[PATCH 3.16 080/134] PCI: Disable boot interrupt quirk for ASUS M2N-LR
3.16.47-rc1 review patch. If anyone has any objections, please let me know.
--
From: Stefan Assmann
commit c4e649b09f55595e6df6da5465a5b3cfc93557c1 upstream.
The ASUS M2N-LR should not trigger boot interrupt quirks although it
carries an Intel 6702PXH. On this board the boot interrupt quirks cause
incorrect IRQ assignments and should be disabled.
Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=43074
Tested-by: Solomon Peachy
Signed-off-by: Stefan Assmann
Signed-off-by: Bjorn Helgaas
Signed-off-by: Ben Hutchings
---
drivers/pci/quirks.c | 24
1 file changed, 24 insertions(+)
--- a/drivers/pci/quirks.c
+++ b/drivers/pci/quirks.c
@@ -1637,6 +1637,29 @@ DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_IN
DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, 0x260b, quirk_intel_pcie_pm);
#ifdef CONFIG_X86_IO_APIC
+static int dmi_disable_ioapicreroute(const struct dmi_system_id *d)
+{
+ noioapicreroute = 1;
+ pr_info("%s detected: disable boot interrupt reroute\n", d->ident);
+
+ return 0;
+}
+
+static struct dmi_system_id boot_interrupt_dmi_table[] = {
+ /*
+* Systems to exclude from boot interrupt reroute quirks
+*/
+ {
+ .callback = dmi_disable_ioapicreroute,
+ .ident = "ASUSTek Computer INC. M2N-LR",
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTek Computer INC."),
+ DMI_MATCH(DMI_PRODUCT_NAME, "M2N-LR"),
+ },
+ },
+ {}
+};
+
/*
* Boot interrupts on some chipsets cannot be turned off. For these chipsets,
* remap the original interrupt in the linux kernel to the boot interrupt, so
@@ -1645,6 +1668,7 @@ DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_IN
*/
static void quirk_reroute_to_boot_interrupts_intel(struct pci_dev *dev)
{
+ dmi_check_system(boot_interrupt_dmi_table);
if (noioapicquirk || noioapicreroute)
return;
[PATCH 1/3] jfs: Delete an error message for a failed memory allocation in diMount()
From: Markus Elfring
Date: Fri, 18 Aug 2017 09:19:24 +0200
Omit an extra message for a memory allocation failure in this function.
This issue was detected by using the Coccinelle software.
Signed-off-by: Markus Elfring
---
fs/jfs/jfs_imap.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/fs/jfs/jfs_imap.c b/fs/jfs/jfs_imap.c
index f36ef68905a7..da8051299e47 100644
--- a/fs/jfs/jfs_imap.c
+++ b/fs/jfs/jfs_imap.c
@@ -119,7 +119,5 @@ int diMount(struct inode *ipimap)
- if (imap == NULL) {
- jfs_err("diMount: kmalloc returned NULL!");
+ if (!imap)
return -ENOMEM;
- }
/* read the on-disk inode map control structure. */
--
2.14.0
[PATCH 3.16 075/134] powerpc/sysfs: Fix reference leak of cpu device_nodes present at boot
3.16.47-rc1 review patch. If anyone has any objections, please let me know.
--
From: Tyrel Datwyler
commit e76ca27790a514590af782f83f6eae49e0ccf8c9 upstream.
For CPUs present at boot each logical CPU acquires a reference to the
associated device node of the core. This happens in register_cpu() which
is called by topology_init(). The result of this is that we end up with
a reference held by each thread of the core. However, these references
are never freed if the CPU core is DLPAR removed.
This patch fixes the reference leaks by acquiring and releasing the references
in the CPU hotplug callbacks un/register_cpu_online(). With this patch symmetric
reference counting is observed with both CPUs present at boot, and those DLPAR
added after boot.
Fixes: f86e4718f24b ("driver/core: cpu: initialize of_node in cpu's device
struture")
Signed-off-by: Tyrel Datwyler
Signed-off-by: Michael Ellerman
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings
---
arch/powerpc/kernel/sysfs.c | 6 ++
1 file changed, 6 insertions(+)
--- a/arch/powerpc/kernel/sysfs.c
+++ b/arch/powerpc/kernel/sysfs.c
@@ -672,6 +672,10 @@ static void register_cpu_online(unsigned
struct device_attribute *attrs, *pmc_attrs;
int i, nattrs;
+ /* For cpus present at boot a reference was already grabbed in
register_cpu() */
+ if (!s->of_node)
+ s->of_node = of_get_cpu_node(cpu, NULL);
+
#ifdef CONFIG_PPC64
if (cpu_has_feature(CPU_FTR_SMT))
device_create_file(s, &dev_attr_smt_snooze_delay);
@@ -825,6 +829,8 @@ static void unregister_cpu_online(unsign
}
#endif
cacheinfo_cpu_offline(cpu);
+ of_node_put(s->of_node);
+ s->of_node = NULL;
}
#ifdef CONFIG_ARCH_CPU_PROBE_RELEASE
[PATCH 3.16 077/134] netfilter: ctnetlink: make it safer when updating ct->status
3.16.47-rc1 review patch. If anyone has any objections, please let me know.
--
From: Liping Zhang
commit 53b56da83d7899de375a9de153fd7f5397de85e6 upstream.
After converting to use rcu for conntrack hash, one CPU may update
the ct->status via ctnetlink, while another CPU may process the
packets and update the ct->status.
So the non-atomic operation "ct->status |= status;" via ctnetlink
becomes unsafe, and this may clear the IPS_DYING_BIT bit set by
another CPU unexpectedly. For example:
CPU0CPU1
ctnetlink_change_status__nf_conntrack_find_get
old = ct->status nf_ct_gc_expired
- nf_ct_kill
- test_and_set_bit(IPS_DYING_BIT
new = old | status; -
ct->status = new; <-- oops, _DYING_ is cleared!
Now using a series of atomic bit operation to solve the above issue.
Also note, user shouldn't set IPS_TEMPLATE, IPS_SEQ_ADJUST directly,
so make these two bits be unchangable too.
If we set the IPS_TEMPLATE_BIT, ct will be freed by nf_ct_tmpl_free,
but actually it is alloced by nf_conntrack_alloc.
If we set the IPS_SEQ_ADJUST_BIT, this may cause the NULL pointer
deference, as the nfct_seqadj(ct) maybe NULL.
Last, add some comments to describe the logic change due to the
commit a963d710f367 ("netfilter: ctnetlink: Fix regression in CTA_STATUS
processing"), which makes me feel a little confusing.
Fixes: 76507f69c44e ("[NETFILTER]: nf_conntrack: use RCU for conntrack hash")
Signed-off-by: Liping Zhang
Signed-off-by: Pablo Neira Ayuso
[bwh: Backported to 3.16: IPS_UNCHANGEABLE_MASK was not previously defined and
ctnetlink_update_status() is not needed]
Signed-off-by: Ben Hutchings
---
--- a/include/uapi/linux/netfilter/nf_conntrack_common.h
+++ b/include/uapi/linux/netfilter/nf_conntrack_common.h
@@ -91,6 +91,15 @@ enum ip_conntrack_status {
/* Conntrack got a helper explicitly attached via CT target. */
IPS_HELPER_BIT = 13,
IPS_HELPER = (1 << IPS_HELPER_BIT),
+
+ /* Be careful here, modifying these bits can make things messy,
+* so don't let users modify them directly.
+*/
+ IPS_UNCHANGEABLE_MASK = (IPS_NAT_DONE_MASK | IPS_NAT_MASK |
+IPS_EXPECTED | IPS_CONFIRMED | IPS_DYING |
+IPS_SEQ_ADJUST | IPS_TEMPLATE),
+
+ __IPS_MAX_BIT = 14,
};
/* Connection tracking event types */
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -1307,6 +1307,24 @@ ctnetlink_parse_nat_setup(struct nf_conn
}
#endif
+static void
+__ctnetlink_change_status(struct nf_conn *ct, unsigned long on,
+ unsigned long off)
+{
+ unsigned int bit;
+
+ /* Ignore these unchangable bits */
+ on &= ~IPS_UNCHANGEABLE_MASK;
+ off &= ~IPS_UNCHANGEABLE_MASK;
+
+ for (bit = 0; bit < __IPS_MAX_BIT; bit++) {
+ if (on & (1 << bit))
+ set_bit(bit, &ct->status);
+ else if (off & (1 << bit))
+ clear_bit(bit, &ct->status);
+ }
+}
+
static int
ctnetlink_change_status(struct nf_conn *ct, const struct nlattr * const cda[])
{
@@ -1326,10 +1344,7 @@ ctnetlink_change_status(struct nf_conn *
/* ASSURED bit can only be set */
return -EBUSY;
- /* Be careful here, modifying NAT bits can screw up things,
-* so don't let users modify them directly if they don't pass
-* nf_nat_range. */
- ct->status |= status & ~(IPS_NAT_DONE_MASK | IPS_NAT_MASK);
+ __ctnetlink_change_status(ct, status, 0);
return 0;
}
@@ -1513,7 +1528,7 @@ ctnetlink_change_seq_adj(struct nf_conn
if (ret < 0)
return ret;
- ct->status |= IPS_SEQ_ADJUST;
+ set_bit(IPS_SEQ_ADJUST_BIT, &ct->status);
}
if (cda[CTA_SEQ_ADJ_REPLY]) {
@@ -1522,7 +1537,7 @@ ctnetlink_change_seq_adj(struct nf_conn
if (ret < 0)
return ret;
- ct->status |= IPS_SEQ_ADJUST;
+ set_bit(IPS_SEQ_ADJUST_BIT, &ct->status);
}
return 0;
[PATCH 2/3] jfs: Improve size determinations in five functions
From: Markus Elfring
Date: Fri, 18 Aug 2017 14:54:11 +0200
* Replace the specification of data structures by pointer dereferences
as the parameter for the operator "sizeof" to make the corresponding size
determination a bit safer according to the Linux coding style convention.
This issue was detected by using the Coccinelle software.
* The script "checkpatch.pl" pointed information out like the following.
ERROR: do not use assignment in if condition
Thus fix two affected source code places.
Signed-off-by: Markus Elfring
---
fs/jfs/jfs_imap.c | 2 +-
fs/jfs/jfs_logmgr.c | 8 +---
fs/jfs/jfs_metapage.c | 2 +-
fs/jfs/super.c| 2 +-
4 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/fs/jfs/jfs_imap.c b/fs/jfs/jfs_imap.c
index da8051299e47..a7e3a61187db 100644
--- a/fs/jfs/jfs_imap.c
+++ b/fs/jfs/jfs_imap.c
@@ -115,5 +115,5 @@ int diMount(struct inode *ipimap)
* allocate/initialize the in-memory inode map control structure
*/
/* allocate the in-memory inode map control structure. */
- imap = kmalloc(sizeof(struct inomap), GFP_KERNEL);
+ imap = kmalloc(sizeof(*imap), GFP_KERNEL);
if (!imap)
diff --git a/fs/jfs/jfs_logmgr.c b/fs/jfs/jfs_logmgr.c
index a21f0e9eecd4..ed103c44bd52 100644
--- a/fs/jfs/jfs_logmgr.c
+++ b/fs/jfs/jfs_logmgr.c
@@ -1109,7 +1109,8 @@ int lmLogOpen(struct super_block *sb)
}
}
- if (!(log = kzalloc(sizeof(struct jfs_log), GFP_KERNEL))) {
+ log = kzalloc(sizeof(*log), GFP_KERNEL);
+ if (!log) {
mutex_unlock(&jfs_log_mutex);
return -ENOMEM;
}
@@ -1178,7 +1179,8 @@ static int open_inline_log(struct super_block *sb)
struct jfs_log *log;
int rc;
- if (!(log = kzalloc(sizeof(struct jfs_log), GFP_KERNEL)))
+ log = kzalloc(sizeof(*log), GFP_KERNEL);
+ if (!log)
return -ENOMEM;
INIT_LIST_HEAD(&log->sb_list);
init_waitqueue_head(&log->syncwait);
@@ -1839,7 +1841,7 @@ static int lbmLogInit(struct jfs_log * log)
goto error;
buffer = page_address(page);
for (offset = 0; offset < PAGE_SIZE; offset += LOGPSIZE) {
- lbuf = kmalloc(sizeof(struct lbuf), GFP_KERNEL);
+ lbuf = kmalloc(sizeof(*lbuf), GFP_KERNEL);
if (lbuf == NULL) {
if (offset == 0)
__free_page(page);
diff --git a/fs/jfs/jfs_metapage.c b/fs/jfs/jfs_metapage.c
index 65120a471729..6c75a7c87c0c 100644
--- a/fs/jfs/jfs_metapage.c
+++ b/fs/jfs/jfs_metapage.c
@@ -107,7 +107,7 @@ static inline int insert_metapage(struct page *page, struct
metapage *mp)
if (PagePrivate(page))
a = mp_anchor(page);
else {
- a = kzalloc(sizeof(struct meta_anchor), GFP_NOFS);
+ a = kzalloc(sizeof(*a), GFP_NOFS);
if (!a)
return -ENOMEM;
set_page_private(page, (unsigned long)a);
diff --git a/fs/jfs/super.c b/fs/jfs/super.c
index 78b41e1d5c67..381476422e8d 100644
--- a/fs/jfs/super.c
+++ b/fs/jfs/super.c
@@ -526,7 +526,7 @@ static int jfs_fill_super(struct super_block *sb, void
*data, int silent)
jfs_info("In jfs_read_super: s_flags=0x%lx", sb->s_flags);
- sbi = kzalloc(sizeof(struct jfs_sb_info), GFP_KERNEL);
+ sbi = kzalloc(sizeof(*sbi), GFP_KERNEL);
if (!sbi)
return -ENOMEM;
--
2.14.0
[PATCH 3.16 079/134] dm era: save spacemap metadata root after the pre-commit
3.16.47-rc1 review patch. If anyone has any objections, please let me know.
--
From: Somasundaram Krishnasamy
commit 117aceb030307dcd431fdcff87ce988d3016c34a upstream.
When committing era metadata to disk, it doesn't always save the latest
spacemap metadata root in superblock. Due to this, metadata is getting
corrupted sometimes when reopening the device. The correct order of update
should be, pre-commit (shadows spacemap root), save the spacemap root
(newly shadowed block) to in-core superblock and then the final commit.
Signed-off-by: Somasundaram Krishnasamy
Signed-off-by: Mike Snitzer
Signed-off-by: Ben Hutchings
---
drivers/md/dm-era-target.c | 8
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/drivers/md/dm-era-target.c
+++ b/drivers/md/dm-era-target.c
@@ -957,15 +957,15 @@ static int metadata_commit(struct era_me
}
}
- r = save_sm_root(md);
+ r = dm_tm_pre_commit(md->tm);
if (r) {
- DMERR("%s: save_sm_root failed", __func__);
+ DMERR("%s: pre commit failed", __func__);
return r;
}
- r = dm_tm_pre_commit(md->tm);
+ r = save_sm_root(md);
if (r) {
- DMERR("%s: pre commit failed", __func__);
+ DMERR("%s: save_sm_root failed", __func__);
return r;
}
[PATCH 3.16 069/134] x86/boot: Fix BSS corruption/overwrite bug in early x86 kernel startup
3.16.47-rc1 review patch. If anyone has any objections, please let me know. -- From: Ashish Kalra commit d594aa0277e541bb997aef0bc0a55172d8138340 upstream. The minimum size for a new stack (512 bytes) setup for arch/x86/boot components when the bootloader does not setup/provide a stack for the early boot components is not "enough". The setup code executing as part of early kernel startup code, uses the stack beyond 512 bytes and accidentally overwrites and corrupts part of the BSS section. This is exposed mostly in the early video setup code, where it was corrupting BSS variables like force_x, force_y, which in-turn affected kernel parameters such as screen_info (screen_info.orig_video_cols) and later caused an exception/panic in console_init(). Most recent boot loaders setup the stack for early boot components, so this stack overwriting into BSS section issue has not been exposed. Signed-off-by: Ashish Kalra Cc: Andy Lutomirski Cc: Borislav Petkov Cc: Brian Gerst Cc: Denys Vlasenko Cc: H. Peter Anvin Cc: Josh Poimboeuf Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Link: http://lkml.kernel.org/r/20170419152015.10011-1-ashishkalra@Ashishs-MacBook-Pro.local Signed-off-by: Ingo Molnar Signed-off-by: Ben Hutchings --- arch/x86/boot/boot.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/arch/x86/boot/boot.h +++ b/arch/x86/boot/boot.h @@ -16,7 +16,7 @@ #ifndef BOOT_BOOT_H #define BOOT_BOOT_H -#define STACK_SIZE 512 /* Minimum number of bytes for stack */ +#define STACK_SIZE 1024/* Minimum number of bytes for stack */ #ifndef __ASSEMBLY__
[PATCH 3.16 074/134] powerpc/pseries: Fix of_node_put() underflow during DLPAR remove
3.16.47-rc1 review patch. If anyone has any objections, please let me know.
--
From: Tyrel Datwyler
commit 68baf692c435339e6295cb470ea5545cbc28160e upstream.
Historically struct device_node references were tracked using a kref embedded as
a struct field. Commit 75b57ecf9d1d ("of: Make device nodes kobjects so they
show up in sysfs") (Mar 2014) refactored device_nodes to be kobjects such that
the device tree could by more simply exposed to userspace using sysfs.
Commit 0829f6d1f69e ("of: device_node kobject lifecycle fixes") (Mar 2014)
followed up these changes to better control the kobject lifecycle and in
particular the referecne counting via of_node_get(), of_node_put(), and
of_node_init().
A result of this second commit was that it introduced an of_node_put() call when
a dynamic node is detached, in of_node_remove(), that removes the initial kobj
reference created by of_node_init().
Traditionally as the original dynamic device node user the pseries code had
assumed responsibilty for releasing this final reference in its platform
specific DLPAR detach code.
This patch fixes a refcount underflow introduced by commit 0829f6d1f6, and
recently exposed by the upstreaming of the recount API.
Messages like the following are no longer seen in the kernel log with this
patch following DLPAR remove operations of cpus and pci devices.
rpadlpar_io: slot PHB 72 removed
refcount_t: underflow; use-after-free.
[ cut here ]
WARNING: CPU: 5 PID: 3335 at lib/refcount.c:128
refcount_sub_and_test+0xf4/0x110
Fixes: 0829f6d1f69e ("of: device_node kobject lifecycle fixes")
Signed-off-by: Tyrel Datwyler
[mpe: Make change log commit references more verbose]
Signed-off-by: Michael Ellerman
Signed-off-by: Ben Hutchings
---
arch/powerpc/platforms/pseries/dlpar.c | 1 -
1 file changed, 1 deletion(-)
--- a/arch/powerpc/platforms/pseries/dlpar.c
+++ b/arch/powerpc/platforms/pseries/dlpar.c
@@ -298,7 +298,6 @@ int dlpar_detach_node(struct device_node
if (rc)
return rc;
- of_node_put(dn); /* Must decrement the refcount */
return 0;
}
[PATCH 3.16 076/134] netfilter: ctnetlink: fix deadlock due to acquire _expect_lock twice
3.16.47-rc1 review patch. If anyone has any objections, please let me know.
--
From: Liping Zhang
commit 88be4c09d9008f9ff337cbf48c5d0f06c8f872e7 upstream.
Currently, ctnetlink_change_conntrack is always protected by _expect_lock,
but this will cause a deadlock when deleting the helper from a conntrack,
as the _expect_lock will be acquired again by nf_ct_remove_expectations:
CPU0
lock(nf_conntrack_expect_lock);
lock(nf_conntrack_expect_lock);
*** DEADLOCK ***
May be due to missing lock nesting notation
2 locks held by lt-conntrack_gr/12853:
#0: (&table[i].mutex){+.+.+.}, at: []
nfnetlink_rcv_msg+0x399/0x6a9 [nfnetlink]
#1: (nf_conntrack_expect_lock){+.}, at: []
ctnetlink_new_conntrack+0x17f/0x408 [nf_conntrack_netlink]
Call Trace:
dump_stack+0x85/0xc2
__lock_acquire+0x1608/0x1680
? ctnetlink_parse_tuple_proto+0x10f/0x1c0 [nf_conntrack_netlink]
lock_acquire+0x100/0x1f0
? nf_ct_remove_expectations+0x32/0x90 [nf_conntrack]
_raw_spin_lock_bh+0x3f/0x50
? nf_ct_remove_expectations+0x32/0x90 [nf_conntrack]
nf_ct_remove_expectations+0x32/0x90 [nf_conntrack]
ctnetlink_change_helper+0xc6/0x190 [nf_conntrack_netlink]
ctnetlink_new_conntrack+0x1b2/0x408 [nf_conntrack_netlink]
nfnetlink_rcv_msg+0x60a/0x6a9 [nfnetlink]
? nfnetlink_rcv_msg+0x1b9/0x6a9 [nfnetlink]
? nfnetlink_bind+0x1a0/0x1a0 [nfnetlink]
netlink_rcv_skb+0xa4/0xc0
nfnetlink_rcv+0x87/0x770 [nfnetlink]
Since the operations are unrelated to nf_ct_expect, so we can drop the
_expect_lock. Also note, after removing the _expect_lock protection,
another CPU may invoke nf_conntrack_helper_unregister, so we should
use rcu_read_lock to protect __nf_conntrack_helper_find invoked by
ctnetlink_change_helper.
Fixes: ca7433df3a67 ("netfilter: conntrack: seperate expect locking from
nf_conntrack_lock")
Signed-off-by: Liping Zhang
Signed-off-by: Pablo Neira Ayuso
[bwh: Backported to 3.16:
- ctnetlink_change_helper() still auto-loads modules, so update the unlocking
and re-locking there
- Adjust context]
Signed-off-by: Ben Hutchings
---
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -1384,24 +1384,22 @@ ctnetlink_change_helper(struct nf_conn *
return 0;
}
+ rcu_read_lock();
helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct),
nf_ct_protonum(ct));
if (helper == NULL) {
#ifdef CONFIG_MODULES
- spin_unlock_bh(&nf_conntrack_expect_lock);
+ rcu_read_unlock();
- if (request_module("nfct-helper-%s", helpname) < 0) {
- spin_lock_bh(&nf_conntrack_expect_lock);
+ if (request_module("nfct-helper-%s", helpname) < 0)
return -EOPNOTSUPP;
- }
- spin_lock_bh(&nf_conntrack_expect_lock);
+ rcu_read_lock();
helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct),
nf_ct_protonum(ct));
- if (helper)
- return -EAGAIN;
#endif
- return -EOPNOTSUPP;
+ rcu_read_unlock();
+ return helper ? -EAGAIN : -EOPNOTSUPP;
}
if (help) {
@@ -1409,13 +1407,16 @@ ctnetlink_change_helper(struct nf_conn *
/* update private helper data if allowed. */
if (helper->from_nlattr)
helper->from_nlattr(helpinfo, ct);
- return 0;
+ err = 0;
} else
- return -EBUSY;
+ err = -EBUSY;
+ } else {
+ /* we cannot set a helper for an existing conntrack */
+ err = -EOPNOTSUPP;
}
- /* we cannot set a helper for an existing conntrack */
- return -EOPNOTSUPP;
+ rcu_read_unlock();
+ return err;
}
static inline int
@@ -1831,9 +1832,7 @@ ctnetlink_new_conntrack(struct sock *ctn
err = -EEXIST;
ct = nf_ct_tuplehash_to_ctrack(h);
if (!(nlh->nlmsg_flags & NLM_F_EXCL)) {
- spin_lock_bh(&nf_conntrack_expect_lock);
err = ctnetlink_change_conntrack(ct, cda);
- spin_unlock_bh(&nf_conntrack_expect_lock);
if (err == 0) {
nf_conntrack_eventmask_report((1 << IPCT_REPLY) |
(1 << IPCT_ASSURED) |
@@ -2165,11 +2164,7 @@ ctnetlink_nfqueue_parse(const struct nla
if (ret < 0)
return ret;
- spin_lock_bh(&nf_conntrack_expect_lock);
- ret = ctnetlink_nfqueue_parse_ct((const struct nlattr **)cda, ct);
- spin_unlock_bh(&nf_conntrack_expect_lock);
-
- return ret;
+ return ctnetlink_nfqueue_parse_ct((const struc
[PATCH 3.16 073/134] IB/mlx4: Fix ib device initialization error flow
3.16.47-rc1 review patch. If anyone has any objections, please let me know.
--
From: Jack Morgenstein
commit 99e68909d5aba1861897fe7afc3306c3c81b6de0 upstream.
In mlx4_ib_add, procedure mlx4_ib_alloc_eqs is called to allocate EQs.
However, in the mlx4_ib_add error flow, procedure mlx4_ib_free_eqs is not
called to free the allocated EQs.
Fixes: e605b743f33d ("IB/mlx4: Increase the number of vectors (EQs) available
for ULPs")
Signed-off-by: Jack Morgenstein
Signed-off-by: Leon Romanovsky
Signed-off-by: Doug Ledford
Signed-off-by: Ben Hutchings
---
drivers/infiniband/hw/mlx4/main.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/infiniband/hw/mlx4/main.c
+++ b/drivers/infiniband/hw/mlx4/main.c
@@ -2281,6 +2281,7 @@ err_counter:
mlx4_counter_free(ibdev->dev, ibdev->counters[i - 1]);
err_map:
+ mlx4_ib_free_eqs(dev, ibdev);
iounmap(ibdev->uar_map);
err_uar:
[PATCH 3/3] jfs: Adjust 67 checks for null pointers
From: Markus Elfring
Date: Fri, 18 Aug 2017 15:15:02 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The script “checkpatch.pl” pointed information out like the following.
Comparison to NULL could be written !…
Thus fix the affected source code places.
Signed-off-by: Markus Elfring
---
fs/jfs/jfs_dmap.c | 44 ++--
fs/jfs/jfs_dtree.c| 6 +++---
fs/jfs/jfs_imap.c | 25 -
fs/jfs/jfs_logmgr.c | 18 +-
fs/jfs/jfs_metapage.c | 5 ++---
fs/jfs/jfs_mount.c| 6 +++---
fs/jfs/jfs_txnmgr.c | 6 +++---
fs/jfs/jfs_unicode.c | 3 +--
fs/jfs/jfs_xtree.c| 6 +++---
fs/jfs/namei.c| 3 +--
fs/jfs/resize.c | 2 +-
fs/jfs/super.c| 4 ++--
fs/jfs/xattr.c| 10 +-
13 files changed, 67 insertions(+), 71 deletions(-)
diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index 2d514c7affc2..59a8f86984c2 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -174,14 +174,14 @@ int dbMount(struct inode *ipbmap)
*/
/* allocate memory for the in-memory bmap descriptor */
bmp = kmalloc(sizeof(struct bmap), GFP_KERNEL);
- if (bmp == NULL)
+ if (!bmp)
return -ENOMEM;
/* read the on-disk bmap descriptor. */
mp = read_metapage(ipbmap,
BMAPBLKNO << JFS_SBI(ipbmap->i_sb)->l2nbperpage,
PSIZE, 0);
- if (mp == NULL) {
+ if (!mp) {
kfree(bmp);
return -EIO;
}
@@ -274,7 +274,7 @@ int dbSync(struct inode *ipbmap)
mp = read_metapage(ipbmap,
BMAPBLKNO << JFS_SBI(ipbmap->i_sb)->l2nbperpage,
PSIZE, 0);
- if (mp == NULL) {
+ if (!mp) {
jfs_err("dbSync: read_metapage failed!");
return -EIO;
}
@@ -370,7 +370,7 @@ int dbFree(struct inode *ip, s64 blkno, s64 nblocks)
/* get the buffer for the current dmap. */
lblkno = BLKTODMAP(blkno, bmp->db_l2nbperpage);
mp = read_metapage(ipbmap, lblkno, PSIZE, 0);
- if (mp == NULL) {
+ if (!mp) {
IREAD_UNLOCK(ipbmap);
return -EIO;
}
@@ -464,7 +464,7 @@ dbUpdatePMap(struct inode *ipbmap,
mp = read_metapage(bmp->db_ipbmap, lblkno, PSIZE,
0);
- if (mp == NULL)
+ if (!mp)
return -EIO;
metapage_wait_for_io(mp);
}
@@ -780,7 +780,7 @@ int dbAlloc(struct inode *ip, s64 hint, s64 nblocks, s64 *
results)
rc = -EIO;
lblkno = BLKTODMAP(blkno, bmp->db_l2nbperpage);
mp = read_metapage(ipbmap, lblkno, PSIZE, 0);
- if (mp == NULL)
+ if (!mp)
goto read_unlock;
dp = (struct dmap *) mp->data;
@@ -922,7 +922,7 @@ int dbAllocExact(struct inode *ip, s64 blkno, int nblocks)
/* read in the dmap covering the extent */
lblkno = BLKTODMAP(blkno, bmp->db_l2nbperpage);
mp = read_metapage(ipbmap, lblkno, PSIZE, 0);
- if (mp == NULL) {
+ if (!mp) {
IREAD_UNLOCK(ipbmap);
return -EIO;
}
@@ -1078,7 +1078,7 @@ static int dbExtend(struct inode *ip, s64 blkno, s64
nblocks, s64 addnblocks)
*/
lblkno = BLKTODMAP(extblkno, bmp->db_l2nbperpage);
mp = read_metapage(ipbmap, lblkno, PSIZE, 0);
- if (mp == NULL) {
+ if (!mp) {
IREAD_UNLOCK(ipbmap);
return -EIO;
}
@@ -1421,7 +1421,7 @@ dbAllocAG(struct bmap * bmp, int agno, s64 nblocks, int
l2nb, s64 * results)
*/
lblkno = BLKTOCTL(blkno, bmp->db_l2nbperpage, bmp->db_aglevel);
mp = read_metapage(bmp->db_ipbmap, lblkno, PSIZE, 0);
- if (mp == NULL)
+ if (!mp)
return -EIO;
dcp = (struct dmapctl *) mp->data;
budmin = dcp->budmin;
@@ -1642,7 +1642,7 @@ s64 dbDiscardAG(struct inode *ip, int agno, s64 minlen)
do_div(max_ranges, minlen);
range_cnt = min_t(u64, max_ranges + 1, 32 * 1024);
totrim = kmalloc(sizeof(struct range2trim) * range_cnt, GFP_NOFS);
- if (totrim == NULL) {
+ if (!totrim) {
jfs_error(bmp->db_ipbmap->i_sb, "no memory for trim array\n");
IWRITE_UNLOCK(ipbmap);
return 0;
@@ -1743,7 +1743,7 @@ static int dbFindCtl(struct bmap * bmp, int l2nb, int
level, s64 * blkno)
*/
lblkno = BLKTOCTL(b, bmp->db_l2nbperpage, lev);
mp = read_metapage(bmp->db_ipbmap, lblkno, PSIZE, 0);
- if (mp == NULL)
+ if (!mp)
Re: [PATCH v8 2/2] sched/rt: Add support for SD_PREFER_SIBLING on find_lowest_rq()
On Fri, 18 Aug 2017 17:21:59 +0900 Byungchul Park wrote: > It would be better to try to check other siblings first if > SD_PREFER_SIBLING is flaged when pushing tasks - migration. > > Signed-off-by: Byungchul Park Looks good. Reviewed-by: Steven Rostedt (VMware) -- Steve
[PATCH 3.16 068/134] mwifiex: pcie: fix cmd_buf use-after-free in remove/reset
3.16.47-rc1 review patch. If anyone has any objections, please let me know.
--
From: Brian Norris
commit 3c8cb9ad032d737b874e402c59eb51e3c991a144 upstream.
Command buffers (skb's) are allocated by the main driver, and freed upon
the last use. That last use is often in mwifiex_free_cmd_buffer(). In
the meantime, if the command buffer gets used by the PCI driver, we map
it as DMA-able, and store the mapping information in the 'cb' memory.
However, if a command was in-flight when resetting the device (and
therefore was still mapped), we don't get a chance to unmap this memory
until after the core has cleaned up its command handling.
Let's keep a refcount within the PCI driver, so we ensure the memory
only gets freed after we've finished unmapping it.
Noticed by KASAN when forcing a reset via:
echo 1 > /sys/bus/pci/.../reset
The same code path can presumably be exercised in remove() and
shutdown().
