[PATCH v2] netfilter: xt_hashlimit: Fix integer divide round to zero.

2017-02-06 Thread Alban Browaeys
Diving the divider by the multiplier before applying to the input.
When this would "divide by zero", divide the multiplier by the divider
first then multiply the input by this value.

Currently user2creds outputs zero when input value is bigger than the
number of slices and  lower than scale.
This as then user input is applied an integer divide operation to
a number greater than itself (scale).
That rounds up to zero, then we mulitply zero by the credits slice size.
  iptables -t filter -I INPUT --protocol tcp --match hashlimit
  --hashlimit 40/second --hashlimit-burst 20 --hashlimit-mode srcip
  --hashlimit-name syn-flood --jump RETURN
thus trigger the overflow detection code:
xt_hashlimit: overflow, try lower: 25000/20
(25000 as hashlimit avd and 20 the burst)
Here:
134217 slices of (HZ * CREDITS_PER_JIFFY) size.
50 is user input value
100 is XT_HASHLIMIT_SCALE_v2
gives: 0 as user2creds output
Setting burst to "1" typically solve the issue ...
but setting it to "40" does too !

This is on 32bit arch calling into revision 2 of hashlimit.

Signed-off-by: Alban Browaeys 
---
v2:
- fix missing conditional statement in revision 1 case
.

I removed the code duplication between revision 1 and 2.

v1: https://lkml.org/lkml/2017/2/4/173
---
 net/netfilter/xt_hashlimit.c | 25 +
 1 file changed, 9 insertions(+), 16 deletions(-)

diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c
index 10063408141d..84ad5ab34558 100644
--- a/net/netfilter/xt_hashlimit.c
+++ b/net/netfilter/xt_hashlimit.c
@@ -463,23 +463,16 @@ static u32 xt_hashlimit_len_to_chunks(u32 len)
 /* Precision saver. */
 static u64 user2credits(u64 user, int revision)
 {
-   if (revision == 1) {
-   /* If multiplying would overflow... */
-   if (user > 0x / (HZ*CREDITS_PER_JIFFY_v1))
-   /* Divide first. */
-   return div64_u64(user, XT_HASHLIMIT_SCALE)
-   * HZ * CREDITS_PER_JIFFY_v1;
-
-   return div64_u64(user * HZ * CREDITS_PER_JIFFY_v1,
-XT_HASHLIMIT_SCALE);
-   } else {
-   if (user > 0xULL / (HZ*CREDITS_PER_JIFFY))
-   return div64_u64(user, XT_HASHLIMIT_SCALE_v2)
-   * HZ * CREDITS_PER_JIFFY;
+   u64 scale = (revision == 1) ?
+   XT_HASHLIMIT_SCALE : XT_HASHLIMIT_SCALE_v2;
+   u64 cpj = (revision == 1) ?
+   CREDITS_PER_JIFFY_v1 : CREDITS_PER_JIFFY;
 
-   return div64_u64(user * HZ * CREDITS_PER_JIFFY,
-XT_HASHLIMIT_SCALE_v2);
-   }
+   /* Avoid overflow: divide the constant operands first */
+   if (scale >= HZ * cpj)
+   return div64_u64(user, div64_u64(scale, HZ * cpj));
+
+   return user * div64_u64(HZ * cpj, scale);
 }
 
 static u32 user2credits_byte(u32 user)
-- 
2.11.0



Re: [PATCH] netfilter: xt_hashlimit: Fix integer divide round to zero.

2017-02-06 Thread Alban Browaeys
Le lundi 06 février 2017 à 14:04 +0100, Pablo Neira Ayuso a écrit :
> On Sat, Feb 04, 2017 at 11:47:31PM +0100, Alban Browaeys wrote:
> > diff --git a/net/netfilter/xt_hashlimit.c
> > b/net/netfilter/xt_hashlimit.c
> > index 10063408141d..df75ad643eef 100644
> > --- a/net/netfilter/xt_hashlimit.c
> > +++ b/net/netfilter/xt_hashlimit.c
> > @@ -463,21 +463,19 @@ static u32 xt_hashlimit_len_to_chunks(u32 len)
> >  /* Precision saver. */
> >  static u64 user2credits(u64 user, int revision)
> >  {
> > > > +   /* Avoid overflow: divide the constant operands first */
> > > >     if (revision == 1) {
> > > > -   /* If multiplying would overflow... */
> > > > -   if (user > 0x / (HZ*CREDITS_PER_JIFFY_v1))
> > > > -   /* Divide first. */
> > > > -   return div64_u64(user, XT_HASHLIMIT_SCALE)
> > > > -   * HZ * CREDITS_PER_JIFFY_v1;
> > > > +   return div64_u64(user, div64_u64(XT_HASHLIMIT_SCALE,
> > > > +   HZ * CREDITS_PER_JIFFY_v1));
> >  
> > > > -   return div64_u64(user * HZ * CREDITS_PER_JIFFY_v1,
> > > > +   return user * div64_u64(HZ * CREDITS_PER_JIFFY_v1,
> >      XT_HASHLIMIT_SCALE);
> 
> I see two return statements here, the one coming later is
> shadowed, this can't be right.

I fixed revision 2 case then copy the code to revision 1
 and lost the condition in the process.
The code duplication is useless. I will rework it in v2.

Thank you for the review.


[PATCH] netfilter: xt_hashlimit: Fix integer divide round to zero.

2017-02-04 Thread Alban Browaeys
Diving the divider by the multiplier before applying to the input.
When this would "divide by zero", divide the multiplier by the divider
first then multiply the input by this value.

