[PATCH 4.18 160/235] MIPS: loongson64: cs5536: Fix PCI_OHCI_INT_REG reads
4.18-stable review patch. If anyone has any objections, please let me know. -- From: Paul Burton [ Upstream commit cd87668d601f622e0ebcfea4f78d116d5f572f4d ] The PCI_OHCI_INT_REG case in pci_ohci_read_reg() contains the following if statement: if ((lo & 0x0f00) == CS5536_USB_INTR) CS5536_USB_INTR expands to the constant 11, which gives us the following condition which can never evaluate true: if ((lo & 0xf00) == 11) At least when using GCC 8.1.0 this falls foul of the tautoligcal-compare warning, and since the code is built with the -Werror flag the build fails. Fix this by shifting lo right by 8 bits in order to match the corresponding PCI_OHCI_INT_REG case in pci_ohci_write_reg(). Signed-off-by: Paul Burton Patchwork: https://patchwork.linux-mips.org/patch/19861/ Cc: Huacai Chen Cc: James Hogan Cc: Ralf Baechle Cc: linux-m...@linux-mips.org Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- arch/mips/loongson64/common/cs5536/cs5536_ohci.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/arch/mips/loongson64/common/cs5536/cs5536_ohci.c +++ b/arch/mips/loongson64/common/cs5536/cs5536_ohci.c @@ -138,7 +138,7 @@ u32 pci_ohci_read_reg(int reg) break; case PCI_OHCI_INT_REG: _rdmsr(DIVIL_MSR_REG(PIC_YSEL_LOW), , ); - if ((lo & 0x0f00) == CS5536_USB_INTR) + if (((lo >> PIC_YSEL_LOW_USB_SHIFT) & 0xf) == CS5536_USB_INTR) conf_data = 1; break; default:
[PATCH 4.18 174/235] liquidio: fix hang when re-binding VF host drv after running DPDK VF driver
4.18-stable review patch. If anyone has any objections, please let me know. -- From: Rick Farrington [ Upstream commit ac13d6d8eaded15c67265eafc32f439ea3a0ac4a ] When configuring SLI_PKTn_OUTPUT_CONTROL, VF driver was assuming that IPTR mode was disabled by reset, which was not true. Since DPDK driver had set IPTR mode previously, the VF driver (which uses buf-ptr-only mode) was not properly handling DROQ packets (i.e. it saw zero-length packets). This represented an invalid hardware configuration which the driver could not handle. Signed-off-by: Rick Farrington Signed-off-by: Felix Manlunas Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/net/ethernet/cavium/liquidio/cn23xx_pf_device.c |3 +++ drivers/net/ethernet/cavium/liquidio/cn23xx_vf_device.c |3 +++ 2 files changed, 6 insertions(+) --- a/drivers/net/ethernet/cavium/liquidio/cn23xx_pf_device.c +++ b/drivers/net/ethernet/cavium/liquidio/cn23xx_pf_device.c @@ -493,6 +493,9 @@ static void cn23xx_pf_setup_global_outpu for (q_no = srn; q_no < ern; q_no++) { reg_val = octeon_read_csr(oct, CN23XX_SLI_OQ_PKT_CONTROL(q_no)); + /* clear IPTR */ + reg_val &= ~CN23XX_PKT_OUTPUT_CTL_IPTR; + /* set DPTR */ reg_val |= CN23XX_PKT_OUTPUT_CTL_DPTR; --- a/drivers/net/ethernet/cavium/liquidio/cn23xx_vf_device.c +++ b/drivers/net/ethernet/cavium/liquidio/cn23xx_vf_device.c @@ -165,6 +165,9 @@ static void cn23xx_vf_setup_global_outpu reg_val = octeon_read_csr(oct, CN23XX_VF_SLI_OQ_PKT_CONTROL(q_no)); + /* clear IPTR */ + reg_val &= ~CN23XX_PKT_OUTPUT_CTL_IPTR; + /* set DPTR */ reg_val |= CN23XX_PKT_OUTPUT_CTL_DPTR;
[PATCH 4.18 176/235] ASoC: hdmi-codec: fix routing
4.18-stable review patch. If anyone has any objections, please let me know. -- From: Russell King [ Upstream commit d30e23d69981a4b665f5ce8711335df986576389 ] Commit 943fa0228252 ("ASoC: hdmi-codec: Use different name for playback streams") broke hdmi-codec's routing between it's output "TX" widget and the S/PDIF or I2S streams by renaming the streams. Whether an error occurs or not is dependent on whether there is another widget called "Playback" registered by some other component - if there is, that widget will be (incorrectly) bound to the HDMI codec's "TX" output widget. If we end up connecting "TX" incorrectly, it can result in components not being started, causing no audio output. Since the I2S and S/PDIF streams now have different names, we can't use a static route at component level to describe the relationship, so arrange to dynamically create the route when the DAI driver is probed. Fixes: 943fa0228252 ("ASoC: hdmi-codec: Use different name for playback streams") Signed-off-by: Russell King Signed-off-by: Mark Brown Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- sound/soc/codecs/hdmi-codec.c | 21 +++-- 1 file changed, 15 insertions(+), 6 deletions(-) --- a/sound/soc/codecs/hdmi-codec.c +++ b/sound/soc/codecs/hdmi-codec.c @@ -291,10 +291,6 @@ static const struct snd_soc_dapm_widget SND_SOC_DAPM_OUTPUT("TX"), }; -static const struct snd_soc_dapm_route hdmi_routes[] = { - { "TX", NULL, "Playback" }, -}; - enum { DAI_ID_I2S = 0, DAI_ID_SPDIF, @@ -689,9 +685,23 @@ static int hdmi_codec_pcm_new(struct snd return snd_ctl_add(rtd->card->snd_card, kctl); } +static int hdmi_dai_probe(struct snd_soc_dai *dai) +{ + struct snd_soc_dapm_context *dapm; + struct snd_soc_dapm_route route = { + .sink = "TX", + .source = dai->driver->playback.stream_name, + }; + + dapm = snd_soc_component_get_dapm(dai->component); + + return snd_soc_dapm_add_routes(dapm, , 1); +} + static const struct snd_soc_dai_driver hdmi_i2s_dai = { .name = "i2s-hifi", .id = DAI_ID_I2S, + .probe = hdmi_dai_probe, .playback = { .stream_name = "I2S Playback", .channels_min = 2, @@ -707,6 +717,7 @@ static const struct snd_soc_dai_driver h static const struct snd_soc_dai_driver hdmi_spdif_dai = { .name = "spdif-hifi", .id = DAI_ID_SPDIF, + .probe = hdmi_dai_probe, .playback = { .stream_name = "SPDIF Playback", .channels_min = 2, @@ -733,8 +744,6 @@ static int hdmi_of_xlate_dai_id(struct s static const struct snd_soc_component_driver hdmi_driver = { .dapm_widgets = hdmi_widgets, .num_dapm_widgets = ARRAY_SIZE(hdmi_widgets), - .dapm_routes= hdmi_routes, - .num_dapm_routes= ARRAY_SIZE(hdmi_routes), .of_xlate_dai_id= hdmi_of_xlate_dai_id, .idle_bias_on = 1, .use_pmdown_time= 1,
[PATCH 4.18 175/235] gpu: ipu-v3: csi: pass back mbus_code_to_bus_cfg error codes
4.18-stable review patch. If anyone has any objections, please let me know. -- From: Enrico Scholz [ Upstream commit d36d0e6309dd8137cf438cbb680e72eb63c81425 ] mbus_code_to_bus_cfg() can fail on unknown mbus codes; pass back the error to the caller. Signed-off-by: Enrico Scholz Signed-off-by: Jan Luebbe [p.za...@pengutronix.de - renamed rc to ret for consistency] Signed-off-by: Philipp Zabel Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/gpu/ipu-v3/ipu-csi.c | 20 1 file changed, 16 insertions(+), 4 deletions(-) --- a/drivers/gpu/ipu-v3/ipu-csi.c +++ b/drivers/gpu/ipu-v3/ipu-csi.c @@ -318,13 +318,17 @@ static int mbus_code_to_bus_cfg(struct i /* * Fill a CSI bus config struct from mbus_config and mbus_framefmt. */ -static void fill_csi_bus_cfg(struct ipu_csi_bus_config *csicfg, +static int fill_csi_bus_cfg(struct ipu_csi_bus_config *csicfg, struct v4l2_mbus_config *mbus_cfg, struct v4l2_mbus_framefmt *mbus_fmt) { + int ret; + memset(csicfg, 0, sizeof(*csicfg)); - mbus_code_to_bus_cfg(csicfg, mbus_fmt->code); + ret = mbus_code_to_bus_cfg(csicfg, mbus_fmt->code); + if (ret < 0) + return ret; switch (mbus_cfg->type) { case V4L2_MBUS_PARALLEL: @@ -356,6 +360,8 @@ static void fill_csi_bus_cfg(struct ipu_ /* will never get here, keep compiler quiet */ break; } + + return 0; } int ipu_csi_init_interface(struct ipu_csi *csi, @@ -365,8 +371,11 @@ int ipu_csi_init_interface(struct ipu_cs struct ipu_csi_bus_config cfg; unsigned long flags; u32 width, height, data = 0; + int ret; - fill_csi_bus_cfg(, mbus_cfg, mbus_fmt); + ret = fill_csi_bus_cfg(, mbus_cfg, mbus_fmt); + if (ret < 0) + return ret; /* set default sensor frame width and height */ width = mbus_fmt->width; @@ -587,11 +596,14 @@ int ipu_csi_set_mipi_datatype(struct ipu struct ipu_csi_bus_config cfg; unsigned long flags; u32 temp; + int ret; if (vc > 3) return -EINVAL; - mbus_code_to_bus_cfg(, mbus_fmt->code); + ret = mbus_code_to_bus_cfg(, mbus_fmt->code); + if (ret < 0) + return ret; spin_lock_irqsave(>lock, flags);
[PATCH 4.18 130/235] USB: serial: ti_usb_3410_5052: fix array underflow in completion handler
4.18-stable review patch. If anyone has any objections, please let me know. -- From: Johan Hovold commit 5dfdd24eb3d39d815bc952ae98128e967c9bba49 upstream. Similarly to a recently reported bug in io_ti, a malicious USB device could set port_number to a negative value and we would underflow the port array in the interrupt completion handler. As these devices only have one or two ports, fix this by making sure we only consider the seventh bit when determining the port number (and ignore bits 0xb0 which are typically set to 0x30). Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman --- drivers/usb/serial/ti_usb_3410_5052.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/usb/serial/ti_usb_3410_5052.c +++ b/drivers/usb/serial/ti_usb_3410_5052.c @@ -1119,7 +1119,7 @@ static void ti_break(struct tty_struct * static int ti_get_port_from_code(unsigned char code) { - return (code >> 4) - 3; + return (code >> 6) & 0x01; } static int ti_get_func_from_code(unsigned char code)
[PATCH 4.18 159/235] KVM: PPC: Book3S: Fix matching of hardware and emulated TCE tables
4.18-stable review patch. If anyone has any objections, please let me know. -- From: Alexey Kardashevskiy [ Upstream commit 76346cd93a5eca33700f82685d56172dd65d4c0a ] When attaching a hardware table to LIOBN in KVM, we match table parameters such as page size, table offset and table size. However the tables are created via very different paths - VFIO and KVM - and the VFIO path goes through the platform code which has minimum TCE page size requirement (which is 4K but since we allocate memory by pages and cannot avoid alignment anyway, we align to 64k pages for powernv_defconfig). So when we match the tables, one might be bigger that the other which means the hardware table cannot get attached to LIOBN and DMA mapping fails. This removes the table size alignment from the guest visible table. This does not affect the memory allocation which is still aligned - kvmppc_tce_pages() takes care of this. This relaxes the check we do when attaching tables to allow the hardware table be bigger than the guest visible table. Ideally we want the KVM table to cover the same space as the hardware table does but since the hardware table may use multiple levels, and all levels must use the same table size (IODA2 design), the area it can actually cover might get very different from the window size which the guest requested, even though the guest won't map it all. Fixes: ca1fc489cf "KVM: PPC: Book3S: Allow backing bigger guest IOMMU pages with smaller physical pages" Signed-off-by: Alexey Kardashevskiy Reviewed-by: David Gibson Signed-off-by: Paul Mackerras Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- arch/powerpc/kvm/book3s_64_vio.c |5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) --- a/arch/powerpc/kvm/book3s_64_vio.c +++ b/arch/powerpc/kvm/book3s_64_vio.c @@ -180,7 +180,7 @@ extern long kvm_spapr_tce_attach_iommu_g if ((tbltmp->it_page_shift <= stt->page_shift) && (tbltmp->it_offset << tbltmp->it_page_shift == stt->offset << stt->page_shift) && - (tbltmp->it_size << tbltmp->it_page_shift == + (tbltmp->it_size << tbltmp->it_page_shift >= stt->size << stt->page_shift)) { /* * Reference the table to avoid races with @@ -296,7 +296,7 @@ long kvm_vm_ioctl_create_spapr_tce(struc { struct kvmppc_spapr_tce_table *stt = NULL; struct kvmppc_spapr_tce_table *siter; - unsigned long npages, size; + unsigned long npages, size = args->size; int ret = -ENOMEM; int i; @@ -304,7 +304,6 @@ long kvm_vm_ioctl_create_spapr_tce(struc (args->offset + args->size > (ULLONG_MAX >> args->page_shift))) return -EINVAL; - size = _ALIGN_UP(args->size, PAGE_SIZE >> 3); npages = kvmppc_tce_pages(size); ret = kvmppc_account_memlimit(kvmppc_stt_pages(npages), true); if (ret)
[PATCH 4.18 165/235] arm64: dts: mt7622: update a clock property for UART0
4.18-stable review patch. If anyone has any objections, please let me know. -- From: Ryder Lee [ Upstream commit 2b519747ae4859e886c37834d766fe0c7d8d82e2 ] The input clock of UART0 should be CLK_PERI_UART0_PD. Fixes: 13f36c326cef ("arm64: dts: mt7622: turn uart0 clock to real ones") Signed-off-by: Ryder Lee Signed-off-by: Matthias Brugger Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- arch/arm64/boot/dts/mediatek/mt7622.dtsi |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/arch/arm64/boot/dts/mediatek/mt7622.dtsi +++ b/arch/arm64/boot/dts/mediatek/mt7622.dtsi @@ -331,7 +331,7 @@ reg = <0 0x11002000 0 0x400>; interrupts = ; clocks = < CLK_TOP_UART_SEL>, -< CLK_PERI_UART1_PD>; +< CLK_PERI_UART0_PD>; clock-names = "baud", "bus"; status = "disabled"; };
[PATCH 4.18 178/235] serial: 8250: of: Correct of_platform_serial_setup() error handling
4.18-stable review patch. If anyone has any objections, please let me know. -- From: Alexander Sverdlin [ Upstream commit b29330d829042512fabb2bfa3bbfa32df1115594 ] Don't dispose IRQ mapping before it has been created. Fixes: aa9594740 ("serial: 8250_of: Add IO space support") Signed-off-by: Alexander Sverdlin Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/tty/serial/8250/8250_of.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/tty/serial/8250/8250_of.c +++ b/drivers/tty/serial/8250/8250_of.c @@ -124,7 +124,7 @@ static int of_platform_serial_setup(stru dev_warn(>dev, "unsupported reg-io-width (%d)\n", prop); ret = -EINVAL; - goto err_dispose; + goto err_unprepare; } } port->flags |= UPF_IOREMAP;
[PATCH 4.18 131/235] USB: yurex: Fix buffer over-read in yurex_write()
4.18-stable review patch. If anyone has any objections, please let me know. -- From: Ben Hutchings commit 7e10f14ebface44a48275c8d6dc1caae3668d5a9 upstream. If the written data starts with a digit, yurex_write() tries to parse it as an integer using simple_strtoull(). This requires a null- terminator, and currently there's no guarantee that there is one. (The sample program at https://github.com/NeoCat/YUREX-driver-for-Linux/blob/master/sample/yurex_clock.pl writes an integer without a null terminator. It seems like it must have worked by chance!) Always add a null byte after the written data. Enlarge the buffer to allow for this. Cc: sta...@vger.kernel.org Signed-off-by: Ben Hutchings Signed-off-by: Greg Kroah-Hartman --- drivers/usb/misc/yurex.c |5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) --- a/drivers/usb/misc/yurex.c +++ b/drivers/usb/misc/yurex.c @@ -421,13 +421,13 @@ static ssize_t yurex_write(struct file * { struct usb_yurex *dev; int i, set = 0, retval = 0; - char buffer[16]; + char buffer[16 + 1]; char *data = buffer; unsigned long long c, c2 = 0; signed long timeout = 0; DEFINE_WAIT(wait); - count = min(sizeof(buffer), count); + count = min(sizeof(buffer) - 1, count); dev = file->private_data; /* verify that we actually have some data to write */ @@ -446,6 +446,7 @@ static ssize_t yurex_write(struct file * retval = -EFAULT; goto error; } + buffer[count] = 0; memset(dev->cntl_buffer, CMD_PADDING, YUREX_BUF_SIZE); switch (buffer[0]) {
[PATCH 4.18 180/235] tty: fix termios input-speed encoding
4.18-stable review patch. If anyone has any objections, please let me know. -- From: Johan Hovold [ Upstream commit fada18c48d774b9e837928ecdce6a5d5fdd11ee7 ] Make sure to clear the CIBAUD bits before OR-ing the new mask when encoding the termios input baud rate. This could otherwise lead to an incorrect input rate being reported back and incidentally set on subsequent termios updates. Fixes: edc6afc54968 ("[PATCH] tty: switch to ktermios and new framework") Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/tty/tty_baudrate.c |3 +++ 1 file changed, 3 insertions(+) --- a/drivers/tty/tty_baudrate.c +++ b/drivers/tty/tty_baudrate.c @@ -173,6 +173,9 @@ void tty_termios_encode_baud_rate(struct iclose = 0; #endif termios->c_cflag &= ~CBAUD; +#ifdef IBSHIFT + termios->c_cflag &= ~(CBAUD << IBSHIFT); +#endif /* * Our goal is to find a close match to the standard baud rate
[PATCH 4.18 179/235] tty: fix termios input-speed encoding when using BOTHER
4.18-stable review patch. If anyone has any objections, please let me know. -- From: Johan Hovold [ Upstream commit 1cee38f0363a88db374e50b232ca17b9a4c12fa0 ] When the termios CIBAUD bits are left unset (i.e. B0), we use the same output and input speed and should leave CIBAUD unchanged. When the user requests a rate using BOTHER and c_ospeed which the driver cannot set exactly, the driver can report back the actual baud rate using tty_termios_encode_baud_rate(). If this rate is close enough to a standard rate however, we could end up setting CIBAUD to a Bfoo value despite the user having left it unset. This in turn could lead to an unexpected input rate being set on subsequent termios updates. Fix this by using a zero tolerance value also for the input rate when CIBAUD is clear so that the matching logic works as expected. Fixes: 78137e3b34e1 ("[PATCH] tty: improve encode_baud_rate logic") Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/tty/tty_baudrate.c | 10 +++--- 1 file changed, 7 insertions(+), 3 deletions(-) --- a/drivers/tty/tty_baudrate.c +++ b/drivers/tty/tty_baudrate.c @@ -157,16 +157,20 @@ void tty_termios_encode_baud_rate(struct termios->c_ospeed = obaud; #ifdef BOTHER + if ((termios->c_cflag >> IBSHIFT) & CBAUD) + ibinput = 1;/* An input speed was specified */ + /* If the user asked for a precise weird speed give a precise weird answer. If they asked for a Bfoo speed they may have problems digesting non-exact replies so fuzz a bit */ - if ((termios->c_cflag & CBAUD) == BOTHER) + if ((termios->c_cflag & CBAUD) == BOTHER) { oclose = 0; + if (!ibinput) + iclose = 0; + } if (((termios->c_cflag >> IBSHIFT) & CBAUD) == BOTHER) iclose = 0; - if ((termios->c_cflag >> IBSHIFT) & CBAUD) - ibinput = 1;/* An input speed was specified */ #endif termios->c_cflag &= ~CBAUD;
[PATCH 4.18 122/235] usb: uas: add support for more quirk flags
4.18-stable review patch. If anyone has any objections, please let me know. -- From: Oliver Neukum commit 42d1c6d4a06a77b3ab206a919b9050c3080f3a71 upstream. The hope that UAS devices would be less broken than old style storage devices has turned out to be unfounded. Make UAS support more of the quirk flags of the old driver. Signed-off-by: Oliver Neukum Cc: stable Signed-off-by: Greg Kroah-Hartman --- drivers/usb/storage/uas.c | 21 + 1 file changed, 21 insertions(+) --- a/drivers/usb/storage/uas.c +++ b/drivers/usb/storage/uas.c @@ -842,6 +842,27 @@ static int uas_slave_configure(struct sc sdev->skip_ms_page_8 = 1; sdev->wce_default_on = 1; } + + /* +* Some disks return the total number of blocks in response +* to READ CAPACITY rather than the highest block number. +* If this device makes that mistake, tell the sd driver. +*/ + if (devinfo->flags & US_FL_FIX_CAPACITY) + sdev->fix_capacity = 1; + + /* +* Some devices don't like MODE SENSE with page=0x3f, +* which is the command used for checking if a device +* is write-protected. Now that we tell the sd driver +* to do a 192-byte transfer with this command the +* majority of devices work fine, but a few still can't +* handle it. The sd driver will simply assume those +* devices are write-enabled. +*/ + if (devinfo->flags & US_FL_NO_WP_DETECT) + sdev->skip_ms_page_3f = 1; + scsi_change_queue_depth(sdev, devinfo->qdepth - 2); return 0; }
[PATCH 4.18 182/235] mmc: tegra: prevent HS200 on Tegra 3
4.18-stable review patch. If anyone has any objections, please let me know. -- From: Stefan Agner [ Upstream commit 127407e36f4fe3a1d5e8b9998b479956ce83a7dc ] The stack assumes that SDHC controller which support SD3.0 (SDR104) do support HS200. This is not the case for Tegra 3, which does support SD 3.0 but only supports eMMC spec 4.41. Use SDHCI_QUIRK2_BROKEN_HS200 to indicate that the controller does not support HS200. Note that commit 156e14b126ff ("mmc: sdhci: fix caps2 for HS200") added the tie between SD3.0 (SDR104) and HS200. I don't think that this is necessarly true. It is fully legitimate to support SD3.0 and not support HS200. The quirk naming suggests something is broken in the controller, but this is not the case: The controller simply does not support HS200. Fixes: 7ad2ed1dfcbe ("mmc: tegra: enable UHS-I modes") Signed-off-by: Stefan Agner Tested-by: Marcel Ziswiler Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/mmc/host/sdhci-tegra.c |3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/drivers/mmc/host/sdhci-tegra.c +++ b/drivers/mmc/host/sdhci-tegra.c @@ -334,7 +334,8 @@ static const struct sdhci_pltfm_data sdh SDHCI_QUIRK_NO_HISPD_BIT | SDHCI_QUIRK_BROKEN_ADMA_ZEROLEN_DESC | SDHCI_QUIRK_CAP_CLOCK_BASE_BROKEN, - .quirks2 = SDHCI_QUIRK2_PRESET_VALUE_BROKEN, + .quirks2 = SDHCI_QUIRK2_PRESET_VALUE_BROKEN | + SDHCI_QUIRK2_BROKEN_HS200, .ops = _sdhci_ops, };
[PATCH 4.18 181/235] mmc: sdhci-of-esdhc: set proper dma mask for ls104x chips
4.18-stable review patch. If anyone has any objections, please let me know. -- From: Laurentiu Tudor [ Upstream commit 5552d7ad596c3fea953f40fef74170ce0760c04d ] SDHCI controller in ls1043a and ls1046a generate 40-bit wide addresses when doing DMA. Make sure that the corresponding dma mask is correctly configured. Context: when enabling smmu on these chips the following problem is encountered: the smmu input address size is 48 bits so the dma mappings for sdhci end up 48-bit wide. However, on these chips sdhci only use 40-bits of that address size when doing dma. So you end up with a 48-bit address translation in smmu but the device generates transactions with clipped 40-bit addresses, thus smmu context faults are triggered. Setting up the correct dma mask fixes this situation. Signed-off-by: Laurentiu Tudor Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/mmc/host/sdhci-of-esdhc.c |6 ++ 1 file changed, 6 insertions(+) --- a/drivers/mmc/host/sdhci-of-esdhc.c +++ b/drivers/mmc/host/sdhci-of-esdhc.c @@ -22,6 +22,7 @@ #include #include #include +#include #include #include "sdhci-pltfm.h" #include "sdhci-esdhc.h" @@ -427,6 +428,11 @@ static void esdhc_of_adma_workaround(str static int esdhc_of_enable_dma(struct sdhci_host *host) { u32 value; + struct device *dev = mmc_dev(host->mmc); + + if (of_device_is_compatible(dev->of_node, "fsl,ls1043a-esdhc") || + of_device_is_compatible(dev->of_node, "fsl,ls1046a-esdhc")) + dma_set_mask_and_coherent(dev, DMA_BIT_MASK(40)); value = sdhci_readl(host, ESDHC_DMA_SYSCTL); value |= ESDHC_DMA_SNOOP;
[PATCH 4.18 183/235] mmc: sdhci: do not try to use 3.3V signaling if not supported
4.18-stable review patch. If anyone has any objections, please let me know. -- From: Stefan Agner [ Upstream commit 1b5190c2e74c47ebe4bcecf7a072358ad9f1feaa ] For eMMC devices it is valid to only support 1.8V signaling. When vqmmc is set to a fixed 1.8V regulator the stack tries to set 3.3V initially and prints the following warning: mmc1: Switching to 3.3V signalling voltage failed Clear the MMC_SIGNAL_VOLTAGE_330 flag in case 3.3V is signaling is not available. This prevents the stack from even trying to use 3.3V signaling and avoids the above warning. Signed-off-by: Stefan Agner Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/mmc/host/sdhci.c |9 - 1 file changed, 8 insertions(+), 1 deletion(-) --- a/drivers/mmc/host/sdhci.c +++ b/drivers/mmc/host/sdhci.c @@ -3734,14 +3734,21 @@ int sdhci_setup_host(struct sdhci_host * mmc_gpio_get_cd(host->mmc) < 0) mmc->caps |= MMC_CAP_NEEDS_POLL; - /* If vqmmc regulator and no 1.8V signalling, then there's no UHS */ if (!IS_ERR(mmc->supply.vqmmc)) { ret = regulator_enable(mmc->supply.vqmmc); + + /* If vqmmc provides no 1.8V signalling, then there's no UHS */ if (!regulator_is_supported_voltage(mmc->supply.vqmmc, 170, 195)) host->caps1 &= ~(SDHCI_SUPPORT_SDR104 | SDHCI_SUPPORT_SDR50 | SDHCI_SUPPORT_DDR50); + + /* In eMMC case vqmmc might be a fixed 1.8V regulator */ + if (!regulator_is_supported_voltage(mmc->supply.vqmmc, 270, + 360)) + host->flags &= ~SDHCI_SIGNALING_330; + if (ret) { pr_warn("%s: Failed to enable vqmmc regulator: %d\n", mmc_hostname(mmc), ret);
[PATCH 4.18 177/235] gpiolib: dont allow userspace to set values of input lines
