[PATCH 3.16 010/204] uwb: ensure that endpoint is interrupt
3.16.52-rc1 review patch. If anyone has any objections, please let me know. -- From: Andrey Konovalov commit 70e743e4cec3733dc13559f6184b35d358b9ef3f upstream. hwarc_neep_init() assumes that endpoint 0 is interrupt, but there's no check for that, which results in a WARNING in USB core code, when a bad USB descriptor is provided from a device: usb 1-1: BOGUS urb xfer, pipe 1 != type 3 [ cut here ] WARNING: CPU: 0 PID: 3 at drivers/usb/core/urb.c:449 usb_submit_urb+0xf8a/0x11d0 Modules linked in: CPU: 0 PID: 3 Comm: kworker/0:0 Not tainted 4.13.0+ #111 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 Workqueue: usb_hub_wq hub_event task: 88006bdc1a00 task.stack: 88006bde8000 RIP: 0010:usb_submit_urb+0xf8a/0x11d0 drivers/usb/core/urb.c:448 RSP: 0018:88006bdee3c0 EFLAGS: 00010282 RAX: 0029 RBX: 8800672a7200 RCX: RDX: 0029 RSI: 88006c815c78 RDI: ed000d7bdc6a RBP: 88006bdee4c0 R08: fbfff0fe00ff R09: fbfff0fe00ff R10: 0018 R11: fbfff0fe00fe R12: 11000d7bdc7f R13: 0003 R14: 0001 R15: 88006b02cc90 FS: () GS:88006c80() knlGS: CS: 0010 DS: ES: CR0: 80050033 CR2: 7fe4daddf000 CR3: 6add6000 CR4: 06f0 Call Trace: hwarc_neep_init+0x4ce/0x9c0 drivers/uwb/hwa-rc.c:710 uwb_rc_add+0x2fb/0x730 drivers/uwb/lc-rc.c:361 hwarc_probe+0x34e/0x9b0 drivers/uwb/hwa-rc.c:858 usb_probe_interface+0x351/0x8d0 drivers/usb/core/driver.c:361 really_probe drivers/base/dd.c:385 driver_probe_device+0x610/0xa00 drivers/base/dd.c:529 __device_attach_driver+0x230/0x290 drivers/base/dd.c:625 bus_for_each_drv+0x15e/0x210 drivers/base/bus.c:463 __device_attach+0x269/0x3c0 drivers/base/dd.c:682 device_initial_probe+0x1f/0x30 drivers/base/dd.c:729 bus_probe_device+0x1da/0x280 drivers/base/bus.c:523 device_add+0xcf9/0x1640 drivers/base/core.c:1703 usb_set_configuration+0x1064/0x1890 drivers/usb/core/message.c:1932 generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174 usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266 really_probe drivers/base/dd.c:385 driver_probe_device+0x610/0xa00 drivers/base/dd.c:529 __device_attach_driver+0x230/0x290 drivers/base/dd.c:625 bus_for_each_drv+0x15e/0x210 drivers/base/bus.c:463 __device_attach+0x269/0x3c0 drivers/base/dd.c:682 device_initial_probe+0x1f/0x30 drivers/base/dd.c:729 bus_probe_device+0x1da/0x280 drivers/base/bus.c:523 device_add+0xcf9/0x1640 drivers/base/core.c:1703 usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457 hub_port_connect drivers/usb/core/hub.c:4890 hub_port_connect_change drivers/usb/core/hub.c:4996 port_event drivers/usb/core/hub.c:5102 hub_event+0x23c8/0x37c0 drivers/usb/core/hub.c:5182 process_one_work+0x9fb/0x1570 kernel/workqueue.c:2097 worker_thread+0x1e4/0x1350 kernel/workqueue.c:2231 kthread+0x324/0x3f0 kernel/kthread.c:231 ret_from_fork+0x25/0x30 arch/x86/entry/entry_64.S:425 Code: 48 8b 85 30 ff ff ff 48 8d b8 98 00 00 00 e8 8e 93 07 ff 45 89 e8 44 89 f1 4c 89 fa 48 89 c6 48 c7 c7 a0 e5 55 86 e8 20 08 8f fd <0f> ff e9 9b f7 ff ff e8 4a 04 d6 fd e9 80 f7 ff ff e8 60 11 a6 ---[ end trace 55d741234124cfc3 ]--- Check that endpoint is interrupt. Found by syzkaller. Signed-off-by: Andrey Konovalov Signed-off-by: Greg Kroah-Hartman Signed-off-by: Ben Hutchings --- drivers/uwb/hwa-rc.c | 2 ++ 1 file changed, 2 insertions(+) --- a/drivers/uwb/hwa-rc.c +++ b/drivers/uwb/hwa-rc.c @@ -827,6 +827,8 @@ static int hwarc_probe(struct usb_interf if (iface->cur_altsetting->desc.bNumEndpoints < 1) return -ENODEV; + if (!usb_endpoint_xfer_int(&iface->cur_altsetting->endpoint[0].desc)) + return -ENODEV; result = -ENOMEM; uwb_rc = uwb_rc_alloc();
[PATCH 3.16 128/204] usb: hub: Allow reset retry for USB2 devices on connect bounce
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Mathias Nyman
commit 1ac7db6db1eeff901bfd6bbcd502b4634fa4 upstream.
If the connect status change is set during reset signaling, but
the status remains connected just retry port reset.
This solves an issue with connecting a 90W HP Thunderbolt 3 dock
with a Lenovo Carbon x1 (5th generation) which causes a 30min loop
of a high speed device being re-discovererd before usb ports starts
working.
[...]
[ 389.023845] usb 3-1: new high-speed USB device number 55 using xhci_hcd
[ 389.491841] usb 3-1: new high-speed USB device number 56 using xhci_hcd
[ 389.959928] usb 3-1: new high-speed USB device number 57 using xhci_hcd
[...]
This is caused by a high speed device that doesn't successfully go to the
enabled state after the second port reset. Instead the connection bounces
(connected, with connect status change), bailing out completely from
enumeration just to restart from scratch.
Link: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1716332
Signed-off-by: Mathias Nyman
Acked-by: Alan Stern
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Ben Hutchings
---
drivers/usb/core/hub.c | 11 +++
1 file changed, 7 insertions(+), 4 deletions(-)
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -2625,13 +2625,16 @@ static int hub_port_wait_reset(struct us
if (!(portstatus & USB_PORT_STAT_CONNECTION))
return -ENOTCONN;
- /* bomb out completely if the connection bounced. A USB 3.0
-* connection may bounce if multiple warm resets were issued,
+ /* Retry if connect change is set but status is still connected.
+* A USB 3.0 connection may bounce if multiple warm resets were issued,
* but the device may have successfully re-connected. Ignore it.
*/
if (!hub_is_superspeed(hub->hdev) &&
- (portchange & USB_PORT_STAT_C_CONNECTION))
- return -ENOTCONN;
+ (portchange & USB_PORT_STAT_C_CONNECTION)) {
+ usb_clear_port_feature(hub->hdev, port1,
+ USB_PORT_FEAT_C_CONNECTION);
+ return -EAGAIN;
+ }
if (!(portstatus & USB_PORT_STAT_ENABLE))
return -EBUSY;
Re: [RFC PATCH v11 4/5] PCI / PM: Add support for the PCIe WAKE# signal for OF
On Thursday, December 28, 2017 5:51:34 PM CET Tony Lindgren wrote: > * Rafael J. Wysocki [171228 12:21]: > > On Thu, Dec 28, 2017 at 5:22 AM, Tony Lindgren wrote: > > > * Rafael J. Wysocki [171228 00:51]: > > >> On Wed, Dec 27, 2017 at 4:08 PM, Tony Lindgren wrote: > > >> > * Rafael J. Wysocki [171227 01:00]: > > >> >> On Tuesday, December 26, 2017 2:06:47 AM CET JeffyChen wrote: > > >> >> > Hi Rafael, > > >> >> > > > >> >> > Thanks for your reply :) > > >> >> > > > >> >> > On 12/26/2017 08:11 AM, Rafael J. Wysocki wrote: > > >> >> > >> >+ > > >> >> > >> >+ dn = pci_device_to_OF_node(ppdev); > > >> >> > >> >+ if (!dn) > > >> >> > >> >+ return 0; > > >> >> > >> >+ > > >> >> > >> >+ irq = of_irq_get_byname(dn, "wakeup"); > > >> >> > > Why is this a property of the bridge and not of the device itself? > > >> >> > > > >> >> > That is suggested by Brian, because in that way, the wakeup pin > > >> >> > would > > >> >> > not "tied to what exact device is installed (or no device, if it's > > >> >> > a slot)." > > >> >> > > >> >> But I don't think it works when there are two devices using different > > >> >> WAKE# > > >> >> interrupt lines under the same bridge. Or how does it work then? > > >> > > > >> > It won't work currently for multiple devices but adding more than > > >> > one wakeriq per device is doable. And I think we will have other > > >> > cases where multiple wakeirqs are connected to a single device, so > > >> > that issue should be sorted out sooner or later. > > >> > > > >> > And if requesting wakeirq for the PCI WAKE# lines at the PCI > > >> > controller does the job, then maybe that's all we need to start with. > > >> > > >> These are expected to be out-of-band, so not having anything to do > > >> with the Root Complex. > > >> > > >> In-band PME Messages go through the PCIe hierarchy, but that is a > > >> standard mechanism and it is supported already. > > >> > > >> WAKE# are platform-specific, pretty much by definition and I guess > > >> that on most ARM boards they are just going to be some kind of GPIO > > >> pins. > > > > > > OK. So probably supporting the following two configurations > > > should be enough then: > > > > > > 1. One or more WAKE# lines configured as a wakeirq for the PCI > > >controller > > > > > >When the wakeirq calls pm_wakeup_event() for the PCI controller > > >device driver, the PCI controller wakes up and can deal with > > >it's child devices > > > > But this shouldn't be necessary at all. Or if it is, I wonder why > > that's the case. > > Well Brian had a concern where we would have to implement PM runtime > for all device drivers for PCI devices. Why would we? > > I'm assuming that we're talking about PCI Express here, which has two > > wakeup mechanisms defined, one of which is based on using PME Messages > > (Beacon) and the second one is WAKE#: > > > > "The WAKE# mechanism uses sideband signaling to implement wakeup > > functionality. WAKE# is > > an “open drain” signal asserted by components requesting wakeup and > > observed by the associated > > power controller." > > > > (from PCIe Base Spec 3.0). [And there's a diagram showing the routing > > of WAKE# in two cases in Figure 5-4: Conceptual Diagrams Showing Two > > Example Cases of WAKE# Routing.] > > Thanks for the pointer, I had not seen that :) So the use cases > I was trying to describe above are similar to the wiring in the > PCIe Base Spec 3.0 "Figure 5-4" , but numbered the other way around. > > > Note that WAKE# is defined to be "observed by the associated power > > controller", so I'm not sure what the PCI controller's role in the > > handing of it is at all. > > To me it seems the "switch" part stays at least partially powered > and then in-band PME messages are used after host is woken up to > figure out which WAKE# triggered? Yes, that's my understanding too. > > > 2. Optionally a WAKE# line from a PCI device configured as wakeirq > > >for the PCI device driver > > > > > >In this case calling the PM runtime resume in the child > > >PCI device will also wake up the parent PCI controller, > > >and then the PCI controller can deal with it's children > > > > > > Seems like this series is pretty close to 1 above except > > > we need to have a list of wakeirqs per device instead of > > > just one. And option 2 should already work as long as the > > > PCI device driver parses and configures the wakeirq. > > > > Well, this is confusing, because as I said above, option 1 doesn't > > look relevant even. > > So isn't my option 1 above similar to the PCIe spec "Figure 5-4" > case 2? No, it isn't, because in that case there is no practical difference between WAKE# and an in-band PME message sent by the device (Beacon) from the software perspective. WAKE# causes the switch to send a PME message upstream and that is handled by the Root Complex through the standard mechanism already supported by our existing PME driver (drivers/
[PATCH 3.16 137/204] ipsec: Fix aborted xfrm policy dump crash
3.16.52-rc1 review patch. If anyone has any objections, please let me know. -- From: Ben Hutchings commit 1137b5e2529a8f5ca8ee709288ecba3e68044df2 upstream. This is a fix for CVE-2017-16939 suitable for older stable branches. The upstream fix is commit 1137b5e2529a8f5ca8ee709288ecba3e68044df2, from which the following explanation is taken: An independent security researcher, Mohamed Ghannam, has reported this vulnerability to Beyond Security's SecuriTeam Secure Disclosure program. The xfrm_dump_policy_done function expects xfrm_dump_policy to have been called at least once or it will crash. This can be triggered if a dump fails because the target socket's receive buffer is full. It was not possible to define a 'start' callback for netlink dumps until Linux 4.5, so instead add a check for the initialisation flag in the 'done' callback. Signed-off-by: Ben Hutchings --- --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c @@ -1570,7 +1570,8 @@ static int xfrm_dump_policy_done(struct struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *) &cb->args[1]; struct net *net = sock_net(cb->skb->sk); - xfrm_policy_walk_done(walk, net); + if (cb->args[0]) + xfrm_policy_walk_done(walk, net); return 0; }
[PATCH 3.16 177/204] MIPS: AR7: Ensure that serial ports are properly set up
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Oswald Buddenhagen
commit b084116f8587b222a2c5ef6dcd846f40f24b9420 upstream.
Without UPF_FIXED_TYPE, the data from the PORT_AR7 uart_config entry is
never copied, resulting in a dead port.
Fixes: 154615d55459 ("MIPS: AR7: Use correct UART port type")
Signed-off-by: Oswald Buddenhagen
[jonas.gorski: add Fixes tag]
Signed-off-by: Jonas Gorski
Reviewed-by: Florian Fainelli
Cc: Ralf Baechle
Cc: Greg Kroah-Hartman
Cc: Yoshihiro YUNOMAE
Cc: Nicolas Schichan
Cc: Oswald Buddenhagen
Cc: linux-m...@linux-mips.org
Cc: linux-ser...@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/17543/
Signed-off-by: James Hogan
Signed-off-by: Ben Hutchings
---
arch/mips/ar7/platform.c | 1 +
1 file changed, 1 insertion(+)
--- a/arch/mips/ar7/platform.c
+++ b/arch/mips/ar7/platform.c
@@ -581,6 +581,7 @@ static int __init ar7_register_uarts(voi
uart_port.type = PORT_AR7;
uart_port.uartclk = clk_get_rate(bus_clk) / 2;
uart_port.iotype= UPIO_MEM32;
+ uart_port.flags = UPF_FIXED_TYPE;
uart_port.regshift = 2;
uart_port.line = 0;
Re: [PATCH 0/4] Address error and recovery for AER and DPC
On Wed, Dec 27, 2017 at 02:20:18AM -0800, Oza Pawandeep wrote: > DPC should enumerate the devices after recovering the link, which is > achieved by implementing error_resume callback. Wouldn't that race with the link-up event that pciehp currently handles?
[PATCH 3.16 130/204] can: gs_usb: fix busy loop if no more TX context is available
3.16.52-rc1 review patch. If anyone has any objections, please let me know. -- From: Wolfgang Grandegger commit 97819f943063b622eca44d3644067c190dc75039 upstream. If sending messages with no cable connected, it quickly happens that there is no more TX context available. Then "gs_can_start_xmit()" returns with "NETDEV_TX_BUSY" and the upper layer does retry immediately keeping the CPU busy. To fix that issue, I moved "atomic_dec(&dev->active_tx_urbs)" from "gs_usb_xmit_callback()" to the TX done handling in "gs_usb_receive_bulk_callback()". Renaming "active_tx_urbs" to "active_tx_contexts" and moving it into "gs_[alloc|free]_tx_context()" would also make sense. Signed-off-by: Wolfgang Grandegger Signed-off-by: Marc Kleine-Budde Signed-off-by: Ben Hutchings --- drivers/net/can/usb/gs_usb.c | 10 ++ 1 file changed, 2 insertions(+), 8 deletions(-) --- a/drivers/net/can/usb/gs_usb.c +++ b/drivers/net/can/usb/gs_usb.c @@ -356,6 +356,8 @@ static void gs_usb_recieve_bulk_callback gs_free_tx_context(txc); + atomic_dec(&dev->active_tx_urbs); + netif_wake_queue(netdev); } @@ -444,14 +446,6 @@ static void gs_usb_xmit_callback(struct urb->transfer_buffer_length, urb->transfer_buffer, urb->transfer_dma); - - atomic_dec(&dev->active_tx_urbs); - - if (!netif_device_present(netdev)) - return; - - if (netif_queue_stopped(netdev)) - netif_wake_queue(netdev); } static netdev_tx_t gs_can_start_xmit(struct sk_buff *skb, struct net_device *netdev)
[PATCH 3.16 119/204] tun: call dev_get_valid_name() before register_netdevice()
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Cong Wang
commit 0ad646c81b2182f7fa67ec0c8c825e0ee165696d upstream.
register_netdevice() could fail early when we have an invalid
dev name, in which case ->ndo_uninit() is not called. For tun
device, this is a problem because a timer etc. are already
initialized and it expects ->ndo_uninit() to clean them up.
We could move these initializations into a ->ndo_init() so
that register_netdevice() knows better, however this is still
complicated due to the logic in tun_detach().
Therefore, I choose to just call dev_get_valid_name() before
register_netdevice(), which is quicker and much easier to audit.
And for this specific case, it is already enough.
Fixes: 96442e42429e ("tuntap: choose the txq based on rxq")
Reported-by: Dmitry Alexeev
Cc: Jason Wang
Cc: "Michael S. Tsirkin"
Signed-off-by: Cong Wang
Signed-off-by: David S. Miller
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings
---
drivers/net/tun.c | 3 +++
include/linux/netdevice.h | 3 +++
net/core/dev.c| 6 +++---
3 files changed, 9 insertions(+), 3 deletions(-)
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -1647,6 +1647,9 @@ static int tun_set_iff(struct net *net,
if (!dev)
return -ENOMEM;
+ err = dev_get_valid_name(net, dev, name);
+ if (err)
+ goto err_free_dev;
dev_net_set(dev, net);
dev->rtnl_link_ops = &tun_link_ops;
--- a/include/linux/netdevice.h
+++ b/include/linux/netdevice.h
@@ -3000,6 +3000,9 @@ void ether_setup(struct net_device *dev)
struct net_device *alloc_netdev_mqs(int sizeof_priv, const char *name,
void (*setup)(struct net_device *),
unsigned int txqs, unsigned int rxqs);
+int dev_get_valid_name(struct net *net, struct net_device *dev,
+ const char *name);
+
#define alloc_netdev(sizeof_priv, name, setup) \
alloc_netdev_mqs(sizeof_priv, name, setup, 1, 1)
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -1056,9 +1056,8 @@ static int dev_alloc_name_ns(struct net
return ret;
}
-static int dev_get_valid_name(struct net *net,
- struct net_device *dev,
- const char *name)
+int dev_get_valid_name(struct net *net, struct net_device *dev,
+ const char *name)
{
BUG_ON(!net);
@@ -1074,6 +1073,7 @@ static int dev_get_valid_name(struct net
return 0;
}
+EXPORT_SYMBOL(dev_get_valid_name);
/**
* dev_change_name - change name of a device
[PATCH 3.16 151/204] l2tp: hold tunnel in pppol2tp_connect()
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Guillaume Nault
commit f9e56baf03f9d36043a78f16e3e8b2cfd211e09e upstream.
Use l2tp_tunnel_get() in pppol2tp_connect() to ensure the tunnel isn't
going to disappear while processing the rest of the function.
Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp
parts")
Signed-off-by: Guillaume Nault
Signed-off-by: David S. Miller
Signed-off-by: Ben Hutchings
---
net/l2tp/l2tp_ppp.c | 7 ++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -603,6 +603,7 @@ static int pppol2tp_connect(struct socke
u32 tunnel_id, peer_tunnel_id;
u32 session_id, peer_session_id;
bool drop_refcnt = false;
+ bool drop_tunnel = false;
int ver = 2;
int fd;
@@ -671,7 +672,9 @@ static int pppol2tp_connect(struct socke
if (tunnel_id == 0)
goto end;
- tunnel = l2tp_tunnel_find(sock_net(sk), tunnel_id);
+ tunnel = l2tp_tunnel_get(sock_net(sk), tunnel_id);
+ if (tunnel)
+ drop_tunnel = true;
/* Special case: create tunnel context if session_id and
* peer_session_id is 0. Otherwise look up tunnel using supplied
@@ -800,6 +803,8 @@ out_no_ppp:
end:
if (drop_refcnt)
l2tp_session_dec_refcount(session);
+ if (drop_tunnel)
+ l2tp_tunnel_dec_refcount(tunnel);
release_sock(sk);
return error;
[PATCH 3.16 092/204] lsm: fix smack_inode_removexattr and xattr_getsecurity memleak
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Casey Schaufler
commit 57e7ba04d422c3d41c8426380303ec9b7533ded9 upstream.
security_inode_getsecurity() provides the text string value
of a security attribute. It does not provide a "secctx".
The code in xattr_getsecurity() that calls security_inode_getsecurity()
and then calls security_release_secctx() happened to work because
SElinux and Smack treat the attribute and the secctx the same way.
It fails for cap_inode_getsecurity(), because that module has no
secctx that ever needs releasing. It turns out that Smack is the
one that's doing things wrong by not allocating memory when instructed
to do so by the "alloc" parameter.
The fix is simple enough. Change the security_release_secctx() to
kfree() because it isn't a secctx being returned by
security_inode_getsecurity(). Change Smack to allocate the string when
told to do so.
Note: this also fixes memory leaks for LSMs which implement
inode_getsecurity but not release_secctx, such as capabilities.
Signed-off-by: Casey Schaufler
Reported-by: Konstantin Khlebnikov
Signed-off-by: James Morris
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings
---
fs/xattr.c | 2 +-
security/smack/smack_lsm.c | 55 +-
2 files changed, 26 insertions(+), 31 deletions(-)
--- a/fs/xattr.c
+++ b/fs/xattr.c
@@ -163,7 +163,7 @@ xattr_getsecurity(struct inode *inode, c
}
memcpy(value, buffer, len);
out:
- security_release_secctx(buffer, len);
+ kfree(buffer);
out_noalloc:
return len;
}
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -1060,7 +1060,7 @@ static int smack_inode_removexattr(struc
* @inode: the object
* @name: attribute name
* @buffer: where to put the result
- * @alloc: unused
+ * @alloc: duplicate memory
*
* Returns the size of the attribute or an error code
*/
@@ -1073,43 +1073,38 @@ static int smack_inode_getsecurity(const
struct super_block *sbp;
struct inode *ip = (struct inode *)inode;
char *isp;
- int ilen;
- int rc = 0;
- if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) {
+ if (strcmp(name, XATTR_SMACK_SUFFIX) == 0)
isp = smk_of_inode(inode);
- ilen = strlen(isp);
- *buffer = isp;
- return ilen;
+ else {
+ /*
+* The rest of the Smack xattrs are only on sockets.
+*/
+ sbp = ip->i_sb;
+ if (sbp->s_magic != SOCKFS_MAGIC)
+ return -EOPNOTSUPP;
+
+ sock = SOCKET_I(ip);
+ if (sock == NULL || sock->sk == NULL)
+ return -EOPNOTSUPP;
+
+ ssp = sock->sk->sk_security;
+
+ if (strcmp(name, XATTR_SMACK_IPIN) == 0)
+ isp = ssp->smk_in->smk_known;
+ else if (strcmp(name, XATTR_SMACK_IPOUT) == 0)
+ isp = ssp->smk_out->smk_known;
+ else
+ return -EOPNOTSUPP;
}
- /*
-* The rest of the Smack xattrs are only on sockets.
-*/
- sbp = ip->i_sb;
- if (sbp->s_magic != SOCKFS_MAGIC)
- return -EOPNOTSUPP;
-
- sock = SOCKET_I(ip);
- if (sock == NULL || sock->sk == NULL)
- return -EOPNOTSUPP;
-
- ssp = sock->sk->sk_security;
-
- if (strcmp(name, XATTR_SMACK_IPIN) == 0)
- isp = ssp->smk_in->smk_known;
- else if (strcmp(name, XATTR_SMACK_IPOUT) == 0)
- isp = ssp->smk_out->smk_known;
- else
- return -EOPNOTSUPP;
-
- ilen = strlen(isp);
- if (rc == 0) {
- *buffer = isp;
- rc = ilen;
+ if (alloc) {
+ *buffer = kstrdup(isp, GFP_KERNEL);
+ if (*buffer == NULL)
+ return -ENOMEM;
}
- return rc;
+ return strlen(isp);
}
[PATCH 3.16 133/204] pci_ids: Add PCI device IDs for F15h M60h
3.16.52-rc1 review patch. If anyone has any objections, please let me know. -- From: Aravind Gopalakrishnan commit 4cbbdb51cc921f95978360fd7a0652d493dadc3e upstream. Add F3, F4 device IDs to be used in amd_nb.c and amd64_edac.c Signed-off-by: Aravind Gopalakrishnan Acked-by: Bjorn Helgaas Link: http://lkml.kernel.org/r/1411070195-10177-1-git-send-email-aravind.gopalakrish...@amd.com Signed-off-by: Borislav Petkov Signed-off-by: Ben Hutchings --- include/linux/pci_ids.h | 2 ++ 1 file changed, 2 insertions(+) --- a/include/linux/pci_ids.h +++ b/include/linux/pci_ids.h @@ -520,6 +520,8 @@ #define PCI_DEVICE_ID_AMD_15H_M10H_F3 0x1403 #define PCI_DEVICE_ID_AMD_15H_M30H_NB_F3 0x141d #define PCI_DEVICE_ID_AMD_15H_M30H_NB_F4 0x141e +#define PCI_DEVICE_ID_AMD_15H_M60H_NB_F3 0x1573 +#define PCI_DEVICE_ID_AMD_15H_M60H_NB_F4 0x1574 #define PCI_DEVICE_ID_AMD_15H_NB_F00x1600 #define PCI_DEVICE_ID_AMD_15H_NB_F10x1601 #define PCI_DEVICE_ID_AMD_15H_NB_F20x1602
[PATCH 3.16 124/204] ALSA: hda: Remove superfluous '-' added by printk conversion
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Takashi Iwai
commit 6bf88a343db2b3c160edf9b82a74966b31cc80bd upstream.
While converting the error messages to the standard macros in the
commit 4e76a8833fac ("ALSA: hda - Replace with standard printk"), a
superfluous '-' slipped in the code mistakenly. Its influence is
almost negligible, merely shows a dB value as negative integer instead
of positive integer (or vice versa) in the rare error message.
So let's kill this embarrassing byte to show more correct value.
Fixes: 4e76a8833fac ("ALSA: hda - Replace with standard printk")
Signed-off-by: Takashi Iwai
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings
---
sound/pci/hda/hda_codec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/sound/pci/hda/hda_codec.c
+++ b/sound/pci/hda/hda_codec.c
@@ -2791,7 +2791,7 @@ static int get_kctl_0dB_offset(struct sn
return -1;
if (*step_to_check && *step_to_check != step) {
snd_printk(KERN_ERR "hda_codec: Mismatching dB step for
vmaster slave (%d!=%d)\n",
-- *step_to_check, step);
+ *step_to_check, step);
return -1;
}
*step_to_check = step;
[PATCH 3.16 087/204] sh: sh7264: remove nonexistent GPIO_PH[0-7] to fix pinctrl registration
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Geert Uytterhoeven
commit eae3df7e82318d798f45dedf111e241805ec7a4a upstream.
Pinmux_pins[] is initialized through PINMUX_GPIO(), using designated
array initializers, where the GPIO_* enums serve as indices. If enum
values are defined, but never used, pinmux_pins[] contains (zero-filled)
holes. Such entries are treated as pin zero, which was registered
before, thus leading to pinctrl registration failures, as seen on
sh7722:
sh-pfc pfc-sh7722: pin 0 already registered
sh-pfc pfc-sh7722: error during pin registration
sh-pfc pfc-sh7722: could not register: -22
sh-pfc: probe of pfc-sh7722 failed with error -22
Remove GPIO_PH[0-7] from the enum to fix this.
Link:
http://lkml.kernel.org/r/1505205657-18012-4-git-send-email-geert+rene...@glider.be
Fixes: 41797f75486d8ca3 ("sh: Add pinmux for sh7264")
Signed-off-by: Geert Uytterhoeven
Reviewed-by: Laurent Pinchart
Cc: Jacopo Mondi
Cc: Magnus Damm
Cc: Rich Felker
Cc: Yoshihiro Shimoda
Cc: Yoshinori Sato
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
Signed-off-by: Ben Hutchings
---
arch/sh/include/cpu-sh2a/cpu/sh7264.h | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
--- a/arch/sh/include/cpu-sh2a/cpu/sh7264.h
+++ b/arch/sh/include/cpu-sh2a/cpu/sh7264.h
@@ -43,9 +43,7 @@ enum {
GPIO_PG7, GPIO_PG6, GPIO_PG5, GPIO_PG4,
GPIO_PG3, GPIO_PG2, GPIO_PG1, GPIO_PG0,
- /* Port H */
- GPIO_PH7, GPIO_PH6, GPIO_PH5, GPIO_PH4,
- GPIO_PH3, GPIO_PH2, GPIO_PH1, GPIO_PH0,
+ /* Port H - Port H does not have a Data Register */
/* Port I - not on device */
[PATCH 3.16 135/204] x86/amd_nb: Add Fam17h Data Fabric as "Northbridge"
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Yazen Ghannam
commit b791c6b6a55c402367cc544f54921074253db061 upstream.