[ 205.390377] mwifiex_pcie :01:00.0: info: shutdown mwifiex...
[ 205.400393]
==
[ 205.407719] BUG: KASAN: use-after-free in
mwifiex_unmap_pci_memory.isra.14+0x4c/0x100 [mwifiex_pcie] at addr
ffc0ad471b28
[ 205.419040] Read of size 16 by task bash/1913
[ 205.423421]
=
[ 205.431625] BUG skbuff_head_cache (Tainted: GB ): kasan: bad
access detected
[ 205.439815]
-
[ 205.439815]
[ 205.449534] INFO: Allocated in __build_skb+0x48/0x114 age=1311 cpu=4 pid=1913
[ 205.456709] alloc_debug_processing+0x124/0x178
[ 205.461282] ___slab_alloc.constprop.58+0x528/0x608
[ 205.466196] __slab_alloc.isra.54.constprop.57+0x44/0x54
[ 205.471542] kmem_cache_alloc+0xcc/0x278
[ 205.475497] __build_skb+0x48/0x114
[ 205.479019] __netdev_alloc_skb+0xe0/0x170
[ 205.483244] mwifiex_alloc_cmd_buffer+0x68/0xdc [mwifiex]
[ 205.488759] mwifiex_init_fw+0x40/0x6cc [mwifiex]
[ 205.493584] _mwifiex_fw_dpc+0x158/0x520 [mwifiex]
[ 205.498491] mwifiex_reinit_sw+0x2c4/0x398 [mwifiex]
[ 205.503510] mwifiex_pcie_reset_notify+0x114/0x15c [mwifiex_pcie]
[ 205.509643] pci_reset_notify+0x5c/0x6c
[ 205.513519] pci_reset_function+0x6c/0x7c
[ 205.517567] reset_store+0x68/0x98
[ 205.521003] dev_attr_store+0x54/0x60
[ 205.524705] sysfs_kf_write+0x9c/0xb0
[ 205.528413] INFO: Freed in __kfree_skb+0xb0/0xbc age=131 cpu=4 pid=1913
[ 205.535064] free_debug_processing+0x264/0x370
[ 205.539550] __slab_free+0x84/0x40c
[ 205.543075] kmem_cache_free+0x1c8/0x2a0
[ 205.547030] __kfree_skb+0xb0/0xbc
[ 205.550465] consume_skb+0x164/0x178
[ 205.554079] __dev_kfree_skb_any+0x58/0x64
[ 205.558304] mwifiex_free_cmd_buffer+0xa0/0x158 [mwifiex]
[ 205.563817] mwifiex_shutdown_drv+0x578/0x5c4 [mwifiex]
[ 205.569164] mwifiex_shutdown_sw+0x178/0x310 [mwifiex]
[ 205.574353] mwifiex_pcie_reset_notify+0xd4/0x15c [mwifiex_pcie]
[ 205.580398] pci_reset_notify+0x5c/0x6c
[ 205.584274] pci_dev_save_and_disable+0x24/0x6c
[ 205.588837] pci_reset_function+0x30/0x7c
[ 205.592885] reset_store+0x68/0x98
[ 205.596324] dev_attr_store+0x54/0x60
[ 205.600017] sysfs_kf_write+0x9c/0xb0
...
[ 205.800488] Call trace:
[ 205.802980] [] dump_backtrace+0x0/0x190
[ 205.808415] [] show_stack+0x20/0x28
[ 205.813506] [] dump_stack+0xa4/0xcc
[ 205.818598] [] print_trailer+0x158/0x168
[ 205.824120] [] object_err+0x4c/0x5c
[ 205.829210] [] kasan_report+0x334/0x500
[ 205.834641] [] check_memory_region+0x20/0x14c
[ 205.840593] [] __asan_loadN+0x14/0x1c
[ 205.845879] [] mwifiex_unmap_pci_memory.isra.14+0x4c/0x100
[mwifiex_pcie]
[ 205.854282] [] mwifiex_pcie_delete_cmdrsp_buf+0x94/0xa8
[mwifiex_pcie]
[ 205.862421] [] mwifiex_pcie_free_buffers+0x11c/0x158
[mwifiex_pcie]
[ 205.870302] [] mwifiex_pcie_down_dev+0x70/0x80
[mwifiex_pcie]
[ 205.877736] [] mwifiex_shutdown_sw+0x190/0x310 [mwifiex]
[ 205.884658] [] mwifiex_pcie_reset_notify+0xd4/0x15c
[mwifiex_pcie]
[ 205.892446] [] pci_reset_notify+0x5c/0x6c
[ 205.898048] [] pci_dev_save_and_disable+0x24/0x6c
[ 205.904350] [] pci_reset_function+0x30/0x7c
[ 205.910134] [] reset_store+0x68/0x98
[ 205.915312] [] dev_attr_store+0x54/0x60
[ 205.920750] [] sysfs_kf_write+0x9c/0xb0
[ 205.926182] [] kernfs_fop_write+0x184/0x1f8
[ 205.931963] [] __vfs_write+0x6c/0x17c
[ 205.937221] [] vfs_write+0xf0/0x1c4
[ 205.942310] [] SyS_write+0x78/0xd8
[ 205.947312] [] el0_svc_naked+0x24/0x28
...
[ 205.998268]
==
This bug has been around in different forms for a while. It was sort of
noticed in commit 955ab095c51a ("mwifiex: Do not kfree cmd buf while
unregistering PCIe"), but it just fixed the double-free, without
acknowledging the potential for use-after-free.
Fixes: fc3314609047 ("mwifiex: use pci_alloc/free_consistent APIs for PCIe")
Signed-off-by: Brian Norris
Si
[PATCH 3.16 072/134] HSI: ssi_protocol: double free in ssip_pn_xmit()
3.16.47-rc1 review patch. If anyone has any objections, please let me know.
--
From: Dan Carpenter
commit 3026050179a3a9a6f5c892c414b5e36ecf092081 upstream.
If skb_pad() fails then it frees skb and we don't need to free it again
at the end of the function.
Fixes: dc7bf5d7 ("HSI: Introduce driver for SSI Protocol")
Signed-off-by: Dan Carpenter
Signed-off-by: Sebastian Reichel
Signed-off-by: Ben Hutchings
---
drivers/hsi/clients/ssi_protocol.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/drivers/hsi/clients/ssi_protocol.c
+++ b/drivers/hsi/clients/ssi_protocol.c
@@ -976,7 +976,7 @@ static int ssip_pn_xmit(struct sk_buff *
goto drop;
/* Pad to 32-bits - FIXME: Revisit*/
if ((skb->len & 3) && skb_pad(skb, 4 - (skb->len & 3)))
- goto drop;
+ goto inc_dropped;
/*
* Modem sends Phonet messages over SSI with its own endianess...
@@ -1028,8 +1028,9 @@ static int ssip_pn_xmit(struct sk_buff *
drop2:
hsi_free_msg(msg);
drop:
- dev->stats.tx_dropped++;
dev_kfree_skb(skb);
+inc_dropped:
+ dev->stats.tx_dropped++;
return 0;
}
[PATCH 3.16 071/134] IB/ipoib: Update broadcast object if PKey value was changed in index 0
3.16.47-rc1 review patch. If anyone has any objections, please let me know.
--
From: Feras Daoud
commit 9a9b8112699d78e7f317019b37f377e90023f3ed upstream.
Update the broadcast address in the priv->broadcast object when the
Pkey value changes in index 0, otherwise the multicast GID value will
keep the previous value of the PKey, and will not be updated.
This leads to interface state down because the interface will keep the
old PKey value.
For example, in SR-IOV environment, if the PF changes the value of PKey
index 0 for one of the VFs, then the VF receives PKey change event that
triggers heavy flush. This flush calls update_parent_pkey that update the
broadcast object and its relevant members. If in this case the multicast
GID will not be updated, the interface state will be down.
Fixes: c2904141696e ("IPoIB: Fix pkey change flow for virtualization
environments")
Signed-off-by: Feras Daoud
Signed-off-by: Erez Shitrit
Reviewed-by: Alex Vesker
Signed-off-by: Leon Romanovsky
Signed-off-by: Doug Ledford
Signed-off-by: Ben Hutchings
---
drivers/infiniband/ulp/ipoib/ipoib_ib.c | 13 +
1 file changed, 13 insertions(+)
--- a/drivers/infiniband/ulp/ipoib/ipoib_ib.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_ib.c
@@ -961,6 +961,19 @@ static inline int update_parent_pkey(str
*/
priv->dev->broadcast[8] = priv->pkey >> 8;
priv->dev->broadcast[9] = priv->pkey & 0xff;
+
+ /*
+* Update the broadcast address in the priv->broadcast object,
+* in case it already exists, otherwise no one will do that.
+*/
+ if (priv->broadcast) {
+ spin_lock_irq(&priv->lock);
+ memcpy(priv->broadcast->mcmember.mgid.raw,
+ priv->dev->broadcast + 4,
+ sizeof(union ib_gid));
+ spin_unlock_irq(&priv->lock);
+ }
+
return 0;
}
[PATCH 3.16 070/134] NFS: Use GFP_NOIO for two allocations in writeback
3.16.47-rc1 review patch. If anyone has any objections, please let me know.
--
From: Benjamin Coddington
commit ae97aa524ef495b6276fd26f5d5449fb22975d7c upstream.
Prevent a deadlock that can occur if we wait on allocations
that try to write back our pages.
Signed-off-by: Benjamin Coddington
Fixes: 00bfa30abe869 ("NFS: Create a common pgio_alloc and pgio_release...")
Signed-off-by: Trond Myklebust
[bwh: Backported to 3.16:
- Drop changes in nfs_pageio_init()
- Adjust context]
Signed-off-by: Ben Hutchings
---
fs/nfs/pagelist.c | 15 +++
1 file changed, 11 insertions(+), 4 deletions(-)
--- a/fs/nfs/pagelist.c
+++ b/fs/nfs/pagelist.c
@@ -29,13 +29,14 @@
static struct kmem_cache *nfs_page_cachep;
static const struct rpc_call_ops nfs_pgio_common_ops;
-static bool nfs_pgarray_set(struct nfs_page_array *p, unsigned int pagecount)
+static bool nfs_pgarray_set(struct nfs_page_array *p, unsigned int pagecount,
+ gfp_t gfp_flags)
{
p->npages = pagecount;
if (pagecount <= ARRAY_SIZE(p->page_array))
p->pagevec = p->page_array;
else {
- p->pagevec = kcalloc(pagecount, sizeof(struct page *),
GFP_KERNEL);
+ p->pagevec = kcalloc(pagecount, sizeof(struct page *),
gfp_flags);
if (!p->pagevec)
p->npages = 0;
}
@@ -739,9 +740,12 @@ int nfs_generic_pgio(struct nfs_pageio_d
struct list_head *head = &desc->pg_list;
struct nfs_commit_info cinfo;
unsigned int pagecount, pageused;
+ gfp_t gfp_flags = GFP_KERNEL;
pagecount = nfs_page_array_len(desc->pg_base, desc->pg_count);
- if (!nfs_pgarray_set(&hdr->page_array, pagecount))
+ if (desc->pg_rw_ops->rw_mode == FMODE_WRITE)
+ gfp_flags = GFP_NOIO;
+ if (!nfs_pgarray_set(&hdr->page_array, pagecount, gfp_flags))
return nfs_pgio_error(desc, hdr);
nfs_init_cinfo(&cinfo, desc->pg_inode, desc->pg_dreq);
[PATCH 3.16 064/134] [media] ov2640: fix vflip control
3.16.47-rc1 review patch. If anyone has any objections, please let me know.
--
From: Frank Schaefer
commit 7f140fc2064bcd23e0490d8210650e2ef21c1c89 upstream.
Enabling vflip currently causes wrong colors.
It seems that (at least with the current sensor setup) REG04_VFLIP_IMG only
changes the vertical readout direction.
Because pixels are arranged RGRG... in odd lines and GBGB... in even lines,
either a one line shift or even/odd line swap is required, too, but
apparently this doesn't happen.
I finally figured out that this can be done manually by setting
REG04_VREF_EN.
Looking at hflip, it turns out that bit REG04_HREF_EN is set there
permanetly, but according to my tests has no effect on the pixel readout
order.
So my conclusion is that the current documentation of sensor register 0x04
is wrong (has changed after preliminary datasheet version 2.2).
I'm pretty sure that automatic vertical line shift/switch can be enabled,
too, but until anyone finds ot how this works, we have to stick with manual
switching.
Signed-off-by: Frank Schäfer
Signed-off-by: Mauro Carvalho Chehab
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings
---
drivers/media/i2c/soc_camera/ov2640.c | 6 --
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/drivers/media/i2c/soc_camera/ov2640.c
+++ b/drivers/media/i2c/soc_camera/ov2640.c
@@ -713,8 +713,10 @@ static int ov2640_s_ctrl(struct v4l2_ctr
switch (ctrl->id) {
case V4L2_CID_VFLIP:
- val = ctrl->val ? REG04_VFLIP_IMG : 0x00;
- return ov2640_mask_set(client, REG04, REG04_VFLIP_IMG, val);
+ val = ctrl->val ? REG04_VFLIP_IMG | REG04_VREF_EN : 0x00;
+ return ov2640_mask_set(client, REG04,
+ REG04_VFLIP_IMG | REG04_VREF_EN, val);
+ /* NOTE: REG04_VREF_EN: 1 line shift / even/odd line swap */
case V4L2_CID_HFLIP:
val = ctrl->val ? REG04_HFLIP_IMG : 0x00;
return ov2640_mask_set(client, REG04, REG04_HFLIP_IMG, val);
[PATCH 3.16 065/134] ath9k: off by one in ath9k_hw_nvram_read_array()
3.16.47-rc1 review patch. If anyone has any objections, please let me know.
--
From: Dan Carpenter
commit b7dcf68f383a05567bd16a390907b67022a62d3d upstream.
The > should be >= or we read one space beyond the end of the array.
Fixes: ab5c4f71d8c7 ("ath9k: allow to load EEPROM content via firmware API")
Signed-off-by: Dan Carpenter
Signed-off-by: Kalle Valo
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings
---
drivers/net/wireless/ath/ath9k/eeprom.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/wireless/ath/ath9k/eeprom.c
+++ b/drivers/net/wireless/ath/ath9k/eeprom.c
@@ -118,7 +118,7 @@ static bool ath9k_hw_nvram_read_blob(str
{
u16 *blob_data;
- if (off * sizeof(u16) > ah->eeprom_blob->size)
+ if (off * sizeof(u16) >= ah->eeprom_blob->size)
return false;
blob_data = (u16 *)ah->eeprom_blob->data;
[PATCH 3.16 060/134] PCI: Freeze PME scan before suspending devices
3.16.47-rc1 review patch. If anyone has any objections, please let me know.
--
From: Lukas Wunner
commit ea00353f36b64375518662a8ad15e39218a1f324 upstream.
Laurent Pinchart reported that the Renesas R-Car H2 Lager board (r8a7790)
crashes during suspend tests. Geert Uytterhoeven managed to reproduce the
issue on an M2-W Koelsch board (r8a7791):
It occurs when the PME scan runs, once per second. During PME scan, the
PCI host bridge (rcar-pci) registers are accessed while its module clock
has already been disabled, leading to the crash.
One reproducer is to configure s2ram to use "s2idle" instead of "deep"
suspend:
# echo 0 > /sys/module/printk/parameters/console_suspend
# echo s2idle > /sys/power/mem_sleep
# echo mem > /sys/power/state
Another reproducer is to write either "platform" or "processors" to
/sys/power/pm_test. It does not (or is less likely) to happen during full
system suspend ("core" or "none") because system suspend also disables
timers, and thus the workqueue handling PME scans no longer runs. Geert
believes the issue may still happen in the small window between disabling
module clocks and disabling timers:
# echo 0 > /sys/module/printk/parameters/console_suspend
# echo platform > /sys/power/pm_test# Or "processors"
# echo mem > /sys/power/state
(Make sure CONFIG_PCI_RCAR_GEN2 and CONFIG_USB_OHCI_HCD_PCI are enabled.)
Rafael Wysocki agrees that PME scans should be suspended before the host
bridge registers become inaccessible. To that end, queue the task on a
workqueue that gets frozen before devices suspend.
Rafael notes however that as a result, some wakeup events may be missed if
they are delivered via PME from a device without working IRQ (which hence
must be polled) and occur after the workqueue has been frozen. If that
turns out to be an issue in practice, it may be possible to solve it by
calling pci_pme_list_scan() once directly from one of the host bridge's
pm_ops callbacks.
Stacktrace for posterity:
PM: Syncing filesystems ... [ 38.566237] done.
PM: Preparing system for sleep (mem)
Freezing user space processes ... [ 38.579813] (elapsed 0.001 seconds) done.
Freezing remaining freezable tasks ... (elapsed 0.001 seconds) done.
PM: Suspending system (mem)
PM: suspend of devices complete after 152.456 msecs
PM: late suspend of devices complete after 2.809 msecs
PM: noirq suspend of devices complete after 29.863 msecs
suspend debug: Waiting for 5 second(s).
Unhandled fault: asynchronous external abort (0x1211) at 0x
pgd = c0003000
[] *pgd=8040004003, *pmd=
Internal error: : 1211 [#1] SMP ARM
Modules linked in:
CPU: 1 PID: 20 Comm: kworker/1:1 Not tainted
4.9.0-rc1-koelsch-00011-g68db9bc814362e7f #3383
Hardware name: Generic R8A7791 (Flattened Device Tree)
Workqueue: events pci_pme_list_scan
task: eb56e140 task.stack: eb58e000
PC is at pci_generic_config_read+0x64/0x6c
LR is at rcar_pci_cfg_base+0x64/0x84
pc : []lr : []psr: 600d0093
sp : eb58fe98 ip : c041d750 fp : 0008
r10: c0e2283c r9 : r8 : 600d0013
r7 : 0008 r6 : eb58fed6 r5 : 0002 r4 : eb58feb4
r3 : r2 : 0044 r1 : 0008 r0 :
Flags: nZCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment user
Control: 30c5387d Table: 6a9f6c80 DAC:
Process kworker/1:1 (pid: 20, stack limit = 0xeb58e210)
Stack: (0xeb58fe98 to 0xeb59)
fe80: 0002 0044
fea0: eb6f5800 c041d9b0 eb58feb4 0008 0044 eb78a000 eb78a000
fec0: 0044 eb9aff00 c0424bf0 eb78a000 eb78a000 c0e22830
fee0: ea8a6fc0 c0424c5c eaae79c0 c0424ce0 eb55f380 c0e22838 eb9a9800 c0235fbc
ff00: eb55f380 c0e22838 eb55f380 eb9a9800 eb9a9800 eb58e000 eb9a9824 c0e02100
ff20: eb55f398 c02366c4 eb56e140 eb5631c0 eb55f380 c023641c
ff40: c023a928 cd105598 40506a34 eb55f380
ff60: dead4ead eb58ff74 eb58ff74
ff80: dead4ead eb58ff90 eb58ff90 eb58ffac eb5631c0
ffa0: c023a844 c0206d68
ffc0:
ffe0: 0013 3a81336c 10ccd1dd
[] (pci_generic_config_read) from []
(pci_bus_read_config_word+0x58/0x80)
[] (pci_bus_read_config_word) from []
(pci_check_pme_status+0x34/0x78)
[] (pci_check_pme_status) from []
(pci_pme_wakeup+0x28/0x54)
[] (pci_pme_wakeup) from [] (pci_pme_list_scan+0x58/0xb4)
[] (pci_pme_list_scan) from []
(process_one_work+0x1bc/0x308)
[] (process_one_work) from [] (worker_thread+0x2a8/0x3e0)
[] (worker_thread) from [] (kthread+0xe4/0xfc)
[] (kthread) from [] (ret_from_fork+0x14/0x2c)
Code: ea00 e5903000 f57ff04f e3a0 (e5843000)
---[
[PATCH 3.16 067/134] usb: host: xhci: print correct command ring address
3.16.47-rc1 review patch. If anyone has any objections, please let me know. -- From: Peter Chen commit 6fc091fb0459ade939a795bfdcaf645385b951d4 upstream. Print correct command ring address using 'val_64'. Signed-off-by: Peter Chen Signed-off-by: Mathias Nyman Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings --- drivers/usb/host/xhci-mem.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/usb/host/xhci-mem.c +++ b/drivers/usb/host/xhci-mem.c @@ -2459,7 +2459,7 @@ int xhci_mem_init(struct xhci_hcd *xhci, (xhci->cmd_ring->first_seg->dma & (u64) ~CMD_RING_RSVD_BITS) | xhci->cmd_ring->cycle_state; xhci_dbg_trace(xhci, trace_xhci_dbg_init, - "// Setting command ring address to 0x%x", val); + "// Setting command ring address to 0x%016llx", val_64); xhci_write_64(xhci, val_64, &xhci->op_regs->cmd_ring); xhci_dbg_cmd_ptrs(xhci);
[PATCH 3.16 066/134] KVM: arm/arm64: fix races in kvm_psci_vcpu_on
3.16.47-rc1 review patch. If anyone has any objections, please let me know.
--
From: Andrew Jones
commit 6c7a5dce22b3f3cc44be098e2837fa6797edb8b8 upstream.
Fix potential races in kvm_psci_vcpu_on() by taking the kvm->lock
mutex. In general, it's a bad idea to allow more than one PSCI_CPU_ON
to process the same target VCPU at the same time. One such problem
that may arise is that one PSCI_CPU_ON could be resetting the target
vcpu, which fills the entire sys_regs array with a temporary value
including the MPIDR register, while another looks up the VCPU based
on the MPIDR value, resulting in no target VCPU found. Resolves both
races found with the kvm-unit-tests/arm/psci unit test.
Reviewed-by: Marc Zyngier
Reviewed-by: Christoffer Dall
Reported-by: Levente Kurusa
Suggested-by: Christoffer Dall
Signed-off-by: Andrew Jones
Signed-off-by: Christoffer Dall
Signed-off-by: Ben Hutchings
---
arch/arm/kvm/psci.c | 8 +++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/arch/arm/kvm/psci.c
+++ b/arch/arm/kvm/psci.c
@@ -191,9 +191,10 @@ int kvm_psci_version(struct kvm_vcpu *vc
static int kvm_psci_0_2_call(struct kvm_vcpu *vcpu)
{
- int ret = 1;
+ struct kvm *kvm = vcpu->kvm;
unsigned long psci_fn = *vcpu_reg(vcpu, 0) & ~((u32) 0);
unsigned long val;
+ int ret = 1;
switch (psci_fn) {
case PSCI_0_2_FN_PSCI_VERSION:
@@ -213,7 +214,9 @@ static int kvm_psci_0_2_call(struct kvm_
break;
case PSCI_0_2_FN_CPU_ON:
case PSCI_0_2_FN64_CPU_ON:
+ mutex_lock(&kvm->lock);
val = kvm_psci_vcpu_on(vcpu);
+ mutex_unlock(&kvm->lock);
break;
case PSCI_0_2_FN_AFFINITY_INFO:
case PSCI_0_2_FN64_AFFINITY_INFO:
@@ -269,6 +272,7 @@ static int kvm_psci_0_2_call(struct kvm_
static int kvm_psci_0_1_call(struct kvm_vcpu *vcpu)
{
+ struct kvm *kvm = vcpu->kvm;
unsigned long psci_fn = *vcpu_reg(vcpu, 0) & ~((u32) 0);
unsigned long val;
@@ -278,7 +282,9 @@ static int kvm_psci_0_1_call(struct kvm_
val = PSCI_RET_SUCCESS;
break;
case KVM_PSCI_FN_CPU_ON:
+ mutex_lock(&kvm->lock);
val = kvm_psci_vcpu_on(vcpu);
+ mutex_unlock(&kvm->lock);
break;
case KVM_PSCI_FN_CPU_SUSPEND:
case KVM_PSCI_FN_MIGRATE:
[PATCH 3.2 45/59] net: ethernet: ucc_geth: fix MEM_PART_MURAM mode
3.2.92-rc1 review patch. If anyone has any objections, please let me know.
--
From: Christophe Leroy
commit 8b8642af15ed14b9a7a34d3401afbcc274533e13 upstream.
Since commit 5093bb965a163 ("powerpc/QE: switch to the cpm_muram
implementation"), muram area is not part of immrbar mapping anymore
so immrbar_virt_to_phys() is not usable anymore.
Fixes: 5093bb965a163 ("powerpc/QE: switch to the cpm_muram implementation")
Signed-off-by: Christophe Leroy
Acked-by: David S. Miller
Acked-by: Li Yang
Signed-off-by: Scott Wood
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings
---
arch/powerpc/include/asm/qe.h | 1 +
drivers/net/ethernet/freescale/ucc_geth.c | 8 +++-
2 files changed, 4 insertions(+), 5 deletions(-)
--- a/arch/powerpc/include/asm/qe.h
+++ b/arch/powerpc/include/asm/qe.h
@@ -193,6 +193,7 @@ static inline int qe_alive_during_sleep(
#define qe_muram_free cpm_muram_free
#define qe_muram_addr cpm_muram_addr
#define qe_muram_offset cpm_muram_offset
+#define qe_muram_dma cpm_muram_dma
/* Structure that defines QE firmware binary files.
*
--- a/drivers/net/ethernet/freescale/ucc_geth.c
+++ b/drivers/net/ethernet/freescale/ucc_geth.c
@@ -2591,11 +2591,10 @@ static int ucc_geth_startup(struct ucc_g
} else if (ugeth->ug_info->uf_info.bd_mem_part ==
MEM_PART_MURAM) {
out_be32(&ugeth->p_send_q_mem_reg->sqqd[i].bd_ring_base,
-(u32) immrbar_virt_to_phys(ugeth->
- p_tx_bd_ring[i]));
+(u32)qe_muram_dma(ugeth->p_tx_bd_ring[i]));
out_be32(&ugeth->p_send_q_mem_reg->sqqd[i].
last_bd_completed_address,
-(u32) immrbar_virt_to_phys(endOfRing));
+(u32)qe_muram_dma(endOfRing));
}
}
@@ -2856,8 +2855,7 @@ static int ucc_geth_startup(struct ucc_g
} else if (ugeth->ug_info->uf_info.bd_mem_part ==
MEM_PART_MURAM) {
out_be32(&ugeth->p_rx_bd_qs_tbl[i].externalbdbaseptr,
-(u32) immrbar_virt_to_phys(ugeth->
- p_rx_bd_ring[i]));
+(u32)qe_muram_dma(ugeth->p_rx_bd_ring[i]));
}
/* rest of fields handled by QE */
}
[PATCH 3.16 053/134] net: ipv6: send unsolicited NA on admin up
3.16.47-rc1 review patch. If anyone has any objections, please let me know.
--
From: David Ahern
commit 4a6e3c5def13c91adf2acc613837001f09af3baa upstream.
ndisc_notify is the ipv6 equivalent to arp_notify. When arp_notify is
set to 1, gratuitous arp requests are sent when the device is brought up.
The same is expected when ndisc_notify is set to 1 (per ndisc_notify in
Documentation/networking/ip-sysctl.txt). The NA is not sent on NETDEV_UP
event; add it.
Fixes: 5cb04436eef6 ("ipv6: add knob to send unsolicited ND on link-layer
address change")
Signed-off-by: David Ahern
Acked-by: Hannes Frederic Sowa
Signed-off-by: David S. Miller
Signed-off-by: Ben Hutchings
---
net/ipv6/ndisc.c | 2 ++
1 file changed, 2 insertions(+)
--- a/net/ipv6/ndisc.c
+++ b/net/ipv6/ndisc.c
@@ -1605,6 +1605,8 @@ static int ndisc_netdev_event(struct not
case NETDEV_CHANGEADDR:
neigh_changeaddr(&nd_tbl, dev);
fib6_run_gc(0, net, false);
+ /* fallthrough */
+ case NETDEV_UP:
idev = in6_dev_get(dev);
if (!idev)
break;
[PATCH 3.16 061/134] USB: serial: ftdi_sio: add device ID for Microsemi/Arrow SF2PLUS Dev Kit
3.16.47-rc1 review patch. If anyone has any objections, please let me know.
--
From: Marek Vasut
commit 31c5d1922b90ddc1da6a6ddecef7cd31f17aa32b upstream.
This development kit has an FT4232 on it with a custom USB VID/PID.
The FT4232 provides four UARTs, but only two are used. The UART 0
is used by the FlashPro5 programmer and UART 2 is connected to the
SmartFusion2 CortexM3 SoC UART port.
Note that the USB VID is registered to Actel according to Linux USB
VID database, but that was acquired by Microsemi.
Signed-off-by: Marek Vasut
Signed-off-by: Johan Hovold
Signed-off-by: Ben Hutchings
---
drivers/usb/serial/ftdi_sio.c | 1 +
drivers/usb/serial/ftdi_sio_ids.h | 6 ++
2 files changed, 7 insertions(+)
--- a/drivers/usb/serial/ftdi_sio.c
+++ b/drivers/usb/serial/ftdi_sio.c
@@ -886,6 +886,7 @@ static const struct usb_device_id id_tab
{ USB_DEVICE_AND_INTERFACE_INFO(MICROCHIP_VID, MICROCHIP_USB_BOARD_PID,
USB_CLASS_VENDOR_SPEC,
USB_SUBCLASS_VENDOR_SPEC, 0x00) },
+ { USB_DEVICE_INTERFACE_NUMBER(ACTEL_VID,
MICROSEMI_ARROW_SF2PLUS_BOARD_PID, 2) },
{ USB_DEVICE(JETI_VID, JETI_SPC1201_PID) },
{ USB_DEVICE(MARVELL_VID, MARVELL_SHEEVAPLUG_PID),
.driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
--- a/drivers/usb/serial/ftdi_sio_ids.h
+++ b/drivers/usb/serial/ftdi_sio_ids.h
@@ -873,6 +873,12 @@
#defineFIC_VID 0x1457
#defineFIC_NEO1973_DEBUG_PID 0x5118
+/*
+ * Actel / Microsemi
+ */
+#define ACTEL_VID 0x1514
+#define MICROSEMI_ARROW_SF2PLUS_BOARD_PID 0x2008
+
/* Olimex */
#define OLIMEX_VID 0x15BA
#define OLIMEX_ARM_USB_OCD_PID 0x0003
[PATCH 3.16 063/134] [media] dw2102: limit messages to buffer size
3.16.47-rc1 review patch. If anyone has any objections, please let me know.
--
From: Alyssa Milburn
commit 950e252cb469f323740d78e4907843acef89eedb upstream.
Otherwise the i2c transfer functions can read or write beyond the end of
stack or heap buffers.