4.18-stable review patch. If anyone has any objections, please let me know. -- From: Bartosz Golaszewski [ Upstream commit e5332d5437764f775cf4e3b8ca3bf592af063a02 ] User space can currently both read and set values of input lines using the character device. This was not allowed by the old sysfs interface nor is it a correct behavior. Check the first descriptor in the set for the OUT flag when asked to set values and return -EPERM if the line is input. Signed-off-by: Bartosz Golaszewski Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/gpio/gpiolib.c |8 +++- 1 file changed, 7 insertions(+), 1 deletion(-) --- a/drivers/gpio/gpiolib.c +++ b/drivers/gpio/gpiolib.c @@ -449,7 +449,13 @@ static long linehandle_ioctl(struct file return 0; } else if (cmd == GPIOHANDLE_SET_LINE_VALUES_IOCTL) { - /* TODO: check if descriptors are really output */ + /* +* All line descriptors were created at once with the same +* flags so just check if the first one is really output. +*/ + if (!test_bit(FLAG_IS_OUT, >descs[0]->flags)) + return -EPERM; + if (copy_from_user(, ip, sizeof(ghd))) return -EFAULT;
[PATCH 4.18 185/235] drm/nouveau/debugfs: Wake up GPU before doing any reclocking
4.18-stable review patch. If anyone has any objections, please let me know. -- From: Karol Herbst [ Upstream commit eaeb9010bb4bcdc20e58254fa42f3fe730a7f908 ] Fixes various reclocking related issues on prime systems. Signed-off-by: Karol Herbst Signed-off-by: Martin Peres Signed-off-by: Ben Skeggs Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/gpu/drm/nouveau/nouveau_debugfs.c |4 1 file changed, 4 insertions(+) --- a/drivers/gpu/drm/nouveau/nouveau_debugfs.c +++ b/drivers/gpu/drm/nouveau/nouveau_debugfs.c @@ -160,7 +160,11 @@ nouveau_debugfs_pstate_set(struct file * args.ustate = value; } + ret = pm_runtime_get_sync(drm->dev); + if (IS_ERR_VALUE(ret) && ret != -EACCES) + return ret; ret = nvif_mthd(ctrl, NVIF_CONTROL_PSTATE_USER, , sizeof(args)); + pm_runtime_put_autosuspend(drm->dev); if (ret < 0) return ret;
[PATCH 4.18 166/235] sched/core: Use smp_mb() in wake_woken_function()
4.18-stable review patch. If anyone has any objections, please let me know. -- From: Andrea Parri [ Upstream commit 76e079fefc8f62bd9b2cd2950814d1ee806e31a5 ] wake_woken_function() synchronizes with wait_woken() as follows: [wait_woken] [wake_woken_function] entry->flags &= ~wq_flag_woken;condition = true; smp_mb(); smp_wmb(); if (condition) wq_entry->flags |= wq_flag_woken; break; This commit replaces the above smp_wmb() with an smp_mb() in order to guarantee that either wait_woken() sees the wait condition being true or the store to wq_entry->flags in woken_wake_function() follows the store in wait_woken() in the coherence order (so that the former can eventually be observed by wait_woken()). The commit also fixes a comment associated to set_current_state() in wait_woken(): the comment pairs the barrier in set_current_state() to the above smp_wmb(), while the actual pairing involves the barrier in set_current_state() and the barrier executed by the try_to_wake_up() in wake_woken_function(). Signed-off-by: Andrea Parri Signed-off-by: Paul E. McKenney Acked-by: Peter Zijlstra (Intel) Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: aki...@gmail.com Cc: boqun.f...@gmail.com Cc: dhowe...@redhat.com Cc: j.algl...@ucl.ac.uk Cc: linux-a...@vger.kernel.org Cc: luc.maran...@inria.fr Cc: npig...@gmail.com Cc: parri.and...@gmail.com Cc: st...@rowland.harvard.edu Cc: will.dea...@arm.com Link: http://lkml.kernel.org/r/20180716180605.16115-10-paul...@linux.vnet.ibm.com Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- kernel/sched/wait.c | 47 +-- 1 file changed, 21 insertions(+), 26 deletions(-) --- a/kernel/sched/wait.c +++ b/kernel/sched/wait.c @@ -392,35 +392,36 @@ static inline bool is_kthread_should_sto * if (condition) * break; * - * p->state = mode;condition = true; - * smp_mb(); // A smp_wmb(); // C - * if (!wq_entry->flags & WQ_FLAG_WOKEN) wq_entry->flags |= WQ_FLAG_WOKEN; - * schedule() try_to_wake_up(); - * p->state = TASK_RUNNING;~~ - * wq_entry->flags &= ~WQ_FLAG_WOKEN; condition = true; - * smp_mb() // B smp_wmb(); // C - * wq_entry->flags |= WQ_FLAG_WOKEN; - * } - * remove_wait_queue(_head, ); + * // in wait_woken() // in woken_wake_function() * + * p->state = mode;wq_entry->flags |= WQ_FLAG_WOKEN; + * smp_mb(); // A try_to_wake_up(): + * if (!(wq_entry->flags & WQ_FLAG_WOKEN)) + * schedule() if (p->state & mode) + * p->state = TASK_RUNNING; p->state = TASK_RUNNING; + * wq_entry->flags &= ~WQ_FLAG_WOKEN; ~~ + * smp_mb(); // B condition = true; + * } smp_mb(); // C + * remove_wait_queue(_head, ); wq_entry->flags |= WQ_FLAG_WOKEN; */ long wait_woken(struct wait_queue_entry *wq_entry, unsigned mode, long timeout) { - set_current_state(mode); /* A */ /* -* The above implies an smp_mb(), which matches with the smp_wmb() from -* woken_wake_function() such that if we observe WQ_FLAG_WOKEN we must -* also observe all state before the wakeup. +* The below executes an smp_mb(), which matches with the full barrier +* executed by the try_to_wake_up() in woken_wake_function() such that +* either we see the store to wq_entry->flags in woken_wake_function() +* or woken_wake_function() sees our store to current->state. */ + set_current_state(mode); /* A */ if (!(wq_entry->flags & WQ_FLAG_WOKEN) && !is_kthread_should_stop()) timeout = schedule_timeout(timeout); __set_current_state(TASK_RUNNING); /* -* The below implies an smp_mb(), it too pairs with the smp_wmb() from -* woken_wake_function() such that we must either observe the wait -* condition being true _OR_ WQ_FLAG_WOKEN such that we will not miss -* an event. +* The below executes an smp_mb(), which matches with the smp_mb() (C) +* in woken_wake_function() such that either we see the wait condition +* being true or the store to wq_entry->flags in woken_wake_function() +* follows ours in the coherence order. */ smp_store_mb(wq_entry->flags, wq_entry->flags & ~WQ_FLAG_WOKEN); /* B */ @@ -430,14 +431,8 @@ EXPORT_SYMBOL(wait_woken); int woken_wake_function(struct wait_queue_entry *wq_entry, unsigned mode, int
[PATCH 4.18 184/235] drm/nouveau: Fix runtime PM leak in drm_open()
4.18-stable review patch. If anyone has any objections, please let me know. -- From: Lyude Paul [ Upstream commit 922a8c82fafdec99688bbaea6c5889f562a42cdc ] Noticed this as I was skimming through, if we fail to allocate memory for cli we'll end up returning without dropping the runtime PM ref we got. Additionally, we'll even return the wrong return code! (ret most likely will == 0 here, we want -ENOMEM). Signed-off-by: Lyude Paul Reviewed-by: Lukas Wunner Signed-off-by: Ben Skeggs Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/gpu/drm/nouveau/nouveau_drm.c |6 -- 1 file changed, 4 insertions(+), 2 deletions(-) --- a/drivers/gpu/drm/nouveau/nouveau_drm.c +++ b/drivers/gpu/drm/nouveau/nouveau_drm.c @@ -908,8 +908,10 @@ nouveau_drm_open(struct drm_device *dev, get_task_comm(tmpname, current); snprintf(name, sizeof(name), "%s[%d]", tmpname, pid_nr(fpriv->pid)); - if (!(cli = kzalloc(sizeof(*cli), GFP_KERNEL))) - return ret; + if (!(cli = kzalloc(sizeof(*cli), GFP_KERNEL))) { + ret = -ENOMEM; + goto done; + } ret = nouveau_cli_init(drm, name, cli); if (ret)
[PATCH 4.18 127/235] USB: net2280: Fix erroneous synchronization change
4.18-stable review patch. If anyone has any objections, please let me know. -- From: Alan Stern commit dec3c23c9aa1815f07d98ae0375b4cbc10971e13 upstream. Commit f16443a034c7 ("USB: gadgetfs, dummy-hcd, net2280: fix locking for callbacks") was based on a serious misunderstanding. It introduced regressions into both the dummy-hcd and net2280 drivers. The problem in dummy-hcd was fixed by commit 7dbd8f4cabd9 ("USB: dummy-hcd: Fix erroneous synchronization change"), but the problem in net2280 remains. Namely: the ->disconnect(), ->suspend(), ->resume(), and ->reset() callbacks must be invoked without the private lock held; otherwise a deadlock will occur when the callback routine tries to interact with the UDC driver. This patch largely is a reversion of the relevant parts of f16443a034c7. It also drops the private lock around the calls to ->suspend() and ->resume() (something the earlier patch forgot to do). This is safe from races with device interrupts because it occurs within the interrupt handler. Finally, the patch changes where the ->disconnect() callback is invoked when net2280_pullup() turns the pullup off. Rather than making the callback from within stop_activity() at a time when dropping the private lock could be unsafe, the callback is moved to a point after the lock has already been dropped. Signed-off-by: Alan Stern Fixes: f16443a034c7 ("USB: gadgetfs, dummy-hcd, net2280: fix locking for callbacks") Reported-by: D. Ziesche Tested-by: D. Ziesche CC: Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman --- drivers/usb/gadget/udc/net2280.c | 16 ++-- 1 file changed, 14 insertions(+), 2 deletions(-) --- a/drivers/usb/gadget/udc/net2280.c +++ b/drivers/usb/gadget/udc/net2280.c @@ -1545,11 +1545,14 @@ static int net2280_pullup(struct usb_gad writel(tmp | BIT(USB_DETECT_ENABLE), >usb->usbctl); } else { writel(tmp & ~BIT(USB_DETECT_ENABLE), >usb->usbctl); - stop_activity(dev, dev->driver); + stop_activity(dev, NULL); } spin_unlock_irqrestore(>lock, flags); + if (!is_on && dev->driver) + dev->driver->disconnect(>gadget); + return 0; } @@ -2466,8 +2469,11 @@ static void stop_activity(struct net2280 nuke(>ep[i]); /* report disconnect; the driver is already quiesced */ - if (driver) + if (driver) { + spin_unlock(>lock); driver->disconnect(>gadget); + spin_lock(>lock); + } usb_reinit(dev); } @@ -3341,6 +3347,8 @@ next_endpoints: BIT(PCI_RETRY_ABORT_INTERRUPT)) static void handle_stat1_irqs(struct net2280 *dev, u32 stat) +__releases(dev->lock) +__acquires(dev->lock) { struct net2280_ep *ep; u32 tmp, num, mask, scratch; @@ -3381,12 +3389,14 @@ static void handle_stat1_irqs(struct net if (disconnect || reset) { stop_activity(dev, dev->driver); ep0_start(dev); + spin_unlock(>lock); if (reset) usb_gadget_udc_reset (>gadget, dev->driver); else (dev->driver->disconnect) (>gadget); + spin_lock(>lock); return; } } @@ -3405,6 +3415,7 @@ static void handle_stat1_irqs(struct net tmp = BIT(SUSPEND_REQUEST_CHANGE_INTERRUPT); if (stat & tmp) { writel(tmp, >regs->irqstat1); + spin_unlock(>lock); if (stat & BIT(SUSPEND_REQUEST_INTERRUPT)) { if (dev->driver->suspend) dev->driver->suspend(>gadget); @@ -3415,6 +3426,7 @@ static void handle_stat1_irqs(struct net dev->driver->resume(>gadget); /* at high speed, note erratum 0133 */ } + spin_lock(>lock); stat &= ~tmp; }
[PATCH 4.18 157/235] security: check for kstrdup() failure in lsm_append()
4.18-stable review patch. If anyone has any objections, please let me know. -- From: Eric Biggers [ Upstream commit 87ea58433208d17295e200d56be5e2a4fe4ce7d6 ] lsm_append() should return -ENOMEM if memory allocation failed. Fixes: d69dece5f5b6 ("LSM: Add /sys/kernel/security/lsm") Signed-off-by: Eric Biggers Signed-off-by: James Morris Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- security/security.c |2 ++ 1 file changed, 2 insertions(+) --- a/security/security.c +++ b/security/security.c @@ -118,6 +118,8 @@ static int lsm_append(char *new, char ** if (*result == NULL) { *result = kstrdup(new, GFP_KERNEL); + if (*result == NULL) + return -ENOMEM; } else { /* Check if it is the last registered name */ if (match_last_lsm(*result, new))
[PATCH 4.18 129/235] usb: misc: uss720: Fix two sleep-in-atomic-context bugs
4.18-stable review patch. If anyone has any objections, please let me know. -- From: Jia-Ju Bai commit bc8acc214d3f1cafebcbcd101a695bbac716595d upstream. async_complete() in uss720.c is a completion handler function for the USB driver. So it should not sleep, but it is can sleep according to the function call paths (from bottom to top) in Linux-4.16. [FUNC] set_1284_register(GFP_KERNEL) drivers/usb/misc/uss720.c, 372: set_1284_register in parport_uss720_frob_control drivers/parport/ieee1284.c, 560: [FUNC_PTR]parport_uss720_frob_control in parport_ieee1284_ack_data_avail drivers/parport/ieee1284.c, 577: parport_ieee1284_ack_data_avail in parport_ieee1284_interrupt ./include/linux/parport.h, 474: parport_ieee1284_interrupt in parport_generic_irq drivers/usb/misc/uss720.c, 116: parport_generic_irq in async_complete [FUNC] get_1284_register(GFP_KERNEL) drivers/usb/misc/uss720.c, 382: get_1284_register in parport_uss720_read_status drivers/parport/ieee1284.c, 555: [FUNC_PTR]parport_uss720_read_status in parport_ieee1284_ack_data_avail drivers/parport/ieee1284.c, 577: parport_ieee1284_ack_data_avail in parport_ieee1284_interrupt ./include/linux/parport.h, 474: parport_ieee1284_interrupt in parport_generic_irq drivers/usb/misc/uss720.c, 116: parport_generic_irq in async_complete Note that [FUNC_PTR] means a function pointer call is used. To fix these bugs, GFP_KERNEL is replaced with GFP_ATOMIC. These bugs are found by my static analysis tool DSAC. Signed-off-by: Jia-Ju Bai Cc: stable Signed-off-by: Greg Kroah-Hartman --- drivers/usb/misc/uss720.c |4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/drivers/usb/misc/uss720.c +++ b/drivers/usb/misc/uss720.c @@ -369,7 +369,7 @@ static unsigned char parport_uss720_frob mask &= 0x0f; val &= 0x0f; d = (priv->reg[1] & (~mask)) ^ val; - if (set_1284_register(pp, 2, d, GFP_KERNEL)) + if (set_1284_register(pp, 2, d, GFP_ATOMIC)) return 0; priv->reg[1] = d; return d & 0xf; @@ -379,7 +379,7 @@ static unsigned char parport_uss720_read { unsigned char ret; - if (get_1284_register(pp, 1, , GFP_KERNEL)) + if (get_1284_register(pp, 1, , GFP_ATOMIC)) return 0; return ret & 0xf8; }
[PATCH 4.18 163/235] pinctrl: rza1: Fix selector use for groups and functions
4.18-stable review patch. If anyone has any objections, please let me know. -- From: Tony Lindgren [ Upstream commit dc4003d260594aa300028c3c5d040c5719abd19b ] We must use a mutex around the generic_add functions and save the function and group selector in case we need to remove them. Otherwise the selector use will be racy for deferred probe at least. Fixes: 5a49b644b307 ("pinctrl: Renesas RZ/A1 pin and gpio controller") Reported-by: H. Nikolaus Schaller Cc: Christ van Willegen Cc: Haojian Zhuang Cc: Paul Cercueil Cc: Sean Wang Acked-by: Jacopo Mondi Signed-off-by: Tony Lindgren Tested-By: H. Nikolaus Schaller Reviewed-by: Andy Shevchenko Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/pinctrl/pinctrl-rza1.c | 24 +--- 1 file changed, 13 insertions(+), 11 deletions(-) --- a/drivers/pinctrl/pinctrl-rza1.c +++ b/drivers/pinctrl/pinctrl-rza1.c @@ -1006,6 +1006,7 @@ static int rza1_dt_node_to_map(struct pi const char *grpname; const char **fngrps; int ret, npins; + int gsel, fsel; npins = rza1_dt_node_pin_count(np); if (npins < 0) { @@ -1055,18 +1056,19 @@ static int rza1_dt_node_to_map(struct pi fngrps[0] = grpname; mutex_lock(_pctl->mutex); - ret = pinctrl_generic_add_group(pctldev, grpname, grpins, npins, - NULL); - if (ret) { + gsel = pinctrl_generic_add_group(pctldev, grpname, grpins, npins, +NULL); + if (gsel < 0) { mutex_unlock(_pctl->mutex); - return ret; + return gsel; } - ret = pinmux_generic_add_function(pctldev, grpname, fngrps, 1, - mux_confs); - if (ret) + fsel = pinmux_generic_add_function(pctldev, grpname, fngrps, 1, + mux_confs); + if (fsel < 0) { + ret = fsel; goto remove_group; - mutex_unlock(_pctl->mutex); + } dev_info(rza1_pctl->dev, "Parsed function and group %s with %d pins\n", grpname, npins); @@ -1083,15 +1085,15 @@ static int rza1_dt_node_to_map(struct pi (*map)->data.mux.group = np->name; (*map)->data.mux.function = np->name; *num_maps = 1; + mutex_unlock(_pctl->mutex); return 0; remove_function: - mutex_lock(_pctl->mutex); - pinmux_generic_remove_last_function(pctldev); + pinmux_generic_remove_function(pctldev, fsel); remove_group: - pinctrl_generic_remove_last_group(pctldev); + pinctrl_generic_remove_group(pctldev, gsel); mutex_unlock(_pctl->mutex); dev_info(rza1_pctl->dev, "Unable to parse function and group %s\n",
[PATCH 4.18 128/235] USB: serial: io_ti: fix array underflow in completion handler
4.18-stable review patch. If anyone has any objections, please let me know. -- From: Johan Hovold commit 691a03cfe8ca483f9c48153b869d354e4ae3abef upstream. As reported by Dan Carpenter, a malicious USB device could set port_number to a negative value and we would underflow the port array in the interrupt completion handler. As these devices only have one or two ports, fix this by making sure we only consider the seventh bit when determining the port number (and ignore bits 0xb0 which are typically set to 0x30). Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable Reported-by: Dan Carpenter Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman --- drivers/usb/serial/io_ti.h |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/usb/serial/io_ti.h +++ b/drivers/usb/serial/io_ti.h @@ -173,7 +173,7 @@ struct ump_interrupt { } __attribute__((packed)); -#define TIUMP_GET_PORT_FROM_CODE(c)(((c) >> 4) - 3) +#define TIUMP_GET_PORT_FROM_CODE(c)(((c) >> 6) & 0x01) #define TIUMP_GET_FUNC_FROM_CODE(c)((c) & 0x0f) #define TIUMP_INTERRUPT_CODE_LSR 0x03 #define TIUMP_INTERRUPT_CODE_MSR 0x04
[PATCH 4.18 162/235] pinctrl: mt7622: Fix probe fail by misuse the selector
4.18-stable review patch. If anyone has any objections, please let me know. -- From: Sean Wang [ Upstream commit 238262af08a20e5f1932fcf606b8b84370ac8b77 ] After the commit acf137951367 ("pinctrl: core: Return selector to the pinctrl driver") and the commit 47f1242d19c3 ("pinctrl: pinmux: Return selector to the pinctrl driver"), it's necessary to add the fixes needed for the pin controller drivers to use the appropriate returned selector for a negative error number returned in case of the fail at these functions. Otherwise, the driver would have a failed probe and that causes boot message cannot correctly output and devices fail to acquire their own pins. Cc: Kevin Hilman Fixes: acf137951367 ("pinctrl: core: Return selector to the pinctrl driver") Fixes: 47f1242d19c3 ("pinctrl: pinmux: Return selector to the pinctrl driver") Signed-off-by: Sean Wang Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/pinctrl/mediatek/pinctrl-mt7622.c |4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/drivers/pinctrl/mediatek/pinctrl-mt7622.c +++ b/drivers/pinctrl/mediatek/pinctrl-mt7622.c @@ -1537,7 +1537,7 @@ static int mtk_build_groups(struct mtk_p err = pinctrl_generic_add_group(hw->pctrl, group->name, group->pins, group->num_pins, group->data); - if (err) { + if (err < 0) { dev_err(hw->dev, "Failed to register group %s\n", group->name); return err; @@ -1558,7 +1558,7 @@ static int mtk_build_functions(struct mt func->group_names, func->num_group_names, func->data); - if (err) { + if (err < 0) { dev_err(hw->dev, "Failed to register function %s\n", func->name); return err;
[PATCH 4.18 126/235] usb: gadget: udc: renesas_usb3: fix maxpacket size of ep0
4.18-stable review patch. If anyone has any objections, please let me know. -- From: Yoshihiro Shimoda commit dfe1a51d2a36647f74cbad478801efa7cf394376 upstream. This patch fixes an issue that maxpacket size of ep0 is incorrect for SuperSpeed. Otherwise, CDC NCM class with SuperSpeed doesn't work correctly on this driver because its control read data size is more than 64 bytes. Reported-by: Junki Kato Fixes: 746bfe63bba3 ("usb: gadget: renesas_usb3: add support for Renesas USB3.0 peripheral controller") Cc: # v4.5+ Signed-off-by: Yoshihiro Shimoda Tested-by: Junki Kato Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman --- drivers/usb/gadget/udc/renesas_usb3.c |5 - 1 file changed, 4 insertions(+), 1 deletion(-) --- a/drivers/usb/gadget/udc/renesas_usb3.c +++ b/drivers/usb/gadget/udc/renesas_usb3.c @@ -787,12 +787,15 @@ static void usb3_irq_epc_int_1_speed(str switch (speed) { case USB_STA_SPEED_SS: usb3->gadget.speed = USB_SPEED_SUPER; + usb3->gadget.ep0->maxpacket = USB3_EP0_SS_MAX_PACKET_SIZE; break; case USB_STA_SPEED_HS: usb3->gadget.speed = USB_SPEED_HIGH; + usb3->gadget.ep0->maxpacket = USB3_EP0_HSFS_MAX_PACKET_SIZE; break; case USB_STA_SPEED_FS: usb3->gadget.speed = USB_SPEED_FULL; + usb3->gadget.ep0->maxpacket = USB3_EP0_HSFS_MAX_PACKET_SIZE; break; default: usb3->gadget.speed = USB_SPEED_UNKNOWN; @@ -2451,7 +2454,7 @@ static int renesas_usb3_init_ep(struct r /* for control pipe */ usb3->gadget.ep0 = _ep->ep; usb_ep_set_maxpacket_limit(_ep->ep, - USB3_EP0_HSFS_MAX_PACKET_SIZE); + USB3_EP0_SS_MAX_PACKET_SIZE); usb3_ep->ep.caps.type_control = true; usb3_ep->ep.caps.dir_in = true; usb3_ep->ep.caps.dir_out = true;
Re: [PATCH] arm64: dts: rockchip: update pinmux setting in rk3399.dtsi
Hi Akash, Am Mittwoch, 19. September 2018, 16:45:15 CEST schrieb Akash Gajjar: > replace pin numbers with equivalent pin macro in rk3399.dtsi > > Signed-off-by: Akash Gajjar so far my "policy" has been to have new stuff use the constants but not mass-converting the old entries, due to me being anxious about accidentially breaking some seldom used settings. With the newly added linebreaks your change looks pretty much hand- generated, so I guess there is a bit of probability for typos creeping in and it of course also only adapts one of the Rockchip socs. So while I _may_ be persuaded of a scripted conversion [including seeing the script] doing all Rockchip socs (per architecture) at once, I currently somehow prefer keeping the status quo ;-) Heiko
[PATCH 4.4 34/70] misc: hmc6352: fix potential Spectre v1
4.4-stable review patch. If anyone has any objections, please let me know. -- From: Gustavo A. R. Silva commit de916736dddbd6061472969f667b14204aa9 upstream. val is indirectly controlled by user-space, hence leading to a potential exploitation of the Spectre variant 1 vulnerability. This issue was detected with the help of Smatch: drivers/misc/hmc6352.c:54 compass_store() warn: potential spectre issue 'map' [r] Fix this by sanitizing val before using it to index map Notice that given that speculation windows are large, the policy is to kill the speculation on the first load and not worry if it can be completed with a dependent load/store [1]. [1] https://marc.info/?l=linux-kernel=152449131114778=2 Cc: sta...@vger.kernel.org Signed-off-by: Gustavo A. R. Silva Signed-off-by: Greg Kroah-Hartman --- drivers/misc/hmc6352.c |2 ++ 1 file changed, 2 insertions(+) --- a/drivers/misc/hmc6352.c +++ b/drivers/misc/hmc6352.c @@ -27,6 +27,7 @@ #include #include #include +#include static DEFINE_MUTEX(compass_mutex); @@ -50,6 +51,7 @@ static int compass_store(struct device * return ret; if (val >= strlen(map)) return -EINVAL; + val = array_index_nospec(val, strlen(map)); mutex_lock(_mutex); ret = compass_command(c, map[val]); mutex_unlock(_mutex);
Re: [BISECTED] Regression: Solidrun Clearfog Base won't boot since "PCI: mvebu: Only remap I/O space if configured"