AMD Fam17h uses a Data Fabric component instead of a traditional
Northbridge. However, the DF is similar to a NB in that there is one per
die and it uses PCI config D18Fx registers. So let's reuse the existing
AMD_NB infrastructure for Data Fabrics.
Signed-off-by: Yazen Ghannam
Cc: linux-edac
Cc: x86-ml
Link:
http://lkml.kernel.org/r/1478812257-5424-4-git-send-email-yazen.ghan...@amd.com
Signed-off-by: Borislav Petkov
Signed-off-by: Thomas Gleixner
Signed-off-by: Ben Hutchings
---
arch/x86/kernel/amd_nb.c | 5 +
1 file changed, 5 insertions(+)
--- a/arch/x86/kernel/amd_nb.c
+++ b/arch/x86/kernel/amd_nb.c
@@ -13,6 +13,9 @@
#include
#include
+#define PCI_DEVICE_ID_AMD_17H_DF_F30x1463
+#define PCI_DEVICE_ID_AMD_17H_DF_F40x1464
+
static u32 *flush_words;
const struct pci_device_id amd_nb_misc_ids[] = {
@@ -24,6 +27,7 @@ const struct pci_device_id amd_nb_misc_i
{ PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_15H_M60H_NB_F3) },
{ PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_16H_NB_F3) },
{ PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_16H_M30H_NB_F3) },
+ { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_17H_DF_F3) },
{}
};
EXPORT_SYMBOL(amd_nb_misc_ids);
@@ -34,6 +38,7 @@ static const struct pci_device_id amd_nb
{ PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_15H_M60H_NB_F4) },
{ PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_16H_NB_F4) },
{ PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_16H_M30H_NB_F4) },
+ { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_17H_DF_F4) },
{}
};
[PATCH 3.16 161/204] KEYS: trusted: fix writing past end of buffer in trusted_read()
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Eric Biggers
commit a3c812f7cfd80cf51e8f5b7034f7418f6beb56c1 upstream.
When calling keyctl_read() on a key of type "trusted", if the
user-supplied buffer was too small, the kernel ignored the buffer length
and just wrote past the end of the buffer, potentially corrupting
userspace memory. Fix it by instead returning the size required, as per
the documentation for keyctl_read().
We also don't even fill the buffer at all in this case, as this is
slightly easier to implement than doing a short read, and either
behavior appears to be permitted. It also makes it match the behavior
of the "encrypted" key type.
Fixes: d00a1c72f7f4 ("keys: add new trusted key-type")
Reported-by: Ben Hutchings
Signed-off-by: Eric Biggers
Signed-off-by: David Howells
Reviewed-by: Mimi Zohar
Reviewed-by: James Morris
Signed-off-by: James Morris
Signed-off-by: Ben Hutchings
---
security/keys/trusted.c | 23 ---
1 file changed, 12 insertions(+), 11 deletions(-)
--- a/security/keys/trusted.c
+++ b/security/keys/trusted.c
@@ -1061,20 +1061,21 @@ static long trusted_read(const struct ke
p = rcu_dereference_key(key);
if (!p)
return -EINVAL;
- if (!buffer || buflen <= 0)
- return 2 * p->blob_len;
- ascii_buf = kmalloc(2 * p->blob_len, GFP_KERNEL);
- if (!ascii_buf)
- return -ENOMEM;
- bufp = ascii_buf;
- for (i = 0; i < p->blob_len; i++)
- bufp = hex_byte_pack(bufp, p->blob[i]);
- if ((copy_to_user(buffer, ascii_buf, 2 * p->blob_len)) != 0) {
+ if (buffer && buflen >= 2 * p->blob_len) {
+ ascii_buf = kmalloc(2 * p->blob_len, GFP_KERNEL);
+ if (!ascii_buf)
+ return -ENOMEM;
+
+ bufp = ascii_buf;
+ for (i = 0; i < p->blob_len; i++)
+ bufp = hex_byte_pack(bufp, p->blob[i]);
+ if (copy_to_user(buffer, ascii_buf, 2 * p->blob_len) != 0) {
+ kzfree(ascii_buf);
+ return -EFAULT;
+ }
kzfree(ascii_buf);
- return -EFAULT;
}
- kzfree(ascii_buf);
return 2 * p->blob_len;
}
[PATCH 3.16 122/204] usb: cdc_acm: Add quirk for Elatec TWN3
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Maksim Salau
commit 765fb2f181cad669f2beb87842a05d8071f2be85 upstream.
Elatec TWN3 has the union descriptor on data interface. This results in
failure to bind the device to the driver with the following log:
usb 1-1.2: new full speed USB device using streamplug-ehci and address 4
usb 1-1.2: New USB device found, idVendor=09d8, idProduct=0320
usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
usb 1-1.2: Product: RFID Device (COM)
usb 1-1.2: Manufacturer: OEM
cdc_acm 1-1.2:1.0: Zero length descriptor references
cdc_acm: probe of 1-1.2:1.0 failed with error -22
Adding the NO_UNION_NORMAL quirk for the device fixes the issue.
`lsusb -v` of the device:
Bus 001 Device 003: ID 09d8:0320
Device Descriptor:
bLength18
bDescriptorType 1
bcdUSB 2.00
bDeviceClass2 Communications
bDeviceSubClass 0
bDeviceProtocol 0
bMaxPacketSize032
idVendor 0x09d8
idProduct 0x0320
bcdDevice3.00
iManufacturer 1 OEM
iProduct2 RFID Device (COM)
iSerial 0
bNumConfigurations 1
Configuration Descriptor:
bLength 9
bDescriptorType 2
wTotalLength 67
bNumInterfaces 2
bConfigurationValue 1
iConfiguration 0
bmAttributes 0x80
(Bus Powered)
MaxPower 250mA
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber0
bAlternateSetting 0
bNumEndpoints 1
bInterfaceClass 2 Communications
bInterfaceSubClass 2 Abstract (modem)
bInterfaceProtocol 1 AT-commands (v.25ter)
iInterface 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x83 EP 3 IN
bmAttributes3
Transfer TypeInterrupt
Synch Type None
Usage Type Data
wMaxPacketSize 0x0020 1x 32 bytes
bInterval 2
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber1
bAlternateSetting 0
bNumEndpoints 2
bInterfaceClass10 CDC Data
bInterfaceSubClass 0 Unused
bInterfaceProtocol 0
iInterface 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x02 EP 2 OUT
bmAttributes2
Transfer TypeBulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0020 1x 32 bytes
bInterval 0
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x81 EP 1 IN
bmAttributes2
Transfer TypeBulk
Synch Type None
Usage Type Data
wMaxPacketSize 0x0020 1x 32 bytes
bInterval 0
CDC Header:
bcdCDC 1.10
CDC Call Management:
bmCapabilities 0x03
call management
use DataInterface
bDataInterface 1
CDC ACM:
bmCapabilities 0x06
sends break
line coding and serial state
CDC Union:
bMasterInterface0
bSlaveInterface 1
Device Status: 0x
(Bus Powered)
Signed-off-by: Maksim Salau
Acked-by: Oliver Neukum
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Ben Hutchings
---
drivers/usb/class/cdc-acm.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -1775,6 +1775,9 @@ static const struct usb_device_id acm_id
{ USB_DEVICE(0xfff0, 0x0100), /* DATECS FP-2000 */
.driver_info = NO_UNION_NORMAL, /* reports zero length descriptor */
},
+ { USB_DEVICE(0x09d8, 0x0320), /* Elatec GmbH TWN3 */
+ .driver_info = NO_UNION_NORMAL, /* has misplaced union descriptor */
+ },
{ USB_DEVICE(0x2912, 0x0001), /* ATOL FPrint */
.driver_info = CLEAR_HALT_CONDITIONS,
[PATCH 3.16 040/204] SMB3: Don't ignore O_SYNC/O_DSYNC and O_DIRECT flags
3.16.52-rc1 review patch. If anyone has any objections, please let me know. -- From: Steve French commit 1013e760d10e614dc10b5624ce9fc41563ba2e65 upstream. Signed-off-by: Steve French Reviewed-by: Ronnie Sahlberg Reviewed-by: Pavel Shilovsky Signed-off-by: Ben Hutchings --- fs/cifs/file.c | 7 +++ 1 file changed, 7 insertions(+) --- a/fs/cifs/file.c +++ b/fs/cifs/file.c @@ -225,6 +225,13 @@ cifs_nt_open(char *full_path, struct ino if (backup_cred(cifs_sb)) create_options |= CREATE_OPEN_BACKUP_INTENT; + /* O_SYNC also has bit for O_DSYNC so following check picks up either */ + if (f_flags & O_SYNC) + create_options |= CREATE_WRITE_THROUGH; + + if (f_flags & O_DIRECT) + create_options |= CREATE_NO_BUFFER; + oparms.tcon = tcon; oparms.cifs_sb = cifs_sb; oparms.desired_access = desired_access;
[PATCH 3.16 047/204] KEYS: don't revoke uninstantiated key in request_key_auth_new()
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Eric Biggers
commit f7b48cf08fa63a68b59c2894806ee478216d7f91 upstream.
If key_instantiate_and_link() were to fail (which fortunately isn't
possible currently), the call to key_revoke(authkey) would crash with a
NULL pointer dereference in request_key_auth_revoke() because the key
has not yet been instantiated.
Fix this by removing the call to key_revoke(). key_put() is sufficient,
as it's not possible for an uninstantiated authkey to have been used for
anything yet.
Fixes: b5f545c880a2 ("[PATCH] keys: Permit running process to instantiate keys")
Signed-off-by: Eric Biggers
Signed-off-by: David Howells
Signed-off-by: Ben Hutchings
---
security/keys/request_key_auth.c | 1 -
1 file changed, 1 deletion(-)
--- a/security/keys/request_key_auth.c
+++ b/security/keys/request_key_auth.c
@@ -207,7 +207,6 @@ struct key *request_key_auth_new(struct
return authkey;
error_put_authkey:
- key_revoke(authkey);
key_put(authkey);
error_free_rka:
free_request_key_auth(rka);
[PATCH 3.16 157/204] tun/tap: sanitize TUNSETSNDBUF input
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Craig Gallek
commit 93161922c658c714715686cd0cf69b090cb9bf1d upstream.
Syzkaller found several variants of the lockup below by setting negative
values with the TUNSETSNDBUF ioctl. This patch adds a sanity check
to both the tun and tap versions of this ioctl.
watchdog: BUG: soft lockup - CPU#0 stuck for 22s! [repro:2389]
Modules linked in:
irq event stamp: 329692056
hardirqs last enabled at (329692055): []
_raw_spin_unlock_irqrestore+0x31/0x75
hardirqs last disabled at (329692056): []
apic_timer_interrupt+0x98/0xb0
softirqs last enabled at (35659740): []
__do_softirq+0x328/0x48c
softirqs last disabled at (35659731): [] irq_exit+0xbc/0xd0
CPU: 0 PID: 2389 Comm: repro Not tainted 4.14.0-rc7 #23
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: 880009452140 task.stack: 880006a2
RIP: 0010:_raw_spin_lock_irqsave+0x11/0x80
RSP: 0018:880006a27c50 EFLAGS: 0282 ORIG_RAX: ff10
RAX: 880009ac68d0 RBX: 880006a27ce0 RCX:
RDX: 0001 RSI: 880006a27ce0 RDI: 880009ac6900
RBP: 880006a27c60 R08: R09:
R10: 0001 R11: 0063ff00 R12: 880009ac6900
R13: 880006a27cf8 R14: 0001 R15: 880006a27cf8
FS: 7f4be4838700() GS:88000cc0() knlGS:
CS: 0010 DS: ES: CR0: 80050033
CR2: 20101000 CR3: 09616000 CR4: 06f0
Call Trace:
prepare_to_wait+0x26/0xc0
sock_alloc_send_pskb+0x14e/0x270
? remove_wait_queue+0x60/0x60
tun_get_user+0x2cc/0x19d0
? __tun_get+0x60/0x1b0
tun_chr_write_iter+0x57/0x86
__vfs_write+0x156/0x1e0
vfs_write+0xf7/0x230
SyS_write+0x57/0xd0
entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x7f4be4356df9
RSP: 002b:7ffc18101c08 EFLAGS: 0293 ORIG_RAX: 0001
RAX: ffda RBX: RCX: 7f4be4356df9
RDX: 0046 RSI: 20101000 RDI: 0005
RBP: 7ffc18101c40 R08: 0001 R09: 0001
R10: 0001 R11: 0293 R12: 559c75f64780
R13: 7ffc18101d30 R14: R15:
Fixes: 33dccbb050bb ("tun: Limit amount of queued packets per device")
Fixes: 20d29d7a916a ("net: macvtap driver")
Signed-off-by: Craig Gallek
Reviewed-by: Eric Dumazet
Signed-off-by: David S. Miller
[bwh: Backported to 3.2: adjust filename]
Signed-off-by: Ben Hutchings
---
drivers/net/macvtap.c | 2 ++
drivers/net/tun.c | 4
2 files changed, 6 insertions(+)
--- a/drivers/net/macvtap.c
+++ b/drivers/net/macvtap.c
@@ -1053,6 +1053,8 @@ static long macvtap_ioctl(struct file *f
case TUNSETSNDBUF:
if (get_user(s, sp))
return -EFAULT;
+ if (s <= 0)
+ return -EINVAL;
q->sk.sk_sndbuf = s;
return 0;
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -2054,6 +2054,10 @@ static long __tun_chr_ioctl(struct file
ret = -EFAULT;
break;
}
+ if (sndbuf <= 0) {
+ ret = -EINVAL;
+ break;
+ }
tun->sndbuf = sndbuf;
tun_set_sndbuf(tun);
[PATCH 3.16 045/204] staging: iio: ad7192: Fix - use the dedicated reset function avoiding dma from stack.
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Stefan Popa
commit f790923f146140a261ad211e5baf75d169f16fb2 upstream.
Depends on: 691c4b95d1 ("iio: ad_sigma_delta: Implement a dedicated reset
function")
SPI host drivers can use DMA to transfer data, so the buffer should be properly
allocated.
Keeping it on the stack could cause an undefined behavior.
The dedicated reset function solves this issue.
Signed-off-by: Stefan Popa
Acked-by: Lars-Peter Clausen
Acked-by: Michael Hennerich
Signed-off-by: Jonathan Cameron
Signed-off-by: Ben Hutchings
---
drivers/staging/iio/adc/ad7192.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
--- a/drivers/staging/iio/adc/ad7192.c
+++ b/drivers/staging/iio/adc/ad7192.c
@@ -206,11 +206,9 @@ static int ad7192_setup(struct ad7192_st
struct iio_dev *indio_dev = spi_get_drvdata(st->sd.spi);
unsigned long long scale_uv;
int i, ret, id;
- u8 ones[6];
/* reset the serial interface */
- memset(&ones, 0xFF, 6);
- ret = spi_write(st->sd.spi, &ones, 6);
+ ret = ad_sd_reset(&st->sd, 48);
if (ret < 0)
goto out;
msleep(1); /* Wait for at least 500us */
[PATCH 3.16 071/204] packet: only test po->has_vnet_hdr once in packet_snd
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Willem de Bruijn
commit da7c9561015e93d10fe6aab73e9288e0d09d65a6 upstream.
Packet socket option po->has_vnet_hdr can be updated concurrently with
other operations if no ring is attached.
Do not test the option twice in packet_snd, as the value may change in
between calls. A race on setsockopt disable may cause a packet > mtu
to be sent without having GSO options set.
Fixes: bfd5f4a3d605 ("packet: Add GSO/csum offload support.")
Signed-off-by: Willem de Bruijn
Reviewed-by: Eric Dumazet
Signed-off-by: David S. Miller
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings
---
net/packet/af_packet.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -2432,6 +2432,7 @@ static int packet_snd(struct socket *soc
int offset = 0;
int vnet_hdr_len;
struct packet_sock *po = pkt_sk(sk);
+ bool has_vnet_hdr = false;
unsigned short gso_type = 0;
int hlen, tlen;
int extra_len = 0;
@@ -2466,6 +2467,7 @@ static int packet_snd(struct socket *soc
reserve = dev->hard_header_len;
if (po->has_vnet_hdr) {
vnet_hdr_len = sizeof(vnet_hdr);
+ has_vnet_hdr = true;
err = -EINVAL;
if (len < vnet_hdr_len)
@@ -2557,7 +2559,7 @@ static int packet_snd(struct socket *soc
skb->priority = sk->sk_priority;
skb->mark = sk->sk_mark;
- if (po->has_vnet_hdr) {
+ if (has_vnet_hdr) {
if (vnet_hdr.flags & VIRTIO_NET_HDR_F_NEEDS_CSUM) {
if (!skb_partial_csum_set(skb, vnet_hdr.csum_start,
vnet_hdr.csum_offset)) {
[PATCH 3.16 025/204] crypto: talitos - Don't provide setkey for non hmac hashing algs.
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: LEROY Christophe
commit 56136631573baa537a15e0012055ffe8cfec1a33 upstream.
Today, md5sum fails with error -ENOKEY because a setkey
function is set for non hmac hashing algs, see strace output below:
mmap(NULL, 378880, PROT_READ, MAP_SHARED, 6, 0) = 0x77f5
accept(3, 0, NULL) = 7
vmsplice(5,
[{"bin/\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 378880}],
1, SPLICE_F_MORE|SPLICE_F_GIFT) = 262144
splice(4, NULL, 7, NULL, 262144, SPLICE_F_MORE) = -1 ENOKEY (Required key not
available)
write(2, "Generation of hash for file kcap"..., 50) = 50
munmap(0x77f5, 378880) = 0
This patch ensures that setkey() function is set only
for hmac hashing.
Signed-off-by: Christophe Leroy
Signed-off-by: Herbert Xu
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings
---
drivers/crypto/talitos.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/crypto/talitos.c
+++ b/drivers/crypto/talitos.c
@@ -2550,7 +2550,8 @@ static struct talitos_crypto_alg *talito
t_alg->algt.alg.hash.final = ahash_final;
t_alg->algt.alg.hash.finup = ahash_finup;
t_alg->algt.alg.hash.digest = ahash_digest;
- t_alg->algt.alg.hash.setkey = ahash_setkey;
+ if (!strncmp(alg->cra_name, "hmac", 4))
+ t_alg->algt.alg.hash.setkey = ahash_setkey;
if (!(priv->features & TALITOS_FTR_HMAC_OK) &&
!strncmp(alg->cra_name, "hmac", 4)) {
[PATCH 3.16 192/204] mm, thp: Do not make page table dirty unconditionally in touch_p[mu]d()
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: "Kirill A. Shutemov"
commit a8f97366452ed491d13cf1e44241bc0b5740b1f0 upstream.
Currently, we unconditionally make page table dirty in touch_pmd().
It may result in false-positive can_follow_write_pmd().
We may avoid the situation, if we would only make the page table entry
dirty if caller asks for write access -- FOLL_WRITE.
The patch also changes touch_pud() in the same way.
Signed-off-by: Kirill A. Shutemov
Cc: Michal Hocko
Cc: Hugh Dickins
Signed-off-by: Linus Torvalds
[carnil: backport for 3.16:
- Adjust context
- Drop specific part for PUD-sized transparent hugepages. Support
for PUD-sized transparent hugepages was added in v4.11-rc1
]
Signed-off-by: Ben Hutchings
---
mm/huge_memory.c | 36 +---
1 file changed, 13 insertions(+), 23 deletions(-)
--- a/mm/huge_memory.c
+++ b/mm/huge_memory.c
@@ -1230,17 +1230,11 @@ struct page *follow_trans_huge_pmd(struc
if (flags & FOLL_TOUCH) {
pmd_t _pmd;
- /*
-* We should set the dirty bit only for FOLL_WRITE but
-* for now the dirty bit in the pmd is meaningless.
-* And if the dirty bit will become meaningful and
-* we'll only set it with FOLL_WRITE, an atomic
-* set_bit will be required on the pmd to set the
-* young bit, instead of the current set_pmd_at.
-*/
- _pmd = pmd_mkyoung(pmd_mkdirty(*pmd));
+ _pmd = pmd_mkyoung(*pmd);
+ if (flags & FOLL_WRITE)
+ _pmd = pmd_mkdirty(_pmd);
if (pmdp_set_access_flags(vma, addr & HPAGE_PMD_MASK,
- pmd, _pmd, 1))
+ pmd, _pmd, flags & FOLL_WRITE))
update_mmu_cache_pmd(vma, addr, pmd);
}
if ((flags & FOLL_MLOCK) && (vma->vm_flags & VM_LOCKED)) {
[PATCH 3.16 120/204] scsi: zfcp: fix erp_action use-before-initialize in REC action trace
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Steffen Maier
commit ab31fd0ce65ec93828b617123792c1bb7c6dcc42 upstream.
v4.10 commit 6f2ce1c6af37 ("scsi: zfcp: fix rport unblock race with LUN
recovery") extended accessing parent pointer fields of struct
zfcp_erp_action for tracing. If an erp_action has never been enqueued
before, these parent pointer fields are uninitialized and NULL. Examples
are zfcp objects freshly added to the parent object's children list,
before enqueueing their first recovery subsequently. In
zfcp_erp_try_rport_unblock(), we iterate such list. Accessing erp_action
fields can cause a NULL pointer dereference. Since the kernel can read
from lowcore on s390, it does not immediately cause a kernel page
fault. Instead it can cause hangs on trying to acquire the wrong
erp_action->adapter->dbf->rec_lock in zfcp_dbf_rec_action_lvl()
^bogus^
while holding already other locks with IRQs disabled.
Real life example from attaching lots of LUNs in parallel on many CPUs:
crash> bt 17723
PID: 17723 TASK: ... CPU: 25 COMMAND: "zfcperp0.0.1800"
LOWCORE INFO:
-psw : 0x040430018000 0x0038e424
-function : _raw_spin_lock_wait_flags at 38e424
...
#0 [fdde8fc90] zfcp_dbf_rec_action_lvl at 3e0004e9862 [zfcp]
#1 [fdde8fce8] zfcp_erp_try_rport_unblock at 3e0004dfddc [zfcp]
#2 [fdde8fd38] zfcp_erp_strategy at 3e0004e0234 [zfcp]
#3 [fdde8fda8] zfcp_erp_thread at 3e0004e0a12 [zfcp]
#4 [fdde8fe60] kthread at 173550
#5 [fdde8feb8] kernel_thread_starter at 10add2
zfcp_adapter
zfcp_port
zfcp_unit , 0x404040d6
scsi_device NULL, returning early!
zfcp_scsi_dev.status = 0x4000
0x4000 ZFCP_STATUS_COMMON_RUNNING
crash> zfcp_unit
struct zfcp_unit {
erp_action = {
adapter = 0x0,
port = 0x0,
unit = 0x0,
},
}
zfcp_erp_action is always fully embedded into its container object. Such
container object is never moved in its object tree (only add or delete).
Hence, erp_action parent pointers can never change.
To fix the issue, initialize the erp_action parent pointers before
adding the erp_action container to any list and thus before it becomes
accessible from outside of its initializing function.
In order to also close the time window between zfcp_erp_setup_act()
memsetting the entire erp_action to zero and setting the parent pointers
again, drop the memset and instead explicitly initialize individually
all erp_action fields except for parent pointers. To be extra careful
not to introduce any other unintended side effect, even keep zeroing the
erp_action fields for list and timer. Also double-check with
WARN_ON_ONCE that erp_action parent pointers never change, so we get to
know when we would deviate from previous behavior.
Signed-off-by: Steffen Maier
Fixes: 6f2ce1c6af37 ("scsi: zfcp: fix rport unblock race with LUN recovery")
Reviewed-by: Benjamin Block
Signed-off-by: Martin K. Petersen
Signed-off-by: Ben Hutchings
---
drivers/s390/scsi/zfcp_aux.c | 5 +
drivers/s390/scsi/zfcp_erp.c | 18 +++---
drivers/s390/scsi/zfcp_scsi.c | 5 +
3 files changed, 21 insertions(+), 7 deletions(-)
--- a/drivers/s390/scsi/zfcp_aux.c
+++ b/drivers/s390/scsi/zfcp_aux.c
@@ -356,6 +356,8 @@ struct zfcp_adapter *zfcp_adapter_enqueu
INIT_WORK(&adapter->scan_work, zfcp_fc_scan_ports);
INIT_WORK(&adapter->ns_up_work, zfcp_fc_sym_name_update);
+ adapter->erp_action.adapter = adapter;
+
if (zfcp_qdio_setup(adapter))
goto failed;
@@ -512,6 +514,9 @@ struct zfcp_port *zfcp_port_enqueue(stru
port->dev.groups = zfcp_port_attr_groups;
port->dev.release = zfcp_port_release;
+ port->erp_action.adapter = adapter;
+ port->erp_action.port = port;
+
if (dev_set_name(&port->dev, "0x%016llx", (unsigned long long)wwpn)) {
kfree(port);
goto err_out;
--- a/drivers/s390/scsi/zfcp_erp.c
+++ b/drivers/s390/scsi/zfcp_erp.c
@@ -193,9 +193,8 @@ static struct zfcp_erp_action *zfcp_erp_
atomic_set_mask(ZFCP_STATUS_COMMON_ERP_INUSE,
&zfcp_sdev->status);
erp_action = &zfcp_sdev->erp_action;
- memset(erp_action, 0, sizeof(struct zfcp_erp_action));
- erp_action->port = port;
- erp_action->sdev = sdev;
+ WARN_ON_ONCE(erp_action->port != port);
+ WARN_ON_ONCE(erp_action->sdev != sdev);
if (!(atomic_read(&zfcp_sdev->status) &
ZFCP_STATUS_COMMON_RUNNING))
act_status |= ZFCP_STATUS_ERP_CLOSE_ONLY;
@@ -208,8 +207,8 @@ static struct zfcp_erp_action *zfcp_erp_
zfcp_erp_action_dismiss_port(port);
atomic_set_mask(ZFCP_STATUS_COMMON_ERP_INUSE, &port->status);
erp_action = &port->erp_action;
- memset(erp_action, 0, sizeof(str
[PATCH 3.16 129/204] can: esd_usb2: Fix can_dlc value for received RTR, frames
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Stefan Mätje
commit 72d92e865d1560723e1957ee3f393688c49ca5bf upstream.
The dlc member of the struct rx_msg contains also the ESD_RTR flag to
mark received RTR frames. Without the fix the can_dlc value for received
RTR frames would always be set to 8 by get_can_dlc() instead of the
received value.
Fixes: 96d8e90382dc ("can: Add driver for esd CAN-USB/2 device")
Signed-off-by: Stefan Mätje
Signed-off-by: Marc Kleine-Budde
Signed-off-by: Ben Hutchings
---
drivers/net/can/usb/esd_usb2.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/can/usb/esd_usb2.c
+++ b/drivers/net/can/usb/esd_usb2.c
@@ -334,7 +334,7 @@ static void esd_usb2_rx_can_msg(struct e
}
cf->can_id = id & ESD_IDMASK;
- cf->can_dlc = get_can_dlc(msg->msg.rx.dlc);
+ cf->can_dlc = get_can_dlc(msg->msg.rx.dlc & ~ESD_RTR);
if (id & ESD_EXTID)
cf->can_id |= CAN_EFF_FLAG;
[PATCH 3.16 179/204] can: c_can: don't indicate triple sampling support for D_CAN
3.16.52-rc1 review patch. If anyone has any objections, please let me know. -- From: Richard Schütz commit fb5f0b3ef69b95e665e4bbe8a3de7201f09f1071 upstream. The D_CAN controller doesn't provide a triple sampling mode, so don't set the CAN_CTRLMODE_3_SAMPLES flag in ctrlmode_supported. Currently enabling triple sampling is a no-op. Signed-off-by: Richard Schütz Signed-off-by: Marc Kleine-Budde Signed-off-by: Ben Hutchings --- drivers/net/can/c_can/c_can_pci.c | 1 - drivers/net/can/c_can/c_can_platform.c | 1 - 2 files changed, 2 deletions(-) --- a/drivers/net/can/c_can/c_can_pci.c +++ b/drivers/net/can/c_can/c_can_pci.c @@ -178,7 +178,6 @@ static int c_can_pci_probe(struct pci_de break; case BOSCH_D_CAN: priv->regs = reg_map_d_can; - priv->can.ctrlmode_supported |= CAN_CTRLMODE_3_SAMPLES; break; default: ret = -EINVAL; --- a/drivers/net/can/c_can/c_can_platform.c +++ b/drivers/net/can/c_can/c_can_platform.c @@ -266,7 +266,6 @@ static int c_can_plat_probe(struct platf break; case BOSCH_D_CAN: priv->regs = reg_map_d_can; - priv->can.ctrlmode_supported |= CAN_CTRLMODE_3_SAMPLES; priv->read_reg = c_can_plat_read_reg_aligned_to_16bit; priv->write_reg = c_can_plat_write_reg_aligned_to_16bit; priv->read_reg32 = d_can_plat_read_reg32;
[PATCH 3.16 086/204] sh: sh7757: remove nonexistent GPIO_PT[JLNQ]7_RESV to fix pinctrl registration
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Geert Uytterhoeven
commit d8ce38f69843a56da044e56b6c16aecfbc3c6e39 upstream.
