Re: [PATCH] powerpc/8xx: use SPRN_EIE and SPRN_EID to enable/disable interrupts
Le 18/08/2016 à 19:54, Segher Boessenkool a écrit :
On Thu, Aug 18, 2016 at 06:52:47PM +0200, Christophe Leroy wrote:
Le 18/08/2016 à 18:34, Segher Boessenkool a écrit :
On Thu, Aug 18, 2016 at 05:56:02PM +0200, Christophe Leroy wrote:
The 8xx has two special registers called EID (External Interrupt
Disable) and EIE (External Interrupt Enable) for clearing/setting
EE in MSR. It avoids the three instructions set mfmsr/ori/mtmsr or
mfmsr/rlwinm/mtmsr.
All 8xx? What other models? (5xx for example).
At least 823, 860, 866 and 885 have it.
I haven't been able to find a manual for all 8xx. But there is AN2055,
which suggests EIE etc. is for all 8xx indeed.
Looks like the 5xx have it too (at least the 565). Does Linux supports
that one at all ?
All 5xx have it, there is a manual for *that* ("RCPU") :-)
+/* Special MSR manipulation registers */
+#define SPRN_EIE 80 /* External interrupt enable (EE=1, RI=1) */
+#define SPRN_EID 81 /* External interrupt disable (EE=0, RI=1) */
+#define SPRN_NRI 81 /* Non Recoverable interrupt (EE=0, RI=0) */
Is it correct to set RI in all places you do now?
MSR_KERNEL contains the RI bit.
MSR_KERNEL less MSR_IR and MSR_DR is loaded into MSR in
EXCEPTION_PROLOG_2() in head_8xx.S
Then reloaded with MSR_KERNEL in some places in entry_32.S
And MSR_RI is cleared in restore: in entry_32.S a few insns before the RFI.
So in all C functions, MSR_RI is set.
Christophe
This is wrong (NRI is 82). Don't write code you cannot test / don't submit
code you haven't tested? :-)
Oops. You're right, copy/paste failure.
Was tested on an 885. Unfortunatly SPRN_NRI is not used (yet) :-(
Well, that was my point!
Segher
[PATCH] Documentation: dt: dwc3: note the supported phy-names
The dwc3 driver expicitly looks for "usb2-phy" or "usb3-phy", but we never noted these names in the documentation. Signed-off-by: Brian Norris --- Documentation/devicetree/bindings/usb/dwc3.txt | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Documentation/devicetree/bindings/usb/dwc3.txt b/Documentation/devicetree/bindings/usb/dwc3.txt index 7d7ce089b003..2358779cf6cb 100644 --- a/Documentation/devicetree/bindings/usb/dwc3.txt +++ b/Documentation/devicetree/bindings/usb/dwc3.txt @@ -13,7 +13,8 @@ Optional properties: in the array is expected to be a handle to the USB2/HS PHY and the second element is expected to be a handle to the USB3/SS PHY - phys: from the *Generic PHY* bindings - - phy-names: from the *Generic PHY* bindings + - phy-names: from the *Generic PHY* bindings; supported names are "usb2-phy" + or "usb3-phy". - snps,usb3_lpm_capable: determines if platform is USB3 LPM capable - snps,disable_scramble_quirk: true when SW should disable data scrambling. Only really useful for FPGA builds. -- 2.8.0.rc3.226.g39d4020
[PATCH] IB/qib: Use memdup_user() rather than duplicating its implementation
From: Markus Elfring
Date: Fri, 19 Aug 2016 08:50:23 +0200
Reuse existing functionality from memdup_user() instead of keeping
duplicate source code.
This issue was detected by using the Coccinelle software.
Signed-off-by: Markus Elfring
---
drivers/infiniband/hw/qib/qib_fs.c | 11 +++
1 file changed, 3 insertions(+), 8 deletions(-)
diff --git a/drivers/infiniband/hw/qib/qib_fs.c
b/drivers/infiniband/hw/qib/qib_fs.c
index fcdf3791..910f0d9 100644
--- a/drivers/infiniband/hw/qib/qib_fs.c
+++ b/drivers/infiniband/hw/qib/qib_fs.c
@@ -338,17 +338,12 @@ static ssize_t flash_write(struct file *file, const char
__user *buf,
goto bail;
}
- tmp = kmalloc(count, GFP_KERNEL);
- if (!tmp) {
- ret = -ENOMEM;
+ tmp = memdup_user(buf, count);
+ if (IS_ERR(tmp)) {
+ ret = PTR_ERR(tmp);
goto bail;
}
- if (copy_from_user(tmp, buf, count)) {
- ret = -EFAULT;
- goto bail_tmp;
- }
-
dd = private2dd(file);
if (qib_eeprom_write(dd, pos, tmp, count)) {
ret = -ENXIO;
--
2.9.3
[PATCH 3.12 007/100] um: Remove copy&paste code from init.h
From: Richard Weinberger 3.12-stable review patch. If anyone has any objections, please let me know. === commit 30b11ee9ae23d78de66b9ae315880af17a64ba83 upstream. As we got rid of the __KERNEL__ abuse, we can directly include linux/compiler.h now. This also allows gcc 5 to build UML. Reported-by: Hans-Werner Hilse Signed-off-by: Richard Weinberger Signed-off-by: Jiri Slaby --- arch/um/include/shared/init.h | 22 +- 1 file changed, 1 insertion(+), 21 deletions(-) diff --git a/arch/um/include/shared/init.h b/arch/um/include/shared/init.h index 031ad1d111e7..233e2593eee0 100644 --- a/arch/um/include/shared/init.h +++ b/arch/um/include/shared/init.h @@ -40,28 +40,8 @@ typedef int (*initcall_t)(void); typedef void (*exitcall_t)(void); -#ifdef __UM_HOST__ -#ifndef __section -# define __section(S) __attribute__ ((__section__(#S))) -#endif - -#if __GNUC__ == 3 - -#if __GNUC_MINOR__ >= 3 -# define __used__attribute__((__used__)) -#else -# define __used__attribute__((__unused__)) -#endif - -#else -#if __GNUC__ == 4 -# define __used__attribute__((__used__)) -#endif -#endif - -#else #include -#endif + /* These are for everybody (although not all archs will actually discard it in modules) */ #define __init __section(.init.text) -- 2.9.3
[PATCH 3.12 006/100] um: Fix out-of-tree build
From: Richard Weinberger 3.12-stable review patch. If anyone has any objections, please let me know. === commit 0b5aedfe0e6654ec54f35109e1929a1cf7fc4cdd upstream. Commit 30b11ee9a (um: Remove copy&paste code from init.h) uncovered an issue wrt. out-of-tree builds. For out-of-tree builds, we must not rely on relative paths. Before 30b11ee9a it worked by chance as no host code included generated header files. Acked-by: Randy Dunlap Signed-off-by: Richard Weinberger Signed-off-by: Jiri Slaby --- arch/um/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/um/Makefile b/arch/um/Makefile index 1b3ad7d2430a..911b630d3268 100644 --- a/arch/um/Makefile +++ b/arch/um/Makefile @@ -60,8 +60,8 @@ KBUILD_AFLAGS += $(ARCH_INCLUDE) USER_CFLAGS = $(patsubst $(KERNEL_DEFINES),,$(patsubst -I%,,$(KBUILD_CFLAGS))) \ $(ARCH_INCLUDE) $(MODE_INCLUDE) $(filter -I%,$(CFLAGS)) \ - -D_FILE_OFFSET_BITS=64 -idirafter include \ - -D__KERNEL__ -D__UM_HOST__ + -D_FILE_OFFSET_BITS=64 -idirafter $(srctree)/include \ + -idirafter $(obj)/include -D__KERNEL__ -D__UM_HOST__ #This will adjust *FLAGS accordingly to the platform. include $(srctree)/$(ARCH_DIR)/Makefile-os-$(OS) -- 2.9.3
[PATCH 3.12 005/100] um: Stop abusing __KERNEL__
From: Richard Weinberger
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit 298e20ba8c197e8d429a6c8671550c41c7919033 upstream.
Currently UML is abusing __KERNEL__ to distinguish between
kernel and host code (os-Linux). It is better to use a custom
define such that existing users of __KERNEL__ don't get confused.
Signed-off-by: Richard Weinberger
Signed-off-by: Jiri Slaby
---
arch/um/Makefile| 7 ---
arch/um/drivers/mconsole.h | 2 +-
arch/um/include/shared/init.h | 4 ++--
arch/um/include/shared/user.h | 2 +-
arch/x86/um/shared/sysdep/tls.h | 6 +++---
5 files changed, 11 insertions(+), 10 deletions(-)
diff --git a/arch/um/Makefile b/arch/um/Makefile
index 133f7de2a13d..1b3ad7d2430a 100644
--- a/arch/um/Makefile
+++ b/arch/um/Makefile
@@ -58,9 +58,10 @@ KBUILD_CFLAGS += $(CFLAGS) $(CFLAGS-y) -D__arch_um__ \
KBUILD_AFLAGS += $(ARCH_INCLUDE)
-USER_CFLAGS = $(patsubst $(KERNEL_DEFINES),,$(patsubst -D__KERNEL__,,\
- $(patsubst -I%,,$(KBUILD_CFLAGS $(ARCH_INCLUDE) $(MODE_INCLUDE) \
- $(filter -I%,$(CFLAGS)) -D_FILE_OFFSET_BITS=64 -idirafter include
+USER_CFLAGS = $(patsubst $(KERNEL_DEFINES),,$(patsubst -I%,,$(KBUILD_CFLAGS)))
\
+ $(ARCH_INCLUDE) $(MODE_INCLUDE) $(filter -I%,$(CFLAGS)) \
+ -D_FILE_OFFSET_BITS=64 -idirafter include \
+ -D__KERNEL__ -D__UM_HOST__
#This will adjust *FLAGS accordingly to the platform.
include $(srctree)/$(ARCH_DIR)/Makefile-os-$(OS)
diff --git a/arch/um/drivers/mconsole.h b/arch/um/drivers/mconsole.h
index 8b22535c62ce..44af7379ea19 100644
--- a/arch/um/drivers/mconsole.h
+++ b/arch/um/drivers/mconsole.h
@@ -7,7 +7,7 @@
#ifndef __MCONSOLE_H__
#define __MCONSOLE_H__
-#ifndef __KERNEL__
+#ifdef __UM_HOST__
#include
#define u32 uint32_t
#endif
diff --git a/arch/um/include/shared/init.h b/arch/um/include/shared/init.h
index b3906f860a87..031ad1d111e7 100644
--- a/arch/um/include/shared/init.h
+++ b/arch/um/include/shared/init.h
@@ -40,7 +40,7 @@
typedef int (*initcall_t)(void);
typedef void (*exitcall_t)(void);
-#ifndef __KERNEL__
+#ifdef __UM_HOST__
#ifndef __section
# define __section(S) __attribute__ ((__section__(#S)))
#endif
@@ -131,7 +131,7 @@ extern struct uml_param __uml_setup_start, __uml_setup_end;
#define __uml_postsetup_call __used __section(.uml.postsetup.init)
#define __uml_exit_call__used __section(.uml.exitcall.exit)
-#ifndef __KERNEL__
+#ifdef __UM_HOST__
#define __define_initcall(level,fn) \
static initcall_t __initcall_##fn __used \
diff --git a/arch/um/include/shared/user.h b/arch/um/include/shared/user.h
index cef068563336..4cff19f6207a 100644
--- a/arch/um/include/shared/user.h
+++ b/arch/um/include/shared/user.h
@@ -17,7 +17,7 @@
#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
/* This is to get size_t */
-#ifdef __KERNEL__
+#ifndef __UM_HOST__
#include
#else
#include
diff --git a/arch/x86/um/shared/sysdep/tls.h b/arch/x86/um/shared/sysdep/tls.h
index 27cce00c6b30..a682db13df23 100644
--- a/arch/x86/um/shared/sysdep/tls.h
+++ b/arch/x86/um/shared/sysdep/tls.h
@@ -1,7 +1,7 @@
#ifndef _SYSDEP_TLS_H
#define _SYSDEP_TLS_H
-# ifndef __KERNEL__
+#ifdef __UM_HOST__
/* Change name to avoid conflicts with the original one from , which
* may be named user_desc (but in 2.4 and in header matching its API was named
@@ -22,11 +22,11 @@ typedef struct um_dup_user_desc {
#endif
} user_desc_t;
-# else /* __KERNEL__ */
+#else /* __UM_HOST__ */
typedef struct user_desc user_desc_t;
-# endif /* __KERNEL__ */
+#endif /* __UM_HOST__ */
extern int os_set_thread_area(user_desc_t *info, int pid);
extern int os_get_thread_area(user_desc_t *info, int pid);
--
2.9.3
[PATCH 3.12 035/100] Input: xpad - validate USB endpoint count during probe
From: Cameron Gutman
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit caca925fca4fb30c67be88cacbe908eec6721e43 upstream.
This prevents a malicious USB device from causing an oops.
Signed-off-by: Cameron Gutman
Signed-off-by: Dmitry Torokhov
Signed-off-by: Jiri Slaby
---
drivers/input/joystick/xpad.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/input/joystick/xpad.c b/drivers/input/joystick/xpad.c
index 94d8cb9b4981..5be10fb2edf2 100644
--- a/drivers/input/joystick/xpad.c
+++ b/drivers/input/joystick/xpad.c
@@ -1026,6 +1026,9 @@ static int xpad_probe(struct usb_interface *intf, const
struct usb_device_id *id
int ep_irq_in_idx;
int i, error;
+ if (intf->cur_altsetting->desc.bNumEndpoints != 2)
+ return -ENODEV;
+
for (i = 0; xpad_device[i].idVendor; i++) {
if ((le16_to_cpu(udev->descriptor.idVendor) ==
xpad_device[i].idVendor) &&
(le16_to_cpu(udev->descriptor.idProduct) ==
xpad_device[i].idProduct))
--
2.9.3
[PATCH 3.12 003/100] panic: release stale console lock to always get the logbuf printed out
From: Vitaly Kuznetsov 3.12-stable review patch. If anyone has any objections, please let me know. === commit 08d78658f393fefaa2e6507ea052c6f8ef4002a2 upstream. In some cases we may end up killing the CPU holding the console lock while still having valuable data in logbuf. E.g. I'm observing the following: - A crash is happening on one CPU and console_unlock() is being called on some other. - console_unlock() tries to print out the buffer before releasing the lock and on slow console it takes time. - in the meanwhile crashing CPU does lots of printk()-s with valuable data (which go to the logbuf) and sends IPIs to all other CPUs. - console_unlock() finishes printing previous chunk and enables interrupts before trying to print out the rest, the CPU catches the IPI and never releases console lock. This is not the only possible case: in VT/fb subsystems we have many other console_lock()/console_unlock() users. Non-masked interrupts (or receiving NMI in case of extreme slowness) will have the same result. Getting the whole console buffer printed out on crash should be top priority. [a...@linux-foundation.org: tweak comment text] Signed-off-by: Vitaly Kuznetsov Cc: HATAYAMA Daisuke Cc: Masami Hiramatsu Cc: Jiri Kosina Cc: Baoquan He Cc: Prarit Bhargava Cc: Xie XiuQi Cc: Seth Jennings Cc: "K. Y. Srinivasan" Cc: Jan Kara Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Jiri Slaby --- kernel/panic.c | 10 ++ 1 file changed, 10 insertions(+) diff --git a/kernel/panic.c b/kernel/panic.c index b6c482ccc5db..19cdd89ab78a 100644 --- a/kernel/panic.c +++ b/kernel/panic.c @@ -23,6 +23,7 @@ #include #include #include +#include #define PANIC_TIMER_STEP 100 #define PANIC_BLINK_SPD 18 @@ -133,6 +134,15 @@ void panic(const char *fmt, ...) bust_spinlocks(0); + /* +* We may have ended up stopping the CPU holding the lock (in +* smp_send_stop()) while still having some valuable data in the console +* buffer. Try to acquire the lock then release it regardless of the +* result. The release will also print the buffers out. +*/ + console_trylock(); + console_unlock(); + if (!panic_blink) panic_blink = no_blink; -- 2.9.3
[PATCH 3.12 000/100] 3.12.63-stable review
This is the start of the stable review cycle for the 3.12.63 release. There are 100 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Tue Aug 23 08:55:00 CEST 2016. Anything received after that time might be too late. The whole patch series can be found in one patch at: http://kernel.org/pub/linux/kernel/people/jirislaby/stable-review/patch-3.12.63-rc1.xz and the diffstat can be found below. thanks, js === Alex Deucher (4): drm/radeon: fix asic initialization for virtualized environments drm/radeon: add a delay after ATPX dGPU power off drm/radeon: fix firmware info version checks drm/radeon: support backlight control for UNIPHY3 Alexey Brodkin (1): arc: unwind: warn only once if DW2_UNWIND is disabled Amadeusz Sławiński (1): Bluetooth: Fix l2cap_sock_setsockopt() with optname BT_RCVMTU Andi Kleen (1): x86, asmlinkage, lguest: Pass in globals into assembler statement Andrea Arcangeli (1): mm: thp: fix SMP race condition between THP page fault and MADV_DONTNEED Andrey Grodzovsky (1): xen/pciback: Fix conf_space read/write overlap check. Andy Lutomirski (2): x86/mm: Add barriers and document switch_mm()-vs-flush synchronization x86/mm: Improve switch_mm() barrier comments Anthony Romano (1): tmpfs: don't undo fallocate past its last page Artemy Kovalyov (1): IB/mlx5: Fix MODIFY_QP command input structure Ben Hutchings (1): module: Invalidate signatures on force-loaded modules Benjamin Coddington (1): nfs: don't create zero-length requests Benjamin Tissoires (1): HID: multitouch: Add MT_QUIRK_NOT_SEEN_MEANS_UP to Surface Pro 3 Brian King (1): ipr: Clear interrupt on croc/crocodile when running with LSI Cameron Gutman (1): Input: xpad - validate USB endpoint count during probe Crestez Dan Leonard (1): iio: Fix error handling in iio_trigger_attach_poll_func Daniel Borkmann (1): random32: add prandom_u32_max and convert open coded users Daniele Palmas (1): USB: serial: option: add support for Telit LE910 PID 0x1206 Dave Weinstein (1): arm: oabi compat: add missing access checks David Howells (1): KEYS: 64-bit MIPS needs to use compat_sys_keyctl for 32-bit userspace Dmitri Epshtein (1): net: mvneta: set real interrupt per packet for tx_done Dmitry Torokhov (2): tty/vt/keyboard: fix OOB access in do_compute_shiftstate() Input: i8042 - break load dependency between atkbd/psmouse and i8042 Eli Cohen (1): IB/mlx5: Fix post send fence logic Erez Shitrit (1): IB/IPoIB: Don't update neigh validity for unresolved entries Eric Biggers (1): random: properly align get_random_int_hash Eric Dumazet (1): tcp: make challenge acks less predictable Fabian Frederick (1): sysv, ipc: fix security-layer leaking Florian Westphal (1): netfilter: x_tables: validate targets of jumps Guohua Zhong (1): HID: i2c-hid: set power sleep before shutdown Herbert Xu (2): crypto: gcm - Filter out async ghash if necessary crypto: scatterwalk - Fix test in scatterwalk_done Hugh Dickins (2): mm: migrate dirty page without clear_page_dirty_for_io etc tmpfs: fix regression hang in fallocate undo Ilya Dryomov (1): libceph: apply new_state before new_up_client on incrementals Iosif Harutyunov (1): ubi: Fix race condition between ubi device creation and udev James Hogan (5): MIPS: KVM: Fix mapped fault broken commpage handling MIPS: KVM: Add missing gfn range check MIPS: KVM: Fix gfn range check in kseg0 tlb faults MIPS: KVM: Propagate kseg0/mapped tlb fault errors metag: Fix __cmpxchg_u32 asm constraint for CMP Jan Beulich (1): xen/acpi: allow xen-acpi-processor driver to load on Xen 4.7 Jan Kara (1): ext4: fix deadlock during page writeback Jan Willeke (1): s390/seccomp: fix error return for filtered system calls Javier Martinez Canillas (2): s5p-mfc: Set device name for reserved memory region devs s5p-mfc: Add release callback for memory region devs John Johansen (1): apparmor: fix ref count leak when profile sha1 hash is read Konstantin Neumoin (1): balloon: check the number of available pages in leak balloon Laura Abbott (1): ftrace/recordmcount: Work around for addition of metag magic but not relocations Linus Walleij (1): iio: accel: kxsd9: fix the usage of spi_w8r8() Luis de Bethencourt (1): staging: iio: accel: fix error check Lyude (2): drm/i915/ilk: Don't disable SSC source if it's in use drm/radeon: Poll for both connect/disconnect on analog connectors Mario Kleiner (1): drm/i915/dp: Revert "drm/i915/dp: fall back to 18 bpp when sink capability is unknown" Mark Brown (3): iio:ad7266: Fix broken regulator error handling iio:ad7266: Fix support for optional regulators iio:ad7266: Fix probe deferral for vref Mike Snitzer (1): dm flakey: error READ bios during the down_interval Noa Osherovich (1): IB/mlx5: Fix returned values
[PATCH 3.12 008/100] netfilter: x_tables: validate targets of jumps
From: Florian Westphal
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit 36472341017529e2b12573093cc0f68719300997 upstream.
When we see a jump also check that the offset gets us to beginning of
a rule (an ipt_entry).
The extra overhead is negible, even with absurd cases.
300k custom rules, 300k jumps to 'next' user chain:
[ plus one jump from INPUT to first userchain ]:
Before:
real0m24.874s
user0m7.532s
sys 0m16.076s
After:
real0m27.464s
user0m7.436s
sys 0m18.840s
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Jiri Slaby
---
net/ipv4/netfilter/arp_tables.c | 17 +
net/ipv4/netfilter/ip_tables.c | 17 +
net/ipv6/netfilter/ip6_tables.c | 17 +
3 files changed, 51 insertions(+)
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 95a5f261fe8a..3f58cf8e2fd2 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -358,6 +358,19 @@ static inline bool unconditional(const struct arpt_entry
*e)
memcmp(&e->arp, &uncond, sizeof(uncond)) == 0;
}
+static bool find_jump_target(const struct xt_table_info *t,
+const void *entry0,
+const struct arpt_entry *target)
+{
+ struct arpt_entry *iter;
+
+ xt_entry_foreach(iter, entry0, t->size) {
+if (iter == target)
+ return true;
+ }
+ return false;
+}
+
/* Figures out from what hook each rule can be called: returns 0 if
* there are loops. Puts hook bitmask in comefrom.
*/
@@ -451,6 +464,10 @@ static int mark_source_chains(const struct xt_table_info
*newinfo,
/* This a jump; chase it. */
duprintf("Jump rule %u -> %u\n",
pos, newpos);
+ e = (struct arpt_entry *)
+ (entry0 + newpos);
+ if (!find_jump_target(newinfo, entry0,
e))
+ return 0;
} else {
/* ... this is a fallthru */
newpos = pos + e->next_offset;
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 92c8f2727ee9..9363a37729a8 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -434,6 +434,19 @@ ipt_do_table(struct sk_buff *skb,
#endif
}
+static bool find_jump_target(const struct xt_table_info *t,
+const void *entry0,
+const struct ipt_entry *target)
+{
+ struct ipt_entry *iter;
+
+ xt_entry_foreach(iter, entry0, t->size) {
+if (iter == target)
+ return true;
+ }
+ return false;
+}
+
/* Figures out from what hook each rule can be called: returns 0 if
there are loops. Puts hook bitmask in comefrom. */
static int
@@ -531,6 +544,10 @@ mark_source_chains(const struct xt_table_info *newinfo,
/* This a jump; chase it. */
duprintf("Jump rule %u -> %u\n",
pos, newpos);
+ e = (struct ipt_entry *)
+ (entry0 + newpos);
+ if (!find_jump_target(newinfo, entry0,
e))
+ return 0;
} else {
/* ... this is a fallthru */
newpos = pos + e->next_offset;
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index e214222cd06f..a7d644e62a3e 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -444,6 +444,19 @@ ip6t_do_table(struct sk_buff *skb,
#endif
}
+static bool find_jump_target(const struct xt_table_info *t,
+const void *entry0,
+const struct ip6t_entry *target)
+{
+ struct ip6t_entry *iter;
+
+ xt_entry_foreach(iter, entry0, t->size) {
+if (iter == target)
+ return true;
+ }
+ return false;
+}
+
/* Figures out from what hook each rule can be called: returns 0 if
there are loops. Puts hook bitmask in comefrom. */
static int
@@ -541,6 +554,10 @@ mark_source_chains(const struct xt_table_info *newinfo,
/* This a jump; chase it. */
duprintf("Jump rule %u -> %u\n",
pos, new
[PATCH 3.12 087/100] drm/i915/dp: Revert "drm/i915/dp: fall back to 18 bpp when sink capability is unknown"
From: Mario Kleiner
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit 196f954e250943df414efd3d632254c29be38e59 upstream.
This reverts commit 013dd9e03872
("drm/i915/dp: fall back to 18 bpp when sink capability is unknown")
This commit introduced a regression into stable kernels,
as it reduces output color depth to 6 bpc for any video
sink connected to a Displayport connector if that sink
doesn't report a specific color depth via EDID, or if
our EDID parser doesn't actually recognize the proper
bpc from EDID.
Affected are active DisplayPort->VGA converters and
active DisplayPort->DVI converters. Both should be
able to handle 8 bpc, but are degraded to 6 bpc with
this patch.
The reverted commit was meant to fix
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=105331
A followup patch implements a fix for that specific bug,
which is caused by a faulty EDID of the affected DP panel
by adding a new EDID quirk for that panel.
DP 18 bpp fallback handling and other improvements to
DP sink bpc detection will be handled for future
kernels in a separate series of patches.
Please backport to stable.
Signed-off-by: Mario Kleiner
Acked-by: Jani Nikula
Cc: Ville Syrjälä
Cc: Daniel Vetter
Signed-off-by: Dave Airlie
Signed-off-by: Jiri Slaby
---
drivers/gpu/drm/i915/intel_display.c | 20 +---
1 file changed, 5 insertions(+), 15 deletions(-)
diff --git a/drivers/gpu/drm/i915/intel_display.c
b/drivers/gpu/drm/i915/intel_display.c
index 05f8b51cd42a..57d5abc420d1 100644
--- a/drivers/gpu/drm/i915/intel_display.c
+++ b/drivers/gpu/drm/i915/intel_display.c
@@ -8220,21 +8220,11 @@ connected_sink_compute_bpp(struct intel_connector *
connector,
pipe_config->pipe_bpp = connector->base.display_info.bpc*3;
}
- /* Clamp bpp to default limit on screens without EDID 1.4 */
- if (connector->base.display_info.bpc == 0) {
- int type = connector->base.connector_type;
- int clamp_bpp = 24;
-
- /* Fall back to 18 bpp when DP sink capability is unknown. */
- if (type == DRM_MODE_CONNECTOR_DisplayPort ||
- type == DRM_MODE_CONNECTOR_eDP)
- clamp_bpp = 18;
-
- if (bpp > clamp_bpp) {
- DRM_DEBUG_KMS("clamping display bpp (was %d) to default
limit of %d\n",
- bpp, clamp_bpp);
- pipe_config->pipe_bpp = clamp_bpp;
- }
+ /* Clamp bpp to 8 on screens without EDID 1.4 */
+ if (connector->base.display_info.bpc == 0 && bpp > 24) {
+ DRM_DEBUG_KMS("clamping display bpp (was %d) to default limit
of 24\n",
+ bpp);
+ pipe_config->pipe_bpp = 24;
}
}
--
2.9.3
[PATCH 3.12 097/100] ubi: Fix race condition between ubi device creation and udev
From: Iosif Harutyunov 3.12-stable review patch. If anyone has any objections, please let me know. === commit 714fb87e8bc05ff78255afc0dca981e8c5242785 upstream. Install the UBI device object before we arm sysfs. Otherwise udev tries to read sysfs attributes before UBI is ready and udev rules will not match. Signed-off-by: Iosif Harutyunov [rw: massaged commit message] Signed-off-by: Richard Weinberger Signed-off-by: Jiri Slaby --- drivers/mtd/ubi/build.c | 5 - 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/mtd/ubi/build.c b/drivers/mtd/ubi/build.c index 315dcc6ec1f5..9b89f3dd112c 100644 --- a/drivers/mtd/ubi/build.c +++ b/drivers/mtd/ubi/build.c @@ -998,6 +998,9 @@ int ubi_attach_mtd_dev(struct mtd_info *mtd, int ubi_num, goto out_detach; } + /* Make device "available" before it becomes accessible via sysfs */ + ubi_devices[ubi_num] = ubi; + err = uif_init(ubi, &ref); if (err) goto out_detach; @@ -1042,7 +1045,6 @@ int ubi_attach_mtd_dev(struct mtd_info *mtd, int ubi_num, wake_up_process(ubi->bgt_thread); spin_unlock(&ubi->wl_lock); - ubi_devices[ubi_num] = ubi; ubi_notify_all(ubi, UBI_VOLUME_ADDED, NULL); return ubi_num; @@ -1053,6 +1055,7 @@ out_uif: ubi_assert(ref); uif_close(ubi); out_detach: + ubi_devices[ubi_num] = NULL; ubi_wl_close(ubi); ubi_free_internal_volumes(ubi); vfree(ubi->vtbl); -- 2.9.3
[PATCH 3.12 095/100] IB/mlx4: Fix the SQ size of an RC QP
From: Yishai Hadas
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit f2940e2c76bb554a7fbdd28ca5b90904117a9e96 upstream.