Hello, On Mon, 24 Sep 2018 13:46:29 +0100, Lorenzo Pieralisi wrote: > What I think you can do short term, given that AFAICS MVEBU is not > removable, instead of using pci_host_probe() you move part of its code > into the driver and make sure that you remap IO as last operation before > probe completion (ie after scanning the host bridge) so that you do not > need to unmap it on failure; write a commit log summarising/linking this > thread please and when v4.20 lands we will give this a more thorough > look as Russell requested. > > How does that sound ? The only thing that can fail in pci_host_probe() is: ret = pci_scan_root_bus_bridge(bridge); if (ret < 0) { dev_err(bridge->dev.parent, "Scanning root bridge failed"); return ret; } In the pci-mvebu driver prior to the conversion to pci_host_probe(), the code flow at the end of ->probe() was: mvebu_pcie_enable() pci_common_init_dev() pcibios_init_hw() and pcibios_init_hw() calls pci_scan_root_bus_bridge(), without doing much about the return value other than issuing a warning: ret = pci_scan_root_bus_bridge(bridge); } if (WARN(ret < 0, "PCI: unable to scan bus!")) { pci_free_host_bridge(bridge); break; } I.e, even before the conversion to pci_host_probe(), in case of failure in pci_scan_root_bus_bridge(), we would have the I/O mapping in place, but the PCI controller not registered. We could keep the same (not great) behavior by doing: diff --git a/drivers/pci/controller/pci-mvebu.c b/drivers/pci/controller/pci-mvebu.c index 50eb0729385b..487492f0c5f7 100644 --- a/drivers/pci/controller/pci-mvebu.c +++ b/drivers/pci/controller/pci-mvebu.c @@ -1179,9 +1179,6 @@ static int mvebu_pcie_parse_request_resources(struct mvebu_pcie *pcie) resource_size(>io) - 1); pcie->realio.name = "PCI I/O"; - for (i = 0; i < resource_size(>realio); i += SZ_64K) - pci_ioremap_io(i, pcie->io.start + i); - pci_add_resource(>resources, >realio); } @@ -1197,7 +1194,7 @@ static int mvebu_pcie_probe(struct platform_device *pdev) struct device_node *child; int num, i, ret; - bridge = devm_pci_alloc_host_bridge(dev, sizeof(struct mvebu_pcie)); + bridge = pci_alloc_host_bridge(sizeof(struct mvebu_pcie)); if (!bridge) return -ENOMEM; @@ -1212,8 +1209,10 @@ static int mvebu_pcie_probe(struct platform_device *pdev) num = of_get_available_child_count(np); pcie->ports = devm_kcalloc(dev, num, sizeof(*pcie->ports), GFP_KERNEL); - if (!pcie->ports) - return -ENOMEM; + if (!pcie->ports) { + ret = -ENOMEM; + goto free_host_bridge; + } i = 0; for_each_available_child_of_node(np, child) { @@ -1222,7 +1221,7 @@ static int mvebu_pcie_probe(struct platform_device *pdev) ret = mvebu_pcie_parse_port(pcie, port, child); if (ret < 0) { of_node_put(child); - return ret; + goto free_host_bridge; } else if (ret == 0) { continue; } @@ -1268,7 +1267,21 @@ static int mvebu_pcie_probe(struct platform_device *pdev) bridge->align_resource = mvebu_pcie_align_resource; bridge->msi = pcie->msi; - return pci_host_probe(bridge); + if (resource_size(>io) != 0) { + for (i = 0; i < resource_size(>realio); i += SZ_64K) + pci_ioremap_io(i, pcie->io.start + i); + } + + ret = pci_host_probe(bridge); + if (ret) + pci_free_host_bridge(bridge); + + /* Yes, when pci_host_probe() returns a failure, we don't care */ + return 0; + +free_host_bridge: + pci_free_host_bridge(bridge); + return ret; } static const struct of_device_id mvebu_pcie_of_match_table[] = { I.e, we simply ignore the failure of pci_host_probe(). To be honest, I really prefer the option of introducing pci_unmap_io(). Best regards, Thomas -- Thomas Petazzoni, CTO, Bootlin Embedded Linux and Kernel engineering https://bootlin.com
Re: [PATCH v3 1/2] printk: Fix panic caused by passing log_buf_len to command line
On Sun, 23 Sep 2018 14:51:12 +0800 He Zhe wrote: > On 2018年09月23日 00:19, Steven Rostedt wrote: > > On Sat, 22 Sep 2018 23:40:51 +0800 > > wrote: > > > >> From: He Zhe > >> > >> log_buf_len_setup does not check input argument before passing it to > >> simple_strtoull. The argument would be a NULL pointer if "log_buf_len", > >> without its value, is set in command line and thus causes the following > >> panic. > >> > >> PANIC: early exception 0xe3 IP 10:aaeacd0d error 0 cr2 0x0 > >> [0.00] CPU: 0 PID: 0 Comm: swapper Not tainted > >> 4.19.0-rc4-yocto-standard+ #1 > >> [0.00] RIP: 0010:_parse_integer_fixup_radix+0xd/0x70 > >> ... > >> [0.00] Call Trace: > >> [0.00] simple_strtoull+0x29/0x70 > >> [0.00] memparse+0x26/0x90 > >> [0.00] log_buf_len_setup+0x17/0x22 > >> [0.00] do_early_param+0x57/0x8e > >> [0.00] parse_args+0x208/0x320 > >> [0.00] ? rdinit_setup+0x30/0x30 > >> [0.00] parse_early_options+0x29/0x2d > >> [0.00] ? rdinit_setup+0x30/0x30 > >> [0.00] parse_early_param+0x36/0x4d > >> [0.00] setup_arch+0x336/0x99e > >> [0.00] start_kernel+0x6f/0x4ee > >> [0.00] x86_64_start_reservations+0x24/0x26 > >> [0.00] x86_64_start_kernel+0x6f/0x72 > >> [0.00] secondary_startup_64+0xa4/0xb0 > >> > >> This patch adds a check to prevent the panic. > >> > >> Signed-off-by: He Zhe > >> Cc: sta...@vger.kernel.org > > I just tried this on a 2.6.32 kernel, and it crashes there. I guess > > this goes farther back than git history goes. > > > > Perhaps it should be commented that this bug has been here since > > creation of (git) time. > > I did a try on 2.6.32. It passed. Actually this bug only happens on > early_param(not __setup) which is introduced since v3.0. The oldest Really? This is what I got: Linux version 2.6.32-565.el6.x86_64 (mockbu...@x86-022.build.eng.bos.redhat.com) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-16) (GCC) ) #1 SMP Tue Jun 2 14:53:05 EDT 2015 Command line: ro root=UUID=b6bbd80c-a321-4350-9d87-ba8ec1f45917 LANG=en_US.UTF-8 SYSFONT=latarcyrheb-sun16 KEYTABLE=us console=ttyS0,115200 crashkernel=auto selinux=0 earlyprintk=ttyS0,115200 log_buf_len KERNEL supported cpus: Intel GenuineIntel AMD AuthenticAMD Centaur CentaurHauls BIOS-provided physical RAM map: BIOS-e820: - 0009d800 (usable) BIOS-e820: 0009d800 - 000a (reserved) BIOS-e820: 000e - 0010 (reserved) BIOS-e820: 0010 - c69ee000 (usable) BIOS-e820: c69ee000 - c69f5000 (ACPI NVS) BIOS-e820: c69f5000 - c6e38000 (usable) BIOS-e820: c6e38000 - c73c9000 (reserved) BIOS-e820: c73c9000 - d8dac000 (usable) BIOS-e820: d8dac000 - d8e44000 (reserved) BIOS-e820: d8e44000 - d8e95000 (usable) BIOS-e820: d8e95000 - d8fc8000 (ACPI NVS) BIOS-e820: d8fc8000 - d9fff000 (reserved) BIOS-e820: d9fff000 - da00 (usable) BIOS-e820: db00 - df20 (reserved) BIOS-e820: f800 - fc00 (reserved) BIOS-e820: fec0 - fec01000 (reserved) BIOS-e820: fed0 - fed04000 (reserved) BIOS-e820: fed1c000 - fed2 (reserved) BIOS-e820: fee0 - fee01000 (reserved) BIOS-e820: ff00 - 0001 (reserved) BIOS-e820: 0001 - 00021ee0 (usable) bootconsole [earlyser0] enabled PANIC: early exception 0e rip 10:812a1a4d error 0 cr2 0 Pid: 0, comm: swapper Not tainted 2.6.32-565.el6.x86_64 #1 Call Trace: [] ? native_read_cr2+0x9/0x10 [] ? early_idt_handler+0x5e/0x71 [] ? _parse_integer_fixup_radix+0xd/0x70 [] ? simple_strtoull+0x1a/0x50 [] ? memparse+0x17/0x90 [] ? log_buf_len_setup+0x15/0x47 [] ? do_early_param+0x5d/0x89 [] ? parse_args+0x197/0x340 [] ? do_early_param+0x0/0x89 [] ? parse_early_options+0x1e/0x20 [] ? parse_early_param+0x31/0x3d [] ? setup_arch+0x36f/0xc69 [] ? printk+0x41/0x44 [] ? start_kernel+0xdc/0x431 [] ? x86_64_start_reservations+0x125/0x129 [] ? x86_64_start_kernel+0x115/0x124 RIP _parse_integer_fixup_radix+0xd/0x70 > LTS version is 3.16 now. Should I send v4 and add a statement about > the supported version range in commit log? Fixes tags and stable info can be added by the maintainer that pulls in the patch. I was just commenting on it for them. > > > > > > >> Cc: pmla...@suse.com > >> Cc: sergey.senozhat...@gmail.com > >> Cc: rost...@goodmis.org > >> --- > >> v2: > >> Split out the addition of pr_fmt and the unsigned update > > Which unsigned update? As it does switch to unsigned to "unsigned int", > > but that change is fine to me with this. > > No problem. It's the history of v2. > > In v1 you suggested "unsigned int size" should be in a separate
RE: [RFC PATCH v2 2/2] phy: cadence: Add driver for Sierra PHY
Hi, On 20 September 2018 11:10, Kishon Vijay Abraham I wrote: > Hi, > > On Thursday 06 September 2018 08:12 PM, Alan Douglas wrote: > > Add a Sierra PHY driver with PCIe and USB support. > > > > The PHY has multiple lanes, which can be configured into > > groups, and a generic PHY device is created for each group. > > > > There are two resets controlling the overall PHY block, one > > to enable the APB interface for programming registers, and > > another to enable the PHY itself. Additionally there are > > resets for each PHY lane. > > > > The PHY can be configured in hardware to read register > > settings from ROM, or they can be written by the driver. > > > > The sequence of operation on startup is to enable the APB > > bus, write the PHY registers (if required) for each lane > > group, and then enable the PHY. Each group of lanes > > can then be individually controlled using the power_on()/ > > power_off() function for that generic PHY > > > > Signed-off-by: Alan Douglas > > --- > > drivers/phy/Kconfig | 1 + > > drivers/phy/Makefile | 1 + > > drivers/phy/cadence/Kconfig | 9 + > > drivers/phy/cadence/Makefile | 2 + > > drivers/phy/cadence/cdns-sierra.c | 385 > > ++ > > 5 files changed, 398 insertions(+) > > create mode 100644 drivers/phy/cadence/Kconfig > > create mode 100644 drivers/phy/cadence/Makefile > > create mode 100644 drivers/phy/cadence/cdns-sierra.c > > > > diff --git a/drivers/phy/Kconfig b/drivers/phy/Kconfig > > index 5c8d452..cc47f85 100644 > > --- a/drivers/phy/Kconfig > > +++ b/drivers/phy/Kconfig > > @@ -43,6 +43,7 @@ config PHY_XGENE > > source "drivers/phy/allwinner/Kconfig" > > source "drivers/phy/amlogic/Kconfig" > > source "drivers/phy/broadcom/Kconfig" > > +source "drivers/phy/cadence/Kconfig" > > source "drivers/phy/hisilicon/Kconfig" > > source "drivers/phy/lantiq/Kconfig" > > source "drivers/phy/marvell/Kconfig" > > diff --git a/drivers/phy/Makefile b/drivers/phy/Makefile > > index 84e3bd9..ba48acd 100644 > > --- a/drivers/phy/Makefile > > +++ b/drivers/phy/Makefile > > @@ -15,6 +15,7 @@ obj-$(CONFIG_ARCH_RENESAS)+= renesas/ > > obj-$(CONFIG_ARCH_ROCKCHIP)+= rockchip/ > > obj-$(CONFIG_ARCH_TEGRA) += tegra/ > > obj-y += broadcom/\ > > + cadence/ \ > >hisilicon/ \ > >marvell/ \ > >motorola/\ > > diff --git a/drivers/phy/cadence/Kconfig b/drivers/phy/cadence/Kconfig > > new file mode 100644 > > index 000..098df0f > > --- /dev/null > > +++ b/drivers/phy/cadence/Kconfig > > @@ -0,0 +1,9 @@ > > +# > > +# Phy drivers for Cadence PHYs > > +# > > +config CDNS_SIERRA_PHY > > + tristate "Cadence Sierra PHY Driver" > > + depends on OF && HAS_IOMEM && RESET_CONTROLLER > > + select GENERIC_PHY > > + help > > + Enable this to support the Cadence Sierra PHY driver > > diff --git a/drivers/phy/cadence/Makefile b/drivers/phy/cadence/Makefile > > new file mode 100644 > > index 000..c396c69 > > --- /dev/null > > +++ b/drivers/phy/cadence/Makefile > > @@ -0,0 +1,2 @@ > > +# SPDX-License-Identifier: GPL-2.0 > > +obj-$(CONFIG_CDNS_SIERRA_PHY) += cdns-sierra.o > > diff --git a/drivers/phy/cadence/cdns-sierra.c > > b/drivers/phy/cadence/cdns-sierra.c > > new file mode 100644 > > index 000..83568b4 > > --- /dev/null > > +++ b/drivers/phy/cadence/cdns-sierra.c > > @@ -0,0 +1,385 @@ > > +// SPDX-License-Identifier: GPL-2.0 > > +/* > > + * Cadence Sierra PHY Driver > > + * > > + * Copyright (c) 2018 Cadence Design Systems > > + * Author: Alan Douglas > > + * > > + */ > > +#include > > +#include > > +#include > > +#include > > +#include > > +#include > > +#include > > +#include > > +#include > > +#include > > +#include > > +#include > > +#include > > +#include > > + > > +/* PHY register offsets */ > > +#define SIERRA_PHY_PLL_CFG (0xc00e << 2) > > +#define SIERRA_DET_STANDEC_A (0x4000 << 2) > > +#define SIERRA_DET_STANDEC_B (0x4001 << 2) > > +#define SIERRA_DET_STANDEC_C (0x4002 << 2) > > +#define SIERRA_DET_STANDEC_D (0x4003 << 2) > > +#define SIERRA_DET_STANDEC_E (0x4004 << 2) > > +#define SIERRA_PSM_LANECAL (0x4008 << 2) > > +#define SIERRA_PSM_DIAG(0x4015 << 2) > > +#define SIERRA_PSC_TX_A0 (0x4028 << 2) > > +#define SIERRA_PSC_TX_A1 (0x4029 << 2) > > +#define SIERRA_PSC_TX_A2 (0x402A << 2) > > +#define SIERRA_PSC_TX_A3 (0x402B << 2) > > +#define SIERRA_PSC_RX_A0 (0x4030 << 2) > > +#define SIERRA_PSC_RX_A1 (0x4031 << 2) > > +#define SIERRA_PSC_RX_A2 (0x4032 << 2) > > +#define SIERRA_PSC_RX_A3 (0x4033 << 2) > >
[PATCH 1/2] thunderbolt: Do not handle ICM events after domain is stopped
If there is a long chain of devices connected when the driver is loaded ICM sends device connected event for each and those are put to tb->wq for later processing. Now if the driver gets unloaded in the middle, so that the work queue is not yet empty it gets flushed by tb_domain_stop(). However, by that time the root switch is already removed so the driver crashes when it tries to dereference it in ICM event handling callbacks. Fix this by checking whether the root switch is already removed. If it is we know that the domain is stopped and we should merely skip handling the event. Signed-off-by: Mika Westerberg --- drivers/thunderbolt/icm.c | 49 --- 1 file changed, 20 insertions(+), 29 deletions(-) diff --git a/drivers/thunderbolt/icm.c b/drivers/thunderbolt/icm.c index e1e264a9a4c7..28fc4ce75edb 100644 --- a/drivers/thunderbolt/icm.c +++ b/drivers/thunderbolt/icm.c @@ -738,14 +738,6 @@ icm_fr_xdomain_connected(struct tb *tb, const struct icm_pkg_header *hdr) u8 link, depth; u64 route; - /* -* After NVM upgrade adding root switch device fails because we -* initiated reset. During that time ICM might still send -* XDomain connected message which we ignore here. -*/ - if (!tb->root_switch) - return; - link = pkg->link_info & ICM_LINK_INFO_LINK_MASK; depth = (pkg->link_info & ICM_LINK_INFO_DEPTH_MASK) >> ICM_LINK_INFO_DEPTH_SHIFT; @@ -1037,14 +1029,6 @@ icm_tr_device_connected(struct tb *tb, const struct icm_pkg_header *hdr) if (pkg->hdr.packet_id) return; - /* -* After NVM upgrade adding root switch device fails because we -* initiated reset. During that time ICM might still send device -* connected message which we ignore here. -*/ - if (!tb->root_switch) - return; - route = get_route(pkg->route_hi, pkg->route_lo); authorized = pkg->link_info & ICM_LINK_INFO_APPROVED; security_level = (pkg->hdr.flags & ICM_FLAGS_SLEVEL_MASK) >> @@ -1408,19 +1392,26 @@ static void icm_handle_notification(struct work_struct *work) mutex_lock(>lock); - switch (n->pkg->code) { - case ICM_EVENT_DEVICE_CONNECTED: - icm->device_connected(tb, n->pkg); - break; - case ICM_EVENT_DEVICE_DISCONNECTED: - icm->device_disconnected(tb, n->pkg); - break; - case ICM_EVENT_XDOMAIN_CONNECTED: - icm->xdomain_connected(tb, n->pkg); - break; - case ICM_EVENT_XDOMAIN_DISCONNECTED: - icm->xdomain_disconnected(tb, n->pkg); - break; + /* +* When the domain is stopped we flush its workqueue but before +* that the root switch is removed. In that case we should treat +* the queued events as being canceled. +*/ + if (tb->root_switch) { + switch (n->pkg->code) { + case ICM_EVENT_DEVICE_CONNECTED: + icm->device_connected(tb, n->pkg); + break; + case ICM_EVENT_DEVICE_DISCONNECTED: + icm->device_disconnected(tb, n->pkg); + break; + case ICM_EVENT_XDOMAIN_CONNECTED: + icm->xdomain_connected(tb, n->pkg); + break; + case ICM_EVENT_XDOMAIN_DISCONNECTED: + icm->xdomain_disconnected(tb, n->pkg); + break; + } } mutex_unlock(>lock); -- 2.18.0
[PATCH 2/2] thunderbolt: Initialize after IOMMUs
If IOMMU is enabled and Thunderbolt driver is built into the kernel image, it will be probed before IOMMUs are attached to the PCI bus. Because of this DMA mappings the driver does will not go through IOMMU and start failing right after IOMMUs are enabled. For this reason move the Thunderbolt driver initialization happen at rootfs level. Signed-off-by: Mika Westerberg --- drivers/thunderbolt/nhi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/thunderbolt/nhi.c b/drivers/thunderbolt/nhi.c index 88cff05a1808..5cd6bdfa068f 100644 --- a/drivers/thunderbolt/nhi.c +++ b/drivers/thunderbolt/nhi.c @@ -1191,5 +1191,5 @@ static void __exit nhi_unload(void) tb_domain_exit(); } -fs_initcall(nhi_init); +rootfs_initcall(nhi_init); module_exit(nhi_unload); -- 2.18.0
Re: [PATCH v10 01/26] KVM: s390: vsie: simulate VCPU SIE entry/exit
On 09/12/2018 09:42 PM, Tony Krowiak wrote: > From: David Hildenbrand > > VCPU requests and VCPU blocking right now don't take care of the vSIE > (as it was not necessary until now). But we want to have synchronous VCPU > requests that will also be handled before running the vSIE again. > > So let's simulate a SIE entry of the VCPU when calling the sie during > vSIE handling and check for PROG_ flags. The existing infrastructure > (e.g. exit_sie()) will then detect that the SIE (in form of the vSIE) is > running and properly kick the vSIE CPU, resulting in it leaving the vSIE > loop and therefore the vSIE interception handler, allowing it to handle > VCPU requests. > > E.g. if we want to modify the crycb of the VCPU and make sure that any > masks also get applied to the VSIE crycb shadow (which uses masks from the > VCPU crycb), we will need a way to hinder the vSIE from running and make > sure to process the updated crycb before reentering the vSIE again. > > Reviewed-by: Pierre Morel > Reviewed-by: Cornelia Huck > Reviewed-by: Janosch Frank > Signed-off-by: Tony Krowiak > Signed-off-by: David Hildenbrand I guess you should want to swap both signoffs? In the end they should show the patch flow. Other than that: Reviewed-by: Christian Borntraeger > --- > arch/s390/kvm/kvm-s390.c |9 - > arch/s390/kvm/kvm-s390.h |1 + > arch/s390/kvm/vsie.c | 21 + > 3 files changed, 26 insertions(+), 5 deletions(-) > > diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c > index f69333f..0b5aff0 100644 > --- a/arch/s390/kvm/kvm-s390.c > +++ b/arch/s390/kvm/kvm-s390.c > @@ -2768,18 +2768,25 @@ static void kvm_s390_vcpu_request(struct kvm_vcpu > *vcpu) > exit_sie(vcpu); > } > > +bool kvm_s390_vcpu_sie_inhibited(struct kvm_vcpu *vcpu) > +{ > + return atomic_read(>arch.sie_block->prog20) & > +(PROG_BLOCK_SIE | PROG_REQUEST); > +} > + > static void kvm_s390_vcpu_request_handled(struct kvm_vcpu *vcpu) > { > atomic_andnot(PROG_REQUEST, >arch.sie_block->prog20); > } > > /* > - * Kick a guest cpu out of SIE and wait until SIE is not running. > + * Kick a guest cpu out of (v)SIE and wait until (v)SIE is not running. > * If the CPU is not running (e.g. waiting as idle) the function will > * return immediately. */ > void exit_sie(struct kvm_vcpu *vcpu) > { > kvm_s390_set_cpuflags(vcpu, CPUSTAT_STOP_INT); > + kvm_s390_vsie_kick(vcpu); > while (vcpu->arch.sie_block->prog0c & PROG_IN_SIE) > cpu_relax(); > } > diff --git a/arch/s390/kvm/kvm-s390.h b/arch/s390/kvm/kvm-s390.h > index 981e3ba..1f6e36c 100644 > --- a/arch/s390/kvm/kvm-s390.h > +++ b/arch/s390/kvm/kvm-s390.h > @@ -290,6 +290,7 @@ void kvm_s390_set_tod_clock(struct kvm *kvm, > void kvm_s390_vcpu_stop(struct kvm_vcpu *vcpu); > void kvm_s390_vcpu_block(struct kvm_vcpu *vcpu); > void kvm_s390_vcpu_unblock(struct kvm_vcpu *vcpu); > +bool kvm_s390_vcpu_sie_inhibited(struct kvm_vcpu *vcpu); > void exit_sie(struct kvm_vcpu *vcpu); > void kvm_s390_sync_request(int req, struct kvm_vcpu *vcpu); > int kvm_s390_vcpu_setup_cmma(struct kvm_vcpu *vcpu); > diff --git a/arch/s390/kvm/vsie.c b/arch/s390/kvm/vsie.c > index a2b28cd..12b9707 100644 > --- a/arch/s390/kvm/vsie.c > +++ b/arch/s390/kvm/vsie.c > @@ -830,7 +830,7 @@ static int do_vsie_run(struct kvm_vcpu *vcpu, struct > vsie_page *vsie_page) > struct kvm_s390_sie_block *scb_s = _page->scb_s; > struct kvm_s390_sie_block *scb_o = vsie_page->scb_o; > int guest_bp_isolation; > - int rc; > + int rc = 0; > > handle_last_fault(vcpu, vsie_page); > > @@ -858,7 +858,18 @@ static int do_vsie_run(struct kvm_vcpu *vcpu, struct > vsie_page *vsie_page) > guest_enter_irqoff(); > local_irq_enable(); > > - rc = sie64a(scb_s, vcpu->run->s.regs.gprs); > + /* > + * Simulate a SIE entry of the VCPU (see sie64a), so VCPU blocking > + * and VCPU requests also hinder the vSIE from running and lead > + * to an immediate exit. kvm_s390_vsie_kick() has to be used to > + * also kick the vSIE. > + */ > + vcpu->arch.sie_block->prog0c |= PROG_IN_SIE; > + barrier(); > + if (!kvm_s390_vcpu_sie_inhibited(vcpu)) > + rc = sie64a(scb_s, vcpu->run->s.regs.gprs); > + barrier(); > + vcpu->arch.sie_block->prog0c &= ~PROG_IN_SIE; > > local_irq_disable(); > guest_exit_irqoff(); > @@ -1005,7 +1016,8 @@ static int vsie_run(struct kvm_vcpu *vcpu, struct > vsie_page *vsie_page) > if (rc == -EAGAIN) > rc = 0; > if (rc || scb_s->icptcode || signal_pending(current) || > - kvm_s390_vcpu_has_irq(vcpu, 0)) > + kvm_s390_vcpu_has_irq(vcpu, 0) || > + kvm_s390_vcpu_sie_inhibited(vcpu)) > break; > } > > @@ -1122,7 +1134,8 @@ int kvm_s390_handle_vsie(struct kvm_vcpu *vcpu) > if
Re: [PATCH v3 3/4] devres: provide devm_kstrdup_const()
On Mon, Sep 24, 2018 at 12:11:49PM +0200, Bartosz Golaszewski wrote: > Provide a resource managed version of kstrdup_const(). This variant > internally calls devm_kstrdup() on pointers that are outside of > .rodata section and returns the string as is otherwise. > > Also provide a corresponding version of devm_kfree(). > > Signed-off-by: Bartosz Golaszewski > Reviewed-by: Bjorn Andersson Acked-by: Mike Rapoport > --- > drivers/base/devres.c | 38 ++ > include/linux/device.h | 3 +++ > 2 files changed, 41 insertions(+) > > diff --git a/drivers/base/devres.c b/drivers/base/devres.c > index 438c91a43508..48185d57bc5b 100644 > --- a/drivers/base/devres.c > +++ b/drivers/base/devres.c > @@ -11,6 +11,8 @@ > #include > #include > > +#include > + > #include "base.h" > > struct devres_node { > @@ -822,6 +824,28 @@ char *devm_kstrdup(struct device *dev, const char *s, > gfp_t gfp) > } > EXPORT_SYMBOL_GPL(devm_kstrdup); > > +/** > + * devm_kstrdup_const - resource managed conditional string duplication > + * @dev: device for which to duplicate the string > + * @s: the string to duplicate > + * @gfp: the GFP mask used in the kmalloc() call when allocating memory > + * > + * Strings allocated by devm_kstrdup_const will be automatically freed when > + * the associated device is detached. > + * > + * RETURNS: > + * Source string if it is in .rodata section otherwise it falls back to > + * devm_kstrdup. > + */ > +const char *devm_kstrdup_const(struct device *dev, const char *s, gfp_t gfp) > +{ > + if (is_kernel_rodata((unsigned long)s)) > + return s; > + > + return devm_kstrdup(dev, s, gfp); > +} > +EXPORT_SYMBOL(devm_kstrdup_const); > + > /** > * devm_kvasprintf - Allocate resource managed space and format a string > *into that. > @@ -895,6 +919,20 @@ void devm_kfree(struct device *dev, const void *p) > } > EXPORT_SYMBOL_GPL(devm_kfree); > > +/** > + * devm_kfree_const - Resource managed conditional kfree > + * @dev: device this memory belongs to > + * @p: memory to free > + * > + * Function calls devm_kfree only if @p is not in .rodata section. > + */ > +void devm_kfree_const(struct device *dev, const void *p) > +{ > + if (!is_kernel_rodata((unsigned long)p)) > + devm_kfree(dev, p); > +} > +EXPORT_SYMBOL(devm_kfree_const); > + > /** > * devm_kmemdup - Resource-managed kmemdup > * @dev: Device this memory belongs to > diff --git a/include/linux/device.h b/include/linux/device.h > index 33f7cb271fbb..79ccc6eb0975 100644 > --- a/include/linux/device.h > +++ b/include/linux/device.h > @@ -693,7 +693,10 @@ static inline void *devm_kcalloc(struct device *dev, > return devm_kmalloc_array(dev, n, size, flags | __GFP_ZERO); > } > extern void devm_kfree(struct device *dev, const void *p); > +extern void devm_kfree_const(struct device *dev, const void *p); > extern char *devm_kstrdup(struct device *dev, const char *s, gfp_t gfp) > __malloc; > +extern const char *devm_kstrdup_const(struct device *dev, > + const char *s, gfp_t gfp); > extern void *devm_kmemdup(struct device *dev, const void *src, size_t len, > gfp_t gfp); > > -- > 2.18.0 > -- Sincerely yours, Mike.
Re: [PATCH v3 2/4] mm: move is_kernel_rodata() to asm-generic/sections.h
On Mon, Sep 24, 2018 at 12:11:48PM +0200, Bartosz Golaszewski wrote: > Export this routine so that we can use it later in devm_kstrdup_const() > and devm_kfree_const(). > > Signed-off-by: Bartosz Golaszewski > Reviewed-by: Bjorn Andersson Acked-by: Mike Rapoport > --- > include/asm-generic/sections.h | 14 ++ > mm/util.c | 7 --- > 2 files changed, 14 insertions(+), 7 deletions(-) > > diff --git a/include/asm-generic/sections.h b/include/asm-generic/sections.h > index 849cd8eb5ca0..d79abca81a52 100644 > --- a/include/asm-generic/sections.h > +++ b/include/asm-generic/sections.h > @@ -141,4 +141,18 @@ static inline bool init_section_intersects(void *virt, > size_t size) > return memory_intersects(__init_begin, __init_end, virt, size); > } > > +/** > + * is_kernel_rodata - checks if the pointer address is located in the > + *.rodata section > + * > + * @addr: address to check > + * > + * Returns: true if the address is located in .rodata, false otherwise. > + */ > +static inline bool is_kernel_rodata(unsigned long addr) > +{ > + return addr >= (unsigned long)__start_rodata && > +addr < (unsigned long)__end_rodata; > +} > + > #endif /* _ASM_GENERIC_SECTIONS_H_ */ > diff --git a/mm/util.c b/mm/util.c > index 9e3ebd2ef65f..470f5cd80b64 100644 > --- a/mm/util.c > +++ b/mm/util.c > @@ -15,17 +15,10 @@ > #include > #include > > -#include > #include > > #include "internal.h" > > -static inline int is_kernel_rodata(unsigned long addr) > -{ > - return addr >= (unsigned long)__start_rodata && > - addr < (unsigned long)__end_rodata; > -} > - > /** > * kfree_const - conditionally free memory > * @x: pointer to the memory > -- > 2.18.0 > -- Sincerely yours, Mike.