Currently user2creds outputs zero when input value is bigger than the
number of slices and  lower than scale.
This as then user input is applied an integer divide operation to
a number greater than itself (scale).
That rounds up to zero, then we mulitply zero by the credits slice size.
  iptables -t filter -I INPUT --protocol tcp --match hashlimit
  --hashlimit 40/second --hashlimit-burst 20 --hashlimit-mode srcip
  --hashlimit-name syn-flood --jump RETURN
thus trigger the overflow detection code:
xt_hashlimit: overflow, try lower: 25000/20
(25000 as hashlimit avd and 20 the burst)
Here:
134217 slices of (HZ * CREDITS_PER_JIFFY) size.
50 is user input value
100 is XT_HASHLIMIT_SCALE_v2
gives: 0 as user2creds output
Setting burst to "1" typically solve the issue ...
but setting it to "40" does too !

This is on 32bit arch calling into revision 2 of hashlimit.

Signed-off-by: Alban Browaeys 
---
 net/netfilter/xt_hashlimit.c | 18 --
 1 file changed, 8 insertions(+), 10 deletions(-)

diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c
index 10063408141d..df75ad643eef 100644
--- a/net/netfilter/xt_hashlimit.c
+++ b/net/netfilter/xt_hashlimit.c
@@ -463,21 +463,19 @@ static u32 xt_hashlimit_len_to_chunks(u32 len)
 /* Precision saver. */
 static u64 user2credits(u64 user, int revision)
 {
+   /* Avoid overflow: divide the constant operands first */
if (revision == 1) {
-   /* If multiplying would overflow... */
-   if (user > 0x / (HZ*CREDITS_PER_JIFFY_v1))
-   /* Divide first. */
-   return div64_u64(user, XT_HASHLIMIT_SCALE)
-   * HZ * CREDITS_PER_JIFFY_v1;
+   return div64_u64(user, div64_u64(XT_HASHLIMIT_SCALE,
+   HZ * CREDITS_PER_JIFFY_v1));
 
-   return div64_u64(user * HZ * CREDITS_PER_JIFFY_v1,
+   return user * div64_u64(HZ * CREDITS_PER_JIFFY_v1,
 XT_HASHLIMIT_SCALE);
} else {
-   if (user > 0xULL / (HZ*CREDITS_PER_JIFFY))
-   return div64_u64(user, XT_HASHLIMIT_SCALE_v2)
-   * HZ * CREDITS_PER_JIFFY;
+   if (XT_HASHLIMIT_SCALE_v2 >= HZ * CREDITS_PER_JIFFY)
+   return div64_u64(user, div64_u64(XT_HASHLIMIT_SCALE_v2,
+   HZ * CREDITS_PER_JIFFY));
 
-   return div64_u64(user * HZ * CREDITS_PER_JIFFY,
+   return user * div64_u64(HZ * CREDITS_PER_JIFFY,
 XT_HASHLIMIT_SCALE_v2);
}
 }
-- 
2.11.0



Re: Unable to boot linux-next build

2016-10-19 Thread Alban Browaeys
Le dimanche 11 septembre 2016 à 20:00 +0200, Quentin Lambert a écrit :
> 
> On 09/09/2016 10:31, Quentin Lambert wrote:
> >   I have been trying to build and boot the last version available
> > on linux-next.
> >   During the build I am being prompted with "has no CRC!" warnings
> > for a bunch
> >   of modules.

There is a thread about this issue, with patches on the list (lkml)
titled "[GIT PULL] kbuild changes for v4.9-rc1" starting on Mon, 17 Oct
2016, with initial author "Michal Marek".

To sum up, you could disable CONFIG_MODVERSIONS in your config or
downgrade binutils to <= 2.26 or revert 784d5699eddc ("x86: move
exports to actual definitions")  or apply the two patches from the
above thread if on x86:

- first one : from Nicholas Piggin for all archs:
http://www.mail-archive.com/linux-kernel@vger.kernel.org/msg1250340.htm
l

- second from Adam Borowski , x86 specific bits :
http://www.mail-archive.com/linux-kernel@vger.kernel.org/msg1250599.htm
l


Re: genirq: Setting trigger mode 0 for irq 11 failed (txx9_irq_set_type+0x0/0xb8)

2016-09-16 Thread Alban Browaeys
Le vendredi 16 septembre 2016 à 13:55 +0100, Marc Zyngier a écrit :
> At that stage, I'm not sure I should care. Does the workaround make
> your
> platform usable?

However awkward this was all about logs and clearing worries. There was
no change in behavior  between the three cases : upstream, upstream
commit reverted and patched upstream.

Mind this hardware (the Odroid U2) has no hardware buttons. Only power
on plug.

Best regards,
Alban



Re: genirq: Setting trigger mode 0 for irq 11 failed (txx9_irq_set_type+0x0/0xb8)

2016-09-16 Thread Alban Browaeys
Le vendredi 16 septembre 2016 à 08:51 +0100, Marc Zyngier a écrit :
> Hi Alban,
> 
> On 16/09/16 00:02, Alban Browaeys wrote:
> > I am seeing this on arm odroid u2 devicetree :
> > genirq: Setting trigger mode 0 for irq 16 failed
> > (gic_set_type+0x0/0x64)
> 
> Passing IRQ_TYPE_NONE to a cascading interrupt is risky at best...
> Can you point me to the various DTs and their failing interrupts?

mine is:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/arch/arm/boot/dts/exynos4412-odroidu3.dts

I got a report of this issue to another odroid :
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/arch/arm/boot/dts/exynos4412-odroidx2.dts



they both get their settings from :
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/arch/arm/boot/dts/exynos4412.dtsi

relevant in the chain are:
- combiner modified:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/arch/arm/boot/dts/exynos4x12.dtsi#n460
- gic:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/arch/arm/boot/dts/exynos4x12-pinctrl.dtsi#n576
- gic and combiner initial settings:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/arch/arm/boot/dts/exynos4.dtsi#n134



> Also, can you please give the following patch a go and let me know
> if that fixes the issue (I'm interested in the potential warning
> here).

