Re: [PATCH] md: Fix failed allocation of md_register_thread

2019-03-12 Thread Song Liu
On Thu, Mar 7, 2019 at 7:13 PM Guoqing Jiang  wrote:
>
>
>
> On 3/5/19 6:48 AM, Aditya Pakki wrote:
> > mddev->sync_thread can be set to NULL on kzalloc failure downstream.
> > The patch checks for such a scenario and frees allocated resources.
> >
> > Signed-off-by: Aditya Pakki 

Applied to https://github.com/liu-song-6/linux/tree/for-5.1/md-post

@Guoqing, I added your Acked-by to the commit and also the raid5 fix.

Thanks,
Song

> > ---
> >   drivers/md/raid10.c | 2 ++
> >   1 file changed, 2 insertions(+)
> >
> > diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
> > index abb5d382f64d..f52b4d9bcd24 100644
> > --- a/drivers/md/raid10.c
> > +++ b/drivers/md/raid10.c
> > @@ -3939,6 +3939,8 @@ static int raid10_run(struct mddev *mddev)
> >   set_bit(MD_RECOVERY_RUNNING, >recovery);
> >   mddev->sync_thread = md_register_thread(md_do_sync, mddev,
> >   "reshape");
> > + if (!mddev->sync_thread)
> > + goto out_free_conf;
> >   }
> >
> >   return 0;
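Review bot: The new goto out_free_conf in raid10_run() is taken right after set_bit(MD_RECOVERY_RUNNING, ...) on the line above md_register_thread(), so on failure that recovery flag stays set while the conf is torn down. Consider clearing MD_RECOVERY_RUNNING before the goto. The added lines also assign no error code, so please confirm that the out_free_conf path returns a negative errno rather than a stale or zero value.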
>
> Could you make the change for raid5 as well? It also doesn't check the
> failure
> in raid5_run.
>
> Thanks,
> Guoqing


[PATCH 4.9 09/96] staging: android: ion: fix sys heap pools gfp_flags

2019-03-12 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Qing Xia 

commit 9bcf065e28122588a6cbee08cf847826dacbb438 upstream.

In the first loop, gfp_flags will be modified to high_order_gfp_flags,
and there will be no chance to change back to low_order_gfp_flags.

Fixes: e7f63771b60e ("ION: Sys_heap: Add cached pool to spead up cached buffer alloc")
Signed-off-by: Qing Xia 
Cc: stable 
Signed-off-by: Jing Xia 
Reviewed-by: Yuming Han 
Reviewed-by: Zhaoyang Huang 
Reviewed-by: Orson Zhai 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/staging/android/ion/ion_system_heap.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/staging/android/ion/ion_system_heap.c
+++ b/drivers/staging/android/ion/ion_system_heap.c
@@ -307,10 +307,10 @@ static int ion_system_heap_create_pools(
bool cached)
 {
int i;
-   gfp_t gfp_flags = low_order_gfp_flags;
 
for (i = 0; i < NUM_ORDERS; i++) {
struct ion_page_pool *pool;
+   gfp_t gfp_flags = low_order_gfp_flags;
 
if (orders[i] > 4)
gfp_flags = high_order_gfp_flags;
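Review bot: In ion_system_heap_create_pools(), moving the gfp_flags declaration into the loop fixes the sticky high-order flags, but the value is still chosen in two steps (initialised to low_order_gfp_flags, then overwritten when orders[i] > 4). Selecting it in one expression, e.g. gfp_t gfp_flags = orders[i] > 4 ? high_order_gfp_flags : low_order_gfp_flags;, would make the per-order choice explicit and harder to regress. The bare 4 would also benefit from a named constant or a comment.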




[PATCH 4.9 20/96] net: sit: fix memory leak in sit_init_net()

2019-03-12 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Mao Wenan 

[ Upstream commit 07f12b26e21ab359261bf75cfcb424fdc7daeb6d ]

If register_netdev() fails to register sitn->fb_tunnel_dev,
it will go to err_reg_dev and forget to free netdev(sitn->fb_tunnel_dev).

BUG: memory leak
unreferenced object 0x888378daad00 (size 512):
  comm "syz-executor.1", pid 4006, jiffies 4295121142 (age 16.115s)
  hex dump (first 32 bytes):
00 e6 ed c0 83 88 ff ff 00 00 00 00 00 00 00 00  
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
backtrace:
[] kvmalloc include/linux/mm.h:577 [inline]
[] kvzalloc include/linux/mm.h:585 [inline]
[] netif_alloc_netdev_queues net/core/dev.c:8380 [inline]
[] alloc_netdev_mqs+0x600/0xcc0 net/core/dev.c:8970
[<867e172f>] sit_init_net+0x295/0xa40 net/ipv6/sit.c:1848
[<871019fa>] ops_init+0xad/0x3e0 net/core/net_namespace.c:129
[<319507f6>] setup_net+0x2ba/0x690 net/core/net_namespace.c:314
[<87db4f96>] copy_net_ns+0x1dc/0x330 net/core/net_namespace.c:437
[<57efc651>] create_new_namespaces+0x382/0x730 kernel/nsproxy.c:107
[<676f83de>] copy_namespaces+0x2ed/0x3d0 kernel/nsproxy.c:165
[<30b74bac>] copy_process.part.27+0x231e/0x6db0 kernel/fork.c:1919
[] copy_process kernel/fork.c:1713 [inline]
[] _do_fork+0x1bc/0xe90 kernel/fork.c:2224
[<1c2e0d1c>] do_syscall_64+0xc8/0x580 arch/x86/entry/common.c:290
[] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[<39acff8a>] 0x

Signed-off-by: Mao Wenan 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 net/ipv6/sit.c |1 +
 1 file changed, 1 insertion(+)

--- a/net/ipv6/sit.c
+++ b/net/ipv6/sit.c
@@ -1851,6 +1851,7 @@ static int __net_init sit_init_net(struc
 
 err_reg_dev:
ipip6_dev_free(sitn->fb_tunnel_dev);
+   free_netdev(sitn->fb_tunnel_dev);
 err_alloc_dev:
return err;
 }
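Review bot: At err_reg_dev the added free_netdev(sitn->fb_tunnel_dev) runs directly after ipip6_dev_free() on the same pointer. Please confirm that ipip6_dev_free() in the 4.9 tree does not itself end in free_netdev(); if it does, this backport turns the leak into a double free. Setting sitn->fb_tunnel_dev to NULL after the free would also keep later users of the per-net structure from seeing a stale pointer.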




[PATCH 4.9 69/96] irqchip/mmp: Only touch the PJ4 IRQ & FIQ bits on enable/disable

2019-03-12 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

[ Upstream commit 2380a22b60ce6f995eac806e69c66e397b59d045 ]

Resetting bit 4 disables the interrupt delivery to the "secure
processor" core. This breaks the keyboard on an OLPC XO 1.75 laptop,
where the firmware running on the "secure processor" bit-bangs the
PS/2 protocol over the GPIO lines.

It is not clear what the rest of the bits are and Marvell was unhelpful
when asked for documentation. Aside from the SP bit, there are probably
priority bits.

Leaving the unknown bits as the firmware set them up seems to be a wiser
course of action compared to just turning them off.

Signed-off-by: Lubomir Rintel 
Acked-by: Pavel Machek 
[maz: fixed-up subject and commit message]
Signed-off-by: Marc Zyngier 
Signed-off-by: Sasha Levin 
---
 drivers/irqchip/irq-mmp.c | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/irqchip/irq-mmp.c b/drivers/irqchip/irq-mmp.c
index 013fc9659a84..2fe2bcb63a71 100644
--- a/drivers/irqchip/irq-mmp.c
+++ b/drivers/irqchip/irq-mmp.c
@@ -34,6 +34,9 @@
 #define SEL_INT_PENDING(1 << 6)
 #define SEL_INT_NUM_MASK   0x3f
 
+#define MMP2_ICU_INT_ROUTE_PJ4_IRQ (1 << 5)
+#define MMP2_ICU_INT_ROUTE_PJ4_FIQ (1 << 6)
+
 struct icu_chip_data {
int nr_irqs;
unsigned intvirq_base;
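Review bot: The two new MMP2_ICU_INT_ROUTE_PJ4_* defines name bits 5 and 6, but the bit the commit message is actually about, bit 4 routing to the "secure processor", gets neither a define nor a comment. A one-line comment above the defines saying that bit 4 is the SP route and that the remaining bits are undocumented would keep the reason for the narrower mask next to the code.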
@@ -190,7 +193,8 @@ static struct mmp_intc_conf mmp_conf = {
 static struct mmp_intc_conf mmp2_conf = {
.conf_enable= 0x20,
.conf_disable   = 0x0,
-   .conf_mask  = 0x7f,
+   .conf_mask  = MMP2_ICU_INT_ROUTE_PJ4_IRQ |
+ MMP2_ICU_INT_ROUTE_PJ4_FIQ,
 };
 
 static void __exception_irq_entry mmp_handle_irq(struct pt_regs *regs)
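Review bot: In mmp2_conf, conf_mask now uses the named route bits while conf_enable stays the literal 0x20, which is the same value as MMP2_ICU_INT_ROUTE_PJ4_IRQ (1 << 5). Writing .conf_enable = MMP2_ICU_INT_ROUTE_PJ4_IRQ would make it obvious that the enable value lies inside the mask.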
-- 
2.19.1





Re: [PATCH 0/4] mm: Use slab_list list_head instead of lru

2019-03-12 Thread Roman Gushchin
On Tue, Mar 12, 2019 at 01:01:53PM +1100, Tobin C. Harding wrote:
> On Tue, Mar 12, 2019 at 12:22:23AM +, Roman Gushchin wrote:
> > On Mon, Mar 11, 2019 at 04:16:33PM -0700, Matthew Wilcox wrote:
> > > On Mon, Mar 11, 2019 at 08:49:23PM +, Roman Gushchin wrote:
> > > > The patchset looks good to me, however I'd add some clarifications
> > > > why switching from lru to slab_list is safe.
> > > > 
> > > > My understanding is that the slab_list field isn't currently in use,
> > > > but it's not that obvious that putting slab_list and next/pages/pobjects
> > > > fields into a union is safe (for the slub case).
> > > 
> > > It's already in a union.
> > > 
> > > struct page {
> > > union {
> > > struct {/* Page cache and anonymous pages */
> > > struct list_head lru;
> > > ...
> > > struct {/* slab, slob and slub */
> > > union {
> > > > struct list_head slab_list; /* uses lru */
> > > struct {/* Partial pages */
> > > struct page *next;
> > > 
> > > slab_list and lru are in the same bits.  Once this patch set is in,
> > > we can remove the enigmatic 'uses lru' comment that I added.
> > 
> > Ah, perfect, thanks! Makes total sense then.
> > 
> > Tobin, can you, please, add a note to the commit message?
> > With the note:
> > Reviewed-by: Roman Gushchin 
> 
> Awesome, thanks.  That's for all 4 patches or excluding 2?

To all 4, given that you'll add some explanations to the commit message.

Thanks!


[PATCH 4.9 60/96] mm, memory_hotplug: is_mem_section_removable do not pass the end of a zone

2019-03-12 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

[ Upstream commit efad4e475c312456edb3c789d0996d12ed744c13 ]

Patch series "mm, memory_hotplug: fix uninitialized pages fallouts", v2.

Mikhail Zaslonko has posted fixes for the two bugs quite some time ago
[1].  I have pushed back on those fixes because I believed that it is
much better to plug the problem at the initialization time rather than
play whack-a-mole all over the hotplug code and find all the places
which expect the full memory section to be initialized.

We have ended up with commit 2830bf6f05fb ("mm, memory_hotplug:
initialize struct pages for the full memory section") merged and cause a
regression [2][3].  The reason is that there might be memory layouts
when two NUMA nodes share the same memory section so the merged fix is
simply incorrect.

In order to plug this hole we really have to be zone range aware in
those handlers.  I have split up the original patch into two.  One is
unchanged (patch 2) and I took a different approach for `removable'
crash.

[1] http://lkml.kernel.org/r/20181105150401.97287-2-zaslo...@linux.ibm.com
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1666948
[3] http://lkml.kernel.org/r/20190125163938.ga20...@dhcp22.suse.cz

This patch (of 2):

Mikhail has reported the following VM_BUG_ON triggered when reading sysfs
removable state of a memory block:

 page:03d08300c000 is uninitialized and poisoned
 page dumped because: VM_BUG_ON_PAGE(PagePoisoned(p))
 Call Trace:
   is_mem_section_removable+0xb4/0x190
   show_mem_removable+0x9a/0xd8
   dev_attr_show+0x34/0x70
   sysfs_kf_seq_show+0xc8/0x148
   seq_read+0x204/0x480
   __vfs_read+0x32/0x178
   vfs_read+0x82/0x138
   ksys_read+0x5a/0xb0
   system_call+0xdc/0x2d8
 Last Breaking-Event-Address:
   is_mem_section_removable+0xb4/0x190
 Kernel panic - not syncing: Fatal exception: panic_on_oops

The reason is that the memory block spans the zone boundary and we are
stumbling over an uninitialized struct page.  Fix this by enforcing zone
range in is_mem_section_removable so that we never run away from a zone.

Link: http://lkml.kernel.org/r/20190128144506.15603-2-mho...@kernel.org
Signed-off-by: Michal Hocko 
Reported-by: Mikhail Zaslonko 
Debugged-by: Mikhail Zaslonko 
Tested-by: Gerald Schaefer 
Tested-by: Mikhail Gavrilov 
Reviewed-by: Oscar Salvador 
Cc: Pavel Tatashin 
Cc: Heiko Carstens 
Cc: Martin Schwidefsky 
Signed-off-by: Andrew Morton 
Signed-off-by: Linus Torvalds 
Signed-off-by: Sasha Levin 
---
 mm/memory_hotplug.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/mm/memory_hotplug.c b/mm/memory_hotplug.c
index e4c271298074..a03a401f11b6 100644
--- a/mm/memory_hotplug.c
+++ b/mm/memory_hotplug.c
@@ -1471,7 +1471,8 @@ static struct page *next_active_pageblock(struct page 
*page)
 bool is_mem_section_removable(unsigned long start_pfn, unsigned long nr_pages)
 {
struct page *page = pfn_to_page(start_pfn);
-   struct page *end_page = page + nr_pages;
+   unsigned long end_pfn = min(start_pfn + nr_pages, 
zone_end_pfn(page_zone(page)));
+   struct page *end_page = pfn_to_page(end_pfn);
 
/* Check the starting page of each pageblock within the range */
for (; page < end_page; page = next_active_pageblock(page)) {
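Review bot: In is_mem_section_removable(), the clamp calls page_zone(page) on the struct page for start_pfn, so the fix still assumes that the first page of the block is initialised and belongs to the zone being checked; a short comment stating that assumption would help. The loop also keeps comparing struct page pointers (page < end_page) with end_page taken from pfn_to_page(end_pfn), which can be one past the zone. It is only used as a bound here, but iterating by pfn would avoid forming that pointer at all.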
-- 
2.19.1





[PATCH 4.9 00/96] 4.9.163-stable review

2019-03-12 Thread Greg Kroah-Hartman
This is the start of the stable review cycle for the 4.9.163 release.
There are 96 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Thu Mar 14 17:10:06 UTC 2019.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:

https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.163-rc1.gz
or in the git tree and branch at:

git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git 
linux-4.9.y
and the diffstat can be found below.

thanks,

greg k-h

-
Pseudo-Shortlog of commits:

Greg Kroah-Hartman 
Linux 4.9.163-rc1

Peter Zijlstra (Intel) 
x86: Add TSX Force Abort CPUID/MSR

Peter Zijlstra (Intel) 
perf/x86/intel: Generalize dynamic constraint creation

Peter Zijlstra (Intel) 
perf/x86/intel: Make cpuc allocations consistent

Krzysztof Kozlowski 
ARM: dts: exynos: Do not ignore real-world fuse values for thermal zone 0 
on Exynos5420

Vincent Whitchurch 
ARM: 8781/1: Fix Thumb-2 syscall return for binutils 2.29+

Ard Biesheuvel 
drm: disable uncached DMA optimization for ARM and arm64

Marek Szyprowski 
ARM: dts: exynos: Add minimal clkout parameters to Exynos3250 PMU

Marek Szyprowski 
ARM: dts: exynos: Fix pinctrl definition for eMMC RTSN line on Odroid X2/U3

Peter Zijlstra 
futex,rt_mutex: Restructure rt_mutex_finish_proxy_lock()

Gustavo A. R. Silva 
scsi: aacraid: Fix missing break in switch statement

Gustavo A. R. Silva 
iscsi_ibft: Fix missing break in switch statement

Vincent Batts 
Input: elan_i2c - add id for touchpad found in Lenovo s21e-20

Jason Gerecke 
Input: wacom_serial4 - add support for Wacom ArtPad II tablet

Tetsuo Handa 
fs: ratelimit __find_get_block_slow() failure message.

Jun-Ru Chang 
MIPS: Remove function size check in get_frame_info()

Huacai Chen 
MIPS: Loongson: Introduce and use loongson_llsc_mb()

Arnaldo Carvalho de Melo 
perf trace: Support multiple "vfs_getname" probes

Jiri Olsa 
perf symbols: Filter out hidden symbols from labels

Julian Wiedmann 
s390/qeth: fix use-after-free in error path

Martynas Pumputis 
netfilter: nf_nat: skip nat clash resolution for same-origin entries

Florian Westphal 
selftests: netfilter: add simple masq/redirect test cases

Naresh Kamboju 
selftests: netfilter: fix config fragment CONFIG_NF_TABLES_INET

Andy Shevchenko 
dmaengine: dmatest: Abort test in case of mapping error

Stefano Garzarella 
vsock/virtio: reset connected sockets on device removal

Stefano Garzarella 
vsock/virtio: fix kernel panic after device hot-unplug

Codrin Ciubotariu 
dmaengine: at_xdmac: Fix wrongfull report of a channel as in use

Paul Kocialkowski 
drm/sun4i: tcon: Prepare and enable TCON channel 0 clock at init

Lubomir Rintel 
irqchip/mmp: Only touch the PJ4 IRQ & FIQ bits on enable/disable

Anders Roxell 
usb: phy: fix link errors

Srinivas Kandagatla 
arm64: dts: add msm8996 compatible to gicv3

Peng Hao 
ARM: pxa: ssp: unneeded to free devm_ allocated data

Madalin Bucur 
soc: fsl: qbman: avoid race in clearing QMan interrupt

Ian Kent 
autofs: fix error return in autofs_fill_super()

Pan Bian 
autofs: drop dentry reference only when it is never used

Jan Kara 
fs/drop_caches.c: avoid softlockups in drop_pagecache_sb()

Mikhail Zaslonko 
mm, memory_hotplug: test_pages_in_a_zone do not pass the end of zone

Michal Hocko 
mm, memory_hotplug: is_mem_section_removable do not pass the end of a zone

Qian Cai 
x86_64: increase stack size for KASAN_EXTRA

Kairui Song 
x86/kexec: Don't setup EFI info if EFI runtime is not enabled

James Morse 
arm64: kprobe: Always blacklist the KVM world-switch code

Ronnie Sahlberg 
cifs: fix computation for MAX_SMB2_HDR_SIZE

Sinan Kaya 
platform/x86: Fix unmet dependency warning for SAMSUNG_Q10

Ming Lu 
scsi: libfc: free skb when receiving invalid flogi resp

Manish Chopra 
qed: Fix VF probe failure while FLR

Yao Liu 
nfs: Fix NULL pointer dereference of dev_name

Andrew Lunn 
gpio: vf610: Mask all GPIO interrupts

Alexey Khoroshilov 
net: stmmac: dwmac-rk: fix error handling in rk_gmac_powerup()

Yonglong Liu 
net: hns: Fix wrong read accesses via Clause 45 MDIO protocol

Yonglong Liu 
net: hns: Fix for missing of_node_put() after of_parse_phandle()

Tomonori Sakita 
net: altera_tse: fix msgdma_tx_completion on non-zero fill_level case

Max Filippov 
xtensa: SMP: limit number of possible CPUs by NR_CPUS

Max Filippov 
xtensa: SMP: mark each possible CPU as present

Max Filippov 
xtensa: smp_lx200_defconfig: fix vectors clash

Max Filippov 
xtensa: SMP: fix secondary CPU initialization

Max Filippov 
xtensa: SMP: fix ccount_timer_shutdown

Suravee Suthikulpanit 
iommu/amd: 

[PATCH 4.9 93/96] ARM: dts: exynos: Do not ignore real-world fuse values for thermal zone 0 on Exynos5420

2019-03-12 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Krzysztof Kozlowski 

commit 28928a3ce142b2e4e5a7a0f067cefb41a3d2c3f9 upstream.

In Odroid XU3 Lite board, the temperature levels reported for thermal
zone 0 were weird. In warm room:
/sys/class/thermal/thermal_zone0/temp:32000
/sys/class/thermal/thermal_zone1/temp:51000
/sys/class/thermal/thermal_zone2/temp:55000
/sys/class/thermal/thermal_zone3/temp:54000
/sys/class/thermal/thermal_zone4/temp:51000

Sometimes after booting the value was even equal to ambient temperature
which is highly unlikely to be a real temperature of sensor in SoC.

The thermal sensor's calibration (trimming) is based on fused values.
In case of the board above, the fused values are: 35, 52, 43, 58 and 43
(corresponding to each TMU device).  However driver defined a minimum value
for fused data as 40 and for smaller values it was using a hard-coded 55
instead.  This led to mapping data from sensor to wrong temperatures
for thermal zone 0.

Various vendor 3.10 trees (Hardkernel's based on Samsung LSI, Artik 10)
do not impose any limits on fused values.  Since we do not have any
knowledge about these limits, use 0 as a minimum accepted fused value.
This should essentially allow accepting any reasonable fused value thus
behaving like vendor driver.

The exynos5420-tmu-sensor-conf.dtsi is copied directly from existing
exynos4412 with one change - the samsung,tmu_min_efuse_value.

Signed-off-by: Krzysztof Kozlowski 
Acked-by: Bartlomiej Zolnierkiewicz 
Acked-by: Eduardo Valentin 
Reviewed-by: Javier Martinez Canillas 
Tested-by: Javier Martinez Canillas 
Reviewed-by: Anand Moon 
Tested-by: Anand Moon 
Signed-off-by: Greg Kroah-Hartman 


---
 arch/arm/boot/dts/exynos5420-tmu-sensor-conf.dtsi |   25 ++
 arch/arm/boot/dts/exynos5420.dtsi |   10 
 2 files changed, 30 insertions(+), 5 deletions(-)

--- /dev/null
+++ b/arch/arm/boot/dts/exynos5420-tmu-sensor-conf.dtsi
@@ -0,0 +1,25 @@
+/*
+ * Device tree sources for Exynos5420 TMU sensor configuration
+ *
+ * Copyright (c) 2014 Lukasz Majewski 
+ * Copyright (c) 2017 Krzysztof Kozlowski 
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ */
+
+#include 
+
+#thermal-sensor-cells = <0>;
+samsung,tmu_gain = <8>;
+samsung,tmu_reference_voltage = <16>;
+samsung,tmu_noise_cancel_mode = <4>;
+samsung,tmu_efuse_value = <55>;
+samsung,tmu_min_efuse_value = <0>;
+samsung,tmu_max_efuse_value = <100>;
+samsung,tmu_first_point_trim = <25>;
+samsung,tmu_second_point_trim = <85>;
+samsung,tmu_default_temp_offset = <50>;
+samsung,tmu_cal_type = ;
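Review bot: The new exynos5420-tmu-sensor-conf.dtsi sets samsung,tmu_min_efuse_value = <0> without a comment, and per the commit message that property is the only difference from the exynos4412 file. A comment on that line saying that vendor trees impose no lower limit would stop someone from restoring 40 later. It is also worth noting there that, with the minimum at 0, the samsung,tmu_efuse_value = <55> fallback no longer replaces any low fused value.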
--- a/arch/arm/boot/dts/exynos5420.dtsi
+++ b/arch/arm/boot/dts/exynos5420.dtsi
@@ -694,7 +694,7 @@
interrupts = <0 65 0>;
clocks = < CLK_TMU>;
clock-names = "tmu_apbif";
-   #include "exynos4412-tmu-sensor-conf.dtsi"
+   #include "exynos5420-tmu-sensor-conf.dtsi"
};
 
tmu_cpu1: tmu@10064000 {
@@ -703,7 +703,7 @@
interrupts = <0 183 0>;
clocks = < CLK_TMU>;
clock-names = "tmu_apbif";
-   #include "exynos4412-tmu-sensor-conf.dtsi"
+   #include "exynos5420-tmu-sensor-conf.dtsi"
};
 
tmu_cpu2: tmu@10068000 {
@@ -712,7 +712,7 @@
interrupts = <0 184 0>;
clocks = < CLK_TMU>, < CLK_TMU>;
clock-names = "tmu_apbif", "tmu_triminfo_apbif";
-   #include "exynos4412-tmu-sensor-conf.dtsi"
+   #include "exynos5420-tmu-sensor-conf.dtsi"
};
 
tmu_cpu3: tmu@1006c000 {
@@ -721,7 +721,7 @@
interrupts = <0 185 0>;
clocks = < CLK_TMU>, < CLK_TMU_GPU>;
clock-names = "tmu_apbif", "tmu_triminfo_apbif";
-   #include "exynos4412-tmu-sensor-conf.dtsi"
+   #include "exynos5420-tmu-sensor-conf.dtsi"
};
 
tmu_gpu: tmu@100a {
@@ -730,7 +730,7 @@
interrupts = <0 215 0>;
clocks = < CLK_TMU_GPU>, < CLK_TMU>;
clock-names = "tmu_apbif", "tmu_triminfo_apbif";
-   #include "exynos4412-tmu-sensor-conf.dtsi"
+   #include "exynos5420-tmu-sensor-conf.dtsi"
};
 
sysmmu_g2dr: sysmmu@0x10A6 {




[PATCH 4.9 96/96] x86: Add TSX Force Abort CPUID/MSR

2019-03-12 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: "Peter Zijlstra (Intel)" 

commit 52f64909409c17adf54fcf5f9751e0544ca3a6b4 upstream

Skylake systems will receive a microcode update to address a TSX
errata. This microcode will (by default) clobber PMC3 when TSX
instructions are (speculatively or not) executed.

It also provides an MSR to cause all TSX transaction to abort and
preserve PMC3.

Add the CPUID enumeration and MSR definition.

Signed-off-by: Peter Zijlstra (Intel) 
Signed-off-by: Thomas Gleixner 
Signed-off-by: Greg Kroah-Hartman 
---
 arch/x86/include/asm/cpufeatures.h |1 +
 arch/x86/include/asm/msr-index.h   |6 ++
 2 files changed, 7 insertions(+)

--- a/arch/x86/include/asm/cpufeatures.h
+++ b/arch/x86/include/asm/cpufeatures.h
@@ -314,6 +314,7 @@
 /* Intel-defined CPU features, CPUID level 0x0007:0 (EDX), word 18 */
 #define X86_FEATURE_AVX512_4VNNIW  (18*32+ 2) /* AVX-512 Neural Network 
Instructions */
 #define X86_FEATURE_AVX512_4FMAPS  (18*32+ 3) /* AVX-512 Multiply 
Accumulation Single precision */
+#define X86_FEATURE_TSX_FORCE_ABORT(18*32+13) /* "" TSX_FORCE_ABORT */
 #define X86_FEATURE_PCONFIG(18*32+18) /* Intel PCONFIG */
 #define X86_FEATURE_SPEC_CTRL  (18*32+26) /* "" Speculation Control 
(IBRS + IBPB) */
 #define X86_FEATURE_INTEL_STIBP(18*32+27) /* "" Single Thread 
Indirect Branch Predictors */
--- a/arch/x86/include/asm/msr-index.h
+++ b/arch/x86/include/asm/msr-index.h
@@ -575,6 +575,12 @@
 
 #define MSR_IA32_TSC_DEADLINE  0x06E0
 
+
+#define MSR_TSX_FORCE_ABORT0x010F
+
+#define MSR_TFA_RTM_FORCE_ABORT_BIT0
+#define MSR_TFA_RTM_FORCE_ABORT
BIT_ULL(MSR_TFA_RTM_FORCE_ABORT_BIT)
+
 /* P4/Xeon+ specific */
 #define MSR_IA32_MCG_EAX   0x0180
 #define MSR_IA32_MCG_EBX   0x0181
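Review bot: The added MSR_TSX_FORCE_ABORT block in msr-index.h opens with an empty line directly after an existing blank line, leaving two blank lines in a row, and the new defines carry no comment. Drop the leading blank line and add a one-line comment that setting MSR_TFA_RTM_FORCE_ABORT makes TSX transactions abort so that PMC3 is preserved, as the commit message explains.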




[PATCH 4.9 32/96] exec: Fix mem leak in kernel_read_file

2019-03-12 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: YueHaibing 

commit f612acfae86af7ecad754ae6a46019be9da05b8e upstream.

syzkaller report this:
BUG: memory leak
unreferenced object 0xc9000488d000 (size 9195520):
  comm "syz-executor.0", pid 2752, jiffies 4294787496 (age 18.757s)
  hex dump (first 32 bytes):
ff ff ff ff ff ff ff ff a8 00 00 00 01 00 00 00  
02 00 00 00 00 00 00 00 80 a1 7a c1 ff ff ff ff  ..z.
  backtrace:
[<0863775c>] __vmalloc_node mm/vmalloc.c:1795 [inline]
[<0863775c>] __vmalloc_node_flags mm/vmalloc.c:1809 [inline]
[<0863775c>] vmalloc+0x8c/0xb0 mm/vmalloc.c:1831
[<3f668111>] kernel_read_file+0x58f/0x7d0 fs/exec.c:924
[<2385813f>] kernel_read_file_from_fd+0x49/0x80 fs/exec.c:993
[<11953ff1>] __do_sys_finit_module+0x13b/0x2a0 kernel/module.c:3895
[<6f58491f>] do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
[] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[<241f889b>] 0x

It should goto 'out_free' label to free allocated buf while kernel_read
fails.

Fixes: 39d637af5aa7 ("vfs: forbid write access when reading a file into memory")
Signed-off-by: YueHaibing 
Signed-off-by: Al Viro 
Cc: Thibaut Sautereau 
Signed-off-by: Greg Kroah-Hartman 

---
 fs/exec.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/exec.c
+++ b/fs/exec.c
@@ -938,7 +938,7 @@ int kernel_read_file(struct file *file,
i_size - pos);
if (bytes < 0) {
ret = bytes;
-   goto out;
+   goto out_free;
}
 
if (bytes == 0)
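Review bot: Only the bytes < 0 exit in kernel_read_file() is switched to out_free; the if (bytes == 0) branch that follows is another way out of the read loop and its body is not part of this hunk. Please confirm that this path, and any other exit taken after the buffer is allocated, also frees the buffer on failure, so that the fix does not leave a sibling leak behind.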




[PATCH 4.9 95/96] perf/x86/intel: Generalize dynamic constraint creation

2019-03-12 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: "Peter Zijlstra (Intel)" 

commit 11f8b2d65ca9029591c8df26bb6bd063c312b7fe upstream

Such that we can re-use it.

Signed-off-by: Peter Zijlstra (Intel) 
Signed-off-by: Thomas Gleixner 
Signed-off-by: Greg Kroah-Hartman 
---
 arch/x86/events/intel/core.c |   51 +--
 1 file changed, 30 insertions(+), 21 deletions(-)

--- a/arch/x86/events/intel/core.c
+++ b/arch/x86/events/intel/core.c
@@ -2493,6 +2493,35 @@ intel_stop_scheduling(struct cpu_hw_even
 }
 
 static struct event_constraint *
+dyn_constraint(struct cpu_hw_events *cpuc, struct event_constraint *c, int idx)
+{
+   WARN_ON_ONCE(!cpuc->constraint_list);
+
+   if (!(c->flags & PERF_X86_EVENT_DYNAMIC)) {
+   struct event_constraint *cx;
+
+   /*
+* grab pre-allocated constraint entry
+*/
+   cx = >constraint_list[idx];
+
+   /*
+* initialize dynamic constraint
+* with static constraint
+*/
+   *cx = *c;
+
+   /*
+* mark constraint as dynamic
+*/
+   cx->flags |= PERF_X86_EVENT_DYNAMIC;
+   c = cx;
+   }
+
+   return c;
+}
+
+static struct event_constraint *
 intel_get_excl_constraints(struct cpu_hw_events *cpuc, struct perf_event 
*event,
   int idx, struct event_constraint *c)
 {
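Review bot: dyn_constraint() warns with WARN_ON_ONCE(!cpuc->constraint_list) and then still takes the entry at idx from constraint_list and writes *cx = *c through it, so a NULL list ends in a write through a near-NULL pointer right after the warning. Return c unchanged (or otherwise bail out) when the WARN_ON_ONCE condition fires. Since the helper is being split out for re-use, the valid range of idx should also be documented at the definition.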
@@ -2522,27 +2551,7 @@ intel_get_excl_constraints(struct cpu_hw
 * only needed when constraint has not yet
 * been cloned (marked dynamic)
 */
-   if (!(c->flags & PERF_X86_EVENT_DYNAMIC)) {
-   struct event_constraint *cx;
-
-   /*
-* grab pre-allocated constraint entry
-*/
-   cx = >constraint_list[idx];
-
-   /*
-* initialize dynamic constraint
-* with static constraint
-*/
-   *cx = *c;
-
-   /*
-* mark constraint as dynamic, so we
-* can free it later on
-*/
-   cx->flags |= PERF_X86_EVENT_DYNAMIC;
-   c = cx;
-   }
+   c = dyn_constraint(cpuc, c, idx);
 
/*
 * From here on, the constraint is dynamic.




[PATCH 4.9 86/96] iscsi_ibft: Fix missing break in switch statement

2019-03-12 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Gustavo A. R. Silva 

commit df997abeebadaa4824271009e2d2b526a70a11cb upstream.

Add missing break statement in order to prevent the code from falling
through to case ISCSI_BOOT_TGT_NAME, which is unnecessary.

This bug was found thanks to the ongoing efforts to enable
-Wimplicit-fallthrough.

Fixes: b33a84a38477 ("ibft: convert iscsi_ibft module to iscsi boot lib")
Cc: sta...@vger.kernel.org
Signed-off-by: Gustavo A. R. Silva 
Signed-off-by: Konrad Rzeszutek Wilk 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/firmware/iscsi_ibft.c |1 +
 1 file changed, 1 insertion(+)

--- a/drivers/firmware/iscsi_ibft.c
+++ b/drivers/firmware/iscsi_ibft.c
@@ -542,6 +542,7 @@ static umode_t __init ibft_check_tgt_for
case ISCSI_BOOT_TGT_NIC_ASSOC:
case ISCSI_BOOT_TGT_CHAP_TYPE:
rc = S_IRUGO;
+   break;
case ISCSI_BOOT_TGT_NAME:
if (tgt->tgt_name_len)
rc = S_IRUGO;
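Review bot: With the fall-through, the ISCSI_BOOT_TGT_CHAP_TYPE group set rc = S_IRUGO and then ran into the ISCSI_BOOT_TGT_NAME body, which, as far as this hunk shows, can only set rc = S_IRUGO again, so the added break does not change the mode that is returned. The commit message could say that this is a cleanup with no functional change, which also bears on whether it needs to go to stable.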




[PATCH 4.9 85/96] Input: elan_i2c - add id for touchpad found in Lenovo s21e-20

2019-03-12 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Vincent Batts 

commit e154ab69321ce2c54f19863d75c77b4e2dc9d365 upstream.

Lenovo s21e-20 uses ELAN0601 in its ACPI tables for the Elan touchpad.

Signed-off-by: Vincent Batts 
Cc: sta...@vger.kernel.org
Signed-off-by: Dmitry Torokhov 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/input/mouse/elan_i2c_core.c |1 +
 1 file changed, 1 insertion(+)

--- a/drivers/input/mouse/elan_i2c_core.c
+++ b/drivers/input/mouse/elan_i2c_core.c
@@ -1241,6 +1241,7 @@ static const struct acpi_device_id elan_
{ "ELAN", 0 },
{ "ELAN0100", 0 },
{ "ELAN0600", 0 },
+   { "ELAN0601", 0 },
{ "ELAN0602", 0 },
{ "ELAN0605", 0 },
{ "ELAN0608", 0 },




[PATCH 4.9 88/96] futex,rt_mutex: Restructure rt_mutex_finish_proxy_lock()

2019-03-12 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Peter Zijlstra 

commit 38d589f2fd08f1296aea3ce62bebd185125c6d81 upstream.

With the ultimate goal of keeping rt_mutex wait_list and futex_q waiters
consistent it's necessary to split 'rt_mutex_futex_lock()' into finer
parts, such that only the actual blocking can be done without hb->lock
held.

Split split_mutex_finish_proxy_lock() into two parts, one that does the
blocking and one that does remove_waiter() when the lock acquire failed.

When the rtmutex was acquired successfully the waiter can be removed in the
acquisition path safely, since there is no concurrency on the lock owner.

This means that, except for futex_lock_pi(), all wait_list modifications
are done with both hb->lock and wait_lock held.

[bige...@linutronix.de: fix for futex_requeue_pi_signal_restart]

Signed-off-by: Peter Zijlstra (Intel) 
Cc: juri.le...@arm.com
Cc: bige...@linutronix.de
Cc: xlp...@redhat.com
Cc: rost...@goodmis.org
Cc: mathieu.desnoy...@efficios.com
Cc: jdesfos...@efficios.com
Cc: dvh...@infradead.org
Cc: bris...@redhat.com
Link: http://lkml.kernel.org/r/20170322104152.001659...@infradead.org
Signed-off-by: Thomas Gleixner 
Signed-off-by: Zubin Mithra 
Signed-off-by: Greg Kroah-Hartman 

---
 kernel/futex.c  |7 +++--
 kernel/locking/rtmutex.c|   52 ++--
 kernel/locking/rtmutex_common.h |8 +++---
 3 files changed, 55 insertions(+), 12 deletions(-)

--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -2966,10 +2966,13 @@ static int futex_wait_requeue_pi(u32 __u
 */
WARN_ON(!q.pi_state);
pi_mutex = _state->pi_mutex;
-   ret = rt_mutex_finish_proxy_lock(pi_mutex, to, _waiter);
-   debug_rt_mutex_free_waiter(_waiter);
+   ret = rt_mutex_wait_proxy_lock(pi_mutex, to, _waiter);
 
spin_lock(q.lock_ptr);
+   if (ret && !rt_mutex_cleanup_proxy_lock(pi_mutex, _waiter))
+   ret = 0;
+
+   debug_rt_mutex_free_waiter(_waiter);
/*
 * Fixup the pi_state owner and possibly acquire the lock if we
 * haven't already.
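Review bot: In futex_wait_requeue_pi(), rt_mutex_cleanup_proxy_lock() is now called after spin_lock(q.lock_ptr), and a false return silently turns a failed wait into ret = 0. Both are deliberate according to the commit message, but neither is explained at the call site. A short comment above the if (ret && !rt_mutex_cleanup_proxy_lock(...)) line, saying that the cleanup must run under the hb lock and that false means the lock was acquired after all, would save readers a trip to the kerneldoc.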
--- a/kernel/locking/rtmutex.c
+++ b/kernel/locking/rtmutex.c
@@ -1746,21 +1746,23 @@ struct task_struct *rt_mutex_next_owner(
 }
 
 /**
- * rt_mutex_finish_proxy_lock() - Complete lock acquisition
+ * rt_mutex_wait_proxy_lock() - Wait for lock acquisition
  * @lock:  the rt_mutex we were woken on
  * @to:the timeout, null if none. hrtimer should 
already have
  * been started.
  * @waiter:the pre-initialized rt_mutex_waiter
  *
- * Complete the lock acquisition started our behalf by another thread.
+ * Wait for the the lock acquisition started on our behalf by
+ * rt_mutex_start_proxy_lock(). Upon failure, the caller must call
+ * rt_mutex_cleanup_proxy_lock().
  *
  * Returns:
  *  0 - success
  * <0 - error, one of -EINTR, -ETIMEDOUT
  *
- * Special API call for PI-futex requeue support
+ * Special API call for PI-futex support
  */
-int rt_mutex_finish_proxy_lock(struct rt_mutex *lock,
+int rt_mutex_wait_proxy_lock(struct rt_mutex *lock,
   struct hrtimer_sleeper *to,
   struct rt_mutex_waiter *waiter)
 {
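Review bot: The rewritten kerneldoc for rt_mutex_wait_proxy_lock() contains a doubled word, "Wait for the the lock acquisition". Please change it to "Wait for the lock acquisition" while the comment is being touched.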
@@ -1773,9 +1775,6 @@ int rt_mutex_finish_proxy_lock(struct rt
/* sleep on the mutex */
ret = __rt_mutex_slowlock(lock, TASK_INTERRUPTIBLE, to, waiter);
 
-   if (unlikely(ret))
-   remove_waiter(lock, waiter);
-
/*
 * try_to_take_rt_mutex() sets the waiter bit unconditionally. We might
 * have to fix that up.
@@ -1786,3 +1785,42 @@ int rt_mutex_finish_proxy_lock(struct rt
 
return ret;
 }
+
+/**
+ * rt_mutex_cleanup_proxy_lock() - Cleanup failed lock acquisition
+ * @lock:  the rt_mutex we were woken on
+ * @waiter:the pre-initialized rt_mutex_waiter
+ *
+ * Attempt to clean up after a failed rt_mutex_wait_proxy_lock().
+ *
+ * Unless we acquired the lock; we're still enqueued on the wait-list and can
+ * in fact still be granted ownership until we're removed. Therefore we can
+ * find we are in fact the owner and must disregard the
+ * rt_mutex_wait_proxy_lock() failure.
+ *
+ * Returns:
+ *  true  - did the cleanup, we done.
+ *  false - we acquired the lock after rt_mutex_wait_proxy_lock() returned,
+ *  caller should disregards its return value.
+ *
+ * Special API call for PI-futex support
+ */
+bool rt_mutex_cleanup_proxy_lock(struct rt_mutex *lock,
+struct rt_mutex_waiter *waiter)
+{
+   bool cleanup = false;
+
+   raw_spin_lock_irq(>wait_lock);
+   /*
+* Unless we're the owner; we're still enqueued on the wait_list.
+* So check if we became owner, if not, take us off the wait_list.
+ 

[PATCH 4.9 87/96] scsi: aacraid: Fix missing break in switch statement

2019-03-12 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Gustavo A. R. Silva 

commit 5e420fe635813e5746b296cfc8fff4853ae205a2 upstream.

Add missing break statement and fix indentation issue.

This bug was found thanks to the ongoing efforts to enable
-Wimplicit-fallthrough.

Fixes: 9cb62fa24e0d ("aacraid: Log firmware AIF messages")
Cc: sta...@vger.kernel.org
Signed-off-by: Gustavo A. R. Silva 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/scsi/aacraid/commsup.c |5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/scsi/aacraid/commsup.c
+++ b/drivers/scsi/aacraid/commsup.c
@@ -1179,8 +1179,9 @@ static void aac_handle_aif(struct aac_de
  ADD : DELETE;
break;
}
-   case AifBuManagerEvent:
-   aac_handle_aif_bu(dev, aifcmd);
+   break;
+   case AifBuManagerEvent:
+   aac_handle_aif_bu(dev, aifcmd);
break;
}
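Review bot: The added `break;` after the closing brace of the preceding case changes runtime behaviour, not just compiler warnings: until now that case fell through into `aac_handle_aif_bu(dev, aifcmd)`. The commit message only says "Add missing break statement", so for a stable backport it should name the case that was falling through and state that no firmware event of that type depended on the BU handler running. The re-indentation of `case AifBuManagerEvent:` is unrelated to the fix and would be cleaner as a separate change.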
 




[PATCH 4.9 89/96] ARM: dts: exynos: Fix pinctrl definition for eMMC RTSN line on Odroid X2/U3

2019-03-12 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Marek Szyprowski 

commit ec33745bccc8f336957c751f4153421cc9ef5a54 upstream.

Commit 225da7e65a03 ("ARM: dts: add eMMC reset line for
exynos4412-odroid-common") added MMC power sequence for eMMC card of
Odroid X2/U3. It reused generic sd1_cd pin control configuration node
and only disabled pull-up. However that time the pinctrl configuration
was not applied during MMC power sequence driver initialization. This
has been changed later by commit d97a1e5d7cd2 ("mmc: pwrseq: convert to
proper platform device").

It turned out then, that the provided pinctrl configuration is not
correct, because the eMMC_RTSN line is being re-configured as 'special
function/card detect function for mmc1 controller' not the simple
'output', thus the power sequence driver doesn't really set the pin
value. This in effect broke the reboot of Odroid X2/U3 boards. Fix this
by providing separate node with eMMC_RTSN pin configuration.

Cc: 
Reported-by: Markus Reichl 
Suggested-by: Ulf Hansson 
Fixes: 225da7e65a03 ("ARM: dts: add eMMC reset line for 
exynos4412-odroid-common")
Signed-off-by: Marek Szyprowski 
Signed-off-by: Krzysztof Kozlowski 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/arm/boot/dts/exynos4412-odroid-common.dtsi |   13 ++---
 1 file changed, 6 insertions(+), 7 deletions(-)

--- a/arch/arm/boot/dts/exynos4412-odroid-common.dtsi
+++ b/arch/arm/boot/dts/exynos4412-odroid-common.dtsi
@@ -70,7 +70,7 @@
};
 
emmc_pwrseq: pwrseq {
-   pinctrl-0 = <_cd>;
+   pinctrl-0 = <_rstn>;
pinctrl-names = "default";
compatible = "mmc-pwrseq-emmc";
reset-gpios = < 2 GPIO_ACTIVE_LOW>;
@@ -161,12 +161,6 @@
cpu0-supply = <_reg>;
 };
 
-/* RSTN signal for eMMC */
-_cd {
-   samsung,pin-pud = ;
-   samsung,pin-drv = ;
-};
-
 _1 {
gpio_power_key: power_key {
samsung,pins = "gpx1-3";
@@ -184,6 +178,11 @@
samsung,pins = "gpx3-7";
samsung,pin-pud = ;
};
+
+   emmc_rstn: emmc-rstn {
+   samsung,pins = "gpk1-2";
+   samsung,pin-pud = ;
+   };
 };
 
  {
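Review bot: The new `emmc_rstn: emmc-rstn` node sets only `samsung,pins = "gpk1-2"` and `samsung,pin-pud`, with no `samsung,pin-function` and no `samsung,pin-drv`, even though the commit message identifies the wrong pin function as the cause of the broken reboot. If the intent is that the pin becomes a plain output only when the pwrseq driver claims it through `reset-gpios`, say so in a comment on the node. The removed `/* RSTN signal for eMMC */` comment is worth carrying over to the new node, and the dropped drive-strength setting deserves a line in the commit message.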




[PATCH 4.9 82/96] MIPS: Remove function size check in get_frame_info()

2019-03-12 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

[ Upstream commit 2b424cfc69728224fcb5fad138ea7260728e0901 ]

Patch (b6c7a324df37b "MIPS: Fix get_frame_info() handling of
microMIPS function size.") introduces additional function size
check for microMIPS by only checking insn between ip and ip + func_size.
However, func_size in get_frame_info() is always 0 if KALLSYMS is not
enabled. This causes get_frame_info() to return immediately without
calculating correct frame_size, which in turn causes "Can't analyze
schedule() prologue" warning messages at boot time.

This patch removes func_size check, and let the frame_size check run
up to 128 insns for both MIPS and microMIPS.

Signed-off-by: Jun-Ru Chang 
Signed-off-by: Tony Wu 
Signed-off-by: Paul Burton 
Fixes: b6c7a324df37b ("MIPS: Fix get_frame_info() handling of microMIPS 
function size.")
Cc: 
Cc: 
Cc: 
Cc: 
Cc: 
Cc: 
Cc: 
Cc: 
Signed-off-by: Sasha Levin 
---
 arch/mips/kernel/process.c | 7 +++
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/arch/mips/kernel/process.c b/arch/mips/kernel/process.c
index 1cc133e7026f..fffd031dc6b6 100644
--- a/arch/mips/kernel/process.c
+++ b/arch/mips/kernel/process.c
@@ -344,7 +344,7 @@ static inline int is_sp_move_ins(union mips_instruction *ip)
 static int get_frame_info(struct mips_frame_info *info)
 {
bool is_mmips = IS_ENABLED(CONFIG_CPU_MICROMIPS);
-   union mips_instruction insn, *ip, *ip_end;
+   union mips_instruction insn, *ip;
const unsigned int max_insns = 128;
unsigned int last_insn_size = 0;
unsigned int i;
@@ -356,10 +356,9 @@ static int get_frame_info(struct mips_frame_info *info)
if (!ip)
goto err;
 
-   ip_end = (void *)ip + info->func_size;
-
-   for (i = 0; i < max_insns && ip < ip_end; i++) {
+   for (i = 0; i < max_insns; i++) {
ip = (void *)ip + last_insn_size;
+
if (is_mmips && mm_insn_16bit(ip->halfword[0])) {
insn.halfword[0] = 0;
insn.halfword[1] = ip->halfword[0];
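Review bot: Dropping `ip < ip_end` from the loop condition removes the only bound tied to the function being analysed, so the scan now always covers up to `max_insns` (128) instructions and, for a function shorter than that, runs on into whatever code follows it, where a stack-pointer adjustment belonging to a different function can be taken for this one's frame setup. The failure described in the commit message only occurs when `info->func_size` is 0, so consider keeping the bound when `func_size` is non-zero and falling back to `max_insns` alone otherwise. The blank line added after `ip = (void *)ip + last_insn_size;` is unrelated whitespace.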
-- 
2.19.1





[PATCH 4.9 21/96] xen-netback: dont populate the hash cache on XenBus disconnect

2019-03-12 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Igor Druzhinin 

[ Upstream commit a2288d4e355992d369c50c45d017a85f6061ff71 ]

Occasionally, during the disconnection procedure on XenBus which
includes hash cache deinitialization there might be some packets
still in-flight on other processors. Handling of these packets includes
hashing and hash cache population that finally results in hash cache
data structure corruption.

In order to avoid this we prevent hashing of those packets if there
are no queues initialized. In that case RCU protection of queues guards
the hash cache as well.

Signed-off-by: Igor Druzhinin 
Reviewed-by: Paul Durrant 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 drivers/net/xen-netback/hash.c  |2 ++
 drivers/net/xen-netback/interface.c |7 +++
 2 files changed, 9 insertions(+)

--- a/drivers/net/xen-netback/hash.c
+++ b/drivers/net/xen-netback/hash.c
@@ -435,6 +435,8 @@ void xenvif_init_hash(struct xenvif *vif
if (xenvif_hash_cache_size == 0)
return;
 
+   BUG_ON(vif->hash.cache.count);
+
spin_lock_init(>hash.cache.lock);
INIT_LIST_HEAD(>hash.cache.list);
 }
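Review bot: `BUG_ON(vif->hash.cache.count)` in xenvif_init_hash() turns a leftover cache entry into a kernel BUG in the backend, which is a heavy price for an invariant check. `WARN_ON()` followed by flushing the cache or refusing to initialise would report the same condition while keeping the backend running.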
--- a/drivers/net/xen-netback/interface.c
+++ b/drivers/net/xen-netback/interface.c
@@ -152,6 +152,13 @@ static u16 xenvif_select_queue(struct ne
 {
struct xenvif *vif = netdev_priv(dev);
unsigned int size = vif->hash.size;
+   unsigned int num_queues;
+
+   /* If queues are not set up internally - always return 0
+* as the packet going to be dropped anyway */
+   num_queues = READ_ONCE(vif->num_queues);
+   if (num_queues < 1)
+   return 0;
 
if (vif->hash.alg == XEN_NETIF_CTRL_HASH_ALGORITHM_NONE)
return fallback(dev, skb) % dev->real_num_tx_queues;
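Review bot: The early return in xenvif_select_queue() reads `vif->num_queues` with READ_ONCE(), but the ordering it relies on is described only in the commit message ("RCU protection of queues guards the hash cache as well"). The code comment should name the writer that clears num_queues on disconnect and the grace period that must elapse before the hash cache is torn down, otherwise a later change to the disconnect path can reopen the race without touching this function. Since num_queues is unsigned, `num_queues < 1` reads more clearly as `!num_queues`.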




[PATCH 4.9 90/96] ARM: dts: exynos: Add minimal clkout parameters to Exynos3250 PMU

2019-03-12 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Marek Szyprowski 

commit a66352e005488ecb4b534ba1af58a9f671eba9b8 upstream.

Add minimal parameters needed by the Exynos CLKOUT driver to Exynos3250
PMU node. This fixes the following warning on boot:

exynos_clkout_init: failed to register clkout clock

Fixes: d19bb397e19e ("ARM: dts: exynos: Update PMU node with CLKOUT related 
data")
Cc: 
Signed-off-by: Marek Szyprowski 
Signed-off-by: Krzysztof Kozlowski 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/arm/boot/dts/exynos3250.dtsi |3 +++
 1 file changed, 3 insertions(+)

--- a/arch/arm/boot/dts/exynos3250.dtsi
+++ b/arch/arm/boot/dts/exynos3250.dtsi
@@ -170,6 +170,9 @@
interrupt-controller;
#interrupt-cells = <3>;
interrupt-parent = <>;
+   clock-names = "clkout8";
+   clocks = < CLK_FIN_PLL>;
+   #clock-cells = <1>;
};
 
mipi_phy: video-phy {
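Review bot: `clock-names = "clkout8"` gives the PMU node a single CLKOUT input with no explanation of why index 8 is the one that has to be present. A short comment in the node, or a sentence in the commit message, stating which inputs the driver needs in order to register and that the remaining ones are intentionally omitted would keep the next editor from treating the list as incomplete, or from dropping the entry and bringing back the "failed to register clkout clock" warning.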




[PATCH 4.9 42/96] xtensa: SMP: fix ccount_timer_shutdown

2019-03-12 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

[ Upstream commit 4fe8713b873fc881284722ce4ac47995de7cf62c ]

ccount_timer_shutdown is called from the atomic context in the
secondary_start_kernel, resulting in the following BUG:

BUG: sleeping function called from invalid context
in_atomic(): 1, irqs_disabled(): 1, pid: 0, name: swapper/1
Preemption disabled at:
  secondary_start_kernel+0xa1/0x130
Call Trace:
  ___might_sleep+0xe7/0xfc
  __might_sleep+0x41/0x44
  synchronize_irq+0x24/0x64
  disable_irq+0x11/0x14
  ccount_timer_shutdown+0x12/0x20
  clockevents_switch_state+0x82/0xb4
  clockevents_exchange_device+0x54/0x60
  tick_check_new_device+0x46/0x70
  clockevents_register_device+0x8c/0xc8
  clockevents_config_and_register+0x1d/0x2c
  local_timer_setup+0x75/0x7c
  secondary_start_kernel+0xb4/0x130
  should_never_return+0x32/0x35

Use disable_irq_nosync instead of disable_irq to avoid it.
This is safe because the ccount timer IRQ is per-CPU, and once IRQ is
masked the ISR will not be called.

Signed-off-by: Max Filippov 
Signed-off-by: Sasha Levin 
---
 arch/xtensa/kernel/time.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/xtensa/kernel/time.c b/arch/xtensa/kernel/time.c
index be81e69b25bc..2251a6e0973a 100644
--- a/arch/xtensa/kernel/time.c
+++ b/arch/xtensa/kernel/time.c
@@ -89,7 +89,7 @@ static int ccount_timer_shutdown(struct clock_event_device 
*evt)
container_of(evt, struct ccount_timer, evt);
 
if (timer->irq_enabled) {
-   disable_irq(evt->irq);
+   disable_irq_nosync(evt->irq);
timer->irq_enabled = 0;
}
return 0;
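Review bot: `disable_irq_nosync(evt->irq)` does not wait for a handler that is already running, and the argument for why that is acceptable here (the ccount timer IRQ is per-CPU and the ISR will not be called once the IRQ is masked) lives only in the commit message. Put that reasoning in a comment above the call in ccount_timer_shutdown(), together with the fact that the function is reached from atomic context in secondary_start_kernel, so the call is not later converted back to disable_irq().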
-- 
2.19.1





[PATCH 4.9 57/96] arm64: kprobe: Always blacklist the KVM world-switch code

2019-03-12 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

[ Upstream commit f2b3d8566d81deaca31f4e3163def0bea7746e11 ]

On systems with VHE the kernel and KVM's world-switch code run at the
same exception level. Code that is only used on a VHE system does not
need to be annotated as __hyp_text as it can reside anywhere in the
 kernel text.

__hyp_text was also used to prevent kprobes from patching breakpoint
instructions into this region, as this code runs at a different
exception level. While this is no longer true with VHE, KVM still
switches VBAR_EL1, meaning a kprobe's breakpoint executed in the
world-switch code will cause a hyp-panic.

Move the __hyp_text check in the kprobes blacklist so it applies on
VHE systems too, to cover the common code and guest enter/exit
assembly.

Fixes: 888b3c8720e0 ("arm64: Treat all entry code as non-kprobe-able")
Reviewed-by: Christoffer Dall 
Signed-off-by: James Morse 
Acked-by: Masami Hiramatsu 
Signed-off-by: Will Deacon 
Signed-off-by: Sasha Levin 
---
 arch/arm64/kernel/probes/kprobes.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/arch/arm64/kernel/probes/kprobes.c 
b/arch/arm64/kernel/probes/kprobes.c
index 30bcae0aef2a..d2b1b624ddc3 100644
--- a/arch/arm64/kernel/probes/kprobes.c
+++ b/arch/arm64/kernel/probes/kprobes.c
@@ -546,13 +546,13 @@ bool arch_within_kprobe_blacklist(unsigned long addr)
addr < (unsigned long)__entry_text_end) ||
(addr >= (unsigned long)__idmap_text_start &&
addr < (unsigned long)__idmap_text_end) ||
+   (addr >= (unsigned long)__hyp_text_start &&
+   addr < (unsigned long)__hyp_text_end) ||
!!search_exception_tables(addr))
return true;
 
if (!is_kernel_in_hyp_mode()) {
-   if ((addr >= (unsigned long)__hyp_text_start &&
-   addr < (unsigned long)__hyp_text_end) ||
-   (addr >= (unsigned long)__hyp_idmap_text_start &&
+   if ((addr >= (unsigned long)__hyp_idmap_text_start &&
addr < (unsigned long)__hyp_idmap_text_end))
return true;
}
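Review bot: After the `__hyp_text` range is hoisted into the unconditional test, the condition left inside `if (!is_kernel_in_hyp_mode())` is a single range check wrapped in a redundant second pair of parentheses, `if ((addr >= ... && addr < ...))`; drop the extra pair. The reason the hyp text stays blacklisted on VHE (KVM still switches VBAR_EL1, so a breakpoint taken in the world-switch code causes a hyp-panic) appears only in the commit message and belongs in a comment next to the new `__hyp_text_start`/`__hyp_text_end` lines.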
-- 
2.19.1





[PATCH 4.9 49/96] net: hns: Fix wrong read accesses via Clause 45 MDIO protocol

2019-03-12 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

[ Upstream commit cec8abba13e6a26729dfed41019720068eeeff2b ]

When reading phy registers via Clause 45 MDIO protocol, after write
address operation, the driver use another write address operation, so
can not read the right value of any phy registers. This patch fixes it.

Signed-off-by: Yonglong Liu 
Signed-off-by: Peng Li 
Signed-off-by: David S. Miller 
Signed-off-by: Sasha Levin 
---
 drivers/net/ethernet/hisilicon/hns_mdio.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/hisilicon/hns_mdio.c 
b/drivers/net/ethernet/hisilicon/hns_mdio.c
index 501eb2090ca6..de23a0ead5d7 100644
--- a/drivers/net/ethernet/hisilicon/hns_mdio.c
+++ b/drivers/net/ethernet/hisilicon/hns_mdio.c
@@ -329,7 +329,7 @@ static int hns_mdio_read(struct mii_bus *bus, int phy_id, 
int regnum)
}
 
hns_mdio_cmd_write(mdio_dev, is_c45,
-  MDIO_C45_WRITE_ADDR, phy_id, devad);
+  MDIO_C45_READ, phy_id, devad);
}
 
/* Step 5: waitting for MDIO_COMMAND_REG 's mdio_start==0,*/
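Review bot: The one-token change from `MDIO_C45_WRITE_ADDR` to `MDIO_C45_READ` fixes the second command of the Clause 45 read, but the call site still gives no hint that two different operations are issued back to back through the same `hns_mdio_cmd_write()` helper, which makes a duplicated opcode easy to miss. A step comment above this call, in the style of the "Step 5" comment that follows, naming it as the read command after the address write would make the sequence checkable by eye. The commit message should also say how the fix was tested, since it states that no phy register could be read correctly over C45 before.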
-- 
2.19.1





[PATCH 4.9 66/96] ARM: pxa: ssp: unneeded to free devm_ allocated data

2019-03-12 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

[ Upstream commit ba16adeb346387eb2d1ada69003588be96f098fa ]

devm_ allocated data will be automatically freed. The free
of devm_ allocated data is invalid.

Fixes: 1c459de1e645 ("ARM: pxa: ssp: use devm_ functions")
Signed-off-by: Peng Hao 
[title's prefix changed]
Signed-off-by: Robert Jarzmik 
Signed-off-by: Sasha Levin 
---
 arch/arm/plat-pxa/ssp.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/arch/arm/plat-pxa/ssp.c b/arch/arm/plat-pxa/ssp.c
index ba13f793fbce..b92673ef 100644
--- a/arch/arm/plat-pxa/ssp.c
+++ b/arch/arm/plat-pxa/ssp.c
@@ -237,8 +237,6 @@ static int pxa_ssp_remove(struct platform_device *pdev)
if (ssp == NULL)
return -ENODEV;
 
-   iounmap(ssp->mmio_base);
-
res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
release_mem_region(res->start, resource_size(res));
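Review bot: With `iounmap(ssp->mmio_base)` removed because the mapping is devm-managed, the next two lines still call `platform_get_resource()` and `release_mem_region(res->start, resource_size(res))` by hand. If the region was also requested through a devm_ helper in the commit named in the Fixes tag, this is the same kind of double release the patch is removing and should go too; if it was not, `res` is dereferenced without a NULL check. Either way the commit message should state which of the resources touched in pxa_ssp_remove() are devm-managed.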
 
@@ -248,7 +246,6 @@ static int pxa_ssp_remove(struct platform_device *pdev)
list_del(>node);
mutex_unlock(_lock);
 
-   kfree(ssp);
return 0;
 }
 
-- 
2.19.1





[PATCH 4.9 67/96] arm64: dts: add msm8996 compatible to gicv3

2019-03-12 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

[ Upstream commit 2a81efb0de0e33f2d2c83154af0bd3ce389b3269 ]

Add compatible to gicv3 node to enable quirk required to restrict writing
to GICR_WAKER register which is restricted on msm8996 SoC in Hypervisor.

With this quirk MSM8996 can at least boot out of mainline, which can help
community to work with boards based on MSM8996.

Without this patch Qualcomm DB820c board reboots on mainline.

Signed-off-by: Srinivas Kandagatla 
Signed-off-by: Andy Gross 
Signed-off-by: Sasha Levin 
---
 arch/arm64/boot/dts/qcom/msm8996.dtsi | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/arm64/boot/dts/qcom/msm8996.dtsi 
b/arch/arm64/boot/dts/qcom/msm8996.dtsi
index 2c93de7fffe5..bdea2d6fde94 100644
--- a/arch/arm64/boot/dts/qcom/msm8996.dtsi
+++ b/arch/arm64/boot/dts/qcom/msm8996.dtsi
@@ -219,7 +219,7 @@
compatible = "simple-bus";
 
intc: interrupt-controller@9bc {
-   compatible = "arm,gic-v3";
+   compatible = "qcom,msm8996-gic-v3", "arm,gic-v3";
#interrupt-cells = <3>;
interrupt-controller;
#redistributor-regions = <1>;
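Review bot: The new first entry in `compatible = "qcom,msm8996-gic-v3", "arm,gic-v3";` only has an effect if the GIC driver in the target tree matches that string and applies the GICR_WAKER quirk the commit message refers to. For a 4.9-stable backport, confirm that the quirk is present in 4.9; without it this hunk changes nothing on the DB820c. The string should also be listed in the GICv3 device-tree binding document, and this patch touches only the dtsi.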
-- 
2.19.1





[PATCH 4.9 92/96] ARM: 8781/1: Fix Thumb-2 syscall return for binutils 2.29+

2019-03-12 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

[ Upstream commit afc9f65e01cd114cb2cedf544d22239116ce0cc6 ]

When building the kernel as Thumb-2 with binutils 2.29 or newer, if the
assembler has seen the .type directive (via ENDPROC()) for a symbol, it
automatically handles the setting of the lowest bit when the symbol is
used with ADR.  The badr macro on the other hand handles this lowest bit
manually.  This leads to a jump to a wrong address in the wrong state
in the syscall return path:

 Internal error: Oops - undefined instruction: 0 [#2] SMP THUMB2
 Modules linked in:
 CPU: 0 PID: 652 Comm: modprobe Tainted: G  D   4.18.0-rc3+ #8
 PC is at ret_fast_syscall+0x4/0x62
 LR is at sys_brk+0x109/0x128
 pc : [<80101004>]lr : [<801c8a35>]psr: 6013
 Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
 Control: 50c5387d  Table: 9e82006a  DAC: 0051
 Process modprobe (pid: 652, stack limit = 0x(ptrval))

 80101000 :
 80101000:   b672cpsid   i
 80101002:   f8d9 2008   ldr.w   r2, [r9, #8]
 80101006:   f1b2 4ffe   cmp.w   r2, #2130706432 ; 0x7f00

 80101184 :
 80101184:   f8d9 a000   ldr.w   sl, [r9]
 80101188:   e92d 0030   stmdb   sp!, {r4, r5}
 8010118c:   f01a 0ff0   tst.w   sl, #240; 0xf0
 80101190:   d117bne.n   801011c2 <__sys_trace>
 80101192:   46bamov sl, r7
 80101194:   f5ba 7fc8   cmp.w   sl, #400; 0x190
 80101198:   bf28it  cs
 8010119a:   f04f 0a00   movcs.w sl, #0
 8010119e:   f3af 8014   nop.w   {20}
 801011a2:   f2af 1ea2   subwlr, pc, #418; 0x1a2

To fix this, add a new symbol name which doesn't have ENDPROC used on it
and use that with badr.  We can't remove the badr usage since that
would cause breakage with older binutils.

Signed-off-by: Vincent Whitchurch 
Signed-off-by: Russell King 
Signed-off-by: Sasha Levin 
---
 arch/arm/kernel/entry-common.S |4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/arch/arm/kernel/entry-common.S
+++ b/arch/arm/kernel/entry-common.S
@@ -32,6 +32,7 @@
  * features make this path too inefficient.
  */
 ret_fast_syscall:
+__ret_fast_syscall:
  UNWIND(.fnstart   )
  UNWIND(.cantunwind)
disable_irq_notrace @ disable interrupts
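Review bot: The `__ret_fast_syscall:` label added directly under `ret_fast_syscall:` looks like a redundant alias, here and at the second definition in the next hunk, and nothing in the file explains that it exists because it must not carry the .type information from ENDPROC(). Add a comment at both labels saying it is the badr target needed for binutils 2.29+ and must not be given ENDPROC, so a later cleanup does not fold the two names together and bring back the wrong-state jump.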
@@ -57,6 +58,7 @@ fast_work_pending:
  * r0 first to avoid needing to save registers around each C function call.
  */
 ret_fast_syscall:
+__ret_fast_syscall:
  UNWIND(.fnstart   )
  UNWIND(.cantunwind)
str r0, [sp, #S_R0 + S_OFF]!@ save returned r0
@@ -223,7 +225,7 @@ local_restart:
tst r10, #_TIF_SYSCALL_WORK @ are we tracing syscalls?
bne __sys_trace
 
-   invoke_syscall tbl, scno, r10, ret_fast_syscall
+   invoke_syscall tbl, scno, r10, __ret_fast_syscall
 
add r1, sp, #S_OFF
 2: cmp scno, #(__ARM_NR_BASE - __NR_SYSCALL_BASE)




[PATCH 4.9 61/96] mm, memory_hotplug: test_pages_in_a_zone do not pass the end of zone

2019-03-12 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

[ Upstream commit 24feb47c5fa5b825efb0151f28906dfdad027e61 ]

If memory end is not aligned with the sparse memory section boundary,
the mapping of such a section is only partly initialized.  This may lead
to VM_BUG_ON due to uninitialized struct pages access from
test_pages_in_a_zone() function triggered by memory_hotplug sysfs
handlers.

Here are the panic examples:
 CONFIG_DEBUG_VM_PGFLAGS=y
 kernel parameter mem=2050M
 --
 page:03d082008000 is uninitialized and poisoned
 page dumped because: VM_BUG_ON_PAGE(PagePoisoned(p))
 Call Trace:
   test_pages_in_a_zone+0xde/0x160
   show_valid_zones+0x5c/0x190
   dev_attr_show+0x34/0x70
   sysfs_kf_seq_show+0xc8/0x148
   seq_read+0x204/0x480
   __vfs_read+0x32/0x178
   vfs_read+0x82/0x138
   ksys_read+0x5a/0xb0
   system_call+0xdc/0x2d8
 Last Breaking-Event-Address:
   test_pages_in_a_zone+0xde/0x160
 Kernel panic - not syncing: Fatal exception: panic_on_oops

Fix this by checking whether the pfn to check is within the zone.

[mho...@suse.com: separated this change from 
http://lkml.kernel.org/r/20181105150401.97287-2-zaslo...@linux.ibm.com]
Link: http://lkml.kernel.org/r/20190128144506.15603-3-mho...@kernel.org

[mho...@suse.com: separated this change from
http://lkml.kernel.org/r/20181105150401.97287-2-zaslo...@linux.ibm.com]
Signed-off-by: Michal Hocko 
Signed-off-by: Mikhail Zaslonko 
Tested-by: Mikhail Gavrilov 
Reviewed-by: Oscar Salvador 
Tested-by: Gerald Schaefer 
Cc: Heiko Carstens 
Cc: Martin Schwidefsky 
Cc: Mikhail Gavrilov 
Cc: Pavel Tatashin 
Signed-off-by: Andrew Morton 
Signed-off-by: Linus Torvalds 
Signed-off-by: Sasha Levin 
---
 mm/memory_hotplug.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/mm/memory_hotplug.c b/mm/memory_hotplug.c
index a03a401f11b6..b4c8d7b9ab82 100644
--- a/mm/memory_hotplug.c
+++ b/mm/memory_hotplug.c
@@ -1512,6 +1512,9 @@ int test_pages_in_a_zone(unsigned long start_pfn, 
unsigned long end_pfn,
i++;
if (i == MAX_ORDER_NR_PAGES || pfn + i >= end_pfn)
continue;
+   /* Check if we got outside of the zone */
+   if (zone && !zone_spans_pfn(zone, pfn + i))
+   return 0;
page = pfn_to_page(pfn + i);
if (zone && page_zone(page) != zone)
return 0;
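Review bot: The new `zone && !zone_spans_pfn(zone, pfn + i)` test only takes effect once `zone` has been set, so for the first page examined, while `zone` is still NULL, `pfn_to_page(pfn + i)` is used exactly as before the patch. If the first pfn of the range can fall in the partly initialised section described in the commit message, the poisoned-page access is still reachable. State in the comment what guarantees that the first page is initialised, or validate it before its zone is taken.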
-- 
2.19.1





Re: xen: Can't insert balloon page into VM userspace (WAS Re: [Xen-devel] [linux-linus bisection] complete test-arm64-arm64-xl-xsm)

2019-03-12 Thread David Hildenbrand
On 12.03.19 18:14, Matthew Wilcox wrote:
> On Tue, Mar 12, 2019 at 05:05:39PM +, Julien Grall wrote:
>> On 3/12/19 3:59 PM, Julien Grall wrote:
>>> It looks like all the arm test for linus [1] and next [2] tree
>>> are now failing. x86 seems to be mostly ok.
>>>
>>> The bisector fingered the following commit:
>>>
>>> commit 0ee930e6cafa048c1925893d0ca89918b2814f2c
>>> Author: Matthew Wilcox 
>>> Date:   Tue Mar 5 15:46:06 2019 -0800
>>>
>>>  mm/memory.c: prevent mapping typed pages to userspace
>>>  Pages which use page_type must never be mapped to userspace as it would
>>>  destroy their page type.  Add an explicit check for this instead of
>>>  assuming that kernel drivers always get this right.
> 
> Oh good, it found a real problem.
> 
>> It turns out the problem is because the balloon driver will call
>> __SetPageOffline() on allocated page. Therefore the page has a type and
>> vm_insert_pages will deny the insertion.
>>
>> My knowledge is quite limited in this area. So I am not sure how we can
>> solve the problem.
>>
>> I would appreciate if someone could provide input of to fix the mapping.
> 
> I don't know the balloon driver, so I don't know why it was doing this,
> but what it was doing was Wrong and has been since 2014 with:
> 
> commit d6d86c0a7f8ddc5b38cf089222cb1d9540762dc2
> Author: Konstantin Khlebnikov 
> Date:   Thu Oct 9 15:29:27 2014 -0700
> 
> mm/balloon_compaction: redesign ballooned pages management
> 
> If ballooned pages are supposed to be mapped into userspace, you can't mark
> them as ballooned pages using the mapcount field.
> 

Asking myself why anybody would want to map balloon inflated pages into
user space (this just sounds plain wrong but my understanding to what
XEN balloon driver does might be limited), but I assume the easy fix
would be to revert


commit 2f085ff37d08ecbc7849d5abb9424bd7927dda1d
Author: David Hildenbrand 
Date:   Wed Mar 6 11:42:24 2019 +1100

xen/balloon: mark inflated pages PG_offline

Mark inflated and never onlined pages PG_offline, to tell the world that
the content is stale and should not be dumped.


-- 

Thanks,

David / dhildenb


[PATCH 4.9 78/96] s390/qeth: fix use-after-free in error path

2019-03-12 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

[ Upstream commit afa0c5904ba16d59b0454f7ee4c807dae350f432 ]

The error path in qeth_alloc_qdio_buffers() that takes care of
cleaning up the Output Queues is buggy. It first frees the queue, but
then calls qeth_clear_outq_buffers() with that very queue struct.

Make the call to qeth_clear_outq_buffers() part of the free action
(in the correct order), and while at it fix the naming of the helper.

Fixes: 0da9581ddb0f ("qeth: exploit asynchronous delivery of storage blocks")
Signed-off-by: Julian Wiedmann 
Reviewed-by: Alexandra Winter 
Signed-off-by: David S. Miller 
Signed-off-by: Sasha Levin 
---
 drivers/s390/net/qeth_core_main.c | 15 ++-
 1 file changed, 6 insertions(+), 9 deletions(-)

diff --git a/drivers/s390/net/qeth_core_main.c 
b/drivers/s390/net/qeth_core_main.c
index 8f77fc0630ce..86a02592b982 100644
--- a/drivers/s390/net/qeth_core_main.c
+++ b/drivers/s390/net/qeth_core_main.c
@@ -2449,11 +2449,12 @@ static int qeth_init_qdio_out_buf(struct 
qeth_qdio_out_q *q, int bidx)
return rc;
 }
 
-static void qeth_free_qdio_out_buf(struct qeth_qdio_out_q *q)
+static void qeth_free_output_queue(struct qeth_qdio_out_q *q)
 {
if (!q)
return;
 
+   qeth_clear_outq_buffers(q, 1);
qdio_free_buffers(q->qdio_bufs, QDIO_MAX_BUFFERS_PER_Q);
kfree(q);
 }
@@ -2526,10 +2527,8 @@ static int qeth_alloc_qdio_buffers(struct qeth_card 
*card)
card->qdio.out_qs[i]->bufs[j] = NULL;
}
 out_freeoutq:
-   while (i > 0) {
-   qeth_free_qdio_out_buf(card->qdio.out_qs[--i]);
-   qeth_clear_outq_buffers(card->qdio.out_qs[i], 1);
-   }
+   while (i > 0)
+   qeth_free_output_queue(card->qdio.out_qs[--i]);
kfree(card->qdio.out_qs);
card->qdio.out_qs = NULL;
 out_freepool:
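Review bot: In the `out_freeoutq` error path every queue now goes through qeth_free_output_queue(), which calls `qeth_clear_outq_buffers(q, 1)` before freeing, and the context line just above the label shows `bufs[j]` entries being set to NULL on that path. Confirm that qeth_clear_outq_buffers() tolerates NULL `bufs[]` entries on a partially set-up queue; before this patch the call ran on already freed memory, so its result on this path could not be relied on.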
@@ -2562,10 +2561,8 @@ static void qeth_free_qdio_buffers(struct qeth_card 
*card)
qeth_free_buffer_pool(card);
/* free outbound qdio_qs */
if (card->qdio.out_qs) {
-   for (i = 0; i < card->qdio.no_out_queues; ++i) {
-   qeth_clear_outq_buffers(card->qdio.out_qs[i], 1);
-   qeth_free_qdio_out_buf(card->qdio.out_qs[i]);
-   }
+   for (i = 0; i < card->qdio.no_out_queues; i++)
+   qeth_free_output_queue(card->qdio.out_qs[i]);
kfree(card->qdio.out_qs);
card->qdio.out_qs = NULL;
}
-- 
2.19.1





[PATCH 4.9 81/96] MIPS: Loongson: Introduce and use loongson_llsc_mb()

2019-03-12 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

[ Upstream commit e02e07e3127d8aec1f4bcdfb2fc52a2d99b4859e ]

On the Loongson-2G/2H/3A/3B there is a hardware flaw that ll/sc and
lld/scd is very weak ordering. We should add sync instructions "before
each ll/lld" and "at the branch-target between ll/sc" to workaround.
Otherwise, this flaw will cause deadlock occasionally (e.g. when doing
heavy load test with LTP).

Below is the explanation of CPU designer:

"For Loongson 3 family, when a memory access instruction (load, store,
or prefetch)'s executing occurs between the execution of LL and SC, the
success or failure of SC is not predictable. Although programmer would
not insert memory access instructions between LL and SC, the memory
instructions before LL in program-order, may dynamically executed
between the execution of LL/SC, so a memory fence (SYNC) is needed
before LL/LLD to avoid this situation.

Since Loongson-3A R2 (3A2000), we have improved our hardware design to
handle this case. But we later deduce a rarely circumstance that some
speculatively executed memory instructions due to branch misprediction
between LL/SC still fall into the above case, so a memory fence (SYNC)
at branch-target (if its target is not between LL/SC) is needed for
Loongson 3A1000, 3B1500, 3A2000 and 3A3000.

Our processor is continually evolving and we aim to remove all these
workaround-SYNCs around LL/SC for new-come processor."

Here is an example:

Both cpu1 and cpu2 simultaneously run atomic_add by 1 on same atomic var,
this bug cause both 'sc' run by two cpus (in atomic_add) succeed at same
time('sc' return 1), and the variable is only *added by 1*, sometimes,
which is wrong and unacceptable(it should be added by 2).

Why disable fix-loongson3-llsc in compiler?
Because compiler fix will cause problems in kernel's __ex_table section.

This patch fix all the cases in kernel, but:

+. the fix at the end of futex_atomic_cmpxchg_inatomic is for branch-target
of 'bne', there other cases which smp_mb__before_llsc() and smp_llsc_mb() fix
the ll and branch-target coincidently such as atomic_sub_if_positive/
cmpxchg/xchg, just like this one.

+. Loongson 3 does support CONFIG_EDAC_ATOMIC_SCRUB, so no need to touch
edac.h

+. local_ops and cmpxchg_local should not be affected by this bug since
only the owner can write.

+. mips_atomic_set for syscall.c is deprecated and rarely used, just let
it go

Signed-off-by: Huacai Chen 
Signed-off-by: Huang Pei 
[paul.bur...@mips.com:
  - Simplify the addition of -mno-fix-loongson3-llsc to cflags, and add
a comment describing why it's there.
  - Make loongson_llsc_mb() a no-op when
CONFIG_CPU_LOONGSON3_WORKAROUNDS=n, rather than a compiler memory
barrier.
  - Add a comment describing the bug & how loongson_llsc_mb() helps
in asm/barrier.h.]
Signed-off-by: Paul Burton 
Cc: Ralf Baechle 
Cc: ambrose...@gmail.com
Cc: Steven J . Hill 
Cc: linux-m...@linux-mips.org
Cc: Fuxin Zhang 
Cc: Zhangjin Wu 
Cc: Li Xuefeng 
Cc: Xu Chenghua 
Signed-off-by: Sasha Levin 
---
 arch/mips/Kconfig   | 15 ++
 arch/mips/include/asm/atomic.h  |  6 ++
 arch/mips/include/asm/barrier.h | 36 +
 arch/mips/include/asm/bitops.h  |  5 +
 arch/mips/include/asm/futex.h   |  3 +++
 arch/mips/include/asm/pgtable.h |  2 ++
 arch/mips/loongson64/Platform   | 23 +
 arch/mips/mm/tlbex.c| 10 +
 8 files changed, 100 insertions(+)

diff --git a/arch/mips/Kconfig b/arch/mips/Kconfig
index bb9940c6927e..47662626a375 100644
--- a/arch/mips/Kconfig
+++ b/arch/mips/Kconfig
@@ -1396,6 +1396,21 @@ config LOONGSON3_ENHANCEMENT
  please say 'N' here. If you want a high-performance kernel to run on
  new Loongson 3 machines only, please say 'Y' here.
 
+config CPU_LOONGSON3_WORKAROUNDS
+   bool "Old Loongson 3 LLSC Workarounds"
+   default y if SMP
+   depends on CPU_LOONGSON3
+   help
+ Loongson 3 processors have the llsc issues which require workarounds.
+ Without workarounds the system may hang unexpectedly.
+
+ Newer Loongson 3 will fix these issues and no workarounds are needed.
+ The workarounds have no significant side effect on them but may
+ decrease the performance of the system so this option should be
+ disabled unless the kernel is intended to be run on old systems.
+
+ If unsure, please say Y.
+
 config CPU_LOONGSON2E
bool "Loongson 2E"
depends on SYS_HAS_CPU_LOONGSON2E
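Review bot: The help text for CPU_LOONGSON3_WORKAROUNDS gives conflicting guidance: it says the option "should be disabled unless the kernel is intended to be run on old systems" and then ends with "If unsure, please say Y". It also speaks only of "old" and "newer" Loongson 3, while the commit message names the affected parts (3A1000, 3B1500, 3A2000 and 3A3000). List those models in the help text and say that a kernel built without the option can hang on them, so the person configuring a kernel can decide without reading the commit log.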
diff --git a/arch/mips/include/asm/atomic.h b/arch/mips/include/asm/atomic.h
index 0ab176bdb8e8..8ee17565bc78 100644
--- a/arch/mips/include/asm/atomic.h
+++ b/arch/mips/include/asm/atomic.h
@@ -47,6 +47,7 @@ static __inline__ void atomic_##op(int i, atomic_t * v)   
  \
if (kernel_uses_llsc && R1_LLSC_WAR) {\
int 

[PATCH 4.9 63/96] autofs: drop dentry reference only when it is never used

2019-03-12 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

[ Upstream commit 63ce5f552beb9bdb41546b3a26c4374758b21815 ]

autofs_expire_run() calls dput(dentry) to drop the reference count of
dentry.  However, dentry is read via autofs_dentry_ino(dentry) after
that.  This may result in a use-free-bug.  The patch drops the reference
count of dentry only when it is never used.

Link: 
http://lkml.kernel.org/r/154725122396.11260.16053424107144453867.stgit@pluto-themaw-net
Signed-off-by: Pan Bian 
Signed-off-by: Ian Kent 
Signed-off-by: Andrew Morton 
Signed-off-by: Linus Torvalds 
Signed-off-by: Sasha Levin 
---
 fs/autofs4/expire.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/autofs4/expire.c b/fs/autofs4/expire.c
index d8e6d421c27f..2e1f50e467f1 100644
--- a/fs/autofs4/expire.c
+++ b/fs/autofs4/expire.c
@@ -563,7 +563,6 @@ int autofs4_expire_run(struct super_block *sb,
pkt.len = dentry->d_name.len;
memcpy(pkt.name, dentry->d_name.name, pkt.len);
pkt.name[pkt.len] = '\0';
-   dput(dentry);
 
if (copy_to_user(pkt_p, , sizeof(struct autofs_packet_expire)))
ret = -EFAULT;
@@ -576,6 +575,8 @@ int autofs4_expire_run(struct super_block *sb,
complete_all(>expire_complete);
spin_unlock(>fs_lock);
 
+   dput(dentry);
+
return ret;
 }
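Review bot: Moving `dput(dentry)` to just before `return ret` is only leak-free if nothing between the old and the new position can leave the function early. The visible context sets `ret = -EFAULT` on copy_to_user() failure and falls through, which is fine, but the lines between the two hunks should be checked for a return or goto. A one-line comment at the new dput() saying the reference must outlive the autofs_dentry_ino(dentry) use would keep it from being moved back up.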
 
-- 
2.19.1





Re: [PATCH v8 0/6] Add Fieldbus subsystem + support HMS Profinet card

2019-03-12 Thread Greg KH
On Tue, Mar 12, 2019 at 01:11:11PM -0400, Sven Van Asbroeck wrote:
> On Mon, Mar 11, 2019 at 3:13 PM Greg KH  wrote:
> >
> > That sounds like a good plan, I'll take that.  Want to respin the
> > patches with the code in drivers/staging/ and I'll be glad to queue them
> > up after 5.1-rc1 is out.
> 
> Andreas Farber suggested that the patchset may have more success reaching
> its target audience by cross-posting in netdev, and maybe linux-serial +
> linux-gpio. Does that sound ok? Any other group where the patchset might
> be welcome?
> 
> Greg, are you ok with holding off taking the patch for a few days, to give
> the netdev/serial/gpio people a chance to react?

I can't take anything until after 5.1-rc1 is out.  I have no rush,
please take your time, get it right :)

greg k-h


Re: [RFC PATCH v1] PCI: qcom: Use quirk to override incorrect device class

2019-03-12 Thread Marc Gonzalez
On 12/03/2019 13:42, Stanimir Varbanov wrote:

> On 3/11/19 4:56 PM, Marc Gonzalez wrote:
>
>> Some chips report an incorrect device class. Override the incorrect
>> value using a quirk, instead of code in the read function.
>>
>> Signed-off-by: Marc Gonzalez 
>> ---
>> FWIW, this quirk is no longer required on recent chips:
>> msm8996 (tested by Stanimir), msm8998 (tested by me), sdm845 (untested) are unaffected
>> apq/ipq8064 is affected => what is the device ID for these chips?
>> others?
>>
>> Stanimir added: "this will become a real problem (now we use the driver as RC)
>> when someone decide to use it as an endpoint"
>> ---
>>  drivers/pci/controller/dwc/pcie-qcom.c | 14 ++
>>  1 file changed, 6 insertions(+), 8 deletions(-)
>>
>> diff --git a/drivers/pci/controller/dwc/pcie-qcom.c 
>> b/drivers/pci/controller/dwc/pcie-qcom.c
>> index 3de5510fd3d5..94da2c9c2ad5 100644
>> --- a/drivers/pci/controller/dwc/pcie-qcom.c
>> +++ b/drivers/pci/controller/dwc/pcie-qcom.c
>> @@ -1136,17 +1136,15 @@ static int qcom_pcie_rd_own_conf(struct pcie_port 
>> *pp, int where, int size,
>>  {
>>  struct dw_pcie *pci = to_dw_pcie_from_pp(pp);
>>  
>> -/* the device class is not reported correctly from the register */
>> -if (where == PCI_CLASS_REVISION && size == 4) {
>> -*val = readl(pci->dbi_base + PCI_CLASS_REVISION);
>> -*val &= 0xff;   /* keep revision id */
>> -*val |= PCI_CLASS_BRIDGE_PCI << 16;
>> -return PCIBIOS_SUCCESSFUL;
>> -}
>> -
> 
> once you dropped the above snippet this function becomes absolutely
> useless so please delete it at all and also from qcom_pcie_dw_ops.

Good catch.

>>  return dw_pcie_read(pci->dbi_base + where, size, val);
>>  }
>>  
>> +static void qcom_fixup_class(struct pci_dev *dev)
>> +{
>> +dev->class = PCI_CLASS_BRIDGE_PCI << 8;
>> +}
>> +DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_QCOM, PCI_ANY_ID, qcom_fixup_class);
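
Review bot: DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_QCOM, PCI_ANY_ID, qcom_fixup_class) matches every device with the Qualcomm vendor ID, while the code removed from qcom_pcie_rd_own_conf() only rewrote the class read through this controller's own config space. The note under the commit message says msm8996 and msm8998 are unaffected and raises the endpoint case, so the fixup should be restricted to the device IDs of the affected chips rather than forcing PCI_CLASS_BRIDGE_PCI on anything from this vendor.
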
> 
> I wonder, in case that dw_pcie_setup_rc() already has a write to
> PCI_CLASS_DEVICE configuration register to set it as a bridge do we
> still need to do the above fixup?

I don't know, I don't have an affected device. Unless the msm8998 /is/ affected,
and dw_pcie_setup_rc() actually fixes it?

Regards.


[PATCH 4.9 84/96] Input: wacom_serial4 - add support for Wacom ArtPad II tablet

2019-03-12 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Jason Gerecke 

commit 44fc95e218a09d7966a9d448941fdb003f6bb69f upstream.

Tablet initially begins communicating at 9600 baud, so this command
should be used to connect to the device:

$ inputattach --daemon --baud 9600 --wacom_iv /dev/ttyS0

https://github.com/linuxwacom/xf86-input-wacom/issues/40

Signed-off-by: Jason Gerecke 
Cc: sta...@vger.kernel.org
Signed-off-by: Dmitry Torokhov 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/input/tablet/wacom_serial4.c |2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/input/tablet/wacom_serial4.c
+++ b/drivers/input/tablet/wacom_serial4.c
@@ -187,6 +187,7 @@ enum {
MODEL_DIGITIZER_II  = 0x5544, /* UD */
MODEL_GRAPHIRE  = 0x4554, /* ET */
MODEL_PENPARTNER= 0x4354, /* CT */
+   MODEL_ARTPAD_II = 0x4B54, /* KT */
 };
 
 static void wacom_handle_model_response(struct wacom *wacom)
@@ -245,6 +246,7 @@ static void wacom_handle_model_response(
wacom->flags = F_HAS_STYLUS2 | F_HAS_SCROLLWHEEL;
break;
 
+   case MODEL_ARTPAD_II:
case MODEL_DIGITIZER_II:
wacom->dev->name = "Wacom Digitizer II";
wacom->dev->id.version = MODEL_DIGITIZER_II;
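Review bot: case MODEL_ARTPAD_II falls through into the MODEL_DIGITIZER_II branch, so an ArtPad II is registered with dev->name "Wacom Digitizer II" and id.version = MODEL_DIGITIZER_II, and userspace cannot tell the two tablets apart from these fields. If sharing the Digitizer II identity is intended, say so in a comment on the new case label; otherwise give the ArtPad II its own name and id.version = MODEL_ARTPAD_II.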




[PATCH 4.9 94/96] perf/x86/intel: Make cpuc allocations consistent

2019-03-12 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: "Peter Zijlstra (Intel)" 

commit d01b1f96a82e5dd7841a1d39db3abfdaf95f70ab upstream

The cpuc data structure allocation is different between fake and real
cpuc's; use the same code to init/free both.

Signed-off-by: Peter Zijlstra (Intel) 
Signed-off-by: Thomas Gleixner 
Signed-off-by: Greg Kroah-Hartman 
---
 arch/x86/events/core.c   |   13 +
 arch/x86/events/intel/core.c |   29 ++---
 arch/x86/events/perf_event.h |   11 ---
 3 files changed, 31 insertions(+), 22 deletions(-)

--- a/arch/x86/events/core.c
+++ b/arch/x86/events/core.c
@@ -1942,7 +1942,7 @@ static int x86_pmu_commit_txn(struct pmu
  */
 static void free_fake_cpuc(struct cpu_hw_events *cpuc)
 {
-   kfree(cpuc->shared_regs);
+   intel_cpuc_finish(cpuc);
kfree(cpuc);
 }
 
@@ -1954,14 +1954,11 @@ static struct cpu_hw_events *allocate_fa
cpuc = kzalloc(sizeof(*cpuc), GFP_KERNEL);
if (!cpuc)
return ERR_PTR(-ENOMEM);
-
-   /* only needed, if we have extra_regs */
-   if (x86_pmu.extra_regs) {
-   cpuc->shared_regs = allocate_shared_regs(cpu);
-   if (!cpuc->shared_regs)
-   goto error;
-   }
cpuc->is_fake = 1;
+
+   if (intel_cpuc_prepare(cpuc, cpu))
+   goto error;
+
return cpuc;
 error:
free_fake_cpuc(cpuc);
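Review bot: in allocate_fake_cpuc() a failing intel_cpuc_prepare() now jumps to error:, where free_fake_cpuc() calls intel_cpuc_finish() on a cpuc that was only partly set up. That is safe only if intel_cpuc_prepare() leaves no stale pointer behind on its own error paths (err_shared_regs and err) and intel_cpuc_finish() accepts NULL shared_regs and excl_cntrs; please confirm both. Note also that the removed code allocated shared_regs only when x86_pmu.extra_regs was set, while the shared helper also allocates for lbr_sel_map and PMU_FL_EXCL_CNTRS, which the commit message does not mention.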
--- a/arch/x86/events/intel/core.c
+++ b/arch/x86/events/intel/core.c
@@ -3093,7 +3093,7 @@ ssize_t intel_event_sysfs_show(char *pag
return x86_event_sysfs_show(page, config, event);
 }
 
-struct intel_shared_regs *allocate_shared_regs(int cpu)
+static struct intel_shared_regs *allocate_shared_regs(int cpu)
 {
struct intel_shared_regs *regs;
int i;
@@ -3125,10 +3125,9 @@ static struct intel_excl_cntrs *allocate
return c;
 }
 
-static int intel_pmu_cpu_prepare(int cpu)
-{
-   struct cpu_hw_events *cpuc = _cpu(cpu_hw_events, cpu);
 
+int intel_cpuc_prepare(struct cpu_hw_events *cpuc, int cpu)
+{
if (x86_pmu.extra_regs || x86_pmu.lbr_sel_map) {
cpuc->shared_regs = allocate_shared_regs(cpu);
if (!cpuc->shared_regs)
@@ -3138,7 +3137,7 @@ static int intel_pmu_cpu_prepare(int cpu
if (x86_pmu.flags & PMU_FL_EXCL_CNTRS) {
size_t sz = X86_PMC_IDX_MAX * sizeof(struct event_constraint);
 
-   cpuc->constraint_list = kzalloc(sz, GFP_KERNEL);
+   cpuc->constraint_list = kzalloc_node(sz, GFP_KERNEL, 
cpu_to_node(cpu));
if (!cpuc->constraint_list)
goto err_shared_regs;
 
@@ -3163,6 +3162,11 @@ err:
return -ENOMEM;
 }
 
+static int intel_pmu_cpu_prepare(int cpu)
+{
+   return intel_cpuc_prepare(_cpu(cpu_hw_events, cpu), cpu);
+}
+
 static void intel_pmu_cpu_starting(int cpu)
 {
struct cpu_hw_events *cpuc = _cpu(cpu_hw_events, cpu);
@@ -3218,9 +3222,8 @@ static void intel_pmu_cpu_starting(int c
}
 }
 
-static void free_excl_cntrs(int cpu)
+static void free_excl_cntrs(struct cpu_hw_events *cpuc)
 {
-   struct cpu_hw_events *cpuc = _cpu(cpu_hw_events, cpu);
struct intel_excl_cntrs *c;
 
c = cpuc->excl_cntrs;
@@ -3238,9 +3241,8 @@ static void intel_pmu_cpu_dying(int cpu)
fini_debug_store_on_cpu(cpu);
 }
 
-static void intel_pmu_cpu_dead(int cpu)
+void intel_cpuc_finish(struct cpu_hw_events *cpuc)
 {
-   struct cpu_hw_events *cpuc = _cpu(cpu_hw_events, cpu);
struct intel_shared_regs *pc;
 
pc = cpuc->shared_regs;
@@ -3250,7 +3252,12 @@ static void intel_pmu_cpu_dead(int cpu)
cpuc->shared_regs = NULL;
}
 
-   free_excl_cntrs(cpu);
+   free_excl_cntrs(cpuc);
+}
+
+static void intel_pmu_cpu_dead(int cpu)
+{
+   intel_cpuc_finish(_cpu(cpu_hw_events, cpu));
 }
 
 static void intel_pmu_sched_task(struct perf_event_context *ctx,
@@ -4132,7 +4139,7 @@ static __init int fixup_ht_bug(void)
get_online_cpus();
 
for_each_online_cpu(c) {
-   free_excl_cntrs(c);
+   free_excl_cntrs(_cpu(cpu_hw_events, c));
}
 
put_online_cpus();
--- a/arch/x86/events/perf_event.h
+++ b/arch/x86/events/perf_event.h
@@ -865,7 +865,8 @@ struct event_constraint *
 x86_get_event_constraints(struct cpu_hw_events *cpuc, int idx,
  struct perf_event *event);
 
-struct intel_shared_regs *allocate_shared_regs(int cpu);
+extern int intel_cpuc_prepare(struct cpu_hw_events *cpuc, int cpu);
+extern void intel_cpuc_finish(struct cpu_hw_events *cpuc);
 
 int intel_pmu_init(void);
 
@@ -995,9 +996,13 @@ static inline int intel_pmu_init(void)
return 0;
 }
 
-static inline struct intel_shared_regs *allocate_shared_regs(int cpu)
+static inline int intel_cpuc_prepare(struct cpu_hw_event *cpuc, int cpu)
+{
+   return 0;
+}
+
+static inline void 
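Review bot: the static inline stub added here is declared as intel_cpuc_prepare(struct cpu_hw_event *cpuc, int cpu), but the extern prototype in the previous hunk and the callers use struct cpu_hw_events. The singular name introduces a different, incomplete type, so a build that takes the stub branch passes an incompatible pointer at the call in allocate_fake_cpuc(); it should read struct cpu_hw_events *cpuc. Check the intel_cpuc_finish() stub that follows for the same slip.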

[PATCH 4.9 76/96] selftests: netfilter: add simple masq/redirect test cases

2019-03-12 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

[ Upstream commit 98bfc3414bda335dbd7fec58bde6266f991801d7 ]

Check basic nat/redirect/masquerade for ipv4 and ipv6.

Signed-off-by: Florian Westphal 
Signed-off-by: Pablo Neira Ayuso 
Signed-off-by: Sasha Levin 
---
 tools/testing/selftests/netfilter/Makefile   |   2 +-
 tools/testing/selftests/netfilter/nft_nat.sh | 762 +++
 2 files changed, 763 insertions(+), 1 deletion(-)
 create mode 100755 tools/testing/selftests/netfilter/nft_nat.sh

diff --git a/tools/testing/selftests/netfilter/Makefile 
b/tools/testing/selftests/netfilter/Makefile
index 47ed6cef93fb..c9ff2b47bd1c 100644
--- a/tools/testing/selftests/netfilter/Makefile
+++ b/tools/testing/selftests/netfilter/Makefile
@@ -1,6 +1,6 @@
 # SPDX-License-Identifier: GPL-2.0
 # Makefile for netfilter selftests
 
-TEST_PROGS := nft_trans_stress.sh
+TEST_PROGS := nft_trans_stress.sh nft_nat.sh
 
 include ../lib.mk
diff --git a/tools/testing/selftests/netfilter/nft_nat.sh 
b/tools/testing/selftests/netfilter/nft_nat.sh
new file mode 100755
index ..8ec76681605c
--- /dev/null
+++ b/tools/testing/selftests/netfilter/nft_nat.sh
@@ -0,0 +1,762 @@
+#!/bin/bash
+#
+# This test is for basic NAT functionality: snat, dnat, redirect, masquerade.
+#
+
+# Kselftest framework requirement - SKIP code is 4.
+ksft_skip=4
+ret=0
+
+nft --version > /dev/null 2>&1
+if [ $? -ne 0 ];then
+   echo "SKIP: Could not run test without nft tool"
+   exit $ksft_skip
+fi
+
+ip -Version > /dev/null 2>&1
+if [ $? -ne 0 ];then
+   echo "SKIP: Could not run test without ip tool"
+   exit $ksft_skip
+fi
+
+ip netns add ns0
+ip netns add ns1
+ip netns add ns2
+
+ip link add veth0 netns ns0 type veth peer name eth0 netns ns1
+ip link add veth1 netns ns0 type veth peer name eth0 netns ns2
+
+ip -net ns0 link set lo up
+ip -net ns0 link set veth0 up
+ip -net ns0 addr add 10.0.1.1/24 dev veth0
+ip -net ns0 addr add dead:1::1/64 dev veth0
+
+ip -net ns0 link set veth1 up
+ip -net ns0 addr add 10.0.2.1/24 dev veth1
+ip -net ns0 addr add dead:2::1/64 dev veth1
+
+for i in 1 2; do
+  ip -net ns$i link set lo up
+  ip -net ns$i link set eth0 up
+  ip -net ns$i addr add 10.0.$i.99/24 dev eth0
+  ip -net ns$i route add default via 10.0.$i.1
+  ip -net ns$i addr add dead:$i::99/64 dev eth0
+  ip -net ns$i route add default via dead:$i::1
+done
+
+bad_counter()
+{
+   local ns=$1
+   local counter=$2
+   local expect=$3
+
+   echo "ERROR: $counter counter in $ns has unexpected value (expected 
$expect)" 1>&2
+   ip netns exec $ns nft list counter inet filter $counter 1>&2
+}
+
+check_counters()
+{
+   ns=$1
+   local lret=0
+
+   cnt=$(ip netns exec $ns nft list counter inet filter ns0in | grep -q 
"packets 1 bytes 84")
+   if [ $? -ne 0 ]; then
+   bad_counter $ns ns0in "packets 1 bytes 84"
+   lret=1
+   fi
+   cnt=$(ip netns exec $ns nft list counter inet filter ns0out | grep -q 
"packets 1 bytes 84")
+   if [ $? -ne 0 ]; then
+   bad_counter $ns ns0out "packets 1 bytes 84"
+   lret=1
+   fi
+
+   expect="packets 1 bytes 104"
+   cnt=$(ip netns exec $ns nft list counter inet filter ns0in6 | grep -q 
"$expect")
+   if [ $? -ne 0 ]; then
+   bad_counter $ns ns0in6 "$expect"
+   lret=1
+   fi
+   cnt=$(ip netns exec $ns nft list counter inet filter ns0out6 | grep -q 
"$expect")
+   if [ $? -ne 0 ]; then
+   bad_counter $ns ns0out6 "$expect"
+   lret=1
+   fi
+
+   return $lret
+}
+
+check_ns0_counters()
+{
+   local ns=$1
+   local lret=0
+
+   cnt=$(ip netns exec ns0 nft list counter inet filter ns0in | grep -q 
"packets 0 bytes 0")
+   if [ $? -ne 0 ]; then
+   bad_counter ns0 ns0in "packets 0 bytes 0"
+   lret=1
+   fi
+
+   cnt=$(ip netns exec ns0 nft list counter inet filter ns0in6 | grep -q 
"packets 0 bytes 0")
+   if [ $? -ne 0 ]; then
+   bad_counter ns0 ns0in6 "packets 0 bytes 0"
+   lret=1
+   fi
+
+   cnt=$(ip netns exec ns0 nft list counter inet filter ns0out | grep -q 
"packets 0 bytes 0")
+   if [ $? -ne 0 ]; then
+   bad_counter ns0 ns0out "packets 0 bytes 0"
+   lret=1
+   fi
+   cnt=$(ip netns exec ns0 nft list counter inet filter ns0out6 | grep -q 
"packets 0 bytes 0")
+   if [ $? -ne 0 ]; then
+   bad_counter ns0 ns0out6 "packets 0 bytes 0"
+   lret=1
+   fi
+
+   for dir in "in" "out" ; do
+   expect="packets 1 bytes 84"
+   cnt=$(ip netns exec ns0 nft list counter inet filter 
${ns}${dir} | grep -q "$expect")
+   if [ $? -ne 0 ]; then
+   bad_counter ns0 $ns$dir "$expect"
+   lret=1
+   fi
+
+   expect="packets 1 
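Review bot: in check_counters() and check_ns0_counters() every probe is written as cnt=$(ip netns exec ... | grep -q "..."), but grep -q prints nothing, so cnt is always empty and is never read; the test only works because $? after the assignment is the pipeline's status. Drop the assignment and test the pipeline directly, for example if ! ip netns exec $ns nft list counter inet filter ns0in | grep -q "packets 1 bytes 84"; then. Also, check_counters() sets ns=$1 without local, unlike bad_counter() and check_ns0_counters(), and the ip netns add ns0/ns1/ns2 calls at the top are not checked for failure, so a run on a host where those namespace names already exist carries on against namespaces the test did not create.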

[PATCH 4.9 83/96] fs: ratelimit __find_get_block_slow() failure message.

2019-03-12 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

[ Upstream commit 43636c804df0126da669c261fc820fb22f62bfc2 ]

When something lets __find_get_block_slow() hit the all_mapped path, it calls
printk() 100+ times per second. But there is no need to print the same
message with such high frequency; it is just asking for a stall warning, or
at least bloating log files.

  [  399.866302][T15342] __find_get_block_slow() failed. block=1, b_blocknr=8
  [  399.873324][T15342] b_state=0x0029, b_size=512
  [  399.878403][T15342] device loop0 blocksize: 4096
  [  399.883296][T15342] __find_get_block_slow() failed. block=1, b_blocknr=8
  [  399.890400][T15342] b_state=0x0029, b_size=512
  [  399.895595][T15342] device loop0 blocksize: 4096
  [  399.900556][T15342] __find_get_block_slow() failed. block=1, b_blocknr=8
  [  399.907471][T15342] b_state=0x0029, b_size=512
  [  399.912506][T15342] device loop0 blocksize: 4096

This patch reduces the frequency to at most once per second, in addition to
concatenating three lines into one.

  [  399.866302][T15342] __find_get_block_slow() failed. block=1, b_blocknr=8, b_state=0x0029, b_size=512, device loop0 blocksize: 4096

Signed-off-by: Tetsuo Handa 
Reviewed-by: Jan Kara 
Cc: Dmitry Vyukov 
Signed-off-by: Jens Axboe 
Signed-off-by: Sasha Levin 
---
 fs/buffer.c | 19 ++-
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/fs/buffer.c b/fs/buffer.c
index 5d8f496d624e..e0d46d47e358 100644
--- a/fs/buffer.c
+++ b/fs/buffer.c
@@ -207,6 +207,7 @@ __find_get_block_slow(struct block_device *bdev, sector_t 
block)
struct buffer_head *head;
struct page *page;
int all_mapped = 1;
+   static DEFINE_RATELIMIT_STATE(last_warned, HZ, 1);
 
index = block >> (PAGE_SHIFT - bd_inode->i_blkbits);
page = find_get_page_flags(bd_mapping, index, FGP_ACCESSED);
@@ -234,15 +235,15 @@ __find_get_block_slow(struct block_device *bdev, sector_t 
block)
 * file io on the block device and getblk.  It gets dealt with
 * elsewhere, don't buffer_error if we had some unmapped buffers
 */
-   if (all_mapped) {
-   printk("__find_get_block_slow() failed. "
-   "block=%llu, b_blocknr=%llu\n",
-   (unsigned long long)block,
-   (unsigned long long)bh->b_blocknr);
-   printk("b_state=0x%08lx, b_size=%zu\n",
-   bh->b_state, bh->b_size);
-   printk("device %pg blocksize: %d\n", bdev,
-   1 << bd_inode->i_blkbits);
+   ratelimit_set_flags(_warned, RATELIMIT_MSG_ON_RELEASE);
+   if (all_mapped && __ratelimit(_warned)) {
+   printk("__find_get_block_slow() failed. block=%llu, "
+  "b_blocknr=%llu, b_state=0x%08lx, b_size=%zu, "
+  "device %pg blocksize: %d\n",
+  (unsigned long long)block,
+  (unsigned long long)bh->b_blocknr,
+  bh->b_state, bh->b_size, bdev,
+  1 << bd_inode->i_blkbits);
}
 out_unlock:
spin_unlock(_mapping->private_lock);
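Review bot: ratelimit_set_flags(..., RATELIMIT_MSG_ON_RELEASE) sits outside the if, so it runs on every call of __find_get_block_slow() that reaches this point, under private_lock, although last_warned is static and the flag only needs setting once. Move it inside the all_mapped branch or set the flag where the state is defined. The merged printk() also still has no log level; pr_err() or an explicit KERN_ level would make the severity clear.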
-- 
2.19.1





[PATCH 4.9 46/96] xtensa: SMP: limit number of possible CPUs by NR_CPUS

2019-03-12 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

[ Upstream commit 25384ce5f9530def39421597b1457d9462df6455 ]

This fixes the following warning at boot when the kernel is booted on a
board with more CPU cores than was configured in NR_CPUS:

  smp_init_cpus: Core Count = 8
  smp_init_cpus: Core Id = 0
  [ cut here ]
  WARNING: CPU: 0 PID: 0 at include/linux/cpumask.h:121 smp_init_cpus+0x54/0x74
  Modules linked in:
  CPU: 0 PID: 0 Comm: swapper Not tainted 5.0.0-rc3-00015-g1459333f88a0 #124
  Call Trace:
__warn$part$3+0x6a/0x7c
warn_slowpath_null+0x35/0x3c
smp_init_cpus+0x54/0x74
setup_arch+0x1c0/0x1d0
start_kernel+0x44/0x310
_startup+0x107/0x107

Signed-off-by: Max Filippov 
Signed-off-by: Sasha Levin 
---
 arch/xtensa/kernel/smp.c | 5 +
 1 file changed, 5 insertions(+)

diff --git a/arch/xtensa/kernel/smp.c b/arch/xtensa/kernel/smp.c
index 8329891071aa..44805673a250 100644
--- a/arch/xtensa/kernel/smp.c
+++ b/arch/xtensa/kernel/smp.c
@@ -93,6 +93,11 @@ void __init smp_init_cpus(void)
pr_info("%s: Core Count = %d\n", __func__, ncpus);
pr_info("%s: Core Id = %d\n", __func__, core_id);
 
+   if (ncpus > NR_CPUS) {
+   ncpus = NR_CPUS;
+   pr_info("%s: limiting core count by %d\n", __func__, ncpus);
+   }
+
for (i = 0; i < ncpus; ++i)
set_cpu_possible(i, true);
 }
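Review bot: the clamp in smp_init_cpus() is reported with pr_info() after ncpus has already been overwritten, so "limiting core count by %d" carries only NR_CPUS and reads like routine boot output. Since cores are being left unused, pr_warn() with both the detected count and the limit would be easier to spot in a boot log.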
-- 
2.19.1





[PATCH 4.9 34/96] vti4: Fix a ipip packet processing bug in IPCOMP virtual tunnel

2019-03-12 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

[ Upstream commit dd9ee3444014e8f28c0eefc9fffc9ac9c5248c12 ]

Recently we run a network test over ipcomp virtual tunnel. We find that
if an ipv4 packet needs fragment, then the peer can't receive
it.

We deep into the code and find that when packet need fragment the smaller
fragment will be encapsulated by ipip not ipcomp. So when the ipip packet
goes into xfrm, its skb->dev is not properly set. The ipv4 reassembly code
always set skb's dev to the last fragment's dev. After ipv4 defrag processing,
when the kernel rp_filter parameter is set, the skb will be dropped by -EXDEV
error.

This patch adds compatible support for the ipip process in ipcomp virtual tunnel.

Signed-off-by: Su Yanjun 
Signed-off-by: Steffen Klassert 
Signed-off-by: Sasha Levin 
---
 net/ipv4/ip_vti.c | 50 +++
 1 file changed, 50 insertions(+)

diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c
index cbff0d6ff1ac..270e79f4d40e 100644
--- a/net/ipv4/ip_vti.c
+++ b/net/ipv4/ip_vti.c
@@ -74,6 +74,33 @@ static int vti_input(struct sk_buff *skb, int nexthdr, 
__be32 spi,
return 0;
 }
 
+static int vti_input_ipip(struct sk_buff *skb, int nexthdr, __be32 spi,
+int encap_type)
+{
+   struct ip_tunnel *tunnel;
+   const struct iphdr *iph = ip_hdr(skb);
+   struct net *net = dev_net(skb->dev);
+   struct ip_tunnel_net *itn = net_generic(net, vti_net_id);
+
+   tunnel = ip_tunnel_lookup(itn, skb->dev->ifindex, TUNNEL_NO_KEY,
+ iph->saddr, iph->daddr, 0);
+   if (tunnel) {
+   if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb))
+   goto drop;
+
+   XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4 = tunnel;
+
+   skb->dev = tunnel->dev;
+
+   return xfrm_input(skb, nexthdr, spi, encap_type);
+   }
+
+   return -EINVAL;
+drop:
+   kfree_skb(skb);
+   return 0;
+}
+
 static int vti_rcv(struct sk_buff *skb)
 {
XFRM_SPI_SKB_CB(skb)->family = AF_INET;
@@ -82,6 +109,14 @@ static int vti_rcv(struct sk_buff *skb)
return vti_input(skb, ip_hdr(skb)->protocol, 0, 0);
 }
 
+static int vti_rcv_ipip(struct sk_buff *skb)
+{
+   XFRM_SPI_SKB_CB(skb)->family = AF_INET;
+   XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct iphdr, daddr);
+
+   return vti_input_ipip(skb, ip_hdr(skb)->protocol, ip_hdr(skb)->saddr, 
0);
+}
+
 static int vti_rcv_cb(struct sk_buff *skb, int err)
 {
unsigned short family;
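Review bot: vti_rcv_ipip() passes ip_hdr(skb)->saddr as the spi argument of vti_input_ipip(), which hands it on to xfrm_input(), and nothing in the code says why a source address stands in for an SPI on the IPIP path. Add a comment above the call explaining which state lookup this relies on.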
@@ -439,6 +474,12 @@ static struct xfrm4_protocol vti_ipcomp4_protocol 
__read_mostly = {
.priority   =   100,
 };
 
+static struct xfrm_tunnel ipip_handler __read_mostly = {
+   .handler=   vti_rcv_ipip,
+   .err_handler=   vti4_err,
+   .priority   =   0,
+};
+
 static int __net_init vti_init_net(struct net *net)
 {
int err;
@@ -622,6 +663,13 @@ static int __init vti_init(void)
if (err < 0)
goto xfrm_proto_comp_failed;
 
+   msg = "ipip tunnel";
+   err = xfrm4_tunnel_register(_handler, AF_INET);
+   if (err < 0) {
+   pr_info("%s: cant't register tunnel\n",__func__);
+   goto xfrm_tunnel_failed;
+   }
+
msg = "netlink interface";
err = rtnl_link_register(_link_ops);
if (err < 0)
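Review bot: the pr_info() string in the new xfrm4_tunnel_register() failure branch is misspelled ("cant't") and is logged at info level although it reports a failed init step. The branch also sets msg = "ipip tunnel" and then prints its own message, unlike the rtnl_link_register() step right below, which only sets msg and jumps to its label. Use pr_err() with the corrected text, or drop the private message and follow the existing pattern.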
@@ -631,6 +679,8 @@ static int __init vti_init(void)
 
 rtnl_link_failed:
xfrm4_protocol_deregister(_ipcomp4_protocol, IPPROTO_COMP);
+xfrm_tunnel_failed:
+   xfrm4_tunnel_deregister(_handler, AF_INET);
 xfrm_proto_comp_failed:
xfrm4_protocol_deregister(_ah4_protocol, IPPROTO_AH);
 xfrm_proto_ah_failed:
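Review bot: the new xfrm_tunnel_failed label is placed after xfrm4_protocol_deregister(..., IPPROTO_COMP) and in front of xfrm4_tunnel_deregister(), which gets the unwind wrong for the case it is named after. When xfrm4_tunnel_register() fails, the jump to xfrm_tunnel_failed deregisters a handler that was never registered and skips the IPPROTO_COMP deregistration for a protocol that was. The xfrm4_tunnel_deregister() call belongs under rtnl_link_failed, with xfrm_tunnel_failed labelling the IPPROTO_COMP deregistration.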
-- 
2.19.1





[PATCH 4.9 72/96] vsock/virtio: fix kernel panic after device hot-unplug

2019-03-12 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

[ Upstream commit 22b5c0b63f32568e130fa2df4ba23efce3eb495b ]

virtio_vsock_remove() invokes the vsock_core_exit() also if there
are opened sockets for the AF_VSOCK protocol family. In this way
the vsock "transport" pointer is set to NULL, triggering the
kernel panic at the first socket activity.

This patch moves the vsock_core_init()/vsock_core_exit() in the
virtio_vsock respectively in module_init and module_exit functions,
that cannot be invoked until there are open sockets.

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1609699
Reported-by: Yan Fu 
Signed-off-by: Stefano Garzarella 
Acked-by: Stefan Hajnoczi 
Signed-off-by: David S. Miller 
Signed-off-by: Sasha Levin 
---
 net/vmw_vsock/virtio_transport.c | 26 ++
 1 file changed, 18 insertions(+), 8 deletions(-)

diff --git a/net/vmw_vsock/virtio_transport.c b/net/vmw_vsock/virtio_transport.c
index 936d7eee62d0..6cbc08d82e7f 100644
--- a/net/vmw_vsock/virtio_transport.c
+++ b/net/vmw_vsock/virtio_transport.c
@@ -71,6 +71,9 @@ static u32 virtio_transport_get_local_cid(void)
 {
struct virtio_vsock *vsock = virtio_vsock_get();
 
+   if (!vsock)
+   return VMADDR_CID_ANY;
+
return vsock->guest_cid;
 }
 
@@ -495,10 +498,6 @@ static int virtio_vsock_probe(struct virtio_device *vdev)
 
virtio_vsock_update_guest_cid(vsock);
 
-   ret = vsock_core_init(_transport.transport);
-   if (ret < 0)
-   goto out_vqs;
-
vsock->rx_buf_nr = 0;
vsock->rx_buf_max_nr = 0;
atomic_set(>queued_replies, 0);
@@ -526,8 +525,6 @@ static int virtio_vsock_probe(struct virtio_device *vdev)
mutex_unlock(_virtio_vsock_mutex);
return 0;
 
-out_vqs:
-   vsock->vdev->config->del_vqs(vsock->vdev);
 out:
kfree(vsock);
mutex_unlock(_virtio_vsock_mutex);
@@ -567,7 +564,6 @@ static void virtio_vsock_remove(struct virtio_device *vdev)
 
mutex_lock(_virtio_vsock_mutex);
the_virtio_vsock = NULL;
-   vsock_core_exit();
mutex_unlock(_virtio_vsock_mutex);
 
vdev->config->del_vqs(vdev);
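Review bot: with vsock_core_exit() gone from virtio_vsock_remove(), the transport stays registered after the_virtio_vsock is set to NULL, so any transport callback that calls virtio_vsock_get() can now see NULL. The patch adds that check only in virtio_transport_get_local_cid(); any other user of virtio_vsock_get() needs the same guard, or the commit message should say why it cannot run once the device is gone.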
@@ -600,14 +596,28 @@ static int __init virtio_vsock_init(void)
virtio_vsock_workqueue = alloc_workqueue("virtio_vsock", 0, 0);
if (!virtio_vsock_workqueue)
return -ENOMEM;
+
ret = register_virtio_driver(_vsock_driver);
if (ret)
-   destroy_workqueue(virtio_vsock_workqueue);
+   goto out_wq;
+
+   ret = vsock_core_init(_transport.transport);
+   if (ret)
+   goto out_vdr;
+
+   return 0;
+
+out_vdr:
+   unregister_virtio_driver(_vsock_driver);
+out_wq:
+   destroy_workqueue(virtio_vsock_workqueue);
return ret;
+
 }
 
 static void __exit virtio_vsock_exit(void)
 {
+   vsock_core_exit();
unregister_virtio_driver(_vsock_driver);
destroy_workqueue(virtio_vsock_workqueue);
 }
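Review bot: virtio_vsock_init() gains a stray empty line between return ret; and the closing brace; please drop it. The unwind order (out_vdr, then out_wq) and virtio_vsock_exit() calling vsock_core_exit() first do mirror the init sequence.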
-- 
2.19.1





[PATCH 4.9 15/96] hv_netvsc: Fix IP header checksum for coalesced packets

2019-03-12 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Haiyang Zhang 

[ Upstream commit bf48648d650db1146b75b9bd358502431e86cf4f ]

Incoming packets may have IP header checksum verified by the host.
They may not have IP header checksum computed after coalescing.
This patch re-computes the checksum when necessary, otherwise the
packets may be dropped, because Linux network stack always checks it.

Signed-off-by: Haiyang Zhang 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 drivers/net/hyperv/netvsc_drv.c |   22 +++---
 1 file changed, 19 insertions(+), 3 deletions(-)

--- a/drivers/net/hyperv/netvsc_drv.c
+++ b/drivers/net/hyperv/netvsc_drv.c
@@ -593,6 +593,14 @@ void netvsc_linkstatus_callback(struct h
schedule_delayed_work(_ctx->dwork, 0);
 }
 
+static void netvsc_comp_ipcsum(struct sk_buff *skb)
+{
+   struct iphdr *iph = (struct iphdr *)skb->data;
+
+   iph->check = 0;
+   iph->check = ip_fast_csum(iph, iph->ihl);
+}
+
 static struct sk_buff *netvsc_alloc_recv_skb(struct net_device *net,
struct hv_netvsc_packet *packet,
struct ndis_tcp_ip_checksum_info *csum_info,
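Review bot: netvsc_comp_ipcsum() casts skb->data to struct iphdr and feeds iph->ihl, a field taken from the received packet, straight into ip_fast_csum() with no check that ihl is at least 5 or that ihl * 4 bytes are present in the linear data. A short or malformed frame would make the checksum read past the header. Validate the length first, for example with pskb_may_pull() or a comparison against skb_headlen(), and skip the recompute when it fails.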
@@ -616,9 +624,17 @@ static struct sk_buff *netvsc_alloc_recv
/* skb is already created with CHECKSUM_NONE */
skb_checksum_none_assert(skb);
 
-   /*
-* In Linux, the IP checksum is always checked.
-* Do L4 checksum offload if enabled and present.
+   /* Incoming packets may have IP header checksum verified by the host.
+* They may not have IP header checksum computed after coalescing.
+* We compute it here if the flags are set, because on Linux, the IP
+* checksum is always checked.
+*/
+   if (csum_info && csum_info->receive.ip_checksum_value_invalid &&
+   csum_info->receive.ip_checksum_succeeded &&
+   skb->protocol == htons(ETH_P_IP))
+   netvsc_comp_ipcsum(skb);
+
+   /* Do L4 checksum offload if enabled and present.
 */
if (csum_info && (net->features & NETIF_F_RXCSUM)) {
if (csum_info->receive.tcp_checksum_succeeded ||




[PATCH 4.9 43/96] xtensa: SMP: fix secondary CPU initialization

2019-03-12 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

[ Upstream commit 32a7726c4f4aadfabdb82440d84f88a5a2c8fe13 ]

- add missing memory barriers to the secondary CPU synchronization spin
  loops; add comment to the matching memory barrier in the boot_secondary
  and __cpu_die functions;
- use READ_ONCE/WRITE_ONCE to access cpu_start_id/cpu_start_ccount
  instead of reading/writing them directly;
- re-initialize cpu_running every time before starting secondary CPU to
  flush possible previous CPU startup results.

Signed-off-by: Max Filippov 
Signed-off-by: Sasha Levin 
---
 arch/xtensa/kernel/head.S |  5 -
 arch/xtensa/kernel/smp.c  | 34 +-
 2 files changed, 25 insertions(+), 14 deletions(-)

diff --git a/arch/xtensa/kernel/head.S b/arch/xtensa/kernel/head.S
index 27c8e07ace43..29f445b410b3 100644
--- a/arch/xtensa/kernel/head.S
+++ b/arch/xtensa/kernel/head.S
@@ -281,12 +281,13 @@ should_never_return:
 
movia2, cpu_start_ccount
 1:
+   memw
l32ia3, a2, 0
beqia3, 0, 1b
movia3, 0
s32ia3, a2, 0
-   memw
 1:
+   memw
l32ia3, a2, 0
beqia3, 0, 1b
wsr a3, ccount
@@ -323,11 +324,13 @@ ENTRY(cpu_restart)
rsr a0, prid
neg a2, a0
movia3, cpu_start_id
+   memw
s32ia2, a3, 0
 #if XCHAL_DCACHE_IS_WRITEBACK
dhwbi   a3, 0
 #endif
 1:
+   memw
l32ia2, a3, 0
dhi a3, 0
bne a2, a0, 1b
diff --git a/arch/xtensa/kernel/smp.c b/arch/xtensa/kernel/smp.c
index fc4ad21a5ed4..fd0f0b50e021 100644
--- a/arch/xtensa/kernel/smp.c
+++ b/arch/xtensa/kernel/smp.c
@@ -192,9 +192,11 @@ static int boot_secondary(unsigned int cpu, struct 
task_struct *ts)
int i;
 
 #ifdef CONFIG_HOTPLUG_CPU
-   cpu_start_id = cpu;
-   system_flush_invalidate_dcache_range(
-   (unsigned long)_start_id, sizeof(cpu_start_id));
+   WRITE_ONCE(cpu_start_id, cpu);
+   /* Pairs with the third memw in the cpu_restart */
+   mb();
+   system_flush_invalidate_dcache_range((unsigned long)_start_id,
+sizeof(cpu_start_id));
 #endif
smp_call_function_single(0, mx_cpu_start, (void *)cpu, 1);
 
@@ -203,18 +205,21 @@ static int boot_secondary(unsigned int cpu, struct 
task_struct *ts)
ccount = get_ccount();
while (!ccount);
 
-   cpu_start_ccount = ccount;
+   WRITE_ONCE(cpu_start_ccount, ccount);
 
-   while (time_before(jiffies, timeout)) {
+   do {
+   /*
+* Pairs with the first two memws in the
+* .Lboot_secondary.
+*/
mb();
-   if (!cpu_start_ccount)
-   break;
-   }
+   ccount = READ_ONCE(cpu_start_ccount);
+   } while (ccount && time_before(jiffies, timeout));
 
-   if (cpu_start_ccount) {
+   if (ccount) {
smp_call_function_single(0, mx_cpu_stop,
-   (void *)cpu, 1);
-   cpu_start_ccount = 0;
+(void *)cpu, 1);
+   WRITE_ONCE(cpu_start_ccount, 0);
return -EIO;
}
}
@@ -234,6 +239,7 @@ int __cpu_up(unsigned int cpu, struct task_struct *idle)
pr_debug("%s: Calling wakeup_secondary(cpu:%d, idle:%p, sp: %08lx)\n",
__func__, cpu, idle, start_info.stack);
 
+   init_completion(_running);
ret = boot_secondary(cpu, idle);
if (ret == 0) {
wait_for_completion_timeout(_running,
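Review bot: __cpu_up() now calls init_completion() on cpu_running before every boot_secondary(); for re-arming a completion that has already been initialised, reinit_completion() is the intended helper, since it only resets the done count and leaves the wait queue alone. If a full re-init is really needed here, a comment should say why.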
@@ -295,8 +301,10 @@ void __cpu_die(unsigned int cpu)
unsigned long timeout = jiffies + msecs_to_jiffies(1000);
while (time_before(jiffies, timeout)) {
system_invalidate_dcache_range((unsigned long)_start_id,
-   sizeof(cpu_start_id));
-   if (cpu_start_id == -cpu) {
+  sizeof(cpu_start_id));
+   /* Pairs with the second memw in the cpu_restart */
+   mb();
+   if (READ_ONCE(cpu_start_id) == -cpu) {
platform_cpu_kill(cpu);
return;
}
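Review bot: the new comments identify their partner barriers by position ("the second memw in the cpu_restart" here, "the third memw" in boot_secondary(), "the first two memws in the .Lboot_secondary"), which stops being true as soon as someone adds or removes a memw in head.S. Put a matching comment next to each memw in head.S naming the C-side mb() it pairs with, so the pairing can be checked from both files.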
-- 
2.19.1





[PATCH 4.9 74/96] dmaengine: dmatest: Abort test in case of mapping error

2019-03-12 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

[ Upstream commit 6454368a804c4955ccd116236037536f81e5b1f1 ]

In case of mapping error the DMA addresses are invalid and continuing
will screw system memory or potentially something else.

[  222.480310] dmatest: dma0chan7-copy0: summary 1 tests, 3 failures 6 iops 349 KB/s (0)
...
[  240.912725] check: Corrupted low memory at c7c75ac9 (2940 phys) = 5656
[  240.921998] check: Corrupted low memory at 5715a1cd (2948 phys) = 279f2aca5595ab2b
[  240.931280] check: Corrupted low memory at 2f4024c0 (2950 phys) = 5e5624f349e793cf
...

Abort any test if mapping failed.

Fixes: 4076e755dbec ("dmatest: convert to dmaengine_unmap_data")
Cc: Dan Williams 
Signed-off-by: Andy Shevchenko 
Signed-off-by: Vinod Koul 
Signed-off-by: Sasha Levin 
---
 drivers/dma/dmatest.c | 28 
 1 file changed, 12 insertions(+), 16 deletions(-)

diff --git a/drivers/dma/dmatest.c b/drivers/dma/dmatest.c
index ebe72a466587..7dd46cf5ed84 100644
--- a/drivers/dma/dmatest.c
+++ b/drivers/dma/dmatest.c
@@ -583,11 +583,9 @@ static int dmatest_func(void *data)
srcs[i] = um->addr[i] + src_off;
ret = dma_mapping_error(dev->dev, um->addr[i]);
if (ret) {
-   dmaengine_unmap_put(um);
result("src mapping error", total_tests,
   src_off, dst_off, len, ret);
-   failed_tests++;
-   continue;
+   goto error_unmap_continue;
}
um->to_cnt++;
}
@@ -602,11 +600,9 @@ static int dmatest_func(void *data)
   DMA_BIDIRECTIONAL);
ret = dma_mapping_error(dev->dev, dsts[i]);
if (ret) {
-   dmaengine_unmap_put(um);
result("dst mapping error", total_tests,
   src_off, dst_off, len, ret);
-   failed_tests++;
-   continue;
+   goto error_unmap_continue;
}
um->bidi_cnt++;
}
@@ -643,12 +639,10 @@ static int dmatest_func(void *data)
}
 
if (!tx) {
-   dmaengine_unmap_put(um);
result("prep error", total_tests, src_off,
   dst_off, len, ret);
msleep(100);
-   failed_tests++;
-   continue;
+   goto error_unmap_continue;
}
 
done->done = false;
@@ -657,12 +651,10 @@ static int dmatest_func(void *data)
cookie = tx->tx_submit(tx);
 
if (dma_submit_error(cookie)) {
-   dmaengine_unmap_put(um);
result("submit error", total_tests, src_off,
   dst_off, len, ret);
msleep(100);
-   failed_tests++;
-   continue;
+   goto error_unmap_continue;
}
dma_async_issue_pending(chan);
 
@@ -675,16 +667,14 @@ static int dmatest_func(void *data)
dmaengine_unmap_put(um);
result("test timed out", total_tests, src_off, dst_off,
   len, 0);
-   failed_tests++;
-   continue;
+   goto error_unmap_continue;
} else if (status != DMA_COMPLETE) {
dmaengine_unmap_put(um);
result(status == DMA_ERROR ?
   "completion error status" :
   "completion busy status", total_tests, src_off,
   dst_off, len, ret);
-   failed_tests++;
-   continue;
+   goto error_unmap_continue;
}
 
dmaengine_unmap_put(um);
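Review bot: In the `!done->done` and `status != DMA_COMPLETE` branches the existing `dmaengine_unmap_put(um);` call is kept, and each branch now jumps to `error_unmap_continue`, which calls `dmaengine_unmap_put(um)` again, so these two paths put `um` twice where the old code put it once. The other converted sites in this patch drop their local put before the `goto`; either do the same here or say in a comment which extra reference the second put releases.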
@@ -727,6 +717,12 @@ static int dmatest_func(void *data)
verbose_result("test passed", total_tests, src_off,
   dst_off, len, 0);
}
+
+   continue;
+
+error_unmap_continue:
+   dmaengine_unmap_put(um);
+   failed_tests++;
}
ktime = ktime_sub(ktime_get(), ktime);
ktime = ktime_sub(ktime, comparetime);
-- 
2.19.1





[PATCH 4.14 078/135] apparmor: Fix aa_label_build() error handling for failed merges

2019-03-12 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

[ Upstream commit d6d478aee003e19ef90321176552a8ad2929a47f ]

aa_label_merge() can return NULL for memory allocation failures;
make sure to handle and set the correct error in this case.

Reported-by: Peng Hao 
Signed-off-by: John Johansen 
Signed-off-by: Sasha Levin 
---
 security/apparmor/domain.c | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
index dd754b7850a8..67bf8b7ee8a2 100644
--- a/security/apparmor/domain.c
+++ b/security/apparmor/domain.c
@@ -1260,7 +1260,10 @@ int aa_change_profile(const char *fqname, int flags)
aa_get_label(>label));
if (IS_ERR_OR_NULL(new)) {
info = "failed to build target label";
-   error = PTR_ERR(new);
+   if (!new)
+   error = -ENOMEM;
+   else
+   error = PTR_ERR(new);
new = NULL;
perms.allow = 0;
goto audit;
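Review bot: The `if (!new)` branch needs a one-line comment, because the reason it exists is not obvious next to `IS_ERR_OR_NULL(new)`: `PTR_ERR(NULL)` evaluates to 0, so with the old `error = PTR_ERR(new);` a NULL return reached `goto audit` with `error` set to 0. The four added lines can also be written as `error = new ? PTR_ERR(new) : -ENOMEM;`, which keeps the mapping in one statement.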
-- 
2.19.1





[PATCH 4.14 071/135] qed: Fix stack out of bounds bug

2019-03-12 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

[ Upstream commit ffb057f98928aa099b08e419bbe5afc26ec9f448 ]

KASAN reported following bug in qed_init_qm_get_idx_from_flags
due to inappropriate casting of "pq_flags". Fix the type of "pq_flags".

[  196.624707] BUG: KASAN: stack-out-of-bounds in qed_init_qm_get_idx_from_flags+0x1a4/0x1b8 [qed]
[  196.624712] Read of size 8 at addr 809b00bc7360 by task kworker/0:9/1712
[  196.624714]
[  196.624720] CPU: 0 PID: 1712 Comm: kworker/0:9 Not tainted 4.18.0-60.el8.aarch64+debug #1
[  196.624723] Hardware name: To be filled by O.E.M. Saber/Saber, BIOS 0ACKL024 09/26/2018
[  196.624733] Workqueue: events work_for_cpu_fn
[  196.624738] Call trace:
[  196.624742]  dump_backtrace+0x0/0x2f8
[  196.624745]  show_stack+0x24/0x30
[  196.624749]  dump_stack+0xe0/0x11c
[  196.624755]  print_address_description+0x68/0x260
[  196.624759]  kasan_report+0x178/0x340
[  196.624762]  __asan_report_load_n_noabort+0x38/0x48
[  196.624786]  qed_init_qm_get_idx_from_flags+0x1a4/0x1b8 [qed]
[  196.624808]  qed_init_qm_info+0xec0/0x2200 [qed]
[  196.624830]  qed_resc_alloc+0x284/0x7e8 [qed]
[  196.624853]  qed_slowpath_start+0x6cc/0x1ae8 [qed]
[  196.624864]  __qede_probe.isra.10+0x1cc/0x12c0 [qede]
[  196.624874]  qede_probe+0x78/0xf0 [qede]
[  196.624879]  local_pci_probe+0xc4/0x180
[  196.624882]  work_for_cpu_fn+0x54/0x98
[  196.624885]  process_one_work+0x758/0x1900
[  196.624888]  worker_thread+0x4e0/0xd18
[  196.624892]  kthread+0x2c8/0x350
[  196.624897]  ret_from_fork+0x10/0x18
[  196.624899]
[  196.624902] Allocated by task 2:
[  196.624906]  kasan_kmalloc.part.1+0x40/0x108
[  196.624909]  kasan_kmalloc+0xb4/0xc8
[  196.624913]  kasan_slab_alloc+0x14/0x20
[  196.624916]  kmem_cache_alloc_node+0x1dc/0x480
[  196.624921]  copy_process.isra.1.part.2+0x1d8/0x4a98
[  196.624924]  _do_fork+0x150/0xfa0
[  196.624926]  kernel_thread+0x48/0x58
[  196.624930]  kthreadd+0x3a4/0x5a0
[  196.624932]  ret_from_fork+0x10/0x18
[  196.624934]
[  196.624937] Freed by task 0:
[  196.624938] (stack is not available)
[  196.624940]
[  196.624943] The buggy address belongs to the object at 809b00bc
[  196.624943]  which belongs to the cache thread_stack of size 32768
[  196.624946] The buggy address is located 29536 bytes inside of
[  196.624946]  32768-byte region [809b00bc, 809b00bc8000)
[  196.624948] The buggy address belongs to the page:
[  196.624952] page:7fe026c02e00 count:1 mapcount:0 mapping:809b4001c000 index:0x0 compound_mapcount: 0
[  196.624960] flags: 0xf808100(slab|head)
[  196.624967] raw: 0f808100 dead0100 dead0200 809b4001c000
[  196.624970] raw:  00080008 0001
[  196.624973] page dumped because: kasan: bad access detected
[  196.624974]
[  196.624976] Memory state around the buggy address:
[  196.624980]  809b00bc7200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  196.624983]  809b00bc7280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  196.624985] >809b00bc7300: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 04 f2 f2 f2
[  196.624988]^
[  196.624990]  809b00bc7380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  196.624993]  809b00bc7400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  196.624995] ==

Signed-off-by: Manish Chopra 
Signed-off-by: Ariel Elior 
Signed-off-by: David S. Miller 
Signed-off-by: Sasha Levin 
---
 drivers/net/ethernet/qlogic/qed/qed_dev.c | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/net/ethernet/qlogic/qed/qed_dev.c 
b/drivers/net/ethernet/qlogic/qed/qed_dev.c
index 16953c4ebd71..410528e7d927 100644
--- a/drivers/net/ethernet/qlogic/qed/qed_dev.c
+++ b/drivers/net/ethernet/qlogic/qed/qed_dev.c
@@ -435,19 +435,19 @@ static void qed_init_qm_pq(struct qed_hwfn *p_hwfn,
 
 /* get pq index according to PQ_FLAGS */
 static u16 *qed_init_qm_get_idx_from_flags(struct qed_hwfn *p_hwfn,
-  u32 pq_flags)
+  unsigned long pq_flags)
 {
struct qed_qm_info *qm_info = _hwfn->qm_info;
 
/* Can't have multiple flags set here */
-   if (bitmap_weight((unsigned long *)_flags,
+   if (bitmap_weight(_flags,
  sizeof(pq_flags) * BITS_PER_BYTE) > 1) {
-   DP_ERR(p_hwfn, "requested multiple pq flags 0x%x\n", pq_flags);
+   DP_ERR(p_hwfn, "requested multiple pq flags 0x%lx\n", pq_flags);
goto err;
}
 
if (!(qed_get_pq_flags(p_hwfn) & pq_flags)) {
-   DP_ERR(p_hwfn, "pq flag 0x%x is not set\n", pq_flags);
+   DP_ERR(p_hwfn, "pq flag 0x%lx is not set\n", pq_flags);
goto err;
}
 
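Review bot: With `pq_flags` now an `unsigned long`, the `bitmap_weight()` call with `sizeof(pq_flags) * BITS_PER_BYTE` still takes the address of a by-value parameter just to count the bits of one word. `hweight_long(pq_flags) > 1` expresses the same test without a pointer, which removes the construct that made the out-of-bounds read possible in the first place. If the bitmap call stays, `BITS_PER_LONG` is clearer than the `sizeof` product.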
-- 
2.19.1





[PATCH 4.14 084/135] fs/drop_caches.c: avoid softlockups in drop_pagecache_sb()

2019-03-12 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

[ Upstream commit c27d82f52f75fc9d8d9d40d120d2a96fdeeada5e ]

When superblock has lots of inodes without any pagecache (like is the
case for /proc), drop_pagecache_sb() will iterate through all of them
without dropping sb->s_inode_list_lock which can lead to softlockups
(one of our customers hit this).

Fix the problem by going to the slow path and doing cond_resched() in
case the process needs rescheduling.

Link: http://lkml.kernel.org/r/20190114085343.15011-1-j...@suse.cz
Signed-off-by: Jan Kara 
Acked-by: Michal Hocko 
Reviewed-by: Andrew Morton 
Cc: Al Viro 
Signed-off-by: Andrew Morton 
Signed-off-by: Linus Torvalds 
Signed-off-by: Sasha Levin 
---
 fs/drop_caches.c | 8 +++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/fs/drop_caches.c b/fs/drop_caches.c
index 82377017130f..d31b6c72b476 100644
--- a/fs/drop_caches.c
+++ b/fs/drop_caches.c
@@ -21,8 +21,13 @@ static void drop_pagecache_sb(struct super_block *sb, void 
*unused)
spin_lock(>s_inode_list_lock);
list_for_each_entry(inode, >s_inodes, i_sb_list) {
spin_lock(>i_lock);
+   /*
+* We must skip inodes in unusual state. We may also skip
+* inodes without pages but we deliberately won't in case
+* we need to reschedule to avoid softlockups.
+*/
if ((inode->i_state & (I_FREEING|I_WILL_FREE|I_NEW)) ||
-   (inode->i_mapping->nrpages == 0)) {
+   (inode->i_mapping->nrpages == 0 && !need_resched())) {
spin_unlock(>i_lock);
continue;
}
@@ -30,6 +35,7 @@ static void drop_pagecache_sb(struct super_block *sb, void 
*unused)
spin_unlock(>i_lock);
spin_unlock(>s_inode_list_lock);
 
+   cond_resched();
invalidate_mapping_pages(inode->i_mapping, 0, -1);
iput(toput_inode);
toput_inode = inode;
-- 
2.19.1





[PATCH 4.14 076/135] x86/microcode/amd: Don't falsely trick the late loading mechanism

2019-03-12 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

[ Upstream commit 912139cfbfa6a2bc1da052314d2c29338dae1f6a ]

The load_microcode_amd() function searches for microcode patches and
attempts to apply a microcode patch if it is of different level than the
currently installed level.

While the processor won't actually load a level that is less than
what is already installed, the logic wrongly returns UCODE_NEW thus
signaling to its caller reload_store() that a late loading should be
attempted.

If the file-system contains an older microcode revision than what is
currently running, such a late microcode reload can result in these
misleading messages:

  x86/CPU: CPU features have changed after loading microcode, but might not take effect.
  x86/CPU: Please consider either early loading through initrd/built-in or a potential BIOS update.

These messages were issued on a system where SME/SEV are not
enabled by the BIOS (MSR C001_0010[23] = 0b) because during boot,
early_detect_mem_encrypt() is called and cleared the SME and SEV
features in this case.

However, after the wrong late load attempt, get_cpu_cap() is called and
reloads the SME and SEV feature bits, resulting in the messages.

Update the microcode level check to not attempt microcode loading if the
current level is greater than(!) and not only equal to the current patch
level.

 [ bp: massage commit message. ]

Fixes: 2613f36ed965 ("x86/microcode: Attempt late loading only when new microcode is present")
Signed-off-by: Tom Lendacky 
Signed-off-by: Borislav Petkov 
Cc: "H. Peter Anvin" 
Cc: Ingo Molnar 
Cc: Thomas Gleixner 
Cc: x86-ml 
Link: https://lkml.kernel.org/r/154894518427.9406.8246222496874202773.st...@tlendack-t1.amdoffice.net
Signed-off-by: Sasha Levin 
---
 arch/x86/kernel/cpu/microcode/amd.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/x86/kernel/cpu/microcode/amd.c 
b/arch/x86/kernel/cpu/microcode/amd.c
index 9d33dbf2489e..d0a61d3e2fb9 100644
--- a/arch/x86/kernel/cpu/microcode/amd.c
+++ b/arch/x86/kernel/cpu/microcode/amd.c
@@ -707,7 +707,7 @@ load_microcode_amd(bool save, u8 family, const u8 *data, 
size_t size)
if (!p) {
return ret;
} else {
-   if (boot_cpu_data.microcode == p->patch_id)
+   if (boot_cpu_data.microcode >= p->patch_id)
return ret;
 
ret = UCODE_NEW;
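Review bot: The `>=` in `boot_cpu_data.microcode >= p->patch_id` encodes two things the code does not say: patch levels are compared as ordered integers, and an older on-disk patch must never trigger a late load. A short comment above the comparison stating both would keep a later cleanup from turning it back into `==`, since the consequence (misleading feature-change messages after `reload_store()`) is only described in the commit message.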
-- 
2.19.1





[PATCH 4.14 068/135] qed: Fix LACP pdu drops for VFs

2019-03-12 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

[ Upstream commit ff9296966e5e00b0d0d00477b2365a178f0f06a3 ]

VF is always configured to drop control frames
(with reserved mac addresses) but to work LACP
on the VFs, it would require LACP control frames
to be forwarded or transmitted successfully.

This patch fixes this in such a way that trusted VFs
(marked through ndo_set_vf_trust) would be allowed to
pass the control frames such as LACP pdus.

Signed-off-by: Manish Chopra 
Signed-off-by: Ariel Elior 
Signed-off-by: David S. Miller 
Signed-off-by: Sasha Levin 
---
 drivers/net/ethernet/qlogic/qed/qed_l2.c|  5 +
 drivers/net/ethernet/qlogic/qed/qed_l2.h|  3 +++
 drivers/net/ethernet/qlogic/qed/qed_sriov.c | 10 --
 3 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/qlogic/qed/qed_l2.c 
b/drivers/net/ethernet/qlogic/qed/qed_l2.c
index 5191b575d57b..4ffdde755db7 100644
--- a/drivers/net/ethernet/qlogic/qed/qed_l2.c
+++ b/drivers/net/ethernet/qlogic/qed/qed_l2.c
@@ -747,6 +747,11 @@ int qed_sp_vport_update(struct qed_hwfn *p_hwfn,
return rc;
}
 
+   if (p_params->update_ctl_frame_check) {
+   p_cmn->ctl_frame_mac_check_en = p_params->mac_chk_en;
+   p_cmn->ctl_frame_ethtype_check_en = p_params->ethtype_chk_en;
+   }
+
/* Update mcast bins for VFs, PF doesn't use this functionality */
qed_sp_update_mcast_bin(p_hwfn, p_ramrod, p_params);
 
diff --git a/drivers/net/ethernet/qlogic/qed/qed_l2.h 
b/drivers/net/ethernet/qlogic/qed/qed_l2.h
index 91d383f3a661..7c41142452a3 100644
--- a/drivers/net/ethernet/qlogic/qed/qed_l2.h
+++ b/drivers/net/ethernet/qlogic/qed/qed_l2.h
@@ -218,6 +218,9 @@ struct qed_sp_vport_update_params {
struct qed_rss_params   *rss_params;
struct qed_filter_accept_flags  accept_flags;
struct qed_sge_tpa_params   *sge_tpa_params;
+   u8  update_ctl_frame_check;
+   u8  mac_chk_en;
+   u8  ethtype_chk_en;
 };
 
 int qed_sp_vport_update(struct qed_hwfn *p_hwfn,
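Review bot: The three new `u8` members of `struct qed_sp_vport_update_params` carry no comments, and their relationship is only visible in qed_l2.c, where `update_ctl_frame_check` gates whether `mac_chk_en` and `ethtype_chk_en` are written at all. Please document that here, including that a caller who sets the update flag is responsible for both enable fields.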
diff --git a/drivers/net/ethernet/qlogic/qed/qed_sriov.c 
b/drivers/net/ethernet/qlogic/qed/qed_sriov.c
index c6411158afd7..65a53d409e77 100644
--- a/drivers/net/ethernet/qlogic/qed/qed_sriov.c
+++ b/drivers/net/ethernet/qlogic/qed/qed_sriov.c
@@ -1963,7 +1963,9 @@ static void qed_iov_vf_mbx_start_vport(struct qed_hwfn 
*p_hwfn,
params.vport_id = vf->vport_id;
params.max_buffers_per_cqe = start->max_buffers_per_cqe;
params.mtu = vf->mtu;
-   params.check_mac = true;
+
+   /* Non trusted VFs should enable control frame filtering */
+   params.check_mac = !vf->p_vf_info.is_trusted_configured;
 
rc = qed_sp_eth_vport_start(p_hwfn, );
if (rc) {
@@ -4910,6 +4912,9 @@ static void qed_iov_handle_trust_change(struct qed_hwfn 
*hwfn)
params.opaque_fid = vf->opaque_fid;
params.vport_id = vf->vport_id;
 
+   params.update_ctl_frame_check = 1;
+   params.mac_chk_en = !vf_info->is_trusted_configured;
+
if (vf_info->rx_accept_mode & mask) {
flags->update_rx_mode_config = 1;
flags->rx_accept_filter = vf_info->rx_accept_mode;
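Review bot: This block sets `params.update_ctl_frame_check = 1` and `params.mac_chk_en` but never sets `params.ethtype_chk_en`, while `qed_sp_vport_update()` copies both enable fields into the ramrod whenever the update flag is set. Every trust change therefore writes `ctl_frame_ethtype_check_en` from whatever `params` was initialised to, for trusted and untrusted VFs alike. If leaving the ethertype check at that value is intended, say so in a comment; otherwise set it explicitly next to `mac_chk_en`.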
@@ -4927,7 +4932,8 @@ static void qed_iov_handle_trust_change(struct qed_hwfn 
*hwfn)
}
 
if (flags->update_rx_mode_config ||
-   flags->update_tx_mode_config)
+   flags->update_tx_mode_config ||
+   params.update_ctl_frame_check)
qed_sp_vport_update(hwfn, ,
QED_SPQ_MODE_EBLOCK, NULL);
}
-- 
2.19.1





[PATCH 4.14 043/135] media: uvcvideo: Fix type check leading to overflow

2019-03-12 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

From: Alistair Strachan 

commit 47bb117911b051bbc90764a8bff96543cbd2005f upstream.

When initially testing the Camera Terminal Descriptor wTerminalType
field (buffer[4]), no mask is used. Later in the function, the MSB is
overloaded to store the descriptor subtype, and so a mask of 0x7fff
is used to check the type.

If a descriptor is specially crafted to set this overloaded bit in the
original wTerminalType field, the initial type check will fail (falling
through, without adjusting the buffer size), but the later type checks
will pass, assuming the buffer has been made suitably large, causing an
overflow.

Avoid this problem by checking for the MSB in the wTerminalType field.
If the bit is set, assume the descriptor is bad, and abort parsing it.

Originally reported here:
https://groups.google.com/forum/#!topic/syzkaller/Ot1fOE6v1d8
A similar (non-compiling) patch was provided at that time.

Reported-by: syzbot 
Signed-off-by: Alistair Strachan 
Signed-off-by: Laurent Pinchart 
Signed-off-by: Mauro Carvalho Chehab 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/media/usb/uvc/uvc_driver.c |   14 +++---
 1 file changed, 11 insertions(+), 3 deletions(-)

--- a/drivers/media/usb/uvc/uvc_driver.c
+++ b/drivers/media/usb/uvc/uvc_driver.c
@@ -1054,11 +1054,19 @@ static int uvc_parse_standard_control(st
return -EINVAL;
}
 
-   /* Make sure the terminal type MSB is not null, otherwise it
-* could be confused with a unit.
+   /*
+* Reject invalid terminal types that would cause issues:
+*
+* - The high byte must be non-zero, otherwise it would be
+*   confused with a unit.
+*
+* - Bit 15 must be 0, as we use it internally as a terminal
+*   direction flag.
+*
+* Other unknown types are accepted.
 */
type = get_unaligned_le16([4]);
-   if ((type & 0xff00) == 0) {
+   if ((type & 0x7f00) == 0 || (type & 0x8000) != 0) {
uvc_trace(UVC_TRACE_DESCR, "device %d videocontrol "
"interface %d INPUT_TERMINAL %d has invalid "
"type 0x%04x, skipping\n", udev->devnum,
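Review bot: The new condition uses the literals `0x7f00` and `0x8000`, while the comment explains that bit 15 is the driver's internal terminal direction flag; a named constant for that bit in place of `0x8000` would tie this check to the later masked comparisons so the two cannot drift apart again. The trace message still reports only "invalid type", so consider distinguishing the bit-15 case there, since it points to a malformed descriptor rather than a unit/terminal mix-up.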

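The check mismatch described in the uvcvideo commit message above can be modelled in user-space C. This is an added example, not code from the driver or the patch: the `ex_` functions and the split into a "sizing" test and a "parsing" test are assumptions drawn from the commit text, and the descriptor bytes are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Names prefixed ex_/EX_ are local to this example (hypothetical).
 * 0x0201 is the Camera input terminal type in the USB Video Class spec. */
#define EX_ITT_CAMERA 0x0201u
#define EX_DIR_BIT    0x8000u /* bit 15: reused internally, per the patch comment */
#define EX_TYPE_MASK  0x7fffu /* mask the commit message says later checks use */

/* Constructed sample: first bytes of a descriptor with wTerminalType = 0x8201. */
static const uint8_t ex_sample_desc[8] = {
	0x08, 0x24, 0x02, 0x01, 0x01, 0x82, 0x00, 0x00
};

/* wTerminalType sits at offset 4 of the descriptor, little-endian. */
static uint16_t ex_terminal_type(const uint8_t *desc)
{
	return (uint16_t)(desc[4] | (desc[5] << 8));
}

/* Early test that decides how large the descriptor must be: no mask. */
static bool ex_sized_as_camera(uint16_t type)
{
	return type == EX_ITT_CAMERA;
}

/* Later test that decides which fields get parsed: masked. */
static bool ex_parsed_as_camera(uint16_t type)
{
	return (type & EX_TYPE_MASK) == EX_ITT_CAMERA;
}

/* Validity check before the patch (the removed condition). */
static bool ex_old_rejects(uint16_t type)
{
	return (type & 0xff00) == 0;
}

/* Validity check after the patch (the added condition). */
static bool ex_new_rejects(uint16_t type)
{
	return (type & 0x7f00) == 0 || (type & EX_DIR_BIT) != 0;
}

typedef bool (*ex_reject_fn)(uint16_t);

/* The dangerous combination: accepted, not sized as a camera terminal,
 * yet parsed as one. */
static bool ex_mismatch(uint16_t type, ex_reject_fn rejects)
{
	return !rejects(type) && !ex_sized_as_camera(type) &&
	       ex_parsed_as_camera(type);
}

/* Sweep every 16-bit value and count the mismatches a check lets through. */
static unsigned ex_count_mismatches(ex_reject_fn rejects)
{
	unsigned n = 0;

	for (uint32_t t = 0; t <= 0xffff; t++)
		if (ex_mismatch((uint16_t)t, rejects))
			n++;
	return n;
}

/* First mismatching value, or -1 when the check leaves none. */
static int32_t ex_first_mismatch(ex_reject_fn rejects)
{
	for (uint32_t t = 0; t <= 0xffff; t++)
		if (ex_mismatch((uint16_t)t, rejects))
			return (int32_t)t;
	return -1;
}

int main(void)
{
	uint16_t type = ex_terminal_type(ex_sample_desc);

	printf("sample wTerminalType: 0x%04x\n", (unsigned)type);
	printf("old check: %u mismatch(es), first 0x%04x\n",
	       ex_count_mismatches(ex_old_rejects),
	       (unsigned)ex_first_mismatch(ex_old_rejects));
	printf("new check: %u mismatch(es)\n",
	       ex_count_mismatches(ex_new_rejects));
	printf("plain camera type still accepted: %s\n",
	       ex_new_rejects(EX_ITT_CAMERA) ? "no" : "yes");
	return 0;
}
```

The exhaustive sweep is the useful part for review: it shows that rejecting bit 15 closes every value on which the two tests disagree, without rejecting the legitimate camera type or other unknown types.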



[PATCH 4.14 049/135] iommu/amd: Unmap all mapped pages in error path of map_sg

2019-03-12 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

[ Upstream commit f1724c0883bb0ce93b8dcb94b53dcca3b75ac9a7 ]

In the error path of map_sg there is an incorrect if condition
for breaking out of the loop that searches the scatterlist
for mapped pages to unmap. Instead of breaking out of the
loop once all the pages that were mapped have been unmapped,
it will break out of the loop after it has unmapped 1 page.
Fix the condition, so it breaks out of the loop only after
all the mapped pages have been unmapped.

Fixes: 80187fd39dcb ("iommu/amd: Optimize map_sg and unmap_sg")
Cc: Joerg Roedel 
Signed-off-by: Jerry Snitselaar 
Signed-off-by: Joerg Roedel 
Signed-off-by: Sasha Levin 
---
 drivers/iommu/amd_iommu.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c
index ded13a6afa66..0c0acf6fda87 100644
--- a/drivers/iommu/amd_iommu.c
+++ b/drivers/iommu/amd_iommu.c
@@ -2560,7 +2560,7 @@ static int map_sg(struct device *dev, struct scatterlist 
*sglist,
bus_addr  = address + s->dma_address + (j << 
PAGE_SHIFT);
iommu_unmap_page(domain, bus_addr, PAGE_SIZE);
 
-   if (--mapped_pages)
+   if (--mapped_pages == 0)
goto out_free_iova;
}
}
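Review bot: `if (--mapped_pages == 0)` only terminates the unmap loop when `mapped_pages` is at least 1 on entry. If the error path can be reached with `mapped_pages` equal to 0 (mapping failed on the very first page), the pre-decrement steps past zero and the loop walks the rest of the scatterlist calling `iommu_unmap_page()` on addresses that were never mapped. Please either test `mapped_pages` before entering the loop or confirm that the count cannot be zero here.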
-- 
2.19.1





[PATCH 4.14 025/135] xen-netback: fix occasional leak of grant ref mappings under memory pressure

2019-03-12 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

From: Igor Druzhinin 

[ Upstream commit 99e87f56b48f490fb16b6e0f74691c1e664dea95 ]

Zero-copy callback flag is not yet set on frag list skb at the moment
xenvif_handle_frag_list() returns -ENOMEM. This eventually results in
leaking grant ref mappings since xenvif_zerocopy_callback() is never
called for these fragments. Those eventually build up and cause Xen
to kill Dom0 as the slots get reused for new mappings:

"d0v0 Attempt to implicitly unmap a granted PTE c01329fce005"

That behavior is observed under certain workloads where sudden spikes
of page cache writes coexist with active atomic skb allocations from
network traffic. Additionally, rework the logic to deal with frag_list
deallocation in a single place.

Signed-off-by: Paul Durrant 
Signed-off-by: Igor Druzhinin 
Acked-by: Wei Liu 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 drivers/net/xen-netback/netback.c |   10 +-
 1 file changed, 5 insertions(+), 5 deletions(-)

--- a/drivers/net/xen-netback/netback.c
+++ b/drivers/net/xen-netback/netback.c
@@ -1074,11 +1074,6 @@ static int xenvif_handle_frag_list(struc
skb_frag_size_set([i], len);
}
 
-   /* Copied all the bits from the frag list -- free it. */
-   skb_frag_list_init(skb);
-   xenvif_skb_zerocopy_prepare(queue, nskb);
-   kfree_skb(nskb);
-
/* Release all the original (foreign) frags. */
for (f = 0; f < skb_shinfo(skb)->nr_frags; f++)
skb_frag_unref(skb, f);
@@ -1147,6 +1142,8 @@ static int xenvif_tx_submit(struct xenvi
xenvif_fill_frags(queue, skb);
 
if (unlikely(skb_has_frag_list(skb))) {
+   struct sk_buff *nskb = skb_shinfo(skb)->frag_list;
+   xenvif_skb_zerocopy_prepare(queue, nskb);
if (xenvif_handle_frag_list(queue, skb)) {
if (net_ratelimit())
netdev_err(queue->vif->dev,
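Review bot: In the `skb_has_frag_list(skb)` block the declaration `struct sk_buff *nskb = skb_shinfo(skb)->frag_list;` is followed directly by the call to `xenvif_skb_zerocopy_prepare(queue, nskb)`; kernel style wants a blank line between declarations and statements. A short comment on the prepare call would also help, because the reason it must now run before `xenvif_handle_frag_list()` (the callback flag has to be set even when that function returns -ENOMEM) is only in the commit message.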
@@ -1155,6 +1152,9 @@ static int xenvif_tx_submit(struct xenvi
kfree_skb(skb);
continue;
}
+   /* Copied all the bits from the frag list -- free it. */
+   skb_frag_list_init(skb);
+   kfree_skb(nskb);
}
 
skb->dev  = queue->vif->dev;




[PATCH 4.14 026/135] net: Add __icmp_send helper.

2019-03-12 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

From: Nazarov Sergey 

[ Upstream commit 9ef6b42ad6fd7929dd1b6092cb02014e382c6a91 ]

Add __icmp_send function having ip_options struct parameter

Signed-off-by: Sergey Nazarov 
Reviewed-by: Paul Moore 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 include/net/icmp.h |9 -
 net/ipv4/icmp.c|7 ---
 2 files changed, 12 insertions(+), 4 deletions(-)

--- a/include/net/icmp.h
+++ b/include/net/icmp.h
@@ -22,6 +22,7 @@
 
 #include 
 #include 
+#include 
 
 struct icmp_err {
   int  errno;
@@ -39,7 +40,13 @@ struct net_proto_family;
 struct sk_buff;
 struct net;
 
-void icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info);
+void __icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info,
+const struct ip_options *opt);
+static inline void icmp_send(struct sk_buff *skb_in, int type, int code, 
__be32 info)
+{
+   __icmp_send(skb_in, type, code, info, (skb_in)->opt);
+}
+
 int icmp_rcv(struct sk_buff *skb);
 void icmp_err(struct sk_buff *skb, u32 info);
 int icmp_init(void);
--- a/net/ipv4/icmp.c
+++ b/net/ipv4/icmp.c
@@ -573,7 +573,8 @@ relookup_failed:
  * MUST reply to only the first fragment.
  */
 
-void icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info)
+void __icmp_send(struct sk_buff *skb_in, int type, int code, __be32 info,
+const struct ip_options *opt)
 {
struct iphdr *iph;
int room;
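Review bot: `__icmp_send()` gains a `const struct ip_options *opt` parameter with no comment on what it must point to or how long it must remain valid, and the commit message gives no reason for the new helper. Please add a kernel-doc line for `opt` above the function, stating when a caller should pass something other than the options stored with `skb_in`.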
@@ -694,7 +695,7 @@ void icmp_send(struct sk_buff *skb_in, i
  iph->tos;
mark = IP4_REPLY_MARK(net, skb_in->mark);
 
-   if (ip_options_echo(net, _param.replyopts.opt.opt, skb_in))
+   if (__ip_options_echo(net, _param.replyopts.opt.opt, skb_in, opt))
goto out_unlock;
 
 
@@ -747,7 +748,7 @@ out_bh_enable:
local_bh_enable();
 out:;
 }
-EXPORT_SYMBOL(icmp_send);
+EXPORT_SYMBOL(__icmp_send);
 
 
 static void icmp_socket_deliver(struct sk_buff *skb, u32 info)




[PATCH 4.19 147/149] perf/x86/intel: Generalize dynamic constraint creation

2019-03-12 Thread Greg Kroah-Hartman
4.19-stable review patch.  If anyone has any objections, please let me know.

--

From: "Peter Zijlstra (Intel)" 

commit 11f8b2d65ca9029591c8df26bb6bd063c312b7fe upstream

Such that we can re-use it.

Signed-off-by: Peter Zijlstra (Intel) 
Signed-off-by: Thomas Gleixner 
Signed-off-by: Greg Kroah-Hartman 
---
 arch/x86/events/intel/core.c |   51 +--
 1 file changed, 30 insertions(+), 21 deletions(-)

--- a/arch/x86/events/intel/core.c
+++ b/arch/x86/events/intel/core.c
@@ -2653,6 +2653,35 @@ intel_stop_scheduling(struct cpu_hw_even
 }
 
 static struct event_constraint *
+dyn_constraint(struct cpu_hw_events *cpuc, struct event_constraint *c, int idx)
+{
+   WARN_ON_ONCE(!cpuc->constraint_list);
+
+   if (!(c->flags & PERF_X86_EVENT_DYNAMIC)) {
+   struct event_constraint *cx;
+
+   /*
+* grab pre-allocated constraint entry
+*/
+   cx = >constraint_list[idx];
+
+   /*
+* initialize dynamic constraint
+* with static constraint
+*/
+   *cx = *c;
+
+   /*
+* mark constraint as dynamic
+*/
+   cx->flags |= PERF_X86_EVENT_DYNAMIC;
+   c = cx;
+   }
+
+   return c;
+}
+
+static struct event_constraint *
 intel_get_excl_constraints(struct cpu_hw_events *cpuc, struct perf_event 
*event,
   int idx, struct event_constraint *c)
 {
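Review bot: `dyn_constraint()` warns with `WARN_ON_ONCE(!cpuc->constraint_list)` and then, for a constraint that is not yet dynamic, still takes entry `idx` of that list and writes `*cx = *c` through it, so when the warning fires the next statements dereference NULL. Either return early when the list is missing or drop the warning and document the precondition. The shortened comment also lost the "so we can free it later on" rationale for `PERF_X86_EVENT_DYNAMIC`; keep it if it still applies to the new callers.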
@@ -2682,27 +2711,7 @@ intel_get_excl_constraints(struct cpu_hw
 * only needed when constraint has not yet
 * been cloned (marked dynamic)
 */
-   if (!(c->flags & PERF_X86_EVENT_DYNAMIC)) {
-   struct event_constraint *cx;
-
-   /*
-* grab pre-allocated constraint entry
-*/
-   cx = >constraint_list[idx];
-
-   /*
-* initialize dynamic constraint
-* with static constraint
-*/
-   *cx = *c;
-
-   /*
-* mark constraint as dynamic, so we
-* can free it later on
-*/
-   cx->flags |= PERF_X86_EVENT_DYNAMIC;
-   c = cx;
-   }
+   c = dyn_constraint(cpuc, c, idx);
 
/*
 * From here on, the constraint is dynamic.




[PATCH 4.14 031/135] tun: fix blocking read

2019-03-12 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

From: Timur Celik 

[ Upstream commit 71828b2240692cec0e68b8d867bc00e1745e7fae ]

This patch moves setting of the current state into the loop. Otherwise
the task may end up in a busy wait loop if none of the break conditions
are met.

Signed-off-by: Timur Celik 
Signed-off-by: David S. Miller 
Signed-off-by: Greg Kroah-Hartman 
---
 drivers/net/tun.c |4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -1714,9 +1714,9 @@ static struct sk_buff *tun_ring_recv(str
}
 
add_wait_queue(>wq.wait, );
-   current->state = TASK_INTERRUPTIBLE;
 
while (1) {
+   set_current_state(TASK_INTERRUPTIBLE);
skb = skb_array_consume(>tx_array);
if (skb)
break;
@@ -1732,7 +1732,7 @@ static struct sk_buff *tun_ring_recv(str
schedule();
}
 
-   current->state = TASK_RUNNING;
+   set_current_state(TASK_RUNNING);
remove_wait_queue(>wq.wait, );
 
 out:
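Review bot: For the reset after the loop, `__set_current_state(TASK_RUNNING)` is sufficient; the barrier in `set_current_state()` matters for the `TASK_INTERRUPTIBLE` store inside the loop, where it orders the state change against the `skb_array_consume()` check, but not when going back to running. A one-line comment at the top of the loop saying why the state is set on every iteration would keep the assignment from being hoisted out again.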




[PATCH 4.19 135/149] netfilter: xt_TEE: fix wrong interface selection

2019-03-12 Thread Greg Kroah-Hartman
4.19-stable review patch.  If anyone has any objections, please let me know.

--

[ Upstream commit f24d2d4f9586985509320f90308723d3d0c4e47f ]

TEE netdevice notifier handler checks only interface name. However,
each netns can have the same interface name. Hence another netns's interface
could be selected.

test commands:
   %ip netns add vm1
   %iptables -I INPUT -p icmp -j TEE --gateway 192.168.1.1 --oif enp2s0
   %ip link set enp2s0 netns vm1

Above rule is in the root netns. But that rule could get enp2s0
ifindex of vm1 by notifier handler.

After this patch, TEE rule is added to the per-netns list.

Fixes: 9e2f6c5d78db ("netfilter: Rework xt_TEE netdevice notifier")
Signed-off-by: Taehee Yoo 
Signed-off-by: Pablo Neira Ayuso 
Signed-off-by: Sasha Levin 
---
 net/netfilter/xt_TEE.c | 69 +++---
 1 file changed, 52 insertions(+), 17 deletions(-)

diff --git a/net/netfilter/xt_TEE.c b/net/netfilter/xt_TEE.c
index 0d0d68c989df..673ad2099f97 100644
--- a/net/netfilter/xt_TEE.c
+++ b/net/netfilter/xt_TEE.c
@@ -14,6 +14,8 @@
 #include 
 #include 
 #include 
+#include 
+#include 
 #include 
 #include 
 #include 
@@ -25,8 +27,15 @@ struct xt_tee_priv {
int oif;
 };
 
+static unsigned int tee_net_id __read_mostly;
 static const union nf_inet_addr tee_zero_address;
 
+struct tee_net {
+   struct list_head priv_list;
+   /* lock protects the priv_list */
+   struct mutex lock;
+};
+
 static unsigned int
 tee_tg4(struct sk_buff *skb, const struct xt_action_param *par)
 {
@@ -51,17 +60,16 @@ tee_tg6(struct sk_buff *skb, const struct xt_action_param 
*par)
 }
 #endif
 
-static DEFINE_MUTEX(priv_list_mutex);
-static LIST_HEAD(priv_list);
-
 static int tee_netdev_event(struct notifier_block *this, unsigned long event,
void *ptr)
 {
struct net_device *dev = netdev_notifier_info_to_dev(ptr);
+   struct net *net = dev_net(dev);
+   struct tee_net *tn = net_generic(net, tee_net_id);
struct xt_tee_priv *priv;
 
-   mutex_lock(_list_mutex);
-   list_for_each_entry(priv, _list, list) {
+   mutex_lock(>lock);
+   list_for_each_entry(priv, >priv_list, list) {
switch (event) {
case NETDEV_REGISTER:
if (!strcmp(dev->name, priv->tginfo->oif))
@@ -79,13 +87,14 @@ static int tee_netdev_event(struct notifier_block *this, 
unsigned long event,
break;
}
}
-   mutex_unlock(_list_mutex);
+   mutex_unlock(>lock);
 
return NOTIFY_DONE;
 }
 
 static int tee_tg_check(const struct xt_tgchk_param *par)
 {
+   struct tee_net *tn = net_generic(par->net, tee_net_id);
struct xt_tee_tginfo *info = par->targinfo;
struct xt_tee_priv *priv;
 
@@ -106,9 +115,9 @@ static int tee_tg_check(const struct xt_tgchk_param *par)
priv->oif = -1;
info->priv= priv;
 
-   mutex_lock(_list_mutex);
-   list_add(>list, _list);
-   mutex_unlock(_list_mutex);
+   mutex_lock(>lock);
+   list_add(>list, >priv_list);
+   mutex_unlock(>lock);
} else
info->priv = NULL;
 
@@ -118,12 +127,13 @@ static int tee_tg_check(const struct xt_tgchk_param *par)
 
 static void tee_tg_destroy(const struct xt_tgdtor_param *par)
 {
+   struct tee_net *tn = net_generic(par->net, tee_net_id);
struct xt_tee_tginfo *info = par->targinfo;
 
if (info->priv) {
-   mutex_lock(_list_mutex);
+   mutex_lock(>lock);
list_del(>priv->list);
-   mutex_unlock(_list_mutex);
+   mutex_unlock(>lock);
kfree(info->priv);
}
static_key_slow_dec(_tee_enabled);
@@ -156,6 +166,21 @@ static struct xt_target tee_tg_reg[] __read_mostly = {
 #endif
 };
 
+static int __net_init tee_net_init(struct net *net)
+{
+   struct tee_net *tn = net_generic(net, tee_net_id);
+
+   INIT_LIST_HEAD(>priv_list);
+   mutex_init(>lock);
+   return 0;
+}
+
+static struct pernet_operations tee_net_ops = {
+   .init = tee_net_init,
+   .id   = _net_id,
+   .size = sizeof(struct tee_net),
+};
+
 static struct notifier_block tee_netdev_notifier = {
.notifier_call = tee_netdev_event,
 };
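Review bot: `tee_net_ops` defines `.init` but no `.exit`, so nothing checks that the per-netns `priv_list` is empty when a namespace goes away. An `.exit` handler with a `WARN_ON(!list_empty(...))` on that list would catch an `xt_tee_priv` that outlives its netns, which is the kind of cross-namespace mix-up this patch is fixing.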
@@ -164,22 +189,32 @@ static int __init tee_tg_init(void)
 {
int ret;
 
-   ret = xt_register_targets(tee_tg_reg, ARRAY_SIZE(tee_tg_reg));
-   if (ret)
+   ret = register_pernet_subsys(_net_ops);
+   if (ret < 0)
return ret;
+
+   ret = xt_register_targets(tee_tg_reg, ARRAY_SIZE(tee_tg_reg));
+   if (ret < 0)
+   goto cleanup_subsys;
+
ret = register_netdevice_notifier(_netdev_notifier);
-   if (ret) {
-   xt_unregister_targets(tee_tg_reg, ARRAY_SIZE(tee_tg_reg));
-   return ret;
-   }
+ 

[PATCH 4.19 145/149] driver core: Postpone DMA tear-down until after devres release

2019-03-12 Thread Greg Kroah-Hartman
4.19-stable review patch.  If anyone has any objections, please let me know.

--

From: Geert Uytterhoeven 

commit 376991db4b6464e906d699ef07681e2ffa8ab08c upstream.

When unbinding the (IOMMU-enabled) R-Car SATA device on Salvator-XS
(R-Car H3 ES2.0), in preparation of rebinding against vfio-platform for
device pass-through for virtualization:

    echo ee30.sata > /sys/bus/platform/drivers/sata_rcar/unbind

the kernel crashes with:

    Unable to handle kernel paging request at virtual address ffbf029c
    Mem abort info:
      ESR = 0x9606
      Exception class = DABT (current EL), IL = 32 bits
      SET = 0, FnV = 0
      EA = 0, S1PTW = 0
    Data abort info:
      ISV = 0, ISS = 0x0006
      CM = 0, WnR = 0
    swapper pgtable: 4k pages, 39-bit VAs, pgdp = 7e8c586c
    [ffbf029c] pgd=00073bfc6003, pud=00073bfc6003, pmd=
    Internal error: Oops: 9606 [#1] SMP
    Modules linked in:
    CPU: 0 PID: 1098 Comm: bash Not tainted 5.0.0-rc5-salvator-x-00452-g37596f884f4318ef #287
    Hardware name: Renesas Salvator-X 2nd version board based on r8a7795 ES2.0+ (DT)
    pstate: 6045 (nZCv daif +PAN -UAO)
    pc : __free_pages+0x8/0x58
    lr : __dma_direct_free_pages+0x50/0x5c
    sp : ff801268baa0
    x29: ff801268baa0 x28: 
    x27: ffc6f9c60bf0 x26: ffc6f9c60bf0
    x25: ffc6f9c60810 x24: 
    x23: f000 x22: ff8012145000
    x21: 0800 x20: ffbf029fffc8
    x19:  x18: ffc6f86c42c8
    x17:  x16: 0070
    x15: 0003 x14: 
    x13: ff801103d7f8 x12: 0028
    x11: ff807604 x10: 9ad8
    x9 : ff80110126d0 x8 : ffc6f7563000
    x7 : 6b6b6b6b6b6b6b6b x6 : 0018
    x5 : ff8011cf3cc8 x4 : 4000
    x3 : 0008 x2 : 0001
    x1 :  x0 : ffbf029fffc8
    Process bash (pid: 1098, stack limit = 0xc38e3e32)
    Call trace:
     __free_pages+0x8/0x58
     __dma_direct_free_pages+0x50/0x5c
     arch_dma_free+0x1c/0x98
     dma_direct_free+0x14/0x24
     dma_free_attrs+0x9c/0xdc
     dmam_release+0x18/0x20
     release_nodes+0x25c/0x28c
     devres_release_all+0x48/0x4c
     device_release_driver_internal+0x184/0x1f0
     device_release_driver+0x14/0x1c
     unbind_store+0x70/0xb8
     drv_attr_store+0x24/0x34
     sysfs_kf_write+0x4c/0x64
     kernfs_fop_write+0x154/0x1c4
     __vfs_write+0x34/0x164
     vfs_write+0xb4/0x16c
     ksys_write+0x5c/0xbc
     __arm64_sys_write+0x14/0x1c
     el0_svc_common+0x98/0x114
     el0_svc_handler+0x1c/0x24
     el0_svc+0x8/0xc
    Code: d51b4234 17fa a9bf7bfd 910003fd (b9403404)
    ---[ end trace 8c564cdd3a1a840f ]---

While I've bisected this to commit e8e683ae9a736407 ("iommu/of: Fix
probe-deferral"), and reverting that commit on post-v5.0-rc4 kernels
does fix the problem, this turned out to be a red herring.

On arm64, arch_teardown_dma_ops() resets dev->dma_ops to NULL.
Hence if a driver has used a managed DMA allocation API, the allocated
DMA memory will be freed using the direct DMA ops, while it may have
been allocated using a custom DMA ops (iommu_dma_ops in this case).

Fix this by reversing the order of the calls to devres_release_all() and
arch_teardown_dma_ops().

Signed-off-by: Geert Uytterhoeven 
Acked-by: Christoph Hellwig 
Reviewed-by: Rafael J. Wysocki 
Cc: stable 
Reviewed-by: Robin Murphy 
[rm: backport for 4.12-4.19 - kernels before 5.0 will not see
 the crash above, but may get silent memory corruption instead]
Signed-off-by: Robin Murphy 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/base/dd.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/base/dd.c
+++ b/drivers/base/dd.c
@@ -963,9 +963,9 @@ static void __device_release_driver(stru
drv->remove(dev);
 
device_links_driver_cleanup(dev);
-   dma_deconfigure(dev);
 
devres_release_all(dev);
+   dma_deconfigure(dev);
dev->driver = NULL;
dev_set_drvdata(dev, NULL);
if (dev->pm_domain && dev->pm_domain->dismiss)
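
Review bot: the new position of `dma_deconfigure(dev)` after `devres_release_all(dev)` is an ordering requirement that nothing in the code states, so a later cleanup could move the call back. Add a short comment above it saying that managed DMA allocations are released by devres through the device's current DMA ops, and that the ops must therefore stay in place until `devres_release_all()` has returned.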




[PATCH 4.19 124/149] Input: elan_i2c - add id for touchpad found in Lenovo s21e-20

2019-03-12 Thread Greg Kroah-Hartman
4.19-stable review patch.  If anyone has any objections, please let me know.

--

From: Vincent Batts 

commit e154ab69321ce2c54f19863d75c77b4e2dc9d365 upstream.

Lenovo s21e-20 uses ELAN0601 in its ACPI tables for the Elan touchpad.

Signed-off-by: Vincent Batts 
Cc: sta...@vger.kernel.org
Signed-off-by: Dmitry Torokhov 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/input/mouse/elan_i2c_core.c |1 +
 1 file changed, 1 insertion(+)

--- a/drivers/input/mouse/elan_i2c_core.c
+++ b/drivers/input/mouse/elan_i2c_core.c
@@ -1337,6 +1337,7 @@ static const struct acpi_device_id elan_
{ "ELAN", 0 },
{ "ELAN0100", 0 },
{ "ELAN0600", 0 },
+   { "ELAN0601", 0 },
{ "ELAN0602", 0 },
{ "ELAN0605", 0 },
{ "ELAN0608", 0 },




[PATCH 4.19 131/149] ARM: dts: exynos: Fix pinctrl definition for eMMC RTSN line on Odroid X2/U3

2019-03-12 Thread Greg Kroah-Hartman
4.19-stable review patch.  If anyone has any objections, please let me know.

--

From: Marek Szyprowski 

commit ec33745bccc8f336957c751f4153421cc9ef5a54 upstream.

Commit 225da7e65a03 ("ARM: dts: add eMMC reset line for
exynos4412-odroid-common") added MMC power sequence for eMMC card of
Odroid X2/U3. It reused generic sd1_cd pin control configuration node
and only disabled pull-up. However, at that time the pinctrl configuration
was not applied during MMC power sequence driver initialization. This
has been changed later by commit d97a1e5d7cd2 ("mmc: pwrseq: convert to
proper platform device").

It turned out then, that the provided pinctrl configuration is not
correct, because the eMMC_RTSN line is being re-configured as 'special
function/card detect function for mmc1 controller' not the simple
'output', thus the power sequence driver doesn't really set the pin
value. This in effect broke the reboot of Odroid X2/U3 boards. Fix this
by providing separate node with eMMC_RTSN pin configuration.

Cc: 
Reported-by: Markus Reichl 
Suggested-by: Ulf Hansson 
Fixes: 225da7e65a03 ("ARM: dts: add eMMC reset line for exynos4412-odroid-common")
Signed-off-by: Marek Szyprowski 
Signed-off-by: Krzysztof Kozlowski 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/arm/boot/dts/exynos4412-odroid-common.dtsi |   13 ++---
 1 file changed, 6 insertions(+), 7 deletions(-)

--- a/arch/arm/boot/dts/exynos4412-odroid-common.dtsi
+++ b/arch/arm/boot/dts/exynos4412-odroid-common.dtsi
@@ -49,7 +49,7 @@
};
 
emmc_pwrseq: pwrseq {
-   pinctrl-0 = <_cd>;
+   pinctrl-0 = <_rstn>;
pinctrl-names = "default";
compatible = "mmc-pwrseq-emmc";
reset-gpios = < 2 GPIO_ACTIVE_LOW>;
@@ -161,12 +161,6 @@
cpu0-supply = <_reg>;
 };
 
-/* RSTN signal for eMMC */
-_cd {
-   samsung,pin-pud = ;
-   samsung,pin-drv = ;
-};
-
 _1 {
gpio_power_key: power_key {
samsung,pins = "gpx1-3";
@@ -184,6 +178,11 @@
samsung,pins = "gpx3-7";
samsung,pin-pud = ;
};
+
+   emmc_rstn: emmc-rstn {
+   samsung,pins = "gpk1-2";
+   samsung,pin-pud = ;
+   };
 };
 
  {
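
Review bot: the new `emmc_rstn: emmc-rstn` node is added without the `/* RSTN signal for eMMC */` comment that the removed override carried, and it sets only `samsung,pins` and `samsung,pin-pud`. The commit message says the fault was the line being configured as a special function instead of a plain output, so keep the comment on the new node and state there how the pin ends up as an output (for example, if that is left to the `reset-gpios` consumer in `emmc_pwrseq`).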




[PATCH 4.19 122/149] nvme-pci: add missing unlock for reset error

2019-03-12 Thread Greg Kroah-Hartman
4.19-stable review patch.  If anyone has any objections, please let me know.

--

[ Upstream commit 4726bcf30fad37cc555cd9dcd6c73f2b2668c879 ]

The reset work holds a mutex to prevent races with removal modifying the
same resources, but was unlocking only on success. Unlock on failure
too.

Fixes: 5c959d73dba64 ("nvme-pci: fix rapid add remove sequence")
Signed-off-by: Keith Busch 
Signed-off-by: Christoph Hellwig 
Signed-off-by: Sasha Levin 
---
 drivers/nvme/host/pci.c | 8 +---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
index 6398ffbce6de..7b9ef8e734e7 100644
--- a/drivers/nvme/host/pci.c
+++ b/drivers/nvme/host/pci.c
@@ -2263,15 +2263,15 @@ static void nvme_reset_work(struct work_struct *work)
mutex_lock(>shutdown_lock);
result = nvme_pci_enable(dev);
if (result)
-   goto out;
+   goto out_unlock;
 
result = nvme_pci_configure_admin_queue(dev);
if (result)
-   goto out;
+   goto out_unlock;
 
result = nvme_alloc_admin_tags(dev);
if (result)
-   goto out;
+   goto out_unlock;
 
/*
 * Limit the max command size to prevent iod->sg allocations going
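
Review bot: only the three `goto out` statements directly after `mutex_lock()` are retargeted here, and the part of `nvme_reset_work()` between this hunk and the `nvme_start_ctrl()` call is not shown. Any other failure exit taken while `shutdown_lock` is still held needs `goto out_unlock` as well, and any exit taken after the success-path unlock must stay on `out`, otherwise the mutex is either leaked or released twice. Please confirm each remaining `goto out` against the point where the lock is dropped.
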
@@ -2354,6 +2354,8 @@ static void nvme_reset_work(struct work_struct *work)
nvme_start_ctrl(>ctrl);
return;
 
+ out_unlock:
+   mutex_unlock(>shutdown_lock);
  out:
nvme_remove_dead_ctrl(dev, result);
 }
-- 
2.19.1





[PATCH 4.19 120/149] qede: Fix system crash on configuring channels.

2019-03-12 Thread Greg Kroah-Hartman
4.19-stable review patch.  If anyone has any objections, please let me know.

--

[ Upstream commit 0aa4febb420d91df5b56b1864a2465765da85f4b ]

Under heavy traffic load, when changing number of channels via
ethtool (ethtool -L) which will cause interface to be reloaded,
it was observed that some packets get transmitted on old TX
channel/queue id which doesn't really exist after the channel
configuration leads to system crash.

Add a safeguard in the driver by validating queue id through
ndo_select_queue() which is called before the ndo_start_xmit().

Signed-off-by: Sudarsana Reddy Kalluru 
Signed-off-by: Ariel Elior 
Signed-off-by: David S. Miller 
Signed-off-by: Sasha Levin 
---
 drivers/net/ethernet/qlogic/qede/qede.h  |  3 +++
 drivers/net/ethernet/qlogic/qede/qede_fp.c   | 13 +
 drivers/net/ethernet/qlogic/qede/qede_main.c |  3 +++
 3 files changed, 19 insertions(+)

diff --git a/drivers/net/ethernet/qlogic/qede/qede.h 
b/drivers/net/ethernet/qlogic/qede/qede.h
index 6a4d266fb8e2..d242a5724069 100644
--- a/drivers/net/ethernet/qlogic/qede/qede.h
+++ b/drivers/net/ethernet/qlogic/qede/qede.h
@@ -489,6 +489,9 @@ struct qede_reload_args {
 
 /* Datapath functions definition */
 netdev_tx_t qede_start_xmit(struct sk_buff *skb, struct net_device *ndev);
+u16 qede_select_queue(struct net_device *dev, struct sk_buff *skb,
+ struct net_device *sb_dev,
+ select_queue_fallback_t fallback);
 netdev_features_t qede_features_check(struct sk_buff *skb,
  struct net_device *dev,
  netdev_features_t features);
diff --git a/drivers/net/ethernet/qlogic/qede/qede_fp.c 
b/drivers/net/ethernet/qlogic/qede/qede_fp.c
index 1a78027de071..a96da16f3404 100644
--- a/drivers/net/ethernet/qlogic/qede/qede_fp.c
+++ b/drivers/net/ethernet/qlogic/qede/qede_fp.c
@@ -1695,6 +1695,19 @@ netdev_tx_t qede_start_xmit(struct sk_buff *skb, struct 
net_device *ndev)
return NETDEV_TX_OK;
 }
 
+u16 qede_select_queue(struct net_device *dev, struct sk_buff *skb,
+ struct net_device *sb_dev,
+ select_queue_fallback_t fallback)
+{
+   struct qede_dev *edev = netdev_priv(dev);
+   int total_txq;
+
+   total_txq = QEDE_TSS_COUNT(edev) * edev->dev_info.num_tc;
+
+   return QEDE_TSS_COUNT(edev) ?
+   fallback(dev, skb, NULL) % total_txq :  0;
+}
+
 /* 8B udp header + 8B base tunnel header + 32B option length */
 #define QEDE_MAX_TUN_HDR_LEN 48
 
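
Review bot: in `qede_select_queue()` the guard tests `QEDE_TSS_COUNT(edev)` but the divisor is `total_txq`, which is `QEDE_TSS_COUNT(edev) * edev->dev_info.num_tc`; if `num_tc` is ever 0 while the TSS count is not, `fallback(dev, skb, NULL) % total_txq` divides by zero in the transmit path. Test `total_txq` itself in the ternary. The function also ignores its `sb_dev` argument and passes `NULL` to `fallback()`; if that is intentional, a one-line comment should say so. `total_txq` is declared `int` while the function returns `u16`, so an unsigned type would match better.
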
diff --git a/drivers/net/ethernet/qlogic/qede/qede_main.c 
b/drivers/net/ethernet/qlogic/qede/qede_main.c
index 46d0f2eaa0c0..f3d9c40c4115 100644
--- a/drivers/net/ethernet/qlogic/qede/qede_main.c
+++ b/drivers/net/ethernet/qlogic/qede/qede_main.c
@@ -631,6 +631,7 @@ static const struct net_device_ops qede_netdev_ops = {
.ndo_open = qede_open,
.ndo_stop = qede_close,
.ndo_start_xmit = qede_start_xmit,
+   .ndo_select_queue = qede_select_queue,
.ndo_set_rx_mode = qede_set_rx_mode,
.ndo_set_mac_address = qede_set_mac_addr,
.ndo_validate_addr = eth_validate_addr,
@@ -666,6 +667,7 @@ static const struct net_device_ops qede_netdev_vf_ops = {
.ndo_open = qede_open,
.ndo_stop = qede_close,
.ndo_start_xmit = qede_start_xmit,
+   .ndo_select_queue = qede_select_queue,
.ndo_set_rx_mode = qede_set_rx_mode,
.ndo_set_mac_address = qede_set_mac_addr,
.ndo_validate_addr = eth_validate_addr,
@@ -684,6 +686,7 @@ static const struct net_device_ops qede_netdev_vf_xdp_ops = 
{
.ndo_open = qede_open,
.ndo_stop = qede_close,
.ndo_start_xmit = qede_start_xmit,
+   .ndo_select_queue = qede_select_queue,
.ndo_set_rx_mode = qede_set_rx_mode,
.ndo_set_mac_address = qede_set_mac_addr,
.ndo_validate_addr = eth_validate_addr,
-- 
2.19.1





[PATCH 4.19 075/149] bpftool: fix percpu maps updating

2019-03-12 Thread Greg Kroah-Hartman
4.19-stable review patch.  If anyone has any objections, please let me know.

--

[ Upstream commit b0ca5ecb8e2279d706261f525f1bd0ba9e3fe800 ]

When updating a percpu map, bpftool currently copies the provided
value only into the first per CPU copy of the specified value,
all other instances are left zeroed.

This change explicitly copies the user-provided bytes to all the
per CPU instances, keeping the sub-command syntax unchanged.

v2 -> v3:
 - drop unused argument, as per Quentin's suggestion
v1 -> v2:
 - rename the helper as per Quentin's suggestion

Fixes: 71bb428fe2c1 ("tools: bpf: add bpftool")
Signed-off-by: Paolo Abeni 
Reviewed-by: Quentin Monnet 
Signed-off-by: Daniel Borkmann 
Signed-off-by: Sasha Levin 
---
 tools/bpf/bpftool/map.c | 16 
 1 file changed, 16 insertions(+)

diff --git a/tools/bpf/bpftool/map.c b/tools/bpf/bpftool/map.c
index b455930a3eaf..ec73d83d0d31 100644
--- a/tools/bpf/bpftool/map.c
+++ b/tools/bpf/bpftool/map.c
@@ -370,6 +370,20 @@ static char **parse_bytes(char **argv, const char *name, 
unsigned char *val,
return argv + i;
 }
 
+/* on per cpu maps we must copy the provided value on all value instances */
+static void fill_per_cpu_value(struct bpf_map_info *info, void *value)
+{
+   unsigned int i, n, step;
+
+   if (!map_is_per_cpu(info->type))
+   return;
+
+   n = get_possible_cpus();
+   step = round_up(info->value_size, 8);
+   for (i = 1; i < n; i++)
+   memcpy(value + i * step, value, info->value_size);
+}
+
 static int parse_elem(char **argv, struct bpf_map_info *info,
  void *key, void *value, __u32 key_size, __u32 value_size,
  __u32 *flags, __u32 **value_fd)
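
Review bot: `fill_per_cpu_value()` writes up to `n * round_up(info->value_size, 8)` bytes through `value`, but nothing in the helper or at the call site in the next hunk shows that the buffer was allocated with that size for per-CPU maps. State the precondition in the comment above the helper (the buffer must hold one 8-byte-aligned slot per possible CPU), or pass the buffer length in and check it before the loop. `value + i * step` is also arithmetic on a `void *`, which relies on a GNU C extension; a `char *` local makes that explicit. The helper reads `info->value_size` while `parse_elem()` carries its own `value_size` parameter, so the two should be confirmed equal at this call.
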
@@ -449,6 +463,8 @@ static int parse_elem(char **argv, struct bpf_map_info 
*info,
argv = parse_bytes(argv, "value", value, value_size);
if (!argv)
return -1;
+
+   fill_per_cpu_value(info, value);
}
 
return parse_elem(argv, info, key, NULL, key_size, value_size,
-- 
2.19.1





[PATCH 4.19 082/149] irqchip/gic-v4: Fix occasional VLPI drop

2019-03-12 Thread Greg Kroah-Hartman
4.19-stable review patch.  If anyone has any objections, please let me know.

--

[ Upstream commit 6479450f72c1391c03f08affe0d0110f41ae7ca0 ]

1. In current implementation, every VLPI will temporarily be mapped to
the first CPU in system (normally CPU0) and then moved to the real
scheduled CPU later.

2. So there is a time window and a VLPI may be sent to CPU0 instead of
the real scheduled vCPU, in a multi-CPU virtual machine.

3. However, CPU0 may have not been scheduled as a virtual CPU after
system boots up, so the value of its GICR_VPROPBASER is unknown at
that moment.

4. If the INTID of VLPI is larger than 2^(GICR_VPROPBASER.IDbits+1),
while IDbits is also in unknown state, GIC will behave as if the VLPI
is out of range and simply drop it, which results in interrupt missing
in Guest.

As no code will clear GICR_VPROPBASER at runtime, we can safely
initialize the IDbits field at boot time for each CPU to get rid of
this issue.

We also clear Valid bit of GICR_VPENDBASER in case any ancient
programming gets left in and causes memory corrupting. A new function
its_clear_vpend_valid() is added to reuse the code in
its_vpe_deschedule().

Fixes: e643d8034036 ("irqchip/gic-v3-its: Add VPE scheduling")
Signed-off-by: Heyi Guo 
Signed-off-by: Heyi Guo 
Signed-off-by: Marc Zyngier 
Signed-off-by: Sasha Levin 
---
 drivers/irqchip/irq-gic-v3-its.c | 66 
 1 file changed, 49 insertions(+), 17 deletions(-)

diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c
index 4c2246fe5dbe..d9a880108315 100644
--- a/drivers/irqchip/irq-gic-v3-its.c
+++ b/drivers/irqchip/irq-gic-v3-its.c
@@ -1951,6 +1951,29 @@ static void its_free_pending_table(struct page *pt)
   get_order(max_t(u32, LPI_PENDBASE_SZ, SZ_64K)));
 }
 
+static u64 its_clear_vpend_valid(void __iomem *vlpi_base)
+{
+   u32 count = 100;/* 1s! */
+   bool clean;
+   u64 val;
+
+   val = gits_read_vpendbaser(vlpi_base + GICR_VPENDBASER);
+   val &= ~GICR_VPENDBASER_Valid;
+   gits_write_vpendbaser(val, vlpi_base + GICR_VPENDBASER);
+
+   do {
+   val = gits_read_vpendbaser(vlpi_base + GICR_VPENDBASER);
+   clean = !(val & GICR_VPENDBASER_Dirty);
+   if (!clean) {
+   count--;
+   cpu_relax();
+   udelay(1);
+   }
+   } while (!clean && count);
+
+   return val;
+}
+
 static void its_cpu_init_lpis(void)
 {
void __iomem *rbase = gic_data_rdist_rd_base();
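
Review bot: `its_clear_vpend_valid()` signals a poll timeout only through the `GICR_VPENDBASER_Dirty` bit left in its return value, which a caller has to know to test. Add a comment above the function describing that contract: it clears Valid, polls until Dirty drops or the retry budget runs out, and returns the last value read, so Dirty still set on return means the pending table did not settle.
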
@@ -2024,6 +2047,30 @@ static void its_cpu_init_lpis(void)
val |= GICR_CTLR_ENABLE_LPIS;
writel_relaxed(val, rbase + GICR_CTLR);
 
+   if (gic_rdists->has_vlpis) {
+   void __iomem *vlpi_base = gic_data_rdist_vlpi_base();
+
+   /*
+* It's possible for CPU to receive VLPIs before it is
+* sheduled as a vPE, especially for the first CPU, and the
+* VLPI with INTID larger than 2^(IDbits+1) will be considered
+* as out of range and dropped by GIC.
+* So we initialize IDbits to known value to avoid VLPI drop.
+*/
+   val = (LPI_NRBITS - 1) & GICR_VPROPBASER_IDBITS_MASK;
+   pr_debug("GICv4: CPU%d: Init IDbits to 0x%llx for 
GICR_VPROPBASER\n",
+   smp_processor_id(), val);
+   gits_write_vpropbaser(val, vlpi_base + GICR_VPROPBASER);
+
+   /*
+* Also clear Valid bit of GICR_VPENDBASER, in case some
+* ancient programming gets left in and has possibility of
+* corrupting memory.
+*/
+   val = its_clear_vpend_valid(vlpi_base);
+   WARN_ON(val & GICR_VPENDBASER_Dirty);
+   }
+
/* Make sure the GIC has seen the above */
dsb(sy);
 }
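
Review bot: the `WARN_ON(val & GICR_VPENDBASER_Dirty)` added to `its_cpu_init_lpis()` gives no hint of which CPU failed, unlike the `pr_debug()` a few lines above it that prints `smp_processor_id()`; a `WARN()` or `pr_err()` carrying the CPU number would make a boot-time failure easier to place. Minor: the first new comment spells "sheduled" for "scheduled".
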
@@ -2644,26 +2691,11 @@ static void its_vpe_schedule(struct its_vpe *vpe)
 static void its_vpe_deschedule(struct its_vpe *vpe)
 {
void __iomem *vlpi_base = gic_data_rdist_vlpi_base();
-   u32 count = 100;/* 1s! */
-   bool clean;
u64 val;
 
-   /* We're being scheduled out */
-   val = gits_read_vpendbaser(vlpi_base + GICR_VPENDBASER);
-   val &= ~GICR_VPENDBASER_Valid;
-   gits_write_vpendbaser(val, vlpi_base + GICR_VPENDBASER);
-
-   do {
-   val = gits_read_vpendbaser(vlpi_base + GICR_VPENDBASER);
-   clean = !(val & GICR_VPENDBASER_Dirty);
-   if (!clean) {
-   count--;
-   cpu_relax();
-   udelay(1);
-   }
-   } while (!clean && count);
+   val = its_clear_vpend_valid(vlpi_base);
 
-   if (unlikely(!clean && !count)) {
+   if (unlikely(val & GICR_VPENDBASER_Dirty)) {
pr_err_ratelimited("ITS virtual pending table not cleaning\n");

[PATCH 4.19 111/149] MIPS: Remove function size check in get_frame_info()

2019-03-12 Thread Greg Kroah-Hartman
4.19-stable review patch.  If anyone has any objections, please let me know.

--

[ Upstream commit 2b424cfc69728224fcb5fad138ea7260728e0901 ]

Patch (b6c7a324df37b "MIPS: Fix get_frame_info() handling of
microMIPS function size.") introduces additional function size
check for microMIPS by only checking insn between ip and ip + func_size.
However, func_size in get_frame_info() is always 0 if KALLSYMS is not
enabled. This causes get_frame_info() to return immediately without
calculating correct frame_size, which in turn causes "Can't analyze
schedule() prologue" warning messages at boot time.

This patch removes func_size check, and let the frame_size check run
up to 128 insns for both MIPS and microMIPS.

Signed-off-by: Jun-Ru Chang 
Signed-off-by: Tony Wu 
Signed-off-by: Paul Burton 
Fixes: b6c7a324df37b ("MIPS: Fix get_frame_info() handling of microMIPS function size.")
Signed-off-by: Sasha Levin 
---
 arch/mips/kernel/process.c | 7 +++
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/arch/mips/kernel/process.c b/arch/mips/kernel/process.c
index d4f7fd4550e1..85522c137f19 100644
--- a/arch/mips/kernel/process.c
+++ b/arch/mips/kernel/process.c
@@ -371,7 +371,7 @@ static inline int is_sp_move_ins(union mips_instruction 
*ip, int *frame_size)
 static int get_frame_info(struct mips_frame_info *info)
 {
bool is_mmips = IS_ENABLED(CONFIG_CPU_MICROMIPS);
-   union mips_instruction insn, *ip, *ip_end;
+   union mips_instruction insn, *ip;
const unsigned int max_insns = 128;
unsigned int last_insn_size = 0;
unsigned int i;
@@ -384,10 +384,9 @@ static int get_frame_info(struct mips_frame_info *info)
if (!ip)
goto err;
 
-   ip_end = (void *)ip + info->func_size;
-
-   for (i = 0; i < max_insns && ip < ip_end; i++) {
+   for (i = 0; i < max_insns; i++) {
ip = (void *)ip + last_insn_size;
+
if (is_mmips && mm_insn_16bit(ip->halfword[0])) {
insn.word = ip->halfword[0] << 16;
last_insn_size = 2;
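
Review bot: with `ip < ip_end` dropped from the loop condition, the scan always covers up to `max_insns` instructions, so for a function shorter than that it continues into whatever follows and can take a stack-pointer move from the next function as this one's frame size. The commit message says `func_size` is 0 when KALLSYMS is not enabled; keeping the bound when `info->func_size` is non-zero and falling back to the 128-instruction limit otherwise would fix the reported warning without giving up the check where the size is known. The blank line added after `ip = (void *)ip + last_insn_size;` is unrelated to the fix.
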
-- 
2.19.1





[PATCH 4.19 056/149] mm, memory_hotplug: test_pages_in_a_zone do not pass the end of zone

2019-03-12 Thread Greg Kroah-Hartman
4.19-stable review patch.  If anyone has any objections, please let me know.

--

[ Upstream commit 24feb47c5fa5b825efb0151f28906dfdad027e61 ]

If memory end is not aligned with the sparse memory section boundary,
the mapping of such a section is only partly initialized.  This may lead
to VM_BUG_ON due to uninitialized struct pages access from
test_pages_in_a_zone() function triggered by memory_hotplug sysfs
handlers.

Here are the panic examples:
 CONFIG_DEBUG_VM_PGFLAGS=y
 kernel parameter mem=2050M
 --
 page:03d082008000 is uninitialized and poisoned
 page dumped because: VM_BUG_ON_PAGE(PagePoisoned(p))
 Call Trace:
   test_pages_in_a_zone+0xde/0x160
   show_valid_zones+0x5c/0x190
   dev_attr_show+0x34/0x70
   sysfs_kf_seq_show+0xc8/0x148
   seq_read+0x204/0x480
   __vfs_read+0x32/0x178
   vfs_read+0x82/0x138
   ksys_read+0x5a/0xb0
   system_call+0xdc/0x2d8
 Last Breaking-Event-Address:
   test_pages_in_a_zone+0xde/0x160
 Kernel panic - not syncing: Fatal exception: panic_on_oops

Fix this by checking whether the pfn to check is within the zone.

[mho...@suse.com: separated this change from 
http://lkml.kernel.org/r/20181105150401.97287-2-zaslo...@linux.ibm.com]
Link: http://lkml.kernel.org/r/20190128144506.15603-3-mho...@kernel.org

[mho...@suse.com: separated this change from
http://lkml.kernel.org/r/20181105150401.97287-2-zaslo...@linux.ibm.com]
Signed-off-by: Michal Hocko 
Signed-off-by: Mikhail Zaslonko 
Tested-by: Mikhail Gavrilov 
Reviewed-by: Oscar Salvador 
Tested-by: Gerald Schaefer 
Cc: Heiko Carstens 
Cc: Martin Schwidefsky 
Cc: Mikhail Gavrilov 
Cc: Pavel Tatashin 
Signed-off-by: Andrew Morton 
Signed-off-by: Linus Torvalds 
Signed-off-by: Sasha Levin 
---
 mm/memory_hotplug.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/mm/memory_hotplug.c b/mm/memory_hotplug.c
index 34cde04f346d..ff93a57e1694 100644
--- a/mm/memory_hotplug.c
+++ b/mm/memory_hotplug.c
@@ -1299,6 +1299,9 @@ int test_pages_in_a_zone(unsigned long start_pfn, 
unsigned long end_pfn,
i++;
if (i == MAX_ORDER_NR_PAGES || pfn + i >= end_pfn)
continue;
+   /* Check if we got outside of the zone */
+   if (zone && !zone_spans_pfn(zone, pfn + i))
+   return 0;
page = pfn_to_page(pfn + i);
if (zone && page_zone(page) != zone)
return 0;
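
Review bot: the new `zone_spans_pfn()` test is gated on `zone` being non-NULL, so on any pass where `zone` has not been assigned yet, `pfn_to_page(pfn + i)` still runs on a pfn that was never checked against a zone boundary. If the first page examined can itself lie in the partly initialized tail of a section, the same poisoned-page access remains possible; please say in the comment why that cannot happen, or validate the first pfn by other means.
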
-- 
2.19.1





[PATCH 4.19 061/149] mm, memory_hotplug: fix off-by-one in is_pageblock_removable

2019-03-12 Thread Greg Kroah-Hartman
4.19-stable review patch.  If anyone has any objections, please let me know.

--

[ Upstream commit 891cb2a72d821f930a39d5900cb7a3aa752c1d5b ]

Rong Chen has reported the following boot crash:

PGD 0 P4D 0
Oops:  [#1] PREEMPT SMP PTI
CPU: 1 PID: 239 Comm: udevd Not tainted 5.0.0-rc4-00149-gefad4e4 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
RIP: 0010:page_mapping+0x12/0x80
Code: 5d c3 48 89 df e8 0e ad 02 00 85 c0 75 da 89 e8 5b 5d c3 0f 1f 44 00 00 53 48 89 fb 48 8b 43 08 48 8d 50 ff a8 01 48 0f 45 da <48> 8b 53 08 48 8d 42 ff 83 e2 01 48 0f 44 c3 48 83 38 ff 74 2f 48
RSP: 0018:88801fa87cd8 EFLAGS: 00010202
RAX:  RBX: fffe RCX: 000a
RDX: fffe RSI: 820b9a20 RDI: 88801e5c
RBP: 6db6db6db6db6db7 R08: 88801e8bb000 R09: 01b64d13
R10: 88801fa87cf8 R11: 0001 R12: 88801e64
R13: 820b9a20 R14: 88801f145258 R15: 0001
FS:  7fb2079817c0() GS:88801dd0() knlGS:
CS:  0010 DS:  ES:  CR0: 80050033
CR2: 0006 CR3: 1fa82000 CR4: 06a0
Call Trace:
 __dump_page+0x14/0x2c0
 is_mem_section_removable+0x24c/0x2c0
 removable_show+0x87/0xa0
 dev_attr_show+0x25/0x60
 sysfs_kf_seq_show+0xba/0x110
 seq_read+0x196/0x3f0
 __vfs_read+0x34/0x180
 vfs_read+0xa0/0x150
 ksys_read+0x44/0xb0
 do_syscall_64+0x5e/0x4a0
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

and bisected it down to commit efad4e475c31 ("mm, memory_hotplug:
is_mem_section_removable do not pass the end of a zone").

The reason for the crash is that the mapping is garbage for poisoned
(uninitialized) page.  This shouldn't happen as all pages in the zone's
boundary should be initialized.

Later debugging revealed that the actual problem is an off-by-one when
evaluating the end_page.  'start_pfn + nr_pages' resp 'zone_end_pfn'
refers to a pfn after the range and as such it might belong to a
different memory section.

This along with CONFIG_SPARSEMEM then makes the loop condition
completely bogus because a pointer arithmetic doesn't work for pages
from two different sections in that memory model.

Fix the issue by reworking is_pageblock_removable to be pfn based and
only use struct page where necessary.  This makes the code slightly
easier to follow and we will remove the problematic pointer arithmetic
completely.

Link: http://lkml.kernel.org/r/20190218181544.14616-1-mho...@kernel.org
Fixes: efad4e475c31 ("mm, memory_hotplug: is_mem_section_removable do not pass the end of a zone")
Signed-off-by: Michal Hocko 
Reported-by: 
Tested-by: 
Acked-by: Mike Rapoport 
Reviewed-by: Oscar Salvador 
Cc: Matthew Wilcox 
Signed-off-by: Andrew Morton 
Signed-off-by: Linus Torvalds 
Signed-off-by: Sasha Levin 
---
 mm/memory_hotplug.c | 27 +++
 1 file changed, 15 insertions(+), 12 deletions(-)

diff --git a/mm/memory_hotplug.c b/mm/memory_hotplug.c
index ff93a57e1694..156991edec2a 100644
--- a/mm/memory_hotplug.c
+++ b/mm/memory_hotplug.c
@@ -1213,11 +1213,13 @@ static inline int pageblock_free(struct page *page)
return PageBuddy(page) && page_order(page) >= pageblock_order;
 }
 
-/* Return the start of the next active pageblock after a given page */
-static struct page *next_active_pageblock(struct page *page)
+/* Return the pfn of the start of the next active pageblock after a given pfn 
*/
+static unsigned long next_active_pageblock(unsigned long pfn)
 {
+   struct page *page = pfn_to_page(pfn);
+
/* Ensure the starting page is pageblock-aligned */
-   BUG_ON(page_to_pfn(page) & (pageblock_nr_pages - 1));
+   BUG_ON(pfn & (pageblock_nr_pages - 1));
 
/* If the entire pageblock is free, move to the end of free page */
if (pageblock_free(page)) {
@@ -1225,16 +1227,16 @@ static struct page *next_active_pageblock(struct page 
*page)
/* be careful. we don't have locks, page_order can be changed.*/
order = page_order(page);
if ((order < MAX_ORDER) && (order >= pageblock_order))
-   return page + (1 << order);
+   return pfn + (1 << order);
}
 
-   return page + pageblock_nr_pages;
+   return pfn + pageblock_nr_pages;
 }
 
-static bool is_pageblock_removable_nolock(struct page *page)
+static bool is_pageblock_removable_nolock(unsigned long pfn)
 {
+   struct page *page = pfn_to_page(pfn);
struct zone *zone;
-   unsigned long pfn;
 
/*
 * We have to be careful here because we are iterating over memory
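
Review bot: in `next_active_pageblock()` the return value is now an `unsigned long` pfn, but the increment is still computed as `1 << order` in `int`; write `1UL << order` so the arithmetic is done in the type being returned. In `is_pageblock_removable_nolock()` the conversion `pfn_to_page(pfn)` now happens in the declaration, before any check; if a caller can pass a pfn without a valid memmap entry, a `pfn_valid()` test belongs ahead of it.
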
@@ -1257,13 +1259,14 @@ static bool is_pageblock_removable_nolock(struct page 
*page)
 /* Checks if this range of memory is likely to be hot-removable. */
 bool is_mem_section_removable(unsigned long start_pfn, unsigned long 

[PATCH 4.19 030/149] netfilter: ebtables: compat: un-break 32bit setsockopt when no rules are present

2019-03-12 Thread Greg Kroah-Hartman
4.19-stable review patch.  If anyone has any objections, please let me know.

--

[ Upstream commit 2035f3ff8eaa29cfb5c8e2160b0f6e85eeb21a95 ]

Unlike ip(6)tables ebtables only counts user-defined chains.

The effect is that a 32bit ebtables binary on a 64bit kernel can do
'ebtables -N FOO' only after adding at least one rule, else the request
fails with -EINVAL.

This is a similar fix as done in
3f1e53abff84 ("netfilter: ebtables: don't attempt to allocate 0-sized compat array").

Fixes: 7d7d7e02111e9 ("netfilter: compat: reject huge allocation requests")
Reported-by: Francesco Ruggeri 
Signed-off-by: Florian Westphal 
Signed-off-by: Pablo Neira Ayuso 
Signed-off-by: Sasha Levin 
---
 net/bridge/netfilter/ebtables.c | 9 ++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 5e55cef0cec3..6693e209efe8 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -2293,9 +2293,12 @@ static int compat_do_replace(struct net *net, void 
__user *user,
 
xt_compat_lock(NFPROTO_BRIDGE);
 
-   ret = xt_compat_init_offsets(NFPROTO_BRIDGE, tmp.nentries);
-   if (ret < 0)
-   goto out_unlock;
+   if (tmp.nentries) {
+   ret = xt_compat_init_offsets(NFPROTO_BRIDGE, tmp.nentries);
+   if (ret < 0)
+   goto out_unlock;
+   }
+
ret = compat_copy_entries(entries_tmp, tmp.entries_size, );
if (ret < 0)
goto out_unlock;
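
Review bot: `if (tmp.nentries)` skips `xt_compat_init_offsets()` with no comment explaining why a zero entry count is a valid request here. Add one line stating that ebtables counts only user-defined chains, so an empty ruleset reaches this point with `nentries == 0`. The failure paths below still `goto out_unlock`; please confirm that the cleanup under that label is safe when the offsets were never initialised.
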
-- 
2.19.1





[PATCH 4.19 033/149] selftests: timers: use LDLIBS instead of LDFLAGS

2019-03-12 Thread Greg Kroah-Hartman
4.19-stable review patch.  If anyone has any objections, please let me know.

--

[ Upstream commit 7d4e591bc051d3382c45caaa2530969fb42ed23d ]

posix_timers fails to build due to undefined reference errors:

 aarch64-linaro-linux-gcc --sysroot=/build/tmp-rpb-glibc/sysroots/hikey
 -O2 -pipe -g -feliminate-unused-debug-types -O3 -Wl,-no-as-needed -Wall
 -DKTEST  -Wl,-O1 -Wl,--hash-style=gnu -Wl,--as-needed -lrt -lpthread
 posix_timers.c
 -o /build/tmp-rpb-glibc/work/hikey-linaro-linux/kselftests/4.12-r0/linux-4.12-rc7/tools/testing/selftests/timers/posix_timers
 /tmp/cc1FTZzT.o: In function `check_timer_create':
 /usr/src/debug/kselftests/4.12-r0/linux-4.12-rc7/tools/testing/selftests/timers/posix_timers.c:157: undefined reference to `timer_create'
 /usr/src/debug/kselftests/4.12-r0/linux-4.12-rc7/tools/testing/selftests/timers/posix_timers.c:170: undefined reference to `timer_settime'
 collect2: error: ld returned 1 exit status

It's GNU Make and linker specific.

The default Makefile rule looks like:

$(CC) $(CFLAGS) $(LDFLAGS) $@ $^ $(LDLIBS)

When linking is done by gcc itself, no issue, but when it needs to be passed
to proper ld, only LDLIBS follows and then ld cannot know what libs to link
with.

More detail:
https://www.gnu.org/software/make/manual/html_node/Implicit-Variables.html

LDFLAGS
Extra flags to give to compilers when they are supposed to invoke the linker,
‘ld’, such as -L. Libraries (-lfoo) should be added to the LDLIBS variable
instead.

LDLIBS
Library flags or names given to compilers when they are supposed to invoke the
linker, ‘ld’. LOADLIBES is a deprecated (but still supported) alternative to
LDLIBS. Non-library linker flags, such as -L, should go in the LDFLAGS
variable.

https://lkml.org/lkml/2010/2/10/362

tools/perf: libraries must come after objects

Link order matters, use LDLIBS instead of LDFLAGS to properly link against
libpthread.

Signed-off-by: Denys Dmytriyenko 
Signed-off-by: Fathi Boudra 
Signed-off-by: Shuah Khan 
Signed-off-by: Sasha Levin 
---
 tools/testing/selftests/timers/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/testing/selftests/timers/Makefile 
b/tools/testing/selftests/timers/Makefile
index c02683cfb6c9..7656c7ce79d9 100644
--- a/tools/testing/selftests/timers/Makefile
+++ b/tools/testing/selftests/timers/Makefile
@@ -1,6 +1,6 @@
 # SPDX-License-Identifier: GPL-2.0
 CFLAGS += -O3 -Wl,-no-as-needed -Wall
-LDFLAGS += -lrt -lpthread -lm
+LDLIBS += -lrt -lpthread -lm
 
 # these are all "safe" tests that don't modify
 # system time or require escalated privileges
-- 
2.19.1





[PATCH 4.19 038/149] qed: Fix system crash in ll2 xmit

2019-03-12 Thread Greg Kroah-Hartman
4.19-stable review patch.  If anyone has any objections, please let me know.

--

[ Upstream commit 7c81626a3c37e4ac320b8ad785694ba498f24794 ]

Cache number of fragments in the skb locally as in case
of linear skb (with zero fragments), tx completion
(or freeing of skb) may happen before driver tries
to get number of fragments from the skb which could
lead to stale access to an already freed skb.

Signed-off-by: Manish Chopra 
Signed-off-by: Ariel Elior 
Signed-off-by: David S. Miller 
Signed-off-by: Sasha Levin 
---
 drivers/net/ethernet/qlogic/qed/qed_ll2.c | 20 +++-
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/drivers/net/ethernet/qlogic/qed/qed_ll2.c 
b/drivers/net/ethernet/qlogic/qed/qed_ll2.c
index 92cd8abeb41d..015de1e0addd 100644
--- a/drivers/net/ethernet/qlogic/qed/qed_ll2.c
+++ b/drivers/net/ethernet/qlogic/qed/qed_ll2.c
@@ -2430,19 +2430,24 @@ static int qed_ll2_start_xmit(struct qed_dev *cdev, 
struct sk_buff *skb,
 {
struct qed_ll2_tx_pkt_info pkt;
const skb_frag_t *frag;
+   u8 flags = 0, nr_frags;
int rc = -EINVAL, i;
dma_addr_t mapping;
u16 vlan = 0;
-   u8 flags = 0;
 
if (unlikely(skb->ip_summed != CHECKSUM_NONE)) {
DP_INFO(cdev, "Cannot transmit a checksummed packet\n");
return -EINVAL;
}
 
-   if (1 + skb_shinfo(skb)->nr_frags > CORE_LL2_TX_MAX_BDS_PER_PACKET) {
+   /* Cache number of fragments from SKB since SKB may be freed by
+* the completion routine after calling qed_ll2_prepare_tx_packet()
+*/
+   nr_frags = skb_shinfo(skb)->nr_frags;
+
+   if (1 + nr_frags > CORE_LL2_TX_MAX_BDS_PER_PACKET) {
DP_ERR(cdev, "Cannot transmit a packet with %d fragments\n",
-  1 + skb_shinfo(skb)->nr_frags);
+  1 + nr_frags);
return -EINVAL;
}
 
@@ -2464,7 +2469,7 @@ static int qed_ll2_start_xmit(struct qed_dev *cdev, 
struct sk_buff *skb,
}
 
memset(, 0, sizeof(pkt));
-   pkt.num_of_bds = 1 + skb_shinfo(skb)->nr_frags;
+   pkt.num_of_bds = 1 + nr_frags;
pkt.vlan = vlan;
pkt.bd_flags = flags;
pkt.tx_dest = QED_LL2_TX_DEST_NW;
@@ -2475,12 +2480,17 @@ static int qed_ll2_start_xmit(struct qed_dev *cdev, 
struct sk_buff *skb,
test_bit(QED_LL2_XMIT_FLAGS_FIP_DISCOVERY, _flags))
pkt.remove_stag = true;
 
+   /* qed_ll2_prepare_tx_packet() may actually send the packet if
+* there are no fragments in the skb and subsequently the completion
+* routine may run and free the SKB, so no dereferencing the SKB
+* beyond this point unless skb has any fragments.
+*/
rc = qed_ll2_prepare_tx_packet(>hwfns[0], cdev->ll2->handle,
   , 1);
if (rc)
goto err;
 
-   for (i = 0; i < skb_shinfo(skb)->nr_frags; i++) {
+   for (i = 0; i < nr_frags; i++) {
frag = _shinfo(skb)->frags[i];
 
mapping = skb_frag_dma_map(>pdev->dev, frag, 0,
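
Review bot: the added comment forbids touching the skb after `qed_ll2_prepare_tx_packet()` "unless skb has any fragments", yet the loop right below it still reads `skb_shinfo(skb)->frags[i]`. That is only safe if the completion routine cannot run before the last fragment BD has been posted; spell that invariant out in the comment, since the fix depends on it. The `goto err` taken when `rc` is non-zero also sits after the call, so the error path should be checked for any use of `skb`. In the first hunk, `nr_frags` shares a declaration line with the initialised `flags`; a separate line reads more clearly.
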
-- 
2.19.1





[PATCH 4.20 148/171] netfilter: nft_compat: dont use refcount_inc on newly allocated entry

2019-03-12 Thread Greg Kroah-Hartman
4.20-stable review patch.  If anyone has any objections, please let me know.

--

[ Upstream commit 947e492c0fc2132ae5fca081a9c2952ccaab0404 ]

When I moved the refcount to refcount_t type I missed the fact that
refcount_inc() will result in use-after-free warning with
CONFIG_REFCOUNT_FULL=y builds.

The correct fix would be to init the reference count to 1 at allocation
time, but, unfortunately we cannot do this, as we can't undo that
in case something else fails later in the batch.

So only solution I see is to special-case the 'new entry' condition
and replace refcount_inc() with a "delayed" refcount_set(1) in this case,
as done here.

The .activate callback can be removed to simplify things, we only
need to make sure that deactivate() decrements/unlinks the entry
from the list at end of transaction phase (commit or abort).

Fixes: 12c44aba6618 ("netfilter: nft_compat: use refcnt_t type for nft_xt reference count")
Reported-by: Jordan Glover 
Signed-off-by: Florian Westphal 
Signed-off-by: Pablo Neira Ayuso 
Signed-off-by: Sasha Levin 
---
 net/netfilter/nft_compat.c | 62 ++
 1 file changed, 23 insertions(+), 39 deletions(-)

diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c
index 5fd94f7fdb94..0a4bad55a8aa 100644
--- a/net/netfilter/nft_compat.c
+++ b/net/netfilter/nft_compat.c
@@ -61,6 +61,21 @@ static struct nft_compat_net *nft_compat_pernet(struct net 
*net)
return net_generic(net, nft_compat_net_id);
 }
 
+static void nft_xt_get(struct nft_xt *xt)
+{
+   /* refcount_inc() warns on 0 -> 1 transition, but we can't
+* init the reference count to 1 in .select_ops -- we can't
+* undo such an increase when another expression inside the same
+* rule fails afterwards.
+*/
+   if (xt->listcnt == 0)
+   refcount_set(>refcnt, 1);
+   else
+   refcount_inc(>refcnt);
+
+   xt->listcnt++;
+}
+
 static bool nft_xt_put(struct nft_xt *xt)
 {
if (refcount_dec_and_test(>refcnt)) {
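Review bot: nft_xt_get() decides between refcount_set() and refcount_inc() by testing xt->listcnt == 0, which couples a plain integer to the refcount without saying what serialises the two. Add a comment naming the lock callers must hold. Also confirm there is no path on which listcnt has returned to 0 while references are still held, because the next nft_xt_get() would then reset the count to 1.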
@@ -291,7 +306,7 @@ nft_target_init(const struct nft_ctx *ctx, const struct 
nft_expr *expr,
return -EINVAL;
 
nft_xt = container_of(expr->ops, struct nft_xt, ops);
-   refcount_inc(_xt->refcnt);
+   nft_xt_get(nft_xt);
return 0;
 }
 
@@ -505,7 +520,7 @@ __nft_match_init(const struct nft_ctx *ctx, const struct 
nft_expr *expr,
return ret;
 
nft_xt = container_of(expr->ops, struct nft_xt, ops);
-   refcount_inc(_xt->refcnt);
+   nft_xt_get(nft_xt);
return 0;
 }
 
@@ -559,45 +574,16 @@ nft_match_destroy(const struct nft_ctx *ctx, const struct 
nft_expr *expr)
__nft_match_destroy(ctx, expr, nft_expr_priv(expr));
 }
 
-static void nft_compat_activate(const struct nft_ctx *ctx,
-   const struct nft_expr *expr,
-   struct list_head *h)
-{
-   struct nft_xt *xt = container_of(expr->ops, struct nft_xt, ops);
-
-   if (xt->listcnt == 0)
-   list_add(>head, h);
-
-   xt->listcnt++;
-}
-
-static void nft_compat_activate_mt(const struct nft_ctx *ctx,
-  const struct nft_expr *expr)
-{
-   struct nft_compat_net *cn = nft_compat_pernet(ctx->net);
-
-   nft_compat_activate(ctx, expr, >nft_match_list);
-}
-
-static void nft_compat_activate_tg(const struct nft_ctx *ctx,
-  const struct nft_expr *expr)
-{
-   struct nft_compat_net *cn = nft_compat_pernet(ctx->net);
-
-   nft_compat_activate(ctx, expr, >nft_target_list);
-}
-
 static void nft_compat_deactivate(const struct nft_ctx *ctx,
  const struct nft_expr *expr,
  enum nft_trans_phase phase)
 {
struct nft_xt *xt = container_of(expr->ops, struct nft_xt, ops);
 
-   if (phase == NFT_TRANS_COMMIT)
-   return;
-
-   if (--xt->listcnt == 0)
-   list_del_init(>head);
+   if (phase == NFT_TRANS_ABORT || phase == NFT_TRANS_COMMIT) {
+   if (--xt->listcnt == 0)
+   list_del_init(>head);
+   }
 }
 
 static void
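Review bot: nft_compat_deactivate() inverts its phase test without documenting it: the old code returned only for NFT_TRANS_COMMIT and decremented listcnt for every other phase, the new code decrements only for NFT_TRANS_ABORT and NFT_TRANS_COMMIT. A short comment listing the phases that are now ignored on purpose would make this reviewable. With the activate callbacks removed in the same hunk, it is also worth noting here that the matching increment now happens in nft_xt_get().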
@@ -853,7 +839,6 @@ nft_match_select_ops(const struct nft_ctx *ctx,
nft_match->ops.eval = nft_match_eval;
nft_match->ops.init = nft_match_init;
nft_match->ops.destroy = nft_match_destroy;
-   nft_match->ops.activate = nft_compat_activate_mt;
nft_match->ops.deactivate = nft_compat_deactivate;
nft_match->ops.dump = nft_match_dump;
nft_match->ops.validate = nft_match_validate;
@@ -871,7 +856,7 @@ nft_match_select_ops(const struct nft_ctx *ctx,
 
nft_match->ops.size = matchsize;
 
-   nft_match->listcnt = 1;
+   nft_match->listcnt = 0;
list_add(_match->head, >nft_match_list);
 
return _match->ops;
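Review bot: nft_match->listcnt now starts at 0 while list_add() still links the entry into nft_match_list straight away, so an entry whose init never runs stays on the list with a zero listcnt and, going by the nft_xt_get() comment, an unset refcount. Please document where such an entry is unlinked and freed. If nft_compat_deactivate() can run for it, "--xt->listcnt == 0" starts from 0 and the unlink test never fires.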
@@ -958,7 +943,6 @@ nft_target_select_ops(const struct nft_ctx *ctx,

[PATCH 4.19 001/149] media: uvcvideo: Fix type check leading to overflow

2019-03-12 Thread Greg Kroah-Hartman
4.19-stable review patch.  If anyone has any objections, please let me know.

--

From: Alistair Strachan 

commit 47bb117911b051bbc90764a8bff96543cbd2005f upstream.

When initially testing the Camera Terminal Descriptor wTerminalType
field (buffer[4]), no mask is used. Later in the function, the MSB is
overloaded to store the descriptor subtype, and so a mask of 0x7fff
is used to check the type.

If a descriptor is specially crafted to set this overloaded bit in the
original wTerminalType field, the initial type check will fail (falling
through, without adjusting the buffer size), but the later type checks
will pass, assuming the buffer has been made suitably large, causing an
overflow.

Avoid this problem by checking for the MSB in the wTerminalType field.
If the bit is set, assume the descriptor is bad, and abort parsing it.

Originally reported here:
https://groups.google.com/forum/#!topic/syzkaller/Ot1fOE6v1d8
A similar (non-compiling) patch was provided at that time.

Reported-by: syzbot 
Signed-off-by: Alistair Strachan 
Signed-off-by: Laurent Pinchart 
Signed-off-by: Mauro Carvalho Chehab 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/media/usb/uvc/uvc_driver.c |   14 +++---
 1 file changed, 11 insertions(+), 3 deletions(-)

--- a/drivers/media/usb/uvc/uvc_driver.c
+++ b/drivers/media/usb/uvc/uvc_driver.c
@@ -1065,11 +1065,19 @@ static int uvc_parse_standard_control(st
return -EINVAL;
}
 
-   /* Make sure the terminal type MSB is not null, otherwise it
-* could be confused with a unit.
+   /*
+* Reject invalid terminal types that would cause issues:
+*
+* - The high byte must be non-zero, otherwise it would be
+*   confused with a unit.
+*
+* - Bit 15 must be 0, as we use it internally as a terminal
+*   direction flag.
+*
+* Other unknown types are accepted.
 */
type = get_unaligned_le16([4]);
-   if ((type & 0xff00) == 0) {
+   if ((type & 0x7f00) == 0 || (type & 0x8000) != 0) {
uvc_trace(UVC_TRACE_DESCR, "device %d videocontrol "
"interface %d INPUT_TERMINAL %d has invalid "
"type 0x%04x, skipping\n", udev->devnum,
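Review bot: the new test "(type & 0x7f00) == 0 || (type & 0x8000) != 0" spells the internal flag as bare masks; a named constant for bit 15, shared with the 0x7fff mask that the commit message says is applied later in the function, would stop the two checks drifting apart again. The new comment calls bit 15 a terminal direction flag while the commit message says it stores the descriptor subtype, so one of the two descriptions needs correcting.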

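The mismatch the commit message describes, modelled as an added example (not code from the patch or from the uvcvideo driver): the unmasked and the masked comparison of wTerminalType are evaluated for every 16-bit value under the old and the patched acceptance test. The value 0x0201 for the camera terminal type and all function names are assumptions of this sketch, and only the camera case is modelled.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed for this sketch: camera input terminal type. */
#define ITT_CAMERA 0x0201u

/* Pre-patch acceptance test: only the high byte must be non-zero. */
static bool accept_old(uint16_t type)
{
    return (type & 0xff00u) != 0;
}

/* Patched acceptance test, mirroring the condition in the hunk:
 * reject when bits 8..14 are all zero or when bit 15 is set. */
static bool accept_new(uint16_t type)
{
    return !((type & 0x7f00u) == 0 || (type & 0x8000u) != 0);
}

/* Early, unmasked comparison: stands for the step that enforces the
 * camera-specific minimum buffer size. */
static bool sized_as_camera(uint16_t type)
{
    return type == ITT_CAMERA;
}

/* Later, masked comparison (0x7fff, as in the commit message): stands
 * for the step that reads the camera-specific fields. */
static bool parsed_as_camera(uint16_t type)
{
    return (type & 0x7fffu) == ITT_CAMERA;
}

/* The unsafe state: accepted and parsed as a camera terminal although
 * the camera size requirement was never applied. */
static bool inconsistent(bool (*accept)(uint16_t), uint16_t type)
{
    return accept(type) && parsed_as_camera(type) && !sized_as_camera(type);
}

/* Count how many of the 65536 possible type values reach that state. */
static unsigned count_inconsistent(bool (*accept)(uint16_t))
{
    unsigned n = 0;

    for (uint32_t t = 0; t <= 0xffffu; t++)
        if (inconsistent(accept, (uint16_t)t))
            n++;
    return n;
}

int main(void)
{
    printf("old check: %u inconsistent type value(s)\n",
           count_inconsistent(accept_old));
    printf("new check: %u inconsistent type value(s)\n",
           count_inconsistent(accept_new));
    return 0;
}
```
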



[PATCH 4.19 002/149] vti4: Fix a ipip packet processing bug in IPCOMP virtual tunnel

2019-03-12 Thread Greg Kroah-Hartman
4.19-stable review patch.  If anyone has any objections, please let me know.

--

[ Upstream commit dd9ee3444014e8f28c0eefc9fffc9ac9c5248c12 ]

Recently we ran a network test over an ipcomp virtual tunnel. We found that
if an ipv4 packet needs to be fragmented, then the peer can't receive
it.

We dug into the code and found that when a packet needs to be fragmented the smaller
fragment will be encapsulated by ipip not ipcomp. So when the ipip packet
goes into xfrm, its skb->dev is not properly set. The ipv4 reassembly code
always sets the skb's dev to the last fragment's dev. After ipv4 defrag processing,
when the kernel rp_filter parameter is set, the skb will be dropped with an -EXDEV
error.

This patch adds compatible support for the ipip process in ipcomp virtual tunnel.

Signed-off-by: Su Yanjun 
Signed-off-by: Steffen Klassert 
Signed-off-by: Sasha Levin 
---
 net/ipv4/ip_vti.c | 50 +++
 1 file changed, 50 insertions(+)

diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c
index 7f56944b020f..40a7cd56e008 100644
--- a/net/ipv4/ip_vti.c
+++ b/net/ipv4/ip_vti.c
@@ -74,6 +74,33 @@ static int vti_input(struct sk_buff *skb, int nexthdr, 
__be32 spi,
return 0;
 }
 
+static int vti_input_ipip(struct sk_buff *skb, int nexthdr, __be32 spi,
+int encap_type)
+{
+   struct ip_tunnel *tunnel;
+   const struct iphdr *iph = ip_hdr(skb);
+   struct net *net = dev_net(skb->dev);
+   struct ip_tunnel_net *itn = net_generic(net, vti_net_id);
+
+   tunnel = ip_tunnel_lookup(itn, skb->dev->ifindex, TUNNEL_NO_KEY,
+ iph->saddr, iph->daddr, 0);
+   if (tunnel) {
+   if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb))
+   goto drop;
+
+   XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4 = tunnel;
+
+   skb->dev = tunnel->dev;
+
+   return xfrm_input(skb, nexthdr, spi, encap_type);
+   }
+
+   return -EINVAL;
+drop:
+   kfree_skb(skb);
+   return 0;
+}
+
 static int vti_rcv(struct sk_buff *skb)
 {
XFRM_SPI_SKB_CB(skb)->family = AF_INET;
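Review bot: vti_input_ipip() has two failure exits with different skb ownership: the policy-check failure jumps to drop, frees the skb and returns 0, while the no-tunnel case returns -EINVAL without freeing it. If the handler chain expects the caller to keep the skb on a negative return, say so in a comment next to "return -EINVAL;"; if it does not, that exit leaks the skb.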
@@ -82,6 +109,14 @@ static int vti_rcv(struct sk_buff *skb)
return vti_input(skb, ip_hdr(skb)->protocol, 0, 0);
 }
 
+static int vti_rcv_ipip(struct sk_buff *skb)
+{
+   XFRM_SPI_SKB_CB(skb)->family = AF_INET;
+   XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct iphdr, daddr);
+
+   return vti_input_ipip(skb, ip_hdr(skb)->protocol, ip_hdr(skb)->saddr, 
0);
+}
+
 static int vti_rcv_cb(struct sk_buff *skb, int err)
 {
unsigned short family;
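Review bot: vti_rcv_ipip() passes ip_hdr(skb)->saddr as the third argument of vti_input_ipip(), whose parameter is declared "__be32 spi" and is forwarded unchanged to xfrm_input(). Add a comment explaining why a source address stands in for the SPI on the ipip path, or pass the value that the lookup in xfrm_input() actually expects.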
@@ -435,6 +470,12 @@ static struct xfrm4_protocol vti_ipcomp4_protocol 
__read_mostly = {
.priority   =   100,
 };
 
+static struct xfrm_tunnel ipip_handler __read_mostly = {
+   .handler=   vti_rcv_ipip,
+   .err_handler=   vti4_err,
+   .priority   =   0,
+};
+
 static int __net_init vti_init_net(struct net *net)
 {
int err;
@@ -603,6 +644,13 @@ static int __init vti_init(void)
if (err < 0)
goto xfrm_proto_comp_failed;
 
+   msg = "ipip tunnel";
+   err = xfrm4_tunnel_register(_handler, AF_INET);
+   if (err < 0) {
+   pr_info("%s: cant't register tunnel\n",__func__);
+   goto xfrm_tunnel_failed;
+   }
+
msg = "netlink interface";
err = rtnl_link_register(_link_ops);
if (err < 0)
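Review bot: the pr_info() in the new registration block has a typo and a missing space after the comma: "cant't register tunnel\n",__func__. The block also sets msg = "ipip tunnel" like the neighbouring registrations, none of which logs on its own in the visible lines, so either drop the pr_info() and rely on msg or drop the msg assignment.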
@@ -612,6 +660,8 @@ static int __init vti_init(void)
 
 rtnl_link_failed:
xfrm4_protocol_deregister(_ipcomp4_protocol, IPPROTO_COMP);
+xfrm_tunnel_failed:
+   xfrm4_tunnel_deregister(_handler, AF_INET);
 xfrm_proto_comp_failed:
xfrm4_protocol_deregister(_ah4_protocol, IPPROTO_AH);
 xfrm_proto_ah_failed:
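Review bot: the new unwind label is in the wrong position. A failed xfrm4_tunnel_register() jumps to xfrm_tunnel_failed, which deregisters the handler that was never registered and then falls through to xfrm_proto_comp_failed, skipping the IPPROTO_COMP deregistration for a protocol that did register. The calls should be swapped: xfrm4_tunnel_deregister() belongs under rtnl_link_failed, and the IPPROTO_COMP xfrm4_protocol_deregister() under xfrm_tunnel_failed.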
-- 
2.19.1





[PATCH 4.20 167/171] ath9k: Avoid OF no-EEPROM quirks without qca,no-eeprom

2019-03-12 Thread Greg Kroah-Hartman
4.20-stable review patch.  If anyone has any objections, please let me know.

--

From: Daniel F. Dickinson 

commit ce938231bd3b1d7af3cbd8836f084801090470e1 upstream.

ath9k_of_init() function[0] was initially written on the assumption that
if someone had an explicit ath9k OF node that "there must be something
wrong, why would someone add an OF node if everything is fine"[1]
(Quoting Martin Blumenstingl )

"it turns out it's not that simple. with your requirements I'm now aware
of two use-cases where the current code in ath9k_of_init() doesn't work
without modifications"[1]

The "your requirements" Martin speaks of is the result of the fact that I
have a device (PowerCloud Systems CR5000) has some kind of default - not
unique mac address - set and requires to set the correct MAC address via
mac-address devicetree property, however:

"some cards come with a physical EEPROM chip [or OTP] so "qca,no-eeprom"
should not be set (your use-case). in this case AH_USE_EEPROM should be
set (which is the default when there is no OF node)"[1]

The other use case is:

the firmware on some PowerMac G5 seems to add a OF node for the ath9k
card automatically. depending on the EEPROM on the card AH_NO_EEP_SWAP
should be unset (which is the default when there is no OF node). see [3]

After this patch to ath9k_of_init() the new behavior will be:

if there's no OF node then everything is the same as before
if there's an empty OF node then ath9k will use the hardware EEPROM
  (before ath9k would fail to initialize because no EEPROM data was
  provided by userspace)
if there's an OF node with only a MAC address then ath9k will use
  the MAC address and the hardware EEPROM (see the case above)
with "qca,no-eeprom" EEPROM data from userspace will be requested.
  the behavior here will not change
[1]

Martin provides additional background on EEPROM swapping[1].

Thanks to Christian Lamparter  for all his help on
troubleshooting this issue and the basis for this patch.

[0]https://elixir.bootlin.com/linux/v4.20-rc7/source/drivers/net/wireless/ath/ath9k/init.c#L615
[1]https://github.com/openwrt/openwrt/pull/1645#issuecomment-448027058
[2]https://github.com/openwrt/openwrt/pull/1613
[3]https://patchwork.kernel.org/patch/10241731/

Fixes: 138b41253d9c ("ath9k: parse the device configuration from an OF node")
Reviewed-by: Martin Blumenstingl 
Tested-by: Martin Blumenstingl 
Signed-off-by: Daniel F. Dickinson 
Signed-off-by: Kalle Valo 
Cc: Christian Lamparter 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/net/wireless/ath/ath9k/init.c |6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/net/wireless/ath/ath9k/init.c
+++ b/drivers/net/wireless/ath/ath9k/init.c
@@ -636,15 +636,15 @@ static int ath9k_of_init(struct ath_soft
ret = ath9k_eeprom_request(sc, eeprom_name);
if (ret)
return ret;
+
+   ah->ah_flags &= ~AH_USE_EEPROM;
+   ah->ah_flags |= AH_NO_EEP_SWAP;
}
 
mac = of_get_mac_address(np);
if (mac)
ether_addr_copy(common->macaddr, mac);
 
-   ah->ah_flags &= ~AH_USE_EEPROM;
-   ah->ah_flags |= AH_NO_EEP_SWAP;
-
return 0;
 }
 




[PATCH 4.20 168/171] perf/x86/intel: Make cpuc allocations consistent

2019-03-12 Thread Greg Kroah-Hartman
4.20-stable review patch.  If anyone has any objections, please let me know.

--

From: "Peter Zijlstra (Intel)" 

commit d01b1f96a82e5dd7841a1d39db3abfdaf95f70ab upstream

The cpuc data structure allocation is different between fake and real
cpuc's; use the same code to init/free both.

Signed-off-by: Peter Zijlstra (Intel) 
Signed-off-by: Thomas Gleixner 
Signed-off-by: Greg Kroah-Hartman 
---
 arch/x86/events/core.c   |   13 +
 arch/x86/events/intel/core.c |   29 ++---
 arch/x86/events/perf_event.h |   11 ---
 3 files changed, 31 insertions(+), 22 deletions(-)

--- a/arch/x86/events/core.c
+++ b/arch/x86/events/core.c
@@ -1995,7 +1995,7 @@ static int x86_pmu_commit_txn(struct pmu
  */
 static void free_fake_cpuc(struct cpu_hw_events *cpuc)
 {
-   kfree(cpuc->shared_regs);
+   intel_cpuc_finish(cpuc);
kfree(cpuc);
 }
 
@@ -2007,14 +2007,11 @@ static struct cpu_hw_events *allocate_fa
cpuc = kzalloc(sizeof(*cpuc), GFP_KERNEL);
if (!cpuc)
return ERR_PTR(-ENOMEM);
-
-   /* only needed, if we have extra_regs */
-   if (x86_pmu.extra_regs) {
-   cpuc->shared_regs = allocate_shared_regs(cpu);
-   if (!cpuc->shared_regs)
-   goto error;
-   }
cpuc->is_fake = 1;
+
+   if (intel_cpuc_prepare(cpuc, cpu))
+   goto error;
+
return cpuc;
 error:
free_fake_cpuc(cpuc);
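Review bot: in allocate_fake_cpuc() a failing intel_cpuc_prepare() jumps to error, where free_fake_cpuc() now runs intel_cpuc_finish() on the same cpuc. intel_cpuc_prepare() already unwinds on its own (the err_shared_regs path in the intel/core.c hunk), so it has to leave shared_regs and the other pointers NULL after freeing them, otherwise they are freed twice. Please confirm that, or free only cpuc on this path. The removed "if (x86_pmu.extra_regs)" guard also means this generic x86 file now makes the call unconditionally, which the commit message should mention.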
--- a/arch/x86/events/intel/core.c
+++ b/arch/x86/events/intel/core.c
@@ -3398,7 +3398,7 @@ ssize_t intel_event_sysfs_show(char *pag
return x86_event_sysfs_show(page, config, event);
 }
 
-struct intel_shared_regs *allocate_shared_regs(int cpu)
+static struct intel_shared_regs *allocate_shared_regs(int cpu)
 {
struct intel_shared_regs *regs;
int i;
@@ -3430,10 +3430,9 @@ static struct intel_excl_cntrs *allocate
return c;
 }
 
-static int intel_pmu_cpu_prepare(int cpu)
-{
-   struct cpu_hw_events *cpuc = _cpu(cpu_hw_events, cpu);
 
+int intel_cpuc_prepare(struct cpu_hw_events *cpuc, int cpu)
+{
if (x86_pmu.extra_regs || x86_pmu.lbr_sel_map) {
cpuc->shared_regs = allocate_shared_regs(cpu);
if (!cpuc->shared_regs)
@@ -3443,7 +3442,7 @@ static int intel_pmu_cpu_prepare(int cpu
if (x86_pmu.flags & PMU_FL_EXCL_CNTRS) {
size_t sz = X86_PMC_IDX_MAX * sizeof(struct event_constraint);
 
-   cpuc->constraint_list = kzalloc(sz, GFP_KERNEL);
+   cpuc->constraint_list = kzalloc_node(sz, GFP_KERNEL, 
cpu_to_node(cpu));
if (!cpuc->constraint_list)
goto err_shared_regs;
 
@@ -3468,6 +3467,11 @@ err:
return -ENOMEM;
 }
 
+static int intel_pmu_cpu_prepare(int cpu)
+{
+   return intel_cpuc_prepare(_cpu(cpu_hw_events, cpu), cpu);
+}
+
 static void flip_smm_bit(void *data)
 {
unsigned long set = *(unsigned long *)data;
@@ -3542,9 +3546,8 @@ static void intel_pmu_cpu_starting(int c
}
 }
 
-static void free_excl_cntrs(int cpu)
+static void free_excl_cntrs(struct cpu_hw_events *cpuc)
 {
-   struct cpu_hw_events *cpuc = _cpu(cpu_hw_events, cpu);
struct intel_excl_cntrs *c;
 
c = cpuc->excl_cntrs;
@@ -3565,9 +3568,8 @@ static void intel_pmu_cpu_dying(int cpu)
disable_counter_freeze();
 }
 
-static void intel_pmu_cpu_dead(int cpu)
+void intel_cpuc_finish(struct cpu_hw_events *cpuc)
 {
-   struct cpu_hw_events *cpuc = _cpu(cpu_hw_events, cpu);
struct intel_shared_regs *pc;
 
pc = cpuc->shared_regs;
@@ -3577,7 +3579,12 @@ static void intel_pmu_cpu_dead(int cpu)
cpuc->shared_regs = NULL;
}
 
-   free_excl_cntrs(cpu);
+   free_excl_cntrs(cpuc);
+}
+
+static void intel_pmu_cpu_dead(int cpu)
+{
+   intel_cpuc_finish(_cpu(cpu_hw_events, cpu));
 }
 
 static void intel_pmu_sched_task(struct perf_event_context *ctx,
@@ -4715,7 +4722,7 @@ static __init int fixup_ht_bug(void)
hardlockup_detector_perf_restart();
 
for_each_online_cpu(c)
-   free_excl_cntrs(c);
+   free_excl_cntrs(_cpu(cpu_hw_events, c));
 
cpus_read_unlock();
pr_info("PMU erratum BJ122, BV98, HSD29 workaround disabled, HT off\n");
--- a/arch/x86/events/perf_event.h
+++ b/arch/x86/events/perf_event.h
@@ -889,7 +889,8 @@ struct event_constraint *
 x86_get_event_constraints(struct cpu_hw_events *cpuc, int idx,
  struct perf_event *event);
 
-struct intel_shared_regs *allocate_shared_regs(int cpu);
+extern int intel_cpuc_prepare(struct cpu_hw_events *cpuc, int cpu);
+extern void intel_cpuc_finish(struct cpu_hw_events *cpuc);
 
 int intel_pmu_init(void);
 
@@ -1025,9 +1026,13 @@ static inline int intel_pmu_init(void)
return 0;
 }
 
-static inline struct intel_shared_regs *allocate_shared_regs(int cpu)
+static inline int intel_cpuc_prepare(struct cpu_hw_event 

[PATCH 4.20 159/171] ARM: dts: exynos: Fix max voltage for buck8 regulator on Odroid XU3/XU4

2019-03-12 Thread Greg Kroah-Hartman
4.20-stable review patch.  If anyone has any objections, please let me know.

--

From: Marek Szyprowski 

commit a3238924a820c1d7c977b632b769f3b5690cba09 upstream.

The maximum voltage value for buck8 regulator on Odroid XU3/XU4 boards is
set too low. Increase it to the 2000mV as specified on the board schematic.
So far the board worked fine, because of the bug in the PMIC driver, which
used incorrect step value for that regulator. It interpreted the voltage
value set by the bootloader as 1225mV and kept it unchanged. The regulator
driver has however been fixed recently in the commit 56b5d4ea778c
("regulator: s2mps11: Fix steps for buck7, buck8 and LDO35"), which results
in reading the proper buck8 value and forcing it to 1500mV on boot. This
is not enough for proper board operation and results in eMMC errors during
heavy IO traffic. Increasing maximum voltage value for buck8 restores
original driver behavior and fixes eMMC issues.

Signed-off-by: Marek Szyprowski 
Fixes: 86a2d2ac5e5d ("ARM: dts: Add dts file for Odroid XU3 board")
Fixes: 56b5d4ea778c ("regulator: s2mps11: Fix steps for buck7, buck8 and LDO35")
Cc: 
Signed-off-by: Krzysztof Kozlowski 
Signed-off-by: Arnd Bergmann 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/arm/boot/dts/exynos5422-odroid-core.dtsi |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm/boot/dts/exynos5422-odroid-core.dtsi
+++ b/arch/arm/boot/dts/exynos5422-odroid-core.dtsi
@@ -467,7 +467,7 @@
buck8_reg: BUCK8 {
regulator-name = "vdd_1.8v_ldo";
regulator-min-microvolt = <80>;
-   regulator-max-microvolt = <150>;
+   regulator-max-microvolt = <200>;
regulator-always-on;
regulator-boot-on;
};




[PATCH 4.20 146/171] nvme-pci: add missing unlock for reset error

2019-03-12 Thread Greg Kroah-Hartman
4.20-stable review patch.  If anyone has any objections, please let me know.

--

[ Upstream commit 4726bcf30fad37cc555cd9dcd6c73f2b2668c879 ]

The reset work holds a mutex to prevent races with removal modifying the
same resources, but was unlocking only on success. Unlock on failure
too.

Fixes: 5c959d73dba64 ("nvme-pci: fix rapid add remove sequence")
Signed-off-by: Keith Busch 
Signed-off-by: Christoph Hellwig 
Signed-off-by: Sasha Levin 
---
 drivers/nvme/host/pci.c | 8 +---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
index 439b9f4eb246..5c58e0ffa3ac 100644
--- a/drivers/nvme/host/pci.c
+++ b/drivers/nvme/host/pci.c
@@ -2283,15 +2283,15 @@ static void nvme_reset_work(struct work_struct *work)
mutex_lock(>shutdown_lock);
result = nvme_pci_enable(dev);
if (result)
-   goto out;
+   goto out_unlock;
 
result = nvme_pci_configure_admin_queue(dev);
if (result)
-   goto out;
+   goto out_unlock;
 
result = nvme_alloc_admin_tags(dev);
if (result)
-   goto out;
+   goto out_unlock;
 
/*
 * Limit the max command size to prevent iod->sg allocations going
@@ -2374,6 +2374,8 @@ static void nvme_reset_work(struct work_struct *work)
nvme_start_ctrl(>ctrl);
return;
 
+ out_unlock:
+   mutex_unlock(>shutdown_lock);
  out:
nvme_remove_dead_ctrl(dev, result);
 }
-- 
2.19.1





[PATCH 4.20 145/171] blk-iolatency: fix IO hang due to negative inflight counter

2019-03-12 Thread Greg Kroah-Hartman
4.20-stable review patch.  If anyone has any objections, please let me know.

--

[ Upstream commit 8c772a9bfc7c07c76f4a58b58910452fbb20843b ]

Our test reported the following stack, and vmcore showed that
->inflight counter is -1.

[c9003fcc38d0] __schedule at 8173d95d
[c9003fcc3958] schedule at 8173de26
[c9003fcc3970] io_schedule at 810bb6b6
[c9003fcc3988] blkcg_iolatency_throttle at 813911cb
[c9003fcc3a20] rq_qos_throttle at 813847f3
[c9003fcc3a48] blk_mq_make_request at 8137468a
[c9003fcc3b08] generic_make_request at 81368b49
[c9003fcc3b68] submit_bio at 81368d7d
[c9003fcc3bb8] ext4_io_submit at a031be00 [ext4]
[c9003fcc3c00] ext4_writepages at a03163de [ext4]
[c9003fcc3d68] do_writepages at 811c49ae
[c9003fcc3d78] __filemap_fdatawrite_range at 811b6188
[c9003fcc3e30] filemap_write_and_wait_range at 811b6301
[c9003fcc3e60] ext4_sync_file at a030cee8 [ext4]
[c9003fcc3ea8] vfs_fsync_range at 8128594b
[c9003fcc3ee8] do_fsync at 81285abd
[c9003fcc3f18] sys_fsync at 81285d50
[c9003fcc3f28] do_syscall_64 at 81003c04
[c9003fcc3f50] entry_SYSCALL_64_after_swapgs at 81742b8e

The ->inflight counter may be negative (-1) if

1) blk-iolatency was disabled when the IO was issued,

2) blk-iolatency was enabled before this IO reached its endio,

3) the ->inflight counter is decreased from 0 to -1 in endio()

In fact the hang can be easily reproduced by the below script,

H=/sys/fs/cgroup/unified/
P=/sys/fs/cgroup/unified/test

echo "+io" > $H/cgroup.subtree_control
mkdir -p $P

echo $$ > $P/cgroup.procs

xfs_io -f -d -c "pwrite 0 4k" /dev/sdg

echo "`cat /sys/block/sdg/dev` target=100" > $P/io.latency

xfs_io -f -d -c "pwrite 0 4k" /dev/sdg

This fixes the problem by freezing the queue so that while
enabling/disabling iolatency, there is no inflight rq running.

Note that quiesce_queue is not needed as this is only updating the iolatency
configuration, which the dispatching request_queue doesn't care about.

Signed-off-by: Liu Bo 
Signed-off-by: Jens Axboe 
Signed-off-by: Sasha Levin 
---
 block/blk-iolatency.c | 52 +--
 1 file changed, 45 insertions(+), 7 deletions(-)

diff --git a/block/blk-iolatency.c b/block/blk-iolatency.c
index 38c35c32aff2..c1c72b42dda0 100644
--- a/block/blk-iolatency.c
+++ b/block/blk-iolatency.c
@@ -72,6 +72,7 @@
 #include 
 #include 
 #include 
+#include 
 #include "blk-rq-qos.h"
 #include "blk-stat.h"
 
@@ -648,6 +649,9 @@ static void blkcg_iolatency_done_bio(struct rq_qos *rqos, 
struct bio *bio)
return;
 
enabled = blk_iolatency_enabled(iolat->blkiolat);
+   if (!enabled)
+   return;
+
while (blkg && blkg->parent) {
iolat = blkg_to_lat(blkg);
if (!iolat) {
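Review bot: blkcg_iolatency_done_bio() now returns at "if (!enabled) return;" before the loop, so the inflight decrement is skipped for every level whenever iolatency is off at completion time. That only balances if the enabled state cannot change between issue and endio, which the commit message attributes to freezing the queue; put that dependency in a comment at the early return so it is visible in the code and not only in the changelog.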
@@ -657,7 +661,7 @@ static void blkcg_iolatency_done_bio(struct rq_qos *rqos, 
struct bio *bio)
rqw = >rq_wait;
 
atomic_dec(>inflight);
-   if (!enabled || iolat->min_lat_nsec == 0)
+   if (iolat->min_lat_nsec == 0)
goto next;
iolatency_record_time(iolat, >bi_issue, now,
  issue_as_root);
@@ -801,10 +805,13 @@ int blk_iolatency_init(struct request_queue *q)
return 0;
 }
 
-static void iolatency_set_min_lat_nsec(struct blkcg_gq *blkg, u64 val)
+/*
+ * return 1 for enabling iolatency, return -1 for disabling iolatency, 
otherwise
+ * return 0.
+ */
+static int iolatency_set_min_lat_nsec(struct blkcg_gq *blkg, u64 val)
 {
struct iolatency_grp *iolat = blkg_to_lat(blkg);
-   struct blk_iolatency *blkiolat = iolat->blkiolat;
u64 oldval = iolat->min_lat_nsec;
 
iolat->min_lat_nsec = val;
@@ -813,9 +820,10 @@ static void iolatency_set_min_lat_nsec(struct blkcg_gq 
*blkg, u64 val)
BLKIOLATENCY_MAX_WIN_SIZE);
 
if (!oldval && val)
-   atomic_inc(>enabled);
+   return 1;
if (oldval && !val)
-   atomic_dec(>enabled);
+   return -1;
+   return 0;
 }
 
 static void iolatency_clear_scaling(struct blkcg_gq *blkg)
@@ -847,6 +855,7 @@ static ssize_t iolatency_set_limit(struct kernfs_open_file 
*of, char *buf,
u64 lat_val = 0;
u64 oldval;
int ret;
+   int enable = 0;
 
ret = blkg_conf_prep(blkcg, _policy_iolatency, buf, );
if (ret)
@@ -881,7 +890,12 @@ static ssize_t iolatency_set_limit(struct kernfs_open_file 
*of, char *buf,
blkg = ctx.blkg;
oldval = iolat->min_lat_nsec;
 
-   iolatency_set_min_lat_nsec(blkg, lat_val);
+   enable = iolatency_set_min_lat_nsec(blkg, lat_val);
+   if (enable) {
+   WARN_ON_ONCE(!blk_get_queue(blkg->q));
+   

[PATCH 4.20 127/171] s390/qeth: cancel close_dev work before removing a card

2019-03-12 Thread Greg Kroah-Hartman
4.20-stable review patch.  If anyone has any objections, please let me know.

--

[ Upstream commit c2780c1a3fb724560b1d44f7976e0de17bf153c7 ]

A card's close_dev work is scheduled on a driver-wide workqueue. If the
card is removed and freed while the work is still active, this causes a
use-after-free.
So make sure that the work is completed before freeing the card.

Fixes: 0f54761d167f ("qeth: Support VEPA mode")
Signed-off-by: Julian Wiedmann 
Signed-off-by: David S. Miller 
Signed-off-by: Sasha Levin 
---
 drivers/s390/net/qeth_core.h| 1 +
 drivers/s390/net/qeth_l2_main.c | 2 ++
 drivers/s390/net/qeth_l3_main.c | 1 +
 3 files changed, 4 insertions(+)

diff --git a/drivers/s390/net/qeth_core.h b/drivers/s390/net/qeth_core.h
index 99af1a0a3314..8999be74c545 100644
--- a/drivers/s390/net/qeth_core.h
+++ b/drivers/s390/net/qeth_core.h
@@ -22,6 +22,7 @@
 #include 
 #include 
 #include 
+#include 
 
 #include 
 #include 
diff --git a/drivers/s390/net/qeth_l2_main.c b/drivers/s390/net/qeth_l2_main.c
index 8d3601891c62..49fa09c67d49 100644
--- a/drivers/s390/net/qeth_l2_main.c
+++ b/drivers/s390/net/qeth_l2_main.c
@@ -823,6 +823,8 @@ static void qeth_l2_remove_device(struct ccwgroup_device 
*cgdev)
 
if (cgdev->state == CCWGROUP_ONLINE)
qeth_l2_set_offline(cgdev);
+
+   cancel_work_sync(>close_dev_work);
if (qeth_netdev_is_registered(card->dev))
unregister_netdev(card->dev);
 }
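Review bot: in qeth_l2_remove_device() cancel_work_sync() runs before unregister_netdev(), so the fix holds only if nothing can queue close_dev_work again after the cancel returns. Please state, in the commit message or in a comment at the call, what prevents a re-queue between this point and the card being freed.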
diff --git a/drivers/s390/net/qeth_l3_main.c b/drivers/s390/net/qeth_l3_main.c
index f08b745c2007..d1bf55b5c8e1 100644
--- a/drivers/s390/net/qeth_l3_main.c
+++ b/drivers/s390/net/qeth_l3_main.c
@@ -2428,6 +2428,7 @@ static void qeth_l3_remove_device(struct ccwgroup_device 
*cgdev)
if (cgdev->state == CCWGROUP_ONLINE)
qeth_l3_set_offline(cgdev);
 
+   cancel_work_sync(>close_dev_work);
if (qeth_netdev_is_registered(card->dev))
unregister_netdev(card->dev);
qeth_l3_clear_ip_htable(card, 0);
-- 
2.19.1





[PATCH 4.20 120/171] vsock/virtio: reset connected sockets on device removal

2019-03-12 Thread Greg Kroah-Hartman
4.20-stable review patch.  If anyone has any objections, please let me know.

--

[ Upstream commit 85965487abc540368393a15491e6e7fcd230039d ]

When the virtio transport device disappears, we should reset all
connected sockets in order to inform the users.

Signed-off-by: Stefano Garzarella 
Reviewed-by: Stefan Hajnoczi 
Signed-off-by: David S. Miller 
Signed-off-by: Sasha Levin 
---
 net/vmw_vsock/virtio_transport.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/vmw_vsock/virtio_transport.c b/net/vmw_vsock/virtio_transport.c
index 9dae54698737..15eb5d3d4750 100644
--- a/net/vmw_vsock/virtio_transport.c
+++ b/net/vmw_vsock/virtio_transport.c
@@ -634,6 +634,9 @@ static void virtio_vsock_remove(struct virtio_device *vdev)
flush_work(>event_work);
flush_work(>send_pkt_work);
 
+   /* Reset all connected sockets when the device disappear */
+   vsock_for_each_connected_socket(virtio_vsock_reset_sock);
+
vdev->config->reset(vdev);
 
mutex_lock(>rx_lock);
-- 
2.19.1





[PATCH 4.20 119/171] vsock/virtio: fix kernel panic after device hot-unplug

2019-03-12 Thread Greg Kroah-Hartman
4.20-stable review patch.  If anyone has any objections, please let me know.

--

[ Upstream commit 22b5c0b63f32568e130fa2df4ba23efce3eb495b ]

virtio_vsock_remove() invokes the vsock_core_exit() also if there
are opened sockets for the AF_VSOCK protocol family. In this way
the vsock "transport" pointer is set to NULL, triggering the
kernel panic at the first socket activity.

This patch moves the vsock_core_init()/vsock_core_exit() calls in
virtio_vsock to the module_init and module_exit functions respectively,
which cannot be invoked while there are open sockets.

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1609699
Reported-by: Yan Fu 
Signed-off-by: Stefano Garzarella 
Acked-by: Stefan Hajnoczi 
Signed-off-by: David S. Miller 
Signed-off-by: Sasha Levin 
---
 net/vmw_vsock/virtio_transport.c | 26 ++
 1 file changed, 18 insertions(+), 8 deletions(-)

diff --git a/net/vmw_vsock/virtio_transport.c b/net/vmw_vsock/virtio_transport.c
index 5d3cce9e8744..9dae54698737 100644
--- a/net/vmw_vsock/virtio_transport.c
+++ b/net/vmw_vsock/virtio_transport.c
@@ -75,6 +75,9 @@ static u32 virtio_transport_get_local_cid(void)
 {
struct virtio_vsock *vsock = virtio_vsock_get();
 
+   if (!vsock)
+   return VMADDR_CID_ANY;
+
return vsock->guest_cid;
 }
 
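Review bot: virtio_transport_get_local_cid() gains a NULL check because, with vsock_core_init() moved to module init, the transport callbacks can now run while no device is present. Any other caller of virtio_vsock_get() in this file that dereferences the result needs the same treatment; please audit them in this patch or note in the commit message why this one is the only callback reachable without a device.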
@@ -584,10 +587,6 @@ static int virtio_vsock_probe(struct virtio_device *vdev)
 
virtio_vsock_update_guest_cid(vsock);
 
-   ret = vsock_core_init(_transport.transport);
-   if (ret < 0)
-   goto out_vqs;
-
vsock->rx_buf_nr = 0;
vsock->rx_buf_max_nr = 0;
atomic_set(>queued_replies, 0);
@@ -618,8 +617,6 @@ static int virtio_vsock_probe(struct virtio_device *vdev)
mutex_unlock(_virtio_vsock_mutex);
return 0;
 
-out_vqs:
-   vsock->vdev->config->del_vqs(vsock->vdev);
 out:
kfree(vsock);
mutex_unlock(_virtio_vsock_mutex);
@@ -669,7 +666,6 @@ static void virtio_vsock_remove(struct virtio_device *vdev)
 
mutex_lock(_virtio_vsock_mutex);
the_virtio_vsock = NULL;
-   vsock_core_exit();
mutex_unlock(_virtio_vsock_mutex);
 
vdev->config->del_vqs(vdev);
@@ -702,14 +698,28 @@ static int __init virtio_vsock_init(void)
virtio_vsock_workqueue = alloc_workqueue("virtio_vsock", 0, 0);
if (!virtio_vsock_workqueue)
return -ENOMEM;
+
ret = register_virtio_driver(_vsock_driver);
if (ret)
-   destroy_workqueue(virtio_vsock_workqueue);
+   goto out_wq;
+
+   ret = vsock_core_init(_transport.transport);
+   if (ret)
+   goto out_vdr;
+
+   return 0;
+
+out_vdr:
+   unregister_virtio_driver(_vsock_driver);
+out_wq:
+   destroy_workqueue(virtio_vsock_workqueue);
return ret;
+
 }
 
 static void __exit virtio_vsock_exit(void)
 {
+   vsock_core_exit();
unregister_virtio_driver(_vsock_driver);
destroy_workqueue(virtio_vsock_workqueue);
 }
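Review bot: virtio_vsock_init() calls register_virtio_driver() before vsock_core_init(), so a device can be probed while the transport is not yet registered; a comment saying why that window is harmless would help, since probe used to do the registration itself. The hunk also adds a stray blank line between "return ret;" and the closing brace of virtio_vsock_init(), which should be dropped.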
-- 
2.19.1





[PATCH 4.20 098/171] irqchip/gic-v4: Fix occasional VLPI drop

2019-03-12 Thread Greg Kroah-Hartman
4.20-stable review patch.  If anyone has any objections, please let me know.

--

[ Upstream commit 6479450f72c1391c03f08affe0d0110f41ae7ca0 ]

1. In current implementation, every VLPI will temporarily be mapped to
the first CPU in system (normally CPU0) and then moved to the real
scheduled CPU later.

2. So there is a time window and a VLPI may be sent to CPU0 instead of
the real scheduled vCPU, in a multi-CPU virtual machine.

3. However, CPU0 may have not been scheduled as a virtual CPU after
system boots up, so the value of its GICR_VPROPBASER is unknown at
that moment.

4. If the INTID of VLPI is larger than 2^(GICR_VPROPBASER.IDbits+1),
while IDbits is also in unknown state, GIC will behave as if the VLPI
is out of range and simply drop it, which results in interrupt missing
in Guest.

As no code will clear GICR_VPROPBASER at runtime, we can safely
initialize the IDbits field at boot time for each CPU to get rid of
this issue.

We also clear Valid bit of GICR_VPENDBASER in case any ancient
programming gets left in and causes memory corrupting. A new function
its_clear_vpend_valid() is added to reuse the code in
its_vpe_deschedule().

Fixes: e643d8034036 ("irqchip/gic-v3-its: Add VPE scheduling")
Signed-off-by: Heyi Guo 
Signed-off-by: Heyi Guo 
Signed-off-by: Marc Zyngier 
Signed-off-by: Sasha Levin 
---
 drivers/irqchip/irq-gic-v3-its.c | 66 
 1 file changed, 49 insertions(+), 17 deletions(-)

diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c
index 350f999d205b..f25ec92f23ee 100644
--- a/drivers/irqchip/irq-gic-v3-its.c
+++ b/drivers/irqchip/irq-gic-v3-its.c
@@ -2065,6 +2065,29 @@ static int __init allocate_lpi_tables(void)
return 0;
 }
 
+static u64 its_clear_vpend_valid(void __iomem *vlpi_base)
+{
+   u32 count = 100;/* 1s! */
+   bool clean;
+   u64 val;
+
+   val = gits_read_vpendbaser(vlpi_base + GICR_VPENDBASER);
+   val &= ~GICR_VPENDBASER_Valid;
+   gits_write_vpendbaser(val, vlpi_base + GICR_VPENDBASER);
+
+   do {
+   val = gits_read_vpendbaser(vlpi_base + GICR_VPENDBASER);
+   clean = !(val & GICR_VPENDBASER_Dirty);
+   if (!clean) {
+   count--;
+   cpu_relax();
+   udelay(1);
+   }
+   } while (!clean && count);
+
+   return val;
+}
+
 static void its_cpu_init_lpis(void)
 {
void __iomem *rbase = gic_data_rdist_rd_base();
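
Review bot: its_clear_vpend_valid() reports a polling timeout only through the Dirty bit left set in the value it returns, and nothing in the function says so. A short comment above it stating that callers must test GICR_VPENDBASER_Dirty in the return value would make the contract explicit, since the call sites added in the later hunks depend on it.
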
@@ -2150,6 +2173,30 @@ static void its_cpu_init_lpis(void)
val |= GICR_CTLR_ENABLE_LPIS;
writel_relaxed(val, rbase + GICR_CTLR);
 
+   if (gic_rdists->has_vlpis) {
+   void __iomem *vlpi_base = gic_data_rdist_vlpi_base();
+
+   /*
+* It's possible for CPU to receive VLPIs before it is
+* sheduled as a vPE, especially for the first CPU, and the
+* VLPI with INTID larger than 2^(IDbits+1) will be considered
+* as out of range and dropped by GIC.
+* So we initialize IDbits to known value to avoid VLPI drop.
+*/
+   val = (LPI_NRBITS - 1) & GICR_VPROPBASER_IDBITS_MASK;
+   pr_debug("GICv4: CPU%d: Init IDbits to 0x%llx for 
GICR_VPROPBASER\n",
+   smp_processor_id(), val);
+   gits_write_vpropbaser(val, vlpi_base + GICR_VPROPBASER);
+
+   /*
+* Also clear Valid bit of GICR_VPENDBASER, in case some
+* ancient programming gets left in and has possibility of
+* corrupting memory.
+*/
+   val = its_clear_vpend_valid(vlpi_base);
+   WARN_ON(val & GICR_VPENDBASER_Dirty);
+   }
+
/* Make sure the GIC has seen the above */
dsb(sy);
 out:
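
Review bot: in the new has_vlpis block of its_cpu_init_lpis(), the comment misspells "scheduled" as "sheduled". Also consider WARN_ON_ONCE(val & GICR_VPENDBASER_Dirty) instead of WARN_ON(), since the commit message says this initialization runs for each CPU and a stuck Dirty bit would otherwise produce one backtrace per CPU.
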
@@ -2776,26 +2823,11 @@ static void its_vpe_schedule(struct its_vpe *vpe)
 static void its_vpe_deschedule(struct its_vpe *vpe)
 {
void __iomem *vlpi_base = gic_data_rdist_vlpi_base();
-   u32 count = 100;/* 1s! */
-   bool clean;
u64 val;
 
-   /* We're being scheduled out */
-   val = gits_read_vpendbaser(vlpi_base + GICR_VPENDBASER);
-   val &= ~GICR_VPENDBASER_Valid;
-   gits_write_vpendbaser(val, vlpi_base + GICR_VPENDBASER);
-
-   do {
-   val = gits_read_vpendbaser(vlpi_base + GICR_VPENDBASER);
-   clean = !(val & GICR_VPENDBASER_Dirty);
-   if (!clean) {
-   count--;
-   cpu_relax();
-   udelay(1);
-   }
-   } while (!clean && count);
+   val = its_clear_vpend_valid(vlpi_base);
 
-   if (unlikely(!clean && !count)) {
+   if (unlikely(val & GICR_VPENDBASER_Dirty)) {
pr_err_ratelimited("ITS virtual pending table not cleaning\n");
vpe->idai = false;
vpe->pending_last = 

[PATCH 4.20 085/171] bpftool: Fix prog dump by tag

2019-03-12 Thread Greg Kroah-Hartman
4.20-stable review patch.  If anyone has any objections, please let me know.

--

[ Upstream commit 752bcf80f5549c9901b2e8bc77b2138de55b1026 ]

Lance reported an issue with bpftool not being able to
dump program if there are more programs loaded and you
want to dump any but the first program, like:

  # bpftool prog
  28: kprobe  name trace_req_start  tag 1dfc28ba8b3dd597  gpl
loaded_at 2019-01-18T17:02:40+1100  uid 0
xlated 112B  jited 109B  memlock 4096B  map_ids 13
  29: kprobe  name trace_req_compl  tag 5b6a5ecc6030a683  gpl
loaded_at 2019-01-18T17:02:40+1100  uid 0
xlated 928B  jited 575B  memlock 4096B  map_ids 13,14
  #  bpftool prog dum jited tag 1dfc28ba8b3dd597
   0:   push   %rbp
   1:   mov%rsp,%rbp
  ...

  #  bpftool prog dum jited tag 5b6a5ecc6030a683
  Error: can't get prog info (29): Bad address

The problem is in the prog_fd_by_tag function not cleaning
the struct bpf_prog_info before another request, so the
previous program length is still in there and kernel assumes
it needs to dump the program, which fails because there's no
user pointer set.

Moving the struct bpf_prog_info declaration into the loop,
so it gets cleaned before each query.

Fixes: 71bb428fe2c1 ("tools: bpf: add bpftool")
Reported-by: Lance Digby 
Signed-off-by: Jiri Olsa 
Reviewed-by: Quentin Monnet 
Acked-by: Jakub Kicinski 
Signed-off-by: Daniel Borkmann 
Signed-off-by: Sasha Levin 
---
 tools/bpf/bpftool/prog.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/tools/bpf/bpftool/prog.c b/tools/bpf/bpftool/prog.c
index 69b01a6158bd..91b9de5f4e17 100644
--- a/tools/bpf/bpftool/prog.c
+++ b/tools/bpf/bpftool/prog.c
@@ -130,13 +130,14 @@ static void print_boot_time(__u64 nsecs, char *buf, 
unsigned int size)
 
 static int prog_fd_by_tag(unsigned char *tag)
 {
-   struct bpf_prog_info info = {};
-   __u32 len = sizeof(info);
unsigned int id = 0;
int err;
int fd;
 
while (true) {
+   struct bpf_prog_info info = {};
+   __u32 len = sizeof(info);
+
err = bpf_prog_get_next_id(id, );
if (err) {
p_err("%s", strerror(errno));
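
Review bot: in prog_fd_by_tag(), the fix depends on info and len being re-initialised on every pass of the while loop, but nothing at the declaration says so, and a later cleanup could hoist them back out. Add a short comment above "struct bpf_prog_info info = {};" saying the struct must be zeroed before each query.
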
-- 
2.19.1





[PATCH 4.20 080/171] arm64: dts: renesas: r8a7796: Enable DMA for SCIF2

2019-03-12 Thread Greg Kroah-Hartman
4.20-stable review patch.  If anyone has any objections, please let me know.

--

[ Upstream commit 97f26702bc95b5c3a72671d5c6675e4d6ee0a2f4 ]

SCIF2 on R-Car M3-W can be used with both DMAC1 and DMAC2.

Fixes: dbcae5ea4bd27409 ("arm64: dts: r8a7796: Enable SCIF DMA")
Signed-off-by: Geert Uytterhoeven 
Signed-off-by: Simon Horman 
Signed-off-by: Sasha Levin 
---
 arch/arm64/boot/dts/renesas/r8a7796.dtsi | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/arch/arm64/boot/dts/renesas/r8a7796.dtsi 
b/arch/arm64/boot/dts/renesas/r8a7796.dtsi
index 1ec6aaa520c1..09320caea54e 100644
--- a/arch/arm64/boot/dts/renesas/r8a7796.dtsi
+++ b/arch/arm64/boot/dts/renesas/r8a7796.dtsi
@@ -1160,6 +1160,9 @@
 < CPG_CORE R8A7796_CLK_S3D1>,
 <_clk>;
clock-names = "fck", "brg_int", "scif_clk";
+   dmas = < 0x13>, < 0x12>,
+  < 0x13>, < 0x12>;
+   dma-names = "tx", "rx", "tx", "rx";
power-domains = < R8A7796_PD_ALWAYS_ON>;
resets = < 310>;
status = "disabled";
-- 
2.19.1





[PATCH 4.20 064/171] mm, memory_hotplug: test_pages_in_a_zone do not pass the end of zone

2019-03-12 Thread Greg Kroah-Hartman
4.20-stable review patch.  If anyone has any objections, please let me know.

--

[ Upstream commit 24feb47c5fa5b825efb0151f28906dfdad027e61 ]

If memory end is not aligned with the sparse memory section boundary,
the mapping of such a section is only partly initialized.  This may lead
to VM_BUG_ON due to uninitialized struct pages access from
test_pages_in_a_zone() function triggered by memory_hotplug sysfs
handlers.

Here are the panic examples:
 CONFIG_DEBUG_VM_PGFLAGS=y
 kernel parameter mem=2050M
 --
 page:03d082008000 is uninitialized and poisoned
 page dumped because: VM_BUG_ON_PAGE(PagePoisoned(p))
 Call Trace:
   test_pages_in_a_zone+0xde/0x160
   show_valid_zones+0x5c/0x190
   dev_attr_show+0x34/0x70
   sysfs_kf_seq_show+0xc8/0x148
   seq_read+0x204/0x480
   __vfs_read+0x32/0x178
   vfs_read+0x82/0x138
   ksys_read+0x5a/0xb0
   system_call+0xdc/0x2d8
 Last Breaking-Event-Address:
   test_pages_in_a_zone+0xde/0x160
 Kernel panic - not syncing: Fatal exception: panic_on_oops

Fix this by checking whether the pfn to check is within the zone.

[mho...@suse.com: separated this change from 
http://lkml.kernel.org/r/20181105150401.97287-2-zaslo...@linux.ibm.com]
Link: http://lkml.kernel.org/r/20190128144506.15603-3-mho...@kernel.org

[mho...@suse.com: separated this change from
http://lkml.kernel.org/r/20181105150401.97287-2-zaslo...@linux.ibm.com]
Signed-off-by: Michal Hocko 
Signed-off-by: Mikhail Zaslonko 
Tested-by: Mikhail Gavrilov 
Reviewed-by: Oscar Salvador 
Tested-by: Gerald Schaefer 
Cc: Heiko Carstens 
Cc: Martin Schwidefsky 
Cc: Mikhail Gavrilov 
Cc: Pavel Tatashin 
Signed-off-by: Andrew Morton 
Signed-off-by: Linus Torvalds 
Signed-off-by: Sasha Levin 
---
 mm/memory_hotplug.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/mm/memory_hotplug.c b/mm/memory_hotplug.c
index 5ce0d929ff48..488aa11495d2 100644
--- a/mm/memory_hotplug.c
+++ b/mm/memory_hotplug.c
@@ -1275,6 +1275,9 @@ int test_pages_in_a_zone(unsigned long start_pfn, 
unsigned long end_pfn,
i++;
if (i == MAX_ORDER_NR_PAGES || pfn + i >= end_pfn)
continue;
+   /* Check if we got outside of the zone */
+   if (zone && !zone_spans_pfn(zone, pfn + i))
+   return 0;
page = pfn_to_page(pfn + i);
if (zone && page_zone(page) != zone)
return 0;
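
Review bot: the new zone_spans_pfn() test is guarded by "zone &&", so it is skipped until the first page has set zone, and pfn_to_page(pfn + i) for that first page is reached without the bounds check. If an earlier check in the loop already guarantees that this page is initialised, say so in the comment; otherwise the first iteration still needs a guard.
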
-- 
2.19.1





[PATCH 4.20 073/171] ARM: dts: sun8i: h3: Add ethernet0 alias to Beelink X2

2019-03-12 Thread Greg Kroah-Hartman
4.20-stable review patch.  If anyone has any objections, please let me know.

--

[ Upstream commit cc4bddade114b696ab27c1a77cfc7040151306da ]

Because "ethernet0" alias is missing, U-Boot doesn't generate board
specific MAC address. Effect of this is random MAC address every boot
and thus new IP address is assigned to the board.

Fix this by adding alias.

Fixes: 7389172fc3ed ("ARM: dts: sun8i: h3: Enable dwmac-sun8i on the Beelink X2")
Signed-off-by: Jernej Skrabec 
[Maxime: Removed unneeded comment]
Signed-off-by: Maxime Ripard 
Signed-off-by: Sasha Levin 
---
 arch/arm/boot/dts/sun8i-h3-beelink-x2.dts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/arm/boot/dts/sun8i-h3-beelink-x2.dts 
b/arch/arm/boot/dts/sun8i-h3-beelink-x2.dts
index 5d23667dc2d2..25540b7694d5 100644
--- a/arch/arm/boot/dts/sun8i-h3-beelink-x2.dts
+++ b/arch/arm/boot/dts/sun8i-h3-beelink-x2.dts
@@ -53,7 +53,7 @@
 
aliases {
serial0 = 
-   /* ethernet0 is the H3 emac, defined in sun8i-h3.dtsi */
+   ethernet0 = 
ethernet1 = 
};
 
-- 
2.19.1





[PATCH 4.20 070/171] mm, memory_hotplug: fix off-by-one in is_pageblock_removable

2019-03-12 Thread Greg Kroah-Hartman
4.20-stable review patch.  If anyone has any objections, please let me know.

--

[ Upstream commit 891cb2a72d821f930a39d5900cb7a3aa752c1d5b ]

Rong Chen has reported the following boot crash:

PGD 0 P4D 0
Oops:  [#1] PREEMPT SMP PTI
CPU: 1 PID: 239 Comm: udevd Not tainted 5.0.0-rc4-00149-gefad4e4 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
RIP: 0010:page_mapping+0x12/0x80
Call Trace:
 __dump_page+0x14/0x2c0
 is_mem_section_removable+0x24c/0x2c0
 removable_show+0x87/0xa0
 dev_attr_show+0x25/0x60
 sysfs_kf_seq_show+0xba/0x110
 seq_read+0x196/0x3f0
 __vfs_read+0x34/0x180
 vfs_read+0xa0/0x150
 ksys_read+0x44/0xb0
 do_syscall_64+0x5e/0x4a0
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

and bisected it down to commit efad4e475c31 ("mm, memory_hotplug:
is_mem_section_removable do not pass the end of a zone").

The reason for the crash is that the mapping is garbage for poisoned
(uninitialized) page.  This shouldn't happen as all pages in the zone's
boundary should be initialized.

Later debugging revealed that the actual problem is an off-by-one when
evaluating the end_page.  'start_pfn + nr_pages' resp 'zone_end_pfn'
refers to a pfn after the range and as such it might belong to a
different memory section.

This along with CONFIG_SPARSEMEM then makes the loop condition
completely bogus because a pointer arithmetic doesn't work for pages
from two different sections in that memory model.

Fix the issue by reworking is_pageblock_removable to be pfn based and
only use struct page where necessary.  This makes the code slightly
easier to follow and we will remove the problematic pointer arithmetic
completely.

Link: http://lkml.kernel.org/r/20190218181544.14616-1-mho...@kernel.org
Fixes: efad4e475c31 ("mm, memory_hotplug: is_mem_section_removable do not pass the end of a zone")
Signed-off-by: Michal Hocko 
Reported-by: 
Tested-by: 
Acked-by: Mike Rapoport 
Reviewed-by: Oscar Salvador 
Cc: Matthew Wilcox 
Signed-off-by: Andrew Morton 
Signed-off-by: Linus Torvalds 
Signed-off-by: Sasha Levin 
---
 mm/memory_hotplug.c | 27 +++
 1 file changed, 15 insertions(+), 12 deletions(-)

diff --git a/mm/memory_hotplug.c b/mm/memory_hotplug.c
index 488aa11495d2..cb201163666f 100644
--- a/mm/memory_hotplug.c
+++ b/mm/memory_hotplug.c
@@ -1189,11 +1189,13 @@ static inline int pageblock_free(struct page *page)
return PageBuddy(page) && page_order(page) >= pageblock_order;
 }
 
-/* Return the start of the next active pageblock after a given page */
-static struct page *next_active_pageblock(struct page *page)
+/* Return the pfn of the start of the next active pageblock after a given pfn 
*/
+static unsigned long next_active_pageblock(unsigned long pfn)
 {
+   struct page *page = pfn_to_page(pfn);
+
/* Ensure the starting page is pageblock-aligned */
-   BUG_ON(page_to_pfn(page) & (pageblock_nr_pages - 1));
+   BUG_ON(pfn & (pageblock_nr_pages - 1));
 
/* If the entire pageblock is free, move to the end of free page */
if (pageblock_free(page)) {
@@ -1201,16 +1203,16 @@ static struct page *next_active_pageblock(struct page 
*page)
/* be careful. we don't have locks, page_order can be changed.*/
order = page_order(page);
if ((order < MAX_ORDER) && (order >= pageblock_order))
-   return page + (1 << order);
+   return pfn + (1 << order);
}
 
-   return page + pageblock_nr_pages;
+   return pfn + pageblock_nr_pages;
 }
 
-static bool is_pageblock_removable_nolock(struct page *page)
+static bool is_pageblock_removable_nolock(unsigned long pfn)
 {
+   struct page *page = pfn_to_page(pfn);
struct zone *zone;
-   unsigned long pfn;
 
/*
 * We have to be careful here because we are iterating over memory
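
Review bot: next_active_pageblock() now returns unsigned long, but "return pfn + (1 << order);" still shifts an int constant. Writing it as "1UL << order" keeps the arithmetic in the type of pfn and matches the new return type.
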
@@ -1233,13 +1235,14 @@ static bool is_pageblock_removable_nolock(struct page 
*page)
 /* Checks if this range of memory is likely to be hot-removable. */
 bool is_mem_section_removable(unsigned long start_pfn, unsigned long 

[PATCH 4.20 052/171] x86/cpu: Add Atom Tremont (Jacobsville)

2019-03-12 Thread Greg Kroah-Hartman
4.20-stable review patch.  If anyone has any objections, please let me know.

--

[ Upstream commit 00ae831dfe4474ef6029558f5eb3ef0332d80043 ]

Add the Atom Tremont model number to the Intel family list.

[ Tony: Also update comment at head of file to say "_X" suffix is
  also used for microserver parts. ]

Signed-off-by: Kan Liang 
Signed-off-by: Qiuxu Zhuo 
Signed-off-by: Tony Luck 
Signed-off-by: Borislav Petkov 
Cc: Andy Shevchenko 
Cc: Aristeu Rozanski 
Cc: "H. Peter Anvin" 
Cc: Ingo Molnar 
Cc: linux-edac 
Cc: Mauro Carvalho Chehab 
Cc: Megha Dey 
Cc: Peter Zijlstra 
Cc: Qiuxu Zhuo 
Cc: Rajneesh Bhardwaj 
Cc: Thomas Gleixner 
Cc: x86-ml 
Link: https://lkml.kernel.org/r/20190125195902.17109-4-tony.l...@intel.com
Signed-off-by: Sasha Levin 
---
 arch/x86/include/asm/intel-family.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/arch/x86/include/asm/intel-family.h 
b/arch/x86/include/asm/intel-family.h
index 0dd6b0f4000e..d9a9993af882 100644
--- a/arch/x86/include/asm/intel-family.h
+++ b/arch/x86/include/asm/intel-family.h
@@ -6,7 +6,7 @@
  * "Big Core" Processors (Branded as Core, Xeon, etc...)
  *
  * The "_X" parts are generally the EP and EX Xeons, or the
- * "Extreme" ones, like Broadwell-E.
+ * "Extreme" ones, like Broadwell-E, or Atom microserver.
  *
  * While adding a new CPUID for a new microarchitecture, add a new
  * group to keep logically sorted out in chronological order. Within
@@ -71,6 +71,7 @@
 #define INTEL_FAM6_ATOM_GOLDMONT   0x5C /* Apollo Lake */
 #define INTEL_FAM6_ATOM_GOLDMONT_X 0x5F /* Denverton */
 #define INTEL_FAM6_ATOM_GOLDMONT_PLUS  0x7A /* Gemini Lake */
+#define INTEL_FAM6_ATOM_TREMONT_X  0x86 /* Jacobsville */
 
 /* Xeon Phi */
 
-- 
2.19.1





[PATCH 4.20 056/171] x86/microcode/amd: Dont falsely trick the late loading mechanism

2019-03-12 Thread Greg Kroah-Hartman
4.20-stable review patch.  If anyone has any objections, please let me know.

--

[ Upstream commit 912139cfbfa6a2bc1da052314d2c29338dae1f6a ]

The load_microcode_amd() function searches for microcode patches and
attempts to apply a microcode patch if it is of different level than the
currently installed level.

While the processor won't actually load a level that is less than
what is already installed, the logic wrongly returns UCODE_NEW thus
signaling to its caller reload_store() that a late loading should be
attempted.

If the file-system contains an older microcode revision than what is
currently running, such a late microcode reload can result in these
misleading messages:

  x86/CPU: CPU features have changed after loading microcode, but might not take effect.
  x86/CPU: Please consider either early loading through initrd/built-in or a potential BIOS update.

These messages were issued on a system where SME/SEV are not
enabled by the BIOS (MSR C001_0010[23] = 0b) because during boot,
early_detect_mem_encrypt() is called and cleared the SME and SEV
features in this case.

However, after the wrong late load attempt, get_cpu_cap() is called and
reloads the SME and SEV feature bits, resulting in the messages.

Update the microcode level check to not attempt microcode loading if the
current level is greater than(!) and not only equal to the current patch
level.

 [ bp: massage commit message. ]

Fixes: 2613f36ed965 ("x86/microcode: Attempt late loading only when new microcode is present")
Signed-off-by: Tom Lendacky 
Signed-off-by: Borislav Petkov 
Cc: "H. Peter Anvin" 
Cc: Ingo Molnar 
Cc: Thomas Gleixner 
Cc: x86-ml 
Link: https://lkml.kernel.org/r/154894518427.9406.8246222496874202773.st...@tlendack-t1.amdoffice.net
Signed-off-by: Sasha Levin 
---
 arch/x86/kernel/cpu/microcode/amd.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/x86/kernel/cpu/microcode/amd.c 
b/arch/x86/kernel/cpu/microcode/amd.c
index 07b5fc00b188..a4e7e100ed26 100644
--- a/arch/x86/kernel/cpu/microcode/amd.c
+++ b/arch/x86/kernel/cpu/microcode/amd.c
@@ -707,7 +707,7 @@ load_microcode_amd(bool save, u8 family, const u8 *data, 
size_t size)
if (!p) {
return ret;
} else {
-   if (boot_cpu_data.microcode == p->patch_id)
+   if (boot_cpu_data.microcode >= p->patch_id)
return ret;
 
ret = UCODE_NEW;
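
Review bot: the change from "==" to ">=" in load_microcode_amd() encodes the rule that a patch at or below the running level must not trigger a late load, but the code carries no comment saying so. A one-line comment above "if (boot_cpu_data.microcode >= p->patch_id)" would stop a later reader from tightening it back to an equality test.
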
-- 
2.19.1





[PATCH 4.20 044/171] qed: Fix system crash in ll2 xmit

2019-03-12 Thread Greg Kroah-Hartman
4.20-stable review patch.  If anyone has any objections, please let me know.

--

[ Upstream commit 7c81626a3c37e4ac320b8ad785694ba498f24794 ]

Cache number of fragments in the skb locally as in case
of linear skb (with zero fragments), tx completion
(or freeing of skb) may happen before driver tries
to get number of fragments from the skb which could
lead to stale access to an already freed skb.

Signed-off-by: Manish Chopra 
Signed-off-by: Ariel Elior 
Signed-off-by: David S. Miller 
Signed-off-by: Sasha Levin 
---
 drivers/net/ethernet/qlogic/qed/qed_ll2.c | 20 +++-
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/drivers/net/ethernet/qlogic/qed/qed_ll2.c 
b/drivers/net/ethernet/qlogic/qed/qed_ll2.c
index 9e728ec82c21..25f67c0d5c57 100644
--- a/drivers/net/ethernet/qlogic/qed/qed_ll2.c
+++ b/drivers/net/ethernet/qlogic/qed/qed_ll2.c
@@ -2441,19 +2441,24 @@ static int qed_ll2_start_xmit(struct qed_dev *cdev, 
struct sk_buff *skb,
 {
struct qed_ll2_tx_pkt_info pkt;
const skb_frag_t *frag;
+   u8 flags = 0, nr_frags;
int rc = -EINVAL, i;
dma_addr_t mapping;
u16 vlan = 0;
-   u8 flags = 0;
 
if (unlikely(skb->ip_summed != CHECKSUM_NONE)) {
DP_INFO(cdev, "Cannot transmit a checksummed packet\n");
return -EINVAL;
}
 
-   if (1 + skb_shinfo(skb)->nr_frags > CORE_LL2_TX_MAX_BDS_PER_PACKET) {
+   /* Cache number of fragments from SKB since SKB may be freed by
+* the completion routine after calling qed_ll2_prepare_tx_packet()
+*/
+   nr_frags = skb_shinfo(skb)->nr_frags;
+
+   if (1 + nr_frags > CORE_LL2_TX_MAX_BDS_PER_PACKET) {
DP_ERR(cdev, "Cannot transmit a packet with %d fragments\n",
-  1 + skb_shinfo(skb)->nr_frags);
+  1 + nr_frags);
return -EINVAL;
}
 
@@ -2475,7 +2480,7 @@ static int qed_ll2_start_xmit(struct qed_dev *cdev, 
struct sk_buff *skb,
}
 
memset(, 0, sizeof(pkt));
-   pkt.num_of_bds = 1 + skb_shinfo(skb)->nr_frags;
+   pkt.num_of_bds = 1 + nr_frags;
pkt.vlan = vlan;
pkt.bd_flags = flags;
pkt.tx_dest = QED_LL2_TX_DEST_NW;
@@ -2486,12 +2491,17 @@ static int qed_ll2_start_xmit(struct qed_dev *cdev, 
struct sk_buff *skb,
test_bit(QED_LL2_XMIT_FLAGS_FIP_DISCOVERY, _flags))
pkt.remove_stag = true;
 
+   /* qed_ll2_prepare_tx_packet() may actually send the packet if
+* there are no fragments in the skb and subsequently the completion
+* routine may run and free the SKB, so no dereferencing the SKB
+* beyond this point unless skb has any fragments.
+*/
rc = qed_ll2_prepare_tx_packet(>hwfns[0], cdev->ll2->handle,
   , 1);
if (rc)
goto err;
 
-   for (i = 0; i < skb_shinfo(skb)->nr_frags; i++) {
+   for (i = 0; i < nr_frags; i++) {
frag = _shinfo(skb)->frags[i];
 
mapping = skb_frag_dma_map(>pdev->dev, frag, 0,
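
Review bot: the comment added before qed_ll2_prepare_tx_packet() says the skb must not be dereferenced past that call unless it has fragments, yet the loop body still reads the frags array through skb_shinfo(skb). That is only safe if completion cannot run before the last fragment has been posted; please state that invariant in the comment. Also check that the "goto err" path taken when the call fails does not touch the skb at a point where a completion could already have freed it.
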
-- 
2.19.1





[PATCH 4.20 036/171] netfilter: ebtables: compat: un-break 32bit setsockopt when no rules are present

2019-03-12 Thread Greg Kroah-Hartman
4.20-stable review patch.  If anyone has any objections, please let me know.

--

[ Upstream commit 2035f3ff8eaa29cfb5c8e2160b0f6e85eeb21a95 ]

Unlike ip(6)tables ebtables only counts user-defined chains.

The effect is that a 32bit ebtables binary on a 64bit kernel can do
'ebtables -N FOO' only after adding at least one rule, else the request
fails with -EINVAL.

This is a similar fix as done in
3f1e53abff84 ("netfilter: ebtables: don't attempt to allocate 0-sized compat array").

Fixes: 7d7d7e02111e9 ("netfilter: compat: reject huge allocation requests")
Reported-by: Francesco Ruggeri 
Signed-off-by: Florian Westphal 
Signed-off-by: Pablo Neira Ayuso 
Signed-off-by: Sasha Levin 
---
 net/bridge/netfilter/ebtables.c | 9 ++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 5e55cef0cec3..6693e209efe8 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -2293,9 +2293,12 @@ static int compat_do_replace(struct net *net, void 
__user *user,
 
xt_compat_lock(NFPROTO_BRIDGE);
 
-   ret = xt_compat_init_offsets(NFPROTO_BRIDGE, tmp.nentries);
-   if (ret < 0)
-   goto out_unlock;
+   if (tmp.nentries) {
+   ret = xt_compat_init_offsets(NFPROTO_BRIDGE, tmp.nentries);
+   if (ret < 0)
+   goto out_unlock;
+   }
+
ret = compat_copy_entries(entries_tmp, tmp.entries_size, );
if (ret < 0)
goto out_unlock;
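
Review bot: with tmp.nentries equal to 0 the call to xt_compat_init_offsets() is now skipped, but compat_copy_entries() and the out_unlock path still run. Please confirm that neither relies on the offsets having been initialised for this request, and add a comment above "if (tmp.nentries) {" explaining that ebtables counts only user-defined chains, so zero entries is a valid request.
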
-- 
2.19.1





[PATCH 4.20 021/171] RDMA/umem: Add missing initialization of owning_mm

2019-03-12 Thread Greg Kroah-Hartman
4.20-stable review patch.  If anyone has any objections, please let me know.

--

[ Upstream commit a2093dd35f8cfb28dd7c878ccbd020c1bb20d0d7 ]

When allocating a umem leaf for implicit ODP MR during page fault the
field owning_mm was not set.

Initialize and take a reference on this field to avoid kernel panic when
trying to access this field.

 BUG: unable to handle kernel NULL pointer dereference at 0058
 PGD 80022dfed067 P4D 80022dfed067 PUD 22dfcf067 PMD 0
 Oops:  [#1] SMP PTI
 CPU: 0 PID: 634 Comm: kworker/u33:0 Not tainted 4.20.0-rc6+ #89
 Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
 Workqueue: mlx5_ib_page_fault mlx5_ib_eqe_pf_action [mlx5_ib]
 RIP: 0010:ib_umem_odp_map_dma_pages+0xf3/0x710 [ib_core]
 Call Trace:
  pagefault_single_data_segment+0x1df/0xc60 [mlx5_ib]
  mlx5_ib_eqe_pf_action+0x7bc/0xa70 [mlx5_ib]
  ? __switch_to+0xe1/0x470
  process_one_work+0x174/0x390
  worker_thread+0x4f/0x3e0
  kthread+0x102/0x140
  ? drain_workqueue+0x130/0x130
  ? kthread_stop+0x110/0x110
  ret_from_fork+0x1f/0x30

Fixes: f27a0d50a4bc ("RDMA/umem: Use umem->owning_mm inside ODP")
Signed-off-by: Artemy Kovalyov 
Signed-off-by: Moni Shoua 
Signed-off-by: Leon Romanovsky 
Signed-off-by: Jason Gunthorpe 
Signed-off-by: Sasha Levin 
---
 drivers/infiniband/core/umem_odp.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/infiniband/core/umem_odp.c 
b/drivers/infiniband/core/umem_odp.c
index 676c1fd1119d..7ef385db52c3 100644
--- a/drivers/infiniband/core/umem_odp.c
+++ b/drivers/infiniband/core/umem_odp.c
@@ -356,6 +356,8 @@ struct ib_umem_odp *ib_alloc_odp_umem(struct 
ib_ucontext_per_mm *per_mm,
umem->writable   = 1;
umem->is_odp = 1;
odp_data->per_mm = per_mm;
+   umem->owning_mm  = per_mm->mm;
+   mmgrab(umem->owning_mm);
 
mutex_init(_data->umem_mutex);
init_completion(_data->notifier_completion);
@@ -388,6 +390,7 @@ struct ib_umem_odp *ib_alloc_odp_umem(struct 
ib_ucontext_per_mm *per_mm,
 out_page_list:
vfree(odp_data->page_list);
 out_odp_data:
+   mmdrop(umem->owning_mm);
kfree(odp_data);
return ERR_PTR(ret);
 }
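
Review bot: mmdrop(umem->owning_mm) is added under the out_odp_data label, so every "goto out_odp_data" must come after the mmgrab() added in the previous hunk; a jump taken earlier would drop a reference that was never taken. Please confirm that, and point to where the reference is released on the normal teardown path, since this patch only shows the error path.
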
-- 
2.19.1





[PATCH 4.20 015/171] riscv: fixup max_low_pfn with PFN_DOWN.

2019-03-12 Thread Greg Kroah-Hartman
4.20-stable review patch.  If anyone has any objections, please let me know.

--

[ Upstream commit 28198c4639b39899a728ac89aea29d2a7a72562f ]

max_low_pfn should be pfn_size not byte_size.

Signed-off-by: Guo Ren 
Signed-off-by: Mao Han 
Signed-off-by: Palmer Dabbelt 
Signed-off-by: Sasha Levin 
---
 arch/riscv/kernel/setup.c | 2 +-
 arch/riscv/mm/init.c  | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/arch/riscv/kernel/setup.c b/arch/riscv/kernel/setup.c
index 2c290e6aaa6e..6d652826b5cb 100644
--- a/arch/riscv/kernel/setup.c
+++ b/arch/riscv/kernel/setup.c
@@ -196,7 +196,7 @@ static void __init setup_bootmem(void)
BUG_ON(mem_size == 0);
 
set_max_mapnr(PFN_DOWN(mem_size));
-   max_low_pfn = memblock_end_of_DRAM();
+   max_low_pfn = PFN_DOWN(memblock_end_of_DRAM());
 
 #ifdef CONFIG_BLK_DEV_INITRD
setup_initrd();
diff --git a/arch/riscv/mm/init.c b/arch/riscv/mm/init.c
index 1d9bfaff60bc..658ebf645f42 100644
--- a/arch/riscv/mm/init.c
+++ b/arch/riscv/mm/init.c
@@ -28,7 +28,8 @@ static void __init zone_sizes_init(void)
unsigned long max_zone_pfns[MAX_NR_ZONES] = { 0, };
 
 #ifdef CONFIG_ZONE_DMA32
-   max_zone_pfns[ZONE_DMA32] = PFN_DOWN(min(4UL * SZ_1G, max_low_pfn));
+   max_zone_pfns[ZONE_DMA32] = PFN_DOWN(min(4UL * SZ_1G,
+   (unsigned long) PFN_PHYS(max_low_pfn)));
 #endif
max_zone_pfns[ZONE_NORMAL] = max_low_pfn;
 
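
Review bot: in zone_sizes_init(), the "(unsigned long)" cast on PFN_PHYS(max_low_pfn) is there only to make the two min() arguments the same type. Using min_t() with an explicit type says that directly and keeps the intended width visible at the call site.
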
-- 
2.19.1





[PATCH 4.20 032/171] net: hns: Fix for missing of_node_put() after of_parse_phandle()

2019-03-12 Thread Greg Kroah-Hartman
4.20-stable review patch.  If anyone has any objections, please let me know.

--

[ Upstream commit 263c6d75f9a544a3c2f8f6a26de4f4808d8f59cf ]

In hns enet driver, we use of_parse_phandle() to get hold of the
device node related to "ae-handle" but we have missed to put
the node reference using of_node_put() after we are done using
the node. This patch fixes it.

Note:
This problem is stated in Link: https://lkml.org/lkml/2018/12/22/217

Fixes: 48189d6aaf1e ("net: hns: enet specifies a reference to dsaf")
Reported-by: Alexey Khoroshilov 
Signed-off-by: Yonglong Liu 
Signed-off-by: Peng Li 
Signed-off-by: David S. Miller 
Signed-off-by: Sasha Levin 
---
 drivers/net/ethernet/hisilicon/hns/hns_enet.c | 5 +
 1 file changed, 5 insertions(+)

diff --git a/drivers/net/ethernet/hisilicon/hns/hns_enet.c 
b/drivers/net/ethernet/hisilicon/hns/hns_enet.c
index 6242249c9f4c..b043370c2685 100644
--- a/drivers/net/ethernet/hisilicon/hns/hns_enet.c
+++ b/drivers/net/ethernet/hisilicon/hns/hns_enet.c
@@ -2419,6 +2419,8 @@ static int hns_nic_dev_probe(struct platform_device *pdev)
 out_notify_fail:
(void)cancel_work_sync(>service_task);
 out_read_prop_fail:
+   /* safe for ACPI FW */
+   of_node_put(to_of_node(priv->fwnode));
free_netdev(ndev);
return ret;
 }
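
Review bot: judging by its name, out_read_prop_fail is reached when reading the device properties fails, so of_node_put(to_of_node(priv->fwnode)) can run when priv->fwnode was never set or holds an error value. Please confirm to_of_node() yields NULL in those cases, and expand the "/* safe for ACPI FW */" comment to say why the call is safe there.
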
@@ -2448,6 +2450,9 @@ static int hns_nic_dev_remove(struct platform_device 
*pdev)
set_bit(NIC_STATE_REMOVING, >state);
(void)cancel_work_sync(>service_task);
 
+   /* safe for ACPI FW */
+   of_node_put(to_of_node(priv->fwnode));
+
free_netdev(ndev);
return 0;
 }
-- 
2.19.1





[PATCH 4.20 029/171] iomap: fix a use after free in iomap_dio_rw

2019-03-12 Thread Greg Kroah-Hartman
4.20-stable review patch.  If anyone has any objections, please let me know.

--

[ Upstream commit 4ea899ead2786a30aaa8181fefa81a3df4ad28f6 ]

Introduce a local wait_for_completion variable to avoid an access to the
potentially freed dio structure after dropping the last reference count.

Also use the chance to document the completion behavior to make the
refcounting clear to the reader of the code.

Fixes: ff6a9292e6 ("iomap: implement direct I/O")
Reported-by: Chandan Rajendra 
Reported-by: Darrick J. Wong 
Signed-off-by: Christoph Hellwig 
Tested-by: Chandan Rajendra 
Tested-by: Darrick J. Wong 
Reviewed-by: Dave Chinner 
Reviewed-by: Darrick J. Wong 
Signed-off-by: Darrick J. Wong 
Signed-off-by: Sasha Levin 
---
 fs/iomap.c | 28 +---
 1 file changed, 21 insertions(+), 7 deletions(-)

diff --git a/fs/iomap.c b/fs/iomap.c
index 7793e9e42ad5..83d9a196fe3e 100644
--- a/fs/iomap.c
+++ b/fs/iomap.c
@@ -1806,6 +1806,7 @@ iomap_dio_rw(struct kiocb *iocb, struct iov_iter *iter,
loff_t pos = iocb->ki_pos, start = pos;
loff_t end = iocb->ki_pos + count - 1, ret = 0;
unsigned int flags = IOMAP_DIRECT;
+   bool wait_for_completion = is_sync_kiocb(iocb);
struct blk_plug plug;
struct iomap_dio *dio;
 
@@ -1825,7 +1826,6 @@ iomap_dio_rw(struct kiocb *iocb, struct iov_iter *iter,
dio->end_io = end_io;
dio->error = 0;
dio->flags = 0;
-   dio->wait_for_completion = is_sync_kiocb(iocb);
 
dio->submit.iter = iter;
dio->submit.waiter = current;
@@ -1880,7 +1880,7 @@ iomap_dio_rw(struct kiocb *iocb, struct iov_iter *iter,
dio_warn_stale_pagecache(iocb->ki_filp);
ret = 0;
 
-   if (iov_iter_rw(iter) == WRITE && !dio->wait_for_completion &&
+   if (iov_iter_rw(iter) == WRITE && !wait_for_completion &&
!inode->i_sb->s_dio_done_wq) {
ret = sb_init_dio_done_wq(inode->i_sb);
if (ret < 0)
@@ -1896,7 +1896,7 @@ iomap_dio_rw(struct kiocb *iocb, struct iov_iter *iter,
if (ret <= 0) {
/* magic error code to fall back to buffered I/O */
if (ret == -ENOTBLK) {
-   dio->wait_for_completion = true;
+   wait_for_completion = true;
ret = 0;
}
break;
@@ -1918,8 +1918,24 @@ iomap_dio_rw(struct kiocb *iocb, struct iov_iter *iter,
if (dio->flags & IOMAP_DIO_WRITE_FUA)
dio->flags &= ~IOMAP_DIO_NEED_SYNC;
 
+   /*
+* We are about to drop our additional submission reference, which
+* might be the last reference to the dio.  There are three three
+* different ways we can progress here:
+*
+*  (a) If this is the last reference we will always complete and free
+*  the dio ourselves.
+*  (b) If this is not the last reference, and we serve an asynchronous
+*  iocb, we must never touch the dio after the decrement, the
+*  I/O completion handler will complete and free it.
+*  (c) If this is not the last reference, but we serve a synchronous
+*  iocb, the I/O completion handler will wake us up on the drop
+*  of the final reference, and we will complete and free it here
+*  after we got woken by the I/O completion handler.
+*/
+   dio->wait_for_completion = wait_for_completion;
if (!atomic_dec_and_test(>ref)) {
-   if (!dio->wait_for_completion)
+   if (!wait_for_completion)
return -EIOCBQUEUED;
 
for (;;) {
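Review bot: The new block comment contains a doubled word ("three three") and does not say why `dio->wait_for_completion` is assigned immediately before `atomic_dec_and_test()` while the branch after it tests the local `wait_for_completion`. That ordering is the point of the fix for case (b), where the dio must not be touched after the decrement, so add a sentence stating that only the local copy may be read once the submission reference has been dropped.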
@@ -1936,9 +1952,7 @@ iomap_dio_rw(struct kiocb *iocb, struct iov_iter *iter,
__set_current_state(TASK_RUNNING);
}
 
-   ret = iomap_dio_complete(dio);
-
-   return ret;
+   return iomap_dio_complete(dio);
 
 out_free_dio:
kfree(dio);
-- 
2.19.1





[PATCH 4.20 008/171] perf core: Fix perf_proc_update_handler() bug

2019-03-12 Thread Greg Kroah-Hartman
4.20-stable review patch.  If anyone has any objections, please let me know.

--

[ Upstream commit 1a51c5da5acc6c188c917ba572eebac5f8793432 ]

The perf_proc_update_handler() handles the
/proc/sys/kernel/perf_event_max_sample_rate sysctl variable.  When the PMU IRQ
handler timing monitoring is disabled, i.e., when
/proc/sys/kernel/perf_cpu_time_max_percent is equal to 0 or 100, then no
modification to sysctl_perf_event_sample_rate is allowed, to prevent a
possible hang from wrong values.

The problem is that the test to prevent modification is made after the
sysctl variable is modified in perf_proc_update_handler().

You get an error:

  $ echo 10001 >/proc/sys/kernel/perf_event_max_sample_rate
  echo: write error: invalid argument

But the value is still modified causing all sorts of inconsistencies:

  $ cat /proc/sys/kernel/perf_event_max_sample_rate
  10001

This patch fixes the problem by moving the parsing of the value after
the test.

Committer testing:

  # echo 100 > /proc/sys/kernel/perf_cpu_time_max_percent
  # echo 10001 > /proc/sys/kernel/perf_event_max_sample_rate
  -bash: echo: write error: Invalid argument
  # cat /proc/sys/kernel/perf_event_max_sample_rate
  10001
  #

Signed-off-by: Stephane Eranian 
Reviewed-by: Andi Kleen 
Reviewed-by: Jiri Olsa 
Tested-by: Arnaldo Carvalho de Melo 
Cc: Kan Liang 
Cc: Peter Zijlstra 
Link: http://lkml.kernel.org/r/1547169436-6266-1-git-send-email-eran...@google.com
Signed-off-by: Arnaldo Carvalho de Melo 
Signed-off-by: Sasha Levin 
---
 kernel/events/core.c | 14 +++---
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/kernel/events/core.c b/kernel/events/core.c
index 699bc25d6204..18997730b665 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -436,18 +436,18 @@ int perf_proc_update_handler(struct ctl_table *table, int 
write,
void __user *buffer, size_t *lenp,
loff_t *ppos)
 {
-   int ret = proc_dointvec_minmax(table, write, buffer, lenp, ppos);
-
-   if (ret || !write)
-   return ret;
-
+   int ret;
+   int perf_cpu = sysctl_perf_cpu_time_max_percent;
/*
 * If throttling is disabled don't allow the write:
 */
-   if (sysctl_perf_cpu_time_max_percent == 100 ||
-   sysctl_perf_cpu_time_max_percent == 0)
+   if (write && (perf_cpu == 100 || perf_cpu == 0))
return -EINVAL;
 
+   ret = proc_dointvec_minmax(table, write, buffer, lenp, ppos);
+   if (ret || !write)
+   return ret;
+
max_samples_per_tick = DIV_ROUND_UP(sysctl_perf_event_sample_rate, HZ);
perf_sample_period_ns = NSEC_PER_SEC / sysctl_perf_event_sample_rate;
update_perf_cpu_limits();
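Review bot: `perf_cpu` is initialised from `sysctl_perf_cpu_time_max_percent` with a plain read in the declaration, and the declarations run straight into the block comment with no blank line. If the percent sysctl can be written concurrently, READ_ONCE() would make the snapshot explicit. The comment should also state that the -EINVAL return now happens before `proc_dointvec_minmax()` so that a rejected write leaves `sysctl_perf_event_sample_rate` untouched, since that ordering is the whole fix.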
-- 
2.19.1





[PATCH 4.20 006/171] netfilter: nft_compat: destroy function must not have side effects

2019-03-12 Thread Greg Kroah-Hartman
4.20-stable review patch.  If anyone has any objections, please let me know.

--

[ Upstream commit b2e3d68d1251a051a620f9086e18f7ffa6833b5b ]

The nft_compat destroy function deletes the nft_xt object from a list.
This isn't allowed anymore. Destroy functions are called asynchronously,
i.e. next batch can find the object that has a pending ->destroy()
invocation:

cpu0                       cpu1
 worker
   ->destroy               for_each_entry()
                             if (x == ...
                                return x->ops;
     list_del(x)
     kfree_rcu(x)
                           expr->ops->... // ops was free'd

To resolve this, the list_del needs to occur before the transaction
mutex gets released.  nf_tables has a 'deactivate' hook for this
purpose, so use that to unlink the object from the list.

Fixes: 0935d5588400 ("netfilter: nf_tables: asynchronous release")
Reported-by: Taehee Yoo 
Signed-off-by: Florian Westphal 
Signed-off-by: Pablo Neira Ayuso 
Signed-off-by: Sasha Levin 
---
 net/netfilter/nft_compat.c | 48 +-
 1 file changed, 47 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c
index d3412138e000..a354e9771697 100644
--- a/net/netfilter/nft_compat.c
+++ b/net/netfilter/nft_compat.c
@@ -29,6 +29,9 @@ struct nft_xt {
struct nft_expr_ops ops;
refcount_t  refcnt;
 
+   /* used only when transaction mutex is locked */
+   unsigned intlistcnt;
+
/* Unlike other expressions, ops doesn't have static storage duration.
 * nft core assumes they do.  We use kfree_rcu so that nft core can
 * can check expr->ops->size even after nft_compat->destroy() frees
@@ -61,7 +64,7 @@ static struct nft_compat_net *nft_compat_pernet(struct net 
*net)
 static bool nft_xt_put(struct nft_xt *xt)
 {
if (refcount_dec_and_test(>refcnt)) {
-   list_del(>head);
+   WARN_ON_ONCE(!list_empty(>head));
kfree_rcu(xt, rcu_head);
return true;
}
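Review bot: `WARN_ON_ONCE(!list_empty(...))` in nft_xt_put() only holds if `head` was unlinked with `list_del_init()` before the last reference is dropped. Any path that reaches the final put without going through the new deactivate hook now leaves the freed object on the list (the old `list_del()` is gone) with only a one-time warning, so either document which callers are allowed to drop the last reference or unlink the entry defensively when the warning fires.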
@@ -556,6 +559,43 @@ nft_match_destroy(const struct nft_ctx *ctx, const struct 
nft_expr *expr)
__nft_match_destroy(ctx, expr, nft_expr_priv(expr));
 }
 
+static void nft_compat_activate(const struct nft_ctx *ctx,
+   const struct nft_expr *expr,
+   struct list_head *h)
+{
+   struct nft_xt *xt = container_of(expr->ops, struct nft_xt, ops);
+
+   if (xt->listcnt == 0)
+   list_add(>head, h);
+
+   xt->listcnt++;
+}
+
+static void nft_compat_activate_mt(const struct nft_ctx *ctx,
+  const struct nft_expr *expr)
+{
+   struct nft_compat_net *cn = nft_compat_pernet(ctx->net);
+
+   nft_compat_activate(ctx, expr, >nft_match_list);
+}
+
+static void nft_compat_activate_tg(const struct nft_ctx *ctx,
+  const struct nft_expr *expr)
+{
+   struct nft_compat_net *cn = nft_compat_pernet(ctx->net);
+
+   nft_compat_activate(ctx, expr, >nft_target_list);
+}
+
+static void nft_compat_deactivate(const struct nft_ctx *ctx,
+ const struct nft_expr *expr)
+{
+   struct nft_xt *xt = container_of(expr->ops, struct nft_xt, ops);
+
+   if (--xt->listcnt == 0)
+   list_del_init(>head);
+}
+
 static void
 nft_match_large_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr)
 {
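Review bot: nft_compat_deactivate() does `--xt->listcnt` on an unsigned int with no guard, so an unbalanced deactivate wraps the counter and the entry is never unlinked. A `WARN_ON_ONCE(xt->listcnt == 0)` before the decrement would catch that. Since the field comment says listcnt is used only when the transaction mutex is locked, a lockdep assertion in nft_compat_activate() and nft_compat_deactivate() would enforce the rule instead of only stating it.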
@@ -809,6 +849,8 @@ nft_match_select_ops(const struct nft_ctx *ctx,
nft_match->ops.eval = nft_match_eval;
nft_match->ops.init = nft_match_init;
nft_match->ops.destroy = nft_match_destroy;
+   nft_match->ops.activate = nft_compat_activate_mt;
+   nft_match->ops.deactivate = nft_compat_deactivate;
nft_match->ops.dump = nft_match_dump;
nft_match->ops.validate = nft_match_validate;
nft_match->ops.data = match;
@@ -825,6 +867,7 @@ nft_match_select_ops(const struct nft_ctx *ctx,
 
nft_match->ops.size = matchsize;
 
+   nft_match->listcnt = 1;
list_add(_match->head, >nft_match_list);
 
return _match->ops;
@@ -911,6 +954,8 @@ nft_target_select_ops(const struct nft_ctx *ctx,
nft_target->ops.size = NFT_EXPR_SIZE(XT_ALIGN(target->targetsize));
nft_target->ops.init = nft_target_init;
nft_target->ops.destroy = nft_target_destroy;
+   nft_target->ops.activate = nft_compat_activate_tg;
+   nft_target->ops.deactivate = nft_compat_deactivate;
nft_target->ops.dump = nft_target_dump;
nft_target->ops.validate = nft_target_validate;
nft_target->ops.data = target;
@@ -920,6 +965,7 @@ nft_target_select_ops(const struct nft_ctx *ctx,
else
nft_target->ops.eval = nft_target_eval_xt;
 
+   nft_target->listcnt = 1;
list_add(_target->head, >nft_target_list);
 
return _target->ops;
-- 
2.19.1





[PATCH 4.20 002/171] vti4: Fix a ipip packet processing bug in IPCOMP virtual tunnel

2019-03-12 Thread Greg Kroah-Hartman
4.20-stable review patch.  If anyone has any objections, please let me know.

--

[ Upstream commit dd9ee3444014e8f28c0eefc9fffc9ac9c5248c12 ]

Recently we ran a network test over an ipcomp virtual tunnel. We found that
if an ipv4 packet needs fragmentation, then the peer can't receive
it.

We dug into the code and found that when a packet needs fragmentation, the
smaller fragment is encapsulated by ipip, not ipcomp. So when the ipip packet
goes into xfrm, its skb->dev is not properly set. The ipv4 reassembly code
always sets skb's dev to the last fragment's dev. After ipv4 defrag processing,
when the kernel rp_filter parameter is set, the skb will be dropped with an
-EXDEV error.

This patch adds compatible support for the ipip process in ipcomp virtual
tunnel.

Signed-off-by: Su Yanjun 
Signed-off-by: Steffen Klassert 
Signed-off-by: Sasha Levin 
---
 net/ipv4/ip_vti.c | 50 +++
 1 file changed, 50 insertions(+)

diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c
index d7b43e700023..68a21bf75dd0 100644
--- a/net/ipv4/ip_vti.c
+++ b/net/ipv4/ip_vti.c
@@ -74,6 +74,33 @@ static int vti_input(struct sk_buff *skb, int nexthdr, 
__be32 spi,
return 0;
 }
 
+static int vti_input_ipip(struct sk_buff *skb, int nexthdr, __be32 spi,
+int encap_type)
+{
+   struct ip_tunnel *tunnel;
+   const struct iphdr *iph = ip_hdr(skb);
+   struct net *net = dev_net(skb->dev);
+   struct ip_tunnel_net *itn = net_generic(net, vti_net_id);
+
+   tunnel = ip_tunnel_lookup(itn, skb->dev->ifindex, TUNNEL_NO_KEY,
+ iph->saddr, iph->daddr, 0);
+   if (tunnel) {
+   if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb))
+   goto drop;
+
+   XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4 = tunnel;
+
+   skb->dev = tunnel->dev;
+
+   return xfrm_input(skb, nexthdr, spi, encap_type);
+   }
+
+   return -EINVAL;
+drop:
+   kfree_skb(skb);
+   return 0;
+}
+
 static int vti_rcv(struct sk_buff *skb)
 {
XFRM_SPI_SKB_CB(skb)->family = AF_INET;
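Review bot: vti_input_ipip() has two failure exits with different skb ownership: the policy-check failure frees the skb and returns 0, while a failed ip_tunnel_lookup() returns -EINVAL without freeing it. If that is the contract the tunnel handler's caller expects, say so in a comment above the function; otherwise the -EINVAL path leaks the skb.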
@@ -82,6 +109,14 @@ static int vti_rcv(struct sk_buff *skb)
return vti_input(skb, ip_hdr(skb)->protocol, 0, 0);
 }
 
+static int vti_rcv_ipip(struct sk_buff *skb)
+{
+   XFRM_SPI_SKB_CB(skb)->family = AF_INET;
+   XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct iphdr, daddr);
+
+   return vti_input_ipip(skb, ip_hdr(skb)->protocol, ip_hdr(skb)->saddr, 
0);
+}
+
 static int vti_rcv_cb(struct sk_buff *skb, int err)
 {
unsigned short family;
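Review bot: vti_rcv_ipip() passes `ip_hdr(skb)->saddr` as the `spi` argument of vti_input_ipip(), which hands it on to xfrm_input(). A source address used where an SPI is expected needs a comment explaining how the state lookup is meant to work for ipip packets, because nothing in the function or the commit message says so.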
@@ -435,6 +470,12 @@ static struct xfrm4_protocol vti_ipcomp4_protocol 
__read_mostly = {
.priority   =   100,
 };
 
+static struct xfrm_tunnel ipip_handler __read_mostly = {
+   .handler=   vti_rcv_ipip,
+   .err_handler=   vti4_err,
+   .priority   =   0,
+};
+
 static int __net_init vti_init_net(struct net *net)
 {
int err;
@@ -603,6 +644,13 @@ static int __init vti_init(void)
if (err < 0)
goto xfrm_proto_comp_failed;
 
+   msg = "ipip tunnel";
+   err = xfrm4_tunnel_register(_handler, AF_INET);
+   if (err < 0) {
+   pr_info("%s: cant't register tunnel\n",__func__);
+   goto xfrm_tunnel_failed;
+   }
+
msg = "netlink interface";
err = rtnl_link_register(_link_ops);
if (err < 0)
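Review bot: The pr_info() string has a typo ("cant't") and is missing a space after the comma before `__func__`. The block also sets `msg = "ipip tunnel"` and then prints its own message, unlike the netlink step right below it, which only sets `msg` and jumps to its label; drop the extra pr_info() and handle the failure the same way.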
@@ -612,6 +660,8 @@ static int __init vti_init(void)
 
 rtnl_link_failed:
xfrm4_protocol_deregister(_ipcomp4_protocol, IPPROTO_COMP);
+xfrm_tunnel_failed:
+   xfrm4_tunnel_deregister(_handler, AF_INET);
 xfrm_proto_comp_failed:
xfrm4_protocol_deregister(_ah4_protocol, IPPROTO_AH);
 xfrm_proto_ah_failed:
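Review bot: The unwind labels are in the wrong order. The tunnel handler is registered after the IPCOMP protocol, so `xfrm_tunnel_failed:` must sit above the `xfrm4_protocol_deregister(..., IPPROTO_COMP)` call, not below it: as written, a failed xfrm4_tunnel_register() jumps to a label that deregisters the handler that was never registered and then skips the IPCOMP deregistration. The diff also has no hunk that deregisters the new handler on module exit.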
-- 
2.19.1





[PATCH 4.20 013/171] iommu/amd: Call free_iova_fast with pfn in map_sg

2019-03-12 Thread Greg Kroah-Hartman
4.20-stable review patch.  If anyone has any objections, please let me know.

--

[ Upstream commit 51d8838d66d3249508940d8f59b07701f2129723 ]

In the error path of map_sg, free_iova_fast is being called with
address instead of the pfn. This results in a bad value getting into
the rcache, and can result in hitting a BUG_ON when
iova_magazine_free_pfns is called.

Cc: Joerg Roedel 
Cc: Suravee Suthikulpanit 
Signed-off-by: Jerry Snitselaar 
Fixes: 80187fd39dcb ("iommu/amd: Optimize map_sg and unmap_sg")
Signed-off-by: Joerg Roedel 
Signed-off-by: Sasha Levin 
---
 drivers/iommu/amd_iommu.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c
index 325f3bad118b..5f33f843d30a 100644
--- a/drivers/iommu/amd_iommu.c
+++ b/drivers/iommu/amd_iommu.c
@@ -2561,7 +2561,7 @@ static int map_sg(struct device *dev, struct scatterlist 
*sglist,
}
 
 out_free_iova:
-   free_iova_fast(_dom->iovad, address, npages);
+   free_iova_fast(_dom->iovad, address >> PAGE_SHIFT, npages);
 
 out_err:
return 0;
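Review bot: The out_free_iova path open-codes `address >> PAGE_SHIFT` in the free_iova_fast() call. Since the bug being fixed was an address passed where a pfn is expected, a local pfn variable or a one-line comment naming the unit would keep the allocation and free sides visibly symmetrical and make the same mistake harder to reintroduce.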
-- 
2.19.1





[PATCH 5.0 03/25] Input: elan_i2c - add id for touchpad found in Lenovo s21e-20

2019-03-12 Thread Greg Kroah-Hartman
5.0-stable review patch.  If anyone has any objections, please let me know.

--

From: Vincent Batts 

commit e154ab69321ce2c54f19863d75c77b4e2dc9d365 upstream.

Lenovo s21e-20 uses ELAN0601 in its ACPI tables for the Elan touchpad.

Signed-off-by: Vincent Batts 
Cc: sta...@vger.kernel.org
Signed-off-by: Dmitry Torokhov 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/input/mouse/elan_i2c_core.c |1 +
 1 file changed, 1 insertion(+)

--- a/drivers/input/mouse/elan_i2c_core.c
+++ b/drivers/input/mouse/elan_i2c_core.c
@@ -1337,6 +1337,7 @@ static const struct acpi_device_id elan_
{ "ELAN", 0 },
{ "ELAN0100", 0 },
{ "ELAN0600", 0 },
+   { "ELAN0601", 0 },
{ "ELAN0602", 0 },
{ "ELAN0605", 0 },
{ "ELAN0608", 0 },




[PATCH 4.20 010/171] perf tools: Handle TOPOLOGY headers with no CPU

2019-03-12 Thread Greg Kroah-Hartman
4.20-stable review patch.  If anyone has any objections, please let me know.

--

[ Upstream commit 1497e804d1a6e2bd9107ddf64b0310449f4673eb ]

This patch fixes an issue in cpumap.c when used with the TOPOLOGY
header. In some configurations, some NUMA nodes may have no CPU (empty
cpulist). Yet a cpumap map must be created, otherwise perf aborts with an
error. This patch handles this case by creating a dummy map.

  Before:

  $ perf record -o - -e cycles noploop 2 | perf script -i -
  0x6e8 [0x6c]: failed to process type: 80

  After:

  $ perf record -o - -e cycles noploop 2 | perf script -i -
  noploop for 2 seconds

Signed-off-by: Stephane Eranian 
Acked-by: Jiri Olsa 
Cc: Andi Kleen 
Cc: Kan Liang 
Cc: Peter Zijlstra 
Link: http://lkml.kernel.org/r/1547885559-1657-1-git-send-email-eran...@google.com
Signed-off-by: Arnaldo Carvalho de Melo 
Signed-off-by: Sasha Levin 
---
 tools/perf/util/cpumap.c | 11 +--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/tools/perf/util/cpumap.c b/tools/perf/util/cpumap.c
index 1ccbd3342069..383674f448fc 100644
--- a/tools/perf/util/cpumap.c
+++ b/tools/perf/util/cpumap.c
@@ -134,7 +134,12 @@ struct cpu_map *cpu_map__new(const char *cpu_list)
if (!cpu_list)
return cpu_map__read_all_cpu_map();
 
-   if (!isdigit(*cpu_list))
+   /*
+* must handle the case of empty cpumap to cover
+* TOPOLOGY header for NUMA nodes with no CPU
+* ( e.g., because of CPU hotplug)
+*/
+   if (!isdigit(*cpu_list) && *cpu_list != '\0')
goto out;
 
while (isdigit(*cpu_list)) {
@@ -181,8 +186,10 @@ struct cpu_map *cpu_map__new(const char *cpu_list)
 
if (nr_cpus > 0)
cpus = cpu_map__trim_new(nr_cpus, tmp_cpus);
-   else
+   else if (*cpu_list != '\0')
cpus = cpu_map__default_new();
+   else
+   cpus = cpu_map__dummy_new();
 invalid:
free(tmp_cpus);
 out:
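Review bot: The new `else if (*cpu_list != '\0')` tests `cpu_list` after the parsing loop, so the choice between the default map and the dummy map depends on where the loop left the pointer rather than on whether the input was empty. Record the empty-string case in a local at the top of cpu_map__new(), next to the relaxed isdigit() check, and branch on that.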
-- 
2.19.1





[PATCH 4.20 001/171] media: uvcvideo: Fix type check leading to overflow

2019-03-12 Thread Greg Kroah-Hartman
4.20-stable review patch.  If anyone has any objections, please let me know.

--

From: Alistair Strachan 

commit 47bb117911b051bbc90764a8bff96543cbd2005f upstream.

When initially testing the Camera Terminal Descriptor wTerminalType
field (buffer[4]), no mask is used. Later in the function, the MSB is
overloaded to store the descriptor subtype, and so a mask of 0x7fff
is used to check the type.

If a descriptor is specially crafted to set this overloaded bit in the
original wTerminalType field, the initial type check will fail (falling
through, without adjusting the buffer size), but the later type checks
will pass, assuming the buffer has been made suitably large, causing an
overflow.

Avoid this problem by checking for the MSB in the wTerminalType field.
If the bit is set, assume the descriptor is bad, and abort parsing it.

Originally reported here:
https://groups.google.com/forum/#!topic/syzkaller/Ot1fOE6v1d8
A similar (non-compiling) patch was provided at that time.

Reported-by: syzbot 
Signed-off-by: Alistair Strachan 
Signed-off-by: Laurent Pinchart 
Signed-off-by: Mauro Carvalho Chehab 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/media/usb/uvc/uvc_driver.c |   14 +++---
 1 file changed, 11 insertions(+), 3 deletions(-)

--- a/drivers/media/usb/uvc/uvc_driver.c
+++ b/drivers/media/usb/uvc/uvc_driver.c
@@ -1065,11 +1065,19 @@ static int uvc_parse_standard_control(st
return -EINVAL;
}
 
-   /* Make sure the terminal type MSB is not null, otherwise it
-* could be confused with a unit.
+   /*
+* Reject invalid terminal types that would cause issues:
+*
+* - The high byte must be non-zero, otherwise it would be
+*   confused with a unit.
+*
+* - Bit 15 must be 0, as we use it internally as a terminal
+*   direction flag.
+*
+* Other unknown types are accepted.
 */
type = get_unaligned_le16([4]);
-   if ((type & 0xff00) == 0) {
+   if ((type & 0x7f00) == 0 || (type & 0x8000) != 0) {
uvc_trace(UVC_TRACE_DESCR, "device %d videocontrol "
"interface %d INPUT_TERMINAL %d has invalid "
"type 0x%04x, skipping\n", udev->devnum,

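Review bot: The rejection test `(type & 0x8000) != 0` uses a bare constant for the bit the comment describes as the internal terminal direction flag. Use a named constant for that bit in both this check and the later masking so the descriptor validation cannot drift from the internal encoding. The first bullet of the comment should also say bits 8 to 14 rather than "the high byte", since the mask is now 0x7f00.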



[PATCH 5.0 01/25] media: uvcvideo: Fix type check leading to overflow

2019-03-12 Thread Greg Kroah-Hartman
5.0-stable review patch.  If anyone has any objections, please let me know.

--

From: Alistair Strachan 

commit 47bb117911b051bbc90764a8bff96543cbd2005f upstream.

When initially testing the Camera Terminal Descriptor wTerminalType
field (buffer[4]), no mask is used. Later in the function, the MSB is
overloaded to store the descriptor subtype, and so a mask of 0x7fff
is used to check the type.

If a descriptor is specially crafted to set this overloaded bit in the
original wTerminalType field, the initial type check will fail (falling
through, without adjusting the buffer size), but the later type checks
will pass, assuming the buffer has been made suitably large, causing an
overflow.

Avoid this problem by checking for the MSB in the wTerminalType field.
If the bit is set, assume the descriptor is bad, and abort parsing it.

Originally reported here:
https://groups.google.com/forum/#!topic/syzkaller/Ot1fOE6v1d8
A similar (non-compiling) patch was provided at that time.

Reported-by: syzbot 
Signed-off-by: Alistair Strachan 
Signed-off-by: Laurent Pinchart 
Signed-off-by: Mauro Carvalho Chehab 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/media/usb/uvc/uvc_driver.c |   14 +++---
 1 file changed, 11 insertions(+), 3 deletions(-)

--- a/drivers/media/usb/uvc/uvc_driver.c
+++ b/drivers/media/usb/uvc/uvc_driver.c
@@ -1106,11 +1106,19 @@ static int uvc_parse_standard_control(st
return -EINVAL;
}
 
-   /* Make sure the terminal type MSB is not null, otherwise it
-* could be confused with a unit.
+   /*
+* Reject invalid terminal types that would cause issues:
+*
+* - The high byte must be non-zero, otherwise it would be
+*   confused with a unit.
+*
+* - Bit 15 must be 0, as we use it internally as a terminal
+*   direction flag.
+*
+* Other unknown types are accepted.
 */
type = get_unaligned_le16([4]);
-   if ((type & 0xff00) == 0) {
+   if ((type & 0x7f00) == 0 || (type & 0x8000) != 0) {
uvc_trace(UVC_TRACE_DESCR, "device %d videocontrol "
"interface %d INPUT_TERMINAL %d has invalid "
"type 0x%04x, skipping\n", udev->devnum,

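Review bot: Bit 15 is rejected only on the INPUT_TERMINAL path (the one that emits this trace string), and the diffstat shows no other hunk. If other terminal descriptors are parsed with the same 16-bit type field and the same internal use of bit 15, they need the same rejection, or the commit message should state why they are not affected.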

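The mismatch between the unmasked and the 0x7fff-masked type tests that the two uvcvideo postings above (4.20 and 5.0) describe, modelled as an added example; this is not the driver's code and not part of the patch. The camera type value 0x0201, all helper names and the descriptor bytes are constructed for illustration, and the loop generalises the check to every 16-bit wTerminalType value.

```c
#include <stddef.h>
#include <stdint.h>

#define EX_CAMERA_TYPE 0x0201u /* assumed sample camera wTerminalType */

enum verdict { V_REJECTED, V_CONSISTENT, V_MISMATCH };

/* Check before the patch: the high byte must be non-zero. */
static int old_rejects(uint16_t type)
{
    return (type & 0xff00) == 0;
}

/* Check after the patch: bits 8-14 non-zero and bit 15 clear. */
static int new_rejects(uint16_t type)
{
    return (type & 0x7f00) == 0 || (type & 0x8000) != 0;
}

/* Model of the first, unmasked test: decides whether extra room is reserved. */
static int sized_as_camera(uint16_t type)
{
    return type == EX_CAMERA_TYPE;
}

/* Model of the later test, masked with 0x7fff: decides whether fields are filled. */
static int filled_as_camera(uint16_t type)
{
    return (type & 0x7fff) == EX_CAMERA_TYPE;
}

static enum verdict classify_type(uint16_t type, int patched)
{
    if (patched ? new_rejects(type) : old_rejects(type))
        return V_REJECTED;
    /* Mismatch: the fill step expects room the sizing step never reserved. */
    return sized_as_camera(type) == filled_as_camera(type) ? V_CONSISTENT : V_MISMATCH;
}

/* wTerminalType is the little-endian 16-bit field at buffer[4]. */
static enum verdict classify(const uint8_t *buf, size_t len, int patched)
{
    if (len < 6)
        return V_REJECTED;
    return classify_type((uint16_t)(buf[4] | (buf[5] << 8)), patched);
}

/* Number of 16-bit type values that pass the check yet make the tests disagree. */
static unsigned count_mismatches(int patched)
{
    unsigned n = 0;
    for (uint32_t t = 0; t <= 0xffff; t++)
        n += classify_type((uint16_t)t, patched) == V_MISMATCH;
    return n;
}

/* Constructed descriptors; only bytes 4 and 5 (wTerminalType) matter here. */
static const uint8_t desc_camera[8]  = { 8, 0x24, 0x02, 1, 0x01, 0x02, 0, 0 };
static const uint8_t desc_bit15[8]   = { 8, 0x24, 0x02, 1, 0x01, 0x82, 0, 0 };
static const uint8_t desc_unknown[8] = { 8, 0x24, 0x02, 1, 0x34, 0x12, 0, 0 };

int main(void)
{
    return classify(desc_bit15, sizeof desc_bit15, 1) == V_REJECTED ? 0 : 1;
}
```

With the old check exactly one type value slips through in a mismatched state; with the patched check none does, while unknown types with bit 15 clear are still accepted.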