[PATCH 05/14] MIPS: lantiq: Unselect SWAP_IO_SPACE when LANTIQ is selected
SWAP_IO_SPACE macro prevents serial driver /drivers/tty/serial/lantiq.c to use readl/writel to replace ltq_r32/w32 which are SoC or platform specific APIs. readl/writel are used for this serial driver to support multiple platforms and multiple architectures. The legacy lantiq platform(Danube) enables SWAP_IO_SPACE for supporting PCI due to some hardware bugs. It's a little-endian bus plus PCI TX/RX swap enable impacted both data and control path for MIPS based platforms. But it is better to let PCI device driver to do endian swap since SWAP_IO_SPACE is a global wide macro which potentially impacts other peripheral like USB. ltq_r32/ltq_w32 is not impacted in other device drivers based on MIPS when SWAP_IO_SPACE is not selected as they use non-byte swapping OS API (__raw_read/__raw_writel). Signed-off-by: Songjun Wu --- arch/mips/Kconfig | 1 - 1 file changed, 1 deletion(-) diff --git a/arch/mips/Kconfig b/arch/mips/Kconfig index 138d60cf19bc..dcc1fd39cbf3 100644 --- a/arch/mips/Kconfig +++ b/arch/mips/Kconfig @@ -406,7 +406,6 @@ config LANTIQ select SYS_SUPPORTS_VPE_LOADER select SYS_HAS_EARLY_PRINTK select GPIOLIB - select SWAP_IO_SPACE select BOOT_RAW select CLKDEV_LOOKUP select USE_OF -- 2.11.0
[PATCH v9 5/5] clk: imx: add clock driver for i.MX8MQ CCM
From: Lucas Stach Add driver for the Clock Control Module found on i.MX8MQ. This is largely based on the downstream driver from Anson Huang and Bai Ping at NXP, plus the imx composite clock from Abel Vesa at NXP, with only some small adaptions to mainline from me. Signed-off-by: Lucas Stach Signed-off-by: Abel Vesa --- drivers/clk/imx/Makefile | 1 + drivers/clk/imx/clk-imx8mq.c | 602 +++ drivers/clk/imx/clk.h| 36 +++ 3 files changed, 639 insertions(+) create mode 100644 drivers/clk/imx/clk-imx8mq.c diff --git a/drivers/clk/imx/Makefile b/drivers/clk/imx/Makefile index 4fabb0a..64e695c 100644 --- a/drivers/clk/imx/Makefile +++ b/drivers/clk/imx/Makefile @@ -30,3 +30,4 @@ obj-$(CONFIG_SOC_IMX6SX) += clk-imx6sx.o obj-$(CONFIG_SOC_IMX6UL) += clk-imx6ul.o obj-$(CONFIG_SOC_IMX7D) += clk-imx7d.o obj-$(CONFIG_SOC_VF610) += clk-vf610.o +obj-$(CONFIG_SOC_IMX8MQ) += clk-imx8mq.o diff --git a/drivers/clk/imx/clk-imx8mq.c b/drivers/clk/imx/clk-imx8mq.c new file mode 100644 index 000..aadb523 --- /dev/null +++ b/drivers/clk/imx/clk-imx8mq.c @@ -0,0 +1,602 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Copyright 2018 NXP. + * Copyright (C) 2017 Pengutronix, Lucas Stach + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "clk.h" + +static u32 share_count_sai1; +static u32 share_count_sai2; +static u32 share_count_sai3; +static u32 share_count_sai4; +static u32 share_count_sai5; +static u32 share_count_sai6; +static u32 share_count_dcss; +static u32 share_count_nand; + +static struct clk *clks[IMX8MQ_CLK_END]; + +static const char *pll_ref_sels[] = { "osc_25m", "osc_27m", "dummy", "dummy", }; +static const char *arm_pll_bypass_sels[] = {"arm_pll", "arm_pll_ref_sel", }; +static const char *gpu_pll_bypass_sels[] = {"gpu_pll", "gpu_pll_ref_sel", }; +static const char *vpu_pll_bypass_sels[] = {"vpu_pll", "vpu_pll_ref_sel", }; +static const char *audio_pll1_bypass_sels[] = {"audio_pll1", "audio_pll1_ref_sel", }; +static const char *audio_pll2_bypass_sels[] = {"audio_pll2", "audio_pll2_ref_sel", }; +static const char *video_pll1_bypass_sels[] = {"video_pll1", "video_pll1_ref_sel", }; + +static const char *sys1_pll1_out_sels[] = {"sys1_pll1", "sys1_pll1_ref_sel", }; +static const char *sys2_pll1_out_sels[] = {"sys2_pll1", "sys1_pll1_ref_sel", }; +static const char *sys3_pll1_out_sels[] = {"sys3_pll1", "sys3_pll1_ref_sel", }; +static const char *dram_pll1_out_sels[] = {"dram_pll1", "dram_pll1_ref_sel", }; + +static const char *sys1_pll2_out_sels[] = {"sys1_pll2_div", "sys1_pll1_ref_sel", }; +static const char *sys2_pll2_out_sels[] = {"sys2_pll2_div", "sys2_pll1_ref_sel", }; +static const char *sys3_pll2_out_sels[] = {"sys3_pll2_div", "sys2_pll1_ref_sel", }; +static const char *dram_pll2_out_sels[] = {"dram_pll2_div", "dram_pll1_ref_sel", }; + +/* CCM ROOT */ +static const char *imx8mq_a53_sels[] = {"osc_25m", "arm_pll_out", "sys2_pll_500m", "sys2_pll_1000m", + "sys1_pll_800m", "sys1_pll_400m", "audio_pll1_out", "sys3_pll2_out", }; + +static const char *imx8mq_vpu_sels[] = {"osc_25m", "arm_pll_out", "sys2_pll_500m", "sys2_pll_1000m", + "sys1_pll_800m", "sys1_pll_400m", "audio_pll1_out", "vpu_pll_out", }; + +static const char *imx8mq_gpu_core_sels[] = {"osc_25m", "gpu_pll_out", "sys1_pll_800m", "sys3_pll2_out", +"sys2_pll_1000m", "audio_pll1_out", "video_pll1_out", "audio_pll2_out", }; + +static const char *imx8mq_gpu_shader_sels[] = {"osc_25m", "gpu_pll_out", "sys1_pll_800m", "sys3_pll2_out", + "sys2_pll_1000m", "audio_pll1_out", "video_pll1_out", "audio_pll2_out", }; + +static const char *imx8mq_main_axi_sels[] = {"osc_25m", "sys2_pll_333m", "sys1_pll_800m", "sys2_pll_250m", +"sys2_pll_1000m", "audio_pll1_out", "video_pll1_out", "sys1_pll_100m",}; + +static const char *imx8mq_enet_axi_sels[] = {"osc_25m", "sys1_pll_266m", "sys1_pll_800m", "sys2_pll_250m", +"sys2_pll_200m", "audio_pll1_out", "video_pll1_out", "sys3_pll2_out", }; + +static const char *imx8mq_nand_usdhc_sels[] = {"osc_25m", "sys1_pll_266m", "sys1_pll_800m", "sys2_pll_200m", + "sys1_pll_133m", "sys3_pll2_out", "sys2_pll_250m", "audio_pll1_out", }; + +static const char *imx8mq_vpu_bus_sels[] = {"osc_25m", "sys1_pll_800m", "vpu_pll_out", "audio_pll2_out", "sys3_pll2_out", "sys2_pll_1000m", "sys2_pll_200m", "sys1_pll_100m", }; + +static const char *imx8mq_disp_axi_sels[] = {"osc_25m", "sys2_pll_125m", "sys1_pll_800m", "sys3_pll2_out", "sys1_pll_400m", "audio_pll2_out", "clk_ext1", "clk_ext4", }; + +static const char *imx8mq_disp_apb_sels[] = {"osc_25m", "sys2_pll_125m", "sys1_pll_800m",
Re: [PATCH v10 09/26] s390: vfio-ap: sysfs interface to view matrix mdev matrix
On Wed, 12 Sep 2018 15:42:59 -0400 Tony Krowiak wrote: > From: Tony Krowiak > > Provides a sysfs interface to view the AP matrix configured for the > mediated matrix device. > > The relevant sysfs structures are: > > /sys/devices/vfio_ap/matrix/ > .. [mdev_supported_types] > . [vfio_ap-passthrough] > [devices] > ...[$uuid] > .. matrix > > To view the matrix configured for the mediated matrix device, > print the matrix file: > > cat matrix > > Below are examples of the output from the above command: > > Example 1: Adapters and domains assigned > Assignments: > Adapters 5 and 6 > Domains 4 and 71 (0x47) > > Output > 05.0004 > 05.0047 > 06.0004 > 06.0047 > > Examples 2: Only adapters assigned > Assignments: > Adapters 5 and 6 > > Output: > 05. > 06. > > Examples 3: Only domains assigned > Assignments: > Domains 4 and 71 (0x47) > > Output: > .0004 > .0047 > > Signed-off-by: Tony Krowiak > Reviewed-by: Halil Pasic > Tested-by: Michael Mueller > Tested-by: Farhan Ali > Tested-by: Pierre Morel > Signed-off-by: Christian Borntraeger > --- > drivers/s390/crypto/vfio_ap_ops.c | 51 > + > 1 files changed, 51 insertions(+), 0 deletions(-) Reviewed-by: Cornelia Huck
Re: [PATCH v10 08/26] s390: vfio-ap: sysfs interfaces to configure control domains
On Wed, 12 Sep 2018 15:42:58 -0400 Tony Krowiak wrote: > From: Tony Krowiak > > Provides the sysfs interfaces for: > > 1. Assigning AP control domains to the mediated matrix device > > 2. Unassigning AP control domains from a mediated matrix device > > 3. Displaying the control domains assigned to a mediated matrix >device > > The IDs of the AP control domains assigned to the mediated matrix > device are stored in an AP domain mask (ADM). The bits in the ADM, > from most significant to least significant bit, correspond to > AP domain numbers 0 to 255. On some systems, the maximum allowable > domain number may be less than 255 - depending upon the host's > AP configuration - and assignment may be rejected if the input > domain ID exceeds the limit. > > When a control domain is assigned, the bit corresponding its domain > ID will be set in the ADM. Likewise, when a domain is unassigned, > the bit corresponding to its domain ID will be cleared in the ADM. > > The relevant sysfs structures are: > > /sys/devices/vfio_ap/matrix/ > .. [mdev_supported_types] > . [vfio_ap-passthrough] > [devices] > ...[$uuid] > .. assign_control_domain > .. unassign_control_domain > > To assign a control domain to the $uuid mediated matrix device's > ADM, write its domain number to the assign_control_domain file. > To unassign a domain, write its domain number to the > unassign_control_domain file. The domain number is specified > using conventional semantics: If it begins with 0x the number > will be parsed as a hexadecimal (case insensitive) number; > if it begins with 0, it is parsed as an octal number; > otherwise, it will be parsed as a decimal number. > > For example, to assign control domain 173 (0xad) to the mediated > matrix device $uuid: > > echo 173 > assign_control_domain > > or > > echo 0255 > assign_control_domain > > or > > echo 0xad > assign_control_domain > > To unassign control domain 173 (0xad): > > echo 173 > unassign_control_domain > > or > > echo 0255 > unassign_control_domain > > or > > echo 0xad > unassign_control_domain > > The assignment will be rejected if the APQI exceeds the maximum > value for an AP domain: > * If the AP Extended Addressing (APXA) facility is installed, > the max value is 255 > * Else the max value is 15 > > Signed-off-by: Tony Krowiak > Reviewed-by: Halil Pasic > Tested-by: Michael Mueller > Tested-by: Farhan Ali > Tested-by: Pierre Morel > Signed-off-by: Christian Borntraeger > --- > drivers/s390/crypto/vfio_ap_ops.c | 112 > + > 1 files changed, 112 insertions(+), 0 deletions(-) > Reviewed-by: Cornelia Huck
Re: [PATCH v3 4/4] clk: pmc-atom: use devm_kstrdup_const()
On Mon, Sep 24, 2018 at 12:11:50PM +0200, Bartosz Golaszewski wrote: > Use devm_kstrdup_const() in the pmc-atom driver. This mostly serves as > an example of how to use this new routine to shrink driver code. > > While we're at it: replace a call to kcalloc() with devm_kcalloc(). > @@ -352,8 +344,6 @@ static int plt_clk_probe(struct platform_device *pdev) > goto err_drop_mclk; > } > > - plt_clk_free_parent_names_loop(parent_names, data->nparents); > - > platform_set_drvdata(pdev, data); > return 0; I don't think this is a good example. You changed a behaviour here in the way that you keep all chunks of memory (even small enough for pointers) during entire life time of the driver, which pretty likely would be forever till next boot. In the original case the memory was freed immediately in probe either it fails or returns with success. NAK, sorry. -- With Best Regards, Andy Shevchenko
Re: [PATCH v10 24/26] KVM: s390: device attrs to enable/disable AP interpretation
On 22/09/2018 01:40, Tony Krowiak wrote: > On 09/17/2018 04:51 AM, David Hildenbrand wrote: >> Am 12.09.18 um 21:43 schrieb Tony Krowiak: >>> From: Tony Krowiak >>> >>> Introduces two new VM crypto device attributes (KVM_S390_VM_CRYPTO) >>> to enable or disable AP instruction interpretation from userspace >>> via the KVM_SET_DEVICE_ATTR ioctl: >>> >>> * The KVM_S390_VM_CRYPTO_ENABLE_APIE attribute enables hardware >>>interpretation of AP instructions executed on the guest. >>> >>> * The KVM_S390_VM_CRYPTO_DISABLE_APIE attribute disables hardware >>>interpretation of AP instructions executed on the guest. In this >>>case the instructions will be intercepted and pass through to >>>the guest. >>> >>> Signed-off-by: Tony Krowiak >>> --- >>> arch/s390/include/asm/kvm_host.h |1 + >>> arch/s390/include/uapi/asm/kvm.h |2 ++ >>> arch/s390/kvm/kvm-s390.c | 27 +++ >>> 3 files changed, 26 insertions(+), 4 deletions(-) >>> >>> diff --git a/arch/s390/include/asm/kvm_host.h >>> b/arch/s390/include/asm/kvm_host.h >>> index b32bd1b..36d3531 100644 >>> --- a/arch/s390/include/asm/kvm_host.h >>> +++ b/arch/s390/include/asm/kvm_host.h >>> @@ -719,6 +719,7 @@ struct kvm_s390_crypto { >>> __u32 crycbd; >>> __u8 aes_kw; >>> __u8 dea_kw; >>> + __u8 apie; >>> }; >>> >>> #define APCB0_MASK_SIZE 1 >>> diff --git a/arch/s390/include/uapi/asm/kvm.h >>> b/arch/s390/include/uapi/asm/kvm.h >>> index 8c23afc..a8dbd90 100644 >>> --- a/arch/s390/include/uapi/asm/kvm.h >>> +++ b/arch/s390/include/uapi/asm/kvm.h >>> @@ -161,6 +161,8 @@ struct kvm_s390_vm_cpu_subfunc { >>> #define KVM_S390_VM_CRYPTO_ENABLE_DEA_KW 1 >>> #define KVM_S390_VM_CRYPTO_DISABLE_AES_KW 2 >>> #define KVM_S390_VM_CRYPTO_DISABLE_DEA_KW 3 >>> +#define KVM_S390_VM_CRYPTO_ENABLE_APIE 4 >>> +#define KVM_S390_VM_CRYPTO_DISABLE_APIE5 >>> >>> /* kvm attributes for migration mode */ >>> #define KVM_S390_VM_MIGRATION_STOP0 >>> diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c >>> index 2cdd980..286c2e0 100644 >>> --- a/arch/s390/kvm/kvm-s390.c >>> +++ b/arch/s390/kvm/kvm-s390.c >>> @@ -856,12 +856,11 @@ void kvm_s390_vcpu_crypto_reset_all(struct kvm *kvm) >>> >>> static int kvm_s390_vm_set_crypto(struct kvm *kvm, struct kvm_device_attr >>> *attr) >>> { >>> - if (!test_kvm_facility(kvm, 76)) >>> - return -EINVAL; >>> - >>> mutex_lock(>lock); >>> switch (attr->attr) { >>> case KVM_S390_VM_CRYPTO_ENABLE_AES_KW: >>> + if (!test_kvm_facility(kvm, 76)) >>> + return -EINVAL; >>> get_random_bytes( >>> kvm->arch.crypto.crycb->aes_wrapping_key_mask, >>> sizeof(kvm->arch.crypto.crycb->aes_wrapping_key_mask)); >>> @@ -869,6 +868,8 @@ static int kvm_s390_vm_set_crypto(struct kvm *kvm, >>> struct kvm_device_attr *attr) >>> VM_EVENT(kvm, 3, "%s", "ENABLE: AES keywrapping support"); >>> break; >>> case KVM_S390_VM_CRYPTO_ENABLE_DEA_KW: >>> + if (!test_kvm_facility(kvm, 76)) >>> + return -EINVAL; >>> get_random_bytes( >>> kvm->arch.crypto.crycb->dea_wrapping_key_mask, >>> sizeof(kvm->arch.crypto.crycb->dea_wrapping_key_mask)); >>> @@ -876,17 +877,31 @@ static int kvm_s390_vm_set_crypto(struct kvm *kvm, >>> struct kvm_device_attr *attr) >>> VM_EVENT(kvm, 3, "%s", "ENABLE: DEA keywrapping support"); >>> break; >>> case KVM_S390_VM_CRYPTO_DISABLE_AES_KW: >>> + if (!test_kvm_facility(kvm, 76)) >>> + return -EINVAL; >>> kvm->arch.crypto.aes_kw = 0; >>> memset(kvm->arch.crypto.crycb->aes_wrapping_key_mask, 0, >>> sizeof(kvm->arch.crypto.crycb->aes_wrapping_key_mask)); >>> VM_EVENT(kvm, 3, "%s", "DISABLE: AES keywrapping support"); >>> break; >>> case KVM_S390_VM_CRYPTO_DISABLE_DEA_KW: >>> + if (!test_kvm_facility(kvm, 76)) >>> + return -EINVAL; >>> kvm->arch.crypto.dea_kw = 0; >>> memset(kvm->arch.crypto.crycb->dea_wrapping_key_mask, 0, >>> sizeof(kvm->arch.crypto.crycb->dea_wrapping_key_mask)); >>> VM_EVENT(kvm, 3, "%s", "DISABLE: DEA keywrapping support"); >>> break; >>> + case KVM_S390_VM_CRYPTO_ENABLE_APIE: >>> + if (!ap_instructions_available()) { >>> + mutex_unlock(>lock); >>> + return -EOPNOTSUPP; >>> + } >>> + kvm->arch.crypto.apie = 1; >>> + break; >>> + case KVM_S390_VM_CRYPTO_DISABLE_APIE: >>> + kvm->arch.crypto.apie = 0; >>> + break; >>> default: >>> mutex_unlock(>lock); >>> return -ENXIO; >>> @@ -1493,6 +1508,8 @@ static int kvm_s390_vm_has_attr(struct kvm *kvm, >>> struct
[PATCH 3.18 066/105] MIPS: ath79: fix system restart
3.18-stable review patch. If anyone has any objections, please let me know. -- From: Felix Fietkau [ Upstream commit f8a7bfe1cb2c1ebfa07775c9c8ac0ad3ba8e5ff5 ] This patch disables irq on reboot to fix hang issues that were observed due to pending interrupts. Signed-off-by: Felix Fietkau Signed-off-by: John Crispin Signed-off-by: Paul Burton Patchwork: https://patchwork.linux-mips.org/patch/19913/ Cc: James Hogan Cc: Ralf Baechle Cc: linux-m...@linux-mips.org Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- arch/mips/ath79/setup.c |1 + arch/mips/include/asm/mach-ath79/ath79.h |1 + 2 files changed, 2 insertions(+) --- a/arch/mips/ath79/setup.c +++ b/arch/mips/ath79/setup.c @@ -40,6 +40,7 @@ static char ath79_sys_type[ATH79_SYS_TYP static void ath79_restart(char *command) { + local_irq_disable(); ath79_device_reset_set(AR71XX_RESET_FULL_CHIP); for (;;) if (cpu_wait) --- a/arch/mips/include/asm/mach-ath79/ath79.h +++ b/arch/mips/include/asm/mach-ath79/ath79.h @@ -132,6 +132,7 @@ static inline u32 ath79_pll_rr(unsigned static inline void ath79_reset_wr(unsigned reg, u32 val) { __raw_writel(val, ath79_reset_base + reg); + (void) __raw_readl(ath79_reset_base + reg); /* flush */ } static inline u32 ath79_reset_rr(unsigned reg)
[PATCH 3.18 098/105] ARM: hisi: handle of_iomap and fix missing of_node_put
3.18-stable review patch. If anyone has any objections, please let me know. -- From: Nicholas Mc Guire [ Upstream commit d396cb185c0337aae5664b250cdd9a73f6eb1503 ] Relying on an unchecked of_iomap() which can return NULL is problematic here, an explicit check seems mandatory. Also the call to of_find_compatible_node() returns a device node with refcount incremented therefor an explicit of_node_put() is needed here. Signed-off-by: Nicholas Mc Guire Fixes: commit 22bae4290457 ("ARM: hi3xxx: add hotplug support") Signed-off-by: Wei Xu Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- arch/arm/mach-hisi/hotplug.c | 19 +-- 1 file changed, 13 insertions(+), 6 deletions(-) --- a/arch/arm/mach-hisi/hotplug.c +++ b/arch/arm/mach-hisi/hotplug.c @@ -145,13 +145,20 @@ static int hi3xxx_hotplug_init(void) struct device_node *node; node = of_find_compatible_node(NULL, NULL, "hisilicon,sysctrl"); - if (node) { - ctrl_base = of_iomap(node, 0); - id = HI3620_CTRL; - return 0; + if (!node) { + id = ERROR_CTRL; + return -ENOENT; } - id = ERROR_CTRL; - return -ENOENT; + + ctrl_base = of_iomap(node, 0); + of_node_put(node); + if (!ctrl_base) { + id = ERROR_CTRL; + return -ENOMEM; + } + + id = HI3620_CTRL; + return 0; } void hi3xxx_set_cpu(int cpu, bool enable)
Re: [PATCH v10 14/26] s390: vfio-ap: implement VFIO_DEVICE_RESET ioctl
On Wed, 12 Sep 2018 15:43:04 -0400 Tony Krowiak wrote: > From: Tony Krowiak > > Implements the VFIO_DEVICE_RESET ioctl. This ioctl zeroizes > all of the AP queues assigned to the guest. > > Signed-off-by: Tony Krowiak > Reviewed-by: Halil Pasic > Tested-by: Michael Mueller > Tested-by: Farhan Ali > Reviewed-by: Pierre Morel > Tested-by: Pierre Morel > Signed-off-by: Christian Borntraeger > --- > drivers/s390/crypto/vfio_ap_ops.c |5 - > 1 files changed, 4 insertions(+), 1 deletions(-) Reviewed-by: Cornelia Huck
Re: [PATCH v3 4/4] clk: pmc-atom: use devm_kstrdup_const()
pon., 24 wrz 2018 o 13:23 Andy Shevchenko napisał(a): > > On Mon, Sep 24, 2018 at 12:11:50PM +0200, Bartosz Golaszewski wrote: > > Use devm_kstrdup_const() in the pmc-atom driver. This mostly serves as > > an example of how to use this new routine to shrink driver code. > > > > While we're at it: replace a call to kcalloc() with devm_kcalloc(). > > > @@ -352,8 +344,6 @@ static int plt_clk_probe(struct platform_device *pdev) > > goto err_drop_mclk; > > } > > > > - plt_clk_free_parent_names_loop(parent_names, data->nparents); > > - > > platform_set_drvdata(pdev, data); > > return 0; > > I don't think this is a good example. > > You changed a behaviour here in the way that you keep all chunks of memory > (even small enough for pointers) during entire life time of the driver, which > pretty likely would be forever till next boot. > > In the original case the memory was freed immediately in probe either it fails > or returns with success. > > NAK, sorry. > > I see. I'd like to still merge patches 1-3 and then I'd come up with better examples for the next release cycle once these are in? Bart
[PATCH 3.18 096/105] mtdchar: fix overflows in adjustment of `count`
3.18-stable review patch. If anyone has any objections, please let me know. -- From: Jann Horn [ Upstream commit 6c6bc9ea84d0008024606bf5ba10519e20d851bf ] The first checks in mtdchar_read() and mtdchar_write() attempt to limit `count` such that `*ppos + count <= mtd->size`. However, they ignore the possibility of `*ppos > mtd->size`, allowing the calculation of `count` to wrap around. `mtdchar_lseek()` prevents seeking beyond mtd->size, but the pread/pwrite syscalls bypass this. I haven't found any codepath on which this actually causes dangerous behavior, but it seems like a sensible change anyway. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Jann Horn Signed-off-by: Boris Brezillon Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/mtd/mtdchar.c | 10 +++--- 1 file changed, 7 insertions(+), 3 deletions(-) --- a/drivers/mtd/mtdchar.c +++ b/drivers/mtd/mtdchar.c @@ -190,8 +190,12 @@ static ssize_t mtdchar_read(struct file pr_debug("MTD_read\n"); - if (*ppos + count > mtd->size) - count = mtd->size - *ppos; + if (*ppos + count > mtd->size) { + if (*ppos < mtd->size) + count = mtd->size - *ppos; + else + count = 0; + } if (!count) return 0; @@ -276,7 +280,7 @@ static ssize_t mtdchar_write(struct file pr_debug("MTD_write\n"); - if (*ppos == mtd->size) + if (*ppos >= mtd->size) return -ENOSPC; if (*ppos + count > mtd->size)
[PATCH 3.18 091/105] usb: cdc-wdm: Fix a sleep-in-atomic-context bug in service_outstanding_interrupt()
3.18-stable review patch. If anyone has any objections, please let me know. -- From: Jia-Ju Bai commit 6e22e3af7bb3a7b9dc53cb4687659f6e63fca427 upstream. wdm_in_callback() is a completion handler function for the USB driver. So it should not sleep. But it calls service_outstanding_interrupt(), which calls usb_submit_urb() with GFP_KERNEL. To fix this bug, GFP_KERNEL is replaced with GFP_ATOMIC. This bug is found by my static analysis tool DSAC. Signed-off-by: Jia-Ju Bai Cc: stable Signed-off-by: Greg Kroah-Hartman --- drivers/usb/class/cdc-wdm.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/usb/class/cdc-wdm.c +++ b/drivers/usb/class/cdc-wdm.c @@ -452,7 +452,7 @@ static int clear_wdm_read_flag(struct wd set_bit(WDM_RESPONDING, >flags); spin_unlock_irq(>iuspin); - rv = usb_submit_urb(desc->response, GFP_KERNEL); + rv = usb_submit_urb(desc->response, GFP_ATOMIC); spin_lock_irq(>iuspin); if (rv) { dev_err(>intf->dev,
[PATCH 3.18 097/105] MIPS: loongson64: cs5536: Fix PCI_OHCI_INT_REG reads
3.18-stable review patch. If anyone has any objections, please let me know. -- From: Paul Burton [ Upstream commit cd87668d601f622e0ebcfea4f78d116d5f572f4d ] The PCI_OHCI_INT_REG case in pci_ohci_read_reg() contains the following if statement: if ((lo & 0x0f00) == CS5536_USB_INTR) CS5536_USB_INTR expands to the constant 11, which gives us the following condition which can never evaluate true: if ((lo & 0xf00) == 11) At least when using GCC 8.1.0 this falls foul of the tautoligcal-compare warning, and since the code is built with the -Werror flag the build fails. Fix this by shifting lo right by 8 bits in order to match the corresponding PCI_OHCI_INT_REG case in pci_ohci_write_reg(). Signed-off-by: Paul Burton Patchwork: https://patchwork.linux-mips.org/patch/19861/ Cc: Huacai Chen Cc: James Hogan Cc: Ralf Baechle Cc: linux-m...@linux-mips.org Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- arch/mips/loongson/common/cs5536/cs5536_ohci.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/arch/mips/loongson/common/cs5536/cs5536_ohci.c +++ b/arch/mips/loongson/common/cs5536/cs5536_ohci.c @@ -138,7 +138,7 @@ u32 pci_ohci_read_reg(int reg) break; case PCI_OHCI_INT_REG: _rdmsr(DIVIL_MSR_REG(PIC_YSEL_LOW), , ); - if ((lo & 0x0f00) == CS5536_USB_INTR) + if (((lo >> PIC_YSEL_LOW_USB_SHIFT) & 0xf) == CS5536_USB_INTR) conf_data = 1; break; default:
[PATCH 3.18 100/105] parport: sunbpp: fix error return code
3.18-stable review patch. If anyone has any objections, please let me know. -- From: Julia Lawall [ Upstream commit faa1a47388b33623e4d504c23569188907b039a0 ] Return an error code on failure. Change leading spaces to tab on the first if. Problem found using Coccinelle. Signed-off-by: Julia Lawall Signed-off-by: Sudip Mukherjee Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/parport/parport_sunbpp.c |8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) --- a/drivers/parport/parport_sunbpp.c +++ b/drivers/parport/parport_sunbpp.c @@ -286,12 +286,16 @@ static int bpp_probe(struct platform_dev ops = kmemdup(_sunbpp_ops, sizeof(struct parport_operations), GFP_KERNEL); -if (!ops) + if (!ops) { + err = -ENOMEM; goto out_unmap; + } dprintk(("register_port\n")); - if (!(p = parport_register_port((unsigned long)base, irq, dma, ops))) + if (!(p = parport_register_port((unsigned long)base, irq, dma, ops))) { + err = -ENOMEM; goto out_free_ops; + } p->size = size; p->dev = >dev;
[PATCH 3.18 099/105] ARM: hisi: check of_iomap and fix missing of_node_put
3.18-stable review patch. If anyone has any objections, please let me know. -- From: Nicholas Mc Guire [ Upstream commit 81646a3d39ef14749301374a3a0b8311384cd412 ] of_find_compatible_node() returns a device node with refcount incremented and thus needs an explicit of_node_put(). Further relying on an unchecked of_iomap() which can return NULL is problematic here, after all ctrl_base is critical enough for hix5hd2_set_cpu() to call BUG() if not available so a check seems mandated here. Signed-off-by: Nicholas Mc Guire 0002 Fixes: commit 06cc5c1d4d73 ("ARM: hisi: enable hix5hd2 SoC") Signed-off-by: Wei Xu Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- arch/arm/mach-hisi/hotplug.c | 14 +- 1 file changed, 9 insertions(+), 5 deletions(-) --- a/arch/arm/mach-hisi/hotplug.c +++ b/arch/arm/mach-hisi/hotplug.c @@ -177,11 +177,15 @@ static bool hix5hd2_hotplug_init(void) struct device_node *np; np = of_find_compatible_node(NULL, NULL, "hisilicon,cpuctrl"); - if (np) { - ctrl_base = of_iomap(np, 0); - return true; - } - return false; + if (!np) + return false; + + ctrl_base = of_iomap(np, 0); + of_node_put(np); + if (!ctrl_base) + return false; + + return true; } void hix5hd2_set_cpu(int cpu, bool enable)