When calculating the required size of an RC QP send queue, leave
enough space for masked atomic operations, which require more space than
"regular" atomic operation.
Fixes: 6fa8f719844b ("IB/mlx4: Add support for masked atomic operations")
Signed-off-by: Yishai Hadas
Reviewed-by: Jack Morgenstein
Reviewed-by: Eran Ben Elisha
Signed-off-by: Leon Romanovsky
Signed-off-by: Doug Ledford
Signed-off-by: Jiri Slaby
---
drivers/infiniband/hw/mlx4/qp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/infiniband/hw/mlx4/qp.c b/drivers/infiniband/hw/mlx4/qp.c
index 262a18437ceb..1fe3bdb0da14 100644
--- a/drivers/infiniband/hw/mlx4/qp.c
+++ b/drivers/infiniband/hw/mlx4/qp.c
@@ -346,7 +346,7 @@ static int send_wqe_overhead(enum mlx4_ib_qp_type type, u32
flags)
sizeof (struct mlx4_wqe_raddr_seg);
case MLX4_IB_QPT_RC:
return sizeof (struct mlx4_wqe_ctrl_seg) +
- sizeof (struct mlx4_wqe_atomic_seg) +
+ sizeof (struct mlx4_wqe_masked_atomic_seg) +
sizeof (struct mlx4_wqe_raddr_seg);
case MLX4_IB_QPT_SMI:
case MLX4_IB_QPT_GSI:
--
2.9.3
[RESEND PATCH] serial: samsung: Register cpufreq notifier only on S3C24xx
The Samsung serial driver registered for CPU frequency transitions to
recalculate its clock when ARM clock frequency changes. Driver is used
on all Samsung SoCs (old S3C and new Exynos) however this is needed only
on S3C24xx platform so limit the ifdef to respective cpufreq driver.
On S3C24xx the ratio between frequencies of UART's parent clock (pclk)
and ARM's parent clock (fclk) remains fixed. Therefore when ARM clock
frequency goes down, the serial is also affected.
Suggested-by: Marek Szyprowski
Signed-off-by: Krzysztof Kozlowski
---
drivers/tty/serial/samsung.c | 2 +-
drivers/tty/serial/samsung.h | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/tty/serial/samsung.c b/drivers/tty/serial/samsung.c
index ae2095a66708..f44615fa474d 100644
--- a/drivers/tty/serial/samsung.c
+++ b/drivers/tty/serial/samsung.c
@@ -1577,7 +1577,7 @@ static void s3c24xx_serial_resetport(struct uart_port
*port,
}
-#ifdef CONFIG_CPU_FREQ
+#ifdef CONFIG_ARM_S3C24XX_CPUFREQ
static int s3c24xx_serial_cpufreq_transition(struct notifier_block *nb,
unsigned long val, void *data)
diff --git a/drivers/tty/serial/samsung.h b/drivers/tty/serial/samsung.h
index 2ae4fcee1814..a04acef1cb20 100644
--- a/drivers/tty/serial/samsung.h
+++ b/drivers/tty/serial/samsung.h
@@ -102,7 +102,7 @@ struct s3c24xx_uart_port {
struct s3c24xx_uart_dma *dma;
-#ifdef CONFIG_CPU_FREQ
+#ifdef CONFIG_ARM_S3C24XX_CPUFREQ
struct notifier_block freq_transition;
#endif
};
--
1.9.1
[PATCH 3.12 090/100] metag: Fix __cmpxchg_u32 asm constraint for CMP
From: James Hogan
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit 6154c187b97ee7513046bb4eb317a89f738f13ef upstream.
The LNKGET based atomic sequence in __cmpxchg_u32 has slightly incorrect
constraints for the return value which under certain circumstances can
allow an address unit register to be used as the first operand of a CMP
instruction. This isn't a valid instruction however as the encodings
only allow a data unit to be specified. This would result in an
assembler error like the following:
Error: failed to assemble instruction: "CMP A0.2,D0Ar6"
Fix by changing the constraint from "=&da" (assigned, early clobbered,
data or address unit register) to "=&d" (data unit register only).
The constraint for the second operand, "bd" (an op2 register where op1
is a data unit register and the instruction supports O2R) is already
correct assuming the first operand is a data unit register.
Other cases of CMP in inline asm have had their constraints checked, and
appear to all be fine.
Fixes: 6006c0d8ce94 ("metag: Atomics, locks and bitops")
Signed-off-by: James Hogan
Cc: linux-me...@vger.kernel.org
Signed-off-by: Jiri Slaby
---
arch/metag/include/asm/cmpxchg_lnkget.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/metag/include/asm/cmpxchg_lnkget.h
b/arch/metag/include/asm/cmpxchg_lnkget.h
index 0154e2807ebb..2369ad394876 100644
--- a/arch/metag/include/asm/cmpxchg_lnkget.h
+++ b/arch/metag/include/asm/cmpxchg_lnkget.h
@@ -73,7 +73,7 @@ static inline unsigned long __cmpxchg_u32(volatile int *m,
unsigned long old,
" DCACHE [%2], %0\n"
#endif
"2:\n"
- : "=&d" (temp), "=&da" (retval)
+ : "=&d" (temp), "=&d" (retval)
: "da" (m), "bd" (old), "da" (new)
: "cc"
);
--
2.9.3
[PATCH 3.12 088/100] balloon: check the number of available pages in leak balloon
From: Konstantin Neumoin
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit 37cf99e08c6fb4dcea0f9ad2b13b6daa8c76a711 upstream.
The balloon has a special mechanism that is subscribed to the oom
notification which leads to deflation for a fixed number of pages.
The number is always fixed even when the balloon is fully deflated.
But leak_balloon did not expect that the pages to deflate will be more
than taken, and raise a "BUG" in balloon_page_dequeue when page list
will be empty.
So, the simplest solution would be to check that the number of releases
pages is less or equal to the number taken pages.
Signed-off-by: Konstantin Neumoin
Signed-off-by: Denis V. Lunev
CC: Michael S. Tsirkin
Signed-off-by: Michael S. Tsirkin
Signed-off-by: Jiri Slaby
---
drivers/virtio/virtio_balloon.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/virtio/virtio_balloon.c b/drivers/virtio/virtio_balloon.c
index 55e284935f10..d6fa59e447c5 100644
--- a/drivers/virtio/virtio_balloon.c
+++ b/drivers/virtio/virtio_balloon.c
@@ -178,6 +178,8 @@ static void leak_balloon(struct virtio_balloon *vb, size_t
num)
num = min(num, ARRAY_SIZE(vb->pfns));
mutex_lock(&vb->balloon_lock);
+ /* We can't release more pages than taken */
+ num = min(num, (size_t)vb->num_pages);
for (vb->num_pfns = 0; vb->num_pfns < num;
vb->num_pfns += VIRTIO_BALLOON_PAGES_PER_PAGE) {
page = balloon_page_dequeue(vb_dev_info);
--
2.9.3
[PATCH 3.12 099/100] dm flakey: error READ bios during the down_interval
From: Mike Snitzer
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit 99f3c90d0d85708e7401a81ce3314e50bf7f2819 upstream.
When the corrupt_bio_byte feature was introduced it caused READ bios to
no longer be errored with -EIO during the down_interval. This had to do
with the complexity of needing to submit READs if the corrupt_bio_byte
feature was used.
Fix it so READ bios are properly errored with -EIO; doing so early in
flakey_map() as long as there isn't a match for the corrupt_bio_byte
feature.
Fixes: a3998799fb4df ("dm flakey: add corrupt_bio_byte feature")
Reported-by: Akira Hayakawa
Signed-off-by: Mike Snitzer
Signed-off-by: Jiri Slaby
---
drivers/md/dm-flakey.c | 23 +++
1 file changed, 15 insertions(+), 8 deletions(-)
diff --git a/drivers/md/dm-flakey.c b/drivers/md/dm-flakey.c
index c80a0ec5f126..8e36248f729f 100644
--- a/drivers/md/dm-flakey.c
+++ b/drivers/md/dm-flakey.c
@@ -286,10 +286,16 @@ static int flakey_map(struct dm_target *ti, struct bio
*bio)
pb->bio_submitted = true;
/*
-* Map reads as normal.
+* Map reads as normal only if corrupt_bio_byte set.
*/
- if (bio_data_dir(bio) == READ)
- goto map_bio;
+ if (bio_data_dir(bio) == READ) {
+ /* If flags were specified, only corrupt those that
match. */
+ if (fc->corrupt_bio_byte && (fc->corrupt_bio_rw ==
READ) &&
+ all_corrupt_bio_flags_match(bio, fc))
+ goto map_bio;
+ else
+ return -EIO;
+ }
/*
* Drop writes?
@@ -327,12 +333,13 @@ static int flakey_end_io(struct dm_target *ti, struct bio
*bio, int error)
/*
* Corrupt successful READs while in down state.
-* If flags were specified, only corrupt those that match.
*/
- if (fc->corrupt_bio_byte && !error && pb->bio_submitted &&
- (bio_data_dir(bio) == READ) && (fc->corrupt_bio_rw == READ) &&
- all_corrupt_bio_flags_match(bio, fc))
- corrupt_bio_data(bio, fc);
+ if (!error && pb->bio_submitted && (bio_data_dir(bio) == READ)) {
+ if (fc->corrupt_bio_byte)
+ corrupt_bio_data(bio, fc);
+ else
+ return -EIO;
+ }
return error;
}
--
2.9.3
[PATCH 3.12 100/100] module: Invalidate signatures on force-loaded modules
From: Ben Hutchings
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit bca014caaa6130e57f69b5bf527967aa8ee70fdd upstream.
Signing a module should only make it trusted by the specific kernel it
was built for, not anything else. Loading a signed module meant for a
kernel with a different ABI could have interesting effects.
Therefore, treat all signatures as invalid when a module is
force-loaded.
Signed-off-by: Ben Hutchings
Signed-off-by: Rusty Russell
Signed-off-by: Jiri Slaby
---
kernel/module.c | 13 +
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/kernel/module.c b/kernel/module.c
index ec40f03aa473..a8c4d4163a41 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -2491,13 +2491,18 @@ static inline void kmemleak_load_module(const struct
module *mod,
#endif
#ifdef CONFIG_MODULE_SIG
-static int module_sig_check(struct load_info *info)
+static int module_sig_check(struct load_info *info, int flags)
{
int err = -ENOKEY;
const unsigned long markerlen = sizeof(MODULE_SIG_STRING) - 1;
const void *mod = info->hdr;
- if (info->len > markerlen &&
+ /*
+* Require flags == 0, as a module with version information
+* removed is no longer the module that was signed
+*/
+ if (flags == 0 &&
+ info->len > markerlen &&
memcmp(mod + info->len - markerlen, MODULE_SIG_STRING, markerlen)
== 0) {
/* We truncate the module to discard the signature */
info->len -= markerlen;
@@ -2519,7 +2524,7 @@ static int module_sig_check(struct load_info *info)
return err;
}
#else /* !CONFIG_MODULE_SIG */
-static int module_sig_check(struct load_info *info)
+static int module_sig_check(struct load_info *info, int flags)
{
return 0;
}
@@ -3247,7 +3252,7 @@ static int load_module(struct load_info *info, const char
__user *uargs,
struct module *mod;
long err;
- err = module_sig_check(info);
+ err = module_sig_check(info, flags);
if (err)
goto free_copy;
--
2.9.3
[PATCH 3.12 096/100] ubi: Make volume resize power cut aware
From: Richard Weinberger
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit 4946784bd3924b1374f05eebff2fd68660bae866 upstream.
When the volume resize operation shrinks a volume,
LEBs will be unmapped. Since unmapping will not erase these
LEBs immediately we have to wait for that operation to finish.
Otherwise in case of a power cut right after writing the new
volume table the UBI attach process can find more LEBs than the
volume table knows. This will render the UBI image unattachable.
Fix this issue by waiting for erase to complete and write the new
volume table afterward.
Reported-by: Boris Brezillon
Reviewed-by: Boris Brezillon
Signed-off-by: Richard Weinberger
Signed-off-by: Jiri Slaby
---
drivers/mtd/ubi/vmt.c | 25 ++---
1 file changed, 18 insertions(+), 7 deletions(-)
diff --git a/drivers/mtd/ubi/vmt.c b/drivers/mtd/ubi/vmt.c
index 8330703c098f..96131eb34c9f 100644
--- a/drivers/mtd/ubi/vmt.c
+++ b/drivers/mtd/ubi/vmt.c
@@ -534,13 +534,6 @@ int ubi_resize_volume(struct ubi_volume_desc *desc, int
reserved_pebs)
spin_unlock(&ubi->volumes_lock);
}
- /* Change volume table record */
- vtbl_rec = ubi->vtbl[vol_id];
- vtbl_rec.reserved_pebs = cpu_to_be32(reserved_pebs);
- err = ubi_change_vtbl_record(ubi, vol_id, &vtbl_rec);
- if (err)
- goto out_acc;
-
if (pebs < 0) {
for (i = 0; i < -pebs; i++) {
err = ubi_eba_unmap_leb(ubi, vol, reserved_pebs + i);
@@ -558,6 +551,24 @@ int ubi_resize_volume(struct ubi_volume_desc *desc, int
reserved_pebs)
spin_unlock(&ubi->volumes_lock);
}
+ /*
+* When we shrink a volume we have to flush all pending (erase) work.
+* Otherwise it can happen that upon next attach UBI finds a LEB with
+* lnum > highest_lnum and refuses to attach.
+*/
+ if (pebs < 0) {
+ err = ubi_wl_flush(ubi, vol_id, UBI_ALL);
+ if (err)
+ goto out_acc;
+ }
+
+ /* Change volume table record */
+ vtbl_rec = ubi->vtbl[vol_id];
+ vtbl_rec.reserved_pebs = cpu_to_be32(reserved_pebs);
+ err = ubi_change_vtbl_record(ubi, vol_id, &vtbl_rec);
+ if (err)
+ goto out_acc;
+
vol->reserved_pebs = reserved_pebs;
if (vol->vol_type == UBI_DYNAMIC_VOLUME) {
vol->used_ebs = reserved_pebs;
--
2.9.3
[PATCH 3.12 074/100] s5p-mfc: Add release callback for memory region devs
From: Javier Martinez Canillas
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit 6311f1261f59ce5e51fbe5cc3b5e7737197316ac upstream.
When s5p_mfc_remove() calls put_device() for the reserved memory region
devs, the driver core warns that the dev doesn't have a release callback:
WARNING: CPU: 0 PID: 591 at drivers/base/core.c:251 device_release+0x8c/0x90
Device 's5p-mfc-l' does not have a release() function, it is broken and must be
fixed.
Also, the declared DMA memory using dma_declare_coherent_memory() isn't
relased so add a dev .release that calls dma_release_declared_memory().
Fixes: 6e83e6e25eb4 ("[media] s5p-mfc: Fix kernel warning on memory init")
Signed-off-by: Javier Martinez Canillas
Tested-by: Marek Szyprowski
Signed-off-by: Sylwester Nawrocki
Signed-off-by: Jiri Slaby
---
drivers/media/platform/s5p-mfc/s5p_mfc.c | 7 +++
1 file changed, 7 insertions(+)
diff --git a/drivers/media/platform/s5p-mfc/s5p_mfc.c
b/drivers/media/platform/s5p-mfc/s5p_mfc.c
index f48655b06aef..bb0c1e6016e2 100644
--- a/drivers/media/platform/s5p-mfc/s5p_mfc.c
+++ b/drivers/media/platform/s5p-mfc/s5p_mfc.c
@@ -1000,6 +1000,11 @@ static int match_child(struct device *dev, void *data)
return !strcmp(dev_name(dev), (char *)data);
}
+static void s5p_mfc_memdev_release(struct device *dev)
+{
+ dma_release_declared_memory(dev);
+}
+
static void *mfc_get_drv_data(struct platform_device *pdev);
static int s5p_mfc_alloc_memdevs(struct s5p_mfc_dev *dev)
@@ -1014,6 +1019,7 @@ static int s5p_mfc_alloc_memdevs(struct s5p_mfc_dev *dev)
}
dev_set_name(dev->mem_dev_l, "%s", "s5p-mfc-l");
+ dev->mem_dev_l->release = s5p_mfc_memdev_release;
device_initialize(dev->mem_dev_l);
of_property_read_u32_array(dev->plat_dev->dev.of_node,
"samsung,mfc-l", mem_info, 2);
@@ -1033,6 +1039,7 @@ static int s5p_mfc_alloc_memdevs(struct s5p_mfc_dev *dev)
}
dev_set_name(dev->mem_dev_r, "%s", "s5p-mfc-r");
+ dev->mem_dev_r->release = s5p_mfc_memdev_release;
device_initialize(dev->mem_dev_r);
of_property_read_u32_array(dev->plat_dev->dev.of_node,
"samsung,mfc-r", mem_info, 2);
--
2.9.3
[PATCH 3.12 092/100] IB/mlx5: Fix returned values of query QP
From: Noa Osherovich
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit 0540d8148d419bf769e5aa99c77027febd8922f0 upstream.
Some variables were not initialized properly: max_recv_wr,
max_recv_sge, max_send_wr, qp_context and max_inline_data.
Fixes: e126ba97dba9 ('mlx5: Add driver for Mellanox Connect-IB...')
Signed-off-by: Noa Osherovich
Signed-off-by: Leon Romanovsky
Reviewed-by: Sagi Grimberg
Signed-off-by: Doug Ledford
Signed-off-by: Jiri Slaby
---
drivers/infiniband/hw/mlx5/qp.c | 14 +-
1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/drivers/infiniband/hw/mlx5/qp.c b/drivers/infiniband/hw/mlx5/qp.c
index 5659ea880741..7ece1059f263 100644
--- a/drivers/infiniband/hw/mlx5/qp.c
+++ b/drivers/infiniband/hw/mlx5/qp.c
@@ -169,6 +169,8 @@ static int set_rq_size(struct mlx5_ib_dev *dev, struct
ib_qp_cap *cap,
qp->rq.max_gs = 0;
qp->rq.wqe_cnt = 0;
qp->rq.wqe_shift = 0;
+ cap->max_recv_wr = 0;
+ cap->max_recv_sge = 0;
} else {
if (ucmd) {
qp->rq.wqe_cnt = ucmd->rq_wqe_count;
@@ -2433,17 +2435,19 @@ int mlx5_ib_query_qp(struct ib_qp *ibqp, struct
ib_qp_attr *qp_attr, int qp_attr
qp_attr->cap.max_recv_sge= qp->rq.max_gs;
if (!ibqp->uobject) {
- qp_attr->cap.max_send_wr = qp->sq.wqe_cnt;
+ qp_attr->cap.max_send_wr = qp->sq.max_post;
qp_attr->cap.max_send_sge = qp->sq.max_gs;
+ qp_init_attr->qp_context = ibqp->qp_context;
} else {
qp_attr->cap.max_send_wr = 0;
qp_attr->cap.max_send_sge = 0;
}
- /* We don't support inline sends for kernel QPs (yet), and we
-* don't know what userspace's value should be.
-*/
- qp_attr->cap.max_inline_data = 0;
+ qp_init_attr->qp_type = ibqp->qp_type;
+ qp_init_attr->recv_cq = ibqp->recv_cq;
+ qp_init_attr->send_cq = ibqp->send_cq;
+ qp_init_attr->srq = ibqp->srq;
+ qp_attr->cap.max_inline_data = qp->max_inline_data;
qp_init_attr->cap= qp_attr->cap;
--
2.9.3
[PATCH 3.12 091/100] IB/mlx5: Fix MODIFY_QP command input structure
From: Artemy Kovalyov
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit e3353c268b06236d6c40fa1714c114f21f44451c upstream.
Make MODIFY_QP command input structure compliant to specification
Fixes: e126ba97dba9 ('mlx5: Add driver for Mellanox Connect-IB adapters')
Signed-off-by: Artemy Kovalyov
Signed-off-by: Leon Romanovsky
Signed-off-by: Doug Ledford
Signed-off-by: Jiri Slaby
---
include/linux/mlx5/qp.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/include/linux/mlx5/qp.h b/include/linux/mlx5/qp.h
index d9e3eacb3a7f..4cf637bd42ab 100644
--- a/include/linux/mlx5/qp.h
+++ b/include/linux/mlx5/qp.h
@@ -378,9 +378,9 @@ struct mlx5_destroy_qp_mbox_out {
struct mlx5_modify_qp_mbox_in {
struct mlx5_inbox_hdr hdr;
__be32 qpn;
- u8 rsvd1[4];
- __be32 optparam;
u8 rsvd0[4];
+ __be32 optparam;
+ u8 rsvd1[4];
struct mlx5_qp_context ctx;
};
--
2.9.3
[PATCH 3.12 094/100] IB/IPoIB: Don't update neigh validity for unresolved entries
From: Erez Shitrit
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit 61c78eea9516a921799c17b4c20558e2aa780fd3 upstream.
ipoib_neigh_get unconditionally updates the "alive" variable member on
any packet send. This prevents the neighbor garbage collection from
cleaning out a dead neighbor entry if we are still queueing packets
for it. If the queue for this neighbor is full, then don't update the
alive timestamp. That way the neighbor can time out even if packets
are still being queued as long as none of them are being sent.
Fixes: b63b70d87741 ("IPoIB: Use a private hash table for path lookup in xmit
path")
Signed-off-by: Erez Shitrit
Signed-off-by: Leon Romanovsky
Signed-off-by: Doug Ledford
Signed-off-by: Jiri Slaby
---
drivers/infiniband/ulp/ipoib/ipoib_main.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/infiniband/ulp/ipoib/ipoib_main.c
b/drivers/infiniband/ulp/ipoib/ipoib_main.c
index 82cec1af902c..9cd105ff2427 100644
--- a/drivers/infiniband/ulp/ipoib/ipoib_main.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c
@@ -882,7 +882,9 @@ struct ipoib_neigh *ipoib_neigh_get(struct net_device *dev,
u8 *daddr)
neigh = NULL;
goto out_unlock;
}
- neigh->alive = jiffies;
+
+ if (likely(skb_queue_len(&neigh->queue) <
IPOIB_MAX_PATH_REC_QUEUE))
+ neigh->alive = jiffies;
goto out_unlock;
}
}
--
2.9.3
[PATCH 3.12 086/100] drm/radeon: support backlight control for UNIPHY3
From: Alex Deucher
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit d3200be6c423afa1c34f7e39e9f6d04dd5b0af9d upstream.
Same interface as other UNIPHY blocks
Signed-off-by: Alex Deucher
Signed-off-by: Jiri Slaby
---
drivers/gpu/drm/radeon/atombios_encoders.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/gpu/drm/radeon/atombios_encoders.c
b/drivers/gpu/drm/radeon/atombios_encoders.c
index a05c4c0e3799..db509f905a95 100644
--- a/drivers/gpu/drm/radeon/atombios_encoders.c
+++ b/drivers/gpu/drm/radeon/atombios_encoders.c
@@ -119,6 +119,7 @@ atombios_set_backlight_level(struct radeon_encoder
*radeon_encoder, u8 level)
case ENCODER_OBJECT_ID_INTERNAL_KLDSCP_LVTMA:
case ENCODER_OBJECT_ID_INTERNAL_UNIPHY1:
case ENCODER_OBJECT_ID_INTERNAL_UNIPHY2:
+ case ENCODER_OBJECT_ID_INTERNAL_UNIPHY3:
if (dig->backlight_level == 0)
atombios_dig_transmitter_setup(encoder,
ATOM_TRANSMITTER_ACTION_LCD_BLOFF, 0, 0);
else {
--
2.9.3
[PATCH 3.12 089/100] ftrace/recordmcount: Work around for addition of metag magic but not relocations
From: Laura Abbott
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit b2e1c26f0b62531636509fbcb6dab65617ed8331 upstream.
glibc recently did a sync up (94e73c95d9b5 "elf.h: Sync with the gabi
webpage") that added a #define for EM_METAG but did not add relocations
This triggers build errors:
scripts/recordmcount.c: In function 'do_file':
scripts/recordmcount.c:466:28: error: 'R_METAG_ADDR32' undeclared (first use in
this function)
case EM_METAG: reltype = R_METAG_ADDR32;
^~
scripts/recordmcount.c:466:28: note: each undeclared identifier is reported
only once for each function it appears in
scripts/recordmcount.c:468:20: error: 'R_METAG_NONE' undeclared (first use in
this function)
rel_type_nop = R_METAG_NONE;
^~~~
Work around this change with some more #ifdefery for the relocations.
Fedora Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1354034
Link:
http://lkml.kernel.org/r/1468005530-14757-1-git-send-email-labb...@redhat.com
Cc: James Hogan
Fixes: 00512bdd4573 ("metag: ftrace support")
Reported-by: Ross Burton
Signed-off-by: Laura Abbott
Signed-off-by: Steven Rostedt
Signed-off-by: Jiri Slaby
---
scripts/recordmcount.c | 9 -
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/scripts/recordmcount.c b/scripts/recordmcount.c
index ee625e3a56ba..4f7d13da04a5 100644
--- a/scripts/recordmcount.c
+++ b/scripts/recordmcount.c
@@ -33,10 +33,17 @@
#include
#include
+/*
+ * glibc synced up and added the metag number but didn't add the relocations.
+ * Work around this in a crude manner for now.
+ */
#ifndef EM_METAG
-/* Remove this when these make it to the standard system elf.h. */
#define EM_METAG 174
+#endif
+#ifndef R_METAG_ADDR32
#define R_METAG_ADDR32 2
+#endif
+#ifndef R_METAG_NONE
#define R_METAG_NONE 3
#endif
--
2.9.3
[PATCH 3.12 093/100] IB/mlx5: Fix post send fence logic
From: Eli Cohen
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit c9b254955b9f8814966f5dabd34c39d0e0a2b437 upstream.
If the caller specified IB_SEND_FENCE in the send flags of the work
request and no previous work request stated that the successive one
should be fenced, the work request would be executed without a fence.
This could result in RDMA read or atomic operations failure due to a MR
being invalidated. Fix this by adding the mlx5 enumeration for fencing
RDMA/atomic operations and fix the logic to apply this.