1st batch of warnings is :

[ cut here ]
WARNING: CPU: 0 PID: 0 at kernel/irq/chip.c:833 __irq_do_set_handler+0x1c0/0x1c4
Modules linked in:
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.8.0-rc6-debug+ #30
Hardware name: ODROID-U2/U3
[] (unwind_backtrace) from [] (show_stack+0x10/0x14)
[] (show_stack) from [] (dump_stack+0xa8/0xd4)
[] (dump_stack) from [] (__warn+0xe8/0x100)
[] (__warn) from [] (warn_slowpath_null+0x20/0x28)
[] (warn_slowpath_null) from [] 
(__irq_do_set_handler+0x1c0/0x1c4)
[] (__irq_do_set_handler) from [] 
(irq_set_chained_handler_and_data+0x38/0x54)
[] (irq_set_chained_handler_and_data) from [] 
(combiner_of_init+0x1a0/0x1c4)
[] (combiner_of_init) from [] (of_irq_init+0x194/0x2e8)
[] (of_irq_init) from [] (exynos_init_irq+0x8/0x3c)
[] (exynos_init_irq) from [] (init_IRQ+0x2c/0x88)
[] (init_IRQ) from [] (start_kernel+0x284/0x388)
[] (start_kernel) from [<40008078>] (0x40008078)
---[ end trace f68728a0d3053b52 ]---

2nd batch is :

[ cut here ]
WARNING: CPU: 1 PID: 1 at kernel/irq/chip.c:833 __irq_do_set_handler+0x1c0/0x1c4
Modules linked in:
CPU: 1 PID: 1 Comm: swapper/0 Tainted: GW   4.8.0-rc6-debug+ #30
Hardware name: ODROID-U2/U3
[] (unwind_backtrace) from [] (show_stack+0x10/0x14)
[] (show_stack) from [] (dump_stack+0xa8/0xd4)
[] (dump_stack) from [] (__warn+0xe8/0x100)
[] (__warn) from [] (warn_slowpath_null+0x20/0x28)
[] (warn_slowpath_null) from [] 
(__irq_do_set_handler+0x1c0/0x1c4)
[] (__irq_do_set_handler) from [] 
(irq_set_chained_handler_and_data+0x38/0x54)
[] (irq_set_chained_handler_and_data) from [] 
(exynos_eint_wkup_init+0x188/0x2dc)
[] (exynos_eint_wkup_init) from [] 
(samsung_pinctrl_probe+0x874/0xa18)
[] (samsung_pinctrl_probe) from [] 
(platform_drv_probe+0x4c/0xb0)
[] (platform_drv_probe) from [] 
(driver_probe_device+0x24c/0x440)
[] (driver_probe_device) from [] 
(bus_for_each_drv+0x64/0x98)
[] (bus_for_each_drv) from [] (__device_attach+0xb4/0x144)
[] (__device_attach) from [] (bus_probe_device+0x88/0x90)
[] (bus_probe_device) from [] (device_add+0x428/0x5c8)
[] (device_add) from [] 
(of_platform_device_create_pdata+0x84/0xb8)
[] (of_platform_device_create_pdata) from [] 
(of_platform_bus_create+0x164/0x440)
[] (of_platform_bus_create) from [] 
(of_platform_populate+0x80/0x114)
[] (of_platform_populate) from [] 
(of_platform_default_populate_init+0x6c/0x80)
[] (of_platform_default_populate_init) from [] 
(do_one_initcall+0x50/0x198)
[] (do_one_initcall) from [] 
(kernel_init_freeable+0x250/0x2f0)
[] (kernel_init_freeable) from [] (kernel_init+0x8/0x114)
[] (kernel_init) from [] (ret_from_fork+0x14/0x24)
---[ end trace f68728a0d3053b66 ]---



Best regards,
Alban


Re: genirq: Setting trigger mode 0 for irq 11 failed (txx9_irq_set_type+0x0/0xb8)

2016-09-15 Thread Alban Browaeys
Le mercredi 14 septembre 2016 à 21:25 +0200, Geert Uytterhoeven a
écrit :
> JFYI, with v4.8-rc6 I'm seeing
> 
> genirq: Setting trigger mode 0 for irq 11 failed
> (txx9_irq_set_type+0x0/0xb8)
> 
> on rbtx4927. This did not happen with v4.8-rc3.


txx9_irq_set_type receives a type IRQ_TYPE_NONE from the call to
__irq_set_trigger added in:
1e12c4a939 ("genirq: Correctly configure the trigger on chained interrupts")


This patch is a regression fix for :

Desc: irqdomain: Don't set type when mapping an IRQ breaks nexus7 gpio buttons
Repo: 2016-07-30 https://marc.info/?l=linux-kernel&m=146985356305280&w=2

I am seeing this on arm odroid u2 devicetree :
genirq: Setting trigger mode 0 for irq 16 failed (gic_set_type+0x0/0x64)


Alban


Re: [PATCH 1/2] clk: Fix __clk_get access to already freed owner field.

2015-02-06 Thread Alban Browaeys
Le jeudi 05 février 2015 à 13:45 -0800, Stephen Boyd a écrit :
> On 02/05/15 13:30, Alban Browaeys wrote:
> >> Thanks for the information. Can you please try the patch in this other
> >> thread[1]? I think you're seeing the same problem.
> >>
> >> [1] https://lkml.org/lkml/2015/2/5/595
> >
> > This fixes both oops : the one from __clk_get and the next from
> > hlist_del.
> >
> 
> Great! Can I take this as your Tested-by?