[PATCH 3.18 010/105] mfd: sm501: Set coherent_dma_mask when creating subdevices
3.18-stable review patch. If anyone has any objections, please let me know. -- From: Guenter Roeck [ Upstream commit 2f606da78230f09cf1a71fde6ee91d0c710fa2b2 ] Instantiating the sm501 OHCI subdevice results in a kernel warning. sm501-usb sm501-usb: SM501 OHCI sm501-usb sm501-usb: new USB bus registered, assigned bus number 1 WARNING: CPU: 0 PID: 1 at ./include/linux/dma-mapping.h:516 ohci_init+0x194/0x2d8 Modules linked in: CPU: 0 PID: 1 Comm: swapper Tainted: GW 4.18.0-rc7-00178-g0b5b1f9a78b5 #1 PC is at ohci_init+0x194/0x2d8 PR is at ohci_init+0x168/0x2d8 PC : 8c27844c SP : 8f81dd94 SR : 40008001 TEA : 29613060 R0 : R1 : R2 : R3 : 0202 R4 : 8fa98b88 R5 : 8c277e68 R6 : R7 : R8 : 8f965814 R9 : 8c388100 R10 : 8fa98800 R11 : 8fa98928 R12 : 8c48302c R13 : 8fa98920 R14 : 8c48302c MACH: 0096 MACL: 017c GBR : PR : 8c278420 Call trace: [<(ptrval)>] usb_add_hcd+0x1e8/0x6ec [<(ptrval)>] _dev_info+0x0/0x54 [<(ptrval)>] arch_local_save_flags+0x0/0x8 [<(ptrval)>] arch_local_irq_restore+0x0/0x24 [<(ptrval)>] ohci_hcd_sm501_drv_probe+0x114/0x2d8 ... Initialize coherent_dma_mask when creating SM501 subdevices to fix the problem. Fixes: b6d6454fdb66f ("mfd: SM501 core driver") Signed-off-by: Guenter Roeck Signed-off-by: Lee Jones Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/mfd/sm501.c |1 + 1 file changed, 1 insertion(+) --- a/drivers/mfd/sm501.c +++ b/drivers/mfd/sm501.c @@ -714,6 +714,7 @@ sm501_create_subdev(struct sm501_devdata smdev->pdev.name = name; smdev->pdev.id = sm->pdev_id; smdev->pdev.dev.parent = sm->dev; + smdev->pdev.dev.coherent_dma_mask = 0x; if (res_count) { smdev->pdev.resource = (struct resource *)(smdev+1);
Re: [PATCH crypto-next 01/23] crypto: skcipher - Introduce crypto_sync_skcipher
On Wed, 19 Sep 2018 at 04:11, Kees Cook wrote: > > In preparation for removal of VLAs due to skcipher requests on the stack > via SKCIPHER_REQUEST_ON_STACK() usage, this introduces the infrastructure > for the "sync skcipher" tfm, which is for handling the on-stack cases of > skcipher, which are always non-ASYNC and have a known limited request > size. > > The crypto API additions: > > struct crypto_sync_skcipher (wrapper for struct crypto_skcipher) > crypto_alloc_sync_skcipher() > crypto_free_sync_skcipher() > crypto_sync_skcipher_setkey() > crypto_sync_skcipher_get_flags() > crypto_sync_skcipher_set_flags() > crypto_sync_skcipher_clear_flags() > crypto_sync_skcipher_blocksize() > crypto_sync_skcipher_ivsize() > crypto_sync_skcipher_reqtfm() > skcipher_request_set_sync_tfm() > SYNC_SKCIPHER_REQUEST_ON_STACK() (with tfm type check) > > Signed-off-by: Kees Cook Reviewed-by: Ard Biesheuvel > --- > crypto/skcipher.c | 24 + > include/crypto/skcipher.h | 75 +++ > 2 files changed, 99 insertions(+) > > diff --git a/crypto/skcipher.c b/crypto/skcipher.c > index 0bd8c6caa498..4caab81d2d02 100644 > --- a/crypto/skcipher.c > +++ b/crypto/skcipher.c > @@ -949,6 +949,30 @@ struct crypto_skcipher *crypto_alloc_skcipher(const char > *alg_name, > } > EXPORT_SYMBOL_GPL(crypto_alloc_skcipher); > > +struct crypto_sync_skcipher *crypto_alloc_sync_skcipher( > + const char *alg_name, u32 type, u32 mask) > +{ > + struct crypto_skcipher *tfm; > + > + /* Only sync algorithms allowed. */ > + mask |= CRYPTO_ALG_ASYNC; > + > + tfm = crypto_alloc_tfm(alg_name, _skcipher_type2, type, mask); > + > + /* > +* Make sure we do not allocate something that might get used with > +* an on-stack request: check the request size. > +*/ > + if (!IS_ERR(tfm) && WARN_ON(crypto_skcipher_reqsize(tfm) > > + MAX_SYNC_SKCIPHER_REQSIZE)) { > + crypto_free_skcipher(tfm); > + return ERR_PTR(-EINVAL); > + } > + > + return (struct crypto_sync_skcipher *)tfm; > +} > +EXPORT_SYMBOL_GPL(crypto_alloc_sync_skcipher); > + > int crypto_has_skcipher2(const char *alg_name, u32 type, u32 mask) > { > return crypto_type_has_alg(alg_name, _skcipher_type2, > diff --git a/include/crypto/skcipher.h b/include/crypto/skcipher.h > index 2f327f090c3e..d00ce90dc7da 100644 > --- a/include/crypto/skcipher.h > +++ b/include/crypto/skcipher.h > @@ -65,6 +65,10 @@ struct crypto_skcipher { > struct crypto_tfm base; > }; > > +struct crypto_sync_skcipher { > + struct crypto_skcipher base; > +}; > + > /** > * struct skcipher_alg - symmetric key cipher definition > * @min_keysize: Minimum key size supported by the transformation. This is > the > @@ -139,6 +143,19 @@ struct skcipher_alg { > struct crypto_alg base; > }; > > +#define MAX_SYNC_SKCIPHER_REQSIZE 384 > +/* > + * This performs a type-check against the "tfm" argument to make sure > + * all users have the correct skcipher tfm for doing on-stack requests. > + */ > +#define SYNC_SKCIPHER_REQUEST_ON_STACK(name, tfm) \ > + char __##name##_desc[sizeof(struct skcipher_request) + \ > +MAX_SYNC_SKCIPHER_REQSIZE + \ > +(!(sizeof((struct crypto_sync_skcipher *)1 == \ > + (typeof(tfm))1))) \ > + ] CRYPTO_MINALIGN_ATTR; \ > + struct skcipher_request *name = (void *)__##name##_desc > + > #define SKCIPHER_REQUEST_ON_STACK(name, tfm) \ > char __##name##_desc[sizeof(struct skcipher_request) + \ > crypto_skcipher_reqsize(tfm)] CRYPTO_MINALIGN_ATTR; \ > @@ -197,6 +214,9 @@ static inline struct crypto_skcipher > *__crypto_skcipher_cast( > struct crypto_skcipher *crypto_alloc_skcipher(const char *alg_name, > u32 type, u32 mask); > > +struct crypto_sync_skcipher *crypto_alloc_sync_skcipher(const char *alg_name, > + u32 type, u32 mask); > + > static inline struct crypto_tfm *crypto_skcipher_tfm( > struct crypto_skcipher *tfm) > { > @@ -212,6 +232,11 @@ static inline void crypto_free_skcipher(struct > crypto_skcipher *tfm) > crypto_destroy_tfm(tfm, crypto_skcipher_tfm(tfm)); > } > > +static inline void crypto_free_sync_skcipher(struct crypto_sync_skcipher > *tfm) > +{ > + crypto_free_skcipher(>base); > +} > + > /** > * crypto_has_skcipher() - Search for the availability of an skcipher. > * @alg_name: is the cra_name / name or cra_driver_name / driver name of the > @@ -280,6 +305,12 @@ static inline unsigned int crypto_skcipher_ivsize(struct > crypto_skcipher *tfm) > return tfm->ivsize; > } > > +static
Re: [PATCH v10 00/26] guest dedicated crypto adapters
On Wed, 12 Sep 2018 15:42:50 -0400 Tony Krowiak wrote: > Abstract: > > > On s390, we have cryptographic coprocessor cards, which are modeled on > Linux as devices on the AP bus. Each card can be partitioned into domains > which can be thought of as a set of hardware registers for processing > crypto commands. Crypto commands are sent to a specific domain within a > card is via a queue which is identified as a (card,domain) tuple. We model > this something like the following (assuming we have access to cards 3 and > 4 and domains 1 and 2): > > AP -> card3 -> queue (3,1) > -> queue (3,2) >-> card4 -> queue (4,1) > -> queue (4,2) > > If we want to virtualize this, we can use a feature provided by the > hardware. We basically attach a satellite control block to our main > hardware virtualization control block and the hardware takes care of > most of the rest. > > For this control block, we don't specify explicit tuples, but a list of > cards and a list of domains. The guest will get access to the cross > product. > > Because of this, we need to take care that the lists provided to > different guests don't overlap; i.e., we need to enforce sane > configurations. Otherwise, one guest may get access to things like > secret keys for another guest. > > The idea of this patch set is to introduce a new device, the matrix > device. This matrix device hangs off a different root and acts as the > parent node for mdev devices. > > If you now want to give the tuples (4,1) and (4,2), you need to do the > following: > > - Make sure the queues (4,1) and (4,2) belong to vfio_ap (see patches > #5 and #6) > - Create the mediated device. > - Assign card 4 and domains 1 and 2 to the mediated device > - Optionally activate the mediated device. > > QEMU will now simply consume the mediated device and things should work. > > For a complete description of the architecture and concepts underlying > the design, see the Documentation/s390/vfio-ap.txt file included with this > patch set. I did not spot anything major, and if v11 addresses the issues raised by various reviewers I don't see why it should not be merged (interface looks sane). I skipped looking at the vsie stuff, though ;)
[PATCH 4.9 040/111] s390/qeth: reset layer2 attribute on layer switch
4.9-stable review patch. If anyone has any objections, please let me know. -- From: Julian Wiedmann [ Upstream commit 70551dc46ffa3555a0b5f3545b0cd87ab67fd002 ] After the subdriver's remove() routine has completed, the card's layer mode is undetermined again. Reflect this in the layer2 field. If qeth_dev_layer2_store() hits an error after remove() was called, the card _always_ requires a setup(), even if the previous layer mode is requested again. But qeth_dev_layer2_store() bails out early if the requested layer mode still matches the current one. So unless we reset the layer2 field, re-probing the card back to its previous mode is currently not possible. Signed-off-by: Julian Wiedmann Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/s390/net/qeth_core_sys.c |1 + 1 file changed, 1 insertion(+) --- a/drivers/s390/net/qeth_core_sys.c +++ b/drivers/s390/net/qeth_core_sys.c @@ -423,6 +423,7 @@ static ssize_t qeth_dev_layer2_store(str if (card->discipline) { card->discipline->remove(card->gdev); qeth_core_free_discipline(card); + card->options.layer2 = -1; } rc = qeth_core_load_discipline(card, newdis);
[PATCH 4.9 038/111] ARM: dts: qcom: msm8974-hammerhead: increase load on l20 for sdhci
4.9-stable review patch. If anyone has any objections, please let me know. -- From: Bhushan Shah [ Upstream commit 03864e57770a9541e7ff3990bacf2d9a2fffcd5d ] The kernel would not boot on the hammerhead hardware due to the following error: mmc0: Timeout waiting for hardware interrupt. mmc0: sdhci: SDHCI REGISTER DUMP === mmc0: sdhci: Sys addr: 0x0200 | Version: 0x3802 mmc0: sdhci: Blk size: 0x0200 | Blk cnt: 0x0200 mmc0: sdhci: Argument: 0x | Trn mode: 0x0023 mmc0: sdhci: Present: 0x03e8 | Host ctl: 0x0034 mmc0: sdhci: Power: 0x0001 | Blk gap: 0x mmc0: sdhci: Wake-up: 0x | Clock:0x0007 mmc0: sdhci: Timeout: 0x000e | Int stat: 0x mmc0: sdhci: Int enab: 0x02ff900b | Sig enab: 0x02ff100b mmc0: sdhci: AC12 err: 0x | Slot int: 0x mmc0: sdhci: Caps: 0x642dc8b2 | Caps_1: 0x8007 mmc0: sdhci: Cmd: 0x0c1b | Max curr: 0x mmc0: sdhci: Resp[0]: 0x0c00 | Resp[1]: 0x mmc0: sdhci: Resp[2]: 0x | Resp[3]: 0x mmc0: sdhci: Host ctl2: 0x0008 mmc0: sdhci: ADMA Err: 0x | ADMA Ptr: 0x70040220 mmc0: sdhci: mmc0: Card stuck in wrong state! mmcblk0 card_busy_detect status: 0xe00 mmc0: cache flush error -110 mmc0: Reset 0x1 never completed. This patch increases the load on l20 to 0.2 amps for the sdhci and allows the device to boot normally. Signed-off-by: Bhushan Shah Signed-off-by: Brian Masney Suggested-by: Bjorn Andersson Tested-by: Brian Masney Signed-off-by: Andy Gross Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- arch/arm/boot/dts/qcom-msm8974-lge-nexus5-hammerhead.dts |2 ++ 1 file changed, 2 insertions(+) --- a/arch/arm/boot/dts/qcom-msm8974-lge-nexus5-hammerhead.dts +++ b/arch/arm/boot/dts/qcom-msm8974-lge-nexus5-hammerhead.dts @@ -188,6 +188,8 @@ regulator-max-microvolt = <295>; regulator-boot-on; + regulator-system-load = <20>; + regulator-allow-set-load; }; l21 {
[PATCH 4.9 029/111] powerpc/powernv: opal_put_chars partial write fix
4.9-stable review patch. If anyone has any objections, please let me know. -- From: Nicholas Piggin [ Upstream commit bd90284cc6c1c9e8e48c8eadd0c79574fcce0b81 ] The intention here is to consume and discard the remaining buffer upon error. This works if there has not been a previous partial write. If there has been, then total_len is no longer total number of bytes to copy. total_len is always "bytes left to copy", so it should be added to written bytes. This code may not be exercised any more if partial writes will not be hit, but this is a small bugfix before a larger change. Reviewed-by: Benjamin Herrenschmidt Signed-off-by: Nicholas Piggin Signed-off-by: Michael Ellerman Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- arch/powerpc/platforms/powernv/opal.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/arch/powerpc/platforms/powernv/opal.c +++ b/arch/powerpc/platforms/powernv/opal.c @@ -369,7 +369,7 @@ int opal_put_chars(uint32_t vtermno, con /* Closed or other error drop */ if (rc != OPAL_SUCCESS && rc != OPAL_BUSY && rc != OPAL_BUSY_EVENT) { - written = total_len; + written += total_len; break; } if (rc == OPAL_SUCCESS) {
[PATCH 4.9 039/111] s390/qeth: fix race in used-buffer accounting
4.9-stable review patch. If anyone has any objections, please let me know. -- From: Julian Wiedmann [ Upstream commit a702349a4099cd5a7bab0904689d8e0bf8dcd622 ] By updating q->used_buffers only _after_ do_QDIO() has completed, there is a potential race against the buffer's TX completion. In the unlikely case that the TX completion path wins, qeth_qdio_output_handler() would decrement the counter before qeth_flush_buffers() even incremented it. Signed-off-by: Julian Wiedmann Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/s390/net/qeth_core_main.c |3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/drivers/s390/net/qeth_core_main.c +++ b/drivers/s390/net/qeth_core_main.c @@ -3499,13 +3499,14 @@ static void qeth_flush_buffers(struct qe qdio_flags = QDIO_FLAG_SYNC_OUTPUT; if (atomic_read(>set_pci_flags_count)) qdio_flags |= QDIO_FLAG_PCI_OUT; + atomic_add(count, >used_buffers); + rc = do_QDIO(CARD_DDEV(queue->card), qdio_flags, queue->queue_no, index, count); if (queue->card->options.performance_stats) queue->card->perf_stats.outbound_do_qdio_time += qeth_get_micros() - queue->card->perf_stats.outbound_do_qdio_start_time; - atomic_add(count, >used_buffers); if (rc) { queue->card->stats.tx_errors += count; /* ignore temporary SIGA errors without busy condition */
[PATCH 4.9 000/111] 4.9.129-stable review
This is the start of the stable review cycle for the 4.9.129 release. There are 111 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed Sep 26 11:30:16 UTC 2018. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.129-rc1.gz or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.9.y and the diffstat can be found below. thanks, greg k-h - Pseudo-Shortlog of commits: Greg Kroah-Hartman Linux 4.9.129-rc1 Paul Burton MIPS: VDSO: Drop gic_get_usm_range() usage Benjamin Poirier e1000e: Fix link check race condition Benjamin Poirier Revert "e1000e: Separate signaling for link check/link up" Benjamin Poirier e1000e: Avoid missed interrupts following ICR read Benjamin Poirier e1000e: Fix queue interrupt re-raising in Other interrupt Benjamin Poirier Partial revert "e1000e: Avoid receiver overrun interrupt bursts" Benjamin Poirier e1000e: Remove Other from EIAC Paul Burton MIPS: VDSO: Match data page cache colouring when D$ aliases Dan Carpenter mei: bus: type promotion bug in mei_nfc_if_version() Douglas Anderson pinctrl: qcom: spmi-gpio: Fix pmic_gpio_config_get() to be compliant Andy Shevchenko gpiolib: Respect error code of ->get_direction() Bart Van Assche IB/nes: Fix a compiler warning Dan Carpenter drm/panel: type promotion bug in s6e8aa0_read_mtp_id() John Stultz selftest: timers: Tweak raw_skew to SKIP when ADJ_OFFSET/other clock adjustments are in progress Timo Wischer ALSA: pcm: Fix snd_interval_refine first/last with open min/max Zhouyang Jia rtc: bq4802: add error handling for devm_ioremap Wei Lu drm/amdkfd: Fix error codes in kfd_get_process Paul E. McKenney rcu: Fix grace-period hangs due to race with CPU offline Peter Rosin input: rohm_bu21023: switch to i2c_lock_bus(..., I2C_LOCK_SEGMENT) Peter Rosin mfd: 88pm860x-i2c: switch to i2c_lock_bus(..., I2C_LOCK_SEGMENT) Andy Shevchenko gpiolib: Mark gpio_suffixes array with __maybe_unused Wei Yongjun gpio: pxa: Fix potential NULL dereference Robin Murphy coresight: tpiu: Fix disabling timeouts Suzuki K Poulose coresight: Handle errors in finding input/output ports Julia Lawall parport: sunbpp: fix error return code Thierry Reding drm/nouveau: tegra: Detach from ARM DMA/IOMMU mapping Stefan Agner mmc: sdhci: do not try to use 3.3V signaling if not supported Stefan Agner mmc: tegra: prevent HS200 on Tegra 3 Enrico Scholz gpu: ipu-v3: csi: pass back mbus_code_to_bus_cfg error codes Nicholas Mc Guire ARM: hisi: check of_iomap and fix missing of_node_put Nicholas Mc Guire ARM: hisi: fix error handling and missing of_node_put Nicholas Mc Guire ARM: hisi: handle of_iomap and fix missing of_node_put Ard Biesheuvel efi/esrt: Only call efi_mem_reserve() for boot services memory Mike Christie configfs: fix registered group removal Paul Burton MIPS: loongson64: cs5536: Fix PCI_OHCI_INT_REG reads Matthew Garrett evm: Don't deadlock if a crypto algorithm is unavailable Jann Horn mtdchar: fix overflows in adjustment of `count` Ronny Chevalier audit: fix use-after-free in audit_add_watch Maciej W. Rozycki binfmt_elf: Respect error return from `regset->active' Trond Myklebust NFSv4.1 fix infinite loop on I/O. Yabin Cui perf/core: Force USER_DS when recording user stack data Dan Carpenter CIFS: fix wrapping bugs in num_entries() Dan Carpenter cifs: prevent integer overflow in nxt_dir_entry() Oliver Neukum Revert "cdc-acm: implement put_char() and flush_chars()" Jia-Ju Bai usb: cdc-wdm: Fix a sleep-in-atomic-context bug in service_outstanding_interrupt() Ben Hutchings USB: yurex: Fix buffer over-read in yurex_write() Johan Hovold USB: serial: ti_usb_3410_5052: fix array underflow in completion handler Jia-Ju Bai usb: misc: uss720: Fix two sleep-in-atomic-context bugs Johan Hovold USB: serial: io_ti: fix array underflow in completion handler Alan Stern USB: net2280: Fix erroneous synchronization change Yoshihiro Shimoda usb: gadget: udc: renesas_usb3: fix maxpacket size of ep0 Maxence Duprès USB: add quirk for WORLDE Controller KS49 or Prodipe MIDI 49C USB controller Jia-Ju Bai usb: host: u132-hcd: Fix a sleep-in-atomic-context bug in u132_get_frame() Mathias Nyman usb: Avoid use-after-free by flushing endpoints early in usb_set_interface() Oliver Neukum usb: uas: add support for more quirk flags Tim Anderson USB: Add quirk to support DJI CineSSD Alexander Usyskin mei: ignore not found client in
[PATCH 4.9 009/111] gfs2: Special-case rindex for gfs2_grow
4.9-stable review patch. If anyone has any objections, please let me know. -- From: Andreas Gruenbacher [ Upstream commit 776125785a87ff05d49938bd5b9f336f2a05bff6 ] To speed up the common case of appending to a file, gfs2_write_alloc_required presumes that writing beyond the end of a file will always require additional blocks to be allocated. This assumption is incorrect for preallocates files, but there are no negative consequences as long as *some* space is still left on the filesystem. One special file that always has some space preallocated beyond the end of the file is the rindex: when growing a filesystem, gfs2_grow adds one or more new resource groups and appends records describing those resource groups to the rindex; the preallocated space ensures that this is always possible. However, when a filesystem is completely full, gfs2_write_alloc_required will indicate that an additional allocation is required, and appending the next record to the rindex will fail even though space for that record has already been preallocated. To fix that, skip the incorrect optimization in gfs2_write_alloc_required, but for the rindex only. Other writes to preallocated space beyond the end of the file are still allowed to fail on completely full filesystems. Signed-off-by: Andreas Gruenbacher Reviewed-by: Bob Peterson Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- fs/gfs2/bmap.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/fs/gfs2/bmap.c +++ b/fs/gfs2/bmap.c @@ -1472,7 +1472,7 @@ int gfs2_write_alloc_required(struct gfs end_of_file = (i_size_read(>i_inode) + sdp->sd_sb.sb_bsize - 1) >> shift; lblock = offset >> shift; lblock_stop = (offset + len + sdp->sd_sb.sb_bsize - 1) >> shift; - if (lblock_stop > end_of_file) + if (lblock_stop > end_of_file && ip != GFS2_I(sdp->sd_rindex)) return 1; size = (lblock_stop - lblock) << shift;
[PATCH 4.9 004/111] net/mlx5: Fix debugfs cleanup in the device init/remove flow
4.9-stable review patch. If anyone has any objections, please let me know. -- From: Jack Morgenstein [ Upstream commit 5df816e7f43f1297c40021ef17ec6e722b45c82f ] When initializing the device (procedure init_one), the driver calls mlx5_pci_init to perform pci initialization. As part of this initialization, mlx5_pci_init creates a debugfs directory. If this creation fails, init_one aborts, returning failure to the caller (which is the probe method caller). The main reason for such a failure to occur is if the debugfs directory already exists. This can happen if the last time mlx5_pci_close was called, debugfs_remove (silently) failed due to the debugfs directory not being empty. Guarantee that such a debugfs_remove failure will not occur by instead calling debugfs_remove_recursive in procedure mlx5_pci_close. Fixes: 59211bd3b632 ("net/mlx5: Split the load/unload flow into hardware and software flows") Signed-off-by: Jack Morgenstein Reviewed-by: Daniel Jurgens Signed-off-by: Saeed Mahameed Signed-off-by: Greg Kroah-Hartman --- drivers/net/ethernet/mellanox/mlx5/core/main.c |6 -- 1 file changed, 4 insertions(+), 2 deletions(-) --- a/drivers/net/ethernet/mellanox/mlx5/core/main.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c @@ -787,8 +787,10 @@ static int mlx5_pci_init(struct mlx5_cor priv->numa_node = dev_to_node(>pdev->dev); priv->dbg_root = debugfs_create_dir(dev_name(>dev), mlx5_debugfs_root); - if (!priv->dbg_root) + if (!priv->dbg_root) { + dev_err(>dev, "Cannot create debugfs dir, aborting\n"); return -ENOMEM; + } err = mlx5_pci_enable_device(dev); if (err) { @@ -837,7 +839,7 @@ static void mlx5_pci_close(struct mlx5_c pci_clear_master(dev->pdev); release_bar(dev->pdev); mlx5_pci_disable_device(dev); - debugfs_remove(priv->dbg_root); + debugfs_remove_recursive(priv->dbg_root); } static int mlx5_init_once(struct mlx5_core_dev *dev, struct mlx5_priv *priv)
Re: [PATCH] Revert "uapi/linux/keyctl.h: don't use C++ reserved keyword as a struct member name"
Lubomir Rintel wrote: > This changes UAPI, breaking iwd and libell: > > ell/key.c: In function 'kernel_dh_compute': > ell/key.c:205:38: error: 'struct keyctl_dh_params' has no member named > 'private'; did you mean 'dh_private'? > struct keyctl_dh_params params = { .private = private, > ^~~ > dh_private > > This reverts commit 8a2336e549d385bb0b46880435b411df8d8200e8. > > Cc: David Howells > Cc: James Morris > Cc: "Serge E. Hallyn" > Cc: Mat Martineau > Cc: Andrew Morton > Cc: Linus Torvalds > Cc: Can I stick your Signed-off-by on it? David
[PATCH 4.9 007/111] ALSA: usb-audio: Fix multiple definitions in AU0828_DEVICE() macro
4.9-stable review patch. If anyone has any objections, please let me know. -- From: Takashi Iwai [ Upstream commit bd1cd0eb2ce9141100628d476ead4de485501b29 ] AU0828_DEVICE() macro in quirks-table.h uses USB_DEVICE_VENDOR_SPEC() for expanding idVendor and idProduct fields. However, the latter macro adds also match_flags and bInterfaceClass, which are different from the values AU0828_DEVICE() macro sets after that. For fixing them, just expand idVendor and idProduct fields manually in AU0828_DEVICE(). This fixes sparse warnings like: sound/usb/quirks-table.h:2892:1: warning: Initializer entry defined twice Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- sound/usb/quirks-table.h |3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/sound/usb/quirks-table.h +++ b/sound/usb/quirks-table.h @@ -2875,7 +2875,8 @@ YAMAHA_DEVICE(0x7010, "UB99"), */ #define AU0828_DEVICE(vid, pid, vname, pname) { \ - USB_DEVICE_VENDOR_SPEC(vid, pid), \ + .idVendor = vid, \ + .idProduct = pid, \ .match_flags = USB_DEVICE_ID_MATCH_DEVICE | \ USB_DEVICE_ID_MATCH_INT_CLASS | \ USB_DEVICE_ID_MATCH_INT_SUBCLASS, \
[PATCH 4.9 005/111] iommu/arm-smmu-v3: sync the OVACKFLG to PRIQ consumer register
4.9-stable review patch. If anyone has any objections, please let me know. -- From: Miao Zhong [ Upstream commit 0d535967ac658966c6ade8f82b5799092f7d5441 ] When PRI queue occurs overflow, driver should update the OVACKFLG to the PRIQ consumer register, otherwise subsequent PRI requests will not be processed. Cc: Will Deacon Cc: Robin Murphy Signed-off-by: Miao Zhong Signed-off-by: Will Deacon Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/iommu/arm-smmu-v3.c |1 + 1 file changed, 1 insertion(+) --- a/drivers/iommu/arm-smmu-v3.c +++ b/drivers/iommu/arm-smmu-v3.c @@ -1233,6 +1233,7 @@ static irqreturn_t arm_smmu_priq_thread( /* Sync our overflow flag, as we believe we're up to speed */ q->cons = Q_OVF(q, q->prod) | Q_WRP(q, q->cons) | Q_IDX(q, q->cons); + writel(q->cons, q->cons_reg); return IRQ_HANDLED; }