Commit 3810e96056ff ("sh: modify pinmux for SH7757 2nd cut") renamed
GPIO_PT[JLNQ]7 to GPIO_PT[JLNQ]7_RESV, and removed the existing users
from the pinmux_pins[] array.
However, pinmux_pins[] is initialized through PINMUX_GPIO(), using
designated array initializers, where the GPIO_* enums serve as indices.
Hence entries were not really removed, but replaced by (zero-filled)
holes. Such entries are treated as pin zero, which was registered
before, thus leading to pinctrl registration failures, as seen on
sh7722:
sh-pfc pfc-sh7722: pin 0 already registered
sh-pfc pfc-sh7722: error during pin registration
sh-pfc pfc-sh7722: could not register: -22
sh-pfc: probe of pfc-sh7722 failed with error -22
Remove GPIO_PT[JLNQ]7_RESV from the enum to fix this.
Link:
http://lkml.kernel.org/r/1505205657-18012-3-git-send-email-geert+rene...@glider.be
Fixes: 3810e96056ffddf6 ("sh: modify pinmux for SH7757 2nd cut")
Signed-off-by: Geert Uytterhoeven
Reviewed-by: Laurent Pinchart
Cc: Jacopo Mondi
Cc: Magnus Damm
Cc: Rich Felker
Cc: Yoshihiro Shimoda
Cc: Yoshinori Sato
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
Signed-off-by: Ben Hutchings
---
arch/sh/include/cpu-sh4/cpu/sh7757.h | 8
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/arch/sh/include/cpu-sh4/cpu/sh7757.h
+++ b/arch/sh/include/cpu-sh4/cpu/sh7757.h
@@ -40,7 +40,7 @@ enum {
/* PTJ */
GPIO_PTJ0, GPIO_PTJ1, GPIO_PTJ2, GPIO_PTJ3,
- GPIO_PTJ4, GPIO_PTJ5, GPIO_PTJ6, GPIO_PTJ7_RESV,
+ GPIO_PTJ4, GPIO_PTJ5, GPIO_PTJ6,
/* PTK */
GPIO_PTK0, GPIO_PTK1, GPIO_PTK2, GPIO_PTK3,
@@ -48,7 +48,7 @@ enum {
/* PTL */
GPIO_PTL0, GPIO_PTL1, GPIO_PTL2, GPIO_PTL3,
- GPIO_PTL4, GPIO_PTL5, GPIO_PTL6, GPIO_PTL7_RESV,
+ GPIO_PTL4, GPIO_PTL5, GPIO_PTL6,
/* PTM */
GPIO_PTM0, GPIO_PTM1, GPIO_PTM2, GPIO_PTM3,
@@ -56,7 +56,7 @@ enum {
/* PTN */
GPIO_PTN0, GPIO_PTN1, GPIO_PTN2, GPIO_PTN3,
- GPIO_PTN4, GPIO_PTN5, GPIO_PTN6, GPIO_PTN7_RESV,
+ GPIO_PTN4, GPIO_PTN5, GPIO_PTN6,
/* PTO */
GPIO_PTO0, GPIO_PTO1, GPIO_PTO2, GPIO_PTO3,
@@ -68,7 +68,7 @@ enum {
/* PTQ */
GPIO_PTQ0, GPIO_PTQ1, GPIO_PTQ2, GPIO_PTQ3,
- GPIO_PTQ4, GPIO_PTQ5, GPIO_PTQ6, GPIO_PTQ7_RESV,
+ GPIO_PTQ4, GPIO_PTQ5, GPIO_PTQ6,
/* PTR */
GPIO_PTR0, GPIO_PTR1, GPIO_PTR2, GPIO_PTR3,
Re: [PATCH 5/7] MIPS: jz4780: dts: Fix watchdog node
Hi Paul,
On Thu, Dec 28, 2017 at 5:29 PM, Paul Cercueil wrote:
> - The previous node requested a memory area of 0x100 bytes, while the
> driver only manipulates four registers present in the first 0x10 bytes.
>
> - The driver requests for the "rtc" clock, but the previous node did not
> provide any.
>
> Signed-off-by: Paul Cercueil
> ---
> arch/mips/boot/dts/ingenic/jz4780.dtsi | 5 -
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/arch/mips/boot/dts/ingenic/jz4780.dtsi
> b/arch/mips/boot/dts/ingenic/jz4780.dtsi
> index 9b5794667aee..a52f59bf58c7 100644
> --- a/arch/mips/boot/dts/ingenic/jz4780.dtsi
> +++ b/arch/mips/boot/dts/ingenic/jz4780.dtsi
> @@ -221,7 +221,10 @@
>
> watchdog: watchdog@10002000 {
> compatible = "ingenic,jz4780-watchdog";
> - reg = <0x10002000 0x100>;
> + reg = <0x10002000 0x10>;
> +
> + clocks = <&cgu JZ4780_CLK_RTCLK>;
> + clock-names = "rtc";
> };
>
> nemc: nemc@1341 {
> --
> 2.11.0
>
>
Looks good, thanks for fixing my mess. Tested on MIPS Creator CI20:
Dec 28 17:27:50 ci20 watchdog[17531]: starting daemon (5.14):
Dec 28 17:27:50 ci20 watchdog[17531]: int=1s realtime=yes sync=no
soft=no mla=0 mem=0
Dec 28 17:27:50 ci20 watchdog[17531]: ping: no machine to check
Dec 28 17:27:50 ci20 watchdog[17531]: file: no file to check
Dec 28 17:27:50 ci20 watchdog[17531]: pidfile: no server process to check
Dec 28 17:27:50 ci20 watchdog[17531]: interface: no interface to check
Dec 28 17:27:50 ci20 watchdog[17531]: temperature: no sensors to check
Dec 28 17:27:50 ci20 watchdog[17531]: test=none(0) repair=none(0)
alive=/dev/watchdog heartbeat=none to=root no_act=no force=no
Dec 28 17:27:50 ci20 watchdog[17531]: watchdog now set to 60 seconds
Dec 28 17:27:50 ci20 watchdog[17531]: hardware watchdog identity:
jz4740 Watchdog
pkill + reboot = ok
Reviewed-by: Mathieu Malaterre
[PATCH 3.16 051/204] KEYS: prevent creating a different user's keyrings
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Eric Biggers
commit 237bbd29f7a049d310d907f4b2716a7feef9abf3 upstream.
It was possible for an unprivileged user to create the user and user
session keyrings for another user. For example:
sudo -u '#3000' sh -c 'keyctl add keyring _uid.4000 "" @u
keyctl add keyring _uid_ses.4000 "" @u
sleep 15' &
sleep 1
sudo -u '#4000' keyctl describe @u
sudo -u '#4000' keyctl describe @us
This is problematic because these "fake" keyrings won't have the right
permissions. In particular, the user who created them first will own
them and will have full access to them via the possessor permissions,
which can be used to compromise the security of a user's keys:
-4: alswrv-v 3000 0 keyring: _uid.4000
-5: alswrv-v 3000 0 keyring: _uid_ses.4000
Fix it by marking user and user session keyrings with a flag
KEY_FLAG_UID_KEYRING. Then, when searching for a user or user session
keyring by name, skip all keyrings that don't have the flag set.
Fixes: 69664cf16af4 ("keys: don't generate user and user session keyrings
unless they're accessed")
Signed-off-by: Eric Biggers
Signed-off-by: David Howells
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings
---
--- a/include/linux/key.h
+++ b/include/linux/key.h
@@ -170,6 +170,7 @@ struct key {
#define KEY_FLAG_INVALIDATED 7 /* set if key has been invalidated */
#define KEY_FLAG_TRUSTED 8 /* set if key is trusted */
#define KEY_FLAG_TRUSTED_ONLY 9 /* set if keyring only accepts links to
trusted keys */
+#define KEY_FLAG_UID_KEYRING 11 /* set if key is a user or user session
keyring */
/* the key type and key description string
* - the desc is used to match a key against search criteria
@@ -221,6 +222,7 @@ extern struct key *key_alloc(struct key_
#define KEY_ALLOC_QUOTA_OVERRUN0x0001 /* add to quota, permit even if
overrun */
#define KEY_ALLOC_NOT_IN_QUOTA 0x0002 /* not in quota */
#define KEY_ALLOC_TRUSTED 0x0004 /* Key should be flagged as trusted */
+#define KEY_ALLOC_UID_KEYRING 0x0010 /* allocating a user or user
session keyring */
extern void key_revoke(struct key *key);
extern void key_invalidate(struct key *key);
--- a/security/keys/internal.h
+++ b/security/keys/internal.h
@@ -137,7 +137,7 @@ extern key_ref_t keyring_search_aux(key_
extern key_ref_t search_my_process_keyrings(struct keyring_search_context
*ctx);
extern key_ref_t search_process_keyrings(struct keyring_search_context *ctx);
-extern struct key *find_keyring_by_name(const char *name, bool
skip_perm_check);
+extern struct key *find_keyring_by_name(const char *name, bool uid_keyring);
extern int install_user_keyrings(void);
extern int install_thread_keyring_to_cred(struct cred *);
--- a/security/keys/key.c
+++ b/security/keys/key.c
@@ -298,6 +298,8 @@ struct key *key_alloc(struct key_type *t
key->flags |= 1 << KEY_FLAG_IN_QUOTA;
if (flags & KEY_ALLOC_TRUSTED)
key->flags |= 1 << KEY_FLAG_TRUSTED;
+ if (flags & KEY_ALLOC_UID_KEYRING)
+ key->flags |= 1 << KEY_FLAG_UID_KEYRING;
#ifdef KEY_DEBUGGING
key->magic = KEY_DEBUG_MAGIC;
--- a/security/keys/keyring.c
+++ b/security/keys/keyring.c
@@ -931,15 +931,15 @@ found:
/*
* Find a keyring with the specified name.
*
- * All named keyrings in the current user namespace are searched, provided they
- * grant Search permission directly to the caller (unless this check is
- * skipped). Keyrings whose usage points have reached zero or who have been
- * revoked are skipped.
+ * Only keyrings that have nonzero refcount, are not revoked, and are owned by
a
+ * user in the current user namespace are considered. If @uid_keyring is
%true,
+ * the keyring additionally must have been allocated as a user or user session
+ * keyring; otherwise, it must grant Search permission directly to the caller.
*
* Returns a pointer to the keyring with the keyring's refcount having being
* incremented on success. -ENOKEY is returned if a key could not be found.
*/
-struct key *find_keyring_by_name(const char *name, bool skip_perm_check)
+struct key *find_keyring_by_name(const char *name, bool uid_keyring)
{
struct key *keyring;
int bucket;
@@ -967,10 +967,15 @@ struct key *find_keyring_by_name(const c
if (strcmp(keyring->description, name) != 0)
continue;
- if (!skip_perm_check &&
- key_permission(make_key_ref(keyring, 0),
- KEY_NEED_SEARCH) < 0)
- continue;
+ if (uid_keyring) {
+ if (!test_bit(KEY_FLAG_UID_KEYRING,
+
[PATCH 3.16 178/204] rbd: use GFP_NOIO for parent stat and data requests
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Ilya Dryomov
commit 1e37f2f84680fa7f8394fd444b6928e334495ccc upstream.
rbd_img_obj_exists_submit() and rbd_img_obj_parent_read_full() are on
the writeback path for cloned images -- we attempt a stat on the parent
object to see if it exists and potentially read it in to call copyup.
GFP_NOIO should be used instead of GFP_KERNEL here.
Link: http://tracker.ceph.com/issues/22014
Signed-off-by: Ilya Dryomov
Reviewed-by: David Disseldorp
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings
---
drivers/block/rbd.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/block/rbd.c
+++ b/drivers/block/rbd.c
@@ -2584,7 +2584,7 @@ static int rbd_img_obj_parent_read_full(
* from the parent.
*/
page_count = (u32)calc_pages_for(0, length);
- pages = ceph_alloc_page_vector(page_count, GFP_KERNEL);
+ pages = ceph_alloc_page_vector(page_count, GFP_NOIO);
if (IS_ERR(pages)) {
result = PTR_ERR(pages);
pages = NULL;
@@ -2711,7 +2711,7 @@ static int rbd_img_obj_exists_submit(str
*/
size = sizeof (__le64) + sizeof (__le32) + sizeof (__le32);
page_count = (u32)calc_pages_for(0, size);
- pages = ceph_alloc_page_vector(page_count, GFP_KERNEL);
+ pages = ceph_alloc_page_vector(page_count, GFP_NOIO);
if (IS_ERR(pages))
return PTR_ERR(pages);
[PATCH 3.16 073/204] arm64: fault: Route pte translation faults via do_translation_fault
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Will Deacon
commit 760bfb47c36a07741a089bf6a28e854ffbee7dc9 upstream.
We currently route pte translation faults via do_page_fault, which elides
the address check against TASK_SIZE before invoking the mm fault handling
code. However, this can cause issues with the path walking code in
conjunction with our word-at-a-time implementation because
load_unaligned_zeropad can end up faulting in kernel space if it reads
across a page boundary and runs into a page fault (e.g. by attempting to
read from a guard region).
In the case of such a fault, load_unaligned_zeropad has registered a
fixup to shift the valid data and pad with zeroes, however the abort is
reported as a level 3 translation fault and we dispatch it straight to
do_page_fault, despite it being a kernel address. This results in calling
a sleeping function from atomic context:
BUG: sleeping function called from invalid context at
arch/arm64/mm/fault.c:313
in_atomic(): 0, irqs_disabled(): 0, pid: 10290
Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
[...]
[] ___might_sleep+0x134/0x144
[] __might_sleep+0x7c/0x8c
[] do_page_fault+0x140/0x330
[] do_mem_abort+0x54/0xb0
Exception stack(0xfffb20247a70 to 0xfffb20247ba0)
[...]
[] el1_da+0x18/0x78
[] path_parentat+0x44/0x88
[] filename_parentat+0x5c/0xd8
[] filename_create+0x4c/0x128
[] SyS_mkdirat+0x50/0xc8
[] el0_svc_naked+0x24/0x28
Code: 36380080 d5384100 f9400800 9402566d (d421)
---[ end trace 2d01889f2bca9b9f ]---
Fix this by dispatching all translation faults to do_translation_faults,
which avoids invoking the page fault logic for faults on kernel addresses.
Reported-by: Ankit Jain
Signed-off-by: Will Deacon
Signed-off-by: Catalin Marinas
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings
---
arch/arm64/mm/fault.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/arm64/mm/fault.c
+++ b/arch/arm64/mm/fault.c
@@ -386,7 +386,7 @@ static struct fault_info {
{ do_translation_fault, SIGSEGV, SEGV_MAPERR, "input address range
fault" },
{ do_translation_fault, SIGSEGV, SEGV_MAPERR, "level 1 translation
fault" },
{ do_translation_fault, SIGSEGV, SEGV_MAPERR, "level 2 translation
fault" },
- { do_page_fault,SIGSEGV, SEGV_MAPERR, "level 3 translation
fault" },
+ { do_translation_fault, SIGSEGV, SEGV_MAPERR, "level 3 translation
fault" },
{ do_bad, SIGBUS, 0, "reserved access flag
fault"},
{ do_page_fault,SIGSEGV, SEGV_ACCERR, "level 1 access flag
fault" },
{ do_page_fault,SIGSEGV, SEGV_ACCERR, "level 2 access flag
fault" },
[PATCH 3.16 057/204] btrfs: prevent to set invalid default subvolid
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: satoru takeuchi
commit 6d6d282932d1a609e60dc4467677e0e863682f57 upstream.
`btrfs sub set-default` succeeds to set an ID which isn't corresponding to any
fs/file tree. If such the bad ID is set to a filesystem, we can't mount this
filesystem without specifying `subvol` or `subvolid` mount options.
Fixes: 6ef5ed0d386b ("Btrfs: add ioctl and incompat flag to set the default
mount subvol")
Signed-off-by: Satoru Takeuchi
Reviewed-by: Qu Wenruo
Reviewed-by: David Sterba
Signed-off-by: David Sterba
Signed-off-by: Ben Hutchings
---
fs/btrfs/ioctl.c | 4
1 file changed, 4 insertions(+)
--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -3980,6 +3980,10 @@ static long btrfs_ioctl_default_subvol(s
ret = PTR_ERR(new_root);
goto out;
}
+ if (!is_fstree(new_root->objectid)) {
+ ret = -ENOENT;
+ goto out;
+ }
path = btrfs_alloc_path();
if (!path) {
[PATCH 3.16 131/204] sctp: add the missing sock_owned_by_user check in sctp_icmp_redirect
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Xin Long
commit 1cc276cec9ec574d41cf47dfc0f51406b6f26ab4 upstream.
Now sctp processes icmp redirect packet in sctp_icmp_redirect where
it calls sctp_transport_dst_check in which tp->dst can be released.
The problem is before calling sctp_transport_dst_check, it doesn't
check sock_owned_by_user, which means tp->dst could be freed while
a process is accessing it with owning the socket.
An use-after-free issue could be triggered by this.
This patch is to fix it by checking sock_owned_by_user before calling
sctp_transport_dst_check in sctp_icmp_redirect, so that it would not
release tp->dst if users still hold sock lock.
Besides, the same issue fixed in commit 45caeaa5ac0b ("dccp/tcp: fix
routing redirect race") on sctp also needs this check.
Fixes: 55be7a9c6074 ("ipv4: Add redirect support to all protocol icmp error
handlers")
Reported-by: Eric Dumazet
Signed-off-by: Xin Long
Acked-by: Marcelo Ricardo Leitner
Acked-by: Neil Horman
Signed-off-by: David S. Miller
Signed-off-by: Ben Hutchings
---
net/sctp/input.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/sctp/input.c
+++ b/net/sctp/input.c
@@ -416,7 +416,7 @@ void sctp_icmp_redirect(struct sock *sk,
{
struct dst_entry *dst;
- if (!t)
+ if (sock_owned_by_user(sk) || !t)
return;
dst = sctp_transport_dst_check(t);
if (dst)
[PATCH 3.16 059/204] vti: fix use after free in vti_tunnel_xmit/vti6_tnl_xmit
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Alexey Kodanev
commit 36f6ee22d2d66046e369757ec6bbe1c482957ba6 upstream.
When running LTP IPsec tests, KASan might report:
BUG: KASAN: use-after-free in vti_tunnel_xmit+0xeee/0xff0 [ip_vti]
Read of size 4 at addr 880dc6ad1980 by task swapper/0/0
...
Call Trace:
dump_stack+0x63/0x89
print_address_description+0x7c/0x290
kasan_report+0x28d/0x370
? vti_tunnel_xmit+0xeee/0xff0 [ip_vti]
__asan_report_load4_noabort+0x19/0x20
vti_tunnel_xmit+0xeee/0xff0 [ip_vti]
? vti_init_net+0x190/0x190 [ip_vti]
? save_stack_trace+0x1b/0x20
? save_stack+0x46/0xd0
dev_hard_start_xmit+0x147/0x510
? icmp_echo.part.24+0x1f0/0x210
__dev_queue_xmit+0x1394/0x1c60
...
Freed by task 0:
save_stack_trace+0x1b/0x20
save_stack+0x46/0xd0
kasan_slab_free+0x70/0xc0
kmem_cache_free+0x81/0x1e0
kfree_skbmem+0xb1/0xe0
kfree_skb+0x75/0x170
kfree_skb_list+0x3e/0x60
__dev_queue_xmit+0x1298/0x1c60
dev_queue_xmit+0x10/0x20
neigh_resolve_output+0x3a8/0x740
ip_finish_output2+0x5c0/0xe70
ip_finish_output+0x4ba/0x680
ip_output+0x1c1/0x3a0
xfrm_output_resume+0xc65/0x13d0
xfrm_output+0x1e4/0x380
xfrm4_output_finish+0x5c/0x70
Can be fixed if we get skb->len before dst_output().
Fixes: b9959fd3b0fa ("vti: switch to new ip tunnel code")
Fixes: 22e1b23dafa8 ("vti6: Support inter address family tunneling.")
Signed-off-by: Alexey Kodanev
Signed-off-by: David S. Miller
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings
---
net/ipv4/ip_vti.c | 3 ++-
net/ipv6/ip6_vti.c | 3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)
--- a/net/ipv4/ip_vti.c
+++ b/net/ipv4/ip_vti.c
@@ -151,6 +151,7 @@ static netdev_tx_t vti_xmit(struct sk_bu
struct ip_tunnel_parm *parms = &tunnel->parms;
struct dst_entry *dst = skb_dst(skb);
struct net_device *tdev;/* Device to other host */
+ int pkt_len = skb->len;
int err;
if (!dst) {
@@ -194,7 +195,7 @@ static netdev_tx_t vti_xmit(struct sk_bu
err = dst_output(skb);
if (net_xmit_eval(err) == 0)
- err = skb->len;
+ err = pkt_len;
iptunnel_xmit_stats(err, &dev->stats, dev->tstats);
return NETDEV_TX_OK;
--- a/net/ipv6/ip6_vti.c
+++ b/net/ipv6/ip6_vti.c
@@ -407,6 +407,7 @@ vti6_xmit(struct sk_buff *skb, struct ne
struct net_device_stats *stats = &t->dev->stats;
struct dst_entry *dst = skb_dst(skb);
struct net_device *tdev;
+ int pkt_len = skb->len;
int err = -1;
if (!dst)
@@ -441,7 +442,7 @@ vti6_xmit(struct sk_buff *skb, struct ne
struct pcpu_sw_netstats *tstats = this_cpu_ptr(dev->tstats);
u64_stats_update_begin(&tstats->syncp);
- tstats->tx_bytes += skb->len;
+ tstats->tx_bytes += pkt_len;
tstats->tx_packets++;
u64_stats_update_end(&tstats->syncp);
} else {
[PATCH 3.16 043/204] iio: ad7793: Fix the serial interface reset
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Dragos Bogdan
commit 7ee3b7ebcb74714df6d94c8f500f307e1ee5dda5 upstream.
The serial interface can be reset by writing 32 consecutive 1s to the device.
'ret' was initialized correctly but its value was overwritten when
ad7793_check_platform_data() was called. Since a dedicated reset function
is present now, it should be used instead.
Fixes: 2edb769d246e ("iio:ad7793: Add support for the ad7798 and ad7799")
Signed-off-by: Dragos Bogdan
Acked-by: Lars-Peter Clausen
Signed-off-by: Jonathan Cameron
Signed-off-by: Ben Hutchings
---
drivers/iio/adc/ad7793.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/iio/adc/ad7793.c
+++ b/drivers/iio/adc/ad7793.c
@@ -257,7 +257,7 @@ static int ad7793_setup(struct iio_dev *
unsigned int vref_mv)
{
struct ad7793_state *st = iio_priv(indio_dev);
- int i, ret = -1;
+ int i, ret;
unsigned long long scale_uv;
u32 id;
@@ -266,7 +266,7 @@ static int ad7793_setup(struct iio_dev *
return ret;
/* reset the serial interface */
- ret = spi_write(st->sd.spi, (u8 *)&ret, sizeof(ret));
+ ret = ad_sd_reset(&st->sd, 32);
if (ret < 0)
goto out;
usleep_range(500, 2000); /* Wait for at least 500us */
[PATCH 3.16 022/204] powerpc/sysrq: Fix oops whem ppmu is not registered
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Ravi Bangoria
commit 4917fcb58cc73f6b81455e3c5f960144809ddf1a upstream.
Kernel crashes if power pmu is not registered and user tries to dump
regs with 'echo p > /proc/sysrq-trigger'. Sample log:
Unable to handle kernel paging request for data at address 0x0008
Faulting instruction address: 0xc00d52f0
NIP [c00d52f0] perf_event_print_debug+0x10/0x230
LR [c058a938] sysrq_handle_showregs+0x38/0x50
Call Trace:
printk+0x38/0x4c (unreliable)
__handle_sysrq+0xe4/0x270
write_sysrq_trigger+0x64/0x80
proc_reg_write+0x80/0xd0
__vfs_write+0x40/0x200
vfs_write+0xc8/0x240
SyS_write+0x60/0x110
system_call+0x58/0x6c
Fixes: 5f6d0380c640 ("powerpc/perf: Define perf_event_print_debug() to print
PMU register values")
Signed-off-by: Ravi Bangoria
Reviewed-by: Kamalesh Babulal
Signed-off-by: Michael Ellerman
Signed-off-by: Ben Hutchings
---
arch/powerpc/perf/core-book3s.c | 5 +
1 file changed, 5 insertions(+)
--- a/arch/powerpc/perf/core-book3s.c
+++ b/arch/powerpc/perf/core-book3s.c
@@ -755,6 +755,11 @@ void perf_event_print_debug(void)
u32 pmcs[MAX_HWEVENTS];
int i;
+ if (!ppmu) {
+ pr_info("Performance monitor hardware not registered.\n");
+ return;
+ }
+
if (!ppmu->n_counter)
return;
[PATCH 3.16 090/204] mm/memory_hotplug: define find_{smallest|biggest}_section_pfn as unsigned long
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: YASUAKI ISHIMATSU
commit d09b0137d204bebeaafed672bc5a244e9ac92edb upstream.
find_{smallest|biggest}_section_pfn()s find the smallest/biggest section
and return the pfn of the section. But the functions are defined as int.
So the functions always return 0x - 0x. It means if
memory address is over 16TB, the functions does not work correctly.
To handle 64 bit value, the patch defines
find_{smallest|biggest}_section_pfn() as unsigned long.
Fixes: 815121d2b5cd ("memory_hotplug: clear zone when removing the memory")
Link: http://lkml.kernel.org/r/d9d5593a-d0a4-c4be-ab08-493df59a8...@gmail.com
Signed-off-by: Yasuaki Ishimatsu
Acked-by: Michal Hocko
Cc: Xishi Qiu
Cc: Reza Arbab
Cc: Vlastimil Babka
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
Signed-off-by: Ben Hutchings
---
mm/memory_hotplug.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/mm/memory_hotplug.c
+++ b/mm/memory_hotplug.c
@@ -520,7 +520,7 @@ EXPORT_SYMBOL_GPL(__add_pages);
#ifdef CONFIG_MEMORY_HOTREMOVE
/* find the smallest valid pfn in the range [start_pfn, end_pfn) */
-static int find_smallest_section_pfn(int nid, struct zone *zone,
+static unsigned long find_smallest_section_pfn(int nid, struct zone *zone,
unsigned long start_pfn,
unsigned long end_pfn)
{
@@ -545,7 +545,7 @@ static int find_smallest_section_pfn(int
}
/* find the biggest valid pfn in the range [start_pfn, end_pfn). */
-static int find_biggest_section_pfn(int nid, struct zone *zone,
+static unsigned long find_biggest_section_pfn(int nid, struct zone *zone,
unsigned long start_pfn,
unsigned long end_pfn)
{
[PATCH 3.16 024/204] crypto: talitos - fix sha224
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: LEROY Christophe
commit afd62fa26343be6445479e75de9f07092a061459 upstream.
Kernel crypto tests report the following error at startup
[2.752626] alg: hash: Test 4 failed for sha224-talitos
[2.757907] : 30 e2 86 e2 e7 8a dd 0d d7 eb 9f d5 83 fe f1 b0
0010: 2d 5a 6c a5 f9 55 ea fd 0e 72 05 22
This patch fixes it
Signed-off-by: Christophe Leroy
Signed-off-by: Herbert Xu
Signed-off-by: Ben Hutchings
---
drivers/crypto/talitos.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/crypto/talitos.c
+++ b/drivers/crypto/talitos.c
@@ -1581,9 +1581,9 @@ static int common_nonsnoop_hash(struct t
req_ctx->swinit = 0;
} else {
desc->ptr[1] = zero_entry;
- /* Indicate next op is not the first. */
- req_ctx->first = 0;
}
+ /* Indicate next op is not the first. */
+ req_ctx->first = 0;
/* HMAC key */
if (ctx->keylen)
[PATCH 3.16 091/204] Smack: remove unneeded NULL-termination from securtity label
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Konstantin Khlebnikov
commit da1b63566c469bf3e2b24182114422e16b1aa34c upstream.
Values of extended attributes are stored as binary blobs. NULL-termination
of them isn't required. It just wastes disk space and confuses command-line
tools like getfattr because they have to print that zero byte at the end.
This patch removes terminating zero byte from initial security label in
smack_inode_init_security and cuts it out in function smack_inode_getsecurity
which is used by syscall getxattr. This change seems completely safe, because
function smk_parse_smack ignores everything after first zero byte.