Tested-by: Alban Browaeys 

Well done!

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/


Re: [PATCH 1/2] clk: Fix __clk_get access to already freed owner field.

2015-02-05 Thread Alban Browaeys

> 
> Thanks for the information. Can you please try the patch in this other
> thread[1]? I think you're seeing the same problem.
> 
> [1] https://lkml.org/lkml/2015/2/5/595


This fixes both oops : the one from __clk_get and the next from
hlist_del.

Thanks
Alban

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/


Re: [PATCH 2/2] clk: Fix OOPS calling hlist_del on an already poisoned hlist.

2015-02-05 Thread Alban Browaeys
Le jeudi 05 février 2015 à 11:33 -0800, Stephen Boyd a écrit :
> On 02/05/15 10:24, Alban Browaeys wrote:
> > Put is called more than once, thus hlist_del ends up on a poisoned
> > list.
> 
> Why is clk_put() called more than once on the same clk pointer? Where
> does this happe
> 

With only patch 1 from this set applied I get another oops: 


[7.346612] Unable to handle kernel paging request at virtual address 
00200200
[7.353686] pgd = ebbf4000
[7.355939] [00200200] *pgd=
[7.359444] Internal error: Oops: 805 [#1] PREEMPT SMP ARM
[7.364914] Modules linked in: exynosdrm(+) drm_kms_helper phy_exynos_usb2 
fuse
[7.372201] CPU: 3 PID: 102 Comm: systemd-modules Not tainted 
3.19.0-rc7-next-20150204-00053-g17e4521 #93
[7.381764] Hardware name: SAMSUNG EXYNOS (Flattened Device Tree)
[7.387832] task: eb0a8f00 ti: ebbfe000 task.ti: ebbfe000
[7.393213] PC is at __clk_put+0x64/0xdc
[7.397111] LR is at clk_prepare_lock+0x20/0x100
[7.401712] pc : []lr : []psr: 200f0053
[7.401712] sp : ebbffbb8  ip : ebbffba0  fp : ebbffbcc
[7.413185] r10: ee0ff600  r9 : 0001  r8 : 
[7.413188] r7 : ebbffbf8  r6 :   r5 : ee5c7d80  r4 : ee0ff600
[7.413195] r3 : 00100100  r2 : 00200200  r1 : 080007ff  r0 : 0001
[7.413200] Flags: nzCv  IRQs on  FIQs off  Mode SVC_32  ISA ARM  Segment 
user
[7.413204] Control: 10c5387d  Table: 6bbf404a  DAC: 0015
[7.413208] Process systemd-modules (pid: 102, stack limit = 0xebbfe218)
[7.413211] Stack: (0xebbffbb8 to 0xebc0)
[7.413215] fba0:   
 ee106400
[7.413222] fbc0: ebbffbdc ebbffbd0 c055222c c0556114 ebbffc6c ebbffbe0 
c0558604 c0552220
[7.413228] fbe0: ebbffbf8 c01cc560 ebbbc310 ee2b5200 ebbffc14 c01ced00 
ee5e0d3c 0001
[7.413234] fc00: 0181 ee2b5200 ebbffc34 ebbbc100  c08c5790 
ee2b5200 ebbbc300
[7.413239] fc20: 0001 0006 ebbffc5c ebbffc38 c01ced00 c01cb2d0 
ed834850 
[7.413245] fc40: ed834858 ed834850 ed834850 bf06c0b4 c0aa82b8  
bf06c0b4 0006
[7.413251] fc60: ebbffc8c ebbffc70 c044213c c055846c ed834850 c0b61248 
c0b61254 c0aa82b8
[7.413257] fc80: ebbffcc4 ebbffc90 c043ff34 c0442120 ed834850 bf06c0b4 
ed834884 ed834850
[7.413263] fca0: bf06c0b4 ed834884  bf0631f0 eb3cfc00 c0a4f40c 
ebbffce4 ebbffcc8
[7.413269] fcc0: c044020c c043fdc8   bf06c0b4 c0440194 
ebbffd0c ebbffce8
[7.413275] fce0: c043ded8 c04401a0 ee284e38 ed830900 c06f5720 bf06c0b4 
eb329cc0 c0a87448
[7.413280] fd00: ebbffd1c ebbffd10 c043fa14 c043de88 ebbffd44 ebbffd20 
c043f460 c043f9f4
[7.413286] fd20: bf069280 ebbffd30 bf06c0b4  bf0631e8 bf06c388 
ebbffd5c ebbffd48
[7.413292] fd40: c0440bfc c043f370 0001  ebbffd6c ebbffd60 
c0442094 c0440b50
[7.413298] fd60: ebbffdbc ebbffd70 bf04ca08 c044203c  bf065090 
 
[7.413303] fd80:       
c0a53b20 bf06c208
[7.413309] fda0: c0a53b20 bf04c950  c0a53b20 ebbffe4c ebbffdc0 
c0008b28 bf04c95c
[7.413315] fdc0: 001f  ebbffdec ebbffdd8 c00504f4 c006dde0 
ebbfe000 
[7.413321] fde0: ee002140 00d0 c06ed168 000c c0a50600 0001 
ebbffe4c ebbffe08
[7.413327] fe00: c01541d8 c0153934 ebbfe008 ebbffe08 0001 ebbfe008 
ee002140 dc8cb100
[7.41] fe20: 0001 bf06c208 0001 eb3cfd00 eb3cf000 0001 
14c3101c eb3cf008
[7.413339] fe40: ebbffe74 ebbffe50 c06ed1a4 c00089ec ebbffe74 ebbffe60 
c014496c ebbfff48
[7.413345] fe60: 0001 bf06c208 ebbfff3c ebbffe78 c00af61c c06ed140 
bf06c214 7fff
[7.413350] fe80: c00ac6a8 ebbfff48 ebbffeb4 f0473db8 0780 0777 
f0473e84 bf06c214
[7.413356] fea0: bf06c378 b6dc99f8 bf06c250 c0a4f40c c00ad024 c0169924 
 