[PATCH 4.9 008/111] xfrm: fix passing zero to ERR_PTR() warning
4.9-stable review patch. If anyone has any objections, please let me know. -- From: YueHaibing [ Upstream commit 934ffce1343f22ed5e2d0bd6da4440f4848074de ] Fix a static code checker warning: net/xfrm/xfrm_policy.c:1836 xfrm_resolve_and_create_bundle() warn: passing zero to 'ERR_PTR' xfrm_tmpl_resolve return 0 just means no xdst found, return NULL instead of passing zero to ERR_PTR. Fixes: d809ec895505 ("xfrm: do not assume that template resolving always returns xfrms") Signed-off-by: YueHaibing Signed-off-by: Steffen Klassert Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- net/xfrm/xfrm_policy.c |5 - 1 file changed, 4 insertions(+), 1 deletion(-) --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c @@ -1873,7 +1873,10 @@ xfrm_resolve_and_create_bundle(struct xf /* Try to instantiate a bundle */ err = xfrm_tmpl_resolve(pols, num_pols, fl, xfrm, family); if (err <= 0) { - if (err != 0 && err != -EAGAIN) + if (err == 0) + return NULL; + + if (err != -EAGAIN) XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTPOLERROR); return ERR_PTR(err); }
[PATCH 4.9 003/111] net/mlx5: Fix use-after-free in self-healing flow
4.9-stable review patch. If anyone has any objections, please let me know. -- From: Jack Morgenstein [ Upstream commit 76d5581c870454be5f1f1a106c57985902e7ea20 ] When the mlx5 health mechanism detects a problem while the driver is in the middle of init_one or remove_one, the driver needs to prevent the health mechanism from scheduling future work; if future work is scheduled, there is a problem with use-after-free: the system WQ tries to run the work item (which has been freed) at the scheduled future time. Prevent this by disabling work item scheduling in the health mechanism when the driver is in the middle of init_one() or remove_one(). Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters") Signed-off-by: Jack Morgenstein Reviewed-by: Feras Daoud Signed-off-by: Saeed Mahameed Signed-off-by: Greg Kroah-Hartman --- drivers/net/ethernet/mellanox/mlx5/core/health.c | 10 +- drivers/net/ethernet/mellanox/mlx5/core/main.c |4 ++-- include/linux/mlx5/driver.h |2 +- 3 files changed, 12 insertions(+), 4 deletions(-) --- a/drivers/net/ethernet/mellanox/mlx5/core/health.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/health.c @@ -339,9 +339,17 @@ void mlx5_start_health_poll(struct mlx5_ add_timer(>timer); } -void mlx5_stop_health_poll(struct mlx5_core_dev *dev) +void mlx5_stop_health_poll(struct mlx5_core_dev *dev, bool disable_health) { struct mlx5_core_health *health = >priv.health; + unsigned long flags; + + if (disable_health) { + spin_lock_irqsave(>wq_lock, flags); + set_bit(MLX5_DROP_NEW_HEALTH_WORK, >flags); + set_bit(MLX5_DROP_NEW_RECOVERY_WORK, >flags); + spin_unlock_irqrestore(>wq_lock, flags); + } del_timer_sync(>timer); } --- a/drivers/net/ethernet/mellanox/mlx5/core/main.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c @@ -1130,7 +1130,7 @@ err_cleanup_once: mlx5_cleanup_once(dev); err_stop_poll: - mlx5_stop_health_poll(dev); + mlx5_stop_health_poll(dev, boot); if (mlx5_cmd_teardown_hca(dev)) { dev_err(>pdev->dev, "tear_down_hca failed, skip cleanup\n"); goto out_err; @@ -1187,7 +1187,7 @@ static int mlx5_unload_one(struct mlx5_c mlx5_disable_msix(dev); if (cleanup) mlx5_cleanup_once(dev); - mlx5_stop_health_poll(dev); + mlx5_stop_health_poll(dev, cleanup); err = mlx5_cmd_teardown_hca(dev); if (err) { dev_err(>pdev->dev, "tear_down_hca failed, skip cleanup\n"); --- a/include/linux/mlx5/driver.h +++ b/include/linux/mlx5/driver.h @@ -786,7 +786,7 @@ void mlx5_unmap_free_uar(struct mlx5_cor void mlx5_health_cleanup(struct mlx5_core_dev *dev); int mlx5_health_init(struct mlx5_core_dev *dev); void mlx5_start_health_poll(struct mlx5_core_dev *dev); -void mlx5_stop_health_poll(struct mlx5_core_dev *dev); +void mlx5_stop_health_poll(struct mlx5_core_dev *dev, bool disable_health); void mlx5_drain_health_wq(struct mlx5_core_dev *dev); void mlx5_drain_health_recovery(struct mlx5_core_dev *dev); int mlx5_buf_alloc_node(struct mlx5_core_dev *dev, int size,
[PATCH 4.9 027/111] ARM: exynos: Clear global variable on init error path
4.9-stable review patch. If anyone has any objections, please let me know. -- From: Krzysztof Kozlowski [ Upstream commit cd4806911cee3901bc2b5eb95603cf1958720b57 ] For most of Exynos SoCs, Power Management Unit (PMU) address space is mapped into global variable 'pmu_base_addr' very early when initializing PMU interrupt controller. A lot of other machine code depends on it so when doing iounmap() on this address, clear the global as well to avoid usage of invalid value (pointing to unmapped memory region). Properly mapped PMU address space is a requirement for all other machine code so this fix is purely theoretical. Boot will fail immediately in many other places after following this error path. Signed-off-by: Krzysztof Kozlowski Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- arch/arm/mach-exynos/suspend.c |1 + 1 file changed, 1 insertion(+) --- a/arch/arm/mach-exynos/suspend.c +++ b/arch/arm/mach-exynos/suspend.c @@ -252,6 +252,7 @@ static int __init exynos_pmu_irq_init(st NULL); if (!domain) { iounmap(pmu_base_addr); + pmu_base_addr = NULL; return -ENOMEM; }
Re: [PATCH 04/10] irqchip/gic-v3-its: Move pending table allocation to init time
Hi Marc, On 21/09/18 20:59, Marc Zyngier wrote: Pending tables for the redistributors are currently allocated one at a time as each CPU boots. This is causing some grief for Linux/RT (allocation from within a CPU hotplug notifier is frown upon). Let's more this allocation to take place at init time, when we only have a single CPU. It means we're allocating memory for CPUs that are not online yet, but most system will boot all of their CPUs anyway, so that's not completely wasted. Signed-off-by: Marc Zyngier --- drivers/irqchip/irq-gic-v3-its.c | 80 +++--- include/linux/irqchip/arm-gic-v3.h | 1 + 2 files changed, 53 insertions(+), 28 deletions(-) diff --git a/drivers/irqchip/irq-gic-v3-its.c b/drivers/irqchip/irq-gic-v3-its.c index 7ef6baea2d78..462bba422189 100644 --- a/drivers/irqchip/irq-gic-v3-its.c +++ b/drivers/irqchip/irq-gic-v3-its.c @@ -173,6 +173,7 @@ static DEFINE_RAW_SPINLOCK(vmovp_lock); static DEFINE_IDA(its_vpeid_ida); #define gic_data_rdist() (raw_cpu_ptr(gic_rdists->rdist)) +#define gic_data_rdist_cpu(cpu)(per_cpu_ptr(gic_rdists->rdist, cpu)) #define gic_data_rdist_rd_base() (gic_data_rdist()->rd_base) #define gic_data_rdist_vlpi_base()(gic_data_rdist_rd_base() + SZ_128K) @@ -1625,7 +1626,7 @@ static void its_free_prop_table(struct page *prop_page) get_order(LPI_PROPBASE_SZ)); } -static int __init its_alloc_lpi_tables(void) +static int __init its_alloc_lpi_prop_table(void) A bit of a nit, but there is already a function called "its_allocate_prop_table" which I find very easy to confuse with this one. And patch 3 factored the initialization out of its_allocate_prop_table. So I was wondering whether it would not actually be better to open-code it here and get rid of that function. Otherwise I'd suggest having more distinct names. Otherwise the patch looks good. Thanks, { phys_addr_t paddr; @@ -1944,30 +1945,47 @@ static void its_free_pending_table(struct page *pt) free_pages((unsigned long)page_address(pt), get_order(LPI_PENDBASE_SZ)); } -static void its_cpu_init_lpis(void) +static int __init allocate_lpi_tables(void) { - void __iomem *rbase = gic_data_rdist_rd_base(); - struct page *pend_page; - u64 val, tmp; + int err, cpu; - /* If we didn't allocate the pending table yet, do it now */ - pend_page = gic_data_rdist()->pend_page; - if (!pend_page) { - phys_addr_t paddr; + err = its_alloc_lpi_prop_table(); + if (err) + return err; + + /* +* We allocate all the pending tables anyway, as we may have a +* mix of RDs that have had LPIs enabled, and some that +* don't. We'll free the unused ones as each CPU comes online. +*/ + for_each_possible_cpu(cpu) { + struct page *pend_page; pend_page = its_allocate_pending_table(GFP_NOWAIT); if (!pend_page) { - pr_err("Failed to allocate PENDBASE for CPU%d\n", - smp_processor_id()); - return; + pr_err("Failed to allocate PENDBASE for CPU%d\n", cpu); + return -ENOMEM; } - paddr = page_to_phys(pend_page); - pr_info("CPU%d: using LPI pending table @%pa\n", - smp_processor_id(), ); - gic_data_rdist()->pend_page = pend_page; + gic_data_rdist_cpu(cpu)->pend_page = pend_page; } + return 0; +} + +static void its_cpu_init_lpis(void) +{ + void __iomem *rbase = gic_data_rdist_rd_base(); + struct page *pend_page; + phys_addr_t paddr; + u64 val, tmp; + + if (gic_data_rdist()->lpi_enabled) + return; + + pend_page = gic_data_rdist()->pend_page; + paddr = page_to_phys(pend_page); + /* set PROPBASE */ val = (page_to_phys(gic_rdists->prop_page) | GICR_PROPBASER_InnerShareable | @@ -2019,6 +2037,10 @@ static void its_cpu_init_lpis(void) /* Make sure the GIC has seen the above */ dsb(sy); + gic_data_rdist()->lpi_enabled = true; + pr_info("GICv3: CPU%d: using LPI pending table @%pa\n", + smp_processor_id(), + ); } static void its_cpu_init_collection(struct its_node *its) @@ -3497,16 +3519,6 @@ static int redist_disable_lpis(void) u64 timeout = USEC_PER_SEC; u64 val; - /* -* If coming via a CPU hotplug event, we don't need to disable -* LPIs before trying to re-enable them. They are already -* configured and all is well in the world. Detect this case -* by checking the allocation of the pending table for the -* current CPU. -*/ - if (gic_data_rdist()->pend_page) - return 0; - if (!gic_rdists_supports_plpis()) {
[PATCH 4.9 076/111] evm: Dont deadlock if a crypto algorithm is unavailable
4.9-stable review patch. If anyone has any objections, please let me know. -- From: Matthew Garrett [ Upstream commit e2861fa71641c6414831d628a1f4f793b6562580 ] When EVM attempts to appraise a file signed with a crypto algorithm the kernel doesn't have support for, it will cause the kernel to trigger a module load. If the EVM policy includes appraisal of kernel modules this will in turn call back into EVM - since EVM is holding a lock until the crypto initialisation is complete, this triggers a deadlock. Add a CRYPTO_NOLOAD flag and skip module loading if it's set, and add that flag in the EVM case in order to fail gracefully with an error message instead of deadlocking. Signed-off-by: Matthew Garrett Acked-by: Herbert Xu Signed-off-by: Mimi Zohar Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- crypto/api.c|2 +- include/linux/crypto.h |5 + security/integrity/evm/evm_crypto.c |3 ++- 3 files changed, 8 insertions(+), 2 deletions(-) --- a/crypto/api.c +++ b/crypto/api.c @@ -215,7 +215,7 @@ struct crypto_alg *crypto_larval_lookup( type &= mask; alg = crypto_alg_lookup(name, type, mask); - if (!alg) { + if (!alg && !(mask & CRYPTO_NOLOAD)) { request_module("crypto-%s", name); if (!((type ^ CRYPTO_ALG_NEED_FALLBACK) & mask & --- a/include/linux/crypto.h +++ b/include/linux/crypto.h @@ -109,6 +109,11 @@ #define CRYPTO_ALG_OPTIONAL_KEY0x4000 /* + * Don't trigger module loading + */ +#define CRYPTO_NOLOAD 0x8000 + +/* * Transform masks and values (for crt_flags). */ #define CRYPTO_TFM_NEED_KEY0x0001 --- a/security/integrity/evm/evm_crypto.c +++ b/security/integrity/evm/evm_crypto.c @@ -94,7 +94,8 @@ static struct shash_desc *init_desc(char mutex_lock(); if (*tfm) goto out; - *tfm = crypto_alloc_shash(algo, 0, CRYPTO_ALG_ASYNC); + *tfm = crypto_alloc_shash(algo, 0, + CRYPTO_ALG_ASYNC | CRYPTO_NOLOAD); if (IS_ERR(*tfm)) { rc = PTR_ERR(*tfm); pr_err("Can not allocate %s (reason: %ld)\n", algo, rc);
[PATCH 4.9 110/111] e1000e: Fix link check race condition
4.9-stable review patch. If anyone has any objections, please let me know. -- From: Benjamin Poirier commit e2710dbf0dc1e37d85368e2404049dadda848d5a upstream. Alex reported the following race condition: /* link goes up... interrupt... schedule watchdog */ \ e1000_watchdog_task \ e1000e_has_link \ hw->mac.ops.check_for_link() === e1000e_check_for_copper_link \ e1000e_phy_has_link_generic(..., ) link = true /* link goes down... interrupt */ \ e1000_msix_other hw->mac.get_link_status = true /* link is up */ mac->get_link_status = false link_active = true /* link_active is true, wrongly, and stays so because * get_link_status is false */ Avoid this problem by making sure that we don't set get_link_status = false after having checked the link. It seems this problem has been present since the introduction of e1000e. Link: https://lkml.org/lkml/2018/1/29/338 Reported-by: Alexander Duyck Signed-off-by: Benjamin Poirier Acked-by: Alexander Duyck Tested-by: Aaron Brown Signed-off-by: Jeff Kirsher Cc: Yanhui He Signed-off-by: Ben Hutchings Signed-off-by: Greg Kroah-Hartman --- drivers/net/ethernet/intel/e1000e/ich8lan.c | 31 +++- drivers/net/ethernet/intel/e1000e/mac.c | 14 ++-- 2 files changed, 24 insertions(+), 21 deletions(-) --- a/drivers/net/ethernet/intel/e1000e/ich8lan.c +++ b/drivers/net/ethernet/intel/e1000e/ich8lan.c @@ -1380,6 +1380,7 @@ static s32 e1000_check_for_copper_link_i */ if (!mac->get_link_status) return 0; + mac->get_link_status = false; /* First we want to see if the MII Status Register reports * link. If so, then we want to get the current speed/duplex @@ -1387,12 +1388,12 @@ static s32 e1000_check_for_copper_link_i */ ret_val = e1000e_phy_has_link_generic(hw, 1, 0, ); if (ret_val) - return ret_val; + goto out; if (hw->mac.type == e1000_pchlan) { ret_val = e1000_k1_gig_workaround_hv(hw, link); if (ret_val) - return ret_val; + goto out; } /* When connected at 10Mbps half-duplex, some parts are excessively @@ -1427,7 +1428,7 @@ static s32 e1000_check_for_copper_link_i ret_val = hw->phy.ops.acquire(hw); if (ret_val) - return ret_val; + goto out; if (hw->mac.type == e1000_pch2lan) emi_addr = I82579_RX_CONFIG; @@ -1450,7 +1451,7 @@ static s32 e1000_check_for_copper_link_i hw->phy.ops.release(hw); if (ret_val) - return ret_val; + goto out; if (hw->mac.type == e1000_pch_spt) { u16 data; @@ -1459,14 +1460,14 @@ static s32 e1000_check_for_copper_link_i if (speed == SPEED_1000) { ret_val = hw->phy.ops.acquire(hw); if (ret_val) - return ret_val; + goto out; ret_val = e1e_rphy_locked(hw, PHY_REG(776, 20), ); if (ret_val) { hw->phy.ops.release(hw); - return ret_val; + goto out; } ptr_gap = (data & (0x3FF << 2)) >> 2; @@ -1480,18 +1481,18 @@ static s32 e1000_check_for_copper_link_i } hw->phy.ops.release(hw); if (ret_val) - return ret_val; + goto out; } else { ret_val = hw->phy.ops.acquire(hw); if (ret_val) - return ret_val; + goto out; ret_val = e1e_wphy_locked(hw, PHY_REG(776, 20), 0xC023); hw->phy.ops.release(hw); if (ret_val) - return ret_val; +
[PATCH 4.9 075/111] mtdchar: fix overflows in adjustment of `count`
4.9-stable review patch. If anyone has any objections, please let me know. -- From: Jann Horn [ Upstream commit 6c6bc9ea84d0008024606bf5ba10519e20d851bf ] The first checks in mtdchar_read() and mtdchar_write() attempt to limit `count` such that `*ppos + count <= mtd->size`. However, they ignore the possibility of `*ppos > mtd->size`, allowing the calculation of `count` to wrap around. `mtdchar_lseek()` prevents seeking beyond mtd->size, but the pread/pwrite syscalls bypass this. I haven't found any codepath on which this actually causes dangerous behavior, but it seems like a sensible change anyway. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Jann Horn Signed-off-by: Boris Brezillon Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/mtd/mtdchar.c | 10 +++--- 1 file changed, 7 insertions(+), 3 deletions(-) --- a/drivers/mtd/mtdchar.c +++ b/drivers/mtd/mtdchar.c @@ -160,8 +160,12 @@ static ssize_t mtdchar_read(struct file pr_debug("MTD_read\n"); - if (*ppos + count > mtd->size) - count = mtd->size - *ppos; + if (*ppos + count > mtd->size) { + if (*ppos < mtd->size) + count = mtd->size - *ppos; + else + count = 0; + } if (!count) return 0; @@ -246,7 +250,7 @@ static ssize_t mtdchar_write(struct file pr_debug("MTD_write\n"); - if (*ppos == mtd->size) + if (*ppos >= mtd->size) return -ENOSPC; if (*ppos + count > mtd->size)
[PATCH 4.9 077/111] MIPS: loongson64: cs5536: Fix PCI_OHCI_INT_REG reads
4.9-stable review patch. If anyone has any objections, please let me know. -- From: Paul Burton [ Upstream commit cd87668d601f622e0ebcfea4f78d116d5f572f4d ] The PCI_OHCI_INT_REG case in pci_ohci_read_reg() contains the following if statement: if ((lo & 0x0f00) == CS5536_USB_INTR) CS5536_USB_INTR expands to the constant 11, which gives us the following condition which can never evaluate true: if ((lo & 0xf00) == 11) At least when using GCC 8.1.0 this falls foul of the tautoligcal-compare warning, and since the code is built with the -Werror flag the build fails. Fix this by shifting lo right by 8 bits in order to match the corresponding PCI_OHCI_INT_REG case in pci_ohci_write_reg(). Signed-off-by: Paul Burton Patchwork: https://patchwork.linux-mips.org/patch/19861/ Cc: Huacai Chen Cc: James Hogan Cc: Ralf Baechle Cc: linux-m...@linux-mips.org Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- arch/mips/loongson64/common/cs5536/cs5536_ohci.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/arch/mips/loongson64/common/cs5536/cs5536_ohci.c +++ b/arch/mips/loongson64/common/cs5536/cs5536_ohci.c @@ -138,7 +138,7 @@ u32 pci_ohci_read_reg(int reg) break; case PCI_OHCI_INT_REG: _rdmsr(DIVIL_MSR_REG(PIC_YSEL_LOW), , ); - if ((lo & 0x0f00) == CS5536_USB_INTR) + if (((lo >> PIC_YSEL_LOW_USB_SHIFT) & 0xf) == CS5536_USB_INTR) conf_data = 1; break; default:
[PATCH 4.9 026/111] fbdev: Distinguish between interlaced and progressive modes
4.9-stable review patch. If anyone has any objections, please let me know. -- From: Fredrik Noring [ Upstream commit 1ba0a59cea41ea05fda92daaf2a2958a2246b9cf ] I discovered the problem when developing a frame buffer driver for the PlayStation 2 (not yet merged), using the following video modes for the PlayStation 3 in drivers/video/fbdev/ps3fb.c: }, { /* 1080if */ "1080if", 50, 1920, 1080, 13468, 148, 484, 36, 4, 88, 5, FB_SYNC_BROADCAST, FB_VMODE_INTERLACED }, { /* 1080pf */ "1080pf", 50, 1920, 1080, 6734, 148, 484, 36, 4, 88, 5, FB_SYNC_BROADCAST, FB_VMODE_NONINTERLACED }, In ps3fb_probe, the mode_option module parameter is used with fb_find_mode but it can only select the interlaced variant of 1920x1080 since the loop matching the modes does not take the difference between interlaced and progressive modes into account. In short, without the patch, progressive 1920x1080 cannot be chosen as a mode_option parameter since fb_find_mode (falsely) thinks interlace is a perfect match. Signed-off-by: Fredrik Noring Cc: "Maciej W. Rozycki" [b.zolnierkie: updated patch description] Signed-off-by: Bartlomiej Zolnierkiewicz Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/video/fbdev/core/modedb.c | 41 +++--- 1 file changed, 30 insertions(+), 11 deletions(-) --- a/drivers/video/fbdev/core/modedb.c +++ b/drivers/video/fbdev/core/modedb.c @@ -644,7 +644,7 @@ static int fb_try_mode(struct fb_var_scr * * Valid mode specifiers for @mode_option: * - * x[M][R][-][@][i][m] or + * x[M][R][-][@][i][p][m] or * [-][@] * * with , , and decimal numbers and @@ -653,10 +653,10 @@ static int fb_try_mode(struct fb_var_scr * If 'M' is present after yres (and before refresh/bpp if present), * the function will compute the timings using VESA(tm) Coordinated * Video Timings (CVT). If 'R' is present after 'M', will compute with - * reduced blanking (for flatpanels). If 'i' is present, compute - * interlaced mode. If 'm' is present, add margins equal to 1.8% - * of xres rounded down to 8 pixels, and 1.8% of yres. The char - * 'i' and 'm' must be after 'M' and 'R'. Example: + * reduced blanking (for flatpanels). If 'i' or 'p' are present, compute + * interlaced or progressive mode. If 'm' is present, add margins equal + * to 1.8% of xres rounded down to 8 pixels, and 1.8% of yres. The chars + * 'i', 'p' and 'm' must be after 'M' and 'R'. Example: * * 1024x768MR-8@60m - Reduced blank with margins at 60Hz. * @@ -697,7 +697,8 @@ int fb_find_mode(struct fb_var_screeninf unsigned int namelen = strlen(name); int res_specified = 0, bpp_specified = 0, refresh_specified = 0; unsigned int xres = 0, yres = 0, bpp = default_bpp, refresh = 0; - int yres_specified = 0, cvt = 0, rb = 0, interlace = 0; + int yres_specified = 0, cvt = 0, rb = 0; + int interlace_specified = 0, interlace = 0; int margins = 0; u32 best, diff, tdiff; @@ -748,9 +749,17 @@ int fb_find_mode(struct fb_var_screeninf if (!cvt) margins = 1; break; + case 'p': + if (!cvt) { + interlace = 0; + interlace_specified = 1; + } + break; case 'i': - if (!cvt) + if (!cvt) { interlace = 1; + interlace_specified = 1; + } break; default: goto done; @@ -819,11 +828,21 @@ done: if ((name_matches(db[i], name, namelen) || (res_specified && res_matches(db[i], xres, yres))) && !fb_try_mode(var, info, [i], bpp)) { - if (refresh_specified && db[i].refresh == refresh) - return 1; + const int db_interlace = (db[i].vmode & + FB_VMODE_INTERLACED ? 1 : 0); + int score = abs(db[i].refresh - refresh); + + if (interlace_specified) + score += abs(db_interlace - interlace); + + if (!interlace_specified || + db_interlace == interlace) + if (refresh_specified && +
[PATCH 1/2] Revert "uapi/linux/keyctl.h: don't use C++ reserved keyword as a struct member name"
From: Lubomir Rintel This changes UAPI, breaking iwd and libell: ell/key.c: In function 'kernel_dh_compute': ell/key.c:205:38: error: 'struct keyctl_dh_params' has no member named 'private'; did you mean 'dh_private'? struct keyctl_dh_params params = { .private = private, ^~~ dh_private This reverts commit 8a2336e549d385bb0b46880435b411df8d8200e8. Signed-off-by: Lubomir Rintel Signed-off-by: David Howells cc: Randy Dunlap cc: Mat Martineau cc: Stephan Mueller cc: James Morris cc: "Serge E. Hallyn" cc: Mat Martineau cc: Andrew Morton cc: Linus Torvalds cc: --- include/uapi/linux/keyctl.h |2 +- security/keys/dh.c |2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/include/uapi/linux/keyctl.h b/include/uapi/linux/keyctl.h index 910cc4334b21..7b8c9e19bad1 100644 --- a/include/uapi/linux/keyctl.h +++ b/include/uapi/linux/keyctl.h @@ -65,7 +65,7 @@ /* keyctl structures */ struct keyctl_dh_params { - __s32 dh_private; + __s32 private; __s32 prime; __s32 base; }; diff --git a/security/keys/dh.c b/security/keys/dh.c index 3b602a1e27fa..711e89d8c415 100644 --- a/security/keys/dh.c +++ b/security/keys/dh.c @@ -300,7 +300,7 @@ long __keyctl_dh_compute(struct keyctl_dh_params __user *params, } dh_inputs.g_size = dlen; - dlen = dh_data_from_key(pcopy.dh_private, _inputs.key); + dlen = dh_data_from_key(pcopy.private, _inputs.key); if (dlen < 0) { ret = dlen; goto out2;
[PATCH 4.14 066/173] KVM: arm/arm64: Fix vgic init race
4.14-stable review patch. If anyone has any objections, please let me know. -- From: Christoffer Dall [ Upstream commit 1d47191de7e15900f8fbfe7cccd7c6e1c2d7c31a ] The vgic_init function can race with kvm_arch_vcpu_create() which does not hold kvm_lock() and we therefore have no synchronization primitives to ensure we're doing the right thing. As the user is trying to initialize or run the VM while at the same time creating more VCPUs, we just have to refuse to initialize the VGIC in this case rather than silently failing with a broken VCPU. Reviewed-by: Eric Auger Signed-off-by: Christoffer Dall Signed-off-by: Marc Zyngier Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- virt/kvm/arm/vgic/vgic-init.c |4 1 file changed, 4 insertions(+) --- a/virt/kvm/arm/vgic/vgic-init.c +++ b/virt/kvm/arm/vgic/vgic-init.c @@ -277,6 +277,10 @@ int vgic_init(struct kvm *kvm) if (vgic_initialized(kvm)) return 0; + /* Are we also in the middle of creating a VCPU? */ + if (kvm->created_vcpus != atomic_read(>online_vcpus)) + return -EBUSY; + /* freeze the number of spis */ if (!dist->nr_spis) dist->nr_spis = VGIC_NR_IRQS_LEGACY - VGIC_NR_PRIVATE_IRQS;
[PATCH 4.14 116/173] security: check for kstrdup() failure in lsm_append()
4.14-stable review patch. If anyone has any objections, please let me know. -- From: Eric Biggers [ Upstream commit 87ea58433208d17295e200d56be5e2a4fe4ce7d6 ] lsm_append() should return -ENOMEM if memory allocation failed. Fixes: d69dece5f5b6 ("LSM: Add /sys/kernel/security/lsm") Signed-off-by: Eric Biggers Signed-off-by: James Morris Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- security/security.c |2 ++ 1 file changed, 2 insertions(+) --- a/security/security.c +++ b/security/security.c @@ -111,6 +111,8 @@ static int lsm_append(char *new, char ** if (*result == NULL) { *result = kstrdup(new, GFP_KERNEL); + if (*result == NULL) + return -ENOMEM; } else { /* Check if it is the last registered name */ if (match_last_lsm(*result, new))
[PATCH 4.14 111/173] mtdchar: fix overflows in adjustment of `count`