Signed-off-by: Konstantin Khlebnikov
Signed-off-by: Ben Hutchings
---
security/smack/smack_lsm.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -674,7 +674,7 @@ static int smack_inode_init_security(str
}
if (len)
- *len = strlen(isp) + 1;
+ *len = strlen(isp);
return 0;
}
@@ -1078,7 +1078,7 @@ static int smack_inode_getsecurity(const
if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) {
isp = smk_of_inode(inode);
- ilen = strlen(isp) + 1;
+ ilen = strlen(isp);
*buffer = isp;
return ilen;
}
@@ -1103,7 +1103,7 @@ static int smack_inode_getsecurity(const
else
return -EOPNOTSUPP;
- ilen = strlen(isp) + 1;
+ ilen = strlen(isp);
if (rc == 0) {
*buffer = isp;
rc = ilen;
[PATCH 3.16 098/204] crypto: shash - Fix zero-length shash ahash digest crash
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Herbert Xu
commit b61907bb42409adf9b3120f741af7c57dd7e3db2 upstream.
The shash ahash digest adaptor function may crash if given a
zero-length input together with a null SG list. This is because
it tries to read the SG list before looking at the length.
This patch fixes it by checking the length first.
Reported-by: Stephan Müller
Signed-off-by: Herbert Xu
Tested-by: Stephan Müller
Signed-off-by: Ben Hutchings
---
crypto/shash.c | 8 +---
1 file changed, 5 insertions(+), 3 deletions(-)
--- a/crypto/shash.c
+++ b/crypto/shash.c
@@ -274,12 +274,14 @@ static int shash_async_finup(struct ahas
int shash_ahash_digest(struct ahash_request *req, struct shash_desc *desc)
{
- struct scatterlist *sg = req->src;
- unsigned int offset = sg->offset;
unsigned int nbytes = req->nbytes;
+ struct scatterlist *sg;
+ unsigned int offset;
int err;
- if (nbytes < min(sg->length, ((unsigned int)(PAGE_SIZE)) - offset)) {
+ if (nbytes &&
+ (sg = req->src, offset = sg->offset,
+nbytes < min(sg->length, ((unsigned int)(PAGE_SIZE)) - offset))) {
void *data;
data = kmap_atomic(sg_page(sg));
[PATCH 3.16 033/204] Input: uinput - avoid crash when sending FF request to device going away
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Dmitry Torokhov
commit 6b4877c7bdc6ae39ce03716df7caeecf204697eb upstream.
If FF request comes in while uinput device is going away,
uinput_request_send() will fail with -ENODEV, and uinput_request_submit()
will attempt to mark the slot as unused by calling uinput_request_done().
Unfortunately in this case we haven't initialized request->done completion
yet, and we get a crash:
[ 39.402036] BUG: spinlock bad magic on CPU#1, fftest/3108
[ 39.402046] lock: 0x88006a93bb00, .magic: , .owner: /39,
.owner_cpu: 1217155072
[ 39.402055] CPU: 1 PID: 3108 Comm: fftest Tainted: GW 4.13.0+ #15
[ 39.402059] Hardware name: LENOVO 20HQS0EG02/20HQS0EG02, BIOS N1MET37W (1.22
) 07/04/2017
[ 39.402064] 0086 f0fad82f3ceaa120 88006a93b9a0
9de941bb
[ 39.402077] 88026df8ae00 88006a93bb00 88006a93b9c0
9dca62b7
[ 39.402088] 88006a93bb00 88006a93baf8 88006a93b9e0
9dca62e7
[ 39.402099] Call Trace:
[ 39.402112] [] dump_stack+0x4d/0x63
[ 39.402123] [] spin_dump+0x97/0x9c
[ 39.402130] [] spin_bug+0x2b/0x2d
[ 39.402138] [] do_raw_spin_lock+0x28/0xfd
[ 39.402147] [] _raw_spin_lock_irqsave+0x19/0x1f
[ 39.402154] [] complete+0x1d/0x48
[ 39.402162] [] 0xc04f30af
[ 39.402167] [] 0xc04f468c
[ 39.402177] [] ? __slab_free+0x22f/0x359
[ 39.402184] [] ? tk_clock_read+0xc/0xe
[ 39.402189] [] 0xc04f471f
[ 39.402195] [] ? __wake_up+0x44/0x4b
[ 39.402200] [] ? 0xc04f3240
[ 39.402207] [] erase_effect+0xa1/0xd2
[ 39.402214] [] input_ff_flush+0x43/0x5c
[ 39.402219] [] 0xc04f32ad
[ 39.402227] [] input_flush_device+0x3d/0x51
[ 39.402234] [] evdev_flush+0x49/0x5c
[ 39.402243] [] filp_close+0x3f/0x65
[ 39.402253] [] put_files_struct+0x66/0xc1
[ 39.402261] [] exit_files+0x47/0x4e
[ 39.402270] [] do_exit+0x483/0x969
[ 39.402278] [] ? recalc_sigpending_tsk+0x3d/0x44
[ 39.402285] [] do_group_exit+0x42/0xb0
[ 39.402293] [] get_signal+0x58d/0x5bf
[ 39.402300] [] do_signal+0x37/0x53e
[ 39.402307] [] ? evdev_ioctl_handler+0xac8/0xb04
[ 39.402314] [] ? evdev_ioctl+0x10/0x12
[ 39.402321] [] ? do_vfs_ioctl+0x42e/0x501
[ 39.402328] [] prepare_exit_to_usermode+0x66/0x90
[ 39.402333] [] syscall_return_slowpath+0xe3/0xec
[ 39.402339] [] int_ret_from_sys_call+0x25/0x8f
While we could solve this by simply initializing the completion earlier, we
are better off rearranging the code a bit so we avoid calling complete() on
requests that we did not send out. This patch consolidates marking request
slots as free in one place (in uinput_request_submit(), the same place
where we acquire them) and having everyone else simply signal completion
of the requests.
Fixes: 00ce756ce53a ("Input: uinput - mark failed submission requests as free")
Signed-off-by: Dmitry Torokhov
Signed-off-by: Ben Hutchings
---
drivers/input/misc/uinput.c | 39 +--
1 file changed, 21 insertions(+), 18 deletions(-)
--- a/drivers/input/misc/uinput.c
+++ b/drivers/input/misc/uinput.c
@@ -98,14 +98,15 @@ static int uinput_request_reserve_slot(s
uinput_request_alloc_id(udev, request));
}
-static void uinput_request_done(struct uinput_device *udev,
- struct uinput_request *request)
+static void uinput_request_release_slot(struct uinput_device *udev,
+ unsigned int id)
{
/* Mark slot as available */
- udev->requests[request->id] = NULL;
- wake_up(&udev->requests_waitq);
+ spin_lock(&udev->requests_lock);
+ udev->requests[id] = NULL;
+ spin_unlock(&udev->requests_lock);
- complete(&request->done);
+ wake_up(&udev->requests_waitq);
}
static int uinput_request_send(struct uinput_device *udev,
@@ -138,20 +139,22 @@ static int uinput_request_send(struct ui
static int uinput_request_submit(struct uinput_device *udev,
struct uinput_request *request)
{
- int error;
+ int retval;
- error = uinput_request_reserve_slot(udev, request);
- if (error)
- return error;
+ retval = uinput_request_reserve_slot(udev, request);
+ if (retval)
+ return retval;
- error = uinput_request_send(udev, request);
- if (error) {
- uinput_request_done(udev, request);
- return error;
- }
+ retval = uinput_request_send(udev, request);
+ if (retval)
+ goto out;
wait_for_completion(&request->done);
- return request->retval;
+ retval = request->retval;
+
+ out:
+ uinput_request_release_slot(udev, request->id);
+ return retval;
}
/*
@@ -169,7 +172,7 @@ static void uinput_flush_requests(struct
[PATCH 3.16 067/204] USB: gadgetfs, dummy-hcd, net2280: fix locking for callbacks
3.16.52-rc1 review patch. If anyone has any objections, please let me know. -- From: Alan Stern commit f16443a034c7aa359ddf6f0f9bc40d01ca31faea upstream. Using the syzkaller kernel fuzzer, Andrey Konovalov generated the following error in gadgetfs: > BUG: KASAN: use-after-free in __lock_acquire+0x3069/0x3690 > kernel/locking/lockdep.c:3246 > Read of size 8 at addr 88003a2bdaf8 by task kworker/3:1/903 > > CPU: 3 PID: 903 Comm: kworker/3:1 Not tainted 4.12.0-rc4+ #35 > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 > Workqueue: usb_hub_wq hub_event > Call Trace: > __dump_stack lib/dump_stack.c:16 [inline] > dump_stack+0x292/0x395 lib/dump_stack.c:52 > print_address_description+0x78/0x280 mm/kasan/report.c:252 > kasan_report_error mm/kasan/report.c:351 [inline] > kasan_report+0x230/0x340 mm/kasan/report.c:408 > __asan_report_load8_noabort+0x19/0x20 mm/kasan/report.c:429 > __lock_acquire+0x3069/0x3690 kernel/locking/lockdep.c:3246 > lock_acquire+0x22d/0x560 kernel/locking/lockdep.c:3855 > __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] > _raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:151 > spin_lock include/linux/spinlock.h:299 [inline] > gadgetfs_suspend+0x89/0x130 drivers/usb/gadget/legacy/inode.c:1682 > set_link_state+0x88e/0xae0 drivers/usb/gadget/udc/dummy_hcd.c:455 > dummy_hub_control+0xd7e/0x1fb0 drivers/usb/gadget/udc/dummy_hcd.c:2074 > rh_call_control drivers/usb/core/hcd.c:689 [inline] > rh_urb_enqueue drivers/usb/core/hcd.c:846 [inline] > usb_hcd_submit_urb+0x92f/0x20b0 drivers/usb/core/hcd.c:1650 > usb_submit_urb+0x8b2/0x12c0 drivers/usb/core/urb.c:542 > usb_start_wait_urb+0x148/0x5b0 drivers/usb/core/message.c:56 > usb_internal_control_msg drivers/usb/core/message.c:100 [inline] > usb_control_msg+0x341/0x4d0 drivers/usb/core/message.c:151 > usb_clear_port_feature+0x74/0xa0 drivers/usb/core/hub.c:412 > hub_port_disable+0x123/0x510 drivers/usb/core/hub.c:4177 > hub_port_init+0x1ed/0x2940 drivers/usb/core/hub.c:4648 > hub_port_connect drivers/usb/core/hub.c:4826 [inline] > hub_port_connect_change drivers/usb/core/hub.c:4999 [inline] > port_event drivers/usb/core/hub.c:5105 [inline] > hub_event+0x1ae1/0x3d40 drivers/usb/core/hub.c:5185 > process_one_work+0xc08/0x1bd0 kernel/workqueue.c:2097 > process_scheduled_works kernel/workqueue.c:2157 [inline] > worker_thread+0xb2b/0x1860 kernel/workqueue.c:2233 > kthread+0x363/0x440 kernel/kthread.c:231 > ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:424 > > Allocated by task 9958: > save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59 > save_stack+0x43/0xd0 mm/kasan/kasan.c:513 > set_track mm/kasan/kasan.c:525 [inline] > kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:617 > kmem_cache_alloc_trace+0x87/0x280 mm/slub.c:2745 > kmalloc include/linux/slab.h:492 [inline] > kzalloc include/linux/slab.h:665 [inline] > dev_new drivers/usb/gadget/legacy/inode.c:170 [inline] > gadgetfs_fill_super+0x24f/0x540 drivers/usb/gadget/legacy/inode.c:1993 > mount_single+0xf6/0x160 fs/super.c:1192 > gadgetfs_mount+0x31/0x40 drivers/usb/gadget/legacy/inode.c:2019 > mount_fs+0x9c/0x2d0 fs/super.c:1223 > vfs_kern_mount.part.25+0xcb/0x490 fs/namespace.c:976 > vfs_kern_mount fs/namespace.c:2509 [inline] > do_new_mount fs/namespace.c:2512 [inline] > do_mount+0x41b/0x2d90 fs/namespace.c:2834 > SYSC_mount fs/namespace.c:3050 [inline] > SyS_mount+0xb0/0x120 fs/namespace.c:3027 > entry_SYSCALL_64_fastpath+0x1f/0xbe > > Freed by task 9960: > save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59 > save_stack+0x43/0xd0 mm/kasan/kasan.c:513 > set_track mm/kasan/kasan.c:525 [inline] > kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:590 > slab_free_hook mm/slub.c:1357 [inline] > slab_free_freelist_hook mm/slub.c:1379 [inline] > slab_free mm/slub.c:2961 [inline] > kfree+0xed/0x2b0 mm/slub.c:3882 > put_dev+0x124/0x160 drivers/usb/gadget/legacy/inode.c:163 > gadgetfs_kill_sb+0x33/0x60 drivers/usb/gadget/legacy/inode.c:2027 > deactivate_locked_super+0x8d/0xd0 fs/super.c:309 > deactivate_super+0x21e/0x310 fs/super.c:340 > cleanup_mnt+0xb7/0x150 fs/namespace.c:1112 > __cleanup_mnt+0x1b/0x20 fs/namespace.c:1119 > task_work_run+0x1a0/0x280 kernel/task_work.c:116 > exit_task_work include/linux/task_work.h:21 [inline] > do_exit+0x18a8/0x2820 kernel/exit.c:878 > do_group_exit+0x14e/0x420 kernel/exit.c:982 > get_signal+0x784/0x1780 kernel/signal.c:2318 > do_signal+0xd7/0x2130 arch/x86/kernel/signal.c:808 > exit_to_usermode_loop+0x1ac/0x240 arch/x86/entry/common.c:157 > prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline] > syscall_return_slowpath+0x3ba/0x410 arch/x86/entry/common.c:263 > entry_SYSCALL_64_fastpath+0xbc/0xbe > > The buggy address belongs to the object at 88003a2bdae0 > which belongs to the cache kmalloc-1024 of size 1024 > The buggy address is located 24 bytes inside of > 1024-byte region [88003a2bdae0, 88003a2bdee0) > T
[PATCH 3.16 055/204] PCI: Fix race condition with driver_override
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Nicolai Stange
commit 9561475db680f7144d2223a409dd3d7e322aca03 upstream.
The driver_override implementation is susceptible to a race condition when
different threads are reading vs. storing a different driver override. Add
locking to avoid the race condition.
This is in close analogy to commit 6265539776a0 ("driver core: platform:
fix race condition with driver_override") from Adrian Salido.
Fixes: 782a985d7af2 ("PCI: Introduce new device binding path using
pci_dev.driver_override")
Signed-off-by: Nicolai Stange
Signed-off-by: Bjorn Helgaas
Signed-off-by: Ben Hutchings
---
drivers/pci/pci-sysfs.c | 11 +--
1 file changed, 9 insertions(+), 2 deletions(-)
--- a/drivers/pci/pci-sysfs.c
+++ b/drivers/pci/pci-sysfs.c
@@ -514,7 +514,7 @@ static ssize_t driver_override_store(str
const char *buf, size_t count)
{
struct pci_dev *pdev = to_pci_dev(dev);
- char *driver_override, *old = pdev->driver_override, *cp;
+ char *driver_override, *old, *cp;
/* We need to keep extra room for a newline */
if (count >= (PAGE_SIZE - 1))
@@ -528,12 +528,15 @@ static ssize_t driver_override_store(str
if (cp)
*cp = '\0';
+ device_lock(dev);
+ old = pdev->driver_override;
if (strlen(driver_override)) {
pdev->driver_override = driver_override;
} else {
kfree(driver_override);
pdev->driver_override = NULL;
}
+ device_unlock(dev);
kfree(old);
@@ -544,8 +547,12 @@ static ssize_t driver_override_show(stru
struct device_attribute *attr, char *buf)
{
struct pci_dev *pdev = to_pci_dev(dev);
+ ssize_t len;
- return snprintf(buf, PAGE_SIZE, "%s\n", pdev->driver_override);
+ device_lock(dev);
+ len = snprintf(buf, PAGE_SIZE, "%s\n", pdev->driver_override);
+ device_unlock(dev);
+ return len;
}
static DEVICE_ATTR_RW(driver_override);
[PATCH 3.16 021/204] tcp: fastopen: fix on syn-data transmit failure
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Eric Dumazet
commit b5b7db8d680464b1d631fd016f5e093419f0bfd9 upstream.
Our recent change exposed a bug in TCP Fastopen Client that syzkaller
found right away [1]
When we prepare skb with SYN+DATA, we attempt to transmit it,
and we update socket state as if the transmit was a success.
In socket RTX queue we have two skbs, one with the SYN alone,
and a second one containing the DATA.
When (malicious) ACK comes in, we now complain that second one had no
skb_mstamp.
The proper fix is to make sure that if the transmit failed, we do not
pretend we sent the DATA skb, and make it our send_head.
When 3WHS completes, we can now send the DATA right away, without having
to wait for a timeout.
[1]
WARNING: CPU: 0 PID: 100189 at net/ipv4/tcp_input.c:3117
tcp_clean_rtx_queue+0x2057/0x2ab0 net/ipv4/tcp_input.c:3117()
WARN_ON_ONCE(last_ackt == 0);
Modules linked in:
CPU: 0 PID: 100189 Comm: syz-executor1 Not tainted
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google
01/01/2011
8800b35cb1d8 81cad00d
828a4347 88009f86c080 8316eb20 0d7f
8800b35cb220 812c33c2 8800baad2440 0009d46575c0
Call Trace:
[] __dump_stack
[] dump_stack+0xc1/0x124
[] warn_slowpath_common+0xe2/0x150
[] warn_slowpath_null+0x2e/0x40
[] tcp_clean_rtx_queue+0x2057/0x2ab0 n
[] tcp_ack+0x151d/0x3930
[] tcp_rcv_state_process+0x1c69/0x4fd0
[] tcp_v4_do_rcv+0x54f/0x7c0
[] sk_backlog_rcv
[] __release_sock+0x12b/0x3a0
[] release_sock+0x5e/0x1c0
[] inet_wait_for_connect
[] __inet_stream_connect+0x545/0xc50
[] tcp_sendmsg_fastopen
[] tcp_sendmsg+0x2298/0x35a0
[] inet_sendmsg+0xe5/0x520
[] sock_sendmsg_nosec
[] sock_sendmsg+0xcf/0x110
Fixes: 8c72c65b426b ("tcp: update skb->skb_mstamp more carefully")
Fixes: 783237e8daf1 ("net-tcp: Fast Open client - sending SYN-data")
Signed-off-by: Eric Dumazet
Reported-by: Dmitry Vyukov
Cc: Neal Cardwell
Cc: Yuchung Cheng
Acked-by: Yuchung Cheng
Signed-off-by: David S. Miller
Signed-off-by: Ben Hutchings
---
net/ipv4/tcp_output.c | 9 +
1 file changed, 9 insertions(+)
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -3058,6 +3058,10 @@ static int tcp_send_syn_data(struct sock
goto done;
}
+ /* data was not sent, this is our new send_head */
+ sk->sk_send_head = syn_data;
+ tp->packets_out -= tcp_skb_pcount(syn_data);
+
fallback:
/* Send a regular SYN with Fast Open cookie request option */
if (fo->cookie.len > 0)
@@ -3104,6 +3108,11 @@ int tcp_connect(struct sock *sk)
*/
tp->snd_nxt = tp->write_seq;
tp->pushed_seq = tp->write_seq;
+ buff = tcp_send_head(sk);
+ if (unlikely(buff)) {
+ tp->snd_nxt = TCP_SKB_CB(buff)->seq;
+ tp->pushed_seq = TCP_SKB_CB(buff)->seq;
+ }
TCP_INC_STATS(sock_net(sk), TCP_MIB_ACTIVEOPENS);
/* Timer for repeating the SYN until an answer. */
[PATCH 3.16 104/204] ALSA: caiaq: Fix stray URB at probe error path
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Takashi Iwai
commit 99fee508245825765ff60155fed43f970ff83a8f upstream.
caiaq driver doesn't kill the URB properly at its error path during
the probe, which may lead to a use-after-free error later. This patch
addresses it.
Reported-by: Johan Hovold
Reviewed-by: Johan Hovold
Signed-off-by: Takashi Iwai
Signed-off-by: Ben Hutchings
---
sound/usb/caiaq/device.c | 12 +---
1 file changed, 9 insertions(+), 3 deletions(-)
--- a/sound/usb/caiaq/device.c
+++ b/sound/usb/caiaq/device.c
@@ -469,10 +469,12 @@ static int init_card(struct snd_usb_caia
err = snd_usb_caiaq_send_command(cdev, EP1_CMD_GET_DEVICE_INFO, NULL,
0);
if (err)
- return err;
+ goto err_kill_urb;
- if (!wait_event_timeout(cdev->ep1_wait_queue, cdev->spec_received, HZ))
- return -ENODEV;
+ if (!wait_event_timeout(cdev->ep1_wait_queue, cdev->spec_received, HZ))
{
+ err = -ENODEV;
+ goto err_kill_urb;
+ }
usb_string(usb_dev, usb_dev->descriptor.iManufacturer,
cdev->vendor_name, CAIAQ_USB_STR_LEN);
@@ -507,6 +509,10 @@ static int init_card(struct snd_usb_caia
setup_card(cdev);
return 0;
+
+ err_kill_urb:
+ usb_kill_urb(&cdev->ep1_in_urb);
+ return err;
}
static int snd_probe(struct usb_interface *intf,
[PATCH 3.16 186/204] Bluetooth: bnep: bnep_add_connection() should verify that it's dealing with l2cap socket
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Al Viro
commit 71bb99a02b32b4cc4265118e85f6035ca72923f0 upstream.
same story as cmtp
Signed-off-by: Al Viro
Signed-off-by: Marcel Holtmann
Signed-off-by: Ben Hutchings
---
net/bluetooth/bnep/core.c | 3 +++
1 file changed, 3 insertions(+)
--- a/net/bluetooth/bnep/core.c
+++ b/net/bluetooth/bnep/core.c
@@ -533,6 +533,9 @@ int bnep_add_connection(struct bnep_conn
BT_DBG("");
+ if (!l2cap_is_socket(sock))
+ return -EBADFD;
+
baswap((void *) dst, &l2cap_pi(sock->sk)->chan->dst);
baswap((void *) src, &l2cap_pi(sock->sk)->chan->src);
[PATCH 3.16 053/204] IB/mlx5: Simplify mlx5_ib_cont_pages
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Ilya Lesokhin
commit d67bc5d4e3e100d762c0f57ea67f28bc219698a6 upstream.
The patch simplifies mlx5_ib_cont_pages and fixes the following
issues in the original implementation:
First issues is related to alignment of the PFNs. After the check
base + p != PFN, the alignment of the PFN wasn't checked. So the PFN
sequence 0, 1, 1, 2 would result in a page_shift of 13 even though
the 3rd PFN is not 8KB aligned.
This wasn't actually a bug because it was supported by all the
existing mlx5 compatible device, but we don't want to require
this support in all future devices.
Another issue is because the inner loop didn't advance PFN so
the test "if (base + p != pfn)" always failed for SGE with
len > (1<
Reviewed-by: Eli Cohen
Signed-off-by: Leon Romanovsky
Signed-off-by: Doug Ledford
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings
---
drivers/infiniband/hw/mlx5/mem.c | 47 +++-
1 file changed, 17 insertions(+), 30 deletions(-)
--- a/drivers/infiniband/hw/mlx5/mem.c
+++ b/drivers/infiniband/hw/mlx5/mem.c
@@ -46,46 +46,33 @@ void mlx5_ib_cont_pages(struct ib_umem *
{
unsigned long tmp;
unsigned long m;
- int i, k;
- u64 base = 0;
- int p = 0;
- int skip;
- int mask;
- u64 len;
- u64 pfn;
+ u64 base = ~0, p = 0;
+ u64 len, pfn;
+ int i = 0;
struct scatterlist *sg;
int entry;
addr = addr >> PAGE_SHIFT;
tmp = (unsigned long)addr;
m = find_first_bit(&tmp, BITS_PER_LONG);
- skip = 1 << m;
- mask = skip - 1;
- i = 0;
+
for_each_sg(umem->sg_head.sgl, sg, umem->nmap, entry) {
len = sg_dma_len(sg) >> PAGE_SHIFT;
pfn = sg_dma_address(sg) >> PAGE_SHIFT;
- for (k = 0; k < len; k++) {
- if (!(i & mask)) {
- tmp = (unsigned long)pfn;
- m = min_t(unsigned long, m,
find_first_bit(&tmp, BITS_PER_LONG));
- skip = 1 << m;
- mask = skip - 1;
- base = pfn;
- p = 0;
- } else {
- if (base + p != pfn) {
- tmp = (unsigned long)p;
- m = find_first_bit(&tmp, BITS_PER_LONG);
- skip = 1 << m;
- mask = skip - 1;
- base = pfn;
- p = 0;
- }
- }
- p++;
- i++;
+ if (base + p != pfn) {
+ /* If either the offset or the new
+* base are unaligned update m
+*/
+ tmp = (unsigned long)(pfn | p);
+ if (!IS_ALIGNED(tmp, 1 << m))
+ m = find_first_bit(&tmp, BITS_PER_LONG);
+
+ base = pfn;
+ p = 0;
}
+
+ p += len;
+ i += len;
}
if (i) {
Re: [PATCH 2/4] PCI/DPC/AER: Address Concurrency between AER and DPC
Hi Oza, Thank you for the patch! Yet something to improve: [auto build test ERROR on linus/master] [also build test ERROR on v4.15-rc5] [cannot apply to pci/next pm/linux-next next-20171222] [if your patch is applied to the wrong git tree, please drop us a note to help improve the system] url: https://github.com/0day-ci/linux/commits/Oza-Pawandeep/Address-error-and-recovery-for-AER-and-DPC/20171228-222058 config: arm64-defconfig (attached as .config) compiler: aarch64-linux-gnu-gcc (Debian 7.2.0-11) 7.2.0 reproduce: wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross chmod +x ~/bin/make.cross # save the attached .config to linux build tree make.cross ARCH=arm64 All errors (new ones prefixed by >>): drivers/pci/pcie/pcie-err.o: In function `pci_reset_link': >> pcie-err.c:(.text+0x3f8): undefined reference to `pci_find_dpc_service' pcie-err.c:(.text+0x3f8): relocation truncated to fit: R_AARCH64_CALL26 against undefined symbol `pci_find_dpc_service' --- 0-DAY kernel test infrastructureOpen Source Technology Center https://lists.01.org/pipermail/kbuild-all Intel Corporation .config.gz Description: application/gzip
[PATCH 3.16 030/204] powerpc/pseries: Fix parent_dn reference leak in add_dt_node()
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Tyrel Datwyler
commit b537ca6fede69a281dc524983e5e633d79a10a08 upstream.
A reference to the parent device node is held by add_dt_node() for the
node to be added. If the call to dlpar_configure_connector() fails
add_dt_node() returns ENOENT and that reference is not freed.
Add a call to of_node_put(parent_dn) prior to bailing out after a
failed dlpar_configure_connector() call.
Fixes: 8d5ff320766f ("powerpc/pseries: Make dlpar_configure_connector parent
node aware")
Signed-off-by: Tyrel Datwyler
Signed-off-by: Michael Ellerman
Signed-off-by: Ben Hutchings
---
arch/powerpc/platforms/pseries/mobility.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/arch/powerpc/platforms/pseries/mobility.c
+++ b/arch/powerpc/platforms/pseries/mobility.c
@@ -224,8 +224,10 @@ static int add_dt_node(__be32 parent_pha
return -ENOENT;
dn = dlpar_configure_connector(drc_index, parent_dn);
- if (!dn)
+ if (!dn) {
+ of_node_put(parent_dn);
return -ENOENT;
+ }
rc = dlpar_attach_node(dn);
if (rc)
[PATCH 3.16 052/204] IB/mlx5: Fix the size parameter to find_first_bit
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Christophe Jaillet
commit fffd68734dc685e208e86d8c5f6522cd695a8d60 upstream.
The 2nd parameter of 'find_first_bit' is the number of bits to search.
In this case, we are passing 'sizeof(tmp)' which is likely to be 4 or 8
because 'tmp' is an 'unsigned long'.
It is likely that the number of bits of 'tmp' was expected here. So use
BITS_PER_LONG instead.
It has been spotted by the following coccinelle script:
@@
expression ret, x;
@@
* ret = \(find_first_bit \| find_first_zero_bit\) (x, sizeof(...));
Signed-off-by: Christophe JAILLET
Acked-by: Majd Dibbiny
Acked-by: Leon Romanovsky
Signed-off-by: Doug Ledford
Signed-off-by: Ben Hutchings
---
drivers/infiniband/hw/mlx5/mem.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/infiniband/hw/mlx5/mem.c
+++ b/drivers/infiniband/hw/mlx5/mem.c
@@ -58,7 +58,7 @@ void mlx5_ib_cont_pages(struct ib_umem *
addr = addr >> PAGE_SHIFT;
tmp = (unsigned long)addr;
- m = find_first_bit(&tmp, sizeof(tmp));
+ m = find_first_bit(&tmp, BITS_PER_LONG);
skip = 1 << m;
mask = skip - 1;
i = 0;
@@ -68,7 +68,7 @@ void mlx5_ib_cont_pages(struct ib_umem *
for (k = 0; k < len; k++) {
if (!(i & mask)) {
tmp = (unsigned long)pfn;
- m = min_t(unsigned long, m,
find_first_bit(&tmp, sizeof(tmp)));
+ m = min_t(unsigned long, m,
find_first_bit(&tmp, BITS_PER_LONG));
skip = 1 << m;
mask = skip - 1;
base = pfn;
@@ -76,7 +76,7 @@ void mlx5_ib_cont_pages(struct ib_umem *
} else {
if (base + p != pfn) {
tmp = (unsigned long)p;
- m = find_first_bit(&tmp, sizeof(tmp));
+ m = find_first_bit(&tmp, BITS_PER_LONG);
skip = 1 << m;
mask = skip - 1;
base = pfn;
[PATCH 3.16 126/204] Input: ti_am335x_tsc - fix incorrect step config for 5 wire touchscreen
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Jeff Lance
commit cf5dd48907bebaefdb43a8ca079be77e8da2cb20 upstream.