Fixes: e126ba97dba9 ('mlx5: Add driver for Mellanox Connect-IB adapters')
Signed-off-by: Eli Cohen
Signed-off-by: Leon Romanovsky
Signed-off-by: Doug Ledford
Signed-off-by: Jiri Slaby
---
drivers/infiniband/hw/mlx5/qp.c | 7 ---
include/linux/mlx5/qp.h | 1 +
2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/drivers/infiniband/hw/mlx5/qp.c b/drivers/infiniband/hw/mlx5/qp.c
index 7ece1059f263..2b5fac5c34f6 100644
--- a/drivers/infiniband/hw/mlx5/qp.c
+++ b/drivers/infiniband/hw/mlx5/qp.c
@@ -1971,10 +1971,11 @@ static u8 get_fence(u8 fence, struct ib_send_wr *wr)
return MLX5_FENCE_MODE_SMALL_AND_FENCE;
else
return fence;
-
- } else {
- return 0;
+ } else if (unlikely(wr->send_flags & IB_SEND_FENCE)) {
+ return MLX5_FENCE_MODE_FENCE;
}
+
+ return 0;
}
int mlx5_ib_post_send(struct ib_qp *ibqp, struct ib_send_wr *wr,
diff --git a/include/linux/mlx5/qp.h b/include/linux/mlx5/qp.h
index 4cf637bd42ab..8720a044dfbe 100644
--- a/include/linux/mlx5/qp.h
+++ b/include/linux/mlx5/qp.h
@@ -137,6 +137,7 @@ enum {
enum {
MLX5_FENCE_MODE_NONE= 0 << 5,
MLX5_FENCE_MODE_INITIATOR_SMALL = 1 << 5,
+ MLX5_FENCE_MODE_FENCE = 2 << 5,
MLX5_FENCE_MODE_STRONG_ORDERING = 3 << 5,
MLX5_FENCE_MODE_SMALL_AND_FENCE = 4 << 5,
};
--
2.9.3
Re: [PATCH v5 00/11] Add HW throttle for Tegra soctherm
On 四, 2016-05-26 at 17:42 +0800, Wei Ni wrote: > Hi, > Does there have any comments on this series? > Let me know if someone has suggestions. > I have no objections to this patch set. As 10 patches out of 11, in this patch series, contain changes out of thermal scope, if you prefer this patch set go through thermal tree, I still need ACKs for the changes out of thermal scope. thanks, rui > Thanks. > Wei. > > On 05/11/2016 06:20 PM, Wei Ni wrote: > > > > This series add following functions for Tegra soctherm: > > 1. add HW throttle function. > > 2. enable soctherm node for Tegra124, Tegra132, Tegra210, and > > set "critical", "hot" trips for them. > > > > Main changes from v4: > > 1. drop the "nvidia" prefix from the node name, per Rob's comments. > > > > Main changes from v3: > > 1. change some properties'name and descriptions, per Rob's > > comments. > > 2. change the corresponding driver codes. > > > > Main changes from v2: > > 1. improve the of-binding, per Eduardo's comments, and > > change the corresponding driver codes. > > 2. move two setting critical trip patches in this series, > > 3. fix some bugs in dts changes. > > > > Main changes from v1: > > 1. use readl/writel instead of __raw_readl/__raw_writel. > > 2. rebase on the linux-next. > > > > The v1 series is in: > > https://lkml.org/lkml/2016/3/31/230 > > > > The v2 series is in: > > https://lkml.org/lkml/2016/4/26/1577 > > > > The v3 series is in: > > https://lkml.org/lkml/2016/5/3/274 > > > > The v4 series is in: > > https://lkml.org/lkml/2016/5/9/45 > > > > Wei Ni (11): > > of: Add bindings of hw throttle for Tegra soctherm > > thermal: tegra: add hw-throttle function > > thermal: tegra: add hw-throttle for Tegra132 > > arm: tegra: set critical trips for Tegra124 > > arm: tegra: set hot trips for Tegra124 > > arm64: tegra: use tegra132-soctherm for Tegra132 > > arm64: tegra: set critical trips for Tegra132 > > arm64: tegra: set hot trips for Tegra132 > > arm64: tegra: add soctherm node for Tegra210 > > arm64: tegra: set critical trips for Tegra210 > > arm64: tegra: set hot trips for Tegra210 > > > > .../bindings/thermal/nvidia,tegra124-soctherm.txt | 121 ++- > > arch/arm/boot/dts/tegra124-jetson-tk1.dts | 18 +- > > arch/arm/boot/dts/tegra124.dtsi| 83 +- > > arch/arm64/boot/dts/nvidia/tegra132.dtsi | 119 ++- > > arch/arm64/boot/dts/nvidia/tegra210.dtsi | 127 > > drivers/thermal/tegra/soctherm.c | 842 > > - > > drivers/thermal/tegra/soctherm.h | 10 + > > drivers/thermal/tegra/tegra124-soctherm.c | 18 + > > drivers/thermal/tegra/tegra132-soctherm.c | 18 + > > drivers/thermal/tegra/tegra210-soctherm.c | 18 + > > include/dt-bindings/thermal/tegra124-soctherm.h| 5 + > > 11 files changed, 1344 insertions(+), 35 deletions(-) > >
[PATCH 3.12 098/100] Input: i8042 - break load dependency between atkbd/psmouse and i8042
From: Dmitry Torokhov
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit 4097461897df91041382ff6fcd2bfa7ee6b2448c upstream.
As explained in 1407814240-4275-1-git-send-email-de...@microsoft.com we
have a hard load dependency between i8042 and atkbd which prevents
keyboard from working on Gen2 Hyper-V VMs.
> hyperv_keyboard invokes serio_interrupt(), which needs a valid serio
> driver like atkbd.c. atkbd.c depends on libps2.c because it invokes
> ps2_command(). libps2.c depends on i8042.c because it invokes
> i8042_check_port_owner(). As a result, hyperv_keyboard actually
> depends on i8042.c.
>
> For a Generation 2 Hyper-V VM (meaning no i8042 device emulated), if a
> Linux VM (like Arch Linux) happens to configure CONFIG_SERIO_I8042=m
> rather than =y, atkbd.ko can't load because i8042.ko can't load(due to
> no i8042 device emulated) and finally hyperv_keyboard can't work and
> the user can't input: https://bugs.archlinux.org/task/39820
> (Ubuntu/RHEL/SUSE aren't affected since they use CONFIG_SERIO_I8042=y)
To break the dependency we move away from using i8042_check_port_owner()
and instead allow serio port owner specify a mutex that clients should use
to serialize PS/2 command stream.
Reported-by: Mark Laws
Tested-by: Mark Laws
Signed-off-by: Dmitry Torokhov
Signed-off-by: Jiri Slaby
---
drivers/input/serio/i8042.c | 16 +---
drivers/input/serio/libps2.c | 10 --
include/linux/i8042.h| 6 --
include/linux/serio.h| 24 +++-
4 files changed, 24 insertions(+), 32 deletions(-)
diff --git a/drivers/input/serio/i8042.c b/drivers/input/serio/i8042.c
index 42825216e83d..7ecca05bd7a5 100644
--- a/drivers/input/serio/i8042.c
+++ b/drivers/input/serio/i8042.c
@@ -1230,6 +1230,7 @@ static int __init i8042_create_kbd_port(void)
serio->start= i8042_start;
serio->stop = i8042_stop;
serio->close= i8042_port_close;
+ serio->ps2_cmd_mutex= &i8042_mutex;
serio->port_data= port;
serio->dev.parent = &i8042_platform_device->dev;
strlcpy(serio->name, "i8042 KBD port", sizeof(serio->name));
@@ -1321,21 +1322,6 @@ static void i8042_unregister_ports(void)
}
}
-/*
- * Checks whether port belongs to i8042 controller.
- */
-bool i8042_check_port_owner(const struct serio *port)
-{
- int i;
-
- for (i = 0; i < I8042_NUM_PORTS; i++)
- if (i8042_ports[i].serio == port)
- return true;
-
- return false;
-}
-EXPORT_SYMBOL(i8042_check_port_owner);
-
static void i8042_free_irqs(void)
{
if (i8042_aux_irq_registered)
diff --git a/drivers/input/serio/libps2.c b/drivers/input/serio/libps2.c
index 07a8363f3c5c..b5ec313cb9c9 100644
--- a/drivers/input/serio/libps2.c
+++ b/drivers/input/serio/libps2.c
@@ -57,19 +57,17 @@ EXPORT_SYMBOL(ps2_sendbyte);
void ps2_begin_command(struct ps2dev *ps2dev)
{
- mutex_lock(&ps2dev->cmd_mutex);
+ struct mutex *m = ps2dev->serio->ps2_cmd_mutex ?: &ps2dev->cmd_mutex;
- if (i8042_check_port_owner(ps2dev->serio))
- i8042_lock_chip();
+ mutex_lock(m);
}
EXPORT_SYMBOL(ps2_begin_command);
void ps2_end_command(struct ps2dev *ps2dev)
{
- if (i8042_check_port_owner(ps2dev->serio))
- i8042_unlock_chip();
+ struct mutex *m = ps2dev->serio->ps2_cmd_mutex ?: &ps2dev->cmd_mutex;
- mutex_unlock(&ps2dev->cmd_mutex);
+ mutex_unlock(m);
}
EXPORT_SYMBOL(ps2_end_command);
diff --git a/include/linux/i8042.h b/include/linux/i8042.h
index 0f9bafa17a02..d98780ca9604 100644
--- a/include/linux/i8042.h
+++ b/include/linux/i8042.h
@@ -62,7 +62,6 @@ struct serio;
void i8042_lock_chip(void);
void i8042_unlock_chip(void);
int i8042_command(unsigned char *param, int command);
-bool i8042_check_port_owner(const struct serio *);
int i8042_install_filter(bool (*filter)(unsigned char data, unsigned char str,
struct serio *serio));
int i8042_remove_filter(bool (*filter)(unsigned char data, unsigned char str,
@@ -83,11 +82,6 @@ static inline int i8042_command(unsigned char *param, int
command)
return -ENODEV;
}
-static inline bool i8042_check_port_owner(const struct serio *serio)
-{
- return false;
-}
-
static inline int i8042_install_filter(bool (*filter)(unsigned char data,
unsigned char str,
struct serio *serio))
{
diff --git a/include/linux/serio.h b/include/linux/serio.h
index 9f779c7a2da4..27ae809edd70 100644
--- a/include/linux/serio.h
+++ b/include/linux/serio.h
@@ -29,7 +29,8 @@ struct serio {
struct serio_device_id id;
- spinlock_t lock;/* protects critical sections from
port's interrupt handler */
+ /* Protects critical sections from port's interrupt handler */
+ spinlock_t lock;
in
[PATCH 3.12 084/100] drm/radeon: Poll for both connect/disconnect on analog connectors
From: Lyude
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit 14ff8d48f2235295dfb3117693008e367b49cdb5 upstream.
DRM_CONNECTOR_POLL_CONNECT only enables polling for connections, not
disconnections. Because of this, we end up losing hotplug polling for
analog connectors once they get connected.
Easy way to reproduce:
- Grab a machine with a radeon GPU and a VGA port
- Plug a monitor into the VGA port, wait for it to update the connector
from disconnected to connected
- Disconnect the monitor on VGA, a hotplug event is never sent for the
removal of the connector.
Originally, only using DRM_CONNECTOR_POLL_CONNECT might have been a good
idea since doing VGA polling can sometimes result in having to mess with
the DAC voltages to figure out whether or not there's actually something
there since VGA doesn't have HPD. Doing this would have the potential of
showing visible artifacts on the screen every time we ran a poll while a
VGA display was connected. Luckily, radeon_vga_detect() only resorts to
this sort of polling if the poll is forced, and DRM's polling helper
doesn't force it's polls.
Additionally, this removes some assignments to connector->polled that
weren't actually doing anything.
Signed-off-by: Lyude
Signed-off-by: Alex Deucher
Signed-off-by: Jiri Slaby
---
drivers/gpu/drm/radeon/radeon_connectors.c | 15 +--
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/drivers/gpu/drm/radeon/radeon_connectors.c
b/drivers/gpu/drm/radeon/radeon_connectors.c
index 02cd9585ff83..eee5b80026b2 100644
--- a/drivers/gpu/drm/radeon/radeon_connectors.c
+++ b/drivers/gpu/drm/radeon/radeon_connectors.c
@@ -1712,7 +1712,6 @@ radeon_add_atom_connector(struct drm_device *dev,
1);
/* no HPD on analog connectors */
radeon_connector->hpd.hpd = RADEON_HPD_NONE;
- connector->polled = DRM_CONNECTOR_POLL_CONNECT;
connector->interlace_allowed = true;
connector->doublescan_allowed = true;
break;
@@ -1931,8 +1930,10 @@ radeon_add_atom_connector(struct drm_device *dev,
}
if (radeon_connector->hpd.hpd == RADEON_HPD_NONE) {
- if (i2c_bus->valid)
- connector->polled = DRM_CONNECTOR_POLL_CONNECT;
+ if (i2c_bus->valid) {
+ connector->polled = DRM_CONNECTOR_POLL_CONNECT |
+ DRM_CONNECTOR_POLL_DISCONNECT;
+ }
} else
connector->polled = DRM_CONNECTOR_POLL_HPD;
@@ -2004,7 +2005,6 @@ radeon_add_legacy_connector(struct drm_device *dev,
1);
/* no HPD on analog connectors */
radeon_connector->hpd.hpd = RADEON_HPD_NONE;
- connector->polled = DRM_CONNECTOR_POLL_CONNECT;
connector->interlace_allowed = true;
connector->doublescan_allowed = true;
break;
@@ -2089,10 +2089,13 @@ radeon_add_legacy_connector(struct drm_device *dev,
}
if (radeon_connector->hpd.hpd == RADEON_HPD_NONE) {
- if (i2c_bus->valid)
- connector->polled = DRM_CONNECTOR_POLL_CONNECT;
+ if (i2c_bus->valid) {
+ connector->polled = DRM_CONNECTOR_POLL_CONNECT |
+ DRM_CONNECTOR_POLL_DISCONNECT;
+ }
} else
connector->polled = DRM_CONNECTOR_POLL_HPD;
+
connector->display_info.subpixel_order = subpixel_order;
drm_sysfs_connector_add(connector);
}
--
2.9.3
[PATCH 3.12 083/100] drm/radeon: add a delay after ATPX dGPU power off
From: Alex Deucher 3.12-stable review patch. If anyone has any objections, please let me know. === commit d814b24fb74cb9797d70cb8053961447c5879a5c upstream. ATPX dGPU power control requires a 200ms delay between power off and on. This should fix dGPU failures on resume from power off. Reviewed-by: Hawking Zhang Acked-by: Christian König Signed-off-by: Alex Deucher Signed-off-by: Jiri Slaby --- drivers/gpu/drm/radeon/radeon_atpx_handler.c | 5 + 1 file changed, 5 insertions(+) diff --git a/drivers/gpu/drm/radeon/radeon_atpx_handler.c b/drivers/gpu/drm/radeon/radeon_atpx_handler.c index 7c6e3fd70e65..97dc62140fc9 100644 --- a/drivers/gpu/drm/radeon/radeon_atpx_handler.c +++ b/drivers/gpu/drm/radeon/radeon_atpx_handler.c @@ -11,6 +11,7 @@ #include #include #include +#include #include "radeon_acpi.h" @@ -253,6 +254,10 @@ static int radeon_atpx_set_discrete_state(struct radeon_atpx *atpx, u8 state) if (!info) return -EIO; kfree(info); + + /* 200ms delay is required after off */ + if (state == 0) + msleep(200); } return 0; } -- 2.9.3
[PATCH 3.12 085/100] drm/radeon: fix firmware info version checks
From: Alex Deucher
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit 3edc38a0facef45ee22af8afdce3737f421f36ab upstream.
Some of the checks didn't handle frev 2 tables properly.
Signed-off-by: Alex Deucher
Signed-off-by: Jiri Slaby
---
drivers/gpu/drm/radeon/radeon_atombios.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/radeon/radeon_atombios.c
b/drivers/gpu/drm/radeon/radeon_atombios.c
index 1c71ff82f302..3493ad398801 100644
--- a/drivers/gpu/drm/radeon/radeon_atombios.c
+++ b/drivers/gpu/drm/radeon/radeon_atombios.c
@@ -1145,7 +1145,7 @@ bool radeon_atom_get_clock_info(struct drm_device *dev)
le16_to_cpu(firmware_info->info.usReferenceClock);
p1pll->reference_div = 0;
- if (crev < 2)
+ if ((frev < 2) && (crev < 2))
p1pll->pll_out_min =
le16_to_cpu(firmware_info->info.usMinPixelClockPLL_Output);
else
@@ -1154,7 +1154,7 @@ bool radeon_atom_get_clock_info(struct drm_device *dev)
p1pll->pll_out_max =
le32_to_cpu(firmware_info->info.ulMaxPixelClockPLL_Output);
- if (crev >= 4) {
+ if (((frev < 2) && (crev >= 4)) || (frev >= 2)) {
p1pll->lcd_pll_out_min =
le16_to_cpu(firmware_info->info_14.usLcdMinPixelClockPLL_Output) * 100;
if (p1pll->lcd_pll_out_min == 0)
--
2.9.3
[PATCH 3.12 082/100] netlabel: add address family checks to netlbl_{sock,req}_delattr()
From: Paul Moore
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit 0e0e36774081534783aa8eeb9f6fbddf98d3c061 upstream.
It seems risky to always rely on the caller to ensure the socket's
address family is correct before passing it to the NetLabel kAPI,
especially since we see at least one LSM which didn't. Add address
family checks to the *_delattr() functions to help prevent future
problems.
Reported-by: Maninder Singh
Signed-off-by: Paul Moore
Signed-off-by: Jiri Slaby
---
net/netlabel/netlabel_kapi.c | 12 ++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
index 96a458e12f60..b7aa36fa522f 100644
--- a/net/netlabel/netlabel_kapi.c
+++ b/net/netlabel/netlabel_kapi.c
@@ -700,7 +700,11 @@ socket_setattr_return:
*/
void netlbl_sock_delattr(struct sock *sk)
{
- cipso_v4_sock_delattr(sk);
+ switch (sk->sk_family) {
+ case AF_INET:
+ cipso_v4_sock_delattr(sk);
+ break;
+ }
}
/**
@@ -863,7 +867,11 @@ req_setattr_return:
*/
void netlbl_req_delattr(struct request_sock *req)
{
- cipso_v4_req_delattr(req);
+ switch (req->rsk_ops->family) {
+ case AF_INET:
+ cipso_v4_req_delattr(req);
+ break;
+ }
}
/**
--
2.9.3
[PATCH 3.12 079/100] random: properly align get_random_int_hash
From: Eric Biggers
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit b1132deac01c2332d234fa821a70022796b79182 upstream.
get_random_long() reads from the get_random_int_hash array using an
unsigned long pointer. For this code to be guaranteed correct on all
architectures, the array must be aligned to an unsigned long boundary.
Signed-off-by: Eric Biggers
Signed-off-by: Theodore Ts'o
Signed-off-by: Jiri Slaby
---
drivers/char/random.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/char/random.c b/drivers/char/random.c
index f6b25db16791..85e771c26488 100644
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -1465,13 +1465,15 @@ int random_int_secret_init(void)
return 0;
}
+static DEFINE_PER_CPU(__u32 [MD5_DIGEST_WORDS], get_random_int_hash)
+ __aligned(sizeof(unsigned long));
+
/*
* Get a random word for internal kernel use only. Similar to urandom but
* with the goal of minimal entropy pool depletion. As a result, the random
* value is not cryptographically secure but for several uses the cost of
* depleting entropy is too high
*/
-static DEFINE_PER_CPU(__u32 [MD5_DIGEST_WORDS], get_random_int_hash);
unsigned int get_random_int(void)
{
__u32 *hash;
--
2.9.3
[PATCH 3.12 081/100] ARM: 8579/1: mm: Fix definition of pmd_mknotpresent
From: Steve Capper
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit 56530f5d2ddc9b9fade7ef8db9cb886e9dc689b5 upstream.
Currently pmd_mknotpresent will use a zero entry to respresent an
invalidated pmd.
Unfortunately this definition clashes with pmd_none, thus it is
possible for a race condition to occur if zap_pmd_range sees pmd_none
whilst __split_huge_pmd_locked is running too with pmdp_invalidate
just called.
This patch fixes the race condition by modifying pmd_mknotpresent to
create non-zero faulting entries (as is done in other architectures),
removing the ambiguity with pmd_none.
[catalin.mari...@arm.com: using L_PMD_SECT_VALID instead of PMD_TYPE_SECT]
Fixes: 8d9625070073 ("ARM: mm: Transparent huge page support for LPAE systems.")
Reported-by: Kirill A. Shutemov
Acked-by: Will Deacon
Cc: Russell King
Signed-off-by: Steve Capper
Signed-off-by: Catalin Marinas
Signed-off-by: Russell King
Signed-off-by: Jiri Slaby
---
arch/arm/include/asm/pgtable-3level.h | 7 +--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/arch/arm/include/asm/pgtable-3level.h
b/arch/arm/include/asm/pgtable-3level.h
index 8afa39f81477..0f153b62d253 100644
--- a/arch/arm/include/asm/pgtable-3level.h
+++ b/arch/arm/include/asm/pgtable-3level.h
@@ -237,8 +237,11 @@ PMD_BIT_FUNC(mkyoung, |= PMD_SECT_AF);
#define pfn_pmd(pfn,prot) (__pmd(((phys_addr_t)(pfn) << PAGE_SHIFT) |
pgprot_val(prot)))
#define mk_pmd(page,prot) pfn_pmd(page_to_pfn(page),prot)
-/* represent a notpresent pmd by zero, this is used by pmdp_invalidate */
-#define pmd_mknotpresent(pmd) (__pmd(0))
+/* represent a notpresent pmd by faulting entry, this is used by
pmdp_invalidate */
+static inline pmd_t pmd_mknotpresent(pmd_t pmd)
+{
+ return __pmd(pmd_val(pmd) & ~L_PMD_SECT_VALID);
+}
static inline pmd_t pmd_modify(pmd_t pmd, pgprot_t newprot)
{
--
2.9.3
[PATCH 3.12 072/100] gpio: pca953x: Fix NBANK calculation for PCA9536
From: Vignesh R
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit a246b8198f776a16d1d3a3bbfc2d437bad766b29 upstream.
NBANK() macro assumes that ngpios is a multiple of 8(BANK_SZ) and
hence results in 0 banks for PCA9536 which has just 4 gpios. This is
wrong as PCA9356 has 1 bank with 4 gpios. This results in uninitialized
PCA953X_INVERT register. Fix this by using DIV_ROUND_UP macro in
NBANK().
Signed-off-by: Vignesh R
Signed-off-by: Linus Walleij
Signed-off-by: Jiri Slaby
---
drivers/gpio/gpio-pca953x.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpio/gpio-pca953x.c b/drivers/gpio/gpio-pca953x.c
index cdd1aa12b895..7bb81d63cc3d 100644
--- a/drivers/gpio/gpio-pca953x.c
+++ b/drivers/gpio/gpio-pca953x.c
@@ -75,7 +75,7 @@ MODULE_DEVICE_TABLE(i2c, pca953x_id);
#define MAX_BANK 5
#define BANK_SZ 8
-#define NBANK(chip) (chip->gpio_chip.ngpio / BANK_SZ)
+#define NBANK(chip) DIV_ROUND_UP(chip->gpio_chip.ngpio, BANK_SZ)
struct pca953x_chip {
unsigned gpio_start;
--
2.9.3
[PATCH 3.12 076/100] cifs: Check for existing directory when opening file with O_CREAT
From: Sachin Prabhu
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit 8d9535b6efd86e6c07da59f97e68f44efb7fe080 upstream.
When opening a file with O_CREAT flag, check to see if the file opened
is an existing directory.
This prevents the directory from being opened which subsequently causes
a crash when the close function for directories cifs_closedir() is called
which frees up the file->private_data memory while the file is still
listed on the open file list for the tcon.
Signed-off-by: Sachin Prabhu
Signed-off-by: Steve French
Reported-by: Xiaoli Feng
Signed-off-by: Jiri Slaby
---
fs/cifs/dir.c | 24 +---
1 file changed, 21 insertions(+), 3 deletions(-)
diff --git a/fs/cifs/dir.c b/fs/cifs/dir.c
index f039c23d003d..7347f1678fa7 100644
--- a/fs/cifs/dir.c
+++ b/fs/cifs/dir.c
@@ -229,6 +229,13 @@ cifs_do_create(struct inode *inode, struct dentry
*direntry, unsigned int xid,
goto cifs_create_get_file_info;
}
+ if (S_ISDIR(newinode->i_mode)) {
+ CIFSSMBClose(xid, tcon, fid->netfid);
+ iput(newinode);
+ rc = -EISDIR;
+ goto out;
+ }
+
if (!S_ISREG(newinode->i_mode)) {
/*
* The server may allow us to open things like
@@ -399,10 +406,14 @@ cifs_create_set_dentry:
if (rc != 0) {
cifs_dbg(FYI, "Create worked, get_inode_info failed rc = %d\n",
rc);
- if (server->ops->close)
- server->ops->close(xid, tcon, fid);
- goto out;
+ goto out_err;
}
+
+ if (S_ISDIR(newinode->i_mode)) {
+ rc = -EISDIR;
+ goto out_err;
+ }
+
d_drop(direntry);
d_add(direntry, newinode);
@@ -410,6 +421,13 @@ out:
kfree(buf);
kfree(full_path);
return rc;
+
+out_err:
+ if (server->ops->close)
+ server->ops->close(xid, tcon, fid);
+ if (newinode)
+ iput(newinode);
+ goto out;
}
int
--
2.9.3
[PATCH 3.12 080/100] nfs: don't create zero-length requests
From: Benjamin Coddington
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit 149a4fddd0a72d526abbeac0c8deaab03559836a upstream.
NFS doesn't expect requests with wb_bytes set to zero and may make
unexpected decisions about how to handle that request at the page IO layer.
Skip request creation if we won't have any wb_bytes in the request.
Signed-off-by: Benjamin Coddington
Signed-off-by: Alexey Dobriyan
Reviewed-by: Weston Andros Adamson
Signed-off-by: Trond Myklebust
Signed-off-by: Jiri Slaby
---
fs/nfs/write.c | 5 -
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/fs/nfs/write.c b/fs/nfs/write.c
index 3a1b1d1a27ce..d194a72b5b66 100644
--- a/fs/nfs/write.c
+++ b/fs/nfs/write.c
@@ -967,6 +967,9 @@ int nfs_updatepage(struct file *file, struct page *page,
file->f_path.dentry->d_name.name, count,
(long long)(page_file_offset(page) + offset));
+ if (!count)
+ goto out;
+
if (nfs_can_extend_write(file, page, inode)) {
count = max(count + offset, nfs_page_length(page));
offset = 0;
@@ -977,7 +980,7 @@ int nfs_updatepage(struct file *file, struct page *page,
nfs_set_pageerror(page);
else
__set_page_dirty_nobuffers(page);
-
+out:
dprintk("NFS: nfs_updatepage returns %d (isize %lld)\n",
status, (long long)i_size_read(inode));
return status;
--
2.9.3
[PATCH 3.12 058/100] KEYS: 64-bit MIPS needs to use compat_sys_keyctl for 32-bit userspace
From: David Howells 3.12-stable review patch. If anyone has any objections, please let me know. === commit 20f06ed9f61a185c6dabd662c310bed6189470df upstream. MIPS64 needs to use compat_sys_keyctl for 32-bit userspace rather than calling sys_keyctl. The latter will work in a lot of cases, thereby hiding the issue. Reported-by: Stephan Mueller Signed-off-by: David Howells Cc: linux-m...@linux-mips.org Cc: linux-kernel@vger.kernel.org Cc: linux-security-mod...@vger.kernel.org Cc: keyri...@vger.kernel.org Patchwork: https://patchwork.linux-mips.org/patch/13832/ Signed-off-by: Ralf Baechle Signed-off-by: Jiri Slaby --- arch/mips/kernel/scall64-n32.S | 2 +- arch/mips/kernel/scall64-o32.S | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/arch/mips/kernel/scall64-n32.S b/arch/mips/kernel/scall64-n32.S index cab150789c8d..b657fbefc466 100644 --- a/arch/mips/kernel/scall64-n32.S +++ b/arch/mips/kernel/scall64-n32.S @@ -349,7 +349,7 @@ EXPORT(sysn32_call_table) PTR sys_ni_syscall /* available, was setaltroot */ PTR sys_add_key PTR sys_request_key - PTR sys_keyctl /* 6245 */ + PTR compat_sys_keyctl /* 6245 */ PTR sys_set_thread_area PTR sys_inotify_init PTR sys_inotify_add_watch diff --git a/arch/mips/kernel/scall64-o32.S b/arch/mips/kernel/scall64-o32.S index 37605dc8eef7..bf56d7e271dd 100644 --- a/arch/mips/kernel/scall64-o32.S +++ b/arch/mips/kernel/scall64-o32.S @@ -474,7 +474,7 @@ sys_call_table: PTR sys_ni_syscall /* available, was setaltroot */ PTR sys_add_key /* 4280 */ PTR sys_request_key - PTR sys_keyctl + PTR compat_sys_keyctl PTR sys_set_thread_area PTR sys_inotify_init PTR sys_inotify_add_watch /* 4285 */ -- 2.9.3
[PATCH 3.12 070/100] usb: renesas_usbhs: protect the CFIFOSEL setting in usbhsg_ep_enable()
From: Yoshihiro Shimoda
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit 15e4292a2d21e9997fdb2b8c014cc461b3f268f0 upstream.
This patch fixes an issue that the CFIFOSEL register value is possible
to be changed by usbhsg_ep_enable() wrongly. And then, a data transfer
using CFIFO may not work correctly.
For example:
# modprobe g_multi file=usb-storage.bin
# ifconfig usb0 192.168.1.1 up
(During the USB host is sending file to the mass storage)
# ifconfig usb0 down
In this case, since the u_ether.c may call usb_ep_enable() in
eth_stop(), if the renesas_usbhs driver is also using CFIFO for
mass storage, the mass storage may not work correctly.