4.14-stable review patch. If anyone has any objections, please let me know. -- From: Jann Horn [ Upstream commit 6c6bc9ea84d0008024606bf5ba10519e20d851bf ] The first checks in mtdchar_read() and mtdchar_write() attempt to limit `count` such that `*ppos + count <= mtd->size`. However, they ignore the possibility of `*ppos > mtd->size`, allowing the calculation of `count` to wrap around. `mtdchar_lseek()` prevents seeking beyond mtd->size, but the pread/pwrite syscalls bypass this. I haven't found any codepath on which this actually causes dangerous behavior, but it seems like a sensible change anyway. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Jann Horn Signed-off-by: Boris Brezillon Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/mtd/mtdchar.c | 10 +++--- 1 file changed, 7 insertions(+), 3 deletions(-) --- a/drivers/mtd/mtdchar.c +++ b/drivers/mtd/mtdchar.c @@ -160,8 +160,12 @@ static ssize_t mtdchar_read(struct file pr_debug("MTD_read\n"); - if (*ppos + count > mtd->size) - count = mtd->size - *ppos; + if (*ppos + count > mtd->size) { + if (*ppos < mtd->size) + count = mtd->size - *ppos; + else + count = 0; + } if (!count) return 0; @@ -246,7 +250,7 @@ static ssize_t mtdchar_write(struct file pr_debug("MTD_write\n"); - if (*ppos == mtd->size) + if (*ppos >= mtd->size) return -ENOSPC; if (*ppos + count > mtd->size)
[PATCH 4.14 110/173] audit: fix use-after-free in audit_add_watch
4.14-stable review patch. If anyone has any objections, please let me know. -- From: Ronny Chevalier [ Upstream commit baa2a4fdd525c8c4b0f704d20457195b29437839 ] audit_add_watch stores locally krule->watch without taking a reference on watch. Then, it calls audit_add_to_parent, and uses the watch stored locally. Unfortunately, it is possible that audit_add_to_parent updates krule->watch. When it happens, it also drops a reference of watch which could free the watch. How to reproduce (with KASAN enabled): auditctl -w /etc/passwd -F success=0 -k test_passwd auditctl -w /etc/passwd -F success=1 -k test_passwd2 The second call to auditctl triggers the use-after-free, because audit_to_parent updates krule->watch to use a previous existing watch and drops the reference to the newly created watch. To fix the issue, we grab a reference of watch and we release it at the end of the function. Signed-off-by: Ronny Chevalier Reviewed-by: Richard Guy Briggs Signed-off-by: Paul Moore Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- kernel/audit_watch.c | 12 +++- 1 file changed, 11 insertions(+), 1 deletion(-) --- a/kernel/audit_watch.c +++ b/kernel/audit_watch.c @@ -419,6 +419,13 @@ int audit_add_watch(struct audit_krule * struct path parent_path; int h, ret = 0; + /* +* When we will be calling audit_add_to_parent, krule->watch might have +* been updated and watch might have been freed. +* So we need to keep a reference of watch. +*/ + audit_get_watch(watch); + mutex_unlock(_filter_mutex); /* Avoid calling path_lookup under audit_filter_mutex. */ @@ -427,8 +434,10 @@ int audit_add_watch(struct audit_krule * /* caller expects mutex locked */ mutex_lock(_filter_mutex); - if (ret) + if (ret) { + audit_put_watch(watch); return ret; + } /* either find an old parent or attach a new one */ parent = audit_find_parent(d_backing_inode(parent_path.dentry)); @@ -446,6 +455,7 @@ int audit_add_watch(struct audit_krule * *list = _inode_hash[h]; error: path_put(_path); + audit_put_watch(watch); return ret; }
[PATCH 4.14 112/173] vfs: fix freeze protection in mnt_want_write_file() for overlayfs
4.14-stable review patch. If anyone has any objections, please let me know. -- From: Miklos Szeredi [ Upstream commit a6795a585929d94ca3e931bc8518f8deb8bbe627 ] The underlying real file used by overlayfs still contains the overlay path. This results in mnt_want_write_file() calls by the filesystem getting freeze protection on the wrong inode (the overlayfs one instead of the real one). Fix by using file_inode(file)->i_sb instead of file->f_path.mnt->mnt_sb. Reported-by: Amir Goldstein Signed-off-by: Miklos Szeredi Reviewed-by: Christoph Hellwig Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- fs/namespace.c |7 --- 1 file changed, 4 insertions(+), 3 deletions(-) --- a/fs/namespace.c +++ b/fs/namespace.c @@ -446,10 +446,10 @@ int mnt_want_write_file_path(struct file { int ret; - sb_start_write(file->f_path.mnt->mnt_sb); + sb_start_write(file_inode(file)->i_sb); ret = __mnt_want_write_file(file); if (ret) - sb_end_write(file->f_path.mnt->mnt_sb); + sb_end_write(file_inode(file)->i_sb); return ret; } @@ -540,7 +540,8 @@ void __mnt_drop_write_file(struct file * void mnt_drop_write_file_path(struct file *file) { - mnt_drop_write(file->f_path.mnt); + __mnt_drop_write_file(file); + sb_end_write(file_inode(file)->i_sb); } void mnt_drop_write_file(struct file *file)
[PATCH 4.14 120/173] pinctrl: pinmux: Return selector to the pinctrl driver
4.14-stable review patch. If anyone has any objections, please let me know. -- From: Tony Lindgren [ Upstream commit f913cfce4ee49a3382a9ff95696f49a46e56e974 ] We must return the selector from pinmux_generic_add_function() so pin controller device drivers can remove the right group if needed for deferred probe for example. And we now must make sure that a proper name is passed so we can use it to check if the entry already exists. Note that fixes are also needed for the pin controller drivers to use the selector value. Fixes: a76edc89b100 ("pinctrl: core: Add generic pinctrl functions for managing groups") Reported-by: H. Nikolaus Schaller Cc: Christ van Willegen Cc: Haojian Zhuang Cc: Jacopo Mondi Cc: Paul Cercueil Cc: Sean Wang Signed-off-by: Tony Lindgren Tested-By: H. Nikolaus Schaller Reviewed-by: Andy Shevchenko Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/pinctrl/pinmux.c | 16 1 file changed, 12 insertions(+), 4 deletions(-) --- a/drivers/pinctrl/pinmux.c +++ b/drivers/pinctrl/pinmux.c @@ -308,7 +308,6 @@ static int pinmux_func_name_to_selector( selector++; } - dev_err(pctldev->dev, "function '%s' not supported\n", function); return -EINVAL; } @@ -777,6 +776,16 @@ int pinmux_generic_add_function(struct p void *data) { struct function_desc *function; + int selector; + + if (!name) + return -EINVAL; + + selector = pinmux_func_name_to_selector(pctldev, name); + if (selector >= 0) + return selector; + + selector = pctldev->num_functions; function = devm_kzalloc(pctldev->dev, sizeof(*function), GFP_KERNEL); if (!function) @@ -787,12 +796,11 @@ int pinmux_generic_add_function(struct p function->num_group_names = num_groups; function->data = data; - radix_tree_insert(>pin_function_tree, pctldev->num_functions, - function); + radix_tree_insert(>pin_function_tree, selector, function); pctldev->num_functions++; - return 0; + return selector; } EXPORT_SYMBOL_GPL(pinmux_generic_add_function);
[PATCH 4.14 119/173] pinctrl: rza1: Fix selector use for groups and functions
4.14-stable review patch. If anyone has any objections, please let me know. -- From: Tony Lindgren [ Upstream commit dc4003d260594aa300028c3c5d040c5719abd19b ] We must use a mutex around the generic_add functions and save the function and group selector in case we need to remove them. Otherwise the selector use will be racy for deferred probe at least. Fixes: 5a49b644b307 ("pinctrl: Renesas RZ/A1 pin and gpio controller") Reported-by: H. Nikolaus Schaller Cc: Christ van Willegen Cc: Haojian Zhuang Cc: Paul Cercueil Cc: Sean Wang Acked-by: Jacopo Mondi Signed-off-by: Tony Lindgren Tested-By: H. Nikolaus Schaller Reviewed-by: Andy Shevchenko Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/pinctrl/pinctrl-rza1.c | 24 +--- 1 file changed, 13 insertions(+), 11 deletions(-) --- a/drivers/pinctrl/pinctrl-rza1.c +++ b/drivers/pinctrl/pinctrl-rza1.c @@ -878,6 +878,7 @@ static int rza1_dt_node_to_map(struct pi const char *grpname; const char **fngrps; int ret, npins; + int gsel, fsel; npins = rza1_dt_node_pin_count(np); if (npins < 0) { @@ -927,18 +928,19 @@ static int rza1_dt_node_to_map(struct pi fngrps[0] = grpname; mutex_lock(_pctl->mutex); - ret = pinctrl_generic_add_group(pctldev, grpname, grpins, npins, - NULL); - if (ret) { + gsel = pinctrl_generic_add_group(pctldev, grpname, grpins, npins, +NULL); + if (gsel < 0) { mutex_unlock(_pctl->mutex); - return ret; + return gsel; } - ret = pinmux_generic_add_function(pctldev, grpname, fngrps, 1, - mux_confs); - if (ret) + fsel = pinmux_generic_add_function(pctldev, grpname, fngrps, 1, + mux_confs); + if (fsel < 0) { + ret = fsel; goto remove_group; - mutex_unlock(_pctl->mutex); + } dev_info(rza1_pctl->dev, "Parsed function and group %s with %d pins\n", grpname, npins); @@ -955,15 +957,15 @@ static int rza1_dt_node_to_map(struct pi (*map)->data.mux.group = np->name; (*map)->data.mux.function = np->name; *num_maps = 1; + mutex_unlock(_pctl->mutex); return 0; remove_function: - mutex_lock(_pctl->mutex); - pinmux_generic_remove_last_function(pctldev); + pinmux_generic_remove_function(pctldev, fsel); remove_group: - pinctrl_generic_remove_last_group(pctldev); + pinctrl_generic_remove_group(pctldev, gsel); mutex_unlock(_pctl->mutex); dev_info(rza1_pctl->dev, "Unable to parse function and group %s\n",
[PATCH 4.14 127/173] gpu: ipu-v3: csi: pass back mbus_code_to_bus_cfg error codes
4.14-stable review patch. If anyone has any objections, please let me know. -- From: Enrico Scholz [ Upstream commit d36d0e6309dd8137cf438cbb680e72eb63c81425 ] mbus_code_to_bus_cfg() can fail on unknown mbus codes; pass back the error to the caller. Signed-off-by: Enrico Scholz Signed-off-by: Jan Luebbe [p.za...@pengutronix.de - renamed rc to ret for consistency] Signed-off-by: Philipp Zabel Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/gpu/ipu-v3/ipu-csi.c | 20 1 file changed, 16 insertions(+), 4 deletions(-) --- a/drivers/gpu/ipu-v3/ipu-csi.c +++ b/drivers/gpu/ipu-v3/ipu-csi.c @@ -316,13 +316,17 @@ static int mbus_code_to_bus_cfg(struct i /* * Fill a CSI bus config struct from mbus_config and mbus_framefmt. */ -static void fill_csi_bus_cfg(struct ipu_csi_bus_config *csicfg, +static int fill_csi_bus_cfg(struct ipu_csi_bus_config *csicfg, struct v4l2_mbus_config *mbus_cfg, struct v4l2_mbus_framefmt *mbus_fmt) { + int ret; + memset(csicfg, 0, sizeof(*csicfg)); - mbus_code_to_bus_cfg(csicfg, mbus_fmt->code); + ret = mbus_code_to_bus_cfg(csicfg, mbus_fmt->code); + if (ret < 0) + return ret; switch (mbus_cfg->type) { case V4L2_MBUS_PARALLEL: @@ -353,6 +357,8 @@ static void fill_csi_bus_cfg(struct ipu_ /* will never get here, keep compiler quiet */ break; } + + return 0; } int ipu_csi_init_interface(struct ipu_csi *csi, @@ -362,8 +368,11 @@ int ipu_csi_init_interface(struct ipu_cs struct ipu_csi_bus_config cfg; unsigned long flags; u32 width, height, data = 0; + int ret; - fill_csi_bus_cfg(, mbus_cfg, mbus_fmt); + ret = fill_csi_bus_cfg(, mbus_cfg, mbus_fmt); + if (ret < 0) + return ret; /* set default sensor frame width and height */ width = mbus_fmt->width; @@ -584,11 +593,14 @@ int ipu_csi_set_mipi_datatype(struct ipu struct ipu_csi_bus_config cfg; unsigned long flags; u32 temp; + int ret; if (vc > 3) return -EINVAL; - mbus_code_to_bus_cfg(, mbus_fmt->code); + ret = mbus_code_to_bus_cfg(, mbus_fmt->code); + if (ret < 0) + return ret; spin_lock_irqsave(>lock, flags);
[PATCH 4.14 128/173] tty: fix termios input-speed encoding when using BOTHER
4.14-stable review patch. If anyone has any objections, please let me know. -- From: Johan Hovold [ Upstream commit 1cee38f0363a88db374e50b232ca17b9a4c12fa0 ] When the termios CIBAUD bits are left unset (i.e. B0), we use the same output and input speed and should leave CIBAUD unchanged. When the user requests a rate using BOTHER and c_ospeed which the driver cannot set exactly, the driver can report back the actual baud rate using tty_termios_encode_baud_rate(). If this rate is close enough to a standard rate however, we could end up setting CIBAUD to a Bfoo value despite the user having left it unset. This in turn could lead to an unexpected input rate being set on subsequent termios updates. Fix this by using a zero tolerance value also for the input rate when CIBAUD is clear so that the matching logic works as expected. Fixes: 78137e3b34e1 ("[PATCH] tty: improve encode_baud_rate logic") Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/tty/tty_baudrate.c | 10 +++--- 1 file changed, 7 insertions(+), 3 deletions(-) --- a/drivers/tty/tty_baudrate.c +++ b/drivers/tty/tty_baudrate.c @@ -156,16 +156,20 @@ void tty_termios_encode_baud_rate(struct termios->c_ospeed = obaud; #ifdef BOTHER + if ((termios->c_cflag >> IBSHIFT) & CBAUD) + ibinput = 1;/* An input speed was specified */ + /* If the user asked for a precise weird speed give a precise weird answer. If they asked for a Bfoo speed they may have problems digesting non-exact replies so fuzz a bit */ - if ((termios->c_cflag & CBAUD) == BOTHER) + if ((termios->c_cflag & CBAUD) == BOTHER) { oclose = 0; + if (!ibinput) + iclose = 0; + } if (((termios->c_cflag >> IBSHIFT) & CBAUD) == BOTHER) iclose = 0; - if ((termios->c_cflag >> IBSHIFT) & CBAUD) - ibinput = 1;/* An input speed was specified */ #endif termios->c_cflag &= ~CBAUD;
[PATCH 4.14 126/173] liquidio: fix hang when re-binding VF host drv after running DPDK VF driver
4.14-stable review patch. If anyone has any objections, please let me know. -- From: Rick Farrington [ Upstream commit ac13d6d8eaded15c67265eafc32f439ea3a0ac4a ] When configuring SLI_PKTn_OUTPUT_CONTROL, VF driver was assuming that IPTR mode was disabled by reset, which was not true. Since DPDK driver had set IPTR mode previously, the VF driver (which uses buf-ptr-only mode) was not properly handling DROQ packets (i.e. it saw zero-length packets). This represented an invalid hardware configuration which the driver could not handle. Signed-off-by: Rick Farrington Signed-off-by: Felix Manlunas Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/net/ethernet/cavium/liquidio/cn23xx_pf_device.c |3 +++ drivers/net/ethernet/cavium/liquidio/cn23xx_vf_device.c |3 +++ 2 files changed, 6 insertions(+) --- a/drivers/net/ethernet/cavium/liquidio/cn23xx_pf_device.c +++ b/drivers/net/ethernet/cavium/liquidio/cn23xx_pf_device.c @@ -493,6 +493,9 @@ static void cn23xx_pf_setup_global_outpu for (q_no = srn; q_no < ern; q_no++) { reg_val = octeon_read_csr(oct, CN23XX_SLI_OQ_PKT_CONTROL(q_no)); + /* clear IPTR */ + reg_val &= ~CN23XX_PKT_OUTPUT_CTL_IPTR; + /* set DPTR */ reg_val |= CN23XX_PKT_OUTPUT_CTL_DPTR; --- a/drivers/net/ethernet/cavium/liquidio/cn23xx_vf_device.c +++ b/drivers/net/ethernet/cavium/liquidio/cn23xx_vf_device.c @@ -165,6 +165,9 @@ static void cn23xx_vf_setup_global_outpu reg_val = octeon_read_csr(oct, CN23XX_VF_SLI_OQ_PKT_CONTROL(q_no)); + /* clear IPTR */ + reg_val &= ~CN23XX_PKT_OUTPUT_CTL_IPTR; + /* set DPTR */ reg_val |= CN23XX_PKT_OUTPUT_CTL_DPTR;
[PATCH 4.14 121/173] sched/core: Use smp_mb() in wake_woken_function()
4.14-stable review patch. If anyone has any objections, please let me know. -- From: Andrea Parri [ Upstream commit 76e079fefc8f62bd9b2cd2950814d1ee806e31a5 ] wake_woken_function() synchronizes with wait_woken() as follows: [wait_woken] [wake_woken_function] entry->flags &= ~wq_flag_woken;condition = true; smp_mb(); smp_wmb(); if (condition) wq_entry->flags |= wq_flag_woken; break; This commit replaces the above smp_wmb() with an smp_mb() in order to guarantee that either wait_woken() sees the wait condition being true or the store to wq_entry->flags in woken_wake_function() follows the store in wait_woken() in the coherence order (so that the former can eventually be observed by wait_woken()). The commit also fixes a comment associated to set_current_state() in wait_woken(): the comment pairs the barrier in set_current_state() to the above smp_wmb(), while the actual pairing involves the barrier in set_current_state() and the barrier executed by the try_to_wake_up() in wake_woken_function(). Signed-off-by: Andrea Parri Signed-off-by: Paul E. McKenney Acked-by: Peter Zijlstra (Intel) Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: aki...@gmail.com Cc: boqun.f...@gmail.com Cc: dhowe...@redhat.com Cc: j.algl...@ucl.ac.uk Cc: linux-a...@vger.kernel.org Cc: luc.maran...@inria.fr Cc: npig...@gmail.com Cc: parri.and...@gmail.com Cc: st...@rowland.harvard.edu Cc: will.dea...@arm.com Link: http://lkml.kernel.org/r/20180716180605.16115-10-paul...@linux.vnet.ibm.com Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- kernel/sched/wait.c | 47 +-- 1 file changed, 21 insertions(+), 26 deletions(-) --- a/kernel/sched/wait.c +++ b/kernel/sched/wait.c @@ -395,35 +395,36 @@ static inline bool is_kthread_should_sto * if (condition) * break; * - * p->state = mode;condition = true; - * smp_mb(); // A smp_wmb(); // C - * if (!wq_entry->flags & WQ_FLAG_WOKEN) wq_entry->flags |= WQ_FLAG_WOKEN; - * schedule() try_to_wake_up(); - * p->state = TASK_RUNNING;~~ - * wq_entry->flags &= ~WQ_FLAG_WOKEN; condition = true; - * smp_mb() // B smp_wmb(); // C - * wq_entry->flags |= WQ_FLAG_WOKEN; - * } - * remove_wait_queue(_head, ); + * // in wait_woken() // in woken_wake_function() * + * p->state = mode;wq_entry->flags |= WQ_FLAG_WOKEN; + * smp_mb(); // A try_to_wake_up(): + * if (!(wq_entry->flags & WQ_FLAG_WOKEN)) + * schedule() if (p->state & mode) + * p->state = TASK_RUNNING; p->state = TASK_RUNNING; + * wq_entry->flags &= ~WQ_FLAG_WOKEN; ~~ + * smp_mb(); // B condition = true; + * } smp_mb(); // C + * remove_wait_queue(_head, ); wq_entry->flags |= WQ_FLAG_WOKEN; */ long wait_woken(struct wait_queue_entry *wq_entry, unsigned mode, long timeout) { - set_current_state(mode); /* A */ /* -* The above implies an smp_mb(), which matches with the smp_wmb() from -* woken_wake_function() such that if we observe WQ_FLAG_WOKEN we must -* also observe all state before the wakeup. +* The below executes an smp_mb(), which matches with the full barrier +* executed by the try_to_wake_up() in woken_wake_function() such that +* either we see the store to wq_entry->flags in woken_wake_function() +* or woken_wake_function() sees our store to current->state. */ + set_current_state(mode); /* A */ if (!(wq_entry->flags & WQ_FLAG_WOKEN) && !is_kthread_should_stop()) timeout = schedule_timeout(timeout); __set_current_state(TASK_RUNNING); /* -* The below implies an smp_mb(), it too pairs with the smp_wmb() from -* woken_wake_function() such that we must either observe the wait -* condition being true _OR_ WQ_FLAG_WOKEN such that we will not miss -* an event. +* The below executes an smp_mb(), which matches with the smp_mb() (C) +* in woken_wake_function() such that either we see the wait condition +* being true or the store to wq_entry->flags in woken_wake_function() +* follows ours in the coherence order. */ smp_store_mb(wq_entry->flags, wq_entry->flags & ~WQ_FLAG_WOKEN); /* B */ @@ -433,14 +434,8 @@ EXPORT_SYMBOL(wait_woken); int woken_wake_function(struct wait_queue_entry *wq_entry, unsigned mode, int
[PATCH 4.14 102/173] CIFS: fix wrapping bugs in num_entries()
4.14-stable review patch. If anyone has any objections, please let me know. -- From: Dan Carpenter commit 56446f218af1133c802dad8e9e116f07f381846c upstream. The problem is that "entryptr + next_offset" and "entryptr + len + size" can wrap. I ended up changing the type of "entryptr" because it makes the math easier when we don't have to do so much casting. Signed-off-by: Dan Carpenter Signed-off-by: Steve French Reviewed-by: Aurelien Aptel Reviewed-by: Pavel Shilovsky CC: Stable Signed-off-by: Greg Kroah-Hartman --- fs/cifs/smb2pdu.c | 25 +++-- 1 file changed, 15 insertions(+), 10 deletions(-) --- a/fs/cifs/smb2pdu.c +++ b/fs/cifs/smb2pdu.c @@ -2939,33 +2939,38 @@ num_entries(char *bufstart, char *end_of int len; unsigned int entrycount = 0; unsigned int next_offset = 0; - FILE_DIRECTORY_INFO *entryptr; + char *entryptr; + FILE_DIRECTORY_INFO *dir_info; if (bufstart == NULL) return 0; - entryptr = (FILE_DIRECTORY_INFO *)bufstart; + entryptr = bufstart; while (1) { - entryptr = (FILE_DIRECTORY_INFO *) - ((char *)entryptr + next_offset); - - if ((char *)entryptr + size > end_of_buf) { + if (entryptr + next_offset < entryptr || + entryptr + next_offset > end_of_buf || + entryptr + next_offset + size > end_of_buf) { cifs_dbg(VFS, "malformed search entry would overflow\n"); break; } - len = le32_to_cpu(entryptr->FileNameLength); - if ((char *)entryptr + len + size > end_of_buf) { + entryptr = entryptr + next_offset; + dir_info = (FILE_DIRECTORY_INFO *)entryptr; + + len = le32_to_cpu(dir_info->FileNameLength); + if (entryptr + len < entryptr || + entryptr + len > end_of_buf || + entryptr + len + size > end_of_buf) { cifs_dbg(VFS, "directory entry name would overflow frame end of buf %p\n", end_of_buf); break; } - *lastentry = (char *)entryptr; + *lastentry = entryptr; entrycount++; - next_offset = le32_to_cpu(entryptr->NextEntryOffset); + next_offset = le32_to_cpu(dir_info->NextEntryOffset); if (!next_offset) break; }
[PATCH 4.18 049/235] perf tests: Fix record+probe_libc_inet_pton.sh when event exists
4.18-stable review patch. If anyone has any objections, please let me know. -- From: Sandipan Das [ Upstream commit 60089e42d38438772e2f83334e3e5b7497009366 ] If the event 'probe_libc:inet_pton' already exists, this test fails and deletes the existing event before exiting. This will then pass for any subsequent executions. Instead of skipping to deleting the existing event because of failing to add a new event, a duplicate event is now created and the script continues with the usual checks. Only the new duplicate event that is created at the beginning of the test is deleted as a part of the cleanups in the end. All existing events remain as it is. This can be observed on a powerpc64 system running Fedora 27 as shown below. # perf probe -x /usr/lib64/power8/libc-2.26.so -a inet_pton Added new event: probe_libc:inet_pton (on inet_pton in /usr/lib64/power8/libc-2.26.so) Before: # perf test -v "probe libc's inet_pton & backtrace it with ping" 62: probe libc's inet_pton & backtrace it with ping : --- start --- test child forked, pid 21302 test child finished with -1 end probe libc's inet_pton & backtrace it with ping: FAILED! # perf probe --list After: # perf test -v "probe libc's inet_pton & backtrace it with ping" 62: probe libc's inet_pton & backtrace it with ping : --- start --- test child forked, pid 21490 ping 21513 [035] 39357.565561: probe_libc:inet_pton_1: (7fffa4c623b0) 7fffa4c623b0 __GI___inet_pton+0x0 (/usr/lib64/power8/libc-2.26.so) 7fffa4c190dc gaih_inet.constprop.7+0xf4c (/usr/lib64/power8/libc-2.26.so) 7fffa4c19c4c getaddrinfo+0x15c (/usr/lib64/power8/libc-2.26.so) 111d93c20 main+0x3e0 (/usr/bin/ping) test child finished with 0 end probe libc's inet_pton & backtrace it with ping: Ok # perf probe --list probe_libc:inet_pton (on __inet_pton@resolv/inet_pton.c in /usr/lib64/power8/libc-2.26.so) Signed-off-by: Sandipan Das Cc: Jiri Olsa Cc: Kim Phillips Cc: Naveen N. Rao Cc: Ravi Bangoria Link: http://lkml.kernel.org/r/e11fecff96e6cf4c65cdbd9012463513d7b8356c.1530724939.git.sandi...@linux.ibm.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- tools/perf/tests/shell/record+probe_libc_inet_pton.sh | 28 +++--- 1 file changed, 24 insertions(+), 4 deletions(-) --- a/tools/perf/tests/shell/record+probe_libc_inet_pton.sh +++ b/tools/perf/tests/shell/record+probe_libc_inet_pton.sh @@ -13,11 +13,24 @@ libc=$(grep -w libc /proc/self/maps | head -1 | sed -r 's/.*[[:space:]](\/.*)/\1/g') nm -Dg $libc 2>/dev/null | fgrep -q inet_pton || exit 254 +event_pattern='probe_libc:inet_pton(\_[[:digit:]]+)?' + +add_libc_inet_pton_event() { + + event_name=$(perf probe -f -x $libc -a inet_pton 2>&1 | tail -n +2 | head -n -5 | \ + grep -P -o "$event_pattern(?=[[:space:]]\(on inet_pton in $libc\))") + + if [ $? -ne 0 -o -z "$event_name" ] ; then + printf "FAIL: could not add event\n" + return 1 + fi +} + trace_libc_inet_pton_backtrace() { expected=`mktemp -u /tmp/expected.XXX` - echo "ping[][0-9 \.:]+probe_libc:inet_pton: \([[:xdigit:]]+\)" > $expected + echo "ping[][0-9 \.:]+$event_name: \([[:xdigit:]]+\)" > $expected echo ".*inet_pton\+0x[[:xdigit:]]+[[:space:]]\($libc|inlined\)$" >> $expected case "$(uname -m)" in s390x) @@ -41,7 +54,7 @@ trace_libc_inet_pton_backtrace() { perf_data=`mktemp -u /tmp/perf.data.XXX` perf_script=`mktemp -u /tmp/perf.script.XXX` - perf record -e probe_libc:inet_pton/$eventattr/ -o $perf_data ping -6 -c 1 ::1 > /dev/null 2>&1 + perf record -e $event_name/$eventattr/ -o $perf_data ping -6 -c 1 ::1 > /dev/null 2>&1 perf script -i $perf_data > $perf_script exec 3<$perf_script @@ -62,13 +75,20 @@ trace_libc_inet_pton_backtrace() { # even if the perf script output does not match. } +delete_libc_inet_pton_event() { + + if [ -n "$event_name" ] ; then + perf probe -q -d $event_name + fi +} + # Check for IPv6 interface existence ip a sh lo | fgrep -q inet6 || exit 2 skip_if_no_perf_probe && \ -perf probe -q $libc inet_pton && \ +add_libc_inet_pton_event && \ trace_libc_inet_pton_backtrace err=$? rm -f ${perf_data} ${perf_script} ${expected} -perf probe -q -d probe_libc:inet_pton +delete_libc_inet_pton_event exit $err
[PATCH 4.18 051/235] fbdev: omapfb: off by one in omapfb_register_client()
4.18-stable review patch. If anyone has any objections, please let me know. -- From: Dan Carpenter [ Upstream commit 5ec1ec35b2979b59d0b33381e7c9aac17e159d16 ] The omapfb_register_client[] array has OMAPFB_PLANE_NUM elements so the > should be >= or we are one element beyond the end of the array. Fixes: 8b08cf2b64f5 ("OMAP: add TI OMAP framebuffer driver") Signed-off-by: Dan Carpenter Cc: Imre Deak Signed-off-by: Bartlomiej Zolnierkiewicz Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/video/fbdev/omap/omapfb_main.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/video/fbdev/omap/omapfb_main.c +++ b/drivers/video/fbdev/omap/omapfb_main.c @@ -958,7 +958,7 @@ int omapfb_register_client(struct omapfb { int r; - if ((unsigned)omapfb_nb->plane_idx > OMAPFB_PLANE_NUM) + if ((unsigned)omapfb_nb->plane_idx >= OMAPFB_PLANE_NUM) return -EINVAL; if (!notifier_inited) {
