RE: [PATCH V9 2/5] pwm: Add i.MX TPM PWM driver support

2019-03-25 Thread Anson Huang
Hi, Uwe

Best Regards!
Anson Huang

> -Original Message-
> From: Anson Huang
> Sent: March 25, 2019 19:59
> To: 'Uwe Kleine-König' 
> Cc: thierry.red...@gmail.com; robh...@kernel.org; mark.rutl...@arm.com;
> shawn...@kernel.org; s.ha...@pengutronix.de; ker...@pengutronix.de;
> feste...@gmail.com; li...@armlinux.org.uk; ste...@agner.ch;
> ota...@ossystems.com.br; Leonard Crestez ;
> Robin Gong ; jan.tu...@emtrion.com; linux-
> p...@vger.kernel.org; devicet...@vger.kernel.org; linux-arm-
> ker...@lists.infradead.org; linux-kernel@vger.kernel.org; dl-linux-imx
> 
> Subject: RE: [PATCH V9 2/5] pwm: Add i.MX TPM PWM driver support
> 
> Hi, Uwe
> 
> Best Regards!
> Anson Huang
> 
> > -Original Message-
> > From: Uwe Kleine-König [mailto:u.kleine-koe...@pengutronix.de]
> > Sent: March 25, 2019 17:30
> > To: Anson Huang 
> > Cc: thierry.red...@gmail.com; robh...@kernel.org;
> > mark.rutl...@arm.com; shawn...@kernel.org; s.ha...@pengutronix.de;
> > ker...@pengutronix.de; feste...@gmail.com; li...@armlinux.org.uk;
> > ste...@agner.ch; ota...@ossystems.com.br; Leonard Crestez
> > ; Robin Gong ;
> > jan.tu...@emtrion.com; linux- p...@vger.kernel.org;
> > devicet...@vger.kernel.org; linux-arm- ker...@lists.infradead.org;
> > linux-kernel@vger.kernel.org; dl-linux-imx 
> > Subject: Re: [PATCH V9 2/5] pwm: Add i.MX TPM PWM driver support
> >
> > On Fri, Mar 22, 2019 at 01:48:11AM +, Anson Huang wrote:
> > > i.MX7ULP has TPM(Low Power Timer/Pulse Width Modulation Module)
> > > inside, it can support multiple PWM channels, all the channels share
> > > same counter and period setting, but each channel can configure its
> > > duty and polarity independently.
> > >
> > > There are several TPM modules in i.MX7ULP, the number of channels in
> > > TPM modules are different, it can be read from each TPM module's
> > > PARAM register.
> > >
> > > Signed-off-by: Anson Huang 
> > > ---
> > > Changes since V8:
> > >   - add more limitation notes for period/duty update un-atomic
> > limitations;
> > >   - add waiting for period/duty update actually applied to HW;
> > >   - move the duty update into period update function to make them to
> > be updated
> > > as together as possible;
> > >   - don't allow PS change if counter is running;
> > >   - save channel polarity settings and return it directly when
> > > .get_state
> > is called,
> > > as the HW polarity setting could be impacted by enable status.
> > > ---
> > >  drivers/pwm/Kconfig   |  11 +
> > >  drivers/pwm/Makefile  |   1 +
> > >  drivers/pwm/pwm-imx-tpm.c | 518
> > > ++
> > >  3 files changed, 530 insertions(+)
> > >  create mode 100644 drivers/pwm/pwm-imx-tpm.c
> > >
> > > diff --git a/drivers/pwm/Kconfig b/drivers/pwm/Kconfig index
> > > 54f8238..3ea0391 100644
> > > --- a/drivers/pwm/Kconfig
> > > +++ b/drivers/pwm/Kconfig
> > > @@ -210,6 +210,17 @@ config PWM_IMX27
> > > To compile this driver as a module, choose M here: the module
> > > will be called pwm-imx27.
> > >
> > > +config PWM_IMX_TPM
> > > + tristate "i.MX TPM PWM support"
> > > + depends on ARCH_MXC || COMPILE_TEST
> > > + depends on HAVE_CLK && HAS_IOMEM
> > > + help
> > > +   Generic PWM framework driver for i.MX7ULP TPM module, TPM's
> > full
> > > +   name is Low Power Timer/Pulse Width Modulation Module.
> > > +
> > > +   To compile this driver as a module, choose M here: the module
> > > +   will be called pwm-imx-tpm.
> > > +
> > >  config PWM_JZ4740
> > >   tristate "Ingenic JZ47xx PWM support"
> > >   depends on MACH_INGENIC
> > > diff --git a/drivers/pwm/Makefile b/drivers/pwm/Makefile index
> > > 448825e..c368599 100644
> > > --- a/drivers/pwm/Makefile
> > > +++ b/drivers/pwm/Makefile
> > > @@ -19,6 +19,7 @@ obj-$(CONFIG_PWM_HIBVT) += pwm-
> > hibvt.o
> > >  obj-$(CONFIG_PWM_IMG)+= pwm-img.o
> > >  obj-$(CONFIG_PWM_IMX1)   += pwm-imx1.o
> > >  obj-$(CONFIG_PWM_IMX27)  += pwm-imx27.o
> > > +obj-$(CONFIG_PWM_IMX_TPM)+= pwm-imx-tpm.o
> > >  obj-$(CONFIG_PWM_JZ4740) += pwm-jz4740.o
> > >  obj-$(CONFIG_PWM_LP3943) += pwm-lp3943.o
> > >  obj-$(CONFIG_PWM_LPC18XX_SCT)+= pwm-lpc18xx-sct.o
> > > diff --git a/drivers/pwm/pwm-imx-tpm.c b/drivers/pwm/pwm-imx-tpm.c
> > new
> > > file mode 100644 index 000..58af0915
> > > --- /dev/null
> > > +++ b/drivers/pwm/pwm-imx-tpm.c
> > > @@ -0,0 +1,518 @@
> > > +// SPDX-License-Identifier: GPL-2.0
> > > +/*
> > > + * Copyright 2018-2019 NXP.
> > > + *
> > > + * Limitations:
> > > + * - The TPM counter and period counter are shared between
> > > + *   multiple channels, so all channels should use same period
> > > + *   settings.
> > > + * - Changes to polarity cannot be latched at the time of the
> > > + *   next period start.
> > > + * - The period and duty changes are NOT atomic, if new period and
> > > + *   new duty are requested simultaneously when counter is running,
> > > + *   there could be a small window of running old duty with

RE: [PATCH V9 1/5] dt-bindings: pwm: Add i.MX TPM PWM binding

2019-03-25 Thread Anson Huang
Hi, Rob

Best Regards!
Anson Huang

> -Original Message-
> From: Anson Huang
> Sent: March 26, 2019 8:56
> To: 'Rob Herring' 
> Cc: thierry.red...@gmail.com; mark.rutl...@arm.com;
> shawn...@kernel.org; s.ha...@pengutronix.de; ker...@pengutronix.de;
> feste...@gmail.com; li...@armlinux.org.uk; ste...@agner.ch;
> ota...@ossystems.com.br; Leonard Crestez ;
> Robin Gong ; jan.tu...@emtrion.com; linux-
> p...@vger.kernel.org; devicet...@vger.kernel.org; linux-arm-
> ker...@lists.infradead.org; linux-kernel@vger.kernel.org; u.kleine-
> koe...@pengutronix.de; dl-linux-imx 
> Subject: RE: [PATCH V9 1/5] dt-bindings: pwm: Add i.MX TPM PWM binding
> 
> Hi, Rob
> 
> Best Regards!
> Anson Huang
> 
> > -Original Message-
> > From: Rob Herring [mailto:r...@kernel.org]
> > Sent: March 26, 2019 4:42
> > To: Anson Huang 
> > Cc: thierry.red...@gmail.com; mark.rutl...@arm.com;
> > shawn...@kernel.org; s.ha...@pengutronix.de; ker...@pengutronix.de;
> > feste...@gmail.com; li...@armlinux.org.uk; ste...@agner.ch;
> > ota...@ossystems.com.br; Leonard Crestez ;
> > Robin Gong ; jan.tu...@emtrion.com; linux-
> > p...@vger.kernel.org; devicet...@vger.kernel.org; linux-arm-
> > ker...@lists.infradead.org; linux-kernel@vger.kernel.org; u.kleine-
> > koe...@pengutronix.de; dl-linux-imx 
> > Subject: Re: [PATCH V9 1/5] dt-bindings: pwm: Add i.MX TPM PWM binding
> >
> > On Fri, Mar 22, 2019 at 01:48:05AM +, Anson Huang wrote:
> > > Add i.MX TPM(Low Power Timer/Pulse Width Modulation Module) PWM
> > binding.
> > >
> > > Signed-off-by: Anson Huang 
> > > ---
> > > No changes.
> >
> > v9? I don't recall seeing any previous versions.
> 
> I checked my mailbox, you are in the "to" list in every version. The first
> version's subject is:
> [PATCH 1/5] dt-bindings: pwm: Add i.MX TPM PWM binding...
> 
> >
> > > ---
> > >  .../devicetree/bindings/pwm/imx-tpm-pwm.txt| 22
> > ++
> > >  1 file changed, 22 insertions(+)
> > >  create mode 100644
> > > Documentation/devicetree/bindings/pwm/imx-tpm-pwm.txt
> > >
> > > diff --git a/Documentation/devicetree/bindings/pwm/imx-tpm-pwm.txt
> > > b/Documentation/devicetree/bindings/pwm/imx-tpm-pwm.txt
> > > new file mode 100644
> > > index 000..94f1ad5
> > > --- /dev/null
> > > +++ b/Documentation/devicetree/bindings/pwm/imx-tpm-pwm.txt
> > > @@ -0,0 +1,22 @@
> > > +Freescale i.MX TPM PWM controller
> > > +
> > > +Required properties:
> > > +- compatible : Should be "fsl,imx-tpm".
> >
> > Needs to be SoC specific.
> 
> OK, will change it to "fsl,imx7ulp-tpm" in next version.

As "fsl,imx7ulp-tpm" is already used for timer, TPM can work as a timer
or PWM, so I have to use "fsl,imx7ulp-pwm" in the V10 patch I just sent.

Anson.

> 
> >
> > > +- reg: Physical base address and length of the controller's registers.
> > > +- #pwm-cells: Should be 3. See pwm.txt in this directory for a
> > > +description
> > of the cells format.
> > > +- clocks : The clock provided by the SoC to drive the PWM.
> > > +- interrupts: The interrupt for the PWM controller.
> > > +
> > > +Note: The TPM counter and period counter are shared between
> > > +multiple channels, so all channels should use same period setting.
> > > +
> > > +Example:
> > > +
> > > +pwm0: tpm@4025 {
> >
> > pwm@...
> 
> I forgot to update the example in DT binding, sorry for that, will update it
> according to below dts node:
> 
>  pwm0: pwm@4025 {
> 
> Anson.


[PATCH V10 5/5] ARM: dts: imx7ulp-evk: Add backlight support

2019-03-25 Thread Anson Huang
This patch adds i.MX7ULP EVK board MIPI-DSI backlight support.

Signed-off-by: Anson Huang 
---
Changes since V9:
- update pwm label name accordingly.
---
 arch/arm/boot/dts/imx7ulp-evk.dts | 21 +
 1 file changed, 21 insertions(+)

diff --git a/arch/arm/boot/dts/imx7ulp-evk.dts 
b/arch/arm/boot/dts/imx7ulp-evk.dts
index a09026a..94891c7 100644
--- a/arch/arm/boot/dts/imx7ulp-evk.dts
+++ b/arch/arm/boot/dts/imx7ulp-evk.dts
@@ -8,6 +8,7 @@
 /dts-v1/;
 
 #include "imx7ulp.dtsi"
+#include 
 
 / {
model = "NXP i.MX7ULP EVK";
@@ -22,6 +23,14 @@
reg = <0x6000 0x4000>;
};
 
+   backlight {
+   compatible = "pwm-backlight";
+   pwms = <&tpm4 1 5 0>;
+   brightness-levels = <0 20 25 30 35 40 100>;
+   default-brightness-level = <6>;
+   status = "okay";
+   };
+
reg_vsd_3v3: regulator-vsd-3v3 {
compatible = "regulator-fixed";
regulator-name = "VSD_3V3";
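Review bot: `status = "okay";` in the new backlight node is redundant, because the node is introduced in this hunk and a node without a status property is already treated as enabled; the line can be dropped. It is also worth confirming that `default-brightness-level = <6>` is intended, since it indexes the last entry of `brightness-levels` (100) and so starts the panel at full brightness.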
@@ -40,6 +49,12 @@
status = "okay";
 };
 
+&tpm4 {
+   pinctrl-names = "default";
+   pinctrl-0 = <&pinctrl_pwm0>;
+   status = "okay";
+};
+
 &usdhc0 {
pinctrl-names = "default";
pinctrl-0 = <&pinctrl_usdhc0>;
@@ -57,6 +72,12 @@
bias-pull-up;
};
 
+   pinctrl_pwm0: pwm0grp {
+   fsl,pins = <
+   IMX7ULP_PAD_PTF2__TPM4_CH1  0x2
+   >;
+   };
+
pinctrl_usdhc0: usdhc0grp {
fsl,pins = <
IMX7ULP_PAD_PTD1__SDHC0_CMD 0x43
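Review bot: the pin group added here is still named `pinctrl_pwm0: pwm0grp` although it muxes `IMX7ULP_PAD_PTF2__TPM4_CH1` and is consumed by `&tpm4` in the previous hunk. The changelog says the PWM label was updated, so naming the group after tpm4 as well would keep the board file consistent and make the pad-to-controller relation obvious.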
-- 
2.7.4



[PATCH V10 4/5] ARM: dts: imx7ulp: Add tpm pwm support

2019-03-25 Thread Anson Huang
Add i.MX7ULP EVK board PWM support.

Signed-off-by: Anson Huang 
---
Changes since V9:
- update compatible name;
- update node name and label;
---
 arch/arm/boot/dts/imx7ulp.dtsi | 10 ++
 1 file changed, 10 insertions(+)

diff --git a/arch/arm/boot/dts/imx7ulp.dtsi b/arch/arm/boot/dts/imx7ulp.dtsi
index eb349fd..2ee893d 100644
--- a/arch/arm/boot/dts/imx7ulp.dtsi
+++ b/arch/arm/boot/dts/imx7ulp.dtsi
@@ -124,6 +124,16 @@
status = "disabled";
};
 
+   tpm4: pwm@4025 {
+   compatible = "fsl,imx7ulp-pwm";
+   reg = <0x4025 0x1000>;
+   assigned-clocks = <&pcc2 IMX7ULP_CLK_LPTPM4>;
+   assigned-clock-parents = <&scg1 
IMX7ULP_CLK_SOSC_BUS_CLK>;
+   clocks = <&pcc2 IMX7ULP_CLK_LPTPM4>;
+   #pwm-cells = <3>;
+   status = "disabled";
+   };
+
tpm5: tpm@4026 {
compatible = "fsl,imx7ulp-tpm";
reg = <0x4026 0x1000>;
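Review bot: the new `tpm4: pwm@4025` node has no `interrupts` property, while the binding text in patch 1/5 of this series lists interrupts under "Required properties". Either add the interrupt here or drop it from the required list in the binding, so that the SoC dtsi and the binding agree.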
-- 
2.7.4



[PATCH V10 1/5] dt-bindings: pwm: Add i.MX TPM PWM binding

2019-03-25 Thread Anson Huang
Add i.MX TPM(Low Power Timer/Pulse Width Modulation Module) PWM binding.

Signed-off-by: Anson Huang 
---
Changes since V9:
- update compatible to contain SoC name;
- update example;
---
 .../devicetree/bindings/pwm/imx-tpm-pwm.txt| 22 ++
 1 file changed, 22 insertions(+)
 create mode 100644 Documentation/devicetree/bindings/pwm/imx-tpm-pwm.txt

diff --git a/Documentation/devicetree/bindings/pwm/imx-tpm-pwm.txt 
b/Documentation/devicetree/bindings/pwm/imx-tpm-pwm.txt
new file mode 100644
index 000..e9cc199
--- /dev/null
+++ b/Documentation/devicetree/bindings/pwm/imx-tpm-pwm.txt
@@ -0,0 +1,22 @@
+Freescale i.MX TPM PWM controller
+
+Required properties:
+- compatible : Should be "fsl,imx7ulp-pwm".
+- reg: Physical base address and length of the controller's registers.
+- #pwm-cells: Should be 3. See pwm.txt in this directory for a description of 
the cells format.
+- clocks : The clock provided by the SoC to drive the PWM.
+- interrupts: The interrupt for the PWM controller.
+
+Note: The TPM counter and period counter are shared between multiple channels, 
so all channels
+should use same period setting.
+
+Example:
+
+tpm4: pwm@4025 {
+   compatible = "fsl,imx7ulp-pwm";
+   reg = <0x4025 0x1000>;
+   assigned-clocks = <&pcc2 IMX7ULP_CLK_LPTPM4>;
+   assigned-clock-parents = <&scg1 IMX7ULP_CLK_SOSC_BUS_CLK>;
+   clocks = <&pcc2 IMX7ULP_CLK_LPTPM4>;
+   #pwm-cells = <3>;
+};
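Review bot: the example node does not satisfy the "Required properties" list above it, since `interrupts` is listed as required but is missing from the example. If the driver does not need the interrupt, remove it from the list; otherwise add it to the example. The example also uses `assigned-clocks` and `assigned-clock-parents`, which the text does not mention; a short note on why the parent is selected would help readers of the binding.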
-- 
2.7.4



[PATCH V10 2/5] pwm: Add i.MX TPM PWM driver support

2019-03-25 Thread Anson Huang
i.MX7ULP has TPM(Low Power Timer/Pulse Width Modulation Module)
inside, it can support multiple PWM channels, all the channels
share same counter and period setting, but each channel can
configure its duty and polarity independently.

There are several TPM modules in i.MX7ULP, the number of channels
in TPM modules are different, it can be read from each TPM module's
PARAM register.

Signed-off-by: Anson Huang 
---
Changes since V9:
- improve some comments;
- merge period_duty setting and config_hw to be 1 function, avoid 
duplicated duty settings
  in some scenario;
- use non "devm_" function for channel data allocation and free.
---
 drivers/pwm/Kconfig   |  11 ++
 drivers/pwm/Makefile  |   1 +
 drivers/pwm/pwm-imx-tpm.c | 463 ++
 3 files changed, 475 insertions(+)
 create mode 100644 drivers/pwm/pwm-imx-tpm.c

diff --git a/drivers/pwm/Kconfig b/drivers/pwm/Kconfig
index 54f8238..3ea0391 100644
--- a/drivers/pwm/Kconfig
+++ b/drivers/pwm/Kconfig
@@ -210,6 +210,17 @@ config PWM_IMX27
  To compile this driver as a module, choose M here: the module
  will be called pwm-imx27.
 
+config PWM_IMX_TPM
+   tristate "i.MX TPM PWM support"
+   depends on ARCH_MXC || COMPILE_TEST
+   depends on HAVE_CLK && HAS_IOMEM
+   help
+ Generic PWM framework driver for i.MX7ULP TPM module, TPM's full
+ name is Low Power Timer/Pulse Width Modulation Module.
+
+ To compile this driver as a module, choose M here: the module
+ will be called pwm-imx-tpm.
+
 config PWM_JZ4740
tristate "Ingenic JZ47xx PWM support"
depends on MACH_INGENIC
diff --git a/drivers/pwm/Makefile b/drivers/pwm/Makefile
index 448825e..c368599 100644
--- a/drivers/pwm/Makefile
+++ b/drivers/pwm/Makefile
@@ -19,6 +19,7 @@ obj-$(CONFIG_PWM_HIBVT)   += pwm-hibvt.o
 obj-$(CONFIG_PWM_IMG)  += pwm-img.o
 obj-$(CONFIG_PWM_IMX1) += pwm-imx1.o
 obj-$(CONFIG_PWM_IMX27)+= pwm-imx27.o
+obj-$(CONFIG_PWM_IMX_TPM)  += pwm-imx-tpm.o
 obj-$(CONFIG_PWM_JZ4740)   += pwm-jz4740.o
 obj-$(CONFIG_PWM_LP3943)   += pwm-lp3943.o
 obj-$(CONFIG_PWM_LPC18XX_SCT)  += pwm-lpc18xx-sct.o
diff --git a/drivers/pwm/pwm-imx-tpm.c b/drivers/pwm/pwm-imx-tpm.c
new file mode 100644
index 000..e1e9b68
--- /dev/null
+++ b/drivers/pwm/pwm-imx-tpm.c
@@ -0,0 +1,463 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright 2018-2019 NXP.
+ *
+ * Limitations:
+ * - The TPM counter and period counter are shared between
+ *   multiple channels, so all channels should use same period
+ *   settings.
+ * - Changes to polarity cannot be latched at the time of the
+ *   next period start.
+ * - Changing period and duty cycle together isn't atomic,
+ *   with the wrong timing it might happen that a period is
+ *   produced with old duty cycle but new period settings.
+ */
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+#define PWM_IMX_TPM_PARAM  0x4
+#define PWM_IMX_TPM_GLOBAL 0x8
+#define PWM_IMX_TPM_SC 0x10
+#define PWM_IMX_TPM_CNT0x14
+#define PWM_IMX_TPM_MOD0x18
+#define PWM_IMX_TPM_CnSC(n)(0x20 + (n) * 0x8)
+#define PWM_IMX_TPM_CnV(n) (0x24 + (n) * 0x8)
+
+#define PWM_IMX_TPM_PARAM_CHAN GENMASK(7, 0)
+
+#define PWM_IMX_TPM_SC_PS  GENMASK(2, 0)
+#define PWM_IMX_TPM_SC_CMODGENMASK(4, 3)
+#define PWM_IMX_TPM_SC_CMOD_INC_EVERY_CLK  FIELD_PREP(PWM_IMX_TPM_SC_CMOD, 
1)
+#define PWM_IMX_TPM_SC_CPWMS   BIT(5)
+
+#define PWM_IMX_TPM_CnSC_CHF   BIT(7)
+#define PWM_IMX_TPM_CnSC_MSB   BIT(5)
+#define PWM_IMX_TPM_CnSC_MSA   BIT(4)
+
+/*
+ * The reference manual describes this field as two separate bits. The
+ * semantic of the two bits isn't orthogonal though, so they are treated
+ * together as a 2-bit field here.
+ */
+#define PWM_IMX_TPM_CnSC_ELS   GENMASK(3, 2)
+#define PWM_IMX_TPM_CnSC_ELS_POLARITY_INVERSED 0x1
+#define PWM_IMX_TPM_CnSC_ELS_INVERSED  FIELD_PREP(PWM_IMX_TPM_CnSC_ELS, 1)
+#define PWM_IMX_TPM_CnSC_ELS_NORMALFIELD_PREP(PWM_IMX_TPM_CnSC_ELS, 2)
+
+
+#define PWM_IMX_TPM_MOD_WIDTH  16
+#define PWM_IMX_TPM_MOD_MODGENMASK(PWM_IMX_TPM_MOD_WIDTH - 1, 0)
+
+struct imx_tpm_pwm_chip {
+   struct pwm_chip chip;
+   struct clk *clk;
+   void __iomem *base;
+   struct mutex lock;
+   u32 user_count;
+   u32 enable_count;
+   u32 real_period;
+};
+
+struct imx_tpm_pwm_param {
+   u8 prescale;
+   u32 mod;
+   u32 val;
+};
+
+struct imx_tpm_pwm_channel {
+   enum pwm_polarity polarity;
+};
+
+static inline struct imx_tpm_pwm_chip *to_imx_tpm_pwm_chip(struct pwm_chip 
*chip)
+{
+   return container_of(chip, struct imx_tpm_pwm_chip, chip);
+}
+
+static int pwm_imx_tpm_round_state(struct pwm_chip *chip,
+ 
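Review bot: `PWM_IMX_TPM_CnSC_ELS_POLARITY_INVERSED 0x1` and `PWM_IMX_TPM_CnSC_ELS_INVERSED` (FIELD_PREP of the same field with 1) in the CnSC definitions express the same setting twice, once as a raw field value and once shifted into place. Keep one of them, or add a comment saying which is compared against a FIELD_GET result and which is written to the register, so the two are not mixed up. There are also two consecutive blank `+` lines before `PWM_IMX_TPM_MOD_WIDTH`; one is enough.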

[PATCH V10 0/5] Add i.MX7ULP EVK PWM backlight support

2019-03-25 Thread Anson Huang
i.MX7ULP EVK board has MIPI-DSI display, its backlight is supplied by
TPM PWM module, this patch set enables i.MX7ULP TPM PWM driver support
and also adds backlight support for MIPI-DSI display.

Changes since V9:
- update compatible string in DT binding, pwm driver and DTS file;
- update PWM driver logic of changing period and duty, put them in 1 
function;
- update node name to be "pwm", and label name to be "tpm4".

Anson Huang (5):
  dt-bindings: pwm: Add i.MX TPM PWM binding
  pwm: Add i.MX TPM PWM driver support
  ARM: imx_v6_v7_defconfig: Add TPM PWM support by default
  ARM: dts: imx7ulp: Add tpm pwm support
  ARM: dts: imx7ulp-evk: Add backlight support

 .../devicetree/bindings/pwm/imx-tpm-pwm.txt|  22 +
 arch/arm/boot/dts/imx7ulp-evk.dts  |  21 +
 arch/arm/boot/dts/imx7ulp.dtsi |  10 +
 arch/arm/configs/imx_v6_v7_defconfig   |   1 +
 drivers/pwm/Kconfig|  11 +
 drivers/pwm/Makefile   |   1 +
 drivers/pwm/pwm-imx-tpm.c  | 463 +
 7 files changed, 529 insertions(+)
 create mode 100644 Documentation/devicetree/bindings/pwm/imx-tpm-pwm.txt
 create mode 100644 drivers/pwm/pwm-imx-tpm.c

-- 
2.7.4



[PATCH V10 3/5] ARM: imx_v6_v7_defconfig: Add TPM PWM support by default

2019-03-25 Thread Anson Huang
Select CONFIG_PWM_IMX_TPM by default to support i.MX7ULP
TPM PWM.

Signed-off-by: Anson Huang 
---
No changes.
---
 arch/arm/configs/imx_v6_v7_defconfig | 1 +
 1 file changed, 1 insertion(+)

diff --git a/arch/arm/configs/imx_v6_v7_defconfig 
b/arch/arm/configs/imx_v6_v7_defconfig
index 1872dac..2a35806 100644
--- a/arch/arm/configs/imx_v6_v7_defconfig
+++ b/arch/arm/configs/imx_v6_v7_defconfig
@@ -400,6 +400,7 @@ CONFIG_MPL3115=y
 CONFIG_PWM=y
 CONFIG_PWM_FSL_FTM=y
 CONFIG_PWM_IMX=y
+CONFIG_PWM_IMX_TPM=y
 CONFIG_NVMEM_IMX_OCOTP=y
 CONFIG_NVMEM_VF610_OCOTP=y
 CONFIG_TEE=y
-- 
2.7.4



[PATCH 4.9 00/30] 4.9.166-stable review

2019-03-25 Thread Greg Kroah-Hartman
This is the start of the stable review cycle for the 4.9.166 release.
There are 30 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Thu Mar 28 04:25:51 UTC 2019.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:

https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.166-rc1.gz
or in the git tree and branch at:

git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git 
linux-4.9.y
and the diffstat can be found below.

thanks,

greg k-h

-
Pseudo-Shortlog of commits:

Greg Kroah-Hartman 
Linux 4.9.166-rc1

Arnd Bergmann 
ath10k: avoid possible string overflow

Baolin Wang 
power: supply: charger-manager: Fix incorrect return value

Enric Balletbo i Serra 
pwm-backlight: Enable/disable the PWM before/after LCD enable toggle.

Baolin Wang 
rtc: Fix overflow when converting time64_t to rtc_time

kehuanlin 
scsi: ufs: fix wrong command type of UTRD for UFSHCI v2.1

Andrey Konovalov 
USB: core: only clean up what we allocated

Peter Zijlstra 
lib/int_sqrt: optimize small argument

Lanqing Liu 
serial: sprd: clear timeout interrupt only rather than all interrupts

Qiao Zhou 
arm64: traps: disable irq in die()

Al Viro 
Hang/soft lockup in d_invalidate with simultaneous calls

Wei Qiao 
serial: sprd: adjust TIMEOUT to a big value

Eric Dumazet 
tcp/dccp: drop SYN packets if accept queue is full

Hui Wang 
ALSA: hda - Enforces runtime_resume after S3 and S4 for each codec

Takashi Iwai 
ALSA: hda - Record the current power state before suspend/resume calls

Waiman Long 
locking/lockdep: Add debug_locks check in __lock_downgrade()

Myungho Jung 
Bluetooth: Fix decrementing reference count twice in releasing socket

Hans Verkuil 
media: v4l2-ctrls.c/uvc: zero v4l2_event

zhangyi (F) 
ext4: brelse all indirect buffer in ext4_ind_remove_space()

Lukas Czerner 
ext4: fix data corruption caused by unaligned direct AIO

Jiufei Xue 
ext4: fix NULL pointer dereference while journal is aborted

Josh Poimboeuf 
objtool: Move objtool_file struct off the stack

Chen Jie 
futex: Ensure that futex address is aligned in handle_futex_death()

Archer Yan 
MIPS: Fix kernel crash for R6 in jump label branch function

Yasha Cherikovsky 
MIPS: Ensure ELF appended dtb is relocated

Yifeng Li 
mips: loongson64: lemote-2f: Add IRQF_NO_SUSPEND to "cascade" irqaction.

Jan Kara 
udf: Fix crash on IO error during truncate

Ilya Dryomov 
libceph: wait for latest osdmap in ceph_monc_blacklist_add()

Stanislaw Gruszka 
iommu/amd: fix sg->dma_address for sg->offset bigger than PAGE_SIZE

Thomas Zimmermann 
drm/vmwgfx: Don't double-free the mode stored in par->set_mode

Arnd Bergmann 
mmc: pxamci: fix enum type confusion


-

Diffstat:

 Makefile   |  4 +--
 arch/arm64/kernel/traps.c  |  8 +++--
 arch/mips/include/asm/jump_label.h |  8 ++---
 arch/mips/kernel/vmlinux.lds.S | 12 ---
 arch/mips/loongson64/lemote-2f/irq.c   |  2 +-
 drivers/gpu/drm/vmwgfx/vmwgfx_fb.c | 12 ++-
 drivers/iommu/amd_iommu.c  |  7 -
 drivers/media/usb/uvc/uvc_ctrl.c   |  2 +-
 drivers/media/v4l2-core/v4l2-ctrls.c   |  2 +-
 drivers/mmc/host/pxamci.c  |  2 +-
 drivers/net/wireless/ath/ath10k/wmi.c  |  2 +-
 drivers/power/supply/charger-manager.c |  3 +-
 drivers/rtc/rtc-lib.c  |  6 ++--
 drivers/scsi/ufs/ufshcd.c  | 14 +
 drivers/tty/serial/sprd_serial.c   |  6 ++--
 drivers/usb/core/config.c  |  9 --
 drivers/video/backlight/pwm_bl.c   |  9 +++---
 fs/dcache.c| 10 +++---
 fs/ext4/ext4_jbd2.h|  2 +-
 fs/ext4/file.c |  2 +-
 fs/ext4/indirect.c | 12 ---
 fs/udf/truncate.c  |  3 ++
 include/linux/ceph/libceph.h   |  2 ++
 include/net/inet_connection_sock.h |  5 ---
 kernel/futex.c |  4 +++
 kernel/locking/lockdep.c   |  3 ++
 lib/int_sqrt.c |  3 ++
 net/bluetooth/hci_sock.c   |  3 +-
 net/ceph/ceph_common.c | 18 ++-
 net/ceph/mon_client.c  |  9 ++
 net/dccp/ipv4.c|  8 +
 net/dccp/ipv6.c|  2 +-
 net/ipv4/tcp_input.c   |  8 +
 sound/pci/hda/hda_codec.c  | 57 --
 tools/objtool/check.c  |  3 +-
 35 files changed, 175 insertions(+), 87 deletions(-)




[PATCH 2/2] gpio: of: Check for "spi-cs-high" in child instead of parent node

2019-03-25 Thread Andrey Smirnov
"spi-cs-high" is going to be specified in an SPI controller's child
node representing the attached SPI device, so change the code to
look for it there, instead of checking the parent node.

Signed-off-by: Andrey Smirnov 
Cc: Linus Walleij 
Cc: Bartosz Golaszewski 
Cc: Chris Healy 
Cc: linux-g...@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
---
 drivers/gpio/gpiolib-of.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/gpio/gpiolib-of.c b/drivers/gpio/gpiolib-of.c
index ee7f08386a72..0220dd6d64ed 100644
--- a/drivers/gpio/gpiolib-of.c
+++ b/drivers/gpio/gpiolib-of.c
@@ -143,16 +143,16 @@ static void of_gpio_flags_quirks(struct device_node *np,
 * conflict and the "spi-cs-high" flag will
 * take precedence.
 */
-   if (of_property_read_bool(np, "spi-cs-high")) {
+   if (of_property_read_bool(child, 
"spi-cs-high")) {
if (*flags & OF_GPIO_ACTIVE_LOW) {
pr_warn("%s GPIO handle 
specifies active low - ignored\n",
-   of_node_full_name(np));
+   
of_node_full_name(child));
*flags &= ~OF_GPIO_ACTIVE_LOW;
}
} else {
if (!(*flags & OF_GPIO_ACTIVE_LOW))
pr_info("%s enforce active low 
on chipselect handle\n",
-   of_node_full_name(np));
+   
of_node_full_name(child));
*flags |= OF_GPIO_ACTIVE_LOW;
}
break;
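Review bot: with the `if` now testing only `child`, a device tree that still carries "spi-cs-high" on the controller node falls into the `else` branch and has `OF_GPIO_ACTIVE_LOW` forced on, with only a pr_info to show for it. The commit message should say whether any existing device trees rely on the parent-node form, or the code should keep a fallback check on `np` during the transition. The hunk also does not show where `child` comes from; please make sure the quoted context or the commit message makes clear that it is the SPI device node matched for this chip select.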
-- 
2.20.1



[PATCH 4.9 14/30] media: v4l2-ctrls.c/uvc: zero v4l2_event

2019-03-25 Thread Greg Kroah-Hartman
4.9-stable review patch.  If anyone has any objections, please let me know.

--

From: Hans Verkuil 

commit f45f3f753b0a3d739acda8e311b4f744d82dc52a upstream.

Control events can leak kernel memory since they do not fully zero the
event. The same code is present in both v4l2-ctrls.c and uvc_ctrl.c, so
fix both.

It appears that all other event code is properly zeroing the structure,
it's these two places.

Signed-off-by: Hans Verkuil 
Reported-by: syzbot+4f021cf3697781dbd...@syzkaller.appspotmail.com
Reviewed-by: Laurent Pinchart 
Signed-off-by: Mauro Carvalho Chehab 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/media/usb/uvc/uvc_ctrl.c |2 +-
 drivers/media/v4l2-core/v4l2-ctrls.c |2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/media/usb/uvc/uvc_ctrl.c
+++ b/drivers/media/usb/uvc/uvc_ctrl.c
@@ -1203,7 +1203,7 @@ static void uvc_ctrl_fill_event(struct u
 
__uvc_query_v4l2_ctrl(chain, ctrl, mapping, &v4l2_ctrl);
 
-   memset(ev->reserved, 0, sizeof(ev->reserved));
+   memset(ev, 0, sizeof(*ev));
ev->type = V4L2_EVENT_CTRL;
ev->id = v4l2_ctrl.id;
ev->u.ctrl.value = value;
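Review bot: in uvc_ctrl_fill_event() the whole-struct `memset(ev, 0, sizeof(*ev))` sits after the `__uvc_query_v4l2_ctrl()` call rather than at the top of the function, which is safe only while nothing above it writes to `ev`. Moving it to the first statement, or adding a one-line comment that the event is copied to user space and every `ev->` assignment must follow the memset, would protect the fix against later reordering.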
--- a/drivers/media/v4l2-core/v4l2-ctrls.c
+++ b/drivers/media/v4l2-core/v4l2-ctrls.c
@@ -1231,7 +1231,7 @@ static u32 user_flags(const struct v4l2_
 
 static void fill_event(struct v4l2_event *ev, struct v4l2_ctrl *ctrl, u32 
changes)
 {
-   memset(ev->reserved, 0, sizeof(ev->reserved));
+   memset(ev, 0, sizeof(*ev));
ev->type = V4L2_EVENT_CTRL;
ev->id = ctrl->id;
ev->u.ctrl.changes = changes;
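The leak described in the commit message above, as an added C sketch that is not part of the patch or the kernel tree. `struct mock_event`, the poison byte and `stale_bytes()` are constructed stand-ins, and only the three field assignments visible in the `fill_event()` hunk are modelled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POISON          0xAA  /* stands in for stale kernel memory */
#define MOCK_EVENT_CTRL 3     /* constructed stand-in for V4L2_EVENT_CTRL */

/*
 * Simplified, constructed stand-in for the event structure. Only 8-bit and
 * 32-bit members are used so the layout has no padding and every stale byte
 * can be attributed to a field that was never written.
 */
struct mock_event {
	uint32_t type;
	union {
		struct { uint32_t changes; uint32_t value; } ctrl;
		uint8_t data[64];
	} u;
	uint32_t pending;
	uint32_t sequence;
	uint32_t timestamp[4];
	uint32_t id;
	uint32_t reserved[8];
};

typedef void (*fill_fn)(struct mock_event *ev, uint32_t id, uint32_t changes);

/* Pre-fix pattern from the hunk: only ev->reserved is cleared. */
static void fill_event_before(struct mock_event *ev, uint32_t id, uint32_t changes)
{
	memset(ev->reserved, 0, sizeof(ev->reserved));
	ev->type = MOCK_EVENT_CTRL;
	ev->id = id;
	ev->u.ctrl.changes = changes;
}

/* Post-fix pattern: the whole event is cleared before any field is set. */
static void fill_event_after(struct mock_event *ev, uint32_t id, uint32_t changes)
{
	memset(ev, 0, sizeof(*ev));
	ev->type = MOCK_EVENT_CTRL;
	ev->id = id;
	ev->u.ctrl.changes = changes;
}

/*
 * Poison an event, fill it, copy it out the way an event is handed to user
 * space, and count the bytes that still hold the poison. *first receives the
 * offset of the first stale byte, or sizeof(struct mock_event) if none.
 */
static size_t stale_bytes(fill_fn fill, size_t *first)
{
	struct mock_event ev;
	unsigned char out[sizeof(ev)];
	size_t i, n = 0;

	memset(&ev, POISON, sizeof(ev));
	fill(&ev, 0x00980900u, 1u);   /* constructed id and change mask */
	memcpy(out, &ev, sizeof(ev)); /* models the copy to user space */

	if (first)
		*first = sizeof(ev);
	for (i = 0; i < sizeof(out); i++) {
		if (out[i] != POISON)
			continue;
		if (first && n == 0)
			*first = i;
		n++;
	}
	return n;
}

int main(void)
{
	size_t first;
	size_t n = stale_bytes(fill_event_before, &first);

	printf("before fix: %zu of %zu bytes stale, first at offset %zu\n",
	       n, sizeof(struct mock_event), first);
	n = stale_bytes(fill_event_after, &first);
	printf("after fix:  %zu bytes stale\n", n);
	return 0;
}
```

The stale bytes in the pre-fix case are the unused remainder of the union plus the `pending`, `sequence` and `timestamp` fields, none of which the old code touched.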




[PATCH 0/2] Add Updown Counter support for Milbeaut M10V SoC

2019-03-25 Thread Shinji Kanematsu
This is a series of patches which adds Updown Counter support on
Milbeaut M10V SoC.

The Updown Counter counts input pulse signal from external quadrature encoder.
It also has input pulse signal counter function.

Shinji Kanematsu (2):
  dt-bindings: iio: counter: Add Milbeaut Updown Counter
  iio: counter: Add support for Milbeaut Updown Counter

 .../bindings/iio/counter/milbeaut-updown_cnt.txt   |  22 ++
 drivers/iio/counter/Kconfig|  12 +
 drivers/iio/counter/Makefile   |   1 +
 drivers/iio/counter/milbeaut-updown.h  |  38 ++
 drivers/iio/counter/milbeaut-updown_cnt.c  | 385 +
 5 files changed, 458 insertions(+)
 create mode 100644 
Documentation/devicetree/bindings/iio/counter/milbeaut-updown_cnt.txt
 create mode 100644 drivers/iio/counter/milbeaut-updown.h
 create mode 100644 drivers/iio/counter/milbeaut-updown_cnt.c

-- 
1.9.1



[PATCH] kbuild: fix warning "overriding recipe for target 'Makefile'"

2019-03-25 Thread Masahiro Yamada
If you do "make Makefile" with GNU Make 3.x, the following warning
is displayed:

  $ make Makefile
  Makefile:165: warning: overriding recipe for target 'Makefile'
  Makefile:51: warning: ignoring old recipe for target 'Makefile'
  make[1]: Nothing to be done for 'Makefile'.
  make: Nothing to be done for 'Makefile'.

Signed-off-by: Masahiro Yamada 
---

 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index 70fc778..1b361bd 100644
--- a/Makefile
+++ b/Makefile
@@ -161,7 +161,7 @@ ifeq ($(need-sub-make),1)
 
 PHONY += $(MAKECMDGOALS) sub-make
 
-$(filter-out _all sub-make $(CURDIR)/Makefile, $(MAKECMDGOALS)) _all: sub-make
+$(filter-out _all sub-make $(lastword $(MAKEFILE_LIST)), $(MAKECMDGOALS)) 
_all: sub-make
@:
 
 # Invoke a second make in the output directory, passing relevant variables
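Review bot: `$(lastword $(MAKEFILE_LIST))` names the top-level Makefile only if no `include` has been processed before this rule, because make appends every included file to MAKEFILE_LIST. Please confirm nothing is included above line 161, or capture the value in a variable at the very top of the file and use that here. The commit message shows the warning but does not say why `$(CURDIR)/Makefile` failed to filter out the `Makefile` goal; one sentence on that would make the fix easier to review.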
-- 
2.7.4



[PATCH 4.14 03/41] iommu/amd: fix sg->dma_address for sg->offset bigger than PAGE_SIZE

2019-03-25 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

From: Stanislaw Gruszka 

commit 4e50ce03976fbc8ae995a000c4b10c737467beaa upstream.

Take into account that sg->offset can be bigger than PAGE_SIZE when
setting segment sg->dma_address. Otherwise sg->dma_address will point
at a different page, which makes DMA not possible, with errors like this:

xhci_hcd :38:00.3: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x 
address=0xfdaa70c0 flags=0x0020]
xhci_hcd :38:00.3: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x 
address=0xfdaa7040 flags=0x0020]
xhci_hcd :38:00.3: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x 
address=0xfdaa7080 flags=0x0020]
xhci_hcd :38:00.3: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x 
address=0xfdaa7100 flags=0x0020]
xhci_hcd :38:00.3: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x 
address=0xfdaa7000 flags=0x0020]

Additionally, with a wrong sg->dma_address, unmap_sg will free wrong pages,
which can cause crashes like this:

Feb 28 19:27:45 kernel: BUG: Bad page state in process cinnamon  pfn:39e8b1
Feb 28 19:27:45 kernel: Disabling lock debugging due to kernel taint
Feb 28 19:27:45 kernel: flags: 0x200()
Feb 28 19:27:45 kernel: raw: 0200  0301 

Feb 28 19:27:45 kernel: raw:   0001 

Feb 28 19:27:45 kernel: page dumped because: nonzero _refcount
Feb 28 19:27:45 kernel: Modules linked in: ccm fuse arc4 nct6775 hwmon_vid 
amdgpu nls_iso8859_1 nls_cp437 edac_mce_amd vfat fat kvm_amd ccp rng_core kvm 
mt76x0u mt76x0_common mt76x02_usb irqbypass mt76_usb mt76x02_lib mt76 
crct10dif_pclmul crc32_pclmul chash mac80211 amd_iommu_v2 ghash_clmulni_intel 
gpu_sched i2c_algo_bit ttm wmi_bmof snd_hda_codec_realtek snd_hda_codec_generic 
drm_kms_helper snd_hda_codec_hdmi snd_hda_intel drm snd_hda_codec aesni_intel 
snd_hda_core snd_hwdep aes_x86_64 crypto_simd snd_pcm cfg80211 cryptd mousedev 
snd_timer glue_helper pcspkr r8169 input_leds realtek agpgart libphy rfkill snd 
syscopyarea sysfillrect sysimgblt fb_sys_fops soundcore sp5100_tco k10temp 
i2c_piix4 wmi evdev gpio_amdpt pinctrl_amd mac_hid pcc_cpufreq acpi_cpufreq sg 
ip_tables x_tables ext4(E) crc32c_generic(E) crc16(E) mbcache(E) jbd2(E) 
fscrypto(E) sd_mod(E) hid_generic(E) usbhid(E) hid(E) dm_mod(E) serio_raw(E) 
atkbd(E) libps2(E) crc32c_intel(E) ahci(E) libahci(E) libata(E) xhci_pci(E) 
xhci_hcd(E)
Feb 28 19:27:45 kernel:  scsi_mod(E) i8042(E) serio(E) bcache(E) crc64(E)
Feb 28 19:27:45 kernel: CPU: 2 PID: 896 Comm: cinnamon Tainted: GB   W   E  
   4.20.12-arch1-1-custom #1
Feb 28 19:27:45 kernel: Hardware name: To Be Filled By O.E.M. To Be Filled By 
O.E.M./B450M Pro4, BIOS P1.20 06/26/2018
Feb 28 19:27:45 kernel: Call Trace:
Feb 28 19:27:45 kernel:  dump_stack+0x5c/0x80
Feb 28 19:27:45 kernel:  bad_page.cold.29+0x7f/0xb2
Feb 28 19:27:45 kernel:  __free_pages_ok+0x2c0/0x2d0
Feb 28 19:27:45 kernel:  skb_release_data+0x96/0x180
Feb 28 19:27:45 kernel:  __kfree_skb+0xe/0x20
Feb 28 19:27:45 kernel:  tcp_recvmsg+0x894/0xc60
Feb 28 19:27:45 kernel:  ? reuse_swap_page+0x120/0x340
Feb 28 19:27:45 kernel:  ? ptep_set_access_flags+0x23/0x30
Feb 28 19:27:45 kernel:  inet_recvmsg+0x5b/0x100
Feb 28 19:27:45 kernel:  __sys_recvfrom+0xc3/0x180
Feb 28 19:27:45 kernel:  ? handle_mm_fault+0x10a/0x250
Feb 28 19:27:45 kernel:  ? syscall_trace_enter+0x1d3/0x2d0
Feb 28 19:27:45 kernel:  ? __audit_syscall_exit+0x22a/0x290
Feb 28 19:27:45 kernel:  __x64_sys_recvfrom+0x24/0x30
Feb 28 19:27:45 kernel:  do_syscall_64+0x5b/0x170
Feb 28 19:27:45 kernel:  entry_SYSCALL_64_after_hwframe+0x44/0xa9

Cc: sta...@vger.kernel.org
Reported-and-tested-by: Jan Viktorin 
Reviewed-by: Alexander Duyck 
Signed-off-by: Stanislaw Gruszka 
Fixes: 80187fd39dcb ('iommu/amd: Optimize map_sg and unmap_sg')
Signed-off-by: Joerg Roedel 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/iommu/amd_iommu.c |7 ++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/drivers/iommu/amd_iommu.c
+++ b/drivers/iommu/amd_iommu.c
@@ -2548,7 +2548,12 @@ static int map_sg(struct device *dev, st
 
/* Everything is mapped - write the right values into s->dma_address */
for_each_sg(sglist, s, nelems, i) {
-   s->dma_address += address + s->offset;
+   /*
+* Add in the remaining piece of the scatter-gather offset that
+* was masked out when we were determining the physical address
+* via (sg_phys(s) & PAGE_MASK) earlier.
+*/
+   s->dma_address += address + (s->offset & ~PAGE_MASK);
s->dma_length   = s->length;
}
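Review bot: in the for_each_sg() loop, `s->offset & ~PAGE_MASK` open-codes offset_in_page(); writing `offset_in_page(s->offset)` says the same thing and reads better next to the (sg_phys(s) & PAGE_MASK) wording in the new comment. The comment should also name the case that mattered: the removed line added the full s->offset, so the two versions differ only when s->offset is PAGE_SIZE or larger, and "remaining piece" alone does not tell a reader that.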
 




[PATCH 4.14 29/41] ALSA: hda - Record the current power state before suspend/resume calls

2019-03-25 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

From: Takashi Iwai 

commit 98081ca62cbac31fb0f7efaf90b2e7384ce22257 upstream.

Currently we deal with single codec and suspend codec callbacks for
all S3, S4 and runtime PM handling.  But it turned out that we want to
distinguish the call patterns sometimes, e.g. for applying some init
sequence only at probing and restoring from hibernate.

This patch slightly modifies the common PM callbacks for HD-audio
codec and stores the currently processed PM event in power_state of
the codec's device.power field, which is currently unused.  The codec
callback can take a look at this event value and judge for which
purpose it's being called.

Signed-off-by: Takashi Iwai 
Signed-off-by: Greg Kroah-Hartman 

---
 sound/pci/hda/hda_codec.c |   43 +--
 1 file changed, 41 insertions(+), 2 deletions(-)

--- a/sound/pci/hda/hda_codec.c
+++ b/sound/pci/hda/hda_codec.c
@@ -2900,6 +2900,7 @@ static void hda_call_codec_resume(struct
hda_jackpoll_work(&codec->jackpoll_work.work);
else
snd_hda_jack_report_sync(codec);
+   codec->core.dev.power.power_state = PMSG_ON;
atomic_dec(&codec->core.in_pm);
 }
 
@@ -2932,10 +2933,48 @@ static int hda_codec_runtime_resume(stru
 }
 #endif /* CONFIG_PM */
 
+#ifdef CONFIG_PM_SLEEP
+static int hda_codec_pm_suspend(struct device *dev)
+{
+   dev->power.power_state = PMSG_SUSPEND;
+   return pm_runtime_force_suspend(dev);
+}
+
+static int hda_codec_pm_resume(struct device *dev)
+{
+   dev->power.power_state = PMSG_RESUME;
+   return pm_runtime_force_resume(dev);
+}
+
+static int hda_codec_pm_freeze(struct device *dev)
+{
+   dev->power.power_state = PMSG_FREEZE;
+   return pm_runtime_force_suspend(dev);
+}
+
+static int hda_codec_pm_thaw(struct device *dev)
+{
+   dev->power.power_state = PMSG_THAW;
+   return pm_runtime_force_resume(dev);
+}
+
+static int hda_codec_pm_restore(struct device *dev)
+{
+   dev->power.power_state = PMSG_RESTORE;
+   return pm_runtime_force_resume(dev);
+}
+#endif /* CONFIG_PM_SLEEP */
+
 /* referred in hda_bind.c */
 const struct dev_pm_ops hda_codec_driver_pm = {
-   SET_SYSTEM_SLEEP_PM_OPS(pm_runtime_force_suspend,
-   pm_runtime_force_resume)
+#ifdef CONFIG_PM_SLEEP
+   .suspend = hda_codec_pm_suspend,
+   .resume = hda_codec_pm_resume,
+   .freeze = hda_codec_pm_freeze,
+   .thaw = hda_codec_pm_thaw,
+   .poweroff = hda_codec_pm_suspend,
+   .restore = hda_codec_pm_restore,
+#endif /* CONFIG_PM_SLEEP */
SET_RUNTIME_PM_OPS(hda_codec_runtime_suspend, hda_codec_runtime_resume,
   NULL)
 };
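Review bot: in hda_codec_driver_pm, `.poweroff = hda_codec_pm_suspend` makes the hibernation power-off path record PMSG_SUSPEND, so a codec callback that reads power_state cannot tell poweroff from an ordinary suspend, which is the kind of distinction the commit message says it wants. If that is intended, a one-line comment on the .poweroff entry would say so; otherwise a dedicated callback storing PMSG_HIBERNATE would fit the pattern of the other five. The wrappers are also undocumented: a short comment above them stating that power_state is only meaningful while a PM callback runs (hda_call_codec_resume() resets it to PMSG_ON in the first hunk) would save readers a search.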




[PATCH 4.14 27/41] locking/lockdep: Add debug_locks check in __lock_downgrade()

2019-03-25 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

From: Waiman Long 

commit 71492580571467fb7177aade19c18ce7486267f5 upstream.

Tetsuo Handa had reported he saw an incorrect "downgrading a read lock"
warning right after a previous lockdep warning. It is likely that the
previous warning turned off lock debugging, causing lockdep to have
inconsistent states leading to the lock downgrade warning.

Fix that by adding a check for debug_locks at the beginning of
__lock_downgrade().

Debugged-by: Tetsuo Handa 
Reported-by: Tetsuo Handa 
Reported-by: syzbot+53383ae265fb161ef...@syzkaller.appspotmail.com
Signed-off-by: Waiman Long 
Signed-off-by: Peter Zijlstra (Intel) 
Cc: Andrew Morton 
Cc: Linus Torvalds 
Cc: Paul E. McKenney 
Cc: Peter Zijlstra 
Cc: Thomas Gleixner 
Cc: Will Deacon 
Link: https://lkml.kernel.org/r/1547093005-26085-1-git-send-email-long...@redhat.com
Signed-off-by: Ingo Molnar 
Signed-off-by: Greg Kroah-Hartman 

---
 kernel/locking/lockdep.c |3 +++
 1 file changed, 3 insertions(+)

--- a/kernel/locking/lockdep.c
+++ b/kernel/locking/lockdep.c
@@ -3650,6 +3650,9 @@ __lock_set_class(struct lockdep_map *loc
unsigned int depth;
int i;
 
+   if (unlikely(!debug_locks))
+   return 0;
+
depth = curr->lockdep_depth;
/*
 * This function is about (re)setting the class of a held lock,
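Review bot: the subject and commit message put the debug_locks check at the beginning of __lock_downgrade(), but the hunk header here names __lock_set_class() and the context comment right below the insertion reads "This function is about (re)setting the class of a held lock". The leading context (`unsigned int depth;` and `int i;`) is generic enough to match more than one function, so please confirm against the 4.14 tree that line 3650 is inside __lock_downgrade() and that the patch did not apply with an offset into a neighbouring function.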




Re: [PATCH v11 0/2] PWM support for HiFive Unleashed

2019-03-25 Thread Yash Shah
On Mon, Mar 25, 2019 at 9:24 PM Andreas Schwab wrote:
>
>
> I still don't see any improvement.  FYI, this is the patch I use for the
> device tree:
>

I am sharing my test environment, which has been working for me, so
that you can duplicate it at your end.

I have tested the patch on Linux v5.0-rc1 commit id:
bfeffd155283772bbe78c6a05dec7c0128ee500c
with additional board related patches which can be found at
dev/yashs/pwm_5.0-rc1 branch of:
https://github.com/yashshah7/riscv-linux.git

I have compiled the dt file (found in the above repo) and replaced the
compiled dtb file with 'fsbl/ux00_fsbl.dtb' and rebuilt fsbl.bin.
Make sure your dt file changes are getting reflected on the target under
'/proc/device-tree/'.

Below is the .config file content:

#
# Automatically generated file; DO NOT EDIT.
# Linux/riscv 5.0.0-rc1 Kernel Configuration
#

#
# Compiler: riscv64-unknown-elf-gcc (GCC) 7.2.0
#
CONFIG_CC_IS_GCC=y
CONFIG_GCC_VERSION=70200
CONFIG_CLANG_VERSION=0
CONFIG_CC_HAS_ASM_GOTO=y
CONFIG_IRQ_WORK=y
CONFIG_THREAD_INFO_IN_TASK=y

#
# General setup
#
CONFIG_INIT_ENV_ARG_LIMIT=32
CONFIG_LOCALVERSION=""
CONFIG_LOCALVERSION_AUTO=y
CONFIG_BUILD_SALT=""
CONFIG_DEFAULT_HOSTNAME="(none)"
CONFIG_SWAP=y
CONFIG_SYSVIPC=y
CONFIG_SYSVIPC_SYSCTL=y
CONFIG_POSIX_MQUEUE=y
CONFIG_POSIX_MQUEUE_SYSCTL=y
CONFIG_CROSS_MEMORY_ATTACH=y

#
# IRQ subsystem
#
CONFIG_GENERIC_IRQ_SHOW=y
CONFIG_IRQ_DOMAIN=y
CONFIG_GENERIC_MSI_IRQ=y
CONFIG_SPARSE_IRQ=y
CONFIG_GENERIC_IRQ_MULTI_HANDLER=y
CONFIG_GENERIC_CLOCKEVENTS=y

#
# Timers subsystem
#
CONFIG_HZ_PERIODIC=y
CONFIG_PREEMPT_NONE=y

#
# CPU/Task time and stats accounting
#
CONFIG_TICK_CPU_ACCOUNTING=y
CONFIG_CPU_ISOLATION=y

#
# RCU Subsystem
#
CONFIG_TREE_RCU=y
CONFIG_SRCU=y
CONFIG_TREE_SRCU=y
CONFIG_RCU_STALL_COMMON=y
CONFIG_RCU_NEED_SEGCBLIST=y
CONFIG_BUILD_BIN2C=y
CONFIG_IKCONFIG=y
CONFIG_IKCONFIG_PROC=y
CONFIG_LOG_BUF_SHIFT=17
CONFIG_LOG_CPU_MAX_BUF_SHIFT=12
CONFIG_PRINTK_SAFE_LOG_BUF_SHIFT=13
CONFIG_GENERIC_SCHED_CLOCK=y
CONFIG_ARCH_SUPPORTS_INT128=y
CONFIG_CGROUPS=y
CONFIG_CGROUP_SCHED=y
CONFIG_FAIR_GROUP_SCHED=y
CONFIG_CFS_BANDWIDTH=y
CONFIG_CGROUP_BPF=y
CONFIG_SOCK_CGROUP_DATA=y
CONFIG_NAMESPACES=y
CONFIG_UTS_NS=y
CONFIG_IPC_NS=y
CONFIG_USER_NS=y
CONFIG_PID_NS=y
CONFIG_NET_NS=y
CONFIG_CHECKPOINT_RESTORE=y
CONFIG_BLK_DEV_INITRD=y
CONFIG_INITRAMFS_SOURCE=""
CONFIG_RD_GZIP=y
CONFIG_RD_BZIP2=y
CONFIG_RD_LZMA=y
CONFIG_RD_XZ=y
CONFIG_RD_LZO=y
CONFIG_RD_LZ4=y
CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE=y
CONFIG_SYSCTL=y
CONFIG_ANON_INODES=y
CONFIG_SYSCTL_EXCEPTION_TRACE=y
CONFIG_BPF=y
CONFIG_EXPERT=y
CONFIG_MULTIUSER=y
CONFIG_SYSFS_SYSCALL=y
CONFIG_FHANDLE=y
CONFIG_POSIX_TIMERS=y
CONFIG_PRINTK=y
CONFIG_BUG=y
CONFIG_ELF_CORE=y
CONFIG_BASE_FULL=y
CONFIG_FUTEX=y
CONFIG_FUTEX_PI=y
CONFIG_HAVE_FUTEX_CMPXCHG=y
CONFIG_EPOLL=y
CONFIG_SIGNALFD=y
CONFIG_TIMERFD=y
CONFIG_EVENTFD=y
CONFIG_SHMEM=y
CONFIG_AIO=y
CONFIG_ADVISE_SYSCALLS=y
CONFIG_MEMBARRIER=y
CONFIG_KALLSYMS=y
CONFIG_KALLSYMS_BASE_RELATIVE=y
CONFIG_BPF_SYSCALL=y
CONFIG_HAVE_PERF_EVENTS=y

#
# Kernel Performance Events And Counters
#
CONFIG_VM_EVENT_COUNTERS=y
CONFIG_SLUB_DEBUG=y
CONFIG_COMPAT_BRK=y
CONFIG_SLUB=y
CONFIG_SLAB_MERGE_DEFAULT=y
CONFIG_SLUB_CPU_PARTIAL=y
CONFIG_64BIT=y
CONFIG_RISCV=y
CONFIG_MMU=y
CONFIG_ZONE_DMA32=y
CONFIG_PAGE_OFFSET=0xffe0
CONFIG_STACKTRACE_SUPPORT=y
CONFIG_TRACE_IRQFLAGS_SUPPORT=y
CONFIG_RWSEM_GENERIC_SPINLOCK=y
CONFIG_GENERIC_BUG=y
CONFIG_GENERIC_BUG_RELATIVE_POINTERS=y
CONFIG_GENERIC_CALIBRATE_DELAY=y
CONFIG_GENERIC_CSUM=y
CONFIG_GENERIC_HWEIGHT=y
CONFIG_PGTABLE_LEVELS=3

#
# Platform type
#
CONFIG_ARCH_RV64I=y
CONFIG_CMODEL_MEDANY=y
CONFIG_MODULE_SECTIONS=y
CONFIG_MAXPHYSMEM_128GB=y
CONFIG_SMP=y
CONFIG_NR_CPUS=8
CONFIG_TUNE_GENERIC=y
CONFIG_RISCV_ISA_C=y
CONFIG_RISCV_ISA_A=y
CONFIG_FPU=y

#
# Kernel features
#
CONFIG_HZ_250=y
CONFIG_HZ=250

#
# Boot options
#
CONFIG_CMDLINE="console=ttySIF0,115200 ignore_loglevel debug"
CONFIG_CMDLINE_FALLBACK=y

#
# General architecture-dependent options
#
CONFIG_HAVE_64BIT_ALIGNED_ACCESS=y
CONFIG_HAVE_ARCH_TRACEHOOK=y
CONFIG_HAVE_DMA_CONTIGUOUS=y
CONFIG_GENERIC_SMP_IDLE_THREAD=y
CONFIG_HAVE_CLK=y
CONFIG_CC_HAS_STACKPROTECTOR_NONE=y
CONFIG_HAVE_VIRT_CPU_ACCOUNTING_GEN=y
CONFIG_HAVE_MOD_ARCH_SPECIFIC=y
CONFIG_MODULES_USE_ELF_RELA=y
CONFIG_CLONE_BACKWARDS=y

#
# GCOV-based kernel profiling
#
CONFIG_PLUGIN_HOSTCC="g++"
CONFIG_RT_MUTEXES=y
CONFIG_BASE_SMALL=0
CONFIG_MODULES=y
CONFIG_MODULE_UNLOAD=y
CONFIG_BLOCK=y
CONFIG_BLK_SCSI_REQUEST=y
CONFIG_BLK_DEV_BSG=y

#
# Partition Types
#
CONFIG_MSDOS_PARTITION=y
CONFIG_EFI_PARTITION=y
CONFIG_BLK_MQ_PCI=y
CONFIG_BLK_MQ_VIRTIO=y

#
# IO Schedulers
#
CONFIG_MQ_IOSCHED_DEADLINE=y
CONFIG_MQ_IOSCHED_KYBER=y
CONFIG_INLINE_SPIN_UNLOCK_IRQ=y
CONFIG_INLINE_READ_UNLOCK=y
CONFIG_INLINE_READ_UNLOCK_IRQ=y
CONFIG_INLINE_WRITE_UNLOCK=y
CONFIG_INLINE_WRITE_UNLOCK_IRQ=y

#
# Executable file formats
#
CONFIG_BINFMT_ELF=y
CONFIG_ELFCORE=y
CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS=y
CONFIG_BINFMT_SCRIPT=y
CONFIG_COREDUMP=y

#
# Memory Management options
#
C

[PATCH 4.14 26/41] x86/unwind: Add hardcoded ORC entry for NULL

2019-03-25 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

From: Jann Horn 

commit ac5ceccce5501e43d217c596e4ee859f2a3fef79 upstream.

When the ORC unwinder is invoked for an oops caused by IP==0,
it currently has no idea what to do because there is no debug information
for the stack frame of NULL.

But if RIP is NULL, it is very likely that the last successfully executed
instruction was an indirect CALL/JMP, and it is possible to unwind out in
the same way as for the first instruction of a normal function. Hardcode
a corresponding ORC entry.

With an artificially-added NULL call in prctl_set_seccomp(), before this
patch, the trace is:

Call Trace:
 ? __x64_sys_prctl+0x402/0x680
 ? __ia32_sys_prctl+0x6e0/0x6e0
 ? __do_page_fault+0x457/0x620
 ? do_syscall_64+0x6d/0x160
 ? entry_SYSCALL_64_after_hwframe+0x44/0xa9

After this patch, the trace looks like this:

Call Trace:
 __x64_sys_prctl+0x402/0x680
 ? __ia32_sys_prctl+0x6e0/0x6e0
 ? __do_page_fault+0x457/0x620
 do_syscall_64+0x6d/0x160
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

prctl_set_seccomp() still doesn't show up in the trace because for some
reason, tail call optimization is only disabled in builds that use the
frame pointer unwinder.

Signed-off-by: Jann Horn 
Signed-off-by: Thomas Gleixner 
Acked-by: Josh Poimboeuf 
Cc: Borislav Petkov 
Cc: Andrew Morton 
Cc: syzbot 
Cc: "H. Peter Anvin" 
Cc: Masahiro Yamada 
Cc: Michal Marek 
Cc: linux-kbu...@vger.kernel.org
Link: https://lkml.kernel.org/r/20190301031201.7416-2-ja...@google.com
Signed-off-by: Greg Kroah-Hartman 

---
 arch/x86/kernel/unwind_orc.c |   17 +
 1 file changed, 17 insertions(+)

--- a/arch/x86/kernel/unwind_orc.c
+++ b/arch/x86/kernel/unwind_orc.c
@@ -74,11 +74,28 @@ static struct orc_entry *orc_module_find
 }
 #endif
 
+/*
+ * If we crash with IP==0, the last successfully executed instruction
+ * was probably an indirect function call with a NULL function pointer,
+ * and we don't have unwind information for NULL.
+ * This hardcoded ORC entry for IP==0 allows us to unwind from a NULL function
+ * pointer into its parent and then continue normally from there.
+ */
+static struct orc_entry null_orc_entry = {
+   .sp_offset = sizeof(long),
+   .sp_reg = ORC_REG_SP,
+   .bp_reg = ORC_REG_UNDEFINED,
+   .type = ORC_TYPE_CALL
+};
+
 static struct orc_entry *orc_find(unsigned long ip)
 {
if (!orc_init)
return NULL;
 
+   if (ip == 0)
+   return &null_orc_entry;
+
/* For non-init vmlinux addresses, use the fast lookup table: */
if (ip >= LOOKUP_START_IP && ip < LOOKUP_STOP_IP) {
unsigned int idx, start, stop;
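Review bot: in orc_find(), the new `ip == 0` check sits after `if (!orc_init) return NULL;`, yet null_orc_entry is a static object that needs none of the lookup tables, so a NULL function-pointer call before ORC initialisation still gets no entry. If that ordering is deliberate, the comment above null_orc_entry should say so; otherwise the check can go first. null_orc_entry is never written in these lines either, so it is worth checking whether it can be const or __ro_after_init, given that orc_find() hands out a non-const pointer to it.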




[PATCH 4.14 07/41] MIPS: Ensure ELF appended dtb is relocated

2019-03-25 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

From: Yasha Cherikovsky 

commit 3f0a53bc6482fb09770982a8447981260ea258dc upstream.

This fixes booting with the combination of CONFIG_RELOCATABLE=y
and CONFIG_MIPS_ELF_APPENDED_DTB=y.

Sections that appear after the relocation table are not relocated
on system boot (except .bss, which has special handling).

With CONFIG_MIPS_ELF_APPENDED_DTB, the dtb is part of the
vmlinux ELF, so it must be relocated together with everything else.

Fixes: 069fd766271d ("MIPS: Reserve space for relocation table")
Signed-off-by: Yasha Cherikovsky 
Signed-off-by: Paul Burton 
Cc: Ralf Baechle 
Cc: Paul Burton 
Cc: James Hogan 
Cc: linux-m...@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Cc: sta...@vger.kernel.org # v4.7+
Signed-off-by: Greg Kroah-Hartman 

---
 arch/mips/kernel/vmlinux.lds.S |   12 +++-
 1 file changed, 7 insertions(+), 5 deletions(-)

--- a/arch/mips/kernel/vmlinux.lds.S
+++ b/arch/mips/kernel/vmlinux.lds.S
@@ -140,6 +140,13 @@ SECTIONS
PERCPU_SECTION(1 << CONFIG_MIPS_L1_CACHE_SHIFT)
 #endif
 
+#ifdef CONFIG_MIPS_ELF_APPENDED_DTB
+   .appended_dtb : AT(ADDR(.appended_dtb) - LOAD_OFFSET) {
+   *(.appended_dtb)
+   KEEP(*(.appended_dtb))
+   }
+#endif
+
 #ifdef CONFIG_RELOCATABLE
. = ALIGN(4);
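Review bot: the moved .appended_dtb block must now stay ahead of the CONFIG_RELOCATABLE block for the fix to hold, but nothing in the linker script says so; a comment above the new #ifdef noting that sections placed after the relocation table are not relocated would keep a later cleanup from moving it back. Separately, `*(.appended_dtb)` followed by `KEEP(*(.appended_dtb))` names the same input sections twice, and since the first pattern already claims them the KEEP() line looks redundant as written; keeping only the KEEP() form would state the intent.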
 
@@ -164,11 +171,6 @@ SECTIONS
__appended_dtb = .;
/* leave space for appended DTB */
. += 0x10;
-#elif defined(CONFIG_MIPS_ELF_APPENDED_DTB)
-   .appended_dtb : AT(ADDR(.appended_dtb) - LOAD_OFFSET) {
-   *(.appended_dtb)
-   KEEP(*(.appended_dtb))
-   }
 #endif
/*
 * Align to 64K in attempt to eliminate holes before the




[PATCH 4.14 21/41] Bluetooth: hci_ldisc: Initialize hci_dev before open()

2019-03-25 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

From: Jeremy Cline 

commit 32a7b4cbe93b0a0ef7e63d31ca69ce54736c4412 upstream.

The hci_dev struct hdev is referenced in work queues and timers started
by open() in some protocols. This creates a race between the
initialization function and the work or timer which can result in hdev
being dereferenced while it is still null.

The syzbot report contains a reliable reproducer which causes a null
pointer dereference of hdev in hci_uart_write_work() by making the
memory allocation for hdev fail.

To fix this, ensure hdev is valid from before calling a protocol's
open() until after calling a protocol's close().

Reported-by: syzbot+257790c15bcdef6fe...@syzkaller.appspotmail.com
Signed-off-by: Jeremy Cline 
Signed-off-by: Marcel Holtmann 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/bluetooth/hci_ldisc.c |   21 ++---
 1 file changed, 14 insertions(+), 7 deletions(-)

--- a/drivers/bluetooth/hci_ldisc.c
+++ b/drivers/bluetooth/hci_ldisc.c
@@ -207,11 +207,11 @@ static void hci_uart_init_work(struct wo
err = hci_register_dev(hu->hdev);
if (err < 0) {
BT_ERR("Can't register HCI device");
+   clear_bit(HCI_UART_PROTO_READY, &hu->flags);
+   hu->proto->close(hu);
hdev = hu->hdev;
hu->hdev = NULL;
hci_free_dev(hdev);
-   clear_bit(HCI_UART_PROTO_READY, &hu->flags);
-   hu->proto->close(hu);
return;
}
 
@@ -612,6 +612,7 @@ static void hci_uart_tty_receive(struct
 static int hci_uart_register_dev(struct hci_uart *hu)
 {
struct hci_dev *hdev;
+   int err;
 
BT_DBG("");
 
@@ -655,11 +656,22 @@ static int hci_uart_register_dev(struct
else
hdev->dev_type = HCI_PRIMARY;
 
+   /* Only call open() for the protocol after hdev is fully initialized as
+* open() (or a timer/workqueue it starts) may attempt to reference it.
+*/
+   err = hu->proto->open(hu);
+   if (err) {
+   hu->hdev = NULL;
+   hci_free_dev(hdev);
+   return err;
+   }
+
if (test_bit(HCI_UART_INIT_PENDING, &hu->hdev_flags))
return 0;
 
if (hci_register_dev(hdev) < 0) {
BT_ERR("Can't register HCI device");
+   hu->proto->close(hu);
hu->hdev = NULL;
hci_free_dev(hdev);
return -ENODEV;
@@ -679,17 +691,12 @@ static int hci_uart_set_proto(struct hci
if (!p)
return -EPROTONOSUPPORT;
 
-   err = p->open(hu);
-   if (err)
-   return err;
-
hu->proto = p;
set_bit(HCI_UART_PROTO_READY, &hu->flags);
 
err = hci_uart_register_dev(hu);
if (err) {
clear_bit(HCI_UART_PROTO_READY, &hu->flags);
-   p->close(hu);
return err;
}
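Review bot: in hci_uart_set_proto(), with p->open() removed from this function, `set_bit(HCI_UART_PROTO_READY, &hu->flags)` now runs before the protocol has been opened, because open() is only called later inside hci_uart_register_dev(). Any path that tests HCI_UART_PROTO_READY and then calls into hu->proto can therefore reach a protocol whose open() has not run yet, or has failed. Consider setting the bit only after hci_uart_register_dev() returns 0, or add a comment explaining why the early window is safe.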
 




Re: [BACKPORT 4.4.y 01/25] mmc: pwrseq: constify mmc_pwrseq_ops structures

2019-03-25 Thread Julia Lawall



On Tue, 26 Mar 2019, Greg KH wrote:

> On Fri, Mar 22, 2019 at 04:43:52PM +0100, Arnd Bergmann wrote:
> > From: Julia Lawall 
> >
> > The mmc_pwrseq_ops structures are never modified, so declare them as const.
> >
> > Done with the help of Coccinelle.
> >
> > Signed-off-by: Julia Lawall 
> > Signed-off-by: Ulf Hansson 
> > (cherry picked from commit ffedbd2210f2f4cba490a9205adc11fd1b89a852)
> > Signed-off-by: Arnd Bergmann 
> > ---
> >  drivers/mmc/core/pwrseq.h| 2 +-
> >  drivers/mmc/core/pwrseq_emmc.c   | 2 +-
> >  drivers/mmc/core/pwrseq_simple.c | 2 +-
> >  3 files changed, 3 insertions(+), 3 deletions(-)
> >
> > diff --git a/drivers/mmc/core/pwrseq.h b/drivers/mmc/core/pwrseq.h
> > index 096da48c6a7e..133de0426687 100644
> > --- a/drivers/mmc/core/pwrseq.h
> > +++ b/drivers/mmc/core/pwrseq.h
> > @@ -16,7 +16,7 @@ struct mmc_pwrseq_ops {
> >  };
> >
> >  struct mmc_pwrseq {
> > -   struct mmc_pwrseq_ops *ops;
> > +   const struct mmc_pwrseq_ops *ops;
> >  };
> >
> >  #ifdef CONFIG_OF
> > diff --git a/drivers/mmc/core/pwrseq_emmc.c b/drivers/mmc/core/pwrseq_emmc.c
> > index ad4f94ec7e8d..4a82bc77fe49 100644
> > --- a/drivers/mmc/core/pwrseq_emmc.c
> > +++ b/drivers/mmc/core/pwrseq_emmc.c
> > @@ -51,7 +51,7 @@ static void mmc_pwrseq_emmc_free(struct mmc_host *host)
> > kfree(pwrseq);
> >  }
> >
> > -static struct mmc_pwrseq_ops mmc_pwrseq_emmc_ops = {
> > +static const struct mmc_pwrseq_ops mmc_pwrseq_emmc_ops = {
> > .post_power_on = mmc_pwrseq_emmc_reset,
> > .free = mmc_pwrseq_emmc_free,
> >  };
> > diff --git a/drivers/mmc/core/pwrseq_simple.c 
> > b/drivers/mmc/core/pwrseq_simple.c
> > index d10538bb5e07..2b16263458af 100644
> > --- a/drivers/mmc/core/pwrseq_simple.c
> > +++ b/drivers/mmc/core/pwrseq_simple.c
> > @@ -87,7 +87,7 @@ static void mmc_pwrseq_simple_free(struct mmc_host *host)
> > kfree(pwrseq);
> >  }
> >
> > -static struct mmc_pwrseq_ops mmc_pwrseq_simple_ops = {
> > +static const struct mmc_pwrseq_ops mmc_pwrseq_simple_ops = {
> > .pre_power_on = mmc_pwrseq_simple_pre_power_on,
> > .post_power_on = mmc_pwrseq_simple_post_power_on,
> > .power_off = mmc_pwrseq_simple_power_off,
>
> Why is this needed for a stable patch?  It doesn't fix a bug, it just
> looks like it is a "nice thing" to have, right?  I don't think any later
> patch in this series relies on it, or am I missing something?

Fine with me.

julia


[PATCH 4.14 34/41] PCI: designware-ep: dw_pcie_ep_set_msi() should only set MMC bits

2019-03-25 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

From: Niklas Cassel 

commit 099a95f3591ade29da52131895a3ba9f92a0e82c upstream.

Previously, dw_pcie_ep_set_msi() wrote all bits in the Message Control
register, thus overwriting the PCI_MSI_FLAGS_64BIT bit.
By clearing the PCI_MSI_FLAGS_64BIT bit, we break MSI
on systems where the RC has set a 64 bit MSI address.
Fix dw_pcie_ep_set_msi() so that it only sets MMC bits.

Tested-by: Gustavo Pimentel 
Signed-off-by: Niklas Cassel 
Signed-off-by: Lorenzo Pieralisi 
Acked-by: Joao Pinto 
Signed-off-by: Arnd Bergmann 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/pci/dwc/pcie-designware-ep.c |4 +++-
 drivers/pci/dwc/pcie-designware.h|1 +
 2 files changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/pci/dwc/pcie-designware-ep.c
+++ b/drivers/pci/dwc/pcie-designware-ep.c
@@ -214,7 +214,9 @@ static int dw_pcie_ep_set_msi(struct pci
struct dw_pcie_ep *ep = epc_get_drvdata(epc);
struct dw_pcie *pci = to_dw_pcie_from_ep(ep);
 
-   val = (encode_int << MSI_CAP_MMC_SHIFT);
+   val = dw_pcie_readw_dbi(pci, MSI_MESSAGE_CONTROL);
+   val &= ~MSI_CAP_MMC_MASK;
+   val |= (encode_int << MSI_CAP_MMC_SHIFT) & MSI_CAP_MMC_MASK;
dw_pcie_writew_dbi(pci, MSI_MESSAGE_CONTROL, val);
 
return 0;
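Review bot: in dw_pcie_ep_set_msi(), the trailing `& MSI_CAP_MMC_MASK` on `(encode_int << MSI_CAP_MMC_SHIFT)` silently truncates an encode_int larger than 7 instead of reporting it. The read-modify-write is the right way to preserve PCI_MSI_FLAGS_64BIT, but unless encode_int is already range-checked above the visible lines, an out-of-range value should return -EINVAL before the register is touched rather than be folded into a different MMC setting.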
--- a/drivers/pci/dwc/pcie-designware.h
+++ b/drivers/pci/dwc/pcie-designware.h
@@ -99,6 +99,7 @@
 
 #define MSI_MESSAGE_CONTROL0x52
 #define MSI_CAP_MMC_SHIFT  1
+#define MSI_CAP_MMC_MASK   (7 << MSI_CAP_MMC_SHIFT)
 #define MSI_CAP_MME_SHIFT  4
 #define MSI_CAP_MSI_EN_MASK0x1
 #define MSI_CAP_MME_MASK   (7 << MSI_CAP_MME_SHIFT)




[PATCH 4.19 01/45] ALSA: hda - add Lenovo IdeaCentre B550 to the power_save_blacklist

2019-03-25 Thread Greg Kroah-Hartman
4.19-stable review patch.  If anyone has any objections, please let me know.

--

From: Jaroslav Kysela 

commit 721f1e6c1fd137e7e2053d8e103b666faaa2d50c upstream.

Another machine which does not like the power saving (noise):
  https://bugzilla.redhat.com/show_bug.cgi?id=1689623

Also, reorder the Lenovo C50 entry to keep the table sorted.

Reported-by: hs.guimar...@outlook.com
Signed-off-by: Jaroslav Kysela 
Cc: 
Signed-off-by: Takashi Iwai 
Signed-off-by: Greg Kroah-Hartman 

---
 sound/pci/hda/hda_intel.c |6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/sound/pci/hda/hda_intel.c
+++ b/sound/pci/hda/hda_intel.c
@@ -2274,10 +2274,12 @@ static struct snd_pci_quirk power_save_b
SND_PCI_QUIRK(0x8086, 0x2057, "Intel NUC5i7RYB", 0),
/* https://bugzilla.redhat.com/show_bug.cgi?id=1520902 */
SND_PCI_QUIRK(0x8086, 0x2068, "Intel NUC7i3BNB", 0),
-   /* https://bugzilla.redhat.com/show_bug.cgi?id=1572975 */
-   SND_PCI_QUIRK(0x17aa, 0x36a7, "Lenovo C50 All in one", 0),
/* https://bugzilla.kernel.org/show_bug.cgi?id=198611 */
SND_PCI_QUIRK(0x17aa, 0x2227, "Lenovo X1 Carbon 3rd Gen", 0),
+   /* https://bugzilla.redhat.com/show_bug.cgi?id=1689623 */
+   SND_PCI_QUIRK(0x17aa, 0x367b, "Lenovo IdeaCentre B550", 0),
+   /* https://bugzilla.redhat.com/show_bug.cgi?id=1572975 */
+   SND_PCI_QUIRK(0x17aa, 0x36a7, "Lenovo C50 All in one", 0),
{}
 };
 #endif /* CONFIG_PM */
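Review bot: the commit message says the Lenovo C50 entry is moved "to keep the table sorted", but the sort key is not stated anywhere in the visible part of power_save_blacklist, and the entries are not in ascending vendor order (the 0x8086 rows precede the 0x17aa rows). A one-line comment at the top of the table naming the key, apparently device ID within each vendor group, would let the next contributor place a quirk without guessing.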




[PATCH 4.14 40/41] power: supply: charger-manager: Fix incorrect return value

2019-03-25 Thread Greg Kroah-Hartman
4.14-stable review patch.  If anyone has any objections, please let me know.

--

From: Baolin Wang 

commit f25a646fbe2051527ad9721853e892d13a99199e upstream.

Fix incorrect return value.

Signed-off-by: Baolin Wang 
Signed-off-by: Sebastian Reichel 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/power/supply/charger-manager.c |3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/drivers/power/supply/charger-manager.c
+++ b/drivers/power/supply/charger-manager.c
@@ -1212,7 +1212,6 @@ static int charger_extcon_init(struct ch
if (ret < 0) {
pr_info("Cannot register extcon_dev for %s(cable: %s)\n",
cable->extcon_name, cable->name);
-   ret = -EINVAL;
}
 
return ret;
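Review bot: in charger_extcon_init(), dropping `ret = -EINVAL;` leaves braces around a single pr_info() statement, which kernel coding style asks to remove. Since the function now propagates the real error, the message could also print ret and use pr_err(), so the log shows why the registration failed.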
@@ -1629,7 +1628,7 @@ static int charger_manager_probe(struct
 
if (IS_ERR(desc)) {
dev_err(&pdev->dev, "No platform data (desc) found\n");
-   return -ENODEV;
+   return PTR_ERR(desc);
}
 
cm = devm_kzalloc(&pdev->dev, sizeof(*cm), GFP_KERNEL);
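Review bot: in charger_manager_probe(), `return PTR_ERR(desc);` now passes through whatever error the desc lookup produced, but the dev_err() text still reads "No platform data (desc) found" for every case. Printing the error code, and skipping the message for -EPROBE_DEFER if the lookup can return it, would keep the log accurate. The commit message should also say which return values were wrong and what callers saw, since "Fix incorrect return value." gives a stable reviewer nothing to judge the backport by.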




[PATCH 4.19 24/45] ALSA: hda/ca0132 - make pci_iounmap() call conditional

2019-03-25 Thread Greg Kroah-Hartman
4.19-stable review patch.  If anyone has any objections, please let me know.

--

From: Arnd Bergmann 

commit 1e73359a24fad529b0794515b46cbfff99e5fbe6 upstream.

When building without CONFIG_PCI, we can (depending on the architecture)
get a link failure:

ERROR: "pci_iounmap" [sound/pci/hda/snd-hda-codec-ca0132.ko] undefined!

Adding a compile-time check for PCI gets it to work correctly on
32-bit ARM.

Fixes: d99501b8575d ("ALSA: hda/ca0132 - Call pci_iounmap() instead of iounmap()")
Signed-off-by: Arnd Bergmann 
Signed-off-by: Takashi Iwai 
Signed-off-by: Greg Kroah-Hartman 

---
 sound/pci/hda/patch_ca0132.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/sound/pci/hda/patch_ca0132.c
+++ b/sound/pci/hda/patch_ca0132.c
@@ -7394,7 +7394,7 @@ static void ca0132_free(struct hda_codec
ca0132_exit_chip(codec);
 
snd_hda_power_down(codec);
-   if (spec->mem_base)
+   if (IS_ENABLED(CONFIG_PCI) && spec->mem_base)
pci_iounmap(codec->bus->pci, spec->mem_base);
kfree(spec->spec_init_verbs);
kfree(codec->spec);
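Review bot: in ca0132_free(), the `IS_ENABLED(CONFIG_PCI) &&` guard is there so the compiler can drop the pci_iounmap() reference at build time, which is not obvious from the code; a short comment saying so would stop someone from removing it later as a redundant runtime check. It is also worth confirming that the place where spec->mem_base gets mapped is guarded the same way, since that side is not part of this diff.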




[PATCH 4.19 09/45] libceph: wait for latest osdmap in ceph_monc_blacklist_add()

2019-03-25 Thread Greg Kroah-Hartman
4.19-stable review patch.  If anyone has any objections, please let me know.

--

From: Ilya Dryomov 

commit bb229bbb3bf63d23128e851a1f3b85c083178fa1 upstream.

Because map updates are distributed lazily, an OSD may not know about
the new blacklist for quite some time after "osd blacklist add" command
is completed.  This makes it possible for a blacklisted but still alive
client to overwrite a post-blacklist update, resulting in data
corruption.

Waiting for latest osdmap in ceph_monc_blacklist_add() and thus using
the post-blacklist epoch for all post-blacklist requests ensures that
all such requests "wait" for the blacklist to come into force on their
respective OSDs.

Cc: sta...@vger.kernel.org
Fixes: 6305a3b41515 ("libceph: support for blacklisting clients")
Signed-off-by: Ilya Dryomov 
Reviewed-by: Jason Dillaman 
Signed-off-by: Greg Kroah-Hartman 

---
 include/linux/ceph/libceph.h |2 ++
 net/ceph/ceph_common.c   |   18 +-
 net/ceph/mon_client.c|9 +
 3 files changed, 28 insertions(+), 1 deletion(-)

--- a/include/linux/ceph/libceph.h
+++ b/include/linux/ceph/libceph.h
@@ -292,6 +292,8 @@ extern void ceph_destroy_client(struct c
 extern int __ceph_open_session(struct ceph_client *client,
   unsigned long started);
 extern int ceph_open_session(struct ceph_client *client);
+int ceph_wait_for_latest_osdmap(struct ceph_client *client,
+   unsigned long timeout);
 
 /* pagevec.c */
 extern void ceph_release_page_vector(struct page **pages, int num_pages);
--- a/net/ceph/ceph_common.c
+++ b/net/ceph/ceph_common.c
@@ -729,7 +729,6 @@ int __ceph_open_session(struct ceph_clie
 }
 EXPORT_SYMBOL(__ceph_open_session);
 
-
 int ceph_open_session(struct ceph_client *client)
 {
int ret;
@@ -745,6 +744,23 @@ int ceph_open_session(struct ceph_client
 }
 EXPORT_SYMBOL(ceph_open_session);
 
+int ceph_wait_for_latest_osdmap(struct ceph_client *client,
+   unsigned long timeout)
+{
+   u64 newest_epoch;
+   int ret;
+
+   ret = ceph_monc_get_version(&client->monc, "osdmap", &newest_epoch);
+   if (ret)
+   return ret;
+
+   if (client->osdc.osdmap->epoch >= newest_epoch)
+   return 0;
+
+   ceph_osdc_maybe_request_map(&client->osdc);
+   return ceph_monc_wait_osdmap(&client->monc, newest_epoch, timeout);
+}
+EXPORT_SYMBOL(ceph_wait_for_latest_osdmap);
 
 static int __init init_ceph_lib(void)
 {
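Review bot: ceph_wait_for_latest_osdmap() reads `client->osdc.osdmap->epoch` without taking any lock in this function; if the osdmap pointer can be swapped when a new map arrives (an assumption, the update path is not in this diff), please confirm the read is safe or take the osdc lock around it. As a newly exported symbol the function also needs a comment describing the timeout argument, in particular what 0 means, because the only caller in this patch passes 0.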
--- a/net/ceph/mon_client.c
+++ b/net/ceph/mon_client.c
@@ -922,6 +922,15 @@ int ceph_monc_blacklist_add(struct ceph_
mutex_unlock(&monc->mutex);
 
ret = wait_generic_request(req);
+   if (!ret)
+   /*
+* Make sure we have the osdmap that includes the blacklist
+* entry.  This is needed to ensure that the OSDs pick up the
+* new blacklist before processing any future requests from
+* this client.
+*/
+   ret = ceph_wait_for_latest_osdmap(monc->client, 0);
+
 out:
put_generic_request(req);
return ret;
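Review bot: in ceph_monc_blacklist_add(), a failure from ceph_wait_for_latest_osdmap() comes back through the same `ret` as a failure of the blacklist request itself, so the caller cannot tell "not blacklisted" from "blacklisted, but the new osdmap has not been seen yet". If callers should treat the two differently, that needs a distinct return path or at least a note in the function comment. On style, the `if (!ret)` body spans several lines once the comment is counted, so it should have braces.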




[PATCH 4.19 20/45] objtool: Move objtool_file struct off the stack

2019-03-25 Thread Greg Kroah-Hartman
4.19-stable review patch.  If anyone has any objections, please let me know.

--

From: Josh Poimboeuf 

commit 0c671812f152b628bd87c0af49da032cc2a2c319 upstream.

Objtool uses over 512k of stack, thanks to the hash table embedded in
the objtool_file struct.  This causes an unnecessarily large stack
allocation and breaks users with low stack limits.

Move the struct off the stack.

Fixes: 042ba73fe7eb ("objtool: Add several performance improvements")
Reported-by: Vassili Karpov 
Signed-off-by: Josh Poimboeuf 
Signed-off-by: Thomas Gleixner 
Cc: Peter Zijlstra 
Cc: sta...@vger.kernel.org
Link: https://lkml.kernel.org/r/df92dcbc4b84b02ffa252f46876df125fb56e2d7.1552954176.git.jpoim...@redhat.com
Signed-off-by: Greg Kroah-Hartman 

---
 tools/objtool/check.c |3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/tools/objtool/check.c
+++ b/tools/objtool/check.c
@@ -2157,9 +2157,10 @@ static void cleanup(struct objtool_file
elf_close(file->elf);
 }
 
+static struct objtool_file file;
+
 int check(const char *_objname, bool orc)
 {
-   struct objtool_file file;
int ret, warnings = 0;
 
objname = _objname;
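Review bot: moving `file` to a file-scope static makes check() non-reentrant, and the declaration carries no comment saying why it is static. That is acceptable for a one-shot tool, but a one-line comment ("too large for the stack, see the embedded hash table") would keep a later cleanup from moving it back into the function; allocating it on the heap in check() is the alternative if reentrancy is ever wanted.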




[PATCH 4.19 32/45] Bluetooth: hci_ldisc: Initialize hci_dev before open()

2019-03-25 Thread Greg Kroah-Hartman
4.19-stable review patch.  If anyone has any objections, please let me know.

--

From: Jeremy Cline 

commit 32a7b4cbe93b0a0ef7e63d31ca69ce54736c4412 upstream.

The hci_dev struct hdev is referenced in work queues and timers started
by open() in some protocols. This creates a race between the
initialization function and the work or timer which can result in hdev
being dereferenced while it is still null.

The syzbot report contains a reliable reproducer which causes a null
pointer dereference of hdev in hci_uart_write_work() by making the
memory allocation for hdev fail.

To fix this, ensure hdev is valid from before calling a protocol's
open() until after calling a protocol's close().

Reported-by: syzbot+257790c15bcdef6fe...@syzkaller.appspotmail.com
Signed-off-by: Jeremy Cline 
Signed-off-by: Marcel Holtmann 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/bluetooth/hci_ldisc.c |   21 ++---
 1 file changed, 14 insertions(+), 7 deletions(-)

--- a/drivers/bluetooth/hci_ldisc.c
+++ b/drivers/bluetooth/hci_ldisc.c
@@ -207,11 +207,11 @@ void hci_uart_init_work(struct work_stru
err = hci_register_dev(hu->hdev);
if (err < 0) {
BT_ERR("Can't register HCI device");
+   clear_bit(HCI_UART_PROTO_READY, &hu->flags);
+   hu->proto->close(hu);
hdev = hu->hdev;
hu->hdev = NULL;
hci_free_dev(hdev);
-   clear_bit(HCI_UART_PROTO_READY, &hu->flags);
-   hu->proto->close(hu);
return;
}
 
@@ -616,6 +616,7 @@ static void hci_uart_tty_receive(struct
 static int hci_uart_register_dev(struct hci_uart *hu)
 {
struct hci_dev *hdev;
+   int err;
 
BT_DBG("");
 
@@ -659,11 +660,22 @@ static int hci_uart_register_dev(struct
else
hdev->dev_type = HCI_PRIMARY;
 
+   /* Only call open() for the protocol after hdev is fully initialized as
+* open() (or a timer/workqueue it starts) may attempt to reference it.
+*/
+   err = hu->proto->open(hu);
+   if (err) {
+   hu->hdev = NULL;
+   hci_free_dev(hdev);
+   return err;
+   }
+
if (test_bit(HCI_UART_INIT_PENDING, &hu->hdev_flags))
return 0;
 
if (hci_register_dev(hdev) < 0) {
BT_ERR("Can't register HCI device");
+   hu->proto->close(hu);
hu->hdev = NULL;
hci_free_dev(hdev);
return -ENODEV;
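Review bot: in hci_uart_register_dev(), the new open() failure path and the hci_register_dev() failure path now both repeat `hu->hdev = NULL; hci_free_dev(hdev);`, the second with an extra close() in front; a shared error label at the end of the function would keep the teardown order in one place. The registration failure also still returns a fixed -ENODEV, where the value returned by hci_register_dev() could be passed through as the open() path just above does with err.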
@@ -683,17 +695,12 @@ static int hci_uart_set_proto(struct hci
if (!p)
return -EPROTONOSUPPORT;
 
-   err = p->open(hu);
-   if (err)
-   return err;
-
hu->proto = p;
set_bit(HCI_UART_PROTO_READY, &hu->flags);
 
err = hci_uart_register_dev(hu);
if (err) {
clear_bit(HCI_UART_PROTO_READY, &hu->flags);
-   p->close(hu);
return err;
}
 




[PATCH 4.19 38/45] loop: access lo_backing_file only when the loop device is Lo_bound

2019-03-25 Thread Greg Kroah-Hartman
4.19-stable review patch.  If anyone has any objections, please let me know.

--

From: Dongli Zhang 

commit f7c8a4120eedf24c36090b7542b179ff7a649219 upstream.

Commit 758a58d0bc67 ("loop: set GENHD_FL_NO_PART_SCAN after
blkdev_reread_part()") separates "lo->lo_backing_file = NULL" and
"lo->lo_state = Lo_unbound" into different critical regions protected by
loop_ctl_mutex.

However, there is the race below, in which the NULL lo->lo_backing_file
would be accessed when the backend of a loop is another loop device, e.g.,
loop0's backend is a file, while loop1's backend is loop0.

loop0's backend is file            loop1's backend is loop0

__loop_clr_fd()
  mutex_lock(&loop_ctl_mutex);
  lo->lo_backing_file = NULL; --> set to NULL
  mutex_unlock(&loop_ctl_mutex);
                                   loop_set_fd()
                                     mutex_lock_killable(&loop_ctl_mutex);
                                     loop_validate_file()
                                       f = l->lo_backing_file; --> NULL
                                         access if loop0 is not Lo_unbound
  mutex_lock(&loop_ctl_mutex);
  lo->lo_state = Lo_unbound;
  mutex_unlock(&loop_ctl_mutex);

lo->lo_backing_file should be accessed only when the loop device is
Lo_bound.

In fact, the problem has been introduced already in commit 7ccd0791d985
("loop: Push loop_ctl_mutex down into loop_clr_fd()") after which
loop_validate_file() could see devices in Lo_rundown state with which it
did not count. It was harmless at that point but still.

Fixes: 7ccd0791d985 ("loop: Push loop_ctl_mutex down into loop_clr_fd()")
Reported-by: syzbot+9bdc1adc1c55e7fe7...@syzkaller.appspotmail.com
Signed-off-by: Dongli Zhang 
Reviewed-by: Jan Kara 
Signed-off-by: Jens Axboe 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/block/loop.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/block/loop.c
+++ b/drivers/block/loop.c
@@ -657,7 +657,7 @@ static int loop_validate_file(struct fil
return -EBADF;
 
l = f->f_mapping->host->i_bdev->bd_disk->private_data;
-   if (l->lo_state == Lo_unbound) {
+   if (l->lo_state != Lo_bound) {
return -EINVAL;
}
f = l->lo_backing_file;
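Review bot: the new test `l->lo_state != Lo_bound` also rejects Lo_rundown, which is the case the commit message is about, but the code gives no hint of that. A one-line comment above the check saying that lo_backing_file is only valid while the device is Lo_bound would keep a later cleanup from narrowing it back to Lo_unbound; the braces around the single return can go at the same time.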




[PATCH 4.19 06/45] drm/vmwgfx: Dont double-free the mode stored in par->set_mode

2019-03-25 Thread Greg Kroah-Hartman
4.19-stable review patch.  If anyone has any objections, please let me know.

--

From: Thomas Zimmermann 

commit c2d311553855395764e2e5bf401d987ba65c2056 upstream.

When calling vmw_fb_set_par(), the mode stored in par->set_mode gets free'd
twice. The first free is in vmw_fb_kms_detach(), the second is near the
end of vmw_fb_set_par() under the name of 'old_mode'. The mode-setting code
only works correctly if the mode doesn't actually change. Removing
'old_mode' in favor of using par->set_mode directly fixes the problem.

Cc: 
Fixes: a278724aa23c ("drm/vmwgfx: Implement fbdev on kms v2")
Signed-off-by: Thomas Zimmermann 
Reviewed-by: Deepak Rawat 
Signed-off-by: Thomas Hellstrom 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/gpu/drm/vmwgfx/vmwgfx_fb.c |   12 +++-
 1 file changed, 3 insertions(+), 9 deletions(-)

--- a/drivers/gpu/drm/vmwgfx/vmwgfx_fb.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_fb.c
@@ -564,11 +564,9 @@ static int vmw_fb_set_par(struct fb_info
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
DRM_MODE_FLAG_NHSYNC | DRM_MODE_FLAG_PVSYNC)
};
-   struct drm_display_mode *old_mode;
struct drm_display_mode *mode;
int ret;
 
-   old_mode = par->set_mode;
mode = drm_mode_duplicate(vmw_priv->dev, &new_mode);
if (!mode) {
DRM_ERROR("Could not create new fb mode.\n");
@@ -579,11 +577,7 @@ static int vmw_fb_set_par(struct fb_info
mode->vdisplay = var->yres;
vmw_guess_mode_timing(mode);
 
-   if (old_mode && drm_mode_equal(old_mode, mode)) {
-   drm_mode_destroy(vmw_priv->dev, mode);
-   mode = old_mode;
-   old_mode = NULL;
-   } else if (!vmw_kms_validate_mode_vram(vmw_priv,
+   if (!vmw_kms_validate_mode_vram(vmw_priv,
mode->hdisplay *
DIV_ROUND_UP(var->bits_per_pixel, 8),
mode->vdisplay)) {
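Review bot: dropping the `drm_mode_equal(old_mode, mode)` branch does more than remove the second free: a call that requests the mode already held in par->set_mode now goes through vmw_kms_validate_mode_vram() and the rest of the mode set instead of reusing the old mode. The commit message should say that this behaviour change is intended, or the equal-mode shortcut should be kept in a form that does not alias par->set_mode.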
@@ -620,8 +614,8 @@ static int vmw_fb_set_par(struct fb_info
schedule_delayed_work(&par->local_work, 0);
 
 out_unlock:
-   if (old_mode)
-   drm_mode_destroy(vmw_priv->dev, old_mode);
+   if (par->set_mode)
+   drm_mode_destroy(vmw_priv->dev, par->set_mode);
par->set_mode = mode;
 
mutex_unlock(&par->bo_mutex);
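Review bot: at out_unlock the old mode is now destroyed through par->set_mode, so the fix only holds if vmw_fb_kms_detach(), which the commit message names as the first free, leaves par->set_mode NULL after destroying it; that is not visible in this patch and deserves a line in the commit message. Since `par->set_mode = mode` is reached from every jump to out_unlock, please also confirm that no error path arrives here with a mode it has already destroyed.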




[PATCH 4.19 33/45] Bluetooth: hci_ldisc: Postpone HCI_UART_PROTO_READY bit set in hci_uart_set_proto()

2019-03-25 Thread Greg Kroah-Hartman
4.19-stable review patch.  If anyone has any objections, please let me know.

--

From: Kefeng Wang 

commit 56897b217a1d0a91c9920cb418d6b3fe922f590a upstream.

task A:                                task B:
hci_uart_set_proto                     flush_to_ldisc
 - p->open(hu) -> h5_open  //alloc h5  - receive_buf
 - set_bit HCI_UART_PROTO_READY         - tty_port_default_receive_buf
 - hci_uart_register_dev                 - tty_ldisc_receive_buf
                                          - hci_uart_tty_receive
                                           - test_bit HCI_UART_PROTO_READY
                                            - h5_recv
 - clear_bit HCI_UART_PROTO_READY             while() {
 - p->open(hu) -> h5_close //free h5
                                              - h5_rx_3wire_hdr
                                               - h5_reset()  //use-after-free
                                              }

It could use ioctl to set hci uart proto, but there is
a use-after-free issue when hci_uart_register_dev() fails in
hci_uart_set_proto(), see stack above, fix this by setting
HCI_UART_PROTO_READY bit only when hci_uart_register_dev()
returns success.

Reported-by: syzbot+899a33dc0fa0dbaf0...@syzkaller.appspotmail.com
Signed-off-by: Kefeng Wang 
Reviewed-by: Jeremy Cline 
Signed-off-by: Marcel Holtmann 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/bluetooth/hci_ldisc.c |3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/drivers/bluetooth/hci_ldisc.c
+++ b/drivers/bluetooth/hci_ldisc.c
@@ -696,14 +696,13 @@ static int hci_uart_set_proto(struct hci
return -EPROTONOSUPPORT;
 
hu->proto = p;
-   set_bit(HCI_UART_PROTO_READY, &hu->flags);
 
err = hci_uart_register_dev(hu);
if (err) {
-   clear_bit(HCI_UART_PROTO_READY, &hu->flags);
return err;
}
 
+   set_bit(HCI_UART_PROTO_READY, &hu->flags);
return 0;
 }
 
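Review bot: `hu->proto = p` is still assigned before hci_uart_register_dev() and the `if (err)` branch returns without resetting it, so after a failed registration hu->proto keeps pointing at a protocol that never became ready. With HCI_UART_PROTO_READY now set only on success this is harmless for paths that test the bit first, but clearing hu->proto in the error branch (or commenting why it may stay) would make the failure state unambiguous.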




[PATCH 5.0 04/52] mmc: alcor: fix DMA reads

2019-03-25 Thread Greg Kroah-Hartman
5.0-stable review patch.  If anyone has any objections, please let me know.

--

From: Daniel Drake 

commit 5ea47691bd99e1100707ec63364aff72324e2af4 upstream.

Setting max_blk_count to 1 here was causing the mmc block layer
to always use the MMC_READ_SINGLE_BLOCK command here, which the
driver does not DMA-accelerate.

Drop the max_blk_ settings here. The mmc host defaults suffice,
along with the max_segs and max_seg_size settings, which I have
now documented in more detail.

Now each MMC command reads 4 512-byte blocks, using DMA instead of
PIO. On my SD card, this increases read performance (measured with dd)
from 167kb/sec to 4.6mb/sec.

Link: http://lkml.kernel.org/r/cad8lp47l5t3jnajbips1cq+yfa3l6ljtgfvmetnbry63-zd...@mail.gmail.com
Signed-off-by: Daniel Drake 
Reviewed-by: Oleksij Rempel 
Fixes: c5413ad815a6 ("mmc: add new Alcor Micro Cardreader SD/MMC driver")
Cc: sta...@vger.kernel.org
Signed-off-by: Ulf Hansson 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/mmc/host/alcor.c |   25 +++--
 1 file changed, 19 insertions(+), 6 deletions(-)

--- a/drivers/mmc/host/alcor.c
+++ b/drivers/mmc/host/alcor.c
@@ -1044,14 +1044,27 @@ static void alcor_init_mmc(struct alcor_
mmc->caps2 = MMC_CAP2_NO_SDIO;
mmc->ops = &alcor_sdc_ops;
 
-   /* Hardware cannot do scatter lists */
+   /* The hardware does DMA data transfer of 4096 bytes to/from a single
+* buffer address. Scatterlists are not supported, but upon DMA
+* completion (signalled via IRQ), the original vendor driver does
+* then immediately set up another DMA transfer of the next 4096
+* bytes.
+*
+* This means that we need to handle the I/O in 4096 byte chunks.
+* Lacking a way to limit the sglist entries to 4096 bytes, we instead
+* impose that only one segment is provided, with maximum size 4096,
+* which also happens to be the minimum size. This means that the
+* single-entry sglist handled by this driver can be handed directly
+* to the hardware, nice and simple.
+*
+* Unfortunately though, that means we only do 4096 bytes I/O per
+* MMC command. A future improvement would be to make the driver
+* accept sg lists and entries of any size, and simply iterate
+* through them 4096 bytes at a time.
+*/
mmc->max_segs = AU6601_MAX_DMA_SEGMENTS;
mmc->max_seg_size = AU6601_MAX_DMA_BLOCK_SIZE;
-
-   mmc->max_blk_size = mmc->max_seg_size;
-   mmc->max_blk_count = mmc->max_segs;
-
-   mmc->max_req_size = mmc->max_seg_size * mmc->max_segs;
+   mmc->max_req_size = mmc->max_seg_size;
 }
 
 static int alcor_pci_sdmmc_drv_probe(struct platform_device *pdev)
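Review bot: `mmc->max_req_size = mmc->max_seg_size` drops the `* mmc->max_segs` factor, which matches the new comment only if AU6601_MAX_DMA_SEGMENTS is 1, and the hunk does not show that value. Either keep the product so the limit follows the constants, or state in the comment that the single-segment assumption is what makes the two equal. The comment block should also open with a bare `/*` line to follow the usual kernel multi-line style.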




[PATCH 4.19 44/45] ALSA: hda - Enforces runtime_resume after S3 and S4 for each codec

2019-03-25 Thread Greg Kroah-Hartman
4.19-stable review patch.  If anyone has any objections, please let me know.

--

From: Hui Wang 

commit b5a236c175b0d984552a5f7c9d35141024c2b261 upstream.

Recently we found the audio jack detection stop working after suspend
on many machines with Realtek codec. Sometimes the audio selection
dialogue didn't show up after users plugged headphone/headset into
the headset jack, sometimes after users plugged headphone/headset, then
click the sound icon on the upper-right corner of gnome-desktop, it
also showed the speaker rather than the headphone.

The root cause is that before suspend, the codec already call the
runtime_suspend since this codec is not used by any apps, then in
resume, it will not call runtime_resume for this codec. But for some
realtek codec (so far, alc236, alc255 and alc891) with the specific
BIOS, if it doesn't run runtime_resume after suspend, all codec
functions including jack detection stop working anymore.

This problem existed for a long time, but it was not exposed, that is
because when problem happens, if users play sound or open
sound-setting to check audio device, this will trigger calling to
runtime_resume (via snd_hda_power_up), then the codec starts working
again before users notice this problem.

Since we don't know how many codec and BIOS combinations have this
problem, to fix it, let the driver call runtime_resume for all codecs
in pm_resume, maybe for some codecs, this is not needed, but it is
harmless. After a codec is runtime resumed, if it is not used by any
apps, it will be runtime suspended soon and furthermore we don't run
suspend frequently, this change will not add much power consumption.

Fixes: cc72da7d4d06 ("ALSA: hda - Use standard runtime PM for codec power-save control")
Signed-off-by: Hui Wang 
Signed-off-by: Takashi Iwai 
Signed-off-by: Greg Kroah-Hartman 

---
 sound/pci/hda/hda_codec.c |   20 +---
 1 file changed, 17 insertions(+), 3 deletions(-)

--- a/sound/pci/hda/hda_codec.c
+++ b/sound/pci/hda/hda_codec.c
@@ -2944,6 +2944,20 @@ static int hda_codec_runtime_resume(stru
 #endif /* CONFIG_PM */
 
 #ifdef CONFIG_PM_SLEEP
+static int hda_codec_force_resume(struct device *dev)
+{
+   int ret;
+
+   /* The get/put pair below enforces the runtime resume even if the
+* device hasn't been used at suspend time.  This trick is needed to
+* update the jack state change during the sleep.
+*/
+   pm_runtime_get_noresume(dev);
+   ret = pm_runtime_force_resume(dev);
+   pm_runtime_put(dev);
+   return ret;
+}
+
 static int hda_codec_pm_suspend(struct device *dev)
 {
dev->power.power_state = PMSG_SUSPEND;
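Review bot: hda_codec_force_resume() calls pm_runtime_put() whether or not pm_runtime_force_resume() succeeded, and the comment does not say that the put only balances the pm_runtime_get_noresume() above it. Please spell that out, together with the fact that this put is what lets an unused codec runtime-suspend again, so the pair is not mistaken for an extra reference drop. The comment should also open with a bare `/*` line.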
@@ -2953,7 +2967,7 @@ static int hda_codec_pm_suspend(struct d
 static int hda_codec_pm_resume(struct device *dev)
 {
dev->power.power_state = PMSG_RESUME;
-   return pm_runtime_force_resume(dev);
+   return hda_codec_force_resume(dev);
 }
 
 static int hda_codec_pm_freeze(struct device *dev)
@@ -2965,13 +2979,13 @@ static int hda_codec_pm_freeze(struct de
 static int hda_codec_pm_thaw(struct device *dev)
 {
dev->power.power_state = PMSG_THAW;
-   return pm_runtime_force_resume(dev);
+   return hda_codec_force_resume(dev);
 }
 
 static int hda_codec_pm_restore(struct device *dev)
 {
dev->power.power_state = PMSG_RESTORE;
-   return pm_runtime_force_resume(dev);
+   return hda_codec_force_resume(dev);
 }
 #endif /* CONFIG_PM_SLEEP */
 




[PATCH 5.0 47/52] x86/unwind: Handle NULL pointer calls better in frame unwinder

2019-03-25 Thread Greg Kroah-Hartman
5.0-stable review patch.  If anyone has any objections, please let me know.

--

From: Jann Horn 

commit f4f34e1b82eb4219d8eaa1c7e2e17ca219a6a2b5 upstream.

When the frame unwinder is invoked for an oops caused by a call to NULL, it
currently skips the parent function because BP still points to the parent's
stack frame; the (nonexistent) current function only has the first half of
a stack frame, and BP doesn't point to it yet.

Add a special case for IP==0 that calculates a fake BP from SP, then uses
the real BP for the next frame.

Note that this handles first_frame specially: Return information about the
parent function as long as the saved IP is >=first_frame, even if the fake
BP points below it.

With an artificially-added NULL call in prctl_set_seccomp(), before this
patch, the trace is:

Call Trace:
 ? prctl_set_seccomp+0x3a/0x50
 __x64_sys_prctl+0x457/0x6f0
 ? __ia32_sys_prctl+0x750/0x750
 do_syscall_64+0x72/0x160
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

After this patch, the trace is:

Call Trace:
 prctl_set_seccomp+0x3a/0x50
 __x64_sys_prctl+0x457/0x6f0
 ? __ia32_sys_prctl+0x750/0x750
 do_syscall_64+0x72/0x160
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Signed-off-by: Jann Horn 
Signed-off-by: Thomas Gleixner 
Acked-by: Josh Poimboeuf 
Cc: Borislav Petkov 
Cc: Andrew Morton 
Cc: syzbot 
Cc: "H. Peter Anvin" 
Cc: Masahiro Yamada 
Cc: Michal Marek 
Cc: linux-kbu...@vger.kernel.org
Link: https://lkml.kernel.org/r/20190301031201.7416-1-ja...@google.com
Signed-off-by: Greg Kroah-Hartman 

---
 arch/x86/include/asm/unwind.h  |6 ++
 arch/x86/kernel/unwind_frame.c |   25 ++---
 2 files changed, 28 insertions(+), 3 deletions(-)

--- a/arch/x86/include/asm/unwind.h
+++ b/arch/x86/include/asm/unwind.h
@@ -23,6 +23,12 @@ struct unwind_state {
 #elif defined(CONFIG_UNWINDER_FRAME_POINTER)
bool got_irq;
unsigned long *bp, *orig_sp, ip;
+   /*
+* If non-NULL: The current frame is incomplete and doesn't contain a
+* valid BP. When looking for the next frame, use this instead of the
+* non-existent saved BP.
+*/
+   unsigned long *next_bp;
struct pt_regs *regs;
 #else
unsigned long *sp;
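Review bot: the new next_bp field is tested for non-NULL in unwind_next_frame() and in the __unwind_start() loop, but it is only assigned inside the IP==0 branch, so the patch depends on struct unwind_state being zeroed before that point. That initialisation is not visible in these hunks; please confirm it, or set state->next_bp = NULL explicitly at the start of __unwind_start().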
--- a/arch/x86/kernel/unwind_frame.c
+++ b/arch/x86/kernel/unwind_frame.c
@@ -320,10 +320,14 @@ bool unwind_next_frame(struct unwind_sta
}
 
/* Get the next frame pointer: */
-   if (state->regs)
+   if (state->next_bp) {
+   next_bp = state->next_bp;
+   state->next_bp = NULL;
+   } else if (state->regs) {
next_bp = (unsigned long *)state->regs->bp;
-   else
+   } else {
next_bp = (unsigned long *)READ_ONCE_TASK_STACK(state->task, 
*state->bp);
+   }
 
/* Move to the next frame if it's safe: */
if (!update_stack_state(state, next_bp))
@@ -398,6 +402,21 @@ void __unwind_start(struct unwind_state
 
bp = get_frame_pointer(task, regs);
 
+   /*
+* If we crash with IP==0, the last successfully executed instruction
+* was probably an indirect function call with a NULL function pointer.
+* That means that SP points into the middle of an incomplete frame:
+* *SP is a return pointer, and *(SP-sizeof(unsigned long)) is where we
+* would have written a frame pointer if we hadn't crashed.
+* Pretend that the frame is complete and that BP points to it, but save
+* the real BP so that we can use it when looking for the next frame.
+*/
+   if (regs && regs->ip == 0 &&
+   (unsigned long *)kernel_stack_pointer(regs) >= first_frame) {
+   state->next_bp = bp;
+   bp = ((unsigned long *)kernel_stack_pointer(regs)) - 1;
+   }
+
/* Initialize stack info and make sure the frame data is accessible: */
get_stack_info(bp, state->task, &state->stack_info,
   &state->stack_mask);
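Review bot: the guard compares kernel_stack_pointer(regs) with first_frame, while the fake frame pointer is one word lower and can therefore sit below first_frame; the commit message explains this but the code comment does not. Add a sentence about first_frame to the comment, and hoist kernel_stack_pointer(regs) into a local so the call and cast are not written twice.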
@@ -410,7 +429,7 @@ void __unwind_start(struct unwind_state
 */
while (!unwind_done(state) &&
   (!on_stack(&state->stack_info, first_frame, sizeof(long)) ||
-   state->bp < first_frame))
+   (state->next_bp == NULL && state->bp < first_frame)))
unwind_next_frame(state);
 }
 EXPORT_SYMBOL_GPL(__unwind_start);
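Review bot: the loop condition gains `state->next_bp == NULL &&` but the comment that precedes the loop is left untouched, so it no longer describes when frames are skipped. Extend that comment to say that an incomplete first frame is reported even though its fake BP is below first_frame.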




[PATCH 5.0 32/52] ALSA: ac97: Fix of-node refcount unbalance

2019-03-25 Thread Greg Kroah-Hartman
5.0-stable review patch.  If anyone has any objections, please let me know.

--

From: Takashi Iwai 

commit 31d2350d602511efc9ef626b848fe521233b0387 upstream.

ac97_of_get_child_device() takes the refcount of the node explicitly
via of_node_get(), but this leads to an unbalance.  The
for_each_child_of_node() loop itself takes the refcount for each
iteration node, hence you don't need to take the extra refcount
again.

Fixes: 2225a3e6af78 ("ALSA: ac97: add codecs devicetree binding")
Reviewed-by: Robert Jarzmik 
Signed-off-by: Takashi Iwai 
Signed-off-by: Greg Kroah-Hartman 

---
 sound/ac97/bus.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/sound/ac97/bus.c
+++ b/sound/ac97/bus.c
@@ -84,7 +84,7 @@ ac97_of_get_child_device(struct ac97_con
if ((idx != of_property_read_u32(node, "reg", ®)) ||
!of_device_is_compatible(node, compat))
continue;
-   return of_node_get(node);
+   return node;
}
 
return NULL;
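Review bot: with of_node_get() removed, the node returned from inside for_each_child_of_node() carries the reference the iterator took, so the caller owns it and has to drop it with of_node_put(). The function has no comment stating that contract; add one so the next reader neither reintroduces the extra get nor forgets the put.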




[PATCH 5.0 17/52] powerpc/vdso64: Fix CLOCK_MONOTONIC inconsistencies across Y2038

2019-03-25 Thread Greg Kroah-Hartman
5.0-stable review patch.  If anyone has any objections, please let me know.

--

From: Michael Ellerman 

commit b5b4453e7912f056da1ca7572574cada32ecb60c upstream.

Jakub Drnec reported:
  Setting the realtime clock can sometimes make the monotonic clock go
  back by over a hundred years. Decreasing the realtime clock across
  the y2k38 threshold is one reliable way to reproduce. Allegedly this
  can also happen just by running ntpd, I have not managed to
  reproduce that other than booting with rtc at >2038 and then running
  ntp. When this happens, anything with timers (e.g. openjdk) breaks
  rather badly.

And included a test case (slightly edited for brevity):
  #define _POSIX_C_SOURCE 199309L
  #include <stdio.h>
  #include <stdlib.h>
  #include <time.h>
  #include <unistd.h>

  long get_time(void) {
    struct timespec tp;
    clock_gettime(CLOCK_MONOTONIC, &tp);
    return tp.tv_sec + tp.tv_nsec / 1000000000;
  }

  int main(void) {
    long last = get_time();
    while(1) {
      long now = get_time();
      if (now < last) {
        printf("clock went backwards by %ld seconds!\n", last - now);
      }
      last = now;
      sleep(1);
    }
    return 0;
  }

Which when run concurrently with:
 # date -s 2040-1-1
 # date -s 2037-1-1

Will detect the clock going backward.

The root cause is that wtom_clock_sec in struct vdso_data is only a
32-bit signed value, even though we set its value to be equal to
tk->wall_to_monotonic.tv_sec which is 64-bits.

Because the monotonic clock starts at zero when the system boots the
wall_to_monotonic.tv_sec offset is negative for current and future
dates. Currently on a freshly booted system the offset will be in the
vicinity of negative 1.5 billion seconds.

However if the wall clock is set past the Y2038 boundary, the offset
from wall to monotonic becomes less than negative 2^31, and no longer
fits in 32-bits. When that value is assigned to wtom_clock_sec it is
truncated and becomes positive, causing the VDSO assembly code to
calculate CLOCK_MONOTONIC incorrectly.

That causes CLOCK_MONOTONIC to jump ahead by ~4 billion seconds which
it is not meant to do. Worse, if the time is then set back before the
Y2038 boundary CLOCK_MONOTONIC will jump backward.

We can fix it simply by storing the full 64-bit offset in the
vdso_data, and using that in the VDSO assembly code. We also shuffle
some of the fields in vdso_data to avoid creating a hole.

The original commit that added the CLOCK_MONOTONIC support to the VDSO
did actually use a 64-bit value for wtom_clock_sec, see commit
a7f290dad32e ("[PATCH] powerpc: Merge vdso's and add vdso support to
32 bits kernel") (Nov 2005). However just 3 days later it was
converted to 32-bits in commit 0c37ec2aa88b ("[PATCH] powerpc: vdso
fixes (take #2)"), and the bug has existed since then AFAICS.

Fixes: 0c37ec2aa88b ("[PATCH] powerpc: vdso fixes (take #2)")
Cc: sta...@vger.kernel.org # v2.6.15+
Link: http://lkml.kernel.org/r/hac.zfes.62bwlnvavmp.1st...@seznam.cz
Reported-by: Jakub Drnec 
Signed-off-by: Michael Ellerman 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/powerpc/include/asm/vdso_datapage.h  |8 
 arch/powerpc/kernel/vdso64/gettimeofday.S |4 ++--
 2 files changed, 6 insertions(+), 6 deletions(-)

--- a/arch/powerpc/include/asm/vdso_datapage.h
+++ b/arch/powerpc/include/asm/vdso_datapage.h
@@ -82,10 +82,10 @@ struct vdso_data {
__u32 icache_block_size;/* L1 i-cache block size */
__u32 dcache_log_block_size;/* L1 d-cache log block size */
__u32 icache_log_block_size;/* L1 i-cache log block size */
-   __s32 wtom_clock_sec;   /* Wall to monotonic clock */
-   __s32 wtom_clock_nsec;
-   struct timespec stamp_xtime;/* xtime as at tb_orig_stamp */
-   __u32 stamp_sec_fraction;   /* fractional seconds of stamp_xtime */
+   __u32 stamp_sec_fraction;   /* fractional seconds of 
stamp_xtime */
+   __s32 wtom_clock_nsec;  /* Wall to monotonic clock nsec 
*/
+   __s64 wtom_clock_sec;   /* Wall to monotonic clock sec 
*/
+   struct timespec stamp_xtime;/* xtime as at tb_orig_stamp */
__u32 syscall_map_64[SYSCALL_MAP_SIZE]; /* map of syscalls  */
__u32 syscall_map_32[SYSCALL_MAP_SIZE]; /* map of syscalls */
 };
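Review bot: wtom_clock_sec becomes __s64, but the diffstat shows only vdso64/gettimeofday.S switching from lwa to ld; any other code that loads WTOM_CLOCK_SEC with a 32-bit instruction would now read only half of the field. Please check the remaining users of that offset, or say in the commit message why there are none.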
--- a/arch/powerpc/kernel/vdso64/gettimeofday.S
+++ b/arch/powerpc/kernel/vdso64/gettimeofday.S
@@ -92,7 +92,7 @@ V_FUNCTION_BEGIN(__kernel_clock_gettime)
 * At this point, r4,r5 contain our sec/nsec values.
 */
 
-   lwa r6,WTOM_CLOCK_SEC(r3)
+   ld  r6,WTOM_CLOCK_SEC(r3)
lwa r9,WTOM_CLOCK_NSEC(r3)
 
/* We now have our result in r6,r9. We create a fake dependency
@@ -125,7 +125,7 @@ V_FUNCTION_BEGIN(__kernel_clock_gettime)
bne cr6,75f
 
/* CLOCK_MONOTONIC_COARSE */
-   lwa r6,WTOM_CLOCK_SEC(r3)
+   ld  r6,WTOM_CLOCK_SEC(r3)
lwa r9,WTOM_CLOCK_N

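The truncation described in the commit message above, as an added example that is not part of the original patch or of the kernel sources. It is a userspace model: `struct vdso_model`, `model_settime()`, `read_mono()` and the wall-clock constants are hypothetical names and constructed values, and the sequence mirrors the `date -s 2040-1-1` / `date -s 2037-1-1` reproducer.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed wall-clock values, seconds since the epoch (UTC). */
#define WALL_BOOT 1553472000LL /* 2019-03-25 00:00:00 */
#define WALL_2037 2114380800LL /* 2037-01-01 00:00:00 */
#define WALL_2040 2208988800LL /* 2040-01-01 00:00:00 */

/* Hypothetical model of the vdso_data fields the patch is about. */
struct vdso_model {
    int64_t xtime_sec;     /* wall-clock seconds published to the vDSO */
    int64_t wtom_sec_full; /* wall_to_monotonic.tv_sec, full 64-bit value */
    int32_t wtom_sec_s32;  /* the same value stored in the old __s32 field */
};

/* Set the wall clock; the true monotonic time (mono_now) must not change,
 * so the wall-to-monotonic offset absorbs the whole step. */
static void model_settime(struct vdso_model *v, int64_t mono_now, int64_t new_wall)
{
    v->xtime_sec = new_wall;
    v->wtom_sec_full = mono_now - new_wall;
    /* Keep only the low 32 bits, as assigning to a 32-bit field does.
     * (The final conversion is implementation-defined in C; GCC and Clang
     * wrap modulo 2^32.) */
    v->wtom_sec_s32 = (int32_t)(uint32_t)(uint64_t)v->wtom_sec_full;
}

/* What the vDSO computes: wall seconds plus the published offset.
 * use_s64 == 0 models the sign-extending 32-bit load (lwa),
 * use_s64 != 0 models the 64-bit load (ld). */
static int64_t read_mono(const struct vdso_model *v, int use_s64)
{
    int64_t wtom = use_s64 ? v->wtom_sec_full : (int64_t)v->wtom_sec_s32;
    return v->xtime_sec + wtom;
}

/* Replay the reproducer and return the largest backward step, in seconds,
 * that a CLOCK_MONOTONIC reader would observe (0 if time never went back). */
int64_t worst_backward_step(int use_s64)
{
    static const int64_t wall_sets[] = { WALL_2040, WALL_2037 };
    struct vdso_model v;
    int64_t mono = 100; /* constructed uptime in seconds */
    int64_t last, worst = 0;

    model_settime(&v, mono, WALL_BOOT + mono);
    last = read_mono(&v, use_s64);

    for (size_t i = 0; i < sizeof(wall_sets) / sizeof(wall_sets[0]); i++) {
        mono++; /* one second passes between the two date -s calls */
        model_settime(&v, mono, wall_sets[i]);
        int64_t now = read_mono(&v, use_s64);
        if (last - now > worst)
            worst = last - now;
        last = now;
    }
    return worst;
}

int main(void)
{
    printf("__s32 field: worst backward step %lld s\n",
           (long long)worst_backward_step(0));
    printf("__s64 field: worst backward step %lld s\n",
           (long long)worst_backward_step(1));
    return 0;
}
```

The 32-bit variant first jumps ahead by 2^32 seconds when the clock is set to 2040 and then falls back by almost the same amount when it is set to 2037, which is the "over a hundred years" step in the report.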
[PATCH 5.0 09/52] drm/vmwgfx: Return 0 when gmrid::get_node runs out of IDs

2019-03-25 Thread Greg Kroah-Hartman
5.0-stable review patch.  If anyone has any objections, please let me know.

--

From: Deepak Rawat 

commit 4b9ce3a651a37c60527101db4451a315a8b9588f upstream.

If it's not a system error and get_node implementation accommodate the
buffer object then it should return 0 with memm::mm_node set to NULL.

v2: Test for id != -ENOMEM instead of id == -ENOSPC.

Cc: 
Fixes: 4eb085e42fde ("drm/vmwgfx: Convert to new IDA API")
Signed-off-by: Deepak Rawat 
Reviewed-by: Thomas Hellstrom 
Signed-off-by: Thomas Hellstrom 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/gpu/drm/vmwgfx/vmwgfx_gmrid_manager.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/gpu/drm/vmwgfx/vmwgfx_gmrid_manager.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_gmrid_manager.c
@@ -57,7 +57,7 @@ static int vmw_gmrid_man_get_node(struct
 
id = ida_alloc_max(&gman->gmr_ida, gman->max_gmr_ids - 1, GFP_KERNEL);
if (id < 0)
-   return id;
+   return (id != -ENOMEM ? 0 : id);
 
spin_lock(&gman->lock);
 
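Review bot: `return (id != -ENOMEM ? 0 : id);` turns every failure other than -ENOMEM into success, which is only correct if mm_node is still NULL at this point, as the commit message requires; the hunk does not show that. Set it explicitly before the ida_alloc_max() call or add a comment saying where it is cleared, and write the return without the outer parentheses, for example `return id == -ENOMEM ? id : 0;`.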




[PATCH 5.0 46/52] loop: access lo_backing_file only when the loop device is Lo_bound

2019-03-25 Thread Greg Kroah-Hartman
5.0-stable review patch.  If anyone has any objections, please let me know.

--

From: Dongli Zhang 

commit f7c8a4120eedf24c36090b7542b179ff7a649219 upstream.

Commit 758a58d0bc67 ("loop: set GENHD_FL_NO_PART_SCAN after
blkdev_reread_part()") separates "lo->lo_backing_file = NULL" and
"lo->lo_state = Lo_unbound" into different critical regions protected by
loop_ctl_mutex.

However, there is below race that the NULL lo->lo_backing_file would be
accessed when the backend of a loop is another loop device, e.g., loop0's
backend is a file, while loop1's backend is loop0.

loop0's backend is file            loop1's backend is loop0

__loop_clr_fd()
  mutex_lock(&loop_ctl_mutex);
  lo->lo_backing_file = NULL; --> set to NULL
  mutex_unlock(&loop_ctl_mutex);
                                   loop_set_fd()
                                     mutex_lock_killable(&loop_ctl_mutex);
                                     loop_validate_file()
                                       f = l->lo_backing_file; --> NULL
                                         access if loop0 is not Lo_unbound
  mutex_lock(&loop_ctl_mutex);
  lo->lo_state = Lo_unbound;
  mutex_unlock(&loop_ctl_mutex);

lo->lo_backing_file should be accessed only when the loop device is
Lo_bound.

In fact, the problem has been introduced already in commit 7ccd0791d985
("loop: Push loop_ctl_mutex down into loop_clr_fd()") after which
loop_validate_file() could see devices in Lo_rundown state with which it
did not count. It was harmless at that point but still.

Fixes: 7ccd0791d985 ("loop: Push loop_ctl_mutex down into loop_clr_fd()")
Reported-by: syzbot+9bdc1adc1c55e7fe7...@syzkaller.appspotmail.com
Signed-off-by: Dongli Zhang 
Reviewed-by: Jan Kara 
Signed-off-by: Jens Axboe 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/block/loop.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/block/loop.c
+++ b/drivers/block/loop.c
@@ -656,7 +656,7 @@ static int loop_validate_file(struct fil
return -EBADF;
 
l = f->f_mapping->host->i_bdev->bd_disk->private_data;
-   if (l->lo_state == Lo_unbound) {
+   if (l->lo_state != Lo_bound) {
return -EINVAL;
}
f = l->lo_backing_file;
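Review bot: the state test and the `f = l->lo_backing_file` read that follows it are only consistent if the caller holds loop_ctl_mutex across both, as loop_set_fd() does in the commit message's trace. Nothing in loop_validate_file() states that requirement; if every caller does hold the mutex, a lockdep_assert_held(&loop_ctl_mutex) at the top of the function would document and enforce it.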




[PATCH 5.0 45/52] netfilter: ebtables: remove BUGPRINT messages

2019-03-25 Thread Greg Kroah-Hartman
5.0-stable review patch.  If anyone has any objections, please let me know.

--

From: Florian Westphal 

commit d824548dae220820bdf69b2d1561b7c4b072783f upstream.

They are however frequently triggered by syzkaller, so remove them.

ebtables userspace should never trigger any of these, so there is little
value in making them pr_debug (or ratelimited).

Signed-off-by: Florian Westphal 
Signed-off-by: Pablo Neira Ayuso 
Signed-off-by: Greg Kroah-Hartman 

---
 net/bridge/netfilter/ebtables.c |  131 +++-
 1 file changed, 39 insertions(+), 92 deletions(-)

--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -31,10 +31,6 @@
 /* needed for logical [in,out]-dev filtering */
 #include "../br_private.h"
 
-#define BUGPRINT(format, args...) printk("kernel msg: ebtables bug: please "\
-"report to author: "format, ## args)
-/* #define BUGPRINT(format, args...) */
-
 /* Each cpu has its own set of counters, so there is no need for write_lock in
  * the softirq
  * For reading or updating the counters, the user context needs to
@@ -466,8 +462,6 @@ static int ebt_verify_pointers(const str
/* we make userspace set this right,
 * so there is no misunderstanding
 */
-   BUGPRINT("EBT_ENTRY_OR_ENTRIES shouldn't be set 
"
-"in distinguisher\n");
return -EINVAL;
}
if (i != NF_BR_NUMHOOKS)
@@ -485,18 +479,14 @@ static int ebt_verify_pointers(const str
offset += e->next_offset;
}
}
-   if (offset != limit) {
-   BUGPRINT("entries_size too small\n");
+   if (offset != limit)
return -EINVAL;
-   }
 
/* check if all valid hooks have a chain */
for (i = 0; i < NF_BR_NUMHOOKS; i++) {
if (!newinfo->hook_entry[i] &&
-  (valid_hooks & (1 << i))) {
-   BUGPRINT("Valid hook without chain\n");
+  (valid_hooks & (1 << i)))
return -EINVAL;
-   }
}
return 0;
 }
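Review bot: with the BUGPRINT strings gone, `if (offset != limit)` and the hook loop below it return the same bare -EINVAL and nothing records what each test means (the removed strings were "entries_size too small" and "Valid hook without chain"). Keeping that wording as short comments above the checks would preserve the documentation without any logging.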
@@ -523,26 +513,20 @@ ebt_check_entry_size_and_hooks(const str
/* this checks if the previous chain has as many entries
 * as it said it has
 */
-   if (*n != *cnt) {
-   BUGPRINT("nentries does not equal the nr of entries "
-"in the chain\n");
+   if (*n != *cnt)
return -EINVAL;
-   }
+
if (((struct ebt_entries *)e)->policy != EBT_DROP &&
   ((struct ebt_entries *)e)->policy != EBT_ACCEPT) {
/* only RETURN from udc */
if (i != NF_BR_NUMHOOKS ||
-  ((struct ebt_entries *)e)->policy != EBT_RETURN) {
-   BUGPRINT("bad policy\n");
+  ((struct ebt_entries *)e)->policy != EBT_RETURN)
return -EINVAL;
-   }
}
if (i == NF_BR_NUMHOOKS) /* it's a user defined chain */
(*udc_cnt)++;
-   if (((struct ebt_entries *)e)->counter_offset != *totalcnt) {
-   BUGPRINT("counter_offset != totalcnt");
+   if (((struct ebt_entries *)e)->counter_offset != *totalcnt)
return -EINVAL;
-   }
*n = ((struct ebt_entries *)e)->nentries;
*cnt = 0;
return 0;
@@ -550,15 +534,13 @@ ebt_check_entry_size_and_hooks(const str
/* a plain old entry, heh */
if (sizeof(struct ebt_entry) > e->watchers_offset ||
   e->watchers_offset > e->target_offset ||
-  e->target_offset >= e->next_offset) {
-   BUGPRINT("entry offsets not in right order\n");
+  e->target_offset >= e->next_offset)
return -EINVAL;
-   }
+
/* this is not checked anywhere else */
-   if (e->next_offset - e->target_offset < sizeof(struct 
ebt_entry_target)) {
-   BUGPRINT("target size too small\n");
+   if (e->next_offset - e->target_offset < sizeof(struct ebt_entry_target))
return -EINVAL;
-   }
+
(*cnt)++;
(*totalcnt)++;
return 0;
@@ -678,18 +660,15 @@ ebt_check_entry(struct ebt_entry *e, str
if (e->bitmask == 0)
return 0;
 
-   if (e->bitmask & ~EBT_F_MASK) {
-   BUGPRINT("Unknown flag for bitmask\n");
+   if (e->bitmask & ~EBT_F_MASK)
return -EINVAL;
-   }
-   if (e->invflags & ~EBT_INV_MASK) {
-   BUGPRINT("Unknown flag f

[PATCH 5.0 37/52] Bluetooth: hci_uart: Check if socket buffer is ERR_PTR in h4_recv_buf()

2019-03-25 Thread Greg Kroah-Hartman
5.0-stable review patch.  If anyone has any objections, please let me know.

--

From: Myungho Jung 

commit 1dc2d785156cbdc80806c32e8d2c7c735d0b4721 upstream.

h4_recv_buf() callers store the return value to socket buffer and
recursively pass the buffer to h4_recv_buf() without protection. So,
ERR_PTR returned from h4_recv_buf() can be dereferenced, if called again
before setting the socket buffer to NULL from previous error. Check if
skb is ERR_PTR in h4_recv_buf().

Reported-by: syzbot+017a32f149406df32...@syzkaller.appspotmail.com
Signed-off-by: Myungho Jung 
Signed-off-by: Marcel Holtmann 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/bluetooth/h4_recv.h |4 
 drivers/bluetooth/hci_h4.c  |4 
 2 files changed, 8 insertions(+)

--- a/drivers/bluetooth/h4_recv.h
+++ b/drivers/bluetooth/h4_recv.h
@@ -60,6 +60,10 @@ static inline struct sk_buff *h4_recv_bu
  const struct h4_recv_pkt *pkts,
  int pkts_count)
 {
+   /* Check for error from previous call */
+   if (IS_ERR(skb))
+   skb = NULL;
+
while (count) {
int i, len;
 
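Review bot: resetting an IS_ERR() skb to NULL on entry makes the function tolerate a stale error pointer, but the error is dropped silently and the callers that store the return value without checking it stay as they are. Consider also fixing those callers so they never keep an ERR_PTR in their receive buffer, and expand the comment to say which caller pattern this guards against.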
--- a/drivers/bluetooth/hci_h4.c
+++ b/drivers/bluetooth/hci_h4.c
@@ -174,6 +174,10 @@ struct sk_buff *h4_recv_buf(struct hci_d
struct hci_uart *hu = hci_get_drvdata(hdev);
u8 alignment = hu->alignment ? hu->alignment : 1;
 
+   /* Check for error from previous call */
+   if (IS_ERR(skb))
+   skb = NULL;
+
while (count) {
int i, len;
 
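Review bot: this is the same four-line guard as in h4_recv.h, so the two copies of h4_recv_buf() now have to be kept in step by hand. A shared helper, or a comment in each copy pointing at the other, would reduce the chance that a later fix lands in only one of them.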


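The failure mode from the commit message above, as an added userspace example that is not code from the patch or the kernel. `toy_recv_buf()`, `struct toy_skb`, `feed_twice()` and the byte strings are hypothetical, constructed stand-ins; the ERR_PTR helpers only imitate the kernel's encoding, and the place where real code would dereference the error pointer is counted instead of executed.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace imitation of the kernel helpers: the top 4095 addresses
 * encode negative errno values. */
#define MAX_ERRNO 4095
static void *ERR_PTR(long err) { return (void *)(intptr_t)err; }
static int IS_ERR(const void *p) { return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO; }

struct toy_skb { uint8_t data[16]; size_t len; };

enum { TOY_PKT_EVENT = 0x04 }; /* constructed: only type the toy parser accepts */

static int bad_derefs; /* times an ERR_PTR would have been dereferenced */

/* Same calling shape as the function in the patch: takes the partially
 * assembled buffer, returns it for the next call, or ERR_PTR() on error.
 * guarded != 0 enables the check the patch adds at the top. */
static struct toy_skb *toy_recv_buf(struct toy_skb *skb, const uint8_t *data,
                                    int count, int guarded)
{
    /* Check for error from previous call */
    if (guarded && IS_ERR(skb))
        skb = NULL;

    while (count) {
        if (!skb) {
            if (data[0] != TOY_PKT_EVENT)
                return ERR_PTR(-EILSEQ);
            skb = calloc(1, sizeof(*skb));
            if (!skb)
                return ERR_PTR(-ENOMEM);
            data++;
            count--;
            continue;
        }
        if (IS_ERR(skb)) {
            /* Non-NULL, so the code above treats it as a live buffer;
             * the real function would now write through it. */
            bad_derefs++;
            return skb;
        }
        if (skb->len < sizeof(skb->data))
            skb->data[skb->len++] = *data;
        data++;
        count--;
    }
    return skb;
}

/* Caller pattern from the commit message: the return value is stored and
 * passed straight back in before anyone resets it after an error. */
int feed_twice(int guarded)
{
    static const uint8_t garbage[] = { 0xff, 0x00 };             /* unknown type */
    static const uint8_t event[] = { TOY_PKT_EVENT, 0x0e, 0x01 }; /* valid start */
    struct toy_skb *rx_skb = NULL;
    int n;

    bad_derefs = 0;
    rx_skb = toy_recv_buf(rx_skb, garbage, (int)sizeof(garbage), guarded);
    rx_skb = toy_recv_buf(rx_skb, event, (int)sizeof(event), guarded);
    n = bad_derefs;
    if (!IS_ERR(rx_skb))
        free(rx_skb);
    return n;
}

int main(void)
{
    printf("without guard: %d bad dereference(s)\n", feed_twice(0));
    printf("with guard:    %d bad dereference(s)\n", feed_twice(1));
    return 0;
}
```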


[PATCH 5.0 41/52] drm/vkms: Fix flush_work() without INIT_WORK().

2019-03-25 Thread Greg Kroah-Hartman
5.0-stable review patch.  If anyone has any objections, please let me know.

--

From: Tetsuo Handa 

commit b30b61ff6b1dc37f276cf56a8328b80086a3ffca upstream.

syzbot is hitting a lockdep warning [1] because flush_work() is called
without INIT_WORK() after kzalloc() at vkms_atomic_crtc_reset().

Commit 6c234fe37c57627a ("drm/vkms: Implement CRC debugfs API") added
INIT_WORK() to only vkms_atomic_crtc_duplicate_state() side. Assuming
that lifecycle of crc_work is appropriately managed, fix this problem
by adding INIT_WORK() to vkms_atomic_crtc_reset() side.

[1] https://syzkaller.appspot.com/bug?id=a5954455fcfa51c29ca2ab55b203076337e1c770

Reported-and-tested-by: syzbot 

Signed-off-by: Tetsuo Handa 
Reviewed-by: Shayenne Moura 
Signed-off-by: Daniel Vetter 
Link: https://patchwork.freedesktop.org/patch/msgid/1547829823-9877-1-git-send-email-penguin-ker...@i-love.sakura.ne.jp
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/gpu/drm/vkms/vkms_crtc.c |1 +
 1 file changed, 1 insertion(+)

--- a/drivers/gpu/drm/vkms/vkms_crtc.c
+++ b/drivers/gpu/drm/vkms/vkms_crtc.c
@@ -98,6 +98,7 @@ static void vkms_atomic_crtc_reset(struc
vkms_state = kzalloc(sizeof(*vkms_state), GFP_KERNEL);
if (!vkms_state)
return;
+   INIT_WORK(&vkms_state->crc_work, vkms_crc_work_handle);
 
crtc->state = &vkms_state->base;
crtc->state->crtc = crtc;
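Review bot: INIT_WORK() for crc_work is now done separately here and, per the commit message, in vkms_atomic_crtc_duplicate_state(), so a third place that allocates a vkms state would hit the same flush_work() warning. Consider one small helper that allocates and initialises the state so the work item cannot be left uninitialised.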




[PATCH 5.0 43/52] f2fs: fix to avoid deadlock of atomic file operations

2019-03-25 Thread Greg Kroah-Hartman
5.0-stable review patch.  If anyone has any objections, please let me know.

--

From: Chao Yu 

commit 48432984d718c95cf13e26d487c2d1b697c3c01f upstream.

Thread A                                Thread B
- __fput
 - f2fs_release_file
  - drop_inmem_pages
   - mutex_lock(&fi->inmem_lock)
   - __revoke_inmem_pages
    - lock_page(page)
                                        - open
                                        - f2fs_setattr
                                        - truncate_setsize
                                         - truncate_inode_pages_range
                                          - lock_page(page)
                                          - truncate_cleanup_page
                                           - f2fs_invalidate_page
                                            - drop_inmem_page
                                            - mutex_lock(&fi->inmem_lock);

We may encounter above ABBA deadlock as reported by Kyungtae Kim:

I'm reporting a bug in linux-4.17.19: "INFO: task hung in
drop_inmem_page" (no reproducer)

I think this might be somehow related to the following:
https://groups.google.com/forum/#!searchin/syzkaller-bugs/INFO$3A$20task$20hung$20in$20%7Csort:date/syzkaller-bugs/c6soBTrdaIo/AjAzPeIzCgAJ

=
INFO: task syz-executor7:10822 blocked for more than 120 seconds.
  Not tainted 4.17.19 #1
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor7   D27024 10822   6346 0x0004
Call Trace:
 context_switch kernel/sched/core.c:2867 [inline]
 __schedule+0x721/0x1e60 kernel/sched/core.c:3515
 schedule+0x88/0x1c0 kernel/sched/core.c:3559
 schedule_preempt_disabled+0x18/0x30 kernel/sched/core.c:3617
 __mutex_lock_common kernel/locking/mutex.c:833 [inline]
 __mutex_lock+0x5bd/0x1410 kernel/locking/mutex.c:893
 mutex_lock_nested+0x1b/0x20 kernel/locking/mutex.c:908
 drop_inmem_page+0xcb/0x810 fs/f2fs/segment.c:327
 f2fs_invalidate_page+0x337/0x5e0 fs/f2fs/data.c:2401
 do_invalidatepage mm/truncate.c:165 [inline]
 truncate_cleanup_page+0x261/0x330 mm/truncate.c:187
 truncate_inode_pages_range+0x552/0x1610 mm/truncate.c:367
 truncate_inode_pages mm/truncate.c:478 [inline]
 truncate_pagecache+0x6d/0x90 mm/truncate.c:801
 truncate_setsize+0x81/0xa0 mm/truncate.c:826
 f2fs_setattr+0x44f/0x1270 fs/f2fs/file.c:781
 notify_change+0xa62/0xe80 fs/attr.c:313
 do_truncate+0x12e/0x1e0 fs/open.c:63
 do_last fs/namei.c:2955 [inline]
 path_openat+0x2042/0x29f0 fs/namei.c:3505
 do_filp_open+0x1bd/0x2c0 fs/namei.c:3540
 do_sys_open+0x35e/0x4e0 fs/open.c:1101
 __do_sys_open fs/open.c:1119 [inline]
 __se_sys_open fs/open.c:1114 [inline]
 __x64_sys_open+0x89/0xc0 fs/open.c:1114
 do_syscall_64+0xc4/0x4e0 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4497b9
RSP: 002b:7f734e459c68 EFLAGS: 0246 ORIG_RAX: 0002
RAX: ffda RBX: 7f734e45a6cc RCX: 004497b9
RDX: 0104 RSI: 000a8280 RDI: 2080
RBP: 0071bea0 R08:  R09: 
R10:  R11: 0246 R12: 
R13: 7230 R14: 006f02d0 R15: 7f734e45a700
INFO: task syz-executor7:10858 blocked for more than 120 seconds.
  Not tainted 4.17.19 #1
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor7   D28880 10858   6346 0x0004
Call Trace:
 context_switch kernel/sched/core.c:2867 [inline]
 __schedule+0x721/0x1e60 kernel/sched/core.c:3515
 schedule+0x88/0x1c0 kernel/sched/core.c:3559
 __rwsem_down_write_failed_common kernel/locking/rwsem-xadd.c:565 [inline]
 rwsem_down_write_failed+0x5e6/0xc90 kernel/locking/rwsem-xadd.c:594
 call_rwsem_down_write_failed+0x17/0x30 arch/x86/lib/rwsem.S:117
 __down_write arch/x86/include/asm/rwsem.h:142 [inline]
 down_write+0x58/0xa0 kernel/locking/rwsem.c:72
 inode_lock include/linux/fs.h:713 [inline]
 do_truncate+0x120/0x1e0 fs/open.c:61
 do_last fs/namei.c:2955 [inline]
 path_openat+0x2042/0x29f0 fs/namei.c:3505
 do_filp_open+0x1bd/0x2c0 fs/namei.c:3540
 do_sys_open+0x35e/0x4e0 fs/open.c:1101
 __do_sys_open fs/open.c:1119 [inline]
 __se_sys_open fs/open.c:1114 [inline]
 __x64_sys_open+0x89/0xc0 fs/open.c:1114
 do_syscall_64+0xc4/0x4e0 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4497b9
RSP: 002b:7f734e3b4c68 EFLAGS: 0246 ORIG_RAX: 0002
RAX: ffda RBX: 7f734e3b56cc RCX: 004497b9
RDX: 0104 RSI: 000a8280 RDI: 2080
RBP: 0071c238 R08:  R09: 
R10:  R11: 0246 R12: 
R13: 7230 R14: 006f02d0 R15: 7f734e3b5700
INFO: task syz-executor5:10829 blocked for more than 120 seconds.
  Not tainted 4.17.19 #1
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor5   D28760 10829

[PATCH 5.0 44/52] aio: simplify - and fix - fget/fput for io_submit()

2019-03-25 Thread Greg Kroah-Hartman
5.0-stable review patch.  If anyone has any objections, please let me know.

--

From: Linus Torvalds 

commit 84c4e1f89fefe70554da0ab33be72c9be7994379 upstream.

Al Viro root-caused a race where the IOCB_CMD_POLL handling of
fget/fput() could cause us to access the file pointer after it had
already been freed:

 "In more details - normally IOCB_CMD_POLL handling looks so:

   1) io_submit(2) allocates aio_kiocb instance and passes it to
  aio_poll()

   2) aio_poll() resolves the descriptor to struct file by req->file =
  fget(iocb->aio_fildes)

   3) aio_poll() sets ->woken to false and raises ->ki_refcnt of that
  aio_kiocb to 2 (bumps by 1, that is).

   4) aio_poll() calls vfs_poll(). After sanity checks (basically,
  "poll_wait() had been called and only once") it locks the queue.
  That's what the extra reference to iocb had been for - we know we
  can safely access it.

   5) With queue locked, we check if ->woken has already been set to
  true (by aio_poll_wake()) and, if it had been, we unlock the
  queue, drop a reference to aio_kiocb and bugger off - at that
  point it's a responsibility to aio_poll_wake() and the stuff
  called/scheduled by it. That code will drop the reference to file
  in req->file, along with the other reference to our aio_kiocb.

   6) otherwise, we see whether we need to wait. If we do, we unlock the
  queue, drop one reference to aio_kiocb and go away - eventual
  wakeup (or cancel) will deal with the reference to file and with
  the other reference to aio_kiocb

   7) otherwise we remove ourselves from waitqueue (still under the
  queue lock), so that wakeup won't get us. No async activity will
  be happening, so we can safely drop req->file and iocb ourselves.

  If wakeup happens while we are in vfs_poll(), we are fine - aio_kiocb
  won't get freed under us, so we can do all the checks and locking
  safely. And we don't touch ->file if we detect that case.

  However, vfs_poll() most certainly *does* touch the file it had been
  given. So wakeup coming while we are still in ->poll() might end up
  doing fput() on that file. That case is not too rare, and usually we
  are saved by the still present reference from descriptor table - that
  fput() is not the final one.

  But if another thread closes that descriptor right after our fget()
  and wakeup does happen before ->poll() returns, we are in trouble -
  final fput() done while we are in the middle of a method:

Al also wrote a patch to take an extra reference to the file descriptor
to fix this, but I instead suggested we just streamline the whole file
pointer handling by submit_io() so that the generic aio submission code
simply keeps the file pointer around until the aio has completed.

Fixes: bfe4037e722e ("aio: implement IOCB_CMD_POLL")
Acked-by: Al Viro 
Reported-by: syzbot+503d4cc169fcec1cb...@syzkaller.appspotmail.com
Signed-off-by: Linus Torvalds 
Signed-off-by: Greg Kroah-Hartman 

---
 fs/aio.c   |   72 +
 include/linux/fs.h |8 +
 2 files changed, 36 insertions(+), 44 deletions(-)

--- a/fs/aio.c
+++ b/fs/aio.c
@@ -167,9 +167,13 @@ struct kioctx {
unsignedid;
 };
 
+/*
+ * First field must be the file pointer in all the
+ * iocb unions! See also 'struct kiocb' in 
+ */
 struct fsync_iocb {
-   struct work_struct  work;
struct file *file;
+   struct work_struct  work;
booldatasync;
 };
 
@@ -183,8 +187,15 @@ struct poll_iocb {
struct work_struct  work;
 };
 
+/*
+ * NOTE! Each of the iocb union members has the file pointer
+ * as the first entry in their struct definition. So you can
+ * access the file pointer through any of the sub-structs,
+ * or directly as just 'ki_filp' in this struct.
+ */
 struct aio_kiocb {
union {
+   struct file *ki_filp;
struct kiocbrw;
struct fsync_iocb   fsync;
struct poll_iocbpoll;
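
Review bot: the rule that every member of the union in struct aio_kiocb starts with a struct file pointer is enforced only by the two comments added here, while iocb_put() will fput() whatever sits at offset 0 through ki_filp. A later field reorder in struct kiocb, struct fsync_iocb or struct poll_iocb would silently turn ki_filp into a type-confused pointer. Suggest backing the comments with compile-time checks, for example BUILD_BUG_ON(offsetof(struct fsync_iocb, file) != 0) and the equivalent for the rw and poll members.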
@@ -1060,6 +1071,8 @@ static inline void iocb_put(struct aio_k
 {
if (refcount_read(&iocb->ki_refcnt) == 0 ||
refcount_dec_and_test(&iocb->ki_refcnt)) {
+   if (iocb->ki_filp)
+   fput(iocb->ki_filp);
percpu_ref_put(&iocb->ki_ctx->reqs);
kmem_cache_free(kiocb_cachep, iocb);
}
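
Review bot: the new if (iocb->ki_filp) test in iocb_put() is only correct if ki_filp is guaranteed to be NULL for a request that is released before a file was ever attached, and none of the visible hunks show where that is established. Please point to (or add) the zeroing of the request at allocation time, and add a one-line comment here saying that this is the single place where the submission-time file reference is dropped.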
@@ -1424,7 +1437,6 @@ static void aio_complete_rw(struct kiocb
file_end_write(kiocb->ki_filp);
}
 
-   fput(kiocb->ki_filp);
aio_complete(iocb, res, res2);
 }
 
@@ -1432,9 +1444,6 @@ static int aio_prep_rw(struct kiocb *req
 {
int ret;
 
-   req->ki_filp = fget(iocb->aio_fildes);
-   if (unlikely(!req->ki_filp))
-   return -EBADF;
req->ki_complete = aio_complete_rw;
req->private = NULL;
req->ki_pos = iocb
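
Review bot: with the fget() and the -EBADF return removed from aio_prep_rw(), this function now trusts req->ki_filp to have been set by its caller, but the replacement lookup is not visible in the part of the patch shown here. Please confirm that the caller performs the fget() and fails the submission with -EBADF before aio_prep_rw() runs, since everything after this point uses the file pointer without checking it.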

[PATCH 5.0 40/52] Bluetooth: hci_ldisc: Postpone HCI_UART_PROTO_READY bit set in hci_uart_set_proto()

2019-03-25 Thread Greg Kroah-Hartman
5.0-stable review patch.  If anyone has any objections, please let me know.

--

From: Kefeng Wang 

commit 56897b217a1d0a91c9920cb418d6b3fe922f590a upstream.

task A:                                 task B:
hci_uart_set_proto                      flush_to_ldisc
 - p->open(hu) -> h5_open  //alloc h5    - receive_buf
 - set_bit HCI_UART_PROTO_READY           - tty_port_default_receive_buf
 - hci_uart_register_dev                   - tty_ldisc_receive_buf
                                            - hci_uart_tty_receive
                                             - test_bit HCI_UART_PROTO_READY
                                              - h5_recv
 - clear_bit HCI_UART_PROTO_READY               while() {
 - p->open(hu) -> h5_close //free h5
                                                 - h5_rx_3wire_hdr
                                                  - h5_reset()  //use-after-free
                                                }

It could use ioctl to set hci uart proto, but there is
a use-after-free issue when hci_uart_register_dev() fails in
hci_uart_set_proto(), see stack above, fix this by setting
HCI_UART_PROTO_READY bit only when hci_uart_register_dev()
returns success.

Reported-by: syzbot+899a33dc0fa0dbaf0...@syzkaller.appspotmail.com
Signed-off-by: Kefeng Wang 
Reviewed-by: Jeremy Cline 
Signed-off-by: Marcel Holtmann 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/bluetooth/hci_ldisc.c |3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/drivers/bluetooth/hci_ldisc.c
+++ b/drivers/bluetooth/hci_ldisc.c
@@ -696,14 +696,13 @@ static int hci_uart_set_proto(struct hci
return -EPROTONOSUPPORT;
 
hu->proto = p;
-   set_bit(HCI_UART_PROTO_READY, &hu->flags);
 
err = hci_uart_register_dev(hu);
if (err) {
-   clear_bit(HCI_UART_PROTO_READY, &hu->flags);
return err;
}
 
+   set_bit(HCI_UART_PROTO_READY, &hu->flags);
return 0;
 }
 
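
Review bot: moving set_bit(HCI_UART_PROTO_READY, &hu->flags) to after hci_uart_register_dev() closes the use-after-free shown in the diagram, but it opens a window in which registration has already succeeded while hci_uart_tty_receive(), which tests the bit before calling into the protocol, still sees it clear. Please say in the changelog whether it is acceptable that bytes received in that window are not passed to the protocol. Also, on the failure path hu->proto is left pointing at p after the protocol has been closed; resetting it to NULL there would avoid a stale pointer, and the braces around the now single-statement if (err) body can go.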




[PATCH 5.0 39/52] Bluetooth: hci_ldisc: Initialize hci_dev before open()

2019-03-25 Thread Greg Kroah-Hartman
5.0-stable review patch.  If anyone has any objections, please let me know.

--

From: Jeremy Cline 

commit 32a7b4cbe93b0a0ef7e63d31ca69ce54736c4412 upstream.

The hci_dev struct hdev is referenced in work queues and timers started
by open() in some protocols. This creates a race between the
initialization function and the work or timer which can result in hdev
being dereferenced while it is still null.

The syzbot report contains a reliable reproducer which causes a null
pointer dereference of hdev in hci_uart_write_work() by making the
memory allocation for hdev fail.

To fix this, ensure hdev is valid from before calling a protocol's
open() until after calling a protocol's close().

Reported-by: syzbot+257790c15bcdef6fe...@syzkaller.appspotmail.com
Signed-off-by: Jeremy Cline 
Signed-off-by: Marcel Holtmann 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/bluetooth/hci_ldisc.c |   21 ++---
 1 file changed, 14 insertions(+), 7 deletions(-)

--- a/drivers/bluetooth/hci_ldisc.c
+++ b/drivers/bluetooth/hci_ldisc.c
@@ -207,11 +207,11 @@ void hci_uart_init_work(struct work_stru
err = hci_register_dev(hu->hdev);
if (err < 0) {
BT_ERR("Can't register HCI device");
+   clear_bit(HCI_UART_PROTO_READY, &hu->flags);
+   hu->proto->close(hu);
hdev = hu->hdev;
hu->hdev = NULL;
hci_free_dev(hdev);
-   clear_bit(HCI_UART_PROTO_READY, &hu->flags);
-   hu->proto->close(hu);
return;
}
 
@@ -616,6 +616,7 @@ static void hci_uart_tty_receive(struct
 static int hci_uart_register_dev(struct hci_uart *hu)
 {
struct hci_dev *hdev;
+   int err;
 
BT_DBG("");
 
@@ -659,11 +660,22 @@ static int hci_uart_register_dev(struct
else
hdev->dev_type = HCI_PRIMARY;
 
+   /* Only call open() for the protocol after hdev is fully initialized as
+* open() (or a timer/workqueue it starts) may attempt to reference it.
+*/
+   err = hu->proto->open(hu);
+   if (err) {
+   hu->hdev = NULL;
+   hci_free_dev(hdev);
+   return err;
+   }
+
if (test_bit(HCI_UART_INIT_PENDING, &hu->hdev_flags))
return 0;
 
if (hci_register_dev(hdev) < 0) {
BT_ERR("Can't register HCI device");
+   hu->proto->close(hu);
hu->hdev = NULL;
hci_free_dev(hdev);
return -ENODEV;
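
Review bot: hci_uart_register_dev() now has two failure exits, one after hu->proto->open() and one after hci_register_dev(), that each repeat hu->hdev = NULL; hci_free_dev(hdev); by hand, and the second one replaces whatever hci_register_dev() returned with -ENODEV. A pair of goto labels (close the protocol, then free hdev) would keep the unwind order in one place and make it harder to miss a step when another failure point is added.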
@@ -683,17 +695,12 @@ static int hci_uart_set_proto(struct hci
if (!p)
return -EPROTONOSUPPORT;
 
-   err = p->open(hu);
-   if (err)
-   return err;
-
hu->proto = p;
set_bit(HCI_UART_PROTO_READY, &hu->flags);
 
err = hci_uart_register_dev(hu);
if (err) {
clear_bit(HCI_UART_PROTO_READY, &hu->flags);
-   p->close(hu);
return err;
}
 
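
Review bot: in hci_uart_set_proto() the set_bit(HCI_UART_PROTO_READY, &hu->flags) still runs before hci_uart_register_dev(), which after this patch is where the protocol's open() is called. That publishes the ready flag for a protocol that has not been opened yet, so any path that tests the bit can reach the protocol's handlers before open() has set up its state. Suggest setting the bit only after hci_uart_register_dev() has returned 0.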




[PATCH 5.0 42/52] RDMA/cma: Rollback source IP address if failing to acquire device

2019-03-25 Thread Greg Kroah-Hartman
5.0-stable review patch.  If anyone has any objections, please let me know.

--

From: Myungho Jung 

commit 5fc01fb846bce8fa6d5f95e2625b8ce0f8e86810 upstream.

If cma_acquire_dev_by_src_ip() returns an error in addr_handler(), the
device state changes back to RDMA_CM_ADDR_BOUND but the resolved source
IP address is still left. After that, if rdma_destroy_id() is called
after rdma_listen(), the device is freed without being removed from
listen_any_list in cma_cancel_operation(). Revert to the previous IP
address if acquiring the device fails.

Reported-by: syzbot+f3ce716af730c8f96...@syzkaller.appspotmail.com
Signed-off-by: Myungho Jung 
Reviewed-by: Parav Pandit 
Signed-off-by: Jason Gunthorpe 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/infiniband/core/cma.c |   13 -
 1 file changed, 12 insertions(+), 1 deletion(-)

--- a/drivers/infiniband/core/cma.c
+++ b/drivers/infiniband/core/cma.c
@@ -2966,13 +2966,22 @@ static void addr_handler(int status, str
 {
struct rdma_id_private *id_priv = context;
struct rdma_cm_event event = {};
+   struct sockaddr *addr;
+   struct sockaddr_storage old_addr;
 
mutex_lock(&id_priv->handler_mutex);
if (!cma_comp_exch(id_priv, RDMA_CM_ADDR_QUERY,
   RDMA_CM_ADDR_RESOLVED))
goto out;
 
-   memcpy(cma_src_addr(id_priv), src_addr, rdma_addr_size(src_addr));
+   /*
+* Store the previous src address, so that if we fail to acquire
+* matching rdma device, old address can be restored back, which helps
+* to cancel the cma listen operation correctly.
+*/
+   addr = cma_src_addr(id_priv);
+   memcpy(&old_addr, addr, rdma_addr_size(addr));
+   memcpy(addr, src_addr, rdma_addr_size(src_addr));
if (!status && !id_priv->cma_dev) {
status = cma_acquire_dev_by_src_ip(id_priv);
if (status)
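
Review bot: old_addr in addr_handler() is declared without an initialiser and is filled by memcpy(&old_addr, addr, rdma_addr_size(addr)). If rdma_addr_size() can return 0 for an address family it does not recognise, nothing is copied, and the restore in the error path then sizes its memcpy() from an uninitialised sa_family in old_addr. Declaring it as struct sockaddr_storage old_addr = {}; or saving the length once in a local and reusing it for the restore, removes that dependency.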
@@ -2983,6 +2992,8 @@ static void addr_handler(int status, str
}
 
if (status) {
+   memcpy(addr, &old_addr,
+  rdma_addr_size((struct sockaddr *)&old_addr));
if (!cma_comp_exch(id_priv, RDMA_CM_ADDR_RESOLVED,
   RDMA_CM_ADDR_BOUND))
goto out;




[PATCH 5.0 52/52] ALSA: hda - Enforces runtime_resume after S3 and S4 for each codec

2019-03-25 Thread Greg Kroah-Hartman
5.0-stable review patch.  If anyone has any objections, please let me know.

--

From: Hui Wang 

commit b5a236c175b0d984552a5f7c9d35141024c2b261 upstream.

Recently we found the audio jack detection stops working after suspend
on many machines with Realtek codec. Sometimes the audio selection
dialogue didn't show up after users plugged headphone/headset into
the headset jack, sometimes after users plugged headphone/headset, then
clicked the sound icon on the upper-right corner of gnome-desktop, it
also showed the speaker rather than the headphone.

The root cause is that before suspend, the codec already called the
runtime_suspend since this codec is not used by any apps, then in
resume, it will not call runtime_resume for this codec. But for some
Realtek codecs (so far, alc236, alc255 and alc891) with the specific
BIOS, if it doesn't run runtime_resume after suspend, all codec
functions including jack detection stop working.

This problem existed for a long time, but it was not exposed, that is
because when problem happens, if users play sound or open
sound-setting to check audio device, this will trigger calling to
runtime_resume (via snd_hda_power_up), then the codec starts working
again before users notice this problem.

Since we don't know how many codec and BIOS combinations have this
problem, to fix it, let the driver call runtime_resume for all codecs
in pm_resume, maybe for some codecs, this is not needed, but it is
harmless. After a codec is runtime resumed, if it is not used by any
apps, it will be runtime suspended soon and furthermore we don't run
suspend frequently, this change will not add much power consumption.

Fixes: cc72da7d4d06 ("ALSA: hda - Use standard runtime PM for codec power-save control")
Signed-off-by: Hui Wang 
Signed-off-by: Takashi Iwai 
Signed-off-by: Greg Kroah-Hartman 

---
 sound/pci/hda/hda_codec.c |   20 +---
 1 file changed, 17 insertions(+), 3 deletions(-)

--- a/sound/pci/hda/hda_codec.c
+++ b/sound/pci/hda/hda_codec.c
@@ -2952,6 +2952,20 @@ static int hda_codec_runtime_resume(stru
 #endif /* CONFIG_PM */
 
 #ifdef CONFIG_PM_SLEEP
+static int hda_codec_force_resume(struct device *dev)
+{
+   int ret;
+
+   /* The get/put pair below enforces the runtime resume even if the
+* device hasn't been used at suspend time.  This trick is needed to
+* update the jack state change during the sleep.
+*/
+   pm_runtime_get_noresume(dev);
+   ret = pm_runtime_force_resume(dev);
+   pm_runtime_put(dev);
+   return ret;
+}
+
 static int hda_codec_pm_suspend(struct device *dev)
 {
dev->power.power_state = PMSG_SUSPEND;
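
Review bot: the comment in hda_codec_force_resume() says the get/put pair enforces the runtime resume but not how, so a reader cannot tell why pm_runtime_get_noresume() must come before pm_runtime_force_resume() or what breaks if the pair is dropped. Please spell out the dependency in the comment, and note that pm_runtime_put() is called even when pm_runtime_force_resume() returned an error, so it is clear that this is intentional.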
@@ -2961,7 +2975,7 @@ static int hda_codec_pm_suspend(struct d
 static int hda_codec_pm_resume(struct device *dev)
 {
dev->power.power_state = PMSG_RESUME;
-   return pm_runtime_force_resume(dev);
+   return hda_codec_force_resume(dev);
 }
 
 static int hda_codec_pm_freeze(struct device *dev)
@@ -2973,13 +2987,13 @@ static int hda_codec_pm_freeze(struct de
 static int hda_codec_pm_thaw(struct device *dev)
 {
dev->power.power_state = PMSG_THAW;
-   return pm_runtime_force_resume(dev);
+   return hda_codec_force_resume(dev);
 }
 
 static int hda_codec_pm_restore(struct device *dev)
 {
dev->power.power_state = PMSG_RESTORE;
-   return pm_runtime_force_resume(dev);
+   return hda_codec_force_resume(dev);
 }
 #endif /* CONFIG_PM_SLEEP */
 




[PATCH 5.0 26/52] perf probe: Fix getting the kernel map

2019-03-25 Thread Greg Kroah-Hartman
5.0-stable review patch.  If anyone has any objections, please let me know.

--

From: Adrian Hunter 

commit eaeffeb9838a7c0dec981d258666bfcc0fa6a947 upstream.

Since commit 4d99e4136580 ("perf machine: Workaround missing maps for
x86 PTI entry trampolines"), perf tools has been creating more than one
kernel map, however 'perf probe' assumed there could be only one.

Fix by using machine__kernel_map() to get the main kernel map.

Signed-off-by: Adrian Hunter 
Tested-by: Joseph Qi 
Acked-by: Masami Hiramatsu 
Cc: Alexander Shishkin 
Cc: Andy Lutomirski 
Cc: Greg Kroah-Hartman 
Cc: Jiufei Xue 
Cc: Peter Zijlstra 
Cc: sta...@vger.kernel.org
Cc: Xu Yu 
Fixes: 4d99e4136580 ("perf machine: Workaround missing maps for x86 PTI entry trampolines")
Fixes: d83212d5dd67 ("kallsyms, x86: Export addresses of PTI entry trampolines")
Link: http://lkml.kernel.org/r/2ed432de-e904-85d2-5c36-5897ddc5b...@intel.com
Signed-off-by: Arnaldo Carvalho de Melo 
Signed-off-by: Greg Kroah-Hartman 

---
 tools/perf/util/probe-event.c |6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/tools/perf/util/probe-event.c
+++ b/tools/perf/util/probe-event.c
@@ -157,8 +157,10 @@ static struct map *kernel_get_module_map
if (module && strchr(module, '/'))
return dso__new_map(module);
 
-   if (!module)
-   module = "kernel";
+   if (!module) {
+   pos = machine__kernel_map(host_machine);
+   return map__get(pos);
+   }
 
for (pos = maps__first(maps); pos; pos = map__next(pos)) {
/* short_name is "[module]" */
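
Review bot: in the new if (!module) branch the result of machine__kernel_map(host_machine) is passed straight to map__get() with no NULL check. Please confirm that map__get() tolerates a NULL map and that callers of kernel_get_module_map() handle a NULL return on this path, or check pos before taking the reference. A short comment stating that the caller owns a reference on the returned map would also help whoever audits the matching put calls.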




[PATCH 5.0 51/52] ALSA: hda - Record the current power state before suspend/resume calls

2019-03-25 Thread Greg Kroah-Hartman
5.0-stable review patch.  If anyone has any objections, please let me know.

--

From: Takashi Iwai 

commit 98081ca62cbac31fb0f7efaf90b2e7384ce22257 upstream.

Currently we deal with single codec and suspend codec callbacks for
all S3, S4 and runtime PM handling.  But it turned out that we want
to distinguish the call patterns sometimes, e.g. for applying some init
sequence only at probing and restoring from hibernate.

This patch slightly modifies the common PM callbacks for HD-audio
codec and stores the currently processed PM event in power_state of
the codec's device.power field, which is currently unused.  The codec
callback can take a look at this event value and judge for which purpose
it's being called.

Signed-off-by: Takashi Iwai 
Signed-off-by: Greg Kroah-Hartman 

---
 sound/pci/hda/hda_codec.c |   43 +--
 1 file changed, 41 insertions(+), 2 deletions(-)

--- a/sound/pci/hda/hda_codec.c
+++ b/sound/pci/hda/hda_codec.c
@@ -2917,6 +2917,7 @@ static void hda_call_codec_resume(struct
hda_jackpoll_work(&codec->jackpoll_work.work);
else
snd_hda_jack_report_sync(codec);
+   codec->core.dev.power.power_state = PMSG_ON;
snd_hdac_leave_pm(&codec->core);
 }
 
@@ -2950,10 +2951,48 @@ static int hda_codec_runtime_resume(stru
 }
 #endif /* CONFIG_PM */
 
+#ifdef CONFIG_PM_SLEEP
+static int hda_codec_pm_suspend(struct device *dev)
+{
+   dev->power.power_state = PMSG_SUSPEND;
+   return pm_runtime_force_suspend(dev);
+}
+
+static int hda_codec_pm_resume(struct device *dev)
+{
+   dev->power.power_state = PMSG_RESUME;
+   return pm_runtime_force_resume(dev);
+}
+
+static int hda_codec_pm_freeze(struct device *dev)
+{
+   dev->power.power_state = PMSG_FREEZE;
+   return pm_runtime_force_suspend(dev);
+}
+
+static int hda_codec_pm_thaw(struct device *dev)
+{
+   dev->power.power_state = PMSG_THAW;
+   return pm_runtime_force_resume(dev);
+}
+
+static int hda_codec_pm_restore(struct device *dev)
+{
+   dev->power.power_state = PMSG_RESTORE;
+   return pm_runtime_force_resume(dev);
+}
+#endif /* CONFIG_PM_SLEEP */
+
 /* referred in hda_bind.c */
 const struct dev_pm_ops hda_codec_driver_pm = {
-   SET_SYSTEM_SLEEP_PM_OPS(pm_runtime_force_suspend,
-   pm_runtime_force_resume)
+#ifdef CONFIG_PM_SLEEP
+   .suspend = hda_codec_pm_suspend,
+   .resume = hda_codec_pm_resume,
+   .freeze = hda_codec_pm_freeze,
+   .thaw = hda_codec_pm_thaw,
+   .poweroff = hda_codec_pm_suspend,
+   .restore = hda_codec_pm_restore,
+#endif /* CONFIG_PM_SLEEP */
SET_RUNTIME_PM_OPS(hda_codec_runtime_suspend, hda_codec_runtime_resume,
   NULL)
 };
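
Review bot: .poweroff is wired to hda_codec_pm_suspend(), so a hibernation power-off records PMSG_SUSPEND in dev->power.power_state and a codec callback cannot tell it apart from an S3 suspend, which is the kind of distinction the changelog says this patch is for. If that is intentional, say so in a comment next to the .poweroff line; otherwise add a dedicated wrapper that stores its own event. The five wrappers differ only in the PMSG_* value and the force_suspend/force_resume call, so a small helper taking the event would cut the repetition.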




[PATCH 5.0 48/52] x86/unwind: Add hardcoded ORC entry for NULL

2019-03-25 Thread Greg Kroah-Hartman
5.0-stable review patch.  If anyone has any objections, please let me know.

--

From: Jann Horn 

commit ac5ceccce5501e43d217c596e4ee859f2a3fef79 upstream.

When the ORC unwinder is invoked for an oops caused by IP==0,
it currently has no idea what to do because there is no debug information
for the stack frame of NULL.

But if RIP is NULL, it is very likely that the last successfully executed
instruction was an indirect CALL/JMP, and it is possible to unwind out in
the same way as for the first instruction of a normal function. Hardcode
a corresponding ORC entry.

With an artificially-added NULL call in prctl_set_seccomp(), before this
patch, the trace is:

Call Trace:
 ? __x64_sys_prctl+0x402/0x680
 ? __ia32_sys_prctl+0x6e0/0x6e0
 ? __do_page_fault+0x457/0x620
 ? do_syscall_64+0x6d/0x160
 ? entry_SYSCALL_64_after_hwframe+0x44/0xa9

After this patch, the trace looks like this:

Call Trace:
 __x64_sys_prctl+0x402/0x680
 ? __ia32_sys_prctl+0x6e0/0x6e0
 ? __do_page_fault+0x457/0x620
 do_syscall_64+0x6d/0x160
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

prctl_set_seccomp() still doesn't show up in the trace because for some
reason, tail call optimization is only disabled in builds that use the
frame pointer unwinder.

Signed-off-by: Jann Horn 
Signed-off-by: Thomas Gleixner 
Acked-by: Josh Poimboeuf 
Cc: Borislav Petkov 
Cc: Andrew Morton 
Cc: syzbot 
Cc: "H. Peter Anvin" 
Cc: Masahiro Yamada 
Cc: Michal Marek 
Cc: linux-kbu...@vger.kernel.org
Link: https://lkml.kernel.org/r/20190301031201.7416-2-ja...@google.com
Signed-off-by: Greg Kroah-Hartman 

---
 arch/x86/kernel/unwind_orc.c |   17 +
 1 file changed, 17 insertions(+)

--- a/arch/x86/kernel/unwind_orc.c
+++ b/arch/x86/kernel/unwind_orc.c
@@ -113,6 +113,20 @@ static struct orc_entry *orc_ftrace_find
 }
 #endif
 
+/*
+ * If we crash with IP==0, the last successfully executed instruction
+ * was probably an indirect function call with a NULL function pointer,
+ * and we don't have unwind information for NULL.
+ * This hardcoded ORC entry for IP==0 allows us to unwind from a NULL function
+ * pointer into its parent and then continue normally from there.
+ */
+static struct orc_entry null_orc_entry = {
+   .sp_offset = sizeof(long),
+   .sp_reg = ORC_REG_SP,
+   .bp_reg = ORC_REG_UNDEFINED,
+   .type = ORC_TYPE_CALL
+};
+
 static struct orc_entry *orc_find(unsigned long ip)
 {
static struct orc_entry *orc;
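
Review bot: null_orc_entry is never written after its static initialiser, yet it is declared as a plain writable static struct. Marking it read-only (const, or __ro_after_init if orc_find() must keep returning a non-const pointer) keeps a stray write from corrupting the unwinder's fallback entry. The comment could also say that .sp_offset = sizeof(long) accounts for the return address left on the stack by the indirect call.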
@@ -120,6 +134,9 @@ static struct orc_entry *orc_find(unsign
if (!orc_init)
return NULL;
 
+   if (ip == 0)
+   return &null_orc_entry;
+
/* For non-init vmlinux addresses, use the fast lookup table: */
if (ip >= LOOKUP_START_IP && ip < LOOKUP_STOP_IP) {
unsigned int idx, start, stop;
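
Review bot: the ip == 0 test in orc_find() sits below the if (!orc_init) return NULL; check, so a NULL function-pointer call that oopses before the ORC tables are initialised still gets no entry, even though null_orc_entry is hardcoded and does not depend on those tables. Consider moving the ip == 0 test above the orc_init check, or note in the comment why it has to stay behind it.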




[PATCH 5.0 49/52] locking/lockdep: Add debug_locks check in __lock_downgrade()

2019-03-25 Thread Greg Kroah-Hartman
5.0-stable review patch.  If anyone has any objections, please let me know.

--

From: Waiman Long 

commit 71492580571467fb7177aade19c18ce7486267f5 upstream.

Tetsuo Handa had reported he saw an incorrect "downgrading a read lock"
warning right after a previous lockdep warning. It is likely that the
previous warning turned off lock debugging causing the lockdep to have
inconsistent states leading to the lock downgrade warning.

Fix that by adding a check for debug_locks at the beginning of
__lock_downgrade().

Debugged-by: Tetsuo Handa 
Reported-by: Tetsuo Handa 
Reported-by: syzbot+53383ae265fb161ef...@syzkaller.appspotmail.com
Signed-off-by: Waiman Long 
Signed-off-by: Peter Zijlstra (Intel) 
Cc: Andrew Morton 
Cc: Linus Torvalds 
Cc: Paul E. McKenney 
Cc: Peter Zijlstra 
Cc: Thomas Gleixner 
Cc: Will Deacon 
Link: https://lkml.kernel.org/r/1547093005-26085-1-git-send-email-long...@redhat.com
Signed-off-by: Ingo Molnar 
Signed-off-by: Greg Kroah-Hartman 

---
 kernel/locking/lockdep.c |3 +++
 1 file changed, 3 insertions(+)

--- a/kernel/locking/lockdep.c
+++ b/kernel/locking/lockdep.c
@@ -3535,6 +3535,9 @@ static int __lock_downgrade(struct lockd
unsigned int depth;
int i;
 
+   if (unlikely(!debug_locks))
+   return 0;
+
depth = curr->lockdep_depth;
/*
 * This function is about (re)setting the class of a held lock,
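
Review bot: the early return added at the top of __lock_downgrade() returns 0 without saying why that value is right when debug_locks is off. The changelog explains that an earlier warning disables lock debugging and leaves lockdep state inconsistent; a one-line comment to that effect above the if (unlikely(!debug_locks)) test would keep the reason next to the code.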




[PATCH 5.0 50/52] mm, mempolicy: fix uninit memory access

2019-03-25 Thread Greg Kroah-Hartman
5.0-stable review patch.  If anyone has any objections, please let me know.

--

From: Vlastimil Babka 

commit 2e25644e8da4ed3a27e7b8315aaae74660be72dc upstream.

Syzbot with KMSAN reports (excerpt):

==
BUG: KMSAN: uninit-value in mpol_rebind_policy mm/mempolicy.c:353 [inline]
BUG: KMSAN: uninit-value in mpol_rebind_mm+0x249/0x370 mm/mempolicy.c:384
CPU: 1 PID: 17420 Comm: syz-executor4 Not tainted 4.20.0-rc7+ #15
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0x173/0x1d0 lib/dump_stack.c:113
  kmsan_report+0x12e/0x2a0 mm/kmsan/kmsan.c:613
  __msan_warning+0x82/0xf0 mm/kmsan/kmsan_instr.c:295
  mpol_rebind_policy mm/mempolicy.c:353 [inline]
  mpol_rebind_mm+0x249/0x370 mm/mempolicy.c:384
  update_tasks_nodemask+0x608/0xca0 kernel/cgroup/cpuset.c:1120
  update_nodemasks_hier kernel/cgroup/cpuset.c:1185 [inline]
  update_nodemask kernel/cgroup/cpuset.c:1253 [inline]
  cpuset_write_resmask+0x2a98/0x34b0 kernel/cgroup/cpuset.c:1728

...

Uninit was created at:
  kmsan_save_stack_with_flags mm/kmsan/kmsan.c:204 [inline]
  kmsan_internal_poison_shadow+0x92/0x150 mm/kmsan/kmsan.c:158
  kmsan_kmalloc+0xa6/0x130 mm/kmsan/kmsan_hooks.c:176
  kmem_cache_alloc+0x572/0xb90 mm/slub.c:2777
  mpol_new mm/mempolicy.c:276 [inline]
  do_mbind mm/mempolicy.c:1180 [inline]
  kernel_mbind+0x8a7/0x31a0 mm/mempolicy.c:1347
  __do_sys_mbind mm/mempolicy.c:1354 [inline]

As it's difficult to report where exactly the uninit value resides in
the mempolicy object, we have to guess a bit.  mm/mempolicy.c:353
contains this part of mpol_rebind_policy():

if (!mpol_store_user_nodemask(pol) &&
nodes_equal(pol->w.cpuset_mems_allowed, *newmask))

"mpol_store_user_nodemask(pol)" is testing pol->flags, which I couldn't
ever see being uninitialized after leaving mpol_new().  So I'll guess
it's actually about accessing pol->w.cpuset_mems_allowed on line 354,
but still part of statement starting on line 353.

For w.cpuset_mems_allowed to be not initialized, and the nodes_equal()
reachable for a mempolicy where mpol_set_nodemask() is called in
do_mbind(), it seems the only possibility is a MPOL_PREFERRED policy
with empty set of nodes, i.e.  MPOL_LOCAL equivalent, with MPOL_F_LOCAL
flag.  Let's exclude such policies from the nodes_equal() check.  Note
the uninit access should be benign anyway, as rebinding this kind of
policy is always a no-op.  Therefore no actual need for stable
inclusion.

Link: http://lkml.kernel.org/r/a71997c3-e8ae-a787-d5ce-3db05768b...@suse.cz
Link: http://lkml.kernel.org/r/73da3e9c-cc84-509e-17d9-0c434bb99...@suse.cz
Signed-off-by: Vlastimil Babka 
Reported-by: syzbot+b19c2dc2c990ea657...@syzkaller.appspotmail.com
Cc: Alexander Potapenko 
Cc: Dmitry Vyukov 
Cc: Andrea Arcangeli 
Cc: "Kirill A. Shutemov" 
Cc: Michal Hocko 
Cc: David Rientjes 
Cc: Yisheng Xie 
Cc: zhong jiang 
Signed-off-by: Andrew Morton 
Signed-off-by: Linus Torvalds 
Signed-off-by: Greg Kroah-Hartman 

---
 mm/mempolicy.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -350,7 +350,7 @@ static void mpol_rebind_policy(struct me
 {
if (!pol)
return;
-   if (!mpol_store_user_nodemask(pol) &&
+   if (!mpol_store_user_nodemask(pol) && !(pol->flags & MPOL_F_LOCAL) &&
nodes_equal(pol->w.cpuset_mems_allowed, *newmask))
return;
 
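
Review bot: the added !(pol->flags & MPOL_F_LOCAL) term in mpol_rebind_policy() has no comment, and the reason for it (w.cpuset_mems_allowed is not initialised for such policies, per the changelog) is not obvious from the code. The term also makes MPOL_F_LOCAL policies skip this early return and continue into the rest of the function, which the changelog says is always a no-op for them. A short comment stating both facts would save the next reader from repeating the KMSAN analysis.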




[PATCH 5.0 38/52] Bluetooth: Fix decrementing reference count twice in releasing socket

2019-03-25 Thread Greg Kroah-Hartman
5.0-stable review patch.  If anyone has any objections, please let me know.

--

From: Myungho Jung 

commit e20a2e9c42c9e4002d9e338d74e7819e88d77162 upstream.

When releasing socket, it is possible to enter hci_sock_release() and
hci_sock_dev_event(HCI_DEV_UNREG) at the same time in different thread.
The reference count of hdev should be decremented only once from one of
them but if storing hdev to local variable in hci_sock_release() before
detached from socket and setting to NULL in hci_sock_dev_event(),
hci_dev_put(hdev) is unexpectedly called twice. This is resolved by
referencing hdev from socket after bt_sock_unlink() in
hci_sock_release().

Reported-by: syzbot+fdc3f4efff43b...@syzkaller.appspotmail.com
Signed-off-by: Myungho Jung 
Signed-off-by: Marcel Holtmann 
Signed-off-by: Greg Kroah-Hartman 

---
 net/bluetooth/hci_sock.c |3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
@@ -831,8 +831,6 @@ static int hci_sock_release(struct socke
if (!sk)
return 0;
 
-   hdev = hci_pi(sk)->hdev;
-
switch (hci_pi(sk)->channel) {
case HCI_CHANNEL_MONITOR:
atomic_dec(&monitor_promisc);
@@ -854,6 +852,7 @@ static int hci_sock_release(struct socke
 
bt_sock_unlink(&hci_sk_list, sk);
 
+   hdev = hci_pi(sk)->hdev;
if (hdev) {
if (hci_pi(sk)->channel == HCI_CHANNEL_USER) {
/* When releasing a user channel exclusive access,
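
Review bot: hdev is now read from hci_pi(sk)->hdev after bt_sock_unlink(), but nothing in the visible lines shows what serialises this read against hci_sock_dev_event() clearing the same field. If unlinking only stops a new walk of hci_sk_list from finding the socket, an event handler that already holds sk could still clear the pointer between this assignment and the if (hdev) block. Please add a comment naming the lock or ordering that makes the read safe, or take that lock around both the read here and the clearing in the event handler.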




[PATCH 5.0 24/52] futex: Ensure that futex address is aligned in handle_futex_death()

2019-03-25 Thread Greg Kroah-Hartman
5.0-stable review patch.  If anyone has any objections, please let me know.

--

From: Chen Jie 

commit 5a07168d8d89b00fe1760120714378175b3ef992 upstream.

The futex code requires that the user space addresses of futexes are 32bit
aligned. sys_futex() checks this in futex_get_keys() but the robust list
code has no alignment check in place.

As a consequence the kernel crashes on architectures with strict alignment
requirements in handle_futex_death() when trying to cmpxchg() on an
unaligned futex address which was retrieved from the robust list.

[ tglx: Rewrote changelog, proper sizeof() based alignment check and add
comment ]

Fixes: 0771dfefc9e5 ("[PATCH] lightweight robust futexes: core")
Signed-off-by: Chen Jie 
Signed-off-by: Thomas Gleixner 
Cc: 
Cc: 
Cc: 
Cc: sta...@vger.kernel.org
Link: https://lkml.kernel.org/r/1552621478-119787-1-git-send-email-chenj...@huawei.com
Signed-off-by: Greg Kroah-Hartman 

---
 kernel/futex.c |4 
 1 file changed, 4 insertions(+)

--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -3440,6 +3440,10 @@ static int handle_futex_death(u32 __user
 {
u32 uval, uninitialized_var(nval), mval;
 
+   /* Futex address must be 32bit aligned */
+   if unsigned long)uaddr) % sizeof(*uaddr)) != 0)
+   return -1;
+
 retry:
if (get_user(uval, uaddr))
return -1;
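Review bot: The condition on the added `if` line is unbalanced as archived: it closes more parentheses than it opens, so the hunk will not compile if applied from this copy. The intended form is presumably `if ((((unsigned long)uaddr) % sizeof(*uaddr)) != 0)`; take the hunk from the upstream commit rather than from this mail. The -1 return is consistent with the get_user() failure path in the context lines just below.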




[PATCH 5.0 20/52] scsi: core: Avoid that a kernel warning appears during system resume

2019-03-25 Thread Greg Kroah-Hartman
5.0-stable review patch.  If anyone has any objections, please let me know.

--

From: Bart Van Assche 

commit 17605afaae825b0291f80c62a7f6565879edaa8a upstream.

Since scsi_device_quiesce() skips SCSI devices that have another state than
RUNNING, OFFLINE or TRANSPORT_OFFLINE, scsi_device_resume() should not
complain about SCSI devices that have been skipped. Hence this patch.  This
patch avoids that the following warning appears during resume:

WARNING: CPU: 3 PID: 1039 at blk_clear_pm_only+0x2a/0x30
CPU: 3 PID: 1039 Comm: kworker/u8:49 Not tainted 5.0.0+ #1
Hardware name: LENOVO 4180F42/4180F42, BIOS 83ET75WW (1.45 ) 05/10/2013
Workqueue: events_unbound async_run_entry_fn
RIP: 0010:blk_clear_pm_only+0x2a/0x30
Call Trace:
 ? scsi_device_resume+0x28/0x50
 ? scsi_dev_type_resume+0x2b/0x80
 ? async_run_entry_fn+0x2c/0xd0
 ? process_one_work+0x1f0/0x3f0
 ? worker_thread+0x28/0x3c0
 ? process_one_work+0x3f0/0x3f0
 ? kthread+0x10c/0x130
 ? __kthread_create_on_node+0x150/0x150
 ? ret_from_fork+0x1f/0x30

Cc: Christoph Hellwig 
Cc: Hannes Reinecke 
Cc: Ming Lei 
Cc: Johannes Thumshirn 
Cc: Oleksandr Natalenko 
Cc: Martin Steigerwald 
Cc: 
Reported-by: Jisheng Zhang 
Tested-by: Jisheng Zhang 
Fixes: 3a0a529971ec ("block, scsi: Make SCSI quiesce and resume work reliably") # v4.15
Signed-off-by: Bart Van Assche 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/scsi/scsi_lib.c |6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -2598,8 +2598,10 @@ void scsi_device_resume(struct scsi_devi
 * device deleted during suspend)
 */
mutex_lock(&sdev->state_mutex);
-   sdev->quiesced_by = NULL;
-   blk_clear_pm_only(sdev->request_queue);
+   if (sdev->quiesced_by) {
+   sdev->quiesced_by = NULL;
+   blk_clear_pm_only(sdev->request_queue);
+   }
if (sdev->sdev_state == SDEV_QUIESCE)
scsi_device_set_state(sdev, SDEV_RUNNING);
mutex_unlock(&sdev->state_mutex);
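Review bot: The new `if (sdev->quiesced_by)` test has no comment saying when the field can be NULL on resume. The existing comment above the lock only mentions a device deleted during suspend; adding that scsi_device_quiesce() skips devices outside RUNNING, OFFLINE and TRANSPORT_OFFLINE would document why blk_clear_pm_only() must not be called unconditionally.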




[PATCH 5.0 25/52] cifs: allow guest mounts to work for smb3.11

2019-03-25 Thread Greg Kroah-Hartman
5.0-stable review patch.  If anyone has any objections, please let me know.

--

From: Ronnie Sahlberg 

commit e71ab2aa06f731a944993120b0eef1556c63b81c upstream.

Fix Guest/Anonymous sessions so that they work with SMB 3.11.

The commit noted below tightened the conditions and forced signing for
the SMB2-TreeConnect commands as per MS-SMB2.
However, this should only apply to normal user sessions and not for
Guest/Anonymous sessions.

Fixes: 6188f28bf608 ("Tree connect for SMB3.1.1 must be signed for non-encrypted shares")

Signed-off-by: Ronnie Sahlberg 
CC: Stable 
Signed-off-by: Steve French 
Signed-off-by: Greg Kroah-Hartman 

---
 fs/cifs/smb2pdu.c |8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -1605,9 +1605,13 @@ SMB2_tcon(const unsigned int xid, struct
iov[1].iov_base = unc_path;
iov[1].iov_len = unc_path_len;
 
-   /* 3.11 tcon req must be signed if not encrypted. See MS-SMB2 3.2.4.1.1 
*/
+   /*
+* 3.11 tcon req must be signed if not encrypted. See MS-SMB2 3.2.4.1.1
+* unless it is guest or anonymous user. See MS-SMB2 3.2.5.3.1
+*/
if ((ses->server->dialect == SMB311_PROT_ID) &&
-   !smb3_encryption_required(tcon))
+   !smb3_encryption_required(tcon) &&
+   !(ses->session_flags & 
(SMB2_SESSION_FLAG_IS_GUEST|SMB2_SESSION_FLAG_IS_NULL)))
req->sync_hdr.Flags |= SMB2_FLAGS_SIGNED;
 
memset(&rqst, 0, sizeof(struct smb_rqst));
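Review bot: The added `!(ses->session_flags & ...)` term makes the decision to sign the tree connect depend on flags reported in the session setup response, so the signing requirement is dropped on the peer's say-so. Please confirm that a session mounted with real credentials cannot end up flagged as guest or null here without the mount failing, or gate the exemption on the mount having asked for guest access. The new condition line also runs well past 80 columns and would read better split after the `&`.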




[PATCH 5.0 23/52] scsi: ibmvscsi: Fix empty event pool access during host removal

2019-03-25 Thread Greg Kroah-Hartman
5.0-stable review patch.  If anyone has any objections, please let me know.

--

From: Tyrel Datwyler 

commit 7f5203c13ba8a7b7f9f6ecfe5a4d5567188d7835 upstream.

The event pool used for queueing commands is destroyed fairly early in the
ibmvscsi_remove() code path. Since this happens prior to the call to
scsi_remove_host(), it is possible for further calls to queuecommand to be
processed, which manifests as a panic due to a NULL pointer dereference as
seen here:

PANIC: "Unable to handle kernel paging request for data at address
0x"

Context process backtrace:

DSISR: 4200 Syscall Result: 
4 [c2cb3820] memcpy_power7 at c0064204
[Link Register] [c2cb3820] ibmvscsi_send_srp_event at d3ed14a4
5 [c2cb3920] ibmvscsi_send_srp_event at d3ed14a4 [ibmvscsi] 
?(unreliable)
6 [c2cb39c0] ibmvscsi_queuecommand at d3ed2388 [ibmvscsi]
7 [c2cb3a70] scsi_dispatch_cmd at d395c2d8 [scsi_mod]
8 [c2cb3af0] scsi_request_fn at d395ef88 [scsi_mod]
9 [c2cb3be0] __blk_run_queue at c0429860
10 [c2cb3c10] blk_delay_work at c042a0ec
11 [c2cb3c40] process_one_work at c00dac30
12 [c2cb3cd0] worker_thread at c00db110
13 [c2cb3d80] kthread at c00e3378
14 [c2cb3e30] ret_from_kernel_thread at c000982c

The kernel buffer log is overfilled with this log:

[11261.952732] ibmvscsi: found no event struct in pool!

This patch reorders the operations during host teardown. Start by calling
the SRP transport and Scsi_Host remove functions to flush any outstanding
work and set the host offline. LLDD teardown follows including destruction
of the event pool, freeing the Command Response Queue (CRQ), and unmapping
any persistent buffers. The event pool destruction is protected by the
scsi_host lock, and the pool is purged prior of any requests for which we
never received a response. Finally, move the removal of the scsi host from
our global list to the end so that the host is easily locatable for
debugging purposes during teardown.

Cc:  # v2.6.12+
Signed-off-by: Tyrel Datwyler 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/scsi/ibmvscsi/ibmvscsi.c |   22 --
 1 file changed, 16 insertions(+), 6 deletions(-)

--- a/drivers/scsi/ibmvscsi/ibmvscsi.c
+++ b/drivers/scsi/ibmvscsi/ibmvscsi.c
@@ -2295,17 +2295,27 @@ static int ibmvscsi_probe(struct vio_dev
 static int ibmvscsi_remove(struct vio_dev *vdev)
 {
struct ibmvscsi_host_data *hostdata = dev_get_drvdata(&vdev->dev);
-   spin_lock(&ibmvscsi_driver_lock);
-   list_del(&hostdata->host_list);
-   spin_unlock(&ibmvscsi_driver_lock);
-   unmap_persist_bufs(hostdata);
+   unsigned long flags;
+
+   srp_remove_host(hostdata->host);
+   scsi_remove_host(hostdata->host);
+
+   purge_requests(hostdata, DID_ERROR);
+
+   spin_lock_irqsave(hostdata->host->host_lock, flags);
release_event_pool(&hostdata->pool, hostdata);
+   spin_unlock_irqrestore(hostdata->host->host_lock, flags);
+
ibmvscsi_release_crq_queue(&hostdata->queue, hostdata,
max_events);
 
kthread_stop(hostdata->work_thread);
-   srp_remove_host(hostdata->host);
-   scsi_remove_host(hostdata->host);
+   unmap_persist_bufs(hostdata);
+
+   spin_lock(&ibmvscsi_driver_lock);
+   list_del(&hostdata->host_list);
+   spin_unlock(&ibmvscsi_driver_lock);
+
scsi_host_put(hostdata->host);
 
return 0;
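Review bot: kthread_stop(hostdata->work_thread) still runs after release_event_pool() and ibmvscsi_release_crq_queue(), so the work thread is alive while the pool and the CRQ are torn down. If that thread can touch either one it should be stopped first; if it cannot once scsi_remove_host() has returned, a comment at the kthread_stop() call saying so would help. purge_requests() is also called without the host lock that the very next statement takes, so it is worth stating whether it locks internally.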




[PATCH 5.0 21/52] scsi: qla2xxx: Fix FC-AL connection target discovery

2019-03-25 Thread Greg Kroah-Hartman
5.0-stable review patch.  If anyone has any objections, please let me know.

--

From: Quinn Tran 

commit 4705f10e82c63924bd84a9b31d15839ec9ba3d06 upstream.

Commit 7f147f9bfd44 ("scsi: qla2xxx: Fix N2N target discovery with Local
loop") fixed N2N target discovery for local loop.  However, the same code is
used for FC-AL discovery as well. Added check to make sure we are bypassing
area and domain check only in N2N topology for target discovery.

Fixes: 7f147f9bfd44 ("scsi: qla2xxx: Fix N2N target discovery with Local loop")
Cc: sta...@vger.kernel.org # 5.0+
Signed-off-by: Quinn Tran 
Signed-off-by: Himanshu Madhani 
Reviewed-by: Ewan D. Milne 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/scsi/qla2xxx/qla_init.c |7 +++
 1 file changed, 7 insertions(+)

--- a/drivers/scsi/qla2xxx/qla_init.c
+++ b/drivers/scsi/qla2xxx/qla_init.c
@@ -4968,6 +4968,13 @@ qla2x00_configure_local_loop(scsi_qla_ho
(area != vha->d_id.b.area || domain != vha->d_id.b.domain))
continue;
 
+   /* Bypass if not same domain and area of adapter. */
+   if (area && domain && ((area != vha->d_id.b.area) ||
+   (domain != vha->d_id.b.domain)) &&
+   (ha->current_topology == ISP_CFG_NL))
+   continue;
+
+
/* Bypass invalid local loop ID. */
if (loop_id > LAST_LOCAL_LOOP_ID)
continue;
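Review bot: The added comment, "Bypass if not same domain and area of adapter", does not mention that the test only applies when ha->current_topology == ISP_CFG_NL, which is the point of the change. Please say so in the comment and explain how it differs from the area/domain test in the context lines directly above, whose condition it largely repeats. The hunk also adds two consecutive blank lines after the `continue;`; one is enough.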




[PATCH 5.0 22/52] scsi: ibmvscsi: Protect ibmvscsi_head from concurrent modificaiton

2019-03-25 Thread Greg Kroah-Hartman
5.0-stable review patch.  If anyone has any objections, please let me know.

--

From: Tyrel Datwyler 

commit 7205981e045e752ccf96cf6ddd703a98c59d4339 upstream.

For each ibmvscsi host created during a probe or destroyed during a remove
we either add or remove that host to/from the global ibmvscsi_head
list. This runs the risk of concurrent modification.

This patch adds a simple spinlock around the list modification calls to
prevent concurrent updates as is done similarly in the ibmvfc driver and
ipr driver.

Fixes: 32d6e4b6e4ea ("scsi: ibmvscsi: add vscsi hosts to global list_head")
Cc:  # v4.10+
Signed-off-by: Tyrel Datwyler 
Signed-off-by: Martin K. Petersen 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/scsi/ibmvscsi/ibmvscsi.c |5 +
 1 file changed, 5 insertions(+)

--- a/drivers/scsi/ibmvscsi/ibmvscsi.c
+++ b/drivers/scsi/ibmvscsi/ibmvscsi.c
@@ -96,6 +96,7 @@ static int client_reserve = 1;
 static char partition_name[96] = "UNKNOWN";
 static unsigned int partition_number = -1;
 static LIST_HEAD(ibmvscsi_head);
+static DEFINE_SPINLOCK(ibmvscsi_driver_lock);
 
 static struct scsi_transport_template *ibmvscsi_transport_template;
 
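Review bot: ibmvscsi_driver_lock is defined without a comment naming what it protects. It sits among several unrelated statics, so a one-line comment such as "protects ibmvscsi_head" above the DEFINE_SPINLOCK() would make the locking rule discoverable.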
@@ -2270,7 +2271,9 @@ static int ibmvscsi_probe(struct vio_dev
}
 
dev_set_drvdata(&vdev->dev, hostdata);
+   spin_lock(&ibmvscsi_driver_lock);
list_add_tail(&hostdata->host_list, &ibmvscsi_head);
+   spin_unlock(&ibmvscsi_driver_lock);
return 0;
 
   add_srp_port_failed:
@@ -2292,7 +2295,9 @@ static int ibmvscsi_probe(struct vio_dev
 static int ibmvscsi_remove(struct vio_dev *vdev)
 {
struct ibmvscsi_host_data *hostdata = dev_get_drvdata(&vdev->dev);
+   spin_lock(&ibmvscsi_driver_lock);
list_del(&hostdata->host_list);
+   spin_unlock(&ibmvscsi_driver_lock);
unmap_persist_bufs(hostdata);
release_event_pool(&hostdata->pool, hostdata);
ibmvscsi_release_crq_queue(&hostdata->queue, hostdata,
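Review bot: Only the list_add_tail() and list_del() calls take ibmvscsi_driver_lock in this patch (five added lines in total), so any code that walks ibmvscsi_head is still unprotected against the list_del() in this hunk. Please convert the list walkers to take the same lock, or explain in the changelog why none can run concurrently with probe and remove. If a walker can run in interrupt context, the plain spin_lock() used here would also need to become the irqsave variant.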




[PATCH 5.0 31/52] ALSA: hda - Dont trigger jackpoll_work in azx_resume

2019-03-25 Thread Greg Kroah-Hartman
5.0-stable review patch.  If anyone has any objections, please let me know.

--

From: Hui Wang 

commit 744c67ffeb06f2d2493f4049ba0bd19698ce0adf upstream.

The commit 3baffc4a84d7 (ALSA: hda/intel: Refactoring PM code) changed
the behaviour of azx_resume(), it triggers the jackpoll_work after
applying this commit.

This change introduced a new issue, all codecs are runtime active
after S3, and will not call runtime_suspend() automatically.

The root cause is the jackpoll_work calls snd_hda_power_up/down_pm,
and it calls up_pm before snd_hdac_enter_pm is called, while calls
the down_pm in the middle of enter_pm and leave_pm is called. This
makes the dev->power.usage_count unbalanced after S3.

To fix it, let azx_resume() don't trigger jackpoll_work as before
it did.

Fixes: 3baffc4a84d7 ("ALSA: hda/intel: Refactoring PM code")
Signed-off-by: Hui Wang 
Signed-off-by: Takashi Iwai 
Signed-off-by: Greg Kroah-Hartman 

---
 sound/pci/hda/hda_intel.c |8 
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/sound/pci/hda/hda_intel.c
+++ b/sound/pci/hda/hda_intel.c
@@ -947,7 +947,7 @@ static void __azx_runtime_suspend(struct
display_power(chip, false);
 }
 
-static void __azx_runtime_resume(struct azx *chip)
+static void __azx_runtime_resume(struct azx *chip, bool from_rt)
 {
struct hda_intel *hda = container_of(chip, struct hda_intel, chip);
struct hdac_bus *bus = azx_bus(chip);
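Review bot: The new `bool from_rt` parameter is undocumented and its name does not say what it changes. A comment above __azx_runtime_resume() stating that from_rt is true for runtime resume and false for system resume, and that it gates the jackpoll_work scheduling, would save readers from tracing both callers.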
@@ -964,7 +964,7 @@ static void __azx_runtime_resume(struct
azx_init_pci(chip);
hda_intel_init_chip(chip, true);
 
-   if (status) {
+   if (status && from_rt) {
list_for_each_codec(codec, &chip->bus)
if (status & (1 << codec->addr))
schedule_delayed_work(&codec->jackpoll_work,
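Review bot: `if (status && from_rt)` skips jack polling on system resume with no explanation at the test. A short comment giving the reason from the changelog (jackpoll_work calls snd_hda_power_up/down_pm around snd_hdac_enter_pm and leaves the usage count unbalanced after S3) would stop someone from removing the extra condition later.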
@@ -1016,7 +1016,7 @@ static int azx_resume(struct device *dev
chip->msi = 0;
if (azx_acquire_irq(chip, 1) < 0)
return -EIO;
-   __azx_runtime_resume(chip);
+   __azx_runtime_resume(chip, false);
snd_power_change_state(card, SNDRV_CTL_POWER_D0);
 
trace_azx_resume(chip);
@@ -1081,7 +1081,7 @@ static int azx_runtime_resume(struct dev
chip = card->private_data;
if (!azx_has_pm_runtime(chip))
return 0;
-   __azx_runtime_resume(chip);
+   __azx_runtime_resume(chip, true);
 
/* disable controller Wake Up event*/
azx_writew(chip, WAKEEN, azx_readw(chip, WAKEEN) &




[PATCH 5.0 35/52] ext4: brelse all indirect buffer in ext4_ind_remove_space()

2019-03-25 Thread Greg Kroah-Hartman
5.0-stable review patch.  If anyone has any objections, please let me know.

--

From: zhangyi (F) 

commit 674a2b27234d1b7afcb0a9162e81b2e53aeef217 upstream.

All indirect buffers get by ext4_find_shared() should be released no
matter the branch should be freed or not. But now, we forget to release
the lower depth indirect buffers when removing space from the same
higher depth indirect block. It will lead to buffer leak and furthermore,
it may lead to quota information corruption when using old quota,
consider the following case.

 - Create and mount an empty ext4 filesystem without extent and quota
   features,
 - quotacheck and enable the user & group quota,
 - Create some files and write some data to them, and then punch hole
   to some files of them, it may trigger the buffer leak problem
   mentioned above.
 - Disable quota and run quotacheck again, it will create two new
   aquota files and write the checked quota information to them, which
   probably may reuse the freed indirect block(the buffer and page
   cache was not freed) as data block.
 - Enable quota again, it will invoke
   vfs_load_quota_inode()->invalidate_bdev() to try to clean unused
   buffers and pagecache. Unfortunately, because of the buffer of quota
   data block is still referenced, quota code cannot read the up to date
   quota info from the device and lead to quota information corruption.

This problem can be reproduced by xfstests generic/231 on ext3 file
system or ext4 file system without extent and quota features.

This patch fixes this problem by releasing the missing indirect buffers,
in ext4_ind_remove_space().

Reported-by: Hulk Robot 
Signed-off-by: zhangyi (F) 
Signed-off-by: Theodore Ts'o 
Reviewed-by: Jan Kara 
Cc: sta...@kernel.org
Signed-off-by: Greg Kroah-Hartman 

---
 fs/ext4/indirect.c |   12 
 1 file changed, 8 insertions(+), 4 deletions(-)

--- a/fs/ext4/indirect.c
+++ b/fs/ext4/indirect.c
@@ -1387,10 +1387,14 @@ end_range:
   partial->p + 1,
   partial2->p,
   (chain+n-1) - partial);
-   BUFFER_TRACE(partial->bh, "call brelse");
-   brelse(partial->bh);
-   BUFFER_TRACE(partial2->bh, "call brelse");
-   brelse(partial2->bh);
+   while (partial > chain) {
+   BUFFER_TRACE(partial->bh, "call brelse");
+   brelse(partial->bh);
+   }
+   while (partial2 > chain2) {
+   BUFFER_TRACE(partial2->bh, "call brelse");
+   brelse(partial2->bh);
+   }
return 0;
}
 
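Review bot: Neither added loop changes its loop variable: `while (partial > chain)` and `while (partial2 > chain2)` only call BUFFER_TRACE() and brelse(), so once either condition is true the loop never exits and keeps dropping a reference on the same buffer. Each body needs a `partial--;` (respectively `partial2--;`) after the brelse() so the walk moves down toward `chain` and `chain2`.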




[PATCH 5.0 29/52] clocksource/drivers/riscv: Fix clocksource mask

2019-03-25 Thread Greg Kroah-Hartman
5.0-stable review patch.  If anyone has any objections, please let me know.

--

From: Atish Patra 

commit 32d0be018f6f5ee2d5d19c4795304613560814cf upstream.

For all riscv architectures (RV32, RV64 and RV128), the clocksource
is a 64 bit incrementing counter.

Fix the clock source mask accordingly.

Tested on both 64bit and 32 bit virt machine in QEMU.

Fixes: 62b019436814 ("clocksource: new RISC-V SBI timer driver")
Signed-off-by: Atish Patra 
Signed-off-by: Thomas Gleixner 
Reviewed-by: Anup Patel 
Cc: Albert Ou 
Cc: Daniel Lezcano 
Cc: linux-ri...@lists.infradead.org
Cc: Palmer Dabbelt 
Cc: Anup Patel 
Cc: Damien Le Moal 
Cc: sta...@vger.kernel.org
Link: https://lkml.kernel.org/r/20190322215411.19362-1-atish.pa...@wdc.com
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/clocksource/timer-riscv.c |5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

--- a/drivers/clocksource/timer-riscv.c
+++ b/drivers/clocksource/timer-riscv.c
@@ -58,7 +58,7 @@ static u64 riscv_sched_clock(void)
 static DEFINE_PER_CPU(struct clocksource, riscv_clocksource) = {
.name   = "riscv_clocksource",
.rating = 300,
-   .mask   = CLOCKSOURCE_MASK(BITS_PER_LONG),
+   .mask   = CLOCKSOURCE_MASK(64),
.flags  = CLOCK_SOURCE_IS_CONTINUOUS,
.read   = riscv_clocksource_rdtime,
 };
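Review bot: With `.mask` widened to CLOCKSOURCE_MASK(64), `.read = riscv_clocksource_rdtime` has to return a consistent full 64-bit value on 32-bit builds as well, where BITS_PER_LONG used to limit the mask. Please confirm the read helper does that, and consider a comment next to the literal 64 stating that the counter is 64 bits wide on every RISC-V variant, since the same constant is repeated in the sched_clock_register() call.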
@@ -103,8 +103,7 @@ static int __init riscv_timer_init_dt(st
cs = per_cpu_ptr(&riscv_clocksource, cpuid);
clocksource_register_hz(cs, riscv_timebase);
 
-   sched_clock_register(riscv_sched_clock,
-   BITS_PER_LONG, riscv_timebase);
+   sched_clock_register(riscv_sched_clock, 64, riscv_timebase);
 
error = cpuhp_setup_state(CPUHP_AP_RISCV_TIMER_STARTING,
 "clockevents/riscv/timer:starting",




[PATCH 5.0 18/52] powerpc/security: Fix spectre_v2 reporting

2019-03-25 Thread Greg Kroah-Hartman
5.0-stable review patch.  If anyone has any objections, please let me know.

--

From: Michael Ellerman 

commit 92edf8df0ff2ae86cc632eeca0e651fd8431d40d upstream.

When I updated the spectre_v2 reporting to handle software count cache
flush I got the logic wrong when there's no software count cache
enabled at all.

The result is that on systems with the software count cache flush
disabled we print:

  Mitigation: Indirect branch cache disabled, Software count cache flush

Which correctly indicates that the count cache is disabled, but
incorrectly says the software count cache flush is enabled.

The root of the problem is that we are trying to handle all
combinations of options. But we know now that we only expect to see
the software count cache flush enabled if the other options are false.

So split the two cases, which simplifies the logic and fixes the bug.
We were also missing a space before "(hardware accelerated)".

The result is we see one of:

  Mitigation: Indirect branch serialisation (kernel only)
  Mitigation: Indirect branch cache disabled
  Mitigation: Software count cache flush
  Mitigation: Software count cache flush (hardware accelerated)

Fixes: ee13cb249fab ("powerpc/64s: Add support for software count cache flush")
Cc: sta...@vger.kernel.org # v4.19+
Signed-off-by: Michael Ellerman 
Reviewed-by: Michael Neuling 
Reviewed-by: Diana Craciun 
Signed-off-by: Michael Ellerman 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/powerpc/kernel/security.c |   23 ---
 1 file changed, 8 insertions(+), 15 deletions(-)

--- a/arch/powerpc/kernel/security.c
+++ b/arch/powerpc/kernel/security.c
@@ -190,29 +190,22 @@ ssize_t cpu_show_spectre_v2(struct devic
bcs = security_ftr_enabled(SEC_FTR_BCCTRL_SERIALISED);
ccd = security_ftr_enabled(SEC_FTR_COUNT_CACHE_DISABLED);
 
-   if (bcs || ccd || count_cache_flush_type != COUNT_CACHE_FLUSH_NONE) {
-   bool comma = false;
+   if (bcs || ccd) {
seq_buf_printf(&s, "Mitigation: ");
 
-   if (bcs) {
+   if (bcs)
seq_buf_printf(&s, "Indirect branch serialisation 
(kernel only)");
-   comma = true;
-   }
 
-   if (ccd) {
-   if (comma)
-   seq_buf_printf(&s, ", ");
-   seq_buf_printf(&s, "Indirect branch cache disabled");
-   comma = true;
-   }
-
-   if (comma)
+   if (bcs && ccd)
seq_buf_printf(&s, ", ");
 
-   seq_buf_printf(&s, "Software count cache flush");
+   if (ccd)
+   seq_buf_printf(&s, "Indirect branch cache disabled");
+   } else if (count_cache_flush_type != COUNT_CACHE_FLUSH_NONE) {
+   seq_buf_printf(&s, "Mitigation: Software count cache flush");
 
if (count_cache_flush_type == COUNT_CACHE_FLUSH_HW)
-   seq_buf_printf(&s, "(hardware accelerated)");
+   seq_buf_printf(&s, " (hardware accelerated)");
} else if (btb_flush_enabled) {
seq_buf_printf(&s, "Mitigation: Branch predictor state flush");
} else {
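Review bot: After this change the software count cache flush is no longer reported when `bcs || ccd` is true, even if count_cache_flush_type is not COUNT_CACHE_FLUSH_NONE. The changelog says that combination is not expected, but the code does not record the assumption; a comment on the `else if (count_cache_flush_type != COUNT_CACHE_FLUSH_NONE)` branch would keep the reported mitigation string from silently under-reporting if the combination ever appears.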




[PATCH 5.0 30/52] SMB3: Fix SMB3.1.1 guest mounts to Samba

2019-03-25 Thread Greg Kroah-Hartman
5.0-stable review patch.  If anyone has any objections, please let me know.

--

From: Steve French 

commit 8c11a607d1d9cd6e7f01fd6b03923597fb0ef95a upstream.

Workaround problem with Samba responses to SMB3.1.1
null user (guest) mounts.  The server doesn't set the
expected flag in the session setup response so we have
to do a similar check to what is done in smb3_validate_negotiate
where we also check if the user is a null user (but not sec=krb5
since username might not be passed in on mount for Kerberos case).

Note that the commit below tightened the conditions and forced signing
for the SMB2-TreeConnect commands as per MS-SMB2.
However, this should only apply to normal user sessions and not for
cases where there is no user (even if server forgets to set the flag
in the response) since we don't have anything useful to sign with.
This is especially important now that the more secure SMB3.1.1 protocol
is in the default dialect list.

An earlier patch ("cifs: allow guest mounts to work for smb3.11") fixed
the guest mounts to Windows.

Fixes: 6188f28bf608 ("Tree connect for SMB3.1.1 must be signed for non-encrypted shares")

Reviewed-by: Ronnie Sahlberg 
Reviewed-by: Paulo Alcantara 
CC: Stable 
Signed-off-by: Steve French 
Signed-off-by: Greg Kroah-Hartman 

---
 fs/cifs/smb2pdu.c |5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -1608,10 +1608,13 @@ SMB2_tcon(const unsigned int xid, struct
/*
 * 3.11 tcon req must be signed if not encrypted. See MS-SMB2 3.2.4.1.1
 * unless it is guest or anonymous user. See MS-SMB2 3.2.5.3.1
+* (Samba servers don't always set the flag so also check if null user)
 */
if ((ses->server->dialect == SMB311_PROT_ID) &&
!smb3_encryption_required(tcon) &&
-   !(ses->session_flags & 
(SMB2_SESSION_FLAG_IS_GUEST|SMB2_SESSION_FLAG_IS_NULL)))
+   !(ses->session_flags &
+   (SMB2_SESSION_FLAG_IS_GUEST|SMB2_SESSION_FLAG_IS_NULL)) &&
+   ((ses->user_name != NULL) || (ses->sectype == Kerberos)))
req->sync_hdr.Flags |= SMB2_FLAGS_SIGNED;
 
memset(&rqst, 0, sizeof(struct smb_rqst));
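Review bot: The added `(ses->user_name != NULL) || (ses->sectype == Kerberos)` term drops the signing requirement on a client-side inference that the session is a null user, regardless of what the server reported. Please make sure this cannot apply to a mount where credentials were expected but user_name ended up NULL for another reason. The condition now spans five lines; moving the null-user test into a small helper shared with the similar check the changelog mentions in smb3_validate_negotiate would keep the two from drifting apart.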




[PATCH 5.0 33/52] ext4: fix NULL pointer dereference while journal is aborted

2019-03-25 Thread Greg Kroah-Hartman
5.0-stable review patch.  If anyone has any objections, please let me know.

--

From: Jiufei Xue 

commit fa30dde38aa8628c73a6dded7cb0bba38c27b576 upstream.

We see the following NULL pointer dereference while running xfstests
generic/475:
BUG: unable to handle kernel NULL pointer dereference at 0008
PGD 800c84bad067 P4D 800c84bad067 PUD c84e62067 PMD 0
Oops:  [#1] SMP PTI
CPU: 7 PID: 9886 Comm: fsstress Kdump: loaded Not tainted 5.0.0-rc8 #10
RIP: 0010:ext4_do_update_inode+0x4ec/0x760
...
Call Trace:
? jbd2_journal_get_write_access+0x42/0x50
? __ext4_journal_get_write_access+0x2c/0x70
? ext4_truncate+0x186/0x3f0
ext4_mark_iloc_dirty+0x61/0x80
ext4_mark_inode_dirty+0x62/0x1b0
ext4_truncate+0x186/0x3f0
? unmap_mapping_pages+0x56/0x100
ext4_setattr+0x817/0x8b0
notify_change+0x1df/0x430
do_truncate+0x5e/0x90
? generic_permission+0x12b/0x1a0

This is triggered because the NULL pointer handle->h_transaction was
dereferenced in function ext4_update_inode_fsync_trans().
I found that the h_transaction was set to NULL in jbd2__journal_restart
but failed to attach to a new transaction while the journal is aborted.

Fix this by checking the handle before updating the inode.

Fixes: b436b9bef84d ("ext4: Wait for proper transaction commit on fsync")
Signed-off-by: Jiufei Xue 
Signed-off-by: Theodore Ts'o 
Reviewed-by: Joseph Qi 
Cc: sta...@kernel.org
Signed-off-by: Greg Kroah-Hartman 

---
 fs/ext4/ext4_jbd2.h |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/ext4/ext4_jbd2.h
+++ b/fs/ext4/ext4_jbd2.h
@@ -384,7 +384,7 @@ static inline void ext4_update_inode_fsy
 {
struct ext4_inode_info *ei = EXT4_I(inode);
 
-   if (ext4_handle_valid(handle)) {
+   if (ext4_handle_valid(handle) && !is_handle_aborted(handle)) {
ei->i_sync_tid = handle->h_transaction->t_tid;
if (datasync)
ei->i_datasync_tid = handle->h_transaction->t_tid;
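Review bot: The guard protects the two `handle->h_transaction->t_tid` dereferences only indirectly, through is_handle_aborted(), while the changelog describes the failure as h_transaction being NULL after a failed restart. A comment at the `if` stating that an aborted handle may have a NULL h_transaction would make the link explicit, and it is worth noting for callers that i_sync_tid and i_datasync_tid are left unchanged in that case.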




[PATCH 5.0 28/52] irqchip/gic-v3-its: Fix comparison logic in lpi_range_cmp

2019-03-25 Thread Greg Kroah-Hartman
5.0-stable review patch.  If anyone has any objections, please let me know.

--

From: Rasmus Villemoes 

commit 89dc891792c2e046b030f87600109c22209da32e upstream.

The lpi_range_list is supposed to be sorted in ascending order of
->base_id (at least if the range merging is to work), but the current
comparison function returns a positive value if rb->base_id >
ra->base_id, which means that list_sort() will put A after B in that
case - and vice versa, of course.

Fixes: 880cb3cddd16 (irqchip/gic-v3-its: Refactor LPI allocator)
Cc: sta...@vger.kernel.org (v4.19+)
Signed-off-by: Rasmus Villemoes 
Signed-off-by: Marc Zyngier 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/irqchip/irq-gic-v3-its.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/irqchip/irq-gic-v3-its.c
+++ b/drivers/irqchip/irq-gic-v3-its.c
@@ -1482,7 +1482,7 @@ static int lpi_range_cmp(void *priv, str
ra = container_of(a, struct lpi_range, entry);
rb = container_of(b, struct lpi_range, entry);
 
-   return rb->base_id - ra->base_id;
+   return ra->base_id - rb->base_id;
 }
 
 static void merge_lpi_ranges(void)
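Review bot: Returning `ra->base_id - rb->base_id` fixes the sort direction, but a subtraction-based comparator returns the wrong sign when the difference does not fit in an int, which can happen if base_id is unsigned and the two values are far apart. An explicit three-way comparison (return -1, 0 or 1 from `<` and `>` tests) avoids that. A one-line comment that list_sort() places a after b on a positive result would also document the intended ascending order.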




[PATCH 5.0 34/52] ext4: fix data corruption caused by unaligned direct AIO

2019-03-25 Thread Greg Kroah-Hartman
5.0-stable review patch.  If anyone has any objections, please let me know.

--

From: Lukas Czerner 

commit 372a03e01853f860560eade508794dd274e9b390 upstream.

Ext4 needs to serialize unaligned direct AIO because the zeroing of
partial blocks of two competing unaligned AIOs can result in data
corruption.

However it decides not to serialize if the potentially unaligned aio is
past i_size with the rationale that no pending writes are possible past
i_size. Unfortunately if the i_size is not block aligned and the second
unaligned write lands past i_size, but still into the same block, it has
the potential of corrupting the previous unaligned write to the same
block.

This is a (very simplified) reproducer from Frank

// 41472 = (10 * 4096) + 512
// 37376 = 41472 - 4096

ftruncate(fd, 41472);
io_prep_pwrite(iocbs[0], fd, buf[0], 4096, 37376);
io_prep_pwrite(iocbs[1], fd, buf[1], 4096, 41472);

io_submit(io_ctx, 1, &iocbs[0]);
io_submit(io_ctx, 1, &iocbs[1]);

io_getevents(io_ctx, 2, 2, events, NULL);

Without this patch the 512B range from 40960 up to the start of the
second unaligned write (41472) is going to be zeroed overwriting the data
written by the first write. This is a data corruption.

  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
*
9200  30 30 30 30 30 30 30 30  30 30 30 30 30 30 30 30
*
a000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
*
a200  31 31 31 31 31 31 31 31  31 31 31 31 31 31 31 31

With this patch the data corruption is avoided because we will recognize
the unaligned_aio and wait for the unwritten extent conversion.

  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
*
9200  30 30 30 30 30 30 30 30  30 30 30 30 30 30 30 30
*
a200  31 31 31 31 31 31 31 31  31 31 31 31 31 31 31 31
*
b200

Reported-by: Frank Sorenson 
Signed-off-by: Lukas Czerner 
Signed-off-by: Theodore Ts'o 
Fixes: e9e3bcecf44c ("ext4: serialize unaligned asynchronous DIO")
Cc: sta...@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman 

---
 fs/ext4/file.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/ext4/file.c
+++ b/fs/ext4/file.c
@@ -125,7 +125,7 @@ ext4_unaligned_aio(struct inode *inode,
struct super_block *sb = inode->i_sb;
int blockmask = sb->s_blocksize - 1;
 
-   if (pos >= i_size_read(inode))
+   if (pos >= ALIGN(i_size_read(inode), sb->s_blocksize))
return 0;
 
if ((pos | iov_iter_alignment(from)) & blockmask)
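Review bot: The switch to `ALIGN(i_size_read(inode), sb->s_blocksize)` has no comment, and the reason is not obvious from the code: a write that starts at or past i_size can still land in the block that contains i_size. Please add a comment above the test saying that only writes starting beyond the last block of the file may skip serialization.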


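The serialization decision described in the changelog above, modelled in user space with the reproducer's offsets. This is an added example, not kernel code: `must_serialize()`, `race_possible()` and `shares_block()` are hypothetical helpers, and the model assumes a block-aligned user buffer so that only `pos` and `len` stand in for `iov_iter_alignment()`.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Round x up to the next multiple of a (a is a power of two), like ALIGN(). */
static uint64_t align_up(uint64_t x, uint64_t a)
{
	return (x + a - 1) & ~(a - 1);
}

/* A write is unaligned when its offset or length is not a block multiple. */
static int is_unaligned(uint64_t pos, uint64_t len, uint64_t blocksize)
{
	return ((pos | len) & (blocksize - 1)) != 0;
}

/*
 * Model of the early-exit test: returns 1 when the write is treated as an
 * unaligned AIO that must be serialized. patched == 0 compares pos against
 * i_size, patched == 1 against i_size rounded up to a block boundary.
 */
static int must_serialize(uint64_t pos, uint64_t len, uint64_t i_size,
			  uint64_t blocksize, int patched)
{
	uint64_t limit = patched ? align_up(i_size, blocksize) : i_size;

	if (pos >= limit)
		return 0;	/* assumed to have no competing write */
	return is_unaligned(pos, len, blocksize);
}

/* 1 if the two byte ranges touch at least one common filesystem block. */
static int shares_block(uint64_t pos_a, uint64_t len_a,
			uint64_t pos_b, uint64_t len_b, uint64_t blocksize)
{
	uint64_t first_a = pos_a / blocksize;
	uint64_t last_a = (pos_a + len_a - 1) / blocksize;
	uint64_t first_b = pos_b / blocksize;
	uint64_t last_b = (pos_b + len_b - 1) / blocksize;

	return first_a <= last_b && first_b <= last_a;
}

/*
 * Two unaligned writes into a shared block can corrupt each other's partial
 * block zeroing unless both are serialized.
 */
static int race_possible(uint64_t pos_a, uint64_t len_a,
			 uint64_t pos_b, uint64_t len_b,
			 uint64_t i_size, uint64_t blocksize, int patched)
{
	if (!shares_block(pos_a, len_a, pos_b, len_b, blocksize))
		return 0;
	if (!is_unaligned(pos_a, len_a, blocksize) ||
	    !is_unaligned(pos_b, len_b, blocksize))
		return 0;
	return !must_serialize(pos_a, len_a, i_size, blocksize, patched) ||
	       !must_serialize(pos_b, len_b, i_size, blocksize, patched);
}

int main(void)
{
	/* Values from the reproducer: 4096-byte blocks, i_size = 10*4096 + 512. */
	const uint64_t bs = 4096, i_size = 41472;
	const uint64_t pos0 = 37376, pos1 = 41472, len = 4096;
	int patched;

	for (patched = 0; patched <= 1; patched++) {
		printf("%s: limit=%" PRIu64 " write0=%d write1=%d race=%d\n",
		       patched ? "patched" : "original",
		       patched ? align_up(i_size, bs) : i_size,
		       must_serialize(pos0, len, i_size, bs, patched),
		       must_serialize(pos1, len, i_size, bs, patched),
		       race_possible(pos0, len, pos1, len, i_size, bs, patched));
	}
	return 0;
}
```

The second write starts exactly at i_size, which is why the unpatched comparison lets it through even though it shares block 10 with the first write.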


[PATCH 5.0 27/52] objtool: Move objtool_file struct off the stack

2019-03-25 Thread Greg Kroah-Hartman
5.0-stable review patch.  If anyone has any objections, please let me know.

--

From: Josh Poimboeuf 

commit 0c671812f152b628bd87c0af49da032cc2a2c319 upstream.

Objtool uses over 512k of stack, thanks to the hash table embedded in
the objtool_file struct.  This causes an unnecessarily large stack
allocation and breaks users with low stack limits.

Move the struct off the stack.

Fixes: 042ba73fe7eb ("objtool: Add several performance improvements")
Reported-by: Vassili Karpov 
Signed-off-by: Josh Poimboeuf 
Signed-off-by: Thomas Gleixner 
Cc: Peter Zijlstra 
Cc: sta...@vger.kernel.org
Link: https://lkml.kernel.org/r/df92dcbc4b84b02ffa252f46876df125fb56e2d7.1552954176.git.jpoim...@redhat.com
Signed-off-by: Greg Kroah-Hartman 

---
 tools/objtool/check.c |3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/tools/objtool/check.c
+++ b/tools/objtool/check.c
@@ -2184,9 +2184,10 @@ static void cleanup(struct objtool_file
elf_close(file->elf);
 }
 
+static struct objtool_file file;
+
 int check(const char *_objname, bool orc)
 {
-   struct objtool_file file;
int ret, warnings = 0;
 
objname = _objname;
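Review bot: Making `file` a file-scope static means it is zero-initialised once and then keeps its contents between calls, so check() is no longer re-entrant and a second call in the same process would start from stale state. If check() is only ever called once per run that is fine, but please say so in a comment at the declaration, or clear the struct at the top of check().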




[PATCH 5.0 19/52] net/mlx5: Fix DCT creation bad flow

2019-03-25 Thread Greg Kroah-Hartman
5.0-stable review patch.  If anyone has any objections, please let me know.

--

From: Yishai Hadas 

commit f84b66b9cce78e8f9d38204fdaa75f07c75f4911 upstream.

In case the DCT creation command has succeeded a DRAIN must be issued
before calling DESTROY.

In addition, the original code used the wrong parameter for the DESTROY
command, 'in' instead of 'din', which caused another creation try instead
of destroying.

Cc:  # 4.15
Fixes: 57cda166bbe0 ("net/mlx5: Add DCT command interface")
Signed-off-by: Yishai Hadas 
Reviewed-by: Artemy Kovalyov 
Signed-off-by: Leon Romanovsky 
Signed-off-by: Jason Gunthorpe 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/net/ethernet/mellanox/mlx5/core/qp.c |   66 ++-
 1 file changed, 36 insertions(+), 30 deletions(-)

--- a/drivers/net/ethernet/mellanox/mlx5/core/qp.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/qp.c
@@ -40,6 +40,9 @@
 #include "mlx5_core.h"
 #include "lib/eq.h"
 
+static int mlx5_core_drain_dct(struct mlx5_core_dev *dev,
+  struct mlx5_core_dct *dct);
+
 static struct mlx5_core_rsc_common *
 mlx5_get_rsc(struct mlx5_qp_table *table, u32 rsn)
 {
@@ -227,13 +230,42 @@ static void destroy_resource_common(stru
wait_for_completion(&qp->common.free);
 }
 
+static int _mlx5_core_destroy_dct(struct mlx5_core_dev *dev,
+ struct mlx5_core_dct *dct, bool need_cleanup)
+{
+   u32 out[MLX5_ST_SZ_DW(destroy_dct_out)] = {0};
+   u32 in[MLX5_ST_SZ_DW(destroy_dct_in)]   = {0};
+   struct mlx5_core_qp *qp = &dct->mqp;
+   int err;
+
+   err = mlx5_core_drain_dct(dev, dct);
+   if (err) {
+   if (dev->state == MLX5_DEVICE_STATE_INTERNAL_ERROR) {
+   goto destroy;
+   } else {
+   mlx5_core_warn(
+   dev, "failed drain DCT 0x%x with error 0x%x\n",
+   qp->qpn, err);
+   return err;
+   }
+   }
+   wait_for_completion(&dct->drained);
+destroy:
+   if (need_cleanup)
+   destroy_resource_common(dev, &dct->mqp);
+   MLX5_SET(destroy_dct_in, in, opcode, MLX5_CMD_OP_DESTROY_DCT);
+   MLX5_SET(destroy_dct_in, in, dctn, qp->qpn);
+   MLX5_SET(destroy_dct_in, in, uid, qp->uid);
+   err = mlx5_cmd_exec(dev, (void *)&in, sizeof(in),
+   (void *)&out, sizeof(out));
+   return err;
+}
+
 int mlx5_core_create_dct(struct mlx5_core_dev *dev,
 struct mlx5_core_dct *dct,
 u32 *in, int inlen)
 {
u32 out[MLX5_ST_SZ_DW(create_dct_out)]   = {0};
-   u32 din[MLX5_ST_SZ_DW(destroy_dct_in)]   = {0};
-   u32 dout[MLX5_ST_SZ_DW(destroy_dct_out)] = {0};
struct mlx5_core_qp *qp = &dct->mqp;
int err;
 
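Review bot: the unbounded wait_for_completion(&dct->drained) in _mlx5_core_destroy_dct() is now also reached from the create error path, where need_cleanup is false and destroy_resource_common() is skipped, and nothing in this hunk says what completes dct->drained in that case. A comment on the helper stating what need_cleanup means and why the drained completion is guaranteed on both paths would help. Separately, the else after goto destroy is redundant and can be dropped to lose one indent level.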
@@ -254,11 +286,7 @@ int mlx5_core_create_dct(struct mlx5_cor
 
return 0;
 err_cmd:
-   MLX5_SET(destroy_dct_in, din, opcode, MLX5_CMD_OP_DESTROY_DCT);
-   MLX5_SET(destroy_dct_in, din, dctn, qp->qpn);
-   MLX5_SET(destroy_dct_in, din, uid, qp->uid);
-   mlx5_cmd_exec(dev, (void *)&in, sizeof(din),
- (void *)&out, sizeof(dout));
+   _mlx5_core_destroy_dct(dev, dct, false);
return err;
 }
 EXPORT_SYMBOL_GPL(mlx5_core_create_dct);
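Review bot: at err_cmd the return value of _mlx5_core_destroy_dct() is discarded, yet the helper returns before issuing MLX5_CMD_OP_DESTROY_DCT when the drain fails and the device is not in MLX5_DEVICE_STATE_INTERNAL_ERROR. On that path the DCT just created stays allocated and the caller only sees the original err. Either note in a comment that the warning printed by the helper is the only trace of this, or fall through to DESTROY when called from the create error path.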
@@ -323,29 +351,7 @@ static int mlx5_core_drain_dct(struct ml
 int mlx5_core_destroy_dct(struct mlx5_core_dev *dev,
  struct mlx5_core_dct *dct)
 {
-   u32 out[MLX5_ST_SZ_DW(destroy_dct_out)] = {0};
-   u32 in[MLX5_ST_SZ_DW(destroy_dct_in)]   = {0};
-   struct mlx5_core_qp *qp = &dct->mqp;
-   int err;
-
-   err = mlx5_core_drain_dct(dev, dct);
-   if (err) {
-   if (dev->state == MLX5_DEVICE_STATE_INTERNAL_ERROR) {
-   goto destroy;
-   } else {
-   mlx5_core_warn(dev, "failed drain DCT 0x%x with error 
0x%x\n", qp->qpn, err);
-   return err;
-   }
-   }
-   wait_for_completion(&dct->drained);
-destroy:
-   destroy_resource_common(dev, &dct->mqp);
-   MLX5_SET(destroy_dct_in, in, opcode, MLX5_CMD_OP_DESTROY_DCT);
-   MLX5_SET(destroy_dct_in, in, dctn, qp->qpn);
-   MLX5_SET(destroy_dct_in, in, uid, qp->uid);
-   err = mlx5_cmd_exec(dev, (void *)&in, sizeof(in),
-   (void *)&out, sizeof(out));
-   return err;
+   return _mlx5_core_destroy_dct(dev, dct, true);
 }
 EXPORT_SYMBOL_GPL(mlx5_core_destroy_dct);
 




[PATCH 5.0 08/52] drm/vmwgfx: Don't double-free the mode stored in par->set_mode

2019-03-25 Thread Greg Kroah-Hartman
5.0-stable review patch.  If anyone has any objections, please let me know.

--

From: Thomas Zimmermann 

commit c2d311553855395764e2e5bf401d987ba65c2056 upstream.

When calling vmw_fb_set_par(), the mode stored in par->set_mode gets free'd
twice. The first free is in vmw_fb_kms_detach(), the second is near the
end of vmw_fb_set_par() under the name of 'old_mode'. The mode-setting code
only works correctly if the mode doesn't actually change. Removing
'old_mode' in favor of using par->set_mode directly fixes the problem.

Cc: 
Fixes: a278724aa23c ("drm/vmwgfx: Implement fbdev on kms v2")
Signed-off-by: Thomas Zimmermann 
Reviewed-by: Deepak Rawat 
Signed-off-by: Thomas Hellstrom 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/gpu/drm/vmwgfx/vmwgfx_fb.c |   12 +++-
 1 file changed, 3 insertions(+), 9 deletions(-)

--- a/drivers/gpu/drm/vmwgfx/vmwgfx_fb.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_fb.c
@@ -564,11 +564,9 @@ static int vmw_fb_set_par(struct fb_info
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
DRM_MODE_FLAG_NHSYNC | DRM_MODE_FLAG_PVSYNC)
};
-   struct drm_display_mode *old_mode;
struct drm_display_mode *mode;
int ret;
 
-   old_mode = par->set_mode;
mode = drm_mode_duplicate(vmw_priv->dev, &new_mode);
if (!mode) {
DRM_ERROR("Could not create new fb mode.\n");
@@ -579,11 +577,7 @@ static int vmw_fb_set_par(struct fb_info
mode->vdisplay = var->yres;
vmw_guess_mode_timing(mode);
 
-   if (old_mode && drm_mode_equal(old_mode, mode)) {
-   drm_mode_destroy(vmw_priv->dev, mode);
-   mode = old_mode;
-   old_mode = NULL;
-   } else if (!vmw_kms_validate_mode_vram(vmw_priv,
+   if (!vmw_kms_validate_mode_vram(vmw_priv,
mode->hdisplay *
DIV_ROUND_UP(var->bits_per_pixel, 8),
mode->vdisplay)) {
@@ -620,8 +614,8 @@ static int vmw_fb_set_par(struct fb_info
schedule_delayed_work(&par->local_work, 0);
 
 out_unlock:
-   if (old_mode)
-   drm_mode_destroy(vmw_priv->dev, old_mode);
+   if (par->set_mode)
+   drm_mode_destroy(vmw_priv->dev, par->set_mode);
par->set_mode = mode;
 
mutex_unlock(&par->bo_mutex);
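Review bot: at out_unlock the code now frees par->set_mode directly, so the fix relies on vmw_fb_kms_detach(), which the commit message names as the other place that frees this mode, leaving par->set_mode NULL afterwards; that is not visible in this patch. A one-line comment at out_unlock stating that ownership rule would make the dependency explicit. It is also worth confirming what value mode holds on the error paths that jump to out_unlock, since par->set_mode = mode runs unconditionally after the free.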




[PATCH 5.0 00/52] 5.0.5-stable review

2019-03-25 Thread Greg Kroah-Hartman
This is the start of the stable review cycle for the 5.0.5 release.
There are 52 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Thu Mar 28 04:26:38 UTC 2019.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:

https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.0.5-rc1.gz
or in the git tree and branch at:

git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git 
linux-5.0.y
and the diffstat can be found below.

thanks,

greg k-h

-
Pseudo-Shortlog of commits:

Greg Kroah-Hartman 
Linux 5.0.5-rc1

Hui Wang 
ALSA: hda - Enforces runtime_resume after S3 and S4 for each codec

Takashi Iwai 
ALSA: hda - Record the current power state before suspend/resume calls

Vlastimil Babka 
mm, mempolicy: fix uninit memory access

Waiman Long 
locking/lockdep: Add debug_locks check in __lock_downgrade()

Jann Horn 
x86/unwind: Add hardcoded ORC entry for NULL

Jann Horn 
x86/unwind: Handle NULL pointer calls better in frame unwinder

Dongli Zhang 
loop: access lo_backing_file only when the loop device is Lo_bound

Florian Westphal 
netfilter: ebtables: remove BUGPRINT messages

Linus Torvalds 
aio: simplify - and fix - fget/fput for io_submit()

Chao Yu 
f2fs: fix to avoid deadlock of atomic file operations

Myungho Jung 
RDMA/cma: Rollback source IP address if failing to acquire device

Tetsuo Handa 
drm/vkms: Fix flush_work() without INIT_WORK().

Kefeng Wang 
Bluetooth: hci_ldisc: Postpone HCI_UART_PROTO_READY bit set in 
hci_uart_set_proto()

Jeremy Cline 
Bluetooth: hci_ldisc: Initialize hci_dev before open()

Myungho Jung 
Bluetooth: Fix decrementing reference count twice in releasing socket

Myungho Jung 
Bluetooth: hci_uart: Check if socket buffer is ERR_PTR in h4_recv_buf()

Hans Verkuil 
media: v4l2-ctrls.c/uvc: zero v4l2_event

zhangyi (F) 
ext4: brelse all indirect buffer in ext4_ind_remove_space()

Lukas Czerner 
ext4: fix data corruption caused by unaligned direct AIO

Jiufei Xue 
ext4: fix NULL pointer dereference while journal is aborted

Takashi Iwai 
ALSA: ac97: Fix of-node refcount unbalance

Hui Wang 
ALSA: hda - Don't trigger jackpoll_work in azx_resume

Steve French 
SMB3: Fix SMB3.1.1 guest mounts to Samba

Atish Patra 
clocksource/drivers/riscv: Fix clocksource mask

Rasmus Villemoes 
irqchip/gic-v3-its: Fix comparison logic in lpi_range_cmp

Josh Poimboeuf 
objtool: Move objtool_file struct off the stack

Adrian Hunter 
perf probe: Fix getting the kernel map

Ronnie Sahlberg 
cifs: allow guest mounts to work for smb3.11

Chen Jie 
futex: Ensure that futex address is aligned in handle_futex_death()

Tyrel Datwyler 
scsi: ibmvscsi: Fix empty event pool access during host removal

Tyrel Datwyler 
scsi: ibmvscsi: Protect ibmvscsi_head from concurrent modificaiton

Quinn Tran 
scsi: qla2xxx: Fix FC-AL connection target discovery

Bart Van Assche 
scsi: core: Avoid that a kernel warning appears during system resume

Yishai Hadas 
net/mlx5: Fix DCT creation bad flow

Michael Ellerman 
powerpc/security: Fix spectre_v2 reporting

Michael Ellerman 
powerpc/vdso64: Fix CLOCK_MONOTONIC inconsistencies across Y2038

Archer Yan 
MIPS: Fix kernel crash for R6 in jump label branch function

Yasha Cherikovsky 
MIPS: Ensure ELF appended dtb is relocated

Yifeng Li 
mips: loongson64: lemote-2f: Add IRQF_NO_SUSPEND to "cascade" irqaction.

Jan Kara 
udf: Fix crash on IO error during truncate

Ilya Dryomov 
libceph: wait for latest osdmap in ceph_monc_blacklist_add()

Robert Richter 
iommu/iova: Fix tracking of recently failed iova address

Stanislaw Gruszka 
iommu/amd: fix sg->dma_address for sg->offset bigger than PAGE_SIZE

Deepak Rawat 
drm/vmwgfx: Return 0 when gmrid::get_node runs out of ID's

Thomas Zimmermann 
drm/vmwgfx: Don't double-free the mode stored in par->set_mode

Christian König 
drm/amdgpu: fix invalid use of change_bit

Wolfram Sang 
mmc: renesas_sdhi: limit block count to 16 bit for old revisions

Alexander Shiyan 
mmc: mxcmmc: "Revert mmc: mxcmmc: handle highmem pages"

Daniel Drake 
mmc: alcor: fix DMA reads

Arnd Bergmann 
mmc: pxamci: fix enum type confusion

Takashi Sakamoto 
ALSA: firewire-motu: use 'version' field of unit directory to identify model

Jaroslav Kysela 
ALSA: hda - add Lenovo IdeaCentre B550 to the power_save_blacklist


-

Diffstat:

 Makefile  |   4 +-
 arch/mips/include/asm/jump_label.h|   8 +-
 arch/mips/kernel/vmlinux.lds.S|  12 ++-
 arch/mips/loongson64/lemote-2f/irq.c  |   2 +-
 arch/powerpc/include/asm/vdso_datapage.h  |   8 +-
 arch/powerp

[PATCH 5.0 07/52] drm/amdgpu: fix invalid use of change_bit

2019-03-25 Thread Greg Kroah-Hartman
5.0-stable review patch.  If anyone has any objections, please let me know.

--

From: Christian König 

commit 72464382fc2d3673eb51f21a57f2c0a320c1552f upstream.

We only need to clear the bit in a 32bit integer.

This fixes a crash on ARM64 and PPC64LE caused by
"drm/amdgpu: update the vm invalidation engine layout V2"

Signed-off-by: Christian König 
Acked-by: Alex Deucher 
Cc: sta...@vger.kernel.org
Signed-off-by: Alex Deucher 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c
@@ -738,7 +738,7 @@ static int gmc_v9_0_allocate_vm_inv_eng(
}
 
ring->vm_inv_eng = inv_eng - 1;
-   change_bit(inv_eng - 1, (unsigned long *)(&vm_inv_engs[vmhub]));
+   vm_inv_engs[vmhub] &= ~(1 << ring->vm_inv_eng);
 
dev_info(adev->dev, "ring %s uses VM inv eng %u on hub %u\n",
 ring->name, ring->vm_inv_eng, ring->funcs->vmhub);
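Review bot: on the added line, 1 << ring->vm_inv_eng shifts a signed int, which is undefined if the engine index ever reaches 31; 1U << ring->vm_inv_eng avoids that. Note also that the removed change_bit() toggled the bit while the new line always clears it. That matches the commit message, but a short comment that the bit is expected to be set at this point would document the change in semantics.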




[PATCH 5.0 36/52] media: v4l2-ctrls.c/uvc: zero v4l2_event

2019-03-25 Thread Greg Kroah-Hartman
5.0-stable review patch.  If anyone has any objections, please let me know.

--

From: Hans Verkuil 

commit f45f3f753b0a3d739acda8e311b4f744d82dc52a upstream.

Control events can leak kernel memory since they do not fully zero the
event. The same code is present in both v4l2-ctrls.c and uvc_ctrl.c, so
fix both.

It appears that all other event code is properly zeroing the structure,
it's these two places.

Signed-off-by: Hans Verkuil 
Reported-by: syzbot+4f021cf3697781dbd...@syzkaller.appspotmail.com
Reviewed-by: Laurent Pinchart 
Signed-off-by: Mauro Carvalho Chehab 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/media/usb/uvc/uvc_ctrl.c |2 +-
 drivers/media/v4l2-core/v4l2-ctrls.c |2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/media/usb/uvc/uvc_ctrl.c
+++ b/drivers/media/usb/uvc/uvc_ctrl.c
@@ -1212,7 +1212,7 @@ static void uvc_ctrl_fill_event(struct u
 
__uvc_query_v4l2_ctrl(chain, ctrl, mapping, &v4l2_ctrl);
 
-   memset(ev->reserved, 0, sizeof(ev->reserved));
+   memset(ev, 0, sizeof(*ev));
ev->type = V4L2_EVENT_CTRL;
ev->id = v4l2_ctrl.id;
ev->u.ctrl.value = value;
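Review bot: the memset in uvc_ctrl_fill_event() now covers all of *ev, so it has to remain the first write to the event and any field a caller set beforehand is discarded. A one-line comment saying the struct is zeroed in full because, per the commit message, a partially initialised event leaks kernel memory would keep a later cleanup from narrowing it back to ev->reserved or moving an assignment above it.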
--- a/drivers/media/v4l2-core/v4l2-ctrls.c
+++ b/drivers/media/v4l2-core/v4l2-ctrls.c
@@ -1387,7 +1387,7 @@ static u32 user_flags(const struct v4l2_
 
 static void fill_event(struct v4l2_event *ev, struct v4l2_ctrl *ctrl, u32 
changes)
 {
-   memset(ev->reserved, 0, sizeof(ev->reserved));
+   memset(ev, 0, sizeof(*ev));
ev->type = V4L2_EVENT_CTRL;
ev->id = ctrl->id;
ev->u.ctrl.changes = changes;
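
The leak pattern this patch closes, as an added user-space C example (not code from the patch or the kernel). struct demo_event is a simplified, hypothetical stand-in for struct v4l2_event, and the 0xAA fill is a constructed marker standing for stale memory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical, simplified layout: every member is 4-byte aligned, so the
 * struct has no compiler padding and the byte counts below are exact.
 */
struct demo_event {
    uint32_t type;
    union {
        struct {
            uint32_t changes;
            uint32_t ctrl_type;
            int32_t  value;
            uint32_t flags;
        } ctrl;
        uint8_t data[64];
    } u;
    uint32_t pending;
    uint32_t sequence;
    uint32_t id;
    uint32_t reserved[8];
};

_Static_assert(sizeof(struct demo_event) == 112, "layout assumed below");

#define STALE           0xAA   /* constructed marker for old memory contents */
#define DEMO_EVENT_CTRL 3u     /* constructed event type value */

typedef void (*fill_fn)(struct demo_event *ev, uint32_t id, uint32_t changes);

/* Pre-patch pattern: only the reserved[] array is cleared. */
static void fill_event_partial(struct demo_event *ev, uint32_t id,
                               uint32_t changes)
{
    memset(ev->reserved, 0, sizeof(ev->reserved));
    ev->type = DEMO_EVENT_CTRL;
    ev->id = id;
    ev->u.ctrl.changes = changes;
}

/* Patched pattern: the whole struct is cleared before any field is set. */
static void fill_event_full(struct demo_event *ev, uint32_t id,
                            uint32_t changes)
{
    memset(ev, 0, sizeof(*ev));
    ev->type = DEMO_EVENT_CTRL;
    ev->id = id;
    ev->u.ctrl.changes = changes;
}

/*
 * Poison an event, run the fill routine, and count the bytes that still
 * carry the poison. Those are the bytes a copy to user space would expose.
 */
static size_t stale_bytes_after(fill_fn fill)
{
    struct demo_event ev;
    const uint8_t *p = (const uint8_t *)&ev;
    size_t i, n = 0;

    memset(&ev, STALE, sizeof(ev));
    fill(&ev, 0x00980900u, 1u);   /* constructed id and change mask */

    for (i = 0; i < sizeof(ev); i++)
        if (p[i] == STALE)
            n++;
    return n;
}

int main(void)
{
    printf("partial memset: %zu stale bytes\n",
           stale_bytes_after(fill_event_partial));
    printf("full memset:    %zu stale bytes\n",
           stale_bytes_after(fill_event_full));
    return 0;
}
```

The stale bytes in the partial case are the unused remainder of the union plus the pending and sequence fields, none of which the fill routine writes.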




[PATCH 5.0 12/52] libceph: wait for latest osdmap in ceph_monc_blacklist_add()

2019-03-25 Thread Greg Kroah-Hartman
5.0-stable review patch.  If anyone has any objections, please let me know.

--

From: Ilya Dryomov 

commit bb229bbb3bf63d23128e851a1f3b85c083178fa1 upstream.

Because map updates are distributed lazily, an OSD may not know about
the new blacklist for quite some time after "osd blacklist add" command
is completed.  This makes it possible for a blacklisted but still alive
client to overwrite a post-blacklist update, resulting in data
corruption.

Waiting for latest osdmap in ceph_monc_blacklist_add() and thus using
the post-blacklist epoch for all post-blacklist requests ensures that
all such requests "wait" for the blacklist to come into force on their
respective OSDs.

Cc: sta...@vger.kernel.org
Fixes: 6305a3b41515 ("libceph: support for blacklisting clients")
Signed-off-by: Ilya Dryomov 
Reviewed-by: Jason Dillaman 
Signed-off-by: Greg Kroah-Hartman 

---
 include/linux/ceph/libceph.h |2 ++
 net/ceph/ceph_common.c   |   18 +-
 net/ceph/mon_client.c|9 +
 3 files changed, 28 insertions(+), 1 deletion(-)

--- a/include/linux/ceph/libceph.h
+++ b/include/linux/ceph/libceph.h
@@ -294,6 +294,8 @@ extern void ceph_destroy_client(struct c
 extern int __ceph_open_session(struct ceph_client *client,
   unsigned long started);
 extern int ceph_open_session(struct ceph_client *client);
+int ceph_wait_for_latest_osdmap(struct ceph_client *client,
+   unsigned long timeout);
 
 /* pagevec.c */
 extern void ceph_release_page_vector(struct page **pages, int num_pages);
--- a/net/ceph/ceph_common.c
+++ b/net/ceph/ceph_common.c
@@ -738,7 +738,6 @@ int __ceph_open_session(struct ceph_clie
 }
 EXPORT_SYMBOL(__ceph_open_session);
 
-
 int ceph_open_session(struct ceph_client *client)
 {
int ret;
@@ -754,6 +753,23 @@ int ceph_open_session(struct ceph_client
 }
 EXPORT_SYMBOL(ceph_open_session);
 
+int ceph_wait_for_latest_osdmap(struct ceph_client *client,
+   unsigned long timeout)
+{
+   u64 newest_epoch;
+   int ret;
+
+   ret = ceph_monc_get_version(&client->monc, "osdmap", &newest_epoch);
+   if (ret)
+   return ret;
+
+   if (client->osdc.osdmap->epoch >= newest_epoch)
+   return 0;
+
+   ceph_osdc_maybe_request_map(&client->osdc);
+   return ceph_monc_wait_osdmap(&client->monc, newest_epoch, timeout);
+}
+EXPORT_SYMBOL(ceph_wait_for_latest_osdmap);
 
 static int __init init_ceph_lib(void)
 {
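Review bot: ceph_wait_for_latest_osdmap() reads client->osdc.osdmap->epoch with no lock taken in the function, and the meaning of timeout is undocumented even though the only caller in this patch passes 0. Since the helper is exported, a kernel-doc comment stating the locking expectation for the epoch read and what a zero timeout means would make it safe to reuse.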
--- a/net/ceph/mon_client.c
+++ b/net/ceph/mon_client.c
@@ -922,6 +922,15 @@ int ceph_monc_blacklist_add(struct ceph_
mutex_unlock(&monc->mutex);
 
ret = wait_generic_request(req);
+   if (!ret)
+   /*
+* Make sure we have the osdmap that includes the blacklist
+* entry.  This is needed to ensure that the OSDs pick up the
+* new blacklist before processing any future requests from
+* this client.
+*/
+   ret = ceph_wait_for_latest_osdmap(monc->client, 0);
+
 out:
put_generic_request(req);
return ret;
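Review bot: when wait_generic_request() succeeds but ceph_wait_for_latest_osdmap() fails, ceph_monc_blacklist_add() returns an error although the blacklist entry has already been added, so a caller cannot tell "not blacklisted" from "blacklisted but map not yet seen"; the comment should say how callers are meant to treat that. Style: the if (!ret) body is a comment plus a statement spread over several lines, so it should carry braces.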




[PATCH 5.0 05/52] mmc: mxcmmc: "Revert mmc: mxcmmc: handle highmem pages"

2019-03-25 Thread Greg Kroah-Hartman
5.0-stable review patch.  If anyone has any objections, please let me know.

--

From: Alexander Shiyan 

commit 2b77158ffa92b820a0c5da9a3c6ead7aa069c71c upstream.

This reverts commit b189e7589f6d3411e85c6b7ae6eef158f08f388f.

Unable to handle kernel paging request at virtual address c8358000
pgd = efa405c3
[c8358000] *pgd=
Internal error: Oops: 805 [#1] PREEMPT ARM
CPU: 0 PID: 711 Comm: kworker/0:2 Not tainted 4.20.0+ #30
Hardware name: Freescale i.MX27 (Device Tree Support)
Workqueue: events mxcmci_datawork
PC is at mxcmci_datawork+0xbc/0x2ac
LR is at mxcmci_datawork+0xac/0x2ac
pc : []lr : []psr: 6013
sp : c6c93f08  ip : 24004180  fp : 0008
r10: c8358000  r9 : c78b3e24  r8 : c6c92000
r7 :   r6 : c7bb8680  r5 : c7bb86d4  r4 : c78b3de0
r3 : 2502  r2 : c090b2e0  r1 : 0880  r0 : 
Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
Control: 0005317f  Table: a68a8000  DAC: 0055
Process kworker/0:2 (pid: 711, stack limit = 0x389543bc)
[] (mxcmci_datawork) from [] (process_one_work+0x1f0/0x338)
[] (process_one_work) from [] (worker_thread+0x320/0x474)
[] (worker_thread) from [] (kthread+0xfc/0x118)
[] (kthread) from [] (ret_from_fork+0x14/0x24)
Exception stack(0xc6c93fb0 to 0xc6c93ff8)
3fa0:    
3fc0:        
3fe0:     0013 
Code: e350 1a59 e5153050 e5933038 (e48a3004)
---[ end trace 54ca629b75f0e737 ]---
note: kworker/0:2[711] exited with preempt_count 1

Signed-off-by: Alexander Shiyan 
Fixes: b189e7589f6d ("mmc: mxcmmc: handle highmem pages")
Cc: sta...@vger.kernel.org
Signed-off-by: Ulf Hansson 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/mmc/host/mxcmmc.c |   16 
 1 file changed, 4 insertions(+), 12 deletions(-)

--- a/drivers/mmc/host/mxcmmc.c
+++ b/drivers/mmc/host/mxcmmc.c
@@ -292,11 +292,8 @@ static void mxcmci_swap_buffers(struct m
struct scatterlist *sg;
int i;
 
-   for_each_sg(data->sg, sg, data->sg_len, i) {
-   void *buf = kmap_atomic(sg_page(sg) + sg->offset);
-   buffer_swap32(buf, sg->length);
-   kunmap_atomic(buf);
-   }
+   for_each_sg(data->sg, sg, data->sg_len, i)
+   buffer_swap32(sg_virt(sg), sg->length);
 }
 #else
 static inline void mxcmci_swap_buffers(struct mmc_data *data) {}
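Review bot: sg_virt(sg) in mxcmci_swap_buffers() is only valid for pages that have a permanent kernel mapping, and the commit being reverted is the one titled "handle highmem pages", so after this revert the driver again depends on never being handed a highmem page. A comment here, or a sentence in the message on what guarantees that, would keep the kmap conversion from being retried in the same form.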
@@ -613,7 +610,6 @@ static int mxcmci_transfer_data(struct m
 {
struct mmc_data *data = host->req->data;
struct scatterlist *sg;
-   void *buf;
int stat, i;
 
host->data = data;
@@ -621,18 +617,14 @@ static int mxcmci_transfer_data(struct m
 
if (data->flags & MMC_DATA_READ) {
for_each_sg(data->sg, sg, data->sg_len, i) {
-   buf = kmap_atomic(sg_page(sg) + sg->offset);
-   stat = mxcmci_pull(host, buf, sg->length);
-   kunmap(buf);
+   stat = mxcmci_pull(host, sg_virt(sg), sg->length);
if (stat)
return stat;
host->datasize += sg->length;
}
} else {
for_each_sg(data->sg, sg, data->sg_len, i) {
-   buf = kmap_atomic(sg_page(sg) + sg->offset);
-   stat = mxcmci_push(host, buf, sg->length);
-   kunmap(buf);
+   stat = mxcmci_push(host, sg_virt(sg), sg->length);
if (stat)
return stat;
host->datasize += sg->length;
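Review bot: the commit message gives only the oops and not the cause, although the removed lines show it: kmap_atomic(sg_page(sg) + sg->offset) adds a byte offset to a struct page pointer, and in mxcmci_transfer_data() the mapping is released with kunmap(buf) rather than kunmap_atomic(). Stating that in the message would tell stable reviewers why a full revert was chosen over correcting those two calls.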




[PATCH 5.0 10/52] iommu/amd: fix sg->dma_address for sg->offset bigger than PAGE_SIZE

2019-03-25 Thread Greg Kroah-Hartman
5.0-stable review patch.  If anyone has any objections, please let me know.

--

From: Stanislaw Gruszka 

commit 4e50ce03976fbc8ae995a000c4b10c737467beaa upstream.

Take into account that sg->offset can be bigger than PAGE_SIZE when
setting segment sg->dma_address. Otherwise sg->dma_address will point
at a different page, which makes DMA not possible, with errors like this:

xhci_hcd :38:00.3: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x 
address=0xfdaa70c0 flags=0x0020]
xhci_hcd :38:00.3: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x 
address=0xfdaa7040 flags=0x0020]
xhci_hcd :38:00.3: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x 
address=0xfdaa7080 flags=0x0020]
xhci_hcd :38:00.3: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x 
address=0xfdaa7100 flags=0x0020]
xhci_hcd :38:00.3: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x 
address=0xfdaa7000 flags=0x0020]

Additionally, with a wrong sg->dma_address unmap_sg will free the wrong pages,
which can cause crashes like this:

Feb 28 19:27:45 kernel: BUG: Bad page state in process cinnamon  pfn:39e8b1
Feb 28 19:27:45 kernel: Disabling lock debugging due to kernel taint
Feb 28 19:27:45 kernel: flags: 0x200()
Feb 28 19:27:45 kernel: raw: 0200  0301 

Feb 28 19:27:45 kernel: raw:   0001 

Feb 28 19:27:45 kernel: page dumped because: nonzero _refcount
Feb 28 19:27:45 kernel: Modules linked in: ccm fuse arc4 nct6775 hwmon_vid 
amdgpu nls_iso8859_1 nls_cp437 edac_mce_amd vfat fat kvm_amd ccp rng_core kvm 
mt76x0u mt76x0_common mt76x02_usb irqbypass mt76_usb mt76x02_lib mt76 
crct10dif_pclmul crc32_pclmul chash mac80211 amd_iommu_v2 ghash_clmulni_intel 
gpu_sched i2c_algo_bit ttm wmi_bmof snd_hda_codec_realtek snd_hda_codec_generic 
drm_kms_helper snd_hda_codec_hdmi snd_hda_intel drm snd_hda_codec aesni_intel 
snd_hda_core snd_hwdep aes_x86_64 crypto_simd snd_pcm cfg80211 cryptd mousedev 
snd_timer glue_helper pcspkr r8169 input_leds realtek agpgart libphy rfkill snd 
syscopyarea sysfillrect sysimgblt fb_sys_fops soundcore sp5100_tco k10temp 
i2c_piix4 wmi evdev gpio_amdpt pinctrl_amd mac_hid pcc_cpufreq acpi_cpufreq sg 
ip_tables x_tables ext4(E) crc32c_generic(E) crc16(E) mbcache(E) jbd2(E) 
fscrypto(E) sd_mod(E) hid_generic(E) usbhid(E) hid(E) dm_mod(E) serio_raw(E) 
atkbd(E) libps2(E) crc32c_intel(E) ahci(E) libahci(E) libata(E) xhci_pci(E) 
xhci_hcd(E)
Feb 28 19:27:45 kernel:  scsi_mod(E) i8042(E) serio(E) bcache(E) crc64(E)
Feb 28 19:27:45 kernel: CPU: 2 PID: 896 Comm: cinnamon Tainted: GB   W   E  
   4.20.12-arch1-1-custom #1
Feb 28 19:27:45 kernel: Hardware name: To Be Filled By O.E.M. To Be Filled By 
O.E.M./B450M Pro4, BIOS P1.20 06/26/2018
Feb 28 19:27:45 kernel: Call Trace:
Feb 28 19:27:45 kernel:  dump_stack+0x5c/0x80
Feb 28 19:27:45 kernel:  bad_page.cold.29+0x7f/0xb2
Feb 28 19:27:45 kernel:  __free_pages_ok+0x2c0/0x2d0
Feb 28 19:27:45 kernel:  skb_release_data+0x96/0x180
Feb 28 19:27:45 kernel:  __kfree_skb+0xe/0x20
Feb 28 19:27:45 kernel:  tcp_recvmsg+0x894/0xc60
Feb 28 19:27:45 kernel:  ? reuse_swap_page+0x120/0x340
Feb 28 19:27:45 kernel:  ? ptep_set_access_flags+0x23/0x30
Feb 28 19:27:45 kernel:  inet_recvmsg+0x5b/0x100
Feb 28 19:27:45 kernel:  __sys_recvfrom+0xc3/0x180
Feb 28 19:27:45 kernel:  ? handle_mm_fault+0x10a/0x250
Feb 28 19:27:45 kernel:  ? syscall_trace_enter+0x1d3/0x2d0
Feb 28 19:27:45 kernel:  ? __audit_syscall_exit+0x22a/0x290
Feb 28 19:27:45 kernel:  __x64_sys_recvfrom+0x24/0x30
Feb 28 19:27:45 kernel:  do_syscall_64+0x5b/0x170
Feb 28 19:27:45 kernel:  entry_SYSCALL_64_after_hwframe+0x44/0xa9

Cc: sta...@vger.kernel.org
Reported-and-tested-by: Jan Viktorin 
Reviewed-by: Alexander Duyck 
Signed-off-by: Stanislaw Gruszka 
Fixes: 80187fd39dcb ('iommu/amd: Optimize map_sg and unmap_sg')
Signed-off-by: Joerg Roedel 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/iommu/amd_iommu.c |7 ++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/drivers/iommu/amd_iommu.c
+++ b/drivers/iommu/amd_iommu.c
@@ -2605,7 +2605,12 @@ static int map_sg(struct device *dev, st
 
/* Everything is mapped - write the right values into s->dma_address */
for_each_sg(sglist, s, nelems, i) {
-   s->dma_address += address + s->offset;
+   /*
+* Add in the remaining piece of the scatter-gather offset that
+* was masked out when we were determining the physical address
+* via (sg_phys(s) & PAGE_MASK) earlier.
+*/
+   s->dma_address += address + (s->offset & ~PAGE_MASK);
s->dma_length   = s->length;
}
 
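Review bot: on the added s->dma_address line, s->offset & ~PAGE_MASK open-codes offset_in_page(s->offset); using the helper would make the intent obvious without the five-line comment. The commit message also says unmap_sg frees the wrong pages, yet only map_sg is changed, so a sentence on why the unmap side needs no change would close the loop.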




[PATCH 5.0 11/52] iommu/iova: Fix tracking of recently failed iova address

2019-03-25 Thread Greg Kroah-Hartman
5.0-stable review patch.  If anyone has any objections, please let me know.

--

From: Robert Richter 

commit 80ef4464d5e27408685e609d389663aad46644b9 upstream.

If a 32 bit allocation request is too big to possibly succeed, it
early exits with a failure and then should never update
max32_alloc_size. This patch fixes current code, now the size is only
updated if the slow path failed while walking the tree. Without the fix
the allocation may enter the slow path again even if there was a failure
before of a request with the same or a smaller size.

Cc:  # 4.20+
Fixes: bee60e94a1e2 ("iommu/iova: Optimise attempts to allocate iova from 32bit 
address range")
Reviewed-by: Robin Murphy 
Signed-off-by: Robert Richter 
Signed-off-by: Joerg Roedel 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/iommu/iova.c |5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/iommu/iova.c
+++ b/drivers/iommu/iova.c
@@ -207,8 +207,10 @@ static int __alloc_and_insert_iova_range
curr_iova = rb_entry(curr, struct iova, node);
} while (curr && new_pfn <= curr_iova->pfn_hi);
 
-   if (limit_pfn < size || new_pfn < iovad->start_pfn)
+   if (limit_pfn < size || new_pfn < iovad->start_pfn) {
+   iovad->max32_alloc_size = size;
goto iova32_full;
+   }
 
/* pfn_lo will point to size aligned address if size_aligned is set */
new->pfn_lo = new_pfn;
@@ -222,7 +224,6 @@ static int __alloc_and_insert_iova_range
return 0;
 
 iova32_full:
-   iovad->max32_alloc_size = size;
spin_unlock_irqrestore(&iovad->iova_rbtree_lock, flags);
return -ENOMEM;
 }
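Review bot: after this hunk the iova32_full label only drops the lock and returns -ENOMEM, while the store to iovad->max32_alloc_size lives in the one branch that jumps here after the tree walk. A comment at the label saying that max32_alloc_size is deliberately not written there, because other paths reach it without having walked the tree, would stop the assignment from being moved back.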




[PATCH 5.0 15/52] MIPS: Ensure ELF appended dtb is relocated

2019-03-25 Thread Greg Kroah-Hartman
5.0-stable review patch.  If anyone has any objections, please let me know.

--

From: Yasha Cherikovsky 

commit 3f0a53bc6482fb09770982a8447981260ea258dc upstream.

This fixes booting with the combination of CONFIG_RELOCATABLE=y
and CONFIG_MIPS_ELF_APPENDED_DTB=y.

Sections that appear after the relocation table are not relocated
on system boot (except .bss, which has special handling).

With CONFIG_MIPS_ELF_APPENDED_DTB, the dtb is part of the
vmlinux ELF, so it must be relocated together with everything else.

Fixes: 069fd766271d ("MIPS: Reserve space for relocation table")
Signed-off-by: Yasha Cherikovsky 
Signed-off-by: Paul Burton 
Cc: Ralf Baechle 
Cc: Paul Burton 
Cc: James Hogan 
Cc: linux-m...@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Cc: sta...@vger.kernel.org # v4.7+
Signed-off-by: Greg Kroah-Hartman 

---
 arch/mips/kernel/vmlinux.lds.S |   12 +++-
 1 file changed, 7 insertions(+), 5 deletions(-)

--- a/arch/mips/kernel/vmlinux.lds.S
+++ b/arch/mips/kernel/vmlinux.lds.S
@@ -140,6 +140,13 @@ SECTIONS
PERCPU_SECTION(1 << CONFIG_MIPS_L1_CACHE_SHIFT)
 #endif
 
+#ifdef CONFIG_MIPS_ELF_APPENDED_DTB
+   .appended_dtb : AT(ADDR(.appended_dtb) - LOAD_OFFSET) {
+   *(.appended_dtb)
+   KEEP(*(.appended_dtb))
+   }
+#endif
+
 #ifdef CONFIG_RELOCATABLE
. = ALIGN(4);
 
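Review bot: in the added .appended_dtb output section, the plain *(.appended_dtb) line already claims every matching input section, so the KEEP(*(.appended_dtb)) line after it has nothing left to match. Since the block is being moved anyway, reducing it to the KEEP() line alone would make the intent (do not garbage-collect the DTB) explicit.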
@@ -164,11 +171,6 @@ SECTIONS
__appended_dtb = .;
/* leave space for appended DTB */
. += 0x10;
-#elif defined(CONFIG_MIPS_ELF_APPENDED_DTB)
-   .appended_dtb : AT(ADDR(.appended_dtb) - LOAD_OFFSET) {
-   *(.appended_dtb)
-   KEEP(*(.appended_dtb))
-   }
 #endif
/*
 * Align to 64K in attempt to eliminate holes before the
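Review bot: the removed #elif defined(CONFIG_MIPS_ELF_APPENDED_DTB) made the ELF section an alternative to the preceding branch that reserves space at __appended_dtb, whereas the new #ifdef in the earlier hunk stands on its own. The message should state that the two options cannot be enabled together, or the new block should be guarded so that both cannot emit DTB space in one image.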




[PATCH 5.0 02/52] ALSA: firewire-motu: use 'version' field of unit directory to identify model

2019-03-25 Thread Greg Kroah-Hartman
5.0-stable review patch.  If anyone has any objections, please let me know.

--

From: Takashi Sakamoto 

commit 2d012c65a9ca26a0ef87ea0a42f1653dd37155f5 upstream.

Current ALSA firewire-motu driver uses the value of 'model' field
of unit directory in configuration ROM for modalias for MOTU
FireWire models. However, as long as I checked, Pre8 and
828mk3(Hybrid) have the same value for the field (=0x100800).

unit            | version | model
--------------- | ------- | --------
828mkII         | 0x03    | 0x101800
Traveler        | 0x09    | 0x107800
Pre8            | 0x0f    | 0x100800 <-
828mk3(FW)      | 0x15    | 0x106800
AudioExpress    | 0x33    | 0x104800
828mk3(Hybrid)  | 0x35    | 0x100800 <-
When updating firmware for MOTU 8pre FireWire from v1.0.0 to v1.0.3,
I got change of the value from 0x100800 to 0x103800. On the other
hand, the value of 'version' field is fixed to 0x0f. As a quick
glance, the higher 12 bits of the value of 'version' field represent
firmware version, while the lower 12 bits is unknown.

By induction, the value of 'version' field represents actual model.

This commit changes modalias to match the value of 'version' field,
instead of 'model' field. For debug, long name of added sound card
includes hexadecimal value of 'model' field.

Fixes: 6c5e1ac0e144 ("ALSA: firewire-motu: add support for Motu Traveler")
Signed-off-by: Takashi Sakamoto 
Cc:  # v4.19+
Signed-off-by: Takashi Iwai 
Signed-off-by: Greg Kroah-Hartman 

---
 sound/firewire/motu/motu.c |   20 ++--
 1 file changed, 10 insertions(+), 10 deletions(-)

--- a/sound/firewire/motu/motu.c
+++ b/sound/firewire/motu/motu.c
@@ -36,7 +36,7 @@ static void name_card(struct snd_motu *m
fw_csr_iterator_init(&it, motu->unit->directory);
while (fw_csr_iterator_next(&it, &key, &val)) {
switch (key) {
-   case CSR_VERSION:
+   case CSR_MODEL:
version = val;
break;
}
@@ -46,7 +46,7 @@ static void name_card(struct snd_motu *m
strcpy(motu->card->shortname, motu->spec->name);
strcpy(motu->card->mixername, motu->spec->name);
snprintf(motu->card->longname, sizeof(motu->card->longname),
-"MOTU %s (version:%d), GUID %08x%08x at %s, S%d",
+"MOTU %s (version:%06x), GUID %08x%08x at %s, S%d",
 motu->spec->name, version,
 fw_dev->config_rom[3], fw_dev->config_rom[4],
 dev_name(&motu->unit->device), 100 << fw_dev->max_speed);
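Review bot: the longname format still prints "version:%06x" although, after the previous hunk, the value comes from the CSR_MODEL entry and is held in a variable still called version. The commit message says the long name should carry the 'model' field, so the label should read "model:" and the local variable should be renamed to match, otherwise the string shown to users contradicts what it contains.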
@@ -237,20 +237,20 @@ static const struct snd_motu_spec motu_a
 #define SND_MOTU_DEV_ENTRY(model, data)\
 {  \
.match_flags= IEEE1394_MATCH_VENDOR_ID |\
- IEEE1394_MATCH_MODEL_ID | \
- IEEE1394_MATCH_SPECIFIER_ID,  \
+ IEEE1394_MATCH_SPECIFIER_ID | \
+ IEEE1394_MATCH_VERSION,   \
.vendor_id  = OUI_MOTU, \
-   .model_id   = model,\
.specifier_id   = OUI_MOTU, \
+   .version= model,\
.driver_data= (kernel_ulong_t)data, \
 }
 
 static const struct ieee1394_device_id motu_id_table[] = {
-   SND_MOTU_DEV_ENTRY(0x101800, &motu_828mk2),
-   SND_MOTU_DEV_ENTRY(0x107800, &snd_motu_spec_traveler),
-   SND_MOTU_DEV_ENTRY(0x106800, &motu_828mk3), /* FireWire only. */
-   SND_MOTU_DEV_ENTRY(0x100800, &motu_828mk3), /* Hybrid. */
-   SND_MOTU_DEV_ENTRY(0x104800, &motu_audio_express),
+   SND_MOTU_DEV_ENTRY(0x03, &motu_828mk2),
+   SND_MOTU_DEV_ENTRY(0x09, &snd_motu_spec_traveler),
+   SND_MOTU_DEV_ENTRY(0x15, &motu_828mk3), /* FireWire only. */
+   SND_MOTU_DEV_ENTRY(0x35, &motu_828mk3), /* Hybrid. */
+   SND_MOTU_DEV_ENTRY(0x33, &motu_audio_express),
{ }
 };
 MODULE_DEVICE_TABLE(ieee1394, motu_id_table);
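Review bot: SND_MOTU_DEV_ENTRY() keeps its first parameter named model while now assigning it to .version, which will mislead the next person adding a device; rename it, for example to ver. The table in the commit message also lists Pre8 with version 0x0f, for which motu_id_table has no entry, while the old 0x100800 entry matched it as 828mk3 Hybrid; the message should say that Pre8 is intentionally no longer bound by this driver.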




[PATCH 5.0 03/52] mmc: pxamci: fix enum type confusion

2019-03-25 Thread Greg Kroah-Hartman
5.0-stable review patch.  If anyone has any objections, please let me know.

--

From: Arnd Bergmann 

commit e60a582bcde01158a64ff948fb799f21f5d31a11 upstream.

clang points out several instances of mismatched types in this driver,
all coming from a single declaration:

drivers/mmc/host/pxamci.c:193:15: error: implicit conversion from enumeration 
type 'enum dma_transfer_direction' to
  different enumeration type 'enum dma_data_direction' 
[-Werror,-Wenum-conversion]
direction = DMA_DEV_TO_MEM;
  ~ ^~
drivers/mmc/host/pxamci.c:212:62: error: implicit conversion from enumeration 
type 'enum dma_data_direction' to
  different enumeration type 'enum dma_transfer_direction' 
[-Werror,-Wenum-conversion]
tx = dmaengine_prep_slave_sg(chan, data->sg, host->dma_len, direction,

The behavior is correct, so this must be a simple typo from
dma_data_direction and dma_transfer_direction being similarly named
types with a similar purpose.

Fixes: 6464b7140951 ("mmc: pxamci: switch over to dmaengine use")
Signed-off-by: Arnd Bergmann 
Reviewed-by: Nathan Chancellor 
Acked-by: Robert Jarzmik 
Cc: sta...@vger.kernel.org
Signed-off-by: Ulf Hansson 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/mmc/host/pxamci.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/mmc/host/pxamci.c
+++ b/drivers/mmc/host/pxamci.c
@@ -162,7 +162,7 @@ static void pxamci_dma_irq(void *param);
 static void pxamci_setup_data(struct pxamci_host *host, struct mmc_data *data)
 {
struct dma_async_tx_descriptor *tx;
-   enum dma_data_direction direction;
+   enum dma_transfer_direction direction;
struct dma_slave_config config;
struct dma_chan *chan;
unsigned int nob = data->blocks;
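Review bot: with direction now declared as enum dma_transfer_direction, any remaining use in pxamci_setup_data() that passes it to an interface expecting enum dma_data_direction would become the new mismatch. The clang output quoted in the message covers only lines 193 and 212, so it is worth confirming, and saying in the message, that the build is clean with -Wenum-conversion after the change.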




[PATCH 5.0 01/52] ALSA: hda - add Lenovo IdeaCentre B550 to the power_save_blacklist

2019-03-25 Thread Greg Kroah-Hartman
5.0-stable review patch.  If anyone has any objections, please let me know.

--

From: Jaroslav Kysela 

commit 721f1e6c1fd137e7e2053d8e103b666faaa2d50c upstream.

Another machine which does not like the power saving (noise):
  https://bugzilla.redhat.com/show_bug.cgi?id=1689623

Also, reorder the Lenovo C50 entry to keep the table sorted.

Reported-by: hs.guimar...@outlook.com
Signed-off-by: Jaroslav Kysela 
Cc: 
Signed-off-by: Takashi Iwai 
Signed-off-by: Greg Kroah-Hartman 

---
 sound/pci/hda/hda_intel.c |6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/sound/pci/hda/hda_intel.c
+++ b/sound/pci/hda/hda_intel.c
@@ -2144,10 +2144,12 @@ static struct snd_pci_quirk power_save_b
SND_PCI_QUIRK(0x8086, 0x2057, "Intel NUC5i7RYB", 0),
/* https://bugzilla.redhat.com/show_bug.cgi?id=1520902 */
SND_PCI_QUIRK(0x8086, 0x2068, "Intel NUC7i3BNB", 0),
-   /* https://bugzilla.redhat.com/show_bug.cgi?id=1572975 */
-   SND_PCI_QUIRK(0x17aa, 0x36a7, "Lenovo C50 All in one", 0),
/* https://bugzilla.kernel.org/show_bug.cgi?id=198611 */
SND_PCI_QUIRK(0x17aa, 0x2227, "Lenovo X1 Carbon 3rd Gen", 0),
+   /* https://bugzilla.redhat.com/show_bug.cgi?id=1689623 */
+   SND_PCI_QUIRK(0x17aa, 0x367b, "Lenovo IdeaCentre B550", 0),
+   /* https://bugzilla.redhat.com/show_bug.cgi?id=1572975 */
+   SND_PCI_QUIRK(0x17aa, 0x36a7, "Lenovo C50 All in one", 0),
{}
 };
 #endif /* CONFIG_PM */
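Review bot: the sort key for the power_save blacklist table is left implicit. After this change the 0x17aa entries ascend by device ID (0x2227, 0x367b, 0x36a7), yet the 0x8086 entries still come before them, so the table is not a plain numeric sort on (vendor, device). Since the commit message gives "keep the table sorted" as the reason for moving the Lenovo C50 entry, a one-line comment at the top of the table stating the intended order would let the next addition land in the right place without guessing.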




[PATCH 5.0 13/52] udf: Fix crash on IO error during truncate

2019-03-25 Thread Greg Kroah-Hartman
5.0-stable review patch.  If anyone has any objections, please let me know.

--

From: Jan Kara 

commit d3ca4651d05c0ff7259d087d8c949bcf3e14fb46 upstream.

When truncate(2) hits IO error when reading indirect extent block the
code just bugs with:

kernel BUG at linux-4.15.0/fs/udf/truncate.c:249!
...

Fix the problem by bailing out cleanly in case of IO error.

CC: sta...@vger.kernel.org
Reported-by: jean-luc malet 
Signed-off-by: Jan Kara 
Signed-off-by: Greg Kroah-Hartman 

---
 fs/udf/truncate.c |3 +++
 1 file changed, 3 insertions(+)

--- a/fs/udf/truncate.c
+++ b/fs/udf/truncate.c
@@ -260,6 +260,9 @@ void udf_truncate_extents(struct inode *
epos.block = eloc;
epos.bh = udf_tread(sb,
udf_get_lb_pblock(sb, &eloc, 0));
+   /* Error reading indirect block? */
+   if (!epos.bh)
+   return;
if (elen)
indirect_ext_len =
(elen + sb->s_blocksize - 1) >>
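Review bot: the new `if (!epos.bh) return;` leaves udf_truncate_extents() silently, and because the function returns void the caller cannot tell a completed truncate from one abandoned on a read error. At minimum log the failure at this point so the I/O error is visible; longer term the function wants an int return so the error can reach truncate(2). Also confirm that nothing acquired earlier in the function needs releasing on this path, since the hunk's context does not show what precedes the udf_tread() call.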




[PATCH 5.0 14/52] mips: loongson64: lemote-2f: Add IRQF_NO_SUSPEND to "cascade" irqaction.

2019-03-25 Thread Greg Kroah-Hartman
5.0-stable review patch.  If anyone has any objections, please let me know.

--

From: Yifeng Li 

commit 5f5f67da9781770df0403269bc57d7aae608fecd upstream.

Timekeeping IRQs from CS5536 MFGPT are routed to i8259, which then
triggers the "cascade" IRQ on MIPS CPU. Without IRQF_NO_SUSPEND in
cascade_irqaction, MFGPT interrupts will be masked in suspend mode,
and the machine would be unable to resume once suspended.

Previously, MIPS IRQs were not disabled properly, so the original
code appeared to work. Commit a3e6c1eff5 ("MIPS: IRQ: Fix disable_irq on
CPU IRQs") uncovers the bug. To fix it, add IRQF_NO_SUSPEND to
cascade_irqaction.

This commit is functionally identical to 0add9c2f1cff ("MIPS:
Loongson-3: Add IRQF_NO_SUSPEND to Cascade irqaction"), but it forgot
to apply the same fix to Loongson2.

Signed-off-by: Yifeng Li 
Signed-off-by: Paul Burton 
Cc: linux-m...@vger.kernel.org
Cc: Jiaxun Yang 
Cc: Huacai Chen 
Cc: Ralf Baechle 
Cc: James Hogan 
Cc: linux-kernel@vger.kernel.org
Cc: sta...@vger.kernel.org # v3.19+
Signed-off-by: Greg Kroah-Hartman 

---
 arch/mips/loongson64/lemote-2f/irq.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/mips/loongson64/lemote-2f/irq.c
+++ b/arch/mips/loongson64/lemote-2f/irq.c
@@ -103,7 +103,7 @@ static struct irqaction ip6_irqaction =
 static struct irqaction cascade_irqaction = {
.handler = no_action,
.name = "cascade",
-   .flags = IRQF_NO_THREAD,
+   .flags = IRQF_NO_THREAD | IRQF_NO_SUSPEND,
 };
 
 void __init mach_init_irq(void)
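Review bot: the reason `cascade_irqaction` needs IRQF_NO_SUSPEND exists only in the commit message. Add a short comment above `.flags` saying that the MFGPT timekeeping interrupts arrive through this cascade and must stay unmasked across suspend; without it the flag looks arbitrary next to IRQF_NO_THREAD and is easy to drop in a later cleanup. The hunk header shows `ip6_irqaction` defined just above, so the changelog should also say whether it was checked for the same problem.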




[PATCH 5.0 16/52] MIPS: Fix kernel crash for R6 in jump label branch function

2019-03-25 Thread Greg Kroah-Hartman
5.0-stable review patch.  If anyone has any objections, please let me know.

--

From: Archer Yan 

commit 47c25036b60f27b86ab44b66a8861bcf81cde39b upstream.

Insert Branch instruction instead of NOP to make sure assembler doesn't
patch code in forbidden slot. In jump label function, it might
be possible to patch Control Transfer Instructions(CTIs) into
forbidden slot, which will generate Reserved Instruction exception
in MIPS release 6.

Signed-off-by: Archer Yan 
Reviewed-by: Paul Burton 
[paul.bur...@mips.com:
  - Add MIPS prefix to subject.
  - Mark for stable from v4.0, which introduced r6 support, onwards.]
Signed-off-by: Paul Burton 
Cc: linux-m...@vger.kernel.org
Cc: sta...@vger.kernel.org # v4.0+
Signed-off-by: Greg Kroah-Hartman 

---
 arch/mips/include/asm/jump_label.h |8 
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/arch/mips/include/asm/jump_label.h
+++ b/arch/mips/include/asm/jump_label.h
@@ -21,15 +21,15 @@
 #endif
 
 #ifdef CONFIG_CPU_MICROMIPS
-#define NOP_INSN "nop32"
+#define B_INSN "b32"
 #else
-#define NOP_INSN "nop"
+#define B_INSN "b"
 #endif
 
 static __always_inline bool arch_static_branch(struct static_key *key, bool 
branch)
 {
-   asm_volatile_goto("1:\t" NOP_INSN "\n\t"
-   "nop\n\t"
+   asm_volatile_goto("1:\t" B_INSN " 2f\n\t"
+   "2:\tnop\n\t"
".pushsection __jump_table,  \"aw\"\n\t"
WORD_INSN " 1b, %l[l_yes], %0\n\t"
".popsection\n\t"




[PATCH 4.19 35/45] RDMA/cma: Rollback source IP address if failing to acquire device

2019-03-25 Thread Greg Kroah-Hartman
4.19-stable review patch.  If anyone has any objections, please let me know.

--

From: Myungho Jung 

commit 5fc01fb846bce8fa6d5f95e2625b8ce0f8e86810 upstream.

If cma_acquire_dev_by_src_ip() returns error in addr_handler(), the
device state changes back to RDMA_CM_ADDR_BOUND but the resolved source
IP address is still left. After that, if rdma_destroy_id() is called
after rdma_listen(), the device is freed without being removed from
listen_any_list in cma_cancel_operation(). Revert to the previous IP
address if acquiring device fails.

Reported-by: syzbot+f3ce716af730c8f96...@syzkaller.appspotmail.com
Signed-off-by: Myungho Jung 
Reviewed-by: Parav Pandit 
Signed-off-by: Jason Gunthorpe 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/infiniband/core/cma.c |   13 -
 1 file changed, 12 insertions(+), 1 deletion(-)

--- a/drivers/infiniband/core/cma.c
+++ b/drivers/infiniband/core/cma.c
@@ -2854,13 +2854,22 @@ static void addr_handler(int status, str
 {
struct rdma_id_private *id_priv = context;
struct rdma_cm_event event = {};
+   struct sockaddr *addr;
+   struct sockaddr_storage old_addr;
 
mutex_lock(&id_priv->handler_mutex);
if (!cma_comp_exch(id_priv, RDMA_CM_ADDR_QUERY,
   RDMA_CM_ADDR_RESOLVED))
goto out;
 
-   memcpy(cma_src_addr(id_priv), src_addr, rdma_addr_size(src_addr));
+   /*
+* Store the previous src address, so that if we fail to acquire
+* matching rdma device, old address can be restored back, which helps
+* to cancel the cma listen operation correctly.
+*/
+   addr = cma_src_addr(id_priv);
+   memcpy(&old_addr, addr, rdma_addr_size(addr));
+   memcpy(addr, src_addr, rdma_addr_size(src_addr));
if (!status && !id_priv->cma_dev) {
status = cma_acquire_dev(id_priv, NULL);
if (status)
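Review bot: `struct sockaddr_storage old_addr;` is declared without an initialiser, and the snapshot `memcpy(&old_addr, addr, rdma_addr_size(addr))` fills only as many bytes as the current address family dictates, so the remainder of the buffer is uninitialised stack. The restore in the next hunk sizes its copy from `old_addr` itself, which makes the rollback depend on those first bytes having been written. Zero-initialising it (`= {}`), as is already done for `event` two lines above, costs nothing and makes the rollback deterministic.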
@@ -2871,6 +2880,8 @@ static void addr_handler(int status, str
}
 
if (status) {
+   memcpy(addr, &old_addr,
+  rdma_addr_size((struct sockaddr *)&old_addr));
if (!cma_comp_exch(id_priv, RDMA_CM_ADDR_RESOLVED,
   RDMA_CM_ADDR_BOUND))
goto out;
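Review bot: the rollback `memcpy(addr, &old_addr, ...)` runs before the `cma_comp_exch(id_priv, RDMA_CM_ADDR_RESOLVED, RDMA_CM_ADDR_BOUND)` test, so when that exchange fails the function takes `goto out` with the source address already reverted while the state is something other than ADDR_BOUND. If that combination is intended, say so in the comment added in the first hunk; if not, do the restore only after the exchange succeeds.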




[PATCH 5.0 06/52] mmc: renesas_sdhi: limit block count to 16 bit for old revisions

2019-03-25 Thread Greg Kroah-Hartman
5.0-stable review patch.  If anyone has any objections, please let me know.

--

From: Wolfram Sang 

commit c9a9497ccef205ed4ed2e247011382627876d831 upstream.

R-Car Gen2 has two different SDHI incarnations in the same chip. The
older one does not support the recently introduced 32 bit register
access to the block count register. Make sure we use this feature only
after the first known version.

Thanks to the Renesas Testing team for this bug report!

Fixes: 5603731a15ef ("mmc: tmio: fix access width of Block Count Register")
Reported-by: Yoshihiro Shimoda 
Signed-off-by: Wolfram Sang 
Reviewed-by: Simon Horman 
Tested-by: Phong Hoang 
Cc: sta...@vger.kernel.org
Signed-off-by: Ulf Hansson 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/mmc/host/renesas_sdhi_core.c |8 +++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/drivers/mmc/host/renesas_sdhi_core.c
+++ b/drivers/mmc/host/renesas_sdhi_core.c
@@ -634,6 +634,7 @@ int renesas_sdhi_probe(struct platform_d
struct renesas_sdhi *priv;
struct resource *res;
int irq, ret, i;
+   u16 ver;
 
of_data = of_device_get_match_data(&pdev->dev);
 
@@ -766,12 +767,17 @@ int renesas_sdhi_probe(struct platform_d
if (ret)
goto efree;
 
+   ver = sd_ctrl_read16(host, CTL_VERSION);
+   /* GEN2_SDR104 is first known SDHI to use 32bit block count */
+   if (ver < SDHI_VER_GEN2_SDR104 && mmc_data->max_blk_count > U16_MAX)
+   mmc_data->max_blk_count = U16_MAX;
+
ret = tmio_mmc_host_probe(host);
if (ret < 0)
goto edisclk;
 
/* One Gen2 SDHI incarnation does NOT have a CBSY bit */
-   if (sd_ctrl_read16(host, CTL_VERSION) == SDHI_VER_GEN2_SDR50)
+   if (ver == SDHI_VER_GEN2_SDR50)
mmc_data->flags &= ~TMIO_MMC_HAVE_CBSY;
 
/* Enable tuning iff we have an SCC and a supported mode */
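Review bot: `ver < SDHI_VER_GEN2_SDR104` assumes that CTL_VERSION values increase monotonically with hardware generation, whereas the existing CBSY quirk a few lines below matches one revision exactly with `==`. If the version codes are not guaranteed to be ordered, an older or unrelated IP with a numerically larger code keeps the 32-bit block count and hits the problem described in the commit message. Either document next to the SDHI_VER_* definitions that the values are ordered, or compare against the known old revisions explicitly.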




[PATCH 4.19 42/45] mm, mempolicy: fix uninit memory access

2019-03-25 Thread Greg Kroah-Hartman
4.19-stable review patch.  If anyone has any objections, please let me know.

--

From: Vlastimil Babka 

commit 2e25644e8da4ed3a27e7b8315aaae74660be72dc upstream.

Syzbot with KMSAN reports (excerpt):

==
BUG: KMSAN: uninit-value in mpol_rebind_policy mm/mempolicy.c:353 [inline]
BUG: KMSAN: uninit-value in mpol_rebind_mm+0x249/0x370 mm/mempolicy.c:384
CPU: 1 PID: 17420 Comm: syz-executor4 Not tainted 4.20.0-rc7+ #15
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0x173/0x1d0 lib/dump_stack.c:113
  kmsan_report+0x12e/0x2a0 mm/kmsan/kmsan.c:613
  __msan_warning+0x82/0xf0 mm/kmsan/kmsan_instr.c:295
  mpol_rebind_policy mm/mempolicy.c:353 [inline]
  mpol_rebind_mm+0x249/0x370 mm/mempolicy.c:384
  update_tasks_nodemask+0x608/0xca0 kernel/cgroup/cpuset.c:1120
  update_nodemasks_hier kernel/cgroup/cpuset.c:1185 [inline]
  update_nodemask kernel/cgroup/cpuset.c:1253 [inline]
  cpuset_write_resmask+0x2a98/0x34b0 kernel/cgroup/cpuset.c:1728

...

Uninit was created at:
  kmsan_save_stack_with_flags mm/kmsan/kmsan.c:204 [inline]
  kmsan_internal_poison_shadow+0x92/0x150 mm/kmsan/kmsan.c:158
  kmsan_kmalloc+0xa6/0x130 mm/kmsan/kmsan_hooks.c:176
  kmem_cache_alloc+0x572/0xb90 mm/slub.c:2777
  mpol_new mm/mempolicy.c:276 [inline]
  do_mbind mm/mempolicy.c:1180 [inline]
  kernel_mbind+0x8a7/0x31a0 mm/mempolicy.c:1347
  __do_sys_mbind mm/mempolicy.c:1354 [inline]

As it's difficult to report where exactly the uninit value resides in
the mempolicy object, we have to guess a bit.  mm/mempolicy.c:353
contains this part of mpol_rebind_policy():

if (!mpol_store_user_nodemask(pol) &&
nodes_equal(pol->w.cpuset_mems_allowed, *newmask))

"mpol_store_user_nodemask(pol)" is testing pol->flags, which I couldn't
ever see being uninitialized after leaving mpol_new().  So I'll guess
it's actually about accessing pol->w.cpuset_mems_allowed on line 354,
but still part of statement starting on line 353.

For w.cpuset_mems_allowed to be not initialized, and the nodes_equal()
reachable for a mempolicy where mpol_set_nodemask() is called in
do_mbind(), it seems the only possibility is a MPOL_PREFERRED policy
with empty set of nodes, i.e.  MPOL_LOCAL equivalent, with MPOL_F_LOCAL
flag.  Let's exclude such policies from the nodes_equal() check.  Note
the uninit access should be benign anyway, as rebinding this kind of
policy is always a no-op.  Therefore no actual need for stable
inclusion.

Link: http://lkml.kernel.org/r/a71997c3-e8ae-a787-d5ce-3db05768b...@suse.cz
Link: http://lkml.kernel.org/r/73da3e9c-cc84-509e-17d9-0c434bb99...@suse.cz
Signed-off-by: Vlastimil Babka 
Reported-by: syzbot+b19c2dc2c990ea657...@syzkaller.appspotmail.com
Cc: Alexander Potapenko 
Cc: Dmitry Vyukov 
Cc: Andrea Arcangeli 
Cc: "Kirill A. Shutemov" 
Cc: Michal Hocko 
Cc: David Rientjes 
Cc: Yisheng Xie 
Cc: zhong jiang 
Signed-off-by: Andrew Morton 
Signed-off-by: Linus Torvalds 
Signed-off-by: Greg Kroah-Hartman 

---
 mm/mempolicy.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -350,7 +350,7 @@ static void mpol_rebind_policy(struct me
 {
if (!pol)
return;
-   if (!mpol_store_user_nodemask(pol) &&
+   if (!mpol_store_user_nodemask(pol) && !(pol->flags & MPOL_F_LOCAL) &&
nodes_equal(pol->w.cpuset_mems_allowed, *newmask))
return;
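Review bot: the new `!(pol->flags & MPOL_F_LOCAL)` test needs a comment, because nothing at this site says that `w.cpuset_mems_allowed` is left unset for MPOL_F_LOCAL policies. Note also the changed control flow: such policies could previously take this early return and now always fall through to the rebind code below; the commit message says rebinding them is a no-op, and that assumption deserves to be stated here too. Initialising `w.cpuset_mems_allowed` when the policy is created would be the alternative that keeps this condition unchanged.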
 




[PATCH 4.19 39/45] x86/unwind: Handle NULL pointer calls better in frame unwinder

2019-03-25 Thread Greg Kroah-Hartman
4.19-stable review patch.  If anyone has any objections, please let me know.

--

From: Jann Horn 

commit f4f34e1b82eb4219d8eaa1c7e2e17ca219a6a2b5 upstream.

When the frame unwinder is invoked for an oops caused by a call to NULL, it
currently skips the parent function because BP still points to the parent's
stack frame; the (nonexistent) current function only has the first half of
a stack frame, and BP doesn't point to it yet.

Add a special case for IP==0 that calculates a fake BP from SP, then uses
the real BP for the next frame.

Note that this handles first_frame specially: Return information about the
parent function as long as the saved IP is >=first_frame, even if the fake
BP points below it.

With an artificially-added NULL call in prctl_set_seccomp(), before this
patch, the trace is:

Call Trace:
 ? prctl_set_seccomp+0x3a/0x50
 __x64_sys_prctl+0x457/0x6f0
 ? __ia32_sys_prctl+0x750/0x750
 do_syscall_64+0x72/0x160
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

After this patch, the trace is:

Call Trace:
 prctl_set_seccomp+0x3a/0x50
 __x64_sys_prctl+0x457/0x6f0
 ? __ia32_sys_prctl+0x750/0x750
 do_syscall_64+0x72/0x160
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Signed-off-by: Jann Horn 
Signed-off-by: Thomas Gleixner 
Acked-by: Josh Poimboeuf 
Cc: Borislav Petkov 
Cc: Andrew Morton 
Cc: syzbot 
Cc: "H. Peter Anvin" 
Cc: Masahiro Yamada 
Cc: Michal Marek 
Cc: linux-kbu...@vger.kernel.org
Link: https://lkml.kernel.org/r/20190301031201.7416-1-ja...@google.com
Signed-off-by: Greg Kroah-Hartman 

---
 arch/x86/include/asm/unwind.h  |6 ++
 arch/x86/kernel/unwind_frame.c |   25 ++---
 2 files changed, 28 insertions(+), 3 deletions(-)

--- a/arch/x86/include/asm/unwind.h
+++ b/arch/x86/include/asm/unwind.h
@@ -23,6 +23,12 @@ struct unwind_state {
 #elif defined(CONFIG_UNWINDER_FRAME_POINTER)
bool got_irq;
unsigned long *bp, *orig_sp, ip;
+   /*
+* If non-NULL: The current frame is incomplete and doesn't contain a
+* valid BP. When looking for the next frame, use this instead of the
+* non-existent saved BP.
+*/
+   unsigned long *next_bp;
struct pt_regs *regs;
 #else
unsigned long *sp;
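Review bot: `next_bp` is only correct if it starts out NULL, and no hunk in this patch shows where struct unwind_state is initialised; __unwind_start() assigns it only inside the IP==0 branch. Please confirm that the state is zeroed before that point on every path, and mention it in the field's comment, since a stale non-NULL value would make unwind_next_frame() follow a bogus frame pointer.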
--- a/arch/x86/kernel/unwind_frame.c
+++ b/arch/x86/kernel/unwind_frame.c
@@ -320,10 +320,14 @@ bool unwind_next_frame(struct unwind_sta
}
 
/* Get the next frame pointer: */
-   if (state->regs)
+   if (state->next_bp) {
+   next_bp = state->next_bp;
+   state->next_bp = NULL;
+   } else if (state->regs) {
next_bp = (unsigned long *)state->regs->bp;
-   else
+   } else {
next_bp = (unsigned long *)READ_ONCE_TASK_STACK(state->task, 
*state->bp);
+   }
 
/* Move to the next frame if it's safe: */
if (!update_stack_state(state, next_bp))
@@ -398,6 +402,21 @@ void __unwind_start(struct unwind_state
 
bp = get_frame_pointer(task, regs);
 
+   /*
+* If we crash with IP==0, the last successfully executed instruction
+* was probably an indirect function call with a NULL function pointer.
+* That means that SP points into the middle of an incomplete frame:
+* *SP is a return pointer, and *(SP-sizeof(unsigned long)) is where we
+* would have written a frame pointer if we hadn't crashed.
+* Pretend that the frame is complete and that BP points to it, but save
+* the real BP so that we can use it when looking for the next frame.
+*/
+   if (regs && regs->ip == 0 &&
+   (unsigned long *)kernel_stack_pointer(regs) >= first_frame) {
+   state->next_bp = bp;
+   bp = ((unsigned long *)kernel_stack_pointer(regs)) - 1;
+   }
+
/* Initialize stack info and make sure the frame data is accessible: */
get_stack_info(bp, state->task, &state->stack_info,
   &state->stack_mask);
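Review bot: `kernel_stack_pointer(regs)` is evaluated twice in the new block, once in the `>= first_frame` test and once to compute the fake BP. Store it in a local `unsigned long *sp` so both uses are guaranteed to see the same value and the `- 1` arithmetic is easier to match against the comment's "*(SP-sizeof(unsigned long))".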
@@ -410,7 +429,7 @@ void __unwind_start(struct unwind_state
 */
while (!unwind_done(state) &&
   (!on_stack(&state->stack_info, first_frame, sizeof(long)) ||
-   state->bp < first_frame))
+   (state->next_bp == NULL && state->bp < first_frame)))
unwind_next_frame(state);
 }
 EXPORT_SYMBOL_GPL(__unwind_start);
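The IP==0 special case described in the commit message above, as an added user-space simulation (not part of the patch or of the kernel source): a toy stack of words with constructed return addresses, unwound once the old way and once with a fake BP derived from SP. All names here (`sim_regs`, `unwind`, the `RET_IN_*` constants) are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define STACK_WORDS 16
#define MAX_TRACE   8

/* Constructed return addresses; the names mirror the trace in the commit message. */
enum {
    RET_IN_DO_SYSCALL_64     = 0x1000,
    RET_IN_X64_SYS_PRCTL     = 0x2000,
    RET_IN_PRCTL_SET_SECCOMP = 0x3000,
};

/* Simulated registers: sp and bp are word indices into stack[]. */
struct sim_regs {
    uintptr_t ip;
    size_t sp, bp;
};

/* Simulated kernel stack, growing towards index 0. */
static uintptr_t stack[STACK_WORDS];

static void push(struct sim_regs *r, uintptr_t v)
{
    stack[--r->sp] = v;
}

/* CALL followed by the usual prologue: push %rbp; mov %rsp,%rbp. */
static void call_with_prologue(struct sim_regs *r, uintptr_t return_ip)
{
    push(r, return_ip);
    push(r, (uintptr_t)r->bp);
    r->bp = r->sp;
}

/* do_syscall_64 -> __x64_sys_prctl -> prctl_set_seccomp -> call through NULL. */
static struct sim_regs crash_on_null_call(void)
{
    struct sim_regs r = { .ip = 0, .sp = STACK_WORDS, .bp = STACK_WORDS };

    call_with_prologue(&r, RET_IN_DO_SYSCALL_64);  /* frame of __x64_sys_prctl */
    call_with_prologue(&r, RET_IN_X64_SYS_PRCTL);  /* frame of prctl_set_seccomp */
    push(&r, RET_IN_PRCTL_SET_SECCOMP);            /* CALL pushed this, then IP became 0 */
    return r;                                      /* no prologue ran: BP is the caller's */
}

/*
 * Frame-pointer unwind. Each frame is [saved BP][return address].
 * With handle_null_ip set and IP==0, pretend a frame exists at SP-1 and
 * keep the real BP for the following step, as the patch does with next_bp.
 * Returns the number of return addresses written to trace[].
 */
static size_t unwind(const struct sim_regs *r, int handle_null_ip, uintptr_t *trace)
{
    size_t n = 0, bp = r->bp, next_bp = 0;
    int have_next_bp = 0;

    if (handle_null_ip && r->ip == 0 && r->sp > 0) {
        next_bp = r->bp;      /* real BP: still the caller's frame */
        have_next_bp = 1;
        bp = r->sp - 1;       /* fake BP: the slot just below the return address */
    }

    while (bp + 1 < STACK_WORDS && n < MAX_TRACE) {
        trace[n++] = stack[bp + 1];
        if (have_next_bp) {
            bp = next_bp;     /* the fake frame holds no valid saved BP */
            have_next_bp = 0;
        } else {
            bp = (size_t)stack[bp];
        }
    }
    return n;
}

int main(void)
{
    struct sim_regs r = crash_on_null_call();
    uintptr_t trace[MAX_TRACE];

    for (int fixed = 0; fixed <= 1; fixed++) {
        size_t n = unwind(&r, fixed, trace);

        printf("%s:", fixed ? "with IP==0 handling" : "without");
        for (size_t i = 0; i < n; i++)
            printf(" %#lx", (unsigned long)trace[i]);
        printf("\n");
    }
    return 0;
}
```

Without the special case the first reported caller is the grandparent, which is the skipped `prctl_set_seccomp` frame from the "before" trace.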




[PATCH 4.19 41/45] locking/lockdep: Add debug_locks check in __lock_downgrade()

2019-03-25 Thread Greg Kroah-Hartman
4.19-stable review patch.  If anyone has any objections, please let me know.

--

From: Waiman Long 

commit 71492580571467fb7177aade19c18ce7486267f5 upstream.

Tetsuo Handa had reported he saw an incorrect "downgrading a read lock"
warning right after a previous lockdep warning. It is likely that the
previous warning turned off lock debugging causing the lockdep to have
inconsistent states leading to the lock downgrade warning.

Fix that by adding a check for debug_locks at the beginning of
__lock_downgrade().

Debugged-by: Tetsuo Handa 
Reported-by: Tetsuo Handa 
Reported-by: syzbot+53383ae265fb161ef...@syzkaller.appspotmail.com
Signed-off-by: Waiman Long 
Signed-off-by: Peter Zijlstra (Intel) 
Cc: Andrew Morton 
Cc: Linus Torvalds 
Cc: Paul E. McKenney 
Cc: Peter Zijlstra 
Cc: Thomas Gleixner 
Cc: Will Deacon 
Link: https://lkml.kernel.org/r/1547093005-26085-1-git-send-email-long...@redhat.com
Signed-off-by: Ingo Molnar 
Signed-off-by: Greg Kroah-Hartman 

---
 kernel/locking/lockdep.c |3 +++
 1 file changed, 3 insertions(+)

--- a/kernel/locking/lockdep.c
+++ b/kernel/locking/lockdep.c
@@ -3567,6 +3567,9 @@ __lock_set_class(struct lockdep_map *loc
unsigned int depth;
int i;
 
+   if (unlikely(!debug_locks))
+   return 0;
+
depth = curr->lockdep_depth;
/*
 * This function is about (re)setting the class of a held lock,
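Review bot: this hunk appears to land in the wrong function. The subject and commit message call for the `debug_locks` check at the beginning of __lock_downgrade(), but the hunk header names __lock_set_class() and the trailing context comment reads "This function is about (re)setting the class of a held lock", which describes __lock_set_class() rather than the downgrade path. Please re-check the backport against the upstream commit and move the three added lines to the start of __lock_downgrade(); as it stands the check does not cover the path the commit message describes.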




[PATCH 4.19 43/45] ALSA: hda - Record the current power state before suspend/resume calls

2019-03-25 Thread Greg Kroah-Hartman
4.19-stable review patch.  If anyone has any objections, please let me know.

--

From: Takashi Iwai 

commit 98081ca62cbac31fb0f7efaf90b2e7384ce22257 upstream.

Currently we deal with single codec and suspend codec callbacks for
all S3, S4 and runtime PM handling.  But it turned out that we want to
distinguish the call patterns sometimes, e.g. for applying some init
sequence only at probing and restoring from hibernate.

This patch slightly modifies the common PM callbacks for HD-audio
codec and stores the currently processed PM event in power_state of
the codec's device.power field, which is currently unused.  The codec
callback can take a look at this event value and judges which purpose
it's being called.

Signed-off-by: Takashi Iwai 
Signed-off-by: Greg Kroah-Hartman 

---
 sound/pci/hda/hda_codec.c |   43 +--
 1 file changed, 41 insertions(+), 2 deletions(-)

--- a/sound/pci/hda/hda_codec.c
+++ b/sound/pci/hda/hda_codec.c
@@ -2909,6 +2909,7 @@ static void hda_call_codec_resume(struct
hda_jackpoll_work(&codec->jackpoll_work.work);
else
snd_hda_jack_report_sync(codec);
+   codec->core.dev.power.power_state = PMSG_ON;
snd_hdac_leave_pm(&codec->core);
 }
 
@@ -2942,10 +2943,48 @@ static int hda_codec_runtime_resume(stru
 }
 #endif /* CONFIG_PM */
 
+#ifdef CONFIG_PM_SLEEP
+static int hda_codec_pm_suspend(struct device *dev)
+{
+   dev->power.power_state = PMSG_SUSPEND;
+   return pm_runtime_force_suspend(dev);
+}
+
+static int hda_codec_pm_resume(struct device *dev)
+{
+   dev->power.power_state = PMSG_RESUME;
+   return pm_runtime_force_resume(dev);
+}
+
+static int hda_codec_pm_freeze(struct device *dev)
+{
+   dev->power.power_state = PMSG_FREEZE;
+   return pm_runtime_force_suspend(dev);
+}
+
+static int hda_codec_pm_thaw(struct device *dev)
+{
+   dev->power.power_state = PMSG_THAW;
+   return pm_runtime_force_resume(dev);
+}
+
+static int hda_codec_pm_restore(struct device *dev)
+{
+   dev->power.power_state = PMSG_RESTORE;
+   return pm_runtime_force_resume(dev);
+}
+#endif /* CONFIG_PM_SLEEP */
+
 /* referred in hda_bind.c */
 const struct dev_pm_ops hda_codec_driver_pm = {
-   SET_SYSTEM_SLEEP_PM_OPS(pm_runtime_force_suspend,
-   pm_runtime_force_resume)
+#ifdef CONFIG_PM_SLEEP
+   .suspend = hda_codec_pm_suspend,
+   .resume = hda_codec_pm_resume,
+   .freeze = hda_codec_pm_freeze,
+   .thaw = hda_codec_pm_thaw,
+   .poweroff = hda_codec_pm_suspend,
+   .restore = hda_codec_pm_restore,
+#endif /* CONFIG_PM_SLEEP */
SET_RUNTIME_PM_OPS(hda_codec_runtime_suspend, hda_codec_runtime_resume,
   NULL)
 };
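Review bot: `.poweroff = hda_codec_pm_suspend` records PMSG_SUSPEND, so a codec callback that inspects `power_state` cannot tell the hibernation power-off step from an ordinary suspend, while freeze, thaw and restore each get their own wrapper and event. If the goal stated in the commit message is to let codecs distinguish call patterns, either give poweroff its own wrapper or add a comment saying that treating it as a suspend is deliberate. The five wrappers differ only in the PMSG_* value and the force_suspend/force_resume call, so a small macro generating them would keep the table and the events from drifting apart.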




[PATCH 4.19 40/45] x86/unwind: Add hardcoded ORC entry for NULL

2019-03-25 Thread Greg Kroah-Hartman
4.19-stable review patch.  If anyone has any objections, please let me know.

--

From: Jann Horn 

commit ac5ceccce5501e43d217c596e4ee859f2a3fef79 upstream.

When the ORC unwinder is invoked for an oops caused by IP==0,
it currently has no idea what to do because there is no debug information
for the stack frame of NULL.

But if RIP is NULL, it is very likely that the last successfully executed
instruction was an indirect CALL/JMP, and it is possible to unwind out in
the same way as for the first instruction of a normal function. Hardcode
a corresponding ORC entry.

With an artificially-added NULL call in prctl_set_seccomp(), before this
patch, the trace is:

Call Trace:
 ? __x64_sys_prctl+0x402/0x680
 ? __ia32_sys_prctl+0x6e0/0x6e0
 ? __do_page_fault+0x457/0x620
 ? do_syscall_64+0x6d/0x160
 ? entry_SYSCALL_64_after_hwframe+0x44/0xa9

After this patch, the trace looks like this:

Call Trace:
 __x64_sys_prctl+0x402/0x680
 ? __ia32_sys_prctl+0x6e0/0x6e0
 ? __do_page_fault+0x457/0x620
 do_syscall_64+0x6d/0x160
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

prctl_set_seccomp() still doesn't show up in the trace because for some
reason, tail call optimization is only disabled in builds that use the
frame pointer unwinder.

Signed-off-by: Jann Horn 
Signed-off-by: Thomas Gleixner 
Acked-by: Josh Poimboeuf 
Cc: Borislav Petkov 
Cc: Andrew Morton 
Cc: syzbot 
Cc: "H. Peter Anvin" 
Cc: Masahiro Yamada 
Cc: Michal Marek 
Cc: linux-kbu...@vger.kernel.org
Link: https://lkml.kernel.org/r/20190301031201.7416-2-ja...@google.com
Signed-off-by: Greg Kroah-Hartman 

---
 arch/x86/kernel/unwind_orc.c |   17 +
 1 file changed, 17 insertions(+)

--- a/arch/x86/kernel/unwind_orc.c
+++ b/arch/x86/kernel/unwind_orc.c
@@ -113,6 +113,20 @@ static struct orc_entry *orc_ftrace_find
 }
 #endif
 
+/*
+ * If we crash with IP==0, the last successfully executed instruction
+ * was probably an indirect function call with a NULL function pointer,
+ * and we don't have unwind information for NULL.
+ * This hardcoded ORC entry for IP==0 allows us to unwind from a NULL function
+ * pointer into its parent and then continue normally from there.
+ */
+static struct orc_entry null_orc_entry = {
+   .sp_offset = sizeof(long),
+   .sp_reg = ORC_REG_SP,
+   .bp_reg = ORC_REG_UNDEFINED,
+   .type = ORC_TYPE_CALL
+};
+
 static struct orc_entry *orc_find(unsigned long ip)
 {
static struct orc_entry *orc;
@@ -120,6 +134,9 @@ static struct orc_entry *orc_find(unsign
if (!orc_init)
return NULL;
 
+   if (ip == 0)
+   return &null_orc_entry;
+
/* For non-init vmlinux addresses, use the fast lookup table: */
if (ip >= LOOKUP_START_IP && ip < LOOKUP_STOP_IP) {
unsigned int idx, start, stop;
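Review bot: the `ip == 0` shortcut sits after `if (!orc_init) return NULL;`, although `null_orc_entry` is a static initialiser that does not depend on the ORC tables having been set up. Is there a reason a NULL call before ORC initialisation should still get no entry? If not, move the check above the `orc_init` test; if the order is intentional, say why in the comment added in the first hunk.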




[PATCH 4.19 37/45] netfilter: ebtables: remove BUGPRINT messages

2019-03-25 Thread Greg Kroah-Hartman
4.19-stable review patch.  If anyone has any objections, please let me know.

--

From: Florian Westphal 

commit d824548dae220820bdf69b2d1561b7c4b072783f upstream.

They are however frequently triggered by syzkaller, so remove them.

ebtables userspace should never trigger any of these, so there is little
value in making them pr_debug (or ratelimited).

Signed-off-by: Florian Westphal 
Signed-off-by: Pablo Neira Ayuso 
Signed-off-by: Greg Kroah-Hartman 

---
 net/bridge/netfilter/ebtables.c |  131 +++-
 1 file changed, 39 insertions(+), 92 deletions(-)

--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -31,10 +31,6 @@
 /* needed for logical [in,out]-dev filtering */
 #include "../br_private.h"
 
-#define BUGPRINT(format, args...) printk("kernel msg: ebtables bug: please "\
-"report to author: "format, ## args)
-/* #define BUGPRINT(format, args...) */
-
 /* Each cpu has its own set of counters, so there is no need for write_lock in
  * the softirq
  * For reading or updating the counters, the user context needs to
@@ -466,8 +462,6 @@ static int ebt_verify_pointers(const str
/* we make userspace set this right,
 * so there is no misunderstanding
 */
-   BUGPRINT("EBT_ENTRY_OR_ENTRIES shouldn't be set 
"
-"in distinguisher\n");
return -EINVAL;
}
if (i != NF_BR_NUMHOOKS)
@@ -485,18 +479,14 @@ static int ebt_verify_pointers(const str
offset += e->next_offset;
}
}
-   if (offset != limit) {
-   BUGPRINT("entries_size too small\n");
+   if (offset != limit)
return -EINVAL;
-   }
 
/* check if all valid hooks have a chain */
for (i = 0; i < NF_BR_NUMHOOKS; i++) {
if (!newinfo->hook_entry[i] &&
-  (valid_hooks & (1 << i))) {
-   BUGPRINT("Valid hook without chain\n");
+  (valid_hooks & (1 << i)))
return -EINVAL;
-   }
}
return 0;
 }
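Review bot: with the BUGPRINT calls gone, the `offset != limit` check in ebt_verify_pointers() has lost its only explanation ("entries_size too small"), and every validation failure touched by this patch now returns the same bare -EINVAL. The commit message argues against pr_debug, which is fair for syzkaller noise, but then the code comments should carry what the strings used to say. The hook check below already has "check if all valid hooks have a chain"; give `offset != limit` a matching one-line comment.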
@@ -523,26 +513,20 @@ ebt_check_entry_size_and_hooks(const str
/* this checks if the previous chain has as many entries
 * as it said it has
 */
-   if (*n != *cnt) {
-   BUGPRINT("nentries does not equal the nr of entries "
-"in the chain\n");
+   if (*n != *cnt)
return -EINVAL;
-   }
+
if (((struct ebt_entries *)e)->policy != EBT_DROP &&
   ((struct ebt_entries *)e)->policy != EBT_ACCEPT) {
/* only RETURN from udc */
if (i != NF_BR_NUMHOOKS ||
-  ((struct ebt_entries *)e)->policy != EBT_RETURN) {
-   BUGPRINT("bad policy\n");
+  ((struct ebt_entries *)e)->policy != EBT_RETURN)
return -EINVAL;
-   }
}
if (i == NF_BR_NUMHOOKS) /* it's a user defined chain */
(*udc_cnt)++;
-   if (((struct ebt_entries *)e)->counter_offset != *totalcnt) {
-   BUGPRINT("counter_offset != totalcnt");
+   if (((struct ebt_entries *)e)->counter_offset != *totalcnt)
return -EINVAL;
-   }
*n = ((struct ebt_entries *)e)->nentries;
*cnt = 0;
return 0;
@@ -550,15 +534,13 @@ ebt_check_entry_size_and_hooks(const str
/* a plain old entry, heh */
if (sizeof(struct ebt_entry) > e->watchers_offset ||
   e->watchers_offset > e->target_offset ||
-  e->target_offset >= e->next_offset) {
-   BUGPRINT("entry offsets not in right order\n");
+  e->target_offset >= e->next_offset)
return -EINVAL;
-   }
+
/* this is not checked anywhere else */
-   if (e->next_offset - e->target_offset < sizeof(struct 
ebt_entry_target)) {
-   BUGPRINT("target size too small\n");
+   if (e->next_offset - e->target_offset < sizeof(struct ebt_entry_target))
return -EINVAL;
-   }
+
(*cnt)++;
(*totalcnt)++;
return 0;
@@ -678,18 +660,15 @@ ebt_check_entry(struct ebt_entry *e, str
if (e->bitmask == 0)
return 0;
 
-   if (e->bitmask & ~EBT_F_MASK) {
-   BUGPRINT("Unknown flag for bitmask\n");
+   if (e->bitmask & ~EBT_F_MASK)
return -EINVAL;
-   }
-   if (e->invflags & ~EBT_INV_MASK) {
-   BUGPRINT("Unknown flag 

[PATCH 4.19 22/45] SMB3: Fix SMB3.1.1 guest mounts to Samba

2019-03-25 Thread Greg Kroah-Hartman
4.19-stable review patch.  If anyone has any objections, please let me know.

--

From: Steve French 

commit 8c11a607d1d9cd6e7f01fd6b03923597fb0ef95a upstream.

Workaround problem with Samba responses to SMB3.1.1
null user (guest) mounts.  The server doesn't set the
expected flag in the session setup response so we have
to do a similar check to what is done in smb3_validate_negotiate
where we also check if the user is a null user (but not sec=krb5
since username might not be passed in on mount for Kerberos case).

Note that the commit below tightened the conditions and forced signing
for the SMB2-TreeConnect commands as per MS-SMB2.
However, this should only apply to normal user sessions and not for
cases where there is no user (even if server forgets to set the flag
in the response) since we don't have anything useful to sign with.
This is especially important now that the more secure SMB3.1.1 protocol
is in the default dialect list.

An earlier patch ("cifs: allow guest mounts to work for smb3.11") fixed
the guest mounts to Windows.

Fixes: 6188f28bf608 ("Tree connect for SMB3.1.1 must be signed for non-encrypted shares")

Reviewed-by: Ronnie Sahlberg 
Reviewed-by: Paulo Alcantara 
CC: Stable 
Signed-off-by: Steve French 
Signed-off-by: Greg Kroah-Hartman 

---
 fs/cifs/smb2pdu.c |5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -1503,10 +1503,13 @@ SMB2_tcon(const unsigned int xid, struct
/*
 * 3.11 tcon req must be signed if not encrypted. See MS-SMB2 3.2.4.1.1
 * unless it is guest or anonymous user. See MS-SMB2 3.2.5.3.1
+* (Samba servers don't always set the flag so also check if null user)
 */
if ((ses->server->dialect == SMB311_PROT_ID) &&
!smb3_encryption_required(tcon) &&
-   !(ses->session_flags & 
(SMB2_SESSION_FLAG_IS_GUEST|SMB2_SESSION_FLAG_IS_NULL)))
+   !(ses->session_flags &
+   (SMB2_SESSION_FLAG_IS_GUEST|SMB2_SESSION_FLAG_IS_NULL)) &&
+   ((ses->user_name != NULL) || (ses->sectype == Kerberos)))
req->sync_hdr.Flags |= SMB2_FLAGS_SIGNED;
 
memset(&rqst, 0, sizeof(struct smb_rqst));
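Review bot: the added clause `((ses->user_name != NULL) || (ses->sectype == Kerberos))` switches off tree-connect signing for every SMB3.1.1 session mounted without a user name, not only for Samba servers that omit the guest/null flag. That makes the decision depend on a client-side mount parameter instead of on what the server reported in `session_flags`, so the comment should state that this is a deliberate relaxation of the MS-SMB2 3.2.4.1.1 rule and why it is acceptable (the commit message's point that a null session has nothing useful to sign with). Consider factoring the three-part condition into a small helper carrying that explanation, since the commit message says a similar null-user check already exists in smb3_validate_negotiate.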




[PATCH 4.19 36/45] f2fs: fix to avoid deadlock of atomic file operations

2019-03-25 Thread Greg Kroah-Hartman
4.19-stable review patch.  If anyone has any objections, please let me know.

--

From: Chao Yu 

commit 48432984d718c95cf13e26d487c2d1b697c3c01f upstream.

Thread A                                Thread B
- __fput
 - f2fs_release_file
  - drop_inmem_pages
   - mutex_lock(&fi->inmem_lock)
   - __revoke_inmem_pages
    - lock_page(page)
                                        - open
                                        - f2fs_setattr
                                        - truncate_setsize
                                         - truncate_inode_pages_range
                                          - lock_page(page)
                                          - truncate_cleanup_page
                                           - f2fs_invalidate_page
                                            - drop_inmem_page
                                            - mutex_lock(&fi->inmem_lock);

We may encounter above ABBA deadlock as reported by Kyungtae Kim:

I'm reporting a bug in linux-4.17.19: "INFO: task hung in
drop_inmem_page" (no reproducer)

I think this might be somehow related to the following:
https://groups.google.com/forum/#!searchin/syzkaller-bugs/INFO$3A$20task$20hung$20in$20%7Csort:date/syzkaller-bugs/c6soBTrdaIo/AjAzPeIzCgAJ

=
INFO: task syz-executor7:10822 blocked for more than 120 seconds.
  Not tainted 4.17.19 #1
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor7   D27024 10822   6346 0x0004
Call Trace:
 context_switch kernel/sched/core.c:2867 [inline]
 __schedule+0x721/0x1e60 kernel/sched/core.c:3515
 schedule+0x88/0x1c0 kernel/sched/core.c:3559
 schedule_preempt_disabled+0x18/0x30 kernel/sched/core.c:3617
 __mutex_lock_common kernel/locking/mutex.c:833 [inline]
 __mutex_lock+0x5bd/0x1410 kernel/locking/mutex.c:893
 mutex_lock_nested+0x1b/0x20 kernel/locking/mutex.c:908
 drop_inmem_page+0xcb/0x810 fs/f2fs/segment.c:327
 f2fs_invalidate_page+0x337/0x5e0 fs/f2fs/data.c:2401
 do_invalidatepage mm/truncate.c:165 [inline]
 truncate_cleanup_page+0x261/0x330 mm/truncate.c:187
 truncate_inode_pages_range+0x552/0x1610 mm/truncate.c:367
 truncate_inode_pages mm/truncate.c:478 [inline]
 truncate_pagecache+0x6d/0x90 mm/truncate.c:801
 truncate_setsize+0x81/0xa0 mm/truncate.c:826
 f2fs_setattr+0x44f/0x1270 fs/f2fs/file.c:781
 notify_change+0xa62/0xe80 fs/attr.c:313
 do_truncate+0x12e/0x1e0 fs/open.c:63
 do_last fs/namei.c:2955 [inline]
 path_openat+0x2042/0x29f0 fs/namei.c:3505
 do_filp_open+0x1bd/0x2c0 fs/namei.c:3540
 do_sys_open+0x35e/0x4e0 fs/open.c:1101
 __do_sys_open fs/open.c:1119 [inline]
 __se_sys_open fs/open.c:1114 [inline]
 __x64_sys_open+0x89/0xc0 fs/open.c:1114
 do_syscall_64+0xc4/0x4e0 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4497b9
RSP: 002b:7f734e459c68 EFLAGS: 0246 ORIG_RAX: 0002
RAX: ffda RBX: 7f734e45a6cc RCX: 004497b9
RDX: 0104 RSI: 000a8280 RDI: 2080
RBP: 0071bea0 R08:  R09: 
R10:  R11: 0246 R12: 
R13: 7230 R14: 006f02d0 R15: 7f734e45a700
INFO: task syz-executor7:10858 blocked for more than 120 seconds.
  Not tainted 4.17.19 #1
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor7   D28880 10858   6346 0x0004
Call Trace:
 context_switch kernel/sched/core.c:2867 [inline]
 __schedule+0x721/0x1e60 kernel/sched/core.c:3515
 schedule+0x88/0x1c0 kernel/sched/core.c:3559
 __rwsem_down_write_failed_common kernel/locking/rwsem-xadd.c:565 [inline]
 rwsem_down_write_failed+0x5e6/0xc90 kernel/locking/rwsem-xadd.c:594
 call_rwsem_down_write_failed+0x17/0x30 arch/x86/lib/rwsem.S:117
 __down_write arch/x86/include/asm/rwsem.h:142 [inline]
 down_write+0x58/0xa0 kernel/locking/rwsem.c:72
 inode_lock include/linux/fs.h:713 [inline]
 do_truncate+0x120/0x1e0 fs/open.c:61
 do_last fs/namei.c:2955 [inline]
 path_openat+0x2042/0x29f0 fs/namei.c:3505
 do_filp_open+0x1bd/0x2c0 fs/namei.c:3540
 do_sys_open+0x35e/0x4e0 fs/open.c:1101
 __do_sys_open fs/open.c:1119 [inline]
 __se_sys_open fs/open.c:1114 [inline]
 __x64_sys_open+0x89/0xc0 fs/open.c:1114
 do_syscall_64+0xc4/0x4e0 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4497b9
RSP: 002b:7f734e3b4c68 EFLAGS: 0246 ORIG_RAX: 0002
RAX: ffda RBX: 7f734e3b56cc RCX: 004497b9
RDX: 0104 RSI: 000a8280 RDI: 2080
RBP: 0071c238 R08:  R09: 
R10:  R11: 0246 R12: 
R13: 7230 R14: 006f02d0 R15: 7f734e3b5700
INFO: task syz-executor5:10829 blocked for more than 120 seconds.
  Not tainted 4.17.19 #1
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
syz-executor5   D28760 1082

[PATCH 4.19 45/45] power: supply: charger-manager: Fix incorrect return value

2019-03-25 Thread Greg Kroah-Hartman
4.19-stable review patch.  If anyone has any objections, please let me know.

--

From: Baolin Wang 

commit f25a646fbe2051527ad9721853e892d13a99199e upstream.

Fix incorrect return value.

Signed-off-by: Baolin Wang 
Signed-off-by: Sebastian Reichel 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/power/supply/charger-manager.c |3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/drivers/power/supply/charger-manager.c
+++ b/drivers/power/supply/charger-manager.c
@@ -1212,7 +1212,6 @@ static int charger_extcon_init(struct ch
if (ret < 0) {
pr_info("Cannot register extcon_dev for %s(cable: %s)\n",
cable->extcon_name, cable->name);
-   ret = -EINVAL;
}
 
return ret;
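
Review bot: With "ret = -EINVAL;" removed, the "if (ret < 0)" branch in charger_extcon_init() only logs, yet the failure is still reported through pr_info(). Since the unmodified error code is now what callers see, pr_err() with ret included in the message would make the log match the returned error. The commit message ("Fix incorrect return value.") should also say which value was wrong and why propagating the original code is preferred.
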
@@ -1633,7 +1632,7 @@ static int charger_manager_probe(struct
 
if (IS_ERR(desc)) {
dev_err(&pdev->dev, "No platform data (desc) found\n");
-   return -ENODEV;
+   return PTR_ERR(desc);
}
 
cm = devm_kzalloc(&pdev->dev, sizeof(*cm), GFP_KERNEL);
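
Review bot: "return PTR_ERR(desc);" in charger_manager_probe() can now return any errno, but the dev_err() text just above it still says "No platform data (desc) found", which only described the old -ENODEV. Consider printing the code as well, for example by adding ": %ld" with PTR_ERR(desc) to the message. Please also confirm that whatever produces desc never returns NULL, because IS_ERR() does not catch it and probe would continue with a NULL pointer.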




[PATCH 4.19 21/45] irqchip/gic-v3-its: Fix comparison logic in lpi_range_cmp

2019-03-25 Thread Greg Kroah-Hartman
4.19-stable review patch.  If anyone has any objections, please let me know.

--

From: Rasmus Villemoes 

commit 89dc891792c2e046b030f87600109c22209da32e upstream.

The lpi_range_list is supposed to be sorted in ascending order of
->base_id (at least if the range merging is to work), but the current
comparison function returns a positive value if rb->base_id >
ra->base_id, which means that list_sort() will put A after B in that
case - and vice versa, of course.

Fixes: 880cb3cddd16 (irqchip/gic-v3-its: Refactor LPI allocator)
Cc: sta...@vger.kernel.org (v4.19+)
Signed-off-by: Rasmus Villemoes 
Signed-off-by: Marc Zyngier 
Signed-off-by: Greg Kroah-Hartman 

---
 drivers/irqchip/irq-gic-v3-its.c |2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/irqchip/irq-gic-v3-its.c
+++ b/drivers/irqchip/irq-gic-v3-its.c
@@ -1477,7 +1477,7 @@ static int lpi_range_cmp(void *priv, str
ra = container_of(a, struct lpi_range, entry);
rb = container_of(b, struct lpi_range, entry);
 
-   return rb->base_id - ra->base_id;
+   return ra->base_id - rb->base_id;
 }
 
 static void merge_lpi_ranges(void)
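
Review bot: lpi_range_cmp() returns int, so "ra->base_id - rb->base_id" only yields the right sign while the difference fits in an int. If base_id is an unsigned or wider type, two IDs far enough apart would wrap or truncate and sort in the wrong order. An explicit comparison such as "(ra->base_id > rb->base_id) - (ra->base_id < rb->base_id)" avoids depending on the range of the IDs.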

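The effect of the inverted comparator on range merging, as an added user-space sketch that is not code from the patch or the driver. struct range, merge_adjacent() and the sample IDs are assumptions made for illustration; qsort() stands in for list_sort(), and the comparators use explicit comparisons with the same sign as the two subtractions in the hunk.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified stand-in for the driver's range record (assumed layout). */
struct range { uint32_t base_id; uint32_t span; };

/* Same sign as the pre-patch "rb - ra": sorts in descending base_id order. */
static int cmp_before(const void *a, const void *b)
{
    const struct range *ra = a, *rb = b;
    return (rb->base_id > ra->base_id) - (rb->base_id < ra->base_id);
}

/* Same sign as the post-patch "ra - rb": sorts in ascending base_id order. */
static int cmp_after(const void *a, const void *b)
{
    const struct range *ra = a, *rb = b;
    return (ra->base_id > rb->base_id) - (ra->base_id < rb->base_id);
}

/* Hypothetical merge pass: fold a range into its predecessor when the
 * predecessor ends exactly where the range begins. Returns ranges left. */
static size_t merge_adjacent(struct range *r, size_t n)
{
    size_t out = 0;
    for (size_t i = 1; i < n; i++) {
        if (r[out].base_id + r[out].span == r[i].base_id)
            r[out].span += r[i].span;
        else
            r[++out] = r[i];
    }
    return n ? out + 1 : 0;
}

/* Three contiguous, constructed ranges freed out of order, sorted then merged. */
static size_t ranges_after_merge(int (*cmp)(const void *, const void *))
{
    struct range r[] = { {8192, 32}, {8256, 32}, {8224, 32} };
    qsort(r, 3, sizeof(r[0]), cmp);
    return merge_adjacent(r, 3);
}

int main(void)
{
    printf("descending sort leaves %zu ranges\n", ranges_after_merge(cmp_before));
    printf("ascending sort leaves %zu range(s)\n", ranges_after_merge(cmp_after));
    return 0;
}
```
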



[PATCH 4.19 23/45] ALSA: x86: Fix runtime PM for hdmi-lpe-audio

2019-03-25 Thread Greg Kroah-Hartman
4.19-stable review patch.  If anyone has any objections, please let me know.

--

From: Ville Syrjälä 

commit 8dfb839cfe737a17def8e5f88ee13c295230364a upstream.

Commit 46e831abe864 ("drm/i915/lpe: Mark LPE audio runtime pm as
"no callbacks"") broke runtime PM with lpe audio. We can no longer
runtime suspend the GPU since the sysfs  power/control for the
lpe-audio device no longer exists and the device is considered
always active. We can fix this by not marking the device as
active.

Cc: Chris Wilson 
Cc: Takashi Iwai 
Cc: Pierre-Louis Bossart 
Fixes: 46e831abe864 ("drm/i915/lpe: Mark LPE audio runtime pm as "no callbacks"")
Signed-off-by: Ville Syrjälä 
Link: https://patchwork.freedesktop.org/patch/msgid/20181024154825.18185-1-ville.syrj...@linux.intel.com
Reviewed-by: Chris Wilson 
Acked-by: Takashi Iwai 
Signed-off-by: Greg Kroah-Hartman 

---
 sound/x86/intel_hdmi_audio.c |1 -
 1 file changed, 1 deletion(-)

--- a/sound/x86/intel_hdmi_audio.c
+++ b/sound/x86/intel_hdmi_audio.c
@@ -1900,7 +1900,6 @@ static int hdmi_lpe_audio_probe(struct p
 
pm_runtime_use_autosuspend(&pdev->dev);
pm_runtime_mark_last_busy(&pdev->dev);
-   pm_runtime_set_active(&pdev->dev);
 
dev_dbg(&pdev->dev, "%s: handle pending notification\n", __func__);
for_each_port(card_ctx, port) {
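
Review bot: With pm_runtime_set_active() removed from hdmi_lpe_audio_probe(), the device keeps its default suspended runtime-PM status while the for_each_port() loop that follows handles pending notifications. Please confirm that this path takes a runtime-PM reference, or does not touch hardware registers, before it runs. It is also worth checking whether the pm_runtime_mark_last_busy() call kept just above still has any effect now that the device is not marked active.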




[PATCH 4.19 14/45] powerpc/vdso64: Fix CLOCK_MONOTONIC inconsistencies across Y2038

2019-03-25 Thread Greg Kroah-Hartman
4.19-stable review patch.  If anyone has any objections, please let me know.

--

From: Michael Ellerman 

commit b5b4453e7912f056da1ca7572574cada32ecb60c upstream.

Jakub Drnec reported:
  Setting the realtime clock can sometimes make the monotonic clock go
  back by over a hundred years. Decreasing the realtime clock across
  the y2k38 threshold is one reliable way to reproduce. Allegedly this
  can also happen just by running ntpd, I have not managed to
  reproduce that other than booting with rtc at >2038 and then running
  ntp. When this happens, anything with timers (e.g. openjdk) breaks
  rather badly.

And included a test case (slightly edited for brevity):
  #define _POSIX_C_SOURCE 199309L
  #include <stdio.h>
  #include <time.h>
  #include <unistd.h>

  long get_time(void) {
    struct timespec tp;
    clock_gettime(CLOCK_MONOTONIC, &tp);
    return tp.tv_sec + tp.tv_nsec / 1000000000;
  }

  int main(void) {
    long last = get_time();
    while(1) {
      long now = get_time();
      if (now < last) {
        printf("clock went backwards by %ld seconds!\n", last - now);
      }
      last = now;
      sleep(1);
    }
    return 0;
  }

Which when run concurrently with:
 # date -s 2040-1-1
 # date -s 2037-1-1

Will detect the clock going backward.

The root cause is that wtom_clock_sec in struct vdso_data is only a
32-bit signed value, even though we set its value to be equal to
tk->wall_to_monotonic.tv_sec which is 64-bits.

Because the monotonic clock starts at zero when the system boots the
wall_to_monotonic.tv_sec offset is negative for current and future
dates. Currently on a freshly booted system the offset will be in the
vicinity of negative 1.5 billion seconds.

However if the wall clock is set past the Y2038 boundary, the offset
from wall to monotonic becomes less than negative 2^31, and no longer
fits in 32-bits. When that value is assigned to wtom_clock_sec it is
truncated and becomes positive, causing the VDSO assembly code to
calculate CLOCK_MONOTONIC incorrectly.

That causes CLOCK_MONOTONIC to jump ahead by ~4 billion seconds which
it is not meant to do. Worse, if the time is then set back before the
Y2038 boundary CLOCK_MONOTONIC will jump backward.

We can fix it simply by storing the full 64-bit offset in the
vdso_data, and using that in the VDSO assembly code. We also shuffle
some of the fields in vdso_data to avoid creating a hole.

The original commit that added the CLOCK_MONOTONIC support to the VDSO
did actually use a 64-bit value for wtom_clock_sec, see commit
a7f290dad32e ("[PATCH] powerpc: Merge vdso's and add vdso support to
32 bits kernel") (Nov 2005). However just 3 days later it was
converted to 32-bits in commit 0c37ec2aa88b ("[PATCH] powerpc: vdso
fixes (take #2)"), and the bug has existed since then AFAICS.

Fixes: 0c37ec2aa88b ("[PATCH] powerpc: vdso fixes (take #2)")
Cc: sta...@vger.kernel.org # v2.6.15+
Link: http://lkml.kernel.org/r/hac.zfes.62bwlnvavmp.1st...@seznam.cz
Reported-by: Jakub Drnec 
Signed-off-by: Michael Ellerman 
Signed-off-by: Greg Kroah-Hartman 

---
 arch/powerpc/include/asm/vdso_datapage.h  |8 
 arch/powerpc/kernel/vdso64/gettimeofday.S |4 ++--
 2 files changed, 6 insertions(+), 6 deletions(-)

--- a/arch/powerpc/include/asm/vdso_datapage.h
+++ b/arch/powerpc/include/asm/vdso_datapage.h
@@ -82,10 +82,10 @@ struct vdso_data {
__u32 icache_block_size;/* L1 i-cache block size */
__u32 dcache_log_block_size;/* L1 d-cache log block size */
__u32 icache_log_block_size;/* L1 i-cache log block size */
-   __s32 wtom_clock_sec;   /* Wall to monotonic clock */
-   __s32 wtom_clock_nsec;
-   struct timespec stamp_xtime;/* xtime as at tb_orig_stamp */
-   __u32 stamp_sec_fraction;   /* fractional seconds of stamp_xtime */
+   __u32 stamp_sec_fraction;   /* fractional seconds of 
stamp_xtime */
+   __s32 wtom_clock_nsec;  /* Wall to monotonic clock nsec 
*/
+   __s64 wtom_clock_sec;   /* Wall to monotonic clock sec 
*/
+   struct timespec stamp_xtime;/* xtime as at tb_orig_stamp */
__u32 syscall_map_64[SYSCALL_MAP_SIZE]; /* map of syscalls  */
__u32 syscall_map_32[SYSCALL_MAP_SIZE]; /* map of syscalls */
 };
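
Review bot: Widening wtom_clock_sec to __s64 in struct vdso_data changes what a 32-bit load at WTOM_CLOCK_SEC returns, but the diffstat only updates vdso64/gettimeofday.S. Any other reader of that offset that still uses a 32-bit load would now fetch the upper half of the value on a big-endian kernel, so the remaining users of WTOM_CLOCK_SEC should be audited as part of this change. The reordering also relies on stamp_sec_fraction and wtom_clock_nsec pairing up to keep the __s64 naturally aligned; a build-time check on the field offset would stop later edits from breaking that silently.
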
--- a/arch/powerpc/kernel/vdso64/gettimeofday.S
+++ b/arch/powerpc/kernel/vdso64/gettimeofday.S
@@ -92,7 +92,7 @@ V_FUNCTION_BEGIN(__kernel_clock_gettime)
 * At this point, r4,r5 contain our sec/nsec values.
 */
 
-   lwa r6,WTOM_CLOCK_SEC(r3)
+   ld  r6,WTOM_CLOCK_SEC(r3)
lwa r9,WTOM_CLOCK_NSEC(r3)
 
/* We now have our result in r6,r9. We create a fake dependency
@@ -125,7 +125,7 @@ V_FUNCTION_BEGIN(__kernel_clock_gettime)
bne cr6,75f
 
/* CLOCK_MONOTONIC_COARSE */
-   lwa r6,WTOM_CLOCK_SEC(r3)
+   ld  r6,WTOM_CLOCK_SEC(r3)
lwa r9,WTOM_CLOCK_
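
The truncation this commit message describes can be reproduced in user space. The following is an added illustration, not code from the patch or the kernel: the helper names, the 100-second uptime and the two wall-clock values are assumptions, and nanoseconds are ignored.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample values (seconds since the Unix epoch, UTC). */
#define WALL_2037 2114380800LL   /* 2037-01-01, before the Y2038 boundary */
#define WALL_2040 2208988800LL   /* 2040-01-01, after the Y2038 boundary */

/* What a signed 32-bit field holds after a 64-bit value is stored in it:
 * keep the low 32 bits and reinterpret them as two's complement. */
static int64_t stored_as_s32(int64_t v)
{
    uint32_t low = (uint32_t)v;
    return low >= 0x80000000u ? (int64_t)low - 4294967296LL : (int64_t)low;
}

/* CLOCK_MONOTONIC seconds as derived from wall time plus the published
 * wall-to-monotonic offset. field_bits selects the old (32) or the new (64)
 * width of wtom_clock_sec. */
static int64_t monotonic_seen(int64_t wall_sec, int64_t uptime_sec, int field_bits)
{
    int64_t wtom = uptime_sec - wall_sec;   /* negative for current dates */

    if (field_bits == 32)
        wtom = stored_as_s32(wtom);
    return wall_sec + wtom;
}

int main(void)
{
    /* Wall clock set to 2040, then back to 2037 one second later. */
    printf("2040, 32-bit field: %lld\n",
           (long long)monotonic_seen(WALL_2040, 100, 32));
    printf("2037, 32-bit field: %lld\n",
           (long long)monotonic_seen(WALL_2037, 101, 32));
    printf("2040, 64-bit field: %lld\n",
           (long long)monotonic_seen(WALL_2040, 100, 64));
    return 0;
}
```

With the 32-bit field the 2040 reading is 2^32 seconds ahead of the real uptime, and the next reading after the clock is set back to 2037 is lower than the previous one.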

[PATCH 4.19 19/45] perf probe: Fix getting the kernel map

2019-03-25 Thread Greg Kroah-Hartman
4.19-stable review patch.  If anyone has any objections, please let me know.

--

From: Adrian Hunter 

commit eaeffeb9838a7c0dec981d258666bfcc0fa6a947 upstream.

Since commit 4d99e4136580 ("perf machine: Workaround missing maps for
x86 PTI entry trampolines"), perf tools has been creating more than one
kernel map, however 'perf probe' assumed there could be only one.

Fix by using machine__kernel_map() to get the main kernel map.

Signed-off-by: Adrian Hunter 
Tested-by: Joseph Qi 
Acked-by: Masami Hiramatsu 
Cc: Alexander Shishkin 
Cc: Andy Lutomirski 
Cc: Greg Kroah-Hartman 
Cc: Jiufei Xue 
Cc: Peter Zijlstra 
Cc: sta...@vger.kernel.org
Cc: Xu Yu 
Fixes: 4d99e4136580 ("perf machine: Workaround missing maps for x86 PTI entry trampolines")
Fixes: d83212d5dd67 ("kallsyms, x86: Export addresses of PTI entry trampolines")
Link: http://lkml.kernel.org/r/2ed432de-e904-85d2-5c36-5897ddc5b...@intel.com
Signed-off-by: Arnaldo Carvalho de Melo 
Signed-off-by: Greg Kroah-Hartman 

---
 tools/perf/util/probe-event.c |6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/tools/perf/util/probe-event.c
+++ b/tools/perf/util/probe-event.c
@@ -157,8 +157,10 @@ static struct map *kernel_get_module_map
if (module && strchr(module, '/'))
return dso__new_map(module);
 
-   if (!module)
-   module = "kernel";
+   if (!module) {
+   pos = machine__kernel_map(host_machine);
+   return map__get(pos);
+   }
 
for (pos = maps__first(maps); pos; pos = map__next(pos)) {
/* short_name is "[module]" */
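
Review bot: In the new "if (!module)" branch of kernel_get_module_map(), the result of machine__kernel_map(host_machine) is handed to map__get() without a check. Please confirm that host_machine is always initialised on this path and that map__get() accepts NULL, or return NULL explicitly when no kernel map is found. Since this branch returns a counted reference, the returns in the for loop below it should follow the same ownership rule so callers can always drop the map the same way.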




[PATCH 4.19 18/45] cifs: allow guest mounts to work for smb3.11

2019-03-25 Thread Greg Kroah-Hartman
4.19-stable review patch.  If anyone has any objections, please let me know.

--

From: Ronnie Sahlberg 

commit e71ab2aa06f731a944993120b0eef1556c63b81c upstream.

Fix Guest/Anonymous sessions so that they work with SMB 3.11.

The commit noted below tightened the conditions and forced signing for
the SMB2-TreeConnect commands as per MS-SMB2.
However, this should only apply to normal user sessions and not for
Guest/Anonymous sessions.

Fixes: 6188f28bf608 ("Tree connect for SMB3.1.1 must be signed for non-encrypted shares")

Signed-off-by: Ronnie Sahlberg 
CC: Stable 
Signed-off-by: Steve French 
Signed-off-by: Greg Kroah-Hartman 

---
 fs/cifs/smb2pdu.c |8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -1500,9 +1500,13 @@ SMB2_tcon(const unsigned int xid, struct
iov[1].iov_base = unc_path;
iov[1].iov_len = unc_path_len;
 
-   /* 3.11 tcon req must be signed if not encrypted. See MS-SMB2 3.2.4.1.1 
*/
+   /*
+* 3.11 tcon req must be signed if not encrypted. See MS-SMB2 3.2.4.1.1
+* unless it is guest or anonymous user. See MS-SMB2 3.2.5.3.1
+*/
if ((ses->server->dialect == SMB311_PROT_ID) &&
-   !smb3_encryption_required(tcon))
+   !smb3_encryption_required(tcon) &&
+   !(ses->session_flags & 
(SMB2_SESSION_FLAG_IS_GUEST|SMB2_SESSION_FLAG_IS_NULL)))
req->sync_hdr.Flags |= SMB2_FLAGS_SIGNED;
 
memset(&rqst, 0, sizeof(struct smb_rqst));
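
Review bot: The new clause in SMB2_tcon() skips SMB2_FLAGS_SIGNED whenever ses->session_flags has SMB2_SESSION_FLAG_IS_GUEST or SMB2_SESSION_FLAG_IS_NULL set, so the decision not to sign the tree connect rests entirely on those flags. If they are taken from the server's session setup response, please confirm that a mount which explicitly requires signing fails rather than proceeding unsigned as guest. The added condition line also runs well past 80 columns and could be split after the "&" operator or moved into a small helper.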