Step config setting for 5 wire touchscreen is incorrect for Y coordinates.
It was broken while we moved to DT. If you look close at the offending
commit bb76dc09ddfc ("input: ti_am33x_tsc: Order of TSC wires, made
configurable"), the change was:
- STEPCONFIG_XNP | STEPCONFIG_YPN;
+ ts_dev->bit_xn | ts_dev->bit_yp;
while bit_xn = STEPCONFIG_XNN and bit_yp = STEPCONFIG_YNN. Not quite the
same.
Fixes: bb76dc09ddfc ("input: ti_am33x_tsc: Order of TSC wires, made
configurable")
Signed-off-by: Jeff Lance
[vigne...@ti.com: Rebase to v4.14-rc1]
Signed-off-by: Vignesh R
Reviewed-by: Michael Nazzareno Trimarchi
Signed-off-by: Dmitry Torokhov
Signed-off-by: Ben Hutchings
---
drivers/input/touchscreen/ti_am335x_tsc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/input/touchscreen/ti_am335x_tsc.c
+++ b/drivers/input/touchscreen/ti_am335x_tsc.c
@@ -157,7 +157,7 @@ static void titsc_step_config(struct tit
break;
case 5:
config |= ts_dev->bit_xp | STEPCONFIG_INP_AN4 |
- ts_dev->bit_xn | ts_dev->bit_yp;
+ STEPCONFIG_XNP | STEPCONFIG_YPN;
break;
case 8:
config |= ts_dev->bit_yp | STEPCONFIG_INP(ts_dev->inp_xp);
[PATCH 3.16 036/204] USB: gadgetfs: fix copy_to_user while holding spinlock
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Alan Stern
commit 6e76c01e71551cb221c1f3deacb9dcd9a7346784 upstream.
The gadgetfs driver as a long-outstanding FIXME, regarding a call of
copy_to_user() made while holding a spinlock. This patch fixes the
issue by dropping the spinlock and using the dev->udc_usage mechanism
introduced by another recent patch to guard against status changes
while the lock isn't held.
Signed-off-by: Alan Stern
Reported-by: Andrey Konovalov
Acked-by: Felipe Balbi
Signed-off-by: Greg Kroah-Hartman
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings
---
drivers/usb/gadget/inode.c | 5 -
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/usb/gadget/inode.c
+++ b/drivers/usb/gadget/inode.c
@@ -1055,11 +1055,14 @@ ep0_read (struct file *fd, char __user *
retval = -EIO;
else {
len = min (len, (size_t)dev->req->actual);
-// FIXME don't call this with the spinlock held ...
+ ++dev->udc_usage;
+ spin_unlock_irq(&dev->lock);
if (copy_to_user (buf, dev->req->buf, len))
retval = -EFAULT;
else
retval = len;
+ spin_lock_irq(&dev->lock);
+ --dev->udc_usage;
clean_req (dev->gadget->ep0, dev->req);
/* NOTE userspace can't yet choose to stall */
}
[PATCH 3.16 028/204] cifs: release auth_key.response for reconnect.
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Shu Wang
commit f5c4ba816315d3b813af16f5571f86c8d4e897bd upstream.
There is a race that cause cifs reconnect in cifs_mount,
- cifs_mount
- cifs_get_tcp_session
- [ start thread cifs_demultiplex_thread
- cifs_read_from_socket: -ECONNABORTED
- DELAY_WORK smb2_reconnect_server ]
- cifs_setup_session
- [ smb2_reconnect_server ]
auth_key.response was allocated in cifs_setup_session, and
will release when the session destoried. So when session re-
connect, auth_key.response should be check and released.
Tested with my system:
CIFS VFS: Free previous auth_key.response = 8800320bbf80
A simple auth_key.response allocation call trace:
- cifs_setup_session
- SMB2_sess_setup
- SMB2_sess_auth_rawntlmssp_authenticate
- build_ntlmssp_auth_blob
- setup_ntlmv2_rsp
Signed-off-by: Shu Wang
Signed-off-by: Steve French
Reviewed-by: Ronnie Sahlberg
Signed-off-by: Ben Hutchings
---
fs/cifs/connect.c | 8
1 file changed, 8 insertions(+)
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -3956,6 +3956,14 @@ cifs_setup_session(const unsigned int xi
cifs_dbg(FYI, "Security Mode: 0x%x Capabilities: 0x%x TimeAdjust: %d\n",
server->sec_mode, server->capabilities, server->timeAdj);
+ if (ses->auth_key.response) {
+ cifs_dbg(VFS, "Free previous auth_key.response = %p\n",
+ses->auth_key.response);
+ kfree(ses->auth_key.response);
+ ses->auth_key.response = NULL;
+ ses->auth_key.len = 0;
+ }
+
if (server->ops->sess_setup)
rc = server->ops->sess_setup(xid, ses, nls_info);
[PATCH 3.16 085/204] sh: sh7722: remove nonexistent GPIO_PTQ7 to fix pinctrl registration
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Geert Uytterhoeven
commit b78412b8300a8453b78d2c1b0b925b66493bb011 upstream.
Patch series "sh: sh7722/sh7757i/sh7264/sh7269: Fix pinctrl registration",
v2.
Magnus Damm reported that on sh7722/Migo-R, pinctrl registration fails
with:
sh-pfc pfc-sh7722: pin 0 already registered
sh-pfc pfc-sh7722: error during pin registration
sh-pfc pfc-sh7722: could not register: -22
sh-pfc: probe of pfc-sh7722 failed with error -22
pinmux_pins[] is initialized through PINMUX_GPIO(), using designated
array initializers, where the GPIO_* enums serve as indices. Apparently
GPIO_PTQ7 was defined in the enum, but never used. If enum values are
defined, but never used, pinmux_pins[] contains (zero-filled) holes.
Hence such entries are treated as pin zero, which was registered before,
and pinctrl registration fails.
I can't see how this ever worked, as at the time of commit f5e25ae52fef
("sh-pfc: Add sh7722 pinmux support"), pinmux_gpios[] in
drivers/pinctrl/sh-pfc/pfc-sh7722.c already had the hole, and
drivers/pinctrl/core.c already had the check.
Some scripting revealed a few more broken drivers:
- sh7757 has four holes, due to nonexistent GPIO_PT[JLNQ]7_RESV.
- sh7264 and sh7269 define GPIO_PH[0-7], but don't use it with
PINMUX_GPIO().
Patch 1 fixes the issue on sh7722, and was tested. Patches 3-4 should
fix the issue on the other 3 SoCs, but was untested due to lack of
hardware.
This patch (of 4):
On sh7722/Migo-R, pinctrl registration fails with:
sh-pfc pfc-sh7722: pin 0 already registered
sh-pfc pfc-sh7722: error during pin registration
sh-pfc pfc-sh7722: could not register: -22
sh-pfc: probe of pfc-sh7722 failed with error -22
pinmux_pins[] is initialized through PINMUX_GPIO(), using designated array
initializers, where the GPIO_* enums serve as indices. As GPIO_PTQ7 is
defined in the enum, but never used, pinmux_pins[] contains a
(zero-filled) hole. Hence this entry is treated as pin zero, which was
registered before, and pinctrl registration fails.
According to the datasheet, port PTQ7 does not exist. Hence remove
GPIO_PTQ7 from the enum to fix this.
Link:
http://lkml.kernel.org/r/1505205657-18012-2-git-send-email-geert+rene...@glider.be
Fixes: 8d7b5b0af7e070b9 ("sh: Add sh7722 pinmux code")
Signed-off-by: Geert Uytterhoeven
Reported-by: Magnus Damm
Reviewed-by: Laurent Pinchart
Tested-by: Jacopo Mondi
Cc: Rich Felker
Cc: Yoshihiro Shimoda
Cc: Yoshinori Sato
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
Signed-off-by: Ben Hutchings
---
arch/sh/include/cpu-sh4/cpu/sh7722.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/sh/include/cpu-sh4/cpu/sh7722.h
+++ b/arch/sh/include/cpu-sh4/cpu/sh7722.h
@@ -67,7 +67,7 @@ enum {
GPIO_PTN3, GPIO_PTN2, GPIO_PTN1, GPIO_PTN0,
/* PTQ */
- GPIO_PTQ7, GPIO_PTQ6, GPIO_PTQ5, GPIO_PTQ4,
+ GPIO_PTQ6, GPIO_PTQ5, GPIO_PTQ4,
GPIO_PTQ3, GPIO_PTQ2, GPIO_PTQ1, GPIO_PTQ0,
/* PTR */
[PATCH 3.16 084/204] kernel/params.c: align add_sysfs_param documentation with code
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Jean Delvare
commit 630cc2b30a42c70628368a412beb4a5e5dd71abe upstream.
This parameter is named kp, so the documentation should use that.
Fixes: 9b473de87209 ("param: Fix duplicate module prefixes")
Link: http://lkml.kernel.org/r/20170919142656.64aea59e@endymion
Signed-off-by: Jean Delvare
Acked-by: Rusty Russell
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
Signed-off-by: Ben Hutchings
---
kernel/params.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/kernel/params.c
+++ b/kernel/params.c
@@ -581,7 +581,7 @@ EXPORT_SYMBOL(__kernel_param_unlock);
/*
* add_sysfs_param - add a parameter to sysfs
* @mk: struct module_kobject
- * @kparam: the actual parameter definition to add to sysfs
+ * @kp: the actual parameter definition to add to sysfs
* @name: name of parameter
*
* Create a kobject if for a (per-module) parameter if mp NULL, and
[PATCH 3.16 094/204] netfilter: x_tables: avoid stack-out-of-bounds read in xt_copy_counters_from_user
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Eric Dumazet
commit e466af75c074e76107ae1cd5a2823e9c61894ffb upstream.
syzkaller reports an out of bound read in strlcpy(), triggered
by xt_copy_counters_from_user()
Fix this by using memcpy(), then forcing a zero byte at the last position
of the destination, as Florian did for the non COMPAT code.
Fixes: d7591f0c41ce ("netfilter: x_tables: introduce and use
xt_copy_counters_from_user")
Signed-off-by: Eric Dumazet
Cc: Willem de Bruijn
Acked-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Ben Hutchings
---
net/netfilter/x_tables.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -860,7 +860,7 @@ void *xt_copy_counters_from_user(const v
if (copy_from_user(&compat_tmp, user, sizeof(compat_tmp)) != 0)
return ERR_PTR(-EFAULT);
- strlcpy(info->name, compat_tmp.name, sizeof(info->name));
+ memcpy(info->name, compat_tmp.name, sizeof(info->name) - 1);
info->num_counters = compat_tmp.num_counters;
user += sizeof(compat_tmp);
} else
@@ -873,9 +873,9 @@ void *xt_copy_counters_from_user(const v
if (copy_from_user(info, user, sizeof(*info)) != 0)
return ERR_PTR(-EFAULT);
- info->name[sizeof(info->name) - 1] = '\0';
user += sizeof(*info);
}
+ info->name[sizeof(info->name) - 1] = '\0';
size = sizeof(struct xt_counters);
size *= info->num_counters;
Re: IRQ behaivour has been changed from v4.14 to v4.15-rc1
On Thu, 2017-12-28 at 18:21 +0100, Thomas Gleixner wrote: > On Thu, 28 Dec 2017, Shevchenko, Andriy wrote: > > > Hi! > > > > Experimenting with AtomISP (yes, code is ugly and MSI handling > > rather > > hackish, though...). > > > > So, with v4.14 base: > > > > [ 33.639224] atomisp-isp2 :00:03.0: Start stream on pad 1 for > > asd0 > > [ 33.652355] atomisp-isp2 :00:03.0: irq:0x20 > > [ 33.662456] atomisp-isp2 :00:03.0: irq:0x20 > > [ 33.698064] atomisp-isp2 :00:03.0: stream[0] started. > > > > Ctrl+C > > > > [ 48.185643] atomisp-isp2 :00:03.0: > [ 48.204641] atomisp-isp2 :00:03.0: release device ATOMISP ISP > > CAPTURE output > > ... > > > > and machine still alive. > > > > > > With v4.15-rc1 base (basically your branch + some my hack patches) > > the > > IR > > Q behaviour changed, i.e. I have got: > > > > > > [ 85.167061] spurious APIC interrupt through vector ff on CPU#0, > > should never happen. > > [ 85.199886] atomisp-isp2 :00:03.0: stream[0] started. > > > > and Ctrl+C does NOT work. Machine just hangs. > > > > It might be related to this: > > https://lkml.org/lkml/2017/12/22/697 > > I don't think so. > > Does the patch below cure it? Unfortunately, no. Same behaviour. Tell me if I need to provide some debug before it hangs. For now I have apic=debug (AFAIR it doesn't affect this). > > Thanks, > > tglx > 8<- > arch/x86/kernel/apic/apic_flat_64.c |2 +- > arch/x86/kernel/apic/probe_32.c |2 +- > arch/x86/kernel/apic/x2apic_cluster.c |2 +- > 3 files changed, 3 insertions(+), 3 deletions(-) > > --- a/arch/x86/kernel/apic/apic_flat_64.c > +++ b/arch/x86/kernel/apic/apic_flat_64.c > @@ -151,7 +151,7 @@ static struct apic apic_flat __ro_after_ > .apic_id_valid = > default_apic_id_valid, > .apic_id_registered = flat_apic_id_registered, > > - .irq_delivery_mode = dest_LowestPrio, > + .irq_delivery_mode = dest_Fixed, > .irq_dest_mode = 1, /* logical */ > > .disable_esr= 0, > --- a/arch/x86/kernel/apic/probe_32.c > +++ b/arch/x86/kernel/apic/probe_32.c > @@ -105,7 +105,7 @@ static struct apic apic_default __ro_aft > .apic_id_valid = > default_apic_id_valid, > .apic_id_registered = > default_apic_id_registered, > > - .irq_delivery_mode = dest_LowestPrio, > + .irq_delivery_mode = dest_Fixed, > /* logical delivery broadcast to all CPUs: */ > .irq_dest_mode = 1, > > --- a/arch/x86/kernel/apic/x2apic_cluster.c > +++ b/arch/x86/kernel/apic/x2apic_cluster.c > @@ -184,7 +184,7 @@ static struct apic apic_x2apic_cluster _ > .apic_id_valid = x2apic_apic_id_valid, > .apic_id_registered = > x2apic_apic_id_registered, > > - .irq_delivery_mode = dest_LowestPrio, > + .irq_delivery_mode = dest_Fixed, > .irq_dest_mode = 1, /* logical */ > > .disable_esr= 0, > > -- Andy Shevchenko Intel Finland Oy
[PATCH 3.16 099/204] direct-io: Prevent NULL pointer access in submit_page_section
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Andreas Gruenbacher
commit 899f0429c7d3eed886406cd72182bee3b96aa1f9 upstream.
In the code added to function submit_page_section by commit b1058b981,
sdio->bio can currently be NULL when calling dio_bio_submit. This then
leads to a NULL pointer access in dio_bio_submit, so check for a NULL
bio in submit_page_section before trying to submit it instead.
Fixes xfstest generic/250 on gfs2.
Signed-off-by: Andreas Gruenbacher
Reviewed-by: Jan Kara
Signed-off-by: Al Viro
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings
---
fs/direct-io.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/fs/direct-io.c
+++ b/fs/direct-io.c
@@ -812,7 +812,8 @@ out:
*/
if (sdio->boundary) {
ret = dio_send_cur_page(dio, sdio, map_bh);
- dio_bio_submit(dio, sdio);
+ if (sdio->bio)
+ dio_bio_submit(dio, sdio);
page_cache_release(sdio->cur_page);
sdio->cur_page = NULL;
}
[PATCH 3.16 029/204] SMB: Validate negotiate (to protect against downgrade) even if signing off
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Steve French
commit 0603c96f3af50e2f9299fa410c224ab1d465e0f9 upstream.
As long as signing is supported (ie not a guest user connection) and
connection is SMB3 or SMB3.02, then validate negotiate (protect
against man in the middle downgrade attacks). We had been doing this
only when signing was required, not when signing was just enabled,
but this more closely matches recommended SMB3 behavior and is
better security. Suggested by Metze.
Signed-off-by: Steve French
Reviewed-by: Jeremy Allison
Acked-by: Stefan Metzmacher
Reviewed-by: Ronnie Sahlberg
Signed-off-by: Ben Hutchings
---
fs/cifs/smb2pdu.c | 17 -
1 file changed, 12 insertions(+), 5 deletions(-)
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -486,15 +486,22 @@ int smb3_validate_negotiate(const unsign
/*
* validation ioctl must be signed, so no point sending this if we
-* can not sign it. We could eventually change this to selectively
+* can not sign it (ie are not known user). Even if signing is not
+* required (enabled but not negotiated), in those cases we selectively
* sign just this, the first and only signed request on a connection.
-* This is good enough for now since a user who wants better security
-* would also enable signing on the mount. Having validation of
-* negotiate info for signed connections helps reduce attack vectors
+* Having validation of negotiate info helps reduce attack vectors.
*/
- if (tcon->ses->server->sign == false)
+ if (tcon->ses->session_flags & SMB2_SESSION_FLAG_IS_GUEST)
return 0; /* validation requires signing */
+ if (tcon->ses->user_name == NULL) {
+ cifs_dbg(FYI, "Can't validate negotiate: null user mount\n");
+ return 0; /* validation requires signing */
+ }
+
+ if (tcon->ses->session_flags & SMB2_SESSION_FLAG_IS_NULL)
+ cifs_dbg(VFS, "Unexpected null user (anonymous) auth flag sent
by server\n");
+
vneg_inbuf.Capabilities =
cpu_to_le32(tcon->ses->server->vals->req_capabilities);
memcpy(vneg_inbuf.Guid, tcon->ses->server->client_guid,
[PATCH 3.16 142/204] SMB: fix validate negotiate info uninitialised memory use
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: David Disseldorp
commit a2d9daad1d2dfbd307ab158044d1c323d7babbde upstream.
An undersize validate negotiate info server response causes the client
to use uninitialised memory for struct validate_negotiate_info_rsp
comparisons of Dialect, SecurityMode and/or Capabilities members.
Link: https://bugzilla.samba.org/show_bug.cgi?id=13092
Fixes: 7db0a6efdc3e ("SMB3: Work around mount failure when using SMB3 dialect
to Macs")
Signed-off-by: David Disseldorp
Reviewed-by: Pavel Shilovsky
Signed-off-by: Steve French
Signed-off-by: Ben Hutchings
---
fs/cifs/smb2pdu.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -535,7 +535,8 @@ int smb3_validate_negotiate(const unsign
rsplen);
/* relax check since Mac returns max bufsize allowed on ioctl */
- if (rsplen > CIFSMaxBufSize)
+ if ((rsplen > CIFSMaxBufSize)
+|| (rsplen < sizeof(struct validate_negotiate_info_rsp)))
goto err_rsp_free;
}
[PATCH 3.16 088/204] sh: sh7269: remove nonexistent GPIO_PH[0-7] to fix pinctrl registration
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Geert Uytterhoeven
commit d9d73e81fe82fdf4ee65a48c26531edc04108349 upstream.
Pinmux_pins[] is initialized through PINMUX_GPIO(), using designated
array initializers, where the GPIO_* enums serve as indices. If enum
values are defined, but never used, pinmux_pins[] contains (zero-filled)
holes. Such entries are treated as pin zero, which was registered
before, thus leading to pinctrl registration failures, as seen on
sh7722:
sh-pfc pfc-sh7722: pin 0 already registered
sh-pfc pfc-sh7722: error during pin registration
sh-pfc pfc-sh7722: could not register: -22
sh-pfc: probe of pfc-sh7722 failed with error -22
Remove GPIO_PH[0-7] from the enum to fix this.
Link:
http://lkml.kernel.org/r/1505205657-18012-5-git-send-email-geert+rene...@glider.be
Fixes: ef0fa5331a73e479 ("sh: Add pinmux for sh7269")
Signed-off-by: Geert Uytterhoeven
Reviewed-by: Laurent Pinchart
Cc: Yoshinori Sato
Cc: Rich Felker
Cc: Magnus Damm
Cc: Yoshihiro Shimoda
Cc: Jacopo Mondi
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
Signed-off-by: Ben Hutchings
---
arch/sh/include/cpu-sh2a/cpu/sh7269.h | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
--- a/arch/sh/include/cpu-sh2a/cpu/sh7269.h
+++ b/arch/sh/include/cpu-sh2a/cpu/sh7269.h
@@ -45,9 +45,7 @@ enum {
GPIO_PG7, GPIO_PG6, GPIO_PG5, GPIO_PG4,
GPIO_PG3, GPIO_PG2, GPIO_PG1, GPIO_PG0,
- /* Port H */
- GPIO_PH7, GPIO_PH6, GPIO_PH5, GPIO_PH4,
- GPIO_PH3, GPIO_PH2, GPIO_PH1, GPIO_PH0,
+ /* Port H - Port H does not have a Data Register */
/* Port I - not on device */
[PATCH 3.16 149/204] x86/uaccess, sched/preempt: Verify access_ok() context
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Peter Zijlstra
commit 7c4788950ba5922fde976d80b72baf46f14dee8d upstream.
I recently encountered wreckage because access_ok() was used where it
should not be, add an explicit WARN when access_ok() is used wrongly.
Signed-off-by: Peter Zijlstra (Intel)
Cc: Andy Lutomirski
Cc: H. Peter Anvin
Cc: Linus Torvalds
Cc: Peter Zijlstra
Cc: Thomas Gleixner
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Ingo Molnar
[bwh: Backported to 3.16:
- Adjust filename
- Include in since it's not included by
]
Signed-off-by: Ben Hutchings
---
arch/x86/include/asm/uaccess.h | 13 +++--
include/linux/preempt_mask.h | 21 +
2 files changed, 24 insertions(+), 10 deletions(-)
--- a/arch/x86/include/asm/uaccess.h
+++ b/arch/x86/include/asm/uaccess.h
@@ -7,6 +7,7 @@
#include
#include
#include
+#include
#include
#include
#include
@@ -66,6 +67,12 @@ static inline bool __chk_range_not_ok(un
__chk_range_not_ok((unsigned long __force)(addr), size, limit); \
})
+#ifdef CONFIG_DEBUG_ATOMIC_SLEEP
+# define WARN_ON_IN_IRQ() WARN_ON_ONCE(!in_task())
+#else
+# define WARN_ON_IN_IRQ()
+#endif
+
/**
* access_ok: - Checks if a user space pointer is valid
* @type: Type of access: %VERIFY_READ or %VERIFY_WRITE. Note that
@@ -85,8 +92,11 @@ static inline bool __chk_range_not_ok(un
* checks that the pointer is in the user space range - after calling
* this function, memory access functions may still return -EFAULT.
*/
-#define access_ok(type, addr, size) \
- likely(!__range_not_ok(addr, size, user_addr_max()))
+#define access_ok(type, addr, size)\
+({ \
+ WARN_ON_IN_IRQ(); \
+ likely(!__range_not_ok(addr, size, user_addr_max())); \
+})
/*
* The exception table consists of pairs of addresses relative to the
--- a/include/linux/preempt_mask.h
+++ b/include/linux/preempt_mask.h
@@ -57,19 +57,24 @@
/*
* Are we doing bottom half or hardware interrupt processing?
- * Are we in a softirq context? Interrupt context?
- * in_softirq - Are we currently processing softirq or have bh disabled?
- * in_serving_softirq - Are we currently processing softirq?
+ *
+ * in_irq() - We're in (hard) IRQ context
+ * in_softirq() - We have BH disabled, or are processing softirqs
+ * in_interrupt() - We're in NMI,IRQ,SoftIRQ context or have BH disabled
+ * in_serving_softirq() - We're in softirq context
+ * in_nmi() - We're in NMI context
+ * in_task() - We're in task context
+ *
+ * Note: due to the BH disabled confusion: in_softirq(),in_interrupt() really
+ * should not be used in new code.
*/
#define in_irq() (hardirq_count())
#define in_softirq() (softirq_count())
#define in_interrupt() (irq_count())
#define in_serving_softirq() (softirq_count() & SOFTIRQ_OFFSET)
-
-/*
- * Are we in NMI context?
- */
-#define in_nmi() (preempt_count() & NMI_MASK)
+#define in_nmi() (preempt_count() & NMI_MASK)
+#define in_task() (!(preempt_count() & \
+ (NMI_MASK | HARDIRQ_MASK | SOFTIRQ_OFFSET)))
/*
* The preempt_count offset after preempt_disable();
[PATCH 3.16 049/204] KEYS: fix key refcount leak in keyctl_read_key()
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Eric Biggers
commit 7fc0786d956d9e59b68d282be9b156179846ea3d upstream.
In keyctl_read_key(), if key_permission() were to return an error code
other than EACCES, we would leak a the reference to the key. This can't
actually happen currently because key_permission() can only return an
error code other than EACCES if security_key_permission() does, only
SELinux and Smack implement that hook, and neither can return an error
code other than EACCES. But it should still be fixed, as it is a bug
waiting to happen.
Fixes: 29db91906340 ("[PATCH] Keys: Add LSM hooks for key management [try #3]")
Signed-off-by: Eric Biggers
Signed-off-by: David Howells
Signed-off-by: Ben Hutchings
---
security/keys/keyctl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/security/keys/keyctl.c
+++ b/security/keys/keyctl.c
@@ -745,7 +745,7 @@ long keyctl_read_key(key_serial_t keyid,
if (ret == 0)
goto can_read_key;
if (ret != -EACCES)
- goto error;
+ goto error2;
/* we can't; see if it's searchable from this process's keyrings
* - we automatically take account of the fact that it may be
Re: [RFC PATCH v11 4/5] PCI / PM: Add support for the PCIe WAKE# signal for OF
On Thu, Dec 28, 2017 at 6:29 PM, Rafael J. Wysocki wrote: > On Thursday, December 28, 2017 5:51:34 PM CET Tony Lindgren wrote: >> * Rafael J. Wysocki [171228 12:21]: >> > On Thu, Dec 28, 2017 at 5:22 AM, Tony Lindgren wrote: >> > > * Rafael J. Wysocki [171228 00:51]: >> > >> On Wed, Dec 27, 2017 at 4:08 PM, Tony Lindgren wrote: >> > >> > * Rafael J. Wysocki [171227 01:00]: >> > >> >> On Tuesday, December 26, 2017 2:06:47 AM CET JeffyChen wrote: >> > >> >> > Hi Rafael, >> > >> >> > >> > >> >> > Thanks for your reply :) >> > >> >> > >> > >> >> > On 12/26/2017 08:11 AM, Rafael J. Wysocki wrote: >> > >> >> > >> >+ >> > >> >> > >> >+ dn = pci_device_to_OF_node(ppdev); >> > >> >> > >> >+ if (!dn) >> > >> >> > >> >+ return 0; >> > >> >> > >> >+ >> > >> >> > >> >+ irq = of_irq_get_byname(dn, "wakeup"); >> > >> >> > > Why is this a property of the bridge and not of the device >> > >> >> > > itself? >> > >> >> > >> > >> >> > That is suggested by Brian, because in that way, the wakeup pin >> > >> >> > would >> > >> >> > not "tied to what exact device is installed (or no device, if it's >> > >> >> > a slot)." >> > >> >> >> > >> >> But I don't think it works when there are two devices using >> > >> >> different WAKE# >> > >> >> interrupt lines under the same bridge. Or how does it work then? >> > >> > >> > >> > It won't work currently for multiple devices but adding more than >> > >> > one wakeriq per device is doable. And I think we will have other >> > >> > cases where multiple wakeirqs are connected to a single device, so >> > >> > that issue should be sorted out sooner or later. >> > >> > >> > >> > And if requesting wakeirq for the PCI WAKE# lines at the PCI >> > >> > controller does the job, then maybe that's all we need to start with. >> > >> >> > >> These are expected to be out-of-band, so not having anything to do >> > >> with the Root Complex. >> > >> >> > >> In-band PME Messages go through the PCIe hierarchy, but that is a >> > >> standard mechanism and it is supported already. >> > >> >> > >> WAKE# are platform-specific, pretty much by definition and I guess >> > >> that on most ARM boards they are just going to be some kind of GPIO >> > >> pins. >> > > >> > > OK. So probably supporting the following two configurations >> > > should be enough then: >> > > >> > > 1. One or more WAKE# lines configured as a wakeirq for the PCI >> > >controller >> > > >> > >When the wakeirq calls pm_wakeup_event() for the PCI controller >> > >device driver, the PCI controller wakes up and can deal with >> > >it's child devices >> > >> > But this shouldn't be necessary at all. Or if it is, I wonder why >> > that's the case. >> >> Well Brian had a concern where we would have to implement PM runtime >> for all device drivers for PCI devices. > > Why would we? > >> > I'm assuming that we're talking about PCI Express here, which has two >> > wakeup mechanisms defined, one of which is based on using PME Messages >> > (Beacon) and the second one is WAKE#: >> > >> > "The WAKE# mechanism uses sideband signaling to implement wakeup >> > functionality. WAKE# is >> > an “open drain” signal asserted by components requesting wakeup and >> > observed by the associated >> > power controller." >> > >> > (from PCIe Base Spec 3.0). [And there's a diagram showing the routing >> > of WAKE# in two cases in Figure 5-4: Conceptual Diagrams Showing Two >> > Example Cases of WAKE# Routing.] >> >> Thanks for the pointer, I had not seen that :) So the use cases >> I was trying to describe above are similar to the wiring in the >> PCIe Base Spec 3.0 "Figure 5-4" , but numbered the other way around. >> >> > Note that WAKE# is defined to be "observed by the associated power >> > controller", so I'm not sure what the PCI controller's role in the >> > handing of it is at all. >> >> To me it seems the "switch" part stays at least partially powered >> and then in-band PME messages are used after host is woken up to >> figure out which WAKE# triggered? > > Yes, that's my understanding too. To be precise, it is not quite possible to figure out which WAKE# triggered, if they are sharing the line, without looking into the config spaces of the devices below the switch. The switch is not expected to do that AFAICS. It only generates a PME message meaning "wakeup is being signaled somewhere below" and the PME driver that handles the Root Port receiving it should look at the PME Status bits of the devices below the switch (the pme.c driver does that IIRC or at least it should do that ;-)). Still, the handling of WAKE# doesn't need to cover this case AFAICS. Thanks, Rafael
[PATCH 3.16 023/204] ARM: dts: da850-evm: add serial and ethernet aliases
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Sekhar Nori
commit ce21574ad1922b403198ee664c4dff276f514f1d upstream.
