATTR4_WORD1_SPACE_USED @@ -4805,9 +4802,7 @@ int nfs4_proc_fs_locations(struct inode struct nfs4_fs_locations *fs_locations, struct page *page) { struct nfs_server *server = NFS_SERVER(dir); - u32 bitmask[2] = { - [0] = FATTR4_WORD0_FSID | FATTR4_WORD0_FS_LOCATIONS, - }; + u32 bitmask[2]; struct nfs4_fs_locations_arg args = { .dir_fh = NFS_FH(dir), .name = name, 
@@ -4826,12 +4821,15 @@ int nfs4_proc_fs_locations(struct inode dprintk("%s: start\n", __func__); + bitmask[0] = nfs4_fattr_bitmap[0] | FATTR4_WORD0_FS_LOCATIONS; + bitmask[1] = nfs4_fattr_bitmap[1]; + /* Ask for the fileid of the absent filesystem if mounted_on_fileid * is not supported */ if (NFS_SERVER(dir)->attr_bitmask[1] & FATTR4_WORD1_MOUNTED_ON_FILEID) - bitmask[1] |= FATTR4_WORD1_MOUNTED_ON_FILEID; + bitmask[0] &= ~FATTR4_WORD0_FILEID; else - bitmask[0] |= FATTR4_WORD0_FILEID; + bitmask[1] &= ~FATTR4_WORD1_MOUNTED_ON_FILEID; nfs_fattr_init(&fs_locations->fattr); fs_locations->server = server;
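Review bot: The nfs4_proc_fs_locations hunk now starts from nfs4_fattr_bitmap[] and clears one of the two fileid bits with `&= ~`, where the old code set the wanted bit with `|=`. That only requests a fileid at all if nfs4_fattr_bitmap[0] already contains FATTR4_WORD0_FILEID and nfs4_fattr_bitmap[1] contains FATTR4_WORD1_MOUNTED_ON_FILEID in the 3.2 tree; if either is missing there, the corresponding branch becomes a no-op and the referral comes back with no fileid. Worth checking against the 3.2 definition, which this patch does not touch.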
[PATCH 3.2 28/79] media: Don't do DMA on stack for firmware upload in the AS102 driver
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Michele Baldessari commit b3120d2cc447ee77b9d69bf4ad7b452c9adb4d39 upstream. Firmware load on AS102 is using the stack which is not allowed any longer. We currently fail with: kernel: transfer buffer not dma capable kernel: [ cut here ] kernel: WARNING: CPU: 0 PID: 598 at drivers/usb/core/hcd.c:1595 usb_hcd_map_urb_for_dma+0x41d/0x620 kernel: Modules linked in: amd64_edac_mod(-) edac_mce_amd as102_fe dvb_as102(+) kvm_amd kvm snd_hda_codec_realtek dvb_core snd_hda_codec_generic snd_hda_codec_hdmi snd_hda_intel snd_hda_codec irqbypass crct10dif_pclmul crc32_pclmul snd_hda_core snd_hwdep snd_seq ghash_clmulni_intel sp5100_tco fam15h_power wmi k10temp i2c_piix4 snd_seq_device snd_pcm snd_timer parport_pc parport tpm_infineon snd tpm_tis soundcore tpm_tis_core tpm shpchp acpi_cpufreq xfs libcrc32c amdgpu amdkfd amd_iommu_v2 radeon hid_logitech_hidpp i2c_algo_bit drm_kms_helper crc32c_intel ttm drm r8169 mii hid_logitech_dj kernel: CPU: 0 PID: 598 Comm: systemd-udevd Not tainted 4.13.10-200.fc26.x86_64 #1 kernel: Hardware name: ASUS All Series/AM1I-A, BIOS 0505 03/13/2014 kernel: task: 979933b24c80 task.stack: af83413a4000 kernel: RIP: 0010:usb_hcd_map_urb_for_dma+0x41d/0x620 systemd-fsck[659]: /dev/sda2: clean, 49/128016 files, 268609/512000 blocks kernel: RSP: 0018:af83413a7728 EFLAGS: 00010282 systemd-udevd[604]: link_config: autonegotiation is unset or enabled, the speed and duplex are not writable. kernel: RAX: 001f RBX: 979930bce780 RCX: kernel: RDX: RSI: 97993ec0e118 RDI: 97993ec0e118 kernel: RBP: af83413a7768 R08: 039a R09: kernel: R10: 0001 R11: R12: fff5 kernel: R13: 0140 R14: 0001 R15: 979930806800 kernel: FS: 7effaca5c8c0() GS:97993ec0() knlGS: kernel: CS: 0010 DS: ES: CR0: 80050033 kernel: CR2: 7effa9fca962 CR3: 000233089000 CR4: 000406f0 kernel: Call Trace: kernel: usb_hcd_submit_urb+0x493/0xb40 kernel: ? page_cache_tree_insert+0x100/0x100 kernel: ? 
xfs_iunlock+0xd5/0x100 [xfs] kernel: ? xfs_file_buffered_aio_read+0x57/0xc0 [xfs] kernel: usb_submit_urb+0x22d/0x560 kernel: usb_start_wait_urb+0x6e/0x180 kernel: usb_bulk_msg+0xb8/0x160 kernel: as102_send_ep1+0x49/0xe0 [dvb_as102] kernel: ? devres_add+0x3f/0x50 kernel: as102_firmware_upload.isra.0+0x1dc/0x210 [dvb_as102] kernel: as102_fw_upload+0xb6/0x1f0 [dvb_as102] kernel: as102_dvb_register+0x2af/0x2d0 [dvb_as102] kernel: as102_usb_probe+0x1f3/0x260 [dvb_as102] kernel: usb_probe_interface+0x124/0x300 kernel: driver_probe_device+0x2ff/0x450 kernel: __driver_attach+0xa4/0xe0 kernel: ? driver_probe_device+0x450/0x450 kernel: bus_for_each_dev+0x6e/0xb0 kernel: driver_attach+0x1e/0x20 kernel: bus_add_driver+0x1c7/0x270 kernel: driver_register+0x60/0xe0 kernel: usb_register_driver+0x81/0x150 kernel: ? 0xc0807000 kernel: as102_usb_driver_init+0x1e/0x1000 [dvb_as102] kernel: do_one_initcall+0x50/0x190 kernel: ? __vunmap+0x81/0xb0 kernel: ? kfree+0x154/0x170 kernel: ? kmem_cache_alloc_trace+0x15f/0x1c0 kernel: ? do_init_module+0x27/0x1e9 kernel: do_init_module+0x5f/0x1e9 kernel: load_module+0x2602/0x2c30 kernel: SYSC_init_module+0x170/0x1a0 kernel: ? 
SYSC_init_module+0x170/0x1a0 kernel: SyS_init_module+0xe/0x10 kernel: do_syscall_64+0x67/0x140 kernel: entry_SYSCALL64_slow_path+0x25/0x25 kernel: RIP: 0033:0x7effab6cf3ea kernel: RSP: 002b:7fff5cfcbbc8 EFLAGS: 0246 ORIG_RAX: 00af kernel: RAX: ffda RBX: 5569e0b83760 RCX: 7effab6cf3ea kernel: RDX: 7effac2099c5 RSI: 9a13 RDI: 5569e0b98c50 kernel: RBP: 7effac2099c5 R08: 5569e0b83ed0 R09: 1d80 kernel: R10: 7effab98db00 R11: 0246 R12: 5569e0b98c50 kernel: R13: 5569e0b81c60 R14: 0002 R15: 5569dfadfdf7 kernel: Code: 48 39 c8 73 30 80 3d 59 60 9d 00 00 41 bc f5 ff ff ff 0f 85 26 ff ff ff 48 c7 c7 b8 6b d0 92 c6 05 3f 60 9d 00 01 e8 24 3d ad ff <0f> ff 8b 53 64 e9 09 ff ff ff 65 48 8b 0c 25 00 d3 00 00 48 8b kernel: ---[ end trace c4cae366180e70ec ]--- kernel: as10x_usb: error during firmware upload part1 Let's allocate the structure dynamically so we can get the firmware loaded correctly: [ 14.243057] as10x_usb: firmware: as102_data1_st.hex loaded with success [ 14.500777] as10x_usb: firmware: as102_data2_st.hex loaded with success Signed-off-by: Michele Baldessari Signed-off-by: Mauro Carvalho Chehab [bwh: Backported to 3.2: adjust filename, context] Signed-off-by: Ben Hutchings --- drivers/staging/media/as102/as102_fw.c | 28 +--- 1 file changed, 17 insertions(+), 11 deletions(-) --- a/drivers/staging/media/as102/as102_fw.c +++ b/drivers/
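Review bot: The as102_fw.c diff body is absent from this copy (it stops after the +++ header), so only the approach can be reviewed. Moving the firmware packet structure off the stack into an allocated buffer adds an allocation that must be released on every exit of the upload routine, including the early failure reported as "error during firmware upload part1" in the message, and the allocation should use a sleeping GFP flag since this runs from probe. Please walk each return path in the full hunk with that in mind.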
[PATCH 3.2 27/79] eCryptfs: use after free in ecryptfs_release_messaging()
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Dan Carpenter commit db86be3a12d0b6e5c5b51c2ab2a48f06329cb590 upstream. We're freeing the list iterator so we should be using the _safe() version of hlist_for_each_entry(). Fixes: 88b4a07e6610 ("[PATCH] eCryptfs: Public key transport mechanism") Signed-off-by: Dan Carpenter Signed-off-by: Tyler Hicks [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings --- --- a/fs/ecryptfs/messaging.c +++ b/fs/ecryptfs/messaging.c @@ -550,17 +550,17 @@ void ecryptfs_release_messaging(void) mutex_unlock(&ecryptfs_msg_ctx_lists_mux); } if (ecryptfs_daemon_hash) { - struct hlist_node *elem; struct ecryptfs_daemon *daemon; + struct hlist_node *elem, *n; int i; mutex_lock(&ecryptfs_daemon_hash_mux); for (i = 0; i < (1 << ecryptfs_hash_bits); i++) { int rc; - hlist_for_each_entry(daemon, elem, -&ecryptfs_daemon_hash[i], -euid_chain) { + hlist_for_each_entry_safe(daemon, elem, n, + &ecryptfs_daemon_hash[i], + euid_chain) { rc = ecryptfs_exorcise_daemon(daemon); if (rc) printk(KERN_ERR "%s: Error whilst "
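Review bot: Switching to hlist_for_each_entry_safe() is the right fix for ecryptfs_exorcise_daemon() freeing `daemon`, but it assumes that function unlinks and frees only the entry it is given; if it can also remove the next node, the saved `n` pointer is stale and the loop is still a use-after-free. Please confirm it only touches its own argument. Separately, the diffstat between the sign-off and the first file header is empty in this copy.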
[PATCH 3.2 40/79] s390/disassembler: increase show_code buffer size
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- 
From: Vasily Gorbik commit b192571d1ae375e0bbe0aa3ccfa1a3c3704454b9 upstream. Current buffer size of 64 is too small. objdump shows that there are instructions which would require up to 75 bytes buffer (with current formatting). 128 bytes "ought to be enough for anybody". Also replaces 8 spaces with a single tab to reduce the memory footprint. Fixes the following KASAN finding: BUG: KASAN: stack-out-of-bounds in number+0x3fe/0x538 Write of size 1 at addr 5a4a75a0 by task bash/1282 CPU: 1 PID: 1282 Comm: bash Not tainted 4.14.0+ #215 Hardware name: IBM 2964 N96 702 (z/VM 6.4.0) Call Trace: ([<0011eeb6>] show_stack+0x56/0x88) [<00e1ce1a>] dump_stack+0x15a/0x1b0 [<004e2994>] print_address_description+0xf4/0x288 [<004e2cf2>] kasan_report+0x13a/0x230 [<00e38ae6>] number+0x3fe/0x538 [<00e3dfe4>] vsnprintf+0x194/0x948 [<00e3ea42>] sprintf+0xa2/0xb8 [<001198dc>] print_insn+0x374/0x500 [<00119346>] show_code+0x4ee/0x538 [<0011f234>] show_registers+0x34c/0x388 [<0011f2ae>] show_regs+0x3e/0xa8 [<0011f502>] die+0x1ea/0x2e8 [<00138f0e>] do_no_context+0x106/0x168 [<00139a1a>] do_protection_exception+0x4da/0x7d0 [<00e55914>] pgm_check_handler+0x16c/0x1c0 [<0090639e>] sysrq_handle_crash+0x46/0x58 ([<0007>] 0x7) [<009073fa>] __handle_sysrq+0x102/0x218 [<00907c06>] write_sysrq_trigger+0xd6/0x100 [<0061d67a>] proc_reg_write+0xb2/0x128 [<00520be6>] __vfs_write+0xee/0x368 [<00521222>] vfs_write+0x21a/0x278 [<0052156a>] SyS_write+0xda/0x178 [<00e555cc>] system_call+0xc4/0x270 The buggy address belongs to the page: page:03d1016929c0 count:0 mapcount:0 mapping: (null) index:0x0 flags: 0x0() raw: raw: 0100 0200 page dumped because: kasan: bad access detected Memory state around the buggy address: 5a4a7480: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 5a4a7500: 00 00 00 00 00 00 00 00 f2 f2 f2 f2 00 00 00 00 >5a4a7580: 00 00 00 00 f3 f3 f3 f3 00 00 00 00 00 00 00 00 ^ 5a4a7600: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 f8 f8 5a4a7680: f2 f2 f2 f2 f2 f2 f8 f8 f2 f2 f3 f3 f3 f3 00 00 == 
Signed-off-by: Vasily Gorbik Signed-off-by: Martin Schwidefsky Signed-off-by: Ben Hutchings --- arch/s390/kernel/dis.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/arch/s390/kernel/dis.c +++ b/arch/s390/kernel/dis.c @@ -1542,7 +1542,7 @@ void show_code(struct pt_regs *regs) { char *mode = (regs->psw.mask & PSW_MASK_PSTATE) ? "User" : "Krnl"; unsigned char code[64]; - char buffer[64], *ptr; + char buffer[128], *ptr; mm_segment_t old_fs; unsigned long addr; int start, end, opsize, hops, i; @@ -1600,7 +1600,7 @@ void show_code(struct pt_regs *regs) start += opsize; printk(buffer); ptr = buffer; - ptr += sprintf(ptr, "\n "); + ptr += sprintf(ptr, "\n\t "); hops++; } printk("\n");
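Review bot: Growing `buffer` to 128 removes today's overflow, but the writes remain unbounded sprintf() calls driven by the instruction tables, so a future format or a longer mnemonic can reintroduce the same stack-out-of-bounds; snprintf() with the remaining space (buffer + sizeof(buffer) - ptr) would turn the size into a hard limit. The context line `printk(buffer);` also passes the assembled text as the format string; `printk("%s", buffer)` is the safer form even if the disassembler never emits a '%'.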
[PATCH 3.2 34/79] dm: fix race between dm_get_from_kobject() and __dm_destroy()
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Hou Tao commit b9a41d21dceadf8104812626ef85dc56ee8a60ed upstream. The following BUG_ON was hit when testing repeat creation and removal of DM devices: kernel BUG at drivers/md/dm.c:2919! CPU: 7 PID: 750 Comm: systemd-udevd Not tainted 4.1.44 Call Trace: [] dm_get_from_kobject+0x34/0x3a [] dm_attr_show+0x2b/0x5e [] ? mutex_lock+0x26/0x44 [] sysfs_kf_seq_show+0x83/0xcf [] kernfs_seq_show+0x23/0x25 [] seq_read+0x16f/0x325 [] kernfs_fop_read+0x3a/0x13f [] __vfs_read+0x26/0x9d [] ? security_file_permission+0x3c/0x44 [] ? rw_verify_area+0x83/0xd9 [] vfs_read+0x8f/0xcf [] ? __fdget_pos+0x12/0x41 [] SyS_read+0x4b/0x76 [] system_call_fastpath+0x12/0x71 The bug can be easily triggered, if an extra delay (e.g. 10ms) is added between the test of DMF_FREEING & DMF_DELETING and dm_get() in dm_get_from_kobject(). To fix it, we need to ensure the test of DMF_FREEING & DMF_DELETING and dm_get() are done in an atomic way, so _minor_lock is used. The other callers of dm_get() have also been checked to be OK: some callers invoke dm_get() under _minor_lock, some callers invoke it under _hash_lock, and dm_start_request() invoke it after increasing md->open_count. Signed-off-by: Hou Tao Signed-off-by: Mike Snitzer Signed-off-by: Ben Hutchings --- drivers/md/dm.c | 12 1 file changed, 8 insertions(+), 4 deletions(-) --- a/drivers/md/dm.c +++ b/drivers/md/dm.c @@ -2685,11 +2685,15 @@ struct mapped_device *dm_get_from_kobjec md = container_of(kobj, struct mapped_device, kobj_holder.kobj); - if (test_bit(DMF_FREEING, &md->flags) || - dm_deleting_md(md)) - return NULL; - + spin_lock(&_minor_lock); + if (test_bit(DMF_FREEING, &md->flags) || dm_deleting_md(md)) { + md = NULL; + goto out; + } dm_get(md); +out: + spin_unlock(&_minor_lock); + return md; }
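Review bot: Taking _minor_lock around the DMF_FREEING/dm_deleting_md() test and dm_get() only closes the race if __dm_destroy() sets those flags while holding _minor_lock as well; that side is not in this hunk, so please confirm the 3.2 __dm_destroy() does so. dm_get() is now called under a spinlock, which is fine as long as it only increments the holder count and cannot sleep.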
[PATCH 3.2 32/79] video: udlfb: Fix read EDID timeout
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Ladislav Michl commit c98769475575c8a585f5b3952f4b5f90266f699b upstream. While usb_control_msg function expects timeout in milliseconds, a value of HZ is used. Replace it with USB_CTRL_GET_TIMEOUT and also fix error message which looks like: udlfb: Read EDID byte 78 failed err ff92 as error is either negative errno or number of bytes transferred use %d format specifier. Returned EDID is in second byte, so return error when less than two bytes are received. Fixes: 18dffdf8913a ("staging: udlfb: enhance EDID and mode handling support") Signed-off-by: Ladislav Michl Cc: Bernie Thompson Signed-off-by: Bartlomiej Zolnierkiewicz [bwh: Backported to 3.2: adjust filename] Signed-off-by: Ben Hutchings --- drivers/video/udlfb.c | 10 +- 1 file changed, 5 insertions(+), 5 deletions(-) --- a/drivers/video/udlfb.c +++ b/drivers/video/udlfb.c @@ -765,11 +765,11 @@ static int dlfb_get_edid(struct dlfb_dat for (i = 0; i < len; i++) { ret = usb_control_msg(dev->udev, - usb_rcvctrlpipe(dev->udev, 0), (0x02), - (0x80 | (0x02 << 5)), i << 8, 0xA1, rbuf, 2, - HZ); - if (ret < 1) { - pr_err("Read EDID byte %d failed err %x\n", i, ret); + usb_rcvctrlpipe(dev->udev, 0), 0x02, + (0x80 | (0x02 << 5)), i << 8, 0xA1, + rbuf, 2, USB_CTRL_GET_TIMEOUT); + if (ret < 2) { + pr_err("Read EDID byte %d failed: %d\n", i, ret); i--; break; }
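Review bot: `ret < 2` is the right success test given that the EDID byte is in rbuf[1], and a one-byte reply is now correctly treated as a failure rather than a valid byte. Note the timeout semantics change: HZ interpreted as milliseconds was at most a second, whereas USB_CTRL_GET_TIMEOUT is 5000 ms, so an unresponsive device can now stall this loop for 5 s; since the `i--; break;` exits on the first failure that is bounded to one stall per call, which is acceptable, but worth stating in the message.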
[PATCH 3.2 42/79] sctp: fully initialize the IPv6 address in sctp_v6_to_addr()
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- 
From: Alexander Potapenko commit 15339e441ec46fbc3bf3486bb1ae4845b0f1bb8d upstream. KMSAN reported use of uninitialized sctp_addr->v4.sin_addr.s_addr and sctp_addr->v6.sin6_scope_id in sctp_v6_cmp_addr() (see below). Make sure all fields of an IPv6 address are initialized, which guarantees that the IPv4 fields are also initialized. == BUG: KMSAN: use of uninitialized memory in sctp_v6_cmp_addr+0x8d4/0x9f0 net/sctp/ipv6.c:517 CPU: 2 PID: 31056 Comm: syz-executor1 Not tainted 4.11.0-rc5+ #2944 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 Call Trace: dump_stack+0x172/0x1c0 lib/dump_stack.c:42 is_logbuf_locked mm/kmsan/kmsan.c:59 [inline] kmsan_report+0x12a/0x180 mm/kmsan/kmsan.c:938 native_save_fl arch/x86/include/asm/irqflags.h:18 [inline] arch_local_save_flags arch/x86/include/asm/irqflags.h:72 [inline] arch_local_irq_save arch/x86/include/asm/irqflags.h:113 [inline] __msan_warning_32+0x61/0xb0 mm/kmsan/kmsan_instr.c:467 sctp_v6_cmp_addr+0x8d4/0x9f0 net/sctp/ipv6.c:517 sctp_v6_get_dst+0x8c7/0x1630 net/sctp/ipv6.c:290 sctp_transport_route+0x101/0x570 net/sctp/transport.c:292 sctp_assoc_add_peer+0x66d/0x16f0 net/sctp/associola.c:651 sctp_sendmsg+0x35a5/0x4f90 net/sctp/socket.c:1871 inet_sendmsg+0x498/0x670 net/ipv4/af_inet.c:762 sock_sendmsg_nosec net/socket.c:633 [inline] sock_sendmsg net/socket.c:643 [inline] SYSC_sendto+0x608/0x710 net/socket.c:1696 SyS_sendto+0x8a/0xb0 net/socket.c:1664 entry_SYSCALL_64_fastpath+0x13/0x94 RIP: 0033:0x44b479 RSP: 002b:7f6213f21c08 EFLAGS: 0286 ORIG_RAX: 002c RAX: ffda RBX: 2000 RCX: 0044b479 RDX: 0041 RSI: 20edd000 RDI: 0006 RBP: 007080a8 R08: 20b85fe4 R09: 001c R10: 00040005 R11: 0286 R12: R13: 3760 R14: 006e5820 R15: 00ff8000 origin description: dst_saddr@sctp_v6_get_dst local variable created at: sk_fullsock include/net/sock.h:2321 [inline] inet6_sk include/linux/ipv6.h:309 [inline] sctp_v6_get_dst+0x91/0x1630 net/sctp/ipv6.c:241 sctp_transport_route+0x101/0x570 net/sctp/transport.c:292 == BUG: 
KMSAN: use of uninitialized memory in sctp_v6_cmp_addr+0x8d4/0x9f0 net/sctp/ipv6.c:517 CPU: 2 PID: 31056 Comm: syz-executor1 Not tainted 4.11.0-rc5+ #2944 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 Call Trace: dump_stack+0x172/0x1c0 lib/dump_stack.c:42 is_logbuf_locked mm/kmsan/kmsan.c:59 [inline] kmsan_report+0x12a/0x180 mm/kmsan/kmsan.c:938 native_save_fl arch/x86/include/asm/irqflags.h:18 [inline] arch_local_save_flags arch/x86/include/asm/irqflags.h:72 [inline] arch_local_irq_save arch/x86/include/asm/irqflags.h:113 [inline] __msan_warning_32+0x61/0xb0 mm/kmsan/kmsan_instr.c:467 sctp_v6_cmp_addr+0x8d4/0x9f0 net/sctp/ipv6.c:517 sctp_v6_get_dst+0x8c7/0x1630 net/sctp/ipv6.c:290 sctp_transport_route+0x101/0x570 net/sctp/transport.c:292 sctp_assoc_add_peer+0x66d/0x16f0 net/sctp/associola.c:651 sctp_sendmsg+0x35a5/0x4f90 net/sctp/socket.c:1871 inet_sendmsg+0x498/0x670 net/ipv4/af_inet.c:762 sock_sendmsg_nosec net/socket.c:633 [inline] sock_sendmsg net/socket.c:643 [inline] SYSC_sendto+0x608/0x710 net/socket.c:1696 SyS_sendto+0x8a/0xb0 net/socket.c:1664 entry_SYSCALL_64_fastpath+0x13/0x94 RIP: 0033:0x44b479 RSP: 002b:7f6213f21c08 EFLAGS: 0286 ORIG_RAX: 002c RAX: ffda RBX: 2000 RCX: 0044b479 RDX: 0041 RSI: 20edd000 RDI: 0006 RBP: 007080a8 R08: 20b85fe4 R09: 001c R10: 00040005 R11: 0286 R12: R13: 3760 R14: 006e5820 R15: 00ff8000 origin description: dst_saddr@sctp_v6_get_dst local variable created at: sk_fullsock include/net/sock.h:2321 [inline] inet6_sk include/linux/ipv6.h:309 [inline] sctp_v6_get_dst+0x91/0x1630 net/sctp/ipv6.c:241 sctp_transport_route+0x101/0x570 net/sctp/transport.c:292 == Signed-off-by: Alexander Potapenko Reviewed-by: Xin Long Acked-by: Marcelo Ricardo Leitner Signed-off-by: David S. Miller [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings --- net/sctp/ipv6.c | 2 ++ 1 file changed, 2 insertions(+) --- a/net/sctp/ipv6.c +++ b/net/sctp/ipv6.c 
@@ -487,7 +487,9 @@ static void sctp_v6_to_addr(union sctp_a { addr->sa.sa_family = AF_INET6; addr->v6.sin6_port = port; + addr->v6.sin6_flowinfo = 0; ipv6_addr_copy(&addr->v6.sin6_addr, saddr); + addr->v6.sin6_scope_id = 0; } /* Comp
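Review bot: the two added stores depend on the layout of `union sctp_addr`: the IPv4 `sin_addr.s_addr` that KMSAN flagged lives at the same offset as `sin6_flowinfo` (family and port occupy the first four bytes of both sockaddr_in and sockaddr_in6), which is why zeroing sin6_flowinfo silences the v4 half of the report even though no v4 field is written. That is worth a comment on the `addr->v6.sin6_flowinfo = 0;` line; alternatively a `memset(addr, 0, sizeof(*addr));` at the top of sctp_v6_to_addr() would make the function robust against any further union member without relying on the overlap.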
[PATCH 3.2 07/79] media: rc: check for integer overflow
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Sean Young commit 3e45067f94bbd61dec0619b1c32744eb0de480c8 upstream. The ioctl LIRC_SET_REC_TIMEOUT would set a timeout of 704ns if called with a timeout of 4294968us. Signed-off-by: Sean Young Signed-off-by: Mauro Carvalho Chehab [bwh: Backported to 3.2: open-code U32_MAX] Signed-off-by: Ben Hutchings --- drivers/media/rc/ir-lirc-codec.c | 9 ++--- 1 file changed, 6 insertions(+), 3 deletions(-) --- a/drivers/media/rc/ir-lirc-codec.c +++ b/drivers/media/rc/ir-lirc-codec.c @@ -255,11 +255,14 @@ static long ir_lirc_ioctl(struct file *f if (!dev->max_timeout) return -ENOSYS; + /* Check for multiply overflow */ + if (val > (u32)(-1) / 1000) + return -EINVAL; + tmp = val * 1000; - if (tmp < dev->min_timeout || - tmp > dev->max_timeout) - return -EINVAL; + if (tmp < dev->min_timeout || tmp > dev->max_timeout) + return -EINVAL; dev->timeout = tmp; break;
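Review bot: the guard `val > (u32)(-1) / 1000` is exact for a 32-bit `val`: 4294967 * 1000 still fits, while 4294968 * 1000 wraps to 704, which is precisely the case in the commit message. It does assume that `val` and `tmp` are both 32-bit unsigned in this tree; if `tmp` were wider the existing `tmp > dev->max_timeout` test would already have rejected the value, so please confirm the types so the check is not dead. The re-indentation of the unchanged `if (tmp < dev->min_timeout || tmp > dev->max_timeout)` is whitespace-only churn inside a stable fix and could have been left out of the backport.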
[PATCH 3.2 20/79] l2tp: protect sock pointer of struct pppol2tp_session with RCU
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Guillaume Nault commit ee40fb2e1eb5bc0ddd3f2f83c6e39a454ef5a741 upstream. pppol2tp_session_create() registers sessions that can't have their corresponding socket initialised. This socket has to be created by userspace, then connected to the session by pppol2tp_connect(). Therefore, we need to protect the pppol2tp socket pointer of L2TP sessions, so that it can safely be updated when userspace is connecting or closing the socket. This will eventually allow pppol2tp_connect() to avoid generating transient states while initialising its parts of the session. To this end, this patch protects the pppol2tp socket pointer using RCU. The pppol2tp socket pointer is still set in pppol2tp_connect(), but only once we know the function isn't going to fail. It's eventually reset by pppol2tp_release(), which now has to wait for a grace period to elapse before it can drop the last reference on the socket. This ensures that pppol2tp_session_get_sock() can safely grab a reference on the socket, even after ps->sk is reset to NULL but before this operation actually gets visible from pppol2tp_session_get_sock(). The rest is standard RCU conversion: pppol2tp_recv(), which already runs in atomic context, is simply enclosed by rcu_read_lock() and rcu_read_unlock(), while other functions are converted to use pppol2tp_session_get_sock() followed by sock_put(). pppol2tp_session_setsockopt() is a special case. It used to retrieve the pppol2tp socket from the L2TP session, which itself was retrieved from the pppol2tp socket. Therefore we can just avoid dereferencing ps->sk and directly use the original socket pointer instead. With all users of ps->sk now handling NULL and concurrent updates, the L2TP ->ref() and ->deref() callbacks aren't needed anymore. Therefore, rather than converting pppol2tp_session_sock_hold() and pppol2tp_session_sock_put(), we can just drop them. Signed-off-by: Guillaume Nault 
Signed-off-by: David S. Miller [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings --- --- a/net/l2tp/l2tp_ppp.c +++ b/net/l2tp/l2tp_ppp.c @@ -126,8 +126,11 @@ struct pppol2tp_session { int owner; /* pid that opened the socket */ - struct sock *sock; /* Pointer to the session + struct mutexsk_lock;/* Protects .sk */ + struct sock __rcu *sk;/* Pointer to the session * PPPoX socket */ + struct sock *__sk; /* Copy of .sk, for cleanup */ + struct rcu_head rcu;/* For asynchronous release */ struct sock *tunnel_sock; /* Pointer to the tunnel UDP * socket */ int flags; /* accessed by PPPIOCGFLAGS. @@ -142,6 +145,24 @@ static const struct ppp_channel_ops pppo static const struct proto_ops pppol2tp_ops; +/* Retrieves the pppol2tp socket associated to a session. + * A reference is held on the returned socket, so this function must be paired + * with sock_put(). + */ +static struct sock *pppol2tp_session_get_sock(struct l2tp_session *session) +{ + struct pppol2tp_session *ps = l2tp_session_priv(session); + struct sock *sk; + + rcu_read_lock(); + sk = rcu_dereference(ps->sk); + if (sk) + sock_hold(sk); + rcu_read_unlock(); + + return sk; +} + /* Helpers to obtain tunnel/session contexts from sockets. */ static inline struct l2tp_session *pppol2tp_sock_to_session(struct sock *sk) @@ -229,7 +250,8 @@ static void pppol2tp_recv(struct l2tp_se /* If the socket is bound, send it in to PPP's input queue. Otherwise * queue it on the session socket. */ - sk = ps->sock; + rcu_read_lock(); + sk = rcu_dereference(ps->sk); if (sk == NULL) goto no_sock; 
@@ -265,31 +287,17 @@ static void pppol2tp_recv(struct l2tp_se session->stats.rx_errors++; kfree_skb(skb); } + rcu_read_unlock(); return; no_sock: + rcu_read_unlock(); PRINTK(session->debug, PPPOL2TP_MSG_DATA, KERN_INFO, "%s: no socket\n", session->name); kfree_skb(skb); } -static void pppol2tp_session_sock_hold(struct l2tp_session *session) -{ - struct pppol2tp_session *ps = l2tp_session_priv(session); - - if (ps->sock) - sock_hold(ps->sock); -} - -static void pppol2tp_session_sock_put(struct l2tp_session *session) -{ - struct pppol2tp_session *ps = l2tp_session_priv(session); - - if (ps->sock) - sock_put(ps->sock); -} - / * Transmit handling **
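Review bot: pppol2tp_session_get_sock() calls sock_hold() on a socket obtained through rcu_dereference(ps->sk) without any check that its refcount is still non-zero, so it is only correct because, as the commit message says, pppol2tp_release() waits for a grace period after clearing ps->sk before dropping the last reference. That invariant is what makes the sock_hold() safe and should be stated in the helper's comment block; the `__sk` "copy for cleanup" and `rcu` fields added in the struct hunk are presumably the mechanism, but no hunk on this page shows them being assigned or the call_rcu() that uses them, so the release side has to be reviewed separately.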
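Review bot: deleting pppol2tp_session_sock_hold()/pppol2tp_session_sock_put() is only safe if the `session->ref`/`session->deref` assignments that pointed at them are removed in the same patch; those hunks (in pppol2tp_connect()) are not shown here, so please check they are present, otherwise the build breaks. In pppol2tp_recv() the rcu_read_lock() now covers every use of `sk` up to the return, which is fine because the function already runs in atomic context, but it means nothing in that region may sleep in future; a short comment next to `sk = rcu_dereference(ps->sk);` noting that `sk` is only valid inside the read-side section would make that explicit.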
Re: [PATCH] ARM: dts: da850-evm: add clock properties to the nand node
Hi Bartosz,

I love your patch! Yet something to improve:

[auto build test ERROR on robh/for-next]
[also build test ERROR on v4.15 next-20180209]
[if your patch is applied to the wrong git tree, please drop us a note to help improve the system]

url:    https://github.com/0day-ci/linux/commits/Bartosz-Golaszewski/ARM-dts-da850-evm-add-clock-properties-to-the-nand-node/20180208-105626
base:   https://git.kernel.org/pub/scm/linux/kernel/git/robh/linux.git for-next
config: arm-sunxi_defconfig (attached as .config)
compiler: arm-linux-gnueabi-gcc (Debian 7.2.0-11) 7.2.0
reproduce:
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # save the attached .config to linux build tree
        make.cross ARCH=arm

All errors (new ones prefixed by >>):

>> ERROR: Input tree has errors, aborting (use -f to force output)

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all                   Intel Corporation
[PATCH 3.2 24/79] isofs: fix timestamps beyond 2027
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Arnd Bergmann commit 34be4dbf87fc3e474a842305394534216d428f5d upstream. isofs uses a 'char' variable to load the number of years since 1900 for an inode timestamp. On architectures that use a signed char type by default, this results in an invalid date for anything beyond 2027. This changes the function argument to a 'u8' array, which is defined the same way on all architectures, and unambiguously lets us use years until 2155. This should be backported to all kernels that might still be in use by that date. Signed-off-by: Arnd Bergmann Signed-off-by: Jan Kara Signed-off-by: Ben Hutchings --- fs/isofs/isofs.h | 2 +- fs/isofs/rock.h | 2 +- fs/isofs/util.c | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) --- a/fs/isofs/isofs.h +++ b/fs/isofs/isofs.h @@ -103,7 +103,7 @@ static inline unsigned int isonum_733(ch /* Ignore bigendian datum due to broken mastering programs */ return get_unaligned_le32(p); } -extern int iso_date(char *, int); +extern int iso_date(u8 *, int); struct inode; /* To make gcc happy */ --- a/fs/isofs/rock.h +++ b/fs/isofs/rock.h @@ -65,7 +65,7 @@ struct RR_PL_s { }; struct stamp { - char time[7]; + __u8 time[7]; /* actually 6 unsigned, 1 signed */ } __attribute__ ((packed)); struct RR_TF_s { --- a/fs/isofs/util.c +++ b/fs/isofs/util.c @@ -14,7 +14,7 @@ * to GMT. Thus we should always be correct. */ -int iso_date(char * p, int flag) +int iso_date(u8 *p, int flag) { int year, month, day, hour, minute, second, tz; int crtime, days, i;
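Review bot: with `p` now `u8 *`, iso_date() must still treat the timezone byte p[6] as signed; the new rock.h comment "actually 6 unsigned, 1 signed" records exactly that, but the util.c hunk only changes the prototype, so please confirm the body sign-extends p[6] explicitly (testing the 0x80 bit or casting to `signed char`) rather than relying on the old `char` type, otherwise a negative west-of-GMT offset turns into a large positive one. The year byte is the intended beneficiary: as unsigned it covers 0..255 since 1900, i.e. through 2155, as the description says, where a signed `char` made 128..255 negative and broke every date past 2027.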
[PATCH 3.2 25/79] USB: Add delay-init quirk for Corsair K70 LUX keyboards
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Bernhard Rosenkraenzer commit a0fea6027f19c62727315aba1a7fae75a9caa842 upstream. Without this patch, K70 LUX keyboards don't work, saying usb 3-3: unable to read config index 0 descriptor/all usb 3-3: can't read configurations, error -110 usb usb3-port3: unable to enumerate USB device Signed-off-by: Bernhard Rosenkraenzer Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings --- drivers/usb/core/quirks.c | 3 +++ 1 file changed, 3 insertions(+) --- a/drivers/usb/core/quirks.c +++ b/drivers/usb/core/quirks.c @@ -205,6 +205,9 @@ static const struct usb_device_id usb_qu /* Corsair Strafe RGB */ { USB_DEVICE(0x1b1c, 0x1b20), .driver_info = USB_QUIRK_DELAY_INIT }, + /* Corsair K70 LUX */ + { USB_DEVICE(0x1b1c, 0x1b36), .driver_info = USB_QUIRK_DELAY_INIT }, + /* MIDI keyboard WORLDE MINI */ { USB_DEVICE(0x1c75, 0x0204), .driver_info = USB_QUIRK_CONFIG_INTF_STRINGS },
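Review bot: the new entry keeps the table's vendor/product ordering, landing after `USB_DEVICE(0x1b1c, 0x1b20)` (Corsair Strafe RGB) and before `USB_DEVICE(0x1c75, 0x0204)`, so there is nothing to change in the hunk. The commit message would be more useful to anyone bisecting if it named the ids (0x1b1c:0x1b36) alongside the enumeration errors it quotes, since the `error -110` timeout is what USB_QUIRK_DELAY_INIT is meant to paper over.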
[PATCH 3.2 21/79] l2tp: initialise PPP sessions before registering them
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- 
From: Guillaume Nault commit f98be6c6359e7e4a61aaefb9964c1db31cb9ec0c upstream. pppol2tp_connect() initialises L2TP sessions after they've been exposed to the rest of the system by l2tp_session_register(). This puts sessions into transient states that are the source of several races, in particular with session's deletion path. This patch centralises the initialisation code into pppol2tp_session_init(), which is called before the registration phase. The only field that can't be set before session registration is the pppol2tp socket pointer, which has already been converted to RCU. So pppol2tp_connect() should now be race-free. The session's .session_close() callback is now set before registration. Therefore, it's always called when l2tp_core deletes the session, even if it was created by pppol2tp_session_create() and hasn't been plugged to a pppol2tp socket yet. That'd prevent session free because the extra reference taken by pppol2tp_session_close() wouldn't be dropped by the socket's ->sk_destruct() callback (pppol2tp_session_destruct()). We could set .session_close() only while connecting a session to its pppol2tp socket, or teach pppol2tp_session_close() to avoid grabbing a reference when the session isn't connected, but that'd require adding some form of synchronisation to be race free. Instead of that, we can just let the pppol2tp socket hold a reference on the session as soon as it starts depending on it (that is, in pppol2tp_connect()). Then we don't need to utilise pppol2tp_session_close() to hold a reference at the last moment to prevent l2tp_core from dropping it. When releasing the socket, pppol2tp_release() now deletes the session using the standard l2tp_session_delete() function, instead of merely removing it from hash tables. l2tp_session_delete() drops the reference the sessions holds on itself, but also makes sure it doesn't remove a session twice. 
So it can safely be called, even if l2tp_core already tried, or is concurrently trying, to remove the session. Finally, pppol2tp_session_destruct() drops the reference held by the socket. Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts") Signed-off-by: Guillaume Nault Signed-off-by: David S. Miller [bwh: Backported to 3.2: adjust context] Signed-off-by: Ben Hutchings --- net/l2tp/l2tp_ppp.c | 69 + 1 file changed, 38 insertions(+), 31 deletions(-) --- a/net/l2tp/l2tp_ppp.c +++ b/net/l2tp/l2tp_ppp.c @@ -478,9 +478,6 @@ static void pppol2tp_session_close(struc inet_shutdown(sk->sk_socket, SEND_SHUTDOWN); sock_put(sk); } - - /* Don't let the session go away before our socket does */ - l2tp_session_inc_refcount(session); return; } @@ -541,7 +538,7 @@ static int pppol2tp_release(struct socke if (session != NULL) { struct pppol2tp_session *ps; - l2tp_session_queue_purge(session); + l2tp_session_delete(session); ps = l2tp_session_priv(session); mutex_lock(&ps->sk_lock); @@ -636,6 +633,35 @@ static void pppol2tp_show(struct seq_fil } #endif +static void pppol2tp_session_init(struct l2tp_session *session) +{ + struct pppol2tp_session *ps; + struct dst_entry *dst; + + session->recv_skb = pppol2tp_recv; + session->session_close = pppol2tp_session_close; +#if IS_ENABLED(CONFIG_L2TP_DEBUGFS) + session->show = pppol2tp_show; +#endif + + ps = l2tp_session_priv(session); + mutex_init(&ps->sk_lock); + ps->tunnel_sock = session->tunnel->sock; + ps->owner = current->pid; + + /* If PMTU discovery was enabled, use the MTU that was discovered */ + dst = sk_dst_get(session->tunnel->sock); + if (dst) { + u32 pmtu = dst_mtu(dst); + + if (pmtu) { + session->mtu = pmtu - PPPOL2TP_HEADER_OVERHEAD; + session->mru = pmtu - PPPOL2TP_HEADER_OVERHEAD; + } + dst_release(dst); + } +} + /* connect() handler. Attach a PPPoX socket to a tunnel UDP socket */ static int pppol2tp_connect(struct socket *sock, struct sockaddr *uservaddr, 
@@ -648,7 +674,6 @@ static int pppol2tp_connect(struct socke struct l2tp_session *session = NULL; struct l2tp_tunnel *tunnel; struct pppol2tp_session *ps; - struct dst_entry *dst; struct l2tp_session_cfg cfg = { 0, }; int error = 0; u32 tunnel_id, peer_tunnel_id; @@ -772,8 +797,8 @@ static int pppol2tp_connect(struct socke goto end; } + pppol2tp_session_init(session); ps = l2tp_session_priv(session); - mutex_init(&ps->sk_lock); l2tp_session_inc_refcount(session);
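Review bot: the new pppol2tp_session_init() wraps `session->show = pppol2tp_show;` in `#if IS_ENABLED(CONFIG_L2TP_DEBUGFS)`, but the `#endif` in the context just above shows the existing pppol2tp_show definition uses this tree's own guard; IS_ENABLED() was added to mainline after 3.2, so unless it has been backported to this tree the macro silently evaluates to 0 and `session->show` is never set. Use the same `#if defined(CONFIG_L2TP_DEBUGFS) || defined(CONFIG_L2TP_DEBUGFS_MODULE)` form that guards pppol2tp_show itself.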
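Review bot: in pppol2tp_release() the explicit `l2tp_session_queue_purge(session);` is replaced by `l2tp_session_delete(session);`, which is correct only if l2tp_session_delete() in this tree purges the reorder queue itself; please confirm that, since the backport note says only "adjust context". Likewise the connect hunk calls `pppol2tp_session_init(session);` right after the session is created, which achieves the "initialise before registering" goal only if l2tp_session_create() in this tree no longer adds the session to the hash tables and registration is a separate l2tp_session_register() step as the commit message assumes; if creation still registers, the init still happens after the session is visible and the races this patch targets remain.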
[PATCH 3.2 37/79] IB/mlx4: Increase maximal message size under UD QP
3.2.99-rc1 review patch. If anyone has any objections, please let me know. -- From: Mark Bloch commit 5f22a1d87c5315a98981ecf93cd8de226cffe6ca upstream. Maximal message should be used as a limit to the max message payload allowed, without the headers. The ConnectX-3 check is done against this value includes the headers. When the payload is 4K this will cause the NIC to drop packets. Increase maximal message to 8K as workaround, this shouldn't change current behaviour because we continue to set the MTU to 4k. To reproduce; set MTU to 4296 on the corresponding interface, for example: ifconfig eth0 mtu 4296 (both server and client) On server: ib_send_bw -c UD -d mlx4_0 -s 4096 -n 100 -i1 -m 4096 On client: ib_send_bw -d mlx4_0 -c UD -s 4096 -n 100 -i 1 -m 4096 Fixes: 6e0d733d9215 ("IB/mlx4: Allow 4K messages for UD QPs") Signed-off-by: Mark Bloch Reviewed-by: Majd Dibbiny Signed-off-by: Leon Romanovsky Signed-off-by: Doug Ledford Signed-off-by: Ben Hutchings --- drivers/infiniband/hw/mlx4/qp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/infiniband/hw/mlx4/qp.c +++ b/drivers/infiniband/hw/mlx4/qp.c @@ -1047,7 +1047,7 @@ static int __mlx4_ib_modify_qp(struct ib context->mtu_msgmax = (IB_MTU_4096 << 5) | ilog2(dev->dev->caps.max_gso_sz); else - context->mtu_msgmax = (IB_MTU_4096 << 5) | 12; + context->mtu_msgmax = (IB_MTU_4096 << 5) | 13; } else if (attr_mask & IB_QP_PATH_MTU) { if (attr->path_mtu < IB_MTU_256 || attr->path_mtu > IB_MTU_4096) { printk(KERN_ERR "path MTU (%u) is invalid\n",
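Review bot: the low bits of `mtu_msgmax` encode log2 of the maximum message size, so the change from `| 12` to `| 13` is 4K to 8K exactly as described, but the bare literal invites a future reader to "fix" it back to match `IB_MTU_4096 << 5`; a comment on that line (or a named constant) saying the extra bit is headroom for the headers ConnectX-3 counts against the limit would prevent that. The GSO branch above, which uses ilog2(dev->dev->caps.max_gso_sz), is unaffected.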