[7.413362] fec0: bf063194 0009   6e72656b 6c65 
 
[7.413367] fee0:       
 
[7.413373] ff00:    dc8cb100 ebbfff2c  
0006 b6dc99f8
[7.413379] ff20: 017b c000fb64 ebbfe000  ebbfffa4 ebbfff40 
c00afdec c00ada4c
[7.413385] ff40: c0180738  f0454000 002bb414 f070ec6c f066643f 
f066dd80 00020390
[7.413390] ff60: 00026450 bf06c1f0 0001  002f 0030 
001a 
[7.413396] ff80: 0008   b6dca7d4 00028948 e1c5e100 
 ebbfffa8
[7.413402] ffa0: c000f9c0 c00afd54 b6dca7d4 00028948 0006 b6dc99f8 
 b6dca31c
[7.413408] ffc0: b6dca7d4 00028948 e1c5e100 017b 0002 00015964 
00015f34 0002e640
[7.413414] ffe0: bedc0268 bedc0258 b6dc3c4b b6e6cd42 600d0070 0006 
6f7fd821 6f7fdc21
[7.413427] [] (__clk_put) from [] (clk_put+0x18/0x1c)
[7.413438] [] (clk_put) from [] 
(of_c

Re: [PATCH 1/2] clk: Fix __clk_get access to already freed owner field.

2015-02-05 Thread Alban Browaeys
Le jeudi 05 février 2015 à 11:30 -0800, Stephen Boyd a écrit :

> > Signed-off-by: Alban Browaeys 
> > ---
> >  drivers/clk/clk.c | 17 +
> >  1 file changed, 9 insertions(+), 8 deletions(-)
> >
> > diff --git a/drivers/clk/clk.c b/drivers/clk/clk.c
> > index df94668..8f33722 100644
> > --- a/drivers/clk/clk.c
> > +++ b/drivers/clk/clk.c
> > @@ -2485,15 +2485,18 @@ EXPORT_SYMBOL_GPL(clk_register);
> >   */
> >  static void __clk_release(struct kref *ref)
> >  {
> > -   struct clk_core *clk = container_of(ref, struct clk_core, ref);
> > -   int i = clk->num_parents;
> > +   struct clk_core *core = container_of(ref, struct clk_core, ref);
> > +   struct clk *clk = container_of(&core, struct clk, core);
> 
> How does this work? struct clk_core doesn't have a struct clk inside it.
> 

Seems I am confused. The aim is  to get the clk struct from its core
field. If I cannot do that from within __clk_release , this fix is
doomed.

> > +   int i = core->num_parents;
> >  
> > -   kfree(clk->parents);
> > +   kfree(core->parents);
> > while (--i >= 0)
> > -   kfree_const(clk->parent_names[i]);
> > +   kfree_const(core->parent_names[i]);
> 
> We don't have kfree_const() in the clk-next tree so please resend based
> on clk-next, not linux-next.
> 

I will do after we confirmed there is a way to get to clk from clk_core.
Otherwise the fix makes no sense. 

> I'm still confused. Care to send the actual backtrace and describe which
> hardware you're running on (perhaps some dts file to look at)?
> 

This is the initial oops before any change (based on linux-next
20150204). 

[7.264186] Unable to handle kernel paging request at virtual address 
6b6b6b77
[7.270206] pgd = eb0b4000
[7.272809] [6b6b6b77] *pgd=
[7.276466] Internal error: Oops: 5 [#1] PREEMPT SMP ARM
[7.281667] Modules linked in: exynosdrm(+) drm_kms_helper phy_exynos_usb2 
fuse
[7.288950] CPU: 1 PID: 98 Comm: systemd-modules Not tainted 
3.19.0-rc7-next-20150204-00052-g1059e6a #91
[7.298424] Hardware name: SAMSUNG EXYNOS (Flattened Device Tree)
[7.304488] task: ebae3c00 ti: eb0bc000 task.ti: eb0bc000
[7.309888] PC is at __clk_get+0x30/0xa0
[7.313781] LR is at of_clk_get_by_clkspec+0x38/0x54
[7.318722] pc : []lr : []psr: 200d0053
[7.318722] sp : eb0bdbb0  ip : eb0bdbc8  fp : eb0bdbc4
[7.330187] r10: 0006  r9 : 0001  r8 : 
[7.335398] r7 : eb0bdbf8  r6 :   r5 : ee5c7d80  r4 : 6b6b6b6b
[7.341913] r3 : 0001  r2 : 0011  r1 : ee0b7004  r0 : ee0ff600
[7.341923] Flags: nzCv  IRQs on  FIQs off  Mode SVC_32  ISA ARM  Segment 
user
[7.341927] Control: 10c5387d  Table: 6b0b404a  DAC: 0015
[7.341931] Process systemd-modules (pid: 98, stack limit = 0xeb0bc218)
[7.341934] Stack: (0xeb0bdbb0 to 0xeb0be000)
[7.341939] dba0: 0001 ee0ff600 
eb0bdbdc eb0bdbc8
[7.341945] dbc0: c055231c c0556074 0001 ed834850 eb0bdc6c eb0bdbe0 
c0558528 c05522f0
[7.341950] dbe0: eb0bdbf8 c01cc560 eb3e4710 ee2b4200 eb0bdc14 c01ced00 
ee5e0d3c 0001
[7.341956] dc00: 0011 ee2b4200 eb0bdc34 eb3e4900  c08c5790 
ee2b4200 eb3e4700
[7.341962] dc20: 0001 0006 eb0bdc5c eb0bdc38 c01ced00 c01cb2d0 
ed834850 
[7.341968] dc40: ed834858 ed834850 ed834850 bf06c0b4 c0aa82b8  
bf06c0b4 0006
[7.341974] dc60: eb0bdc8c eb0bdc70 c044213c c0558474 ed834850 c0b61248 
c0b61254 c0aa82b8
[7.341979] dc80: eb0bdcc4 eb0bdc90 c043ff34 c0442120  bf0631f0 
e9c3b700 ed834850
[7.341985] dca0: bf06c0b4 ed834884  bf0631f0 e9c3b700 c0a4f40c 
eb0bdce4 eb0bdcc8
[7.341991] dcc0: c044020c c043fdc8   bf06c0b4 c0440194 
eb0bdd0c eb0bdce8
[7.341997] dce0: c043ded8 c04401a0 ee284e38 ed830900 c06f5728 bf06c0b4 
eb1477c0 c0a87448
[7.342003] dd00: eb0bdd1c eb0bdd10 c043fa14 c043de88 eb0bdd44 eb0bdd20 
c043f460 c043f9f4
[7.342009] dd20: bf069280 eb0bdd30 bf06c0b4  bf0631e8 bf06c388 
eb0bdd5c eb0bdd48
[7.342014] dd40: c0440bfc c043f370 0001  eb0bdd6c eb0bdd60 
c0442094 c0440b50
[7.342020] dd60: eb0bddbc eb0bdd70 bf04ca08 c044203c  bf065090 
 