Signed-off-by: Alyssa Milburn
Signed-off-by: Mauro Carvalho Chehab
[bwh: Backported to 3.16:
- Use obuf instead of state->data
- Adjust context]
Signed-off-by: Ben Hutchings
---
drivers/media/usb/dvb-usb/dw2102.c | 54 ++
1 file changed, 54 insertions(+)
--- a/drivers/media/usb/dvb-usb/dw2102.c
+++ b/drivers/media/usb/dvb-usb/dw2102.c
@@ -247,6 +247,20 @@ static int dw2102_serit_i2c_transfer(str
switch (num) {
case 2:
+ if (msg[0].len != 1) {
+ warn("i2c rd: len=%d is not 1!\n",
+msg[0].len);
+ num = -EOPNOTSUPP;
+ break;
+ }
+
+ if (2 + msg[1].len > sizeof(buf6)) {
+ warn("i2c rd: len=%d is too big!\n",
+msg[1].len);
+ num = -EOPNOTSUPP;
+ break;
+ }
+
/* read si2109 register by number */
buf6[0] = msg[0].addr << 1;
buf6[1] = msg[0].len;
@@ -262,6 +276,13 @@ static int dw2102_serit_i2c_transfer(str
case 1:
switch (msg[0].addr) {
case 0x68:
+ if (2 + msg[0].len > sizeof(buf6)) {
+ warn("i2c wr: len=%d is too big!\n",
+msg[0].len);
+ num = -EOPNOTSUPP;
+ break;
+ }
+
/* write to si2109 register */
buf6[0] = msg[0].addr << 1;
buf6[1] = msg[0].len;
@@ -305,6 +326,13 @@ static int dw2102_earda_i2c_transfer(str
/* first write first register number */
u8 ibuf[MAX_XFER_SIZE], obuf[3];
+ if (2 + msg[0].len != sizeof(obuf)) {
+ warn("i2c rd: len=%d is not 1!\n",
+msg[0].len);
+ ret = -EOPNOTSUPP;
+ goto unlock;
+ }
+
if (2 + msg[1].len > sizeof(ibuf)) {
warn("i2c rd: len=%d is too big!\n",
msg[1].len);
@@ -505,6 +533,12 @@ static int dw3101_i2c_transfer(struct i2
/* first write first register number */
u8 ibuf[MAX_XFER_SIZE], obuf[3];
+ if (2 + msg[0].len != sizeof(obuf)) {
+ warn("i2c rd: len=%d is not 1!\n",
+msg[0].len);
+ ret = -EOPNOTSUPP;
+ goto unlock;
+ }
if (2 + msg[1].len > sizeof(ibuf)) {
warn("i2c rd: len=%d is too big!\n",
msg[1].len);
@@ -730,6 +764,13 @@ static int su3000_i2c_transfer(struct i2
msg[0].buf[0] = ibuf[1];
break;
default:
+ if (3 + msg[0].len > sizeof(obuf)) {
+ warn("i2c wr: len=%d is too big!\n",
+msg[0].len);
+ num = -EOPNOTSUPP;
+ break;
+ }
+
/* always i2c write*/
obuf[0] = 0x08;
obuf[1] = msg[0].addr;
@@ -745,6 +786,19 @@ static int su3000_i2c_transfer(struct i2
break;
case 2:
/* always i2c read */
+ if (4 + msg[0].len > sizeof(obuf)) {
+ warn("i2c rd: len=%d is too big!\n",
+msg[0].len);
+ num = -EOPNOTSUPP;
+ break;
+ }
+ if (1 + msg[1].len > sizeof(obuf)) {
+ warn("i2c rd: len=%d is too big!\n",
+msg[1].len);
+ num = -EOPNOTSUPP;
+ break;
+ }
+
obuf[0] = 0x09;
obuf[1] = msg[0].len;
obuf[2] = msg[1].len;
[PATCH 3.16 062/134] [media] ttusb2: limit messages to buffer size
3.16.47-rc1 review patch. If anyone has any objections, please let me know.
--
From: Alyssa Milburn
commit a12b8ab8c5ff7ccd7b107a564743507c850a441d upstream.
Otherwise ttusb2_i2c_xfer can read or write beyond the end of static and
heap buffers.
Signed-off-by: Alyssa Milburn
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Ben Hutchings
---
drivers/media/usb/dvb-usb/ttusb2.c | 19 +++
1 file changed, 19 insertions(+)
--- a/drivers/media/usb/dvb-usb/ttusb2.c
+++ b/drivers/media/usb/dvb-usb/ttusb2.c
@@ -78,6 +78,9 @@ static int ttusb2_msg(struct dvb_usb_dev
u8 *s, *r = NULL;
int ret = 0;
+ if (4 + rlen > 64)
+ return -EIO;
+
s = kzalloc(wlen+4, GFP_KERNEL);
if (!s)
return -ENOMEM;
@@ -381,6 +384,22 @@ static int ttusb2_i2c_xfer(struct i2c_ad
write_read = i+1 < num && (msg[i+1].flags & I2C_M_RD);
read = msg[i].flags & I2C_M_RD;
+ if (3 + msg[i].len > sizeof(obuf)) {
+ err("i2c wr len=%d too high", msg[i].len);
+ break;
+ }
+ if (write_read) {
+ if (3 + msg[i+1].len > sizeof(ibuf)) {
+ err("i2c rd len=%d too high", msg[i+1].len);
+ break;
+ }
+ } else if (read) {
+ if (3 + msg[i].len > sizeof(ibuf)) {
+ err("i2c rd len=%d too high", msg[i].len);
+ break;
+ }
+ }
+
obuf[0] = (msg[i].addr << 1) | (write_read | read);
if (read)
obuf[1] = 0;
[PATCH 3.16 057/134] PCI: Ignore write combining when mapping I/O port space
3.16.47-rc1 review patch. If anyone has any objections, please let me know.
--
From: Bjorn Helgaas
commit 3a92c319c44a7bcee9f48dff9d97d001943b54c6 upstream.
PCI exposes files like /proc/bus/pci/00/00.0 in procfs. These files
support operations like this:
ioctl(fd, PCIIOC_MMAP_IS_IO); # request I/O port space
ioctl(fd, PCIIOC_WRITE_COMBINE, 1); # request write-combining
mmap(fd, ...)
Write combining is useful on PCI memory space, but I don't think it makes
sense on PCI I/O port space.
We *could* change proc_bus_pci_ioctl() to make it impossible to set
mmap_state == pci_mmap_io and write_combine at the same time, but that
would break the following sequence, which is currently legal:
mmap(fd, ...) # default is I/O, non-combining
ioctl(fd, PCIIOC_WRITE_COMBINE, 1); # request write-combining
ioctl(fd, PCIIOC_MMAP_IS_MEM); # request memory space
mmap(fd, ...) # get write-combining mapping
Ignore the write-combining flag when mapping I/O port space.
This patch should have no functional effect, based on this analysis of all
implementations of pci_mmap_page_range():
- ia64 mips parisc sh unicore32 x86 do not support mapping of I/O port
space at all.
- arm cris microblaze mn10300 sparc xtensa support mapping of I/O port
space, but ignore the write_combine argument to pci_mmap_page_range().
- powerpc supports mapping of I/O port space and uses write_combine, and
it disables write combining for I/O port space in
__pci_mmap_set_pgprot().
This patch makes it possible to remove __pci_mmap_set_pgprot() from
powerpc, which simplifies that path.
Signed-off-by: Bjorn Helgaas
Signed-off-by: Ben Hutchings
---
drivers/pci/proc.c | 9 ++---
1 file changed, 6 insertions(+), 3 deletions(-)
--- a/drivers/pci/proc.c
+++ b/drivers/pci/proc.c
@@ -231,7 +231,7 @@ static int proc_bus_pci_mmap(struct file
{
struct pci_dev *dev = PDE_DATA(file_inode(file));
struct pci_filp_private *fpriv = file->private_data;
- int i, ret;
+ int i, ret, write_combine;
if (!capable(CAP_SYS_RAWIO))
return -EPERM;
@@ -245,9 +245,12 @@ static int proc_bus_pci_mmap(struct file
if (i >= PCI_ROM_RESOURCE)
return -ENODEV;
+ if (fpriv->mmap_state == pci_mmap_mem)
+ write_combine = fpriv->write_combine;
+ else
+ write_combine = 0;
ret = pci_mmap_page_range(dev, vma,
- fpriv->mmap_state,
- fpriv->write_combine);
+ fpriv->mmap_state, write_combine);
if (ret < 0)
return ret;
[PATCH 3.16 048/134] perf/x86/pebs: Fix handling of PEBS buffer overflows
3.16.47-rc1 review patch. If anyone has any objections, please let me know.
--
From: Stephane Eranian
commit daa864b8f8e34477bde817f26d736d89dc6032f3 upstream.
This patch solves a race condition between PEBS and the PMU handler.
In case multiple PEBS events are sampled at the same time,
it is possible to have GLOBAL_STATUS bit 62 set indicating
PEBS buffer overflow and also seeing at most 3 PEBS counters
having their bits set in the status register. This is a sign
that there was at least one PEBS record pending at the time
of the PMU interrupt. PEBS counters must only be processed
via the drain_pebs() calls, and not via the regular sample
processing loop coming after that the function, otherwise
phony regular samples may be generated in the sampling buffer
not marked with the EXACT tag.
Another possibility is to have one PEBS event and at least
one non-PEBS event whic hoverflows while PEBS has armed. In this
case, bit 62 of GLOBAL_STATUS will not be set, yet the overflow
status bit for the PEBS counter will be on Skylake.
To avoid this problem, we systematically ignore the PEBS-enabled
counters from the GLOBAL_STATUS mask and we always process PEBS
events via drain_pebs().
The problem manifested itself by having non-exact samples when
sampling only PEBS events, i.e., the PERF_SAMPLE_RECORD would
not have the EXACT flag set.
Note that this problem is only present on Skylake processor.
This fix is harmless on older processors.
Reported-by: Peter Zijlstra
Signed-off-by: Stephane Eranian
Signed-off-by: Peter Zijlstra (Intel)
Cc: Alexander Shishkin
Cc: Arnaldo Carvalho de Melo
Cc: Jiri Olsa
Cc: Linus Torvalds
Cc: Thomas Gleixner
Cc: Vince Weaver
Link:
http://lkml.kernel.org/r/1482395366-8992-1-git-send-email-eran...@google.com
Signed-off-by: Ingo Molnar
[bwh: Backported to 3.16: adjust filename, context]
Signed-off-by: Ben Hutchings
---
arch/x86/kernel/cpu/perf_event_intel.c | 30 +-
1 file changed, 21 insertions(+), 9 deletions(-)
--- a/arch/x86/kernel/cpu/perf_event_intel.c
+++ b/arch/x86/kernel/cpu/perf_event_intel.c
@@ -1402,20 +1402,33 @@ again:
}
/*
+* In case multiple PEBS events are sampled at the same time,
+* it is possible to have GLOBAL_STATUS bit 62 set indicating
+* PEBS buffer overflow and also seeing at most 3 PEBS counters
+* having their bits set in the status register. This is a sign
+* that there was at least one PEBS record pending at the time
+* of the PMU interrupt. PEBS counters must only be processed
+* via the drain_pebs() calls and not via the regular sample
+* processing loop coming after that the function, otherwise
+* phony regular samples may be generated in the sampling buffer
+* not marked with the EXACT tag. Another possibility is to have
+* one PEBS event and at least one non-PEBS event whic hoverflows
+* while PEBS has armed. In this case, bit 62 of GLOBAL_STATUS will
+* not be set, yet the overflow status bit for the PEBS counter will
+* be on Skylake.
+*
+* To avoid this problem, we systematically ignore the PEBS-enabled
+* counters from the GLOBAL_STATUS mask and we always process PEBS
+* events via drain_pebs().
+*/
+ status &= ~cpuc->pebs_enabled;
+
+ /*
* PEBS overflow sets bit 62 in the global status register
*/
if (__test_and_clear_bit(62, (unsigned long *)&status)) {
handled++;
x86_pmu.drain_pebs(regs);
- /*
-* There are cases where, even though, the PEBS ovfl bit is set
-* in GLOBAL_OVF_STATUS, the PEBS events may also have their
-* overflow bits set for their counters. We must clear them
-* here because they have been processed as exact samples in
-* the drain_pebs() routine. They must not be processed again
-* in the for_each_bit_set() loop for regular samples below.
-*/
- status &= ~cpuc->pebs_enabled;
status &= x86_pmu.intel_ctrl | GLOBAL_STATUS_TRACE_TOPAPMI;
}
Re: [PATCH v2 3/3] vfio/pci: Don't probe devices that can't be reset
On Thu, Aug 17, 2017 at 07:00:17AM -0600, Alex Williamson wrote:
> On Thu, 17 Aug 2017 10:14:23 +0200
> Jan Glauber wrote:
>
> > If a PCI device supports neither function-level reset, nor slot
> > or bus reset then refuse to probe it. A line is printed to inform
> > the user.
>
> But that's not what this does, this requires that the device is on a
> reset-able bus. This is a massive regression. With this we could no
> longer assign devices on the root complex or any device which doesn't
> return from bus reset and currently makes use of the NO_BUS_RESET flag
> and works happily otherwise. Full NAK. Thanks,
Looks like I missed the slot reset check. So how about this:
if (pci_probe_reset_slot(pdev->slot) && pci_probe_reset_bus(pdev->bus)) {
dev_warn(...);
return -ENODEV;
}
Or am I still missing something here?
thanks,
Jan
> Alex
>
> > Without this change starting qemu with a vfio-pci device can lead to
> > a kernel panic on some Cavium cn8xxx systems, depending on the used
> > device.
> >
> > Signed-off-by: Jan Glauber
> > ---
> > drivers/vfio/pci/vfio_pci.c | 6 ++
> > 1 file changed, 6 insertions(+)
> >
> > diff --git a/drivers/vfio/pci/vfio_pci.c b/drivers/vfio/pci/vfio_pci.c
> > index 063c1ce..029ba13 100644
> > --- a/drivers/vfio/pci/vfio_pci.c
> > +++ b/drivers/vfio/pci/vfio_pci.c
> > @@ -1196,6 +1196,12 @@ static int vfio_pci_probe(struct pci_dev *pdev,
> > const struct pci_device_id *id)
> > if (pdev->hdr_type != PCI_HEADER_TYPE_NORMAL)
> > return -EINVAL;
> >
> > + ret = pci_probe_reset_bus(pdev->bus);
> > + if (ret) {
> > + dev_warn(&pdev->dev, "Refusing to probe because reset is not
> > possible.\n");
> > + return ret;
> > + }
> > +
> > group = vfio_iommu_group_get(&pdev->dev);
> > if (!group)
> > return -EINVAL;
[PATCH 3.16 052/134] ftrace: Fix removing of second function probe
3.16.47-rc1 review patch. If anyone has any objections, please let me know.
--
From: "Steven Rostedt (VMware)"
commit 82cc4fc2e70ec5baeff8f776f2773abc8b2cc0ae upstream.
When two function probes are added to set_ftrace_filter, and then one of
them is removed, the update to the function locations is not performed, and
the record keeping of the function states are corrupted, and causes an
ftrace_bug() to occur.
This is easily reproducable by adding two probes, removing one, and then
adding it back again.
# cd /sys/kernel/debug/tracing
# echo schedule:traceoff > set_ftrace_filter
# echo do_IRQ:traceoff > set_ftrace_filter
# echo \!do_IRQ:traceoff > /debug/tracing/set_ftrace_filter
# echo do_IRQ:traceoff > set_ftrace_filter
Causes:
[ cut here ]
WARNING: CPU: 2 PID: 1098 at kernel/trace/ftrace.c:2369
ftrace_get_addr_curr+0x143/0x220
Modules linked in: [...]
CPU: 2 PID: 1098 Comm: bash Not tainted 4.10.0-test+ #405
Hardware name: Hewlett-Packard HP Compaq Pro 6300 SFF/339A, BIOS K01 v02.05
05/07/2012
Call Trace:
dump_stack+0x68/0x9f
__warn+0x111/0x130
? trace_irq_work_interrupt+0xa0/0xa0
warn_slowpath_null+0x1d/0x20
ftrace_get_addr_curr+0x143/0x220
? __fentry__+0x10/0x10
ftrace_replace_code+0xe3/0x4f0
? ftrace_int3_handler+0x90/0x90
? printk+0x99/0xb5
? 0x8100
ftrace_modify_all_code+0x97/0x110
arch_ftrace_update_code+0x10/0x20
ftrace_run_update_code+0x1c/0x60
ftrace_run_modify_code.isra.48.constprop.62+0x8e/0xd0
register_ftrace_function_probe+0x4b6/0x590
? ftrace_startup+0x310/0x310
? debug_lockdep_rcu_enabled.part.4+0x1a/0x30
? update_stack_state+0x88/0x110
? ftrace_regex_write.isra.43.part.44+0x1d3/0x320
? preempt_count_sub+0x18/0xd0
? mutex_lock_nested+0x104/0x800
? ftrace_regex_write.isra.43.part.44+0x1d3/0x320
? __unwind_start+0x1c0/0x1c0
? _mutex_lock_nest_lock+0x800/0x800
ftrace_trace_probe_callback.isra.3+0xc0/0x130
? func_set_flag+0xe0/0xe0
? __lock_acquire+0x642/0x1790
? __might_fault+0x1e/0x20
? trace_get_user+0x398/0x470
? strcmp+0x35/0x60
ftrace_trace_onoff_callback+0x48/0x70
ftrace_regex_write.isra.43.part.44+0x251/0x320
? match_records+0x420/0x420
ftrace_filter_write+0x2b/0x30
__vfs_write+0xd7/0x330
? do_loop_readv_writev+0x120/0x120
? locks_remove_posix+0x90/0x2f0
? do_lock_file_wait+0x160/0x160
? __lock_is_held+0x93/0x100
? rcu_read_lock_sched_held+0x5c/0xb0
? preempt_count_sub+0x18/0xd0
? __sb_start_write+0x10a/0x230
? vfs_write+0x222/0x240
vfs_write+0xef/0x240
SyS_write+0xab/0x130
? SyS_read+0x130/0x130
? trace_hardirqs_on_caller+0x182/0x280
? trace_hardirqs_on_thunk+0x1a/0x1c
entry_SYSCALL_64_fastpath+0x18/0xad
RIP: 0033:0x7fe61c157c30
RSP: 002b:7ffe87890258 EFLAGS: 0246 ORIG_RAX: 0001
RAX: ffda RBX: 8114a410 RCX: 7fe61c157c30
RDX: 0010 RSI: 55814798f5e0 RDI: 0001
RBP: 8800c9027f98 R08: 7fe61c422740 R09: 7fe61ca53700
R10: 0073 R11: 0246 R12: 558147a36400
R13: 7ffe8788f160 R14: 0024 R15: 7ffe8788f15c
? trace_hardirqs_off_caller+0xc0/0x110
---[ end trace 99fa09b3d9869c2c ]---
Bad trampoline accounting at: 81cc3b00 (do_IRQ+0x0/0x150)
Fixes: 59df055f1991 ("ftrace: trace different functions with a different
tracer")
Signed-off-by: Steven Rostedt (VMware)
[bwh: Backported to 3.16:
- Use ftrace_run_update_code() instead of ftrace_run_modify_code(), and
don't define old_hash
- Adjust context]
Signed-off-by: Ben Hutchings
---
--- a/kernel/trace/ftrace.c
+++ b/kernel/trace/ftrace.c
@@ -3119,23 +3119,24 @@ static void __enable_ftrace_function_pro
ftrace_probe_registered = 1;
}
-static void __disable_ftrace_function_probe(void)
+static bool __disable_ftrace_function_probe(void)
{
int i;
if (!ftrace_probe_registered)
- return;
+ return false;
for (i = 0; i < FTRACE_FUNC_HASHSIZE; i++) {
struct hlist_head *hhd = &ftrace_func_hash[i];
if (hhd->first)
- return;
+ return false;
}
/* no more funcs left */
ftrace_shutdown(&trace_probe_ops, 0);
ftrace_probe_registered = 0;
+ return true;
}
@@ -3263,6 +3264,7 @@ __unregister_ftrace_function_probe(char
int type = MATCH_FULL;
int i, len = 0;
char *search;
+ bool disabled;
if (glob && (strcmp(glob, "*") == 0 || !strlen(glob)))
glob = NULL;
@@ -3316,12 +3318,16 @@ __unregister_ftrace_function_probe(char
}
}
mutex_lock(&ftrace_lock);
- __disable_ftrace_function_probe();
+ disabled = __disable_ftrace_function_probe();
/*
* Remove after the disable is called. Otherwise, if the last
* probe is removed, a null hash means *all enabled*.
Re: [PATCH v2] blktrace: Fix potentail deadlock between delete & sysfs ops
On 08/17/2017 07:23 PM, Steven Rostedt wrote: > On Thu, 17 Aug 2017 18:18:18 -0400 > Steven Rostedt wrote: > >> On Thu, 17 Aug 2017 18:13:20 -0400 >> Steven Rostedt wrote: >> >>> On Thu, 17 Aug 2017 17:27:22 -0400 >>> Waiman Long wrote: >>> >>> It is actually what the patch is trying to do by checking for the deletion flag in the mutex_trylock loop. Please note that mutex does not guarantee FIFO ordering of lock acquisition. As a result, cpu1 may call mutex_lock() and wait for it while cpu2 can set the deletion flag later and get the mutex first before cpu1. So checking for the deletion flag before taking the mutex isn't enough. >>> Yeah, I figured that out already (crossed emails). BTW, how did you >>> trigger this warning. I'm playing around with adding loop devices, >>> volume groups, and logical volumes, and reading the trace files >>> created in the sysfs directory, then removing those items, but it's >>> not triggering the "delete" path. What operation deletes the partition? >> I'm guessing that deleting an actual partition may work (unfortunately, >> my test box has no partition to delete ;-) I'll find another box to >> test on. >> > OK, deleting a partition doesn't trigger the lockdep splat. But I also > added a printk in the BLKPG_DEL_PARTITION case switch, which also > doesn't print. What command do I need to do to trigger that path? > > Thanks, > > -- Steve Attached is a reproducer that was used to trigger the warning. Some tuning may be needed depend on the actual configuration of the test machine. Cheers, Longman run_test.sh Description: application/shellscript
Re: [PATCH v2 6/6] kernel: tracepoints: add support for relative references
On Fri, 18 Aug 2017 12:44:17 +0100
Ard Biesheuvel wrote:
> On 18 August 2017 at 12:26, Ard Biesheuvel wrote:
> > To avoid the need for relocating absolute references to tracepoint
> > structures at boot time when running relocatable kernels (which may
> > take a disproportionate amount of space), add the option to emit
> > these tables as relative references instead.
> >
> > Cc: Steven Rostedt
> > Cc: Ingo Molnar
> > Signed-off-by: Ard Biesheuvel
> > ---
> > include/linux/tracepoint.h | 42 ++--
> > kernel/tracepoint.c| 7 +---
> > 2 files changed, 40 insertions(+), 9 deletions(-)
> >
> > diff --git a/include/linux/tracepoint.h b/include/linux/tracepoint.h
> > index a26ffbe09e71..68701821933a 100644
> > --- a/include/linux/tracepoint.h
> > +++ b/include/linux/tracepoint.h
> > @@ -228,6 +228,42 @@ extern void syscall_unregfunc(void);
> > return static_key_false(&__tracepoint_##name.key); \
> > }
> >
> > +#ifdef CONFIG_HAVE_ARCH_PREL32_RELOCATIONS
> > +#define __TRACEPOINT_ENTRY(name) \
> > + asm(" .section \"__tracepoints_ptrs\", \"a\"\n" \
> > + " .balign 4\n"\
> > + " .long " VMLINUX_SYMBOL_STR(__tracepoint_##name) " - .\n"\
> > + " .previous\n")
> > +
> > +struct tracepoint_entry_t {
> > + int tp_offset;
> > +};
> > +
> > +static inline
> > +struct tracepoint *tracepoint_from_entry(const struct tracepoint_entry_t
> > *ent)
> > +{
> > + return (struct tracepoint *)((unsigned long)ent + ent->tp_offset);
> > +}
> > +#else
> > +#define __TRACEPOINT_ENTRY(name)\
> > + static struct tracepoint * const __tracepoint_ptr_##name __used \
> > + __attribute__((section("__tracepoints_ptrs"))) = \
> > + &__tracepoint_##name
> > +
> > +struct tracepoint_entry_t {
> > + struct tracepoint *tp;
> > +};
> > +
> > +static inline
> > +struct tracepoint *tracepoint_from_entry(const struct tracepoint_entry_t
> > *ent)
> > +{
> > + return ent->tp;
> > +}
> > +#endif
> > +
> > +extern struct tracepoint_entry_t const __start___tracepoints_ptrs[];
> > +extern struct tracepoint_entry_t const __stop___tracepoints_ptrs[];
> > +
>
> It appears the stuff above needs to be move inside the double-include
> guard (which oddly enough does not cover the entire file)
Why was this moved to the header file? To fulfill some checkpatch
warning?
-- Steve
>
> > /*
> > * We have no guarantee that gcc and the linker won't up-align the
> > tracepoint
> > * structures, so we create an array of pointers that will be used for
> > iteration
> > @@ -237,11 +273,9 @@ extern void syscall_unregfunc(void);
> > static const char __tpstrtab_##name[]\
> > __attribute__((section("__tracepoints_strings"))) = #name; \
> > struct tracepoint __tracepoint_##name\
> > - __attribute__((section("__tracepoints"))) = \
> > + __attribute__((section("__tracepoints"))) __used = \
> > { __tpstrtab_##name, STATIC_KEY_INIT_FALSE, reg, unreg,
> > NULL };\
> > - static struct tracepoint * const __tracepoint_ptr_##name __used \
> > - __attribute__((section("__tracepoints_ptrs"))) = \
> > - &__tracepoint_##name;
> > + __TRACEPOINT_ENTRY(name);
> >
> > #define DEFINE_TRACE(name) \
> > DEFINE_TRACE_FN(name, NULL, NULL);
> > diff --git a/kernel/tracepoint.c b/kernel/tracepoint.c
> > index 685c50ae6300..21bc41454fd6 100644
> > --- a/kernel/tracepoint.c
> > +++ b/kernel/tracepoint.c
> > @@ -28,9 +28,6 @@
> > #include
> > #include
> >
> > -extern struct tracepoint * const __start___tracepoints_ptrs[];
> > -extern struct tracepoint * const __stop___tracepoints_ptrs[];
> > -
> > /* Set to 1 to enable tracepoint debug output */
> > static const int tracepoint_debug;
> >
> > @@ -508,12 +505,12 @@ static void for_each_tracepoint_range(struct
> > tracepoint * const *begin,
> > void (*fct)(struct tracepoint *tp, void *priv),
> > void *priv)
> > {
> > - struct tracepoint * const *iter;
> > + struct tracepoint_entry_t const *iter;
> >
> > if (!begin)
> > return;
> > for (iter = begin; iter < end; iter++)
> > - fct(*iter, priv);
> > + fct(tracepoint_from_entry(iter), priv);
> > }
> >
> > /**
> > --
> > 2.11.0
> >
Re: [PATCH v2 6/6] kernel: tracepoints: add support for relative references
On 18 August 2017 at 14:43, Steven Rostedt wrote:
> On Fri, 18 Aug 2017 12:44:17 +0100
> Ard Biesheuvel wrote:
>
>> On 18 August 2017 at 12:26, Ard Biesheuvel wrote:
>> > To avoid the need for relocating absolute references to tracepoint
>> > structures at boot time when running relocatable kernels (which may
>> > take a disproportionate amount of space), add the option to emit
>> > these tables as relative references instead.
>> >
>> > Cc: Steven Rostedt
>> > Cc: Ingo Molnar
>> > Signed-off-by: Ard Biesheuvel
>> > ---
>> > include/linux/tracepoint.h | 42 ++--
>> > kernel/tracepoint.c| 7 +---
>> > 2 files changed, 40 insertions(+), 9 deletions(-)
>> >
>> > diff --git a/include/linux/tracepoint.h b/include/linux/tracepoint.h
>> > index a26ffbe09e71..68701821933a 100644
>> > --- a/include/linux/tracepoint.h
>> > +++ b/include/linux/tracepoint.h
>> > @@ -228,6 +228,42 @@ extern void syscall_unregfunc(void);
>> > return static_key_false(&__tracepoint_##name.key); \
>> > }
>> >
>> > +#ifdef CONFIG_HAVE_ARCH_PREL32_RELOCATIONS
>> > +#define __TRACEPOINT_ENTRY(name) \
>> > + asm(" .section \"__tracepoints_ptrs\", \"a\"\n" \
>> > + " .balign 4\n"\
>> > + " .long " VMLINUX_SYMBOL_STR(__tracepoint_##name) " - .\n"\
>> > + " .previous\n")
>> > +
>> > +struct tracepoint_entry_t {
>> > + int tp_offset;
>> > +};
>> > +
>> > +static inline
>> > +struct tracepoint *tracepoint_from_entry(const struct tracepoint_entry_t
>> > *ent)
>> > +{
>> > + return (struct tracepoint *)((unsigned long)ent + ent->tp_offset);
>> > +}
>> > +#else
>> > +#define __TRACEPOINT_ENTRY(name)\
>> > + static struct tracepoint * const __tracepoint_ptr_##name __used \
>> > + __attribute__((section("__tracepoints_ptrs"))) = \
>> > + &__tracepoint_##name
>> > +
>> > +struct tracepoint_entry_t {
>> > + struct tracepoint *tp;
>> > +};
>> > +
>> > +static inline
>> > +struct tracepoint *tracepoint_from_entry(const struct tracepoint_entry_t
>> > *ent)
>> > +{
>> > + return ent->tp;
>> > +}
>> > +#endif
>> > +
>> > +extern struct tracepoint_entry_t const __start___tracepoints_ptrs[];
>> > +extern struct tracepoint_entry_t const __stop___tracepoints_ptrs[];
>> > +
>>
>> It appears the stuff above needs to be move inside the double-include
>> guard (which oddly enough does not cover the entire file)
>
> Why was this moved to the header file? To fulfill some checkpatch
> warning?
>
Yes.
[PATCH 3.16 058/134] PCI: Fix another sanity check bug in /proc/pci mmap
3.16.47-rc1 review patch. If anyone has any objections, please let me know.
--
From: David Woodhouse
commit 17caf56731311c9596e7d38a70c88fcb6afa6a1b upstream.
Don't match MMIO maps with I/O BARs and vice versa.
Signed-off-by: David Woodhouse
Signed-off-by: Bjorn Helgaas
Signed-off-by: Ben Hutchings
---
drivers/pci/proc.c | 10 --
1 file changed, 8 insertions(+), 2 deletions(-)
--- a/drivers/pci/proc.c
+++ b/drivers/pci/proc.c
@@ -231,14 +231,20 @@ static int proc_bus_pci_mmap(struct file
{
struct pci_dev *dev = PDE_DATA(file_inode(file));
struct pci_filp_private *fpriv = file->private_data;
- int i, ret, write_combine;
+ int i, ret, write_combine, res_bit;
if (!capable(CAP_SYS_RAWIO))
return -EPERM;
+ if (fpriv->mmap_state == pci_mmap_io)
+ res_bit = IORESOURCE_IO;
+ else
+ res_bit = IORESOURCE_MEM;
+
/* Make sure the caller is mapping a real resource for this device */
for (i = 0; i < PCI_ROM_RESOURCE; i++) {
- if (pci_mmap_fits(dev, i, vma, PCI_MMAP_PROCFS))
+ if (dev->resource[i].flags & res_bit &&
+ pci_mmap_fits(dev, i, vma, PCI_MMAP_PROCFS))
break;
}
[PATCH 3.16 059/134] PCI: Only allow WC mmap on prefetchable resources
3.16.47-rc1 review patch. If anyone has any objections, please let me know.
--
From: David Woodhouse
commit cef4d02305a06be581bb7f4353446717a1b319ec upstream.
The /proc/bus/pci mmap interface allows the user to specify whether they
want WC or not. Don't let them do so on non-prefetchable BARs.
Signed-off-by: David Woodhouse
Signed-off-by: Bjorn Helgaas
Signed-off-by: Ben Hutchings
---
drivers/pci/proc.c | 13 -
1 file changed, 8 insertions(+), 5 deletions(-)
--- a/drivers/pci/proc.c
+++ b/drivers/pci/proc.c
@@ -231,7 +231,7 @@ static int proc_bus_pci_mmap(struct file
{
struct pci_dev *dev = PDE_DATA(file_inode(file));
struct pci_filp_private *fpriv = file->private_data;
- int i, ret, write_combine, res_bit;
+ int i, ret, write_combine = 0, res_bit;
if (!capable(CAP_SYS_RAWIO))
return -EPERM;
@@ -251,10 +251,13 @@ static int proc_bus_pci_mmap(struct file
if (i >= PCI_ROM_RESOURCE)
return -ENODEV;
- if (fpriv->mmap_state == pci_mmap_mem)
- write_combine = fpriv->write_combine;
- else
- write_combine = 0;
+ if (fpriv->mmap_state == pci_mmap_mem &&
+ fpriv->write_combine) {
+ if (dev->resource[i].flags & IORESOURCE_PREFETCH)
+ write_combine = 1;
+ else
+ return -EINVAL;
+ }
ret = pci_mmap_page_range(dev, vma,
fpriv->mmap_state, write_combine);
if (ret < 0)
Re: [PATCH v4] livepatch: introduce shadow variable API
Joe Lawrence writes:
> +
> +/**
> + * klp_shadow_get() - retrieve a shadow variable data pointer
> + * @obj: pointer to parent object
> + * @id: data identifier
> + *
> + * Return: the shadow variable data element, NULL on failure.