Add aliases for serial and ethernet nodes. Serial
aliases help keep order of tty nodes fixed and
ethernet alias is used by bootloader to setup mac
address correctly.
Reported-by: Adam Ford
Acked-by: Tony Lindgren
Fixes: dd7deaf218bf ("ARM: davinci: da850: add DT node for ethernet")
Signed-off-by: Sekhar Nori
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings
---
arch/arm/boot/dts/da850-evm.dts | 7 +++
1 file changed, 7 insertions(+)
--- a/arch/arm/boot/dts/da850-evm.dts
+++ b/arch/arm/boot/dts/da850-evm.dts
@@ -14,6 +14,13 @@
compatible = "ti,da850-evm", "ti,da850";
model = "DA850/AM1808/OMAP-L138 EVM";
+ aliases {
+ serial0 = &serial0;
+ serial1 = &serial1;
+ serial2 = &serial2;
+ ethernet0 = ð0;
+ };
+
soc {
pmx_core: pinmux@1c14120 {
status = "okay";
[PATCH 3.16 038/204] USB: g_mass_storage: Fix deadlock when driver is unbound
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Alan Stern
commit 1fbbb78f25d1291274f320462bf6908906f538db upstream.
As a holdover from the old g_file_storage gadget, the g_mass_storage
legacy gadget driver attempts to unregister itself when its main
operating thread terminates (if it hasn't been unregistered already).
This is not strictly necessary; it was never more than an attempt to
have the gadget fail cleanly if something went wrong and the main
thread was killed.
However, now that the UDC core manages gadget drivers independently of
UDC drivers, this scheme doesn't work any more. A simple test:
modprobe dummy-hcd
modprobe g-mass-storage file=...
rmmod dummy-hcd
ends up in a deadlock with the following backtrace:
sysrq: SysRq : Show Blocked State
taskPC stack pid father
file-storageD0 1130 2 0x
Call Trace:
__schedule+0x53e/0x58c
schedule+0x6e/0x77
schedule_preempt_disabled+0xd/0xf
__mutex_lock.isra.1+0x129/0x224
? _raw_spin_unlock_irqrestore+0x12/0x14
__mutex_lock_slowpath+0x12/0x14
mutex_lock+0x28/0x2b
usb_gadget_unregister_driver+0x29/0x9b [udc_core]
usb_composite_unregister+0x10/0x12 [libcomposite]
msg_cleanup+0x1d/0x20 [g_mass_storage]
msg_thread_exits+0xd/0xdd7 [g_mass_storage]
fsg_main_thread+0x1395/0x13d6 [usb_f_mass_storage]
? __schedule+0x573/0x58c
kthread+0xd9/0xdb
? do_set_interface+0x25c/0x25c [usb_f_mass_storage]
? init_completion+0x1e/0x1e
ret_from_fork+0x19/0x24
rmmod D0 1155683 0x
Call Trace:
__schedule+0x53e/0x58c
schedule+0x6e/0x77
schedule_timeout+0x26/0xbc
? __schedule+0x573/0x58c
do_wait_for_common+0xb3/0x128
? usleep_range+0x81/0x81
? wake_up_q+0x3f/0x3f
wait_for_common+0x2e/0x45
wait_for_completion+0x17/0x19
fsg_common_put+0x34/0x81 [usb_f_mass_storage]
fsg_free_inst+0x13/0x1e [usb_f_mass_storage]
usb_put_function_instance+0x1a/0x25 [libcomposite]
msg_unbind+0x2a/0x42 [g_mass_storage]
__composite_unbind+0x4a/0x6f [libcomposite]
composite_unbind+0x12/0x14 [libcomposite]
usb_gadget_remove_driver+0x4f/0x77 [udc_core]
usb_del_gadget_udc+0x52/0xcc [udc_core]
dummy_udc_remove+0x27/0x2c [dummy_hcd]
platform_drv_remove+0x1d/0x31
device_release_driver_internal+0xe9/0x16d
device_release_driver+0x11/0x13
bus_remove_device+0xd2/0xe2
device_del+0x19f/0x221
? selinux_capable+0x22/0x27
platform_device_del+0x21/0x63
platform_device_unregister+0x10/0x1a
cleanup+0x20/0x817 [dummy_hcd]
SyS_delete_module+0x10c/0x197
? fput+0xd/0xf
? task_work_run+0x55/0x62
? prepare_exit_to_usermode+0x65/0x75
do_fast_syscall_32+0x86/0xc3
entry_SYSENTER_32+0x4e/0x7c
What happens is that removing the dummy-hcd driver causes the UDC core
to unbind the gadget driver, which it does while holding the udc_lock
mutex. The unbind routine in g_mass_storage tells the main thread to
exit and waits for it to terminate.
But as mentioned above, when the main thread exits it tries to
unregister the mass-storage function driver. Via the composite
framework this ends up calling usb_gadget_unregister_driver(), which
tries to acquire the udc_lock mutex. The result is deadlock.
The simplest way to fix the problem is not to be so clever: The main
thread doesn't have to unregister the function driver. The side
effects won't be so terrible; if the gadget is still attached to a USB
host when the main thread is killed, it will appear to the host as
though the gadget's firmware has crashed -- a reasonably accurate
interpretation, and an all-too-common occurrence for USB mass-storage
devices.
In fact, the code to unregister the driver when the main thread exits
is specific to g-mass-storage; it is not used when f-mass-storage is
included as a function in a larger composite device. Therefore the
entire mechanism responsible for this (the fsg_operations structure
with its ->thread_exits method, the fsg_common_set_ops() routine, and
the msg_thread_exits() callback routine) can all be eliminated. Even
the msg_registered bitflag can be removed, because now the driver is
unregistered in only one place rather than in two places.
Signed-off-by: Alan Stern
Acked-by: Felipe Balbi
Acked-by: Michal Nazarewicz
Signed-off-by: Greg Kroah-Hartman
[bwh: Backported to 3.16:
- Preserve the old way of iterating over LUNs in fsg_main_thread() cleanup
- Adjust filename, context]
Signed-off-by: Ben Hutchings
---
--- a/drivers/usb/gadget/f_mass_storage.c
+++ b/drivers/usb/gadget/f_mass_storage.c
@@ -307,8 +307,6 @@ struct fsg_common {
struct completion thread_notifier;
struct task_struct *thread_task;
- /* Callback functions. */
- const struct fsg_operations *ops;
/* Gadget's private data. */
void*private_data;
@@ -2498,6 +2496,8 @@ static void handle_exception(struct fsg_
static int fsg_main_thread(voi
[PATCH 3.16 140/204] fuse: fix READDIRPLUS skipping an entry
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Miklos Szeredi
commit c6cdd51404b7ac12dd95173ddfc548c59ecf037f upstream.
Marios Titas running a Haskell program noticed a problem with fuse's
readdirplus: when it is interrupted by a signal, it skips one directory
entry.
The reason is that fuse erronously updates ctx->pos after a failed
dir_emit().
The issue originates from the patch adding readdirplus support.
Reported-by: Jakob Unterwurzacher
Tested-by: Marios Titas
Signed-off-by: Miklos Szeredi
Fixes: 0b05b18381ee ("fuse: implement NFS-like readdirplus support")
Signed-off-by: Ben Hutchings
---
fs/fuse/dir.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/fs/fuse/dir.c
+++ b/fs/fuse/dir.c
@@ -1382,7 +1382,8 @@ static int parse_dirplusfile(char *buf,
*/
over = !dir_emit(ctx, dirent->name, dirent->namelen,
dirent->ino, dirent->type);
- ctx->pos = dirent->off;
+ if (!over)
+ ctx->pos = dirent->off;
}
buf += reclen;
[PATCH 3.16 127/204] parisc: Fix double-word compare and exchange in LWS code on 32-bit kernels
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: John David Anglin
commit 374b3bf8e8b519f61eb9775888074c6e46b3bf0c upstream.
As discussed on the debian-hppa list, double-wordcompare and exchange
operations fail on 32-bit kernels. Looking at the code, I realized that
the ",ma" completer does the wrong thing in the "ldw,ma 4(%r26), %r29"
instruction. This increments %r26 and causes the following store to
write to the wrong location.
Note by Helge Deller:
The patch applies cleanly to stable kernel series if this upstream
commit is merged in advance:
f4125cfdb300 ("parisc: Avoid trashing sr2 and sr3 in LWS code").
Signed-off-by: John David Anglin
Tested-by: Christoph Biedl
Fixes: 89206491201c ("parisc: Implement new LWS CAS supporting 64 bit
operations.")
Signed-off-by: Helge Deller
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings
---
arch/parisc/kernel/syscall.S | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/arch/parisc/kernel/syscall.S
+++ b/arch/parisc/kernel/syscall.S
@@ -742,7 +742,7 @@ lws_compare_and_swap_2:
10:ldd 0(%sr3,%r25), %r25
11:ldd 0(%sr3,%r24), %r24
#else
- /* Load new value into r22/r23 - high/low */
+ /* Load old value into r22/r23 - high/low */
10:ldw 0(%sr3,%r25), %r22
11:ldw 4(%sr3,%r25), %r23
/* Load new value into fr4 for atomic store later */
@@ -834,11 +834,11 @@ cas2_action:
copy%r0, %r28
#else
/* Compare first word */
-19:ldw,ma 0(%sr3,%r26), %r29
+19:ldw 0(%sr3,%r26), %r29
sub,= %r29, %r22, %r0
b,n cas2_end
/* Compare second word */
-20:ldw,ma 4(%sr3,%r26), %r29
+20:ldw 4(%sr3,%r26), %r29
sub,= %r29, %r23, %r0
b,n cas2_end
/* Perform the store */
[PATCH 3.16 118/204] net: enable interface alias removal via rtnl
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Nicolas Dichtel
commit 2459b4c635858094df78abb9ca87d99f89fe8ca5 upstream.
IFLA_IFALIAS is defined as NLA_STRING. It means that the minimal length of
the attribute is 1 ("\0"). However, to remove an alias, the attribute
length must be 0 (see dev_set_alias()).
Let's define the type to NLA_BINARY to allow 0-length string, so that the
alias can be removed.
Example:
$ ip l s dummy0 alias foo
$ ip l l dev dummy0
5: dummy0: mtu 1500 qdisc noop state DOWN mode DEFAULT group
default qlen 1000
link/ether ae:20:30:4f:a7:f3 brd ff:ff:ff:ff:ff:ff
alias foo
Before the patch:
$ ip l s dummy0 alias ""
RTNETLINK answers: Numerical result out of range
After the patch:
$ ip l s dummy0 alias ""
$ ip l l dev dummy0
5: dummy0: mtu 1500 qdisc noop state DOWN mode DEFAULT group
default qlen 1000
link/ether ae:20:30:4f:a7:f3 brd ff:ff:ff:ff:ff:ff
CC: Oliver Hartkopp
CC: Stephen Hemminger
Fixes: 96ca4a2cc145 ("net: remove ifalias on empty given alias")
Reported-by: Julien FLoret
Signed-off-by: Nicolas Dichtel
Signed-off-by: David S. Miller
Signed-off-by: Ben Hutchings
---
net/core/rtnetlink.c | 5 -
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -1187,7 +1187,10 @@ static const struct nla_policy ifla_poli
[IFLA_LINKINFO] = { .type = NLA_NESTED },
[IFLA_NET_NS_PID] = { .type = NLA_U32 },
[IFLA_NET_NS_FD]= { .type = NLA_U32 },
- [IFLA_IFALIAS] = { .type = NLA_STRING, .len = IFALIASZ-1 },
+ /* IFLA_IFALIAS is a string, but policy is set to NLA_BINARY to
+* allow 0-length string (needed to remove an alias).
+*/
+ [IFLA_IFALIAS] = { .type = NLA_BINARY, .len = IFALIASZ - 1 },
[IFLA_VFINFO_LIST] = {. type = NLA_NESTED },
[IFLA_VF_PORTS] = { .type = NLA_NESTED },
[IFLA_PORT_SELF]= { .type = NLA_NESTED },
Re: IRQ behaivour has been changed from v4.14 to v4.15-rc1
On Thu, 28 Dec 2017, Andy Shevchenko wrote:
> On Thu, 2017-12-28 at 18:21 +0100, Thomas Gleixner wrote:
> > > [ 85.167061] spurious APIC interrupt through vector ff on CPU#0,
> > > should never happen.
> > > [ 85.199886] atomisp-isp2 :00:03.0: stream[0] started.
> > >
> > > and Ctrl+C does NOT work. Machine just hangs.
> > >
> > > It might be related to this:
> > > https://lkml.org/lkml/2017/12/22/697
> >
> > I don't think so.
> >
> > Does the patch below cure it?
>
> Unfortunately, no.
>
> Same behaviour.
>
> Tell me if I need to provide some debug before it hangs. For now I have
> apic=debug (AFAIR it doesn't affect this).
The interesting question is why that spurious APIC interrupt through vector
ff happens. Can you please add the following to the kernel command line:
'trace_events=irq_vectors:* ftrace_dump_on_oops'
and apply the patch below. That should spill out the trace over serial (I
hope you have that ...)
Thanks,
tglx
8<---
--- a/arch/x86/kernel/apic/apic.c
+++ b/arch/x86/kernel/apic/apic.c
@@ -1978,6 +1978,8 @@ void __init register_lapic_address(unsig
/* see sw-dev-man vol 3, chapter 7.4.13.5 */
pr_info("spurious APIC interrupt through vector %02x on CPU#%d, "
"should never happen.\n", vector, smp_processor_id());
+ tracing_off();
+ BUG();
trace_spurious_apic_exit(vector);
exiting_irq();
[PATCH 3.16 145/204] SMB3: Validate negotiate request must always be signed
3.16.52-rc1 review patch. If anyone has any objections, please let me know. -- From: Steve French commit 4587eee04e2ac7ac3ac9fa2bc164fb6e548f99cd upstream. According to MS-SMB2 3.2.55 validate_negotiate request must always be signed. Some Windows can fail the request if you send it unsigned See kernel bugzilla bug 197311 Acked-by: Ronnie Sahlberg Signed-off-by: Steve French [bwh: Backported to 3.16: s/sync_hdr\.Flags/Flags/] Signed-off-by: Ben Hutchings --- fs/cifs/smb2pdu.c | 3 +++ 1 file changed, 3 insertions(+) --- a/fs/cifs/smb2pdu.c +++ b/fs/cifs/smb2pdu.c @@ -1342,6 +1342,9 @@ SMB2_ioctl(const unsigned int xid, struc } else iov[0].iov_len = get_rfc1002_length(req) + 4; + /* validate negotiate request must be signed - see MS-SMB2 3.2.5.5 */ + if (opcode == FSCTL_VALIDATE_NEGOTIATE_INFO) + req->hdr.Flags |= SMB2_FLAGS_SIGNED; rc = SendReceive2(xid, ses, iov, num_iovecs, &resp_buftype, 0); rsp = (struct smb2_ioctl_rsp *)iov[0].iov_base;
[PATCH 3.16 026/204] usb: gadget: dummy: fix nonsensical comparisons
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Arnd Bergmann
commit 7661ca09b2ff98f48693f431bb01fed62830e433 upstream.
gcc-8 points out two comparisons that are clearly bogus
and almost certainly not what the author intended to write:
drivers/usb/gadget/udc/dummy_hcd.c: In function 'set_link_state_by_speed':
drivers/usb/gadget/udc/dummy_hcd.c:379:31: error: bitwise comparison always
evaluates to false [-Werror=tautological-compare]
USB_PORT_STAT_ENABLE) == 1 &&
^~
drivers/usb/gadget/udc/dummy_hcd.c:381:25: error: bitwise comparison always
evaluates to false [-Werror=tautological-compare]
USB_SS_PORT_LS_U0) == 1 &&
^~
I looked at the code for a bit and came up with a change that makes
it look like what the author probably meant here. This makes it
look reasonable to me and to gcc, shutting up the warning.
It does of course change behavior as the two conditions are actually
evaluated rather than being hardcoded to false, and I have made no
attempt at verifying that the changed logic makes sense in the context
of a USB HCD, so that part needs to be reviewed carefully.
Fixes: 1cd8fd2887e1 ("usb: gadget: dummy_hcd: add SuperSpeed support")
Cc: Tatyana Brokhman
Cc: Felipe Balbi
Acked-by: Alan Stern
Signed-off-by: Arnd Bergmann
Signed-off-by: Felipe Balbi
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings
---
drivers/usb/gadget/dummy_hcd.c | 9 -
1 file changed, 4 insertions(+), 5 deletions(-)
--- a/drivers/usb/gadget/dummy_hcd.c
+++ b/drivers/usb/gadget/dummy_hcd.c
@@ -311,11 +311,10 @@ static void set_link_state_by_speed(stru
USB_PORT_STAT_CONNECTION) == 0)
dum_hcd->port_status |=
(USB_PORT_STAT_C_CONNECTION << 16);
- if ((dum_hcd->port_status &
-USB_PORT_STAT_ENABLE) == 1 &&
- (dum_hcd->port_status &
-USB_SS_PORT_LS_U0) == 1 &&
- dum_hcd->rh_state != DUMMY_RH_SUSPENDED)
+ if ((dum_hcd->port_status & USB_PORT_STAT_ENABLE) &&
+ (dum_hcd->port_status &
+USB_PORT_STAT_LINK_STATE) == USB_SS_PORT_LS_U0 &&
+ dum_hcd->rh_state != DUMMY_RH_SUSPENDED)
dum_hcd->active = 1;
}
} else {
[PATCH 3.16 054/204] security/keys: properly zero out sensitive key material in big_key
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: "Jason A. Donenfeld"
commit 910801809b2e40a4baedd080ef5d80b4a180e70e upstream.
Error paths forgot to zero out sensitive material, so this patch changes
some kfrees into a kzfrees.
Signed-off-by: Jason A. Donenfeld
Signed-off-by: David Howells
Reviewed-by: Eric Biggers
Cc: Herbert Xu
Cc: Kirill Marinushkin
Cc: secur...@kernel.org
[bwh: Backported to 3.16: there's only one kfree() to change]
Signed-off-by: Ben Hutchings
---
security/keys/big_key.c | 12 ++--
1 file changed, 6 insertions(+), 6 deletions(-)
--- a/security/keys/big_key.c
+++ b/security/keys/big_key.c
@@ -135,7 +135,7 @@ void big_key_destroy(struct key *key)
path->mnt = NULL;
path->dentry = NULL;
} else {
- kfree(key->payload.data);
+ kzfree(key->payload.data);
key->payload.data = NULL;
}
}
[PATCH 3.16 062/204] vfs: Return -ENXIO for negative SEEK_HOLE / SEEK_DATA offsets
3.16.52-rc1 review patch. If anyone has any objections, please let me know. -- From: Andreas Gruenbacher commit fc46820b27a2d9a46f7e90c9ceb4a64a1bc5fab8 upstream. In generic_file_llseek_size, return -ENXIO for negative offsets as well as offsets beyond EOF. This affects filesystems which don't implement SEEK_HOLE / SEEK_DATA internally, possibly because they don't support holes. Fixes xfstest generic/448. Signed-off-by: Andreas Gruenbacher Signed-off-by: Linus Torvalds Signed-off-by: Ben Hutchings --- fs/read_write.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/fs/read_write.c +++ b/fs/read_write.c @@ -116,7 +116,7 @@ generic_file_llseek_size(struct file *fi * In the generic case the entire file is data, so as long as * offset isn't at the end of the file then the offset is data. */ - if (offset >= eof) + if ((unsigned long long)offset >= eof) return -ENXIO; break; case SEEK_HOLE: @@ -124,7 +124,7 @@ generic_file_llseek_size(struct file *fi * There is a virtual hole at the end of the file, so as long as * offset isn't i_size or larger, return i_size. */ - if (offset >= eof) + if ((unsigned long long)offset >= eof) return -ENXIO; offset = eof; break;
[PATCH 3.16 044/204] iio: core: Return error for failed read_reg
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Matt Fornero
commit 3d62c78a6eb9a7d67bace9622b66ad51e81c5f9b upstream.
If an IIO device returns an error code for a read access via debugfs, it
is currently ignored by the IIO core (other than emitting an error
message). Instead, return this error code to user space, so upper layers
can detect it correctly.
Signed-off-by: Matt Fornero
Signed-off-by: Lars-Peter Clausen
Signed-off-by: Jonathan Cameron
Signed-off-by: Ben Hutchings
---
drivers/iio/industrialio-core.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/iio/industrialio-core.c
+++ b/drivers/iio/industrialio-core.c
@@ -184,8 +184,10 @@ static ssize_t iio_debugfs_read_reg(stru
ret = indio_dev->info->debugfs_reg_access(indio_dev,
indio_dev->cached_reg_addr,
0, &val);
- if (ret)
+ if (ret) {
dev_err(indio_dev->dev.parent, "%s: read failed\n", __func__);
+ return ret;
+ }
len = snprintf(buf, sizeof(buf), "0x%X\n", val);
[PATCH 3.16 050/204] KEYS: fix writing past end of user-supplied buffer in keyring_read()
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Eric Biggers
commit e645016abc803dafc75e4b8f6e4118f088900ffb upstream.
Userspace can call keyctl_read() on a keyring to get the list of IDs of
keys in the keyring. But if the user-supplied buffer is too small, the
kernel would write the full list anyway --- which will corrupt whatever
userspace memory happened to be past the end of the buffer. Fix it by
only filling the space that is available.
Fixes: b2a4df200d57 ("KEYS: Expand the capacity of a keyring")
Signed-off-by: Eric Biggers
Signed-off-by: David Howells
Signed-off-by: Ben Hutchings
---
security/keys/keyring.c | 14 +-
1 file changed, 5 insertions(+), 9 deletions(-)
--- a/security/keys/keyring.c
+++ b/security/keys/keyring.c
@@ -405,7 +405,7 @@ static void keyring_describe(const struc
}
struct keyring_read_iterator_context {
- size_t qty;
+ size_t buflen;
size_t count;
key_serial_t __user *buffer;
};
@@ -417,9 +417,9 @@ static int keyring_read_iterator(const v
int ret;
kenter("{%s,%d},,{%zu/%zu}",
- key->type->name, key->serial, ctx->count, ctx->qty);
+ key->type->name, key->serial, ctx->count, ctx->buflen);
- if (ctx->count >= ctx->qty)
+ if (ctx->count >= ctx->buflen)
return 1;
ret = put_user(key->serial, ctx->buffer);
@@ -454,16 +454,12 @@ static long keyring_read(const struct ke
return 0;
/* Calculate how much data we could return */
- ctx.qty = nr_keys * sizeof(key_serial_t);
-
if (!buffer || !buflen)
- return ctx.qty;
-
- if (buflen > ctx.qty)
- ctx.qty = buflen;
+ return nr_keys * sizeof(key_serial_t);
/* Copy the IDs of the subscribed keys into the buffer */
ctx.buffer = (key_serial_t __user *)buffer;
+ ctx.buflen = buflen;
ctx.count = 0;
ret = assoc_array_iterate(&keyring->keys, keyring_read_iterator, &ctx);
if (ret < 0) {
[PATCH 3.16 194/204] security: let security modules use PTRACE_MODE_* with bitmasks
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Jann Horn
commit 3dfb7d8cdbc7ea0c2970450e60818bb3eefbad69 upstream.
It looks like smack and yama weren't aware that the ptrace mode
can have flags ORed into it - PTRACE_MODE_NOAUDIT until now, but
only for /proc/$pid/stat, and with the PTRACE_MODE_*CREDS patch,
all modes have flags ORed into them.
Signed-off-by: Jann Horn
Acked-by: Kees Cook
Acked-by: Casey Schaufler
Cc: Oleg Nesterov
Cc: Ingo Molnar
Cc: James Morris
Cc: "Serge E. Hallyn"
Cc: Andy Shevchenko
Cc: Andy Lutomirski
Cc: Al Viro
Cc: "Eric W. Biederman"
Cc: Willy Tarreau
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
Signed-off-by: Ben Hutchings
---
security/smack/smack_lsm.c | 8 +++-
security/yama/yama_lsm.c | 4 ++--
2 files changed, 5 insertions(+), 7 deletions(-)
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -163,12 +163,10 @@ static int smk_copy_rules(struct list_he
*/
static inline unsigned int smk_ptrace_mode(unsigned int mode)
{
- switch (mode) {
- case PTRACE_MODE_READ:
- return MAY_READ;
- case PTRACE_MODE_ATTACH:
+ if (mode & PTRACE_MODE_ATTACH)
return MAY_READWRITE;
- }
+ if (mode & PTRACE_MODE_READ)
+ return MAY_READ;
return 0;
}
--- a/security/yama/yama_lsm.c
+++ b/security/yama/yama_lsm.c
@@ -292,7 +292,7 @@ int yama_ptrace_access_check(struct task
return rc;
/* require ptrace target be a child of ptracer on attach */
- if (mode == PTRACE_MODE_ATTACH) {
+ if (mode & PTRACE_MODE_ATTACH) {
switch (ptrace_scope) {
case YAMA_SCOPE_DISABLED:
/* No additional restrictions. */
@@ -318,7 +318,7 @@ int yama_ptrace_access_check(struct task
}
}
- if (rc) {
+ if (rc && (mode & PTRACE_MODE_NOAUDIT) == 0) {
printk_ratelimited(KERN_NOTICE
"ptrace of pid %d was attempted by: %s (pid %d)\n",
child->pid, current->comm, current->pid);
[PATCH 3.16 147/204] ip6_gre: only increase err_count for some certain type icmpv6 in ip6gre_err
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Xin Long
commit f8d20b46ce55cf40afb30dcef6d9288f7ef46d9b upstream.
The similar fix in patch 'ipip: only increase err_count for some
certain type icmp in ipip_err' is needed for ip6gre_err.
In Jianlin's case, udp netperf broke even when receiving a TooBig
icmpv6 packet.
Fixes: c12b395a4664 ("gre: Support GRE over IPv6")
Reported-by: Jianlin Shi
Signed-off-by: Xin Long
Signed-off-by: David S. Miller
Signed-off-by: Ben Hutchings
---
net/ipv6/ip6_gre.c | 11 +++
1 file changed, 7 insertions(+), 4 deletions(-)
--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -406,13 +406,16 @@ static void ip6gre_err(struct sk_buff *s
case ICMPV6_DEST_UNREACH:
net_dbg_ratelimited("%s: Path to destination invalid or
inactive!\n",
t->parms.name);
- break;
+ if (code != ICMPV6_PORT_UNREACH)
+ break;
+ return;
case ICMPV6_TIME_EXCEED:
if (code == ICMPV6_EXC_HOPLIMIT) {
net_dbg_ratelimited("%s: Too small hop limit or routing
loop in tunnel!\n",
t->parms.name);
+ break;
}
- break;
+ return;
case ICMPV6_PARAMPROB:
teli = 0;
if (code == ICMPV6_HDR_FIELD)
@@ -428,13 +431,13 @@ static void ip6gre_err(struct sk_buff *s
net_dbg_ratelimited("%s: Recipient unable to parse
tunneled packet!\n",
t->parms.name);
}
- break;
+ return;
case ICMPV6_PKT_TOOBIG:
mtu = be32_to_cpu(info) - offset;
if (mtu < IPV6_MIN_MTU)
mtu = IPV6_MIN_MTU;
t->dev->mtu = mtu;
- break;
+ return;
}
if (time_before(jiffies, t->err_time + IP6TUNNEL_ERR_TIMEO))
[PATCH 3.16 089/204] mm/memory_hotplug: change pfn_to_section_nr/section_nr_to_pfn macro to inline function
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: YASUAKI ISHIMATSU
commit 1dd2bfc86818ddbc95f98e312e7704350223fd7d upstream.
pfn_to_section_nr() and section_nr_to_pfn() are defined as macro.
pfn_to_section_nr() has no issue even if it is defined as macro. But
section_nr_to_pfn() has overflow issue if sec is defined as int.
section_nr_to_pfn() just shifts sec by PFN_SECTION_SHIFT. If sec is
defined as unsigned long, section_nr_to_pfn() returns pfn as 64 bit value.