So, this patch adds usbhs_lock() and usbhs_unlock() calling in
usbhsg_ep_enable() to protect CFIFOSEL register. This is because:
- CFIFOSEL.CURPIPE = 0 is also needed for the pipe configuration
- The CFIFOSEL (fifo->sel) is already protected by usbhs_lock()
Fixes: 97664a207bc2 ("usb: renesas_usbhs: shrink spin lock area")
Signed-off-by: Yoshihiro Shimoda
Signed-off-by: Felipe Balbi
Signed-off-by: Jiri Slaby
---
drivers/usb/renesas_usbhs/mod_gadget.c | 9 -
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/renesas_usbhs/mod_gadget.c
b/drivers/usb/renesas_usbhs/mod_gadget.c
index 3385aeb5a364..0c71298c7980 100644
--- a/drivers/usb/renesas_usbhs/mod_gadget.c
+++ b/drivers/usb/renesas_usbhs/mod_gadget.c
@@ -558,6 +558,9 @@ static int usbhsg_ep_enable(struct usb_ep *ep,
struct usbhs_priv *priv = usbhsg_gpriv_to_priv(gpriv);
struct usbhs_pipe *pipe;
int ret = -EIO;
+ unsigned long flags;
+
+ usbhs_lock(priv, flags);
/*
* if it already have pipe,
@@ -566,7 +569,8 @@ static int usbhsg_ep_enable(struct usb_ep *ep,
if (uep->pipe) {
usbhs_pipe_clear(uep->pipe);
usbhs_pipe_sequence_data0(uep->pipe);
- return 0;
+ ret = 0;
+ goto usbhsg_ep_enable_end;
}
pipe = usbhs_pipe_malloc(priv,
@@ -594,6 +598,9 @@ static int usbhsg_ep_enable(struct usb_ep *ep,
ret = 0;
}
+usbhsg_ep_enable_end:
+ usbhs_unlock(priv, flags);
+
return ret;
}
--
2.9.3
[PATCH 3.12 066/100] ext4: fix deadlock during page writeback
From: Jan Kara
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit 646caa9c8e196880b41cd3e3d33a2ebc752bdb85 upstream.
Commit 06bd3c36a733 (ext4: fix data exposure after a crash) uncovered a
deadlock in ext4_writepages() which was previously much harder to hit.
After this commit xfstest generic/130 reproduces the deadlock on small
filesystems.
The problem happens when ext4_do_update_inode() sets LARGE_FILE feature
and marks current inode handle as synchronous. That subsequently results
in ext4_journal_stop() called from ext4_writepages() to block waiting for
transaction commit while still holding page locks, reference to io_end,
and some prepared bio in mpd structure each of which can possibly block
transaction commit from completing and thus results in deadlock.
Fix the problem by releasing page locks, io_end reference, and
submitting prepared bio before calling ext4_journal_stop().
[ Changed to defer the call to ext4_journal_stop() only if the handle
is synchronous. --tytso ]
Reported-and-tested-by: Eryu Guan
Signed-off-by: Theodore Ts'o
Signed-off-by: Jan Kara
Signed-off-by: Jiri Slaby
---
fs/ext4/inode.c | 29 ++---
1 file changed, 26 insertions(+), 3 deletions(-)
diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
index cf5070bb8695..3f43c141ab68 100644
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -2575,13 +2575,36 @@ retry:
done = true;
}
}
- ext4_journal_stop(handle);
+ /*
+* Caution: If the handle is synchronous,
+* ext4_journal_stop() can wait for transaction commit
+* to finish which may depend on writeback of pages to
+* complete or on page lock to be released. In that
+* case, we have to wait until after after we have
+* submitted all the IO, released page locks we hold,
+* and dropped io_end reference (for extent conversion
+* to be able to complete) before stopping the handle.
+*/
+ if (!ext4_handle_valid(handle) || handle->h_sync == 0) {
+ ext4_journal_stop(handle);
+ handle = NULL;
+ }
/* Submit prepared bio */
ext4_io_submit(&mpd.io_submit);
/* Unlock pages we didn't use */
mpage_release_unused_pages(&mpd, give_up_on_write);
- /* Drop our io_end reference we got from init */
- ext4_put_io_end(mpd.io_submit.io_end);
+ /*
+* Drop our io_end reference we got from init. We have
+* to be careful and use deferred io_end finishing if
+* we are still holding the transaction as we can
+* release the last reference to io_end which may end
+* up doing unwritten extent conversion.
+*/
+ if (handle) {
+ ext4_put_io_end_defer(mpd.io_submit.io_end);
+ ext4_journal_stop(handle);
+ } else
+ ext4_put_io_end(mpd.io_submit.io_end);
if (ret == -ENOSPC && sbi->s_journal) {
/*
--
2.9.3
[PATCH 3.12 078/100] CIFS: Fix a possible invalid memory access in smb2_query_symlink()
From: Pavel Shilovsky
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit 7893242e2465aea6f2cbc2639da8fa5ce96e8cc2 upstream.
During following a symbolic link we received err_buf from SMB2_open().
While the validity of SMB2 error response is checked previously
in smb2_check_message() a symbolic link payload is not checked at all.
Fix it by adding such checks.
Cc: Dan Carpenter
Signed-off-by: Pavel Shilovsky
Signed-off-by: Steve French
Signed-off-by: Jiri Slaby
---
fs/cifs/smb2ops.c | 30 +-
1 file changed, 29 insertions(+), 1 deletion(-)
diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
index 57519567b2ac..a3a7a52aef04 100644
--- a/fs/cifs/smb2ops.c
+++ b/fs/cifs/smb2ops.c
@@ -598,6 +598,9 @@ smb2_new_lease_key(struct cifs_fid *fid)
get_random_bytes(fid->lease_key, SMB2_LEASE_KEY_SIZE);
}
+#define SMB2_SYMLINK_STRUCT_SIZE \
+ (sizeof(struct smb2_err_rsp) - 1 + sizeof(struct smb2_symlink_err_rsp))
+
static int
smb2_query_symlink(const unsigned int xid, struct cifs_tcon *tcon,
const char *full_path, char **target_path,
@@ -610,7 +613,10 @@ smb2_query_symlink(const unsigned int xid, struct
cifs_tcon *tcon,
struct cifs_fid fid;
struct smb2_err_rsp *err_buf = NULL;
struct smb2_symlink_err_rsp *symlink;
- unsigned int sub_len, sub_offset;
+ unsigned int sub_len;
+ unsigned int sub_offset;
+ unsigned int print_len;
+ unsigned int print_offset;
cifs_dbg(FYI, "%s: path: %s\n", __func__, full_path);
@@ -631,11 +637,33 @@ smb2_query_symlink(const unsigned int xid, struct
cifs_tcon *tcon,
kfree(utf16_path);
return -ENOENT;
}
+
+ if (le32_to_cpu(err_buf->ByteCount) < sizeof(struct
smb2_symlink_err_rsp) ||
+ get_rfc1002_length(err_buf) + 4 < SMB2_SYMLINK_STRUCT_SIZE) {
+ kfree(utf16_path);
+ return -ENOENT;
+ }
+
/* open must fail on symlink - reset rc */
rc = 0;
symlink = (struct smb2_symlink_err_rsp *)err_buf->ErrorData;
sub_len = le16_to_cpu(symlink->SubstituteNameLength);
sub_offset = le16_to_cpu(symlink->SubstituteNameOffset);
+ print_len = le16_to_cpu(symlink->PrintNameLength);
+ print_offset = le16_to_cpu(symlink->PrintNameOffset);
+
+ if (get_rfc1002_length(err_buf) + 4 <
+ SMB2_SYMLINK_STRUCT_SIZE + sub_offset + sub_len) {
+ kfree(utf16_path);
+ return -ENOENT;
+ }
+
+ if (get_rfc1002_length(err_buf) + 4 <
+ SMB2_SYMLINK_STRUCT_SIZE + print_offset + print_len) {
+ kfree(utf16_path);
+ return -ENOENT;
+ }
+
*target_path = cifs_strndup_from_utf16(
(char *)symlink->PathBuffer + sub_offset,
sub_len, true, cifs_sb->local_nls);
--
2.9.3
[PATCH 3.12 073/100] s5p-mfc: Set device name for reserved memory region devs
From: Javier Martinez Canillas
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit 29debab0a94035a390801d1f177d171d014b7765 upstream.
The devices don't have a name set, so makes dev_name() returns NULL which
makes harder to identify the devices that are causing issues, for example:
WARNING: CPU: 2 PID: 616 at drivers/base/core.c:251 device_release+0x8c/0x90
Device '(null)' does not have a release() function, it is broken and must be
fixed.
And after setting the device name:
WARNING: CPU: 0 PID: 591 at drivers/base/core.c:251 device_release+0x8c/0x90
Device 's5p-mfc-l' does not have a release() function, it is broken and must be
fixed.
Fixes: 6e83e6e25eb4 ("[media] s5p-mfc: Fix kernel warning on memory init")
Signed-off-by: Javier Martinez Canillas
Tested-by: Marek Szyprowski
Signed-off-by: Sylwester Nawrocki
Signed-off-by: Jiri Slaby
---
drivers/media/platform/s5p-mfc/s5p_mfc.c | 4
1 file changed, 4 insertions(+)
diff --git a/drivers/media/platform/s5p-mfc/s5p_mfc.c
b/drivers/media/platform/s5p-mfc/s5p_mfc.c
index 4a521a9a6e9d..f48655b06aef 100644
--- a/drivers/media/platform/s5p-mfc/s5p_mfc.c
+++ b/drivers/media/platform/s5p-mfc/s5p_mfc.c
@@ -1012,6 +1012,8 @@ static int s5p_mfc_alloc_memdevs(struct s5p_mfc_dev *dev)
mfc_err("Not enough memory\n");
return -ENOMEM;
}
+
+ dev_set_name(dev->mem_dev_l, "%s", "s5p-mfc-l");
device_initialize(dev->mem_dev_l);
of_property_read_u32_array(dev->plat_dev->dev.of_node,
"samsung,mfc-l", mem_info, 2);
@@ -1029,6 +1031,8 @@ static int s5p_mfc_alloc_memdevs(struct s5p_mfc_dev *dev)
mfc_err("Not enough memory\n");
return -ENOMEM;
}
+
+ dev_set_name(dev->mem_dev_r, "%s", "s5p-mfc-r");
device_initialize(dev->mem_dev_r);
of_property_read_u32_array(dev->plat_dev->dev.of_node,
"samsung,mfc-r", mem_info, 2);
--
2.9.3
[PATCH 3.12 071/100] USB: serial: option: add support for Telit LE910 PID 0x1206
From: Daniele Palmas
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit 3c0415fa08548e3bc63ef741762664497ab187ed upstream.
This patch adds support for 0x1206 PID of Telit LE910.
Since the interfaces positions are the same than the ones for
0x1043 PID of Telit LE922, telit_le922_blacklist_usbcfg3 is used.
Signed-off-by: Daniele Palmas
Signed-off-by: Johan Hovold
Signed-off-by: Jiri Slaby
---
drivers/usb/serial/option.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c
index bcb6f5c2bae4..006a2a721edf 100644
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -274,6 +274,7 @@ static void option_instat_callback(struct urb *urb);
#define TELIT_PRODUCT_LE922_USBCFG50x1045
#define TELIT_PRODUCT_LE9200x1200
#define TELIT_PRODUCT_LE9100x1201
+#define TELIT_PRODUCT_LE910_USBCFG40x1206
/* ZTE PRODUCTS */
#define ZTE_VENDOR_ID 0x19d2
@@ -1206,6 +1207,8 @@ static const struct usb_device_id option_ids[] = {
.driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg0 },
{ USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910),
.driver_info = (kernel_ulong_t)&telit_le910_blacklist },
+ { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910_USBCFG4),
+ .driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg3 },
{ USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE920),
.driver_info = (kernel_ulong_t)&telit_le920_blacklist },
{ USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, ZTE_PRODUCT_MF622, 0xff,
0xff, 0xff) }, /* ZTE WCDMA products */
--
2.9.3
[PATCH 3.12 054/100] HID: i2c-hid: set power sleep before shutdown
From: Guohua Zhong
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit d9f448e3d71f3a703977196fa73be533b4b85adc upstream.
Add i2c_hid_shutdown for i2c-hid driver to send suspend cmd & free
irq before device shutdown.
Some HW design (i.e. Umaro, a chromebook model) is that the power to
i2c hid device won't down after device shutdown. Also the i2c-hid driver
do not send suspend cmd to the hid i2c device and free its irq before
shutdown.So if We touch the touchscreen or some other i2c hid device,
the power consumtion will be go up even when the device is in shutdown
state.
Though the root cause maybe a HW issue. But it seems that it is a
good pratice to set power sleep for i2c-hid device before shutdown.
Signed-off-by: Guohua Zhong
Acked-By: Benjamin Tissoires
Signed-off-by: Jiri Kosina
Cc: Oliver Neukum
Signed-off-by: Jiri Slaby
---
drivers/hid/i2c-hid/i2c-hid.c | 10 +-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/drivers/hid/i2c-hid/i2c-hid.c b/drivers/hid/i2c-hid/i2c-hid.c
index f62c65ec117e..0c65412cf5d4 100644
--- a/drivers/hid/i2c-hid/i2c-hid.c
+++ b/drivers/hid/i2c-hid/i2c-hid.c
@@ -1075,6 +1075,14 @@ static int i2c_hid_remove(struct i2c_client *client)
return 0;
}
+static void i2c_hid_shutdown(struct i2c_client *client)
+{
+ struct i2c_hid *ihid = i2c_get_clientdata(client);
+
+ i2c_hid_set_power(client, I2C_HID_PWR_SLEEP);
+ free_irq(client->irq, ihid);
+}
+
#ifdef CONFIG_PM_SLEEP
static int i2c_hid_suspend(struct device *dev)
{
@@ -1125,7 +1133,7 @@ static struct i2c_driver i2c_hid_driver = {
.probe = i2c_hid_probe,
.remove = i2c_hid_remove,
-
+ .shutdown = i2c_hid_shutdown,
.id_table = i2c_hid_id_table,
};
--
2.9.3
[PATCH 3.12 075/100] Bluetooth: Fix l2cap_sock_setsockopt() with optname BT_RCVMTU
From: Amadeusz Sławiński
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit 23bc6ab0a0912146fd674a0becc758c3162baabc upstream.
When we retrieve imtu value from userspace we should use 16 bit pointer
cast instead of 32 as it's defined that way in headers. Fixes setsockopt
calls on big-endian platforms.
Signed-off-by: Amadeusz Sławiński
Signed-off-by: Marcel Holtmann
Signed-off-by: Jiri Slaby
---
net/bluetooth/l2cap_sock.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index 2710e850b74c..1fbd26feda09 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -720,7 +720,7 @@ static int l2cap_sock_setsockopt(struct socket *sock, int
level, int optname,
break;
}
- if (get_user(opt, (u32 __user *) optval)) {
+ if (get_user(opt, (u16 __user *) optval)) {
err = -EFAULT;
break;
}
--
2.9.3
[PATCH 3.12 077/100] cifs: fix crash due to race in hmac(md5) handling
From: Rabin Vincent
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit bd975d1eead2558b76e1079e861eacf1f678b73b upstream.
The secmech hmac(md5) structures are present in the TCP_Server_Info
struct and can be shared among multiple CIFS sessions. However, the
server mutex is not currently held when these structures are allocated
and used, which can lead to a kernel crashes, as in the scenario below:
mount.cifs(8) #1mount.cifs(8) #2
Is secmech.sdeschmaccmd5 allocated?
// false
Is secmech.sdeschmaccmd5
allocated?
// false
secmech.hmacmd = crypto_alloc_shash..
secmech.sdeschmaccmd5 = kzalloc..
sdeschmaccmd5->shash.tfm = &secmec.hmacmd;
secmech.sdeschmaccmd5 = kzalloc
// sdeschmaccmd5->shash.tfm
// not yet assigned
crypto_shash_update()
deref NULL sdeschmaccmd5->shash.tfm
Unable to handle kernel paging request at virtual address 0030
epc : 8027ba34 crypto_shash_update+0x38/0x158
ra: 8020f2e8 setup_ntlmv2_rsp+0x4bc/0xa84
Call Trace:
crypto_shash_update+0x38/0x158
setup_ntlmv2_rsp+0x4bc/0xa84
build_ntlmssp_auth_blob+0xbc/0x34c
sess_auth_rawntlmssp_authenticate+0xac/0x248
CIFS_SessSetup+0xf0/0x178
cifs_setup_session+0x4c/0x84
cifs_get_smb_ses+0x2c8/0x314
cifs_mount+0x38c/0x76c
cifs_do_mount+0x98/0x440
mount_fs+0x20/0xc0
vfs_kern_mount+0x58/0x138
do_mount+0x1e8/0xccc
SyS_mount+0x88/0xd4
syscall_common+0x30/0x54
Fix this by locking the srv_mutex around the code which uses these
hmac(md5) structures. All the other secmech algos already have similar
locking.
Fixes: 95dc8dd14e2e84cc ("Limit allocation of crypto mechanisms to dialect
which requires")
Signed-off-by: Rabin Vincent
Acked-by: Sachin Prabhu
Signed-off-by: Steve French
Signed-off-by: Jiri Slaby
---
fs/cifs/cifsencrypt.c | 16 ++--
1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/fs/cifs/cifsencrypt.c b/fs/cifs/cifsencrypt.c
index 684e1c5ad46d..84ae0a5a8ce0 100644
--- a/fs/cifs/cifsencrypt.c
+++ b/fs/cifs/cifsencrypt.c
@@ -720,24 +720,26 @@ setup_ntlmv2_rsp(struct cifs_ses *ses, const struct
nls_table *nls_cp)
memcpy(ses->auth_key.response + baselen, tiblob, tilen);
+ mutex_lock(&ses->server->srv_mutex);
+
rc = crypto_hmacmd5_alloc(ses->server);
if (rc) {
cifs_dbg(VFS, "could not crypto alloc hmacmd5 rc %d\n", rc);
- goto setup_ntlmv2_rsp_ret;
+ goto unlock;
}
/* calculate ntlmv2_hash */
rc = calc_ntlmv2_hash(ses, ntlmv2_hash, nls_cp);
if (rc) {
cifs_dbg(VFS, "could not get v2 hash rc %d\n", rc);
- goto setup_ntlmv2_rsp_ret;
+ goto unlock;
}
/* calculate first part of the client response (CR1) */
rc = CalcNTLMv2_response(ses, ntlmv2_hash);
if (rc) {
cifs_dbg(VFS, "Could not calculate CR1 rc: %d\n", rc);
- goto setup_ntlmv2_rsp_ret;
+ goto unlock;
}
/* now calculate the session key for NTLMv2 */
@@ -746,13 +748,13 @@ setup_ntlmv2_rsp(struct cifs_ses *ses, const struct
nls_table *nls_cp)
if (rc) {
cifs_dbg(VFS, "%s: Could not set NTLMV2 Hash as a key\n",
__func__);
- goto setup_ntlmv2_rsp_ret;
+ goto unlock;
}
rc = crypto_shash_init(&ses->server->secmech.sdeschmacmd5->shash);
if (rc) {
cifs_dbg(VFS, "%s: Could not init hmacmd5\n", __func__);
- goto setup_ntlmv2_rsp_ret;
+ goto unlock;
}
rc = crypto_shash_update(&ses->server->secmech.sdeschmacmd5->shash,
@@ -760,7 +762,7 @@ setup_ntlmv2_rsp(struct cifs_ses *ses, const struct
nls_table *nls_cp)
CIFS_HMAC_MD5_HASH_SIZE);
if (rc) {
cifs_dbg(VFS, "%s: Could not update with response\n", __func__);
- goto setup_ntlmv2_rsp_ret;
+ goto unlock;
}
rc = crypto_shash_final(&ses->server->secmech.sdeschmacmd5->shash,
@@ -768,6 +770,8 @@ setup_ntlmv2_rsp(struct cifs_ses *ses, const struct
nls_table *nls_cp)
if (rc)
cifs_dbg(VFS, "%s: Could not generate md5 hash\n", __func__);
+unlock:
+ mutex_unlock(&ses->server->srv_mutex);
setup_ntlmv2_rsp_ret:
kfree(tiblob);
--
2.9.3
[PATCH 3.12 067/100] ext4: don't call ext4_should_journal_data() on the journal inode
From: Vegard Nossum
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit 6a7fd522a7c94cdef0a3b08acf8e6702056e635c upstream.
If ext4_fill_super() fails early, it's possible for ext4_evict_inode()
to call ext4_should_journal_data() before superblock options and flags
are fully set up. In that case, the iput() on the journal inode can
end up causing a BUG().
Work around this problem by reordering the tests so we only call
ext4_should_journal_data() after we know it's not the journal inode.
Fixes: 2d859db3e4 ("ext4: fix data corruption in inodes with journalled data")
Fixes: 2b405bfa84 ("ext4: fix data=journal fast mount/umount hang")
Cc: Jan Kara
Signed-off-by: Vegard Nossum
Signed-off-by: Theodore Ts'o
Reviewed-by: Jan Kara
Signed-off-by: Jiri Slaby
---
fs/ext4/inode.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
index 3f43c141ab68..98ba65482e46 100644
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -204,9 +204,9 @@ void ext4_evict_inode(struct inode *inode)
* Note that directories do not have this problem because they
* don't use page cache.
*/
- if (ext4_should_journal_data(inode) &&
- (S_ISLNK(inode->i_mode) || S_ISREG(inode->i_mode)) &&
- inode->i_ino != EXT4_JOURNAL_INO) {
+ if (inode->i_ino != EXT4_JOURNAL_INO &&
+ ext4_should_journal_data(inode) &&
+ (S_ISLNK(inode->i_mode) || S_ISREG(inode->i_mode))) {
journal_t *journal = EXT4_SB(inode->i_sb)->s_journal;
tid_t commit_tid = EXT4_I(inode)->i_datasync_tid;
--
2.9.3
Re: [PATCH][v2] PM / sleep: Increase default DPM watchdog timeout to 120
On Fri 2016-08-19 12:37:23, Chen Yu wrote: > Recently we have a new report that, the harddisk can not > resume on time due to firmware issues, and got a kernel > panic because of DPM watchdog timeout. So adjust the > default timeout from 60 to 120 to survive on this platform, > and make DPM_WATCHDOG depending on EXPERT. > > Link: https://bugzilla.kernel.org/show_bug.cgi?id=117971 Acked-by: Pavel Machek Thanks! Pavel -- (english) http://www.livejournal.com/~pavelmachek (cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
[PATCH 3.12 064/100] crypto: scatterwalk - Fix test in scatterwalk_done
From: Herbert Xu
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit 5f070e81bee35f1b7bd1477bb223a873ff657803 upstream.
When there is more data to be processed, the current test in
scatterwalk_done may prevent us from calling pagedone even when
we should.
In particular, if we're on an SG entry spanning multiple pages
where the last page is not a full page, we will incorrectly skip
calling pagedone on the second last page.
This patch fixes this by adding a separate test for whether we've
reached the end of a page.
Signed-off-by: Herbert Xu
Signed-off-by: Jiri Slaby
---
crypto/scatterwalk.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/crypto/scatterwalk.c b/crypto/scatterwalk.c
index 79ca2278c2a3..0ec7a6fa3d4d 100644
--- a/crypto/scatterwalk.c
+++ b/crypto/scatterwalk.c
@@ -68,7 +68,8 @@ static void scatterwalk_pagedone(struct scatter_walk *walk,
int out,
void scatterwalk_done(struct scatter_walk *walk, int out, int more)
{
- if (!(scatterwalk_pagelen(walk) & (PAGE_SIZE - 1)) || !more)
+ if (!more || walk->offset >= walk->sg->offset + walk->sg->length ||
+ !(walk->offset & (PAGE_SIZE - 1)))
scatterwalk_pagedone(walk, out, more);
}
EXPORT_SYMBOL_GPL(scatterwalk_done);
--
2.9.3
[PATCH 3.12 061/100] sysv, ipc: fix security-layer leaking
From: Fabian Frederick
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit 9b24fef9f0410fb5364245d6cc2bd044cc064007 upstream.
Commit 53dad6d3a8e5 ("ipc: fix race with LSMs") updated ipc_rcu_putref()
to receive rcu freeing function but used generic ipc_rcu_free() instead
of msg_rcu_free() which does security cleaning.
Running LTP msgsnd06 with kmemleak gives the following:
cat /sys/kernel/debug/kmemleak
unreferenced object 0x88003c0a11f8 (size 8):
comm "msgsnd06", pid 1645, jiffies 4294672526 (age 6.549s)
hex dump (first 8 bytes):
1b 00 00 00 01 00 00 00
backtrace:
kmemleak_alloc+0x23/0x40
kmem_cache_alloc_trace+0xe1/0x180
selinux_msg_queue_alloc_security+0x3f/0xd0
security_msg_queue_alloc+0x2e/0x40
newque+0x4e/0x150
ipcget+0x159/0x1b0
SyS_msgget+0x39/0x40
entry_SYSCALL_64_fastpath+0x13/0x8f
Manfred Spraul suggested to fix sem.c as well and Davidlohr Bueso to
only use ipc_rcu_free in case of security allocation failure in newary()
Fixes: 53dad6d3a8e ("ipc: fix race with LSMs")
Link: http://lkml.kernel.org/r/1470083552-22966-1-git-send-email-f...@skynet.be
Signed-off-by: Fabian Frederick
Cc: Davidlohr Bueso
Cc: Manfred Spraul
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
Signed-off-by: Jiri Slaby
---
ipc/msg.c | 2 +-
ipc/sem.c | 12 ++--
2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/ipc/msg.c b/ipc/msg.c
index 32b15c5c..f8c22afff450 100644
--- a/ipc/msg.c
+++ b/ipc/msg.c
@@ -730,7 +730,7 @@ long do_msgsnd(int msqid, long mtype, void __user *mtext,
rcu_read_lock();
ipc_lock_object(&msq->q_perm);
- ipc_rcu_putref(msq, ipc_rcu_free);
+ ipc_rcu_putref(msq, msg_rcu_free);
if (msq->q_perm.deleted) {
err = -EIDRM;
goto out_unlock0;
diff --git a/ipc/sem.c b/ipc/sem.c
index b064468e876f..7fb486739cbb 100644
--- a/ipc/sem.c
+++ b/ipc/sem.c
@@ -442,7 +442,7 @@ static inline struct sem_array
*sem_obtain_object_check(struct ipc_namespace *ns
static inline void sem_lock_and_putref(struct sem_array *sma)
{
sem_lock(sma, NULL, -1);
- ipc_rcu_putref(sma, ipc_rcu_free);
+ ipc_rcu_putref(sma, sem_rcu_free);
}
static inline void sem_rmid(struct ipc_namespace *ns, struct sem_array *s)
@@ -1373,7 +1373,7 @@ static int semctl_main(struct ipc_namespace *ns, int
semid, int semnum,
rcu_read_unlock();
sem_io = ipc_alloc(sizeof(ushort)*nsems);
if(sem_io == NULL) {
- ipc_rcu_putref(sma, ipc_rcu_free);
+ ipc_rcu_putref(sma, sem_rcu_free);
return -ENOMEM;
}
@@ -1407,20 +1407,20 @@ static int semctl_main(struct ipc_namespace *ns, int
semid, int semnum,
if(nsems > SEMMSL_FAST) {
sem_io = ipc_alloc(sizeof(ushort)*nsems);
if(sem_io == NULL) {
- ipc_rcu_putref(sma, ipc_rcu_free);
+ ipc_rcu_putref(sma, sem_rcu_free);
return -ENOMEM;
}
}
if (copy_from_user (sem_io, p, nsems*sizeof(ushort))) {
- ipc_rcu_putref(sma, ipc_rcu_free);
+ ipc_rcu_putref(sma, sem_rcu_free);
err = -EFAULT;
goto out_free;
}
for (i = 0; i < nsems; i++) {
if (sem_io[i] > SEMVMX) {
- ipc_rcu_putref(sma, ipc_rcu_free);
+ ipc_rcu_putref(sma, sem_rcu_free);
err = -ERANGE;
goto out_free;
}
@@ -1710,7 +1710,7 @@ static struct sem_undo *find_alloc_undo(struct
ipc_namespace *ns, int semid)
/* step 2: allocate new undo structure */
new = kzalloc(sizeof(struct sem_undo) + sizeof(short)*nsems,
GFP_KERNEL);
if (!new) {
- ipc_rcu_putref(sma, ipc_rcu_free);
+ ipc_rcu_putref(sma, sem_rcu_free);
return ERR_PTR(-ENOMEM);
}
--
2.9.3
[PATCH 3.12 069/100] ext4: fix reference counting bug on block allocation error
From: Vegard Nossum
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit 554a5ccc4e4a20c5f3ec859de0842db4b4b9c77e upstream.
If we hit this error when mounted with errors=continue or
errors=remount-ro:
EXT4-fs error (device loop0): ext4_mb_mark_diskspace_used:2940: comm
ext4.exe: Allocating blocks 5090-6081 which overlap fs metadata
then ext4_mb_new_blocks() will call ext4_mb_release_context() and try to
continue. However, ext4_mb_release_context() is the wrong thing to call
here since we are still actually using the allocation context.
Instead, just error out. We could retry the allocation, but there is a
possibility of getting stuck in an infinite loop instead, so this seems
safer.