> + */
> +void *klp_shadow_get(void *obj, unsigned long id)
> +{
> + struct klp_shadow *shadow;
> +
> + rcu_read_lock();
> +
> + hash_for_each_possible_rcu(klp_shadow_hash, shadow, node,
> +(unsigned long)obj) {
> +
> + if (klp_shadow_match(shadow, obj, id)) {
> + rcu_read_unlock();
> + return shadow->data;
I had to think a moment about what protects shadow from getting freed by
a concurrent detach after that rcu_read_unlock(). Then I noticed that if
obj and the livepatch are alive, then so is shadow, because there
obviously hasn't been any reason to detach it.
So maybe it would be nice to have an additional comment at
klp_shadow_detach() that it's the API user's responsibility not to use a
shadow instance after detaching it...
Thanks,
Nicolai
> + }
> + }
> +
> + rcu_read_unlock();
> +
> + return NULL;
> +}
> +EXPORT_SYMBOL_GPL(klp_shadow_get);
--
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284
(AG Nürnberg)
[PATCH 3.16 055/134] [media] zr364xx: enforce minimum size when reading header
3.16.47-rc1 review patch. If anyone has any objections, please let me know.
--
From: Alyssa Milburn
commit ee0fe833d96793853335844b6d99fb76bd12cbeb upstream.
This code copies actual_length-128 bytes from the header, which will
underflow if the received buffer is too small.
Signed-off-by: Alyssa Milburn
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Ben Hutchings
---
drivers/media/usb/zr364xx/zr364xx.c | 8
1 file changed, 8 insertions(+)
--- a/drivers/media/usb/zr364xx/zr364xx.c
+++ b/drivers/media/usb/zr364xx/zr364xx.c
@@ -605,6 +605,14 @@ static int zr364xx_read_video_callback(s
ptr = pdest = frm->lpvbits;
if (frm->ulState == ZR364XX_READ_IDLE) {
+ if (purb->actual_length < 128) {
+ /* header incomplete */
+ dev_info(&cam->udev->dev,
+"%s: buffer (%d bytes) too small to hold jpeg
header. Discarding.\n",
+__func__, purb->actual_length);
+ return -EINVAL;
+ }
+
frm->ulState = ZR364XX_READ_FRAME;
frm->cur_size = 0;
[PATCH 3.16 049/134] perf/x86: Fix spurious NMI with PEBS Load Latency event
3.16.47-rc1 review patch. If anyone has any objections, please let me know.
--
From: Kan Liang
commit fd583ad1563bec5f00140e1f2444adbcd331caad upstream.
Spurious NMIs will be observed with the following command:
while :; do
perf record -bae "cpu/umask=0x01,event=0xcd,ldlat=0x80/pp"
-e "cpu/umask=0x03,event=0x0/"
-e "cpu/umask=0x02,event=0x0/"
-e cycles,branches,cache-misses
-e cache-references -- sleep 10
done
The bug was introduced by commit:
8077eca079a2 ("perf/x86/pebs: Add workaround for broken OVFL status on HSW+")
That commit clears the status bits for the counters used for PEBS
events, by masking the whole 64 bits pebs_enabled. However, only the
low 32 bits of both status and pebs_enabled are reserved for PEBS-able
counters.
For status bits 32-34 are fixed counter overflow bits. For
pebs_enabled bits 32-34 are for PEBS Load Latency.
In the test case, the PEBS Load Latency event and fixed counter event
could overflow at the same time. The fixed counter overflow bit will
be cleared by mistake. Once it is cleared, the fixed counter overflow
never be processed, which finally trigger spurious NMI.
Correct the PEBS enabled mask by ignoring the non-PEBS bits.
Signed-off-by: Kan Liang
Signed-off-by: Peter Zijlstra (Intel)
Cc: Alexander Shishkin
Cc: Arnaldo Carvalho de Melo
Cc: Jiri Olsa
Cc: Linus Torvalds
Cc: Peter Zijlstra
Cc: Stephane Eranian
Cc: Thomas Gleixner
Cc: Vince Weaver
Fixes: 8077eca079a2 ("perf/x86/pebs: Add workaround for broken OVFL status on
HSW+")
Link:
http://lkml.kernel.org/r/1491333246-3965-1-git-send-email-kan.li...@intel.com
Signed-off-by: Ingo Molnar
[bwh: Backported to 3.16:
- Drop change in get_next_pebs_record_by_bit()
- Adjust filenames]
Signed-off-by: Ben Hutchings
---
--- a/arch/x86/kernel/cpu/perf_event_intel.c
+++ b/arch/x86/kernel/cpu/perf_event_intel.c
@@ -1421,7 +1421,7 @@ again:
* counters from the GLOBAL_STATUS mask and we always process PEBS
* events via drain_pebs().
*/
- status &= ~cpuc->pebs_enabled;
+ status &= ~(cpuc->pebs_enabled & PEBS_COUNTER_MASK);
/*
* PEBS overflow sets bit 62 in the global status register
--- a/arch/x86/kernel/cpu/perf_event.h
+++ b/arch/x86/kernel/cpu/perf_event.h
@@ -79,6 +79,7 @@ struct amd_nb {
/* The maximal number of PEBS events: */
#define MAX_PEBS_EVENTS8
+#define PEBS_COUNTER_MASK ((1ULL << MAX_PEBS_EVENTS) - 1)
/*
* A debug store configuration.
[PATCH 3.16 040/134] perf inject: Don't proceed if perf_session__process_event() fails
3.16.47-rc1 review patch. If anyone has any objections, please let me know.
--
From: David Carrillo-Cisneros
commit bb8d521f77f3e68a713456b7fb1e99f52ff3342c upstream.
All paths following perf_session__process_event() in __cmd_inject() are
useless if __cmd_inject() is to fail, some depend on a correct
session->evlist.
First commit to add code that depends on session->evlist without checking
error was commmit e558a5bd8b ("perf inject: Work with files"). It has
grown since then.
Change __cmd_inject() to fail immediately after
perf_session__process_event() fails.
Signed-off-by: David Carrillo-Cisneros
Acked-by: Jiri Olsa
Cc: Alexander Shishkin
Cc: Andi Kleen
Cc: Andrew Vagin
Cc: He Kuang
Cc: Masami Hiramatsu
Cc: Paul Turner
Cc: Peter Zijlstra
Cc: Simon Que
Cc: Stephane Eranian
Cc: Wang Nan
Fixes: e558a5bd8b74 ("perf inject: Work with files")
Link: http://lkml.kernel.org/r/20170410201432.24807-2-davi...@google.com
Signed-off-by: Arnaldo Carvalho de Melo
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings
---
tools/perf/builtin-inject.c | 2 ++
1 file changed, 2 insertions(+)
--- a/tools/perf/builtin-inject.c
+++ b/tools/perf/builtin-inject.c
@@ -387,6 +387,8 @@ static int __cmd_inject(struct perf_inje
lseek(file_out->fd, session->header.data_offset, SEEK_SET);
ret = perf_session__process_events(session, &inject->tool);
+ if (ret)
+ return ret;
if (!file_out->is_pipe) {
session->header.data_size = inject->bytes_written;
[PATCH 3.16 056/134] regulator: tps65023: Fix inverted core enable logic.
3.16.47-rc1 review patch. If anyone has any objections, please let me know.
--
From: Richard Cochran
commit c90722b54a4f5e21ac59301ed9a6dbaa439bdb16 upstream.
Commit 43530b69d758328d3ffe6ab98fd640463e8e3667 ("regulator: Use
regmap_read/write(), regmap_update_bits functions directly") intended
to replace working inline helper functions with standard regmap
calls. However, it also inverted the set/clear logic of the "CORE ADJ
Allowed" bit. That patch was clearly never tested, since without that
bit cleared, the core VDCDC1 voltage output does not react to I2C
configuration changes.
This patch fixes the issue by clearing the bit as in the original,
correct implementation. Note for stable back porting that, due to
subsequent driver churn, this patch will not apply on every kernel
version.
Fixes: 43530b69d758 ("regulator: Use regmap_read/write(), regmap_update_bits
functions directly")
Signed-off-by: Richard Cochran
Signed-off-by: Mark Brown
Signed-off-by: Ben Hutchings
---
drivers/regulator/tps65023-regulator.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/drivers/regulator/tps65023-regulator.c
+++ b/drivers/regulator/tps65023-regulator.c
@@ -293,8 +293,7 @@ static int tps_65023_probe(struct i2c_cl
/* Enable setting output voltage by I2C */
regmap_update_bits(tps->regmap, TPS65023_REG_CON_CTRL2,
- TPS65023_REG_CTRL2_CORE_ADJ,
- TPS65023_REG_CTRL2_CORE_ADJ);
+ TPS65023_REG_CTRL2_CORE_ADJ, 0);
return 0;
}
[PATCH 3.16 051/134] iio: proximity: as3935: fix as3935_write
3.16.47-rc1 review patch. If anyone has any objections, please let me know.
--
From: Matt Ranostay
commit 84ca8e364acb26aba3292bc113ca8ed4335380fd upstream.
AS3935_WRITE_DATA macro bit is incorrect and the actual write
sequence is two leading zeros.
Cc: George McCollister
Signed-off-by: Matt Ranostay
Signed-off-by: Jonathan Cameron
Signed-off-by: Ben Hutchings
---
drivers/iio/proximity/as3935.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/drivers/iio/proximity/as3935.c
+++ b/drivers/iio/proximity/as3935.c
@@ -50,7 +50,6 @@
#define AS3935_TUNE_CAP0x08
#define AS3935_CALIBRATE 0x3D
-#define AS3935_WRITE_DATA BIT(15)
#define AS3935_READ_DATA BIT(14)
#define AS3935_ADDRESS(x) ((x) << 8)
@@ -105,7 +104,7 @@ static int as3935_write(struct as3935_st
{
u8 *buf = st->buf;
- buf[0] = (AS3935_WRITE_DATA | AS3935_ADDRESS(reg)) >> 8;
+ buf[0] = AS3935_ADDRESS(reg) >> 8;
buf[1] = val;
return spi_write(st->spi, buf, 2);
Re: [PATCH v4] livepatch: introduce shadow variable API
On 08/17/2017 10:05 AM, Petr Mladek wrote:
> On Mon 2017-08-14 16:02:43, Joe Lawrence wrote:
>> [ ... snip ... ]
>> diff --git a/samples/livepatch/livepatch-shadow-fix1.c
>> b/samples/livepatch/livepatch-shadow-fix1.c
>> new file mode 100644
>> index ..5acc838463d1
>> --- /dev/null
>> +++ b/samples/livepatch/livepatch-shadow-fix1.c
>> +void livepatch_fix1_dummy_free(struct dummy *d)
>> +{
>> +void **shadow_leak;
>> +
>> +/*
>> + * Patch: fetch the saved SV_LEAK shadow variable, detach and
>> + * free it. Note: handle cases where this shadow variable does
>> + * not exist (ie, dummy structures allocated before this livepatch
>> + * was loaded.)
>> + */
>> +shadow_leak = klp_shadow_get(d, SV_LEAK);
>> +if (shadow_leak) {
>> +klp_shadow_detach(d, SV_LEAK);
>> +kfree(*shadow_leak);
>
> This should get removed. The buffer used for the shadow variable
> is freed by kfree_rcu() called from klp_shadow_detach().
>
> Same problem is also in the other livepatch.
>
>> +pr_info("%s: dummy @ %p, prevented leak @ %p\n",
>> + __func__, d, *shadow_leak);
>
> This might access shadow_leak after it was (double) freed.
>
>> +} else {
>> +pr_info("%s: dummy @ %p leaked!\n", __func__, d);
>> +}
>> +
>> +kfree(d);
>> +}
Hi Petr,
I think you're half correct.
The kfree is the crux of the memory leak patch, so it needs to stay.
However, the shadow variable is holding a copy of the pointer to the
memory leak area, so you're right that it can't be safely dereferenced
after the shadow variable is detached*.
The code should to be rearranged like:
void livepatch_fix1_dummy_free(struct dummy *d)
{
void **p_shadow_leak, *shadow_leak;
p_shadow_leak = klp_shadow_get(d, SV_LEAK);
if (p_shadow_leak) {
shadow_leak = *p_shadow_leak; << deref before detach
klp_shadow_detach(d, SV_LEAK);
kfree(shadow_leak);
...
* Aside: I usually develop with slub_debug=FZPU set to catch silly
use-after-frees like this. However, since the shadow variable is
released via kfree_rcu(), I think there was a window before the grace
period where this one worked out okay... once I added a
synchronize_rcu() call in between the klp_shadow_detch() and kfree()
calls, I did see the poison pattern. This is my first time using
kfree_rcu(), so it was interesting to dig into.
Thanks,
-- Joe
Re: [PATCH v3 0/2] cpuset: Allow v2 behavior in v1 cgroup
On 08/18/2017 07:29 AM, Tejun Heo wrote: > On Thu, Aug 17, 2017 at 03:33:08PM -0400, Waiman Long wrote: >> v2->v3: >> - Change the generic CGRP_ROOT_V2_MODE flag to a cpuset specific >>CGRP_ROOT_CPUSET_V2_MODE flag. >> >> v1->v2: >> - Drop the kernel command line option and use cgroupfs mount option >>instead to enable v2 controller behavior in v1 cgroup. >> >> v1: https://lkml.org/lkml/2017/8/15/570 > Waiman, patches look good to me but can you please take care of the > kbuild warnings on 32bit and maybe merge the two patches into one? The kbuild warning is in the __init code of the v1 patch for checking the boot time argument. The __init code was gone in the v3 patch. So if there is no further kbuild warning after a couple of days, I think it should be OK. Cheers, Longman
[PATCH 3.16 032/134] MIPS: Loongson-3: Select MIPS_L1_CACHE_SHIFT_6
3.16.47-rc1 review patch. If anyone has any objections, please let me know. -- From: Huacai Chen commit 17c99d9421695a0e0de18bf1e7091d859e20ec1d upstream. Some newer Loongson-3 have 64 bytes cache lines, so select MIPS_L1_CACHE_SHIFT_6. Signed-off-by: Huacai Chen Cc: John Crispin Cc: Steven J . Hill Cc: Fuxin Zhang Cc: Zhangjin Wu Cc: linux-m...@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/15755/ Signed-off-by: Ralf Baechle [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings --- arch/mips/Kconfig | 1 + 1 file changed, 1 insertion(+) --- a/arch/mips/Kconfig +++ b/arch/mips/Kconfig @@ -1193,6 +1193,7 @@ config CPU_LOONGSON3 select CPU_SUPPORTS_HUGEPAGES select WEAK_ORDERING select WEAK_REORDERING_BEYOND_LLSC + select MIPS_L1_CACHE_SHIFT_6 help The Loongson 3 processor implements the MIPS64R2 instruction set with many extensions.
Re: [PATCH v14 4/5] mm: support reporting free page blocks
On Thu 17-08-17 11:26:55, Wei Wang wrote:
> This patch adds support to walk through the free page blocks in the
> system and report them via a callback function. Some page blocks may
> leave the free list after zone->lock is released, so it is the caller's
> responsibility to either detect or prevent the use of such pages.
This could see more details to be honest. Especially the usecase you are
going to use this for. This will help us to understand the motivation
in future when the current user might be gone a new ones largely diverge
into a different usage. This wouldn't be the first time I have seen
something like that.
> Signed-off-by: Wei Wang
> Signed-off-by: Liang Li
> Cc: Michal Hocko
> Cc: Michael S. Tsirkin
> ---
> include/linux/mm.h | 6 ++
> mm/page_alloc.c| 44
> 2 files changed, 50 insertions(+)
>
> diff --git a/include/linux/mm.h b/include/linux/mm.h
> index 46b9ac5..cd29b9f 100644
> --- a/include/linux/mm.h
> +++ b/include/linux/mm.h
> @@ -1835,6 +1835,12 @@ extern void free_area_init_node(int nid, unsigned long
> * zones_size,
> unsigned long zone_start_pfn, unsigned long *zholes_size);
> extern void free_initmem(void);
>
> +extern void walk_free_mem_block(void *opaque1,
> + unsigned int min_order,
> + void (*visit)(void *opaque2,
> + unsigned long pfn,
> + unsigned long nr_pages));
> +
> /*
> * Free reserved pages within range [PAGE_ALIGN(start), end & PAGE_MASK)
> * into the buddy system. The freed pages will be poisoned with pattern
> diff --git a/mm/page_alloc.c b/mm/page_alloc.c
> index 6d00f74..a721a35 100644
> --- a/mm/page_alloc.c
> +++ b/mm/page_alloc.c
> @@ -4762,6 +4762,50 @@ void show_free_areas(unsigned int filter, nodemask_t
> *nodemask)
> show_swap_cache_info();
> }
>
> +/**
> + * walk_free_mem_block - Walk through the free page blocks in the system
> + * @opaque1: the context passed from the caller
> + * @min_order: the minimum order of free lists to check
> + * @visit: the callback function given by the caller
The original suggestion for using visit was motivated by a visit design
pattern but I can see how this can be confusing. Maybe a more explicit
name wold be better. What about report_free_range.
> + *
> + * The function is used to walk through the free page blocks in the system,
> + * and each free page block is reported to the caller via the @visit
> callback.
> + * Please note:
> + * 1) The function is used to report hints of free pages, so the caller
> should
> + * not use those reported pages after the callback returns.
> + * 2) The callback is invoked with the zone->lock being held, so it should
> not
> + * block and should finish as soon as possible.
I think that the explicit note about zone->lock is not really need. This
can change in future and I would even bet that somebody might rely on
the lock being held for some purpose and silently get broken with the
change. Instead I would much rather see something like the following:
"
Please note that there are no locking guarantees for the callback and
that the reported pfn range might be freed or disappear after the
callback returns so the caller has to be very careful how it is used.
The callback itself must not sleep or perform any operations which would
require any memory allocations directly (not even GFP_NOWAIT/GFP_ATOMIC)
or via any lock dependency. It is generally advisable to implement
the callback as simple as possible and defer any heavy lifting to a
different context.
There is no guarantee that each free range will be reported only once
during one walk_free_mem_block invocation.
pfn_to_page on the given range is strongly discouraged and if there is
an absolute need for that make sure to contact MM people to discuss
potential problems.
The function itself might sleep so it cannot be called from atomic
contexts.
In general low orders tend to be very volatile and so it makes more
sense to query larger ones for various optimizations which like
ballooning etc... This will reduce the overhead as well.
"
> + */
> +void walk_free_mem_block(void *opaque1,
> + unsigned int min_order,
make the order int and...
> + void (*visit)(void *opaque2,
> +unsigned long pfn,
> +unsigned long nr_pages))
> +{
> + struct zone *zone;
> + struct page *page;
> + struct list_head *list;
> + unsigned int order;
> + enum migratetype mt;
> + unsigned long pfn, flags;
> +
> + for_each_populated_zone(zone) {
> + for (order = MAX_ORDER - 1;
> + order < MAX_ORDER && order >= min_order; order--) {
you will not need the underflow check which is just ugly
> + for (mt = 0; mt < MIGRATE_TYPES; mt++) {
> +
[PATCH 3.16 054/134] [media] digitv: limit messages to buffer size
3.16.47-rc1 review patch. If anyone has any objections, please let me know.
--
From: Alyssa Milburn
commit 821117dc21083a99dd99174c10848d70ff43de29 upstream.
Return an error rather than memcpy()ing beyond the end of the buffer.
Internal callers use appropriate sizes, but digitv_i2c_xfer may not.
Signed-off-by: Alyssa Milburn
Signed-off-by: Mauro Carvalho Chehab
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings
---
--- a/drivers/media/usb/dvb-usb/digitv.c
+++ b/drivers/media/usb/dvb-usb/digitv.c
@@ -30,6 +30,10 @@ static int digitv_ctrl_msg(struct dvb_us
{
int wo = (rbuf == NULL || rlen == 0); /* write-only */
u8 sndbuf[7],rcvbuf[7];
+
+ if (wlen > 4 || rlen > 4)
+ return -EIO;
+
memset(sndbuf,0,7); memset(rcvbuf,0,7);
sndbuf[0] = cmd;
[PATCH 3.16 047/134] ARM: dts: at91: sama5d3_xplained: not all ADC channels are available
3.16.47-rc1 review patch. If anyone has any objections, please let me know.
--
From: Ludovic Desroches
commit d3df1ec06353e51fc44563d2e7e18d42811af290 upstream.
Remove ADC channels that are not available by default on the sama5d3_xplained
board (resistor not populated) in order to not create confusion.
Signed-off-by: Ludovic Desroches
Acked-by: Nicolas Ferre
Signed-off-by: Alexandre Belloni
Signed-off-by: Ben Hutchings
---
arch/arm/boot/dts/at91-sama5d3_xplained.dts | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
--- a/arch/arm/boot/dts/at91-sama5d3_xplained.dts
+++ b/arch/arm/boot/dts/at91-sama5d3_xplained.dts
@@ -142,9 +142,9 @@
adc0: adc@f8018000 {
atmel,adc-vref = <3300>;
+ atmel,adc-channels-used = <0xfe>;
pinctrl-0 = <
&pinctrl_adc0_adtrg
- &pinctrl_adc0_ad0
&pinctrl_adc0_ad1
&pinctrl_adc0_ad2
&pinctrl_adc0_ad3
@@ -152,8 +152,6 @@
&pinctrl_adc0_ad5
&pinctrl_adc0_ad6
&pinctrl_adc0_ad7
- &pinctrl_adc0_ad8
- &pinctrl_adc0_ad9
>;
status = "okay";
};
[PATCH 3.16 046/134] ARM: dts: at91: sama5d3_xplained: fix ADC vref
3.16.47-rc1 review patch. If anyone has any objections, please let me know.
--
From: Ludovic Desroches
commit 9cdd31e5913c1f86dce7e201b086155b3f24896b upstream.
The voltage reference for the ADC is not 3V but 3.3V since it is connected to
VDDANA.
Signed-off-by: Ludovic Desroches
Acked-by: Nicolas Ferre
Signed-off-by: Alexandre Belloni
Signed-off-by: Ben Hutchings
---
arch/arm/boot/dts/at91-sama5d3_xplained.dts | 1 +
1 file changed, 1 insertion(+)
--- a/arch/arm/boot/dts/at91-sama5d3_xplained.dts
+++ b/arch/arm/boot/dts/at91-sama5d3_xplained.dts
@@ -141,6 +141,7 @@
};
adc0: adc@f8018000 {
+ atmel,adc-vref = <3300>;
pinctrl-0 = <
&pinctrl_adc0_adtrg
&pinctrl_adc0_ad0
[PATCH 3.16 050/134] iio: dac: ad7303: fix channel description
3.16.47-rc1 review patch. If anyone has any objections, please let me know.
--
From: Pavel Roskin
commit ce420fd4251809b4c3119b3b20c8b13bd8eba150 upstream.
realbits, storagebits and shift should be numbers, not ASCII characters.
Signed-off-by: Pavel Roskin
Reviewed-by: Lars-Peter Clausen
Signed-off-by: Jonathan Cameron
Signed-off-by: Ben Hutchings
---
drivers/iio/dac/ad7303.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/iio/dac/ad7303.c
+++ b/drivers/iio/dac/ad7303.c
@@ -184,9 +184,9 @@ static const struct iio_chan_spec_ext_in
.address = (chan), \
.scan_type = { \
.sign = 'u',\
- .realbits = '8',\
- .storagebits = '8', \
- .shift = '0', \
+ .realbits = 8, \
+ .storagebits = 8, \
+ .shift = 0, \
}, \
.ext_info = ad7303_ext_info,\
}
[PATCH 3.16 044/134] vfio/type1: Remove locked page accounting workqueue
3.16.47-rc1 review patch. If anyone has any objections, please let me know.
--
From: Alex Williamson
commit 0cfef2b7410b64d7a430947e0b533314c4f97153 upstream.
If the mmap_sem is contented then the vfio type1 IOMMU backend will
defer locked page accounting updates to a workqueue task. This has a
few problems and depending on which side the user tries to play, they
might be over-penalized for unmaps that haven't yet been accounted or
race the workqueue to enter more mappings than they're allowed. The
original intent of this workqueue mechanism seems to be focused on
reducing latency through the ioctl, but we cannot do so at the cost
of correctness. Remove this workqueue mechanism and update the
callers to allow for failure. We can also now recheck the limit under
write lock to make sure we don't exceed it.
vfio_pin_pages_remote() also now necessarily includes an unwind path
which we can jump to directly if the consecutive page pinning finds
that we're exceeding the user's memory limits. This avoids the
current lazy approach which does accounting and mapping up to the
fault, only to return an error on the next iteration to unwind the
entire vfio_dma.
Reviewed-by: Peter Xu
Reviewed-by: Kirti Wankhede
Signed-off-by: Alex Williamson
[bwh: Backported to 3.16:
- vfio_lock_acct() always operates on current->mm
- Drop changes to vfio_{,un}pin_page_external() and
vfio_iommu_unmap_unpin_reaccount()
- Drop test of rsvd flag
- Fix up the disable_hugepages case in vfio_pin_pages()
- Use down_write() instead of down_write_killable()
- Adjust context]
Signed-off-by: Ben Hutchings
---
--- a/drivers/vfio/vfio_iommu_type1.c
+++ b/drivers/vfio/vfio_iommu_type1.c
@@ -128,57 +128,37 @@ static void vfio_unlink_dma(struct vfio_
rb_erase(&old->node, &iommu->dma_list);
}
-struct vwork {
- struct mm_struct*mm;
- longnpage;
- struct work_struct work;
-};
-
-/* delayed decrement/increment for locked_vm */
-static void vfio_lock_acct_bg(struct work_struct *work)
+static int vfio_lock_acct(long npage, bool *lock_cap)
{
- struct vwork *vwork = container_of(work, struct vwork, work);
struct mm_struct *mm;
+ int ret;
- mm = vwork->mm;
- down_write(&mm->mmap_sem);
- mm->locked_vm += vwork->npage;
- up_write(&mm->mmap_sem);
- mmput(mm);
- kfree(vwork);
-}
+ if (!npage)
+ return 0;
-static void vfio_lock_acct(long npage)
-{
- struct vwork *vwork;
- struct mm_struct *mm;
+ mm = current->mm;
+ if (!mm)
+ return -ESRCH; /* process exited */
- if (!current->mm || !npage)
- return; /* process exited or nothing to do */
+ ret = 0;
+ down_write(&mm->mmap_sem);
+ if (npage > 0) {
+ if (lock_cap ? !*lock_cap : !capable(CAP_IPC_LOCK)) {
+ unsigned long limit;
- if (down_write_trylock(¤t->mm->mmap_sem)) {
- current->mm->locked_vm += npage;
- up_write(¤t->mm->mmap_sem);
- return;
- }
+ limit = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT;
- /*
-* Couldn't get mmap_sem lock, so must setup to update
-* mm->locked_vm later. If locked_vm were atomic, we
-* wouldn't need this silliness
-*/
- vwork = kmalloc(sizeof(struct vwork), GFP_KERNEL);
- if (!vwork)
- return;
- mm = get_task_mm(current);
- if (!mm) {
- kfree(vwork);
- return;
+ if (mm->locked_vm + npage > limit)
+ ret = -ENOMEM;
+ }
}
- INIT_WORK(&vwork->work, vfio_lock_acct_bg);
- vwork->mm = mm;
- vwork->npage = npage;
- schedule_work(&vwork->work);
+
+ if (!ret)
+ mm->locked_vm += npage;
+
+ up_write(&mm->mmap_sem);
+
+ return ret;
}
/*
@@ -260,7 +240,7 @@ static int vaddr_get_pfn(unsigned long v
static long vfio_pin_pages(unsigned long vaddr, long npage,
int prot, unsigned long *pfn_base)
{
- unsigned long limit = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT;
+ unsigned long pfn = 0, limit = rlimit(RLIMIT_MEMLOCK) >> PAGE_SHIFT;
bool lock_cap = capable(CAP_IPC_LOCK);
long ret, i;
@@ -282,14 +262,13 @@ static long vfio_pin_pages(unsigned long
}
if (unlikely(disable_hugepages)) {
- vfio_lock_acct(1);
- return 1;
+ ret = vfio_lock_acct(1, &lock_cap);
+ i = 1;
+ goto unpin_out;
}
/* Lock all the consecutive pages from pfn_base */
for (i = 1, vaddr += PAGE_SIZE; i < npage; i++, vaddr += PAGE_SIZE) {
- unsigned long pfn = 0;
-
ret = vaddr_get_pfn(vaddr, prot, &pfn);
if (ret)
bre
[PATCH 3.16 041/134] serial: omap: fix runtime-pm handling on unbind
3.16.47-rc1 review patch. If anyone has any objections, please let me know.
--
From: Johan Hovold
commit 099bd73dc17ed77aa8c98323e043613b6e8f54fc upstream.
An unbalanced and misplaced synchronous put was used to suspend the
device on driver unbind, something which with a likewise misplaced
pm_runtime_disable leads to external aborts when an open port is being
removed.
Unhandled fault: external abort on non-linefetch (0x1028) at 0xfa024010
...
[] (serial_omap_set_mctrl) from []
(uart_update_mctrl+0x50/0x60)
[] (uart_update_mctrl) from [] (uart_shutdown+0xbc/0x138)
[] (uart_shutdown) from [] (uart_hangup+0x94/0x190)
[] (uart_hangup) from [] (__tty_hangup+0x404/0x41c)
[] (__tty_hangup) from [] (tty_vhangup+0x1c/0x20)
[] (tty_vhangup) from [] (uart_remove_one_port+0xec/0x260)
[] (uart_remove_one_port) from []
(serial_omap_remove+0x40/0x60)
[] (serial_omap_remove) from []
(platform_drv_remove+0x34/0x4c)
Fix this up by resuming the device before deregistering the port and by
suspending and disabling runtime pm only after the port has been
removed.
Also make sure to disable autosuspend before disabling runtime pm so
that the usage count is balanced and device actually suspended before
returning.
Note that due to a negative autosuspend delay being set in probe, the
unbalanced put would actually suspend the device on first driver unbind,
while rebinding and again unbinding would result in a negative
power.usage_count.
Fixes: 7e9c8e7dbf3b ("serial: omap: make sure to suspend device before remove")
Cc: Felipe Balbi
Cc: Santosh Shilimkar
Signed-off-by: Johan Hovold
Acked-by: Tony Lindgren
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Ben Hutchings
---
drivers/tty/serial/omap-serial.c | 6 +-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/drivers/tty/serial/omap-serial.c
+++ b/drivers/tty/serial/omap-serial.c
@@ -1754,9 +1754,13 @@ static int serial_omap_remove(struct pla
{
struct uart_omap_port *up = platform_get_drvdata(dev);
+ pm_runtime_get_sync(up->dev);
+
+ uart_remove_one_port(&serial_omap_reg, &up->port);
+
+ pm_runtime_dont_use_autosuspend(up->dev);
pm_runtime_put_sync(up->dev);
pm_runtime_disable(up->dev);
- uart_remove_one_port(&serial_omap_reg, &up->port);
pm_qos_remove_request(&up->pm_qos_request);
device_init_wakeup(&dev->dev, false);
[PATCH 3.16 045/134] power: supply: lp8788: prevent out of bounds array access
3.16.47-rc1 review patch. If anyone has any objections, please let me know.
--
From: Giedrius Statkevičius
commit bdd9968d35f7fcdb76089347d1529bf079534214 upstream.
val might become 7 in which case stime[7] (array of length 7) would be
accessed during the scnprintf call later and that will cause issues.
Obviously, string concatenation is not intended here so just a comma needs
to be added to fix the issue.
Fixes: 98a276649358 ("power_supply: Add new lp8788 charger driver")
Signed-off-by: Giedrius Statkevičius
Acked-by: Milo Kim
Signed-off-by: Sebastian Reichel
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings
---
drivers/power/lp8788-charger.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/power/lp8788-charger.c
+++ b/drivers/power/lp8788-charger.c
@@ -642,7 +642,7 @@ static ssize_t lp8788_show_eoc_time(stru
{
struct lp8788_charger *pchg = dev_get_drvdata(dev);
char *stime[] = { "400ms", "5min", "10min", "15min",
- "20min", "25min", "30min" "No timeout" };
+ "20min", "25min", "30min", "No timeout" };
u8 val;
lp8788_read_byte(pchg->lp, LP8788_CHG_EOC, &val);
[PATCH 3.16 042/134] serial: omap: suspend device on probe errors
3.16.47-rc1 review patch. If anyone has any objections, please let me know.
--
From: Johan Hovold
commit 77e6fe7fd2b7cba0bf2f2dc8cde51d7b9a35bf74 upstream.