But if sec is defined as int, section_nr_to_pfn() returns pfn as 32 bit
value.
__remove_section() calculates start_pfn using section_nr_to_pfn() and
scn_nr defined as int. So if hot-removed memory address is over 16TB,
overflow issue occurs and section_nr_to_pfn() does not calculate correct
pfn.
To make callers use proper arg, the patch changes the macros to inline
functions.
Fixes: 815121d2b5cd ("memory_hotplug: clear zone when removing the memory")
Link: http://lkml.kernel.org/r/e643a387-e573-6bbf-d418-c60c8ee3d...@gmail.com
Signed-off-by: Yasuaki Ishimatsu
Acked-by: Michal Hocko
Cc: Xishi Qiu
Cc: Reza Arbab
Cc: Vlastimil Babka
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
Signed-off-by: Ben Hutchings
---
include/linux/mmzone.h | 10 --
mm/memory_hotplug.c| 2 +-
2 files changed, 9 insertions(+), 3 deletions(-)
--- a/include/linux/mmzone.h
+++ b/include/linux/mmzone.h
@@ -1094,8 +1094,14 @@ static inline unsigned long early_pfn_to
#error Allocator MAX_ORDER exceeds SECTION_SIZE
#endif
-#define pfn_to_section_nr(pfn) ((pfn) >> PFN_SECTION_SHIFT)
-#define section_nr_to_pfn(sec) ((sec) << PFN_SECTION_SHIFT)
+static inline unsigned long pfn_to_section_nr(unsigned long pfn)
+{
+ return pfn >> PFN_SECTION_SHIFT;
+}
+static inline unsigned long section_nr_to_pfn(unsigned long sec)
+{
+ return sec << PFN_SECTION_SHIFT;
+}
#define SECTION_ALIGN_UP(pfn) (((pfn) + PAGES_PER_SECTION - 1) &
PAGE_SECTION_MASK)
#define SECTION_ALIGN_DOWN(pfn)((pfn) & PAGE_SECTION_MASK)
--- a/mm/memory_hotplug.c
+++ b/mm/memory_hotplug.c
@@ -735,7 +735,7 @@ static int __remove_section(struct zone
return ret;
scn_nr = __section_nr(ms);
- start_pfn = section_nr_to_pfn(scn_nr);
+ start_pfn = section_nr_to_pfn((unsigned long)scn_nr);
__remove_zone(zone, start_pfn);
sparse_remove_one_section(zone, ms);
Re: [PATCH 2/7] watchdog: jz4740: Use devm_* functions
On 12/28/2017 08:29 AM, Paul Cercueil wrote:
- Use devm_clk_get instead of clk_get
- Use devm_watchdog_register_device instead of watchdog_register_device
Signed-off-by: Paul Cercueil
---
drivers/watchdog/jz4740_wdt.c | 27 ---
1 file changed, 8 insertions(+), 19 deletions(-)
diff --git a/drivers/watchdog/jz4740_wdt.c b/drivers/watchdog/jz4740_wdt.c
index 6955deb100ef..92d6ca8ceb49 100644
--- a/drivers/watchdog/jz4740_wdt.c
+++ b/drivers/watchdog/jz4740_wdt.c
@@ -178,40 +178,29 @@ static int jz4740_wdt_probe(struct platform_device *pdev)
res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
drvdata->base = devm_ioremap_resource(&pdev->dev, res);
- if (IS_ERR(drvdata->base)) {
- ret = PTR_ERR(drvdata->base);
- goto err_out;
- }
+ if (IS_ERR(drvdata->base))
+ return PTR_ERR(drvdata->base);
- drvdata->rtc_clk = clk_get(&pdev->dev, "rtc");
+ drvdata->rtc_clk = devm_clk_get(&pdev->dev, "rtc");
if (IS_ERR(drvdata->rtc_clk)) {
dev_err(&pdev->dev, "cannot find RTC clock\n");
- ret = PTR_ERR(drvdata->rtc_clk);
- goto err_out;
+ return PTR_ERR(drvdata->rtc_clk);
}
- ret = watchdog_register_device(&drvdata->wdt);
+ ret = devm_watchdog_register_device(&pdev->dev, &drvdata->wdt);
if (ret < 0)
- goto err_disable_clk;
+ return ret;
platform_set_drvdata(pdev, drvdata);
- return 0;
-err_disable_clk:
- clk_put(drvdata->rtc_clk);
-err_out:
- return ret;
+ return 0;
}
static int jz4740_wdt_remove(struct platform_device *pdev)
{
struct jz4740_wdt_drvdata *drvdata = platform_get_drvdata(pdev);
- jz4740_wdt_stop(&drvdata->wdt);
- watchdog_unregister_device(&drvdata->wdt);
- clk_put(drvdata->rtc_clk);
-
- return 0;
+ return jz4740_wdt_stop(&drvdata->wdt);
If the watchdog is running, the module can not be unloaded. Even if that wasn't
the case, this defeats both WDIOF_MAGICCLOSE and watchdog_set_nowayout().
Are you sure this is what you want ? If so, please call
watchdog_stop_on_unregister() before registration; this clarifies that this
is what you want, and you can drop the remove function.
Thanks,
Guenter
}
static struct platform_driver jz4740_wdt_driver = {
[PATCH 3.16 100/204] more bio_map_user_iov() leak fixes
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Al Viro
commit 2b04e8f6bbb196cab4b232af0f8d48ff2c7a8058 upstream.
we need to take care of failure exit as well - pages already
in bio should be dropped by analogue of bio_unmap_pages(),
since their refcounts had been bumped only once per reference
in bio.
Signed-off-by: Al Viro
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings
---
block/bio.c | 14 +-
1 file changed, 9 insertions(+), 5 deletions(-)
--- a/block/bio.c
+++ b/block/bio.c
@@ -1286,6 +1286,7 @@ static struct bio *__bio_map_user_iov(st
struct bio *bio;
int cur_page = 0;
int ret, offset;
+ struct bio_vec *bvec;
for (i = 0; i < iov_count; i++) {
unsigned long uaddr = (unsigned long)iov[i].iov_base;
@@ -1329,7 +1330,12 @@ static struct bio *__bio_map_user_iov(st
ret = get_user_pages_fast(uaddr, local_nr_pages,
write_to_vm, &pages[cur_page]);
- if (ret < local_nr_pages) {
+ if (unlikely(ret < local_nr_pages)) {
+ for (j = cur_page; j < page_limit; j++) {
+ if (!pages[j])
+ break;
+ put_page(pages[j]);
+ }
ret = -EFAULT;
goto out_unmap;
}
@@ -1384,10 +1390,8 @@ static struct bio *__bio_map_user_iov(st
return bio;
out_unmap:
- for (i = 0; i < nr_pages; i++) {
- if(!pages[i])
- break;
- page_cache_release(pages[i]);
+ bio_for_each_segment_all(bvec, bio, j) {
+ put_page(bvec->bv_page);
}
out:
kfree(pages);
[PATCH 3.16 081/204] ALSA: usx2y: Suppress kernel warning at page allocation failures
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Takashi Iwai
commit 7682e399485fe19622b6fd82510b1f4551e48a25 upstream.
The usx2y driver allocates the stream read/write buffers in continuous
pages depending on the stream setup, and this may spew the kernel
warning messages with a stack trace like:
WARNING: CPU: 1 PID: 1846 at mm/page_alloc.c:3883
__alloc_pages_slowpath+0x1ef2/0x2d70
Modules linked in:
CPU: 1 PID: 1846 Comm: kworker/1:2 Not tainted
It may confuse user as if it were any serious error, although this is
no fatal error and the driver handles the error case gracefully.
Since the driver has already some sanity check of the given size (128
and 256 pages), it can't pass any crazy value. So it's merely page
fragmentation.
This patch adds __GFP_NOWARN to each caller for suppressing such
kernel warnings. The original issue was spotted by syzkaller.
Reported-by: Andrey Konovalov
Tested-by: Andrey Konovalov
Signed-off-by: Takashi Iwai
Signed-off-by: Ben Hutchings
---
sound/usb/usx2y/usb_stream.c | 6 --
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/sound/usb/usx2y/usb_stream.c
+++ b/sound/usb/usx2y/usb_stream.c
@@ -191,7 +191,8 @@ struct usb_stream *usb_stream_new(struct
}
pg = get_order(read_size);
- sk->s = (void *) __get_free_pages(GFP_KERNEL|__GFP_COMP|__GFP_ZERO, pg);
+ sk->s = (void *) __get_free_pages(GFP_KERNEL|__GFP_COMP|__GFP_ZERO|
+ __GFP_NOWARN, pg);
if (!sk->s) {
snd_printk(KERN_WARNING "couldn't __get_free_pages()\n");
goto out;
@@ -211,7 +212,8 @@ struct usb_stream *usb_stream_new(struct
pg = get_order(write_size);
sk->write_page =
- (void *)__get_free_pages(GFP_KERNEL|__GFP_COMP|__GFP_ZERO, pg);
+ (void *)__get_free_pages(GFP_KERNEL|__GFP_COMP|__GFP_ZERO|
+__GFP_NOWARN, pg);
if (!sk->write_page) {
snd_printk(KERN_WARNING "couldn't __get_free_pages()\n");
usb_stream_free(sk);
[PATCH 3.16 042/204] iio: ad_sigma_delta: Implement a dedicated reset function
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Dragos Bogdan
commit 7fc10de8d49a748c476532c9d8e8fe19e548dd67 upstream.
Since most of the SD ADCs have the option of reseting the serial
interface by sending a number of SCLKs with CS = 0 and DIN = 1,
a dedicated function that can do this is usefull.
Needed for the patch: iio: ad7793: Fix the serial interface reset
Signed-off-by: Dragos Bogdan
Acked-by: Lars-Peter Clausen
Signed-off-by: Jonathan Cameron
Signed-off-by: Ben Hutchings
---
drivers/iio/adc/ad_sigma_delta.c | 28
include/linux/iio/adc/ad_sigma_delta.h | 3 +++
2 files changed, 31 insertions(+)
--- a/drivers/iio/adc/ad_sigma_delta.c
+++ b/drivers/iio/adc/ad_sigma_delta.c
@@ -177,6 +177,34 @@ out:
}
EXPORT_SYMBOL_GPL(ad_sd_read_reg);
+/**
+ * ad_sd_reset() - Reset the serial interface
+ *
+ * @sigma_delta: The sigma delta device
+ * @reset_length: Number of SCLKs with DIN = 1
+ *
+ * Returns 0 on success, an error code otherwise.
+ **/
+int ad_sd_reset(struct ad_sigma_delta *sigma_delta,
+ unsigned int reset_length)
+{
+ uint8_t *buf;
+ unsigned int size;
+ int ret;
+
+ size = DIV_ROUND_UP(reset_length, 8);
+ buf = kcalloc(size, sizeof(*buf), GFP_KERNEL);
+ if (!buf)
+ return -ENOMEM;
+
+ memset(buf, 0xff, size);
+ ret = spi_write(sigma_delta->spi, buf, size);
+ kfree(buf);
+
+ return ret;
+}
+EXPORT_SYMBOL_GPL(ad_sd_reset);
+
static int ad_sd_calibrate(struct ad_sigma_delta *sigma_delta,
unsigned int mode, unsigned int channel)
{
--- a/include/linux/iio/adc/ad_sigma_delta.h
+++ b/include/linux/iio/adc/ad_sigma_delta.h
@@ -111,6 +111,9 @@ int ad_sd_write_reg(struct ad_sigma_delt
int ad_sd_read_reg(struct ad_sigma_delta *sigma_delta, unsigned int reg,
unsigned int size, unsigned int *val);
+int ad_sd_reset(struct ad_sigma_delta *sigma_delta,
+ unsigned int reset_length);
+
int ad_sigma_delta_single_conversion(struct iio_dev *indio_dev,
const struct iio_chan_spec *chan, int *val);
int ad_sd_calibrate_all(struct ad_sigma_delta *sigma_delta,
[PATCH 3.16 146/204] ip6_gre: Reduce log level in ip6gre_err() to debug
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Matt Bennett
commit a46496ce38eeb401344d5623c1960dbf2f1769be upstream.
Currently error log messages in ip6gre_err are printed at 'warn'
level. This is different to most other tunnel types which don't
print any messages. These log messages don't provide any information
that couldn't be deduced with networking tools. Also it can be annoying
to have one end of the tunnel go down and have the logs fill with
pointless messages such as "Path to destination invalid or inactive!".
This patch reduces the log level of these messages to 'dbg' level to
bring the visible behaviour into line with other tunnel types.
Signed-off-by: Matt Bennett
Signed-off-by: David S. Miller
Signed-off-by: Ben Hutchings
---
net/ipv6/ip6_gre.c | 16
1 file changed, 8 insertions(+), 8 deletions(-)
--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -404,13 +404,13 @@ static void ip6gre_err(struct sk_buff *s
struct ipv6_tlv_tnl_enc_lim *tel;
__u32 mtu;
case ICMPV6_DEST_UNREACH:
- net_warn_ratelimited("%s: Path to destination invalid or
inactive!\n",
-t->parms.name);
+ net_dbg_ratelimited("%s: Path to destination invalid or
inactive!\n",
+ t->parms.name);
break;
case ICMPV6_TIME_EXCEED:
if (code == ICMPV6_EXC_HOPLIMIT) {
- net_warn_ratelimited("%s: Too small hop limit or
routing loop in tunnel!\n",
-t->parms.name);
+ net_dbg_ratelimited("%s: Too small hop limit or routing
loop in tunnel!\n",
+ t->parms.name);
}
break;
case ICMPV6_PARAMPROB:
@@ -421,12 +421,12 @@ static void ip6gre_err(struct sk_buff *s
if (teli && teli == be32_to_cpu(info) - 2) {
tel = (struct ipv6_tlv_tnl_enc_lim *) &skb->data[teli];
if (tel->encap_limit == 0) {
- net_warn_ratelimited("%s: Too small
encapsulation limit or routing loop in tunnel!\n",
-t->parms.name);
+ net_dbg_ratelimited("%s: Too small
encapsulation limit or routing loop in tunnel!\n",
+ t->parms.name);
}
} else {
- net_warn_ratelimited("%s: Recipient unable to parse
tunneled packet!\n",
-t->parms.name);
+ net_dbg_ratelimited("%s: Recipient unable to parse
tunneled packet!\n",
+ t->parms.name);
}
break;
case ICMPV6_PKT_TOOBIG:
[PATCH 3.16 039/204] IB/ocrdma: fix incorrect fall-through on switch statement
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Colin Ian King
commit 06564f60859bdf7e73d70ae35d7e285e96ae9c46 upstream.
In the case where mbox_status is OCRDMA_MBX_STATUS_FAILED and
add_status is OCRDMA_MBX_STATUS_FAILED err_num is assigned -EAGAIN
however the case OCRDMA_MBX_STATUS_FAILED is missing a break and
falls through to the default case which then re-assigns err_num
to -EFAULT. Fix this so that err_num is assigned to -EAGAIN
for the add_status OCRDMA_MBX_STATUS_FAILED case and -EFAULT
otherwise.
Detected by CoverityScan CID#703125 ("Missing break in switch")
Fixes: fe2caefcdf58 ("RDMA/ocrdma: Add driver for Emulex OneConnect IBoE RDMA
adapter")
Signed-off-by: Colin Ian King
Reviewed-by: Leon Romanovsky
Signed-off-by: Doug Ledford
Signed-off-by: Ben Hutchings
---
drivers/infiniband/hw/ocrdma/ocrdma_hw.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/infiniband/hw/ocrdma/ocrdma_hw.c
+++ b/drivers/infiniband/hw/ocrdma/ocrdma_hw.c
@@ -235,7 +235,10 @@ static int ocrdma_get_mbx_errno(u32 stat
case OCRDMA_MBX_ADDI_STATUS_INSUFFICIENT_RESOURCES:
err_num = -EAGAIN;
break;
+ default:
+ err_num = -EFAULT;
}
+ break;
default:
err_num = -EFAULT;
}
[PATCH 3.16 077/204] udp: perform source validation for mcast early demux
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Paolo Abeni
commit bc044e8db7962e727a75b591b9851ff2ac5cf846 upstream.
The UDP early demux can leverate the rx dst cache even for
multicast unconnected sockets.
In such scenario the ipv4 source address is validated only on
the first packet in the given flow. After that, when we fetch
the dst entry from the socket rx cache, we stop enforcing
the rp_filter and we even start accepting any kind of martian
addresses.
Disabling the dst cache for unconnected multicast socket will
cause large performace regression, nearly reducing by half the
max ingress tput.
Instead we factor out a route helper to completely validate an
skb source address for multicast packets and we call it from
the UDP early demux for mcast packets landing on unconnected
sockets, after successful fetching the related cached dst entry.
This still gives a measurable, but limited performance
regression:
rp_filter = 0 rp_filter = 1
edmux disabled: 1182 Kpps 1127 Kpps
edmux before: 2238 Kpps 2238 Kpps
edmux after:2037 Kpps 2019 Kpps
The above figures are on top of current net tree.
Applying the net-next commit 6e617de84e87 ("net: avoid a full
fib lookup when rp_filter is disabled.") the delta with
rp_filter == 0 will decrease even more.
Fixes: 421b3885bf6d ("udp: ipv4: Add udp early demux")
Signed-off-by: Paolo Abeni
Signed-off-by: David S. Miller
Signed-off-by: Ben Hutchings
---
include/net/route.h | 4 +++-
net/ipv4/route.c| 46 ++
net/ipv4/udp.c | 13 -
3 files changed, 41 insertions(+), 22 deletions(-)
--- a/include/net/route.h
+++ b/include/net/route.h
@@ -159,7 +159,9 @@ static inline struct rtable *ip_route_ou
fl4->fl4_gre_key = gre_key;
return ip_route_output_key(net, fl4);
}
-
+int ip_mc_validate_source(struct sk_buff *skb, __be32 daddr, __be32 saddr,
+ u8 tos, struct net_device *dev,
+ struct in_device *in_dev, u32 *itag);
int ip_route_input_noref(struct sk_buff *skb, __be32 dst, __be32 src,
u8 tos, struct net_device *devin);
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -1440,40 +1440,53 @@ static struct rtable *rt_dst_alloc(struc
}
/* called in rcu_read_lock() section */
-static int ip_route_input_mc(struct sk_buff *skb, __be32 daddr, __be32 saddr,
- u8 tos, struct net_device *dev, int our)
+int ip_mc_validate_source(struct sk_buff *skb, __be32 daddr, __be32 saddr,
+ u8 tos, struct net_device *dev,
+ struct in_device *in_dev, u32 *itag)
{
- struct rtable *rth;
- struct in_device *in_dev = __in_dev_get_rcu(dev);
- u32 itag = 0;
int err;
/* Primary sanity checks. */
-
if (in_dev == NULL)
return -EINVAL;
if (ipv4_is_multicast(saddr) || ipv4_is_lbcast(saddr) ||
skb->protocol != htons(ETH_P_IP))
- goto e_inval;
+ return -EINVAL;
if (likely(!IN_DEV_ROUTE_LOCALNET(in_dev)))
if (ipv4_is_loopback(saddr))
- goto e_inval;
+ return -EINVAL;
if (ipv4_is_zeronet(saddr)) {
if (!ipv4_is_local_multicast(daddr))
- goto e_inval;
+ return -EINVAL;
} else {
err = fib_validate_source(skb, saddr, 0, tos, 0, dev,
- in_dev, &itag);
+ in_dev, itag);
if (err < 0)
- goto e_err;
+ return err;
}
+ return 0;
+}
+
+/* called in rcu_read_lock() section */
+static int ip_route_input_mc(struct sk_buff *skb, __be32 daddr, __be32 saddr,
+u8 tos, struct net_device *dev, int our)
+{
+ struct in_device *in_dev = __in_dev_get_rcu(dev);
+ struct rtable *rth;
+ u32 itag = 0;
+ int err;
+
+ err = ip_mc_validate_source(skb, daddr, saddr, tos, dev, in_dev, &itag);
+ if (err)
+ return err;
+
rth = rt_dst_alloc(dev_net(dev)->loopback_dev,
IN_DEV_CONF_GET(in_dev, NOPOLICY), false, false);
if (!rth)
- goto e_nobufs;
+ return -ENOBUFS;
#ifdef CONFIG_IP_ROUTE_CLASSID
rth->dst.tclassid = itag;
@@ -1502,13 +1515,6 @@ static int ip_route_input_mc(struct sk_b
skb_dst_set(skb, &rth->dst);
return 0;
-
-e_nobufs:
- return -ENOBUFS;
-e_inval:
- return -EINVAL;
-e_err:
- return err;
}
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -1953,6 +1953,7 @@ static struct sock *__udp4_lib_demux_loo
int udp_v4_early_demux(struct sk_buff *skb)
{
struct
Re: PROBLEM: 4.15.0-rc3 APIC causes lockups on Core 2 Duo laptop
No; it seems to be tied to this specific issue, and I was seeing even before getting logs just now, whenever I'd start one of the bad kernels in recovery mode. But no, I've never seen that in any other logs, or on any other screens outside of those popping up in relation to this problem. On Thu, Dec 28, 2017 at 06:29:05PM +0100, Thomas Gleixner wrote: > On Thu, 28 Dec 2017, Alexandru Chirvasitu wrote: > > On Thu, Dec 28, 2017 at 05:10:28PM +0100, Thomas Gleixner wrote: > > > On Thu, 28 Dec 2017, Alexandru Chirvasitu wrote: > > > > Actually, it decided to cooperate for just long enough for me to get > > > > the dmesg out. Attached. > > > > > > > > This is from the kernel you asked about: Dou's patch + yours, i.e. the > > > > latest one in that git log I just sent, booted up with 'apic=debug'. > > > > > > Ok. As I suspected that warning does not trigger. I would have been > > > massively surprised if that happened. So Dou's patch is just a red herring > > > and just might change the timing enough to make the problem 'hide'. > > > > > > Can you try something completely different please? > > > > > > Just use plain Linus tree without any additional patches on top and > > > disable > > > CONFIG_NO_HZ_IDLE, i.e. select CONFIG_HZ_PERIODIC. > > > > > > If that works, then reenable it and add 'nohz=off' to the kernel command > > > line. > > > > > > > No go here I'm afraid: > > > > Linus' clean 4.15-rc5 compiled with CONFIG_HZ_PERIODIC exhibits the > > familiar behaviour: lockups, sometimes instant upon trying to log in, > > sometimes logging me in and freaking out seconds later. > > Ok. So it's not the issue I had in mind. > > Back to some of the interesting bits in the logs: > > [ 36.017942] spurious APIC interrupt through vector ff on CPU#0, should > never happen. > > Does that message ever show up in 4.14 or 4.9? > > Thanks, > > tglx
[PATCH 3.16 072/204] sched/sysctl: Check user input value of sysctl_sched_time_avg
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Ethan Zhao
commit 5ccba44ba118a500050076b0344632459779 upstream.
System will hang if user set sysctl_sched_time_avg to 0:
[root@XXX ~]# sysctl kernel.sched_time_avg_ms=0
Stack traceback for pid 0
0x883f6406c600 0 0 1 3 R 0x883f6406cf50 *swapper/3
883f7ccc3ae8 0018 810c4dd0
00017800 883f7ccc3d78 0003 883f7ccc3bf8
810c4fc9 883f7ccc3c08 810c5043 883f7ccc3c08
Call Trace:
[] ? update_group_capacity+0x110/0x200
[] ? update_sd_lb_stats+0x109/0x600
[] ? find_busiest_group+0x47/0x530
[] ? load_balance+0x194/0x900
[] ? update_rq_clock.part.83+0x1a/0xe0
[] ? rebalance_domains+0x152/0x290
[] ? run_rebalance_domains+0xdc/0x1d0
[] ? __do_softirq+0xfb/0x320
[] ? irq_exit+0x125/0x130
[] ? scheduler_ipi+0x97/0x160
[] ? smp_reschedule_interrupt+0x29/0x30
[] ? reschedule_interrupt+0x6e/0x80
[] ? cpuidle_enter_state+0xcc/0x230
[] ? cpuidle_enter_state+0x9c/0x230
[] ? cpuidle_enter+0x17/0x20
[] ? cpu_startup_entry+0x38c/0x420
[] ? start_secondary+0x173/0x1e0
Because divide-by-zero error happens in function:
update_group_capacity()
update_cpu_capacity()
scale_rt_capacity()
{
...
total = sched_avg_period() + delta;
used = div_u64(avg, total);
...
}
To fix this issue, check user input value of sysctl_sched_time_avg, keep
it unchanged when hitting invalid input, and set the minimum limit of
sysctl_sched_time_avg to 1 ms.
Reported-by: James Puthukattukaran
Signed-off-by: Ethan Zhao
Signed-off-by: Peter Zijlstra (Intel)
Cc: Linus Torvalds
Cc: Peter Zijlstra
Cc: Thomas Gleixner
Cc: efa...@gmx.de
Cc: ethan.ker...@gmail.com
Cc: keesc...@chromium.org
Cc: mcg...@kernel.org
Link:
http://lkml.kernel.org/r/1504504774-18253-1-git-send-email-ethan.z...@oracle.com
Signed-off-by: Ingo Molnar
Signed-off-by: Ben Hutchings
---
kernel/sysctl.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -342,7 +342,8 @@ static struct ctl_table kern_table[] = {
.data = &sysctl_sched_time_avg,
.maxlen = sizeof(unsigned int),
.mode = 0644,
- .proc_handler = proc_dointvec,
+ .proc_handler = proc_dointvec_minmax,
+ .extra1 = &one,
},
{
.procname = "sched_shares_window_ns",
[PATCH 3.16 116/204] l2tp: check ps->sock before running pppol2tp_session_ioctl()
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Guillaume Nault
commit 5903f594935a3841137c86b9d5b75143a5b7121c upstream.
When pppol2tp_session_ioctl() is called by pppol2tp_tunnel_ioctl(),
the session may be unconnected. That is, it was created by
pppol2tp_session_create() and hasn't been connected with
pppol2tp_connect(). In this case, ps->sock is NULL, so we need to check
for this case in order to avoid dereferencing a NULL pointer.
Fixes: 309795f4bec2 ("l2tp: Add netlink control API for L2TP")
Signed-off-by: Guillaume Nault
Signed-off-by: David S. Miller
Signed-off-by: Ben Hutchings
---
net/l2tp/l2tp_ppp.c | 3 +++
1 file changed, 3 insertions(+)
--- a/net/l2tp/l2tp_ppp.c
+++ b/net/l2tp/l2tp_ppp.c
@@ -1007,6 +1007,9 @@ static int pppol2tp_session_ioctl(struct
session->name, cmd, arg);
sk = ps->sock;
+ if (!sk)
+ return -EBADR;
+
sock_hold(sk);
switch (cmd) {
[PATCH 3.16 132/204] arm/arm64: KVM: set right LR register value for 32 bit guest when inject abort
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Dongjiu Geng
commit fd6c8c206fc5d0717b0433b191de0715122f33bb upstream.
When a exception is trapped to EL2, hardware uses ELR_ELx to hold
the current fault instruction address. If KVM wants to inject a
abort to 32 bit guest, it needs to set the LR register for the
guest to emulate this abort happened in the guest. Because ARM32
architecture is pipelined execution, so the LR value has an offset to
the fault instruction address.
The offsets applied to Link value for exceptions as shown below,
which should be added for the ARM32 link register(LR).
Table taken from ARMv8 ARM DDI0487B-B, table G1-10:
Exception Offset, for PE state of:
A32 T32
Undefined Instruction +4+2
Prefetch Abort +4+4
Data Abort +8+8
IRQ or FIQ +4+4
[ Removed unused variables in inject_abt to avoid compile warnings.