[ Fixed up so we don't return EAGAIN to userspace. --tytso ]
Fixes: 8556e8f3b6 ("ext4: Don't allow new groups to be added during block
allocation")
Signed-off-by: Vegard Nossum
Signed-off-by: Theodore Ts'o
Cc: Aneesh Kumar K.V
Signed-off-by: Jiri Slaby
---
fs/ext4/mballoc.c | 17 +++--
1 file changed, 3 insertions(+), 14 deletions(-)
diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
index 4a79ce1ecaa1..fcb205f69ed6 100644
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -2897,7 +2897,7 @@ ext4_mb_mark_diskspace_used(struct
ext4_allocation_context *ac,
ext4_error(sb, "Allocating blocks %llu-%llu which overlap "
"fs metadata", block, block+len);
/* File system mounted not to panic on error
-* Fix the bitmap and repeat the block allocation
+* Fix the bitmap and return EUCLEAN
* We leak some of the blocks here.
*/
ext4_lock_group(sb, ac->ac_b_ex.fe_group);
@@ -2906,7 +2906,7 @@ ext4_mb_mark_diskspace_used(struct
ext4_allocation_context *ac,
ext4_unlock_group(sb, ac->ac_b_ex.fe_group);
err = ext4_handle_dirty_metadata(handle, NULL, bitmap_bh);
if (!err)
- err = -EAGAIN;
+ err = -EUCLEAN;
goto out_err;
}
@@ -4476,18 +4476,7 @@ repeat:
}
if (likely(ac->ac_status == AC_STATUS_FOUND)) {
*errp = ext4_mb_mark_diskspace_used(ac, handle, reserv_clstrs);
- if (*errp == -EAGAIN) {
- /*
-* drop the reference that we took
-* in ext4_mb_use_best_found
-*/
- ext4_mb_release_context(ac);
- ac->ac_b_ex.fe_group = 0;
- ac->ac_b_ex.fe_start = 0;
- ac->ac_b_ex.fe_len = 0;
- ac->ac_status = AC_STATUS_CONTINUE;
- goto repeat;
- } else if (*errp) {
+ if (*errp) {
ext4_discard_allocated_blocks(ac);
goto errout;
} else {
--
2.9.3
[PATCH 3.12 065/100] ext4: check for extents that wrap around
From: Vegard Nossum
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit f70749ca42943faa4d4dcce46dfdcaadb1d0c4b6 upstream.
An extent with lblock = 4294967295 and len = 1 will pass the
ext4_valid_extent() test:
ext4_lblk_t last = lblock + len - 1;
if (len == 0 || lblock > last)
return 0;
since last = 4294967295 + 1 - 1 = 4294967295. This would later trigger
the BUG_ON(es->es_lblk + es->es_len < es->es_lblk) in ext4_es_end().
We can simplify it by removing the - 1 altogether and changing the test
to use lblock + len <= lblock, since now if len = 0, then lblock + 0 ==
lblock and it fails, and if len > 0 then lblock + len > lblock in order
to pass (i.e. it doesn't overflow).
Fixes: 5946d0893 ("ext4: check for overlapping extents in
ext4_valid_extent_entries()")
Fixes: 2f974865f ("ext4: check for zero length extent explicitly")
Cc: Eryu Guan
Signed-off-by: Phil Turnbull
Signed-off-by: Vegard Nossum
Signed-off-by: Theodore Ts'o
Signed-off-by: Jiri Slaby
---
fs/ext4/extents.c | 8 ++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
index 6b9d96bdd35c..1a13089883af 100644
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -359,9 +359,13 @@ static int ext4_valid_extent(struct inode *inode, struct
ext4_extent *ext)
ext4_fsblk_t block = ext4_ext_pblock(ext);
int len = ext4_ext_get_actual_len(ext);
ext4_lblk_t lblock = le32_to_cpu(ext->ee_block);
- ext4_lblk_t last = lblock + len - 1;
- if (len == 0 || lblock > last)
+ /*
+* We allow neither:
+* - zero length
+* - overflow/wrap-around
+*/
+ if (lblock + len <= lblock)
return 0;
return ext4_data_block_valid(EXT4_SB(inode->i_sb), block, len);
}
--
2.9.3
[PATCH 3.12 062/100] fuse: fix wrong assignment of ->flags in fuse_send_init()
From: Wei Fang
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit 9446385f05c9af25fed53dbed3cc75763730be52 upstream.
FUSE_HAS_IOCTL_DIR should be assigned to ->flags, it may be a typo.
Signed-off-by: Wei Fang
Signed-off-by: Miklos Szeredi
Fixes: 69fe05c90ed5 ("fuse: add missing INIT flags")
Signed-off-by: Jiri Slaby
---
fs/fuse/inode.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c
index 68f12d51dbea..d6ce83edc800 100644
--- a/fs/fuse/inode.c
+++ b/fs/fuse/inode.c
@@ -913,7 +913,7 @@ static void fuse_send_init(struct fuse_conn *fc, struct
fuse_req *req)
arg->flags |= FUSE_ASYNC_READ | FUSE_POSIX_LOCKS | FUSE_ATOMIC_O_TRUNC |
FUSE_EXPORT_SUPPORT | FUSE_BIG_WRITES | FUSE_DONT_MASK |
FUSE_SPLICE_WRITE | FUSE_SPLICE_MOVE | FUSE_SPLICE_READ |
- FUSE_FLOCK_LOCKS | FUSE_IOCTL_DIR | FUSE_AUTO_INVAL_DATA |
+ FUSE_FLOCK_LOCKS | FUSE_HAS_IOCTL_DIR | FUSE_AUTO_INVAL_DATA |
FUSE_DO_READDIRPLUS | FUSE_READDIRPLUS_AUTO | FUSE_ASYNC_DIO;
req->in.h.opcode = FUSE_INIT;
req->in.numargs = 1;
--
2.9.3
[PATCH 3.12 063/100] crypto: gcm - Filter out async ghash if necessary
From: Herbert Xu 3.12-stable review patch. If anyone has any objections, please let me know. === commit b30bdfa86431afbafe15284a3ad5ac19b49b88e3 upstream. As it is if you ask for a sync gcm you may actually end up with an async one because it does not filter out async implementations of ghash. This patch fixes this by adding the necessary filter when looking for ghash. Signed-off-by: Herbert Xu Signed-off-by: Jiri Slaby --- crypto/gcm.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/crypto/gcm.c b/crypto/gcm.c index f0bd00b15f26..d2a0f7371cf0 100644 --- a/crypto/gcm.c +++ b/crypto/gcm.c @@ -716,7 +716,9 @@ static struct crypto_instance *crypto_gcm_alloc_common(struct rtattr **tb, ghash_alg = crypto_find_alg(ghash_name, &crypto_ahash_type, CRYPTO_ALG_TYPE_HASH, - CRYPTO_ALG_TYPE_AHASH_MASK); + CRYPTO_ALG_TYPE_AHASH_MASK | + crypto_requires_sync(algt->type, +algt->mask)); if (IS_ERR(ghash_alg)) return ERR_CAST(ghash_alg); -- 2.9.3
[PATCH 3.12 043/100] can: fix oops caused by wrong rtnl dellink usage
From: Oliver Hartkopp
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit 25e1ed6e64f52a692ba3191c4fde650aab3ecc07 upstream.
For 'real' hardware CAN devices the netlink interface is used to set CAN
specific communication parameters. Real CAN hardware can not be created nor
removed with the ip tool ...
This patch adds a private dellink function for the CAN device driver interface
that does just nothing.
It's a follow up to commit 993e6f2fd ("can: fix oops caused by wrong rtnl
newlink usage") but for dellink.
Reported-by: ajneu
Signed-off-by: Oliver Hartkopp
Signed-off-by: Marc Kleine-Budde
Signed-off-by: Jiri Slaby
---
drivers/net/can/dev.c | 6 ++
1 file changed, 6 insertions(+)
diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c
index 3c1a7f8211be..561bed7eb6a5 100644
--- a/drivers/net/can/dev.c
+++ b/drivers/net/can/dev.c
@@ -775,6 +775,11 @@ static int can_newlink(struct net *src_net, struct
net_device *dev,
return -EOPNOTSUPP;
}
+static void can_dellink(struct net_device *dev, struct list_head *head)
+{
+ return;
+}
+
static struct rtnl_link_ops can_link_ops __read_mostly = {
.kind = "can",
.maxtype= IFLA_CAN_MAX,
@@ -782,6 +787,7 @@ static struct rtnl_link_ops can_link_ops __read_mostly = {
.setup = can_setup,
.newlink= can_newlink,
.changelink = can_changelink,
+ .dellink= can_dellink,
.get_size = can_get_size,
.fill_info = can_fill_info,
.get_xstats_size = can_get_xstats_size,
--
2.9.3
Re: [PATCH][RFC v2] PCI: Workaround to enable poweroff on Mac Pro 11
On Fri, Aug 19, 2016 at 01:44:52AM +0800, Chen Yu wrote:
> People reported that they can not do a poweroff nor a
> suspend to memory on their Mac Pro 11. After some investigations
> it was found that, once the PCI bridge :00:1c.0 reassigns its
> mm windows([mem 0x7fa0-0x7fbf] and
> [mem 0x7fc0-0x7fdf 64bit pref]), the region of ACPI
> io resource 0x1804 becomes unaccessible immediately, where the
> ACPI Sleep register is located, as a result neither poweroff(S5)
> nor suspend to memory(S3) works.
>
> As suggested by Bjorn, further testing shows that, there is an
> unreported device may be (using) conflict with above aperture,
> so if we reassign the memory aperture to other place, the poweroff
> works again.
>
> As we did not find any resource declared in _CRS which contain above
> memory aperture, thus we choose a simple workaround to clear the hotplug
> flag(suggested by Yinghai Lu), thus do not allocate any resource for
> this pci bridge.
>
> Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=103211
> Cc: Bjorn Helgaas
> Cc: Rafael J. Wysocki
> Signed-off-by: Chen Yu
> ---
> drivers/pci/quirks.c | 21 +
> 1 file changed, 21 insertions(+)
>
> diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
> index 37ff015..47b303a 100644
> --- a/drivers/pci/quirks.c
> +++ b/drivers/pci/quirks.c
> @@ -2776,6 +2776,27 @@ static void quirk_hotplug_bridge(struct pci_dev *dev)
> DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_HINT, 0x0020, quirk_hotplug_bridge);
>
> /*
> + * Apple: Avoid programming the memory/io aperture of 00:1c.0
> + *
> + * BIOS does not declare any resource for 00:1c.0, but with
> + * hotplug flag set, thus OS allocate:
> + * [mem 0x7fa0 - 0x7fbf]
> + * [mem 0x7fc0-0x7fdf 64bit pref]
> + * which is conflict with an unreported device, which
> + * causes unpredictable result such as accessing io port.
> + * So clear the hotplug flag to work around it.
> + */
> +static void quirk_apple_mbp_poweroff(struct pci_dev *dev)
> +{
> + if (dmi_match(DMI_BOARD_VENDOR, "Apple Inc.") &&
> + dmi_match(DMI_PRODUCT_NAME, "MacBookPro11,4") ||
> + dmi_match(DMI_PRODUCT_NAME, "MacBookPro11,5"))
&& has higher precedence than ||, so you would need parentheses here.
However I don't think there's another vendor using those product names,
so it's probably safe to drop the check for the vendor altogether.
Best regards,
Lukas
> + dev->is_hotplug_bridge = 0;
> +}
> +
> +DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, 0x8c10,
> quirk_apple_mbp_poweroff);
> +
> +/*
> * This is a quirk for the Ricoh MMC controller found as a part of
> * some mulifunction chips.
>
> --
> 2.7.4
[PATCH 3.12 068/100] ext4: short-cut orphan cleanup on error
From: Vegard Nossum
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit c65d5c6c81a1f27dec5f627f67840726fcd146de upstream.
If we encounter a filesystem error during orphan cleanup, we should stop.
Otherwise, we may end up in an infinite loop where the same inode is
processed again and again.
EXT4-fs (loop0): warning: checktime reached, running e2fsck is recommended
EXT4-fs error (device loop0): ext4_mb_generate_buddy:758: group 2, block
bitmap and bg descriptor inconsistent: 6117 vs 0 free clusters
Aborting journal on device loop0-8.
EXT4-fs (loop0): Remounting filesystem read-only
EXT4-fs error (device loop0) in ext4_free_blocks:4895: Journal has aborted
EXT4-fs error (device loop0) in ext4_do_update_inode:4893: Journal has
aborted
EXT4-fs error (device loop0) in ext4_do_update_inode:4893: Journal has
aborted
EXT4-fs error (device loop0) in ext4_ext_remove_space:3068: IO failure
EXT4-fs error (device loop0) in ext4_ext_truncate:4667: Journal has aborted
EXT4-fs error (device loop0) in ext4_orphan_del:2927: Journal has aborted
EXT4-fs error (device loop0) in ext4_do_update_inode:4893: Journal has
aborted
EXT4-fs (loop0): Inode 16 (618192a0): orphan list check failed!
[...]
EXT4-fs (loop0): Inode 16 (61819748): orphan list check failed!
[...]
EXT4-fs (loop0): Inode 16 (61819bf0): orphan list check failed!
[...]
See-also: c9eb13a9105 ("ext4: fix hang when processing corrupted orphaned inode
list")
Cc: Jan Kara
Signed-off-by: Vegard Nossum
Signed-off-by: Theodore Ts'o
Signed-off-by: Jiri Slaby
---
fs/ext4/super.c | 10 ++
1 file changed, 10 insertions(+)
diff --git a/fs/ext4/super.c b/fs/ext4/super.c
index ab5829f298e7..238c24b606f0 100644
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -2203,6 +2203,16 @@ static void ext4_orphan_cleanup(struct super_block *sb,
while (es->s_last_orphan) {
struct inode *inode;
+ /*
+* We may have encountered an error during cleanup; if
+* so, skip the rest.
+*/
+ if (EXT4_SB(sb)->s_mount_state & EXT4_ERROR_FS) {
+ jbd_debug(1, "Skipping orphan recovery on fs with
errors.\n");
+ es->s_last_orphan = 0;
+ break;
+ }
+
inode = ext4_orphan_get(sb, le32_to_cpu(es->s_last_orphan));
if (IS_ERR(inode)) {
es->s_last_orphan = 0;
--
2.9.3
Re: [LKP] [lkp] [sctp] a6c2f79287: netperf.Throughput_Mbps -37.2% regression
Hi, Em 19-08-2016 02:29, Aaron Lu escreveu: ... It doesn't look insane and sctp_wait_for_sndbuf may actually have something to do with a larger sctp_chunk I suppose? The same perf record doesn't capture any sample for the good commit, which suggests the nerperf process doesn't sleep in sctp_wait_for_sndbuf. Ahhh yes! It does, and then it would mean your txbuf is too small for the chunk sizes you're using (sctp tests option -m). What's your netperf cmdline again please? Regards, Marcelo
[PATCH 3.12 041/100] can: at91_can: RX queue could get stuck at high bus load
From: Wolfgang Grandegger
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit 43200a4480cbbe660309621817f54cbb93907108 upstream.
At high bus load it could happen that "at91_poll()" enters with all RX
message boxes filled up. If then at the end the "quota" is exceeded as
well, "rx_next" will not be reset to the first RX mailbox and hence the
interrupts remain disabled.
Signed-off-by: Wolfgang Grandegger
Tested-by: Amr Bekhit
Signed-off-by: Marc Kleine-Budde
Signed-off-by: Jiri Slaby
---
drivers/net/can/at91_can.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/net/can/at91_can.c b/drivers/net/can/at91_can.c
index 693d8ffe4653..67e08af13eb0 100644
--- a/drivers/net/can/at91_can.c
+++ b/drivers/net/can/at91_can.c
@@ -731,9 +731,10 @@ static int at91_poll_rx(struct net_device *dev, int quota)
/* upper group completed, look again in lower */
if (priv->rx_next > get_mb_rx_low_last(priv) &&
- quota > 0 && mb > get_mb_rx_last(priv)) {
+ mb > get_mb_rx_last(priv)) {
priv->rx_next = get_mb_rx_first(priv);
- goto again;
+ if (quota > 0)
+ goto again;
}
return received;
--
2.9.3
[PATCH 3.12 053/100] MIPS: KVM: Propagate kseg0/mapped tlb fault errors
From: James Hogan
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit 9b731bcfdec4c159ad2e4312e25d69221709b96a upstream.
Propagate errors from kvm_mips_handle_kseg0_tlb_fault() and
kvm_mips_handle_mapped_seg_tlb_fault(), usually triggering an internal
error since they normally indicate the guest accessed bad physical
memory or the commpage in an unexpected way.
Fixes: 858dd5d45733 ("KVM/MIPS32: MMU/TLB operations for the Guest.")
Fixes: e685c689f3a8 ("KVM/MIPS32: Privileged instruction/target branch
emulation.")
Signed-off-by: James Hogan
Cc: Paolo Bonzini
Cc: "Radim Krčmář"
Cc: Ralf Baechle
Cc: linux-m...@linux-mips.org
Cc: k...@vger.kernel.org
Signed-off-by: Radim Krčmář
[james.ho...@imgtec.com: Backport to v3.10.y - v3.15.y]
Signed-off-by: James Hogan
Signed-off-by: Jiri Slaby
---
arch/mips/kvm/kvm_mips_emul.c | 33 -
arch/mips/kvm/kvm_tlb.c | 14 ++
2 files changed, 34 insertions(+), 13 deletions(-)
diff --git a/arch/mips/kvm/kvm_mips_emul.c b/arch/mips/kvm/kvm_mips_emul.c
index 33085819cd89..9f7643874fba 100644
--- a/arch/mips/kvm/kvm_mips_emul.c
+++ b/arch/mips/kvm/kvm_mips_emul.c
@@ -972,8 +972,13 @@ kvm_mips_emulate_cache(uint32_t inst, uint32_t *opc,
uint32_t cause,
preempt_disable();
if (KVM_GUEST_KSEGX(va) == KVM_GUEST_KSEG0) {
- if (kvm_mips_host_tlb_lookup(vcpu, va) < 0) {
- kvm_mips_handle_kseg0_tlb_fault(va, vcpu);
+ if (kvm_mips_host_tlb_lookup(vcpu, va) < 0 &&
+ kvm_mips_handle_kseg0_tlb_fault(va, vcpu)) {
+ kvm_err("%s: handling mapped kseg0 tlb fault for %lx,
vcpu: %p, ASID: %#lx\n",
+ __func__, va, vcpu, read_c0_entryhi());
+ er = EMULATE_FAIL;
+ preempt_enable();
+ goto done;
}
} else if ((KVM_GUEST_KSEGX(va) < KVM_GUEST_KSEG0) ||
KVM_GUEST_KSEGX(va) == KVM_GUEST_KSEG23) {
@@ -1006,11 +1011,16 @@ kvm_mips_emulate_cache(uint32_t inst, uint32_t *opc,
uint32_t cause,
run, vcpu);
preempt_enable();
goto dont_update_pc;
- } else {
- /* We fault an entry from the guest tlb to the
shadow host TLB */
- kvm_mips_handle_mapped_seg_tlb_fault(vcpu, tlb,
-NULL,
-NULL);
+ }
+ /* We fault an entry from the guest tlb to the shadow
host TLB */
+ if (kvm_mips_handle_mapped_seg_tlb_fault(vcpu, tlb,
+NULL, NULL)) {
+ kvm_err("%s: handling mapped seg tlb fault for
%lx, index: %u, vcpu: %p, ASID: %#lx\n",
+ __func__, va, index, vcpu,
+ read_c0_entryhi());
+ er = EMULATE_FAIL;
+ preempt_enable();
+ goto done;
}
}
} else {
@@ -1821,8 +1831,13 @@ kvm_mips_handle_tlbmiss(unsigned long cause, uint32_t
*opc,
tlb->tlb_hi, tlb->tlb_lo0, tlb->tlb_lo1);
#endif
/* OK we have a Guest TLB entry, now inject it into the
shadow host TLB */
- kvm_mips_handle_mapped_seg_tlb_fault(vcpu, tlb, NULL,
-NULL);
+ if (kvm_mips_handle_mapped_seg_tlb_fault(vcpu, tlb,
+NULL, NULL)) {
+ kvm_err("%s: handling mapped seg tlb fault for
%lx, index: %u, vcpu: %p, ASID: %#lx\n",
+ __func__, va, index, vcpu,
+ read_c0_entryhi());
+ er = EMULATE_FAIL;
+ }
}
}
diff --git a/arch/mips/kvm/kvm_tlb.c b/arch/mips/kvm/kvm_tlb.c
index 5a3c3731214f..4bee4397dca8 100644
--- a/arch/mips/kvm/kvm_tlb.c
+++ b/arch/mips/kvm/kvm_tlb.c
@@ -926,10 +926,16 @@ uint32_t kvm_get_inst(uint32_t *opc, struct kvm_vcpu
*vcpu)
local_irq_restore(flags);
return KVM_INVALID_INST;
}
- kvm_mips_handle_mapped_seg_tlb_fault(vcpu,
-&vcpu->arch.
-guest_tlb[index],
-
[PATCH 3.12 056/100] x86/mm: Improve switch_mm() barrier comments
From: Andy Lutomirski
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit 4eaffdd5a5fe6ff9f95e1ab4de1ac904d5e0fa8b upstream.
My previous comments were still a bit confusing and there was a
typo. Fix it up.
Reported-by: Peter Zijlstra
Signed-off-by: Andy Lutomirski
Cc: Andy Lutomirski
Cc: Borislav Petkov
Cc: Brian Gerst
Cc: Dave Hansen
Cc: Denys Vlasenko
Cc: H. Peter Anvin
Cc: Linus Torvalds
Cc: Rik van Riel
Cc: Thomas Gleixner
Cc: sta...@vger.kernel.org
Fixes: 71b3c126e611 ("x86/mm: Add barriers and document switch_mm()-vs-flush
synchronization")
Link:
http://lkml.kernel.org/r/0a0b43cdcdd241c5faaaecfbcc91a155ddedc9a1.1452631609.git.l...@kernel.org
Signed-off-by: Ingo Molnar
Signed-off-by: Jiri Slaby
---
arch/x86/include/asm/mmu_context.h | 15 ---
1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/arch/x86/include/asm/mmu_context.h
b/arch/x86/include/asm/mmu_context.h
index 20cf2c4e1872..50f622dc0b1a 100644
--- a/arch/x86/include/asm/mmu_context.h
+++ b/arch/x86/include/asm/mmu_context.h
@@ -102,14 +102,16 @@ static inline void switch_mm(struct mm_struct *prev,
struct mm_struct *next,
* be sent, and CPU 0's TLB will contain a stale entry.)
*
* The bad outcome can occur if either CPU's load is
-* reordered before that CPU's store, so both CPUs much
+* reordered before that CPU's store, so both CPUs must
* execute full barriers to prevent this from happening.
*
* Thus, switch_mm needs a full barrier between the
* store to mm_cpumask and any operation that could load
-* from next->pgd. This barrier synchronizes with
-* remote TLB flushers. Fortunately, load_cr3 is
-* serializing and thus acts as a full barrier.
+* from next->pgd. TLB fills are special and can happen
+* due to instruction fetches or for no reason at all,
+* and neither LOCK nor MFENCE orders them.
+* Fortunately, load_cr3() is serializing and gives the
+* ordering guarantee we need.
*
*/
load_cr3(next->pgd);
@@ -140,9 +142,8 @@ static inline void switch_mm(struct mm_struct *prev, struct
mm_struct *next,
* tlb flush IPI delivery. We must reload CR3
* to make sure to use no freed page tables.
*
-* As above, this is a barrier that forces
-* TLB repopulation to be ordered after the
-* store to mm_cpumask.
+* As above, load_cr3() is serializing and orders TLB
+* fills with respect to the mm_cpumask write.
*/
load_cr3(next->pgd);
load_mm_ldt(next);
--
2.9.3
[PATCH 3.12 059/100] apparmor: fix ref count leak when profile sha1 hash is read
From: John Johansen 3.12-stable review patch. If anyone has any objections, please let me know. === commit 0b938a2e2cf0b0a2c8bac9769111545aff0fee97 upstream. Signed-off-by: John Johansen Acked-by: Seth Arnold Signed-off-by: Jiri Slaby --- security/apparmor/apparmorfs.c | 1 + 1 file changed, 1 insertion(+) diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c index 7db9954f1af2..b30489856741 100644 --- a/security/apparmor/apparmorfs.c +++ b/security/apparmor/apparmorfs.c @@ -331,6 +331,7 @@ static int aa_fs_seq_hash_show(struct seq_file *seq, void *v) seq_printf(seq, "%.2x", profile->hash[i]); seq_puts(seq, "\n"); } + aa_put_profile(profile); return 0; } -- 2.9.3
[PATCH 3.12 060/100] block: fix use-after-free in seq file
From: Vegard Nossum
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit 77da160530dd1dc94f6ae15a981f24e5f0021e84 upstream.
I got a KASAN report of use-after-free:
==
BUG: KASAN: use-after-free in klist_iter_exit+0x61/0x70 at addr
8800b6581508
Read of size 8 by task trinity-c1/315
=
BUG kmalloc-32 (Not tainted): kasan: bad access detected
-
Disabling lock debugging due to kernel taint
INFO: Allocated in disk_seqf_start+0x66/0x110 age=144 cpu=1 pid=315
___slab_alloc+0x4f1/0x520
__slab_alloc.isra.58+0x56/0x80
kmem_cache_alloc_trace+0x260/0x2a0
disk_seqf_start+0x66/0x110
traverse+0x176/0x860
seq_read+0x7e3/0x11a0
proc_reg_read+0xbc/0x180
do_loop_readv_writev+0x134/0x210
do_readv_writev+0x565/0x660
vfs_readv+0x67/0xa0
do_preadv+0x126/0x170
SyS_preadv+0xc/0x10
do_syscall_64+0x1a1/0x460
return_from_SYSCALL_64+0x0/0x6a
INFO: Freed in disk_seqf_stop+0x42/0x50 age=160 cpu=1 pid=315
__slab_free+0x17a/0x2c0
kfree+0x20a/0x220
disk_seqf_stop+0x42/0x50
traverse+0x3b5/0x860
seq_read+0x7e3/0x11a0
proc_reg_read+0xbc/0x180
do_loop_readv_writev+0x134/0x210
do_readv_writev+0x565/0x660
vfs_readv+0x67/0xa0
do_preadv+0x126/0x170
SyS_preadv+0xc/0x10
do_syscall_64+0x1a1/0x460
return_from_SYSCALL_64+0x0/0x6a
CPU: 1 PID: 315 Comm: trinity-c1 Tainted: GB 4.7.0+ #62
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
Ubuntu-1.8.2-1ubuntu1 04/01/2014
ea0002d96000 880119b9f918 81d6ce81 88011a804480
8800b6581500 880119b9f948 8146c7bd 88011a804480
ea0002d96000 8800b6581500 fff4 880119b9f970
Call Trace:
[] dump_stack+0x65/0x84
[] print_trailer+0x10d/0x1a0
[] object_err+0x2f/0x40
[] kasan_report_error+0x221/0x520
[] __asan_report_load8_noabort+0x3e/0x40
[] klist_iter_exit+0x61/0x70
[] class_dev_iter_exit+0x9/0x10
[] disk_seqf_stop+0x3a/0x50
[] seq_read+0x4b2/0x11a0
[] proc_reg_read+0xbc/0x180
[] do_loop_readv_writev+0x134/0x210
[] do_readv_writev+0x565/0x660
[] vfs_readv+0x67/0xa0
[] do_preadv+0x126/0x170
[] SyS_preadv+0xc/0x10
This problem can occur in the following situation:
open()
- pread()
- .seq_start()
- iter = kmalloc() // succeeds
- seqf->private = iter
- .seq_stop()
- kfree(seqf->private)
- pread()
- .seq_start()
- iter = kmalloc() // fails
- .seq_stop()
- class_dev_iter_exit(seqf->private) // boom! old pointer
As the comment in disk_seqf_stop() says, stop is called even if start
failed, so we need to reinitialise the private pointer to NULL when seq
iteration stops.
An alternative would be to set the private pointer to NULL when the
kmalloc() in disk_seqf_start() fails.