Make sure to actually suspend the device before returning after a failed
(or deferred) probe.
Note that autosuspend must be disabled before runtime pm is disabled in
order to balance the usage count due to a negative autosuspend delay as
well as to make the final put suspend the device synchronously.
Fixes: 388bc2622680 ("omap-serial: Fix the error handling in the omap_serial
probe")
Cc: Shubhrajyoti D
Signed-off-by: Johan Hovold
Acked-by: Tony Lindgren
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Ben Hutchings
---
drivers/tty/serial/omap-serial.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/tty/serial/omap-serial.c
+++ b/drivers/tty/serial/omap-serial.c
@@ -1741,7 +1741,8 @@ static int serial_omap_probe(struct plat
return 0;
err_add_port:
- pm_runtime_put(&pdev->dev);
+ pm_runtime_dont_use_autosuspend(&pdev->dev);
+ pm_runtime_put_sync(&pdev->dev);
pm_runtime_disable(&pdev->dev);
err_rs485:
err_port_line:
[PATCH 3.16 043/134] PCI: Fix pci_mmap_fits() for HAVE_PCI_RESOURCE_TO_USER platforms
3.16.47-rc1 review patch. If anyone has any objections, please let me know.
--
From: David Woodhouse
commit 6bccc7f426abd640f08d8c75fb22f99483f201b4 upstream.
In the PCI_MMAP_PROCFS case when the address being passed by the user is a
'user visible' resource address based on the bus window, and not the actual
contents of the resource, that's what we need to be checking it against.
Signed-off-by: David Woodhouse
Signed-off-by: Bjorn Helgaas
Signed-off-by: Ben Hutchings
---
drivers/pci/pci-sysfs.c | 10 +++---
1 file changed, 7 insertions(+), 3 deletions(-)
--- a/drivers/pci/pci-sysfs.c
+++ b/drivers/pci/pci-sysfs.c
@@ -965,15 +965,19 @@ void pci_remove_legacy_files(struct pci_
int pci_mmap_fits(struct pci_dev *pdev, int resno, struct vm_area_struct *vma,
enum pci_mmap_api mmap_api)
{
- unsigned long nr, start, size, pci_start;
+ unsigned long nr, start, size;
+ resource_size_t pci_start = 0, pci_end;
if (pci_resource_len(pdev, resno) == 0)
return 0;
nr = vma_pages(vma);
start = vma->vm_pgoff;
size = ((pci_resource_len(pdev, resno) - 1) >> PAGE_SHIFT) + 1;
- pci_start = (mmap_api == PCI_MMAP_PROCFS) ?
- pci_resource_start(pdev, resno) >> PAGE_SHIFT : 0;
+ if (mmap_api == PCI_MMAP_PROCFS) {
+ pci_resource_to_user(pdev, resno, &pdev->resource[resno],
+&pci_start, &pci_end);
+ pci_start >>= PAGE_SHIFT;
+ }
if (start >= pci_start && start < pci_start + size &&
start + nr <= pci_start + size)
return 1;
[PATCH 3.2 57/59] timerfd: Protect the might cancel mechanism proper
3.2.92-rc1 review patch. If anyone has any objections, please let me know.
--
From: Thomas Gleixner
commit 1e38da300e1e395a15048b0af1e5305bd91402f6 upstream.
The handling of the might_cancel queueing is not properly protected, so
parallel operations on the file descriptor can race with each other and
lead to list corruptions or use after free.
Protect the context for these operations with a seperate lock.
The wait queue lock cannot be reused for this because that would create a
lock inversion scenario vs. the cancel lock. Replacing might_cancel with an
atomic (atomic_t or atomic bit) does not help either because it still can
race vs. the actual list operation.
Reported-by: Dmitry Vyukov
Signed-off-by: Thomas Gleixner
Cc: "linux-fsde...@vger.kernel.org"
Cc: syzkaller
Cc: Al Viro
Cc: linux-fsde...@vger.kernel.org
Link: http://lkml.kernel.org/r/alpine.DEB.2.20.1701311521430.3457@nanos
Signed-off-by: Thomas Gleixner
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings
---
fs/timerfd.c | 17 ++---
1 file changed, 14 insertions(+), 3 deletions(-)
--- a/fs/timerfd.c
+++ b/fs/timerfd.c
@@ -34,6 +34,7 @@ struct timerfd_ctx {
int clockid;
struct rcu_head rcu;
struct list_head clist;
+ spinlock_t cancel_lock;
bool might_cancel;
};
@@ -86,7 +87,7 @@ void timerfd_clock_was_set(void)
rcu_read_unlock();
}
-static void timerfd_remove_cancel(struct timerfd_ctx *ctx)
+static void __timerfd_remove_cancel(struct timerfd_ctx *ctx)
{
if (ctx->might_cancel) {
ctx->might_cancel = false;
@@ -96,6 +97,13 @@ static void timerfd_remove_cancel(struct
}
}
+static void timerfd_remove_cancel(struct timerfd_ctx *ctx)
+{
+ spin_lock(&ctx->cancel_lock);
+ __timerfd_remove_cancel(ctx);
+ spin_unlock(&ctx->cancel_lock);
+}
+
static bool timerfd_canceled(struct timerfd_ctx *ctx)
{
if (!ctx->might_cancel || ctx->moffs.tv64 != KTIME_MAX)
@@ -106,6 +114,7 @@ static bool timerfd_canceled(struct time
static void timerfd_setup_cancel(struct timerfd_ctx *ctx, int flags)
{
+ spin_lock(&ctx->cancel_lock);
if (ctx->clockid == CLOCK_REALTIME && (flags & TFD_TIMER_ABSTIME) &&
(flags & TFD_TIMER_CANCEL_ON_SET)) {
if (!ctx->might_cancel) {
@@ -114,9 +123,10 @@ static void timerfd_setup_cancel(struct
list_add_rcu(&ctx->clist, &cancel_list);
spin_unlock(&cancel_lock);
}
- } else if (ctx->might_cancel) {
- timerfd_remove_cancel(ctx);
+ } else {
+ __timerfd_remove_cancel(ctx);
}
+ spin_unlock(&ctx->cancel_lock);
}
static ktime_t timerfd_get_remaining(struct timerfd_ctx *ctx)
@@ -268,6 +278,7 @@ SYSCALL_DEFINE2(timerfd_create, int, clo
return -ENOMEM;
init_waitqueue_head(&ctx->wqh);
+ spin_lock_init(&ctx->cancel_lock);
ctx->clockid = clockid;
hrtimer_init(&ctx->tmr, clockid, HRTIMER_MODE_ABS);
ctx->moffs = ktime_get_monotonic_offset();
[PATCH] mlx5: ensure 0 is returned when vport is zero
From: Colin Ian King
Currently, if vport is zero then then an uninialized return status
in err is returned. Since the only return status at the end of the
function esw_add_uc_addr is zero for the current set of return paths
we may as well just return 0 rather than err to fix this issue.
Detected by CoverityScan, CID#1452698 ("Uninitialized scalar variable")
Fixes: eeb66cdb6826 ("net/mlx5: Separate between E-Switch and MPFS")
Signed-off-by: Colin Ian King
---
drivers/net/ethernet/mellanox/mlx5/core/eswitch.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
index 6d9fb6ac6e9b..c77f4c0c7769 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
@@ -401,7 +401,7 @@ static int esw_add_uc_addr(struct mlx5_eswitch *esw, struct
vport_addr *vaddr)
esw_debug(esw->dev, "\tADDED UC MAC: vport[%d] %pM fr(%p)\n",
vport, mac, vaddr->flow_rule);
- return err;
+ return 0;
}
static int esw_del_uc_addr(struct mlx5_eswitch *esw, struct vport_addr *vaddr)
--
2.11.0
[PATCH v5 2/7] KVM: arm64: Save ESR_EL2 on guest SError
From: James Morse
When we exit a guest due to an SError the vcpu fault info isn't updated
with the ESR. Today this is only done for traps.
The v8.2 RAS Extensions define ISS values for SError. Update the vcpu's
fault_info with the ESR on SError so that handle_exit() can determine
if this was a RAS SError and decode its severity.
Signed-off-by: James Morse
---
arch/arm64/kvm/hyp/switch.c | 15 ---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/arch/arm64/kvm/hyp/switch.c b/arch/arm64/kvm/hyp/switch.c
index 945e79c641c4..c6f17c7675ad 100644
--- a/arch/arm64/kvm/hyp/switch.c
+++ b/arch/arm64/kvm/hyp/switch.c
@@ -226,13 +226,20 @@ static bool __hyp_text __translate_far_to_hpfar(u64 far,
u64 *hpfar)
return true;
}
+static void __hyp_text __populate_fault_info_esr(struct kvm_vcpu *vcpu)
+{
+ vcpu->arch.fault.esr_el2 = read_sysreg_el2(esr);
+}
+
static bool __hyp_text __populate_fault_info(struct kvm_vcpu *vcpu)
{
- u64 esr = read_sysreg_el2(esr);
- u8 ec = ESR_ELx_EC(esr);
+ u8 ec;
+ u64 esr;
u64 hpfar, far;
- vcpu->arch.fault.esr_el2 = esr;
+ __populate_fault_info_esr(vcpu);
+ esr = vcpu->arch.fault.esr_el2;
+ ec = ESR_ELx_EC(esr);
if (ec != ESR_ELx_EC_DABT_LOW && ec != ESR_ELx_EC_IABT_LOW)
return true;
@@ -321,6 +328,8 @@ int __hyp_text __kvm_vcpu_run(struct kvm_vcpu *vcpu)
*/
if (exit_code == ARM_EXCEPTION_TRAP && !__populate_fault_info(vcpu))
goto again;
+ else if (ARM_EXCEPTION_CODE(exit_code) == ARM_EXCEPTION_EL1_SERROR)
+ __populate_fault_info_esr(vcpu);
if (static_branch_unlikely(&vgic_v2_cpuif_trap) &&
exit_code == ARM_EXCEPTION_TRAP) {
--
2.14.0
[PATCH v5 7/7] arm64: kvm: handle SEI notification and inject virtual SError
After receive SError, KVM firstly call memory failure to
deal with the Error. If memory failure wants user space to
handle it, it will notify user space. This patch adds support
to userspace that injects virtual SError with specified
syndrome. This syndrome value will be set to the VSESR_EL2.
VSESR_EL2 is a new RAS extensions register which provides the
syndrome value reported to software on taking a virtual SError
interrupt exception.
Signed-off-by: Dongjiu Geng
Signed-off-by: Quanming Wu
---
arch/arm/include/asm/kvm_host.h | 2 ++
arch/arm/kvm/guest.c | 5 +
arch/arm64/include/asm/kvm_emulate.h | 10 ++
arch/arm64/include/asm/kvm_host.h| 2 ++
arch/arm64/include/asm/sysreg.h | 3 +++
arch/arm64/include/asm/system_misc.h | 1 +
arch/arm64/kvm/guest.c | 13 +
arch/arm64/kvm/handle_exit.c | 21 +++--
arch/arm64/kvm/hyp/switch.c | 14 ++
include/uapi/linux/kvm.h | 2 ++
virt/kvm/arm/arm.c | 7 +++
11 files changed, 78 insertions(+), 2 deletions(-)
diff --git a/arch/arm/include/asm/kvm_host.h b/arch/arm/include/asm/kvm_host.h
index 127e2dd2e21c..bdb6ea690257 100644
--- a/arch/arm/include/asm/kvm_host.h
+++ b/arch/arm/include/asm/kvm_host.h
@@ -244,6 +244,8 @@ int kvm_arm_coproc_set_reg(struct kvm_vcpu *vcpu, const
struct kvm_one_reg *);
int handle_exit(struct kvm_vcpu *vcpu, struct kvm_run *run,
int exception_index);
+int kvm_vcpu_ioctl_sei(struct kvm_vcpu *vcpu, u64 *syndrome);
+
static inline void __cpu_init_hyp_mode(phys_addr_t pgd_ptr,
unsigned long hyp_stack_ptr,
unsigned long vector_ptr)
diff --git a/arch/arm/kvm/guest.c b/arch/arm/kvm/guest.c
index 1e0784ebbfd6..c23df72d9bec 100644
--- a/arch/arm/kvm/guest.c
+++ b/arch/arm/kvm/guest.c
@@ -248,6 +248,11 @@ int kvm_arch_vcpu_ioctl_set_sregs(struct kvm_vcpu *vcpu,
return -EINVAL;
}
+int kvm_vcpu_ioctl_sei(struct kvm_vcpu *vcpu, u64 *syndrome)
+{
+ return 0;
+}
+
int __attribute_const__ kvm_target_cpu(void)
{
switch (read_cpuid_part()) {
diff --git a/arch/arm64/include/asm/kvm_emulate.h
b/arch/arm64/include/asm/kvm_emulate.h
index 47983db27de2..74213bd539dc 100644
--- a/arch/arm64/include/asm/kvm_emulate.h
+++ b/arch/arm64/include/asm/kvm_emulate.h
@@ -155,6 +155,16 @@ static inline u32 kvm_vcpu_get_hsr(const struct kvm_vcpu
*vcpu)
return vcpu->arch.fault.esr_el2;
}
+static inline u32 kvm_vcpu_get_vsesr(const struct kvm_vcpu *vcpu)
+{
+ return vcpu->arch.fault.vsesr_el2;
+}
+
+static inline void kvm_vcpu_set_vsesr(struct kvm_vcpu *vcpu, unsigned long val)
+{
+ vcpu->arch.fault.vsesr_el2 = val;
+}
+
static inline int kvm_vcpu_get_condition(const struct kvm_vcpu *vcpu)
{
u32 esr = kvm_vcpu_get_hsr(vcpu);
diff --git a/arch/arm64/include/asm/kvm_host.h
b/arch/arm64/include/asm/kvm_host.h
index d68630007b14..57b011261597 100644
--- a/arch/arm64/include/asm/kvm_host.h
+++ b/arch/arm64/include/asm/kvm_host.h
@@ -88,6 +88,7 @@ struct kvm_vcpu_fault_info {
u32 esr_el2;/* Hyp Syndrom Register */
u64 far_el2;/* Hyp Fault Address Register */
u64 hpfar_el2; /* Hyp IPA Fault Address Register */
+ u32 vsesr_el2; /* Virtual SError Exception Syndrome Register */
};
/*
@@ -381,6 +382,7 @@ int kvm_arm_vcpu_arch_get_attr(struct kvm_vcpu *vcpu,
struct kvm_device_attr *attr);
int kvm_arm_vcpu_arch_has_attr(struct kvm_vcpu *vcpu,
struct kvm_device_attr *attr);
+int kvm_vcpu_ioctl_sei(struct kvm_vcpu *vcpu, u64 *syndrome);
static inline void __cpu_init_stage2(void)
{
diff --git a/arch/arm64/include/asm/sysreg.h b/arch/arm64/include/asm/sysreg.h
index 35b786b43ee4..06059eef0f5d 100644
--- a/arch/arm64/include/asm/sysreg.h
+++ b/arch/arm64/include/asm/sysreg.h
@@ -86,6 +86,9 @@
#define REG_PSTATE_PAN_IMM sys_reg(0, 0, 4, 0, 4)
#define REG_PSTATE_UAO_IMM sys_reg(0, 0, 4, 0, 3)
+/* virtual SError exception syndrome register in armv8.2 */
+#define REG_VSESR_EL2 sys_reg(3, 4, 5, 2, 3)
+
#define SET_PSTATE_PAN(x) __emit_inst(0xd500 | REG_PSTATE_PAN_IMM |
\
(!!x)<<8 | 0x1f)
#define SET_PSTATE_UAO(x) __emit_inst(0xd500 | REG_PSTATE_UAO_IMM |
\
diff --git a/arch/arm64/include/asm/system_misc.h
b/arch/arm64/include/asm/system_misc.h
index 07aa8e3c5630..7d07aeb02bc4 100644
--- a/arch/arm64/include/asm/system_misc.h
+++ b/arch/arm64/include/asm/system_misc.h
@@ -57,6 +57,7 @@ extern void (*arm_pm_restart)(enum reboot_mode reboot_mode,
const char *cmd);
})
int handle_guest_sea(phys_addr_t addr, unsigned int esr);
+int handle_guest_sei(phys_addr_t addr, unsigned int esr);
#endif /* __ASSEMBLY__ */
diff --git a/arch/arm64/
[GIT PULL] apparmor updates for next
Hi James, Please pull these apparmor changes for next. Thanks! -Kees The following changes since commit 706224ae390ddbf1871abb7938245be45bf04104: samples: Unrename SECCOMP_RET_KILL (2017-08-17 14:17:07 +1000) are available in the git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor for-security for you to fetch changes up to 76e22e212a850bbd16cf49f9c586d4635507e0b5: apparmor: fix incorrect type assignment when freeing proxies (2017-08-18 06:45:37 -0700) Christos Gkekas (1): apparmor: Fix logical error in verify_header() Dan Carpenter (1): apparmor: Fix an error code in aafs_create() Geert Uytterhoeven (1): apparmor: Fix shadowed local variable in unpack_trans_table() John Johansen (12): apparmor: Redundant condition: prev_ns. in [label.c:1498] apparmor: add the ability to mediate signals apparmor: add mount mediation apparmor: cleanup conditional check for label in label_print apparmor: add support for absolute root view based labels apparmor: make policy_unpack able to audit different info messages apparmor: add more debug asserts to apparmorfs apparmor: add base infastructure for socket mediation apparmor: move new_null_profile to after profile lookup fns() apparmor: fix race condition in null profile creation apparmor: ensure unconfined profiles have dfas initialized apparmor: fix incorrect type assignment when freeing proxies security/apparmor/.gitignore | 1 + security/apparmor/Makefile| 43 ++- security/apparmor/apparmorfs.c| 37 +- security/apparmor/domain.c| 4 +- security/apparmor/file.c | 30 ++ security/apparmor/include/apparmor.h | 2 + security/apparmor/include/audit.h | 39 +- security/apparmor/include/domain.h| 5 + security/apparmor/include/ipc.h | 6 + security/apparmor/include/label.h | 1 + security/apparmor/include/mount.h | 54 +++ security/apparmor/include/net.h | 114 ++ security/apparmor/include/perms.h | 5 +- security/apparmor/include/policy.h| 13 + security/apparmor/include/sig_names.h | 95 + security/apparmor/ipc.c | 99 + security/apparmor/label.c | 36 +- security/apparmor/lib.c | 5 +- security/apparmor/lsm.c | 472 +++ security/apparmor/mount.c | 696 ++ security/apparmor/net.c | 184 + security/apparmor/policy.c| 166 security/apparmor/policy_ns.c | 2 + security/apparmor/policy_unpack.c | 105 - 24 files changed, 2081 insertions(+), 133 deletions(-) create mode 100644 security/apparmor/include/mount.h create mode 100644 security/apparmor/include/net.h create mode 100644 security/apparmor/include/sig_names.h create mode 100644 security/apparmor/mount.c create mode 100644 security/apparmor/net.c
[PATCH v5 0/7] Add RAS virtualization support to SEA/SEI notification type
In the firmware-first RAS solution, corrupt data is detected in a memory location when guest OS application software executing at EL0 or guest OS kernel El1 software are reading from the memory. The memory node records errors in an error record accessible using system registers. Because SCR_EL3.EA is 1, then CPU will trap to El3 firmware, EL3 firmware records the error to APEI table through reading system register. Because the error was taken from a lower Exception leve, if the exception is SEA/SEI and HCR_EL2.TEA/HCR_EL2.AMO is 1, firmware sets ESR_EL2/FAR_El to fake a exception trap to EL2, then transfers to hypervisor. Hypervisor calls the momory failure to deal with this error, momory failure read the APEI table and decide whether it needs to deliver SIGBUS signal to user space, the advantage of using SIGBUS signal to notify user space is that it can be compatible Non-Kvm users. Dongjiu Geng (5): acpi: apei: Add SEI notification type support for ARMv8 support user space to query RAS extension feature arm64: kvm: route synchronous external abort exceptions to el2 KVM: arm/arm64: Allow get exception syndrome and arm64: kvm: handle SEI notification and inject virtual SError James Morse (1): KVM: arm64: Save ESR_EL2 on guest SError Xie XiuQi (1): arm64: cpufeature: Detect CPU RAS Extentions arch/arm/include/asm/kvm_host.h | 2 ++ arch/arm/kvm/guest.c | 5 +++ arch/arm64/Kconfig | 16 ++ arch/arm64/include/asm/barrier.h | 1 + arch/arm64/include/asm/cpucaps.h | 3 +- arch/arm64/include/asm/kvm_arm.h | 2 ++ arch/arm64/include/asm/kvm_emulate.h | 17 ++ arch/arm64/include/asm/kvm_host.h| 2 ++ arch/arm64/include/asm/sysreg.h | 5 +++ arch/arm64/include/asm/system_misc.h | 1 + arch/arm64/include/uapi/asm/kvm.h| 5 +++ arch/arm64/kernel/cpufeature.c | 13 arch/arm64/kernel/process.c | 3 ++ arch/arm64/kvm/guest.c | 48 + arch/arm64/kvm/handle_exit.c | 21 +++-- arch/arm64/kvm/hyp/switch.c | 29 +++-- arch/arm64/kvm/reset.c | 3 ++ arch/arm64/mm/fault.c| 21 +++-- drivers/acpi/apei/Kconfig| 15 + drivers/acpi/apei/ghes.c | 60 +++- include/acpi/ghes.h | 2 +- include/uapi/linux/kvm.h | 3 ++ virt/kvm/arm/arm.c | 7 + 23 files changed, 254 insertions(+), 30 deletions(-) -- 2.14.0
[PATCH v5 5/7] arm64: kvm: route synchronous external abort exceptions to el2
ARMv8.2 adds a new bit HCR_EL2.TEA which controls to
route synchronous external aborts to EL2, and add a
trap control bit HCR_EL2.TERR which will control to
trap all Non-secure EL1&0 error record accesses to EL2.
This patch will enable the two bits for the guest OS.
when an synchronous abort is generated in the guest OS,
it will trap to EL3 firmware, firmware will be according
to the HCR_EL2.TEA to decide to jump to hypervisor or host
OS. In the guest OS, RAS error record access will trap to
EL2.
Signed-off-by: Dongjiu Geng
---
arch/arm64/include/asm/kvm_arm.h | 2 ++
arch/arm64/include/asm/kvm_emulate.h | 7 +++
2 files changed, 9 insertions(+)
diff --git a/arch/arm64/include/asm/kvm_arm.h b/arch/arm64/include/asm/kvm_arm.h
index 61d694c2eae5..1188272003c4 100644
--- a/arch/arm64/include/asm/kvm_arm.h
+++ b/arch/arm64/include/asm/kvm_arm.h
@@ -23,6 +23,8 @@
#include
/* Hyp Configuration Register (HCR) bits */
+#define HCR_TEA(UL(1) << 37)
+#define HCR_TERR (UL(1) << 36)
#define HCR_E2H(UL(1) << 34)
#define HCR_ID (UL(1) << 33)
#define HCR_CD (UL(1) << 32)
diff --git a/arch/arm64/include/asm/kvm_emulate.h
b/arch/arm64/include/asm/kvm_emulate.h
index fe39e6841326..47983db27de2 100644
--- a/arch/arm64/include/asm/kvm_emulate.h
+++ b/arch/arm64/include/asm/kvm_emulate.h
@@ -47,6 +47,13 @@ static inline void vcpu_reset_hcr(struct kvm_vcpu *vcpu)
vcpu->arch.hcr_el2 = HCR_GUEST_FLAGS;
if (is_kernel_in_hyp_mode())
vcpu->arch.hcr_el2 |= HCR_E2H;
+ if (cpus_have_const_cap(ARM64_HAS_RAS_EXTN)) {
+ /* route synchronous external abort exceptions to EL2 */
+ vcpu->arch.hcr_el2 |= HCR_TEA;
+ /* trap error record accesses */
+ vcpu->arch.hcr_el2 |= HCR_TERR;
+ }
+
if (test_bit(KVM_ARM_VCPU_EL1_32BIT, vcpu->arch.features))
vcpu->arch.hcr_el2 &= ~HCR_RW;
}
--
2.14.0
[PATCH v5 1/7] arm64: cpufeature: Detect CPU RAS Extentions
From: Xie XiuQi
ARM's v8.2 Extentions add support for Reliability, Availability and
Serviceability (RAS). On CPUs with these extensions system software
can use additional barriers to isolate errors and determine if faults
are pending.
Add cpufeature detection and a barrier in the context-switch code.
There is no need to use alternatives for this as CPUs that don't
support this feature will treat the instruction as a nop.
Platform level RAS support may require additional firmware support.
Signed-off-by: Xie XiuQi
[Rebased, added esb and config option, reworded commit message]
Signed-off-by: James Morse
---
arch/arm64/Kconfig | 16
arch/arm64/include/asm/barrier.h | 1 +
arch/arm64/include/asm/cpucaps.h | 3 ++-
arch/arm64/include/asm/sysreg.h | 2 ++
arch/arm64/kernel/cpufeature.c | 13 +
arch/arm64/kernel/process.c | 3 +++
6 files changed, 37 insertions(+), 1 deletion(-)
diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index dfd908630631..4d87aa963d83 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -960,6 +960,22 @@ config ARM64_UAO
regular load/store instructions if the cpu does not implement the
feature.
+config ARM64_RAS_EXTN
+ bool "Enable support for RAS CPU Extensions"
+ default y
+ help
+ CPUs that support the Reliability, Availability and Serviceability
+ (RAS) Extensions, part of ARMv8.2 are able to track faults and
+ errors, classify them and report them to software.
+
+ On CPUs with these extensions system software can use additional
+ barriers to determine if faults are pending and read the
+ classification from a new set of registers.
+
+ Selecting this feature will allow the kernel to use these barriers
+ and access the new registers if the system supports the extension.
+ Platform RAS features may additionally depend on firmware support.
+
endmenu
config ARM64_MODULE_CMODEL_LARGE
diff --git a/arch/arm64/include/asm/barrier.h b/arch/arm64/include/asm/barrier.h
index 0fe7e43b7fbc..8b0a0eb67625 100644
--- a/arch/arm64/include/asm/barrier.h
+++ b/arch/arm64/include/asm/barrier.h
@@ -30,6 +30,7 @@
#define isb() asm volatile("isb" : : : "memory")
#define dmb(opt) asm volatile("dmb " #opt : : : "memory")
#define dsb(opt) asm volatile("dsb " #opt : : : "memory")
+#define esb() asm volatile("hint #16" : : : "memory")
#define mb() dsb(sy)
#define rmb() dsb(ld)
diff --git a/arch/arm64/include/asm/cpucaps.h b/arch/arm64/include/asm/cpucaps.h
index 8d2272c6822c..f93bf77f1f74 100644
--- a/arch/arm64/include/asm/cpucaps.h
+++ b/arch/arm64/include/asm/cpucaps.h
@@ -39,7 +39,8 @@
#define ARM64_WORKAROUND_QCOM_FALKOR_E1003 18
#define ARM64_WORKAROUND_85892119
#define ARM64_WORKAROUND_CAVIUM_30115 20
+#define ARM64_HAS_RAS_EXTN 21
-#define ARM64_NCAPS21
+#define ARM64_NCAPS22
#endif /* __ASM_CPUCAPS_H */
diff --git a/arch/arm64/include/asm/sysreg.h b/arch/arm64/include/asm/sysreg.h
index 248339e4aaf5..35b786b43ee4 100644
--- a/arch/arm64/include/asm/sysreg.h
+++ b/arch/arm64/include/asm/sysreg.h
@@ -331,6 +331,7 @@
#define ID_AA64ISAR1_JSCVT_SHIFT 12
/* id_aa64pfr0 */
+#define ID_AA64PFR0_RAS_SHIFT 28
#define ID_AA64PFR0_GIC_SHIFT 24
#define ID_AA64PFR0_ASIMD_SHIFT20
#define ID_AA64PFR0_FP_SHIFT 16
@@ -339,6 +340,7 @@
#define ID_AA64PFR0_EL1_SHIFT 4
#define ID_AA64PFR0_EL0_SHIFT 0
+#define ID_AA64PFR0_RAS_V1 0x1
#define ID_AA64PFR0_FP_NI 0xf
#define ID_AA64PFR0_FP_SUPPORTED 0x0
#define ID_AA64PFR0_ASIMD_NI 0xf
diff --git a/arch/arm64/kernel/cpufeature.c b/arch/arm64/kernel/cpufeature.c
index 9f9e0064c8c1..a807ab55ee10 100644
--- a/arch/arm64/kernel/cpufeature.c
+++ b/arch/arm64/kernel/cpufeature.c
@@ -124,6 +124,7 @@ static const struct arm64_ftr_bits ftr_id_aa64isar1[] = {
};
static const struct arm64_ftr_bits ftr_id_aa64pfr0[] = {
+ ARM64_FTR_BITS(FTR_HIDDEN, FTR_STRICT, FTR_EXACT,
ID_AA64PFR0_RAS_SHIFT, 4, 0),
ARM64_FTR_BITS(FTR_HIDDEN, FTR_STRICT, FTR_EXACT,
ID_AA64PFR0_GIC_SHIFT, 4, 0),
S_ARM64_FTR_BITS(FTR_VISIBLE, FTR_STRICT, FTR_LOWER_SAFE,
ID_AA64PFR0_ASIMD_SHIFT, 4, ID_AA64PFR0_ASIMD_NI),
S_ARM64_FTR_BITS(FTR_VISIBLE, FTR_STRICT, FTR_LOWER_SAFE,
ID_AA64PFR0_FP_SHIFT, 4, ID_AA64PFR0_FP_NI),
@@ -888,6 +889,18 @@ static const struct arm64_cpu_capabilities
arm64_features[] = {
.min_field_value = 0,
.matches = has_no_fpsimd,
},
+#ifdef CONFIG_ARM64_RAS_EXTN
+ {
+ .desc = "RAS Extension Support",
+ .capability = ARM64_HAS_RAS_EXTN,
+ .def_scope = SCOPE_SYSTEM,
+ .matches = has_cp
[PATCH v5 4/7] support user space to query RAS extension feature
In armv8.2 RAS extension, it adds virtual SError exception
syndrome registeri(VSESR_EL2), user space will specify that
value. so user space will check whether CPU feature has RAS
extension. if has, it will specify the virtual SError syndrome
value. Otherwise, it will not set. This patch adds this support
Signed-off-by: Dongjiu Geng
---
arch/arm64/kvm/reset.c | 3 +++
include/uapi/linux/kvm.h | 1 +
2 files changed, 4 insertions(+)
diff --git a/arch/arm64/kvm/reset.c b/arch/arm64/kvm/reset.c
index 3256b9228e75..b7313ee028e9 100644
--- a/arch/arm64/kvm/reset.c
+++ b/arch/arm64/kvm/reset.c
@@ -77,6 +77,9 @@ int kvm_arch_dev_ioctl_check_extension(struct kvm *kvm, long
ext)
case KVM_CAP_ARM_PMU_V3:
r = kvm_arm_support_pmu_v3();
break;
+ case KVM_CAP_ARM_RAS_EXTENSION:
+ r = cpus_have_const_cap(ARM64_HAS_RAS_EXTN);
+ break;
case KVM_CAP_SET_GUEST_DEBUG:
case KVM_CAP_VCPU_ATTRIBUTES:
r = 1;
diff --git a/include/uapi/linux/kvm.h b/include/uapi/linux/kvm.h
index 6cd63c18708a..5a2a338cae57 100644
--- a/include/uapi/linux/kvm.h
+++ b/include/uapi/linux/kvm.h
@@ -929,6 +929,7 @@ struct kvm_ppc_resize_hpt {
#define KVM_CAP_PPC_SMT_POSSIBLE 147
#define KVM_CAP_HYPERV_SYNIC2 148
#define KVM_CAP_HYPERV_VP_INDEX 149
+#define KVM_CAP_ARM_RAS_EXTENSION 150
#ifdef KVM_CAP_IRQ_ROUTING
--
2.14.0
[PATCH v5 3/7] acpi: apei: Add SEI notification type support for ARMv8
ARMV8.2 requires implementation of the RAS extension, in
this extension it adds SEI(SError Interrupt) notification
type, this patch addes a new GHES error source handling
function for SEI. Because this error source parse and handling
method are similar with the SEA. so use one function to handle
them.