[7.342026] dd80:       
c0a53b20 bf06c208
[7.342031] dda0: c0a53b20 bf04c950  c0a53b20 eb0bde4c eb0bddc0 
c0008b28 bf04c95c
[7.342037] ddc0: 001f  eb0bddec eb0bddd8 c00504f4 c006dde0 
eb0bc000 
[7.342043] dde0: ee002140 00d0 c06ed170 000c c0a50600  
eb0bde4c eb0bde08
[7.342049] de00: c01541d8 c0153934 eb0bc008 eb0bde08  eb0bc008 
ee002140 dc8cb100
[7.342055] de20: 0001 bf06c208 

[PATCH 2/2] clk: Fix OOPS calling hlist_del on an already poisoned hlist.

2015-02-05 Thread Alban Browaeys
Put is called more than once, thus hlist_del ends up on a poisoned
list.

Move hlist_del to the __clk_release handler managed by kref instead
of calling it in _clk_put.

Fixes: 1c8e600440c7 ("clk: Add rate constraints to clocks")
Signed-off-by: Alban Browaeys 
---
 drivers/clk/clk.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/clk/clk.c b/drivers/clk/clk.c
index 8f33722..f1d4b33 100644
--- a/drivers/clk/clk.c
+++ b/drivers/clk/clk.c
@@ -2489,6 +2489,9 @@ static void __clk_release(struct kref *ref)
struct clk *clk = container_of(&core, struct clk, core);
int i = core->num_parents;
 
+   hlist_del(&clk->child_node);
+   clk_core_set_rate_nolock(clk->core, clk->core->req_rate);
+
kfree(core->parents);
while (--i >= 0)
kfree_const(core->parent_names[i]);
@@ -2666,8 +2669,6 @@ void __clk_put(struct clk *clk)
 
clk_prepare_lock();
 
-   hlist_del(&clk->child_node);
-   clk_core_set_rate_nolock(clk->core, clk->core->req_rate);
owner = clk->core->owner;
kref_put(&clk->core->ref, __clk_release);
 
-- 
2.1.4

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/


[PATCH 1/2] clk: Fix __clk_get access to already freed owner field.

2015-02-05 Thread Alban Browaeys
On the second call to __set_clk_parents from of_clk_set_defaults, here
when registering the second fimc device the kernel OOPS in an "unhandled
paging request at virtual address 6b6b6b77". This in __clk_get when
dereferencing clk->owner.

Move the clk free in the kref managed _clk_release call instead of
plain __clk_put.

Fixes: 035a61c314eb ("clk: Make clk API return per-user struct clk
instances)

Signed-off-by: Alban Browaeys 
---
 drivers/clk/clk.c | 17 +
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/drivers/clk/clk.c b/drivers/clk/clk.c
index df94668..8f33722 100644
--- a/drivers/clk/clk.c
+++ b/drivers/clk/clk.c
@@ -2485,15 +2485,18 @@ EXPORT_SYMBOL_GPL(clk_register);
  */
 static void __clk_release(struct kref *ref)
 {
-   struct clk_core *clk = container_of(ref, struct clk_core, ref);
-   int i = clk->num_parents;
+   struct clk_core *core = container_of(ref, struct clk_core, ref);
+   struct clk *clk = container_of(&core, struct clk, core);
+   int i = core->num_parents;
 
-   kfree(clk->parents);
+   kfree(core->parents);
while (--i >= 0)
-   kfree_const(clk->parent_names[i]);
+   kfree_const(core->parent_names[i]);
+
+   kfree(core->parent_names);
+   kfree_const(core->name);
+   kfree(core);
 
-   kfree(clk->parent_names);
-   kfree_const(clk->name);
kfree(clk);
 }
 
@@ -2671,8 +2674,6 @@ void __clk_put(struct clk *clk)
clk_prepare_unlock();
 
module_put(owner);
-
-   kfree(clk);
 }
 
 /***clk rate change notifiers***/
-- 
2.1.4

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/


usb: misc: usb3503: connect and intn mismatch in OF vs variable assignments

2013-08-16 Thread Alban Browaeys
hub->gpio_intn  = of_get_named_gpio(np, "connect-gpios", 0);
and
hub->gpio_connect = of_get_named_gpio(np, "intn-gpios", 0);

I guess they should be switched , that is connect-gpios bound to 
hub->gpio_connect
and intn-gpios to hub->gpio_int.