Signed-off-by: Vegard Nossum
Acked-by: Tejun Heo
Signed-off-by: Jens Axboe
Signed-off-by: Jiri Slaby
---
block/genhd.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/block/genhd.c b/block/genhd.c
index 9316f5fd416f..38d4ba122a43 100644
--- a/block/genhd.c
+++ b/block/genhd.c
@@ -829,6 +829,7 @@ static void disk_seqf_stop(struct seq_file *seqf, void *v)
if (iter) {
class_dev_iter_exit(iter);
kfree(iter);
+ seqf->private = NULL;
}
}
--
2.9.3
[PATCH 3.12 057/100] arm: oabi compat: add missing access checks
From: Dave Weinstein 3.12-stable review patch. If anyone has any objections, please let me know. === commit 7de249964f5578e67b99699c5f0b405738d820a2 upstream. Add access checks to sys_oabi_epoll_wait() and sys_oabi_semtimedop(). This fixes CVE-2016-3857, a local privilege escalation under CONFIG_OABI_COMPAT. Reported-by: Chiachih Wu Reviewed-by: Kees Cook Reviewed-by: Nicolas Pitre Signed-off-by: Dave Weinstein Signed-off-by: Linus Torvalds Signed-off-by: Jiri Slaby --- arch/arm/kernel/sys_oabi-compat.c | 8 +++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/arch/arm/kernel/sys_oabi-compat.c b/arch/arm/kernel/sys_oabi-compat.c index 3e94811690ce..a0aee80b608d 100644 --- a/arch/arm/kernel/sys_oabi-compat.c +++ b/arch/arm/kernel/sys_oabi-compat.c @@ -275,8 +275,12 @@ asmlinkage long sys_oabi_epoll_wait(int epfd, mm_segment_t fs; long ret, err, i; - if (maxevents <= 0 || maxevents > (INT_MAX/sizeof(struct epoll_event))) + if (maxevents <= 0 || + maxevents > (INT_MAX/sizeof(*kbuf)) || + maxevents > (INT_MAX/sizeof(*events))) return -EINVAL; + if (!access_ok(VERIFY_WRITE, events, sizeof(*events) * maxevents)) + return -EFAULT; kbuf = kmalloc(sizeof(*kbuf) * maxevents, GFP_KERNEL); if (!kbuf) return -ENOMEM; @@ -313,6 +317,8 @@ asmlinkage long sys_oabi_semtimedop(int semid, if (nsops < 1 || nsops > SEMOPM) return -EINVAL; + if (!access_ok(VERIFY_READ, tsops, sizeof(*tsops) * nsops)) + return -EFAULT; sops = kmalloc(sizeof(*sops) * nsops, GFP_KERNEL); if (!sops) return -ENOMEM; -- 2.9.3
[PATCH 3.12 052/100] MIPS: KVM: Fix gfn range check in kseg0 tlb faults
From: James Hogan
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit 0741f52d1b980dbeb290afe67d88fc2928edd8ab upstream.
Two consecutive gfns are loaded into host TLB, so ensure the range check
isn't off by one if guest_pmap_npages is odd.
Fixes: 858dd5d45733 ("KVM/MIPS32: MMU/TLB operations for the Guest.")
Signed-off-by: James Hogan
Cc: Paolo Bonzini
Cc: "Radim Krčmář"
Cc: Ralf Baechle
Cc: linux-m...@linux-mips.org
Cc: k...@vger.kernel.org
Signed-off-by: Radim Krčmář
[james.ho...@imgtec.com: Backport to v3.10.y - v3.15.y]
Signed-off-by: James Hogan
Signed-off-by: Jiri Slaby
---
arch/mips/kvm/kvm_tlb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/mips/kvm/kvm_tlb.c b/arch/mips/kvm/kvm_tlb.c
index 8aba2e54f90f..5a3c3731214f 100644
--- a/arch/mips/kvm/kvm_tlb.c
+++ b/arch/mips/kvm/kvm_tlb.c
@@ -312,7 +312,7 @@ int kvm_mips_handle_kseg0_tlb_fault(unsigned long badvaddr,
}
gfn = (KVM_GUEST_CPHYSADDR(badvaddr) >> PAGE_SHIFT);
- if (gfn >= kvm->arch.guest_pmap_npages) {
+ if ((gfn | 1) >= kvm->arch.guest_pmap_npages) {
kvm_err("%s: Invalid gfn: %#llx, BadVaddr: %#lx\n", __func__,
gfn, badvaddr);
kvm_mips_dump_host_tlbs();
--
2.9.3
Re: [LKP] [lkp] [sctp] a6c2f79287: netperf.Throughput_Mbps -37.2% regression
On Fri, Aug 19, 2016 at 04:19:39AM -0300, Marcelo Ricardo Leitner wrote: > Hi, > > Em 19-08-2016 02:29, Aaron Lu escreveu: > ... > > It doesn't look insane and sctp_wait_for_sndbuf may actually have > > something to do with a larger sctp_chunk I suppose? > > > > The same perf record doesn't capture any sample for the good commit, > > which suggests the nerperf process doesn't sleep in sctp_wait_for_sndbuf. > > Ahhh yes! It does, and then it would mean your txbuf is too small for the > chunk sizes you're using (sctp tests option -m). > > What's your netperf cmdline again please? netperf -4 -t SCTP_STREAM_MANY -c -C -l 300 -- -m 10K -H 127.0.0.1 Is the 10K used here a problem? If so, can you suggest a proper value for our netperf performance test? Thanks. Regards, Aaron
[PATCH 3.12 055/100] HID: multitouch: Add MT_QUIRK_NOT_SEEN_MEANS_UP to Surface Pro 3
From: Benjamin Tissoires
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit a80e803a2ae4efa5efbcfa97dcbbc48d15226cf9 upstream.
The firmware found in the touch screen of an SP3 is buggy and may miss
to send lift off reports for contacts. Try to work around that issue by
using MT_QUIRK_NOT_SEEN_MEANS_UP.
based on a patch from: Daniel Martin
Signed-off-by: Benjamin Tissoires
Signed-off-by: Jiri Kosina
Cc: Oliver Neukum
Signed-off-by: Jiri Slaby
---
drivers/hid/hid-multitouch.c | 5 +
1 file changed, 5 insertions(+)
diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c
index e7c2af5d3811..0ffc0a4d5182 100644
--- a/drivers/hid/hid-multitouch.c
+++ b/drivers/hid/hid-multitouch.c
@@ -1281,6 +1281,11 @@ static const struct hid_device_id mt_devices[] = {
MT_USB_DEVICE(USB_VENDOR_ID_PENMOUNT,
USB_DEVICE_ID_PENMOUNT_PCI) },
+ /* Ntrig Panel */
+ { .driver_data = MT_CLS_NSMU,
+ HID_DEVICE(BUS_I2C, HID_GROUP_MULTITOUCH_WIN_8,
+ USB_VENDOR_ID_NTRIG, 0x1b05) },
+
/* PixArt optical touch screen */
{ .driver_data = MT_CLS_INRANGE_CONTACTNUMBER,
MT_USB_DEVICE(USB_VENDOR_ID_PIXART,
--
2.9.3
[PATCH 3.12 049/100] tcp: consider recv buf for the initial window scale
From: Soheil Hassas Yeganeh
3.12-stable review patch. If anyone has any objections, please let me know.
===
[ Upstream commit f626300a3e776ccc9671b0dd94698fb3aa315966 ]
tcp_select_initial_window() intends to advertise a window
scaling for the maximum possible window size. To do so,
it considers the maximum of net.ipv4.tcp_rmem[2] and
net.core.rmem_max as the only possible upper-bounds.
However, users with CAP_NET_ADMIN can use SO_RCVBUFFORCE
to set the socket's receive buffer size to values
larger than net.ipv4.tcp_rmem[2] and net.core.rmem_max.
Thus, SO_RCVBUFFORCE is effectively ignored by
tcp_select_initial_window().
To fix this, consider the maximum of net.ipv4.tcp_rmem[2],
net.core.rmem_max and socket's initial buffer space.
Fixes: b0573dea1fb3 ("[NET]: Introduce SO_{SND,RCV}BUFFORCE socket options")
Signed-off-by: Soheil Hassas Yeganeh
Suggested-by: Neal Cardwell
Acked-by: Neal Cardwell
Signed-off-by: David S. Miller
Signed-off-by: Jiri Slaby
---
net/ipv4/tcp_output.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
index 47b27e9dd8cc..aa72c9d604a0 100644
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -242,7 +242,8 @@ void tcp_select_initial_window(int __space, __u32 mss,
/* Set window scaling on max possible window
* See RFC1323 for an explanation of the limit to 14
*/
- space = max_t(u32, sysctl_tcp_rmem[2], sysctl_rmem_max);
+ space = max_t(u32, space, sysctl_tcp_rmem[2]);
+ space = max_t(u32, space, sysctl_rmem_max);
space = min_t(u32, space, *window_clamp);
while (space > 65535 && (*rcv_wscale) < 14) {
space >>= 1;
--
2.9.3
[PATCH 3.12 045/100] net: mvneta: set real interrupt per packet for tx_done
From: Dmitri Epshtein
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit 06708f81528725148473c0869d6af5f809c6824b upstream.
Commit aebea2ba0f74 ("net: mvneta: fix Tx interrupt delay") intended to
set coalescing threshold to a value guaranteeing interrupt generation
per each sent packet, so that buffers can be released with no delay.
In fact setting threshold to '1' was wrong, because it causes interrupt
every two packets. According to the documentation a reason behind it is
following - interrupt occurs once sent buffers counter reaches a value,
which is higher than one specified in MVNETA_TXQ_SIZE_REG(q). This
behavior was confirmed during tests. Also when testing the SoC working
as a NAS device, better performance was observed with int-per-packet,
as it strongly depends on the fact that all transmitted packets are
released immediately.
This commit enables NETA controller work in interrupt per sent packet mode
by setting coalescing threshold to 0.
Signed-off-by: Dmitri Epshtein
Signed-off-by: Marcin Wojtas
Fixes aebea2ba0f74 ("net: mvneta: fix Tx interrupt delay")
Acked-by: Willy Tarreau
Signed-off-by: David S. Miller
Signed-off-by: Jiri Slaby
---
drivers/net/ethernet/marvell/mvneta.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/marvell/mvneta.c
b/drivers/net/ethernet/marvell/mvneta.c
index 5902e6a93167..8c07b331ef58 100644
--- a/drivers/net/ethernet/marvell/mvneta.c
+++ b/drivers/net/ethernet/marvell/mvneta.c
@@ -212,7 +212,7 @@
/* Various constants */
/* Coalescing */
-#define MVNETA_TXDONE_COAL_PKTS1
+#define MVNETA_TXDONE_COAL_PKTS0 /* interrupt per packet
*/
#define MVNETA_RX_COAL_PKTS32
#define MVNETA_RX_COAL_USEC100
--
2.9.3
[PATCH 3.12 042/100] can: fix handling of unmodifiable configuration options fix
From: Oliver Hartkopp
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit bce271f255dae8335dc4d2ee2c4531e09cc67f5a upstream.
With upstream commit bb208f144cf3f59 (can: fix handling of unmodifiable
configuration options) a new can_validate() function was introduced.
When invoking 'ip link set can0 type can' without any configuration data
can_validate() tries to validate the content without taking into account that
there's totally no content. This patch adds a check for missing content.
Reported-by: ajneu
Signed-off-by: Oliver Hartkopp
Signed-off-by: Marc Kleine-Budde
Signed-off-by: Jiri Slaby
---
drivers/net/can/dev.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c
index f66aeb79abdf..3c1a7f8211be 100644
--- a/drivers/net/can/dev.c
+++ b/drivers/net/can/dev.c
@@ -644,6 +644,9 @@ static int can_changelink(struct net_device *dev,
/* We need synchronization with dev->stop() */
ASSERT_RTNL();
+ if (!data)
+ return 0;
+
if (data[IFLA_CAN_CTRLMODE]) {
struct can_ctrlmode *cm;
--
2.9.3
[PATCH 3.12 051/100] MIPS: KVM: Add missing gfn range check
From: James Hogan
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit 8985d50382359e5bf118fdbefc859d0dbf6cebc7 upstream.
kvm_mips_handle_mapped_seg_tlb_fault() calculates the guest frame number
based on the guest TLB EntryLo values, however it is not range checked
to ensure it lies within the guest_pmap. If the physical memory the
guest refers to is out of range then dump the guest TLB and emit an
internal error.
Fixes: 858dd5d45733 ("KVM/MIPS32: MMU/TLB operations for the Guest.")
Signed-off-by: James Hogan
Cc: Paolo Bonzini
Cc: "Radim Krčmář"
Cc: Ralf Baechle
Cc: linux-m...@linux-mips.org
Cc: k...@vger.kernel.org
Signed-off-by: Radim Krčmář
[james.ho...@imgtec.com: Backport to v3.10.y - v3.15.y]
Signed-off-by: James Hogan
Signed-off-by: Jiri Slaby
---
arch/mips/kvm/kvm_tlb.c | 19 +++
1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/arch/mips/kvm/kvm_tlb.c b/arch/mips/kvm/kvm_tlb.c
index 1e6b1f124377..8aba2e54f90f 100644
--- a/arch/mips/kvm/kvm_tlb.c
+++ b/arch/mips/kvm/kvm_tlb.c
@@ -397,6 +397,7 @@ kvm_mips_handle_mapped_seg_tlb_fault(struct kvm_vcpu *vcpu,
unsigned long entryhi = 0, entrylo0 = 0, entrylo1 = 0;
struct kvm *kvm = vcpu->kvm;
pfn_t pfn0, pfn1;
+ gfn_t gfn0, gfn1;
long tlb_lo[2];
tlb_lo[0] = tlb->tlb_lo0;
@@ -410,14 +411,24 @@ kvm_mips_handle_mapped_seg_tlb_fault(struct kvm_vcpu
*vcpu,
VPN2_MASK & (PAGE_MASK << 1)))
tlb_lo[(KVM_GUEST_COMMPAGE_ADDR >> PAGE_SHIFT) & 1] = 0;
- if (kvm_mips_map_page(kvm, mips3_tlbpfn_to_paddr(tlb_lo[0]) >>
PAGE_SHIFT) < 0)
+ gfn0 = mips3_tlbpfn_to_paddr(tlb_lo[0]) >> PAGE_SHIFT;
+ gfn1 = mips3_tlbpfn_to_paddr(tlb_lo[1]) >> PAGE_SHIFT;
+ if (gfn0 >= kvm->arch.guest_pmap_npages ||
+ gfn1 >= kvm->arch.guest_pmap_npages) {
+ kvm_err("%s: Invalid gfn: [%#llx, %#llx], EHi: %#lx\n",
+ __func__, gfn0, gfn1, tlb->tlb_hi);
+ kvm_mips_dump_guest_tlbs(vcpu);
+ return -1;
+ }
+
+ if (kvm_mips_map_page(kvm, gfn0) < 0)
return -1;
- if (kvm_mips_map_page(kvm, mips3_tlbpfn_to_paddr(tlb_lo[1]) >>
PAGE_SHIFT) < 0)
+ if (kvm_mips_map_page(kvm, gfn1) < 0)
return -1;
- pfn0 = kvm->arch.guest_pmap[mips3_tlbpfn_to_paddr(tlb_lo[0]) >>
PAGE_SHIFT];
- pfn1 = kvm->arch.guest_pmap[mips3_tlbpfn_to_paddr(tlb_lo[1]) >>
PAGE_SHIFT];
+ pfn0 = kvm->arch.guest_pmap[gfn0];
+ pfn1 = kvm->arch.guest_pmap[gfn1];
if (hpa0)
*hpa0 = pfn0 << PAGE_SHIFT;
--
2.9.3
[PATCH 3.12 039/100] mm: thp: fix SMP race condition between THP page fault and MADV_DONTNEED
From: Andrea Arcangeli 3.12-stable review patch. If anyone has any objections, please let me know. === commit ad33bb04b2a6cee6c1f99fabb15cddbf93ff0433 upstream. pmd_trans_unstable()/pmd_none_or_trans_huge_or_clear_bad() were introduced to locklessy (but atomically) detect when a pmd is a regular (stable) pmd or when the pmd is unstable and can infinitely transition from pmd_none() and pmd_trans_huge() from under us, while only holding the mmap_sem for reading (for writing not). While holding the mmap_sem only for reading, MADV_DONTNEED can run from under us and so before we can assume the pmd to be a regular stable pmd we need to compare it against pmd_none() and pmd_trans_huge() in an atomic way, with pmd_trans_unstable(). The old pmd_trans_huge() left a tiny window for a race. Useful applications are unlikely to notice the difference as doing MADV_DONTNEED concurrently with a page fault would lead to undefined behavior. [js] 3.12 backport: no pmd_devmap in 3.12 yet. [a...@linux-foundation.org: tidy up comment grammar/layout] Signed-off-by: Andrea Arcangeli Reported-by: Kirill A. Shutemov Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Cc: Vlastimil Babka Signed-off-by: Jiri Slaby --- mm/memory.c | 14 -- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/mm/memory.c b/mm/memory.c index d0d84c36cd5c..61926356c09a 100644 --- a/mm/memory.c +++ b/mm/memory.c @@ -3814,8 +3814,18 @@ static int __handle_mm_fault(struct mm_struct *mm, struct vm_area_struct *vma, if (unlikely(pmd_none(*pmd)) && unlikely(__pte_alloc(mm, vma, pmd, address))) return VM_FAULT_OOM; - /* if an huge pmd materialized from under us just retry later */ - if (unlikely(pmd_trans_huge(*pmd))) + /* +* If a huge pmd materialized under us just retry later. Use +* pmd_trans_unstable() instead of pmd_trans_huge() to ensure the pmd +* didn't become pmd_trans_huge under us and then back to pmd_none, as +* a result of MADV_DONTNEED running immediately after a huge pmd fault +* in a different thread of this mm, in turn leading to a misleading +* pmd_trans_huge() retval. All we have to ensure is that it is a +* regular pmd that we can walk with pte_offset_map() and we can do that +* through an atomic read in C, which is what pmd_trans_unstable() +* provides. +*/ + if (unlikely(pmd_trans_unstable(pmd))) return 0; /* * A regular pmd is established and it can't morph into a huge pmd -- 2.9.3
[PATCH 3.12 050/100] MIPS: KVM: Fix mapped fault broken commpage handling
From: James Hogan
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit c604cffa93478fbec62b23d6073dad03d43a upstream.
kvm_mips_handle_mapped_seg_tlb_fault() appears to map the guest page at
virtual address 0 to PFN 0 if the guest has created its own mapping
there. The intention is unclear, but it may have been an attempt to
protect the zero page from being mapped to anything but the comm page in
code paths you wouldn't expect from genuine commpage accesses (guest
kernel mode cache instructions on that address, hitting trapping
instructions when executing from that address with a coincidental TLB
eviction during the KVM handling, and guest user mode accesses to that
address).
Fix this to check for mappings exactly at KVM_GUEST_COMMPAGE_ADDR (it
may not be at address 0 since commit 42aa12e74e91 ("MIPS: KVM: Move
commpage so 0x0 is unmapped")), and set the corresponding EntryLo to be
interpreted as 0 (invalid).
Fixes: 858dd5d45733 ("KVM/MIPS32: MMU/TLB operations for the Guest.")
Signed-off-by: James Hogan
Cc: Paolo Bonzini
Cc: "Radim Krčmář"
Cc: Ralf Baechle
Cc: linux-m...@linux-mips.org
Cc: k...@vger.kernel.org
Signed-off-by: Radim Krčmář
[james.ho...@imgtec.com: Backport to v3.10.y - v3.15.y]
Signed-off-by: James Hogan
Signed-off-by: Jiri Slaby
---
arch/mips/kvm/kvm_tlb.c | 32 +++-
1 file changed, 19 insertions(+), 13 deletions(-)
diff --git a/arch/mips/kvm/kvm_tlb.c b/arch/mips/kvm/kvm_tlb.c
index c777dd36d4a8..1e6b1f124377 100644
--- a/arch/mips/kvm/kvm_tlb.c
+++ b/arch/mips/kvm/kvm_tlb.c
@@ -397,21 +397,27 @@ kvm_mips_handle_mapped_seg_tlb_fault(struct kvm_vcpu
*vcpu,
unsigned long entryhi = 0, entrylo0 = 0, entrylo1 = 0;
struct kvm *kvm = vcpu->kvm;
pfn_t pfn0, pfn1;
+ long tlb_lo[2];
+ tlb_lo[0] = tlb->tlb_lo0;
+ tlb_lo[1] = tlb->tlb_lo1;
- if ((tlb->tlb_hi & VPN2_MASK) == 0) {
- pfn0 = 0;
- pfn1 = 0;
- } else {
- if (kvm_mips_map_page(kvm, mips3_tlbpfn_to_paddr(tlb->tlb_lo0)
>> PAGE_SHIFT) < 0)
- return -1;
+ /*
+* The commpage address must not be mapped to anything else if the guest
+* TLB contains entries nearby, or commpage accesses will break.
+*/
+ if (!((tlb->tlb_hi ^ KVM_GUEST_COMMPAGE_ADDR) &
+ VPN2_MASK & (PAGE_MASK << 1)))
+ tlb_lo[(KVM_GUEST_COMMPAGE_ADDR >> PAGE_SHIFT) & 1] = 0;
- if (kvm_mips_map_page(kvm, mips3_tlbpfn_to_paddr(tlb->tlb_lo1)
>> PAGE_SHIFT) < 0)
- return -1;
+ if (kvm_mips_map_page(kvm, mips3_tlbpfn_to_paddr(tlb_lo[0]) >>
PAGE_SHIFT) < 0)
+ return -1;
- pfn0 = kvm->arch.guest_pmap[mips3_tlbpfn_to_paddr(tlb->tlb_lo0)
>> PAGE_SHIFT];
- pfn1 = kvm->arch.guest_pmap[mips3_tlbpfn_to_paddr(tlb->tlb_lo1)
>> PAGE_SHIFT];
- }
+ if (kvm_mips_map_page(kvm, mips3_tlbpfn_to_paddr(tlb_lo[1]) >>
PAGE_SHIFT) < 0)
+ return -1;
+
+ pfn0 = kvm->arch.guest_pmap[mips3_tlbpfn_to_paddr(tlb_lo[0]) >>
PAGE_SHIFT];
+ pfn1 = kvm->arch.guest_pmap[mips3_tlbpfn_to_paddr(tlb_lo[1]) >>
PAGE_SHIFT];
if (hpa0)
*hpa0 = pfn0 << PAGE_SHIFT;
@@ -423,9 +429,9 @@ kvm_mips_handle_mapped_seg_tlb_fault(struct kvm_vcpu *vcpu,
entryhi = (tlb->tlb_hi & VPN2_MASK) | (KVM_GUEST_KERNEL_MODE(vcpu) ?
kvm_mips_get_kernel_asid(vcpu) :
kvm_mips_get_user_asid(vcpu));
entrylo0 = mips3_paddr_to_tlbpfn(pfn0 << PAGE_SHIFT) | (0x3 << 3) |
- (tlb->tlb_lo0 & MIPS3_PG_D) | (tlb->tlb_lo0 &
MIPS3_PG_V);
+ (tlb_lo[0] & MIPS3_PG_D) | (tlb_lo[0] & MIPS3_PG_V);
entrylo1 = mips3_paddr_to_tlbpfn(pfn1 << PAGE_SHIFT) | (0x3 << 3) |
- (tlb->tlb_lo1 & MIPS3_PG_D) | (tlb->tlb_lo1 &
MIPS3_PG_V);
+ (tlb_lo[1] & MIPS3_PG_D) | (tlb_lo[1] & MIPS3_PG_V);
#ifdef DEBUG
kvm_debug("@ %#lx tlb_lo0: 0x%08lx tlb_lo1: 0x%08lx\n", vcpu->arch.pc,
--
2.9.3
[PATCH 3.12 048/100] net/irda: fix NULL pointer dereference on memory allocation failure
From: Vegard Nossum
3.12-stable review patch. If anyone has any objections, please let me know.
===
[ Upstream commit d3e6952cfb7ba5f4bfa29d4803ba91f96ce1204d ]
I ran into this:
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: [#1] PREEMPT SMP KASAN
CPU: 2 PID: 2012 Comm: trinity-c3 Not tainted 4.7.0-rc7+ #19
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
Ubuntu-1.8.2-1ubuntu1 04/01/2014
task: 8800b745f2c0 ti: 88011174 task.ti: 88011174
RIP: 0010:[] []
irttp_connect_request+0x36/0x710
RSP: 0018:880111747bb8 EFLAGS: 00010286
RAX: dc00 RBX: RCX: 69dd8358
RDX: 0009 RSI: 0027 RDI: 0048
RBP: 880111747c00 R08: R09:
R10: 69dd8358 R11: 10759723 R12:
R13: 88011a7e4780 R14: 0027 R15:
FS: 7fc738404700() GS:88011af0() knlGS:
CS: 0010 DS: ES: CR0: 80050033
CR2: 7fc737fdfb10 CR3: 000118087000 CR4: 06e0
Stack:
0200 880111747bd8 810ee611 880119f1f220
880119f1f4f8 880119f1f4f0 88011a7e4780 880119f1f232
880119f1f220 880111747d58 82bca542
Call Trace:
[] irda_connect+0x562/0x1190
[] SYSC_connect+0x202/0x2a0
[] SyS_connect+0x9/0x10
[] do_syscall_64+0x19c/0x410
[] entry_SYSCALL64_slow_path+0x25/0x25
Code: 41 89 ca 48 89 e5 41 57 41 56 41 55 41 54 41 89 d7 53 48 89 fb 48 83
c7 48 48 89 fa 41 89 f6 48 c1 ea 03 48 83 ec 20 4c 8b 65 10 <0f> b6 04 02 84 c0
74 08 84 c0 0f 8e 4c 04 00 00 80 7b 48 00 74
RIP [] irttp_connect_request+0x36/0x710
RSP
---[ end trace 4cda2588bc055b30 ]---
The problem is that irda_open_tsap() can fail and leave self->tsap = NULL,
and then irttp_connect_request() almost immediately dereferences it.
Cc: sta...@vger.kernel.org
Signed-off-by: Vegard Nossum
Signed-off-by: David S. Miller
Signed-off-by: Jiri Slaby
---
net/irda/af_irda.c | 7 +--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c
index f8133ff5b081..c95bafa65f5b 100644
--- a/net/irda/af_irda.c
+++ b/net/irda/af_irda.c
@@ -1039,8 +1039,11 @@ static int irda_connect(struct socket *sock, struct
sockaddr *uaddr,
}
/* Check if we have opened a local TSAP */
- if (!self->tsap)
- irda_open_tsap(self, LSAP_ANY, addr->sir_name);
+ if (!self->tsap) {
+ err = irda_open_tsap(self, LSAP_ANY, addr->sir_name);
+ if (err)
+ goto out;
+ }
/* Move to connecting socket, start sending Connect Requests */
sock->state = SS_CONNECTING;
--
2.9.3
[PATCH 3.12 040/100] x86, asmlinkage, lguest: Pass in globals into assembler statement
From: Andi Kleen
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit cdd77e87eae52b7251acc5990207a1c4500a84ce upstream.
Tell the compiler that the inline assembler statement
references lguest_entry.
This fixes compile problems with LTO where the variable
and the assembler code may end up in different files.
Cc: x...@kernel.org
Cc: ru...@rustcorp.com.au
Signed-off-by: Andi Kleen
Signed-off-by: Rusty Russell
Signed-off-by: Jiri Slaby
---
drivers/lguest/x86/core.c | 6 --
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/lguest/x86/core.c b/drivers/lguest/x86/core.c
index 516923926335..922a1acbf652 100644
--- a/drivers/lguest/x86/core.c
+++ b/drivers/lguest/x86/core.c
@@ -157,7 +157,7 @@ static void run_guest_once(struct lg_cpu *cpu, struct
lguest_pages *pages)
* stack, then the address of this call. This stack layout happens to
* exactly match the stack layout created by an interrupt...
*/
- asm volatile("pushf; lcall *lguest_entry"
+ asm volatile("pushf; lcall *%4"
/*
* This is how we tell GCC that %eax ("a") and %ebx ("b")
* are changed by this routine. The "=" means output.
@@ -169,7 +169,9 @@ static void run_guest_once(struct lg_cpu *cpu, struct
lguest_pages *pages)
* physical address of the Guest's top-level page
* directory.
*/
-: "0"(pages),
"1"(__pa(cpu->lg->pgdirs[cpu->cpu_pgd].pgdir))
+: "0"(pages),
+ "1"(__pa(cpu->lg->pgdirs[cpu->cpu_pgd].pgdir)),
+ "m"(lguest_entry)
/*
* We tell gcc that all these registers could change,
* which means we don't have to save and restore them in
--
2.9.3
[PATCH 3.12 046/100] random32: add prandom_u32_max and convert open coded users
From: Daniel Borkmann
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit f337db64af059c9a94278a8b0ab97d87259ff62f upstream.
Many functions have open coded a function that returns a random
number in range [0,N-1]. Under the assumption that we have a PRNG
such as taus113 with being well distributed in [0, ~0U] space,
we can implement such a function as uword t = (n*m')>>32, where
m' is a random number obtained from PRNG, n the right open interval
border and t our resulting random number, with n,m',t in u32 universe.
Lets go with Joe and simply call it prandom_u32_max(), although
technically we have an right open interval endpoint, but that we
have documented. Other users can further be migrated to the new
prandom_u32_max() function later on; for now, we need to make sure
to migrate reciprocal_divide() users for the reciprocal_divide()
follow-up fixup since their function signatures are going to change.
Joint work with Hannes Frederic Sowa.