In current code logic, The two functions ghes_sea_add() and
ghes_sea_remove() are only called when CONFIG_ACPI_APEI_SEA
and CONFIG_ACPI_APEI_SEI are defined. If not, it will return
errors in the ghes_probe() and do not continue, so remove the
useless code that handling CONFIG_ACPI_APEI_SEA and
CONFIG_ACPI_APEI_SEI do not defined.
Expose one API ghes_notify_sex() to external, external modules
can call this exposed APIs to parse and handling the SEA/SEI.
Signed-off-by: Dongjiu Geng
---
arch/arm64/mm/fault.c | 21 +++--
drivers/acpi/apei/Kconfig | 15
drivers/acpi/apei/ghes.c | 60 ++-
include/acpi/ghes.h | 2 +-
4 files changed, 74 insertions(+), 24 deletions(-)
diff --git a/arch/arm64/mm/fault.c b/arch/arm64/mm/fault.c
index 2509e4fe6992..0aa92a69c280 100644
--- a/arch/arm64/mm/fault.c
+++ b/arch/arm64/mm/fault.c
@@ -585,7 +585,7 @@ static int do_sea(unsigned long addr, unsigned int esr,
struct pt_regs *regs)
if (interrupts_enabled(regs))
nmi_enter();
- ret = ghes_notify_sea();
+ ret = ghes_notify_sex(ACPI_HEST_NOTIFY_SEA);
if (interrupts_enabled(regs))
nmi_exit();
@@ -682,7 +682,24 @@ int handle_guest_sea(phys_addr_t addr, unsigned int esr)
int ret = -ENOENT;
if (IS_ENABLED(CONFIG_ACPI_APEI_SEA))
- ret = ghes_notify_sea();
+ ret = ghes_notify_sex(ACPI_HEST_NOTIFY_SEA);
+
+ return ret;
+}
+
+/*
+ * Handle SError interrupt that occur in a guest kernel.
+ *
+ * The return value will be zero if the SEI was successfully handled
+ * and non-zero if there was an error processing the error or there was
+ * no error to process.
+ */
+int handle_guest_sei(phys_addr_t addr, unsigned int esr)
+{
+ int ret = -ENOENT;
+
+ if (IS_ENABLED(CONFIG_ACPI_APEI_SEI))
+ ret = ghes_notify_sex(ACPI_HEST_NOTIFY_SEI);
return ret;
}
diff --git a/drivers/acpi/apei/Kconfig b/drivers/acpi/apei/Kconfig
index de14d49a5c90..556370c763ec 100644
--- a/drivers/acpi/apei/Kconfig
+++ b/drivers/acpi/apei/Kconfig
@@ -54,6 +54,21 @@ config ACPI_APEI_SEA
option allows the OS to look for such hardware error record, and
take appropriate action.
+config ACPI_APEI_SEI
+ bool "APEI Asynchronous SError Interrupt logging/recovering support"
+ depends on ARM64 && ACPI_APEI_GHES
+ default y
+ help
+ This option should be enabled if the system supports
+ firmware first handling of SEI (asynchronous SError interrupt).
+
+ SEI happens with invalid instruction access or asynchronous exceptions
+ on ARMv8 systems. If a system supports firmware first handling of SEI,
+ the platform analyzes and handles hardware error notifications from
+ SEI, and it may then form a HW error record for the OS to parse and
+ handle. This option allows the OS to look for such hardware error
+ record, and take appropriate action.
+
config ACPI_APEI_MEMORY_FAILURE
bool "APEI memory error recovering support"
depends on ACPI_APEI && MEMORY_FAILURE
diff --git a/drivers/acpi/apei/ghes.c b/drivers/acpi/apei/ghes.c
index d661d452b238..705738aa48b8 100644
--- a/drivers/acpi/apei/ghes.c
+++ b/drivers/acpi/apei/ghes.c
@@ -813,20 +813,21 @@ static struct notifier_block ghes_notifier_hed = {
.notifier_call = ghes_notify_hed,
};
-#ifdef CONFIG_ACPI_APEI_SEA
static LIST_HEAD(ghes_sea);
+static LIST_HEAD(ghes_sei);
/*
* Return 0 only if one of the SEA error sources successfully reported an error
* record sent from the firmware.
*/
-int ghes_notify_sea(void)
+
+int ghes_handle_sex(struct list_head *head)
{
struct ghes *ghes;
int ret = -ENOENT;
rcu_read_lock();
- list_for_each_entry_rcu(ghes, &ghes_sea, list) {
+ list_for_each_entry_rcu(ghes, head, list) {
if (!ghes_proc(ghes))
ret = 0;
}
@@ -834,33 +835,41 @@ int ghes_notify_sea(void)
return ret;
}
-static void ghes_sea_add(struct ghes *ghes)
+int ghes_notify_sex(u8 type)
+{
+ if (type == ACPI_HEST_NOTIFY_SEA)
+ return ghes_handle_sex(&ghes_sea);
+ else if (type == ACPI_HEST_NOTIFY_SEI)
+ return ghes_handle_sex(&ghes_sei);
+
+ return -ENOENT;
+}
+
+/*
+ * This function is only called when the CONFIG_HAVE_ACPI_APEI_SEA or
+ * CONFIG_HAVE_ACPI_APEI_SEA is enabled. when disabled, it will return
+ * error in the ghes_probe
+ */
+static void ghes_sex_add(struct ghes *ghes)
{
+ u8
[PATCH v5 6/7] KVM: arm64: Allow get exception information from userspace
when userspace gets SIGBUS signal, it does not know whether
this is a synchronous external abort or SError, so needs
to get the exception syndrome. so this patch allows userspace
can get this values. For syndrome, only give userspace
syndrome EC and ISS.
Now we move the synchronous external abort injection logic to
userspace, when userspace injects the SEA exception to guest
OS, it needs to specify the far_el1 value, so this patch give
the exception virtual address to user space.
Signed-off-by: Dongjiu Geng
Signed-off-by: Quanming Wu
---
arch/arm64/include/uapi/asm/kvm.h | 5 +
arch/arm64/kvm/guest.c| 35 +++
2 files changed, 40 insertions(+)
diff --git a/arch/arm64/include/uapi/asm/kvm.h
b/arch/arm64/include/uapi/asm/kvm.h
index 9f3ca24bbcc6..514261f682b8 100644
--- a/arch/arm64/include/uapi/asm/kvm.h
+++ b/arch/arm64/include/uapi/asm/kvm.h
@@ -181,6 +181,11 @@ struct kvm_arch_memory_slot {
#define KVM_REG_ARM64_SYSREG_OP2_MASK 0x0007
#define KVM_REG_ARM64_SYSREG_OP2_SHIFT 0
+/* AArch64 fault registers */
+#define KVM_REG_ARM64_FAULT(0x0014 << KVM_REG_ARM_COPROC_SHIFT)
+#define KVM_REG_ARM64_FAULT_ESR_EC_ISS (0)
+#define KVM_REG_ARM64_FAULT_FAR(1)
+
#define ARM64_SYS_REG_SHIFT_MASK(x,n) \
(((x) << KVM_REG_ARM64_SYSREG_ ## n ## _SHIFT) & \
KVM_REG_ARM64_SYSREG_ ## n ## _MASK)
diff --git a/arch/arm64/kvm/guest.c b/arch/arm64/kvm/guest.c
index 5c7f657dd207..cb383c310f18 100644
--- a/arch/arm64/kvm/guest.c
+++ b/arch/arm64/kvm/guest.c
@@ -128,6 +128,38 @@ static int set_core_reg(struct kvm_vcpu *vcpu, const
struct kvm_one_reg *reg)
out:
return err;
}
+static int get_fault_reg(struct kvm_vcpu *vcpu, const struct kvm_one_reg *reg)
+{
+ void __user *uaddr = (void __user *)(unsigned long)reg->addr;
+ u32 ec, value;
+ u32 id = reg->id & ~(KVM_REG_ARCH_MASK |
+ KVM_REG_SIZE_MASK | KVM_REG_ARM64_FAULT);
+
+ switch (id) {
+ case KVM_REG_ARM64_FAULT_ESR_EC_ISS:
+ /* The user space needs to know the fault exception
+* class field
+*/
+ ec = kvm_vcpu_get_hsr(vcpu) & ESR_ELx_EC_MASK;
+ value = ec | (kvm_vcpu_get_hsr(vcpu) & ESR_ELx_ISS_MASK);
+
+ if (copy_to_user(uaddr, &value, KVM_REG_SIZE(reg->id)) != 0)
+ return -EFAULT;
+ break;
+ case KVM_REG_ARM64_FAULT_FAR:
+ /* when user space injects synchronized abort, it needs
+* to inject the fault address.
+*/
+ if (copy_to_user(uaddr, &(vcpu->arch.fault.far_el2),
+ KVM_REG_SIZE(reg->id)) != 0)
+ return -EFAULT;
+ break;
+ default:
+ return -ENOENT;
+ }
+ return 0;
+}
+
int kvm_arch_vcpu_ioctl_get_regs(struct kvm_vcpu *vcpu, struct kvm_regs *regs)
{
@@ -243,6 +275,9 @@ int kvm_arm_get_reg(struct kvm_vcpu *vcpu, const struct
kvm_one_reg *reg)
if ((reg->id & KVM_REG_ARM_COPROC_MASK) == KVM_REG_ARM_CORE)
return get_core_reg(vcpu, reg);
+ if ((reg->id & KVM_REG_ARM_COPROC_MASK) == KVM_REG_ARM64_FAULT)
+ return get_fault_reg(vcpu, reg);
+
if (is_timer_reg(reg->id))
return get_timer_reg(vcpu, reg);
--
2.14.0
Re: [PATCH v2 6/6] kernel: tracepoints: add support for relative references
On Fri, 18 Aug 2017 14:44:15 +0100 Ard Biesheuvel wrote: > >> It appears the stuff above needs to be move inside the double-include > >> guard (which oddly enough does not cover the entire file) > > > > Why was this moved to the header file? To fulfill some checkpatch > > warning? > > > > Yes. My preference is to ignore that checkpatch warning. The section variables are created by linker magic, and not normal "extern" variables. They are only used in one location, and I like to keep them where they are used, and not be something other places might think they can be used. In other words, keep them by the C code, and out of headers. Tracepoints and linker/asm work always triggers a lot of bogus checkpatch warnings. Which is unfortunate. :-/ Thanks! -- Steve
[PATCH] drm/msm/: make clk_init_data const
Make these const as they are only stored in the init field of a clk_hw
structure, which is const.
Done using Coccinelle.
Signed-off-by: Bhumika Goyal
---
drivers/gpu/drm/msm/hdmi/hdmi_phy_8996.c | 2 +-
drivers/gpu/drm/msm/hdmi/hdmi_pll_8960.c | 2 +-
drivers/gpu/drm/msm/mdp/mdp4/mdp4_lvds_pll.c | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/msm/hdmi/hdmi_phy_8996.c
b/drivers/gpu/drm/msm/hdmi/hdmi_phy_8996.c
index 1fb7645..dea4697 100644
--- a/drivers/gpu/drm/msm/hdmi/hdmi_phy_8996.c
+++ b/drivers/gpu/drm/msm/hdmi/hdmi_phy_8996.c
@@ -702,7 +702,7 @@ static int hdmi_8996_pll_is_enabled(struct clk_hw *hw)
"xo",
};
-static struct clk_init_data pll_init = {
+static const struct clk_init_data pll_init = {
.name = "hdmipll",
.ops = &hdmi_8996_pll_ops,
.parent_names = hdmi_pll_parents,
diff --git a/drivers/gpu/drm/msm/hdmi/hdmi_pll_8960.c
b/drivers/gpu/drm/msm/hdmi/hdmi_pll_8960.c
index 9959075..2e3c147 100644
--- a/drivers/gpu/drm/msm/hdmi/hdmi_pll_8960.c
+++ b/drivers/gpu/drm/msm/hdmi/hdmi_pll_8960.c
@@ -419,7 +419,7 @@ static int hdmi_pll_set_rate(struct clk_hw *hw, unsigned
long rate,
"pxo",
};
-static struct clk_init_data pll_init = {
+static const struct clk_init_data pll_init = {
.name = "hdmi_pll",
.ops = &hdmi_pll_ops,
.parent_names = hdmi_pll_parents,
diff --git a/drivers/gpu/drm/msm/mdp/mdp4/mdp4_lvds_pll.c
b/drivers/gpu/drm/msm/mdp/mdp4/mdp4_lvds_pll.c
index ce42459..b9a7104 100644
--- a/drivers/gpu/drm/msm/mdp/mdp4/mdp4_lvds_pll.c
+++ b/drivers/gpu/drm/msm/mdp/mdp4/mdp4_lvds_pll.c
@@ -137,7 +137,7 @@ static int mpd4_lvds_pll_set_rate(struct clk_hw *hw,
unsigned long rate,
"pxo",
};
-static struct clk_init_data pll_init = {
+static const struct clk_init_data pll_init = {
.name = "mpd4_lvds_pll",
.ops = &mpd4_lvds_pll_ops,
.parent_names = mpd4_lvds_pll_parents,
--
1.9.1
[PATCH 3.16 035/134] [media] cx231xx-cards: fix NULL-deref at probe
3.16.47-rc1 review patch. If anyone has any objections, please let me know.
--
From: Johan Hovold
commit 0cd273bb5e4d1828efaaa8dfd11b7928131ed149 upstream.
Make sure to check the number of endpoints to avoid dereferencing a
NULL-pointer or accessing memory beyond the endpoint array should a
malicious device lack the expected endpoints.
Fixes: e0d3bafd0258 ("V4L/DVB (10954): Add cx231xx USB driver")
Cc: Sri Deevi
Signed-off-by: Johan Hovold
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings
---
drivers/media/usb/cx231xx/cx231xx-cards.c | 45 +++
1 file changed, 40 insertions(+), 5 deletions(-)
--- a/drivers/media/usb/cx231xx/cx231xx-cards.c
+++ b/drivers/media/usb/cx231xx/cx231xx-cards.c
@@ -1258,6 +1258,9 @@ static int cx231xx_usb_probe(struct usb_
uif = udev->actconfig->interface[dev->current_pcb_config.
hs_config_info[0].interface_info.video_index + 1];
+ if (uif->altsetting[0].desc.bNumEndpoints < isoc_pipe + 1)
+ return -ENODEV;
+
dev->video_mode.end_point_addr = uif->altsetting[0].
endpoint[isoc_pipe].desc.bEndpointAddress;
@@ -1275,8 +1278,12 @@ static int cx231xx_usb_probe(struct usb_
}
for (i = 0; i < dev->video_mode.num_alt; i++) {
- u16 tmp = le16_to_cpu(uif->altsetting[i].endpoint[isoc_pipe].
- desc.wMaxPacketSize);
+ u16 tmp;
+
+ if (uif->altsetting[i].desc.bNumEndpoints < isoc_pipe + 1)
+ return -ENODEV;
+
+ tmp =
le16_to_cpu(uif->altsetting[i].endpoint[isoc_pipe].desc.wMaxPacketSize);
dev->video_mode.alt_max_pkt_size[i] =
(tmp & 0x07ff) * (((tmp & 0x1800) >> 11) + 1);
cx231xx_info("Alternate setting %i, max size= %i\n", i,
@@ -1288,6 +1295,9 @@ static int cx231xx_usb_probe(struct usb_
hs_config_info[0].interface_info.
vanc_index + 1];
+ if (uif->altsetting[0].desc.bNumEndpoints < isoc_pipe + 1)
+ return -ENODEV;
+
dev->vbi_mode.end_point_addr =
uif->altsetting[0].endpoint[isoc_pipe].desc.
bEndpointAddress;
@@ -1306,8 +1316,12 @@ static int cx231xx_usb_probe(struct usb_
}
for (i = 0; i < dev->vbi_mode.num_alt; i++) {
- u16 tmp =
- le16_to_cpu(uif->altsetting[i].endpoint[isoc_pipe].
+ u16 tmp;
+
+ if (uif->altsetting[i].desc.bNumEndpoints < isoc_pipe + 1)
+ return -ENODEV;
+
+ tmp = le16_to_cpu(uif->altsetting[i].endpoint[isoc_pipe].
desc.wMaxPacketSize);
dev->vbi_mode.alt_max_pkt_size[i] =
(tmp & 0x07ff) * (((tmp & 0x1800) >> 11) + 1);
@@ -1320,6 +1334,9 @@ static int cx231xx_usb_probe(struct usb_
hs_config_info[0].interface_info.
hanc_index + 1];
+ if (uif->altsetting[0].desc.bNumEndpoints < isoc_pipe + 1)
+ return -ENODEV;
+
dev->sliced_cc_mode.end_point_addr =
uif->altsetting[0].endpoint[isoc_pipe].desc.
bEndpointAddress;
@@ -1338,7 +1355,12 @@ static int cx231xx_usb_probe(struct usb_
}
for (i = 0; i < dev->sliced_cc_mode.num_alt; i++) {
- u16 tmp = le16_to_cpu(uif->altsetting[i].endpoint[isoc_pipe].
+ u16 tmp;
+
+ if (uif->altsetting[i].desc.bNumEndpoints < isoc_pipe + 1)
+ return -ENODEV;
+
+ tmp = le16_to_cpu(uif->altsetting[i].endpoint[isoc_pipe].
desc.wMaxPacketSize);
dev->sliced_cc_mode.alt_max_pkt_size[i] =
(tmp & 0x07ff) * (((tmp & 0x1800) >> 11) + 1);
@@ -1353,6 +1375,11 @@ static int cx231xx_usb_probe(struct usb_
interface_info.
ts1_index + 1];
+ if (uif->altsetting[0].desc.bNumEndpoints < isoc_pipe + 1) {
+ retval = -ENODEV;
+ goto err_video_alt;
+ }
+
dev->ts1_mode.end_point_addr =
uif->altsetting[0].endpoint[isoc_pipe].
desc.bEndpointAddress;
@@ -1371,7 +1398,14 @@ static int cx231xx_usb_probe(struct usb_
}
for (i = 0; i < dev->ts1_mode.num_alt; i++) {
- u16 tmp = le16_to_cpu(uif->altsetting[i].
+ u16 tmp;
+
+ if (uif->altsetting[i].desc.bNumEndpoints < isoc_pipe +
1) {
+ retval = -ENODEV;
+
Re: [PATCH 3.16 119/134] ipv4: restore rt->fi for reference counting
On Fri, Aug 18, 2017 at 6:13 AM, Ben Hutchings wrote:
> 3.16.47-rc1 review patch. If anyone has any objections, please let me know.
>
> --
>
> From: WANG Cong
>
> commit 82486aa6f1b9bc8145e6d0fa2bc0b44307f3b875 upstream.
>
> IPv4 dst could use fi->fib_metrics to store metrics but fib_info
> itself is refcnt'ed, so without taking a refcnt fi and
> fi->fib_metrics could be freed while dst metrics still points to
> it. This triggers use-after-free as reported by Andrey twice.
>
> This patch reverts commit 2860583fe840 ("ipv4: Kill rt->fi") to
> restore this reference counting. It is a quick fix for -net and
> -stable, for -net-next, as Eric suggested, we can consider doing
> reference counting for metrics itself instead of relying on fib_info.
>
> IPv6 is very different, it copies or steals the metrics from mx6_config
> in fib6_commit_metrics() so probably doesn't need a refcnt.
>
> Decnet has already done the refcnt'ing, see dn_fib_semantic_match().
>
> Fixes: 2860583fe840 ("ipv4: Kill rt->fi")
> Reported-by: Andrey Konovalov
> Tested-by: Andrey Konovalov
> Signed-off-by: Cong Wang
> Acked-by: Eric Dumazet
> Signed-off-by: David S. Miller
> [bwh: Backported to 3.16:
> - Update all 5 places where rtable is initialised
> - Open-code fib_info_hold()
> - Adjust context]
> Signed-off-by: Ben Hutchings
> ---
I thought we refined this later with :
commit 3fb07daff8e99243366a081e5129560734de4ada
Author: Eric Dumazet
Date: Thu May 25 14:27:35 2017 -0700
ipv4: add reference counting to metrics
Andrey Konovalov reported crashes in ipv4_mtu()
I could reproduce the issue with KASAN kernels, between
10.246.7.151 and 10.246.7.152 :
1) 20 concurrent netperf -t TCP_RR -H 10.246.7.152 -l 1000 &
2) At the same time run following loop :
while :
do
ip ro add 10.246.7.152 dev eth0 src 10.246.7.151 mtu 1500
ip ro del 10.246.7.152 dev eth0 src 10.246.7.151 mtu 1500
done
Cong Wang attempted to add back rt->fi in commit
82486aa6f1b9 ("ipv4: restore rt->fi for reference counting")
but this proved to add some issues that were complex to solve.
Instead, I suggested to add a refcount to the metrics themselves,
being a standalone object (in particular, no reference to other objects)
I tried to make this patch as small as possible to ease its backport,
instead of being super clean. Note that we believe that only ipv4 dst
need to take care of the metric refcount. But if this is wrong,
this patch adds the basic infrastructure to extend this to other
families.
Many thanks to Julian Anastasov for reviewing this patch, and Cong Wang
for his efforts on this problem.
Fixes: 2860583fe840 ("ipv4: Kill rt->fi")
Signed-off-by: Eric Dumazet
Reported-by: Andrey Konovalov
Reviewed-by: Julian Anastasov
Acked-by: Cong Wang
Signed-off-by: David S. Miller
And then :
commit 187e5b3ac84d3421d2de3aca949b2791fbcad554
Author: Eric Dumazet
Date: Tue Aug 15 05:26:17 2017 -0700
ipv4: fix NULL dereference in free_fib_info_rcu()
If fi->fib_metrics could not be allocated in fib_create_info()
we attempt to dereference a NULL pointer in free_fib_info_rcu() :
m = fi->fib_metrics;
if (m != &dst_default_metrics && atomic_dec_and_test(&m->refcnt))
kfree(m);
Before my recent patch, we used to call kfree(NULL) and nothing wrong
happened.
Instead of using RCU to defer freeing while we are under memory stress,
it seems better to take immediate action.
This was reported by syzkaller team.
Fixes: 3fb07daff8e9 ("ipv4: add reference counting to metrics")
Signed-off-by: Eric Dumazet
Reported-by: Dmitry Vyukov
Signed-off-by: David S. Miller
[PATCH 3.16 034/134] [media] usbvision: fix NULL-deref at probe
3.16.47-rc1 review patch. If anyone has any objections, please let me know.
--
From: Johan Hovold
commit eacb975b48272f54532b62f515a3cf7eefa35123 upstream.
Make sure to check the number of endpoints to avoid dereferencing a
NULL-pointer or accessing memory beyond the endpoint array should a
malicious device lack the expected endpoints.
Fixes: 2a9f8b5d25be ("V4L/DVB (5206): Usbvision: set alternate interface
modification")
Cc: Thierry MERLE
Signed-off-by: Johan Hovold
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Ben Hutchings
---
drivers/media/usb/usbvision/usbvision-video.c | 9 -
1 file changed, 8 insertions(+), 1 deletion(-)
--- a/drivers/media/usb/usbvision/usbvision-video.c
+++ b/drivers/media/usb/usbvision/usbvision-video.c
@@ -1599,7 +1599,14 @@ static int usbvision_probe(struct usb_in
}
for (i = 0; i < usbvision->num_alt; i++) {
- u16 tmp = le16_to_cpu(uif->altsetting[i].endpoint[1].desc.
+ u16 tmp;
+
+ if (uif->altsetting[i].desc.bNumEndpoints < 2) {
+ ret = -ENODEV;
+ goto err_pkt;
+ }
+
+ tmp = le16_to_cpu(uif->altsetting[i].endpoint[1].desc.
wMaxPacketSize);
usbvision->alt_max_pkt_size[i] =
(tmp & 0x07ff) * (((tmp & 0x1800) >> 11) + 1);
Re: [PATCH v4 4/8] irqchip/irq-goldfish-pic: Add Goldfish PIC driver
On 18/08/17 14:08, Aleksandar Markovic wrote:
> From: Miodrag Dinic
>
> Add device driver for a virtual programmable interrupt controller
>
> The virtual PIC is designed as a device tree-based interrupt controller.
>
> The compatible string used by OS for binding the driver is
> "google,goldfish-pic".
>
> Signed-off-by: Miodrag Dinic
> Signed-off-by: Goran Ferenc
> Signed-off-by: Aleksandar Markovic
> ---
> MAINTAINERS| 1 +
> drivers/irqchip/Kconfig| 8 ++
> drivers/irqchip/Makefile | 1 +
> drivers/irqchip/irq-goldfish-pic.c | 145
> +
> 4 files changed, 155 insertions(+)
> create mode 100644 drivers/irqchip/irq-goldfish-pic.c
>
> diff --git a/MAINTAINERS b/MAINTAINERS
> index 013da1d..6426875 100644
> --- a/MAINTAINERS
> +++ b/MAINTAINERS
> @@ -844,6 +844,7 @@ ANDROID GOLDFISH PIC DRIVER
> M: Miodrag Dinic
> S: Supported
> F:
> Documentation/devicetree/bindings/interrupt-controller/google,goldfish-pic.txt
> +F: drivers/irqchip/irq-goldfish-pic.c
>
> ANDROID GOLDFISH RTC DRIVER
> M: Miodrag Dinic
> diff --git a/drivers/irqchip/Kconfig b/drivers/irqchip/Kconfig
> index f1fd5f4..21fab14 100644
> --- a/drivers/irqchip/Kconfig
> +++ b/drivers/irqchip/Kconfig
> @@ -306,3 +306,11 @@ config QCOM_IRQ_COMBINER
> help
> Say yes here to add support for the IRQ combiner devices embedded
> in Qualcomm Technologies chips.
> +
> +config GOLDFISH_PIC
> + bool "Goldfish programmable interrupt controller"
> + depends on MIPS && (GOLDFISH || COMPILE_TEST)
> + select IRQ_DOMAIN
> + help
> + Say yes here to enable Goldfish interrupt controller driver used
> + for Goldfish based virtual platforms.
> diff --git a/drivers/irqchip/Makefile b/drivers/irqchip/Makefile
> index e88d856..ade04a1 100644
> --- a/drivers/irqchip/Makefile
> +++ b/drivers/irqchip/Makefile
> @@ -78,3 +78,4 @@ obj-$(CONFIG_EZNPS_GIC) += irq-eznps.o
> obj-$(CONFIG_ARCH_ASPEED)+= irq-aspeed-vic.o irq-aspeed-i2c-ic.o
> obj-$(CONFIG_STM32_EXTI) += irq-stm32-exti.o
> obj-$(CONFIG_QCOM_IRQ_COMBINER) += qcom-irq-combiner.o
> +obj-$(CONFIG_GOLDFISH_PIC) += irq-goldfish-pic.o
> diff --git a/drivers/irqchip/irq-goldfish-pic.c
> b/drivers/irqchip/irq-goldfish-pic.c
> new file mode 100644
> index 000..948c35e
> --- /dev/null
> +++ b/drivers/irqchip/irq-goldfish-pic.c
> @@ -0,0 +1,145 @@
> +/*
> + * Copyright (C) 2017 Imagination Technologies Ltd. All rights reserved
> + * Author: Miodrag Dinic
> + *
> + * This file implements interrupt controller driver for MIPS Goldfish PIC.
> + *
> + * This program is free software; you can redistribute it and/or
> modify it
> + * under the terms of the GNU General Public License as published by
> the
> + * Free Software Foundation; either version 2 of the License, or (at your
> + * option) any later version.
> + */
> +
> +#include
> +#include
> +#include
> +#include
> +#include
> +#include
> +#include
> +#include
> +
> +#include
> +
> +/* 0..7 MIPS CPU interrupts */
> +#define GF_CPU_IRQ_PIC (MIPS_CPU_IRQ_BASE + 2)
> +#define GF_CPU_IRQ_COMPARE (MIPS_CPU_IRQ_BASE + 7)
> +
> +#define GF_NR_IRQS 40
> +/* 8..39 Cascaded Goldfish PIC interrupts */
> +#define GF_IRQ_OFFSET8
> +
> +#define GF_PIC_NUMBER0x04
> +#define GF_PIC_DISABLE_ALL 0x08
> +#define GF_PIC_DISABLE 0x0c
> +#define GF_PIC_ENABLE0x10
> +
> +static struct irq_domain *irq_domain;
> +static void __iomem *gf_pic_base;
> +
> +static inline void unmask_goldfish_irq(struct irq_data *d)
> +{
> + writel(d->hwirq - GF_IRQ_OFFSET,
> +gf_pic_base + GF_PIC_ENABLE);
> + irq_enable_hazard();
> +}
> +
> +static inline void mask_goldfish_irq(struct irq_data *d)
> +{
> + writel(d->hwirq - GF_IRQ_OFFSET,
> +gf_pic_base + GF_PIC_DISABLE);
> + irq_disable_hazard();
> +}
> +
> +static struct irq_chip goldfish_irq_controller = {
> + .name = "Goldfish PIC",
> + .irq_ack= mask_goldfish_irq,
I'm slightly puzzled.
> + .irq_mask = mask_goldfish_irq,
> + .irq_mask_ack = mask_goldfish_irq,
What does it mean to have irq_mask_ack implemented as mask?
> + .irq_unmask = unmask_goldfish_irq,
> + .irq_eoi= unmask_goldfish_irq,
Really? Are you joking?
> + .irq_disable= mask_goldfish_irq,
> + .irq_enable = unmask_goldfish_irq,
If enable/disable are the same as mask/unmask, you don't need separate
entry points.
> +};
> +
> +static void goldfish_irq_dispatch(void)
> +{
> + u32 irq;
> + u32 virq;
> +
> + irq = readl(gf_pic_base + GF_PIC_NUMBER);
> + if (irq == 0) {
> + /* Timer interrupt */
> + do_IRQ(GF_CPU_IRQ_COMPARE);
> + return;
> + }
Why isn't this indirected through
[PATCH 3.16 031/134] scsi: scsi_error: count medium access timeout only once per EH run
3.16.47-rc1 review patch. If anyone has any objections, please let me know.
--
From: Hannes Reinecke
commit 7a38dc0bfb4cc39ed57e120e2224673f3d4d200f upstream.
The current medium access timeout counter will be increased for
each command, so if there are enough failed commands we'll hit
the medium access timeout for even a single device failure and
the following kernel message is displayed:
sd H:C:T:L: [sdXY] Medium access timeout failure. Offlining disk!
Fix this by making the timeout per EH run, ie the counter will
only be increased once per device and EH run.
Fixes: 18a4d0a ("[SCSI] Handle disk devices which can not process medium access
commands")
Cc: Ewan Milne
Cc: Lawrence Obermann
Cc: Benjamin Block
Cc: Steffen Maier
Signed-off-by: Hannes Reinecke
Reviewed-by: Christoph Hellwig
Signed-off-by: Martin K. Petersen
[bwh: Backported to 3.16:
- Open-code blk_rq_is_passthrough()
- Adjust context]
Signed-off-by: Ben Hutchings
---
drivers/scsi/scsi_error.c | 18 ++
drivers/scsi/sd.c | 27 ++-
drivers/scsi/sd.h | 1 +
include/scsi/scsi_driver.h | 1 +
4 files changed, 46 insertions(+), 1 deletion(-)
--- a/drivers/scsi/scsi_error.c
+++ b/drivers/scsi/scsi_error.c
@@ -224,6 +224,23 @@ scsi_abort_command(struct scsi_cmnd *scm
}
/**
+ * scsi_eh_reset - call into ->eh_action to reset internal counters
+ * @scmd: scmd to run eh on.
+ *
+ * The scsi driver might be carrying internal state about the
+ * devices, so we need to call into the driver to reset the
+ * internal state once the error handler is started.
+ */
+static void scsi_eh_reset(struct scsi_cmnd *scmd)
+{
+ if (scmd->request->cmd_type == REQ_TYPE_FS) {
+ struct scsi_driver *sdrv = scsi_cmd_to_driver(scmd);
+ if (sdrv->eh_reset)
+ sdrv->eh_reset(scmd);
+ }
+}
+
+/**
* scsi_eh_scmd_add - add scsi cmd to error handling.
* @scmd: scmd to run eh on.
* @eh_flag: optional SCSI_EH flag.