Sorry not to provides a patch. I thought that this issue might ends up with dts 
relying
on this broken behaviour if not pointed early ...
Either way if not fixed soon , I will have completed my branch cleanup (I also 
have other patches
to this file ie drivers/usb/misc/usb3503.c).

Best regards
Alban

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/


[PATCH 4/4] [media] em28xx: Fix vidioc fmt vid cap v4l2 compliance

2013-07-16 Thread Alban Browaeys
Set fmt.pix.priv to zero in vidioc_g_fmt_vid_cap
 and vidioc_try_fmt_vid_cap.

Catched by v4l2-compliance.

Signed-off-by: Alban Browaeys 
---
 drivers/media/usb/em28xx/em28xx-video.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/media/usb/em28xx/em28xx-video.c 
b/drivers/media/usb/em28xx/em28xx-video.c
index 1a577ed..42930a4 100644
--- a/drivers/media/usb/em28xx/em28xx-video.c
+++ b/drivers/media/usb/em28xx/em28xx-video.c
@@ -943,6 +943,8 @@ static int vidioc_g_fmt_vid_cap(struct file *file, void 
*priv,
else
f->fmt.pix.field = dev->interlaced ?
   V4L2_FIELD_INTERLACED : V4L2_FIELD_TOP;
+   f->fmt.pix.priv = 0;
+
return 0;
 }
 
@@ -1008,6 +1010,7 @@ static int vidioc_try_fmt_vid_cap(struct file *file, void 
*priv,
else
f->fmt.pix.field = dev->interlaced ?
   V4L2_FIELD_INTERLACED : V4L2_FIELD_TOP;
+   f->fmt.pix.priv = 0;
 
return 0;
 }
-- 
1.8.3.2

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/


[PATCH 3/4] [media] em28xx: usb power config is in the low byte.

2013-07-16 Thread Alban Browaeys
According to the em2860 datasheet, eeprom byte 08H is Chip
Configuration Low Byte and 09H is High Byte.
Usb power configuration is in the Low byte (same as the usb audio
 class config).

Signed-off-by: Alban Browaeys 
---
 drivers/media/usb/em28xx/em28xx-i2c.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/media/usb/em28xx/em28xx-i2c.c 
b/drivers/media/usb/em28xx/em28xx-i2c.c
index c4ff973..6ff7415 100644
--- a/drivers/media/usb/em28xx/em28xx-i2c.c
+++ b/drivers/media/usb/em28xx/em28xx-i2c.c
@@ -743,13 +743,13 @@ static int em28xx_i2c_eeprom(struct em28xx *dev, unsigned 
bus,
break;
}
 
-   if (le16_to_cpu(dev_config->chip_conf) & 1 << 3)
+   if (le16_to_cpu(dev_config->chip_conf) >> 4 & 1 << 3)
em28xx_info("\tUSB Remote wakeup capable\n");
 
-   if (le16_to_cpu(dev_config->chip_conf) & 1 << 2)
+   if (le16_to_cpu(dev_config->chip_conf) >> 4 & 1 << 2)
em28xx_info("\tUSB Self power capable\n");
 
-   switch (le16_to_cpu(dev_config->chip_conf) & 0x3) {
+   switch (le16_to_cpu(dev_config->chip_conf) >> 4 & 0x3) {
case 0:
em28xx_info("\t500mA max power\n");
break;
-- 
1.8.3.2

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/


[PATCH 2/4] [media] em28xx: i2s 5 sample rates is a subset of 3 one.

2013-07-16 Thread Alban Browaeys
As:
EM28XX_CHIPCFG_I2S_3_SAMPRATES 0x20
EM28XX_CHIPCFG_I2S_5_SAMPRATES 0x30

the board chipcfg is 0xf0 thus if 3_SAMPRATES is tested
first and matches while it is a 5_SAMPRATES.

Signed-off-by: Alban Browaeys 
---
 drivers/media/usb/em28xx/em28xx-core.c | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/media/usb/em28xx/em28xx-core.c 
b/drivers/media/usb/em28xx/em28xx-core.c
index fc157af..3c0c5e9 100644
--- a/drivers/media/usb/em28xx/em28xx-core.c
+++ b/drivers/media/usb/em28xx/em28xx-core.c
@@ -505,13 +505,13 @@ int em28xx_audio_setup(struct em28xx *dev)
dev->audio_mode.has_audio = false;
return 0;
} else if ((cfg & EM28XX_CHIPCFG_AUDIOMASK) ==
-  EM28XX_CHIPCFG_I2S_3_SAMPRATES) {
-   em28xx_info("I2S Audio (3 sample rates)\n");
-   dev->audio_mode.i2s_3rates = 1;
-   } else if ((cfg & EM28XX_CHIPCFG_AUDIOMASK) ==
   EM28XX_CHIPCFG_I2S_5_SAMPRATES) {
em28xx_info("I2S Audio (5 sample rates)\n");
dev->audio_mode.i2s_5rates = 1;
+   } else if ((cfg & EM28XX_CHIPCFG_AUDIOMASK) ==
+  EM28XX_CHIPCFG_I2S_3_SAMPRATES) {
+   em28xx_info("I2S Audio (3 sample rates)\n");
+   dev->audio_mode.i2s_3rates = 1;
}
 
if ((cfg & EM28XX_CHIPCFG_AUDIOMASK) != EM28XX_CHIPCFG_AC97) {
-- 
1.8.3.2

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/


[PATCH 1/4] [media] em28xx: fix assignment of the eeprom data.