[PATCH 4.18 052/235] perf tools: Fix struct comm_str removal crash
4.18-stable review patch. If anyone has any objections, please let me know. -- From: Jiri Olsa [ Upstream commit 46b3722cc7765582354488da633aafffcb138458 ] We occasionaly hit following assert failure in 'perf top', when processing the /proc info in multiple threads. perf: ...include/linux/refcount.h:109: refcount_inc: Assertion `!(!refcount_inc_not_zero(r))' failed. The gdb backtrace looks like this: [Switching to Thread 0x711ba700 (LWP 13749)] 0x750839fb in raise () from /lib64/libc.so.6 (gdb) #0 0x750839fb in raise () from /lib64/libc.so.6 #1 0x75085800 in abort () from /lib64/libc.so.6 #2 0x7507c0da in __assert_fail_base () from /lib64/libc.so.6 #3 0x7507c152 in __assert_fail () from /lib64/libc.so.6 #4 0x00535373 in refcount_inc (r=0x7fffdc009be0) at ...include/linux/refcount.h:109 #5 0x005354f1 in comm_str__get (cs=0x7fffdc009bc0) at util/comm.c:24 #6 0x005356bd in __comm_str__findnew (str=0x7fffd000b260 ":2", root=0xbed5c0 ) at util/comm.c:72 #7 0x0053579e in comm_str__findnew (str=0x7fffd000b260 ":2", root=0xbed5c0 ) at util/comm.c:95 #8 0x0053582e in comm__new (str=0x7fffd000b260 ":2", timestamp=0, exec=false) at util/comm.c:111 #9 0x005363bc in thread__new (pid=2, tid=2) at util/thread.c:57 #10 0x00523da0 in machine__findnew_thread (machine=0xbfde38, threads=0xbfdf28, pid=2, tid=2, create=true) at util/machine.c:457 #11 0x00523eb4 in __machine__findnew_thread (machine=0xbfde38, ... The failing assertion is this one: REFCOUNT_WARN(!refcount_inc_not_zero(r), ... The problem is that we keep global comm_str_root list, which is accessed by multiple threads during the 'perf top' startup and following 2 paths can race: thread 1: ... thread__new comm__new comm_str__findnew down_write(_str_lock); __comm_str__findnew comm_str__get thread 2: ... comm__override or comm__free comm_str__put refcount_dec_and_test down_write(_str_lock); rb_erase(>rb_node, _str_root); Because thread 2 first decrements the refcnt and only after then it removes the struct comm_str from the list, the thread 1 can find this object on the list with refcnt equls to 0 and hit the assert. This patch fixes the thread 1 __comm_str__findnew path, by ignoring objects that already dropped the refcnt to 0. For the rest of the objects we take the refcnt before comparing its name and release it afterwards with comm_str__put, which can also release the object completely. Signed-off-by: Jiri Olsa Acked-by: Namhyung Kim Cc: Alexander Shishkin Cc: Andi Kleen Cc: David Ahern Cc: Kan Liang Cc: Lukasz Odzioba Cc: Peter Zijlstra Cc: Wang Nan Cc: kernel-t...@lge.com Link: http://lkml.kernel.org/r/20180720101740.GA27176@krava Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- tools/perf/util/comm.c | 16 +++- 1 file changed, 11 insertions(+), 5 deletions(-) --- a/tools/perf/util/comm.c +++ b/tools/perf/util/comm.c @@ -20,9 +20,10 @@ static struct rw_semaphore comm_str_lock static struct comm_str *comm_str__get(struct comm_str *cs) { - if (cs) - refcount_inc(>refcnt); - return cs; + if (cs && refcount_inc_not_zero(>refcnt)) + return cs; + + return NULL; } static void comm_str__put(struct comm_str *cs) @@ -67,9 +68,14 @@ struct comm_str *__comm_str__findnew(con parent = *p; iter = rb_entry(parent, struct comm_str, rb_node); + /* +* If we race with comm_str__put, iter->refcnt is 0 +* and it will be removed within comm_str__put call +* shortly, ignore it in this search. +*/ cmp = strcmp(str, iter->str); - if (!cmp) - return comm_str__get(iter); + if (!cmp && comm_str__get(iter)) + return iter; if (cmp < 0) p = &(*p)->rb_left;
[PATCH 4.18 000/235] 4.18.10-stable review
This is the start of the stable review cycle for the 4.18.10 release. There are 235 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed Sep 26 11:30:01 UTC 2018. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.18.10-rc1.gz or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.18.y and the diffstat can be found below. thanks, greg k-h - Pseudo-Shortlog of commits: Greg Kroah-Hartman Linux 4.18.10-rc1 Brijesh Singh crypto: ccp - add timeout support in the SEV command Dan Carpenter mei: bus: type promotion bug in mei_nfc_if_version() Mikko Perttunen clk: tegra: bpmp: Don't crash when a clock fails to register Douglas Anderson pinctrl: qcom: spmi-gpio: Fix pmic_gpio_config_get() to be compliant Douglas Anderson pinctrl: msm: Fix msm_config_group_get() to be compliant Andy Shevchenko gpiolib: Respect error code of ->get_direction() Ming Lei blk-mq: avoid to synchronize rcu inside blk_cleanup_queue() Ming Lei blk-mq: only attempt to merge bio if there is rq in sw queue Jann Horn IB/mlx5: fix uaccess beyond "count" in debugfs read/write handlers Randy Dunlap block/DAC960.c: fix defined but not used build warnings Bart Van Assche IB/nes: Fix a compiler warning Ioana Radulescu staging: fsl-dpaa2/eth: Fix DMA mapping direction Yoshihiro Shimoda dmaengine: sh: rcar-dmac: avoid to write CHCR.TE to 1 if TCR is set to 0 Harry Wentland drm/amd/pp: Send khz clock values to DC for smu7/8 Suzuki K Poulose arm64: perf: Disable PMU while processing counter overflows Dan Carpenter drm/panel: type promotion bug in s6e8aa0_read_mtp_id() Hans de Goede ASoC: rt5651: Fix workqueue cancel vs irq free race on remove John Stultz selftest: timers: Tweak raw_skew to SKIP when ADJ_OFFSET/other clock adjustments are in progress Sibi Sankar remoteproc: qcom: q6v5-pil: fix modem hang on SDM845 after axis2 clk unvote James Smart scsi: lpfc: Fix panic if driver unloaded when port is offline James Smart scsi: lpfc: Fix NVME Target crash in defer rcv logic Hannes Reinecke scsi: libfc: fixup 'sleeping function called from invalid context' Timo Wischer ALSA: pcm: Fix snd_interval_refine first/last with open min/max Li Zhijian selftests/android: initialize heap_type to avoid compiling warning Shuah Khan (Samsung OSG) selftests: vDSO - fix to return KSFT_SKIP when test couldn't be run Zhouyang Jia rtc: bq4802: add error handling for devm_ioremap Wei Lu drm/amdkfd: Fix error codes in kfd_get_process Shaoyun Liu drm/amdkfd: Fix kernel queue 64 bit doorbell offset calculation Paul E. McKenney rcu: Fix grace-period hangs due to race with CPU offline Peter Rosin input: rohm_bu21023: switch to i2c_lock_bus(..., I2C_LOCK_SEGMENT) Peter Rosin mfd: 88pm860x-i2c: switch to i2c_lock_bus(..., I2C_LOCK_SEGMENT) Arnd Bergmann rcutorture: Use monotonic timestamp for stall detection Maxime Chevallier net: mvpp2: make sure we use single queue mode on PPv2.1 Linus Walleij net: gemini: Allow multiple ports to instantiate Andy Shevchenko gpiolib: Mark gpio_suffixes array with __maybe_unused Wei Yongjun gpio: pxa: Fix potential NULL dereference Tuomas Tynkkynen staging: bcm2835-audio: Don't leak workqueue if open fails Matias Bjørling lightnvm: pblk: enable line minor version detection Hans Holmberg lightnvm: pblk: assume that chunks are closed on 1.2 devices Dan Carpenter ASoC: qdsp6: q6afe-dai: fix a range check in of_q6afe_parse_dai_data() Eric Yang drm/amd/display: support access ddc for mst branch Dan Williams tools/testing/nvdimm: Fix support for emulating controller temperature Jaegeuk Kim f2fs: do checkpoint in kill_sb Suzuki K Poulose coresight: ETM: Add support for Arm Cortex-A73 and Cortex-A35 Robin Murphy coresight: tpiu: Fix disabling timeouts Suzuki K Poulose coresight: Handle errors in finding input/output ports Quentin Perret sched/fair: Fix util_avg of new tasks for asymmetric systems Julia Lawall parport: sunbpp: fix error return code Boris Pismenny tls: Fix zerocopy_from_iter iov handling Thierry Reding drm/nouveau: tegra: Detach from ARM DMA/IOMMU mapping Karol Herbst drm/nouveau/debugfs: Wake up GPU before doing any reclocking Lyude Paul drm/nouveau: Fix runtime PM leak in drm_open() Stefan Agner mmc: sdhci: do not try to use 3.3V signaling if not supported Stefan Agner mmc: tegra: prevent HS200 on Tegra 3 Laurentiu Tudor mmc: sdhci-of-esdhc: set proper dma mask for ls104x chips
[PATCH 4.18 050/235] perf tests: Fix record+probe_libc_inet_pton.sh to ensure cleanups
4.18-stable review patch. If anyone has any objections, please let me know. -- From: Sandipan Das [ Upstream commit 83e3b6d73e66a10088f362b08b99c36fec3a14e7 ] If there is a mismatch in the perf script output, this test fails and exits before the event and temporary files created during its execution are cleaned up. This can be observed on a powerpc64 system running Fedora 27 as shown below. # perf test -v "probe libc's inet_pton & backtrace it with ping" 62: probe libc's inet_pton & backtrace it with ping : --- start --- test child forked, pid 18655 ping 18674 [013] 24511.496995: probe_libc:inet_pton: (7fffa6b423b0) 7fffa6b423b0 __GI___inet_pton+0x0 (/usr/lib64/power8/libc-2.26.so) 7fffa6af90dc gaih_inet.constprop.7+0xf4c (/usr/lib64/power8/libc-2.26.so) FAIL: expected backtrace entry "getaddrinfo\+0x[[:xdigit:]]+[[:space:]]\(/usr/lib64/power8/libc-2.26.so\)$" got "7fffa6af90dc gaih_inet.constprop.7+0xf4c (/usr/lib64/power8/libc-2.26.so)" test child finished with -1 end probe libc's inet_pton & backtrace it with ping: FAILED! # ls /tmp/expected.* /tmp/perf.data.* /tmp/perf.script.* /tmp/expected.u31 /tmp/perf.data.Pki /tmp/perf.script.Bhs # perf probe --list probe_libc:inet_pton (on __inet_pton@resolv/inet_pton.c in /usr/lib64/power8/libc-2.26.so) Cleanup of the event and the temporary files are now ensured by allowing the cleanup code to be executed even if the lines from the backtrace do not match their expected patterns instead of simply exiting from the point of failure. Signed-off-by: Sandipan Das Cc: Jiri Olsa Cc: Kim Phillips Cc: Naveen N. Rao Cc: Ravi Bangoria Link: http://lkml.kernel.org/r/ce9fb091dd3028fba8749a1a267cfbcb264bbfb1.1530724939.git.sandi...@linux.ibm.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- tools/perf/tests/shell/record+probe_libc_inet_pton.sh |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/tools/perf/tests/shell/record+probe_libc_inet_pton.sh +++ b/tools/perf/tests/shell/record+probe_libc_inet_pton.sh @@ -65,7 +65,7 @@ trace_libc_inet_pton_backtrace() { echo "$line" | egrep -q "$pattern" if [ $? -ne 0 ] ; then printf "FAIL: expected backtrace entry \"%s\" got \"%s\"\n" "$pattern" "$line" - exit 1 + return 1 fi done
[PATCH 4.18 053/235] video: goldfishfb: fix memory leak on driver remove
4.18-stable review patch. If anyone has any objections, please let me know. -- From: Anton Vasilyev [ Upstream commit 5958fde72d04e7b8c6de3669d1f794a90997e3eb ] goldfish_fb_probe() allocates memory for fb, but goldfish_fb_remove() does not have deallocation of fb, which leads to memory leak on probe/remove. The patch adds deallocation into goldfish_fb_remove(). Found by Linux Driver Verification project (linuxtesting.org). Signed-off-by: Anton Vasilyev Cc: Aleksandar Markovic Cc: Miodrag Dinic Cc: Goran Ferenc Signed-off-by: Bartlomiej Zolnierkiewicz Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/video/fbdev/goldfishfb.c |1 + 1 file changed, 1 insertion(+) --- a/drivers/video/fbdev/goldfishfb.c +++ b/drivers/video/fbdev/goldfishfb.c @@ -301,6 +301,7 @@ static int goldfish_fb_remove(struct pla dma_free_coherent(>dev, framesize, (void *)fb->fb.screen_base, fb->fb.fix.smem_start); iounmap(fb->reg_base); + kfree(fb); return 0; }
[PATCH 4.18 055/235] perf powerpc: Fix callchain ip filtering when return address is in a register
4.18-stable review patch. If anyone has any objections, please let me know. -- From: Sandipan Das [ Upstream commit 9068533e4f470daf2b0f29c71d865990acd8826e ] For powerpc64, perf will filter out the second entry in the callchain, i.e. the LR value, if the return address of the function corresponding to the probed location has already been saved on its caller's stack. The state of the return address is determined using debug information. At any point within a function, if the return address is already saved somewhere, a DWARF expression can tell us about its location. If the return address in still in LR only, no DWARF expression would exist. Typically, the instructions in a function's prologue first copy the LR value to R0 and then pushes R0 on to the stack. If LR has already been copied to R0 but R0 is yet to be pushed to the stack, we can still get a DWARF expression that says that the return address is in R0. This is indicating that getting a DWARF expression for the return address does not guarantee the fact that it has already been saved on the stack. This can be observed on a powerpc64le system running Fedora 27 as shown below. # objdump -d /usr/lib64/libc-2.26.so | less ... 0015af20 : 15af20: 0b 00 4c 3c addis r2,r12,11 15af24: e0 c1 42 38 addir2,r2,-15904 15af28: a6 02 08 7c mflrr0 15af2c: f0 ff c1 fb std r30,-16(r1) 15af30: f8 ff e1 fb std r31,-8(r1) 15af34: 78 1b 7f 7c mr r31,r3 15af38: 78 23 83 7c mr r3,r4 15af3c: 78 2b be 7c mr r30,r5 15af40: 10 00 01 f8 std r0,16(r1) 15af44: c1 ff 21 f8 stdur1,-64(r1) 15af48: 28 00 81 f8 std r4,40(r1) ... # readelf --debug-dump=frames-interp /usr/lib64/libc-2.26.so | less ... 00027024 0024 00027028 FDE cie= pc=0015af20..0015af88 LOC CFA r30 r31 ra 0015af20 r1+0 u u u 0015af34 r1+0 c-16 c-8 r0 0015af48 r1+64c-16 c-8 c+16 0015af5c r1+0 c-16 c-8 c+16 0015af78 r1+0 u u ... # perf probe -x /usr/lib64/libc-2.26.so -a inet_pton+0x18 # perf record -e probe_libc:inet_pton -g ping -6 -c 1 ::1 # perf script Before: ping 2829 [005] 512917.460174: probe_libc:inet_pton: (7fff7e2baf38) 7fff7e2baf38 __GI___inet_pton+0x18 (/usr/lib64/libc-2.26.so) 7fff7e2705b4 getaddrinfo+0x164 (/usr/lib64/libc-2.26.so) 12f152d70 _init+0xbfc (/usr/bin/ping) 7fff7e1836a0 generic_start_main.isra.0+0x140 (/usr/lib64/libc-2.26.so) 7fff7e183898 __libc_start_main+0xb8 (/usr/lib64/libc-2.26.so) 0 [unknown] ([unknown]) After: ping 2829 [005] 512917.460174: probe_libc:inet_pton: (7fff7e2baf38) 7fff7e2baf38 __GI___inet_pton+0x18 (/usr/lib64/libc-2.26.so) 7fff7e26fa54 gaih_inet.constprop.7+0xf44 (/usr/lib64/libc-2.26.so) 7fff7e2705b4 getaddrinfo+0x164 (/usr/lib64/libc-2.26.so) 12f152d70 _init+0xbfc (/usr/bin/ping) 7fff7e1836a0 generic_start_main.isra.0+0x140 (/usr/lib64/libc-2.26.so) 7fff7e183898 __libc_start_main+0xb8 (/usr/lib64/libc-2.26.so) 0 [unknown] ([unknown]) Reported-by: Ravi Bangoria Signed-off-by: Sandipan Das Cc: Jiri Olsa Cc: Maynard Johnson Cc: Naveen N. Rao Cc: Ravi Bangoria Cc: Sukadev Bhattiprolu Link: http://lkml.kernel.org/r/66e848a7bdf2d43b39210a705ff6d828a0865661.1530724939.git.sandi...@linux.ibm.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- tools/perf/arch/powerpc/util/skip-callchain-idx.c |8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) --- a/tools/perf/arch/powerpc/util/skip-callchain-idx.c +++ b/tools/perf/arch/powerpc/util/skip-callchain-idx.c @@ -58,9 +58,13 @@ static int check_return_reg(int ra_regno } /* -* Check if return address is on the stack. +* Check if return address is on the stack. If return address +* is in a register (typically R0), it is yet to be saved on +* the stack. */ - if (nops != 0 || ops != NULL) + if ((nops != 0 || ops != NULL) && + !(nops == 1 && ops[0].atom == DW_OP_regx && + ops[0].number2 == 0 && ops[0].offset == 0)) return 0; /*
[PATCH 4.18 056/235] video: fbdev: pxafb: clear allocated memory for video modes
4.18-stable review patch. If anyone has any objections, please let me know. -- From: Daniel Mack [ Upstream commit b951d80aaf224b1f774e10def672f5e37488e4ee ] When parsing the video modes from DT properties, make sure to zero out memory before using it. This is important because not all fields in the mode struct are explicitly initialized, even though they are used later on. Fixes: 420a488278e86 ("video: fbdev: pxafb: initial devicetree conversion") Reviewed-by: Robert Jarzmik Signed-off-by: Daniel Mack Signed-off-by: Bartlomiej Zolnierkiewicz Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/video/fbdev/pxafb.c |4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/drivers/video/fbdev/pxafb.c +++ b/drivers/video/fbdev/pxafb.c @@ -2128,8 +2128,8 @@ static int of_get_pxafb_display(struct d return -EINVAL; ret = -ENOMEM; - info->modes = kmalloc_array(timings->num_timings, - sizeof(info->modes[0]), GFP_KERNEL); + info->modes = kcalloc(timings->num_timings, sizeof(info->modes[0]), + GFP_KERNEL); if (!info->modes) goto out; info->num_modes = timings->num_timings;
[PATCH 4.18 054/235] fbdev/via: fix defined but not used warning
4.18-stable review patch. If anyone has any objections, please let me know. -- From: Randy Dunlap [ Upstream commit b6566b47a67e07fdca44cf51abb14e2fbe17d3eb ] Fix a build warning in viafbdev.c when CONFIG_PROC_FS is not enabled by marking the unused function as __maybe_unused. ../drivers/video/fbdev/via/viafbdev.c:1471:12: warning: 'viafb_sup_odev_proc_show' defined but not used [-Wunused-function] Signed-off-by: Randy Dunlap Cc: Florian Tobias Schandinat Signed-off-by: Bartlomiej Zolnierkiewicz Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/video/fbdev/via/viafbdev.c |3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/drivers/video/fbdev/via/viafbdev.c +++ b/drivers/video/fbdev/via/viafbdev.c @@ -19,6 +19,7 @@ * 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ +#include #include #include #include @@ -1468,7 +1469,7 @@ static const struct file_operations viaf #endif /* CONFIG_FB_VIA_DIRECT_PROCFS */ -static int viafb_sup_odev_proc_show(struct seq_file *m, void *v) +static int __maybe_unused viafb_sup_odev_proc_show(struct seq_file *m, void *v) { via_odev_to_seq(m, supported_odev_map[ viaparinfo->shared->chip_info.gfx_chip_name]);
[PATCH 4.18 036/235] media: tw686x: Fix oops on buffer alloc failure
4.18-stable review patch. If anyone has any objections, please let me know. -- From: Krzysztof Ha?asa [ Upstream commit 5a1a2f63d840dc2631505b607e11ff65ac1b7d3c ] The error path currently calls tw686x_video_free() which requires vc->dev to be initialized, causing a NULL dereference on uninitizalized channels. Fix this by setting the vc->dev fields for all the channels first. Fixes: f8afaa8dbc0d ("[media] tw686x: Introduce an interface to support multiple DMA modes") Signed-off-by: Krzysztof Ha?asa Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/media/pci/tw686x/tw686x-video.c | 11 --- 1 file changed, 8 insertions(+), 3 deletions(-) --- a/drivers/media/pci/tw686x/tw686x-video.c +++ b/drivers/media/pci/tw686x/tw686x-video.c @@ -1190,6 +1190,14 @@ int tw686x_video_init(struct tw686x_dev return err; } + /* Initialize vc->dev and vc->ch for the error path */ + for (ch = 0; ch < max_channels(dev); ch++) { + struct tw686x_video_channel *vc = >video_channels[ch]; + + vc->dev = dev; + vc->ch = ch; + } + for (ch = 0; ch < max_channels(dev); ch++) { struct tw686x_video_channel *vc = >video_channels[ch]; struct video_device *vdev; @@ -1198,9 +1206,6 @@ int tw686x_video_init(struct tw686x_dev spin_lock_init(>qlock); INIT_LIST_HEAD(>vidq_queued); - vc->dev = dev; - vc->ch = ch; - /* default settings */ err = tw686x_set_standard(vc, V4L2_STD_NTSC); if (err)
[PATCH 4.18 033/235] clk: clk-fixed-factor: Clear OF_POPULATED flag in case of failure
4.18-stable review patch. If anyone has any objections, please let me know. -- From: Rajan Vaja [ Upstream commit f6dab4233d6b64d719109040503b567f71fbfa01 ] Fixed factor clock has two initializations at of_clk_init() time and during platform driver probe. Before of_clk_init() call, node is marked as populated and so its probe never gets called. During of_clk_init() fixed factor clock registration may fail if any of its parent clock is not registered. In this case, it doesn't get chance to retry registration from probe. Clear OF_POPULATED flag if fixed factor clock registration fails so that clock registration is attempted again from probe. Signed-off-by: Rajan Vaja Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/clk/clk-fixed-factor.c |9 - 1 file changed, 8 insertions(+), 1 deletion(-) --- a/drivers/clk/clk-fixed-factor.c +++ b/drivers/clk/clk-fixed-factor.c @@ -177,8 +177,15 @@ static struct clk *_of_fixed_factor_clk_ clk = clk_register_fixed_factor(NULL, clk_name, parent_name, flags, mult, div); - if (IS_ERR(clk)) + if (IS_ERR(clk)) { + /* +* If parent clock is not registered, registration would fail. +* Clear OF_POPULATED flag so that clock registration can be +* attempted again from probe function. +*/ + of_node_clear_flag(node, OF_POPULATED); return clk; + } ret = of_clk_add_provider(node, of_clk_src_simple_get, clk); if (ret) {
[PATCH 4.18 030/235] clk: mvebu: armada-37xx-periph: Fix wrong return value in get_parent
4.18-stable review patch. If anyone has any objections, please let me know. -- From: Gregory CLEMENT [ Upstream commit 616bf80d381da13fbb392ebff06f46f946e3ee84 ] The return value of the get_parent operation is a u8, whereas a -EINVAL was returned. This wrong value was return if the value was bigger that the number of parent but this case was already handled by the core. So we can just remove this chunk of code to fix the issue. Reported-by: Dan Carpenter Fixes: 9818a7a4fd10 ("clk: mvebu: armada-37xx-periph: prepare cpu clk to be used with DVFS") Signed-off-by: Gregory CLEMENT Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/clk/mvebu/armada-37xx-periph.c |3 --- 1 file changed, 3 deletions(-) --- a/drivers/clk/mvebu/armada-37xx-periph.c +++ b/drivers/clk/mvebu/armada-37xx-periph.c @@ -429,9 +429,6 @@ static u8 clk_pm_cpu_get_parent(struct c val &= pm_cpu->mask_mux; } - if (val >= num_parents) - return -EINVAL; - return val; }
[PATCH 4.18 008/235] net/mlx5: Check for error in mlx5_attach_interface
4.18-stable review patch. If anyone has any objections, please let me know. -- From: Huy Nguyen [ Upstream commit 47bc94b82291e007da61ee1b3d18c77871f3e158 ] Currently, mlx5_attach_interface does not check for error after calling intf->attach or intf->add. When these two calls fails, the client is not initialized and will cause issues such as kernel panic on invalid address in the teardown path (mlx5_detach_interface) Fixes: 737a234bb638 ("net/mlx5: Introduce attach/detach to interface API") Signed-off-by: Huy Nguyen Signed-off-by: Saeed Mahameed Signed-off-by: Greg Kroah-Hartman --- drivers/net/ethernet/mellanox/mlx5/core/dev.c | 15 ++- 1 file changed, 10 insertions(+), 5 deletions(-) --- a/drivers/net/ethernet/mellanox/mlx5/core/dev.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/dev.c @@ -132,11 +132,11 @@ void mlx5_add_device(struct mlx5_interfa delayed_event_start(priv); dev_ctx->context = intf->add(dev); - set_bit(MLX5_INTERFACE_ADDED, _ctx->state); - if (intf->attach) - set_bit(MLX5_INTERFACE_ATTACHED, _ctx->state); - if (dev_ctx->context) { + set_bit(MLX5_INTERFACE_ADDED, _ctx->state); + if (intf->attach) + set_bit(MLX5_INTERFACE_ATTACHED, _ctx->state); + spin_lock_irq(>ctx_lock); list_add_tail(_ctx->list, >ctx_list); @@ -211,12 +211,17 @@ static void mlx5_attach_interface(struct if (intf->attach) { if (test_bit(MLX5_INTERFACE_ATTACHED, _ctx->state)) goto out; - intf->attach(dev, dev_ctx->context); + if (intf->attach(dev, dev_ctx->context)) + goto out; + set_bit(MLX5_INTERFACE_ATTACHED, _ctx->state); } else { if (test_bit(MLX5_INTERFACE_ADDED, _ctx->state)) goto out; dev_ctx->context = intf->add(dev); + if (!dev_ctx->context) + goto out; + set_bit(MLX5_INTERFACE_ADDED, _ctx->state); }
[PATCH 4.18 009/235] net/mlx5: Fix debugfs cleanup in the device init/remove flow
4.18-stable review patch. If anyone has any objections, please let me know. -- From: Jack Morgenstein [ Upstream commit 5df816e7f43f1297c40021ef17ec6e722b45c82f ] When initializing the device (procedure init_one), the driver calls mlx5_pci_init to perform pci initialization. As part of this initialization, mlx5_pci_init creates a debugfs directory. If this creation fails, init_one aborts, returning failure to the caller (which is the probe method caller). The main reason for such a failure to occur is if the debugfs directory already exists. This can happen if the last time mlx5_pci_close was called, debugfs_remove (silently) failed due to the debugfs directory not being empty. Guarantee that such a debugfs_remove failure will not occur by instead calling debugfs_remove_recursive in procedure mlx5_pci_close. Fixes: 59211bd3b632 ("net/mlx5: Split the load/unload flow into hardware and software flows") Signed-off-by: Jack Morgenstein Reviewed-by: Daniel Jurgens Signed-off-by: Saeed Mahameed Signed-off-by: Greg Kroah-Hartman --- drivers/net/ethernet/mellanox/mlx5/core/main.c |6 -- 1 file changed, 4 insertions(+), 2 deletions(-) --- a/drivers/net/ethernet/mellanox/mlx5/core/main.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c @@ -874,8 +874,10 @@ static int mlx5_pci_init(struct mlx5_cor priv->numa_node = dev_to_node(>pdev->dev); priv->dbg_root = debugfs_create_dir(dev_name(>dev), mlx5_debugfs_root); - if (!priv->dbg_root) + if (!priv->dbg_root) { + dev_err(>dev, "Cannot create debugfs dir, aborting\n"); return -ENOMEM; + } err = mlx5_pci_enable_device(dev); if (err) { @@ -924,7 +926,7 @@ static void mlx5_pci_close(struct mlx5_c pci_clear_master(dev->pdev); release_bar(dev->pdev); mlx5_pci_disable_device(dev); - debugfs_remove(priv->dbg_root); + debugfs_remove_recursive(priv->dbg_root); } static int mlx5_init_once(struct mlx5_core_dev *dev, struct mlx5_priv *priv)