-- Christoffer ]
Signed-off-by: Dongjiu Geng
Tested-by: Haibin Zhang
Reviewed-by: Marc Zyngier
Signed-off-by: Christoffer Dall
[bwh: Backported to 3.16:
- Don't delete cpsr variable in inject_abt() as it's still needed
- Adjust context]
Signed-off-by: Ben Hutchings
---
--- a/arch/arm/kvm/emulate.c
+++ b/arch/arm/kvm/emulate.c
@@ -295,7 +295,7 @@ void kvm_inject_undefined(struct kvm_vcp
u32 return_offset = (is_thumb) ? 2 : 4;
new_spsr_value = cpsr;
- new_lr_value = *vcpu_pc(vcpu) - return_offset;
+ new_lr_value = *vcpu_pc(vcpu) + return_offset;
*vcpu_cpsr(vcpu) = (cpsr & ~MODE_MASK) | UND_MODE;
*vcpu_cpsr(vcpu) |= PSR_I_BIT;
@@ -324,9 +324,8 @@ static void inject_abt(struct kvm_vcpu *
unsigned long new_spsr_value;
unsigned long cpsr = *vcpu_cpsr(vcpu);
u32 sctlr = vcpu->arch.cp15[c1_SCTLR];
- bool is_thumb = (cpsr & PSR_T_BIT);
u32 vect_offset;
- u32 return_offset = (is_thumb) ? 4 : 0;
+ u32 return_offset = (is_pabt) ? 4 : 8;
bool is_lpae;
new_spsr_value = cpsr;
--- a/arch/arm64/kvm/inject_fault.c
+++ b/arch/arm64/kvm/inject_fault.c
@@ -29,12 +29,26 @@
PSR_I_BIT | PSR_D_BIT)
#define EL1_EXCEPT_SYNC_OFFSET 0x200
+/*
+ * Table taken from ARMv8 ARM DDI0487B-B, table G1-10.
+ */
+static const u8 return_offsets[8][2] = {
+ [0] = { 0, 0 }, /* Reset, unused */
+ [1] = { 4, 2 }, /* Undefined */
+ [2] = { 0, 0 }, /* SVC, unused */
+ [3] = { 4, 4 }, /* Prefetch abort */
+ [4] = { 8, 8 }, /* Data abort */
+ [5] = { 0, 0 }, /* HVC, unused */
+ [6] = { 4, 4 }, /* IRQ, unused */
+ [7] = { 4, 4 }, /* FIQ, unused */
+};
+
static void prepare_fault32(struct kvm_vcpu *vcpu, u32 mode, u32 vect_offset)
{
unsigned long cpsr;
unsigned long new_spsr_value = *vcpu_cpsr(vcpu);
bool is_thumb = (new_spsr_value & COMPAT_PSR_T_BIT);
- u32 return_offset = (is_thumb) ? 4 : 0;
+ u32 return_offset = return_offsets[vect_offset >> 2][is_thumb];
u32 sctlr = vcpu_cp15(vcpu, c1_SCTLR);
cpsr = mode | COMPAT_PSR_I_BIT;
[PATCH 3.16 123/204] usb: quirks: add quirk for WORLDE MINI MIDI keyboard
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Felipe Balbi
commit 2811501e6d8f5747d08f8e25b9ecf472d0dc4c7d upstream.
This keyboard doesn't implement Get String descriptors properly even
though string indexes are valid. What happens is that when requesting
for the String descriptor, the device disconnects and
reconnects. Without this quirk, this loop will continue forever.
Cc: Alan Stern
Reported-by: Владимир Мартьянов
Signed-off-by: Felipe Balbi
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Ben Hutchings
---
drivers/usb/core/quirks.c | 4
1 file changed, 4 insertions(+)
--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -218,6 +218,10 @@ static const struct usb_device_id usb_qu
/* Corsair Strafe RGB */
{ USB_DEVICE(0x1b1c, 0x1b20), .driver_info = USB_QUIRK_DELAY_INIT },
+ /* MIDI keyboard WORLDE MINI */
+ { USB_DEVICE(0x1c75, 0x0204), .driver_info =
+ USB_QUIRK_CONFIG_INTF_STRINGS },
+
/* Acer C120 LED Projector */
{ USB_DEVICE(0x1de1, 0xc102), .driver_info = USB_QUIRK_NO_LPM },
[PATCH 3.16 125/204] x86/microcode/intel: Disable late loading on model 79
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Borislav Petkov
commit 723f2828a98c8ca19842042f418fb30dd8cfc0f7 upstream.
Blacklist Broadwell X model 79 for late loading due to an erratum.
Signed-off-by: Borislav Petkov
Acked-by: Tony Luck
Cc: Linus Torvalds
Cc: Peter Zijlstra
Cc: Thomas Gleixner
Link: http://lkml.kernel.org/r/20171018111225.25635-1...@alien8.de
Signed-off-by: Ingo Molnar
[bwh: Backported to 3.16: substitute literal value for INTEL_FAM6_BROADWELL_X]
Signed-off-by: Ben Hutchings
---
--- a/arch/x86/kernel/cpu/microcode/intel.c
+++ b/arch/x86/kernel/cpu/microcode/intel.c
@@ -267,6 +267,18 @@ static int get_ucode_fw(void *to, const
return 0;
}
+static bool is_blacklisted(unsigned int cpu)
+{
+ struct cpuinfo_x86 *c = &cpu_data(cpu);
+
+ if (c->x86 == 6 && c->x86_model == 0x4F) {
+ pr_err_once("late loading on model 79 is disabled.\n");
+ return true;
+ }
+
+ return false;
+}
+
static enum ucode_state request_microcode_fw(int cpu, struct device *device,
bool refresh_fw)
{
@@ -275,6 +287,9 @@ static enum ucode_state request_microcod
const struct firmware *firmware;
enum ucode_state ret;
+ if (is_blacklisted(cpu))
+ return UCODE_NFOUND;
+
sprintf(name, "intel-ucode/%02x-%02x-%02x",
c->x86, c->x86_model, c->x86_mask);
@@ -299,6 +314,9 @@ static int get_ucode_user(void *to, cons
static enum ucode_state
request_microcode_user(int cpu, const void __user *buf, size_t size)
{
+ if (is_blacklisted(cpu))
+ return UCODE_NFOUND;
+
return generic_load_microcode(cpu, (void *)buf, size, &get_ucode_user);
}
[PATCH 3.2 69/94] tcp: fix tcp_mtu_probe() vs highest_sack
3.2.97-rc1 review patch. If anyone has any objections, please let me know.
--
From: Eric Dumazet
commit 2b7cda9c35d3b940eb9ce74b30bbd5eb30db493d upstream.
Based on SNMP values provided by Roman, Yuchung made the observation
that some crashes in tcp_sacktag_walk() might be caused by MTU probing.
Looking at tcp_mtu_probe(), I found that when a new skb was placed
in front of the write queue, we were not updating tcp highest sack.
If one skb is freed because all its content was copied to the new skb
(for MTU probing), then tp->highest_sack could point to a now freed skb.
Bad things would then happen, including infinite loops.
This patch renames tcp_highest_sack_combine() and uses it
from tcp_mtu_probe() to fix the bug.
Note that I also removed one test against tp->sacked_out,
since we want to replace tp->highest_sack regardless of whatever
condition, since keeping a stale pointer to freed skb is a recipe
for disaster.
Fixes: a47e5a988a57 ("[TCP]: Convert highest_sack to sk_buff to allow direct
access")
Signed-off-by: Eric Dumazet
Reported-by: Alexei Starovoitov
Reported-by: Roman Gushchin
Reported-by: Oleksandr Natalenko
Acked-by: Alexei Starovoitov
Acked-by: Neal Cardwell
Acked-by: Yuchung Cheng
Signed-off-by: David S. Miller
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings
---
include/net/tcp.h | 6 +++---
net/ipv4/tcp_output.c | 3 ++-
2 files changed, 5 insertions(+), 4 deletions(-)
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -1394,12 +1394,12 @@ static inline void tcp_highest_sack_rese
tcp_sk(sk)->highest_sack = tcp_write_queue_head(sk);
}
-/* Called when old skb is about to be deleted (to be combined with new skb) */
-static inline void tcp_highest_sack_combine(struct sock *sk,
+/* Called when old skb is about to be deleted and replaced by new skb */
+static inline void tcp_highest_sack_replace(struct sock *sk,
struct sk_buff *old,
struct sk_buff *new)
{
- if (tcp_sk(sk)->sacked_out && (old == tcp_sk(sk)->highest_sack))
+ if (old == tcp_highest_sack(sk))
tcp_sk(sk)->highest_sack = new;
}
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -1676,6 +1676,7 @@ static int tcp_mtu_probe(struct sock *sk
nskb->ip_summed = skb->ip_summed;
tcp_insert_write_queue_before(nskb, skb, sk);
+ tcp_highest_sack_replace(sk, skb, nskb);
len = 0;
tcp_for_write_queue_from_safe(skb, next, sk) {
@@ -1987,7 +1988,7 @@ static void tcp_collapse_retrans(struct
BUG_ON(tcp_skb_pcount(skb) != 1 || tcp_skb_pcount(next_skb) != 1);
- tcp_highest_sack_combine(sk, next_skb, skb);
+ tcp_highest_sack_replace(sk, next_skb, skb);
tcp_unlink_write_queue(next_skb, sk);
[PATCH 3.16 121/204] usb: xhci: Handle error condition in xhci_stop_device()
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Mayank Rana
commit b3207c65dfafae27e7c492cb9188c0dc0eeaf3fd upstream.
xhci_stop_device() calls xhci_queue_stop_endpoint() multiple times
without checking the return value. xhci_queue_stop_endpoint() can
return error if the HC is already halted or unable to queue commands.
This can cause a deadlock condition as xhci_stop_device() would
end up waiting indefinitely for a completion for the command that
didn't get queued. Fix this by checking the return value and bailing
out of xhci_stop_device() in case of error. This patch happens to fix
potential memory leaks of the allocated command structures as well.
Fixes: c311e391a7ef ("xhci: rework command timeout and cancellation,")
Signed-off-by: Mayank Rana
Signed-off-by: Jack Pham
Signed-off-by: Mathias Nyman
Signed-off-by: Greg Kroah-Hartman
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings
---
--- a/drivers/usb/host/xhci-hub.c
+++ b/drivers/usb/host/xhci-hub.c
@@ -293,15 +293,25 @@ static int xhci_stop_device(struct xhci_
GFP_NOWAIT);
if (!command) {
spin_unlock_irqrestore(&xhci->lock, flags);
- xhci_free_command(xhci, cmd);
- return -ENOMEM;
+ ret = -ENOMEM;
+ goto cmd_cleanup;
+ }
+ ret = xhci_queue_stop_endpoint(xhci, command, slot_id,
+ i, suspend);
+ if (ret) {
+ spin_unlock_irqrestore(&xhci->lock, flags);
+ xhci_free_command(xhci, command);
+ goto cmd_cleanup;
}
- xhci_queue_stop_endpoint(xhci, command, slot_id, i,
-suspend);
}
}
- xhci_queue_stop_endpoint(xhci, cmd, slot_id, 0, suspend);
+ ret = xhci_queue_stop_endpoint(xhci, cmd, slot_id, 0, suspend);
+ if (ret) {
+ spin_unlock_irqrestore(&xhci->lock, flags);
+ goto cmd_cleanup;
+ }
+
xhci_ring_cmd_db(xhci);
spin_unlock_irqrestore(&xhci->lock, flags);
@@ -312,6 +322,8 @@ static int xhci_stop_device(struct xhci_
xhci_warn(xhci, "Timeout while waiting for stop endpoint
command\n");
ret = -ETIME;
}
+
+cmd_cleanup:
xhci_free_command(xhci, cmd);
return ret;
}
[PATCH 3.16 117/204] USB: serial: metro-usb: add MS7820 device id
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Johan Hovold
commit 31dc3f819bac28a0990b36510197560258ab7421 upstream.
Add device-id entry for (Honeywell) Metrologic MS7820 bar code scanner.
The device has two interfaces (in this mode?); a vendor-specific
interface with two interrupt endpoints and a second HID interface, which
we do not bind to.
Reported-by: Ladislav Dobrovsky
Tested-by: Ladislav Dobrovsky
Signed-off-by: Johan Hovold
Signed-off-by: Ben Hutchings
---
drivers/usb/serial/metro-usb.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/usb/serial/metro-usb.c
+++ b/drivers/usb/serial/metro-usb.c
@@ -45,6 +45,7 @@ struct metrousb_private {
static const struct usb_device_id id_table[] = {
{ USB_DEVICE(FOCUS_VENDOR_ID, FOCUS_PRODUCT_ID_BI) },
{ USB_DEVICE(FOCUS_VENDOR_ID, FOCUS_PRODUCT_ID_UNI) },
+ { USB_DEVICE_INTERFACE_CLASS(0x0c2e, 0x0730, 0xff) }, /* MS7820 */
{ }, /* Terminating entry. */
};
MODULE_DEVICE_TABLE(usb, id_table);
[PATCH 3.16 105/204] scsi: libiscsi: fix shifting of DID_REQUEUE host byte
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Johannes Thumshirn
commit eef9ffdf9cd39b2986367bc8395e2772bc1284ba upstream.
The SCSI host byte should be shifted left by 16 in order to have
scsi_decide_disposition() do the right thing (.i.e. requeue the
command).
Signed-off-by: Johannes Thumshirn
Fixes: 661134ad3765 ("[SCSI] libiscsi, bnx2i: make bound ep check common")
Cc: Lee Duncan
Cc: Hannes Reinecke
Cc: Bart Van Assche
Cc: Chris Leech
Acked-by: Lee Duncan
Signed-off-by: Martin K. Petersen
Signed-off-by: Ben Hutchings
---
drivers/scsi/libiscsi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/scsi/libiscsi.c
+++ b/drivers/scsi/libiscsi.c
@@ -1727,7 +1727,7 @@ int iscsi_queuecommand(struct Scsi_Host
if (test_bit(ISCSI_SUSPEND_BIT, &conn->suspend_tx)) {
reason = FAILURE_SESSION_IN_RECOVERY;
- sc->result = DID_REQUEUE;
+ sc->result = DID_REQUEUE << 16;
goto fault;
}
[PATCH 3.16 115/204] fs/mpage.c: fix mpage_writepage() for pages with buffers
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Matthew Wilcox
commit f892760aa66a2d657deaf59538fb69433036767c upstream.
When using FAT on a block device which supports rw_page, we can hit
BUG_ON(!PageLocked(page)) in try_to_free_buffers(). This is because we
call clean_buffers() after unlocking the page we've written. Introduce
a new clean_page_buffers() which cleans all buffers associated with a
page and call it from within bdev_write_page().
[a...@linux-foundation.org: s/PAGE_SIZE/~0U/ per Linus and Matthew]
Link: http://lkml.kernel.org/r/20171006211541.ga7...@bombadil.infradead.org
Signed-off-by: Matthew Wilcox
Reported-by: Toshi Kani
Reported-by: OGAWA Hirofumi
Tested-by: Toshi Kani
Acked-by: Johannes Thumshirn
Cc: Ross Zwisler
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings
---
fs/block_dev.c | 6 --
fs/mpage.c | 14 +++---
include/linux/buffer_head.h | 1 +
3 files changed, 16 insertions(+), 5 deletions(-)
--- a/fs/block_dev.c
+++ b/fs/block_dev.c
@@ -419,10 +419,12 @@ int bdev_write_page(struct block_device
return -EOPNOTSUPP;
set_page_writeback(page);
result = ops->rw_page(bdev, sector + get_start_sect(bdev), page, rw);
- if (result)
+ if (result) {
end_page_writeback(page);
- else
+ } else {
+ clean_page_buffers(page);
unlock_page(page);
+ }
return result;
}
EXPORT_SYMBOL_GPL(bdev_write_page);
--- a/fs/mpage.c
+++ b/fs/mpage.c
@@ -457,6 +457,16 @@ static void clean_buffers(struct page *p
try_to_free_buffers(page);
}
+/*
+ * For situations where we want to clean all buffers attached to a page.
+ * We don't need to calculate how many buffers are attached to the page,
+ * we just need to specify a number larger than the maximum number of buffers.
+ */
+void clean_page_buffers(struct page *page)
+{
+ clean_buffers(page, ~0U);
+}
+
static int __mpage_writepage(struct page *page, struct writeback_control *wbc,
void *data)
{
@@ -594,10 +604,8 @@ alloc_new:
if (bio == NULL) {
if (first_unmapped == blocks_per_page) {
if (!bdev_write_page(bdev, blocks[0] << (blkbits - 9),
- page, wbc)) {
- clean_buffers(page, first_unmapped);
+ page, wbc))
goto out;
- }
}
bio = mpage_alloc(bdev, blocks[0] << (blkbits - 9),
bio_get_nr_vecs(bdev), GFP_NOFS|__GFP_HIGH);
--- a/include/linux/buffer_head.h
+++ b/include/linux/buffer_head.h
@@ -222,6 +222,7 @@ int generic_write_end(struct file *, str
loff_t, unsigned, unsigned,
struct page *, void *);
void page_zero_new_buffers(struct page *page, unsigned from, unsigned to);
+void clean_page_buffers(struct page *page);
int cont_write_begin(struct file *, struct address_space *, loff_t,
unsigned, unsigned, struct page **, void **,
get_block_t *, loff_t *);
[PATCH 3.16 101/204] USB: dummy-hcd: Fix deadlock caused by disconnect detection
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Alan Stern
commit ab219221a5064abfff9f78c323c4a257b16cdb81 upstream.
The dummy-hcd driver calls the gadget driver's disconnect callback
under the wrong conditions. It should invoke the callback when Vbus
power is turned off, but instead it does so when the D+ pullup is
turned off.
This can cause a deadlock in the composite core when a gadget driver
is unregistered:
[ 88.361471]
[ 88.362014] WARNING: possible recursive locking detected
[ 88.362580] 4.14.0-rc2+ #9 Not tainted
[ 88.363010]
[ 88.363561] v4l_id/526 is trying to acquire lock:
[ 88.364062] (&(&cdev->lock)->rlock){}, at: []
composite_disconnect+0x43/0x100 [libcomposite]
[ 88.365051]
[ 88.365051] but task is already holding lock:
[ 88.365826] (&(&cdev->lock)->rlock){}, at: []
usb_function_deactivate+0x29/0x80 [libcomposite]
[ 88.366858]
[ 88.366858] other info that might help us debug this:
[ 88.368301] Possible unsafe locking scenario:
[ 88.368301]
[ 88.369304]CPU0
[ 88.369701]
[ 88.370101] lock(&(&cdev->lock)->rlock);
[ 88.370623] lock(&(&cdev->lock)->rlock);
[ 88.371145]
[ 88.371145] *** DEADLOCK ***
[ 88.371145]
[ 88.372211] May be due to missing lock nesting notation
[ 88.372211]
[ 88.373191] 2 locks held by v4l_id/526:
[ 88.373715] #0: (&(&cdev->lock)->rlock){}, at: []
usb_function_deactivate+0x29/0x80 [libcomposite]
[ 88.374814] #1: (&(&dum_hcd->dum->lock)->rlock){}, at:
[] dummy_pullup+0x7d/0xf0 [dummy_hcd]
[ 88.376289]
[ 88.376289] stack backtrace:
[ 88.377726] CPU: 0 PID: 526 Comm: v4l_id Not tainted 4.14.0-rc2+ #9
[ 88.378557] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.10.2-1 04/01/2014
[ 88.379504] Call Trace:
[ 88.380019] dump_stack+0x86/0xc7
[ 88.380605] __lock_acquire+0x841/0x1120
[ 88.381252] lock_acquire+0xd5/0x1c0
[ 88.381865] ? composite_disconnect+0x43/0x100 [libcomposite]
[ 88.382668] _raw_spin_lock_irqsave+0x40/0x54
[ 88.383357] ? composite_disconnect+0x43/0x100 [libcomposite]
[ 88.384290] composite_disconnect+0x43/0x100 [libcomposite]
[ 88.385490] set_link_state+0x2d4/0x3c0 [dummy_hcd]
[ 88.386436] dummy_pullup+0xa7/0xf0 [dummy_hcd]
[ 88.387195] usb_gadget_disconnect+0xd8/0x160 [udc_core]
[ 88.387990] usb_gadget_deactivate+0xd3/0x160 [udc_core]
[ 88.388793] usb_function_deactivate+0x64/0x80 [libcomposite]
[ 88.389628] uvc_function_disconnect+0x1e/0x40 [usb_f_uvc]
This patch changes the code to test the port-power status bit rather
than the port-connect status bit when deciding whether to isue the
callback.
Signed-off-by: Alan Stern
Reported-by: David Tulloh
Signed-off-by: Felipe Balbi
[bwh: Backported to 3.16: adjust filename, context]
Signed-off-by: Ben Hutchings
---
--- a/drivers/usb/gadget/dummy_hcd.c
+++ b/drivers/usb/gadget/dummy_hcd.c
@@ -355,6 +355,7 @@ static void set_link_state_by_speed(stru
static void set_link_state(struct dummy_hcd *dum_hcd)
{
struct dummy *dum = dum_hcd->dum;
+ unsigned int power_bit;
dum_hcd->active = 0;
if (dum->pullup)
@@ -365,19 +366,21 @@ static void set_link_state(struct dummy_
return;
set_link_state_by_speed(dum_hcd);
+ power_bit = (dummy_hcd_to_hcd(dum_hcd)->speed == HCD_USB3 ?
+ USB_SS_PORT_STAT_POWER : USB_PORT_STAT_POWER);
if ((dum_hcd->port_status & USB_PORT_STAT_ENABLE) == 0 ||
dum_hcd->active)
dum_hcd->resuming = 0;
/* if !connected or reset */
- if ((dum_hcd->port_status & USB_PORT_STAT_CONNECTION) == 0 ||
+ if ((dum_hcd->port_status & power_bit) == 0 ||
(dum_hcd->port_status & USB_PORT_STAT_RESET) != 0) {
/*
* We're connected and not reset (reset occurred now),
* and driver attached - disconnect!
*/
- if ((dum_hcd->old_status & USB_PORT_STAT_CONNECTION) != 0 &&
+ if ((dum_hcd->old_status & power_bit) != 0 &&
(dum_hcd->old_status & USB_PORT_STAT_RESET) == 0 &&
dum->ints_enabled) {
stop_activity(dum);
[PATCH 3.16 114/204] include/linux/of.h: provide of_n_{addr,size}_cells wrappers for !CONFIG_OF
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Arnd Bergmann
commit 8a1ac5dc7be09883051b1bf89a5e57d7ad850fa5 upstream.
The pci-rcar driver is enabled for compile tests, and this has shown that
the driver cannot build without CONFIG_OF, following the inclusion of
commit f8f2fe7355fb ("PCI: rcar: Use new OF interrupt mapping when possible"):
drivers/pci/host/pcie-rcar.c: In function 'pci_dma_range_parser_init':
drivers/pci/host/pcie-rcar.c:1039:2: error: implicit declaration of function
'of_n_addr_cells' [-Werror=implicit-function-declaration]
parser->pna = of_n_addr_cells(node);
^
As pointed out by Ben Dooks and Geert Uytterhoeven, this is actually
supposed to build fine, which we can achieve if we make the declaration
of of_irq_parse_and_map_pci conditional on CONFIG_OF and provide an
empty inline function otherwise, as we do for a lot of other of
interfaces.
This lets us build the rcar_pci driver again without CONFIG_OF for build
testing. All platforms using this driver select OF, so this doesn't
change anything for the users.
[a...@linux-foundation.org: be consistent with surrounding code]
Link: http://lkml.kernel.org/r/20170911200805.3363318-1-a...@arndb.de
Fixes: c25da4778803 ("PCI: rcar: Add Renesas R-Car PCIe driver")
Signed-off-by: Arnd Bergmann
Reviewed-by: Frank Rowand
Acked-by: Geert Uytterhoeven
Cc: Bjorn Helgaas
Cc: Magnus Damm
Cc: Ben Dooks
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
Signed-off-by: Ben Hutchings
---
include/linux/of.h | 10 ++
1 file changed, 10 insertions(+)
--- a/include/linux/of.h
+++ b/include/linux/of.h
@@ -503,6 +503,16 @@ static inline struct device_node *of_get
return NULL;
}
+static inline int of_n_addr_cells(struct device_node *np)
+{
+ return 0;
+
+}
+static inline int of_n_size_cells(struct device_node *np)
+{
+ return 0;
+}
+
static inline int of_property_read_u64(const struct device_node *np,
const char *propname, u64 *out_value)
{
[PATCH 3.16 095/204] ALSA: seq: Fix copy_from_user() call inside lock
3.16.52-rc1 review patch. If anyone has any objections, please let me know.
--
From: Takashi Iwai
commit 5803b023881857db32ffefa0d269c90280a67ee0 upstream.
The event handler in the virmidi sequencer code takes a read-lock for
the linked list traverse, while it's calling snd_seq_dump_var_event()
in the loop. The latter function may expand the user-space data
depending on the event type. It eventually invokes copy_from_user(),
which might be a potential dead-lock.
The sequencer core guarantees that the user-space data is passed only
with atomic=0 argument, but snd_virmidi_dev_receive_event() ignores it
and always takes read-lock(). For avoiding the problem above, this
patch introduces rwsem for non-atomic case, while keeping rwlock for
atomic case.
Also while we're at it: the superfluous irq flags is dropped in
snd_virmidi_input_open().
Reported-by: Jia-Ju Bai
Signed-off-by: Takashi Iwai
Signed-off-by: Ben Hutchings
---
include/sound/seq_virmidi.h | 1 +
sound/core/seq/seq_virmidi.c | 27 +++
2 files changed, 20 insertions(+), 8 deletions(-)
--- a/include/sound/seq_virmidi.h
+++ b/include/sound/seq_virmidi.h
@@ -60,6 +60,7 @@ struct snd_virmidi_dev {
int port; /* created/attached port */
unsigned int flags; /* SNDRV_VIRMIDI_* */
rwlock_t filelist_lock;
+ struct rw_semaphore filelist_sem;
struct list_head filelist;
};
--- a/sound/core/seq/seq_virmidi.c
+++ b/sound/core/seq/seq_virmidi.c
@@ -77,13 +77,17 @@ static void snd_virmidi_init_event(struc
* decode input event and put to read buffer of each opened file
*/
static int snd_virmidi_dev_receive_event(struct snd_virmidi_dev *rdev,
-struct snd_seq_event *ev)
+struct snd_seq_event *ev,
+bool atomic)
{
struct snd_virmidi *vmidi;
unsigned char msg[4];
int len;
- read_lock(&rdev->filelist_lock);
+ if (atomic)
+ read_lock(&rdev->filelist_lock);
+ else
+ down_read(&rdev->filelist_sem);
list_for_each_entry(vmidi, &rdev->filelist, list) {
if (!vmidi->trigger)
continue;
@@ -97,7 +101,10 @@ static int snd_virmidi_dev_receive_event
snd_rawmidi_receive(vmidi->substream, msg, len);
}
}
- read_unlock(&rdev->filelist_lock);
+ if (atomic)
+ read_unlock(&rdev->filelist_lock);
+ else
+ up_read(&rdev->filelist_sem);
return 0;
}
@@ -115,7 +122,7 @@ int snd_virmidi_receive(struct snd_rawmi
struct snd_virmidi_dev *rdev;
rdev = rmidi->private_data;
- return snd_virmidi_dev_receive_event(rdev, ev);
+ return snd_virmidi_dev_receive_event(rdev, ev, true);
}
#endif /* 0 */
@@ -130,7 +137,7 @@ static int snd_virmidi_event_input(struc
rdev = private_data;
if (!(rdev->flags & SNDRV_VIRMIDI_USE))
return 0; /* ignored */
- return snd_virmidi_dev_receive_event(rdev, ev);
+ return snd_virmidi_dev_receive_event(rdev, ev, atomic);
}
/*
@@ -209,7 +216,6 @@ static int snd_virmidi_input_open(struct
struct snd_virmidi_dev *rdev = substream->rmidi->private_data;
struct snd_rawmidi_runtime *runtime = substream->runtime;
struct snd_virmidi *vmidi;
- unsigned long flags;
vmidi = kzalloc(sizeof(*vmidi), GFP_KERNEL);
if (vmidi == NULL)
@@ -223,9 +229,11 @@ static int snd_virmidi_input_open(struct
vmidi->client = rdev->client;
vmidi->port = rdev->port;
runtime->private_data = vmidi;
- write_lock_irqsave(&rdev->filelist_lock, flags);
+ down_write(&rdev->filelist_sem);
+ write_lock_irq(&rdev->filelist_lock);
list_add_tail(&vmidi->list, &rdev->filelist);
- write_unlock_irqrestore(&rdev->filelist_lock, flags);
+ write_unlock_irq(&rdev->filelist_lock);
+ up_write(&rdev->filelist_sem);
vmidi->rdev = rdev;
return 0;
}
@@ -264,9 +272,11 @@ static int snd_virmidi_input_close(struc
struct snd_virmidi_dev *rdev = substream->rmidi->private_data;
struct snd_virmidi *vmidi = substream->runtime->private_data;
+ down_write(&rdev->filelist_sem);
write_lock_irq(&rdev->filelist_lock);
list_del(&vmidi->list);
write_unlock_irq(&rdev->filelist_lock);
+ up_write(&rdev->filelist_sem);
snd_midi_event_free(vmidi->parser);
substream->runtime->private_data = NULL;
kfree(vmidi);
@@ -520,6 +530,7 @@ int snd_virmidi_new(struct snd_card *car
rdev->rmidi = rmidi;
rdev->device = device;
rdev->client = -1;
+ init_rwsem(&rdev->filelist_sem);
rwlock_init(&rdev->filelist_lock);
INIT_LIST_HEAD(&rdev->filelist);