@@ -252,6 +269,7 @@ int scsi_eh_scmd_add(struct scsi_cmnd *s
if (scmd->eh_eflags & SCSI_EH_ABORT_SCHEDULED)
eh_flag &= ~SCSI_EH_CANCEL_CMD;
scmd->eh_eflags |= eh_flag;
+ scsi_eh_reset(scmd);
list_add_tail(&scmd->eh_entry, &shost->eh_cmd_q);
shost->host_failed++;
scsi_eh_wakeup(shost);
--- a/drivers/scsi/sd.c
+++ b/drivers/scsi/sd.c
@@ -112,6 +112,7 @@ static void sd_rescan(struct device *);
static int sd_init_command(struct scsi_cmnd *SCpnt);
static void sd_uninit_command(struct scsi_cmnd *SCpnt);
static int sd_done(struct scsi_cmnd *);
+static void sd_eh_reset(struct scsi_cmnd *);
static int sd_eh_action(struct scsi_cmnd *, int);
static void sd_read_capacity(struct scsi_disk *sdkp, unsigned char *buffer);
static void scsi_disk_release(struct device *cdev);
@@ -509,6 +510,7 @@ static struct scsi_driver sd_template =
.uninit_command = sd_uninit_command,
.done = sd_done,
.eh_action = sd_eh_action,
+ .eh_reset = sd_eh_reset,
};
/*
@@ -1536,6 +1538,26 @@ static const struct block_device_operati
};
/**
+ * sd_eh_reset - reset error handling callback
+ * @scmd: sd-issued command that has failed
+ *
+ * This function is called by the SCSI midlayer before starting
+ * SCSI EH. When counting medium access failures we have to be
+ * careful to register it only only once per device and SCSI EH run;
+ * there might be several timed out commands which will cause the
+ * 'max_medium_access_timeouts' counter to trigger after the first
+ * SCSI EH run already and set the device to offline.
+ * So this function resets the internal counter before starting SCSI EH.
+ **/
+static void sd_eh_reset(struct scsi_cmnd *scmd)
+{
+ struct scsi_disk *sdkp = scsi_disk(scmd->request->rq_disk);
+
+ /* New SCSI EH run, reset gate variable */
+ sdkp->ignore_medium_access_errors = false;
+}
+
+/**
* sd_eh_action - error handling callback
* @scmd: sd-issued command that has failed
* @eh_disp: The recovery disposition suggested by the midlayer
@@ -1564,7 +1586,10 @@ static int sd_eh_action(struct scsi_cmnd
* process of recovering or has it suffered an internal failure
* that prevents access to the storage medium.
*/
- sdkp->medium_access_timed_out++;
+ if (!sdkp->ignore_medium_access_errors) {
+ sdkp->medium_access_timed_out++;
+ sdkp->ignore_medium_access_errors = true;
+ }
/*
* If the device keeps failing read/write commands but TEST UNIT
--- a/drivers/scsi/sd.h
+++ b/drivers/scsi/sd.h
@@ -90,6 +90,7 @@ struct scsi_disk {
unsignedlbpvpd : 1;
unsignedws10 : 1;
unsignedws16 : 1;
+ unsignedignore_medium_access_errors : 1;
};
#define
[PATCH 3.16 037/134] [media] cx231xx-audio: fix NULL-deref at probe
3.16.47-rc1 review patch. If anyone has any objections, please let me know.
--
From: Johan Hovold
commit 65f921647f4c89a2068478c89691f39b309b58f7 upstream.
Make sure to check the number of endpoints to avoid dereferencing a
NULL-pointer or accessing memory beyond the endpoint array should a
malicious device lack the expected endpoints.
Fixes: e0d3bafd0258 ("V4L/DVB (10954): Add cx231xx USB driver")
Cc: Sri Deevi
Signed-off-by: Johan Hovold
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Ben Hutchings
---
drivers/media/usb/cx231xx/cx231xx-audio.c | 17 +++--
1 file changed, 15 insertions(+), 2 deletions(-)
--- a/drivers/media/usb/cx231xx/cx231xx-audio.c
+++ b/drivers/media/usb/cx231xx/cx231xx-audio.c
@@ -699,6 +699,11 @@ static int cx231xx_audio_init(struct cx2
hs_config_info[0].interface_info.
audio_index + 1];
+ if (uif->altsetting[0].desc.bNumEndpoints < isoc_pipe + 1) {
+ err = -ENODEV;
+ goto err_free_card;
+ }
+
adev->end_point_addr =
uif->altsetting[0].endpoint[isoc_pipe].desc.
bEndpointAddress;
@@ -714,8 +719,14 @@ static int cx231xx_audio_init(struct cx2
}
for (i = 0; i < adev->num_alt; i++) {
- u16 tmp =
- le16_to_cpu(uif->altsetting[i].endpoint[isoc_pipe].desc.
+ u16 tmp;
+
+ if (uif->altsetting[i].desc.bNumEndpoints < isoc_pipe + 1) {
+ err = -ENODEV;
+ goto err_free_pkt_size;
+ }
+
+ tmp = le16_to_cpu(uif->altsetting[i].endpoint[isoc_pipe].desc.
wMaxPacketSize);
adev->alt_max_pkt_size[i] =
(tmp & 0x07ff) * (((tmp & 0x1800) >> 11) + 1);
@@ -725,6 +736,8 @@ static int cx231xx_audio_init(struct cx2
return 0;
+err_free_pkt_size:
+ kfree(adev->alt_max_pkt_size);
err_free_card:
snd_card_free(card);
Re: [PATCH v2 6/6] kernel: tracepoints: add support for relative references
On 18 August 2017 at 14:52, Steven Rostedt wrote: > On Fri, 18 Aug 2017 14:44:15 +0100 > Ard Biesheuvel wrote: > >> >> It appears the stuff above needs to be move inside the double-include >> >> guard (which oddly enough does not cover the entire file) >> > >> > Why was this moved to the header file? To fulfill some checkpatch >> > warning? >> > >> >> Yes. > > My preference is to ignore that checkpatch warning. The section > variables are created by linker magic, and not normal "extern" > variables. They are only used in one location, and I like to keep them > where they are used, and not be something other places might think they > can be used. In other words, keep them by the C code, and out of > headers. > > Tracepoints and linker/asm work always triggers a lot of bogus > checkpatch warnings. Which is unfortunate. :-/ > Actually, I couldn't agree more. I will backpedal on the checkpatch appeasement in v3 in general. Thanks, Ard.
[PATCH 3.16 036/134] [media] cx231xx-audio: fix init error path
3.16.47-rc1 review patch. If anyone has any objections, please let me know.
--
From: Johan Hovold
commit fff1abc4d54e469140a699612b4db8d6397bfcba upstream.
Make sure to release the snd_card also on a late allocation error.
Fixes: e0d3bafd0258 ("V4L/DVB (10954): Add cx231xx USB driver")
Cc: Sri Deevi
Signed-off-by: Johan Hovold
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings
---
--- a/drivers/media/usb/cx231xx/cx231xx-audio.c
+++ b/drivers/media/usb/cx231xx/cx231xx-audio.c
@@ -672,10 +672,8 @@ static int cx231xx_audio_init(struct cx2
spin_lock_init(&adev->slock);
err = snd_pcm_new(card, "Cx231xx Audio", 0, 0, 1, &pcm);
- if (err < 0) {
- snd_card_free(card);
- return err;
- }
+ if (err < 0)
+ goto err_free_card;
snd_pcm_set_ops(pcm, SNDRV_PCM_STREAM_CAPTURE,
&snd_cx231xx_pcm_capture);
@@ -689,10 +687,9 @@ static int cx231xx_audio_init(struct cx2
INIT_WORK(&dev->wq_trigger, audio_trigger);
err = snd_card_register(card);
- if (err < 0) {
- snd_card_free(card);
- return err;
- }
+ if (err < 0)
+ goto err_free_card;
+
adev->sndcard = card;
adev->udev = dev->udev;
@@ -710,10 +707,10 @@ static int cx231xx_audio_init(struct cx2
cx231xx_info("EndPoint Addr 0x%x, Alternate settings: %i\n",
adev->end_point_addr, adev->num_alt);
adev->alt_max_pkt_size = kmalloc(32 * adev->num_alt, GFP_KERNEL);
-
- if (adev->alt_max_pkt_size == NULL) {
+ if (!adev->alt_max_pkt_size) {
cx231xx_errdev("out of memory!\n");
- return -ENOMEM;
+ err = -ENOMEM;
+ goto err_free_card;
}
for (i = 0; i < adev->num_alt; i++) {
@@ -727,6 +724,11 @@ static int cx231xx_audio_init(struct cx2
}
return 0;
+
+err_free_card:
+ snd_card_free(card);
+
+ return err;
}
static int cx231xx_audio_fini(struct cx231xx *dev)
[PATCH 3.16 038/134] [media] uvcvideo: Fix empty packet statistic
3.16.47-rc1 review patch. If anyone has any objections, please let me know. -- From: Kieran Bingham commit 360a3a90c6261fe24a959ff38f8f6c3a8468f23c upstream. The frame counters are inadvertently counting packets with content as empty. Fix it by correcting the logic expression Fixes: 7bc5edb00bbd [media] uvcvideo: Extract video stream statistics Signed-off-by: Kieran Bingham Signed-off-by: Laurent Pinchart Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Ben Hutchings --- drivers/media/usb/uvc/uvc_video.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/media/usb/uvc/uvc_video.c +++ b/drivers/media/usb/uvc/uvc_video.c @@ -810,7 +810,7 @@ static void uvc_video_stats_decode(struc /* Update the packets counters. */ stream->stats.frame.nb_packets++; - if (len > header_size) + if (len <= header_size) stream->stats.frame.nb_empty++; if (data[1] & UVC_STREAM_ERR)
[PATCH 1/1] crypto: stm32/hash - Remove uninitialized symbol
Remove err symbol as this is not used in the thread context
and the variable is not initialized.
Signed-off-by: Lionel Debieve
---
drivers/crypto/stm32/stm32-hash.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/drivers/crypto/stm32/stm32-hash.c
b/drivers/crypto/stm32/stm32-hash.c
index b585ce5..b34ee85 100644
--- a/drivers/crypto/stm32/stm32-hash.c
+++ b/drivers/crypto/stm32/stm32-hash.c
@@ -1067,7 +1067,6 @@ static int stm32_hash_cra_sha256_init(struct crypto_tfm
*tfm)
static irqreturn_t stm32_hash_irq_thread(int irq, void *dev_id)
{
struct stm32_hash_dev *hdev = dev_id;
- int err;
if (HASH_FLAGS_CPU & hdev->flags) {
if (HASH_FLAGS_OUTPUT_READY & hdev->flags) {
@@ -1084,8 +1083,8 @@ static irqreturn_t stm32_hash_irq_thread(int irq, void
*dev_id)
return IRQ_HANDLED;
finish:
- /*Finish current request */
- stm32_hash_finish_req(hdev->req, err);
+ /* Finish current request */
+ stm32_hash_finish_req(hdev->req, 0);
return IRQ_HANDLED;
}
--
2.7.4
[PATCH 3.16 039/134] padata: free correct variable
3.16.47-rc1 review patch. If anyone has any objections, please let me know.
--
From: "Jason A. Donenfeld"
commit 07a77929ba672d93642a56dc2255dd21e6e2290b upstream.
The author meant to free the variable that was just allocated, instead
of the one that failed to be allocated, but made a simple typo. This
patch rectifies that.
Signed-off-by: Jason A. Donenfeld
Signed-off-by: Herbert Xu
Signed-off-by: Ben Hutchings
---
kernel/padata.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/kernel/padata.c
+++ b/kernel/padata.c
@@ -356,7 +356,7 @@ static int padata_setup_cpumasks(struct
cpumask_and(pd->cpumask.pcpu, pcpumask, cpu_online_mask);
if (!alloc_cpumask_var(&pd->cpumask.cbcpu, GFP_KERNEL)) {
- free_cpumask_var(pd->cpumask.cbcpu);
+ free_cpumask_var(pd->cpumask.pcpu);
return -ENOMEM;
}
[PATCH 3.16 027/134] IPoIB: Remove unnecessary test for NULL before debugfs_remove()
3.16.47-rc1 review patch. If anyone has any objections, please let me know.
--
From: Fabian Frederick
commit e42fa2092c1049ac9c0e38aaac39ef3c40e91a36 upstream.
Fix checkpatch warning:
WARNING: debugfs_remove(NULL) is safe this check is probably not required
Signed-off-by: Fabian Frederick
Signed-off-by: Doug Ledford
Signed-off-by: Roland Dreier
Signed-off-by: Ben Hutchings
---
drivers/infiniband/ulp/ipoib/ipoib_fs.c | 6 ++
1 file changed, 2 insertions(+), 4 deletions(-)
--- a/drivers/infiniband/ulp/ipoib/ipoib_fs.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_fs.c
@@ -281,10 +281,8 @@ void ipoib_delete_debug_files(struct net
{
struct ipoib_dev_priv *priv = netdev_priv(dev);
- if (priv->mcg_dentry)
- debugfs_remove(priv->mcg_dentry);
- if (priv->path_dentry)
- debugfs_remove(priv->path_dentry);
+ debugfs_remove(priv->mcg_dentry);
+ debugfs_remove(priv->path_dentry);
}
int ipoib_register_debugfs(void)
Re: [PATCH v2] blktrace: Fix potentail deadlock between delete & sysfs ops
On 08/17/2017 05:30 PM, Steven Rostedt wrote: > On Thu, 17 Aug 2017 17:10:07 -0400 > Steven Rostedt wrote: > > >> Instead of playing games with taking the lock, the only way this race >> is hit, is if the partition is being deleted and the sysfs attribute is >> being read at the same time, correct? In that case, just return >> -ENODEV, and be done with it. > Nevermind that wont work. Too bad there's not a mutex_lock_timeout() > that we could use in a loop. It would solve the issue of forward > progress with RT tasks, and will break after a timeout in case of > deadlock. > > -- Steve I think it will be useful to have mutex_timed_lock(). RT-mutex does have a timed version, so I guess it shouldn't be hard to implement one for mutex. I can take a shot at trying to do that. Thanks, Longman
[PATCH 3.16 028/134] IB/IPoIB: ibX: failed to create mcg debug file
3.16.47-rc1 review patch. If anyone has any objections, please let me know.
--
From: Shamir Rabinovitch
commit 771a52584096c45e4565e8aabb596eece9d73d61 upstream.
When udev renames the netdev devices, ipoib debugfs entries does not
get renamed. As a result, if subsequent probe of ipoib device reuse the
name then creating a debugfs entry for the new device would fail.
Also, moved ipoib_create_debug_files and ipoib_delete_debug_files as part
of ipoib event handling in order to avoid any race condition between these.
Fixes: 1732b0ef3b3a ([IPoIB] add path record information in debugfs)
Signed-off-by: Vijay Kumar
Signed-off-by: Shamir Rabinovitch
Reviewed-by: Mark Bloch
Signed-off-by: Doug Ledford
Signed-off-by: Ben Hutchings
---
drivers/infiniband/ulp/ipoib/ipoib_fs.c | 3 +++
drivers/infiniband/ulp/ipoib/ipoib_main.c | 44 +++
drivers/infiniband/ulp/ipoib/ipoib_vlan.c | 3 ---
3 files changed, 42 insertions(+), 8 deletions(-)
--- a/drivers/infiniband/ulp/ipoib/ipoib_fs.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_fs.c
@@ -281,8 +281,11 @@ void ipoib_delete_debug_files(struct net
{
struct ipoib_dev_priv *priv = netdev_priv(dev);
+ WARN_ONCE(!priv->mcg_dentry, "null mcg debug file\n");
+ WARN_ONCE(!priv->path_dentry, "null path debug file\n");
debugfs_remove(priv->mcg_dentry);
debugfs_remove(priv->path_dentry);
+ priv->mcg_dentry = priv->path_dentry = NULL;
}
int ipoib_register_debugfs(void)
--- a/drivers/infiniband/ulp/ipoib/ipoib_main.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c
@@ -98,6 +98,33 @@ static struct ib_client ipoib_client = {
.remove = ipoib_remove_one
};
+#ifdef CONFIG_INFINIBAND_IPOIB_DEBUG
+static int ipoib_netdev_event(struct notifier_block *this,
+ unsigned long event, void *ptr)
+{
+ struct netdev_notifier_info *ni = ptr;
+ struct net_device *dev = ni->dev;
+
+ if (dev->netdev_ops->ndo_open != ipoib_open)
+ return NOTIFY_DONE;
+
+ switch (event) {
+ case NETDEV_REGISTER:
+ ipoib_create_debug_files(dev);
+ break;
+ case NETDEV_CHANGENAME:
+ ipoib_delete_debug_files(dev);
+ ipoib_create_debug_files(dev);
+ break;
+ case NETDEV_UNREGISTER:
+ ipoib_delete_debug_files(dev);
+ break;
+ }
+
+ return NOTIFY_DONE;
+}
+#endif
+
int ipoib_open(struct net_device *dev)
{
struct ipoib_dev_priv *priv = netdev_priv(dev);
@@ -1313,8 +1340,6 @@ void ipoib_dev_cleanup(struct net_device
ASSERT_RTNL();
- ipoib_delete_debug_files(dev);
-
/* Delete any child interfaces first */
list_for_each_entry_safe(cpriv, tcpriv, &priv->child_intfs, list) {
/* Stop GC on child */
@@ -1620,8 +1645,6 @@ static struct net_device *ipoib_add_port
goto register_failed;
}
- ipoib_create_debug_files(priv->dev);
-
if (ipoib_cm_add_mode_attr(priv->dev))
goto sysfs_failed;
if (ipoib_add_pkey_attr(priv->dev))
@@ -1636,7 +1659,6 @@ static struct net_device *ipoib_add_port
return priv->dev;
sysfs_failed:
- ipoib_delete_debug_files(priv->dev);
unregister_netdev(priv->dev);
register_failed:
@@ -1727,6 +1749,12 @@ static void ipoib_remove_one(struct ib_d
kfree(dev_list);
}
+#ifdef CONFIG_INFINIBAND_IPOIB_DEBUG
+static struct notifier_block ipoib_netdev_notifier = {
+ .notifier_call = ipoib_netdev_event,
+};
+#endif
+
static int __init ipoib_init_module(void)
{
int ret;
@@ -1776,6 +1804,9 @@ static int __init ipoib_init_module(void
if (ret)
goto err_client;
+#ifdef CONFIG_INFINIBAND_IPOIB_DEBUG
+ register_netdevice_notifier(&ipoib_netdev_notifier);
+#endif
return 0;
err_client:
@@ -1793,6 +1824,9 @@ err_fs:
static void __exit ipoib_cleanup_module(void)
{
+#ifdef CONFIG_INFINIBAND_IPOIB_DEBUG
+ unregister_netdevice_notifier(&ipoib_netdev_notifier);
+#endif
ipoib_netlink_fini();
ib_unregister_client(&ipoib_client);
ib_sa_unregister_client(&ipoib_sa_client);
--- a/drivers/infiniband/ulp/ipoib/ipoib_vlan.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_vlan.c
@@ -86,8 +86,6 @@ int __ipoib_vlan_add(struct ipoib_dev_pr
priv->parent = ppriv->dev;
- ipoib_create_debug_files(priv->dev);
-
/* RTNL childs don't need proprietary sysfs entries */
if (type == IPOIB_LEGACY_CHILD) {
if (ipoib_cm_add_mode_attr(priv->dev))
@@ -109,7 +107,6 @@ int __ipoib_vlan_add(struct ipoib_dev_pr
sysfs_failed:
result = -ENOMEM;
- ipoib_delete_debug_files(priv->dev);
unregister_netdevice(priv->dev);
register_failed:
[PATCH 3.16 029/134] [media] gspca: konica: add missing endpoint sanity check
3.16.47-rc1 review patch. If anyone has any objections, please let me know.
--
From: Johan Hovold
commit aa58fedb8c7b6cf2f05941d238495f9e2f29655c upstream.
Make sure to check the number of endpoints to avoid accessing memory
beyond the endpoint array should a device lack the expected endpoints.
Note that, as far as I can tell, the gspca framework has already made
sure there is at least one endpoint in the current alternate setting so
there should be no risk for a NULL-pointer dereference here.
Fixes: b517af722860 ("V4L/DVB: gspca_konica: New gspca subdriver for
konica chipset using cams")
Cc: Hans de Goede
Signed-off-by: Johan Hovold
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Ben Hutchings
---
drivers/media/usb/gspca/konica.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/media/usb/gspca/konica.c
+++ b/drivers/media/usb/gspca/konica.c
@@ -188,6 +188,9 @@ static int sd_start(struct gspca_dev *gs
return -EIO;
}
+ if (alt->desc.bNumEndpoints < 2)
+ return -ENODEV;
+
packet_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize);
n = gspca_dev->cam.cam_mode[gspca_dev->curr_mode].priv;
[PATCH 3.16 033/134] [media] dib0700: fix NULL-deref at probe
3.16.47-rc1 review patch. If anyone has any objections, please let me know.
--
From: Johan Hovold
commit d5823511c0f8719a39e72ede1bce65411ac653b7 upstream.
Make sure to check the number of endpoints to avoid dereferencing a
NULL-pointer should a malicious device lack endpoints.
Fixes: c4018fa2e4c0 ("[media] dib0700: fix RC support on Hauppauge
Nova-TD")
Cc: Mauro Carvalho Chehab
Signed-off-by: Johan Hovold
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Ben Hutchings
---
drivers/media/usb/dvb-usb/dib0700_core.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/media/usb/dvb-usb/dib0700_core.c
+++ b/drivers/media/usb/dvb-usb/dib0700_core.c
@@ -769,6 +769,9 @@ int dib0700_rc_setup(struct dvb_usb_devi
/* Starting in firmware 1.20, the RC info is provided on a bulk pipe */
+ if (intf->altsetting[0].desc.bNumEndpoints < rc_ep + 1)
+ return -ENODEV;
+
purb = usb_alloc_urb(0, GFP_KERNEL);
if (purb == NULL) {
err("rc usb alloc urb failed");
[PATCH 3.16 030/134] [media] s5p-mfc: Fix unbalanced call to clock management
3.16.47-rc1 review patch. If anyone has any objections, please let me know.
--
From: Marek Szyprowski
commit a5cb00eb4223458250b55daf03ac7ea5f424d601 upstream.
Clock should be turned off after calling s5p_mfc_init_hw() from the
watchdog worker, like it is already done in the s5p_mfc_open() which also
calls this function.
Fixes: af93574678108 ("[media] MFC: Add MFC 5.1 V4L2 driver")
Signed-off-by: Marek Szyprowski
Signed-off-by: Sylwester Nawrocki
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Ben Hutchings
---
drivers/media/platform/s5p-mfc/s5p_mfc.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/media/platform/s5p-mfc/s5p_mfc.c
+++ b/drivers/media/platform/s5p-mfc/s5p_mfc.c
@@ -169,6 +169,7 @@ static void s5p_mfc_watchdog_worker(stru
}
s5p_mfc_clock_on();
ret = s5p_mfc_init_hw(dev);
+ s5p_mfc_clock_off();
if (ret)
mfc_err("Failed to reinit FW\n");
}
[PATCH 3.16 022/134] pinctrl: sh-pfc: r8a7791: Fix SCIF2 pinmux data
3.16.47-rc1 review patch. If anyone has any objections, please let me know.
--
From: Sergei Shtylyov
commit 58439280f84e6b39fd7d61f25ab30489c1aaf0a9 upstream.
PINMUX_IPSR_MSEL() macro invocation for the TX2 signal has apparently wrong
1st argument -- most probably a result of cut&paste programming...
Fixes: 508845196238 ("pinctrl: sh-pfc: r8a7791 PFC support")
Signed-off-by: Sergei Shtylyov
Signed-off-by: Geert Uytterhoeven
[bwh: Backported to 3.16:
- Use PINMUX_IPSR_MODSEL_DATA() instead of PINMUX_IPSR_MSEL()
- Adjust context]
Signed-off-by: Ben Hutchings
---
drivers/pinctrl/sh-pfc/pfc-r8a7791.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/pinctrl/sh-pfc/pfc-r8a7791.c
+++ b/drivers/pinctrl/sh-pfc/pfc-r8a7791.c
@@ -1092,7 +1092,7 @@ static const u16 pinmux_data[] = {
PINMUX_IPSR_MODSEL_DATA(IP6_5_3, FMIN_E, SEL_FM_4),
PINMUX_IPSR_DATA(IP6_7_6, AUDIO_CLKOUT),
PINMUX_IPSR_MODSEL_DATA(IP6_7_6, MSIOF1_SS1_B, SEL_SOF1_1),
- PINMUX_IPSR_MODSEL_DATA(IP6_5_3, TX2, SEL_SCIF2_0),
+ PINMUX_IPSR_MODSEL_DATA(IP6_7_6, TX2, SEL_SCIF2_0),
PINMUX_IPSR_MODSEL_DATA(IP6_7_6, SCIFA2_TXD, SEL_SCIFA2_0),
PINMUX_IPSR_DATA(IP6_9_8, IRQ0),
PINMUX_IPSR_MODSEL_DATA(IP6_9_8, SCIFB1_RXD_D, SEL_SCIFB1_3),
[PATCH 3.16 025/134] PCI: dwc: Fix uninitialized variable in dw_handle_msi_irq()
3.16.47-rc1 review patch. If anyone has any objections, please let me know.
--
From: Dan Carpenter
commit 1b497e6493c49bbb55c89f53562f7f853495e90d upstream.
The bug is that "val" is unsigned long but we only initialize 32 bits of
it. Then we test "if (val)" and that might be true not because we set the
bits but because some were never initialized.
Fixes: f342d940ee0e ("PCI: exynos: Add support for MSI")
Signed-off-by: Dan Carpenter
Signed-off-by: Bjorn Helgaas
[bwh: Backported to 3.16: adjust filename, context]
Signed-off-by: Ben Hutchings
---
drivers/pci/host/pcie-designware.c | 7 ---
1 file changed, 4 insertions(+), 3 deletions(-)
--- a/drivers/pci/host/pcie-designware.c
+++ b/drivers/pci/host/pcie-designware.c
@@ -158,19 +158,20 @@ static struct irq_chip dw_msi_irq_chip =
/* MSI int handler */
irqreturn_t dw_handle_msi_irq(struct pcie_port *pp)
{
- unsigned long val;
+ u32 val;
int i, pos, irq;
irqreturn_t ret = IRQ_NONE;
for (i = 0; i < MAX_MSI_CTRLS; i++) {
dw_pcie_rd_own_conf(pp, PCIE_MSI_INTR0_STATUS + i * 12, 4,
- (u32 *)&val);
+ &val);
if (!val)
continue;
ret = IRQ_HANDLED;
pos = 0;
- while ((pos = find_next_bit(&val, 32, pos)) != 32) {
+ while ((pos = find_next_bit((unsigned long *) &val, 32,
+ pos)) != 32) {
irq = irq_find_mapping(pp->irq_domain, i * 32 + pos);
dw_pcie_wr_own_conf(pp, PCIE_MSI_INTR0_STATUS + i * 12,
4, 1 << pos);
[PATCH 3.16 024/134] PCI: dwc: Unindent dw_handle_msi_irq() loop
3.16.47-rc1 review patch. If anyone has any objections, please let me know.
--
From: Bjorn Helgaas
commit dbe4a09e8bbcf88809a8394d6a359d8cebd22a86 upstream.
Use "continue" to skip rest of the loop when possible to save an indent
level. No functional change intended.
Suggested-by: walter harms
Signed-off-by: Bjorn Helgaas
[bwh: Backported to 3.16: adjust filename, context]
Signed-off-by: Ben Hutchings
---
drivers/pci/host/pcie-designware.c | 22 +++---
1 file changed, 11 insertions(+), 11 deletions(-)
--- a/drivers/pci/host/pcie-designware.c
+++ b/drivers/pci/host/pcie-designware.c
@@ -165,18 +165,17 @@ irqreturn_t dw_handle_msi_irq(struct pci
for (i = 0; i < MAX_MSI_CTRLS; i++) {
dw_pcie_rd_own_conf(pp, PCIE_MSI_INTR0_STATUS + i * 12, 4,
(u32 *)&val);
- if (val) {
- ret = IRQ_HANDLED;
- pos = 0;
- while ((pos = find_next_bit(&val, 32, pos)) != 32) {
- irq = irq_find_mapping(pp->irq_domain,
- i * 32 + pos);
- dw_pcie_wr_own_conf(pp,
- PCIE_MSI_INTR0_STATUS + i * 12,
- 4, 1 << pos);
- generic_handle_irq(irq);
- pos++;
- }
+ if (!val)
+ continue;
+
+ ret = IRQ_HANDLED;
+ pos = 0;
+ while ((pos = find_next_bit(&val, 32, pos)) != 32) {
+ irq = irq_find_mapping(pp->irq_domain, i * 32 + pos);
+ dw_pcie_wr_own_conf(pp, PCIE_MSI_INTR0_STATUS + i * 12,
+ 4, 1 << pos);
+ generic_handle_irq(irq);
+ pos++;
}
}
Re: [kernel-hardening] [RFC] memory allocations in genalloc
On 08/17/2017 09:26 AM, Igor Stoppa wrote:
> Foreword:
> If I should direct this message to someone else, please let me know.
> I couldn't get a clear idea, by looking at both MAINTAINERS and git blame.
>
>
>
> Hi,
>
> I'm currently trying to convert the SE Linux policy db into using a
> protectable memory allocator (pmalloc) that I have developed.
>
> Such allocator is based on genalloc: I had come up with an
> implementation that was pretty similar to what genalloc already does, so
> it was pointed out to me that I could have a look at it.
>
> And, indeed, it seemed a perfect choice.
>
> But ... when freeing memory, genalloc wants that the caller also states
> how large each specific memory allocation is.
>
> This, per se, is not an issue, although genalloc doesn't seen to check
> if the memory being freed is really matching a previous allocation request.
>
> However, this design doesn't sit well with the use case I have in mind.
>
> In particular, when the SE Linux policy db is populated, the creation of
> one or more specific entry of the db might fail.
> In this case, the memory previously allocated for said entry, is
> released with kfree, which doesn't need to know the size of the chunk
> being freed.
>
> I would like to add similar capability to genalloc.
>
> genalloc already uses bitmaps, to track what words are allocated (1) and
> which are free (0)
>
> What I would like to do is to add another bitmap, which would track the
> beginning of each individual allocation (1 on the first allocation unit
> of each allocation, 0 otherwise).
>
> Such enhancement would enable also the detection of calls to free with
> incorrect / misaligned addresses - right now it is possible to
> successfully free a memory area that overlaps the interface of two
> adjacent allocations, without fully covering either of them.
>
> Would this change be acceptable?
> Is there any better way to achieve what I want?
>
In general, I don't see anything wrong with wanting to let gen_pool_free
not take a size. It's hard to say anything more without a patch to review.
My biggest concern would be keeping existing behavior and managing two
bitmaps locklessly.
>
> ---
>
> I have also a question wrt the use of spinlocks in genalloc.
> Why a spinlock?
>
> Freeing a chunk of memory previously allocated with vmalloc requires
> invoking vfree_atomic, instead of vfree, because the list of chunks is
> walked with the spinlock held, and vfree can sleep.
>
> Why not using a mutex?
>
>From the git history, gen_pool used to use a reader/writer lock and
was switched to be lockless so it could be used in NMI contexts
7f184275aa30 ("lib, Make gen_pool memory allocator lockless").
This looks to be an intentional choice, presumably so regions can be
added in atomic contexts. Again, if you have a specific patch or
proposal this would be easier to review.
Thanks,
Laura
>
> --
> TIA, igor
>
Re: [PATCH v3] livepatch: add (un)patch callbacks
On Wed 2017-08-16 15:17:04, Joe Lawrence wrote:
> Provide livepatch modules a klp_object (un)patching notification
> mechanism. Pre and post-(un)patch callbacks allow livepatch modules to
> setup or synchronize changes that would be difficult to support in only
> patched-or-unpatched code contexts.
>
> diff --git a/include/linux/livepatch.h b/include/linux/livepatch.h
> index 194991ef9347..500dc9b2b361 100644
> --- a/include/linux/livepatch.h
> +++ b/include/linux/livepatch.h
> @@ -138,6 +154,71 @@ struct klp_patch {
>func->old_name || func->new_func || func->old_sympos; \
>func++)
>
> +/**
> + * klp_is_object_loaded() - is klp_object currently loaded?