Cc: Jakub Zawadzki
Cc: Eric Dumazet
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Hannes Frederic Sowa
Signed-off-by: Daniel Borkmann
Signed-off-by: David S. Miller
Signed-off-by: Jiri Slaby
---
drivers/net/team/team_mode_random.c | 8 +---
include/linux/random.h | 18 +-
net/packet/af_packet.c | 2 +-
net/sched/sch_choke.c | 9 +
4 files changed, 20 insertions(+), 17 deletions(-)
diff --git a/drivers/net/team/team_mode_random.c
b/drivers/net/team/team_mode_random.c
index 7f032e211343..cd2f692b8074 100644
--- a/drivers/net/team/team_mode_random.c
+++ b/drivers/net/team/team_mode_random.c
@@ -13,20 +13,14 @@
#include
#include
#include
-#include
#include
-static u32 random_N(unsigned int N)
-{
- return reciprocal_divide(prandom_u32(), N);
-}
-
static bool rnd_transmit(struct team *team, struct sk_buff *skb)
{
struct team_port *port;
int port_index;
- port_index = random_N(team->en_port_count);
+ port_index = prandom_u32_max(team->en_port_count);
port = team_get_port_by_index_rcu(team, port_index);
if (unlikely(!port))
goto drop;
diff --git a/include/linux/random.h b/include/linux/random.h
index bf9085e89fb5..230040642bea 100644
--- a/include/linux/random.h
+++ b/include/linux/random.h
@@ -8,7 +8,6 @@
#include
-
extern void add_device_randomness(const void *, unsigned int);
extern void add_input_randomness(unsigned int type, unsigned int code,
unsigned int value);
@@ -33,6 +32,23 @@ void prandom_seed(u32 seed);
u32 prandom_u32_state(struct rnd_state *);
void prandom_bytes_state(struct rnd_state *state, void *buf, int nbytes);
+/**
+ * prandom_u32_max - returns a pseudo-random number in interval [0, ep_ro)
+ * @ep_ro: right open interval endpoint
+ *
+ * Returns a pseudo-random number that is in interval [0, ep_ro). Note
+ * that the result depends on PRNG being well distributed in [0, ~0U]
+ * u32 space. Here we use maximally equidistributed combined Tausworthe
+ * generator, that is, prandom_u32(). This is useful when requesting a
+ * random index of an array containing ep_ro elements, for example.
+ *
+ * Returns: pseudo-random number in interval [0, ep_ro)
+ */
+static inline u32 prandom_u32_max(u32 ep_ro)
+{
+ return (u32)(((u64) prandom_u32() * ep_ro) >> 32);
+}
+
/*
* Handle minimum values for seeds
*/
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 63d0f92f45d0..1e9cb9921daa 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -1178,7 +1178,7 @@ static unsigned int fanout_demux_rnd(struct packet_fanout
*f,
struct sk_buff *skb,
unsigned int num)
{
- return reciprocal_divide(prandom_u32(), num);
+ return prandom_u32_max(num);
}
static unsigned int fanout_demux_rollover(struct packet_fanout *f,
diff --git a/net/sched/sch_choke.c b/net/sched/sch_choke.c
index ddd73cb2d7ba..2aee02802c27 100644
--- a/net/sched/sch_choke.c
+++ b/net/sched/sch_choke.c
@@ -14,7 +14,6 @@
#include
#include
#include
-#include
#include
#include
#include
@@ -77,12 +76,6 @@ struct choke_sched_data {
struct sk_buff **tab;
};
-/* deliver a random number between 0 and N - 1 */
-static u32 random_N(unsigned int N)
-{
- return reciprocal_divide(prandom_u32(), N);
-}
-
/* number of elements in queue including holes */
static unsigned int choke_len(const struct choke_sched_data *q)
{
@@ -233,7 +226,7 @@ static struct sk_buff *choke_peek_random(const struct
choke_sched_data *q,
int retrys = 3;
do {
- *pidx = (q->head + random_N(choke_len(q))) & q->tab_mask;
+ *pidx = (q->head + prandom_u32_max(choke_len(q))) & q->tab_mask;
skb = q->tab[*pidx];
if (skb)
return skb;
--
2.9.3
[PATCH 3.12 047/100] tcp: make challenge acks less predictable
From: Eric Dumazet
3.12-stable review patch. If anyone has any objections, please let me know.
===
[ Upstream commit 75ff39ccc1bd5d3c455b6822ab09e533c551f758 ]
Yue Cao claims that current host rate limiting of challenge ACKS
(RFC 5961) could leak enough information to allow a patient attacker
to hijack TCP sessions. He will soon provide details in an academic
paper.
This patch increases the default limit from 100 to 1000, and adds
some randomization so that the attacker can no longer hijack
sessions without spending a considerable amount of probes.
Based on initial analysis and patch from Linus.
Note that we also have per socket rate limiting, so it is tempting
to remove the host limit in the future.
v2: randomize the count of challenge acks per second, not the period.
js: backport to 3.12
Fixes: 282f23c6ee34 ("tcp: implement RFC 5961 3.2")
Reported-by: Yue Cao
Signed-off-by: Eric Dumazet
Suggested-by: Linus Torvalds
Cc: Yuchung Cheng
Cc: Neal Cardwell
Acked-by: Neal Cardwell
Acked-by: Yuchung Cheng
Signed-off-by: David S. Miller
Signed-off-by: Jiri Slaby
---
net/ipv4/tcp_input.c | 13 +
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 3062acf74165..9eef76176704 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -87,7 +87,7 @@ int sysctl_tcp_adv_win_scale __read_mostly = 1;
EXPORT_SYMBOL(sysctl_tcp_adv_win_scale);
/* rfc5961 challenge ack rate limiting */
-int sysctl_tcp_challenge_ack_limit = 100;
+int sysctl_tcp_challenge_ack_limit = 1000;
int sysctl_tcp_stdurg __read_mostly;
int sysctl_tcp_rfc1337 __read_mostly;
@@ -3242,13 +3242,18 @@ static void tcp_send_challenge_ack(struct sock *sk)
/* unprotected vars, we dont care of overwrites */
static u32 challenge_timestamp;
static unsigned int challenge_count;
- u32 now = jiffies / HZ;
+ u32 count, now = jiffies / HZ;
if (now != challenge_timestamp) {
+ u32 half = (sysctl_tcp_challenge_ack_limit + 1) >> 1;
+
challenge_timestamp = now;
- challenge_count = 0;
+ WRITE_ONCE(challenge_count, half +
+ prandom_u32_max(sysctl_tcp_challenge_ack_limit));
}
- if (++challenge_count <= sysctl_tcp_challenge_ack_limit) {
+ count = READ_ONCE(challenge_count);
+ if (count > 0) {
+ WRITE_ONCE(challenge_count, count - 1);
NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPCHALLENGEACK);
tcp_send_ack(sk);
}
--
2.9.3
[PATCH 3.12 044/100] ipr: Clear interrupt on croc/crocodile when running with LSI
From: Brian King
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit 54e430bbd490e18ab116afa4cd90dcc45787b3df upstream.
If we fall back to using LSI on the Croc or Crocodile chip we need to
clear the interrupt so we don't hang the system.
Tested-by: Benjamin Herrenschmidt
Signed-off-by: Brian King
Signed-off-by: Martin K. Petersen
Signed-off-by: Jiri Slaby
---
drivers/scsi/ipr.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/scsi/ipr.c b/drivers/scsi/ipr.c
index d4473d2f8739..676c03e63cae 100644
--- a/drivers/scsi/ipr.c
+++ b/drivers/scsi/ipr.c
@@ -9644,6 +9644,7 @@ static int ipr_probe_ioa(struct pci_dev *pdev,
ioa_cfg->intr_flag = IPR_USE_MSI;
else {
ioa_cfg->intr_flag = IPR_USE_LSI;
+ ioa_cfg->clear_isr = 1;
ioa_cfg->nvectors = 1;
dev_info(&pdev->dev, "Cannot enable MSI.\n");
}
--
2.9.3
[PATCH 3.12 018/100] iio:ad7266: Fix broken regulator error handling
From: Mark Brown
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit 6b7f4e25f3309f106a5c7ff42c8231494cf285d3 upstream.
All regulator_get() variants return either a pointer to a regulator or an
ERR_PTR() so testing for NULL makes no sense and may lead to bugs if we
use NULL as a valid regulator. Fix this by using IS_ERR() as expected.
Signed-off-by: Mark Brown
Signed-off-by: Jonathan Cameron
Signed-off-by: Jiri Slaby
---
drivers/iio/adc/ad7266.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/iio/adc/ad7266.c b/drivers/iio/adc/ad7266.c
index 371731df1634..c9b150d39166 100644
--- a/drivers/iio/adc/ad7266.c
+++ b/drivers/iio/adc/ad7266.c
@@ -406,7 +406,7 @@ static int ad7266_probe(struct spi_device *spi)
st = iio_priv(indio_dev);
st->reg = devm_regulator_get(&spi->dev, "vref");
- if (!IS_ERR_OR_NULL(st->reg)) {
+ if (!IS_ERR(st->reg)) {
ret = regulator_enable(st->reg);
if (ret)
return ret;
--
2.9.3
[PATCH 3.12 038/100] mmc: block: fix packed command header endianness
From: Taras Kondratiuk
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit f68381a70bb2b26c31b13fdaf67c778f92fd32b4 upstream.
The code that fills packed command header assumes that CPU runs in
little-endian mode. Hence the header is malformed in big-endian mode
and causes MMC data transfer errors:
[ 563.200828] mmcblk0: error -110 transferring data, sector 2048, nr 8, cmd
response 0x900, card status 0xc40
[ 563.219647] mmcblk0: packed cmd failed, nr 2, sectors 16, failure index: -1
Convert header data to LE.
Signed-off-by: Taras Kondratiuk
Fixes: ce39f9d17c14 ("mmc: support packed write command for eMMC4.5 devices")
Signed-off-by: Ulf Hansson
Signed-off-by: Jiri Slaby
---
drivers/mmc/card/block.c | 12 ++--
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/drivers/mmc/card/block.c b/drivers/mmc/card/block.c
index ee76ff2af935..0405fba9f7a8 100644
--- a/drivers/mmc/card/block.c
+++ b/drivers/mmc/card/block.c
@@ -1610,8 +1610,8 @@ static void mmc_blk_packed_hdr_wrq_prep(struct
mmc_queue_req *mqrq,
packed_cmd_hdr = packed->cmd_hdr;
memset(packed_cmd_hdr, 0, sizeof(packed->cmd_hdr));
- packed_cmd_hdr[0] = (packed->nr_entries << 16) |
- (PACKED_CMD_WR << 8) | PACKED_CMD_VER;
+ packed_cmd_hdr[0] = cpu_to_le32((packed->nr_entries << 16) |
+ (PACKED_CMD_WR << 8) | PACKED_CMD_VER);
hdr_blocks = mmc_large_sector(card) ? 8 : 1;
/*
@@ -1625,14 +1625,14 @@ static void mmc_blk_packed_hdr_wrq_prep(struct
mmc_queue_req *mqrq,
((brq->data.blocks * brq->data.blksz) >=
card->ext_csd.data_tag_unit_size);
/* Argument of CMD23 */
- packed_cmd_hdr[(i * 2)] =
+ packed_cmd_hdr[(i * 2)] = cpu_to_le32(
(do_rel_wr ? MMC_CMD23_ARG_REL_WR : 0) |
(do_data_tag ? MMC_CMD23_ARG_TAG_REQ : 0) |
- blk_rq_sectors(prq);
+ blk_rq_sectors(prq));
/* Argument of CMD18 or CMD25 */
- packed_cmd_hdr[((i * 2)) + 1] =
+ packed_cmd_hdr[((i * 2)) + 1] = cpu_to_le32(
mmc_card_blockaddr(card) ?
- blk_rq_pos(prq) : blk_rq_pos(prq) << 9;
+ blk_rq_pos(prq) : blk_rq_pos(prq) << 9);
packed->blocks += blk_rq_sectors(prq);
i++;
}
--
2.9.3
[PATCH 3.12 037/100] qeth: delete napi struct when removing a qeth device
From: Ursula Braun
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit 7831b4ff0d926e0deeaabef9db8800ed069a2757 upstream.
A qeth_card contains a napi_struct linked to the net_device during
device probing. This struct must be deleted when removing the qeth
device, otherwise Panic on oops can occur when qeth devices are
repeatedly removed and added.
Fixes: a1c3ed4c9ca ("qeth: NAPI support for l2 and l3 discipline")
Signed-off-by: Ursula Braun
Tested-by: Alexander Klein
Signed-off-by: David S. Miller
Signed-off-by: Jiri Slaby
---
drivers/s390/net/qeth_l2_main.c | 1 +
drivers/s390/net/qeth_l3_main.c | 1 +
2 files changed, 2 insertions(+)
diff --git a/drivers/s390/net/qeth_l2_main.c b/drivers/s390/net/qeth_l2_main.c
index ec8ccdae7aba..0090de46aa5e 100644
--- a/drivers/s390/net/qeth_l2_main.c
+++ b/drivers/s390/net/qeth_l2_main.c
@@ -898,6 +898,7 @@ static void qeth_l2_remove_device(struct ccwgroup_device
*cgdev)
qeth_l2_set_offline(cgdev);
if (card->dev) {
+ netif_napi_del(&card->napi);
unregister_netdev(card->dev);
card->dev = NULL;
}
diff --git a/drivers/s390/net/qeth_l3_main.c b/drivers/s390/net/qeth_l3_main.c
index c1b0b2761f8d..7366bef742de 100644
--- a/drivers/s390/net/qeth_l3_main.c
+++ b/drivers/s390/net/qeth_l3_main.c
@@ -,6 +,7 @@ static void qeth_l3_remove_device(struct ccwgroup_device
*cgdev)
qeth_l3_set_offline(cgdev);
if (card->dev) {
+ netif_napi_del(&card->napi);
unregister_netdev(card->dev);
card->dev = NULL;
}
--
2.9.3
[PATCH 3.12 033/100] xen/pciback: Fix conf_space read/write overlap check.
From: Andrey Grodzovsky
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit 02ef871ecac290919ea0c783d05da7eedeffc10e upstream.
Current overlap check is evaluating to false a case where a filter
field is fully contained (proper subset) of a r/w request. This
change applies classical overlap check instead to include all the
scenarios.
More specifically, for (Hilscher GmbH CIFX 50E-DP(M/S)) device driver
the logic is such that the entire confspace is read and written in 4
byte chunks. In this case as an example, CACHE_LINE_SIZE,
LATENCY_TIMER and PCI_BIST are arriving together in one call to
xen_pcibk_config_write() with offset == 0xc and size == 4. With the
exsisting overlap check the LATENCY_TIMER field (offset == 0xd, length
== 1) is fully contained in the write request and hence is excluded
from write, which is incorrect.
Signed-off-by: Andrey Grodzovsky
Reviewed-by: Boris Ostrovsky
Reviewed-by: Jan Beulich
Signed-off-by: David Vrabel
Signed-off-by: Jiri Slaby
---
drivers/xen/xen-pciback/conf_space.c | 6 ++
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/drivers/xen/xen-pciback/conf_space.c
b/drivers/xen/xen-pciback/conf_space.c
index 75fe3d466515..ba3fac8318bb 100644
--- a/drivers/xen/xen-pciback/conf_space.c
+++ b/drivers/xen/xen-pciback/conf_space.c
@@ -183,8 +183,7 @@ int xen_pcibk_config_read(struct pci_dev *dev, int offset,
int size,
field_start = OFFSET(cfg_entry);
field_end = OFFSET(cfg_entry) + field->size;
- if ((req_start >= field_start && req_start < field_end)
- || (req_end > field_start && req_end <= field_end)) {
+if (req_end > field_start && field_end > req_start) {
err = conf_space_read(dev, cfg_entry, field_start,
&tmp_val);
if (err)
@@ -230,8 +229,7 @@ int xen_pcibk_config_write(struct pci_dev *dev, int offset,
int size, u32 value)
field_start = OFFSET(cfg_entry);
field_end = OFFSET(cfg_entry) + field->size;
- if ((req_start >= field_start && req_start < field_end)
- || (req_end > field_start && req_end <= field_end)) {
+if (req_end > field_start && field_end > req_start) {
tmp_val = 0;
err = xen_pcibk_config_read(dev, field_start,
--
2.9.3
[PATCH 3.12 032/100] arc: unwind: warn only once if DW2_UNWIND is disabled
From: Alexey Brodkin
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit 9bd54517ee86cb164c734f72ea95aeba4804f10b upstream.
If CONFIG_ARC_DW2_UNWIND is disabled every time arc_unwind_core()
gets called following message gets printed in debug console:
->8---
CONFIG_ARC_DW2_UNWIND needs to be enabled
->8---
That message makes sense if user indeed wants to see a backtrace or
get nice function call-graphs in perf but what if user disabled
unwinder for the purpose? Why pollute his debug console?
So instead we'll warn user about possibly missing feature once and
let him decide if that was what he or she really wanted.
Signed-off-by: Alexey Brodkin
Signed-off-by: Vineet Gupta
Signed-off-by: Jiri Slaby
---
arch/arc/kernel/stacktrace.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arc/kernel/stacktrace.c b/arch/arc/kernel/stacktrace.c
index 9c9e1d3ec5fe..0ebb921e8786 100644
--- a/arch/arc/kernel/stacktrace.c
+++ b/arch/arc/kernel/stacktrace.c
@@ -131,7 +131,7 @@ arc_unwind_core(struct task_struct *tsk, struct pt_regs
*regs,
* prelogue is setup (callee regs saved and then fp set and not other
* way around
*/
- pr_warn("CONFIG_ARC_DW2_UNWIND needs to be enabled\n");
+ pr_warn_once("CONFIG_ARC_DW2_UNWIND needs to be enabled\n");
return 0;
#endif
--
2.9.3
[PATCH 3.12 029/100] tmpfs: fix regression hang in fallocate undo
From: Hugh Dickins
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit 7f556567036cb7f89aabe2f0954b08566b4efb53 upstream.
The well-spotted fallocate undo fix is good in most cases, but not when
fallocate failed on the very first page. index 0 then passes lend -1
to shmem_undo_range(), and that has two bad effects: (a) that it will
undo every fallocation throughout the file, unrestricted by the current
range; but more importantly (b) it can cause the undo to hang, because
lend -1 is treated as truncation, which makes it keep on retrying until
every page has gone, but those already fully instantiated will never go
away. Big thank you to xfstests generic/269 which demonstrates this.
Fixes: b9b4bb26af01 ("tmpfs: don't undo fallocate past its last page")
Signed-off-by: Hugh Dickins
Signed-off-by: Linus Torvalds
Signed-off-by: Jiri Slaby
---
mm/shmem.c | 8 +---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/mm/shmem.c b/mm/shmem.c
index ff42f161fc32..fb31c6984c09 100644
--- a/mm/shmem.c
+++ b/mm/shmem.c
@@ -1895,9 +1895,11 @@ static long shmem_fallocate(struct file *file, int mode,
loff_t offset,
NULL);
if (error) {
/* Remove the !PageUptodate pages we added */
- shmem_undo_range(inode,
- (loff_t)start << PAGE_CACHE_SHIFT,
- ((loff_t)index << PAGE_CACHE_SHIFT) - 1, true);
+ if (index > start) {
+ shmem_undo_range(inode,
+(loff_t)start << PAGE_CACHE_SHIFT,
+((loff_t)index << PAGE_CACHE_SHIFT) - 1, true);
+ }
goto undone;
}
--
2.9.3
[PATCH 3.12 030/100] s390/seccomp: fix error return for filtered system calls
From: Jan Willeke
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit dc295880c6752076f8b94ba3885d0bfff09e3e82 upstream.
The syscall_set_return_value function of s390 negates the error argument
before storing the value to the return register gpr2. This is incorrect,
the seccomp code already passes the negative error value.
Store the unmodified error value to gpr2.
Signed-off-by: Jan Willeke
Signed-off-by: Martin Schwidefsky
Signed-off-by: Jiri Slaby
---
arch/s390/include/asm/syscall.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/s390/include/asm/syscall.h b/arch/s390/include/asm/syscall.h
index cd29d2f4e4f3..749313b452ae 100644
--- a/arch/s390/include/asm/syscall.h
+++ b/arch/s390/include/asm/syscall.h
@@ -54,7 +54,7 @@ static inline void syscall_set_return_value(struct
task_struct *task,
struct pt_regs *regs,
int error, long val)
{
- regs->gprs[2] = error ? -error : val;
+ regs->gprs[2] = error ? error : val;
}
static inline void syscall_get_arguments(struct task_struct *task,
--
2.9.3
[PATCH 3.12 019/100] iio:ad7266: Fix support for optional regulators
From: Mark Brown
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit e5511c816e5ac4909bdd38e85ac344e2b9b8e984 upstream.
The ad7266 driver attempts to support deciding between the use of internal
and external power supplies by checking to see if an error is returned when
requesting the regulator. This doesn't work with the current code since the
driver uses a normal regulator_get() which is for non-optional supplies
and so assumes that if a regulator is not provided by the platform then
this is a bug in the platform integration and so substitutes a dummy
regulator. Use regulator_get_optional() instead which indicates to the
framework that the regulator may be absent and provides a dummy regulator
instead.
Signed-off-by: Mark Brown
Signed-off-by: Jonathan Cameron
Signed-off-by: Jiri Slaby
---
drivers/iio/adc/ad7266.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/iio/adc/ad7266.c b/drivers/iio/adc/ad7266.c
index c9b150d39166..5154041257c2 100644
--- a/drivers/iio/adc/ad7266.c
+++ b/drivers/iio/adc/ad7266.c
@@ -405,7 +405,7 @@ static int ad7266_probe(struct spi_device *spi)
st = iio_priv(indio_dev);
- st->reg = devm_regulator_get(&spi->dev, "vref");
+ st->reg = devm_regulator_get_optional(&spi->dev, "vref");
if (!IS_ERR(st->reg)) {
ret = regulator_enable(st->reg);
if (ret)
--
2.9.3
[PATCH 3.12 034/100] Input: wacom_w8001 - w8001_MAX_LENGTH should be 13
From: Ping Cheng
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit 12afb34400eb2b301f06b2aa3535497d14faee59 upstream.
Somehow the patch that added two-finger touch support forgot to update
W8001_MAX_LENGTH from 11 to 13.
Signed-off-by: Ping Cheng
Reviewed-by: Peter Hutterer
Signed-off-by: Dmitry Torokhov
Signed-off-by: Jiri Slaby
---
drivers/input/touchscreen/wacom_w8001.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/input/touchscreen/wacom_w8001.c
b/drivers/input/touchscreen/wacom_w8001.c
index 9a83be6b6584..abba11220f29 100644
--- a/drivers/input/touchscreen/wacom_w8001.c
+++ b/drivers/input/touchscreen/wacom_w8001.c
@@ -28,7 +28,7 @@ MODULE_AUTHOR("Jaya Kumar ");
MODULE_DESCRIPTION(DRIVER_DESC);
MODULE_LICENSE("GPL");
-#define W8001_MAX_LENGTH 11
+#define W8001_MAX_LENGTH 13
#define W8001_LEAD_MASK0x80
#define W8001_LEAD_BYTE0x80
#define W8001_TAB_MASK 0x40
--
2.9.3
[PATCH 3.12 031/100] fs/nilfs2: fix potential underflow in call to crc32_le
From: Torsten Hilbrich 3.12-stable review patch. If anyone has any objections, please let me know. === commit 63d2f95d63396059200c391ca87161897b99e74a upstream. The value `bytes' comes from the filesystem which is about to be mounted. We cannot trust that the value is always in the range we expect it to be. Check its value before using it to calculate the length for the crc32_le call. It value must be larger (or equal) sumoff + 4. This fixes a kernel bug when accidentially mounting an image file which had the nilfs2 magic value 0x3434 at the right offset 0x406 by chance. The bytes 0x01 0x00 were stored at 0x408 and were interpreted as a s_bytes value of 1. This caused an underflow when substracting sumoff + 4 (20) in the call to crc32_le. BUG: unable to handle kernel paging request at 88021e60 IP: crc32_le+0x36/0x100 ... Call Trace: nilfs_valid_sb.part.5+0x52/0x60 [nilfs2] nilfs_load_super_block+0x142/0x300 [nilfs2] init_nilfs+0x60/0x390 [nilfs2] nilfs_mount+0x302/0x520 [nilfs2] mount_fs+0x38/0x160 vfs_kern_mount+0x67/0x110 do_mount+0x269/0xe00 SyS_mount+0x9f/0x100 entry_SYSCALL_64_fastpath+0x16/0x71 Link: http://lkml.kernel.org/r/1466778587-5184-2-git-send-email-konishi.ryus...@lab.ntt.co.jp Signed-off-by: Torsten Hilbrich Tested-by: Torsten Hilbrich Signed-off-by: Ryusuke Konishi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Jiri Slaby --- fs/nilfs2/the_nilfs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/nilfs2/the_nilfs.c b/fs/nilfs2/the_nilfs.c index 94c451ce6d24..30c047e0bad2 100644 --- a/fs/nilfs2/the_nilfs.c +++ b/fs/nilfs2/the_nilfs.c @@ -431,7 +431,7 @@ static int nilfs_valid_sb(struct nilfs_super_block *sbp) if (!sbp || le16_to_cpu(sbp->s_magic) != NILFS_SUPER_MAGIC) return 0; bytes = le16_to_cpu(sbp->s_bytes); - if (bytes > BLOCK_SIZE) + if (bytes < sumoff + 4 || bytes > BLOCK_SIZE) return 0; crc = crc32_le(le32_to_cpu(sbp->s_crc_seed), (unsigned char *)sbp, sumoff); -- 2.9.3
[PATCH 3.12 028/100] tmpfs: don't undo fallocate past its last page
From: Anthony Romano
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit b9b4bb26af017dbe930cd4df7f9b2fc3a0497bfe upstream.
When fallocate is interrupted it will undo a range that extends one byte
past its range of allocated pages. This can corrupt an in-use page by
zeroing out its first byte. Instead, undo using the inclusive byte
range.
Fixes: 1635f6a74152f1d ("tmpfs: undo fallocation on failure")
Link:
http://lkml.kernel.org/r/1462713387-16724-1-git-send-email-anthony.rom...@coreos.com
Signed-off-by: Anthony Romano
Cc: Vlastimil Babka
Cc: Hugh Dickins
Cc: Brandon Philips
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
Signed-off-by: Jiri Slaby
---
mm/shmem.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mm/shmem.c b/mm/shmem.c
index e9502a67e300..ff42f161fc32 100644
--- a/mm/shmem.c
+++ b/mm/shmem.c
@@ -1897,7 +1897,7 @@ static long shmem_fallocate(struct file *file, int mode,
loff_t offset,
/* Remove the !PageUptodate pages we added */
shmem_undo_range(inode,
(loff_t)start << PAGE_CACHE_SHIFT,
- (loff_t)index << PAGE_CACHE_SHIFT, true);
+ ((loff_t)index << PAGE_CACHE_SHIFT) - 1, true);
goto undone;
}
--
2.9.3
[PATCH 3.12 036/100] ext4: verify extent header depth
From: Vegard Nossum
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit 7bc9491645118c9461bd21099c31755ff6783593 upstream.
Although the extent tree depth of 5 should enough be for the worst
case of 2*32 extents of length 1, the extent tree code does not
currently to merge nodes which are less than half-full with a sibling
node, or to shrink the tree depth if possible. So it's possible, at
least in theory, for the tree depth to be greater than 5. However,
even in the worst case, a tree depth of 32 is highly unlikely, and if
the file system is maliciously corrupted, an insanely large eh_depth
can cause memory allocation failures that will trigger kernel warnings
(here, eh_depth = 65280):
JBD2: ext4.exe wants too many credits credits:195849 rsv_credits:0 max:256
[ cut here ]
WARNING: CPU: 0 PID: 50 at fs/jbd2/transaction.c:293
start_this_handle+0x569/0x580
CPU: 0 PID: 50 Comm: ext4.exe Not tainted 4.7.0-rc5+ #508
Stack:
604a8947 625badd8 0002fd09
60078643 62623910 601bf9bc
62623970 6002fc84 626239b0 90125
Call Trace:
[<6001c2dc>] show_stack+0xdc/0x1a0
[<601bf9bc>] dump_stack+0x2a/0x2e
[<6002fc84>] __warn+0x114/0x140
[<6002fdff>] warn_slowpath_null+0x1f/0x30
[<60165829>] start_this_handle+0x569/0x580
[<60165d4e>] jbd2__journal_start+0x11e/0x220
[<60146690>] __ext4_journal_start_sb+0x60/0xa0
[<60120a81>] ext4_truncate+0x131/0x3a0
[<60123677>] ext4_setattr+0x757/0x840
[<600d5d0f>] notify_change+0x16f/0x2a0
[<600b2b16>] do_truncate+0x76/0xc0
[<600c3e56>] path_openat+0x806/0x1300
[<600c55c9>] do_filp_open+0x89/0xf0
[<600b4074>] do_sys_open+0x134/0x1e0
[<600b4140>] SyS_open+0x20/0x30
[<6001ea68>] handle_syscall+0x88/0x90
[<600295fd>] userspace+0x3fd/0x500
[<6001ac55>] fork_handler+0x85/0x90
---[ end trace 08b0b88b6387a244 ]---
[ Commit message modified and the extent tree depath check changed
from 5 to 32 -- tytso ]
Cc: Darrick J. Wong
Signed-off-by: Vegard Nossum
Signed-off-by: Theodore Ts'o
Signed-off-by: Jiri Slaby
---
fs/ext4/extents.c | 4
1 file changed, 4 insertions(+)
diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
index a9d23daa0d6f..6b9d96bdd35c 100644
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -452,6 +452,10 @@ static int __ext4_ext_check(const char *function, unsigned
int line,
error_msg = "invalid extent entries";
goto corrupted;
}
+ if (unlikely(depth > 32)) {
+ error_msg = "too large eh_depth";
+ goto corrupted;
+ }
/* Verify checksum on non-root extent tree nodes */
if (ext_depth(inode) != depth &&
!ext4_extent_block_csum_verify(inode, eh)) {
--
2.9.3
[PATCH 3.12 023/100] ALSA: au88x0: Fix calculation in vortex_wtdma_bufshift()
From: Takashi Iwai
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit 62db7152c924e4c060e42b34a69cd39658e8a0dc upstream.
vortex_wtdma_bufshift() function does calculate the page index
wrongly, first masking then shift, which always results in zero.