2013-07-16 Thread Alban Browaeys
Set the config structure pointer to the eeprom data pointer (data,
here eedata dereferenced) not the pointer to the pointer to
the eeprom data (eedata itself).

Signed-off-by: Alban Browaeys 
---
 drivers/media/usb/em28xx/em28xx-i2c.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/media/usb/em28xx/em28xx-i2c.c 
b/drivers/media/usb/em28xx/em28xx-i2c.c
index 4851cc2..c4ff973 100644
--- a/drivers/media/usb/em28xx/em28xx-i2c.c
+++ b/drivers/media/usb/em28xx/em28xx-i2c.c
@@ -726,7 +726,7 @@ static int em28xx_i2c_eeprom(struct em28xx *dev, unsigned 
bus,
 
*eedata = data;
*eedata_len = len;
-   dev_config = (void *)eedata;
+   dev_config = (void *)*eedata;
 
switch (le16_to_cpu(dev_config->chip_conf) >> 4 & 0x3) {
case 0:
-- 
1.8.3.2

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/


Re: thoughts on kernel security issues

2005-01-18 Thread Alban Browaeys
Bill Davidsen  tmr.com> writes:

> 
> With no disrespect, I don't believe you have ever been a full-time 
> employee system administrator for any commercial or government 
> organization, and I don't believe you have any experience trying to do 
> security when change must be reviewed by technically naive management to 
> justify cost, time, and policy implications. The people on the list who 
> disagree may view the security information issue in a very different 
> context.

Basically you are saying that if i disagree, my view is irrelevant. What do you
expect with this kind of start. 

> Linus Torvalds wrote:
> 
> > What vendor-sec does is to make it "socially acceptable" to be a parasite. 
> > 
> > I personally think that such behaviour simply should not be encouraged. If
> > you have a security "researcher" that has some reason to delay his
> > disclosure, you should see for for what he is: looking for cheap PR. You
> > shouldn't make excuses for it. Any research organization that sees PR as a
> > primary objective is just misguided.
> 
> There are damn fine reasons for not having immediate public disclosure, 
> it allows vandors and administrators to close the hole before the script 
> kiddies get a hold of it. And they are the real problem, because there 
> are so MANY of them, and they tend to do slash and burn stuff, wipe out 
> your files, steal your identity, and other things you have to notice. 
> They aren't smart enough to find holes themselves in most cases, they 
> are too lazy in many cases to read the high-level hacker boards, and a 
> few weeks of delay in many cases lets the careful avoid damage.
> 
> Security through obscurity doesn't work, but a small delay for a fix to 
> be developed can prevent a lot of problems. And of course the 
> information should be released, it encourages the creation and 
> installation of fixes.
>
> Oh, and many of the problem reports result in "cheap PR" consisting of a 
> single line mention in a CERT report or similar. Most people are not 
> doing it for the glory.

Nobody told against a small delay , in most of the case that is already what is
happening today. 
There is a little problem in this rhetoric. You want fix fast and disclosure
latter. As soon as the fix (we are talking about source available) is out, the
hole is too. Wondering if chiken or egg is great flame subject.

> 
> > What's the alternative? I'd like to foster a culture of
> > 
> >  (a) accepting that bugs happen, and that they aren't news, but making 
> >  sure that the very openness of the process means that people know
> >  what's going on exactly because it is _open_, not because some news 
> >  organization had to make a big stink about it just to make a vendor
> >  take notice.
> 
> Linux vendors aside, many vendors react in direct proportion to the bad 
> publicity engendered. I'd like the world to work that way, but in many 
> places it doesn't.
> > 
> >  Right now, people seem to think that big news media warnings on 
> >  cnet.com about SP2 fixing 15 vulnerabilities or similar is the proper
> >  way to get people to upgrade. That just -cannot- be right.
> 
> Unfortunately reality doesn't agree with you. Many organizations have no 
> other effective way to convince management of the need for a fix except 
> newspaper articles and magazine articles. A sometimes that has to get to 
> the horror story stage before action is possible.


All those to lines to say one thing . Managing security requires social skills.

 
> > And let's not kid ourselves: the security firms may have resources that 
> > they put into it, but the worst-case schenario is actual criminal intent. 
> > People who really have resources to study security problems, and who have 
> > _no_ advantage of using vendor-sec at all. And in that case, vendor-sec is 
> > _REALLY_ a huge mistake. 
> 
> I think you are still missing the point, I don't care if a security firm 
> reads mailing lists or tea leaves, does research or just knows where to 
> find it, they are paid to do it and if they do it well and report the 
> problems which apply to me and the source of the fixes they keep me from 
> missing something and at the same time save me time. Even reading only 
> good mailing lists and newsgroups it takes a lot of time to keep 
> current, and you see a lot of stuff you don't need.
> 

Does this resume to :
I want my company to be in control. And nobody else please, because i do not
trust them.
Who would you want in this security board ? No hackers i believe they have no
incentive to shut the *** up, they do not care about money or their buisness or
who knows why.

So you want :
a/ everyboddy is wrong, we cannot understand,
b/ crackers "are too lazy in many cases to read the high-level hacker boards"
c/ "How can i have fix without ever having a hole ?".
Close your eyes and believe, that s the only way to achieved absolute safety.
I am not kidding, billions of people does this, it seems effi

Re: Linux Kernel Audit Project?

2005-01-16 Thread Alban Browaeys
John Richard Moser  comcast.net> writes:

> Is there an official Linux Kernel Audit Project to actively and
> aggressively security audit all patches going into the Linux Kernel, or
> do they just get a cursory scan for bugs and obvious screwups?

>From a user point of view , there is at least tracking: patches are signed and
approved by the "component" maintenair before reaching mainline.



-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/