> + * @obj: klp_object pointer
> + *
> + * Return: true if klp_object is loaded (always true for vmlinux)
> + */
> +static inline bool klp_is_object_loaded(struct klp_object *obj)
> +{
> + return !obj->name || obj->mod;
> +}
> +
> +/**
> + * klp_pre_patch_callback - execute before klp_object is patched
> + * @obj: invoke callback for this klp_object
> + *
> + * Return: status from callback
> + *
> + * Callers should ensure obj->patched is *not* set.
> + */
> +static inline int klp_pre_patch_callback(struct klp_object *obj)
> +{
> + if (obj->callbacks.pre_patch)
> + return (*obj->callbacks.pre_patch)(obj);
> + return 0;
> +}
> +
> +/**
> + * klp_post_patch_callback() - execute after klp_object is patched
> + * @obj: invoke callback for this klp_object
> + *
> + * Callers should ensure obj->patched is set.
> + */
> +static inline void klp_post_patch_callback(struct klp_object *obj)
> +{
> + if (obj->callbacks.post_patch)
> + (*obj->callbacks.post_patch)(obj);
> +}
> +
> +/**
> + * klp_pre_unpatch_callback() - execute before klp_object is unpatched
> + * and is active across all tasks
> + * @obj: invoke callback for this klp_object
> + *
> + * Callers should ensure obj->patched is set.
> + */
> +static inline void klp_pre_unpatch_callback(struct klp_object *obj)
> +{
> + if (obj->callbacks.pre_unpatch)
> + (*obj->callbacks.pre_unpatch)(obj);
> +}
> +
> +/**
> + * klp_post_unpatch_callback() - execute after klp_object is unpatched,
> + * all code has been restored and no tasks
> + * are running patched code
> + * @obj: invoke callback for this klp_object
> + *
> + * Callers should ensure obj->patched is *not* set.
> + */
> +static inline void klp_post_unpatch_callback(struct klp_object *obj)
> +{
> + if (obj->callbacks.post_unpatch)
> + (*obj->callbacks.post_unpatch)(obj);
> +}
I guess that we do not want to make these function usable
outside livepatch code. Thefore these inliners should go
to kernel/livepatch/core.h or so.
> +
> int klp_register_patch(struct klp_patch *);
> int klp_unregister_patch(struct klp_patch *);
> int klp_enable_patch(struct klp_patch *);
> diff --git a/kernel/livepatch/core.c b/kernel/livepatch/core.c
> index b9628e43c78f..ddb23e18a357 100644
> --- a/kernel/livepatch/core.c
> +++ b/kernel/livepatch/core.c
> @@ -878,6 +890,8 @@ int klp_module_coming(struct module *mod)
> goto err;
> }
>
> + klp_post_patch_callback(obj);
This should be called only if (patch != klp_transition_patch).
Otherwise, it would be called too early.
> +
> break;
> }
> }
> @@ -929,7 +943,10 @@ void klp_module_going(struct module *mod)
> if (patch->enabled || patch == klp_transition_patch) {
> pr_notice("reverting patch '%s' on unloading
> module '%s'\n",
> patch->mod->name, obj->mod->name);
> +
> + klp_pre_unpatch_callback(obj);
Also the pre_unpatch() callback should be called only
if (patch != klp_transition_patch). Otherwise, it should have
already been called. It is not the current case but see below.
> klp_unpatch_object(obj);
> + klp_post_unpatch_callback(obj);
> }
>
> klp_free_object_loaded(obj);
> diff --git a/kernel/livepatch/patch.c b/kernel/livepatch/patch.c
> index 52c4e907c14b..0eed0df6e6d9 100644
> --- a/kernel/livepatch/patch.c
> +++ b/kernel/livepatch/patch.c
> @@ -257,6 +257,7 @@ int klp_patch_object(struct klp_object *obj)
> klp_for_each_func(obj, func) {
> ret = klp_patch_func(func);
> if (ret) {
> + klp_pre_unpatch_callback(obj);
This looks strange (somehow asymetric). IMHO, it should not be
needed. klp_pre_unpatch_callback() should revert changes done
by klp_post_patch_callback() that has not run yet.
> klp_unpatch_object(obj);
> return ret;
> }
> @@ -271,6 +272,8 @@ void klp_unpatch_o
Re: [PATCH] KVM/x86: Increase max vcpu number to 352
On Tue, Aug 15, 2017 at 06:13:29PM +0200, Radim Krčmář wrote: > (Missed this mail before my last reply.) > > 2017-08-15 10:10-0400, Konrad Rzeszutek Wilk: > > On Tue, Aug 15, 2017 at 11:00:04AM +0800, Lan Tianyu wrote: > > > On 2017年08月12日 03:35, Konrad Rzeszutek Wilk wrote: > > > > Migration with 352 CPUs all being busy dirtying memory and also poking > > > > at various I/O ports (say all of them dirtying the VGA) is no problem? > > > > > > This depends on what kind of workload is running during migration. I > > > think this may affect service down time since there maybe a lot of dirty > > > memory data to transfer after stopping vcpus. This also depends on how > > > user sets "migrate_set_downtime" for qemu. But I think increasing vcpus > > > will break migration function. > > > > OK, so let me take a step back. > > > > I see this nice 'supported' CPU count that is exposed in kvm module. > > > > Then there is QEMU throwing out a warning if you crank up the CPU count > > above that number. > > I find the range between "recommended max" and "hard max" VCPU count > confusing at best ... IIUC, it was there because KVM internals had > problems with scaling and we will hit more in the future because some > loops still are linear on VCPU count. Is that documented somewhere? There are some folks would be interested in looking at that if it was known what exactly to look for.. > > The exposed value doesn't say whether migration will work, because that > is a userspace thing and we're not aware of bottlenecks on the KVM side. > > > Red Hat's web-pages talk about CPU count as well. > > > > And I am assuming all of those are around what has been tested and > > what has shown to work. And one of those test-cases surely must > > be migration. > > Right, Red Hat will only allow/support what it has tested, even if > upstream has a practically unlimited count. I think the upstream number > used to be raised by Red Hat, which is why upstream isn't at the hard > implementation limit ... Aim for the sky! Perhaps then lets crank it up to 4096 upstream and let each vendor/distro/cloud decide the right number based on their testing. And also have more folks report issues as they try running say running these huge vCPU guests? > > > Ergo, if the vCPU count increase will break migration, then it is > > a regression. > > Raising the limit would not break existing guests, but I would rather > avoid adding higher VCPU count as a feature that disables migration. > > > Or a fix/work needs to be done to support a higher CPU count for > > migrating? > > Post-copy migration should handle higher CPU count and it is the default > fallback on QEMU. Asking the question on a userspace list would yield > better answers, though. > > Thanks.
[PATCH 3.16 026/134] ath9k_htc: fix NULL-deref at probe
3.16.47-rc1 review patch. If anyone has any objections, please let me know.
--
From: Johan Hovold
commit ebeb36670ecac36c179b5fb5d5c88ff03ba191ec upstream.
Make sure to check the number of endpoints to avoid dereferencing a
NULL-pointer or accessing memory beyond the endpoint array should a
malicious device lack the expected endpoints.
Fixes: 36bcce430657 ("ath9k_htc: Handle storage devices")
Signed-off-by: Johan Hovold
Signed-off-by: Kalle Valo
Signed-off-by: Ben Hutchings
---
drivers/net/wireless/ath/ath9k/hif_usb.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/net/wireless/ath/ath9k/hif_usb.c
+++ b/drivers/net/wireless/ath/ath9k/hif_usb.c
@@ -1145,6 +1145,9 @@ static int send_eject_command(struct usb
u8 bulk_out_ep;
int r;
+ if (iface_desc->desc.bNumEndpoints < 2)
+ return -ENODEV;
+
/* Find bulk out endpoint */
for (r = 1; r >= 0; r--) {
endpoint = &iface_desc->endpoint[r].desc;
[PATCH 3.16 017/134] staging: iio: tsl2x7x_core: Fix standard deviation calculation
3.16.47-rc1 review patch. If anyone has any objections, please let me know.
--
From: Eva Rachel Retuya
commit cf6c77323a96fc40309cc8a4921ef206cccdd961 upstream.
Standard deviation is calculated as the square root of the variance
where variance is the mean of sample_sum and length. Correct the
computation of statP->stddev in accordance to the proper calculation.
Fixes: 3c97c08b5735 ("staging: iio: add TAOS tsl2x7x driver")
Reported-by: Abhiram Balasubramanian
Signed-off-by: Eva Rachel Retuya
Signed-off-by: Jonathan Cameron
Signed-off-by: Ben Hutchings
---
drivers/staging/iio/light/tsl2x7x_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/staging/iio/light/tsl2x7x_core.c
+++ b/drivers/staging/iio/light/tsl2x7x_core.c
@@ -849,7 +849,7 @@ void tsl2x7x_prox_calculate(int *data, i
tmp = data[i] - statP->mean;
sample_sum += tmp * tmp;
}
- statP->stddev = int_sqrt((long)sample_sum)/length;
+ statP->stddev = int_sqrt((long)sample_sum / length);
}
/**
[PATCH 3.16 023/134] pinctrl: sh-pfc: r8a7791: Fix IPSR comment typos
3.16.47-rc1 review patch. If anyone has any objections, please let me know.
--
From: Sergei Shtylyov
commit 0cbdc11482d72ad164e33ef7cc57b01e8b61e40d upstream.
The IPSR field names in the comments have been fat-fingered in a couple
places -- fix those silly typos...
Fixes: 508845196238 ("pinctrl: sh-pfc: r8a7791 PFC support")
Signed-off-by: Sergei Shtylyov
Signed-off-by: Geert Uytterhoeven
Signed-off-by: Ben Hutchings
---
drivers/pinctrl/sh-pfc/pfc-r8a7791.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/pinctrl/sh-pfc/pfc-r8a7791.c
+++ b/drivers/pinctrl/sh-pfc/pfc-r8a7791.c
@@ -4960,7 +4960,7 @@ static const struct pinmux_cfg_reg pinmu
},
{ PINMUX_CFG_REG_VAR("IPSR2", 0xE6060028, 32,
2, 3, 2, 2, 2, 2, 3, 3, 3, 3, 2, 2, 3) {
- /* IP2_31_20 [2] */
+ /* IP2_31_30 [2] */
0, 0, 0, 0,
/* IP2_29_27 [3] */
FN_EX_CS3_N, FN_ATADIR0_N, FN_MSIOF2_TXD,
@@ -4980,7 +4980,7 @@ static const struct pinmux_cfg_reg pinmu
/* IP2_15_13 [3] */
FN_A24, FN_DREQ2, FN_IO3, FN_TX1, FN_SCIFA1_TXD,
0, 0, 0,
- /* IP2_12_0 [3] */
+ /* IP2_12_10 [3] */
FN_A23, FN_IO2, FN_BPFCLK_B, FN_RX0, FN_SCIFA0_RXD,
0, 0, 0,
/* IP2_9_7 [3] */
@@ -5291,7 +5291,7 @@ static const struct pinmux_cfg_reg pinmu
/* IP10_24_22 [3] */
FN_VI0_R1, FN_VI2_DATA2, FN_GLO_I1_B, FN_TS_SCK0_C, FN_ATAG1_N,
0, 0, 0,
- /* IP10_21_29 [3] */
+ /* IP10_21_19 [3] */
FN_VI0_R0, FN_VI2_DATA1, FN_GLO_I0_B,
FN_TS_SDATA0_C, FN_ATACS11_N,
0, 0, 0,
[PATCH 3.16 020/134] pinctrl: sh-pfc: r8a7791: Add missing HSCIF1 pinmux data
3.16.47-rc1 review patch. If anyone has any objections, please let me know.
--
From: Sergei Shtylyov
commit da7a692fbbab07f4e9798b5b52798f6e3256dd8f upstream.
The R8A7791 PFC driver was apparently based on the preliminary revisions
of the user's manual, which omitted the HSCIF1 group E signals in the
IPSR4 register description. This would cause HSCIF1's probe to fail with
the messages like below:
sh-pfc e606.pfc: cannot locate data/mark enum_id for mark 1989
sh-sci e62c8000.serial: Error applying setting, reverse things back
sh-sci: probe of e62c8000.serial failed with error -22
Add the neceassary PINMUX_IPSR_MSEL() invocations for the HSCK1_E,
HCTS1#_E, and HRTS1#_E signals...
Fixes: 508845196238 ("pinctrl: sh-pfc: r8a7791 PFC support")
Signed-off-by: Sergei Shtylyov
Signed-off-by: Geert Uytterhoeven
[bwh: Backported to 3.16:
- Use PINMUX_IPSR_MODSEL_DATA() instead of PINMUX_IPSR_MSEL()
- Adjust context]
Signed-off-by: Ben Hutchings
---
drivers/pinctrl/sh-pfc/pfc-r8a7791.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/pinctrl/sh-pfc/pfc-r8a7791.c
+++ b/drivers/pinctrl/sh-pfc/pfc-r8a7791.c
@@ -999,14 +999,17 @@ static const u16 pinmux_data[] = {
PINMUX_IPSR_MODSEL_DATA(IP4_12_10, SCL2, SEL_IIC2_0),
PINMUX_IPSR_MODSEL_DATA(IP4_12_10, GPS_CLK_B, SEL_GPS_1),
PINMUX_IPSR_MODSEL_DATA(IP4_12_10, GLO_Q0_D, SEL_GPS_3),
+ PINMUX_IPSR_MODSEL_DATA(IP4_12_10, HSCK1_E, SEL_HSCIF1_4),
PINMUX_IPSR_DATA(IP4_15_13, SSI_WS2),
PINMUX_IPSR_MODSEL_DATA(IP4_15_13, SDA2, SEL_IIC2_0),
PINMUX_IPSR_MODSEL_DATA(IP4_15_13, GPS_SIGN_B, SEL_GPS_1),
PINMUX_IPSR_MODSEL_DATA(IP4_15_13, RX2_E, SEL_SCIF2_4),
PINMUX_IPSR_MODSEL_DATA(IP4_15_13, GLO_Q1_D, SEL_GPS_3),
+ PINMUX_IPSR_MODSEL_DATA(IP4_15_13, HCTS1_N_E, SEL_HSCIF1_4),
PINMUX_IPSR_DATA(IP4_18_16, SSI_SDATA2),
PINMUX_IPSR_MODSEL_DATA(IP4_18_16, GPS_MAG_B, SEL_GPS_1),
PINMUX_IPSR_MODSEL_DATA(IP4_18_16, TX2_E, SEL_SCIF2_4),
+ PINMUX_IPSR_MODSEL_DATA(IP4_18_16, HRTS1_N_E, SEL_HSCIF1_4),
PINMUX_IPSR_DATA(IP4_19, SSI_SCK34),
PINMUX_IPSR_DATA(IP4_20, SSI_WS34),
PINMUX_IPSR_DATA(IP4_21, SSI_SDATA3),
[PATCH 3.16 021/134] pinctrl: sh-pfc: r8a7791: Add missing DVC_MUTE signal
3.16.47-rc1 review patch. If anyone has any objections, please let me know.
--
From: Sergei Shtylyov
commit 3908632fb829d73317c64c3d04f584b49f62e4ae upstream.
The R8A7791 PFC driver was apparently based on the preliminary revisions
of the user's manual, which omitted the DVC_MUTE signal altogether in
the PFC section. The modern manual has the signal described, so just add
the necassary data to the driver...
Fixes: 508845196238 ("pinctrl: sh-pfc: r8a7791 PFC support")
Signed-off-by: Sergei Shtylyov
Signed-off-by: Geert Uytterhoeven
[bwh: Backported to 3.16:
- Use PINMUX_IPSR_DATA() instead of PINMUX_IPSR_GPSR()
- Adjust context]
Signed-off-by: Ben Hutchings
---
drivers/pinctrl/sh-pfc/pfc-r8a7791.c | 7 ---
1 file changed, 4 insertions(+), 3 deletions(-)
--- a/drivers/pinctrl/sh-pfc/pfc-r8a7791.c
+++ b/drivers/pinctrl/sh-pfc/pfc-r8a7791.c
@@ -192,7 +192,7 @@ enum {
/* IPSR6 */
FN_AUDIO_CLKB, FN_STP_OPWM_0_B, FN_MSIOF1_SCK_B,
- FN_SCIF_CLK, FN_BPFCLK_E,
+ FN_SCIF_CLK, FN_DVC_MUTE, FN_BPFCLK_E,
FN_AUDIO_CLKC, FN_SCIFB0_SCK_C, FN_MSIOF1_SYNC_B, FN_RX2,
FN_SCIFA2_RXD, FN_FMIN_E,
FN_AUDIO_CLKOUT, FN_MSIOF1_SS1_B, FN_TX2, FN_SCIFA2_TXD,
@@ -562,7 +562,7 @@ enum {
/* IPSR6 */
AUDIO_CLKB_MARK, STP_OPWM_0_B_MARK, MSIOF1_SCK_B_MARK,
- SCIF_CLK_MARK, BPFCLK_E_MARK,
+ SCIF_CLK_MARK, DVC_MUTE_MARK, BPFCLK_E_MARK,
AUDIO_CLKC_MARK, SCIFB0_SCK_C_MARK, MSIOF1_SYNC_B_MARK, RX2_MARK,
SCIFA2_RXD_MARK, FMIN_E_MARK,
AUDIO_CLKOUT_MARK, MSIOF1_SS1_B_MARK, TX2_MARK, SCIFA2_TXD_MARK,
@@ -1082,6 +1082,7 @@ static const u16 pinmux_data[] = {
PINMUX_IPSR_MODSEL_DATA(IP6_2_0, STP_OPWM_0_B, SEL_SSP_1),
PINMUX_IPSR_MODSEL_DATA(IP6_2_0, MSIOF1_SCK_B, SEL_SOF1_1),
PINMUX_IPSR_MODSEL_DATA(IP6_2_0, SCIF_CLK, SEL_SCIF_0),
+ PINMUX_IPSR_DATA(IP6_2_0, DVC_MUTE),
PINMUX_IPSR_MODSEL_DATA(IP6_2_0, BPFCLK_E, SEL_FM_4),
PINMUX_IPSR_DATA(IP6_5_3, AUDIO_CLKC),
PINMUX_IPSR_MODSEL_DATA(IP6_5_3, SCIFB0_SCK_C, SEL_SCIFB_2),
@@ -5148,7 +5149,7 @@ static const struct pinmux_cfg_reg pinmu
0, 0,
/* IP6_2_0 [3] */
FN_AUDIO_CLKB, FN_STP_OPWM_0_B, FN_MSIOF1_SCK_B,
- FN_SCIF_CLK, 0, FN_BPFCLK_E,
+ FN_SCIF_CLK, FN_DVC_MUTE, FN_BPFCLK_E,
0, 0, }
},
{ PINMUX_CFG_REG_VAR("IPSR7", 0xE606003C, 32,
[PATCH 3.16 016/134] [media] mceusb: fix NULL-deref at probe
3.16.47-rc1 review patch. If anyone has any objections, please let me know.
--
From: Johan Hovold
commit 03eb2a557ed552e920a0942b774aaf931596eec1 upstream.
Make sure to check for the required out endpoint to avoid dereferencing
a NULL-pointer in mce_request_packet should a malicious device lack such
an endpoint. Note that this path is hit during probe.
Fixes: 66e89522aff7 ("V4L/DVB: IR: add mceusb IR receiver driver")
Signed-off-by: Johan Hovold
Signed-off-by: Sean Young
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Ben Hutchings
---
drivers/media/rc/mceusb.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/media/rc/mceusb.c
+++ b/drivers/media/rc/mceusb.c
@@ -1299,8 +1299,8 @@ static int mceusb_dev_probe(struct usb_i
}
}
}
- if (ep_in == NULL) {
- dev_dbg(&intf->dev, "inbound and/or endpoint not found");
+ if (!ep_in || !ep_out) {
+ dev_dbg(&intf->dev, "required endpoints not found\n");
return -ENODEV;
}
[PATCH 3.16 018/134] USB: Proper handling of Race Condition when two USB class drivers try to call init_usb_class simultaneously
3.16.47-rc1 review patch. If anyone has any objections, please let me know.
--
From: Ajay Kaher
commit 2f86a96be0ccb1302b7eee7855dbee5ce4dc5dfb upstream.
There is race condition when two USB class drivers try to call
init_usb_class at the same time and leads to crash.
code path: probe->usb_register_dev->init_usb_class
To solve this, mutex locking has been added in init_usb_class() and
destroy_usb_class().
As pointed by Alan, removed "if (usb_class)" test from destroy_usb_class()
because usb_class can never be NULL there.
Signed-off-by: Ajay Kaher
Acked-by: Alan Stern
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Ben Hutchings
---
drivers/usb/core/file.c | 9 +++--
1 file changed, 7 insertions(+), 2 deletions(-)
--- a/drivers/usb/core/file.c
+++ b/drivers/usb/core/file.c
@@ -26,6 +26,7 @@
#define MAX_USB_MINORS 256
static const struct file_operations *usb_minors[MAX_USB_MINORS];
static DECLARE_RWSEM(minor_rwsem);
+static DEFINE_MUTEX(init_usb_class_mutex);
static int usb_open(struct inode *inode, struct file *file)
{
@@ -108,8 +109,9 @@ static void release_usb_class(struct kre
static void destroy_usb_class(void)
{
- if (usb_class)
- kref_put(&usb_class->kref, release_usb_class);
+ mutex_lock(&init_usb_class_mutex);
+ kref_put(&usb_class->kref, release_usb_class);
+ mutex_unlock(&init_usb_class_mutex);
}
int usb_major_init(void)
@@ -171,7 +173,10 @@ int usb_register_dev(struct usb_interfac
if (intf->minor >= 0)
return -EADDRINUSE;
+ mutex_lock(&init_usb_class_mutex);
retval = init_usb_class();
+ mutex_unlock(&init_usb_class_mutex);
+
if (retval)
return retval;
[PATCH 3.16 019/134] cdc-acm: fix possible invalid access when processing notification
3.16.47-rc1 review patch. If anyone has any objections, please let me know.
--
From: Tobias Herzog
commit 1bb9914e1730417d530de9ed37e59efdc647146b upstream.
Notifications may only be 8 bytes long. Accessing the 9th and
10th byte of unimplemented/unknown notifications may be insecure.
Also check the length of known notifications before accessing anything
behind the 8th byte.
Signed-off-by: Tobias Herzog
Acked-by: Oliver Neukum
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Ben Hutchings
---
drivers/usb/class/cdc-acm.c | 13 +
1 file changed, 9 insertions(+), 4 deletions(-)
--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -312,6 +312,12 @@ static void acm_ctrl_irq(struct urb *urb
break;
case USB_CDC_NOTIFY_SERIAL_STATE:
+ if (le16_to_cpu(dr->wLength) != 2) {
+ dev_dbg(&acm->control->dev,
+ "%s - malformed serial state\n", __func__);
+ break;
+ }
+
newctrl = get_unaligned_le16(data);
if (!acm->clocal && (acm->ctrlin & ~newctrl & ACM_CTRL_DCD)) {
@@ -348,11 +354,10 @@ static void acm_ctrl_irq(struct urb *urb
default:
dev_dbg(&acm->control->dev,
- "%s - unknown notification %d received: index %d "
- "len %d data0 %d data1 %d\n",
+ "%s - unknown notification %d received: index %d len
%d\n",
__func__,
- dr->bNotificationType, dr->wIndex,
- dr->wLength, data[0], data[1]);
+ dr->bNotificationType, dr->wIndex, dr->wLength);
+
break;
}
exit:
[PATCH 3.2 30/59] PCI: Freeze PME scan before suspending devices
3.2.92-rc1 review patch. If anyone has any objections, please let me know.
--
From: Lukas Wunner
commit ea00353f36b64375518662a8ad15e39218a1f324 upstream.
Laurent Pinchart reported that the Renesas R-Car H2 Lager board (r8a7790)
crashes during suspend tests. Geert Uytterhoeven managed to reproduce the
issue on an M2-W Koelsch board (r8a7791):
It occurs when the PME scan runs, once per second. During PME scan, the
PCI host bridge (rcar-pci) registers are accessed while its module clock
has already been disabled, leading to the crash.
One reproducer is to configure s2ram to use "s2idle" instead of "deep"
suspend:
# echo 0 > /sys/module/printk/parameters/console_suspend
# echo s2idle > /sys/power/mem_sleep
# echo mem > /sys/power/state
Another reproducer is to write either "platform" or "processors" to
/sys/power/pm_test. It does not (or is less likely) to happen during full
system suspend ("core" or "none") because system suspend also disables
timers, and thus the workqueue handling PME scans no longer runs. Geert
believes the issue may still happen in the small window between disabling
module clocks and disabling timers:
# echo 0 > /sys/module/printk/parameters/console_suspend
# echo platform > /sys/power/pm_test# Or "processors"
# echo mem > /sys/power/state
(Make sure CONFIG_PCI_RCAR_GEN2 and CONFIG_USB_OHCI_HCD_PCI are enabled.)
Rafael Wysocki agrees that PME scans should be suspended before the host
bridge registers become inaccessible. To that end, queue the task on a
workqueue that gets frozen before devices suspend.
Rafael notes however that as a result, some wakeup events may be missed if
they are delivered via PME from a device without working IRQ (which hence
must be polled) and occur after the workqueue has been frozen. If that
turns out to be an issue in practice, it may be possible to solve it by
calling pci_pme_list_scan() once directly from one of the host bridge's
pm_ops callbacks.
Stacktrace for posterity:
PM: Syncing filesystems ... [ 38.566237] done.
PM: Preparing system for sleep (mem)
Freezing user space processes ... [ 38.579813] (elapsed 0.001 seconds) done.
Freezing remaining freezable tasks ... (elapsed 0.001 seconds) done.
PM: Suspending system (mem)
PM: suspend of devices complete after 152.456 msecs
PM: late suspend of devices complete after 2.809 msecs
PM: noirq suspend of devices complete after 29.863 msecs
suspend debug: Waiting for 5 second(s).
Unhandled fault: asynchronous external abort (0x1211) at 0x
pgd = c0003000
[] *pgd=8040004003, *pmd=
Internal error: : 1211 [#1] SMP ARM
Modules linked in:
CPU: 1 PID: 20 Comm: kworker/1:1 Not tainted
4.9.0-rc1-koelsch-00011-g68db9bc814362e7f #3383
Hardware name: Generic R8A7791 (Flattened Device Tree)
Workqueue: events pci_pme_list_scan
task: eb56e140 task.stack: eb58e000
PC is at pci_generic_config_read+0x64/0x6c
LR is at rcar_pci_cfg_base+0x64/0x84
pc : []lr : []psr: 600d0093
sp : eb58fe98 ip : c041d750 fp : 0008
r10: c0e2283c r9 : r8 : 600d0013
r7 : 0008 r6 : eb58fed6 r5 : 0002 r4 : eb58feb4
r3 : r2 : 0044 r1 : 0008 r0 :
Flags: nZCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment user
Control: 30c5387d Table: 6a9f6c80 DAC:
Process kworker/1:1 (pid: 20, stack limit = 0xeb58e210)
Stack: (0xeb58fe98 to 0xeb59)
fe80: 0002 0044
fea0: eb6f5800 c041d9b0 eb58feb4 0008 0044 eb78a000 eb78a000
fec0: 0044 eb9aff00 c0424bf0 eb78a000 eb78a000 c0e22830
fee0: ea8a6fc0 c0424c5c eaae79c0 c0424ce0 eb55f380 c0e22838 eb9a9800 c0235fbc
ff00: eb55f380 c0e22838 eb55f380 eb9a9800 eb9a9800 eb58e000 eb9a9824 c0e02100
ff20: eb55f398 c02366c4 eb56e140 eb5631c0 eb55f380 c023641c
ff40: c023a928 cd105598 40506a34 eb55f380
ff60: dead4ead eb58ff74 eb58ff74
ff80: dead4ead eb58ff90 eb58ff90 eb58ffac eb5631c0
ffa0: c023a844 c0206d68
ffc0:
ffe0: 0013 3a81336c 10ccd1dd
[] (pci_generic_config_read) from []
(pci_bus_read_config_word+0x58/0x80)
[] (pci_bus_read_config_word) from []
(pci_check_pme_status+0x34/0x78)
[] (pci_check_pme_status) from []
(pci_pme_wakeup+0x28/0x54)
[] (pci_pme_wakeup) from [] (pci_pme_list_scan+0x58/0xb4)
[] (pci_pme_list_scan) from []
(process_one_work+0x1bc/0x308)
[] (process_one_work) from [] (worker_thread+0x2a8/0x3e0)
[] (worker_thread) from [] (kthread+0xe4/0xfc)
[] (kthread) from [] (ret_from_fork+0x14/0x2c)
Code: ea00 e5903000 f57ff04f e3a0 (e5843000)
---[ e
[PATCH v11 0/6] Add RAS virtualization support for armv8 SEA and SEI
In the armv8 platform, the mainly processor hardware error notification
type are synchronous external abort(SEA) and SError Interrupt (SEI), For
the ARMv8 SEA/SEI, KVM or host kernel will deliver SIGBUS or use other
interface to notify user space. After user space gets the notification,
it will record the CPER to simulate GHES for guest OS and inject the a
exception(SEA/SEI) to KVM.
This series patch has two parts, one part handles synchronous external
abort(SEA) exception and SError Interrupt (SEI) exception; another part
is generating APEI table when guest OS boot up, and dynamically record
CPER for the guest OS about the generic hardware errors. Currently the
userspace only handles the memory section hardware errors. Before Qemu
record the CPER, it needs to check the ACK value written by the guest
OS to avoid read-write race condition. In the simulated APEI/GHESV2/CPER
table, the max number of error soure is 11, which is classified by
notification type, now only enable the SEA/SEI notification type error
source to avoid OS boot warning.
About the whole solution we ever discuessed it in here before:
https://patchwork.kernel.org/patch/9633105/
Below is the APEI/GHESV2/CPER table layout, the max number of error soure is 11:
etc/acpi/tables etc/hardware_errors
==
+ +--++--+
| | HEST ||address |
+--+
| +--+|registers | |
Error Status |
| | GHES0|| ++ |
Data Block 0 |
| +--+ +->| |status_address0 |->|
++
| | .| | | ++ | |
CPER |
| | error_status_address-+-+ +--->| |status_address1 |--+ | |
CPER |
| | .| || ++ | | |
|
| | read_ack_register+-+ || . | | | |
CPER |
| | read_ack_preserve| | |+--+ | |
++
| | read_ack_write | | | +->| |status_address10|+ | |
Error Status |
+ +--+ | | | | ++| | |
Data Block 1 |
| | GHES1| +-+-+->| | ack_value0 || +-->|
++
+ +--+ | | | ++| | |
CPER |
| | .| | | +--->| | ack_value1 || | |
CPER |
| | error_status_address-+---+ | || ++| | |
|
| | .| | || | . || | |
CPER |
| | read_ack_register+-+-+| ++|
+-++
| | read_ack_preserve| | +->| | ack_value10|| |
|.. |
| | read_ack_write | | | | ++| |
++
+ +--| | | | |
Error Status |
| | ... | | | | |
Data Block 10|
+ +--+ | | +>|
++
| | GHES10 | | || |
CPER |
+ +--+ | || |
CPER |
| | .| | || |
|
| | error_status_address-+-+ || |
CPER |
| | .| |
+-++
| | read_ack_register+-+
| | read_ack_preserve|
| | read_ack_write |
+ +--+
--
How to test guest OS do SEA/SEI recovery:
1. In the guest OS, trigger a SEA or SEI.
2. Then you will see below error log that printed by the memory failure
3. Memory failure will do the recovery for the error.
Such as the below shown kernel log:
[ 21.101216] Synchronous External Abort: synchronous external abort
(0x9610) at 0xff8008064018
[ 21.104969] {1}[Hardware Error]: Hardware error from APEI Generic Hardware
Error Source: 8
[ 21.106918] {1}[Hardware Error]: event severity: recoverable
[ 21.109027] {1}[Hardware Error]: Error 0, type: recoverable
[ 21.110362] {1}[Hardware Error]: section_type: memory error
[ 21.111705] {1}[Hardware Error]: physical_address: 0x7a20
[ 21.113255] {1}[Hardware Error]: e