The proper computation is to first shift, then mask.
Reported-by: Dan Carpenter
Signed-off-by: Takashi Iwai
Signed-off-by: Jiri Slaby
---
sound/pci/au88x0/au88x0_core.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/sound/pci/au88x0/au88x0_core.c b/sound/pci/au88x0/au88x0_core.c
index ae59dbaa53d9..42d4b13f1fa7 100644
--- a/sound/pci/au88x0/au88x0_core.c
+++ b/sound/pci/au88x0/au88x0_core.c
@@ -1442,9 +1442,8 @@ static int vortex_wtdma_bufshift(vortex_t * vortex, int
wtdma)
int page, p, pp, delta, i;
page =
- (hwread(vortex->mmio, VORTEX_WTDMA_STAT + (wtdma << 2)) &
-WT_SUBBUF_MASK)
- >> WT_SUBBUF_SHIFT;
+ (hwread(vortex->mmio, VORTEX_WTDMA_STAT + (wtdma << 2))
+>> WT_SUBBUF_SHIFT) & WT_SUBBUF_MASK;
if (dma->nr_periods >= 4)
delta = (page - dma->period_real) & 3;
else {
--
2.9.3
[PATCH 3.12 025/100] scsi: fix race between simultaneous decrements of ->host_failed
From: Wei Fang
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit 72d8c36ec364c82bf1bf0c64dfa1041cfaf139f7 upstream.
sas_ata_strategy_handler() adds the works of the ata error handler to
system_unbound_wq. This workqueue asynchronously runs work items, so the
ata error handler will be performed concurrently on different CPUs. In
this case, ->host_failed will be decreased simultaneously in
scsi_eh_finish_cmd() on different CPUs, and become abnormal.
It will lead to permanently inequality between ->host_failed and
->host_busy, and scsi error handler thread won't start running. IO
errors after that won't be handled.
Since all scmds must have been handled in the strategy handler, just
remove the decrement in scsi_eh_finish_cmd() and zero ->host_busy after
the strategy handler to fix this race.
Fixes: 50824d6c5657 ("[SCSI] libsas: async ata-eh")
Signed-off-by: Wei Fang
Reviewed-by: James Bottomley
Signed-off-by: Martin K. Petersen
Signed-off-by: Jiri Slaby
---
Documentation/scsi/scsi_eh.txt | 8 ++--
drivers/ata/libata-eh.c| 2 +-
drivers/scsi/scsi_error.c | 4 +++-
3 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/Documentation/scsi/scsi_eh.txt b/Documentation/scsi/scsi_eh.txt
index 6ff16b620d84..c08b62d63afa 100644
--- a/Documentation/scsi/scsi_eh.txt
+++ b/Documentation/scsi/scsi_eh.txt
@@ -255,19 +255,23 @@ scmd->allowed.
3. scmd recovered
ACTION: scsi_eh_finish_cmd() is invoked to EH-finish scmd
- - shost->host_failed--
- clear scmd->eh_eflags
- scsi_setup_cmd_retry()
- move from local eh_work_q to local eh_done_q
LOCKING: none
+CONCURRENCY: at most one thread per separate eh_work_q to
+keep queue manipulation lockless
4. EH completes
ACTION: scsi_eh_flush_done_q() retries scmds or notifies upper
- layer of failure.
+ layer of failure. May be called concurrently but must have
+ a no more than one thread per separate eh_work_q to
+ manipulate the queue locklessly
- scmd is removed from eh_done_q and scmd->eh_entry is cleared
- if retry is necessary, scmd is requeued using
scsi_queue_insert()
- otherwise, scsi_finish_command() is invoked for scmd
+ - zero shost->host_failed
LOCKING: queue or finish function performs appropriate locking
diff --git a/drivers/ata/libata-eh.c b/drivers/ata/libata-eh.c
index 063036d876b0..126eb86f239f 100644
--- a/drivers/ata/libata-eh.c
+++ b/drivers/ata/libata-eh.c
@@ -604,7 +604,7 @@ void ata_scsi_error(struct Scsi_Host *host)
ata_scsi_port_error_handler(host, ap);
/* finish or retry handled scmd's and clean up */
- WARN_ON(host->host_failed || !list_empty(&eh_work_q));
+ WARN_ON(!list_empty(&eh_work_q));
DPRINTK("EXIT\n");
}
diff --git a/drivers/scsi/scsi_error.c b/drivers/scsi/scsi_error.c
index ff2689d01209..bb40359ba620 100644
--- a/drivers/scsi/scsi_error.c
+++ b/drivers/scsi/scsi_error.c
@@ -960,7 +960,6 @@ static int scsi_request_sense(struct scsi_cmnd *scmd)
*/
void scsi_eh_finish_cmd(struct scsi_cmnd *scmd, struct list_head *done_q)
{
- scmd->device->host->host_failed--;
scmd->eh_eflags = 0;
list_move_tail(&scmd->eh_entry, done_q);
}
@@ -1949,6 +1948,9 @@ int scsi_error_handler(void *data)
else
scsi_unjam_host(shost);
+ /* All scmds have been handled */
+ shost->host_failed = 0;
+
/*
* Note - if the above fails completely, the action is to take
* individual devices offline and flush the queue of any
--
2.9.3
[PATCH 3.12 026/100] Fix reconnect to not defer smb3 session reconnect long after socket reconnect
From: Steve French
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit 4fcd1813e6404dd4420c7d12fb483f9320f0bf93 upstream.
Azure server blocks clients that open a socket and don't do anything on it.
In our reconnect scenarios, we can reconnect the tcp session and
detect the socket is available but we defer the negprot and SMB3 session
setup and tree connect reconnection until the next i/o is requested, but
this looks suspicous to some servers who expect SMB3 negprog and session
setup soon after a socket is created.
In the echo thread, reconnect SMB3 sessions and tree connections
that are disconnected. A later patch will replay persistent (and
resilient) handle opens.
Signed-off-by: Steve French
Acked-by: Pavel Shilovsky
Signed-off-by: Jiri Slaby
---
fs/cifs/connect.c | 4 +++-
fs/cifs/smb2pdu.c | 27 +++
2 files changed, 30 insertions(+), 1 deletion(-)
diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
index ebad721656f3..7bdcf8fbc1ff 100644
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -410,7 +410,9 @@ cifs_echo_request(struct work_struct *work)
* server->ops->need_neg() == true. Also, no need to ping if
* we got a response recently.
*/
- if (!server->ops->need_neg || server->ops->need_neg(server) ||
+
+ if (server->tcpStatus == CifsNeedReconnect ||
+ server->tcpStatus == CifsExiting || server->tcpStatus == CifsNew ||
(server->ops->can_echo && !server->ops->can_echo(server)) ||
time_before(jiffies, server->lstrp + SMB_ECHO_INTERVAL - HZ))
goto requeue_echo;
diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
index 439cb86ed488..609350a69680 100644
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -1552,6 +1552,33 @@ SMB2_echo(struct TCP_Server_Info *server)
cifs_dbg(FYI, "In echo request\n");
+ if (server->tcpStatus == CifsNeedNegotiate) {
+ struct list_head *tmp, *tmp2;
+ struct cifs_ses *ses;
+ struct cifs_tcon *tcon;
+
+ cifs_dbg(FYI, "Need negotiate, reconnecting tcons\n");
+ spin_lock(&cifs_tcp_ses_lock);
+ list_for_each(tmp, &server->smb_ses_list) {
+ ses = list_entry(tmp, struct cifs_ses, smb_ses_list);
+ list_for_each(tmp2, &ses->tcon_list) {
+ tcon = list_entry(tmp2, struct cifs_tcon,
+ tcon_list);
+ /* add check for persistent handle reconnect */
+ if (tcon && tcon->need_reconnect) {
+ spin_unlock(&cifs_tcp_ses_lock);
+ rc = smb2_reconnect(SMB2_ECHO, tcon);
+ spin_lock(&cifs_tcp_ses_lock);
+ }
+ }
+ }
+ spin_unlock(&cifs_tcp_ses_lock);
+ }
+
+ /* if no session, renegotiate failed above */
+ if (server->tcpStatus == CifsNeedNegotiate)
+ return -EIO;
+
rc = small_smb2_init(SMB2_ECHO, NULL, (void **)&req);
if (rc)
return rc;
--
2.9.3
Re: [PATCH 1/1] ARM: dma: fix dma_max_pfn()
Hi Santosh,
On 19/08/16 05:01, Santosh Shilimkar wrote:
> On 8/18/2016 4:07 PM, Russell King - ARM Linux wrote:
>> On Thu, Aug 18, 2016 at 09:55:55AM -0700, Santosh Shilimkar wrote:
>>> Hi Russell,
>>>
>>> On 8/18/2016 7:24 AM, Russell King - ARM Linux wrote:
On Wed, Aug 17, 2016 at 03:05:17PM +0300, Roger Quadros wrote:
> Since commit 6ce0d2001692 ("ARM: dma: Use dma_pfn_offset for dma address
> translation"),
> dma_to_pfn() already returns the PFN with the physical memory start offset
> so we don't need to add it again.
>
> This fixes USB mass storage lock-up problem on systems that can't do DMA
> over the entire physical memory range (e.g.) Keystone 2 systems with 4GB
> RAM
> can only do DMA over the first 2GB. [K2E-EVM].
>
> What happens there is that without this patch SCSI layer sets a wrong
> bounce buffer limit in scsi_calculate_bounce_limit() for the USB mass
> storage device. dma_max_pfn() evaluates to 0x8f and bounce_limit
> is set to 0x8f000 whereas maximum DMA'ble physical memory on Keystone
> 2
> is 0x87fff. This results in non DMA'ble pages being given to the
> USB controller and hence the lock-up.
>
> NOTE: in the above case, USB-SCSI-device's dma_pfn_offset was showing as
> 0.
> This should have really been 0x78 as on K2e, LOWMEM_START is
> 0x8000
> and HIGHMEM_START is 0x8. DMA zone is 2GB so dma_max_pfn should be
> 0x87. The incorrect dma_pfn_offset for the USB storage device is
> because
> USB devices are not correctly inheriting the dma_pfn_offset from the
> USB host controller. This will be fixed by a separate patch.
I'd like to hear from Santosh, as the author of the original change.
The original commit doesn't mention which platform it was intended for
or what the problem was, which would've been helpful.
>>> From what I recollect, we did these changes to make the max pfn behave
>>> same on ARM arch as other archs. This patch was evolved as part of
>>> fixing the max*pfn assumption.
>>
>> To me, the proposed patch _looks_ correct, because...
>>
> diff --git a/arch/arm/include/asm/dma-mapping.h
> b/arch/arm/include/asm/dma-mapping.h
> index d009f79..bf02dbd 100644
> --- a/arch/arm/include/asm/dma-mapping.h
> +++ b/arch/arm/include/asm/dma-mapping.h
> @@ -111,7 +111,7 @@ static inline dma_addr_t virt_to_dma(struct device
> *dev, void *addr)
> /* The ARM override for dma_max_pfn() */
> static inline unsigned long dma_max_pfn(struct device *dev)
> {
> -return PHYS_PFN_OFFSET + dma_to_pfn(dev, *dev->dma_mask);
> +return dma_to_pfn(dev, *dev->dma_mask);
> }
> #define dma_max_pfn(dev) dma_max_pfn(dev)
>>> By doing this change I hope we don't break other drivers on Keystone so
>>> am not sure about the change.
>>
>> dma_to_pfn() returns the page frame number referenced from physical
>> address zero - the default implementation of dma_to_pfn() is
>> bus_to_pfn(), which is __phys_to_pfn(x), which is just x >> PAGE_SHIFT.
>> The other thing about dma_to_pfn() is that it should return a
>> zero-referenced PFN number, where PFN 0 = physical address 0.
>>
>> If there is some offset for keystone2, that should be taken care of
>> via "dev->dma_pfn_offset", and not offsetting the return value from
>> dma_to_pfn().
>>
>> So I'm 99.9% convinced that the proposed change is correct.
>>
> I will got with that then :-) and take my objection back. Just
> saying that if there other breakages which I can't recollect now,
> those drivers needs to be patched as well.
>
I was able to boot the Keystone2 Edison EVM over NFS with the $subject patch.
Boot log is below. Do you see anything suspicious?
---
U-Boot SPL 2016.05-00100-g052f3bf-dirty (Aug 10 2016 - 12:28:40)
Trying to boot from SPI
U-Boot 2016.05-00100-g052f3bf-dirty (Aug 10 2016 - 12:28:40 +0300)
CPU: 66AK2Ex SR1.0
I2C: ready
DRAM: DDR3A Speed will be configured for 1600 Operation.
Detected SO-DIMM [18KSF51272HZ-1G6K2]
DDR3 speed 1600
DRAM: 4 GiB
Clear entire DDR3 memory to enable ECC
2 GiB
NAND: 512 MiB
Net: eth0: netcp@2400
Hit any key to stop autoboot: 0
netcp@2400 Waiting for SGMII auto negotiation to complete. done
Using netcp@2400 device
TFTP from server 192.168.1.36; our IP address is 192.168.1.90
Filename '/tftpboot/k2-fw-initrd.cpio.gz'.
Load address: 0x8808
Loading: ##
958 KiB/s
done
Bytes transferred = 48117 (bbf5 hex)
netcp@2400 Waiting for SGMII auto negotiation to complete. done
Using netcp@2400 device
TFTP from server 192.168.1.36; our IP address is 192.168.1.90
Filename 'keystone-k2e-evm.dtb'.
Load address: 0x8800
Loading: #
884.8 KiB/s
done
Bytes transferred = 22660 (5884 hex)
netcp@2400 Waiting for SGMII auto negotiation to complete. done
Using netcp@2400 device
TFTP from server 192.168.1.36; our IP address is 192.1
[PATCH 3.12 024/100] ALSA: ctl: Stop notification after disconnection
From: Takashi Iwai 3.12-stable review patch. If anyone has any objections, please let me know. === commit f388cdcdd160687c6650833f286b9c89c50960ff upstream. snd_ctl_remove() has a notification for the removal event. It's superfluous when done during the device got disconnected. Although the notification itself is mostly harmless, it may potentially be harmful, and should be suppressed. Actually some components PCM may free ctl elements during the disconnect or free callbacks, thus it's no theoretical issue. This patch adds the check of card->shutdown flag for avoiding unnecessary notifications after (or during) the disconnect. Signed-off-by: Takashi Iwai Signed-off-by: Jiri Slaby --- sound/core/control.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sound/core/control.c b/sound/core/control.c index 3fcead61f0ef..251bc575f5c3 100644 --- a/sound/core/control.c +++ b/sound/core/control.c @@ -150,6 +150,8 @@ void snd_ctl_notify(struct snd_card *card, unsigned int mask, if (snd_BUG_ON(!card || !id)) return; + if (card->shutdown) + return; read_lock(&card->ctl_files_rwlock); #if defined(CONFIG_SND_MIXER_OSS) || defined(CONFIG_SND_MIXER_OSS_MODULE) card->mixer_oss_change_count++; -- 2.9.3
[PATCH 3.12 017/100] iio: accel: kxsd9: fix the usage of spi_w8r8()
From: Linus Walleij
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit 0c1f91b98552da49d9d8eed32b3132a58d2f4598 upstream.
These two spi_w8r8() calls return a value with is used by the code
following the error check. The dubious use was caused by a cleanup
patch.
Fixes: d34dbee8ac8e ("staging:iio:accel:kxsd9 cleanup and conversion to
iio_chan_spec.")
Signed-off-by: Linus Walleij
Signed-off-by: Jonathan Cameron
Signed-off-by: Jiri Slaby
---
drivers/iio/accel/kxsd9.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/iio/accel/kxsd9.c b/drivers/iio/accel/kxsd9.c
index 34277153c211..61dcbcf73c22 100644
--- a/drivers/iio/accel/kxsd9.c
+++ b/drivers/iio/accel/kxsd9.c
@@ -81,7 +81,7 @@ static int kxsd9_write_scale(struct iio_dev *indio_dev, int
micro)
mutex_lock(&st->buf_lock);
ret = spi_w8r8(st->us, KXSD9_READ(KXSD9_REG_CTRL_C));
- if (ret)
+ if (ret < 0)
goto error_ret;
st->tx[0] = KXSD9_WRITE(KXSD9_REG_CTRL_C);
st->tx[1] = (ret & ~KXSD9_FS_MASK) | i;
@@ -163,7 +163,7 @@ static int kxsd9_read_raw(struct iio_dev *indio_dev,
break;
case IIO_CHAN_INFO_SCALE:
ret = spi_w8r8(st->us, KXSD9_READ(KXSD9_REG_CTRL_C));
- if (ret)
+ if (ret < 0)
goto error_ret;
*val2 = kxsd9_micro_scales[ret & KXSD9_FS_MASK];
ret = IIO_VAL_INT_PLUS_MICRO;
--
2.9.3
[PATCH 3.12 021/100] tty/vt/keyboard: fix OOB access in do_compute_shiftstate()
From: Dmitry Torokhov
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit 510cccb5b0c8868a2b302a0ab524da7912da648b upstream.
The size of individual keymap in drivers/tty/vt/keyboard.c is NR_KEYS,
which is currently 256, whereas number of keys/buttons in input device (and
therefor in key_down) is much larger - KEY_CNT - 768, and that can cause
out-of-bound access when we do
sym = U(key_maps[0][k]);
with large 'k'.
To fix it we should not attempt iterating beyond smaller of NR_KEYS and
KEY_CNT.
Also while at it let's switch to for_each_set_bit() instead of open-coding
it.
Reported-by: Sasha Levin
Reviewed-by: Guenter Roeck
Signed-off-by: Dmitry Torokhov
Signed-off-by: Jiri Slaby
---
drivers/tty/vt/keyboard.c | 30 +-
1 file changed, 9 insertions(+), 21 deletions(-)
diff --git a/drivers/tty/vt/keyboard.c b/drivers/tty/vt/keyboard.c
index d0e3a4497707..adf4d3124cc6 100644
--- a/drivers/tty/vt/keyboard.c
+++ b/drivers/tty/vt/keyboard.c
@@ -365,34 +365,22 @@ static void to_utf8(struct vc_data *vc, uint c)
static void do_compute_shiftstate(void)
{
- unsigned int i, j, k, sym, val;
+ unsigned int k, sym, val;
shift_state = 0;
memset(shift_down, 0, sizeof(shift_down));
- for (i = 0; i < ARRAY_SIZE(key_down); i++) {
-
- if (!key_down[i])
+ for_each_set_bit(k, key_down, min(NR_KEYS, KEY_CNT)) {
+ sym = U(key_maps[0][k]);
+ if (KTYP(sym) != KT_SHIFT && KTYP(sym) != KT_SLOCK)
continue;
- k = i * BITS_PER_LONG;
-
- for (j = 0; j < BITS_PER_LONG; j++, k++) {
-
- if (!test_bit(k, key_down))
- continue;
+ val = KVAL(sym);
+ if (val == KVAL(K_CAPSSHIFT))
+ val = KVAL(K_SHIFT);
- sym = U(key_maps[0][k]);
- if (KTYP(sym) != KT_SHIFT && KTYP(sym) != KT_SLOCK)
- continue;
-
- val = KVAL(sym);
- if (val == KVAL(K_CAPSSHIFT))
- val = KVAL(K_SHIFT);
-
- shift_down[val]++;
- shift_state |= (1 << val);
- }
+ shift_down[val]++;
+ shift_state |= BIT(val);
}
}
--
2.9.3
[PATCH 3.12 022/100] ALSA: dummy: Fix a use-after-free at closing
From: Takashi Iwai
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit d5dbbe6569481bf12dcbe3e12cff72c5f78d272c upstream.
syzkaller fuzzer spotted a potential use-after-free case in snd-dummy
driver when hrtimer is used as backend:
> ==
> BUG: KASAN: use-after-free in rb_erase+0x1b17/0x2010 at addr 88005e5b6f68
> Read of size 8 by task syz-executor/8984
> =
> BUG kmalloc-192 (Not tainted): kasan: bad access detected
> -
>
> Disabling lock debugging due to kernel taint
> INFO: Allocated in 0x age=18446705582212484632
>
> [< none >] dummy_hrtimer_create+0x49/0x1a0 sound/drivers/dummy.c:464
>
> INFO: Freed in 0xfffd8e09 age=18446705496313138713 cpu=2164287125 pid=-1
> [< none >] dummy_hrtimer_free+0x68/0x80 sound/drivers/dummy.c:481
>
> Call Trace:
> [] __asan_report_load8_noabort+0x3e/0x40
> mm/kasan/report.c:333
> [< inline >] rb_set_parent include/linux/rbtree_augmented.h:111
> [< inline >] __rb_erase_augmented
> include/linux/rbtree_augmented.h:218
> [] rb_erase+0x1b17/0x2010 lib/rbtree.c:427
> [] timerqueue_del+0x78/0x170 lib/timerqueue.c:86
> [] __remove_hrtimer+0x90/0x220 kernel/time/hrtimer.c:903
> [< inline >] remove_hrtimer kernel/time/hrtimer.c:945
> [] hrtimer_try_to_cancel+0x22a/0x570
> kernel/time/hrtimer.c:1046
> [] hrtimer_cancel+0x22/0x40 kernel/time/hrtimer.c:1066
> [] dummy_hrtimer_stop+0x91/0xb0 sound/drivers/dummy.c:417
> [] dummy_pcm_trigger+0x17f/0x1e0 sound/drivers/dummy.c:507
> [] snd_pcm_do_stop+0x160/0x1b0 sound/core/pcm_native.c:1106
> [] snd_pcm_action_single+0x76/0x120
> sound/core/pcm_native.c:956
> [] snd_pcm_action+0x231/0x290 sound/core/pcm_native.c:974
> [< inline >] snd_pcm_stop sound/core/pcm_native.c:1139
> [] snd_pcm_drop+0x12d/0x1d0 sound/core/pcm_native.c:1784
> [] snd_pcm_common_ioctl1+0xfae/0x2150
> sound/core/pcm_native.c:2805
> [] snd_pcm_capture_ioctl1+0x2a1/0x5e0
> sound/core/pcm_native.c:2976
> [] snd_pcm_kernel_ioctl+0x11c/0x160
> sound/core/pcm_native.c:3020
> [] snd_pcm_oss_sync+0x3a4/0xa30
> sound/core/oss/pcm_oss.c:1693
> [] snd_pcm_oss_release+0x1ad/0x280
> sound/core/oss/pcm_oss.c:2483
> .
A workaround is to call hrtimer_cancel() in dummy_hrtimer_sync() which
is called certainly before other blocking ops.
Reported-by: Dmitry Vyukov
Tested-by: Dmitry Vyukov
Signed-off-by: Takashi Iwai
Signed-off-by: Jiri Slaby
---
sound/drivers/dummy.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sound/drivers/dummy.c b/sound/drivers/dummy.c
index 8946cef245fc..fe5750a05368 100644
--- a/sound/drivers/dummy.c
+++ b/sound/drivers/dummy.c
@@ -422,6 +422,7 @@ static int dummy_hrtimer_stop(struct snd_pcm_substream
*substream)
static inline void dummy_hrtimer_sync(struct dummy_hrtimer_pcm *dpcm)
{
+ hrtimer_cancel(&dpcm->timer);
tasklet_kill(&dpcm->tasklet);
}
--
2.9.3
[PATCH 3.12 027/100] xen/acpi: allow xen-acpi-processor driver to load on Xen 4.7
From: Jan Beulich
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit 6f2d9d99213514360034c6d52d2c3919290b3504 upstream.
As of Xen 4.7 PV CPUID doesn't expose either of CPUID[1].ECX[7] and
CPUID[0x8007].EDX[7] anymore, causing the driver to fail to load on
both Intel and AMD systems. Doing any kind of hardware capability
checks in the driver as a prerequisite was wrong anyway: With the
hypervisor being in charge, all such checking should be done by it. If
ACPI data gets uploaded despite some missing capability, the hypervisor
is free to ignore part or all of that data.
Ditch the entire check_prereq() function, and do the only valid check
(xen_initial_domain()) in the caller in its place.
Signed-off-by: Jan Beulich
Signed-off-by: David Vrabel
Signed-off-by: Jiri Slaby
---
drivers/xen/xen-acpi-processor.c | 35 +++
1 file changed, 3 insertions(+), 32 deletions(-)
diff --git a/drivers/xen/xen-acpi-processor.c b/drivers/xen/xen-acpi-processor.c
index 13bc6c31c060..77658030259e 100644
--- a/drivers/xen/xen-acpi-processor.c
+++ b/drivers/xen/xen-acpi-processor.c
@@ -425,36 +425,7 @@ upload:
return 0;
}
-static int __init check_prereq(void)
-{
- struct cpuinfo_x86 *c = &cpu_data(0);
-
- if (!xen_initial_domain())
- return -ENODEV;
-
- if (!acpi_gbl_FADT.smi_command)
- return -ENODEV;
-
- if (c->x86_vendor == X86_VENDOR_INTEL) {
- if (!cpu_has(c, X86_FEATURE_EST))
- return -ENODEV;
- return 0;
- }
- if (c->x86_vendor == X86_VENDOR_AMD) {
- /* Copied from powernow-k8.h, can't include ../cpufreq/powernow
-* as we get compile warnings for the static functions.
-*/
-#define CPUID_FREQ_VOLT_CAPABILITIES0x8007
-#define USE_HW_PSTATE 0x0080
- u32 eax, ebx, ecx, edx;
- cpuid(CPUID_FREQ_VOLT_CAPABILITIES, &eax, &ebx, &ecx, &edx);
- if ((edx & USE_HW_PSTATE) != USE_HW_PSTATE)
- return -ENODEV;
- return 0;
- }
- return -ENODEV;
-}
/* acpi_perf_data is a pointer to percpu data. */
static struct acpi_processor_performance __percpu *acpi_perf_data;
@@ -510,10 +481,10 @@ static struct syscore_ops xap_syscore_ops = {
static int __init xen_acpi_processor_init(void)
{
unsigned int i;
- int rc = check_prereq();
+ int rc;
- if (rc)
- return rc;
+ if (!xen_initial_domain())
+ return -ENODEV;
nr_acpi_bits = get_max_acpi_id() + 1;
acpi_ids_done = kcalloc(BITS_TO_LONGS(nr_acpi_bits), sizeof(unsigned
long), GFP_KERNEL);
--
2.9.3
[PATCH 3.12 020/100] iio:ad7266: Fix probe deferral for vref
From: Mark Brown
3.12-stable review patch. If anyone has any objections, please let me know.
===
commit 68b356eb3d9f5e38910fb62e22a78e2a18d544ae upstream.
Currently the ad7266 driver treats any failure to get vref as though the
regulator were not present but this means that if probe deferral is
triggered the driver will act as though the regulator were not present.
Instead only use the internal reference if we explicitly got -ENODEV which
is what is returned for absent regulators.
Signed-off-by: Mark Brown
Signed-off-by: Jonathan Cameron
Signed-off-by: Jiri Slaby
---
drivers/iio/adc/ad7266.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/iio/adc/ad7266.c b/drivers/iio/adc/ad7266.c
index 5154041257c2..1094bdfcfa6e 100644
--- a/drivers/iio/adc/ad7266.c
+++ b/drivers/iio/adc/ad7266.c
@@ -417,6 +417,9 @@ static int ad7266_probe(struct spi_device *spi)
st->vref_uv = ret;
} else {
+ /* Any other error indicates that the regulator does exist */
+ if (PTR_ERR(st->reg) != -ENODEV)
+ return PTR_ERR(st->reg);
/* Use internal reference */
st->vref_uv = 250;
}
--
2.9.3
