LKML Archive on lore.kernel.org
* [PATCH 3.16 001/410] MIPS: Normalise code flow in the CpU exception handler
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Ralf Baechle, Maciej W. Rozycki, linux-mips
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "Maciej W. Rozycki" <macro@linux-mips.org>
commit 27e28e8ec47a5ce335ebf25d34ca356c80635908 upstream.
Changes applied to `do_cpu' over time reduced the use of the SIGILL
issued with `force_sig' at the end to a single CU3 case only in the
switch statement there. Move that `force_sig' call over to right where
required then and toss out the pile of gotos now not needed to skip over
the call, replacing them with regular breaks out of the switch.
Signed-off-by: Maciej W. Rozycki <macro@linux-mips.org>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/9683/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/mips/kernel/traps.c | 15 +++++++--------
1 file changed, 7 insertions(+), 8 deletions(-)
--- a/arch/mips/kernel/traps.c
+++ b/arch/mips/kernel/traps.c
@@ -1247,7 +1247,7 @@ asmlinkage void do_cpu(struct pt_regs *r
status = -1;
if (unlikely(compute_return_epc(regs) < 0))
- goto out;
+ break;
if (get_isa16_mode(regs->cp0_epc)) {
unsigned short mmop[2] = { 0 };
@@ -1280,7 +1280,7 @@ asmlinkage void do_cpu(struct pt_regs *r
force_sig(status, current);
}
- goto out;
+ break;
case 3:
/*
@@ -1296,8 +1296,10 @@ asmlinkage void do_cpu(struct pt_regs *r
* erroneously too, so they are covered by this choice
* as well.
*/
- if (raw_cpu_has_fpu)
+ if (raw_cpu_has_fpu) {
+ force_sig(SIGILL, current);
break;
+ }
/* Fall through. */
case 1:
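Review bot: in the `case 3:` branch, the moved `force_sig(SIGILL, current);` has no comment of its own, and the comment block above the `if (raw_cpu_has_fpu)` test only explains why the case is routed as it is, not that a signal is raised. Control flow is unchanged: the old bare `break` reached the trailing `force_sig` and the new block raises it before breaking, while the `/* Fall through. */` path into `case 1:` is untouched. Because the last hunk removes the call at the end of the function, this becomes the only visible place SIGILL is raised, so a one-line comment on the call would keep the intent obvious to later readers.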
@@ -1320,16 +1322,13 @@ asmlinkage void do_cpu(struct pt_regs *r
if (!process_fpemu_return(sig, fault_addr, fcr31) && !err)
mt_ase_fp_affinity();
- goto out;
+ break;
case 2:
raw_notifier_call_chain(&cu2_chain, CU2_EXCEPTION, regs);
- goto out;
+ break;
}
- force_sig(SIGILL, current);
-
-out:
exception_exit(prev_state);
}
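Review bot: once the trailing `force_sig(SIGILL, current);` and the `out:` label are removed, a switch value that matches no case reaches `exception_exit(prev_state);` without any signal being raised, where it previously got SIGILL. The hunks show `case 1:`, `case 2:` and `case 3:` and no `default:`. If the switch expression can only take handled values the change is equivalent, but that is not visible in this patch, so either state it in the commit message or add a `default:` that keeps the SIGILL.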
* [PATCH 3.16 000/410] 3.16.57-rc1 review
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: torvalds, Guenter Roeck, akpm
This is the start of the stable review cycle for the 3.16.57 release.
There are 410 patches in this series, which will be posted as responses
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Thu Jun 14 18:00:00 UTC 2018.
Anything received after that time might be too late.
All the patches have also been committed to the linux-3.16.y-rc branch of
https://git.kernel.org/pub/scm/linux/kernel/git/bwh/linux-stable-rc.git .
A shortlog and diffstat can be found below.
Ben.
-------------
Adrian Hunter (2):
mmc: sdhci-pci: Fix S0i3 for Intel BYT-based controllers
[f8870ae6e2d6be75b1accc2db981169fdfbea7ab]
mmc: sdhci: Allow override of mmc host operations
[bf60e592a1af4d6f65dd54593250183f14360eed]
Al Viro (2):
Bluetooth: hidp_connection_add() unsafe use of l2cap_pi()
[51bda2bca53b265715ca1852528f38dc67429d9a]
lock_parent() needs to recheck if dentry got __dentry_kill'ed under it
[3b821409632ab778d46e807516b457dfa72736ed]
Alaa Hleihel (1):
IB/ipoib: Do not warn if IPoIB debugfs doesn't exist
[14fa91e0fef8e4d6feb8b1fa2a807828e0abe815]
Alex Chen (1):
ocfs2: subsystem.su_mutex is required while accessing the item->ci_parent
[853bc26a7ea39e354b9f8889ae7ad1492ffa28d2]
Alex Deucher (2):
drm/radeon: Add dpm quirk for Jet PRO (v2)
[239b5f64e12b1f09f506c164dff0374924782979]
drm/radeon: fix KV harvesting
[0b58d90f89545e021d188c289fa142e5ff9e708b]
Alexander Graf (1):
KVM: PPC: Book3S PR: Fix svcpu copying with preemption enabled
[07ae5389e98c53bb9e9f308fce9c903bc3ee7720]
Alexander Potapenko (1):
netlink: make sure nladdr has correct size in netlink_connect()
[7880287981b60a6808f39f297bb66936e8bdf57a]
Alexandra Yates (3):
Adding Intel Lewisburg device IDs for SATA
[f5bdd66c705484b4bc77eb914be15c1b7881fae7]
ahci: Order SATA device IDs for codename Lewisburg
[4d92f0099a06ef0e36c7673f7c090f1a448b2d1b]
ahci: add new Intel device IDs
[56e74338a535cbcc2f2da08b1ea1a92920194364]
Alexandru Ardelean (1):
staging: iio: adc: ad7192: fix external frequency setting
[e31b617d0a63c6558485aaa730fd162faa95a766]
Alexey Kodanev (4):
dccp: check sk for closed state in dccp_sendmsg()
[67f93df79aeefc3add4e4b31a752600f834236e2]
sch_netem: fix skb leak in netem_enqueue()
[35d889d10b649fda66121891ec05eca88150059d]
sctp: verify size of a new chunk in _sctp_make_chunk()
[07f2c7ab6f8d0a7e7c5764c4e6cc9c52951b9d9c]
udplite: fix partial checksum initialization
[15f35d49c93f4fa9875235e7bf3e3783d2dd7a1b]
Aman Deep (1):
usb: ohci: Proper handling of ed_rm_list to handle race condition between usb_kill_urb() and finish_unlinks()
[46408ea558df13b110e0866b99624384a33bdeba]
Anand Jain (1):
btrfs: use proper endianness accessors for super_copy
[3c181c12c431fe33b669410d663beb9cceefcd1b]
Andi Shyti (1):
Input: mms114 - fix license module information
[498e7e7ed1fd72c275a682f0903c4a20cc538658]
Andrew F. Davis (1):
ARM: dts: omap3-n900: Fix the audio CODEC's reset pin
[7be4b5dc7ffa9499ac6ef33a5ffa9ff43f9b7057]
Andri Yngvason (3):
can: cc770: Fix queue stall & dropped RTR reply
[746201235b3f876792099079f4c6fea941d76183]
can: cc770: Fix stalls on rt-linux, remove redundant IRQ ack
[f4353daf4905c0099fd25fa742e2ffd4a4bab26a]
can: cc770: Fix use after free in cc770_tx_interrupt()
[9ffd7503944ec7c0ef41c3245d1306c221aef2be]
Andy Lutomirski (1):
x86/entry/64: Don't use IST entry for #BP stack
[d8ba61ba58c88d5207c1ba2f7d9a2280e7d03be9]
Andy Shevchenko (1):
x86/cpu: Rename Merrifield2 to Moorefield
[f5fbf848303c8704d0e1a1e7cabd08fd0a49552f]
Anna-Maria Gleixner (1):
hrtimer: Ensure POSIX compliance (relative CLOCK_REALTIME hrtimers)
[48d0c9becc7f3c66874c100c126459a9da0fdced]
Arend Van Spriel (1):
brcmfmac: fix P2P_DEVICE ethernet address generation
[455f3e76cfc0d893585a5f358b9ddbe9c1e1e53b]
Arkadi Sharshevsky (1):
team: Fix double free in error path
[cbcc607e18422555db569b593608aec26111cb0b]
Arnaldo Carvalho de Melo (3):
perf evlist: Introduce perf_evlist__new_dummy constructor
[5bae0250237f7a5ec4355f9920701de247b8db91]
perf record: Generate PERF_RECORD_{MMAP,COMM,EXEC} with --delay
[d3dbf43c56f9176be325ce1cc72a44c8d3c210dc]
perf report: Fix -D output for user metadata events
[f250b09c779550e4a7a412dae6d3ad34d5201019]
Arnd Bergmann (7):
cfg80211: fix cfg80211_beacon_dup
[bee92d06157fc39d5d7836a061c7d41289a55797]
cifs: silence compiler warnings showing up with gcc-8.0.0
[ade7db991b47ab3016a414468164f4966bd08202]
media: exynos4-is: properly initialize frame format
[97913bcbe6da3957af27d9fdd76b3d97b99e6d6a]
mm: hide a #warning for COMPILE_TEST
[af27d9403f5b80685b79c88425086edccecaf711]
scsi: fas216: fix sense buffer initialization
[96d5eaa9bb74d299508d811d865c2c41b38b0301]
x86/oprofile: Fix bogus GCC-8 warning in nmi_setup()
[85c615eb52222bc5fab6c7190d146bc59fac289e]
x86/pti: Mark constant arrays as __initconst
[4bf5d56d429cbc96c23d809a08f63cd29e1a702e]
Ashok Raj (1):
KVM/x86: Add IBPB support
[15d45071523d89b3fb7372e2135fbd72f6af9506]
Aurelien Aptel (1):
CIFS: zero sensitive data when freeing
[97f4b7276b829a8927ac903a119bef2f963ccc58]
Baolin Wang (1):
usb: gadget: f_fs: Fix possibe deadlock
[b3ce3ce02d146841af012d08506b4071db8ffde3]
Bart Van Assche (1):
pktcdvd: Fix pkt_setup_dev() error path
[5a0ec388ef0f6e33841aeb810d7fa23f049ec4cd]
Bastian Stender (1):
mmc: block: fix updating ext_csd caches on ioctl call
[e74ef2194b41ba5e511fab29fe5ff00e72d2f42a]
Ben Crocker (1):
drm/radeon: insist on 32-bit DMA for Cedar on PPC64/PPC64LE
[2c83029cda55a5e7665c7c6326909427d6a01350]
Ben Hutchings (3):
skb: Add skb_postpush_rcsum()
[f8ffad69c9f8b8dfb0b633425d4ef4d2493ba61a]
staging: android: ashmem: Fix a race condition in pin ioctls
[ce8a3a9e76d0193e2e8d74a06d275b3c324ca652]
xen: Add xen_arch_suspend()
[2b953a5e994ce279904ec70220f7d4f31d380a0a]
Benjamin Poirier (1):
e1000e: Fix check_for_link return value with autoneg off
[4e7dc08e57c95673d2edaba8983c3de4dd1f65f5]
Bjorn Andersson (1):
PM / devfreq: Propagate error from devfreq_add_device()
[d1bf2d30728f310f72296b54f0651ecdb09cbb12]
Boris Ostrovsky (1):
xen/arm: Define xen_arch_suspend()
[ffb7dbed47da6ac4460b606a3feee295bbe4d9e2]
Boris Pismenny (1):
IB/mlx5: Fix integer overflows in mlx5_ib_create_srq
[c2b37f76485f073f020e60b5954b6dc4e55f693c]
Borislav Petkov (2):
x86, microcode: Fix accessing dis_ucode_ldr on 32-bit
[85be07c32496dc264661308e4d9d4e9ccaff8072]
x86/microcode/AMD: Do not load when running on a hypervisor
[a15a753539eca8ba243d576f02e7ca9c4b7d7042]
Charles_Rose@Dell.com (1):
ahci: Add Device ID for Intel Sunrise Point PCH
[c5967b79ecabe2baca40658d9073e28b30d7f6cf]
Chenjie (1):
mm/madvise.c: fix madvise() infinite loop under special circumstances
[6ea8d958a2c95a1d514015d4e29ba21a8c0a1a91]
Chien Tin Tung (1):
RDMA/ucma: Correct option size check using optlen
[5f3e3b85cc0a5eae1c46d72e47d3de7bf208d9e2]
Christian Borntraeger (1):
KVM: s390: provide io interrupt kvm_stat
[09a0fb67536a49af19f2bfc632100e9de91fe526]
Christian König (2):
drm/radeon: fix prime teardown order
[0f4f715bc6bed3bf14c5cd7d5fe88d443e756b14]
drm/ttm: fix adding foreign BOs to the swap LRU
[ed704a43e84cc536081423dcd3491acf2791aaeb]
Christophe JAILLET (3):
media: bt8xx: Fix err 'bt878_probe()'
[45392ff6881dbe56d41ef0b17c2e576065f8ffa1]
power: supply: ab8500_charger: Bail out in case of error in 'ab8500_charger_init_hw_registers()'
[09edcb647542487864e23aa8d2ef26be3e08978a]
power: supply: ab8500_charger: Fix an error handling path
[bf59fddde1c3eab89eb8dca8f3d3dc097887d2bb]
Clay McClure (1):
ubi: Fix race condition between ubi volume creation and udev
[a51a0c8d213594bc094cb8e54aad0cb6d7f7b9a6]
Colin Ian King (3):
clocksource/drivers/fsl_ftm_timer: Fix error return checking
[f287eb9013ccf199cbfa4eabd80c36fedfc15a73]
scsi: aacraid: remove redundant setting of variable c
[91814744646351a470f256fbcb853fb5a7229a9f]
wl1251: check return from call to wl1251_acx_arp_ip_filter
[ac1181c60822292176ab96912208ec9f9819faf8]
Cong Wang (2):
netfilter: ipt_CLUSTERIP: fix a refcount bug in clusterip_config_find_get()
[db93a3632b0f8773a3899e04a3a3e0aa7a26eb46]
netfilter: xt_RATEEST: acquire xt_rateest_mutex for hash insert
[7dc68e98757a8eccf8ca7a53a29b896f1eef1f76]
Corentin Labbe (2):
ia64: convert unwcheck.py to python3
[bd5edbe677948d0883f59d9625c444818d5284b1]
powerpc/pseries: Add empty update_numa_cpu_lookup_table() for NUMA=n
[c1e150ceb61e4a585bad156da15c33bfe89f5858]
Dan Aloni (1):
cifs: empty TargetInfo leads to crash on recovery
[cabfb3680f78981d26c078a26e5c748531257ebb]
Dan Carpenter (10):
ALSA: pcm: potential uninitialized return values
[5607dddbfca774fb38bffadcb077fe03aa4ac5c6]
ASoC: au1x: Fix timeout tests in au1xac97c_ac97_read()
[123af9043e93cb6f235207d260d50f832cdb5439]
ASoC: nuc900: Fix a loop timeout test
[65a12b3aafed5fc59f4ce41b22b752b1729e6701]
HID: roccat: prevent an out of bounds read in kovaplus_profile_activated()
[7ad81482cad67cbe1ec808490d1ddfc420c42008]
ath9k_htc: Add a sanity check in ath9k_htc_ampdu_action()
[413fd2f5c0233d3cde391679b967c1f14cd2cb27]
cdrom: information leak in cdrom_ioctl_media_changed()
[9de4ee40547fd315d4a0ed1dd15a2fa3559ad707]
media: cpia2: Fix a couple off by one bugs
[d5ac225c7d64c9c3ef821239edc035634e594ec9]
staging: lustre: libcfs: Prevent harmless read underflow
[134aecbc25fd77645baaea5467b2a7ed8e9d1ea7]
staging: ncpfs: memory corruption in ncp_read_kernel()
[4c41aa24baa4ed338241d05494f2c595c885af8f]
staging: rts5208: Fix "seg_no" calculation in reset_ms_card()
[7f7aeea7cf30368b9fdb86dcc9d2c8a3ebc65dfb]
Daniel N Pettersson (1):
cifs: Fix autonegotiate security settings mismatch
[9aca7e454415f7878b28524e76bebe1170911a88]
Danilo Krummrich (1):
usb: quirks: add control message delay for 1b1c:1b20
[cb88a0588717ba6c756cb5972d75766b273a6817]
Dave Hansen (1):
x86/cpu: Rename "WESTMERE2" family to "NEHALEM_G"
[4b3b234f434d440fcd749b9636131b76e2ce561e]
Dave Young (1):
HID: add quirk for another PIXART OEM mouse used by HP
[01cffe9ded15c0d664e0beb33c594e00c0d57bba]
David Ahern (1):
net: Refactor rtable initialization
[d08c4f355403840fad98d9918db51a7113f38ee8]
David Matlack (1):
KVM: nVMX: mark vmcs12 pages dirty on L2 exit
[c9f04407f2e0b3fc9ff7913c65fcfcb0a4b61570]
David Rientjes (1):
kernel/relay.c: limit kmalloc size to KMALLOC_MAX_SIZE
[88913bd8ea2a75d7e460a4bed5f75e1c32660d7e]
David Woodhouse (11):
x86/cpufeature: Blacklist SPEC_CTRL/PRED_CMD on early Spectre v2 microcodes
[a5b2966364538a0e68c9fa29bc0a3a1651799035]
x86/cpufeatures: Add AMD feature bits for Speculation Control
[5d10cbc91d9eb5537998b65608441b592eec65e7]
x86/cpufeatures: Add Intel feature bits for Speculation Control
[fc67dd70adb711a45d2ef34e12d1a8be75edde61]
x86/cpufeatures: Clean up Spectre v2 related CPUID flags
[2961298efe1ea1b6fc0d7ee8b76018fa6c0bcef2]
x86/cpuid: Fix up "virtual" IBRS/IBPB/STIBP feature bits on Intel
[7fcae1118f5fd44a862aa5c3525248e35ee67c3b]
x86/msr: Add definitions for new speculation control MSRs
[1e340c60d0dd3ae07b5bedc16a0469c14b9f3410]
x86/pti: Do not enable PTI on CPUs which are not vulnerable to Meltdown
[fec9434a12f38d3aeafeb75711b71d8a1fdef621]
x86/speculation: Add basic IBPB (Indirect Branch Prediction Barrier) support
[20ffa1caecca4db8f79fe665acdeaa5af815a24d]
x86/speculation: Correct Speculation Control microcode blacklist again
[d37fc6d360a404b208547ba112e7dabb6533c7fc]
x86/speculation: Update Speculation Control microcode blacklist
[1751342095f0d2b36fa8114d8e12c5688c455ac4]
x86/speculation: Use IBRS if available before calling into firmware
[dd84441a797150dcc49298ec95c459a8891d8bb1]
Dmitry Torokhov (1):
Input: edt-ft5x06 - fix error handling for factory mode on non-M06
[4b3e910d7f430ab76dd37131bb75129878950163]
Dmitry Vyukov (1):
netfilter: ipt_CLUSTERIP: fix out-of-bounds accesses in clusterip_tg_check()
[1a38956cce5eabd7b74f94bab70265e4df83165e]
Eran Ben Elisha (1):
net/mlx4_en: Fix mixed PFC and Global pause user control requests
[6e8814ceb7e8f468659ef9253bd212c07ae19584]
Eric Biggers (15):
NFS: reject request for id_legacy key without auxdata
[49686cbbb3ebafe42e63868222f269d8053ead00]
binder: check for binder_thread allocation failure in binder_poll()
[f88982679f54f75daa5b8eff3da72508f1e7422f]
crypto: cryptd - pass through absence of ->setkey()
[841a3ff329713f796a63356fef6e2f72e4a3f6a3]
crypto: hash - annotate algorithms taking optional key
[a208fa8f33031b9e0aba44c7d1b7e68eb0cbd29e]
crypto: hash - introduce crypto_hash_alg_has_setkey()
[cd6ed77ad5d223dc6299fb58f62e0f5267f7e2ba]
crypto: hash - prevent using keyed hashes without setting key
[9fa68f620041be04720d0cbfb1bd3ddfc6310b24]
libata: fix length validation of ATAPI-relayed SCSI commands
[058f58e235cbe03e923b30ea7c49995a46a8725f]
libata: remove WARN() for DMA or PIO command without data
[9173e5e80729c8434b8d27531527c5245f4a5594]
pipe, sysctl: drop 'min' parameter from pipe-max-size converter
[4c2e4befb3cc9ce42d506aa537c9ab504723e98c]
pipe, sysctl: remove pipe_proc_fn()
[319e0a21bb7823abbb4818fe2724e572bbac77a2]
pipe: actually allow root to exceed the pipe buffer limits
[85c2dd5473b2718b4b63e74bfeb1ca876868e11f]
pipe: fix off-by-one error when checking buffer limits
[9903a91c763ecdae333a04a9d89d79d2b8966503]
pipe: read buffer limits atomically
[f7340761812fc10313e6fcc115e0bc4f7a799112]
pipe: reject F_SETPIPE_SZ with size over UINT_MAX
[96e99be40e4cff870a83233731121ec0f7f95075]
pipe: simplify round_pipe_size()
[c4fed5a91fadc8a277b1eda474317b501651dd3e]
Eric Dumazet (4):
l2tp: do not accept arbitrary sockets
[17cfe79a65f98abe535261856c5aef14f306dff7]
net: fix possible out-of-bound read in skb_network_protocol()
[1dfe82ebd7d8fd43dba9948fdfb31f145014baa0]
net: igmp: add a missing rcu locking section
[e7aadb27a5415e8125834b84a74477bfbee4eff5]
netfilter: IDLETIMER: be syzkaller friendly
[cfc2c740533368b96e2be5e0a4e8c3cace7d9814]
Eric W. Biederman (4):
fs: Teach path_connected to handle nfs filesystems with multiple roots.
[95dd77580ccd66a0da96e6d4696945b8cea39431]
mn10300/misalignment: Use SIGSEGV SEGV_MAPERR to report a failed user copy
[6ac1dc736b323011a55ecd1fc5897c24c4f77cbd]
signal/openrisc: Fix do_unaligned_access to send the proper signal
[500d58300571b6602341b041f97c082a461ef994]
signal/sh: Ensure si_signo is initialized in do_divide_error
[0e88bb002a9b2ee8cc3cc9478ce2dc126f849696]
Erik Veijola (1):
ALSA: usb-audio: Add a quirck for B&W PX headphones
[240a8af929c7c57dcde28682725b29cf8474e8e5]
Ernesto A . Fernández (1):
ext4: correct documentation for grpid mount option
[9f0372488cc9243018a812e8cfbf27de650b187b]
Eugene Syromiatnikov (1):
s390: fix handling of -1 in set{,fs}[gu]id16 syscalls
[6dd0d2d22aa363fec075cb2577ba273ac8462e94]
Felix Kuehling (1):
drm/ttm: Don't add swapped BOs to swap-LRU list
[fd5002d6a3c602664b07668a24df4ef7a43bf078]
Florian Fainelli (2):
net: systemport: Rewrite __bcm_sysport_tx_reclaim()
[484d802d0f2f29c335563fcac2a8facf174a1bbc]
pinctrl: Really force states during suspend/resume
[981ed1bfbc6c4660b2ddaa8392893e20a6255048]
Florian Westphal (6):
netfilter: bridge: ebt_among: add missing match size checks
[c4585a2823edf4d1326da44d1524ecbfda26bb37]
netfilter: bridge: ebt_among: add more missing match size checks
[c8d70a700a5b486bfa8e5a7d33d805389f6e59f9]
netfilter: ebtables: CONFIG_COMPAT: don't trust userland offsets
[b71812168571fa55e44cdd0254471331b9c4c4c6]
netfilter: ebtables: fix erroneous reject of last rule
[932909d9b28d27e807ff8eecb68c7748f6701628]
netfilter: ipv6: fix use-after-free Write in nf_nat_ipv6_manip_pkt
[b078556aecd791b0e5cb3a59f4c3a14273b52121]
xfrm_user: uncoditionally validate esn replay attribute struct
[d97ca5d714a5334aecadadf696875da40f1fbf3e]
Ganesh Mahendran (1):
android: binder: use VM_ALLOC to get vm area
[aac6830ec1cb681544212838911cdc57f2638216]
Geert Uytterhoeven (1):
RDMA/iwpm: Fix uninitialized error code in iwpm_send_mapinfo()
[302d6424e4a293a5761997e6c9fc3dfb1e4c355f]
Greg Kroah-Hartman (2):
USB: serial: pl2303: new device id for Chilitag
[d08dd3f3dd2ae351b793fc5b76abdbf0fd317b12]
drm: udl: Properly check framebuffer mmap offsets
[3b82a4db8eaccce735dffd50b4d4e1578099b8e8]
Greg Kurz (1):
9p/trans_virtio: discard zero-length reply
[26d99834f89e76514076d9cd06f61e56e6a509b8]
Guillaume Nault (3):
l2tp: avoid using ->tunnel_sock for getting session's parent tunnel
[7198c77aa05560c257ee377ec1f4796812121580]
l2tp: don't close sessions in l2tp_tunnel_destruct()
[765924e362d12f87786060b98a49abd91e11ea96]
l2tp: remove l2tp_tunnel_count and l2tp_session_count
[c7fa745d988812c4dea7dbc645f025c5bfa4917e]
Hans de Goede (10):
ASoC: rt5651: Fix regcache sync errors on resume
[2d30e9494f1ea320aaaad0cff9ddd92c87eac355]
PCI: Add function 1 DMA alias quirk for Highpoint RocketRAID 644L
[1903be8222b7c278ca897c129ce477c1dd6403a8]
USB: cdc-acm: Do not log urb submission errors on disconnect
[f0386c083c2ce85284dc0b419d7b89c8e567c09f]
ahci: Add PCI ids for Intel Bay Trail, Cherry Trail and Apollo Lake AHCI
[998008b779e424bd7513c434d0ab9c1268459009]
ahci: Add PCI-id for the Highpoint Rocketraid 644L card
[28b2182dad43f6f8fcbd167539a26714fd12bd64]
libata: Apply NOLPM quirk to Crucial M500 480 and 960GB SSDs
[62ac3f7305470e3f52f159de448bc1a771717e88]
libata: Apply NOLPM quirk to Crucial MX100 512GB SSDs
[9c7be59fc519af9081c46c48f06f2b8fadf55ad8]
libata: Make Crucial BX100 500GB LPM quirk apply to all firmware versions
[3bf7b5d6d017c27e0d3b160aafb35a8e7cfeda1f]
libata: Modify quirks for MX100 to limit NCQ_TRIM quirk to MU01 version
[d418ff56b8f2d2b296daafa8da151fe27689b757]
uas: Log error codes when logging errors
[ce39fe6fa115d9fea0112c907773a400b98d2463]
Hans van Kranenburg (1):
btrfs: alloc_chunk: fix DUP stripe size handling
[92e222df7b8f05c565009c7383321b593eca488b]
Hemant Kumar (1):
usb: f_fs: Prevent gadget unbind if it is already unbound
[ce5bf9a50daf2d9078b505aca1cea22e88ecb94a]
Horia Geantă (1):
crypto: caam - fix endless loop when DECO acquire fails
[225ece3e7dad4cfc44cca38ce7a3a80f255ea8f1]
Ilya Dryomov (1):
rbd: whitelist RBD_FEATURE_OPERATIONS feature bit
[e573427a440fd67d3f522357d7ac901d59281948]
Ingo Molnar (1):
x86/speculation: Move firmware_restrict_branch_speculation_*() from C to CPP
[d72f4e29e6d84b7ec02ae93088aa459ac70e733b]
Ioana Ciornei (1):
staging: iio: adc: remove the use of CamelCase
[5f7e280f5ae61450a7aecd9feefe3f032b6a5abf]
Ivan Delalande (1):
lkdtm: fix handle_irq_event symbol for INT_HW_IRQ_EN
[5be2a5011c039506e2862650c928acfb2e3d7b9c]
Ivan Vecera (2):
kernfs: fix regression in kernfs_fop_write caused by wrong type
[ba87977a49913129962af8ac35b0e13e0fa4382d]
net/mlx4_en: do not ignore autoneg in mlx4_en_set_pauseparam()
[278d436a476f69fc95d5c82bf61b6c2d02f4d44e]
J. Bruce Fields (1):
NFS: commit direct writes even if they fail partially
[1b8d97b0a837beaf48a8449955b52c650a7114b4]
Jack Morgenstein (1):
IB/mlx4: Fix incorrectly releasing steerable UD QPs when have only ETH ports
[852f6927594d0d3e8632c889b2ab38cbc46476ad]
Jack Stocker (1):
Add delay-init quirk for Corsair K70 RGB keyboards
[7a1646d922577b5b48c0d222e03831141664bb59]
Jake Daryll Obina (1):
jffs2: Fix use-after-free bug in jffs2_iget()'s error handling path
[5bdd0c6f89fba430e18d636493398389dadc3b17]
Jakub Kicinski (1):
net: fix race on decreasing number of TX queues
[ac5b70198adc25c73fba28de4f78adcee8f6be0b]
James Chapman (5):
l2tp: don't use inet_shutdown on ppp session destroy
[225eb26489d05c679a4c4197ffcb81c81e9dcaf4]
l2tp: don't use inet_shutdown on tunnel destroy
[76a6abdb2513ad4ea0ded55d2c66160491f2e848]
l2tp: fix race in pppol2tp_release with session object destroy
[d02ba2a6110c530a32926af8ad441111774d2893]
l2tp: fix races with tunnel socket close
[d00fa9adc528c1b0e64d532556764852df8bd7b9]
l2tp: fix tunnel lookup use-after-free race
[28f5bfb819195ad9c2eb9486babe7b0e4efe925f]
James Hogan (2):
EDAC, octeon: Fix an uninitialized variable warning
[544e92581a2ac44607d7cc602c6b54d18656f56d]
MIPS: Fix clean of vmlinuz.{32,ecoff,bin,srec}
[5f2483eb2423152445b39f2db59d372f523e664e]
James Ralston (1):
ahci: Remove Device ID for Intel Sunrise Point PCH
[46319e13581a6c442b0a0e5a3bd5d9af4496f252]
Jan Beulich (1):
x86/mm: Fix {pmd,pud}_{set,clear}_flags()
[842cef9113c2120f74f645111ded1e020193d84c]
Jan Chochol (1):
nfs: Do not convert nfs_idmap_cache_timeout to jiffies
[cbebc6ef4fc830f4040d4140bf53484812d5d5d9]
Jan-Marek Glogowski (1):
ALSA: hda/realtek: PCI quirk for Fujitsu U7x7
[fdcc968a3b290407bcba9d4c90e2fba6d8d928f1]
Jason Gunthorpe (1):
sctp: Fix mangled IPv4 addresses on a IPv6 listening socket
[9302d7bb0c5cd46be5706859301f18c137b2439f]
Jason Wang (1):
vhost_net: stop device during reset owner
[4cd879515d686849eec5f718aeac62a70b067d82]
Jason Yan (5):
ata: do not schedule hot plug if it is a sas host
[6f54120e17e311fd7ac42b9ec2a0611caa5b46ad]
scsi: libsas: direct call probe and destruct
[0558f33c06bb910e2879e355192227a8e8f0219d]
scsi: libsas: fix error when getting phy events
[2b23d9509fd7174b362482cf5f3b5f9a2265bc33]
scsi: libsas: fix memory leak in sas_smp_get_phy_events()
[4a491b1ab11ca0556d2fda1ff1301e862a2d44c4]
scsi: libsas: remove the numbering for each event enum
[0d78f969b10f27e0be34210d482a01e1ee92994c]
Jean Delvare (1):
firmware: dmi_scan: Fix handling of empty DMI strings
[a7770ae194569e96a93c48aceb304edded9cc648]
Jens Axboe (1):
aio: fix serial draining in exit_aio()
[dc48e56d761610da4ea1088d1bea0a030b8e3e43]
Jeremy Boone (4):
tpm: fix potential buffer overruns caused by bit glitches on the bus
[3be23274755ee85771270a23af7691dc9b3a95db]
tpm_i2c_infineon: fix potential buffer overruns caused by bit glitches on the bus
[9b8cb28d7c62568a5916bdd7ea1c9176d7f8f2ed]
tpm_i2c_nuvoton: fix potential buffer overruns caused by bit glitches on the bus
[f9d4d9b5a5ef2f017bc344fb65a58a902517173b]
tpm_tis: fix potential buffer overruns caused by bit glitches on the bus
[6bb320ca4a4a7b5b3db8c8d7250cc40002046878]
Jia-Ju Bai (1):
USB: serial: io_edgeport: fix possible sleep-in-atomic
[c7b8f77872c73f69a16528a9eb87afefcccdc18b]
Jim Mattson (1):
KVM: nVMX: Eliminate vmcs02 pool
[de3a0021a60635de96aa92713c1a31a96747d72c]
Jiri Bohac (1):
x86/gart: Exclude GART aperture from vmcore
[2a3e83c6f96c513f43ce5a8c9034608ea584a255]
Joe Lawrence (3):
pipe: add proc_dopipe_max_size() to safely assign pipe_max_size
[7a8d181949fb2c16be00f8cdb354794a30e46b39]
pipe: avoid round_pipe_size() nr_pages overflow on 32-bit
[d3f14c485867cfb2e0c48aa88c41d0ef4bf5209c]
sysctl: check for UINT_MAX before unsigned int min/max
[fb910c42ccebf853c29296185c45c11164a56098]
Joel Fernandes (1):
staging: android: ashmem: Fix lockdep issue during llseek
[cb57469c9573f6018cd1302953dd45d6e05aba7b]
Johan Hovold (5):
USB: serial: add Medtronic CareLink USB driver
[cff9c2339a6d5105d7f6b1f9a96dd1d239cc76ac]
USB: serial: add Novatel Wireless GPS driver
[c5cd24d7b179a415df263e5b18b72f6e3aaf81e0]
USB: serial: add support for multi-port simple drivers
[b9f040389e23fb95fde36cb0a3c2c516fb3e9d1c]
USB: serial: simple: add Motorola Tetra driver
[46fe895e22ab3845515ec06b01eaf1282b342e29]
video: fbdev: atmel_lcdfb: fix display-timings lookup
[9cb18db0701f6b74f0c45c23ad767b3ebebe37f6]
Johannes Berg (1):
regulatory: add NUL to request alpha2
[657308f73e674e86b60509a430a46e569bf02846]
John Crispin (1):
MIPS: ralink: Don't set pm_power_off
[81ab9f6c5ff8565e4cba330e340a8979a10521d7]
Jonas Danielsson (1):
tty/serial: atmel: add new version check for usart
[fd63a8903a2c40425a9811c3371dd4d0f42c0ad3]
Ju Hyung Park (1):
libata: Enable queued TRIM for Samsung SSD 860
[ca6bfcb2f6d9deab3924bf901e73622a94900473]
Juergen Gross (2):
x86/xen: Zero MSR_IA32_SPEC_CTRL before suspend
[71c208dd54ab971036d83ff6d9837bae4976e623]
x86/xen: init %gs very early to avoid page faults with stack protector
[4f277295e54c5b7340e48efea3fc5cc21a2872b7]
Julia Lawall (3):
USB: usbmon: remove assignment from IS_ERR argument
[46c236dc7d1212d7417e6fb0317f91c44c719322]
drivers: video: fbdev: atmel_lcdfb.c: fix error return code
[6c131850eca653344c41d68ce87f3ab5a89af89e]
drm/radeon: adjust tested variable
[3a61b527b4e1f285d21b6e9e623dc45cf8bb391f]
Julian Wiedmann (2):
s390/qeth: fix SETIP command handling
[1c5b2216fbb973a9410e0b06389740b5c1289171]
s390/qeth: free netdevice when removing a card
[6be687395b3124f002a653c1a50b3260222b3cd7]
Julien Gomes (1):
tun: allow positive return values on dev_get_valid_name() call
[5c25f65fd1e42685f7ccd80e0621829c105785d9]
Justin Chen (1):
MIPS: BMIPS: Do not mask IPIs during suspend
[06a3f0c9f2725f5d7c63c4203839373c9bd00c28]
Kai-Heng Feng (3):
drm/edid: Add 6 bpc quirk for CPT panel in Asus UX303LA
[06998a756a3865817b87a129a7e5d5bb66dc1ec3]
libata: disable LPM for Crucial BX100 SSD 500GB drive
[b17e5729a630d8326a48ec34ef02e6b4464a6aef]
xhci: Fix front USB ports on ASUS PRIME B350M-A
[191edc5e2e515aab1075a3f0ef23599e80be5f59]
Kamil Konieczny (1):
crypto: s5p-sss - Fix kernel Oops in AES-ECB mode
[c927b080c67e3e97193c81fc1d27f4251bf4e036]
KarimAllah Ahmed (3):
KVM/SVM: Allow direct access to MSR_IA32_SPEC_CTRL
[b2ac58f90540e39324e7a29a7ad471407ae0bf48]
KVM/VMX: Allow direct access to MSR_IA32_SPEC_CTRL
[d28b387fb74da95d69d2615732f50cceb38e9a4d]
KVM/VMX: Emulate MSR_IA32_ARCH_CAPABILITIES
[28c1c9fabf48d6ad596273a11c46e0d0da3e14cd]
Karsten Koop (1):
usb: ldusb: add PIDs for new CASSY devices supported by this driver
[52ad2bd8918158266fc88a05f95429b56b6a33c5]
Kees Cook (1):
NFC: llcp: Limit size of SDP URI
[fe9c842695e26d8116b61b80bfb905356f07834b]
Kirill Marinushkin (1):
ALSA: usb-audio: Fix parsing descriptor of UAC2 processing unit
[a6618f4aedb2b60932d766bd82ae7ce866e842aa]
Konrad Rzeszutek Wilk (1):
x86/spectre_v2: Don't check microcode versions when running under hypervisors
[36268223c1e9981d6cfc33aff8520b3bde4b8114]
Lars-Peter Clausen (1):
iio: adis_lib: Initialize trigger before requesting interrupt
[f027e0b3a774e10302207e91d304bbf99e3a8b36]
Lassi Ylikojola (1):
ALSA: usb-audio: add implicit fb quirk for Behringer UFX1204
[5e35dc0338d85ccebacf3f77eca1e5dea73155e8]
Leon Romanovsky (11):
RDMA/mlx5: Avoid memory leak in case of XRCD dealloc failure
[b081808a66345ba725b77ecd8d759bee874cd937]
RDMA/mlx5: Fix integer overflow while resizing CQ
[28e9091e3119933c38933cb8fc48d5618eb784c8]
RDMA/ucma: Check AF family prior resolving address
[2975d5de6428ff6d9317e9948f0968f7d42e5d74]
RDMA/ucma: Check that device exists prior to accessing it
[c8d3bcbfc5eab3f01cf373d039af725f3b488813]
RDMA/ucma: Check that device is connected prior to access it
[4b658d1bbc16605330694bb3ef2570c465ef383d]
RDMA/ucma: Check that user doesn't overflow QP state
[a5880b84430316e3e1c1f5d23aa32ec6000cc717]
RDMA/ucma: Don't allow join attempts for unsupported AF family
[0c81ffc60d5280991773d17e84bda605387148b1]
RDMA/ucma: Ensure that CM_ID exists prior to access it
[e8980d67d6017c8eee8f9c35f782c4bd68e004c9]
RDMA/ucma: Fix access to non-initialized CM_ID object
[7688f2c3bbf55e52388e37ac5d63ca471a7712e1]
RDMA/ucma: Fix use-after-free access in ucma_close
[ed65a4dc22083e73bac599ded6a262318cad7baf]
RDMA/ucma: Limit possible option size
[6a21dfc0d0db7b7e0acedce67ca533a6eb19283c]
Linus Lüssing (2):
batman-adv: fix multicast-via-unicast transmission with AP isolation
[f8fb3419ead44f9a3136995acd24e35da4525177]
batman-adv: fix packet loss for broadcasted DHCP packets to a server
[a752c0a4524889cdc0765925258fd1fd72344100]
Linus Torvalds (3):
kvm/x86: fix icebp instruction handling
[32d43cd391bacb5f0814c2624399a5dad3501d09]
perf/hwbp: Simplify the perf-hwbp code, fix documentation
[f67b15037a7a50c57f72e69a6d59941ad90a0f0f]
tty: vt: fix up tabstops properly
[f1869a890cdedb92a3fab969db5d0fd982850273]
Linus Walleij (1):
mtd: jedec_probe: Fix crash in jedec_read_mfr()
[87a73eb5b56fd6e07c8e499fe8608ef2d8912b82]
Liu Bo (4):
Btrfs: fix crash due to not cleaning up tree log block's dirty bits
[1846430c24d66e85cc58286b3319c82cd54debb2]
Btrfs: fix deadlock in run_delalloc_nocow
[e89166990f11c3f21e1649d760dd35f9e410321c]
Btrfs: fix extent state leak from tree log
[55237a5f2431a72435e3ed39e4306e973c0446b7]
Btrfs: fix use-after-free on root->orphan_block_rsv
[1a932ef4e47984dee227834667b5ff5a334e4805]
Lukas Czerner (1):
ext4: fix bitmap position validation
[22be37acce25d66ecf6403fc8f44df9c5ded2372]
Lukas Wunner (5):
Revert "apple-gmux: lock iGP IO to protect from vgaarb changes"
[d6fa7588fd7a8def4c747c0c574ce85d453e3788]
drm/nouveau: Fix deadlock on runtime suspend
[d61a5c1063515e855bedb1b81e20e50b0ac3541e]
drm/radeon: Fix deadlock on runtime suspend
[15734feff2bdac24aa3266c437cffa42851990e3]
drm: Allow determining if current task is output poll worker
[25c058ccaf2ebbc3e250ec1e199e161f91fe27d4]
workqueue: Allow retrieval of current task's work struct
[27d4ee03078aba88c5e07dcc4917e8d01d046f38]
Maciej W. Rozycki (1):
MIPS: Normalise code flow in the CpU exception handler
[27e28e8ec47a5ce335ebf25d34ca356c80635908]
Malcolm Priestley (2):
media: dvb-usb-v2: lmedm04: Improve logic checking of warm start
[3d932ee27e852e4904647f15b64dedca51187ad7]
media: dvb-usb-v2: lmedm04: move ts2020 attach to dm04_lme2510_tuner
[7bf7a7116ed313c601307f7e585419369926ab05]
Marc Kleine-Budde (1):
slip: sl_alloc(): remove unused parameter "dev_t line"
[936e5d8bdfa72577e28ea671d9e2ee4fef0d6b3e]
Marc Zyngier (2):
arm64: KVM: Increment PC after handling an SMC trap
[f5115e8869e1dfafac0e414b4f1664f3a84a4683]
arm: KVM: Fix SMCCC handling of unimplemented SMC/HVC calls
[20e8175d246e9f9deb377f2784b3e7dfb2ad3e86]
Mark Rutland (1):
arm64: remove __die()'s stack dump
[c5bc503cbeee8586395aa541d2b53c69c3dd6930]
Masahiro Yamada (1):
mmc: sdhci: export sdhci_execute_tuning()
[85a882c2e91d3655927ecdc1db823d1420a65b8f]
Masami Hiramatsu (1):
tracing: probeevent: Fix to support minus offset from symbol
[c5d343b6b7badd1f5fe0873eff2e8d63a193e732]
Masatake YAMATO (1):
route: remove unsed variable in __mkroute_input
[cb1c61680d29a054b91a23c7a504cea8a72bdcff]
Matt Redfearn (1):
MIPS: TXx9: use IS_BUILTIN() for CONFIG_LEDS_CLASS
[0cde5b44a30f1daaef1c34e08191239dc63271c4]
Matthew Wilcox (1):
cifs: Fix missing put_xid in cifs_file_strict_mmap
[f04a703c3d613845ae3141bfaf223489de8ab3eb]
Matthias Schiffer (4):
batman-adv: fix header size check in batadv_dbg_arp()
[6f27d2c2a8c236d296201c19abb8533ec20d212b]
batman-adv: fix packet checksum in receive path
[abd6360591d3f8259f41c34e31ac4826dfe621b8]
batman-adv: invalidate checksum on fragment reassembly
[3bf2a09da956b43ecfaa630a2ef9a477f991a46a]
batman-adv: update data pointers after skb_cow()
[bc44b78157f621ff2a2618fe287a827bcb094ac4]
Mauro Carvalho Chehab (1):
media: cxusb, dib0700: ignore XC2028_I2C_FLUSH
[9893b905e743ded332575ca04486bd586c0772f7]
Max Filippov (1):
xtensa: fix futex_atomic_cmpxchg_inatomic
[ca47480921587ae30417dd234a9f79af188e3666]
Mel Gorman (1):
mm: pin address_space before dereferencing it while isolating an LRU page
[69d763fc6d3aee787a3e8c8c35092b4f4960fa5d]
Michael Kerrisk (8):
pipe: cap initial pipe capacity according to pipe-max-size limit
[086e774a57fba4695f14383c0818994c0b31da7c]
pipe: fix limit checking in alloc_pipe_info()
[a005ca0e6813e1d796a7422a7e31d8b8d6555df1]
pipe: fix limit checking in pipe_set_size()
[b0b91d18e2e97b741b294af9333824ecc3fadfd8]
pipe: make account_pipe_buffers() return a value, and use it
[9c87bcf0a31b338dc8a69a5d251a037565a94e13]
pipe: move limit checking logic into pipe_set_size()
[d37d41666408102bf0ac8e48d8efdce7b809e5f6]
pipe: refactor argument for account_pipe_buffers()
[3734a13b96ebf039b293d8d37a934fd1bd9e03ab]
pipe: relocate round_pipe_size() above pipe_set_size()
[f491bd71118beba608d39ac2d5f1530e1160cd2e]
pipe: simplify logic in alloc_pipe_info()
[09b4d1990094dd22c27fb0163534db419458569c]
Michael Lyle (1):
bcache: don't attach backing with duplicate UUID
[86755b7a96faed57f910f9e6b8061e019ac1ec08]
Michael Weiser (2):
arm64: Disable unhandled signal log messages by default
[5ee39a71fd89ab7240c5339d04161c44a8e03269]
arm64: Remove unimplemented syscall log message
[1962682d2b2fbe6cfa995a85c53c069fadda473e]
Michel Dänzer (1):
drm/radeon: Don't turn off DP sink when disconnected
[2681bc79eeb640562c932007bfebbbdc55bf6a7d]
Mika Westerberg (1):
ahci: Add Intel Cannon Lake PCH-H PCI ID
[f919dde0772a894c693a1eeabc77df69d6a9b937]
Mike Kravetz (2):
hugetlbfs: check for pgoff value overflow
[63489f8e821144000e0bdca7e65a8d1cc23a7ee7]
hugetlbfs: fix offset overflow in hugetlbfs mmap
[045c7a3f53d9403b62d396b6d051c4be5044cdb4]
Mikulas Patocka (2):
alpha: fix crash if pthread_create races with signal delivery
[21ffceda1c8b3807615c40d440d7815e0c85d366]
alpha: fix reboot on Avanti platform
[55fc633c41a08ce9244ff5f528f420b16b1e04d6]
Mimi Zohar (1):
ima: relax requiring a file signature for new files with zero length
[b7e27bc1d42e8e0cc58b602b529c25cd0071b336]
Miquel Raynal (1):
mtd: nand: Fix nand_do_read_oob() return value
[87e89ce8d0d14f573c068c61bec2117751fb5103]
Mulhern (1):
dm thin: fix documentation relative to low water mark threshold
[9b28a1102efc75d81298198166ead87d643a29ce]
Namjae Jeon (1):
cifs: fix memory leak when password is supplied multiple times
[d6ccf4997e62fb6629f9f003980dca5292138b7b]
Nathan Fontenot (1):
powerpc/numa: Invalidate numa_cpu_lookup_table on cpu remove
[1d9a090783bef19fe8cdec878620d22f05191316]
NeilBrown (1):
MIPS: ralink: Remove ralink_halt()
[891731f6a5dbe508d12443175a7e166a2fba616a]
Nicholas Piggin (1):
powerpc/64: Don't trace irqs-off at interrupt return to soft-disabled context
[acb1feab320e38588fccc568e3767761f494976f]
Nicolas Dichtel (2):
netlink: avoid a double skb free in genlmsg_mcast()
[02a2385f37a7c6594c9d89b64c4a1451276f08eb]
netlink: ensure to loop over all netns in genlmsg_multicast_allns()
[cb9f7a9a5c96a773bbc9c70660dc600cfff82f82]
Nicolas Pitre (1):
console/dummy: leave .con_font_get set to NULL
[724ba8b30b044aa0d94b1cd374fc15806cdd6f18]
Nikola Ciprich (1):
serial: 8250_pci: Add Brainboxes UC-260 4 port serial device
[9f2068f35729948bde84d87a40d135015911345d]
Nikolay Borisov (1):
btrfs: Handle btrfs_set_extent_delalloc failure in fixup worker
[f3038ee3a3f1017a1cbe9907e31fa12d366c5dcb]
OKAMOTO Yoshiaki (1):
usb: option: Add support for FS040U modem
[69341bd15018da0a662847e210f9b2380c71e623]
Oleg Nesterov (2):
aio: change exit_aio() to load mm->ioctx_table once and avoid rcu_read_lock()
[4b70ac5fd9b58bfaa5f25b4ea48f528aefbf3308]
aio: kill the misleading rcu read locks in ioctx_add_table() and kill_ioctx()
[855ef0dec7271ff7be7381feaaf3f4aed80bd503]
Oliver Neukum (3):
CDC-ACM: apply quirk for card reader
[df1cc78a52491f71d8170d513d0f6f114faa1bda]
uas: fix comparison for error code
[9a513c905bb95bef79d96feb08621c1ec8d8c4bb]
usb: uas: unconditionally bring back host after reset
[cbeef22fd611c4f47c494b821b2b105b8af970bb]
Paolo Abeni (7):
dn_getsockoptdecnet: move nf_{get/set}sockopt outside sock lock
[dfec091439bb2acf763497cfc58f2bdfc67c56b7]
ipv6: the entire IPv6 header chain must fit the first fragment
[10b8a3de603df7b96004179b1b33b1708c76d144]
l2tp: fix races with ipv4-mapped ipv6 addresses
[b954f94023dcc61388c8384f0f14eb8e42c863c5]
netfilter: drop outermost socket lock in getsockopt()
[01ea306f2ac2baff98d472da719193e738759d93]
netfilter: nat: cope with negative port range
[db57ccf0f2f4624b4c4758379f8165277504fbd7]
netfilter: on sockopt() acquire sock lock only in the required scope
[3f34cfae1238848fd53f25e5c8fd59da57901f4b]
netfilter: x_tables: fix missing timer initialization in xt_LED
[10414014bc085aac9f787a5890b33b5605fbcfc4]
Paolo Bonzini (6):
KVM/VMX: Optimize vmx_vcpu_run() and svm_vcpu_run() by marking the RDMSR path as unlikely()
[946fbbc13dce68902f64515b610eeb2a6c3d7a64]
KVM/x86: Remove indirect MSR op calls from SPEC_CTRL
[ecb586bd29c99fb4de599dec388658e74388daad]
KVM: VMX: introduce alloc_loaded_vmcs
[f21f165ef922c2146cc5bdc620f542953c41714b]
KVM: VMX: make MSR bitmaps per-VCPU
[904e14fb7cb96401a7dc803ca2863fd5ba32ffe6]
KVM: x86: pass host_initiated to functions that read MSRs
[609e36d372ad9329269e4a1467bd35311893d1d6]
KVM: x86: rename update_db_bp_intercept to update_bp_intercept
[a96036b8ef7df9f10cd575c0d78359bd33188e8e]
Parav Pandit (1):
RDMA/cma: Use correct size when writing netlink stats
[7baaa49af3716fb31877c61f59b74d029ce15b75]
Pete Zaitcev (1):
usb: usbmon: Read text within supplied buffer size
[a5f596830e27e15f7a0ecd6be55e433d776986d8]
Peter Malone (1):
fbdev: Fixing arbitrary kernel leak in case FBIOGETCMAP_SPARC in sbusfb_ioctl_helper().
[250c6c49e3b68756b14983c076183568636e2bde]
Peter Zijlstra (1):
x86/speculation: Add <asm/msr-index.h> dependency
[ea00f301285ea2f07393678cd2b6057878320c9d]
Petr Machata (1):
ip_tunnel: Emit events for post-register MTU changes
[f6cc9c054e77b9a28d4594bcc201697edb21dfd2]
Raghava Aditya Renukunta (1):
scsi: aacraid: Fix udev inquiry race condition
[f4e8708d3104437fd7716e957f38c265b0c509ef]
Rasmus Villemoes (2):
kernel/async.c: revert "async: simplify lowest_in_progress()"
[4f7e988e63e336827f4150de48163bed05d653bd]
nospec: Allow index argument to have const-qualified type
[b98c6a160a057d5686a8c54c79cc6c8c94a7d0c8]
Roger Pau Monne (1):
xen/pirq: fix error path cleanup when binding MSIs
[910f8befdf5bccf25287d9f1743e3e546bcb7ce0]
Sabrina Dubroca (1):
ipv4: lock mtu in fnhe when received PMTU < net.ipv4.route.min_pmtu
[d52e5a7e7ca49457dd31fc8b42fb7c0d58a31221]
Scott Lawson (1):
AHCI: Remove obsolete Intel Lewisburg SATA RAID device IDs
[8ba559fd09bcf4e87faad3efa465dacf04c076c9]
Scott Mayhew (1):
nfs/pnfs: fix nfs_direct_req ref leak when i/o falls back to the mds
[ba4a76f703ab7eb72941fdaac848502073d6e9ee]
SeongJae Park (2):
rcutorture/configinit: Fix build directory error message
[2adfa4210f8f35cdfb4e08318cc06b99752964c2]
rcutorture/kvm.sh: Use consistent help text for --qemu-args
[8dcd6f3fe206c0bb8996e59386a04027b1c2fb9b]
Sergey Senozhatsky (1):
arm64: do not use print_symbol()
[4ef7963843d3243260aa335dfb9cb2fede06aacf]
Seunghun Han (1):
x86/MCE: Serialize sysfs changes
[b3b7c4795ccab5be71f080774c45bbbcc75c2aaf]
Shaohua Li (1):
ata: Add a new flag to destinguish sas controller
[5067c0469c643512f24786990e315f9c15cc7d24]
Shawn Lin (2):
mmc: dw_mmc: Factor out dw_mci_init_slot_caps
[a4faa4929ed3be15e2d500d2405f992f6dedc8eb]
mmc: dw_mmc: Fix out-of-bounds access for slot's caps
[0d84b9e5631d923744767dc6608672df906dd092]
Shuah Khan (3):
usbip: keep usbip_device sockfd state in sync with tcp_socket
[009f41aed4b3e11e6dc1e3c07377a10c20f1a5ed]
usbip: list: don't list devices attached to vhci_hcd
[ef824501f50846589f02173d73ce3fe6021a9d2a]
usbip: prevent bind loops on devices attached to vhci_hcd
[ef54cf0c600fb8f5737fb001a9e357edda1a1de8]
Simon Shields (1):
ARM: dts: exynos: Correct Trats2 panel reset line
[1b377924841df1e13ab5b225be3a83f807a92b52]
Stefan Agner (1):
spi: imx: do not access registers while clocks disabled
[d593574aff0ab846136190b1729c151c736727ec]
Stefan Roese (1):
ALSA: pcm: Use dma_bytes as size parameter in dma_mmap_coherent()
[9066ae7ff5d89c0b5daa271e2d573540097a94fa]
Stefan Windfeldt-Prytz (1):
iio: buffer: check if a buffer has been set up when poll is called
[4cd140bda6494543f1c1b0ccceceaa44b676eef6]
Stefano Brivio (3):
ip_tunnel: Clamp MTU to bounds on new link
[24fc79798b8ddfd46f2dd363a8d29072c083b977]
vti4: Don't count header length twice on tunnel setup
[dd1df24737727e119c263acf1be2a92763938297]
vti4: Don't override MTU passed on link creation via IFLA_MTU
[03080e5ec72740c1a62e6730f2a5f3f114f11b19]
Stephan Mueller (1):
crypto: af_alg - whitelist mask and type
[bb30b8848c85e18ca7e371d0a869e94b3e383bdf]
Sven Eckelmann (2):
batman-adv: Fix internal interface indices types
[f22e08932c2960f29b5e828e745c9f3fb7c1bb86]
batman-adv: Fix skbuff rcsum on packet reroute
[fc04fdb2c8a894283259f5621d31d75610701091]
Takashi Iwai (8):
ALSA: aloop: Fix access to not-yet-ready substream via cable
[8e6b1a72a75bb5067ccb6b56d8ca4aa3a300a64e]
ALSA: aloop: Sync stale timer before release
[67a01afaf3d34893cf7d2ea19b34555d6abb7cb0]
ALSA: hda/realtek - Always immediately update mute LED with pin VREF
[e40bdb03d3cd7da66bd0bc1e40cbcfb49351265c]
ALSA: seq: Clear client entry before deleting else at closing
[a2ff19f7b70118ced291a28d5313469914de451b]
ALSA: seq: Don't allow resizing pool in use
[d85739367c6d56e475c281945c68fdb05ca74b4c]
ALSA: seq: Fix possible UAF in snd_seq_check_queue()
[d0f833065221cbfcbadf19fd4102bcfa9330006a]
ALSA: seq: Fix racy pool initializations
[d15d662e89fc667b90cd294b0eb45694e33144da]
ALSA: seq: More protection for concurrent write and ioctl races
[7bd80091567789f1c0cb70eb4737aac8bcd2b6b9]
Tang Junhui (1):
bcache: fix crashes in duplicate cache device register
[cc40daf91bdddbba72a4a8cd0860640e06668309]
Tariq Toukan (1):
net/mlx4_core: Cleanup FMR unmapping flow
[fd4a3e2828b4ca35aef40e5bdc1ed7d87b3cb50a]
Teijo Kinnunen (1):
USB: storage: Add JMicron bridge 152d:2567 to unusual_devs.h
[5126a504b63d82785eaece3a9c30c660b313785a]
Tejun Heo (3):
fs/aio: Add explicit RCU grace period when freeing kioctx
[a6d7cff472eea87d96899a20fa718d2bab7109f3]
fs/aio: Use RCU accessors for kioctx_table->table[]
[d0264c01e7587001a8c4608a5d1818dba9a4c11a]
tty: make n_tty_read() always abort if hangup is in progress
[28b0f8a6962a24ed21737578f3b1b07424635c9e]
Theodore Ts'o (2):
ext4: add validity checks for bitmap block numbers
[7dac4a1726a9c64a517d595c40e95e2d0d135f6f]
ext4: fail ext4_iget for root directory if unallocated
[8e4b5eae5decd9dfe5a4ee369c22028f90ab4c44]
Thinh Nguyen (1):
usb: dwc3: gadget: Set maxpacket size for ep0 IN
[6180026341e852a250e1f97ebdcf71684a3c81b9]
Thomas Gleixner (1):
posix-timers: Protect posix clock array access against speculation
[19b558db12f9f4e45a22012bae7b4783e62224da]
Thomas Richter (1):
perf annotate: Fix objdump comment parsing for Intel mov dissassembly
[35a8a148d8c1ee9e5ae18f9565a880490f816f89]
Tim Chen (1):
x86/speculation: Use Indirect Branch Prediction Barrier in context switch
[18bf3c3ea8ece8f03b6fc58508f2dfd23c7711c7]
Tobias Jordan (1):
spi: sun6i: disable/unprepare clocks on remove
[2d9bbd02c54094ceffa555143b0d68cd06504d63]
Todd Kjos (1):
binder: replace "%p" with "%pK"
[8ca86f1639ec5890d400fff9211aca22d0a392eb]
Tony Luck (1):
x86/MCE: Save microcode revision in machine check records
[fa94d0c6e0f3431523f5701084d799c77c7d4a4f]
Toshiaki Makita (2):
net: Fix untag for vlan packets without ethernet header
[ae4745730cf8e693d354ccd4dbaf59ea440c09a9]
net: Fix vlan untag for bridge and vlan_dev with reorder_hdr off
[4bbb3e0e8239f9079bf1fe20b3c0cb598714ae61]
Trond Myklebust (2):
NFS: Add a cond_resched() to nfs_commit_release_pages()
[7f1bda447c9bd48b415acedba6b830f61591601f]
NFS: Fix 2 use after free issues in the I/O code
[196639ebbe63a037fe9a80669140bd292d8bcd80]
Tyrel Datwyler (1):
scsi: ibmvfc: fix misdefined reserved field in ibmvfc_fcp_rsp_info
[c39813652700f3df552b6557530f1e5f782dbe2f]
Ulf Magnusson (1):
ARM: mvebu: Fix broken PL310_ERRATA_753970 selects
[8aa36a8dcde3183d84db7b0d622ffddcebb61077]
Ulrich Hecht (1):
serial: sh-sci: prevent lockup on full TTY buffers
[7842055bfce4bf0170d0f61df8b2add8399697be]
Vinicius Costa Gomes (1):
skbuff: Fix not waking applications when errors are enqueued
[6e5d58fdc9bedd0255a8781b258f10bbdc63e975]
Viresh Kumar (4):
arm: spear13xx: Fix dmas cells
[cdd10409914184c7eee5ae3e11beb890c9c16c61]
arm: spear13xx: Fix spics gpio controller's warning
[f8975cb1b8a36d0839b6365235778dd9df1d04ca]
arm: spear600: Add missing interrupt-parent of rtc
[6ffb5b4f248fe53e0361b8cbc2a523b432566442]
cpufreq: s3c24xx: Fix broken s3c_cpufreq_init()
[0373ca74831b0f93cd4cdbf7ad3aec3c33a479a5]
Wang Nan (1):
x86/traps: Enable DEBUG_STACK after cpu_init() for TRAP_DB/BP
[b4d8327024637cb2a1f7910dcb5d0ad7a096f473]
Wanpeng Li (1):
KVM: mmu: Fix overlap between public and private memslots
[b28676bb8ae4569cced423dc2a88f7cb319d5379]
Wei Yongjun (1):
mtd: ubi: wl: Fix error return code in ubi_wl_init()
[7233982ade15eeac05c6f351e8d347406e6bcd2f]
Will Deacon (2):
arm64: __show_regs: Only resolve kernel symbols when running at EL1
[a06f818a70de21b4b3b4186816094208fc7accf9]
arm64: traps: Don't print stack or raw PC/LR values in backtraces
[a25ffd3a6302a67814280274d8f1aa4ae2ea4b59]
Xin Long (4):
bonding: fix the err path for dev hwaddr sync in bond_enslave
[5c78f6bfae2b10ff70e21d343e64584ea6280c26]
bonding: move dev_mc_sync after master_upper_dev_link in bond_enslave
[ae42cc62a9f07f1f6979054ed92606b9c30f4a2e]
bonding: process the err returned by dev_set_allmulti properly in bond_enslave
[9f5a90c107741b864398f4ac0014711a8c1d8474]
bridge: check brport attr show in brport_show
[1b12580af1d0677c3c3a19e35bfe5d59b03f737f]
Yisheng Xie (2):
mm/mempolicy.c: avoid use uninitialized preferred_node
[8970a63e965b43288c4f5f40efbc2bbf80de7f16]
staging: android: ashmem: Fix possible deadlock in ashmem_ioctl
[740a5759bf222332fbb5eda42f89aa25ba38f9b2]
Yufen Yu (1):
md raid10: fix NULL deference in handle_write_completed()
[01a69cab01c184d3786af09e9339311123d63d22]
Yunlei He (1):
f2fs: fix a panic caused by NULL flush_cmd_control
[d4fdf8ba0e5808ba9ad6b44337783bd9935e0982]
Zhang Bo (1):
Input: matrix_keypad - fix race when disabling interrupts
[ea4f7bd2aca9f68470e9aac0fc9432fd180b1fe7]
Zhouyi Zhou (1):
ext4: save error to disk in __ext4_grp_locked_error()
[06f29cc81f0350261f59643a505010531130eea0]
Zygo Blaxell (1):
btrfs: remove spurious WARN_ON(ref->count < 0) in find_parent_nodes
[c8195a7b1ad5648857ce20ba24f384faed8512bc]
Documentation/device-mapper/thin-provisioning.txt | 8 +-
Documentation/devicetree/bindings/dma/snps-dma.txt | 2 +-
Documentation/filesystems/ext4.txt | 2 +-
Makefile | 4 +-
arch/alpha/kernel/pci_impl.h | 3 +-
arch/alpha/kernel/process.c | 3 +-
arch/arm/boot/dts/exynos4412-trats2.dts | 2 +-
arch/arm/boot/dts/omap3-n900.dts | 4 +-
arch/arm/boot/dts/spear1310-evb.dts | 2 +-
arch/arm/boot/dts/spear1340.dtsi | 4 +-
arch/arm/boot/dts/spear13xx.dtsi | 6 +-
arch/arm/boot/dts/spear600.dtsi | 1 +
arch/arm/kvm/handle_exit.c | 13 +-
arch/arm/mach-mvebu/Kconfig | 4 +-
arch/arm/xen/enlighten.c | 1 +
arch/arm64/kernel/process.c | 16 +-
arch/arm64/kernel/traps.c | 58 +-
arch/arm64/kvm/handle_exit.c | 9 +
arch/ia64/scripts/unwcheck.py | 16 +-
arch/mips/boot/compressed/Makefile | 6 +-
arch/mips/kernel/smp-bmips.c | 8 +-
arch/mips/kernel/traps.c | 15 +-
arch/mips/ralink/reset.c | 8 -
arch/mips/txx9/rbtx4939/setup.c | 4 +-
arch/mn10300/mm/misalignment.c | 2 +-
arch/openrisc/kernel/traps.c | 10 +-
arch/powerpc/include/asm/kvm_book3s.h | 6 +-
arch/powerpc/include/asm/topology.h | 8 +
arch/powerpc/kernel/entry_64.S | 10 +-
arch/powerpc/kvm/book3s_interrupts.S | 4 +-
arch/powerpc/kvm/book3s_pr.c | 20 +-
arch/powerpc/mm/numa.c | 5 -
arch/powerpc/platforms/pseries/hotplug-cpu.c | 2 +
arch/s390/kernel/compat_linux.c | 8 +-
arch/s390/kvm/kvm-s390.c | 1 +
arch/sh/kernel/traps_32.c | 3 +-
arch/sparc/crypto/crc32c_glue.c | 1 +
arch/x86/crypto/crc32-pclmul_glue.c | 1 +
arch/x86/crypto/crc32c-intel_glue.c | 1 +
arch/x86/include/asm/apm.h | 6 +
arch/x86/include/asm/cpufeature.h | 15 +-
arch/x86/include/asm/efi.h | 8 +
arch/x86/include/asm/intel-family.h | 11 +-
arch/x86/include/asm/kvm_host.h | 8 +-
arch/x86/include/asm/nospec-branch.h | 37 ++
arch/x86/include/asm/pgtable.h | 4 +-
arch/x86/include/asm/pgtable_types.h | 5 +
arch/x86/include/asm/vmx.h | 1 +
arch/x86/include/uapi/asm/mce.h | 4 +
arch/x86/include/uapi/asm/msr-index.h | 12 +
arch/x86/kernel/aperture_64.c | 46 +-
arch/x86/kernel/cpu/bugs.c | 19 +-
arch/x86/kernel/cpu/common.c | 75 ++-
arch/x86/kernel/cpu/intel.c | 71 +++
arch/x86/kernel/cpu/mcheck/mce.c | 26 +-
arch/x86/kernel/cpu/microcode/core.c | 2 +-
arch/x86/kernel/cpu/microcode/core_early.c | 29 +-
arch/x86/kernel/entry_64.S | 2 +-
arch/x86/kernel/traps.c | 27 +-
arch/x86/kvm/cpuid.c | 24 +-
arch/x86/kvm/cpuid.h | 31 ++
arch/x86/kvm/svm.c | 171 +++++-
arch/x86/kvm/vmx.c | 619 +++++++++++----------
arch/x86/kvm/x86.c | 111 ++--
arch/x86/mm/tlb.c | 19 +
arch/x86/oprofile/nmi_int.c | 2 +-
arch/x86/xen/mmu.c | 2 +-
arch/x86/xen/suspend.c | 24 +
arch/x86/xen/xen-head.S | 15 +
arch/xtensa/include/asm/futex.h | 23 +-
crypto/af_alg.c | 5 +
crypto/ahash.c | 33 +-
crypto/algif_hash.c | 54 +-
crypto/crc32.c | 1 +
crypto/crc32c_generic.c | 1 +
crypto/cryptd.c | 6 +-
crypto/shash.c | 25 +-
drivers/ata/ahci.c | 24 +-
drivers/ata/libata-core.c | 21 +-
drivers/ata/libata-eh.c | 3 +-
drivers/ata/libata-scsi.c | 4 +-
drivers/block/pktcdvd.c | 4 +-
drivers/block/rbd.c | 7 +-
drivers/cdrom/cdrom.c | 2 +-
drivers/char/tpm/tpm-interface.c | 4 +
drivers/char/tpm/tpm_i2c_infineon.c | 5 +-
drivers/char/tpm/tpm_i2c_nuvoton.c | 8 +-
drivers/char/tpm/tpm_tis.c | 5 +-
drivers/clocksource/fsl_ftm_timer.c | 2 +-
drivers/cpufreq/s3c24xx-cpufreq.c | 8 +-
drivers/crypto/bfin_crc.c | 3 +-
drivers/crypto/caam/ctrl.c | 8 +-
drivers/crypto/s5p-sss.c | 12 +-
drivers/devfreq/devfreq.c | 2 +-
drivers/edac/octeon_edac-lmc.c | 1 +
drivers/firmware/dmi_scan.c | 22 +-
drivers/gpu/drm/drm_edid.c | 3 +
drivers/gpu/drm/drm_probe_helper.c | 20 +
drivers/gpu/drm/nouveau/nouveau_connector.c | 18 +-
drivers/gpu/drm/radeon/cik.c | 31 +-
drivers/gpu/drm/radeon/radeon_connectors.c | 105 ++--
drivers/gpu/drm/radeon/radeon_device.c | 4 +
drivers/gpu/drm/radeon/radeon_gem.c | 2 -
drivers/gpu/drm/radeon/radeon_object.c | 2 +
drivers/gpu/drm/radeon/radeon_uvd.c | 2 +-
drivers/gpu/drm/radeon/si_dpm.c | 5 +
drivers/gpu/drm/ttm/ttm_bo.c | 3 +-
drivers/gpu/drm/udl/udl_fb.c | 9 +-
drivers/hid/hid-core.c | 3 +
drivers/hid/hid-ids.h | 4 +
drivers/hid/hid-roccat-kovaplus.c | 2 +
drivers/hid/usbhid/hid-quirks.c | 1 +
drivers/iio/imu/adis_trigger.c | 7 +-
drivers/iio/industrialio-buffer.c | 2 +-
drivers/infiniband/core/cma.c | 5 +-
drivers/infiniband/core/iwpm_util.c | 1 +
drivers/infiniband/core/ucma.c | 51 +-
drivers/infiniband/hw/mlx4/main.c | 13 +-
drivers/infiniband/hw/mlx5/cq.c | 7 +-
drivers/infiniband/hw/mlx5/qp.c | 5 +-
drivers/infiniband/hw/mlx5/srq.c | 15 +-
drivers/infiniband/ulp/ipoib/ipoib_fs.c | 2 -
drivers/input/keyboard/matrix_keypad.c | 4 +-
drivers/input/touchscreen/edt-ft5x06.c | 14 +-
drivers/input/touchscreen/mms114.c | 2 +-
drivers/md/bcache/super.c | 27 +-
drivers/md/raid10.c | 6 +-
drivers/media/pci/bt8xx/bt878.c | 3 +-
drivers/media/platform/exynos4-is/fimc-isp.c | 14 +-
drivers/media/usb/cpia2/cpia2_v4l.c | 4 +-
drivers/media/usb/dvb-usb-v2/lmedm04.c | 39 +-
drivers/media/usb/dvb-usb/cxusb.c | 2 +
drivers/media/usb/dvb-usb/dib0700_devices.c | 1 +
drivers/misc/lkdtm.c | 2 +-
drivers/mmc/card/block.c | 21 +
drivers/mmc/host/dw_mmc-exynos.c | 1 +
drivers/mmc/host/dw_mmc.c | 68 ++-
drivers/mmc/host/dw_mmc.h | 2 +
drivers/mmc/host/sdhci-pci.c | 27 +
drivers/mmc/host/sdhci.c | 7 +-
drivers/mmc/host/sdhci.h | 1 +
drivers/mtd/chips/jedec_probe.c | 2 +
drivers/mtd/nand/nand_base.c | 5 +-
drivers/mtd/ubi/vmt.c | 15 +-
drivers/mtd/ubi/wl.c | 8 +-
drivers/net/bonding/bond_main.c | 73 +--
drivers/net/can/cc770/cc770.c | 100 ++--
drivers/net/can/cc770/cc770.h | 2 +
drivers/net/ethernet/broadcom/bcmsysport.c | 33 +-
drivers/net/ethernet/broadcom/bcmsysport.h | 2 +-
drivers/net/ethernet/intel/e1000e/ich8lan.c | 2 +-
drivers/net/ethernet/intel/e1000e/mac.c | 2 +-
drivers/net/ethernet/mellanox/mlx4/en_dcb_nl.c | 23 +-
drivers/net/ethernet/mellanox/mlx4/en_ethtool.c | 27 +-
drivers/net/ethernet/mellanox/mlx4/en_main.c | 4 +-
drivers/net/ethernet/mellanox/mlx4/mr.c | 40 +-
drivers/net/ethernet/mellanox/mlx4/qp.c | 3 +
drivers/net/slip/slip.c | 4 +-
drivers/net/team/team.c | 4 +-
drivers/net/tun.c | 2 +-
drivers/net/wireless/ath/ath9k/htc_drv_main.c | 4 +
drivers/net/wireless/brcm80211/brcmfmac/p2p.c | 24 +-
drivers/net/wireless/ti/wl1251/main.c | 3 +-
drivers/pci/quirks.c | 2 +
drivers/pinctrl/core.c | 24 +-
drivers/platform/x86/apple-gmux.c | 48 +-
drivers/power/ab8500_charger.c | 6 +-
drivers/s390/net/qeth_core.h | 5 +
drivers/s390/net/qeth_core_main.c | 16 +-
drivers/s390/net/qeth_l2_main.c | 2 +-
drivers/s390/net/qeth_l3_main.c | 2 +-
drivers/scsi/aacraid/aachba.c | 22 +-
drivers/scsi/arm/fas216.c | 2 +-
drivers/scsi/ibmvscsi/ibmvfc.h | 2 +-
drivers/scsi/ipr.c | 3 +-
drivers/scsi/libsas/sas_ata.c | 4 +-
drivers/scsi/libsas/sas_discover.c | 32 +-
drivers/scsi/libsas/sas_expander.c | 11 +-
drivers/scsi/libsas/sas_internal.h | 1 +
drivers/scsi/libsas/sas_port.c | 3 +
drivers/spi/spi-imx.c | 15 +-
drivers/spi/spi-sun6i.c | 2 +-
drivers/staging/android/ashmem.c | 32 +-
drivers/staging/android/binder.c | 14 +-
drivers/staging/iio/adc/ad7192.c | 29 +-
drivers/staging/iio/adc/ad7192.h | 2 +-
drivers/staging/iio/adc/ad7280a.c | 4 +-
.../lustre/libcfs/linux/linux-crypto-adler.c | 1 +
drivers/staging/lustre/lustre/libcfs/tracefile.c | 2 +-
drivers/staging/rts5208/ms.c | 3 +-
drivers/staging/usbip/stub_dev.c | 3 +
drivers/staging/usbip/userspace/src/usbip_bind.c | 9 +
drivers/staging/usbip/userspace/src/usbip_list.c | 9 +
drivers/staging/usbip/vhci_hcd.c | 2 +
drivers/tty/n_tty.c | 6 +
drivers/tty/serial/8250/8250_pci.c | 11 +
drivers/tty/serial/atmel_serial.c | 1 +
drivers/tty/serial/sh-sci.c | 2 +
drivers/tty/vt/vt.c | 8 +-
drivers/usb/class/cdc-acm.c | 5 +-
drivers/usb/core/message.c | 4 +
drivers/usb/core/quirks.c | 6 +-
drivers/usb/dwc3/gadget.c | 2 +
drivers/usb/gadget/f_fs.c | 9 +-
drivers/usb/host/ohci-q.c | 17 +-
drivers/usb/host/xhci-pci.c | 3 +
drivers/usb/host/xhci.c | 3 +
drivers/usb/host/xhci.h | 1 +
drivers/usb/misc/ldusb.c | 6 +
drivers/usb/mon/mon_text.c | 124 +++--
drivers/usb/serial/Kconfig | 3 +
drivers/usb/serial/io_edgeport.c | 1 -
drivers/usb/serial/option.c | 5 +
drivers/usb/serial/pl2303.c | 1 +
drivers/usb/serial/pl2303.h | 1 +
drivers/usb/serial/usb-serial-simple.c | 26 +-
drivers/usb/storage/uas.c | 22 +-
drivers/usb/storage/unusual_devs.h | 7 +
drivers/vhost/net.c | 1 +
drivers/video/console/dummycon.c | 1 -
drivers/video/fbdev/atmel_lcdfb.c | 10 +-
drivers/video/fbdev/sbuslib.c | 4 +-
drivers/xen/events/events_base.c | 4 +-
drivers/xen/manage.c | 9 +-
fs/aio.c | 134 +++--
fs/btrfs/backref.c | 11 +-
fs/btrfs/inode.c | 44 +-
fs/btrfs/sysfs.c | 6 +-
fs/btrfs/transaction.c | 20 +-
fs/btrfs/tree-log.c | 14 +-
fs/btrfs/volumes.c | 11 +-
fs/cifs/cifsencrypt.c | 3 +-
fs/cifs/cifssmb.c | 4 +-
fs/cifs/connect.c | 4 +-
fs/cifs/file.c | 26 +-
fs/cifs/misc.c | 14 +-
fs/cifs/smb2pdu.c | 6 +-
fs/dcache.c | 11 +-
fs/ext4/balloc.c | 17 +-
fs/ext4/ialloc.c | 6 +
fs/ext4/inode.c | 6 +
fs/ext4/super.c | 1 +
fs/f2fs/segment.c | 5 +-
fs/hugetlbfs/inode.c | 26 +-
fs/jffs2/fs.c | 1 -
fs/kernfs/file.c | 2 +-
fs/namei.c | 5 +-
fs/ncpfs/ncplib_kernel.c | 4 +
fs/nfs/direct.c | 4 +-
fs/nfs/idmap.c | 6 +-
fs/nfs/internal.h | 1 -
fs/nfs/nfs4sysctl.c | 2 +-
fs/nfs/pagelist.c | 26 +-
fs/nfs/pnfs.c | 6 +-
fs/nfs/super.c | 2 +
fs/nfs/write.c | 2 +
fs/ocfs2/cluster/nodemanager.c | 63 ++-
fs/pipe.c | 198 ++++---
include/crypto/hash.h | 34 +-
include/crypto/internal/hash.h | 2 +
include/drm/drm_crtc_helper.h | 1 +
include/linux/crypto.h | 8 +
include/linux/fs.h | 4 +
include/linux/libata.h | 1 +
include/linux/mlx5/driver.h | 4 +-
include/linux/mmc/sdhci.h | 1 +
include/linux/nospec.h | 3 +-
include/linux/pipe_fs_i.h | 4 +-
include/linux/skbuff.h | 17 +
include/linux/usb/quirks.h | 3 +
include/linux/workqueue.h | 1 +
include/net/ip.h | 11 +-
include/net/ip_fib.h | 1 +
include/net/regulatory.h | 2 +-
include/net/route.h | 3 +-
include/net/sch_generic.h | 8 +
include/net/sctp/sctp.h | 7 +-
include/net/udplite.h | 1 +
include/scsi/libsas.h | 33 +-
include/scsi/scsi_transport_sas.h | 1 +
include/uapi/linux/if_ether.h | 3 +
include/uapi/linux/usb/audio.h | 4 +-
include/xen/xen-ops.h | 1 +
kernel/async.c | 20 +-
kernel/events/hw_breakpoint.c | 30 +-
kernel/hrtimer.c | 7 +-
kernel/posix-timers.c | 15 +-
kernel/relay.c | 2 +-
kernel/sysctl.c | 33 +-
kernel/trace/trace_kprobe.c | 4 +-
kernel/trace/trace_probe.c | 8 +-
kernel/trace/trace_probe.h | 2 +-
kernel/workqueue.c | 16 +
mm/hugetlb.c | 9 +
mm/madvise.c | 3 +-
mm/memory.c | 2 +-
mm/mempolicy.c | 3 +
mm/vmscan.c | 14 +-
net/9p/trans_virtio.c | 3 +-
net/batman-adv/bat_iv_ogm.c | 16 +-
net/batman-adv/distributed-arp-table.c | 2 +-
net/batman-adv/fragmentation.c | 3 +-
net/batman-adv/gateway_client.c | 3 +
net/batman-adv/hard-interface.c | 9 +-
net/batman-adv/multicast.c | 4 +-
net/batman-adv/originator.c | 4 +-
net/batman-adv/originator.h | 4 +-
net/batman-adv/routing.c | 21 +-
net/batman-adv/soft-interface.c | 8 +-
net/batman-adv/types.h | 9 +-
net/bluetooth/hidp/core.c | 3 +-
net/bridge/br_sysfs_if.c | 3 +
net/bridge/netfilter/ebt_among.c | 55 +-
net/bridge/netfilter/ebtables.c | 17 +-
net/core/dev.c | 13 +-
net/core/skbuff.c | 11 +-
net/dccp/proto.c | 5 +
net/decnet/af_decnet.c | 62 ++-
net/ipv4/igmp.c | 4 +
net/ipv4/ip_sockglue.c | 21 +-
net/ipv4/ip_tunnel.c | 30 +-
net/ipv4/ip_vti.c | 2 -
net/ipv4/netfilter/ipt_CLUSTERIP.c | 24 +-
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 6 +-
net/ipv4/route.c | 114 ++--
net/ipv4/udp.c | 5 +
net/ipv4/xfrm4_policy.c | 1 +
net/ipv6/ip6_checksum.c | 5 +
net/ipv6/ip6_output.c | 13 +-
net/ipv6/ipv6_sockglue.c | 27 +-
net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c | 18 +-
net/ipv6/netfilter/nf_nat_l3proto_ipv6.c | 4 +
net/l2tp/l2tp_core.c | 202 +++----
net/l2tp/l2tp_core.h | 26 +-
net/l2tp/l2tp_ip.c | 10 +-
net/l2tp/l2tp_ip6.c | 8 +-
net/l2tp/l2tp_ppp.c | 126 ++---
net/mac80211/cfg.c | 2 +-
net/netfilter/nf_nat_proto_common.c | 7 +-
net/netfilter/xt_IDLETIMER.c | 9 +-
net/netfilter/xt_LED.c | 12 +-
net/netfilter/xt_RATEEST.c | 22 +-
net/netlink/af_netlink.c | 3 +
net/netlink/genetlink.c | 12 +-
net/nfc/llcp_commands.c | 4 +
net/nfc/netlink.c | 3 +-
net/sched/sch_netem.c | 6 +-
net/sctp/sm_make_chunk.c | 8 +-
net/xfrm/xfrm_user.c | 21 +-
security/integrity/ima/ima_appraise.c | 3 +-
sound/core/oss/pcm_oss.c | 4 +-
sound/core/pcm_native.c | 2 +-
sound/core/seq/seq_clientmgr.c | 29 +-
sound/core/seq/seq_fifo.c | 2 +-
sound/core/seq/seq_memory.c | 14 +-
sound/core/seq/seq_memory.h | 3 +-
sound/core/seq/seq_prioq.c | 28 +-
sound/core/seq/seq_prioq.h | 6 +-
sound/core/seq/seq_queue.c | 28 +-
sound/drivers/aloop.c | 17 +-
sound/pci/hda/patch_realtek.c | 25 +-
sound/soc/au1x/ac97c.c | 6 +-
sound/soc/codecs/rt5651.c | 1 +
sound/soc/nuc900/nuc900-ac97.c | 4 +-
sound/usb/pcm.c | 9 +
sound/usb/quirks-table.h | 47 ++
tools/perf/builtin-record.c | 13 +
tools/perf/util/annotate.c | 8 +-
tools/perf/util/evlist.c | 28 +
tools/perf/util/evlist.h | 3 +
tools/perf/util/session.c | 3 +-
.../testing/selftests/rcutorture/bin/configinit.sh | 2 +-
tools/testing/selftests/rcutorture/bin/kvm.sh | 4 +-
virt/kvm/kvm_main.c | 3 +-
374 files changed, 3739 insertions(+), 2144 deletions(-)
--
Ben Hutchings
The most exhausting thing in life is being insincere.
- Anne Morrow Lindberg
* [PATCH 3.16 245/410] IB/ipoib: Do not warn if IPoIB debugfs doesn't exist
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Alaa Hleihel, Jason Gunthorpe, Dennis Dalessandro, Leon Romanovsky
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Alaa Hleihel <alaa@mellanox.com>
commit 14fa91e0fef8e4d6feb8b1fa2a807828e0abe815 upstream.
netdev_wait_allrefs() could rebroadcast NETDEV_UNREGISTER event
multiple times until all refs are gone, which will result in calling
ipoib_delete_debug_files multiple times and printing a warning.
Remove the WARN_ONCE since checks of NULL pointers before calling
debugfs_remove are not needed.
Fixes: 771a52584096 ("IB/IPoIB: ibX: failed to create mcg debug file")
Signed-off-by: Alaa Hleihel <alaa@mellanox.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Reviewed-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/infiniband/ulp/ipoib/ipoib_fs.c | 2 --
1 file changed, 2 deletions(-)
--- a/drivers/infiniband/ulp/ipoib/ipoib_fs.c
+++ b/drivers/infiniband/ulp/ipoib/ipoib_fs.c
@@ -281,8 +281,6 @@ void ipoib_delete_debug_files(struct net
{
struct ipoib_dev_priv *priv = netdev_priv(dev);
- WARN_ONCE(!priv->mcg_dentry, "null mcg debug file\n");
- WARN_ONCE(!priv->path_dentry, "null path debug file\n");
debugfs_remove(priv->mcg_dentry);
debugfs_remove(priv->path_dentry);
priv->mcg_dentry = priv->path_dentry = NULL;
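Review bot: with both WARN_ONCE() lines removed at the top of ipoib_delete_debug_files(), nothing in the function says why NULL dentries are expected here. A short comment above the two debugfs_remove() calls, noting that a rebroadcast NETDEV_UNREGISTER can re-enter this function after `priv->mcg_dentry = priv->path_dentry = NULL;` has already run, would keep the warnings from being reintroduced later. The change also relies on debugfs_remove() ignoring a NULL argument, as the commit message states; that behaviour is not visible in this hunk and should be confirmed against the 3.16 tree.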
* [PATCH 3.16 071/410] power: supply: ab8500_charger: Fix an error handling path
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Sebastian Reichel, Christophe JAILLET
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
commit bf59fddde1c3eab89eb8dca8f3d3dc097887d2bb upstream.
'ret' is known to be 0 at this point, because it has not been updated by the
previous call to 'abx500_mask_and_set_register_interruptible()'.
Fix it by updating 'ret' before checking if an error occurred.
Fixes: 84edbeeab67c ("ab8500-charger: AB8500 charger driver")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.co.uk>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/power/ab8500_charger.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/power/ab8500_charger.c
+++ b/drivers/power/ab8500_charger.c
@@ -3224,7 +3224,7 @@ static int ab8500_charger_init_hw_regist
}
/* Enable backup battery charging */
- abx500_mask_and_set_register_interruptible(di->dev,
+ ret = abx500_mask_and_set_register_interruptible(di->dev,
AB8500_RTC, AB8500_RTC_CTRL_REG,
RTC_BUP_CH_ENA, RTC_BUP_CH_ENA);
if (ret < 0)
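Review bot: with `ret` now assigned, the `if (ret < 0)` branch at the end of this hunk becomes reachable for the first time, so its body (outside the visible context) has never actually run; check that the message and cleanup there are right for a failed RTC_BUP_CH_ENA write. The diffstat shows only the first line of the call changed, so the continuation lines are no longer aligned with the opening parenthesis after the `ret = ` prefix and should be re-indented.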
* [PATCH 3.16 022/410] sctp: verify size of a new chunk in _sctp_make_chunk()
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, David S. Miller, Marcelo Ricardo Leitner, Alexey Kodanev,
Neil Horman
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Alexey Kodanev <alexey.kodanev@oracle.com>
commit 07f2c7ab6f8d0a7e7c5764c4e6cc9c52951b9d9c upstream.
When SCTP makes INIT or INIT_ACK packet the total chunk length
can exceed SCTP_MAX_CHUNK_LEN which leads to kernel panic when
transmitting these packets, e.g. the crash on sending INIT_ACK:
[ 597.804948] skbuff: skb_over_panic: text:00000000ffae06e4 len:120168
put:120156 head:000000007aa47635 data:00000000d991c2de
tail:0x1d640 end:0xfec0 dev:<NULL>
...
[ 597.976970] ------------[ cut here ]------------
[ 598.033408] kernel BUG at net/core/skbuff.c:104!
[ 600.314841] Call Trace:
[ 600.345829] <IRQ>
[ 600.371639] ? sctp_packet_transmit+0x2095/0x26d0 [sctp]
[ 600.436934] skb_put+0x16c/0x200
[ 600.477295] sctp_packet_transmit+0x2095/0x26d0 [sctp]
[ 600.540630] ? sctp_packet_config+0x890/0x890 [sctp]
[ 600.601781] ? __sctp_packet_append_chunk+0x3b4/0xd00 [sctp]
[ 600.671356] ? sctp_cmp_addr_exact+0x3f/0x90 [sctp]
[ 600.731482] sctp_outq_flush+0x663/0x30d0 [sctp]
[ 600.788565] ? sctp_make_init+0xbf0/0xbf0 [sctp]
[ 600.845555] ? sctp_check_transmitted+0x18f0/0x18f0 [sctp]
[ 600.912945] ? sctp_outq_tail+0x631/0x9d0 [sctp]
[ 600.969936] sctp_cmd_interpreter.isra.22+0x3be1/0x5cb0 [sctp]
[ 601.041593] ? sctp_sf_do_5_1B_init+0x85f/0xc30 [sctp]
[ 601.104837] ? sctp_generate_t1_cookie_event+0x20/0x20 [sctp]
[ 601.175436] ? sctp_eat_data+0x1710/0x1710 [sctp]
[ 601.233575] sctp_do_sm+0x182/0x560 [sctp]
[ 601.284328] ? sctp_has_association+0x70/0x70 [sctp]
[ 601.345586] ? sctp_rcv+0xef4/0x32f0 [sctp]
[ 601.397478] ? sctp6_rcv+0xa/0x20 [sctp]
...
Here the chunk size for INIT_ACK packet becomes too big, mostly
because of the state cookie (INIT packet has large size with
many address parameters), plus additional server parameters.
Later this chunk causes the panic in skb_put_data():
skb_packet_transmit()
sctp_packet_pack()
skb_put_data(nskb, chunk->skb->data, chunk->skb->len);
'nskb' (head skb) was previously allocated with packet->size
from u16 'chunk->chunk_hdr->length'.
As suggested by Marcelo we should check the chunk's length in
_sctp_make_chunk() before trying to allocate skb for it and
discard a chunk if its size is bigger than SCTP_MAX_CHUNK_LEN.
Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leinter@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16:
- Keep using WORD_ROUND() instead of SCTP_PAD4()
- Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/sctp/sm_make_chunk.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c
@@ -1367,10 +1367,14 @@ static struct sctp_chunk *_sctp_make_chu
sctp_chunkhdr_t *chunk_hdr;
struct sk_buff *skb;
struct sock *sk;
+ int chunklen;
+
+ chunklen = WORD_ROUND(sizeof(*chunk_hdr) + paylen);
+ if (chunklen > SCTP_MAX_CHUNK_LEN)
+ goto nodata;
/* No need to allocate LL here, as this is only a chunk. */
- skb = alloc_skb(WORD_ROUND(sizeof(sctp_chunkhdr_t) + paylen),
- GFP_ATOMIC);
+ skb = alloc_skb(chunklen, GFP_ATOMIC);
if (!skb)
goto nodata;
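Review bot: the new length check jumps to the same `nodata` label as a failed alloc_skb(), so a chunk rejected for exceeding SCTP_MAX_CHUNK_LEN looks to the caller exactly like an out-of-memory condition; a one-line comment above `if (chunklen > SCTP_MAX_CHUNK_LEN)` saying why oversized chunks are dropped here would help. `chunklen` is also a signed int holding a sum that includes a sizeof() term, and the type of `paylen` is not visible in this hunk, so confirm that a very large or negative `paylen` cannot produce a value that passes the comparison.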
* [PATCH 3.16 263/410] cfg80211: fix cfg80211_beacon_dup
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Johannes Berg, Arnd Bergmann
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
commit bee92d06157fc39d5d7836a061c7d41289a55797 upstream.
gcc-8 warns about some obviously incorrect code:
net/mac80211/cfg.c: In function 'cfg80211_beacon_dup':
net/mac80211/cfg.c:2896:3: error: 'memcpy' source argument is the same as destination [-Werror=restrict]
From the context, I conclude that we want to copy from beacon into
new_beacon, as we do in the rest of the function.
Fixes: 73da7d5bab79 ("mac80211: add channel switch command and beacon callbacks")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/mac80211/cfg.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -3054,7 +3054,7 @@ cfg80211_beacon_dup(struct cfg80211_beac
}
if (beacon->probe_resp_len) {
new_beacon->probe_resp_len = beacon->probe_resp_len;
- beacon->probe_resp = pos;
+ new_beacon->probe_resp = pos;
memcpy(pos, beacon->probe_resp, beacon->probe_resp_len);
pos += beacon->probe_resp_len;
}
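Review bot: the commit message describes only the gcc-8 warning, but the removed line `beacon->probe_resp = pos;` also had a runtime effect that deserves a sentence: it redirected the source beacon's pointer at the new buffer and never assigned `new_beacon->probe_resp` in this block, even though `new_beacon->probe_resp_len` was set. Spelling that out makes the stable relevance clear to anyone triaging the backport.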
* [PATCH 3.16 380/410] libata: Modify quirks for MX100 to limit NCQ_TRIM quirk to MU01 version
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Hans de Goede, Tejun Heo
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Hans de Goede <hdegoede@redhat.com>
commit d418ff56b8f2d2b296daafa8da151fe27689b757 upstream.
When commit 9c7be59fc519af ("libata: Apply NOLPM quirk to Crucial MX100
512GB SSDs") was added it inherited the ATA_HORKAGE_NO_NCQ_TRIM quirk
from the existing "Crucial_CT*MX100*" entry, but that entry sets model_rev
to "MU01", whereas the entry adding the NOLPM quirk sets it to NULL.
This means that after this commit we now apply the NO_NCQ_TRIM quirk to
all "Crucial_CT512MX100*" SSDs even if they have the fixed "MU02"
firmware. This commit splits the "Crucial_CT512MX100*" quirk into 2
quirks, one for the "MU01" firmware and one for all other firmware
versions, so that we once again only apply the NO_NCQ_TRIM quirk to the
"MU01" firmware version.
Fixes: 9c7be59fc519af ("libata: Apply NOLPM quirk to ... MX100 512GB SSDs")
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
[bwh: Backported to 3.16: There's no ATA_HORKAGE_ZERO_AFTER_TRIM flag]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/ata/libata-core.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/drivers/ata/libata-core.c
+++ b/drivers/ata/libata-core.c
@@ -4227,9 +4227,11 @@ static const struct ata_blacklist_entry
/* Crucial BX100 SSD 500GB has broken LPM support */
{ "CT500BX100SSD1", NULL, ATA_HORKAGE_NOLPM },
- /* The 512GB version of the MX100 has both queued TRIM and LPM issues */
- { "Crucial_CT512MX100*", NULL, ATA_HORKAGE_NO_NCQ_TRIM |
+ /* 512GB MX100 with MU01 firmware has both queued TRIM and LPM issues */
+ { "Crucial_CT512MX100*", "MU01", ATA_HORKAGE_NO_NCQ_TRIM |
ATA_HORKAGE_NOLPM, },
+ /* 512GB MX100 with newer firmware has only LPM issues */
+ { "Crucial_CT512MX100*", NULL, ATA_HORKAGE_NOLPM, },
/* 480GB+ M500 SSDs have both queued TRIM and LPM issues */
{ "Crucial_CT480M500*", NULL, ATA_HORKAGE_NO_NCQ_TRIM |
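Review bot: the two "Crucial_CT512MX100*" entries depend on their order, because the second one has a NULL revision and therefore also matches MU01 firmware; assuming the lookup stops at the first matching entry, swapping them would silently drop NO_NCQ_TRIM for MU01 again. Record that in the comment on the second entry, for example by adding "must follow the MU01 entry".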
* [PATCH 3.16 152/410] USB: serial: add support for multi-port simple drivers
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Johan Hovold
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit b9f040389e23fb95fde36cb0a3c2c516fb3e9d1c upstream.
Add support for multi-port simple drivers.
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/serial/usb-serial-simple.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/drivers/usb/serial/usb-serial-simple.c
+++ b/drivers/usb/serial/usb-serial-simple.c
@@ -20,7 +20,7 @@
#include <linux/usb.h>
#include <linux/usb/serial.h>
-#define DEVICE(vendor, IDS) \
+#define DEVICE_N(vendor, IDS, nport) \
static const struct usb_device_id vendor##_id_table[] = { \
IDS(), \
{ }, \
@@ -31,9 +31,10 @@ static struct usb_serial_driver vendor##
.name = #vendor, \
}, \
.id_table = vendor##_id_table, \
- .num_ports = 1, \
+ .num_ports = nport, \
};
+#define DEVICE(vendor, IDS) DEVICE_N(vendor, IDS, 1)
/* ZIO Motherboard USB driver */
#define ZIO_IDS() \
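Review bot: `.num_ports = nport` and the new `DEVICE()` wrapper arrive without any comment, and the one-line commit message does not name the driver that needs more than one port. A short comment above the macros stating that `nport` becomes `.num_ports`, plus a mention of the intended user in the message, would justify carrying this in a stable series.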
* [PATCH 3.16 088/410] RDMA/cma: Use correct size when writing netlink stats
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Leon Romanovsky, Parav Pandit, Daniel Jurgens, Jason Gunthorpe
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Parav Pandit <parav@mellanox.com>
commit 7baaa49af3716fb31877c61f59b74d029ce15b75 upstream.
The code was using the src size when formatting the dst. They are almost
certainly the same value but it reads wrong.
Fixes: ce117ffac2e9 ("RDMA/cma: Export AF_IB statistics")
Signed-off-by: Parav Pandit <parav@mellanox.com>
Reviewed-by: Daniel Jurgens <danielj@mellanox.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/infiniband/core/cma.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/infiniband/core/cma.c
+++ b/drivers/infiniband/core/cma.c
@@ -3637,7 +3637,7 @@ static int cma_get_id_stats(struct sk_bu
RDMA_NL_RDMA_CM_ATTR_SRC_ADDR))
goto out;
if (ibnl_put_attr(skb, nlh,
- rdma_addr_size(cma_src_addr(id_priv)),
+ rdma_addr_size(cma_dst_addr(id_priv)),
cma_dst_addr(id_priv),
RDMA_NL_RDMA_CM_ATTR_DST_ADDR))
goto out;
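Review bot: the mismatch fixed here comes from calling the address accessor twice per attribute, once inside `rdma_addr_size()` and once for the data argument. Taking `cma_dst_addr(id_priv)` into a local and passing that to both places (and doing the same for the source address above) would keep the pair from drifting apart again.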
* [PATCH 3.16 232/410] ALSA: hda/realtek: PCI quirk for Fujitsu U7x7
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Jan-Marek Glogowski, Takashi Iwai
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jan-Marek Glogowski <glogow@fbihome.de>
commit fdcc968a3b290407bcba9d4c90e2fba6d8d928f1 upstream.
These laptops have a combined jack to attach headsets, the U727 on
the left, the U757 on the right, but a headset's microphone doesn't
work. Using hdajacksensetest I found that pin 0x19 changed the
present state when plugging the headset, in addition to 0x21, but
didn't have the correct configuration (shown as "Not connected").
So this sets the configuration to the same values as the headphone
pin 0x21 except for the device type microphone, which makes it
work correctly. With the patch the configured pins for U727 are
Pin 0x12 (Internal Mic, Mobile-In): present = No
Pin 0x14 (Internal Speaker): present = No
Pin 0x19 (Black Mic, Left side): present = No
Pin 0x1d (Internal Aux): present = No
Pin 0x21 (Black Headphone, Left side): present = No
Signed-off-by: Jan-Marek Glogowski <glogow@fbihome.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
sound/pci/hda/patch_realtek.c | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -3289,6 +3289,19 @@ static void alc269_fixup_pincfg_no_hp_to
spec->parse_flags = HDA_PINCFG_NO_HP_FIXUP;
}
+static void alc269_fixup_pincfg_U7x7_headset_mic(struct hda_codec *codec,
+ const struct hda_fixup *fix,
+ int action)
+{
+ unsigned int cfg_headphone = snd_hda_codec_get_pincfg(codec, 0x21);
+ unsigned int cfg_headset_mic = snd_hda_codec_get_pincfg(codec, 0x19);
+
+ if (cfg_headphone && cfg_headset_mic == 0x411111f0)
+ snd_hda_codec_set_pincfg(codec, 0x19,
+ (cfg_headphone & ~AC_DEFCFG_DEVICE) |
+ (AC_JACK_MIC_IN << AC_DEFCFG_DEVICE_SHIFT));
+}
+
static void alc269_fixup_hweq(struct hda_codec *codec,
const struct hda_fixup *fix, int action)
{
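Review bot: alc269_fixup_pincfg_U7x7_headset_mic() never looks at its `action` argument, so the pin 0x19 rewrite runs on every fixup stage the core invokes rather than once; gate it on the stage where pin configurations are meant to be overridden. The literal 0x411111f0 also needs a comment or a named constant saying what state it represents (the commit message mentions "Not connected").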
@@ -4292,6 +4305,7 @@ enum {
ALC269_FIXUP_LIFEBOOK_EXTMIC,
ALC269_FIXUP_LIFEBOOK_HP_PIN,
ALC269_FIXUP_LIFEBOOK_NO_HP_TO_LINEOUT,
+ ALC255_FIXUP_LIFEBOOK_U7x7_HEADSET_MIC,
ALC269_FIXUP_AMIC,
ALC269_FIXUP_DMIC,
ALC269VB_FIXUP_AMIC,
@@ -4456,6 +4470,10 @@ static const struct hda_fixup alc269_fix
.type = HDA_FIXUP_FUNC,
.v.func = alc269_fixup_pincfg_no_hp_to_lineout,
},
+ [ALC255_FIXUP_LIFEBOOK_U7x7_HEADSET_MIC] = {
+ .type = HDA_FIXUP_FUNC,
+ .v.func = alc269_fixup_pincfg_U7x7_headset_mic,
+ },
[ALC269_FIXUP_AMIC] = {
.type = HDA_FIXUP_PINS,
.v.pins = (const struct hda_pintbl[]) {
@@ -4996,6 +5014,7 @@ static const struct snd_pci_quirk alc269
SND_PCI_QUIRK(0x10cf, 0x159f, "Lifebook E780", ALC269_FIXUP_LIFEBOOK_NO_HP_TO_LINEOUT),
SND_PCI_QUIRK(0x10cf, 0x15dc, "Lifebook T731", ALC269_FIXUP_LIFEBOOK_HP_PIN),
SND_PCI_QUIRK(0x10cf, 0x1757, "Lifebook E752", ALC269_FIXUP_LIFEBOOK_HP_PIN),
+ SND_PCI_QUIRK(0x10cf, 0x1629, "Lifebook U7x7", ALC255_FIXUP_LIFEBOOK_U7x7_HEADSET_MIC),
SND_PCI_QUIRK(0x10cf, 0x1845, "Lifebook U904", ALC269_FIXUP_LIFEBOOK_EXTMIC),
SND_PCI_QUIRK(0x17aa, 0x20f2, "Thinkpad SL410/510", ALC269_FIXUP_SKU_IGNORE),
SND_PCI_QUIRK(0x17aa, 0x215e, "Thinkpad L512", ALC269_FIXUP_SKU_IGNORE),
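Review bot: the new `SND_PCI_QUIRK(0x10cf, 0x1629, ...)` line sits between 0x1757 and 0x1845, while the surrounding 0x10cf entries are in ascending device-id order (0x159f, 0x15dc, 0x1757, 0x1845); move it to follow 0x15dc. The quirk name "Lifebook U7x7" covers two models in the commit message (U727 and U757), so it is worth stating in the message whether both report subsystem id 0x1629.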
* [PATCH 3.16 273/410] x86/mm: Fix {pmd,pud}_{set,clear}_flags()
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Andy Lutomirski, Linus Torvalds, Thomas Gleixner,
Juergen Gross, H. Peter Anvin, Josh Poimboeuf, Denys Vlasenko,
Jan Beulich, Ingo Molnar, Brian Gerst, Jan Beulich,
Peter Zijlstra, Borislav Petkov, Boris Ostrovsky
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jan Beulich <JBeulich@suse.com>
commit 842cef9113c2120f74f645111ded1e020193d84c upstream.
Just like pte_{set,clear}_flags() their PMD and PUD counterparts should
not do any address translation. This was outright wrong under Xen
(causing a dead boot with no useful output on "suitable" systems), and
produced needlessly more complicated code (even if just slightly) when
paravirt was enabled.
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Link: http://lkml.kernel.org/r/5A8AF1BB02000078001A91C3@prv-mh.provo.novell.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
[bwh: Backported to 3.16:
- There aren't any pud_{set,clear}_flags() functions
- There's no p4d level]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/x86/include/asm/pgtable.h
+++ b/arch/x86/include/asm/pgtable.h
@@ -263,14 +263,14 @@ static inline pmd_t pmd_set_flags(pmd_t
{
pmdval_t v = native_pmd_val(pmd);
- return __pmd(v | set);
+ return native_make_pmd(v | set);
}
static inline pmd_t pmd_clear_flags(pmd_t pmd, pmdval_t clear)
{
pmdval_t v = native_pmd_val(pmd);
- return __pmd(v & ~clear);
+ return native_make_pmd(v & ~clear);
}
static inline pmd_t pmd_mkold(pmd_t pmd)
--- a/arch/x86/include/asm/pgtable_types.h
+++ b/arch/x86/include/asm/pgtable_types.h
@@ -321,6 +321,11 @@ static inline pmdval_t native_pmd_val(pm
#else
#include <asm-generic/pgtable-nopmd.h>
+static inline pmd_t native_make_pmd(pmdval_t val)
+{
+ return (pmd_t) { .pud.pgd = native_make_pgd(val) };
+}
+
static inline pmdval_t native_pmd_val(pmd_t pmd)
{
return native_pgd_val(pmd.pud.pgd);
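Review bot: native_make_pmd() is added here only in the `#else` branch that includes <asm-generic/pgtable-nopmd.h>, while pmd_set_flags() and pmd_clear_flags() in pgtable.h now call it unconditionally. The other branch of this conditional is outside the visible context, so confirm that 3.16 already defines native_make_pmd() there; otherwise configurations taking that branch will fail to build.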
* [PATCH 3.16 260/410] iio: buffer: check if a buffer has been set up when poll is called
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Stefan Windfeldt-Prytz, Jonathan Cameron
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Stefan Windfeldt-Prytz <stefan.windfeldt@axis.com>
commit 4cd140bda6494543f1c1b0ccceceaa44b676eef6 upstream.
If no iio buffer has been set up and poll is called return 0.
Without this check there will be a null pointer dereference when
calling poll on an iio driver without an iio buffer.
Signed-off-by: Stefan Windfeldt-Prytz <stefan.windfeldt@axis.com>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/iio/industrialio-buffer.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/iio/industrialio-buffer.c
+++ b/drivers/iio/industrialio-buffer.c
@@ -95,7 +95,7 @@ unsigned int iio_buffer_poll(struct file
struct iio_dev *indio_dev = filp->private_data;
struct iio_buffer *rb = indio_dev->buffer;
- if (!indio_dev->info)
+ if (!indio_dev->info || rb == NULL)
return 0;
poll_wait(filp, &rb->pollq, wait);
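Review bot: the added test is written `rb == NULL` next to `!indio_dev->info` in the same condition; use `!rb` so both halves read the same way. Returning 0 here also tells poll() callers only that nothing is ready, not that the device has no buffer, so consider whether an error mask would serve userspace better than a wait that can never be satisfied.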
* [PATCH 3.16 053/410] KVM: VMX: introduce alloc_loaded_vmcs
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, David Woodhouse, Greg Kroah-Hartman, Paolo Bonzini
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Bonzini <pbonzini@redhat.com>
commit f21f165ef922c2146cc5bdc620f542953c41714b upstream.
Group together the calls to alloc_vmcs and loaded_vmcs_init. Soon we'll also
allocate an MSR bitmap there.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16:
- No loaded_vmcs::shadow_vmcs field to initialise
- Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -2999,11 +2999,6 @@ static struct vmcs *alloc_vmcs_cpu(int c
return vmcs;
}
-static struct vmcs *alloc_vmcs(void)
-{
- return alloc_vmcs_cpu(raw_smp_processor_id());
-}
-
static void free_vmcs(struct vmcs *vmcs)
{
free_pages((unsigned long)vmcs, vmcs_config.order);
@@ -3021,6 +3016,21 @@ static void free_loaded_vmcs(struct load
loaded_vmcs->vmcs = NULL;
}
+static struct vmcs *alloc_vmcs(void)
+{
+ return alloc_vmcs_cpu(raw_smp_processor_id());
+}
+
+static int alloc_loaded_vmcs(struct loaded_vmcs *loaded_vmcs)
+{
+ loaded_vmcs->vmcs = alloc_vmcs();
+ if (!loaded_vmcs->vmcs)
+ return -ENOMEM;
+
+ loaded_vmcs_init(loaded_vmcs);
+ return 0;
+}
+
static void free_kvm_area(void)
{
int cpu;
@@ -5965,6 +5975,7 @@ static int handle_vmon(struct kvm_vcpu *
struct vmcs *shadow_vmcs;
const u64 VMXON_NEEDED_FEATURES = FEATURE_CONTROL_LOCKED
| FEATURE_CONTROL_VMXON_ENABLED_OUTSIDE_SMX;
+ int r;
/* The Intel VMX Instruction Reference lists a bunch of bits that
* are prerequisite to running VMXON, most notably cr4.VMXE must be
@@ -6004,10 +6015,9 @@ static int handle_vmon(struct kvm_vcpu *
return 1;
}
- vmx->nested.vmcs02.vmcs = alloc_vmcs();
- if (!vmx->nested.vmcs02.vmcs)
+ r = alloc_loaded_vmcs(&vmx->nested.vmcs02);
+ if (r < 0)
return -ENOMEM;
- loaded_vmcs_init(&vmx->nested.vmcs02);
if (enable_shadow_vmcs) {
shadow_vmcs = alloc_vmcs();
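Review bot: in handle_vmon() the result of alloc_loaded_vmcs() is stored in `r` and then discarded by `return -ENOMEM;`. Return `r` instead, so the helper stays the single source of the error code once it gains further failure paths (the commit message already announces an MSR bitmap allocation there).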
@@ -7612,16 +7622,15 @@ static struct kvm_vcpu *vmx_create_vcpu(
goto uninit_vcpu;
}
- vmx->loaded_vmcs = &vmx->vmcs01;
- vmx->loaded_vmcs->vmcs = alloc_vmcs();
- if (!vmx->loaded_vmcs->vmcs)
- goto free_msrs;
if (!vmm_exclusive)
kvm_cpu_vmxon(__pa(per_cpu(vmxarea, raw_smp_processor_id())));
- loaded_vmcs_init(vmx->loaded_vmcs);
+ err = alloc_loaded_vmcs(&vmx->vmcs01);
if (!vmm_exclusive)
kvm_cpu_vmxoff();
+ if (err < 0)
+ goto free_msrs;
+ vmx->loaded_vmcs = &vmx->vmcs01;
cpu = get_cpu();
vmx_vcpu_load(&vmx->vcpu, cpu);
vmx->vcpu.cpu = cpu;
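Review bot: in vmx_create_vcpu() the allocation now happens between kvm_cpu_vmxon() and kvm_cpu_vmxoff(), where before only loaded_vmcs_init() ran inside that window, and the `err < 0` test is deferred until after kvm_cpu_vmxoff(). Both are easy to undo by accident, so add a comment saying the check must stay after the vmxoff, and mention the reordering in the commit message, which currently describes the change as pure grouping.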
* [PATCH 3.16 183/410] mm: pin address_space before dereferencing it while isolating an LRU page
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Linus Torvalds, Mel Gorman, Jan Kara, Minchan Kim, Huang, Ying
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Mel Gorman <mgorman@techsingularity.net>
commit 69d763fc6d3aee787a3e8c8c35092b4f4960fa5d upstream.
Minchan Kim asked the following question -- what locks protects
address_space destroying when race happens between inode truncation and
__isolate_lru_page? Jan Kara clarified by describing the race as follows
CPU1                                                CPU2
truncate(inode)                                     __isolate_lru_page()
  ...
  truncate_inode_page(mapping, page);
    delete_from_page_cache(page)
      spin_lock_irqsave(&mapping->tree_lock, flags);
        __delete_from_page_cache(page, NULL)
          page_cache_tree_delete(..)
            ...                                     mapping = page_mapping(page);
            page->mapping = NULL;
            ...
      spin_unlock_irqrestore(&mapping->tree_lock, flags);
      page_cache_free_page(mapping, page)
        put_page(page)
          if (put_page_testzero(page)) -> false
- inode now has no pages and can be freed including embedded address_space
                                                    if (mapping && !mapping->a_ops->migratepage)
- we've dereferenced mapping which is potentially already free.
The race is theoretically possible but unlikely. Before the
delete_from_page_cache, truncate_cleanup_page is called so the page is
likely to be !PageDirty or PageWriteback which gets skipped by the only
caller that checks the mapping in __isolate_lru_page. Even if the race
occurs, a substantial amount of work has to happen during a tiny window
with no preemption but it could potentially be done using a virtual
machine to artificially slow one CPU or halt it during the critical
window.
This patch should eliminate the race with truncation by try-locking the
page before dereferencing mapping and aborting if the lock was not
acquired. There was a suggestion from Huang Ying to use RCU as a
side-effect to prevent mapping being freed. However, I do not like the
solution as it's an unconventional means of preserving a mapping and
it's not a context where rcu_read_lock is obviously protecting rcu data.
Link: http://lkml.kernel.org/r/20180104102512.2qos3h5vqzeisrek@techsingularity.net
Fixes: c82449352854 ("mm: compaction: make isolate_lru_page() filter-aware again")
Signed-off-by: Mel Gorman <mgorman@techsingularity.net>
Acked-by: Minchan Kim <minchan@kernel.org>
Cc: "Huang, Ying" <ying.huang@intel.com>
Cc: Jan Kara <jack@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
mm/vmscan.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
--- a/mm/vmscan.c
+++ b/mm/vmscan.c
@@ -1206,6 +1206,7 @@ int __isolate_lru_page(struct page *page
if (PageDirty(page)) {
struct address_space *mapping;
+ bool migrate_dirty;
/* ISOLATE_CLEAN means only clean pages */
if (mode & ISOLATE_CLEAN)
@@ -1214,10 +1215,19 @@ int __isolate_lru_page(struct page *page
/*
* Only pages without mappings or that have a
* ->migratepage callback are possible to migrate
- * without blocking
+ * without blocking. However, we can be racing with
+ * truncation so it's necessary to lock the page
+ * to stabilise the mapping as truncation holds
+ * the page lock until after the page is removed
+ * from the page cache.
*/
+ if (!trylock_page(page))
+ return ret;
+
mapping = page_mapping(page);
- if (mapping && !mapping->a_ops->migratepage)
+ migrate_dirty = mapping && mapping->a_ops->migratepage;
+ unlock_page(page);
+ if (!migrate_dirty)
return ret;
}
}
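Review bot: when trylock_page() fails the function now returns `ret` before looking at the mapping at all, so a dirty page that is only momentarily locked by someone else is refused isolation even if it has no mapping or has a ->migratepage callback. The updated comment explains why the lock is taken but not this consequence; one more sentence there would help. Using `migrate_dirty` after unlock_page() is fine as written, because only the boolean leaves the locked region and `mapping` is not touched again.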
* [PATCH 3.16 307/410] serial: 8250_pci: Add Brainboxes UC-260 4 port serial device
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Nikola Ciprich, Andy Shevchenko, Greg Kroah-Hartman
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Nikola Ciprich <nikola.ciprich@linuxbox.cz>
commit 9f2068f35729948bde84d87a40d135015911345d upstream.
Add PCI ids for two variants of Brainboxes UC-260 quad port
PCI serial cards.
Suggested-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Nikola Ciprich <nikola.ciprich@linuxbox.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/tty/serial/8250/8250_pci.c | 11 +++++++++++
1 file changed, 11 insertions(+)
--- a/drivers/tty/serial/8250/8250_pci.c
+++ b/drivers/tty/serial/8250/8250_pci.c
@@ -5067,6 +5067,17 @@ static struct pci_device_id serial_pci_t
PCI_ANY_ID, PCI_ANY_ID, 0, 0, /* 135a.0dc0 */
pbn_b2_4_115200 },
/*
+ * BrainBoxes UC-260
+ */
+ { PCI_VENDOR_ID_INTASHIELD, 0x0D21,
+ PCI_ANY_ID, PCI_ANY_ID,
+ PCI_CLASS_COMMUNICATION_MULTISERIAL << 8, 0xffff00,
+ pbn_b2_4_115200 },
+ { PCI_VENDOR_ID_INTASHIELD, 0x0E34,
+ PCI_ANY_ID, PCI_ANY_ID,
+ PCI_CLASS_COMMUNICATION_MULTISERIAL << 8, 0xffff00,
+ pbn_b2_4_115200 },
+ /*
* Perle PCI-RAS cards
*/
{ PCI_VENDOR_ID_PLX, PCI_DEVICE_ID_PLX_9030,
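Review bot: the two new PCI_VENDOR_ID_INTASHIELD entries differ only in device id (0x0D21 and 0x0E34) and nothing says which UC-260 variant each one is. The entry just above carries a `/* 135a.0dc0 */` style annotation, so annotate these the same way or name the variants in the "BrainBoxes UC-260" comment.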
* [PATCH 3.16 119/410] mtd: nand: Fix nand_do_read_oob() return value
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Miquel Raynal, Boris Brezillon
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Miquel Raynal <miquel.raynal@free-electrons.com>
commit 87e89ce8d0d14f573c068c61bec2117751fb5103 upstream.
Starting from commit 041e4575f034 ("mtd: nand: handle ECC errors in
OOB"), nand_do_read_oob() (from the NAND core) did return 0 or a
negative error, and the MTD layer expected it.
However, the trend for the NAND layer is now to return an error or a
positive number of bitflips. Deciding which status to return to the user
belongs to the MTD layer.
Commit e47f68587b82 ("mtd: check for max_bitflips in mtd_read_oob()")
brought this logic to the mtd_read_oob() function while the return value
coming from nand_do_read_oob() (called by the ->_read_oob() hook) was
left unchanged.
Fixes: e47f68587b82 ("mtd: check for max_bitflips in mtd_read_oob()")
Signed-off-by: Miquel Raynal <miquel.raynal@free-electrons.com>
Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/mtd/nand/nand_base.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/mtd/nand/nand_base.c
+++ b/drivers/mtd/nand/nand_base.c
@@ -1837,6 +1837,7 @@ static int nand_write_oob_syndrome(struc
static int nand_do_read_oob(struct mtd_info *mtd, loff_t from,
struct mtd_oob_ops *ops)
{
+ unsigned int max_bitflips = 0;
int page, realpage, chipnr;
struct nand_chip *chip = mtd->priv;
struct mtd_ecc_stats stats;
@@ -1897,6 +1898,8 @@ static int nand_do_read_oob(struct mtd_i
nand_wait_ready(mtd);
}
+ max_bitflips = max_t(unsigned int, max_bitflips, ret);
+
readlen -= len;
if (!readlen)
break;
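Review bot: In the read loop, `max_t(unsigned int, max_bitflips, ret)` converts `ret` to unsigned, so a negative `ret` reaching this line would turn into a very large bitflip count and later be returned as if it were a success value. The error check on `ret` is not visible in this hunk; please confirm that negative values leave the loop before this point, or guard the update with `if (ret > 0)`.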
@@ -1922,7 +1925,7 @@ static int nand_do_read_oob(struct mtd_i
if (mtd->ecc_stats.failed - stats.failed)
return -EBADMSG;
- return mtd->ecc_stats.corrected - stats.corrected ? -EUCLEAN : 0;
+ return max_bitflips;
}
/**
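Review bot: `return max_bitflips;` changes the function's contract from 0 or -EUCLEAN to a non-negative bitflip count, but no hunk in this patch touches the function's documentation. Please update the documented return value, and check that any caller of nand_do_read_oob() other than the ->_read_oob() path named in the commit message tolerates a positive return.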
* [PATCH 3.16 285/410] batman-adv: Fix internal interface indices types
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Sven Eckelmann, Simon Wunderlich
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Sven Eckelmann <sven@narfation.org>
commit f22e08932c2960f29b5e828e745c9f3fb7c1bb86 upstream.
batman-adv uses internal indices for each enabled and active interface.
It is currently used by the B.A.T.M.A.N. IV algorithm to identify the
correct position in the ogm_cnt bitmaps.
The type for the number of enabled interfaces (which defines the next
interface index) was set to char. This type can be (depending on the
architecture) either signed (limiting batman-adv to 127 active slave
interfaces) or unsigned (limiting batman-adv to 255 active slave
interfaces).
This limit was not correctly checked when an interface was enabled and thus
an overflow happened. This was only caught on systems with the signed char
type when the B.A.T.M.A.N. IV code tried to resize its counter arrays with
a negative size.
The if_num interface index was only a s16 and therefore significantly
smaller than the ifindex (int) used by the core net code.
Both &batadv_hard_iface->if_num and &batadv_priv->num_ifaces must be
(unsigned) int to support the same number of slave interfaces as the net
core code. And the interface activation code must check the number of
active slave interfaces to avoid integer overflows.
Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
[bwh: Backported to 3.16:
- Drop changes in batadv_iv_ogm_{drop_bcast_{own,sum}_entry,orig_get}()
- Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/net/batman-adv/bat_iv_ogm.c
+++ b/net/batman-adv/bat_iv_ogm.c
@@ -105,7 +105,7 @@ static void batadv_iv_ogm_orig_free(stru
* Returns 0 on success, a negative error code otherwise.
*/
static int batadv_iv_ogm_orig_add_if(struct batadv_orig_node *orig_node,
- int max_if_num)
+ unsigned int max_if_num)
{
void *data_ptr;
size_t data_size, old_size;
@@ -150,7 +150,8 @@ unlock:
* Returns 0 on success, a negative error code otherwise.
*/
static int batadv_iv_ogm_orig_del_if(struct batadv_orig_node *orig_node,
- int max_if_num, int del_if_num)
+ unsigned int max_if_num,
+ unsigned int del_if_num)
{
int chunk_size, ret = -ENOMEM, if_offset;
void *data_ptr = NULL;
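Review bot: In batadv_iv_ogm_orig_del_if() the parameters become `unsigned int`, but the locals declared right below them, `int chunk_size, ret = -ENOMEM, if_offset;`, stay signed. If `chunk_size` and `if_offset` are computed from `max_if_num` or `del_if_num`, they should become `size_t` or `unsigned int` as well so the arithmetic is not mixed-sign.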
@@ -867,7 +868,7 @@ batadv_iv_ogm_slide_own_bcast_window(str
uint32_t i;
size_t word_index;
uint8_t *w;
- int if_num;
+ unsigned int if_num;
for (i = 0; i < hash->size; i++) {
head = &hash->table[i];
@@ -977,7 +978,7 @@ batadv_iv_ogm_orig_update(struct batadv_
struct batadv_neigh_node *neigh_node = NULL, *tmp_neigh_node = NULL;
struct batadv_neigh_node *router = NULL;
struct batadv_orig_node *orig_node_tmp;
- int if_num;
+ unsigned int if_num;
uint8_t sum_orig, sum_neigh;
uint8_t *neigh_addr;
uint8_t tq_avg;
@@ -1134,7 +1135,8 @@ static int batadv_iv_ogm_calc_tq(struct
uint8_t total_count;
uint8_t orig_eq_count, neigh_rq_count, neigh_rq_inv, tq_own;
unsigned int neigh_rq_inv_cube, neigh_rq_max_cube;
- int if_num, ret = 0;
+ unsigned int if_num;
+ int ret = 0;
unsigned int tq_asym_penalty, inv_asym_penalty;
unsigned int combined_tq;
unsigned int tq_iface_penalty;
@@ -1641,9 +1643,9 @@ static void batadv_iv_ogm_process(const
if (is_my_orig) {
unsigned long *word;
- int offset;
+ size_t offset;
int32_t bit_pos;
- int16_t if_num;
+ unsigned int if_num;
uint8_t *weight;
orig_neigh_node = batadv_iv_ogm_orig_get(bat_priv,
--- a/net/batman-adv/hard-interface.c
+++ b/net/batman-adv/hard-interface.c
@@ -411,6 +411,11 @@ int batadv_hardif_enable_interface(struc
hard_iface->soft_iface = soft_iface;
bat_priv = netdev_priv(hard_iface->soft_iface);
+ if (bat_priv->num_ifaces >= UINT_MAX) {
+ ret = -ENOSPC;
+ goto err_dev;
+ }
+
ret = netdev_master_upper_dev_link(hard_iface->net_dev, soft_iface);
if (ret)
goto err_dev;
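Review bot: `bat_priv->num_ifaces >= UINT_MAX` can only be true at equality now that the field is `unsigned int`, so `==` would state the intent more directly. The check is only effective if it and the later increment of `num_ifaces` run under the same lock; the increment is not in this hunk, so please confirm that.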
@@ -514,7 +519,7 @@ void batadv_hardif_disable_interface(str
dev_put(hard_iface->soft_iface);
/* nobody uses this interface anymore */
- if (!bat_priv->num_ifaces) {
+ if (bat_priv->num_ifaces == 0) {
batadv_gw_check_client_stop(bat_priv);
if (autodel == BATADV_IF_CLEANUP_AUTO)
@@ -571,7 +576,7 @@ batadv_hardif_add_interface(struct net_d
if (ret)
goto free_if;
- hard_iface->if_num = -1;
+ hard_iface->if_num = 0;
hard_iface->net_dev = net_dev;
hard_iface->soft_iface = NULL;
hard_iface->if_status = BATADV_IF_NOT_IN_USE;
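Review bot: `hard_iface->if_num = 0;` replaces the old `-1` "no index assigned" sentinel with a value that is also the valid index of the first interface. Any code that relied on a negative `if_num` to recognise an unassigned interface now has to look at `if_status` instead; please confirm no such test remains, or document next to the field that `if_num` is only meaningful once the interface is in use.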
--- a/net/batman-adv/originator.c
+++ b/net/batman-adv/originator.c
@@ -1069,7 +1069,7 @@ out:
}
int batadv_orig_hash_add_if(struct batadv_hard_iface *hard_iface,
- int max_if_num)
+ unsigned int max_if_num)
{
struct batadv_priv *bat_priv = netdev_priv(hard_iface->soft_iface);
struct batadv_algo_ops *bao = bat_priv->bat_algo_ops;
@@ -1105,7 +1105,7 @@ err:
}
int batadv_orig_hash_del_if(struct batadv_hard_iface *hard_iface,
- int max_if_num)
+ unsigned int max_if_num)
{
struct batadv_priv *bat_priv = netdev_priv(hard_iface->soft_iface);
struct batadv_hashtable *hash = bat_priv->orig_hash;
--- a/net/batman-adv/originator.h
+++ b/net/batman-adv/originator.h
@@ -58,9 +58,9 @@ void batadv_orig_ifinfo_free_ref(struct
int batadv_orig_seq_print_text(struct seq_file *seq, void *offset);
int batadv_orig_hardif_seq_print_text(struct seq_file *seq, void *offset);
int batadv_orig_hash_add_if(struct batadv_hard_iface *hard_iface,
- int max_if_num);
+ unsigned int max_if_num);
int batadv_orig_hash_del_if(struct batadv_hard_iface *hard_iface,
- int max_if_num);
+ unsigned int max_if_num);
struct batadv_orig_node_vlan *
batadv_orig_node_vlan_new(struct batadv_orig_node *orig_node,
unsigned short vid);
--- a/net/batman-adv/types.h
+++ b/net/batman-adv/types.h
@@ -89,7 +89,7 @@ struct batadv_hard_iface_bat_iv {
*/
struct batadv_hard_iface {
struct list_head list;
- int16_t if_num;
+ unsigned int if_num;
char if_status;
struct net_device *net_dev;
uint8_t num_bcasts;
@@ -795,7 +795,7 @@ struct batadv_priv {
atomic_t bcast_seqno;
atomic_t bcast_queue_left;
atomic_t batman_queue_left;
- char num_ifaces;
+ unsigned int num_ifaces;
struct kobject *mesh_obj;
struct dentry *debug_dir;
struct hlist_head forw_bat_list;
@@ -1166,9 +1166,10 @@ struct batadv_algo_ops {
struct batadv_hard_iface *hard_iface);
void (*bat_orig_free)(struct batadv_orig_node *orig_node);
int (*bat_orig_add_if)(struct batadv_orig_node *orig_node,
- int max_if_num);
+ unsigned int max_if_num);
int (*bat_orig_del_if)(struct batadv_orig_node *orig_node,
- int max_if_num, int del_if_num);
+ unsigned int max_if_num,
+ unsigned int del_if_num);
};
/**
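The overflow described in the commit message above, as an added user-space sketch that is not batman-adv code: a signed-char interface counter goes negative after 128 enables, and that negative count becomes a huge allocation size, while an `unsigned int` counter with the limit check refuses the increment. `WORDS_PER_IF` and all function names are hypothetical; the wrap to -128 assumes the usual GCC/Clang conversion behaviour.

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define WORDS_PER_IF 2 /* assumed per-interface bitmap words, illustration only */

/*
 * Size of the per-interface counter array when the interface count is
 * passed around as a signed int, as the pre-fix prototypes did.
 * A negative count converts to a value close to SIZE_MAX.
 */
static size_t resize_bytes_signed(int max_if_num)
{
	return (size_t)max_if_num * WORDS_PER_IF * sizeof(unsigned long);
}

/* Pre-fix counter: signed char, incremented with no limit check. */
static int legacy_count_after(int enables)
{
	signed char num_ifaces = 0;
	int i;

	for (i = 0; i < enables; i++)
		num_ifaces = (signed char)(num_ifaces + 1);
	return num_ifaces;
}

/* Post-fix counter: unsigned int, increment refused at the type's limit. */
static int fixed_enable(unsigned int *num_ifaces)
{
	if (*num_ifaces >= UINT_MAX)
		return -ENOSPC;
	(*num_ifaces)++;
	return 0;
}

int main(void)
{
	unsigned int n = UINT_MAX;
	int legacy = legacy_count_after(128);

	printf("legacy count after 128 enables: %d\n", legacy);
	printf("resize request from that count: %zu bytes\n",
	       resize_bytes_signed(legacy));
	printf("fixed enable at UINT_MAX: %d\n", fixed_enable(&n));
	return 0;
}
```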
* [PATCH 3.16 157/410] usbip: list: don't list devices attached to vhci_hcd
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Shuah Khan, Greg Kroah-Hartman
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Shuah Khan <shuahkh@osg.samsung.com>
commit ef824501f50846589f02173d73ce3fe6021a9d2a upstream.
usbip host lists devices attached to vhci_hcd on the same server
when user does attach over localhost or specifies the server as the
remote.
usbip attach -r localhost -b busid
or
usbip attach -r servername (or server IP)
Fix it to check and not list devices that are attached to vhci_hcd.
Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/staging/usbip/userspace/src/usbip_list.c | 9 +++++++++
1 file changed, 9 insertions(+)
--- a/drivers/staging/usbip/userspace/src/usbip_list.c
+++ b/drivers/staging/usbip/userspace/src/usbip_list.c
@@ -180,6 +180,7 @@ static int list_devices(bool parsable)
const char *busid;
char product_name[128];
int ret = -1;
+ const char *devpath;
/* Create libudev context. */
udev = udev_new();
@@ -202,6 +203,14 @@ static int list_devices(bool parsable)
path = udev_list_entry_get_name(dev_list_entry);
dev = udev_device_new_from_syspath(udev, path);
+ /* Ignore devices attached to vhci_hcd */
+ devpath = udev_device_get_devpath(dev);
+ if (strstr(devpath, USBIP_VHCI_DRV_NAME)) {
+ dbg("Skip the device %s already attached to %s\n",
+ devpath, USBIP_VHCI_DRV_NAME);
+ continue;
+ }
+
/* Get device information. */
idVendor = udev_device_get_sysattr_value(dev, "idVendor");
idProduct = udev_device_get_sysattr_value(dev, "idProduct");
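Review bot: The new `continue` in the vhci_hcd check leaves the loop iteration without releasing `dev`, which was just obtained from udev_device_new_from_syspath(); call udev_device_unref(dev) before continuing. Also, `devpath` is passed straight to strstr(): neither `dev` nor the result of udev_device_get_devpath() is checked for NULL first.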
* [PATCH 3.16 176/410] vhost_net: stop device during reset owner
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, syzbot+eb17c6162478cc50632c, Jason Wang, David S. Miller
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jason Wang <jasowang@redhat.com>
commit 4cd879515d686849eec5f718aeac62a70b067d82 upstream.
We don't stop device before reset owner, this means we could try to
serve any virtqueue kick before reset dev->worker. This will result in a
warn since the work was pending at llist during owner resetting. Fix
this by stopping device during owner reset.
Reported-by: syzbot+eb17c6162478cc50632c@syzkaller.appspotmail.com
Fixes: 3a4d5c94e9593 ("vhost_net: a kernel-level virtio server")
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/vhost/net.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/vhost/net.c
+++ b/drivers/vhost/net.c
@@ -1009,6 +1009,7 @@ static long vhost_net_reset_owner(struct
}
vhost_net_stop(n, &tx_sock, &rx_sock);
vhost_net_flush(n);
+ vhost_dev_stop(&n->dev);
vhost_dev_reset_owner(&n->dev, memory);
vhost_net_vq_reset(n);
done:
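Review bot: vhost_dev_stop() is inserted between vhost_net_flush() and vhost_dev_reset_owner() with no comment, and that ordering is what the fix depends on. A one-line comment saying the device must be stopped so that no virtqueue kick is served while the worker is being reset would keep a later cleanup from reordering or dropping the call.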
* [PATCH 3.16 118/410] arm: spear13xx: Fix spics gpio controller's warning
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Olof Johansson, Viresh Kumar, Arnd Bergmann
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Viresh Kumar <viresh.kumar@linaro.org>
commit f8975cb1b8a36d0839b6365235778dd9df1d04ca upstream.
This fixes the following warning by also sending the flags argument for
gpio controllers:
Property 'cs-gpios', cell 6 is not a phandle reference in
/ahb/apb/spi@e0100000
Fixes: 8113ba917dfa ("ARM: SPEAr: DT: Update device nodes")
Reported-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Olof Johansson <olof@lixom.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/arm/boot/dts/spear1310-evb.dts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/arm/boot/dts/spear1310-evb.dts
+++ b/arch/arm/boot/dts/spear1310-evb.dts
@@ -345,7 +345,7 @@
spi0: spi@e0100000 {
status = "okay";
num-cs = <3>;
- cs-gpios = <&gpio1 7 0>, <&spics 0>, <&spics 1>;
+ cs-gpios = <&gpio1 7 0>, <&spics 0 0>, <&spics 1 0>;
stmpe610@0 {
compatible = "st,stmpe610";
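Review bot: The extra flags cell in `<&spics 0 0>` and `<&spics 1 0>` is only correct if the spics controller node declares `#gpio-cells = <2>`, which is not part of this hunk; please confirm. If other SPEAr board files reference `&spics` with a single cell in `cs-gpios`, they need the same change.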
* [PATCH 3.16 301/410] mmc: sdhci-pci: Fix S0i3 for Intel BYT-based controllers
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Ulf Hansson, Adrian Hunter
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Adrian Hunter <adrian.hunter@intel.com>
commit f8870ae6e2d6be75b1accc2db981169fdfbea7ab upstream.
Tuning can leave the IP in an active state (Buffer Read Enable bit set)
which prevents the entry to low power states (i.e. S0i3). Data reset will
clear it.
Generally tuning is followed by a data transfer which will anyway sort out
the state, so it is rare that S0i3 is actually prevented.
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
[bwh: Backported to 3.16:
- Drop changes in ni_byt_sdio_probe_slot(), byt_sd_probe_slot()
- Adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/mmc/host/sdhci-pci.c | 35 +++++++++++++++++++++++++++----
1 file changed, 31 insertions(+), 4 deletions(-)
--- a/drivers/mmc/host/sdhci-pci.c
+++ b/drivers/mmc/host/sdhci-pci.c
@@ -265,8 +265,34 @@ static void sdhci_pci_int_hw_reset(struc
usleep_range(300, 1000);
}
+static int intel_execute_tuning(struct mmc_host *mmc, u32 opcode)
+{
+ int err = sdhci_execute_tuning(mmc, opcode);
+ struct sdhci_host *host = mmc_priv(mmc);
+
+ if (err)
+ return err;
+
+ /*
+ * Tuning can leave the IP in an active state (Buffer Read Enable bit
+ * set) which prevents the entry to low power states (i.e. S0i3). Data
+ * reset will clear it.
+ */
+ sdhci_reset(host, SDHCI_RESET_DATA);
+
+ return 0;
+}
+
+static void byt_probe_slot(struct sdhci_pci_slot *slot)
+{
+ struct mmc_host_ops *ops = &slot->host->mmc_host_ops;
+
+ ops->execute_tuning = intel_execute_tuning;
+}
+
static int byt_emmc_probe_slot(struct sdhci_pci_slot *slot)
{
+ byt_probe_slot(slot);
slot->host->mmc->caps |= MMC_CAP_8_BIT_DATA | MMC_CAP_NONREMOVABLE |
MMC_CAP_HW_RESET;
slot->host->mmc->caps2 |= MMC_CAP2_HC_ERASE_SZ;
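Review bot: In intel_execute_tuning() the early `return err;` skips `sdhci_reset(host, SDHCI_RESET_DATA)` when tuning fails. If a failed tuning attempt can also leave Buffer Read Enable set, the data reset should run on both paths and `err` be returned afterwards; if it cannot, a short comment saying so would settle the question.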
@@ -278,6 +304,7 @@ static int byt_emmc_probe_slot(struct sd
static int byt_sdio_probe_slot(struct sdhci_pci_slot *slot)
{
+ byt_probe_slot(slot);
slot->host->mmc->caps |= MMC_CAP_POWER_OFF_CARD | MMC_CAP_NONREMOVABLE;
return 0;
}
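Review bot: byt_probe_slot() is wired into byt_emmc_probe_slot() and byt_sdio_probe_slot() only, and the backport note says the byt_sd_probe_slot() and ni_byt_sdio_probe_slot() changes were dropped. Please state in the backport note whether those slot types have no probe hook to extend in 3.16 or are left without the tuning override on purpose, so it is clear which controllers the fix covers.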
* [PATCH 3.16 042/410] x86/cpufeatures: Add AMD feature bits for Speculation Control
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, arjan, gnomes, karahmed, Tom Lendacky, Thomas Gleixner,
torvalds, dave.hansen, ak, gregkh, ashok.raj, David Woodhouse,
bp, peterz, pbonzini, tim.c.chen, Greg Kroah-Hartman
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: David Woodhouse <dwmw@amazon.co.uk>
commit 5d10cbc91d9eb5537998b65608441b592eec65e7 upstream.
AMD exposes the PRED_CMD/SPEC_CTRL MSRs slightly differently to Intel.
See http://lkml.kernel.org/r/2b3e25cc-286d-8bd0-aeaf-9ac4aae39de8@amd.com
Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: gnomes@lxorguk.ukuu.org.uk
Cc: ak@linux.intel.com
Cc: ashok.raj@intel.com
Cc: dave.hansen@intel.com
Cc: karahmed@amazon.de
Cc: arjan@linux.intel.com
Cc: torvalds@linux-foundation.org
Cc: peterz@infradead.org
Cc: bp@alien8.de
Cc: pbonzini@redhat.com
Cc: tim.c.chen@linux.intel.com
Cc: gregkh@linux-foundation.org
Link: https://lkml.kernel.org/r/1516896855-7642-4-git-send-email-dwmw@amazon.co.uk
Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: This CPUID word wasn't used at all yet, so
add it as feature word 11]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/x86/include/asm/cpufeature.h | 7 ++++++-
arch/x86/kernel/cpu/common.c | 5 ++++-
2 files changed, 10 insertions(+), 2 deletions(-)
--- a/arch/x86/include/asm/cpufeature.h
+++ b/arch/x86/include/asm/cpufeature.h
@@ -8,7 +8,7 @@
#include <asm/required-features.h>
#endif
-#define NCAPINTS 11 /* N 32-bit words worth of info */
+#define NCAPINTS 12 /* N 32-bit words worth of info */
#define NBUGINTS 1 /* N 32-bit bug flags */
/*
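Review bot: Raising `NCAPINTS` to 12 grows everything sized or indexed by it, yet the diffstat shows only cpufeature.h and common.c changing. Anything in this tree that enumerates the capability words explicitly, such as per-word masks or initialisers, needs a matching entry for word 11; please confirm there is nothing of that kind to extend in 3.16.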
@@ -239,6 +239,11 @@
#define X86_FEATURE_STIBP (10*32+27) /* Single Thread Indirect Branch Predictors */
#define X86_FEATURE_ARCH_CAPABILITIES (10*32+29) /* IA32_ARCH_CAPABILITIES MSR (Intel) */
+/* AMD-defined CPU features, CPUID level 0x80000008 (EBX), word 11 */
+#define X86_FEATURE_AMD_PRED_CMD (11*32+12) /* Prediction Command MSR (AMD) */
+#define X86_FEATURE_AMD_SPEC_CTRL (11*32+14) /* Speculation Control MSR only (AMD) */
+#define X86_FEATURE_AMD_STIBP (11*32+15) /* Single Thread Indirect Branch Predictors (AMD) */
+
/*
* BUG word(s)
*/
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -716,10 +716,13 @@ void get_cpu_cap(struct cpuinfo_x86 *c)
}
if (c->extended_cpuid_level >= 0x80000008) {
- u32 eax = cpuid_eax(0x80000008);
+ u32 eax, ebx, ecx, edx;
+
+ cpuid(0x80000008, &eax, &ebx, &ecx, &edx);
c->x86_virt_bits = (eax >> 8) & 0xff;
c->x86_phys_bits = eax & 0xff;
+ c->x86_capability[11] = ebx;
}
#ifdef CONFIG_X86_32
else if (cpu_has(c, X86_FEATURE_PAE) || cpu_has(c, X86_FEATURE_PSE36))
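Review bot: `c->x86_capability[11] = ebx;` hard-codes the word index that cpufeature.h names only in a comment, and it stores EBX for every vendor although the new bits are described as AMD-defined. A comment here pointing at the word 11 definitions would keep the two in sync, and it is worth stating whether storing the register unconditionally on non-AMD parts is intended.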
* [PATCH 3.16 014/410] cifs: empty TargetInfo leads to crash on recovery
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Steve French, linux-cifs, Dan Aloni
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Dan Aloni <dan@kernelim.com>
commit cabfb3680f78981d26c078a26e5c748531257ebb upstream.
[ resend from Oct 20, 2014, see [1] ]
A trivially patched Samba server (see [2] [3]) can cause a remote kernel
crash (see [4]) in a client's CIFS kernel module upon session recovery,
under kernels prior to v4.11. The server patch can be made by a single
source line modification - returning an empty TargetInfo in an NTLMSSP
setup negotiation response.
To reproduce at the client side, the CIFS client can be instructed to
mount with SMB 2.0, on a share without user/password credentials, e.g:
mount -t cifs //[host]/[share] -o vers=2.0,guest [mountpoint]
(It may also reproduce with credentials, but I used a simpler
configuration for the reproduction)
A demo patch to Samba 4.7.4 is provided in the links provided.
As for the client crash itself:
When the session is recovered (after a server start/stop, for example),
the following condition turns out to be true:
ses->auth_key.len != 0 && ses->auth_key.response == NULL
This will cause the following memcpy() in setup_ntlmv2_rsp() to GPF,
because tiblob == NULL and tilen != 0 (these are the old auth_key values):
memcpy(ses->auth_key.response + baselen, tiblob, tilen);
By bisecting, upstream commit cabfb3680f78 ("CIFS: Enable encryption
during session setup phase") from v4.11 has fixed this issue.
According to my tests, LTS kernels versions 4.4.x and 4.9.x are affected.
The patch below applies for 4.4.x however a similar patch can be applied
to 4.9.x and older kernels.
Signed-off-by: Dan Aloni <dan@kernelim.com>
CC: Steve French <sfrench@samba.org>
CC: linux-cifs@vger.kernel.org
CC: linux-kernel@vger.kernel.org
[1]
https://patchwork.kernel.org/patch/5106391/
[2] (temporary url)
http://copr-dist-git.fedorainfracloud.org/cgit/alonid/samba-for-client-crash-repro/samba.git/tree/0001-Patch.patch?id=43229c84abe008bfc11aa86f5bacb03a1e54f88c
[3] (temporary url)
https://copr.fedorainfracloud.org/coprs/alonid/samba-for-client-crash-repro/
[4]
[ 3414.518134] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 3414.518200] IP: memcpy_erms+0x6/0x10
[ 3414.518227] PGD 0
[ 3414.518252] Oops: 0000 [#1] SMP
[ 3414.518272] Modules linked in: arc4 md4 cifs rpcsec_gss_krb5 nfsv4 dns_resolver nfs fscache ip6t_rpfilter ip6t_REJECT nf_reject_ipv6 xt_conntrack ip_set nfnetlink ebtable_nat ebtable_broute bridge stp llc ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle ip6table_security ip6table_raw iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_mangle iptable_security iptable_raw ebtable_filter ebtables ip6table_filter ip6_tables snd_hda_codec_generic ppdev snd_hda_intel snd_hda_codec crct10dif_pclmul crc32_pclmul snd_hwdep snd_hda_core ghash_clmulni_intel snd_seq snd_seq_device snd_pcm joydev parport_pc tpm_tis parport tpm_tis_core tpm snd_timer snd soundcore qemu_fw_cfg virtio_balloon i2c_piix4 nfsd auth_rpcgss nfs_acl lockd grace sunrpc xfs libcrc32c
[ 3414.518708] virtio_blk virtio_console virtio_net qxl drm_kms_helper ttm crc32c_intel drm ata_generic nvme serio_raw nvme_core virtio_pci virtio_ring virtio pata_acpi
[ 3414.518803] CPU: 3 PID: 1697 Comm: kworker/3:1 Not tainted 4.10.0-rc6-dan-00097-ge765a3d89ede #20
[ 3414.518852] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-2.fc27 04/01/2014
[ 3414.518927] Workqueue: cifsiod smb2_reconnect_server [cifs]
[ 3414.518960] task: ffff8cc6764a4000 task.stack: ffff9bc548808000
[ 3414.518997] RIP: 0010:memcpy_erms+0x6/0x10
[ 3414.519021] RSP: 0018:ffff9bc54880bbc8 EFLAGS: 00010296
[ 3414.519051] RAX: ffff8cc6ba00d8dc RBX: ffff8cc676190400 RCX: 0000000000000010
[ 3414.519091] RDX: 0000000000000010 RSI: 0000000000000000 RDI: ffff8cc6ba00d8dc
[ 3414.519130] RBP: ffff9bc54880bc30 R08: ffff9bc54880bb58 R09: ffff9bc54880bb58
[ 3414.519170] R10: 000000004619520e R11: 00000000f46cd8cf R12: 0000000000000000
[ 3414.519209] R13: 0000000000000000 R14: ffff8cc6ba00d8a0 R15: 0000000000000010
[ 3414.519250] FS: 0000000000000000(0000) GS:ffff8cc6bfd80000(0000) knlGS:0000000000000000
[ 3414.519314] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 3414.519347] CR2: 0000000000000000 CR3: 000000007992a000 CR4: 00000000003406e0
[ 3414.519392] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 3414.519431] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 3414.519470] Call Trace:
[ 3414.519510] ? setup_ntlmv2_rsp+0x124/0xa10 [cifs]
[ 3414.519553] build_ntlmssp_auth_blob+0x36/0x310 [cifs]
[ 3414.519597] SMB2_sess_auth_rawntlmssp_authenticate+0xc7/0x300 [cifs]
[ 3414.519646] SMB2_sess_setup+0x9a/0x140 [cifs]
[ 3414.519685] cifs_setup_session+0x78/0x100 [cifs]
[ 3414.519722] ? cifs_negotiate_protocol+0x84/0xd0 [cifs]
[ 3414.519763] smb2_reconnect+0x308/0x3e0 [cifs]
[ 3414.519793] ? __internal_add_timer+0x1f/0x60
[ 3414.519831] smb2_reconnect_server+0x187/0x260 [cifs]
[ 3414.519863] process_one_work+0x19e/0x440
[ 3414.519887] worker_thread+0x4e/0x4a0
[ 3414.519910] ? process_one_work+0x440/0x440
[ 3414.519936] kthread+0x11e/0x140
[ 3414.520493] ? kthread_park+0x90/0x90
[ 3414.520989] ret_from_fork+0x2c/0x40
[ 3414.521450] Code: 78 ff ff ff 90 eb 1e 0f 1f 00 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 f3 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 <f3> a4 c3 0f 1f 80 00 00 00 00 48 89 f8 48 83 fa 20 72 7e 40 38
[ 3414.522488] RIP: memcpy_erms+0x6/0x10 RSP: ffff9bc54880bbc8
[ 3414.522964] CR2: 0000000000000000
[ 3414.526127] ---[ end trace bbe4aa1e45cc6c17 ]---
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/cifs/smb2pdu.c | 3 +++
1 file changed, 3 insertions(+)
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -596,6 +596,7 @@ SMB2_sess_setup(const unsigned int xid,
*/
kfree(ses->auth_key.response);
ses->auth_key.response = NULL;
+ ses->auth_key.len = 0;
/*
* If memory allocation is successful, caller of this function
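Review bot: The same three-line sequence (kfree, `response = NULL`, `len = 0`) now appears at all three sites this patch touches, starting with this one in SMB2_sess_setup(). A small helper that clears the pointer and the length together would make it hard for a future call site to reset one without the other, which is exactly the state the commit message describes as causing the crash.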
@@ -756,6 +757,7 @@ ssetup_exit:
rc = server->ops->generate_signingkey(ses);
kfree(ses->auth_key.response);
ses->auth_key.response = NULL;
+ ses->auth_key.len = 0;
if (rc) {
cifs_dbg(FYI,
"SMB3 session key generation failed\n");
@@ -780,6 +782,7 @@ keygen_exit:
if (!server->sign) {
kfree(ses->auth_key.response);
ses->auth_key.response = NULL;
+ ses->auth_key.len = 0;
}
kfree(ses->ntlmssp);
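The stale-length condition from the commit message above (`len != 0` with `response == NULL`), as an added user-space model that is not the CIFS code: it contrasts a teardown that forgets the length with one that resets both fields, and shows a consumer that checks the pairing before copying. The struct, the function names and the constructed byte buffers are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for the two ses->auth_key fields named above. */
struct auth_key {
	unsigned int len;        /* number of valid bytes in response */
	unsigned char *response; /* heap buffer, NULL once freed */
};

static int key_set(struct auth_key *k, const unsigned char *src,
		   unsigned int len)
{
	k->response = malloc(len);
	if (!k->response) {
		k->len = 0;
		return -ENOMEM;
	}
	memcpy(k->response, src, len);
	k->len = len;
	return 0;
}

/* Teardown as it was before the fix: the old length survives the free. */
static void key_free_stale(struct auth_key *k)
{
	free(k->response);
	k->response = NULL;
}

/* Teardown as the patch leaves it: pointer and length reset together. */
static void key_free(struct auth_key *k)
{
	free(k->response);
	k->response = NULL;
	k->len = 0;
}

/* Invariant the consumer relies on: response is NULL exactly when len is 0. */
static int key_is_consistent(const struct auth_key *k)
{
	return (k->response == NULL) == (k->len == 0);
}

/*
 * Builds "base || old key bytes" into out, the same shape as the memcpy()
 * quoted in the commit message. Returns the number of bytes written, or
 * -EINVAL when the old key is inconsistent or does not fit.
 */
static int build_response(const struct auth_key *old,
			  const unsigned char *base, size_t baselen,
			  unsigned char *out, size_t outlen)
{
	if (!key_is_consistent(old))
		return -EINVAL; /* would have been memcpy(dst, NULL, len) */
	if (baselen > outlen || old->len > outlen - baselen)
		return -EINVAL;
	memcpy(out, base, baselen);
	if (old->len)
		memcpy(out + baselen, old->response, old->len);
	return (int)(baselen + old->len);
}

/* One session setup, one teardown, then a recovery that reuses the key. */
static int recover_after(void (*teardown)(struct auth_key *))
{
	unsigned char blob[16], base[8], out[64]; /* constructed sample data */
	struct auth_key key = { 0, NULL };

	memset(blob, 0xA5, sizeof(blob));
	memset(base, 0x5A, sizeof(base));
	if (key_set(&key, blob, sizeof(blob)))
		return -ENOMEM;
	teardown(&key);
	return build_response(&key, base, sizeof(base), out, sizeof(out));
}

int main(void)
{
	printf("stale teardown: %d\n", recover_after(key_free_stale));
	printf("fixed teardown: %d\n", recover_after(key_free));
	return 0;
}
```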
* [PATCH 3.16 282/410] batman-adv: fix packet checksum in receive path
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Simon Wunderlich, Sven Eckelmann, Maximilian Wilhelm,
Matthias Schiffer
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Matthias Schiffer <mschiffer@universe-factory.net>
commit abd6360591d3f8259f41c34e31ac4826dfe621b8 upstream.
eth_type_trans() internally calls skb_pull(), which does not adjust the
skb checksum; skb_postpull_rcsum() is necessary to avoid log spam of the
form "bat0: hw csum failure" when packets with CHECKSUM_COMPLETE are
received.
Note that in usual setups, packets don't reach batman-adv with
CHECKSUM_COMPLETE (I assume NICs bail out of checksumming when they see
batadv's ethtype?), which is why the log messages do not occur on every
system using batman-adv. I could reproduce this issue by stacking
batman-adv on top of a VXLAN interface.
Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol")
Tested-by: Maximilian Wilhelm <max@sdn.clinic>
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/batman-adv/soft-interface.c | 8 +-------
1 file changed, 1 insertion(+), 7 deletions(-)
--- a/net/batman-adv/soft-interface.c
+++ b/net/batman-adv/soft-interface.c
@@ -401,13 +401,7 @@ void batadv_interface_rx(struct net_devi
/* skb->dev & skb->pkt_type are set here */
skb->protocol = eth_type_trans(skb, soft_iface);
-
- /* should not be necessary anymore as we use skb_pull_rcsum()
- * TODO: please verify this and remove this TODO
- * -- Dec 21st 2009, Simon Wunderlich
- */
-
- /* skb->ip_summed = CHECKSUM_UNNECESSARY; */
+ skb_postpull_rcsum(skb, eth_hdr(skb), ETH_HLEN);
batadv_inc_counter(bat_priv, BATADV_CNT_RX);
batadv_add_counter(bat_priv, BATADV_CNT_RX_BYTES,
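Review bot: The removed TODO block is replaced by a bare `skb_postpull_rcsum(skb, eth_hdr(skb), ETH_HLEN);` with no comment. A one-line comment that eth_type_trans() pulls the Ethernet header without adjusting the checksum, so CHECKSUM_COMPLETE packets need the adjustment here, would stop the call from looking redundant to a later reader.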
* [PATCH 3.16 210/410] pipe, sysctl: drop 'min' parameter from pipe-max-size converter
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Linus Torvalds, Luis R . Rodriguez, Eric Biggers,
Mikulas Patocka, Willy Tarreau, Alexander Viro, Joe Lawrence,
Michael Kerrisk, Kees Cook
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@google.com>
commit 4c2e4befb3cc9ce42d506aa537c9ab504723e98c upstream.
Patch series "pipe: buffer limits fixes and cleanups", v2.
This series simplifies the sysctl handler for pipe-max-size and fixes
another set of bugs related to the pipe buffer limits:
- The root user wasn't allowed to exceed the limits when creating new
pipes.
- There was an off-by-one error when checking the limits, so a limit of
N was actually treated as N - 1.
- F_SETPIPE_SZ accepted values over UINT_MAX.
- Reading the pipe buffer limits could be racy.
This patch (of 7):
Before validating the given value against pipe_min_size,
do_proc_dopipe_max_size_conv() calls round_pipe_size(), which rounds the
value up to pipe_min_size. Therefore, the second check against
pipe_min_size is redundant. Remove it.
Link: http://lkml.kernel.org/r/20180111052902.14409-2-ebiggers3@gmail.com
Signed-off-by: Eric Biggers <ebiggers@google.com>
Acked-by: Kees Cook <keescook@chromium.org>
Acked-by: Joe Lawrence <joe.lawrence@redhat.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: "Luis R . Rodriguez" <mcgrof@kernel.org>
Cc: Michael Kerrisk <mtk.manpages@gmail.com>
Cc: Mikulas Patocka <mpatocka@redhat.com>
Cc: Willy Tarreau <w@1wt.eu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/pipe.c | 10 +++-------
include/linux/pipe_fs_i.h | 2 +-
kernel/sysctl.c | 15 +--------------
3 files changed, 5 insertions(+), 22 deletions(-)
--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -34,11 +34,6 @@
*/
unsigned int pipe_max_size = 1048576;
-/*
- * Minimum pipe size, as required by POSIX
- */
-unsigned int pipe_min_size = PAGE_SIZE;
-
/* Maximum allocatable pages per user. Hard limit is unset by default, soft
* matches default values.
*/
@@ -1012,8 +1007,9 @@ unsigned int round_pipe_size(unsigned in
{
unsigned long nr_pages;
- if (size < pipe_min_size)
- size = pipe_min_size;
+ /* Minimum pipe size, as required by POSIX */
+ if (size < PAGE_SIZE)
+ size = PAGE_SIZE;
nr_pages = (size + PAGE_SIZE - 1) >> PAGE_SHIFT;
if (nr_pages == 0)
--- a/include/linux/pipe_fs_i.h
+++ b/include/linux/pipe_fs_i.h
@@ -124,7 +124,7 @@ void pipe_lock(struct pipe_inode_info *)
void pipe_unlock(struct pipe_inode_info *);
void pipe_double_lock(struct pipe_inode_info *, struct pipe_inode_info *);
-extern unsigned int pipe_max_size, pipe_min_size;
+extern unsigned int pipe_max_size;
extern unsigned long pipe_user_pages_hard;
extern unsigned long pipe_user_pages_soft;
int pipe_proc_fn(struct ctl_table *, int, void __user *, size_t *, loff_t *);
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -1672,7 +1672,6 @@ static struct ctl_table fs_table[] = {
.maxlen = sizeof(int),
.mode = 0644,
.proc_handler = &pipe_proc_fn,
- .extra1 = &pipe_min_size,
},
{
.procname = "pipe-user-pages-hard",
@@ -2223,15 +2222,9 @@ int proc_dointvec_minmax(struct ctl_tabl
do_proc_dointvec_minmax_conv, ¶m);
}
-struct do_proc_dopipe_max_size_conv_param {
- unsigned int *min;
-};
-
static int do_proc_dopipe_max_size_conv(bool *negp, unsigned long *lvalp,
int *valp, int write, void *data)
{
- struct do_proc_dopipe_max_size_conv_param *param = data;
-
if (write) {
unsigned int val;
@@ -2242,9 +2235,6 @@ static int do_proc_dopipe_max_size_conv(
if (*negp || val == 0)
return -EINVAL;
- if (param->min && *param->min > val)
- return -ERANGE;
-
*valp = val;
} else {
unsigned int val = *valp;
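Review bot: with the -ERANGE test gone from the write branch, `if (*negp || val == 0)` is the only validation left here, so the lower bound depends entirely on the round_pipe_size() call that the changelog says runs first, and the data argument is now unused. A one-line comment at the top of the write branch, saying that round_pipe_size() has already raised small values to the minimum, would keep a later change to that helper from silently changing what the sysctl accepts.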
@@ -2258,11 +2248,8 @@ static int do_proc_dopipe_max_size_conv(
int proc_dopipe_max_size(struct ctl_table *table, int write,
void __user *buffer, size_t *lenp, loff_t *ppos)
{
- struct do_proc_dopipe_max_size_conv_param param = {
- .min = (unsigned int *) table->extra1,
- };
return do_proc_dointvec(table, write, buffer, lenp, ppos,
- do_proc_dopipe_max_size_conv, ¶m);
+ do_proc_dopipe_max_size_conv, NULL);
}
static void validate_coredump_safety(void)
* [PATCH 3.16 005/410] sctp: Fix mangled IPv4 addresses on a IPv6 listening socket
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Jason Gunthorpe, Daniel Borkmann, Neil Horman, David S. Miller
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
commit 9302d7bb0c5cd46be5706859301f18c137b2439f upstream.
sctp_v4_map_v6 was subtly writing and reading from members
of a union in a way that clobbered data it needed to read before
it read it.
Zeroing the v6 flowinfo overwrites the v4 sin_addr with 0, meaning
that every place that calls sctp_v4_map_v6 gets ::ffff:0.0.0.0 as the
result.
Reorder things to guarantee correct behaviour no matter what the
union layout is.
This impacts user space clients that open an IPv6 SCTP socket and
receive IPv4 connections. Prior to 299ee user space would see a
sockaddr with AF_INET and a correct address, after 299ee the sockaddr
is AF_INET6, but the address is wrong.
Fixes: 299ee123e198 (sctp: Fixup v4mapped behaviour to comply with Sock API)
Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
include/net/sctp/sctp.h | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/include/net/sctp/sctp.h
+++ b/include/net/sctp/sctp.h
@@ -582,11 +582,14 @@ static inline void sctp_v6_map_v4(union
/* Map v4 address to v4-mapped v6 address */
static inline void sctp_v4_map_v6(union sctp_addr *addr)
{
+ __be16 port;
+
+ port = addr->v4.sin_port;
+ addr->v6.sin6_addr.s6_addr32[3] = addr->v4.sin_addr.s_addr;
+ addr->v6.sin6_port = port;
addr->v6.sin6_family = AF_INET6;
addr->v6.sin6_flowinfo = 0;
addr->v6.sin6_scope_id = 0;
- addr->v6.sin6_port = addr->v4.sin_port;
- addr->v6.sin6_addr.s6_addr32[3] = addr->v4.sin_addr.s_addr;
addr->v6.sin6_addr.s6_addr32[0] = 0;
addr->v6.sin6_addr.s6_addr32[1] = 0;
addr->v6.sin6_addr.s6_addr32[2] = htonl(0x0000ffff);
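Review bot: the order of the first three added statements is now load-bearing, but nothing in sctp_v4_map_v6() says so. Per the changelog, writing sin6_flowinfo clobbers the v4 sin_addr, so both v4 fields have to be read before the v6 fields that overlap them are written. Please add a short comment above `port = addr->v4.sin_port;` stating that v4 and v6 alias in the union and that the reads must stay first, otherwise a later tidy-up that groups the sin6_* assignments will reintroduce ::ffff:0.0.0.0.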
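The ordering problem described in the sctp message above, as an added user-space example that is not part of the patch or the kernel source. The structs are constructed stand-ins that reproduce only the overlap the changelog describes (sin_addr and sin6_flowinfo at the same offset); every `model_*`, `map_*` and helper name is an assumption of this sketch.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for sockaddr_in / sockaddr_in6. Only the layout
 * matters: sin_addr and sin6_flowinfo both live at byte offset 4. */
struct model_v4 {
    uint16_t sin_family;
    uint16_t sin_port;       /* network byte order */
    uint32_t sin_addr;       /* network byte order */
};

struct model_v6 {
    uint16_t sin6_family;
    uint16_t sin6_port;
    uint32_t sin6_flowinfo;  /* aliases model_v4.sin_addr */
    uint32_t sin6_addr32[4];
    uint32_t sin6_scope_id;
};

union model_addr {
    struct model_v4 v4;
    struct model_v6 v6;
};

#define MODEL_AF_INET  2
#define MODEL_AF_INET6 10

typedef void (*map_fn)(union model_addr *);

/* Host value -> 32-bit word holding it in network byte order. */
static uint32_t be32(uint32_t host)
{
    unsigned char b[4] = {
        (unsigned char)(host >> 24), (unsigned char)(host >> 16),
        (unsigned char)(host >> 8),  (unsigned char)host
    };
    uint32_t out;

    memcpy(&out, b, sizeof(out));
    return out;
}

/* Statement order before the patch: flowinfo is zeroed first, which wipes
 * the v4 address that is read two lines later. */
static void map_v4_to_v6_before(union model_addr *a)
{
    a->v6.sin6_family = MODEL_AF_INET6;
    a->v6.sin6_flowinfo = 0;
    a->v6.sin6_scope_id = 0;
    a->v6.sin6_port = a->v4.sin_port;
    a->v6.sin6_addr32[3] = a->v4.sin_addr;  /* already zero here */
    a->v6.sin6_addr32[0] = 0;
    a->v6.sin6_addr32[1] = 0;
    a->v6.sin6_addr32[2] = be32(0x0000ffffu);
}

/* Statement order after the patch: every v4 read happens before any v6
 * field that overlaps v4 data is written. */
static void map_v4_to_v6_after(union model_addr *a)
{
    uint16_t port = a->v4.sin_port;

    a->v6.sin6_addr32[3] = a->v4.sin_addr;
    a->v6.sin6_port = port;
    a->v6.sin6_family = MODEL_AF_INET6;
    a->v6.sin6_flowinfo = 0;
    a->v6.sin6_scope_id = 0;
    a->v6.sin6_addr32[0] = 0;
    a->v6.sin6_addr32[1] = 0;
    a->v6.sin6_addr32[2] = be32(0x0000ffffu);
}

/* The symptom a user-space client would see: ::ffff:0.0.0.0 as the peer. */
static int is_v4mapped_unspecified(const struct model_v6 *v6)
{
    return v6->sin6_family == MODEL_AF_INET6 &&
           v6->sin6_addr32[0] == 0 && v6->sin6_addr32[1] == 0 &&
           v6->sin6_addr32[2] == be32(0x0000ffffu) &&
           v6->sin6_addr32[3] == 0;
}

static union model_addr make_v4(uint32_t addr_be, uint16_t port_be)
{
    union model_addr a;

    memset(&a, 0, sizeof(a));
    a.v4.sin_family = MODEL_AF_INET;
    a.v4.sin_port = port_be;
    a.v4.sin_addr = addr_be;
    return a;
}

/* Last 32-bit word of the mapped address; should equal the v4 address. */
uint32_t mapped_low_word(map_fn map, uint32_t addr_be)
{
    union model_addr a = make_v4(addr_be, 0);

    map(&a);
    return a.v6.sin6_addr32[3];
}

/* 1 if mapping a non-zero v4 address produced ::ffff:0.0.0.0. */
int symptom_after_mapping(map_fn map, uint32_t addr_be)
{
    union model_addr a = make_v4(addr_be, 0);

    map(&a);
    return is_v4mapped_unspecified(&a.v6);
}

int main(void)
{
    uint32_t ip = be32(0xC0000201u);  /* 192.0.2.1, constructed sample */

    printf("before: address lost = %d\n",
           symptom_after_mapping(map_v4_to_v6_before, ip));
    printf("after:  address lost = %d\n",
           symptom_after_mapping(map_v4_to_v6_after, ip));
    return 0;
}
```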
* [PATCH 3.16 194/410] x86/xen: init %gs very early to avoid page faults with stack protector
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Juergen Gross, Boris Ostrovsky, Chris Patterson
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Juergen Gross <jgross@suse.com>
commit 4f277295e54c5b7340e48efea3fc5cc21a2872b7 upstream.
When running as Xen pv guest %gs is initialized some time after
C code is started. Depending on stack protector usage this might be
too late, resulting in page faults.
So set up %gs and MSR_GS_BASE in assembly code already.
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Tested-by: Chris Patterson <cjp256@gmail.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/x86/xen/xen-head.S
+++ b/arch/x86/xen/xen-head.S
@@ -8,7 +8,9 @@
#include <asm/boot.h>
#include <asm/asm.h>
+#include <asm/msr.h>
#include <asm/page_types.h>
+#include <asm/percpu.h>
#include <xen/interface/elfnote.h>
#include <xen/interface/features.h>
@@ -42,7 +44,20 @@ ENTRY(startup_xen)
#else
mov %rsi,xen_start_info
mov $init_thread_union+THREAD_SIZE,%rsp
+
+ /* Set up %gs.
+ *
+ * The base of %gs always points to the bottom of the irqstack
+ * union. If the stack protector canary is enabled, it is
+ * located at %gs:40. Note that, on SMP, the boot cpu uses
+ * init data section till per cpu areas are set up.
+ */
+ movl $MSR_GS_BASE,%ecx
+ movq $INIT_PER_CPU_VAR(irq_stack_union),%rax
+ cdq
+ wrmsr
#endif
+
jmp xen_start_kernel
__FINIT
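Review bot: the `cdq` before `wrmsr` is doing non-obvious work and deserves a line in the new comment block. wrmsr takes its value in %edx:%eax, and cdq fills %edx with the sign extension of %eax; that equals the upper half of %rax only because `movq $INIT_PER_CPU_VAR(irq_stack_union),%rax` loads a sign-extended 32-bit immediate. Saying so next to the instruction makes it clear that the sequence depends on the symbol's address fitting that form.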
* [PATCH 3.16 356/410] aio: fix serial draining in exit_aio()
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Jens Axboe, Jeff Moyer
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jens Axboe <axboe@fb.com>
commit dc48e56d761610da4ea1088d1bea0a030b8e3e43 upstream.
exit_aio() currently serializes killing io contexts. Each context
killing ends up having to do percpu_ref_kill(), which in turn has
to wait for an RCU grace period. This can take a long time, depending
on the number of contexts. And there's no point in doing them serially,
when we could be waiting for all of them in one fell swoop.
This patch makes my fio thread offload test case exit in 0.2s instead
of almost 6s.
Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/aio.c | 45 ++++++++++++++++++++++++++++++---------------
1 file changed, 30 insertions(+), 15 deletions(-)
--- a/fs/aio.c
+++ b/fs/aio.c
@@ -77,6 +77,11 @@ struct kioctx_cpu {
unsigned reqs_available;
};
+struct ctx_rq_wait {
+ struct completion comp;
+ atomic_t count;
+};
+
struct kioctx {
struct percpu_ref users;
atomic_t dead;
@@ -115,7 +120,7 @@ struct kioctx {
/*
* signals when all in-flight requests are done
*/
- struct completion *requests_done;
+ struct ctx_rq_wait *rq_wait;
struct {
/*
@@ -523,8 +528,8 @@ static void free_ioctx_reqs(struct percp
struct kioctx *ctx = container_of(ref, struct kioctx, reqs);
/* At this point we know that there are no any in-flight requests */
- if (ctx->requests_done)
- complete(ctx->requests_done);
+ if (ctx->rq_wait && atomic_dec_and_test(&ctx->rq_wait->count))
+ complete(&ctx->rq_wait->comp);
INIT_WORK(&ctx->free_work, free_ioctx);
schedule_work(&ctx->free_work);
@@ -735,7 +740,7 @@ err:
* the rapid destruction of the kioctx.
*/
static int kill_ioctx(struct mm_struct *mm, struct kioctx *ctx,
- struct completion *requests_done)
+ struct ctx_rq_wait *wait)
{
struct kioctx_table *table;
@@ -764,7 +769,7 @@ static int kill_ioctx(struct mm_struct *
if (ctx->mmap_size)
vm_munmap(ctx->mmap_base, ctx->mmap_size);
- ctx->requests_done = requests_done;
+ ctx->rq_wait = wait;
percpu_ref_kill(&ctx->users);
return 0;
}
@@ -796,18 +801,24 @@ EXPORT_SYMBOL(wait_on_sync_kiocb);
void exit_aio(struct mm_struct *mm)
{
struct kioctx_table *table = rcu_dereference_raw(mm->ioctx_table);
- int i;
+ struct ctx_rq_wait wait;
+ int i, skipped;
if (!table)
return;
+ atomic_set(&wait.count, table->nr);
+ init_completion(&wait.comp);
+
+ skipped = 0;
for (i = 0; i < table->nr; ++i) {
struct kioctx *ctx = table->table[i];
- struct completion requests_done =
- COMPLETION_INITIALIZER_ONSTACK(requests_done);
- if (!ctx)
+ if (!ctx) {
+ skipped++;
continue;
+ }
+
/*
* We don't need to bother with munmap() here - exit_mmap(mm)
* is coming and it'll unmap everything. And we simply can't,
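Review bot: in exit_aio(), wait.count is preset to table->nr and only corrected by `skipped` after the loop, and that bias is what stops free_ioctx_reqs() from completing wait.comp while later contexts are still being killed. Nothing in the code says this. A short comment above `atomic_set(&wait.count, table->nr);` would keep someone from later incrementing the count inside the loop instead.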
@@ -816,10 +827,12 @@ void exit_aio(struct mm_struct *mm)
* that it needs to unmap the area, just set it to 0.
*/
ctx->mmap_size = 0;
- kill_ioctx(mm, ctx, &requests_done);
+ kill_ioctx(mm, ctx, &wait);
+ }
+ if (!atomic_sub_and_test(skipped, &wait.count)) {
/* Wait until all IO for the context are done. */
- wait_for_completion(&requests_done);
+ wait_for_completion(&wait.comp);
}
RCU_INIT_POINTER(mm->ioctx_table, NULL);
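Review bot: exit_aio() ignores the return value of kill_ioctx() here, yet every non-NULL context stays counted in wait.count, while io_destroy() in the last hunk only waits when ret is 0. If kill_ioctx() can return an error for a context that is still in the table, nothing decrements the count for it and wait_for_completion() blocks forever. Either decrement wait.count when kill_ioctx() fails or add a comment stating why it cannot fail on this path.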
@@ -1299,15 +1312,17 @@ SYSCALL_DEFINE1(io_destroy, aio_context_
{
struct kioctx *ioctx = lookup_ioctx(ctx);
if (likely(NULL != ioctx)) {
- struct completion requests_done =
- COMPLETION_INITIALIZER_ONSTACK(requests_done);
+ struct ctx_rq_wait wait;
int ret;
+ init_completion(&wait.comp);
+ atomic_set(&wait.count, 1);
+
/* Pass requests_done to kill_ioctx() where it can be set
* in a thread-safe way. If we try to set it here then we have
* a race condition if two io_destroy() called simultaneously.
*/
- ret = kill_ioctx(current->mm, ioctx, &requests_done);
+ ret = kill_ioctx(current->mm, ioctx, &wait);
percpu_ref_put(&ioctx->users);
/* Wait until all IO for the context are done. Otherwise kernel
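Review bot: the comment kept as context in io_destroy() still says "Pass requests_done to kill_ioctx()", but the variable is now `wait`. Update the comment in the same patch so it matches the code.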
@@ -1315,7 +1330,7 @@ SYSCALL_DEFINE1(io_destroy, aio_context_
* is destroyed.
*/
if (!ret)
- wait_for_completion(&requests_done);
+ wait_for_completion(&wait.comp);
return ret;
}
* [PATCH 3.16 266/410] arm64: traps: Don't print stack or raw PC/LR values in backtraces
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Will Deacon, Laura Abbott
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Will Deacon <will.deacon@arm.com>
commit a25ffd3a6302a67814280274d8f1aa4ae2ea4b59 upstream.
Printing raw pointer values in backtraces has potential security
implications and is of questionable value anyway.
This patch follows x86's lead and removes the "Exception stack:" dump
from kernel backtraces, as well as converting PC/LR values to symbols
such as "sysrq_handle_crash+0x20/0x30".
Tested-by: Laura Abbott <labbott@redhat.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
[bwh: Backported to 3.16:
- Deleted code in dump_mem() and dump_backtrace_entry() is a bit different
- Leave dump_backtrace() unchanged, since it doesn't use dump_mem()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/arm64/kernel/process.c
+++ b/arch/arm64/kernel/process.c
@@ -198,11 +198,9 @@ void __show_regs(struct pt_regs *regs)
}
show_regs_print_info(KERN_DEFAULT);
- print_symbol("PC is at %s\n", instruction_pointer(regs));
- print_symbol("LR is at %s\n", lr);
- printk("pc : [<%016llx>] lr : [<%016llx>] pstate: %08llx\n",
- regs->pc, lr, regs->pstate);
- printk("sp : %016llx\n", sp);
+ print_symbol("pc : %s\n", regs->pc);
+ print_symbol("lr : %s\n", lr);
+ printk("sp : %016llx pstate : %08llx\n", sp, regs->pstate);
for (i = top_reg; i >= 0; i--) {
printk("x%-2d: %016llx ", i, regs->regs[i]);
if (i % 2 == 0)
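Review bot: __show_regs() still prints raw values after this change: the new `printk("sp : %016llx pstate : %08llx\n", sp, regs->pstate);` emits the stack pointer, and the loop that follows dumps every x register with %016llx. If the aim is to keep kernel addresses out of the log, the changelog should say that sp and the general registers are deliberately left alone, or they should be handled too.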
--- a/arch/arm64/kernel/traps.c
+++ b/arch/arm64/kernel/traps.c
@@ -47,53 +47,9 @@ static const char *handler[]= {
int show_unhandled_signals = 1;
-/*
- * Dump out the contents of some memory nicely...
- */
-static void dump_mem(const char *lvl, const char *str, unsigned long bottom,
- unsigned long top)
-{
- unsigned long first;
- mm_segment_t fs;
- int i;
-
- /*
- * We need to switch to kernel mode so that we can use __get_user
- * to safely read from kernel space.
- */
- fs = get_fs();
- set_fs(KERNEL_DS);
-
- printk("%s%s(0x%016lx to 0x%016lx)\n", lvl, str, bottom, top);
-
- for (first = bottom & ~31; first < top; first += 32) {
- unsigned long p;
- char str[sizeof(" 12345678") * 8 + 1];
-
- memset(str, ' ', sizeof(str));
- str[sizeof(str) - 1] = '\0';
-
- for (p = first, i = 0; i < 8 && p < top; i++, p += 4) {
- if (p >= bottom && p < top) {
- unsigned int val;
- if (__get_user(val, (unsigned int *)p) == 0)
- sprintf(str + i * 9, " %08x", val);
- else
- sprintf(str + i * 9, " ????????");
- }
- }
- printk("%s%04lx:%s\n", lvl, first & 0xffff, str);
- }
-
- set_fs(fs);
-}
-
static void dump_backtrace_entry(unsigned long where, unsigned long stack)
{
- print_ip_sym(where);
- if (in_exception_text(where))
- dump_mem("", "Exception stack", stack,
- stack + sizeof(struct pt_regs));
+ printk(" %pS\n", (void *)where);
}
static void __dump_instr(const char *lvl, struct pt_regs *regs)
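Review bot: once the dump_mem() call is removed, the `stack` parameter of dump_backtrace_entry() is unused. Drop it and adjust the callers, or, if it is kept so that dump_backtrace() stays untouched as the backport note says, mark that in a comment so it is not mistaken for an oversight.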
* [PATCH 3.16 261/410] libata: Apply NOLPM quirk to Crucial MX100 512GB SSDs
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Tejun Heo, Hans de Goede
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Hans de Goede <hdegoede@redhat.com>
commit 9c7be59fc519af9081c46c48f06f2b8fadf55ad8 upstream.
Various people have reported the Crucial MX100 512GB model not working
with LPM set to min_power. I've now received a report that it also does
not work with the new med_power_with_dipm level.
It does work with medium_power, but that has no measurable power-savings
and given the amount of people being bitten by the other levels not
working, this commit just disables LPM altogether.
Note all reporters of this have either the 512GB model (max capacity), or
are not specifying their SSD's size. So for now this quirk assumes this is
a problem with the 512GB model only.
Buglink: https://bugzilla.kernel.org/show_bug.cgi?id=89261
Buglink: https://github.com/linrunner/TLP/issues/84
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
[bwh: Backported to 3.16: There's no ATA_HORKAGE_ZERO_AFTER_TRIM flag]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/ata/libata-core.c
+++ b/drivers/ata/libata-core.c
@@ -4224,6 +4224,10 @@ static const struct ata_blacklist_entry
{ "PIONEER DVD-RW DVR-212D", NULL, ATA_HORKAGE_NOSETXFER },
{ "PIONEER DVD-RW DVR-216D", NULL, ATA_HORKAGE_NOSETXFER },
+ /* The 512GB version of the MX100 has both queued TRIM and LPM issues */
+ { "Crucial_CT512MX100*", NULL, ATA_HORKAGE_NO_NCQ_TRIM |
+ ATA_HORKAGE_NOLPM, },
+
/* devices that don't properly handle queued TRIM commands */
{ "Micron_M500_*", NULL, ATA_HORKAGE_NO_NCQ_TRIM, },
{ "Crucial_CT*M500*", NULL, ATA_HORKAGE_NO_NCQ_TRIM, },
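Review bot: the new entry sets ATA_HORKAGE_NO_NCQ_TRIM as well as ATA_HORKAGE_NOLPM, but the changelog only discusses LPM. The code comment mentions queued TRIM without saying where that finding comes from; add a sentence to the changelog on why the TRIM flag is set on this entry so it is not dropped later as unrelated.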
* [PATCH 3.16 341/410] RDMA/mlx5: Fix integer overflow while resizing CQ
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, syzkaller, Doug Ledford, Yishai Hadas, Leon Romanovsky,
Noa Osherovich
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Leon Romanovsky <leonro@mellanox.com>
commit 28e9091e3119933c38933cb8fc48d5618eb784c8 upstream.
The user can provide a very large cqe_size, which will cause an integer
overflow, as can be seen in the following UBSAN warning:
=======================================================================
UBSAN: Undefined behaviour in drivers/infiniband/hw/mlx5/cq.c:1192:53
signed integer overflow:
64870 * 65536 cannot be represented in type 'int'
CPU: 0 PID: 267 Comm: syzkaller605279 Not tainted 4.15.0+ #90 Hardware
name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org 04/01/2014
Call Trace:
dump_stack+0xde/0x164
? dma_virt_map_sg+0x22c/0x22c
ubsan_epilogue+0xe/0x81
handle_overflow+0x1f3/0x251
? __ubsan_handle_negate_overflow+0x19b/0x19b
? lock_acquire+0x440/0x440
mlx5_ib_resize_cq+0x17e7/0x1e40
? cyc2ns_read_end+0x10/0x10
? native_read_msr_safe+0x6c/0x9b
? cyc2ns_read_end+0x10/0x10
? mlx5_ib_modify_cq+0x220/0x220
? sched_clock_cpu+0x18/0x200
? lookup_get_idr_uobject+0x200/0x200
? rdma_lookup_get_uobject+0x145/0x2f0
ib_uverbs_resize_cq+0x207/0x3e0
? ib_uverbs_ex_create_cq+0x250/0x250
ib_uverbs_write+0x7f9/0xef0
? cyc2ns_read_end+0x10/0x10
? print_irqtrace_events+0x280/0x280
? ib_uverbs_ex_create_cq+0x250/0x250
? uverbs_devnode+0x110/0x110
? sched_clock_cpu+0x18/0x200
? do_raw_spin_trylock+0x100/0x100
? __lru_cache_add+0x16e/0x290
__vfs_write+0x10d/0x700
? uverbs_devnode+0x110/0x110
? kernel_read+0x170/0x170
? sched_clock_cpu+0x18/0x200
? security_file_permission+0x93/0x260
vfs_write+0x1b0/0x550
SyS_write+0xc7/0x1a0
? SyS_read+0x1a0/0x1a0
? trace_hardirqs_on_thunk+0x1a/0x1c
entry_SYSCALL_64_fastpath+0x1e/0x8b
RIP: 0033:0x433549
RSP: 002b:00007ffe63bd1ea8 EFLAGS: 00000217
=======================================================================
Cc: syzkaller <syzkaller@googlegroups.com>
Fixes: bde51583f49b ("IB/mlx5: Add support for resize CQ")
Reported-by: Noa Osherovich <noaos@mellanox.com>
Reviewed-by: Yishai Hadas <yishaih@mellanox.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/infiniband/hw/mlx5/cq.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/drivers/infiniband/hw/mlx5/cq.c
+++ b/drivers/infiniband/hw/mlx5/cq.c
@@ -956,7 +956,12 @@ static int resize_user(struct mlx5_ib_de
if (ucmd.reserved0 || ucmd.reserved1)
return -EINVAL;
- umem = ib_umem_get(context, ucmd.buf_addr, entries * ucmd.cqe_size,
+ /* check multiplication overflow */
+ if (ucmd.cqe_size && SIZE_MAX / ucmd.cqe_size <= entries - 1)
+ return -EINVAL;
+
+ umem = ib_umem_get(context, ucmd.buf_addr,
+ (size_t)ucmd.cqe_size * entries,
IB_ACCESS_LOCAL_WRITE, 1);
if (IS_ERR(umem)) {
err = PTR_ERR(umem);
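Review bot: the overflow test `SIZE_MAX / ucmd.cqe_size <= entries - 1` compares a size_t quotient with `entries - 1`, so its outcome depends on the implicit conversion of entries, whose type is not visible in this hunk. A cqe_size of 0 also skips the test and reaches ib_umem_get() with a zero length. An explicit range check on entries and cqe_size ahead of this line would be easier to audit than the division idiom.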
* [PATCH 3.16 320/410] PCI: Add function 1 DMA alias quirk for Highpoint RocketRAID 644L
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Tejun Heo, Bjorn Helgaas, Hans de Goede
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Hans de Goede <hdegoede@redhat.com>
commit 1903be8222b7c278ca897c129ce477c1dd6403a8 upstream.
The Highpoint RocketRAID 644L uses a Marvell 88SE9235 controller; as with
other Marvell controllers, this needs a function 1 DMA alias quirk.
Note the RocketRAID 642L uses the same Marvell 88SE9235 controller and
already is listed with a function 1 DMA alias quirk.
BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1534106
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Acked-by: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/pci/quirks.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/pci/quirks.c
+++ b/drivers/pci/quirks.c
@@ -3511,6 +3511,8 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_M
quirk_dma_func1_alias);
DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_TTI, 0x0642,
quirk_dma_func1_alias);
+DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_TTI, 0x0645,
+ quirk_dma_func1_alias);
/* https://bugs.gentoo.org/show_bug.cgi?id=497630 */
DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_JMICRON,
PCI_DEVICE_ID_JMICRON_JMB388_ESD,
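Review bot: the new 0x0645 entry has no comment, unlike the JMicron entry below it, which carries its bug URL. Add the BugLink from the changelog and the board name above the line, for example `/* https://bugzilla.redhat.com/show_bug.cgi?id=1534106 */`, so the device ID can be traced back to the RocketRAID 644L.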
* [PATCH 3.16 393/410] ip_tunnel: Emit events for post-register MTU changes
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Ido Schimmel, David S. Miller, Petr Machata
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Petr Machata <petrm@mellanox.com>
commit f6cc9c054e77b9a28d4594bcc201697edb21dfd2 upstream.
For tunnels created with IFLA_MTU, MTU of the netdevice is set by
rtnl_create_link() (called from rtnl_newlink()) before the device is
registered. However without IFLA_MTU that's not done.
rtnl_newlink() proceeds by calling struct rtnl_link_ops.newlink, which
via ip_tunnel_newlink() calls register_netdevice(), and that emits
NETDEV_REGISTER. Thus any listeners that inspect the netdevice get the
MTU of 0.
After ip_tunnel_newlink() corrects the MTU after registering the
netdevice, but since there's no event, the listeners don't get to know
about the MTU until something else happens--such as a NETDEV_UP event.
That's not ideal.
So instead of setting the MTU directly, go through dev_set_mtu(), which
takes care of distributing the necessary NETDEV_PRECHANGEMTU and
NETDEV_CHANGEMTU events.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Petr Machata <petrm@mellanox.com>
Signed-off-by: Ido Schimmel <idosch@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: Resolve conflict with commit 24fc79798b8d
"ip_tunnel: Clamp MTU to bounds on new link", referring to commit
5568cdc368c3 "ip_tunnel: Resolve ipsec merge conflict properly."]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/net/ipv4/ip_tunnel.c
+++ b/net/ipv4/ip_tunnel.c
@@ -405,17 +405,26 @@ static struct ip_tunnel *ip_tunnel_creat
{
struct ip_tunnel *nt;
struct net_device *dev;
+ int mtu;
+ int err;
BUG_ON(!itn->fb_tunnel_dev);
dev = __ip_tunnel_create(net, itn->fb_tunnel_dev->rtnl_link_ops, parms);
if (IS_ERR(dev))
return ERR_CAST(dev);
- dev->mtu = ip_tunnel_bind_dev(dev);
+ mtu = ip_tunnel_bind_dev(dev);
+ err = dev_set_mtu(dev, mtu);
+ if (err)
+ goto err_dev_set_mtu;
nt = netdev_priv(dev);
ip_tunnel_add(itn, nt);
return nt;
+
+err_dev_set_mtu:
+ unregister_netdevice(dev);
+ return ERR_PTR(err);
}
int ip_tunnel_rcv(struct ip_tunnel *tunnel, struct sk_buff *skb,
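Review bot: dev_set_mtu() can fail where the old direct assignment could not, and ip_tunnel_create() now tears the device down when it does. The value from ip_tunnel_bind_dev() is passed through unchecked, so please confirm it is always within the range dev_set_mtu() accepts for these devices, or clamp it first as ip_tunnel_newlink() does for IFLA_MTU; otherwise tunnel creation can start failing for configurations that used to work.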
@@ -962,7 +971,7 @@ int ip_tunnel_newlink(struct net_device
nt->parms = *p;
err = register_netdevice(dev);
if (err)
- goto out;
+ goto err_register_netdevice;
if (dev->type == ARPHRD_ETHER && !tb[IFLA_ADDRESS])
eth_hw_addr_random(dev);
@@ -971,15 +980,20 @@ int ip_tunnel_newlink(struct net_device
if (tb[IFLA_MTU]) {
unsigned int max = 0xfff8 - dev->hard_header_len - nt->hlen;
- dev->mtu = clamp(dev->mtu, (unsigned int)ETH_MIN_MTU,
- (unsigned int)(max - sizeof(struct iphdr)));
- } else {
- dev->mtu = mtu;
+ mtu = clamp(dev->mtu, (unsigned int)ETH_MIN_MTU,
+ (unsigned int)(max - sizeof(struct iphdr)));
}
+ err = dev_set_mtu(dev, mtu);
+ if (err)
+ goto err_dev_set_mtu;
+
ip_tunnel_add(itn, nt);
+ return 0;
-out:
+err_dev_set_mtu:
+ unregister_netdevice(dev);
+err_register_netdevice:
return err;
}
EXPORT_SYMBOL_GPL(ip_tunnel_newlink);
* [PATCH 3.16 298/410] tpm: fix potential buffer overruns caused by bit glitches on the bus
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, James Morris, James Bottomley, Jeremy Boone, Jarkko Sakkinen
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jeremy Boone <jeremy.boone@nccgroup.trust>
commit 3be23274755ee85771270a23af7691dc9b3a95db upstream.
Discrete TPMs are often connected over slow serial buses which, on
some platforms, can have glitches causing bit flips. If a bit does
flip it could cause an overrun if it's in one of the size parameters,
so sanity check that we're not overrunning the provided buffer when
doing a memcpy().
Signed-off-by: Jeremy Boone <jeremy.boone@nccgroup.trust>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: James Morris <james.morris@microsoft.com>
[bwh: Backported to 3.16: Drop the TPM2 bits]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/char/tpm/tpm-interface.c | 4 ++++
drivers/char/tpm/tpm2-cmd.c | 4 ++++
2 files changed, 8 insertions(+)
--- a/drivers/char/tpm/tpm-interface.c
+++ b/drivers/char/tpm/tpm-interface.c
@@ -1029,6 +1029,10 @@ int tpm_get_random(u32 chip_num, u8 *out
break;
recd = be32_to_cpu(tpm_cmd.params.getrandom_out.rng_data_len);
+ if (recd > num_bytes) {
+ total = -EFAULT;
+ break;
+ }
memcpy(dest, tpm_cmd.params.getrandom_out.rng_data, recd);
dest += recd;
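Review bot: the diffstat still lists drivers/char/tpm/tpm2-cmd.c and 8 insertions, but the backport note says the TPM2 bits were dropped and only the tpm-interface.c hunk is present; regenerate the diffstat. In the hunk itself, `total = -EFAULT` discards whatever earlier loop iterations already copied to dest; if that is intended, say so in a comment, and consider -EIO, since the fault is a bad length from the device rather than a bad user pointer.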
* [PATCH 3.16 147/410] alpha: fix crash if pthread_create races with signal delivery
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Mikulas Patocka, Matt Turner
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Mikulas Patocka <mpatocka@redhat.com>
commit 21ffceda1c8b3807615c40d440d7815e0c85d366 upstream.
On alpha, a process will crash if it attempts to start a thread and a
signal is delivered at the same time. The crash can be reproduced with
this program: https://cygwin.com/ml/cygwin/2014-11/msg00473.html
The reason for the crash is this:
* we call the clone syscall
* we go to the function copy_process
* copy process calls copy_thread_tls, it is a wrapper around copy_thread
* copy_thread sets the tls pointer: childti->pcb.unique = regs->r20
* copy_thread sets regs->r20 to zero
* we go back to copy_process
* copy process checks "if (signal_pending(current))" and returns
-ERESTARTNOINTR
* the clone syscall is restarted, but this time, regs->r20 is zero, so
the new thread is created with zero tls pointer
* the new thread crashes in start_thread when attempting to access tls
The comment in the code says that setting the register r20 is some
compatibility with OSF/1. But OSF/1 doesn't use the CLONE_SETTLS flag, so
we don't have to zero r20 if CLONE_SETTLS is set. This patch fixes the bug
by zeroing regs->r20 only if CLONE_SETTLS is not set.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Matt Turner <mattst88@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/alpha/kernel/process.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/arch/alpha/kernel/process.c
+++ b/arch/alpha/kernel/process.c
@@ -274,12 +274,13 @@ copy_thread(unsigned long clone_flags, u
application calling fork. */
if (clone_flags & CLONE_SETTLS)
childti->pcb.unique = regs->r20;
+ else
+ regs->r20 = 0; /* OSF/1 has some strange fork() semantics. */
childti->pcb.usp = usp ?: rdusp();
*childregs = *regs;
childregs->r0 = 0;
childregs->r19 = 0;
childregs->r20 = 1; /* OSF/1 has some strange fork() semantics. */
- regs->r20 = 0;
stack = ((struct switch_stack *) regs) - 1;
*childstack = *stack;
childstack->r26 = (unsigned long) ret_from_fork;
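Review bot: The new `else` branch reuses the comment "OSF/1 has some strange fork() semantics." on `regs->r20 = 0`, which does not tell a reader why the zeroing is now skipped when CLONE_SETTLS is set. A comment on the `if (clone_flags & CLONE_SETTLS)` / `else` pair saying that r20 carries the TLS pointer and has to survive an -ERESTARTNOINTR restart of clone would keep a later cleanup from moving the store back to its old unconditional place after `childregs->r20 = 1`.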
* [PATCH 3.16 054/410] KVM: VMX: make MSR bitmaps per-VCPU
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Greg Kroah-Hartman, Paolo Bonzini, Jim Mattson, David Woodhouse
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Bonzini <pbonzini@redhat.com>
commit 904e14fb7cb96401a7dc803ca2863fd5ba32ffe6 upstream.
Place the MSR bitmap in struct loaded_vmcs, and update it in place
every time the x2apic or APICv state can change. This is rare and
the loop can handle 64 MSRs per iteration, in a similar fashion as
nested_vmx_prepare_msr_bitmap.
This prepares for choosing, on a per-VM basis, whether to intercept
the SPEC_CTRL and PRED_CMD MSRs.
Suggested-by: Jim Mattson <jmattson@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16:
- No support for nested MSR bitmaps
- APICv support looked different
- We still need to intercept the APIC_ID MSR
- Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/x86/kvm/vmx.c | 228 +++++++++++++++++++++------------------------
1 file changed, 107 insertions(+), 121 deletions(-)
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -101,6 +101,14 @@ module_param_named(enable_shadow_vmcs, e
static bool __read_mostly nested = 0;
module_param(nested, bool, S_IRUGO);
+#define MSR_TYPE_R 1
+#define MSR_TYPE_W 2
+#define MSR_TYPE_RW 3
+
+#define MSR_BITMAP_MODE_X2APIC 1
+#define MSR_BITMAP_MODE_X2APIC_APICV 2
+#define MSR_BITMAP_MODE_LM 4
+
#define KVM_GUEST_CR0_MASK (X86_CR0_NW | X86_CR0_CD)
#define KVM_VM_CR0_ALWAYS_ON_UNRESTRICTED_GUEST (X86_CR0_WP | X86_CR0_NE)
#define KVM_VM_CR0_ALWAYS_ON \
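Review bot: `MSR_TYPE_RW` is defined as the literal 3 next to `MSR_TYPE_R` and `MSR_TYPE_W`; writing it as `(MSR_TYPE_R | MSR_TYPE_W)` would make the relationship explicit. The `MSR_BITMAP_MODE_*` values 1, 2, 4 are bit flags (they are ORed into a u8 and XORed against the previous mode later in the patch), so a one-line comment saying so would help.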
@@ -154,6 +162,7 @@ struct loaded_vmcs {
struct vmcs *vmcs;
int cpu;
int launched;
+ unsigned long *msr_bitmap;
struct list_head loaded_vmcss_on_cpu_link;
};
@@ -410,6 +419,7 @@ struct vcpu_vmx {
unsigned long host_rsp;
u8 fail;
bool nmi_known_unmasked;
+ u8 msr_bitmap_mode;
u32 exit_intr_info;
u32 idt_vectoring_info;
ulong rflags;
@@ -745,6 +755,7 @@ static void vmx_sync_pir_to_irr_dummy(st
static void copy_vmcs12_to_shadow(struct vcpu_vmx *vmx);
static void copy_shadow_to_vmcs12(struct vcpu_vmx *vmx);
static bool vmx_mpx_supported(void);
+static void vmx_update_msr_bitmap(struct kvm_vcpu *vcpu);
static DEFINE_PER_CPU(struct vmcs *, vmxarea);
static DEFINE_PER_CPU(struct vmcs *, current_vmcs);
@@ -757,10 +768,6 @@ static DEFINE_PER_CPU(struct desc_ptr, h
static unsigned long *vmx_io_bitmap_a;
static unsigned long *vmx_io_bitmap_b;
-static unsigned long *vmx_msr_bitmap_legacy;
-static unsigned long *vmx_msr_bitmap_longmode;
-static unsigned long *vmx_msr_bitmap_legacy_x2apic;
-static unsigned long *vmx_msr_bitmap_longmode_x2apic;
static unsigned long *vmx_vmread_bitmap;
static unsigned long *vmx_vmwrite_bitmap;
@@ -2073,25 +2080,6 @@ static void move_msr_up(struct vcpu_vmx
vmx->guest_msrs[from] = tmp;
}
-static void vmx_set_msr_bitmap(struct kvm_vcpu *vcpu)
-{
- unsigned long *msr_bitmap;
-
- if (irqchip_in_kernel(vcpu->kvm) && apic_x2apic_mode(vcpu->arch.apic)) {
- if (is_long_mode(vcpu))
- msr_bitmap = vmx_msr_bitmap_longmode_x2apic;
- else
- msr_bitmap = vmx_msr_bitmap_legacy_x2apic;
- } else {
- if (is_long_mode(vcpu))
- msr_bitmap = vmx_msr_bitmap_longmode;
- else
- msr_bitmap = vmx_msr_bitmap_legacy;
- }
-
- vmcs_write64(MSR_BITMAP, __pa(msr_bitmap));
-}
-
/*
* Set up the vmcs to automatically save and restore system
* msrs. Don't touch the 64-bit msrs if the guest is in legacy
@@ -2132,7 +2120,7 @@ static void setup_msrs(struct vcpu_vmx *
vmx->save_nmsrs = save_nmsrs;
if (cpu_has_vmx_msr_bitmap())
- vmx_set_msr_bitmap(&vmx->vcpu);
+ vmx_update_msr_bitmap(&vmx->vcpu);
}
/*
@@ -3014,6 +3002,8 @@ static void free_loaded_vmcs(struct load
loaded_vmcs_clear(loaded_vmcs);
free_vmcs(loaded_vmcs->vmcs);
loaded_vmcs->vmcs = NULL;
+ if (loaded_vmcs->msr_bitmap)
+ free_page((unsigned long)loaded_vmcs->msr_bitmap);
}
static struct vmcs *alloc_vmcs(void)
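Review bot: In free_loaded_vmcs() the bitmap page is freed but `loaded_vmcs->msr_bitmap` keeps its old value, while the line just above resets `loaded_vmcs->vmcs = NULL`. Setting `loaded_vmcs->msr_bitmap = NULL` after `free_page()` would keep the two fields consistent and avoid leaving a dangling pointer in the struct.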
@@ -3028,7 +3018,18 @@ static int alloc_loaded_vmcs(struct load
return -ENOMEM;
loaded_vmcs_init(loaded_vmcs);
+
+ if (cpu_has_vmx_msr_bitmap()) {
+ loaded_vmcs->msr_bitmap = (unsigned long *)__get_free_page(GFP_KERNEL);
+ if (!loaded_vmcs->msr_bitmap)
+ goto out_vmcs;
+ memset(loaded_vmcs->msr_bitmap, 0xff, PAGE_SIZE);
+ }
return 0;
+
+out_vmcs:
+ free_loaded_vmcs(loaded_vmcs);
+ return -ENOMEM;
}
static void free_kvm_area(void)
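Review bot: When cpu_has_vmx_msr_bitmap() is false, alloc_loaded_vmcs() never assigns `loaded_vmcs->msr_bitmap`, yet free_loaded_vmcs() tests that field before calling `free_page()`. This relies on every caller handing in a zeroed struct; initialising the field to NULL before the `if (cpu_has_vmx_msr_bitmap())` block would remove that dependency.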
@@ -4089,10 +4090,8 @@ static void free_vpid(struct vcpu_vmx *v
spin_unlock(&vmx_vpid_lock);
}
-#define MSR_TYPE_R 1
-#define MSR_TYPE_W 2
-static void __vmx_disable_intercept_for_msr(unsigned long *msr_bitmap,
- u32 msr, int type)
+static void __always_inline vmx_disable_intercept_for_msr(unsigned long *msr_bitmap,
+ u32 msr, int type)
{
int f = sizeof(unsigned long);
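Review bot: `static void __always_inline vmx_disable_intercept_for_msr(` puts the attribute between the return type and the function name; the usual ordering is `static __always_inline void ...`. The same applies to vmx_enable_intercept_for_msr() and vmx_set_intercept_for_msr() in the following hunks.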
@@ -4126,8 +4125,8 @@ static void __vmx_disable_intercept_for_
}
}
-static void __vmx_enable_intercept_for_msr(unsigned long *msr_bitmap,
- u32 msr, int type)
+static void __always_inline vmx_enable_intercept_for_msr(unsigned long *msr_bitmap,
+ u32 msr, int type)
{
int f = sizeof(unsigned long);
@@ -4161,37 +4160,76 @@ static void __vmx_enable_intercept_for_m
}
}
-static void vmx_disable_intercept_for_msr(u32 msr, bool longmode_only)
+static void __always_inline vmx_set_intercept_for_msr(unsigned long *msr_bitmap,
+ u32 msr, int type, bool value)
{
- if (!longmode_only)
- __vmx_disable_intercept_for_msr(vmx_msr_bitmap_legacy,
- msr, MSR_TYPE_R | MSR_TYPE_W);
- __vmx_disable_intercept_for_msr(vmx_msr_bitmap_longmode,
- msr, MSR_TYPE_R | MSR_TYPE_W);
+ if (value)
+ vmx_enable_intercept_for_msr(msr_bitmap, msr, type);
+ else
+ vmx_disable_intercept_for_msr(msr_bitmap, msr, type);
}
-static void vmx_enable_intercept_msr_read_x2apic(u32 msr)
+static u8 vmx_msr_bitmap_mode(struct kvm_vcpu *vcpu)
{
- __vmx_enable_intercept_for_msr(vmx_msr_bitmap_legacy_x2apic,
- msr, MSR_TYPE_R);
- __vmx_enable_intercept_for_msr(vmx_msr_bitmap_longmode_x2apic,
- msr, MSR_TYPE_R);
+ u8 mode = 0;
+
+ if (irqchip_in_kernel(vcpu->kvm) && apic_x2apic_mode(vcpu->arch.apic)) {
+ mode |= MSR_BITMAP_MODE_X2APIC;
+ if (enable_apicv)
+ mode |= MSR_BITMAP_MODE_X2APIC_APICV;
+ }
+
+ if (is_long_mode(vcpu))
+ mode |= MSR_BITMAP_MODE_LM;
+
+ return mode;
}
-static void vmx_disable_intercept_msr_read_x2apic(u32 msr)
+#define X2APIC_MSR(r) (APIC_BASE_MSR + ((r) >> 4))
+
+static void vmx_update_msr_bitmap_x2apic(unsigned long *msr_bitmap,
+ u8 mode)
{
- __vmx_disable_intercept_for_msr(vmx_msr_bitmap_legacy_x2apic,
- msr, MSR_TYPE_R);
- __vmx_disable_intercept_for_msr(vmx_msr_bitmap_longmode_x2apic,
- msr, MSR_TYPE_R);
+ int msr;
+
+ for (msr = 0x800; msr <= 0x8ff; msr += BITS_PER_LONG) {
+ unsigned word = msr / BITS_PER_LONG;
+ msr_bitmap[word] = (mode & MSR_BITMAP_MODE_X2APIC_APICV) ? 0 : ~0;
+ msr_bitmap[word + (0x800 / sizeof(long))] = ~0;
+ }
+
+ if (mode & MSR_BITMAP_MODE_X2APIC) {
+ /*
+ * TPR reads and writes can be virtualized even if virtual interrupt
+ * delivery is not in use.
+ */
+ vmx_disable_intercept_for_msr(msr_bitmap, X2APIC_MSR(APIC_TASKPRI), MSR_TYPE_RW);
+ if (mode & MSR_BITMAP_MODE_X2APIC_APICV) {
+ vmx_enable_intercept_for_msr(msr_bitmap, X2APIC_MSR(APIC_ID), MSR_TYPE_R);
+ vmx_enable_intercept_for_msr(msr_bitmap, X2APIC_MSR(APIC_TMCCT), MSR_TYPE_R);
+ vmx_disable_intercept_for_msr(msr_bitmap, X2APIC_MSR(APIC_EOI), MSR_TYPE_W);
+ vmx_disable_intercept_for_msr(msr_bitmap, X2APIC_MSR(APIC_SELF_IPI), MSR_TYPE_W);
+ }
+ }
}
-static void vmx_disable_intercept_msr_write_x2apic(u32 msr)
+static void vmx_update_msr_bitmap(struct kvm_vcpu *vcpu)
{
- __vmx_disable_intercept_for_msr(vmx_msr_bitmap_legacy_x2apic,
- msr, MSR_TYPE_W);
- __vmx_disable_intercept_for_msr(vmx_msr_bitmap_longmode_x2apic,
- msr, MSR_TYPE_W);
+ struct vcpu_vmx *vmx = to_vmx(vcpu);
+ unsigned long *msr_bitmap = vmx->vmcs01.msr_bitmap;
+ u8 mode = vmx_msr_bitmap_mode(vcpu);
+ u8 changed = mode ^ vmx->msr_bitmap_mode;
+
+ if (!changed)
+ return;
+
+ vmx_set_intercept_for_msr(msr_bitmap, MSR_KERNEL_GS_BASE, MSR_TYPE_RW,
+ !(mode & MSR_BITMAP_MODE_LM));
+
+ if (changed & (MSR_BITMAP_MODE_X2APIC | MSR_BITMAP_MODE_X2APIC_APICV))
+ vmx_update_msr_bitmap_x2apic(msr_bitmap, mode);
+
+ vmx->msr_bitmap_mode = mode;
}
static int vmx_vm_has_apicv(struct kvm *kvm)
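Review bot: In vmx_update_msr_bitmap_x2apic() the constant 0x800 is used in two different senses, as the first x2APIC MSR index in the loop bounds and as an offset into the bitmap page in `msr_bitmap[word + (0x800 / sizeof(long))] = ~0;`. Named constants or a comment for the second use would make the layout assumption checkable. While there, `~0` assigned to an `unsigned long` element reads more clearly as `~0UL`, and `unsigned word` as `unsigned int word`.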
@@ -4412,7 +4450,7 @@ static int vmx_vcpu_setup(struct vcpu_vm
vmcs_write64(VMWRITE_BITMAP, __pa(vmx_vmwrite_bitmap));
}
if (cpu_has_vmx_msr_bitmap())
- vmcs_write64(MSR_BITMAP, __pa(vmx_msr_bitmap_legacy));
+ vmcs_write64(MSR_BITMAP, __pa(vmx->vmcs01.msr_bitmap));
vmcs_write64(VMCS_LINK_POINTER, -1ull); /* 22.3.1.5 */
@@ -7085,7 +7123,7 @@ static void vmx_set_virtual_x2apic_mode(
}
vmcs_write32(SECONDARY_VM_EXEC_CONTROL, sec_exec_control);
- vmx_set_msr_bitmap(vcpu);
+ vmx_update_msr_bitmap(vcpu);
}
static void vmx_hwapic_isr_update(struct kvm *kvm, int isr)
@@ -7605,6 +7643,7 @@ static struct kvm_vcpu *vmx_create_vcpu(
{
int err;
struct vcpu_vmx *vmx = kmem_cache_zalloc(kvm_vcpu_cache, GFP_KERNEL);
+ unsigned long *msr_bitmap;
int cpu;
if (!vmx)
@@ -7630,6 +7669,15 @@ static struct kvm_vcpu *vmx_create_vcpu(
if (err < 0)
goto free_msrs;
+ msr_bitmap = vmx->vmcs01.msr_bitmap;
+ vmx_disable_intercept_for_msr(msr_bitmap, MSR_FS_BASE, MSR_TYPE_RW);
+ vmx_disable_intercept_for_msr(msr_bitmap, MSR_GS_BASE, MSR_TYPE_RW);
+ vmx_disable_intercept_for_msr(msr_bitmap, MSR_KERNEL_GS_BASE, MSR_TYPE_RW);
+ vmx_disable_intercept_for_msr(msr_bitmap, MSR_IA32_SYSENTER_CS, MSR_TYPE_RW);
+ vmx_disable_intercept_for_msr(msr_bitmap, MSR_IA32_SYSENTER_ESP, MSR_TYPE_RW);
+ vmx_disable_intercept_for_msr(msr_bitmap, MSR_IA32_SYSENTER_EIP, MSR_TYPE_RW);
+ vmx->msr_bitmap_mode = 0;
+
vmx->loaded_vmcs = &vmx->vmcs01;
cpu = get_cpu();
vmx_vcpu_load(&vmx->vcpu, cpu);
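Review bot: vmx_create_vcpu() disables the MSR_KERNEL_GS_BASE intercept and then sets `vmx->msr_bitmap_mode = 0`, but vmx_update_msr_bitmap() treats a mode without MSR_BITMAP_MODE_LM as "intercept MSR_KERNEL_GS_BASE" and returns early when `changed` is zero. A vCPU that has not yet entered long mode therefore keeps the pass-through set here until its first mode change, whereas the removed vmx_init() code passed `longmode_only = true` for this MSR. Is that intended? If not, dropping the MSR_KERNEL_GS_BASE line here would restore the old behaviour.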
@@ -8955,7 +9003,7 @@ static struct kvm_x86_ops vmx_x86_ops =
static int __init vmx_init(void)
{
- int r, i, msr;
+ int r, i;
rdmsrl_safe(MSR_EFER, &host_efer);
@@ -8972,30 +9020,13 @@ static int __init vmx_init(void)
if (!vmx_io_bitmap_b)
goto out;
- vmx_msr_bitmap_legacy = (unsigned long *)__get_free_page(GFP_KERNEL);
- if (!vmx_msr_bitmap_legacy)
- goto out1;
-
- vmx_msr_bitmap_legacy_x2apic =
- (unsigned long *)__get_free_page(GFP_KERNEL);
- if (!vmx_msr_bitmap_legacy_x2apic)
- goto out2;
-
- vmx_msr_bitmap_longmode = (unsigned long *)__get_free_page(GFP_KERNEL);
- if (!vmx_msr_bitmap_longmode)
- goto out3;
-
- vmx_msr_bitmap_longmode_x2apic =
- (unsigned long *)__get_free_page(GFP_KERNEL);
- if (!vmx_msr_bitmap_longmode_x2apic)
- goto out4;
vmx_vmread_bitmap = (unsigned long *)__get_free_page(GFP_KERNEL);
if (!vmx_vmread_bitmap)
- goto out5;
+ goto out1;
vmx_vmwrite_bitmap = (unsigned long *)__get_free_page(GFP_KERNEL);
if (!vmx_vmwrite_bitmap)
- goto out6;
+ goto out2;
memset(vmx_vmread_bitmap, 0xff, PAGE_SIZE);
memset(vmx_vmwrite_bitmap, 0xff, PAGE_SIZE);
@@ -9004,51 +9035,18 @@ static int __init vmx_init(void)
memset(vmx_io_bitmap_b, 0xff, PAGE_SIZE);
- memset(vmx_msr_bitmap_legacy, 0xff, PAGE_SIZE);
- memset(vmx_msr_bitmap_longmode, 0xff, PAGE_SIZE);
-
set_bit(0, vmx_vpid_bitmap); /* 0 is reserved for host */
r = kvm_init(&vmx_x86_ops, sizeof(struct vcpu_vmx),
__alignof__(struct vcpu_vmx), THIS_MODULE);
if (r)
- goto out7;
+ goto out3;
#ifdef CONFIG_KEXEC
rcu_assign_pointer(crash_vmclear_loaded_vmcss,
crash_vmclear_local_loaded_vmcss);
#endif
- vmx_disable_intercept_for_msr(MSR_FS_BASE, false);
- vmx_disable_intercept_for_msr(MSR_GS_BASE, false);
- vmx_disable_intercept_for_msr(MSR_KERNEL_GS_BASE, true);
- vmx_disable_intercept_for_msr(MSR_IA32_SYSENTER_CS, false);
- vmx_disable_intercept_for_msr(MSR_IA32_SYSENTER_ESP, false);
- vmx_disable_intercept_for_msr(MSR_IA32_SYSENTER_EIP, false);
-
- memcpy(vmx_msr_bitmap_legacy_x2apic,
- vmx_msr_bitmap_legacy, PAGE_SIZE);
- memcpy(vmx_msr_bitmap_longmode_x2apic,
- vmx_msr_bitmap_longmode, PAGE_SIZE);
-
- if (enable_apicv) {
- for (msr = 0x800; msr <= 0x8ff; msr++)
- vmx_disable_intercept_msr_read_x2apic(msr);
-
- /* According SDM, in x2apic mode, the whole id reg is used.
- * But in KVM, it only use the highest eight bits. Need to
- * intercept it */
- vmx_enable_intercept_msr_read_x2apic(0x802);
- /* TMCCT */
- vmx_enable_intercept_msr_read_x2apic(0x839);
- /* TPR */
- vmx_disable_intercept_msr_write_x2apic(0x808);
- /* EOI */
- vmx_disable_intercept_msr_write_x2apic(0x80b);
- /* SELF-IPI */
- vmx_disable_intercept_msr_write_x2apic(0x83f);
- }
-
if (enable_ept) {
kvm_mmu_set_mask_ptes(0ull,
(enable_ept_ad_bits) ? VMX_EPT_ACCESS_BIT : 0ull,
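Review bot: The block removed from vmx_init() carried the reason for intercepting reads of MSR 0x802 (the comment ending "Need to intercept it"), and the replacement call `vmx_enable_intercept_for_msr(msr_bitmap, X2APIC_MSR(APIC_ID), MSR_TYPE_R)` in vmx_update_msr_bitmap_x2apic() has no comment. Since the backport note lists "We still need to intercept the APIC_ID MSR" as a deviation, carrying that explanation over next to the new call would document why it is there.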
@@ -9061,18 +9059,10 @@ static int __init vmx_init(void)
return 0;
-out7:
- free_page((unsigned long)vmx_vmwrite_bitmap);
-out6:
- free_page((unsigned long)vmx_vmread_bitmap);
-out5:
- free_page((unsigned long)vmx_msr_bitmap_longmode_x2apic);
-out4:
- free_page((unsigned long)vmx_msr_bitmap_longmode);
out3:
- free_page((unsigned long)vmx_msr_bitmap_legacy_x2apic);
+ free_page((unsigned long)vmx_vmwrite_bitmap);
out2:
- free_page((unsigned long)vmx_msr_bitmap_legacy);
+ free_page((unsigned long)vmx_vmread_bitmap);
out1:
free_page((unsigned long)vmx_io_bitmap_b);
out:
@@ -9082,10 +9072,6 @@ out:
static void __exit vmx_exit(void)
{
- free_page((unsigned long)vmx_msr_bitmap_legacy_x2apic);
- free_page((unsigned long)vmx_msr_bitmap_longmode_x2apic);
- free_page((unsigned long)vmx_msr_bitmap_legacy);
- free_page((unsigned long)vmx_msr_bitmap_longmode);
free_page((unsigned long)vmx_io_bitmap_b);
free_page((unsigned long)vmx_io_bitmap_a);
free_page((unsigned long)vmx_vmwrite_bitmap);
* [PATCH 3.16 200/410] pipe: move limit checking logic into pipe_set_size()
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Linus Torvalds, Vegard Nossum, Tetsuo Handa,
Michael Kerrisk (man-pages),
socketpair, Al Viro, Willy Tarreau, Jens Axboe
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com>
commit d37d41666408102bf0ac8e48d8efdce7b809e5f6 upstream.
This is a preparatory patch for following work. Move the F_SETPIPE_SZ
limit-checking logic from pipe_fcntl() into pipe_set_size(). This
simplifies the code a little, and allows for reworking required in
a later patch that fixes the limit checking in pipe_set_size().
Link: http://lkml.kernel.org/r/3701b2c5-2c52-2c3e-226d-29b9deb29b50@gmail.com
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
Reviewed-by: Vegard Nossum <vegard.nossum@oracle.com>
Cc: Willy Tarreau <w@1wt.eu>
Cc: <socketpair@gmail.com>
Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Cc: Jens Axboe <axboe@fb.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/pipe.c | 41 ++++++++++++++++++-----------------------
1 file changed, 18 insertions(+), 23 deletions(-)
--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -1009,9 +1009,24 @@ static inline unsigned int round_pipe_si
* Allocate a new array of pipe buffers and copy the info over. Returns the
* pipe size if successful, or return -ERROR on error.
*/
-static long pipe_set_size(struct pipe_inode_info *pipe, unsigned long nr_pages)
+static long pipe_set_size(struct pipe_inode_info *pipe, unsigned long arg)
{
struct pipe_buffer *bufs;
+ unsigned int size, nr_pages;
+
+ size = round_pipe_size(arg);
+ nr_pages = size >> PAGE_SHIFT;
+
+ if (!nr_pages)
+ return -EINVAL;
+
+ if (!capable(CAP_SYS_RESOURCE) && size > pipe_max_size)
+ return -EPERM;
+
+ if ((too_many_pipe_buffers_hard(pipe->user) ||
+ too_many_pipe_buffers_soft(pipe->user)) &&
+ !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN))
+ return -EPERM;
/*
* We can shrink the pipe, if arg >= pipe->nrbufs. Since we don't
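Review bot: pipe_set_size() now takes the byte count as `unsigned long arg`, but the result of `round_pipe_size(arg)` is held in `unsigned int size`, so the `size > pipe_max_size` test sees a narrowed value on 64-bit; the commit message defers the limit-check fixes to a later patch, which deserves a note at this spot. The context comment "We can shrink the pipe, if arg >= pipe->nrbufs" also still uses `arg` in its old sense of a page count and should now refer to `nr_pages`.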
@@ -1094,28 +1109,9 @@ long pipe_fcntl(struct file *file, unsig
__pipe_lock(pipe);
switch (cmd) {
- case F_SETPIPE_SZ: {
- unsigned int size, nr_pages;
-
- size = round_pipe_size(arg);
- nr_pages = size >> PAGE_SHIFT;
-
- ret = -EINVAL;
- if (!nr_pages)
- goto out;
-
- if (!capable(CAP_SYS_RESOURCE) && size > pipe_max_size) {
- ret = -EPERM;
- goto out;
- } else if ((too_many_pipe_buffers_hard(pipe->user) ||
- too_many_pipe_buffers_soft(pipe->user)) &&
- !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN)) {
- ret = -EPERM;
- goto out;
- }
- ret = pipe_set_size(pipe, nr_pages);
+ case F_SETPIPE_SZ:
+ ret = pipe_set_size(pipe, arg);
break;
- }
case F_GETPIPE_SZ:
ret = pipe->buffers * PAGE_SIZE;
break;
@@ -1124,7 +1120,6 @@ long pipe_fcntl(struct file *file, unsig
break;
}
-out:
__pipe_unlock(pipe);
return ret;
}
* [PATCH 3.16 361/410] drm/radeon: fix prime teardown order
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Michel Dänzer, Alex Deucher, Christian König
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Christian König <christian.koenig@amd.com>
commit 0f4f715bc6bed3bf14c5cd7d5fe88d443e756b14 upstream.
We unmapped imported DMA-bufs when the GEM handle was dropped, not when the
hardware was done with the buffer.
Signed-off-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Michel Dänzer <michel.daenzer@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/gpu/drm/radeon/radeon_gem.c | 2 --
drivers/gpu/drm/radeon/radeon_object.c | 2 ++
2 files changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/gpu/drm/radeon/radeon_gem.c
+++ b/drivers/gpu/drm/radeon/radeon_gem.c
@@ -34,8 +34,6 @@ void radeon_gem_object_free(struct drm_g
struct radeon_bo *robj = gem_to_radeon_bo(gobj);
if (robj) {
- if (robj->gem_base.import_attach)
- drm_prime_gem_destroy(&robj->gem_base, robj->tbo.sg);
radeon_bo_unref(&robj);
}
}
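Review bot: With the import_attach check removed, `if (robj) {` in radeon_gem_object_free() now wraps the single statement `radeon_bo_unref(&robj);`, so the braces can go.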
--- a/drivers/gpu/drm/radeon/radeon_object.c
+++ b/drivers/gpu/drm/radeon/radeon_object.c
@@ -91,6 +91,8 @@ static void radeon_ttm_bo_destroy(struct
mutex_unlock(&bo->rdev->gem.mutex);
radeon_bo_clear_surface_reg(bo);
radeon_bo_clear_va(bo);
+ if (bo->gem_base.import_attach)
+ drm_prime_gem_destroy(&bo->gem_base, bo->tbo.sg);
drm_gem_object_release(&bo->gem_base);
kfree(bo);
}
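Review bot: The `drm_prime_gem_destroy()` call added to radeon_ttm_bo_destroy() has no comment saying why it lives in the TTM destroy callback rather than in radeon_gem_object_free(). One line stating that an imported DMA-buf may only be unmapped once the hardware is done with the buffer, which is the reason given in the commit message, would keep the call from being moved back.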
* [PATCH 3.16 057/410] KVM/VMX: Allow direct access to MSR_IA32_SPEC_CTRL
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, David Woodhouse, Andrea Arcangeli, Ashok Raj, Jim Mattson,
Jun Nakajima, Tim Chen, Paolo Bonzini, Asit Mallick, Greg KH,
Konrad Rzeszutek Wilk, Linus Torvalds, Thomas Gleixner, kvm,
KarimAllah Ahmed, Darren Kenny, Dan Williams, Dave Hansen,
Arjan Van De Ven, Andy Lutomirski, Andi Kleen
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: KarimAllah Ahmed <karahmed@amazon.de>
commit d28b387fb74da95d69d2615732f50cceb38e9a4d upstream.
[ Based on a patch from Ashok Raj <ashok.raj@intel.com> ]
Add direct access to MSR_IA32_SPEC_CTRL for guests. This is needed for
guests that will only mitigate Spectre V2 through IBRS+IBPB and will not
be using a retpoline+IBPB based approach.
To avoid the overhead of saving and restoring the MSR_IA32_SPEC_CTRL for
guests that do not actually use the MSR, only start saving and restoring
when a non-zero is written to it.
No attempt is made to handle STIBP here, intentionally. Filtering STIBP
may be added in a future patch, which may require trapping all writes
if we don't want to pass it through directly to the guest.
[dwmw2: Clean up CPUID bits, save/restore manually, handle reset]
Signed-off-by: KarimAllah Ahmed <karahmed@amazon.de>
Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Darren Kenny <darren.kenny@oracle.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Reviewed-by: Jim Mattson <jmattson@google.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Andi Kleen <ak@linux.intel.com>
Cc: Jun Nakajima <jun.nakajima@intel.com>
Cc: kvm@vger.kernel.org
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: Tim Chen <tim.c.chen@linux.intel.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Asit Mallick <asit.k.mallick@intel.com>
Cc: Arjan Van De Ven <arjan.van.de.ven@intel.com>
Cc: Greg KH <gregkh@linuxfoundation.org>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Dan Williams <dan.j.williams@intel.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Ashok Raj <ashok.raj@intel.com>
Link: https://lkml.kernel.org/r/1517522386-18410-5-git-send-email-karahmed@amazon.de
Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16:
- No support for nested MSR bitmaps
- Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/x86/kvm/cpuid.c | 8 +++---
arch/x86/kvm/cpuid.h | 11 ++++++++
arch/x86/kvm/vmx.c | 64 ++++++++++++++++++++++++++++++++++++++++++++
arch/x86/kvm/x86.c | 2 +-
4 files changed, 81 insertions(+), 4 deletions(-)
--- a/arch/x86/kvm/cpuid.c
+++ b/arch/x86/kvm/cpuid.c
@@ -302,7 +302,7 @@ static inline int __do_cpuid_ent(struct
/* cpuid 0x80000008.ebx */
const u32 kvm_cpuid_8000_0008_ebx_x86_features =
- F(IBPB);
+ F(IBPB) | F(IBRS);
/* cpuid 0xC0000001.edx */
const u32 kvm_supported_word5_x86_features =
@@ -318,7 +318,7 @@ static inline int __do_cpuid_ent(struct
/* cpuid 7.0.edx*/
const u32 kvm_cpuid_7_0_edx_x86_features =
- F(ARCH_CAPABILITIES);
+ F(SPEC_CTRL) | F(ARCH_CAPABILITIES);
/* all calls to cpuid_count() should be made on the same cpu */
get_cpu();
@@ -524,9 +524,11 @@ static inline int __do_cpuid_ent(struct
g_phys_as = phys_as;
entry->eax = g_phys_as | (virt_as << 8);
entry->edx = 0;
- /* IBPB isn't necessarily present in hardware cpuid */
+ /* IBRS and IBPB aren't necessarily present in hardware cpuid */
if (boot_cpu_has(X86_FEATURE_IBPB))
entry->ebx |= F(IBPB);
+ if (boot_cpu_has(X86_FEATURE_IBRS))
+ entry->ebx |= F(IBRS);
entry->ebx &= kvm_cpuid_8000_0008_ebx_x86_features;
cpuid_mask(&entry->ebx, 11);
break;
--- a/arch/x86/kvm/cpuid.h
+++ b/arch/x86/kvm/cpuid.h
@@ -115,6 +115,17 @@ static inline bool guest_cpuid_has_ibpb(
return best && (best->edx & bit(X86_FEATURE_SPEC_CTRL));
}
+static inline bool guest_cpuid_has_ibrs(struct kvm_vcpu *vcpu)
+{
+ struct kvm_cpuid_entry2 *best;
+
+ best = kvm_find_cpuid_entry(vcpu, 0x80000008, 0);
+ if (best && (best->ebx & bit(X86_FEATURE_IBRS)))
+ return true;
+ best = kvm_find_cpuid_entry(vcpu, 7, 0);
+ return best && (best->edx & bit(X86_FEATURE_SPEC_CTRL));
+}
+
static inline bool guest_cpuid_has_arch_capabilities(struct kvm_vcpu *vcpu)
{
struct kvm_cpuid_entry2 *best;
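Review bot: guest_cpuid_has_ibrs() repeats the pattern of the function whose tail is visible in the context above it, down to the shared fallback `best->edx & bit(X86_FEATURE_SPEC_CTRL)`; only the 0x80000008 EBX bit differs. A small common helper taking the EBX feature bit would stop the two from drifting apart.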
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -433,6 +433,7 @@ struct vcpu_vmx {
#endif
u64 arch_capabilities;
+ u64 spec_ctrl;
u32 vm_entry_controls_shadow;
u32 vm_exit_controls_shadow;
@@ -2524,6 +2525,13 @@ static int vmx_get_msr(struct kvm_vcpu *
case MSR_IA32_TSC:
msr_info->data = guest_read_tsc();
break;
+ case MSR_IA32_SPEC_CTRL:
+ if (!msr_info->host_initiated &&
+ !guest_cpuid_has_ibrs(vcpu))
+ return 1;
+
+ msr_info->data = to_vmx(vcpu)->spec_ctrl;
+ break;
case MSR_IA32_ARCH_CAPABILITIES:
if (!msr_info->host_initiated &&
!guest_cpuid_has_arch_capabilities(vcpu))
@@ -2622,6 +2630,36 @@ static int vmx_set_msr(struct kvm_vcpu *
case MSR_IA32_TSC:
kvm_write_tsc(vcpu, msr_info);
break;
+ case MSR_IA32_SPEC_CTRL:
+ if (!msr_info->host_initiated &&
+ !guest_cpuid_has_ibrs(vcpu))
+ return 1;
+
+ /* The STIBP bit doesn't fault even if it's not advertised */
+ if (data & ~(SPEC_CTRL_IBRS | SPEC_CTRL_STIBP))
+ return 1;
+
+ vmx->spec_ctrl = data;
+
+ if (!data)
+ break;
+
+ /*
+ * For non-nested:
+ * When it's written (to non-zero) for the first time, pass
+ * it through.
+ *
+ * For nested:
+ * The handling of the MSR bitmap for L2 guests is done in
+ * nested_vmx_merge_msr_bitmap. We should not touch the
+ * vmcs02.msr_bitmap here since it gets completely overwritten
+ * in the merging. We update the vmcs01 here for L1 as well
+ * since it will end up touching the MSR anyway now.
+ */
+ vmx_disable_intercept_for_msr(vmx->vmcs01.msr_bitmap,
+ MSR_IA32_SPEC_CTRL,
+ MSR_TYPE_RW);
+ break;
case MSR_IA32_PRED_CMD:
if (!msr_info->host_initiated &&
!guest_cpuid_has_ibpb(vcpu))
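Review bot: The comment block in the MSR_IA32_SPEC_CTRL case describes nested handling ("nested_vmx_merge_msr_bitmap", "vmcs02.msr_bitmap"), but the backport note for this patch says "No support for nested MSR bitmaps"; trim it to the non-nested case so it matches the 3.16 code. The comment should also say that nothing in this patch re-enables the intercept once it is disabled here, vmx_vcpu_reset() included, so the reserved-bit check `data & ~(SPEC_CTRL_IBRS | SPEC_CTRL_STIBP)` only applies until the first non-zero write.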
@@ -4617,6 +4655,7 @@ static void vmx_vcpu_reset(struct kvm_vc
struct msr_data apic_base_msr;
vmx->rmode.vm86_active = 0;
+ vmx->spec_ctrl = 0;
vmx->soft_vnmi_blocked = 0;
@@ -7496,6 +7535,15 @@ static void __noclone vmx_vcpu_run(struc
atomic_switch_perf_msrs(vmx);
debugctlmsr = get_debugctlmsr();
+ /*
+ * If this vCPU has touched SPEC_CTRL, restore the guest's value if
+ * it's non-zero. Since vmentry is serialising on affected CPUs, there
+ * is no need to worry about the conditional branch over the wrmsr
+ * being speculatively taken.
+ */
+ if (vmx->spec_ctrl)
+ wrmsrl(MSR_IA32_SPEC_CTRL, vmx->spec_ctrl);
+
vmx->__launched = vmx->loaded_vmcs->launched;
asm(
/* Store host registers */
@@ -7614,6 +7662,22 @@ static void __noclone vmx_vcpu_run(struc
#endif
);
+ /*
+ * We do not use IBRS in the kernel. If this vCPU has used the
+ * SPEC_CTRL MSR it may have left it on; save the value and
+ * turn it off. This is much more efficient than blindly adding
+ * it to the atomic save/restore list. Especially as the former
+ * (Saving guest MSRs on vmexit) doesn't even exist in KVM.
+ *
+ * If the L01 MSR bitmap does not intercept the MSR, then we need to
+ * save it.
+ */
+ if (!msr_write_intercepted_l01(vcpu, MSR_IA32_SPEC_CTRL))
+ rdmsrl(MSR_IA32_SPEC_CTRL, vmx->spec_ctrl);
+
+ if (vmx->spec_ctrl)
+ wrmsrl(MSR_IA32_SPEC_CTRL, 0);
+
/* Eliminate branch target predictions from guest mode */
vmexit_fill_RSB();
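Review bot: `msr_write_intercepted_l01(vcpu, MSR_IA32_SPEC_CTRL)` is called after vmexit, but no hunk in this patch defines it, and the 64 insertions the diffstat reports for vmx.c are all accounted for by the visible hunks. Please confirm that an earlier patch in the 3.16 series provides the helper. The wording "L01 MSR bitmap" in the comment is also worth revisiting given the backport note that nested MSR bitmaps are not supported.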
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -894,7 +894,7 @@ static u32 msrs_to_save[] = {
#endif
MSR_IA32_TSC, MSR_IA32_CR_PAT, MSR_VM_HSAVE_PA,
MSR_IA32_FEATURE_CONTROL, MSR_IA32_BNDCFGS,
- MSR_IA32_ARCH_CAPABILITIES
+ MSR_IA32_SPEC_CTRL, MSR_IA32_ARCH_CAPABILITIES
};
static unsigned num_msrs_to_save;
* [PATCH 3.16 002/410] tun: allow positive return values on dev_get_valid_name() call
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Julien Gomes, Cong Wang, David S. Miller
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Julien Gomes <julien@arista.com>
commit 5c25f65fd1e42685f7ccd80e0621829c105785d9 upstream.
If the name argument of dev_get_valid_name() contains "%d", it will try
to assign it a unit number in __dev__alloc_name() and return either the
unit number (>= 0) or an error code (< 0).
Considering positive values as error values prevents tun device creations
relying on this mechanism, therefore we should only consider negative values
as errors here.
Signed-off-by: Julien Gomes <julien@arista.com>
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/net/tun.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -1648,7 +1648,7 @@ static int tun_set_iff(struct net *net,
if (!dev)
return -ENOMEM;
err = dev_get_valid_name(net, dev, name);
- if (err)
+ if (err < 0)
goto err_free_dev;
dev_net_set(dev, net);
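Review bot: After the test becomes `if (err < 0)`, `err` can hold a non-negative unit number from dev_get_valid_name() when execution continues to `dev_net_set(dev, net);`. Check that nothing later in tun_set_iff() returns `err` without reassigning it, and add a short comment on the call that a non-negative return is the allocated unit number so the test is not simplified back to `if (err)`.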
* [PATCH 3.16 250/410] mm: hide a #warning for COMPILE_TEST
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Linus Torvalds, Arnd Bergmann
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
commit af27d9403f5b80685b79c88425086edccecaf711 upstream.
We get a warning about some slow configurations in randconfig kernels:
mm/memory.c:83:2: error: #warning Unfortunate NUMA and NUMA Balancing config, growing page-frame for last_cpupid. [-Werror=cpp]
The warning is reasonable by itself, but gets in the way of randconfig
build testing, so I'm hiding it whenever CONFIG_COMPILE_TEST is set.
The warning was added in 2013 in commit 75980e97dacc ("mm: fold
page->_last_nid into page->flags where possible").
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
mm/memory.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -71,7 +71,7 @@
#include "internal.h"
-#ifdef LAST_CPUPID_NOT_IN_PAGE_FLAGS
+#if defined(LAST_CPUPID_NOT_IN_PAGE_FLAGS) && !defined(CONFIG_COMPILE_TEST)
#warning Unfortunate NUMA and NUMA Balancing config, growing page-frame for last_cpupid.
#endif
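Review bot: the `#if` now silences the warning under CONFIG_COMPILE_TEST with no comment saying why. Add a one-line comment above it noting that the `#warning` becomes fatal under -Werror=cpp in randconfig builds, so the next reader does not take the extra condition for a functional dependency.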
* [PATCH 3.16 106/410] x86/gart: Exclude GART aperture from vmcore
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Dave Young, Toshi Kani, yinghai, Jiri Bohac,
Thomas Gleixner, David Airlie, kexec, joro, Borislav Petkov,
Bjorn Helgaas, Baoquan He, Vivek Goyal
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jiri Bohac <jbohac@suse.cz>
commit 2a3e83c6f96c513f43ce5a8c9034608ea584a255 upstream.
On machines where the GART aperture is mapped over physical RAM
/proc/vmcore contains the remapped range and reading it may cause hangs or
reboots.
In the past, the GART region was added into the resource map, implemented
by commit 56dd669a138c ("[PATCH] Insert GART region into resource map").
However, inserting the iomem_resource from the early GART code caused
resource conflicts with some AGP drivers (bko#72201), which got avoided by
reverting the patch in commit 707d4eefbdb3 ("Revert [PATCH] Insert GART
region into resource map"). This revert introduced the /proc/vmcore bug.
The vmcore ELF header is either prepared by the kernel (when using the
kexec_file_load syscall) or by the kexec userspace (when using the kexec_load
syscall). Since we no longer have the GART iomem resource, the userspace
kexec has no way of knowing which region to exclude from the ELF header.
Changes from v1 of this patch:
Instead of excluding the aperture from the ELF header, this patch
makes /proc/vmcore return zeroes in the second kernel when attempting to
read the aperture region. This is done by reusing the
gart_oldmem_pfn_is_ram infrastructure originally intended to exclude XEN
ballooned memory. This works for both the kexec_file_load and kexec_load
syscalls.
[Note that the GART region is the same in the first and second kernels:
regardless whether the first kernel fixed up the northbridge/bios setting
and mapped the aperture over physical memory, the second kernel finds the
northbridge properly configured by the first kernel and the aperture
never overlaps with e820 memory because the second kernel has a fake e820
map created from the crashkernel memory regions. Thus, the second kernel
keeps the aperture address/size as configured by the first kernel.]
register_oldmem_pfn_is_ram can only register one callback and returns an error
if the callback has been registered already. Since XEN used to be the only user
of this function, it never checks the return value. Now that we have more than
one user, I added a WARN_ON just in case agp, XEN, or any other future user of
register_oldmem_pfn_is_ram were to step on each other's toes.
Fixes: 707d4eefbdb3 ("Revert [PATCH] Insert GART region into resource map")
Signed-off-by: Jiri Bohac <jbohac@suse.cz>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Baoquan He <bhe@redhat.com>
Cc: Toshi Kani <toshi.kani@hpe.com>
Cc: David Airlie <airlied@linux.ie>
Cc: yinghai@kernel.org
Cc: joro@8bytes.org
Cc: kexec@lists.infradead.org
Cc: Borislav Petkov <bp@alien8.de>
Cc: Bjorn Helgaas <bhelgaas@google.com>
Cc: Dave Young <dyoung@redhat.com>
Cc: Vivek Goyal <vgoyal@redhat.com>
Link: https://lkml.kernel.org/r/20180106010013.73suskgxm7lox7g6@dwarf.suse.cz
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/x86/kernel/aperture_64.c | 46 ++++++++++++++++++++++++++++++++++-
arch/x86/xen/mmu.c | 2 +-
2 files changed, 46 insertions(+), 2 deletions(-)
--- a/arch/x86/kernel/aperture_64.c
+++ b/arch/x86/kernel/aperture_64.c
@@ -29,6 +29,7 @@
#include <asm/dma.h>
#include <asm/amd_nb.h>
#include <asm/x86_init.h>
+#include <linux/crash_dump.h>
/*
* Using 512M as goal, in case kexec will load kernel_big
@@ -55,6 +56,33 @@ int fallback_aper_force __initdata;
int fix_aperture __initdata = 1;
+#ifdef CONFIG_PROC_VMCORE
+/*
+ * If the first kernel maps the aperture over e820 RAM, the kdump kernel will
+ * use the same range because it will remain configured in the northbridge.
+ * Trying to dump this area via /proc/vmcore may crash the machine, so exclude
+ * it from vmcore.
+ */
+static unsigned long aperture_pfn_start, aperture_page_count;
+
+static int gart_oldmem_pfn_is_ram(unsigned long pfn)
+{
+ return likely((pfn < aperture_pfn_start) ||
+ (pfn >= aperture_pfn_start + aperture_page_count));
+}
+
+static void exclude_from_vmcore(u64 aper_base, u32 aper_order)
+{
+ aperture_pfn_start = aper_base >> PAGE_SHIFT;
+ aperture_page_count = (32 * 1024 * 1024) << aper_order >> PAGE_SHIFT;
+ WARN_ON(register_oldmem_pfn_is_ram(&gart_oldmem_pfn_is_ram));
+}
+#else
+static void exclude_from_vmcore(u64 aper_base, u32 aper_order)
+{
+}
+#endif
+
/* This code runs before the PCI subsystem is initialized, so just
access the northbridge directly. */
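Review bot: in exclude_from_vmcore(), `(32 * 1024 * 1024) << aper_order >> PAGE_SHIFT` is evaluated in `int` because the constant is an `int`, so the left shift overflows a 32-bit signed value once `aper_order` reaches 6, before the right shift brings the result back down. Use an unsigned long constant (`32UL * 1024 * 1024`) or fold the two shifts into one so the intermediate never exceeds the final page count.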
@@ -436,8 +464,16 @@ int __init gart_iommu_hole_init(void)
out:
if (!fix && !fallback_aper_force) {
- if (last_aper_base)
+ if (last_aper_base) {
+ /*
+ * If this is the kdump kernel, the first kernel
+ * may have allocated the range over its e820 RAM
+ * and fixed up the northbridge
+ */
+ exclude_from_vmcore(last_aper_base, last_aper_order);
+
return 1;
+ }
return 0;
}
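Review bot: the comment added here says "If this is the kdump kernel", but exclude_from_vmcore() is called whenever `last_aper_base` is set, with no check that this is a kdump kernel. Either gate the call on is_kdump_kernel() or reword the comment, because an unconditional call takes the single register_oldmem_pfn_is_ram() slot on every boot and is what would trip the new WARN_ON when another user registers.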
@@ -474,6 +510,14 @@ out:
return 0;
}
+ /*
+ * If this is the kdump kernel _and_ the first kernel did not
+ * configure the aperture in the northbridge, this range may
+ * overlap with the first kernel's memory. We can't access the
+ * range through vmcore even though it should be part of the dump.
+ */
+ exclude_from_vmcore(aper_alloc, aper_order);
+
/* Fix up the north bridges */
for (i = 0; i < amd_nb_bus_dev_ranges[i].dev_limit; i++) {
int bus, dev_base, dev_limit;
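Review bot: the comment here concedes that this range "should be part of the dump" yet it will read back as zeroes, and nothing records that for whoever analyses the vmcore later. Consider a pr_info() in exclude_from_vmcore() printing the excluded base and size, so zero-filled pages in that range can be told apart from genuinely zeroed memory.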
--- a/arch/x86/xen/mmu.c
+++ b/arch/x86/xen/mmu.c
@@ -2500,7 +2500,7 @@ void __init xen_hvm_init_mmu_ops(void)
if (is_pagetable_dying_supported())
pv_mmu_ops.exit_mmap = xen_hvm_exit_mmap;
#ifdef CONFIG_PROC_VMCORE
- register_oldmem_pfn_is_ram(&xen_oldmem_pfn_is_ram);
+ WARN_ON(register_oldmem_pfn_is_ram(&xen_oldmem_pfn_is_ram));
#endif
}
#endif
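Review bot: WARN_ON() only reports a failed register_oldmem_pfn_is_ram(); after the warning xen_hvm_init_mmu_ops() carries on without its callback installed. If the GART code and Xen can both register on one system, state which of them is expected to win, or extend the registration to chain callbacks, since the loser silently loses its vmcore filtering.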
* [PATCH 3.16 185/410] net: igmp: add a missing rcu locking section
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, syzbot, David S. Miller, Eric Dumazet
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
commit e7aadb27a5415e8125834b84a74477bfbee4eff5 upstream.
Newly added igmpv3_get_srcaddr() needs to be called under rcu lock.
Timer callbacks do not ensure this locking.
=============================
WARNING: suspicious RCU usage
4.15.0+ #200 Not tainted
-----------------------------
./include/linux/inetdevice.h:216 suspicious rcu_dereference_check() usage!
other info that might help us debug this:
rcu_scheduler_active = 2, debug_locks = 1
3 locks held by syzkaller616973/4074:
#0: (&mm->mmap_sem){++++}, at: [<00000000bfce669e>] __do_page_fault+0x32d/0xc90 arch/x86/mm/fault.c:1355
#1: ((&im->timer)){+.-.}, at: [<00000000619d2f71>] lockdep_copy_map include/linux/lockdep.h:178 [inline]
#1: ((&im->timer)){+.-.}, at: [<00000000619d2f71>] call_timer_fn+0x1c6/0x820 kernel/time/timer.c:1316
#2: (&(&im->lock)->rlock){+.-.}, at: [<000000005f833c5c>] spin_lock_bh include/linux/spinlock.h:315 [inline]
#2: (&(&im->lock)->rlock){+.-.}, at: [<000000005f833c5c>] igmpv3_send_report+0x98/0x5b0 net/ipv4/igmp.c:600
stack backtrace:
CPU: 0 PID: 4074 Comm: syzkaller616973 Not tainted 4.15.0+ #200
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
lockdep_rcu_suspicious+0x123/0x170 kernel/locking/lockdep.c:4592
__in_dev_get_rcu include/linux/inetdevice.h:216 [inline]
igmpv3_get_srcaddr net/ipv4/igmp.c:329 [inline]
igmpv3_newpack+0xeef/0x12e0 net/ipv4/igmp.c:389
add_grhead.isra.27+0x235/0x300 net/ipv4/igmp.c:432
add_grec+0xbd3/0x1170 net/ipv4/igmp.c:565
igmpv3_send_report+0xd5/0x5b0 net/ipv4/igmp.c:605
igmp_send_report+0xc43/0x1050 net/ipv4/igmp.c:722
igmp_timer_expire+0x322/0x5c0 net/ipv4/igmp.c:831
call_timer_fn+0x228/0x820 kernel/time/timer.c:1326
expire_timers kernel/time/timer.c:1363 [inline]
__run_timers+0x7ee/0xb70 kernel/time/timer.c:1666
run_timer_softirq+0x4c/0x70 kernel/time/timer.c:1692
__do_softirq+0x2d7/0xb85 kernel/softirq.c:285
invoke_softirq kernel/softirq.c:365 [inline]
irq_exit+0x1cc/0x200 kernel/softirq.c:405
exiting_irq arch/x86/include/asm/apic.h:541 [inline]
smp_apic_timer_interrupt+0x16b/0x700 arch/x86/kernel/apic/apic.c:1052
apic_timer_interrupt+0xa9/0xb0 arch/x86/entry/entry_64.S:938
Fixes: a46182b00290 ("net: igmp: Use correct source address on IGMPv3 reports")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/ipv4/igmp.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/net/ipv4/igmp.c
+++ b/net/ipv4/igmp.c
@@ -388,7 +388,11 @@ static struct sk_buff *igmpv3_newpack(st
pip->frag_off = htons(IP_DF);
pip->ttl = 1;
pip->daddr = fl4.daddr;
+
+ rcu_read_lock();
pip->saddr = igmpv3_get_srcaddr(dev, &fl4);
+ rcu_read_unlock();
+
pip->protocol = IPPROTO_IGMP;
pip->tot_len = 0; /* filled in later */
ip_select_ident(skb, NULL);
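Review bot: the rcu_read_lock()/rcu_read_unlock() pair is placed around this one call site in igmpv3_newpack() rather than inside igmpv3_get_srcaddr(), so the locking requirement stays implicit for any other caller. Taking the lock inside the helper, or at least documenting "must be called under rcu_read_lock()" above it, would keep the next caller from reintroducing the lockdep splat quoted in the commit message.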
* [PATCH 3.16 241/410] usbip: keep usbip_device sockfd state in sync with tcp_socket
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Greg Kroah-Hartman, Shuah Khan
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Shuah Khan <shuahkh@osg.samsung.com>
commit 009f41aed4b3e11e6dc1e3c07377a10c20f1a5ed upstream.
Keep usbip_device sockfd state in sync with tcp_socket. When tcp_socket
is reset to null, reset sockfd to -1 to keep it in sync.
Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: adjust filenames]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/staging/usbip/stub_dev.c | 3 +++
drivers/staging/usbip/vhci_hcd.c | 2 ++
2 files changed, 5 insertions(+)
--- a/drivers/staging/usbip/stub_dev.c
+++ b/drivers/staging/usbip/stub_dev.c
@@ -114,6 +114,7 @@ static ssize_t store_sockfd(struct devic
goto err;
sdev->ud.tcp_socket = socket;
+ sdev->ud.sockfd = sockfd;
spin_unlock_irq(&sdev->ud.lock);
@@ -213,6 +214,7 @@ static void stub_shutdown_connection(str
if (ud->tcp_socket) {
sockfd_put(ud->tcp_socket);
ud->tcp_socket = NULL;
+ ud->sockfd = -1;
}
/* 3. free used data */
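Review bot: in stub_shutdown_connection() `ud->tcp_socket = NULL` and the new `ud->sockfd = -1` are written with no lock visible in this hunk, while the store_sockfd() hunk above sets both fields before `spin_unlock_irq(&sdev->ud.lock)`. If anything reads sockfd and tcp_socket together, do the reset under the same lock so the pair cannot be observed half-updated.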
@@ -307,6 +309,7 @@ static struct stub_device *stub_device_a
sdev->ud.status = SDEV_ST_AVAILABLE;
spin_lock_init(&sdev->ud.lock);
sdev->ud.tcp_socket = NULL;
+ sdev->ud.sockfd = -1;
INIT_LIST_HEAD(&sdev->priv_init);
INIT_LIST_HEAD(&sdev->priv_tx);
--- a/drivers/staging/usbip/vhci_hcd.c
+++ b/drivers/staging/usbip/vhci_hcd.c
@@ -786,6 +786,7 @@ static void vhci_shutdown_connection(str
if (vdev->ud.tcp_socket) {
sockfd_put(vdev->ud.tcp_socket);
vdev->ud.tcp_socket = NULL;
+ vdev->ud.sockfd = -1;
}
pr_info("release socket\n");
@@ -833,6 +834,7 @@ static void vhci_device_reset(struct usb
if (ud->tcp_socket) {
sockfd_put(ud->tcp_socket);
ud->tcp_socket = NULL;
+ ud->sockfd = -1;
}
ud->status = VDEV_ST_NULL;
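Review bot: this is the third copy of the same three-line reset (`sockfd_put()`, `tcp_socket = NULL`, `sockfd = -1`), after stub_shutdown_connection() and vhci_shutdown_connection(). A small helper taking the usbip_device would keep the two fields in sync by construction instead of relying on every call site being patched.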
* [PATCH 3.16 143/410] drm/ttm: Don't add swapped BOs to swap-LRU list
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Felix Kuehling, Christian König, Alex Deucher
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Felix Kuehling <Felix.Kuehling@amd.com>
commit fd5002d6a3c602664b07668a24df4ef7a43bf078 upstream.
A BO that's already swapped would be added back to the swap-LRU list
for example if its validation failed under high memory pressure. This
could later lead to swapping it out again and leaking previous swap
storage.
This commit adds a condition to prevent that from happening.
v2: Check page_flags instead of swap_storage
Signed-off-by: Felix Kuehling <Felix.Kuehling@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/gpu/drm/ttm/ttm_bo.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/gpu/drm/ttm/ttm_bo.c
+++ b/drivers/gpu/drm/ttm/ttm_bo.c
@@ -175,7 +175,8 @@ void ttm_bo_add_to_lru(struct ttm_buffer
list_add_tail(&bo->lru, &man->lru);
kref_get(&bo->list_kref);
- if (bo->ttm && !(bo->ttm->page_flags & TTM_PAGE_FLAG_SG)) {
+ if (bo->ttm && !(bo->ttm->page_flags &
+ (TTM_PAGE_FLAG_SG | TTM_PAGE_FLAG_SWAPPED))) {
list_add_tail(&bo->swap, &bo->glob->swap_lru);
kref_get(&bo->list_kref);
}
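Review bot: with TTM_PAGE_FLAG_SWAPPED added to the mask, a swapped BO now skips both `list_add_tail(&bo->swap, ...)` and the matching `kref_get(&bo->list_kref)`. Check that the removal path only does its list_del and reference drop when `bo->swap` is actually on the list, and add a short comment here saying that swapped BOs are left off the swap LRU on purpose.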
* [PATCH 3.16 389/410] posix-timers: Protect posix clock array access against speculation
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, David Woodhouse, Peter Zijlstra (Intel),
Rasmus Villemoes, Greg KH, Linus Torvalds, Thomas Gleixner,
Dan Williams
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Gleixner <tglx@linutronix.de>
commit 19b558db12f9f4e45a22012bae7b4783e62224da upstream.
The clockid argument of clockid_to_kclock() comes straight from user space
via various syscalls and is used as index into the posix_clocks array.
Protect it against spectre v1 array out of bounds speculation. Remove the
redundant check for !posix_clock[id] as this is another source for
speculation and does not provide any advantage over the return
posix_clock[id] path which returns NULL in that case anyway.
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Acked-by: Dan Williams <dan.j.williams@intel.com>
Cc: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
Cc: Greg KH <gregkh@linuxfoundation.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: David Woodhouse <dwmw@amazon.co.uk>
Link: https://lkml.kernel.org/r/alpine.DEB.2.21.1802151718320.1296@nanos.tec.linutronix.de
[bwh: Backported to 3.16:
- Move the test of the clock_getres field below the lookup using
array_index_nospec()
- Adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/kernel/posix-timers.c
+++ b/kernel/posix-timers.c
@@ -48,6 +48,7 @@
#include <linux/workqueue.h>
#include <linux/export.h>
#include <linux/hashtable.h>
+#include <linux/nospec.h>
/*
* Management arrays for POSIX timers. Timers are now kept in static hash table
@@ -578,13 +579,21 @@ static void release_posix_timer(struct k
static struct k_clock *clockid_to_kclock(const clockid_t id)
{
- if (id < 0)
+ clockid_t idx = id;
+ struct k_clock *kc;
+
+ if (id < 0) {
return (id & CLOCKFD_MASK) == CLOCKFD ?
&clock_posix_dynamic : &clock_posix_cpu;
+ }
+
+ if (id >= ARRAY_SIZE(posix_clocks))
+ return NULL;
- if (id >= MAX_CLOCKS || !posix_clocks[id].clock_getres)
+ kc = &posix_clocks[array_index_nospec(idx, ARRAY_SIZE(posix_clocks))];
+ if (!kc->clock_getres)
return NULL;
- return &posix_clocks[id];
+ return kc;
}
static int common_timer_create(struct k_itimer *new_timer)
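Review bot: `clockid_t idx = id;` is a plain copy of the parameter and nothing in the hunk says why array_index_nospec() is given `idx` rather than `id`. Add a one-line comment (presumably the `const` on `id` is the reason) or drop the qualifier together with the extra variable. Also note that `id >= ARRAY_SIZE(posix_clocks)` compares a signed clockid_t with an unsigned size; it is only correct because the `id < 0` branch returns first, which is worth a comment in case that branch is ever reordered.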
* [PATCH 3.16 351/410] route: remove unsed variable in __mkroute_input
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, David S. Miller, Masatake YAMATO
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Masatake YAMATO <yamato@redhat.com>
commit cb1c61680d29a054b91a23c7a504cea8a72bdcff upstream.
flags local variable in __mkroute_input is not used as a variable.
Signed-off-by: Masatake YAMATO <yamato@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/ipv4/route.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -1587,7 +1587,6 @@ static int __mkroute_input(struct sk_buf
struct rtable *rth;
int err;
struct in_device *out_dev;
- unsigned int flags = 0;
bool do_cache;
u32 itag = 0;
@@ -1660,7 +1659,7 @@ rt_cache:
}
rth->rt_genid = rt_genid_ipv4(dev_net(rth->dst.dev));
- rth->rt_flags = flags;
+ rth->rt_flags = 0;
rth->rt_type = res->type;
rth->rt_is_input = 1;
rth->rt_iif = 0;
* [PATCH 3.16 235/410] netfilter: ipt_CLUSTERIP: fix a refcount bug in clusterip_config_find_get()
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Cong Wang, Pablo Neira Ayuso, Florian Westphal, Eric Dumazet
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Cong Wang <xiyou.wangcong@gmail.com>
commit db93a3632b0f8773a3899e04a3a3e0aa7a26eb46 upstream.
In clusterip_config_find_get() we hold RCU read lock so it could
run concurrently with clusterip_config_entry_put(), as a result,
the refcnt could go back to 1 from 0, which leads to a double
list_del()... Just replace refcount_inc() with
refcount_inc_not_zero(), as for c->refcount.
Fixes: d73f33b16883 ("netfilter: CLUSTERIP: RCU conversion")
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Florian Westphal <fw@strlen.de>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Reviewed-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
[bwh: Backported to 3.16: s/refcount/atomic/]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/ipv4/netfilter/ipt_CLUSTERIP.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -147,8 +147,12 @@ clusterip_config_find_get(struct net *ne
if (c) {
if (unlikely(!atomic_inc_not_zero(&c->refcount)))
c = NULL;
- else if (entry)
- atomic_inc(&c->entries);
+ else if (entry) {
+ if (unlikely(!atomic_inc_not_zero(&c->entries))) {
+ clusterip_config_put(c);
+ c = NULL;
+ }
+ }
}
rcu_read_unlock_bh();
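Review bot: on the new failure path clusterip_config_put(c) runs before `rcu_read_unlock_bh()`, that is, inside the RCU read-side section. Confirm that dropping what may be the last reference there is safe, meaning the put defers the free (call_rcu or equivalent) and takes no lock that conflicts with BH-disabled context; if not, record the failure in a local and do the put after the unlock.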
* [PATCH 3.16 109/410] ahci: Add Device ID for Intel Sunrise Point PCH
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Charles_Rose, Nanda Kishore Chinna, Charles Rose, Tejun Heo
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "Charles_Rose@Dell.com" <Charles_Rose@Dell.com>
commit c5967b79ecabe2baca40658d9073e28b30d7f6cf upstream.
This patch adds missing AHCI RAID SATA Device IDs for the Intel Sunrise
Point PCH.
Signed-off-by: Nanda Kishore Chinna <nanda_kishore_chinna@dell.com>
Signed-off-by: Charles Rose <charles_rose@dell.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/ata/ahci.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/ata/ahci.c
+++ b/drivers/ata/ahci.c
@@ -368,8 +368,10 @@ static const struct pci_device_id ahci_p
{ PCI_VDEVICE(INTEL, 0x9d03), board_ahci }, /* Sunrise Point-LP AHCI */
{ PCI_VDEVICE(INTEL, 0x9d05), board_ahci }, /* Sunrise Point-LP RAID */
{ PCI_VDEVICE(INTEL, 0x9d07), board_ahci }, /* Sunrise Point-LP RAID */
+ { PCI_VDEVICE(INTEL, 0xa102), board_ahci }, /* Sunrise Point-H AHCI */
{ PCI_VDEVICE(INTEL, 0xa103), board_ahci }, /* Sunrise Point-H AHCI */
{ PCI_VDEVICE(INTEL, 0xa105), board_ahci }, /* Sunrise Point-H RAID */
+ { PCI_VDEVICE(INTEL, 0xa106), board_ahci }, /* Sunrise Point-H RAID */
{ PCI_VDEVICE(INTEL, 0xa107), board_ahci }, /* Sunrise Point-H RAID */
{ PCI_VDEVICE(INTEL, 0xa10f), board_ahci }, /* Sunrise Point-H RAID */
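Review bot: the commit message says the patch adds RAID device IDs, but the first new entry, 0xa102, is commented "Sunrise Point-H AHCI". Align the description with the table, and since each new comment is identical to its neighbours' (0xa103 for AHCI; 0xa105, 0xa107 and 0xa10f for RAID), consider naming the mode or SKU variant so the entries can be told apart.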
* [PATCH 3.16 339/410] usb: usbmon: Read text within supplied buffer size
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Greg Kroah-Hartman, Pete Zaitcev, Fredrik Noring, Pete Zaitcev
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Pete Zaitcev <zaitcev@kotori.zaitcev.us>
commit a5f596830e27e15f7a0ecd6be55e433d776986d8 upstream.
This change fixes buffer overflows and silent data corruption with the
usbmon device driver text file read operations.
Signed-off-by: Fredrik Noring <noring@nocrew.org>
Signed-off-by: Pete Zaitcev <zaitcev@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/mon/mon_text.c | 126 +++++++++++++++++++++++--------------
1 file changed, 78 insertions(+), 48 deletions(-)
--- a/drivers/usb/mon/mon_text.c
+++ b/drivers/usb/mon/mon_text.c
@@ -82,6 +82,8 @@ struct mon_reader_text {
wait_queue_head_t wait;
int printf_size;
+ size_t printf_offset;
+ size_t printf_togo;
char *printf_buf;
struct mutex printf_lock;
@@ -373,75 +375,103 @@ err_alloc:
return rc;
}
-/*
- * For simplicity, we read one record in one system call and throw out
- * what does not fit. This means that the following does not work:
- * dd if=/dbg/usbmon/0t bs=10
- * Also, we do not allow seeks and do not bother advancing the offset.
- */
+static ssize_t mon_text_copy_to_user(struct mon_reader_text *rp,
+ char __user * const buf, const size_t nbytes)
+{
+ const size_t togo = min(nbytes, rp->printf_togo);
+
+ if (copy_to_user(buf, &rp->printf_buf[rp->printf_offset], togo))
+ return -EFAULT;
+ rp->printf_togo -= togo;
+ rp->printf_offset += togo;
+ return togo;
+}
+
+/* ppos is not advanced since the llseek operation is not permitted. */
static ssize_t mon_text_read_t(struct file *file, char __user *buf,
- size_t nbytes, loff_t *ppos)
+ size_t nbytes, loff_t *ppos)
{
struct mon_reader_text *rp = file->private_data;
struct mon_event_text *ep;
struct mon_text_ptr ptr;
+ ssize_t ret;
- ep = mon_text_read_wait(rp, file);
- if (IS_ERR(ep))
- return PTR_ERR(ep);
mutex_lock(&rp->printf_lock);
- ptr.cnt = 0;
- ptr.pbuf = rp->printf_buf;
- ptr.limit = rp->printf_size;
-
- mon_text_read_head_t(rp, &ptr, ep);
- mon_text_read_statset(rp, &ptr, ep);
- ptr.cnt += snprintf(ptr.pbuf + ptr.cnt, ptr.limit - ptr.cnt,
- " %d", ep->length);
- mon_text_read_data(rp, &ptr, ep);
- if (copy_to_user(buf, rp->printf_buf, ptr.cnt))
- ptr.cnt = -EFAULT;
+ if (rp->printf_togo == 0) {
+
+ ep = mon_text_read_wait(rp, file);
+ if (IS_ERR(ep)) {
+ mutex_unlock(&rp->printf_lock);
+ return PTR_ERR(ep);
+ }
+ ptr.cnt = 0;
+ ptr.pbuf = rp->printf_buf;
+ ptr.limit = rp->printf_size;
+
+ mon_text_read_head_t(rp, &ptr, ep);
+ mon_text_read_statset(rp, &ptr, ep);
+ ptr.cnt += snprintf(ptr.pbuf + ptr.cnt, ptr.limit - ptr.cnt,
+ " %d", ep->length);
+ mon_text_read_data(rp, &ptr, ep);
+
+ rp->printf_togo = ptr.cnt;
+ rp->printf_offset = 0;
+
+ kmem_cache_free(rp->e_slab, ep);
+ }
+
+ ret = mon_text_copy_to_user(rp, buf, nbytes);
mutex_unlock(&rp->printf_lock);
- kmem_cache_free(rp->e_slab, ep);
- return ptr.cnt;
+ return ret;
}
+/* ppos is not advanced since the llseek operation is not permitted. */
static ssize_t mon_text_read_u(struct file *file, char __user *buf,
- size_t nbytes, loff_t *ppos)
+ size_t nbytes, loff_t *ppos)
{
struct mon_reader_text *rp = file->private_data;
struct mon_event_text *ep;
struct mon_text_ptr ptr;
+ ssize_t ret;
- ep = mon_text_read_wait(rp, file);
- if (IS_ERR(ep))
- return PTR_ERR(ep);
mutex_lock(&rp->printf_lock);
- ptr.cnt = 0;
- ptr.pbuf = rp->printf_buf;
- ptr.limit = rp->printf_size;
- mon_text_read_head_u(rp, &ptr, ep);
- if (ep->type == 'E') {
- mon_text_read_statset(rp, &ptr, ep);
- } else if (ep->xfertype == USB_ENDPOINT_XFER_ISOC) {
- mon_text_read_isostat(rp, &ptr, ep);
- mon_text_read_isodesc(rp, &ptr, ep);
- } else if (ep->xfertype == USB_ENDPOINT_XFER_INT) {
- mon_text_read_intstat(rp, &ptr, ep);
- } else {
- mon_text_read_statset(rp, &ptr, ep);
+ if (rp->printf_togo == 0) {
+
+ ep = mon_text_read_wait(rp, file);
+ if (IS_ERR(ep)) {
+ mutex_unlock(&rp->printf_lock);
+ return PTR_ERR(ep);
+ }
+ ptr.cnt = 0;
+ ptr.pbuf = rp->printf_buf;
+ ptr.limit = rp->printf_size;
+
+ mon_text_read_head_u(rp, &ptr, ep);
+ if (ep->type == 'E') {
+ mon_text_read_statset(rp, &ptr, ep);
+ } else if (ep->xfertype == USB_ENDPOINT_XFER_ISOC) {
+ mon_text_read_isostat(rp, &ptr, ep);
+ mon_text_read_isodesc(rp, &ptr, ep);
+ } else if (ep->xfertype == USB_ENDPOINT_XFER_INT) {
+ mon_text_read_intstat(rp, &ptr, ep);
+ } else {
+ mon_text_read_statset(rp, &ptr, ep);
+ }
+ ptr.cnt += snprintf(ptr.pbuf + ptr.cnt, ptr.limit - ptr.cnt,
+ " %d", ep->length);
+ mon_text_read_data(rp, &ptr, ep);
+
+ rp->printf_togo = ptr.cnt;
+ rp->printf_offset = 0;
+
+ kmem_cache_free(rp->e_slab, ep);
}
- ptr.cnt += snprintf(ptr.pbuf + ptr.cnt, ptr.limit - ptr.cnt,
- " %d", ep->length);
- mon_text_read_data(rp, &ptr, ep);
- if (copy_to_user(buf, rp->printf_buf, ptr.cnt))
- ptr.cnt = -EFAULT;
+ ret = mon_text_copy_to_user(rp, buf, nbytes);
mutex_unlock(&rp->printf_lock);
- kmem_cache_free(rp->e_slab, ep);
- return ptr.cnt;
+ return ret;
}
static struct mon_event_text *mon_text_read_wait(struct mon_reader_text *rp,
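Review bot: `rp->printf_togo = ptr.cnt;` trusts `ptr.cnt` to be within `rp->printf_size`, but the `ptr.cnt += snprintf(...)` a few lines above accumulates snprintf()'s return value, which is the length that would have been written, not the length actually written. If a record is ever truncated, `ptr.cnt` exceeds `ptr.limit` and mon_text_copy_to_user() copies past the end of `printf_buf`; clamp with `min_t(size_t, ptr.cnt, rp->printf_size)` or switch the accumulation to scnprintf(). This applies to both mon_text_read_t() and mon_text_read_u(). Note also that mon_text_read_wait() is now called with `printf_lock` held, so a second reader on the same descriptor blocks on the mutex for as long as the first waits for an event.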
* [PATCH 3.16 163/410] Input: edt-ft5x06 - fix error handling for factory mode on non-M06
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Dmitry Torokhov, Andi Shyti
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
commit 4b3e910d7f430ab76dd37131bb75129878950163 upstream.
When attempting to enter factory mode on firmware that does not support it,
we'd error out, but leave the device with interrupts disabled, and thus
touch not working. Fix it by moving the check before we disable
interrupts/allocate memory for debug buffers.
Fixes: fd335ab04b3f ("Input: edt-ft5x06 - add support for M09 firmware version")
Reviewed-by: Andi Shyti <andi@etezian.org>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
[bwh: Backported to 3.16:
- s/EDT_M06/M06/
- Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/input/touchscreen/edt-ft5x06.c | 14 ++++++--------
1 file changed, 6 insertions(+), 8 deletions(-)
--- a/drivers/input/touchscreen/edt-ft5x06.c
+++ b/drivers/input/touchscreen/edt-ft5x06.c
@@ -491,6 +491,12 @@ static int edt_ft5x06_factory_mode(struc
int ret;
int error;
+ if (tsdata->version != M06) {
+ dev_err(&client->dev,
+ "No factory mode support for non-M06 devices\n");
+ return -EINVAL;
+ }
+
disable_irq(client->irq);
if (!tsdata->raw_buffer) {
@@ -504,9 +510,6 @@ static int edt_ft5x06_factory_mode(struc
}
/* mode register is 0x3c when in the work mode */
- if (tsdata->version == M09)
- goto m09_out;
-
error = edt_ft5x06_register_write(tsdata, WORK_REGISTER_OPMODE, 0x03);
if (error) {
dev_err(&client->dev,
@@ -539,11 +542,6 @@ err_out:
enable_irq(client->irq);
return error;
-
-m09_out:
- dev_err(&client->dev, "No factory mode support for M09\n");
- return -EINVAL;
-
}
static int edt_ft5x06_work_mode(struct edt_ft5x06_ts_data *tsdata)
* [PATCH 3.16 346/410] l2tp: fix races with ipv4-mapped ipv6 addresses
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, David S. Miller, Paolo Abeni
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Abeni <pabeni@redhat.com>
commit b954f94023dcc61388c8384f0f14eb8e42c863c5 upstream.
The l2tp_tunnel_create() function checks for v4mapped ipv6
sockets and caches that flag, so that l2tp core code can
reuse it at xmit time.
If the socket is provided by the userspace, the connection
status of the tunnel sockets can change between the tunnel
creation and the xmit call, so that syzbot is able to
trigger the following splat:
BUG: KASAN: use-after-free in ip6_dst_idev include/net/ip6_fib.h:192
[inline]
BUG: KASAN: use-after-free in ip6_xmit+0x1f76/0x2260
net/ipv6/ip6_output.c:264
Read of size 8 at addr ffff8801bd949318 by task syz-executor4/23448
CPU: 0 PID: 23448 Comm: syz-executor4 Not tainted 4.16.0-rc4+ #65
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x24d lib/dump_stack.c:53
print_address_description+0x73/0x250 mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report+0x23c/0x360 mm/kasan/report.c:412
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
ip6_dst_idev include/net/ip6_fib.h:192 [inline]
ip6_xmit+0x1f76/0x2260 net/ipv6/ip6_output.c:264
inet6_csk_xmit+0x2fc/0x580 net/ipv6/inet6_connection_sock.c:139
l2tp_xmit_core net/l2tp/l2tp_core.c:1053 [inline]
l2tp_xmit_skb+0x105f/0x1410 net/l2tp/l2tp_core.c:1148
pppol2tp_sendmsg+0x470/0x670 net/l2tp/l2tp_ppp.c:341
sock_sendmsg_nosec net/socket.c:630 [inline]
sock_sendmsg+0xca/0x110 net/socket.c:640
___sys_sendmsg+0x767/0x8b0 net/socket.c:2046
__sys_sendmsg+0xe5/0x210 net/socket.c:2080
SYSC_sendmsg net/socket.c:2091 [inline]
SyS_sendmsg+0x2d/0x50 net/socket.c:2087
do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x42/0xb7
This change addresses the issues:
* explicitly checking for TCP_ESTABLISHED for user space provided sockets
* dropping the v4mapped flag usage - it can become outdated - and
explicitly invoking ipv6_addr_v4mapped() instead
The issue is apparently there since ancient times.
v1 -> v2: (many thanks to Guillaume)
- with csum issue introduced in v1
- replace pr_err with pr_debug
- fix build issue with IPV6 disabled
- move l2tp_sk_is_v4mapped in l2tp_core.c
v2 -> v3:
- don't update inet_daddr for v4mapped address, unneeded
- drop redundant check at creation time
Reported-and-tested-by: syzbot+92fa328176eb07e4ac1a@syzkaller.appspotmail.com
Fixes: 3557baabf280 ("[L2TP]: PPP over L2TP driver core")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: Change an additional test of tunnel->v4mapped to use
l2tp_sk_is_v6()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -110,6 +110,13 @@ struct l2tp_net {
spinlock_t l2tp_session_hlist_lock;
};
+#if IS_ENABLED(CONFIG_IPV6)
+static bool l2tp_sk_is_v6(struct sock *sk)
+{
+ return sk->sk_family == PF_INET6 &&
+ !ipv6_addr_v4mapped(&sk->sk_v6_daddr);
+}
+#endif
static inline struct l2tp_tunnel *l2tp_tunnel(struct sock *sk)
{
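Review bot: l2tp_sk_is_v6() looks only at sk->sk_v6_daddr, whereas the creation-time block this patch removes set v4mapped only when both np->saddr and sk->sk_v6_daddr were v4-mapped, and the helper carries no comment explaining the narrower test. Please document on the helper why the destination address alone selects the transmit path, and that callers need the socket lock wherever the answer has to stay stable, since the address can change at run time. A blank line between the #endif and l2tp_tunnel() would also match the surrounding style.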
@@ -1134,7 +1141,7 @@ static int l2tp_xmit_core(struct l2tp_se
/* Queue the packet to IP for output */
skb->ignore_df = 1;
#if IS_ENABLED(CONFIG_IPV6)
- if (tunnel->sock->sk_family == PF_INET6 && !tunnel->v4mapped)
+ if (l2tp_sk_is_v6(tunnel->sock))
error = inet6_csk_xmit(tunnel->sock, skb, NULL);
else
#endif
@@ -1197,6 +1204,15 @@ int l2tp_xmit_skb(struct l2tp_session *s
goto out_unlock;
}
+ /* The user-space may change the connection status for the user-space
+ * provided socket at run time: we must check it under the socket lock
+ */
+ if (tunnel->fd >= 0 && sk->sk_state != TCP_ESTABLISHED) {
+ kfree_skb(skb);
+ ret = NET_XMIT_DROP;
+ goto out_unlock;
+ }
+
/* Get routing info from the tunnel socket */
skb_dst_drop(skb);
skb_dst_set(skb, dst_clone(__sk_dst_check(sk, 0)));
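Review bot: the comment above the new sk->sk_state != TCP_ESTABLISHED test explains that the state can change, but not why a TCP state constant is the right test for the tunnel socket or why sockets with tunnel->fd < 0 are exempt. Both deserve a sentence in the comment. The drop itself is silent in this hunk (kfree_skb() and NET_XMIT_DROP, no counter or debug message), so check that a caller accounts for the drop; otherwise a tunnel whose socket was disconnected from user space just stops passing traffic with nothing to diagnose it by.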
@@ -1216,7 +1232,7 @@ int l2tp_xmit_skb(struct l2tp_session *s
/* Calculate UDP checksum if configured to do so */
#if IS_ENABLED(CONFIG_IPV6)
- if (sk->sk_family == PF_INET6 && !tunnel->v4mapped)
+ if (l2tp_sk_is_v6(sk))
udp6_set_csum(udp_get_no_check6_tx(sk),
skb, &inet6_sk(sk)->saddr,
&sk->sk_v6_daddr, udp_len);
@@ -1635,24 +1651,6 @@ int l2tp_tunnel_create(struct net *net,
if (cfg != NULL)
tunnel->debug = cfg->debug;
-#if IS_ENABLED(CONFIG_IPV6)
- if (sk->sk_family == PF_INET6) {
- struct ipv6_pinfo *np = inet6_sk(sk);
-
- if (ipv6_addr_v4mapped(&np->saddr) &&
- ipv6_addr_v4mapped(&sk->sk_v6_daddr)) {
- struct inet_sock *inet = inet_sk(sk);
-
- tunnel->v4mapped = true;
- inet->inet_saddr = np->saddr.s6_addr32[3];
- inet->inet_rcv_saddr = sk->sk_v6_rcv_saddr.s6_addr32[3];
- inet->inet_daddr = sk->sk_v6_daddr.s6_addr32[3];
- } else {
- tunnel->v4mapped = false;
- }
- }
-#endif
-
/* Mark socket as an encapsulation socket. See net/ipv4/udp.c */
tunnel->encap = encap;
if (encap == L2TP_ENCAPTYPE_UDP) {
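Review bot: the removed block did more than cache tunnel->v4mapped: it also copied the mapped IPv4 addresses into inet->inet_saddr, inet->inet_rcv_saddr and inet->inet_daddr. The changelog only says that updating inet_daddr is unneeded, so please state why dropping the inet_saddr and inet_rcv_saddr assignments is safe for v4-mapped sockets that now take the IPv4 transmit path.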
@@ -1661,7 +1659,7 @@ int l2tp_tunnel_create(struct net *net,
udp_sk(sk)->encap_rcv = l2tp_udp_encap_recv;
udp_sk(sk)->encap_destroy = l2tp_udp_encap_destroy;
#if IS_ENABLED(CONFIG_IPV6)
- if (sk->sk_family == PF_INET6 && !tunnel->v4mapped)
+ if (l2tp_sk_is_v6(sk))
udpv6_encap_enable();
else
#endif
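Review bot: l2tp_sk_is_v6(sk) is evaluated once here, at tunnel creation, yet the premise of the patch is that the destination address of a user-space socket can change afterwards. A socket that is v4-mapped now and becomes native IPv6 later never gets udpv6_encap_enable() called for it. Please confirm that case is impossible or harmless, or test only sk->sk_family == PF_INET6 at this site.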
--- a/net/l2tp/l2tp_core.h
+++ b/net/l2tp/l2tp_core.h
@@ -203,9 +203,6 @@ struct l2tp_tunnel {
struct sock *sock; /* Parent socket */
int fd; /* Parent fd, if tunnel socket
* was created by userspace */
-#if IS_ENABLED(CONFIG_IPV6)
- bool v4mapped;
-#endif
struct work_struct del_work;
* [PATCH 3.16 231/410] ARM: mvebu: Fix broken PL310_ERRATA_753970 selects
2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
` (28 preceding siblings ...)
2018-06-07 14:05 ` [PATCH 3.16 163/410] Input: edt-ft5x06 - fix error handling for factory mode on non-M06 Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
2018-06-07 14:05 ` [PATCH 3.16 098/410] spi: imx: do not access registers while clocks disabled Ben Hutchings
` (379 subsequent siblings)
409 siblings, 0 replies; 428+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Gregory CLEMENT, Ulf Magnusson
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Ulf Magnusson <ulfalizer@gmail.com>
commit 8aa36a8dcde3183d84db7b0d622ffddcebb61077 upstream.
The MACH_ARMADA_375 and MACH_ARMADA_38X boards select ARM_ERRATA_753970,
but it was renamed to PL310_ERRATA_753970 by commit fa0ce4035d48 ("ARM:
7162/1: errata: tidy up Kconfig options for PL310 errata workarounds").
Fix the selects to use the new name.
Discovered with the
https://github.com/ulfalizer/Kconfiglib/blob/master/examples/list_undefined.py
script.
Fixes: fa0ce4035d48 ("ARM: 7162/1: errata: tidy up Kconfig options for PL310 errata workarounds")
Signed-off-by: Ulf Magnusson <ulfalizer@gmail.com>
Signed-off-by: Gregory CLEMENT <gregory.clement@bootlin.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/arm/mach-mvebu/Kconfig | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/arch/arm/mach-mvebu/Kconfig
+++ b/arch/arm/mach-mvebu/Kconfig
@@ -33,7 +33,7 @@ config MACH_ARMADA_370
config MACH_ARMADA_375
bool "Marvell Armada 375 boards" if ARCH_MULTI_V7
select ARM_ERRATA_720789
- select ARM_ERRATA_753970
+ select PL310_ERRATA_753970
select ARM_GIC
select ARMADA_375_CLK
select HAVE_ARM_SCU
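Review bot: select forces PL310_ERRATA_753970 on without evaluating that symbol's own "depends on" line, so now that the select under MACH_ARMADA_375 names a real symbol, check that its dependencies are met whenever this board option is enabled. If they are not, Kconfig will warn about unmet direct dependencies and the workaround may be built into a configuration it was not meant for. The same check applies to the MACH_ARMADA_38X hunk.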
@@ -48,7 +48,7 @@ config MACH_ARMADA_375
config MACH_ARMADA_38X
bool "Marvell Armada 380/385 boards" if ARCH_MULTI_V7
select ARM_ERRATA_720789
- select ARM_ERRATA_753970
+ select PL310_ERRATA_753970
select ARM_GIC
select ARMADA_38X_CLK
select HAVE_ARM_SCU
* [PATCH 3.16 055/410] KVM/x86: Add IBPB support
2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
` (12 preceding siblings ...)
2018-06-07 14:05 ` [PATCH 3.16 312/410] xen/pirq: fix error path cleanup when binding MSIs Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
2018-06-07 14:05 ` [PATCH 3.16 003/410] x86, microcode: Fix accessing dis_ucode_ldr on 32-bit Ben Hutchings
` (395 subsequent siblings)
409 siblings, 0 replies; 428+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Dan Williams, Dave Hansen, Arjan Van De Ven,
Andy Lutomirski, Andi Kleen, Konrad Rzeszutek Wilk,
Linus Torvalds, Thomas Gleixner, kvm, KarimAllah Ahmed, Tim Chen,
Paolo Bonzini, Greg KH, Asit Mallick, David Woodhouse,
Andrea Arcangeli, Ashok Raj, Jun Nakajima, Peter Zijlstra (Intel)
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Ashok Raj <ashok.raj@intel.com>
commit 15d45071523d89b3fb7372e2135fbd72f6af9506 upstream.
The Indirect Branch Predictor Barrier (IBPB) is an indirect branch
control mechanism. It keeps earlier branches from influencing
later ones.
Unlike IBRS and STIBP, IBPB does not define a new mode of operation.
It's a command that ensures predicted branch targets aren't used after
the barrier. Although IBRS and IBPB are enumerated by the same CPUID
enumeration, IBPB is very different.
IBPB helps mitigate against three potential attacks:
* Mitigate guests from being attacked by other guests.
- This is addressed by issuing IBPB when we do a guest switch.
* Mitigate attacks from guest/ring3->host/ring3.
These would require an IBPB during context switch in host, or after
VMEXIT. The host process has two ways to mitigate
- Either it can be compiled with retpoline
- If it's going through context switch, and has set !dumpable then
there is an IBPB in that path.
(Tim's patch: https://patchwork.kernel.org/patch/10192871)
- The case where after a VMEXIT you return back to Qemu might make
Qemu attackable from guest when Qemu isn't compiled with retpoline.
There are issues reported when doing IBPB on every VMEXIT that resulted
in some tsc calibration woes in guest.
* Mitigate guest/ring0->host/ring0 attacks.
When host kernel is using retpoline it is safe against these attacks.
If host kernel isn't using retpoline we might need to do an IBPB flush on
every VMEXIT.
Even when using retpoline for indirect calls, in certain conditions 'ret'
can use the BTB on Skylake-era CPUs. There are other mitigations
available like RSB stuffing/clearing.
* IBPB is issued only for SVM during svm_free_vcpu().
VMX has a vmclear and SVM doesn't. Follow discussion here:
https://lkml.org/lkml/2018/1/15/146
Please refer to the following spec for more details on the enumeration
and control.
Refer here to get documentation about mitigations.
https://software.intel.com/en-us/side-channel-security-support
[peterz: rebase and changelog rewrite]
[karahmed: - rebase
- vmx: expose PRED_CMD if guest has it in CPUID
- svm: only pass through IBPB if guest has it in CPUID
- vmx: support !cpu_has_vmx_msr_bitmap()]
- vmx: support nested]
[dwmw2: Expose CPUID bit too (AMD IBPB only for now as we lack IBRS)
PRED_CMD is a write-only MSR]
Signed-off-by: Ashok Raj <ashok.raj@intel.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
Signed-off-by: KarimAllah Ahmed <karahmed@amazon.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Andi Kleen <ak@linux.intel.com>
Cc: kvm@vger.kernel.org
Cc: Asit Mallick <asit.k.mallick@intel.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: Arjan Van De Ven <arjan.van.de.ven@intel.com>
Cc: Greg KH <gregkh@linuxfoundation.org>
Cc: Jun Nakajima <jun.nakajima@intel.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Dan Williams <dan.j.williams@intel.com>
Cc: Tim Chen <tim.c.chen@linux.intel.com>
Link: http://lkml.kernel.org/r/1515720739-43819-6-git-send-email-ashok.raj@intel.com
Link: https://lkml.kernel.org/r/1517522386-18410-3-git-send-email-karahmed@amazon.de
Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16:
- No support for nested MSR bitmaps in VMX
- Use literal number for CPU feature word
- Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/x86/kvm/cpuid.c | 11 ++++++++-
arch/x86/kvm/cpuid.h | 12 ++++++++++
arch/x86/kvm/svm.c | 28 +++++++++++++++++++++++
arch/x86/kvm/vmx.c | 54 ++++++++++++++++++++++++++++++++++++++++++++
4 files changed, 104 insertions(+), 1 deletion(-)
--- a/arch/x86/kvm/cpuid.c
+++ b/arch/x86/kvm/cpuid.c
@@ -300,6 +300,10 @@ static inline int __do_cpuid_ent(struct
F(3DNOWPREFETCH) | F(OSVW) | 0 /* IBS */ | F(XOP) |
0 /* SKINIT, WDT, LWP */ | F(FMA4) | F(TBM);
+ /* cpuid 0x80000008.ebx */
+ const u32 kvm_cpuid_8000_0008_ebx_x86_features =
+ F(IBPB);
+
/* cpuid 0xC0000001.edx */
const u32 kvm_supported_word5_x86_features =
F(XSTORE) | F(XSTORE_EN) | F(XCRYPT) | F(XCRYPT_EN) |
@@ -512,7 +516,12 @@ static inline int __do_cpuid_ent(struct
if (!g_phys_as)
g_phys_as = phys_as;
entry->eax = g_phys_as | (virt_as << 8);
- entry->ebx = entry->edx = 0;
+ entry->edx = 0;
+ /* IBPB isn't necessarily present in hardware cpuid */
+ if (boot_cpu_has(X86_FEATURE_IBPB))
+ entry->ebx |= F(IBPB);
+ entry->ebx &= kvm_cpuid_8000_0008_ebx_x86_features;
+ cpuid_mask(&entry->ebx, 11);
break;
}
case 0x80000019:
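Review bot: cpuid_mask(&entry->ebx, 11) passes a bare feature-word index with nothing to say which word it is. Please add a comment naming it (CPUID 0x80000008 EBX) or use a named constant, and make sure the capability array in this tree actually has a word 11. Note also that entry->ebx is no longer zeroed, so it now starts from whatever the host CPUID returned; the "&=" with kvm_cpuid_8000_0008_ebx_x86_features is what keeps other bits from leaking to the guest, and it has to stay directly after the "|=".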
--- a/arch/x86/kvm/cpuid.h
+++ b/arch/x86/kvm/cpuid.h
@@ -104,4 +104,16 @@ static inline bool guest_cpuid_has_mpx(s
return best && (best->ebx & bit(X86_FEATURE_MPX));
}
+static inline bool guest_cpuid_has_ibpb(struct kvm_vcpu *vcpu)
+{
+ struct kvm_cpuid_entry2 *best;
+
+ best = kvm_find_cpuid_entry(vcpu, 0x80000008, 0);
+ if (best && (best->ebx & bit(X86_FEATURE_IBPB)))
+ return true;
+ best = kvm_find_cpuid_entry(vcpu, 7, 0);
+ return best && (best->edx & bit(X86_FEATURE_SPEC_CTRL));
+}
+
+
#endif
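Review bot: two blank lines are added before the #endif; one is enough. guest_cpuid_has_ibpb() also returns true when the guest has X86_FEATURE_SPEC_CTRL in leaf 7 EDX, so a one-line comment saying that the Intel SPEC_CTRL bit implies IBPB would explain the second kvm_find_cpuid_entry() lookup.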
--- a/arch/x86/kvm/svm.c
+++ b/arch/x86/kvm/svm.c
@@ -180,6 +180,7 @@ static const struct svm_direct_access_ms
{ .index = MSR_CSTAR, .always = true },
{ .index = MSR_SYSCALL_MASK, .always = true },
#endif
+ { .index = MSR_IA32_PRED_CMD, .always = false },
{ .index = MSR_IA32_LASTBRANCHFROMIP, .always = false },
{ .index = MSR_IA32_LASTBRANCHTOIP, .always = false },
{ .index = MSR_IA32_LASTINTFROMIP, .always = false },
@@ -409,6 +410,7 @@ struct svm_cpu_data {
struct kvm_ldttss_desc *tss_desc;
struct page *save_area;
+ struct vmcb *current_vmcb;
};
static DEFINE_PER_CPU(struct svm_cpu_data *, svm_data);
@@ -1294,11 +1296,17 @@ static void svm_free_vcpu(struct kvm_vcp
__free_pages(virt_to_page(svm->nested.msrpm), MSRPM_ALLOC_ORDER);
kvm_vcpu_uninit(vcpu);
kmem_cache_free(kvm_vcpu_cache, svm);
+ /*
+ * The vmcb page can be recycled, causing a false negative in
+ * svm_vcpu_load(). So do a full IBPB now.
+ */
+ indirect_branch_prediction_barrier();
}
static void svm_vcpu_load(struct kvm_vcpu *vcpu, int cpu)
{
struct vcpu_svm *svm = to_svm(vcpu);
+ struct svm_cpu_data *sd = per_cpu(svm_data, cpu);
int i;
if (unlikely(cpu != vcpu->cpu)) {
@@ -1321,6 +1329,10 @@ static void svm_vcpu_load(struct kvm_vcp
__get_cpu_var(current_tsc_ratio) = svm->tsc_ratio;
wrmsrl(MSR_AMD64_TSC_RATIO, svm->tsc_ratio);
}
+ if (sd->current_vmcb != svm->vmcb) {
+ sd->current_vmcb = svm->vmcb;
+ indirect_branch_prediction_barrier();
+ }
}
static void svm_vcpu_put(struct kvm_vcpu *vcpu)
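Review bot: the sd->current_vmcb != svm->vmcb test in svm_vcpu_load() is a bare pointer comparison, so it is only correct because of the barrier added to svm_free_vcpu() for recycled vmcb pages, and nothing at this site says so. A short comment here pointing at that dependency would keep the two sites from drifting apart.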
@@ -3172,6 +3184,22 @@ static int svm_set_msr(struct kvm_vcpu *
case MSR_IA32_TSC:
kvm_write_tsc(vcpu, msr);
break;
+ case MSR_IA32_PRED_CMD:
+ if (!msr->host_initiated &&
+ !guest_cpuid_has_ibpb(vcpu))
+ return 1;
+
+ if (data & ~PRED_CMD_IBPB)
+ return 1;
+
+ if (!data)
+ break;
+
+ wrmsrl(MSR_IA32_PRED_CMD, PRED_CMD_IBPB);
+ if (is_guest_mode(vcpu))
+ break;
+ set_msr_interception(svm->msrpm, MSR_IA32_PRED_CMD, 0, 1);
+ break;
case MSR_STAR:
svm->vmcb->save.star = data;
break;
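Review bot: for a host-initiated write the guest_cpuid_has_ibpb() test is skipped, and the wrmsrl(MSR_IA32_PRED_CMD, PRED_CMD_IBPB) that follows does not check that the host CPU implements the MSR. Guest CPUID is supplied by user space, so even the guest-initiated path depends on it being honest. Consider rejecting the write when boot_cpu_has(X86_FEATURE_IBPB) is false (the cpuid.c hunk already uses that test), so that a non-zero write can never reach the hardware MSR on a CPU without it.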
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -431,6 +431,7 @@ struct vcpu_vmx {
u64 msr_host_kernel_gs_base;
u64 msr_guest_kernel_gs_base;
#endif
+
u32 vm_entry_controls_shadow;
u32 vm_exit_controls_shadow;
/*
@@ -756,6 +757,8 @@ static void copy_vmcs12_to_shadow(struct
static void copy_shadow_to_vmcs12(struct vcpu_vmx *vmx);
static bool vmx_mpx_supported(void);
static void vmx_update_msr_bitmap(struct kvm_vcpu *vcpu);
+static void __always_inline vmx_disable_intercept_for_msr(unsigned long *msr_bitmap,
+ u32 msr, int type);
static DEFINE_PER_CPU(struct vmcs *, vmxarea);
static DEFINE_PER_CPU(struct vmcs *, current_vmcs);
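Review bot: the forward declaration "static void __always_inline vmx_disable_intercept_for_msr(...)" puts the attribute after the return type; the usual kernel spelling is "static __always_inline void". A forward declaration of an always-inline function also suggests that the PRED_CMD case in vmx_set_msr() sits above the helper's definition. If the definition can be moved up instead, the declaration is not needed.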
@@ -1507,6 +1510,29 @@ static void update_exception_bitmap(stru
vmcs_write32(EXCEPTION_BITMAP, eb);
}
+/*
+ * Check if MSR is intercepted for L01 MSR bitmap.
+ */
+static bool msr_write_intercepted_l01(struct kvm_vcpu *vcpu, u32 msr)
+{
+ unsigned long *msr_bitmap;
+ int f = sizeof(unsigned long);
+
+ if (!cpu_has_vmx_msr_bitmap())
+ return true;
+
+ msr_bitmap = to_vmx(vcpu)->vmcs01.msr_bitmap;
+
+ if (msr <= 0x1fff) {
+ return !!test_bit(msr, msr_bitmap + 0x800 / f);
+ } else if ((msr >= 0xc0000000) && (msr <= 0xc0001fff)) {
+ msr &= 0x1fff;
+ return !!test_bit(msr, msr_bitmap + 0xc00 / f);
+ }
+
+ return true;
+}
+
static void clear_atomic_switch_msr_special(struct vcpu_vmx *vmx,
unsigned long entry, unsigned long exit)
{
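Review bot: msr_write_intercepted_l01() is added as a static function, but none of the vmx.c hunks in this patch call it. Unless a later patch in the series adds the caller, this builds with an unused-function warning; either introduce it together with its first user or drop it from this backport. The literal offsets 0x800 and 0xc00 would also benefit from a comment saying they are the write halves of the MSR bitmap for the low and high MSR ranges.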
@@ -1828,6 +1854,7 @@ static void vmx_vcpu_load(struct kvm_vcp
if (per_cpu(current_vmcs, cpu) != vmx->loaded_vmcs->vmcs) {
per_cpu(current_vmcs, cpu) = vmx->loaded_vmcs->vmcs;
vmcs_load(vmx->loaded_vmcs->vmcs);
+ indirect_branch_prediction_barrier();
}
if (vmx->loaded_vmcs->cpu != cpu) {
@@ -2587,6 +2614,33 @@ static int vmx_set_msr(struct kvm_vcpu *
case MSR_IA32_TSC:
kvm_write_tsc(vcpu, msr_info);
break;
+ case MSR_IA32_PRED_CMD:
+ if (!msr_info->host_initiated &&
+ !guest_cpuid_has_ibpb(vcpu))
+ return 1;
+
+ if (data & ~PRED_CMD_IBPB)
+ return 1;
+
+ if (!data)
+ break;
+
+ wrmsrl(MSR_IA32_PRED_CMD, PRED_CMD_IBPB);
+
+ /*
+ * For non-nested:
+ * When it's written (to non-zero) for the first time, pass
+ * it through.
+ *
+ * For nested:
+ * The handling of the MSR bitmap for L2 guests is done in
+ * nested_vmx_merge_msr_bitmap. We should not touch the
+ * vmcs02.msr_bitmap here since it gets completely overwritten
+ * in the merging.
+ */
+ vmx_disable_intercept_for_msr(vmx->vmcs01.msr_bitmap, MSR_IA32_PRED_CMD,
+ MSR_TYPE_W);
+ break;
case MSR_IA32_CR_PAT:
if (vmcs_config.vmentry_ctrl & VM_ENTRY_LOAD_IA32_PAT) {
if (!kvm_mtrr_valid(vcpu, MSR_IA32_CR_PAT, data))
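Review bot: the comment in the MSR_IA32_PRED_CMD case refers to nested_vmx_merge_msr_bitmap and vmcs02.msr_bitmap, but the backport note says this tree has no nested MSR bitmap support, so the "For nested" paragraph should be reworded or dropped. In addition, vmx_disable_intercept_for_msr() is called on vmx->vmcs01.msr_bitmap without the cpu_has_vmx_msr_bitmap() test that msr_write_intercepted_l01() performs; please confirm the helper is safe when MSR bitmaps are unavailable. As in the SVM hunk, the wrmsrl() is reachable by a host-initiated write without any check that the host CPU has the MSR.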
* [PATCH 3.16 365/410] RDMA/ucma: Check AF family prior resolving address
2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
` (96 preceding siblings ...)
2018-06-07 14:05 ` [PATCH 3.16 123/410] crypto: hash - annotate algorithms taking optional key Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
2018-06-07 14:05 ` [PATCH 3.16 280/410] lock_parent() needs to recheck if dentry got __dentry_kill'ed under it Ben Hutchings
` (311 subsequent siblings)
409 siblings, 0 replies; 428+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Jason Gunthorpe, Sean Hefty, syzbot+1d8c43206853b369d00c,
Leon Romanovsky
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Leon Romanovsky <leonro@mellanox.com>
commit 2975d5de6428ff6d9317e9948f0968f7d42e5d74 upstream.
Garbage supplied by the user will cause the UCMA module to provide a
zero memory size for memcpy(); because it wasn't checked, it will
produce unpredictable results in rdma_resolve_addr().
[ 42.873814] BUG: KASAN: null-ptr-deref in rdma_resolve_addr+0xc8/0xfb0
[ 42.874816] Write of size 28 at addr 00000000000000a0 by task resaddr/1044
[ 42.876765]
[ 42.876960] CPU: 1 PID: 1044 Comm: resaddr Not tainted 4.16.0-rc1-00057-gaa56a5293d7e #34
[ 42.877840] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.0-0-g63451fca13-prebuilt.qemu-project.org 04/01/2014
[ 42.879691] Call Trace:
[ 42.880236] dump_stack+0x5c/0x77
[ 42.880664] kasan_report+0x163/0x380
[ 42.881354] ? rdma_resolve_addr+0xc8/0xfb0
[ 42.881864] memcpy+0x34/0x50
[ 42.882692] rdma_resolve_addr+0xc8/0xfb0
[ 42.883366] ? deref_stack_reg+0x88/0xd0
[ 42.883856] ? vsnprintf+0x31a/0x770
[ 42.884686] ? rdma_bind_addr+0xc40/0xc40
[ 42.885327] ? num_to_str+0x130/0x130
[ 42.885773] ? deref_stack_reg+0x88/0xd0
[ 42.886217] ? __read_once_size_nocheck.constprop.6+0x10/0x10
[ 42.887698] ? unwind_get_return_address_ptr+0x50/0x50
[ 42.888302] ? replace_slot+0x147/0x170
[ 42.889176] ? delete_node+0x12c/0x340
[ 42.890223] ? __radix_tree_lookup+0xa9/0x160
[ 42.891196] ? ucma_resolve_ip+0xb7/0x110
[ 42.891917] ucma_resolve_ip+0xb7/0x110
[ 42.893003] ? ucma_resolve_addr+0x190/0x190
[ 42.893531] ? _copy_from_user+0x5e/0x90
[ 42.894204] ucma_write+0x174/0x1f0
[ 42.895162] ? ucma_resolve_route+0xf0/0xf0
[ 42.896309] ? dequeue_task_fair+0x67e/0xd90
[ 42.897192] ? put_prev_entity+0x7d/0x170
[ 42.897870] ? ring_buffer_record_is_on+0xd/0x20
[ 42.898439] ? tracing_record_taskinfo_skip+0x20/0x50
[ 42.899686] __vfs_write+0xc4/0x350
[ 42.900142] ? kernel_read+0xa0/0xa0
[ 42.900602] ? firmware_map_remove+0xdf/0xdf
[ 42.901135] ? do_task_dead+0x5d/0x60
[ 42.901598] ? do_exit+0xcc6/0x1220
[ 42.902789] ? __fget+0xa8/0xf0
[ 42.903190] vfs_write+0xf7/0x280
[ 42.903600] SyS_write+0xa1/0x120
[ 42.904206] ? SyS_read+0x120/0x120
[ 42.905710] ? compat_start_thread+0x60/0x60
[ 42.906423] ? SyS_read+0x120/0x120
[ 42.908716] do_syscall_64+0xeb/0x250
[ 42.910760] entry_SYSCALL_64_after_hwframe+0x21/0x86
Reported-by: <syzbot+1d8c43206853b369d00c@syzkaller.appspotmail.com>
Fixes: 75216638572f ("RDMA/cma: Export rdma cm interface to userspace")
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Reviewed-by: Sean Hefty <sean.hefty@intel.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/infiniband/core/ucma.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
--- a/drivers/infiniband/core/ucma.c
+++ b/drivers/infiniband/core/ucma.c
@@ -560,19 +560,23 @@ static ssize_t ucma_resolve_ip(struct uc
int in_len, int out_len)
{
struct rdma_ucm_resolve_ip cmd;
+ struct sockaddr *src, *dst;
struct ucma_context *ctx;
int ret;
if (copy_from_user(&cmd, inbuf, sizeof(cmd)))
return -EFAULT;
+ src = (struct sockaddr *) &cmd.src_addr;
+ dst = (struct sockaddr *) &cmd.dst_addr;
+ if (!rdma_addr_size(src) || !rdma_addr_size(dst))
+ return -EINVAL;
+
ctx = ucma_get_ctx(file, cmd.id);
if (IS_ERR(ctx))
return PTR_ERR(ctx);
- ret = rdma_resolve_addr(ctx->cm_id, (struct sockaddr *) &cmd.src_addr,
- (struct sockaddr *) &cmd.dst_addr,
- cmd.timeout_ms);
+ ret = rdma_resolve_addr(ctx->cm_id, src, dst, cmd.timeout_ms);
ucma_put_ctx(ctx);
return ret;
}
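Review bot: the new test in ucma_resolve_ip() only rejects a zero rdma_addr_size(); it does not compare the returned size with sizeof(cmd.src_addr) or sizeof(cmd.dst_addr). If any address family accepted by rdma_addr_size() is larger than those fields, rdma_resolve_addr() would still read past the end of the on-stack command structure, so an upper-bound check belongs here as well. Doing the validation before ucma_get_ctx() is the right order, since no context reference has to be dropped on the error return.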
* [PATCH 3.16 041/410] x86/cpufeatures: Add Intel feature bits for Speculation Control
2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
` (350 preceding siblings ...)
2018-06-07 14:05 ` [PATCH 3.16 256/410] drm/nouveau: Fix deadlock on runtime suspend Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
2018-06-07 14:05 ` [PATCH 3.16 405/410] net/mlx4_en: do not ignore autoneg in mlx4_en_set_pauseparam() Ben Hutchings
` (57 subsequent siblings)
409 siblings, 0 replies; 428+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, gnomes, arjan, karahmed, torvalds, Thomas Gleixner,
dave.hansen, ak, gregkh, David Woodhouse, ashok.raj, bp,
Borislav Petkov, peterz, pbonzini, tim.c.chen,
Greg Kroah-Hartman
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: David Woodhouse <dwmw@amazon.co.uk>
commit fc67dd70adb711a45d2ef34e12d1a8be75edde61 upstream.
Add three feature bits exposed by new microcode on Intel CPUs for
speculation control.
Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Reviewed-by: Borislav Petkov <bp@suse.de>
Cc: gnomes@lxorguk.ukuu.org.uk
Cc: ak@linux.intel.com
Cc: ashok.raj@intel.com
Cc: dave.hansen@intel.com
Cc: karahmed@amazon.de
Cc: arjan@linux.intel.com
Cc: torvalds@linux-foundation.org
Cc: peterz@infradead.org
Cc: bp@alien8.de
Cc: pbonzini@redhat.com
Cc: tim.c.chen@linux.intel.com
Cc: gregkh@linux-foundation.org
Link: https://lkml.kernel.org/r/1516896855-7642-3-git-send-email-dwmw@amazon.co.uk
Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: This CPUID word wasn't used at all yet, so
add it as feature word 10]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/x86/include/asm/cpufeature.h | 7 ++++++-
arch/x86/kernel/cpu/common.c | 1 +
2 files changed, 7 insertions(+), 1 deletion(-)
--- a/arch/x86/include/asm/cpufeature.h
+++ b/arch/x86/include/asm/cpufeature.h
@@ -8,7 +8,7 @@
#include <asm/required-features.h>
#endif
-#define NCAPINTS 10 /* N 32-bit words worth of info */
+#define NCAPINTS 11 /* N 32-bit words worth of info */
#define NBUGINTS 1 /* N 32-bit bug flags */
/*
@@ -234,6 +234,11 @@
#define X86_FEATURE_AVX512ER (9*32+27) /* AVX-512 Exponential and Reciprocal */
#define X86_FEATURE_AVX512CD (9*32+28) /* AVX-512 Conflict Detection */
+/* Intel-defined CPU features, CPUID level 0x00000007:0 (EDX), word 10 */
+#define X86_FEATURE_SPEC_CTRL (10*32+26) /* Speculation Control (IBRS + IBPB) */
+#define X86_FEATURE_STIBP (10*32+27) /* Single Thread Indirect Branch Predictors */
+#define X86_FEATURE_ARCH_CAPABILITIES (10*32+29) /* IA32_ARCH_CAPABILITIES MSR (Intel) */
+
/*
* BUG word(s)
*/
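Review bot: the new comment labels CPUID level 7:0 EDX as word 10 without saying that this numbering is specific to the 3.16 tree, which the backport note states. Please say so in the comment or next to NCAPINTS, because later backports written against upstream's word numbering have to be translated by hand; the literal 11 passed to cpuid_mask() in the KVM IBPB patch of this series is one such place.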
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -701,6 +701,7 @@ void get_cpu_cap(struct cpuinfo_x86 *c)
cpuid_count(0x00000007, 0, &eax, &ebx, &ecx, &edx);
c->x86_capability[9] = ebx;
+ c->x86_capability[10] = edx;
}
/* AMD-defined flags: level 0x80000001 */
* [PATCH 3.16 244/410] Add delay-init quirk for Corsair K70 RGB keyboards
2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
` (284 preceding siblings ...)
2018-06-07 14:05 ` [PATCH 3.16 307/410] serial: 8250_pci: Add Brainboxes UC-260 4 port serial device Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
2018-06-07 14:05 ` [PATCH 3.16 132/410] IB/mlx4: Fix incorrectly releasing steerable UD QPs when have only ETH ports Ben Hutchings
` (123 subsequent siblings)
409 siblings, 0 replies; 428+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Jack Stocker, Greg Kroah-Hartman
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jack Stocker <jackstocker.93@gmail.com>
commit 7a1646d922577b5b48c0d222e03831141664bb59 upstream.
Following on from this patch: https://lkml.org/lkml/2017/11/3/516,
Corsair K70 RGB keyboards also require the DELAY_INIT quirk to
start correctly at boot.
Device ids found here:
usb 3-3: New USB device found, idVendor=1b1c, idProduct=1b13
usb 3-3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 3-3: Product: Corsair K70 RGB Gaming Keyboard
Signed-off-by: Jack Stocker <jackstocker.93@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/core/quirks.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -222,6 +222,9 @@ static const struct usb_device_id usb_qu
{ USB_DEVICE(0x1a0a, 0x0200), .driver_info =
USB_QUIRK_LINEAR_UFRAME_INTR_BINTERVAL },
+ /* Corsair K70 RGB */
+ { USB_DEVICE(0x1b1c, 0x1b13), .driver_info = USB_QUIRK_DELAY_INIT },
+
/* Corsair Strafe RGB */
{ USB_DEVICE(0x1b1c, 0x1b20), .driver_info = USB_QUIRK_DELAY_INIT },
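Review bot: the new table entry records only the product name, while the reason for USB_QUIRK_DELAY_INIT (the keyboard not starting correctly at boot) is in the commit message alone. Since the Strafe entry right below carries the same quirk, one comment covering both Corsair entries would save the next reader a trip through the history.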
^ permalink raw reply [flat|nested] 428+ messages in thread
* [PATCH 3.16 007/410] media: dvb-usb-v2: lmedm04: Improve logic checking of warm start
2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
` (217 preceding siblings ...)
2018-06-07 14:05 ` [PATCH 3.16 226/410] usb: dwc3: gadget: Set maxpacket size for ep0 IN Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
2018-06-07 14:05 ` [PATCH 3.16 394/410] batman-adv: fix multicast-via-unicast transmission with AP isolation Ben Hutchings
` (190 subsequent siblings)
409 siblings, 0 replies; 428+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Malcolm Priestley, Mauro Carvalho Chehab, Andrey Konovalov
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Malcolm Priestley <tvboxspy@gmail.com>
commit 3d932ee27e852e4904647f15b64dedca51187ad7 upstream.
Warm start has no check as to whether a genuine device has
connected and proceeds to next execution path.
Check device should read 0x47 at offset of 2 on USB descriptor read
and it is the amount requested of 6 bytes.
Fix for
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access as
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/media/usb/dvb-usb-v2/lmedm04.c | 26 ++++++++++++++++++--------
1 file changed, 18 insertions(+), 8 deletions(-)
--- a/drivers/media/usb/dvb-usb-v2/lmedm04.c
+++ b/drivers/media/usb/dvb-usb-v2/lmedm04.c
@@ -434,18 +434,23 @@ static int lme2510_pid_filter(struct dvb
static int lme2510_return_status(struct dvb_usb_device *d)
{
- int ret = 0;
+ int ret;
u8 *data;
- data = kzalloc(10, GFP_KERNEL);
+ data = kzalloc(6, GFP_KERNEL);
if (!data)
return -ENOMEM;
- ret |= usb_control_msg(d->udev, usb_rcvctrlpipe(d->udev, 0),
- 0x06, 0x80, 0x0302, 0x00, data, 0x0006, 200);
- info("Firmware Status: %x (%x)", ret , data[2]);
+ ret = usb_control_msg(d->udev, usb_rcvctrlpipe(d->udev, 0),
+ 0x06, 0x80, 0x0302, 0x00,
+ data, 0x6, 200);
+ if (ret != 6)
+ ret = -EINVAL;
+ else
+ ret = data[2];
+
+ info("Firmware Status: %6ph", data);
- ret = (ret < 0) ? -ENODEV : data[2];
kfree(data);
return ret;
}
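Review bot: in lme2510_return_status() the info("Firmware Status: %6ph", data) call runs even when usb_control_msg() failed or returned fewer than 6 bytes, so the log shows a zeroed or partial kzalloc buffer as if it were the device's status. Move the print into the else branch, or log ret on failure. The "ret != 6" branch also folds every negative errno from usb_control_msg() into -EINVAL (the old code used -ENODEV), which drops the original cause.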
@@ -1228,6 +1233,7 @@ static int lme2510_get_adapter_count(str
static int lme2510_identify_state(struct dvb_usb_device *d, const char **name)
{
struct lme2510_state *st = d->priv;
+ int status;
usb_reset_configuration(d->udev);
@@ -1236,12 +1242,16 @@ static int lme2510_identify_state(struct
st->dvb_usb_lme2510_firmware = dvb_usb_lme2510_firmware;
- if (lme2510_return_status(d) == 0x44) {
+ status = lme2510_return_status(d);
+ if (status == 0x44) {
*name = lme_firmware_switch(d, 0);
return COLD;
}
- return 0;
+ if (status != 0x47)
+ return -EINVAL;
+
+ return WARM;
}
static int lme2510_get_stream_config(struct dvb_frontend *fe, u8 *ts_type,
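Review bot: lme2510_identify_state() now returns -EINVAL for any status other than 0x44 or 0x47, which also overwrites a negative error coming back from lme2510_return_status(). Returning status itself when it is negative would keep "transfer failed" and "unexpected device" distinguishable. The bare 0x44 and 0x47 would read better as named constants, given that the commit message has to explain what 0x47 means.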
^ permalink raw reply [flat|nested] 428+ messages in thread
* [PATCH 3.16 048/410] x86/cpufeatures: Clean up Spectre v2 related CPUID flags
2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
` (22 preceding siblings ...)
2018-06-07 14:05 ` [PATCH 3.16 342/410] ALSA: seq: Fix possible UAF in snd_seq_check_queue() Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
2018-06-07 14:05 ` [PATCH 3.16 082/410] ima: relax requiring a file signature for new files with zero length Ben Hutchings
` (385 subsequent siblings)
409 siblings, 0 replies; 428+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, peterz, bp, David Woodhouse, Greg Kroah-Hartman,
tim.c.chen, pbonzini, torvalds, Thomas Gleixner, karahmed, arjan,
gregkh, ak, dave.hansen
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: David Woodhouse <dwmw@amazon.co.uk>
commit 2961298efe1ea1b6fc0d7ee8b76018fa6c0bcef2 upstream.
We want to expose the hardware features simply in /proc/cpuinfo as "ibrs",
"ibpb" and "stibp". Since AMD has separate CPUID bits for those, use them
as the user-visible bits.
When the Intel SPEC_CTRL bit is set which indicates both IBRS and IBPB
capability, set those (AMD) bits accordingly. Likewise if the Intel STIBP
bit is set, set the AMD STIBP that's used for the generic hardware
capability.
Hide the rest from /proc/cpuinfo by putting "" in the comments. Including
RETPOLINE and RETPOLINE_AMD which shouldn't be visible there. There are
patches to make the sysfs vulnerabilities information non-readable by
non-root, and the same should apply to all information about which
mitigations are actually in use. Those *shouldn't* appear in /proc/cpuinfo.
The feature bit for whether IBPB is actually used, which is needed for
ALTERNATIVEs, is renamed to X86_FEATURE_USE_IBPB.
Originally-by: Borislav Petkov <bp@suse.de>
Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: ak@linux.intel.com
Cc: dave.hansen@intel.com
Cc: karahmed@amazon.de
Cc: arjan@linux.intel.com
Cc: torvalds@linux-foundation.org
Cc: peterz@infradead.org
Cc: bp@alien8.de
Cc: pbonzini@redhat.com
Cc: tim.c.chen@linux.intel.com
Cc: gregkh@linux-foundation.org
Link: https://lkml.kernel.org/r/1517070274-12128-2-git-send-email-dwmw@amazon.co.uk
Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: Adjust context and numbering]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/x86/include/asm/cpufeature.h | 12 +++++------
arch/x86/include/asm/nospec-branch.h | 2 +-
arch/x86/kernel/cpu/bugs.c | 7 +++----
arch/x86/kernel/cpu/intel.c | 31 +++++++++++++++++++---------
4 files changed, 31 insertions(+), 21 deletions(-)
--- a/arch/x86/include/asm/cpufeature.h
+++ b/arch/x86/include/asm/cpufeature.h
@@ -189,7 +189,7 @@
#define X86_FEATURE_INVPCID_SINGLE (7*32+10) /* Effectively INVPCID && CR4.PCIDE=1 */
#define X86_FEATURE_RSB_CTXSW (7*32+11) /* "" Fill RSB on context switches */
-#define X86_FEATURE_IBPB (7*32+12) /* Indirect Branch Prediction Barrier enabled*/
+#define X86_FEATURE_USE_IBPB (7*32+12) /* "" Indirect Branch Prediction Barrier enabled */
#define X86_FEATURE_RETPOLINE (7*32+29) /* "" Generic Retpoline mitigation for Spectre variant 2 */
#define X86_FEATURE_RETPOLINE_AMD (7*32+30) /* "" AMD Retpoline mitigation for Spectre variant 2 */
@@ -237,14 +237,14 @@
#define X86_FEATURE_AVX512CD (9*32+28) /* AVX-512 Conflict Detection */
/* Intel-defined CPU features, CPUID level 0x00000007:0 (EDX), word 10 */
-#define X86_FEATURE_SPEC_CTRL (10*32+26) /* Speculation Control (IBRS + IBPB) */
-#define X86_FEATURE_STIBP (10*32+27) /* Single Thread Indirect Branch Predictors */
+#define X86_FEATURE_SPEC_CTRL (10*32+26) /* "" Speculation Control (IBRS + IBPB) */
+#define X86_FEATURE_INTEL_STIBP (10*32+27) /* "" Single Thread Indirect Branch Predictors */
#define X86_FEATURE_ARCH_CAPABILITIES (10*32+29) /* IA32_ARCH_CAPABILITIES MSR (Intel) */
/* AMD-defined CPU features, CPUID level 0x80000008 (EBX), word 11 */
-#define X86_FEATURE_AMD_PRED_CMD (11*32+12) /* Prediction Command MSR (AMD) */
-#define X86_FEATURE_AMD_SPEC_CTRL (11*32+14) /* Speculation Control MSR only (AMD) */
-#define X86_FEATURE_AMD_STIBP (11*32+15) /* Single Thread Indirect Branch Predictors (AMD) */
+#define X86_FEATURE_IBPB (11*32+12) /* Indirect Branch Prediction Barrier */
+#define X86_FEATURE_IBRS (11*32+14) /* Indirect Branch Restricted Speculation */
+#define X86_FEATURE_STIBP (11*32+15) /* Single Thread Indirect Branch Predictors */
/*
* BUG word(s)
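Review bot: X86_FEATURE_STIBP moves from (10*32+27) to (11*32+15) in this hunk, and X86_FEATURE_IBPB moves from the synthetic (7*32+12) to (11*32+12) across the two hunks, so any call site this patch misses still compiles and silently tests a different bit. The changelog should state that all users of the two names were audited; the diff converts nospec-branch.h, bugs.c and intel.c only. X86_FEATURE_ARCH_CAPABILITIES in the same block keeps a comment without the leading "", so it stays visible in /proc/cpuinfo although the commit message says the rest is hidden; please say whether that is intended.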
--- a/arch/x86/include/asm/nospec-branch.h
+++ b/arch/x86/include/asm/nospec-branch.h
@@ -201,7 +201,7 @@ static inline void indirect_branch_predi
"movl %[val], %%eax\n\t"
"movl $0, %%edx\n\t"
"wrmsr",
- X86_FEATURE_IBPB)
+ X86_FEATURE_USE_IBPB)
: : [msr] "i" (MSR_IA32_PRED_CMD),
[val] "i" (PRED_CMD_IBPB)
: "eax", "ecx", "edx", "memory");
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -360,9 +360,8 @@ retpoline_auto:
}
/* Initialize Indirect Branch Prediction Barrier if supported */
- if (boot_cpu_has(X86_FEATURE_SPEC_CTRL) ||
- boot_cpu_has(X86_FEATURE_AMD_PRED_CMD)) {
- setup_force_cpu_cap(X86_FEATURE_IBPB);
+ if (boot_cpu_has(X86_FEATURE_IBPB)) {
+ setup_force_cpu_cap(X86_FEATURE_USE_IBPB);
pr_info("Enabling Indirect Branch Prediction Barrier\n");
}
}
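Review bot: boot_cpu_has(X86_FEATURE_IBPB) in the IBPB init block is now true on Intel only because early_init_intel() copies SPEC_CTRL into the IBRS/IBPB bits, so this check depends on that propagation having run for the boot CPU first. A one-line comment here naming that dependency would keep a later reorder from quietly disabling IBPB.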
@@ -395,7 +394,7 @@ ssize_t cpu_show_spectre_v2(struct devic
return sprintf(buf, "Not affected\n");
return sprintf(buf, "%s%s%s\n", spectre_v2_strings[spectre_v2_enabled],
- boot_cpu_has(X86_FEATURE_IBPB) ? ", IPBP" : "",
+ boot_cpu_has(X86_FEATURE_USE_IBPB) ? ", IBPB" : "",
spectre_v2_module_string());
}
#endif
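Review bot: the second sprintf argument in cpu_show_spectre_v2() changes the user-visible string from ", IPBP" to ", IBPB". That is a correction, but it is also a change to sysfs output that the commit message does not mention; note it there so anyone matching on the old spelling is warned.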
--- a/arch/x86/kernel/cpu/intel.c
+++ b/arch/x86/kernel/cpu/intel.c
@@ -105,17 +105,28 @@ static void early_init_intel(struct cpui
rdmsr(MSR_IA32_UCODE_REV, lower_word, c->microcode);
}
- if ((cpu_has(c, X86_FEATURE_SPEC_CTRL) ||
- cpu_has(c, X86_FEATURE_STIBP) ||
- cpu_has(c, X86_FEATURE_AMD_SPEC_CTRL) ||
- cpu_has(c, X86_FEATURE_AMD_PRED_CMD) ||
- cpu_has(c, X86_FEATURE_AMD_STIBP)) && bad_spectre_microcode(c)) {
- pr_warn("Intel Spectre v2 broken microcode detected; disabling SPEC_CTRL\n");
- clear_cpu_cap(c, X86_FEATURE_SPEC_CTRL);
+ /*
+ * The Intel SPEC_CTRL CPUID bit implies IBRS and IBPB support,
+ * and they also have a different bit for STIBP support. Also,
+ * a hypervisor might have set the individual AMD bits even on
+ * Intel CPUs, for finer-grained selection of what's available.
+ */
+ if (cpu_has(c, X86_FEATURE_SPEC_CTRL)) {
+ set_cpu_cap(c, X86_FEATURE_IBRS);
+ set_cpu_cap(c, X86_FEATURE_IBPB);
+ }
+ if (cpu_has(c, X86_FEATURE_INTEL_STIBP))
+ set_cpu_cap(c, X86_FEATURE_STIBP);
+
+ /* Now if any of them are set, check the blacklist and clear the lot */
+ if ((cpu_has(c, X86_FEATURE_IBRS) || cpu_has(c, X86_FEATURE_IBPB) ||
+ cpu_has(c, X86_FEATURE_STIBP)) && bad_spectre_microcode(c)) {
+ pr_warn("Intel Spectre v2 broken microcode detected; disabling Speculation Control\n");
+ clear_cpu_cap(c, X86_FEATURE_IBRS);
+ clear_cpu_cap(c, X86_FEATURE_IBPB);
clear_cpu_cap(c, X86_FEATURE_STIBP);
- clear_cpu_cap(c, X86_FEATURE_AMD_SPEC_CTRL);
- clear_cpu_cap(c, X86_FEATURE_AMD_PRED_CMD);
- clear_cpu_cap(c, X86_FEATURE_AMD_STIBP);
+ clear_cpu_cap(c, X86_FEATURE_SPEC_CTRL);
+ clear_cpu_cap(c, X86_FEATURE_INTEL_STIBP);
}
/*
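Review bot: the blacklist condition in early_init_intel() tests only IBRS, IBPB and STIBP, and it covers SPEC_CTRL and INTEL_STIBP solely because of the two propagation ifs directly above it. The "Now if any of them are set" comment should say so, since moving or dropping the propagation would let a CPU with bad microcode keep SPEC_CTRL set. The five clear_cpu_cap() calls would also be less error-prone as a loop over a small table of the affected bits.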
^ permalink raw reply [flat|nested] 428+ messages in thread
* [PATCH 3.16 148/410] staging: lustre: libcfs: Prevent harmless read underflow
2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
` (398 preceding siblings ...)
2018-06-07 14:05 ` [PATCH 3.16 136/410] usb: uas: unconditionally bring back host after reset Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
2018-06-07 14:05 ` [PATCH 3.16 131/410] ASoC: au1x: Fix timeout tests in au1xac97c_ac97_read() Ben Hutchings
` (9 subsequent siblings)
409 siblings, 0 replies; 428+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Greg Kroah-Hartman, Dan Carpenter
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@oracle.com>
commit 134aecbc25fd77645baaea5467b2a7ed8e9d1ea7 upstream.
Because this is a post-op instead of a pre-op, then it means we check
if knl_buffer[-1] is a space. It doesn't really hurt anything, but
it causes a static checker warning so let's fix it.
Fixes: d7e09d0397e8 ("staging: add Lustre file system client support")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/staging/lustre/lustre/libcfs/tracefile.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/staging/lustre/lustre/libcfs/tracefile.c
+++ b/drivers/staging/lustre/lustre/libcfs/tracefile.c
@@ -767,7 +767,7 @@ int cfs_trace_copyin_string(char *knl_bu
return -EFAULT;
nob = strnlen(knl_buffer, usr_buffer_nob);
- while (nob-- >= 0) /* strip trailing whitespace */
+ while (--nob >= 0) /* strip trailing whitespace */
if (!isspace(knl_buffer[nob]))
break;
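Review bot: "while (--nob >= 0)" only stops at the start of the buffer if nob is a signed type, and its declaration is outside the hunk while strnlen() returns size_t; please confirm the type. For an all-whitespace string the loop now leaves nob at -1 where the old post-decrement left it at -2, so the code after the loop that consumes nob should be checked against the new value.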
^ permalink raw reply [flat|nested] 428+ messages in thread
* [PATCH 3.16 096/410] xtensa: fix futex_atomic_cmpxchg_inatomic
2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
` (41 preceding siblings ...)
2018-06-07 14:05 ` [PATCH 3.16 309/410] xen: Add xen_arch_suspend() Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
2018-06-07 14:05 ` [PATCH 3.16 379/410] libata: Make Crucial BX100 500GB LPM quirk apply to all firmware versions Ben Hutchings
` (366 subsequent siblings)
409 siblings, 0 replies; 428+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Max Filippov
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Max Filippov <jcmvbkbc@gmail.com>
commit ca47480921587ae30417dd234a9f79af188e3666 upstream.
Return 0 if the operation was successful, not the userspace memory
value. Check that userspace value equals passed oldval, not itself.
Don't update *uval if the value wasn't read from userspace memory.
This fixes process hang due to infinite loop in futex_lock_pi.
It also fixes a bunch of glibc tests nptl/tst-mutexpi*.
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/xtensa/include/asm/futex.h | 23 ++++++++++-------------
1 file changed, 10 insertions(+), 13 deletions(-)
--- a/arch/xtensa/include/asm/futex.h
+++ b/arch/xtensa/include/asm/futex.h
@@ -109,7 +109,6 @@ futex_atomic_cmpxchg_inatomic(u32 *uval,
u32 oldval, u32 newval)
{
int ret = 0;
- u32 prev;
if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
return -EFAULT;
@@ -120,26 +119,24 @@ futex_atomic_cmpxchg_inatomic(u32 *uval,
__asm__ __volatile__ (
" # futex_atomic_cmpxchg_inatomic\n"
- "1: l32i %1, %3, 0\n"
- " mov %0, %5\n"
- " wsr %1, scompare1\n"
- "2: s32c1i %0, %3, 0\n"
- "3:\n"
+ " wsr %5, scompare1\n"
+ "1: s32c1i %1, %4, 0\n"
+ " s32i %1, %6, 0\n"
+ "2:\n"
" .section .fixup,\"ax\"\n"
" .align 4\n"
- "4: .long 3b\n"
- "5: l32r %1, 4b\n"
- " movi %0, %6\n"
+ "3: .long 2b\n"
+ "4: l32r %1, 3b\n"
+ " movi %0, %7\n"
" jx %1\n"
" .previous\n"
" .section __ex_table,\"a\"\n"
- " .long 1b,5b,2b,5b\n"
+ " .long 1b,4b\n"
" .previous\n"
- : "+r" (ret), "=&r" (prev), "+m" (*uaddr)
- : "r" (uaddr), "r" (oldval), "r" (newval), "I" (-EFAULT)
+ : "+r" (ret), "+r" (newval), "+m" (*uaddr), "+m" (*uval)
+ : "r" (uaddr), "r" (oldval), "r" (uval), "I" (-EFAULT)
: "memory");
- *uval = prev;
return ret;
}
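Review bot: in the rewritten asm, %1 (newval) serves as the s32c1i input, as the value stored through %6, and as the scratch register for "l32r %1, 3b" in the fixup, while the operand list grew from seven to eight entries and every index shifted. Named operands ([ret], [newval], [uval] and so on) would make this reviewable without counting. The __ex_table entry now covers only label 1, which is right as long as the "s32i %1, %6, 0" store through the kernel pointer uval can never fault; a comment stating that assumption would help.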
^ permalink raw reply [flat|nested] 428+ messages in thread
* [PATCH 3.16 322/410] bcache: fix crashes in duplicate cache device register
2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
` (336 preceding siblings ...)
2018-06-07 14:05 ` [PATCH 3.16 241/410] usbip: keep usbip_device sockfd state in sync with tcp_socket Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
2018-06-07 14:05 ` [PATCH 3.16 349/410] can: cc770: Fix queue stall & dropped RTR reply Ben Hutchings
` (71 subsequent siblings)
409 siblings, 0 replies; 428+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Jens Axboe, Michael Lyle, Marc MERLIN, Tang Junhui
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Tang Junhui <tang.junhui@zte.com.cn>
commit cc40daf91bdddbba72a4a8cd0860640e06668309 upstream.
Kernel crashed when registering a duplicate cache device, the call trace is
below:
[ 417.643790] CPU: 1 PID: 16886 Comm: bcache-register Tainted: G
W OE 4.15.5-amd64-preempt-sysrq-20171018 #2
[ 417.643861] Hardware name: LENOVO 20ERCTO1WW/20ERCTO1WW, BIOS
N1DET41W (1.15 ) 12/31/2015
[ 417.643870] RIP: 0010:bdevname+0x13/0x1e
[ 417.643876] RSP: 0018:ffffa3aa9138fd38 EFLAGS: 00010282
[ 417.643884] RAX: 0000000000000000 RBX: ffff8c8f2f2f8000 RCX: ffffd6701f8
c7edf
[ 417.643890] RDX: ffffa3aa9138fd88 RSI: ffffa3aa9138fd88 RDI: 00000000000
00000
[ 417.643895] RBP: ffffa3aa9138fde0 R08: ffffa3aa9138fae8 R09: 00000000000
1850e
[ 417.643901] R10: ffff8c8eed34b271 R11: ffff8c8eed34b250 R12: 00000000000
00000
[ 417.643906] R13: ffffd6701f78f940 R14: ffff8c8f38f80000 R15: ffff8c8ea7d
90000
[ 417.643913] FS: 00007fde7e66f500(0000) GS:ffff8c8f61440000(0000) knlGS:
0000000000000000
[ 417.643919] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 417.643925] CR2: 0000000000000314 CR3: 00000007e6fa0001 CR4: 00000000003
606e0
[ 417.643931] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 00000000000
00000
[ 417.643938] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 00000000000
00400
[ 417.643946] Call Trace:
[ 417.643978] register_bcache+0x1117/0x1270 [bcache]
[ 417.643994] ? slab_pre_alloc_hook+0x15/0x3c
[ 417.644001] ? slab_post_alloc_hook.isra.44+0xa/0x1a
[ 417.644013] ? kernfs_fop_write+0xf6/0x138
[ 417.644020] kernfs_fop_write+0xf6/0x138
[ 417.644031] __vfs_write+0x31/0xcc
[ 417.644043] ? current_kernel_time64+0x10/0x36
[ 417.644115] ? __audit_syscall_entry+0xbf/0xe3
[ 417.644124] vfs_write+0xa5/0xe2
[ 417.644133] SyS_write+0x5c/0x9f
[ 417.644144] do_syscall_64+0x72/0x81
[ 417.644161] entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[ 417.644169] RIP: 0033:0x7fde7e1c1974
[ 417.644175] RSP: 002b:00007fff13009a38 EFLAGS: 00000246 ORIG_RAX: 0000000
000000001
[ 417.644183] RAX: ffffffffffffffda RBX: 0000000001658280 RCX: 00007fde7e1c
1974
[ 417.644188] RDX: 000000000000000a RSI: 0000000001658280 RDI: 000000000000
0001
[ 417.644193] RBP: 000000000000000a R08: 0000000000000003 R09: 000000000000
0077
[ 417.644198] R10: 000000000000089e R11: 0000000000000246 R12: 000000000000
0001
[ 417.644203] R13: 000000000000000a R14: 7fffffffffffffff R15: 000000000000
0000
[ 417.644213] Code: c7 c2 83 6f ee 98 be 20 00 00 00 48 89 df e8 6c 27 3b 0
0 48 89 d8 5b c3 0f 1f 44 00 00 48 8b 47 70 48 89 f2 48 8b bf 80 00 00 00 <8
b> b0 14 03 00 00 e9 73 ff ff ff 0f 1f 44 00 00 48 8b 47 40 39
[ 417.644302] RIP: bdevname+0x13/0x1e RSP: ffffa3aa9138fd38
[ 417.644306] CR2: 0000000000000314
When registering duplicate cache device in register_cache(), after failure
on calling register_cache_set(), bch_cache_release() will be called, then
bdev will be freed, so bdevname(bdev, name) caused kernel crash.
Since bch_cache_release() will free bdev, so in this patch we make sure
bdev being freed if register_cache() fail, and do not free bdev again in
register_bcache() when register_cache() fail.
Signed-off-by: Tang Junhui <tang.junhui@zte.com.cn>
Reported-by: Marc MERLIN <marc@merlins.org>
Tested-by: Michael Lyle <mlyle@lyle.org>
Reviewed-by: Michael Lyle <mlyle@lyle.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/md/bcache/super.c | 16 ++++++++++------
1 file changed, 10 insertions(+), 6 deletions(-)
--- a/drivers/md/bcache/super.c
+++ b/drivers/md/bcache/super.c
@@ -1203,7 +1203,7 @@ static void register_bdev(struct cache_s
return;
err:
- pr_notice("error opening %s: %s", bdevname(bdev, name), err);
+ pr_notice("error %s: %s", bdevname(bdev, name), err);
bcache_device_stop(&dc->disk);
}
@@ -1861,6 +1861,8 @@ static int register_cache(struct cache_s
const char *err = NULL; /* must be set for any error case */
int ret = 0;
+ bdevname(bdev, name);
+
memcpy(&ca->sb, sb, sizeof(struct cache_sb));
ca->bdev = bdev;
ca->bdev->bd_holder = ca;
@@ -1871,11 +1873,12 @@ static int register_cache(struct cache_s
ca->sb_bio.bi_io_vec[0].bv_page = sb_page;
get_page(sb_page);
- if (blk_queue_discard(bdev_get_queue(ca->bdev)))
+ if (blk_queue_discard(bdev_get_queue(bdev)))
ca->discard = CACHE_DISCARD(&ca->sb);
ret = cache_alloc(sb, ca);
if (ret != 0) {
+ blkdev_put(bdev, FMODE_READ|FMODE_WRITE|FMODE_EXCL);
if (ret == -ENOMEM)
err = "cache_alloc(): -ENOMEM";
else
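Review bot: the added blkdev_put() on the cache_alloc() failure path means register_cache() now releases bdev in two different ways: directly here and, per the commit message, through bch_cache_release() on the later failure paths. Document at the top of the function that it consumes bdev on every error so callers never put it again. The FMODE_READ|FMODE_WRITE|FMODE_EXCL flags are repeated from err_close in register_bcache() and should come from one definition so the two cannot drift.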
@@ -1898,14 +1901,14 @@ static int register_cache(struct cache_s
goto out;
}
- pr_info("registered cache device %s", bdevname(bdev, name));
+ pr_info("registered cache device %s", name);
out:
kobject_put(&ca->kobj);
err:
if (err)
- pr_notice("error opening %s: %s", bdevname(bdev, name), err);
+ pr_notice("error %s: %s", name, err);
return ret;
}
@@ -1994,6 +1997,7 @@ static ssize_t register_bcache(struct ko
if (err)
goto err_close;
+ err = "failed to register device";
if (SB_IS_BDEV(sb)) {
struct cached_dev *dc = kzalloc(sizeof(*dc), GFP_KERNEL);
if (!dc)
@@ -2008,7 +2012,7 @@ static ssize_t register_bcache(struct ko
goto err_close;
if (register_cache(sb, sb_page, bdev, ca) != 0)
- goto err_close;
+ goto err;
}
out:
if (sb_page)
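Review bot: with "goto err" after a failed register_cache(), the failure is logged twice: once by the pr_notice() at register_cache()'s own err label with the specific reason, and again by the pr_info() at register_bcache()'s err label with the generic "failed to register device" set in the previous hunk. Consider jumping past the second print on this path or dropping one of the two messages.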
@@ -2021,7 +2025,7 @@ out:
err_close:
blkdev_put(bdev, FMODE_READ|FMODE_WRITE|FMODE_EXCL);
err:
- pr_info("error opening %s: %s", path, err);
+ pr_info("error %s: %s", path, err);
ret = -EINVAL;
goto out;
}
^ permalink raw reply [flat|nested] 428+ messages in thread
* [PATCH 3.16 252/410] dn_getsockoptdecnet: move nf_{get/set}sockopt outside sock lock
2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
` (226 preceding siblings ...)
2018-06-07 14:05 ` [PATCH 3.16 056/410] KVM/VMX: Emulate MSR_IA32_ARCH_CAPABILITIES Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
2018-06-07 14:05 ` [PATCH 3.16 276/410] kernel/relay.c: limit kmalloc size to KMALLOC_MAX_SIZE Ben Hutchings
` (181 subsequent siblings)
409 siblings, 0 replies; 428+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Paolo Abeni, David S. Miller, Petr Vandrovec
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Abeni <pabeni@redhat.com>
commit dfec091439bb2acf763497cfc58f2bdfc67c56b7 upstream.
After commit 3f34cfae1238 ("netfilter: on sockopt() acquire sock lock
only in the required scope"), the caller of nf_{get/set}sockopt() must
not hold any lock, but, in such changeset, I forgot to cope with DECnet.
This commit addresses the issue moving the nf call outside the lock,
in the dn_{get,set}sockopt() with the same schema currently used by
ipv4 and ipv6. Also moves the unhandled sockopts to the end of the main
switch statements, to improve code readability.
Reported-by: Petr Vandrovec <petr@vandrovec.name>
BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=198791#c2
Fixes: 3f34cfae1238 ("netfilter: on sockopt() acquire sock lock only in the required scope")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/decnet/af_decnet.c | 62 ++++++++++++++++++++++--------------------
1 file changed, 33 insertions(+), 29 deletions(-)
--- a/net/decnet/af_decnet.c
+++ b/net/decnet/af_decnet.c
@@ -1336,6 +1336,12 @@ static int dn_setsockopt(struct socket *
lock_sock(sk);
err = __dn_setsockopt(sock, level, optname, optval, optlen, 0);
release_sock(sk);
+#ifdef CONFIG_NETFILTER
+ /* we need to exclude all possible ENOPROTOOPTs except default case */
+ if (err == -ENOPROTOOPT && optname != DSO_LINKINFO &&
+ optname != DSO_STREAM && optname != DSO_SEQPACKET)
+ err = nf_setsockopt(sk, PF_DECnet, optname, optval, optlen);
+#endif
return err;
}
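Review bot: the "optname != DSO_LINKINFO && optname != DSO_STREAM && optname != DSO_SEQPACKET" test in dn_setsockopt() has to mirror the case labels that return -ENOPROTOOPT in __dn_setsockopt(), and nothing ties the two lists together. If another case in that switch ever returns -ENOPROTOOPT, it will be forwarded to nf_setsockopt() unnoticed. A distinct internal return value for the default case, or a comment at the switch pointing back here, would make that safer.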
@@ -1443,15 +1449,6 @@ static int __dn_setsockopt(struct socket
dn_nsp_send_disc(sk, 0x38, 0, sk->sk_allocation);
break;
- default:
-#ifdef CONFIG_NETFILTER
- return nf_setsockopt(sk, PF_DECnet, optname, optval, optlen);
-#endif
- case DSO_LINKINFO:
- case DSO_STREAM:
- case DSO_SEQPACKET:
- return -ENOPROTOOPT;
-
case DSO_MAXWINDOW:
if (optlen != sizeof(unsigned long))
return -EINVAL;
@@ -1499,6 +1496,12 @@ static int __dn_setsockopt(struct socket
return -EINVAL;
scp->info_loc = u.info;
break;
+
+ case DSO_LINKINFO:
+ case DSO_STREAM:
+ case DSO_SEQPACKET:
+ default:
+ return -ENOPROTOOPT;
}
return 0;
@@ -1512,6 +1515,20 @@ static int dn_getsockopt(struct socket *
lock_sock(sk);
err = __dn_getsockopt(sock, level, optname, optval, optlen, 0);
release_sock(sk);
+#ifdef CONFIG_NETFILTER
+ if (err == -ENOPROTOOPT && optname != DSO_STREAM &&
+ optname != DSO_SEQPACKET && optname != DSO_CONACCEPT &&
+ optname != DSO_CONREJECT) {
+ int len;
+
+ if (get_user(len, optlen))
+ return -EFAULT;
+
+ err = nf_getsockopt(sk, PF_DECnet, optname, optval, &len);
+ if (err >= 0)
+ err = put_user(len, optlen);
+ }
+#endif
return err;
}
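Review bot: the CONFIG_NETFILTER block in dn_getsockopt() repeats the setsockopt pattern with a different exclusion list (DSO_STREAM, DSO_SEQPACKET, DSO_CONACCEPT, DSO_CONREJECT) but lacks the explanatory comment the setsockopt side has; please add it, and note that the list must track the case labels grouped with default in __dn_getsockopt(). The early "return -EFAULT" is fine here because release_sock() has already run.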
@@ -1577,26 +1594,6 @@ static int __dn_getsockopt(struct socket
r_data = &link;
break;
- default:
-#ifdef CONFIG_NETFILTER
- {
- int ret, len;
-
- if (get_user(len, optlen))
- return -EFAULT;
-
- ret = nf_getsockopt(sk, PF_DECnet, optname, optval, &len);
- if (ret >= 0)
- ret = put_user(len, optlen);
- return ret;
- }
-#endif
- case DSO_STREAM:
- case DSO_SEQPACKET:
- case DSO_CONACCEPT:
- case DSO_CONREJECT:
- return -ENOPROTOOPT;
-
case DSO_MAXWINDOW:
if (r_len > sizeof(unsigned long))
r_len = sizeof(unsigned long);
@@ -1628,6 +1625,13 @@ static int __dn_getsockopt(struct socket
r_len = sizeof(unsigned char);
r_data = &scp->info_rem;
break;
+
+ case DSO_STREAM:
+ case DSO_SEQPACKET:
+ case DSO_CONACCEPT:
+ case DSO_CONREJECT:
+ default:
+ return -ENOPROTOOPT;
}
if (r_data) {
^ permalink raw reply [flat|nested] 428+ messages in thread
* [PATCH 3.16 162/410] HID: roccat: prevent an out of bounds read in kovaplus_profile_activated()
2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
` (177 preceding siblings ...)
2018-06-07 14:05 ` [PATCH 3.16 234/410] netfilter: drop outermost socket lock in getsockopt() Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
2018-06-07 14:05 ` [PATCH 3.16 397/410] netlink: make sure nladdr has correct size in netlink_connect() Ben Hutchings
` (230 subsequent siblings)
409 siblings, 0 replies; 428+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Dan Carpenter, Jiri Kosina, Silvan Jegen
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@oracle.com>
commit 7ad81482cad67cbe1ec808490d1ddfc420c42008 upstream.
We get the "new_profile_index" value from the mouse device when we're
handling raw events. Smatch taints it as untrusted data and complains
that we need a bounds check. This seems like a reasonable warning
otherwise there is a small read beyond the end of the array.
Fixes: 0e70f97f257e ("HID: roccat: Add support for Kova[+] mouse")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Silvan Jegen <s.jegen@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/hid/hid-roccat-kovaplus.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/hid/hid-roccat-kovaplus.c
+++ b/drivers/hid/hid-roccat-kovaplus.c
@@ -37,6 +37,8 @@ static uint kovaplus_convert_event_cpi(u
static void kovaplus_profile_activated(struct kovaplus_device *kovaplus,
uint new_profile_index)
{
+ if (new_profile_index >= ARRAY_SIZE(kovaplus->profile_settings))
+ return;
kovaplus->actual_profile = new_profile_index;
kovaplus->actual_cpi = kovaplus->profile_settings[new_profile_index].cpi_startup_level;
kovaplus->actual_x_sensitivity = kovaplus->profile_settings[new_profile_index].sensitivity_x;
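Review bot: the new bounds check at the top of kovaplus_profile_activated() returns silently when the device reports an out-of-range new_profile_index, so a device sending bad data leaves no trace; a rate-limited warning would help diagnosis. A blank line after the "return;" would match the usual kernel layout. The check itself is sufficient: new_profile_index is a uint, so there is no negative case to cover.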
^ permalink raw reply [flat|nested] 428+ messages in thread
* [PATCH 3.16 287/410] l2tp: remove l2tp_tunnel_count and l2tp_session_count
2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
` (245 preceding siblings ...)
2018-06-07 14:05 ` [PATCH 3.16 298/410] tpm: fix potential buffer overruns caused by bit glitches on the bus Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
2018-06-07 14:05 ` [PATCH 3.16 092/410] video: fbdev: atmel_lcdfb: fix display-timings lookup Ben Hutchings
` (162 subsequent siblings)
409 siblings, 0 replies; 428+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, David S. Miller, Guillaume Nault
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Guillaume Nault <g.nault@alphalink.fr>
commit c7fa745d988812c4dea7dbc645f025c5bfa4917e upstream.
These variables have never been used.
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/l2tp/l2tp_core.c | 10 ----------
1 file changed, 10 deletions(-)
--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -99,8 +99,6 @@ struct l2tp_skb_cb {
#define L2TP_SKB_CB(skb) ((struct l2tp_skb_cb *) &skb->cb[sizeof(struct inet_skb_parm)])
-static atomic_t l2tp_tunnel_count;
-static atomic_t l2tp_session_count;
static struct workqueue_struct *l2tp_wq;
/* per-net private data for this module */
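Review bot: the commit message says these variables "have never been used", but the later hunks remove atomic_inc() and atomic_dec() calls on both counters, so they were written and never read. Wording it as "never read" would make the justification for the removal exact.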
@@ -419,10 +417,6 @@ int l2tp_session_register(struct l2tp_se
hlist_add_head(&session->hlist, head);
write_unlock_bh(&tunnel->hlist_lock);
- /* Ignore management session in session count value */
- if (session->session_id != 0)
- atomic_inc(&l2tp_session_count);
-
return 0;
err_tlock_pnlock:
@@ -1327,7 +1321,6 @@ static void l2tp_tunnel_destruct(struct
spin_lock_bh(&pn->l2tp_tunnel_list_lock);
list_del_rcu(&tunnel->list);
spin_unlock_bh(&pn->l2tp_tunnel_list_lock);
- atomic_dec(&l2tp_tunnel_count);
l2tp_tunnel_closeall(tunnel);
@@ -1749,7 +1742,6 @@ int l2tp_tunnel_create(struct net *net,
/* Add tunnel to our list */
INIT_LIST_HEAD(&tunnel->list);
- atomic_inc(&l2tp_tunnel_count);
/* Bump the reference count. The tunnel context is deleted
* only when this drops to zero. Must be done before list insertion
@@ -1795,8 +1787,6 @@ void l2tp_session_free(struct l2tp_sessi
if (tunnel) {
BUG_ON(tunnel->magic != L2TP_TUNNEL_MAGIC);
- if (session->session_id != 0)
- atomic_dec(&l2tp_session_count);
sock_put(tunnel->sock);
session->tunnel = NULL;
l2tp_tunnel_dec_refcount(tunnel);
^ permalink raw reply [flat|nested] 428+ messages in thread
* [PATCH 3.16 189/410] Btrfs: fix use-after-free on root->orphan_block_rsv
2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
` (31 preceding siblings ...)
2018-06-07 14:05 ` [PATCH 3.16 410/410] net: Fix untag for vlan packets without ethernet header Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
2018-06-07 14:05 ` [PATCH 3.16 164/410] cifs: Fix missing put_xid in cifs_file_strict_mmap Ben Hutchings
` (376 subsequent siblings)
409 siblings, 0 replies; 428+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Josef Bacik, Liu Bo, David Sterba
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Liu Bo <bo.li.liu@oracle.com>
commit 1a932ef4e47984dee227834667b5ff5a334e4805 upstream.
I got these from running generic/475,
WARNING: CPU: 0 PID: 26384 at fs/btrfs/inode.c:3326 btrfs_orphan_commit_root+0x1ac/0x2b0 [btrfs]
BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
IP: btrfs_block_rsv_release+0x1c/0x70 [btrfs]
Call Trace:
btrfs_orphan_release_metadata+0x9f/0x200 [btrfs]
btrfs_orphan_del+0x10d/0x170 [btrfs]
btrfs_setattr+0x500/0x640 [btrfs]
notify_change+0x7ae/0x870
do_truncate+0xca/0x130
vfs_truncate+0x2ee/0x3d0
do_sys_truncate+0xaf/0xf0
SyS_truncate+0xe/0x10
entry_SYSCALL_64_fastpath+0x1f/0x96
The race is between btrfs_orphan_commit_root and btrfs_orphan_del,
        t1                                  t2
btrfs_orphan_commit_root            btrfs_orphan_del
  spin_lock
  check (&root->orphan_inodes)
  root->orphan_block_rsv = NULL;
  spin_unlock
                                      atomic_dec(&root->orphan_inodes);
                                      access root->orphan_block_rsv
Accessing root->orphan_block_rsv must be done before decreasing
root->orphan_inodes.
Fixes: 703c88e03524 ("Btrfs: fix tracking of orphan inode count")
Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
Reviewed-by: Josef Bacik <jbacik@fb.com>
Signed-off-by: David Sterba <dsterba@suse.com>
[bwh: Backported to 3.16: Drop the added comment in a path that's
unreachable here]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/btrfs/inode.c | 34 +++++++++++++++++++++-------------
1 file changed, 21 insertions(+), 13 deletions(-)
--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -3082,12 +3082,17 @@ int btrfs_orphan_add(struct btrfs_trans_
if (insert >= 1) {
ret = btrfs_insert_orphan_item(trans, root, btrfs_ino(inode));
if (ret) {
- atomic_dec(&root->orphan_inodes);
if (reserve) {
clear_bit(BTRFS_INODE_ORPHAN_META_RESERVED,
&BTRFS_I(inode)->runtime_flags);
btrfs_orphan_release_metadata(inode);
}
+ /*
+ * btrfs_orphan_commit_root may race with us and set
+ * ->orphan_block_rsv to zero, in order to avoid that,
+ * decrease ->orphan_inodes after everything is done.
+ */
+ atomic_dec(&root->orphan_inodes);
if (ret != -EEXIST) {
clear_bit(BTRFS_INODE_HAS_ORPHAN_ITEM,
&BTRFS_I(inode)->runtime_flags);
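Review bot: the new ordering in the `if (ret)` branch depends on btrfs_orphan_release_metadata() finishing its access to ->orphan_block_rsv before the decrement becomes visible, but atomic_dec() on its own implies no memory barrier, so on a weakly ordered CPU the decrement may be observed first. Consider smp_mb__before_atomic() ahead of `atomic_dec(&root->orphan_inodes);`, or say in the comment what provides the ordering. The comment would also read better with "NULL" than "zero", since the changelog shows ->orphan_block_rsv being set to NULL.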
@@ -3119,28 +3124,26 @@ static int btrfs_orphan_del(struct btrfs
{
struct btrfs_root *root = BTRFS_I(inode)->root;
int delete_item = 0;
- int release_rsv = 0;
int ret = 0;
- spin_lock(&root->orphan_lock);
if (test_and_clear_bit(BTRFS_INODE_HAS_ORPHAN_ITEM,
&BTRFS_I(inode)->runtime_flags))
delete_item = 1;
+ if (delete_item && trans)
+ ret = btrfs_del_orphan_item(trans, root, btrfs_ino(inode));
+
if (test_and_clear_bit(BTRFS_INODE_ORPHAN_META_RESERVED,
&BTRFS_I(inode)->runtime_flags))
- release_rsv = 1;
- spin_unlock(&root->orphan_lock);
+ btrfs_orphan_release_metadata(inode);
- if (delete_item) {
+ /*
+ * btrfs_orphan_commit_root may race with us and set ->orphan_block_rsv
+ * to zero, in order to avoid that, decrease ->orphan_inodes after
+ * everything is done.
+ */
+ if (delete_item)
atomic_dec(&root->orphan_inodes);
- if (trans)
- ret = btrfs_del_orphan_item(trans, root,
- btrfs_ino(inode));
- }
-
- if (release_rsv)
- btrfs_orphan_release_metadata(inode);
return ret;
}
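Review bot: btrfs_orphan_del() no longer takes root->orphan_lock around the two test_and_clear_bit() calls. Each call is atomic by itself, but the pair used to be evaluated as one unit under the lock, and the changelog only discusses moving the decrement. Add a sentence on why dropping the lock is safe, for example that nothing depends on seeing BTRFS_INODE_HAS_ORPHAN_ITEM and BTRFS_INODE_ORPHAN_META_RESERVED change together.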
^ permalink raw reply [flat|nested] 428+ messages in thread
* [PATCH 3.16 063/410] x86/speculation: Update Speculation Control microcode blacklist
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, jmattson, sironi, Peter Zijlstra, David Woodhouse,
Borislav Petkov, Ingo Molnar, Greg Kroah-Hartman, Dave Hansen,
pbonzini, kvm, karahmed, Linus Torvalds, Thomas Gleixner,
Arjan van de Ven, Josh Poimboeuf, David Woodhouse,
Andy Lutomirski, arjan.van.de.ven, rkrcmar, Dan Williams
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: David Woodhouse <dwmw@amazon.co.uk>
commit 1751342095f0d2b36fa8114d8e12c5688c455ac4 upstream.
Intel have retroactively blessed the 0xc2 microcode on Skylake mobile
and desktop parts, and the Gemini Lake 0x22 microcode is apparently fine
too. We blacklisted the latter purely because it was present with all
the other problematic ones in the 2018-01-08 release, but now it's
explicitly listed as OK.
We still list 0x84 for the various Kaby Lake / Coffee Lake parts, as
that appeared in one version of the blacklist and then reverted to
0x80 again. We can change it if 0x84 is actually announced to be safe.
Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Arjan van de Ven <arjan@linux.intel.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Dan Williams <dan.j.williams@intel.com>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: arjan.van.de.ven@intel.com
Cc: jmattson@google.com
Cc: karahmed@amazon.de
Cc: kvm@vger.kernel.org
Cc: pbonzini@redhat.com
Cc: rkrcmar@redhat.com
Cc: sironi@amazon.de
Link: http://lkml.kernel.org/r/1518305967-31356-2-git-send-email-dwmw@amazon.co.uk
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/x86/kernel/cpu/intel.c | 4 ----
1 file changed, 4 deletions(-)
--- a/arch/x86/kernel/cpu/intel.c
+++ b/arch/x86/kernel/cpu/intel.c
@@ -47,8 +47,6 @@ static const struct sku_microcode spectr
{ INTEL_FAM6_KABYLAKE_MOBILE, 0x09, 0x84 },
{ INTEL_FAM6_SKYLAKE_X, 0x03, 0x0100013e },
{ INTEL_FAM6_SKYLAKE_X, 0x04, 0x0200003c },
- { INTEL_FAM6_SKYLAKE_MOBILE, 0x03, 0xc2 },
- { INTEL_FAM6_SKYLAKE_DESKTOP, 0x03, 0xc2 },
{ INTEL_FAM6_BROADWELL_CORE, 0x04, 0x28 },
{ INTEL_FAM6_BROADWELL_GT3E, 0x01, 0x1b },
{ INTEL_FAM6_BROADWELL_XEON_D, 0x02, 0x14 },
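Review bot: the reason the 0x84 entries survive while the Skylake mobile and desktop 0xc2 entries go is recorded only in the changelog. A one-line comment above `{ INTEL_FAM6_KABYLAKE_MOBILE, 0x09, 0x84 },` saying that 0x84 stays listed until it is announced safe would keep the next reader of the table from treating it as an oversight.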
@@ -60,8 +58,6 @@ static const struct sku_microcode spectr
{ INTEL_FAM6_HASWELL_X, 0x02, 0x3b },
{ INTEL_FAM6_HASWELL_X, 0x04, 0x10 },
{ INTEL_FAM6_IVYBRIDGE_X, 0x04, 0x42a },
- /* Updated in the 20180108 release; blacklist until we know otherwise */
- { INTEL_FAM6_ATOM_GEMINI_LAKE, 0x01, 0x22 },
/* Observed in the wild */
{ INTEL_FAM6_SANDYBRIDGE_X, 0x06, 0x61b },
{ INTEL_FAM6_SANDYBRIDGE_X, 0x07, 0x712 },
^ permalink raw reply [flat|nested] 428+ messages in thread
* [PATCH 3.16 325/410] MIPS: BMIPS: Do not mask IPIs during suspend
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Justin Chen, Florian Fainelli, linux-mips, James Hogan
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Justin Chen <justinpopo6@gmail.com>
commit 06a3f0c9f2725f5d7c63c4203839373c9bd00c28 upstream.
Commit a3e6c1eff548 ("MIPS: IRQ: Fix disable_irq on CPU IRQs") fixes an
issue where disable_irq did not actually disable the irq. The bug caused
our IPIs to not be disabled, which actually is the correct behavior.
With the addition of commit a3e6c1eff548 ("MIPS: IRQ: Fix disable_irq on
CPU IRQs"), the IPIs were getting disabled going into suspend, thus
schedule_ipi() was not being called. This caused deadlocks where
schedulable tasks were not being scheduled and other cpus were waiting
for them to do something.
Add the IRQF_NO_SUSPEND flag so an irq_disable will not be called on the
IPIs during suspend.
Signed-off-by: Justin Chen <justinpopo6@gmail.com>
Fixes: a3e6c1eff548 ("MIPS: IRQ: Fix disabled_irq on CPU IRQs")
Cc: Florian Fainelli <f.fainelli@gmail.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/17385/
[jhogan@kernel.org: checkpatch: wrap long lines and fix commit refs]
Signed-off-by: James Hogan <jhogan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/mips/kernel/smp-bmips.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/arch/mips/kernel/smp-bmips.c
+++ b/arch/mips/kernel/smp-bmips.c
@@ -159,11 +159,11 @@ static void bmips_prepare_cpus(unsigned
return;
}
- if (request_irq(IPI0_IRQ, bmips_ipi_interrupt, IRQF_PERCPU,
- "smp_ipi0", NULL))
+ if (request_irq(IPI0_IRQ, bmips_ipi_interrupt,
+ IRQF_PERCPU | IRQF_NO_SUSPEND, "smp_ipi0", NULL))
panic("Can't request IPI0 interrupt");
- if (request_irq(IPI1_IRQ, bmips_ipi_interrupt, IRQF_PERCPU,
- "smp_ipi1", NULL))
+ if (request_irq(IPI1_IRQ, bmips_ipi_interrupt,
+ IRQF_PERCPU | IRQF_NO_SUSPEND, "smp_ipi1", NULL))
panic("Can't request IPI1 interrupt");
}
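Review bot: both request_irq() calls gain IRQF_NO_SUSPEND with no comment in the code. The flag is what keeps the IPIs from being disabled during suspend, and losing it in a later cleanup would bring the deadlock back, so a short comment above the first call is worth adding. The two calls are also identical apart from the IRQ number and name, so a small helper or loop would keep the flags in one place.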
^ permalink raw reply [flat|nested] 428+ messages in thread
* [PATCH 3.16 324/410] ia64: convert unwcheck.py to python3
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Tony Luck, Corentin Labbe
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Corentin Labbe <clabbe@baylibre.com>
commit bd5edbe677948d0883f59d9625c444818d5284b1 upstream.
Since my system uses python3 as default, arch/ia64/scripts/unwcheck.py no
longer runs.
This patch converts it to the python3 syntax.
I have run it with python2/python3 while printing values of
start/end/rlen_sum which could be impacted by this change and I see no difference.
Fixes: 94a47083522e ("scripts: change scripts to use system python instead of env")
Signed-off-by: Corentin Labbe <clabbe@baylibre.com>
Signed-off-by: Tony Luck <tony.luck@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/ia64/scripts/unwcheck.py | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
--- a/arch/ia64/scripts/unwcheck.py
+++ b/arch/ia64/scripts/unwcheck.py
@@ -15,7 +15,7 @@ import re
import sys
if len(sys.argv) != 2:
- print "Usage: %s FILE" % sys.argv[0]
+ print("Usage: %s FILE" % sys.argv[0])
sys.exit(2)
readelf = os.getenv("READELF", "readelf")
@@ -28,7 +28,7 @@ def check_func (func, slots, rlen_sum):
global num_errors
num_errors += 1
if not func: func = "[%#x-%#x]" % (start, end)
- print "ERROR: %s: %lu slots, total region length = %lu" % (func, slots, rlen_sum)
+ print("ERROR: %s: %lu slots, total region length = %lu" % (func, slots, rlen_sum))
return
num_funcs = 0
@@ -42,23 +42,23 @@ for line in os.popen("%s -u %s" % (reade
check_func(func, slots, rlen_sum)
func = m.group(1)
- start = long(m.group(2), 16)
- end = long(m.group(3), 16)
+ start = int(m.group(2), 16)
+ end = int(m.group(3), 16)
slots = 3 * (end - start) / 16
- rlen_sum = 0L
+ rlen_sum = 0
num_funcs += 1
else:
m = rlen_pattern.match(line)
if m:
- rlen_sum += long(m.group(1))
+ rlen_sum += int(m.group(1))
check_func(func, slots, rlen_sum)
if num_errors == 0:
- print "No errors detected in %u functions." % num_funcs
+ print("No errors detected in %u functions." % num_funcs)
else:
if num_errors > 1:
err="errors"
else:
err="error"
- print "%u %s detected in %u functions." % (num_errors, err, num_funcs)
+ print("%u %s detected in %u functions." % (num_errors, err, num_funcs))
sys.exit(1)
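Review bot: `slots = 3 * (end - start) / 16` is left unchanged in this hunk, but `/` on integers is floor division in Python 2 and true division in Python 3, so `slots` becomes a float after the conversion. The `%lu` format in check_func() hides that in the error message, and anything check_func() does with `slots` against the integer `rlen_sum` only agrees while the quotient is exactly representable. Use `//` so both interpreters compute the same integer.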
^ permalink raw reply [flat|nested] 428+ messages in thread
* [PATCH 3.16 401/410] bonding: move dev_mc_sync after master_upper_dev_link in bond_enslave
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Andy Gospodarek, Xin Long, Beniamino Galvani, David S. Miller
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Xin Long <lucien.xin@gmail.com>
commit ae42cc62a9f07f1f6979054ed92606b9c30f4a2e upstream.
Beniamino found a crash when adding vlan as slave of bond which is also
the parent link:
ip link add bond1 type bond
ip link set bond1 up
ip link add link bond1 vlan1 type vlan id 80
ip link set vlan1 master bond1
The call trace is as below:
[<ffffffffa850842a>] queued_spin_lock_slowpath+0xb/0xf
[<ffffffffa8515680>] _raw_spin_lock+0x20/0x30
[<ffffffffa83f6f07>] dev_mc_sync+0x37/0x80
[<ffffffffc08687dc>] vlan_dev_set_rx_mode+0x1c/0x30 [8021q]
[<ffffffffa83efd2a>] __dev_set_rx_mode+0x5a/0xa0
[<ffffffffa83f7138>] dev_mc_sync_multiple+0x78/0x80
[<ffffffffc084127c>] bond_enslave+0x67c/0x1190 [bonding]
[<ffffffffa8401909>] do_setlink+0x9c9/0xe50
[<ffffffffa8403bf2>] rtnl_newlink+0x522/0x880
[<ffffffffa8403ff7>] rtnetlink_rcv_msg+0xa7/0x260
[<ffffffffa8424ecb>] netlink_rcv_skb+0xab/0xc0
[<ffffffffa83fe498>] rtnetlink_rcv+0x28/0x30
[<ffffffffa8424850>] netlink_unicast+0x170/0x210
[<ffffffffa8424bf8>] netlink_sendmsg+0x308/0x420
[<ffffffffa83cc396>] sock_sendmsg+0xb6/0xf0
This is actually a deadlock caused by sync slave hwaddr from master when
the master is the slave's 'slave'. This dead loop check is actually done
by netdev_master_upper_dev_link. However, commit 1f718f0f4f97 ("bonding:
populate neighbour's private on enslave") moved it after dev_mc_sync.
This patch is to fix it by moving dev_mc_sync after master_upper_dev_link,
so that this loop check would be earlier than dev_mc_sync. It also moves
if (mode == BOND_MODE_8023AD) into if (!bond_uses_primary) clause as an
improvement.
Note team driver also has this issue, I will fix it in another patch.
Fixes: 1f718f0f4f97 ("bonding: populate neighbour's private on enslave")
Reported-by: Beniamino Galvani <bgalvani@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Andy Gospodarek <andy@greyhouse.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/net/bonding/bond_main.c | 73 ++++++++++++++++-----------------
1 file changed, 35 insertions(+), 38 deletions(-)
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -1414,44 +1414,11 @@ int bond_enslave(struct net_device *bond
goto err_close;
}
- /* If the mode uses primary, then the following is handled by
- * bond_change_active_slave().
- */
- if (!bond_uses_primary(bond)) {
- /* set promiscuity level to new slave */
- if (bond_dev->flags & IFF_PROMISC) {
- res = dev_set_promiscuity(slave_dev, 1);
- if (res)
- goto err_close;
- }
-
- /* set allmulti level to new slave */
- if (bond_dev->flags & IFF_ALLMULTI) {
- res = dev_set_allmulti(slave_dev, 1);
- if (res)
- goto err_close;
- }
-
- netif_addr_lock_bh(bond_dev);
-
- dev_mc_sync_multiple(slave_dev, bond_dev);
- dev_uc_sync_multiple(slave_dev, bond_dev);
-
- netif_addr_unlock_bh(bond_dev);
- }
-
- if (BOND_MODE(bond) == BOND_MODE_8023AD) {
- /* add lacpdu mc addr to mc list */
- u8 lacpdu_multicast[ETH_ALEN] = MULTICAST_LACPDU_ADDR;
-
- dev_mc_add(slave_dev, lacpdu_multicast);
- }
-
res = vlan_vids_add_by_dev(slave_dev, bond_dev);
if (res) {
pr_err("%s: Error: Couldn't add bond vlan ids to %s\n",
bond_dev->name, slave_dev->name);
- goto err_hwaddr_unsync;
+ goto err_close;
}
prev_slave = bond_last_slave(bond);
@@ -1598,6 +1565,37 @@ int bond_enslave(struct net_device *bond
goto err_upper_unlink;
}
+ /* If the mode uses primary, then the following is handled by
+ * bond_change_active_slave().
+ */
+ if (!bond_uses_primary(bond)) {
+ /* set promiscuity level to new slave */
+ if (bond_dev->flags & IFF_PROMISC) {
+ res = dev_set_promiscuity(slave_dev, 1);
+ if (res)
+ goto err_sysfs_del;
+ }
+
+ /* set allmulti level to new slave */
+ if (bond_dev->flags & IFF_ALLMULTI) {
+ res = dev_set_allmulti(slave_dev, 1);
+ if (res)
+ goto err_sysfs_del;
+ }
+
+ netif_addr_lock_bh(bond_dev);
+ dev_mc_sync_multiple(slave_dev, bond_dev);
+ dev_uc_sync_multiple(slave_dev, bond_dev);
+ netif_addr_unlock_bh(bond_dev);
+
+ if (BOND_MODE(bond) == BOND_MODE_8023AD) {
+ /* add lacpdu mc addr to mc list */
+ u8 lacpdu_multicast[ETH_ALEN] = MULTICAST_LACPDU_ADDR;
+
+ dev_mc_add(slave_dev, lacpdu_multicast);
+ }
+ }
+
bond->slave_cnt++;
bond_compute_features(bond);
bond_set_carrier(bond);
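Review bot: in the relocated block, a failure of dev_set_allmulti() jumps to err_sysfs_del after `dev_set_promiscuity(slave_dev, 1)` may already have succeeded, and the unwind code shown in this patch never drops that promiscuity reference again. Add a `dev_set_promiscuity(slave_dev, -1)` on that path, or a comment explaining why the later dev_close() makes it unnecessary.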
@@ -1619,6 +1617,9 @@ int bond_enslave(struct net_device *bond
return 0;
/* Undo stages on error */
+err_sysfs_del:
+ bond_sysfs_slave_del(new_slave);
+
err_upper_unlink:
bond_upper_dev_unlink(bond_dev, slave_dev);
@@ -1639,10 +1640,6 @@ err_detach:
}
slave_disable_netpoll(new_slave);
-err_hwaddr_unsync:
- if (!bond_uses_primary(bond))
- bond_hw_addr_flush(bond_dev, slave_dev);
-
err_close:
slave_dev->priv_flags &= ~IFF_BONDING;
dev_close(slave_dev);
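Review bot: removing err_hwaddr_unsync means no error path calls bond_hw_addr_flush() any more. That is only correct while nothing can fail between the dev_mc_sync_multiple()/dev_uc_sync_multiple() calls and `return 0`. A comment at the sync block saying it must stay the last step that can fail would protect against a later addition reintroducing stale addresses on the slave.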
^ permalink raw reply [flat|nested] 428+ messages in thread
* [PATCH 3.16 248/410] staging: android: ashmem: Fix a race condition in pin ioctls
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Greg Kroah-Hartman
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Ben Hutchings <ben@decadent.org.uk>
commit ce8a3a9e76d0193e2e8d74a06d275b3c324ca652 upstream.
ashmem_pin_unpin() reads asma->file and asma->size before taking the
ashmem_mutex, so it can race with other operations that modify them.
Build-tested only.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/android/ashmem.c | 19 +++++++++++--------
1 file changed, 11 insertions(+), 8 deletions(-)
--- a/drivers/staging/android/ashmem.c
+++ b/drivers/staging/android/ashmem.c
@@ -703,30 +703,32 @@ static int ashmem_pin_unpin(struct ashme
size_t pgstart, pgend;
int ret = -EINVAL;
+ mutex_lock(&ashmem_mutex);
+
if (unlikely(!asma->file))
- return -EINVAL;
+ goto out_unlock;
- if (unlikely(copy_from_user(&pin, p, sizeof(pin))))
- return -EFAULT;
+ if (unlikely(copy_from_user(&pin, p, sizeof(pin)))) {
+ ret = -EFAULT;
+ goto out_unlock;
+ }
/* per custom, you can pass zero for len to mean "everything onward" */
if (!pin.len)
pin.len = PAGE_ALIGN(asma->size) - pin.offset;
if (unlikely((pin.offset | pin.len) & ~PAGE_MASK))
- return -EINVAL;
+ goto out_unlock;
if (unlikely(((__u32) -1) - pin.offset < pin.len))
- return -EINVAL;
+ goto out_unlock;
if (unlikely(PAGE_ALIGN(asma->size) < pin.offset + pin.len))
- return -EINVAL;
+ goto out_unlock;
pgstart = pin.offset / PAGE_SIZE;
pgend = pgstart + (pin.len / PAGE_SIZE) - 1;
- mutex_lock(&ashmem_mutex);
-
switch (cmd) {
case ASHMEM_PIN:
ret = ashmem_pin(asma, pgstart, pgend);
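Review bot: copy_from_user() now runs with ashmem_mutex held. The copy can fault and sleep, and the fault path takes mmap_sem, so if any other path acquires ashmem_mutex while already holding mmap_sem (an mmap handler is called that way) this creates a lock-order inversion. `pin` does not depend on asma, so copy it into the local before `mutex_lock(&ashmem_mutex);` and keep only the asma->file and asma->size reads under the lock.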
@@ -739,6 +741,7 @@ static int ashmem_pin_unpin(struct ashme
break;
}
+out_unlock:
mutex_unlock(&ashmem_mutex);
return ret;
^ permalink raw reply [flat|nested] 428+ messages in thread
* [PATCH 3.16 279/410] KVM: mmu: Fix overlap between public and private memslots
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Radim Krčmář,
Wanpeng Li, Paolo Bonzini, Eric Biggers, Dmitry Vyukov
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Wanpeng Li <wanpeng.li@hotmail.com>
commit b28676bb8ae4569cced423dc2a88f7cb319d5379 upstream.
Reported by syzkaller:
pte_list_remove: ffff9714eb1f8078 0->BUG
------------[ cut here ]------------
kernel BUG at arch/x86/kvm/mmu.c:1157!
invalid opcode: 0000 [#1] SMP
RIP: 0010:pte_list_remove+0x11b/0x120 [kvm]
Call Trace:
drop_spte+0x83/0xb0 [kvm]
mmu_page_zap_pte+0xcc/0xe0 [kvm]
kvm_mmu_prepare_zap_page+0x81/0x4a0 [kvm]
kvm_mmu_invalidate_zap_all_pages+0x159/0x220 [kvm]
kvm_arch_flush_shadow_all+0xe/0x10 [kvm]
kvm_mmu_notifier_release+0x6c/0xa0 [kvm]
? kvm_mmu_notifier_release+0x5/0xa0 [kvm]
__mmu_notifier_release+0x79/0x110
? __mmu_notifier_release+0x5/0x110
exit_mmap+0x15a/0x170
? do_exit+0x281/0xcb0
mmput+0x66/0x160
do_exit+0x2c9/0xcb0
? __context_tracking_exit.part.5+0x4a/0x150
do_group_exit+0x50/0xd0
SyS_exit_group+0x14/0x20
do_syscall_64+0x73/0x1f0
entry_SYSCALL64_slow_path+0x25/0x25
The reason is that when a new memslot is created, there is no guarantee that
the new memslot does not overlap with private memslots. This can be triggered by the
following program:
#include <fcntl.h>
#include <pthread.h>
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>
#include <linux/kvm.h>
long r[16];
int main()
{
void *p = valloc(0x4000);
r[2] = open("/dev/kvm", 0);
r[3] = ioctl(r[2], KVM_CREATE_VM, 0x0ul);
uint64_t addr = 0xf000;
ioctl(r[3], KVM_SET_IDENTITY_MAP_ADDR, &addr);
r[6] = ioctl(r[3], KVM_CREATE_VCPU, 0x0ul);
ioctl(r[3], KVM_SET_TSS_ADDR, 0x0ul);
ioctl(r[6], KVM_RUN, 0);
ioctl(r[6], KVM_RUN, 0);
struct kvm_userspace_memory_region mr = {
.slot = 0,
.flags = KVM_MEM_LOG_DIRTY_PAGES,
.guest_phys_addr = 0xf000,
.memory_size = 0x4000,
.userspace_addr = (uintptr_t) p
};
ioctl(r[3], KVM_SET_USER_MEMORY_REGION, &mr);
return 0;
}
This patch fixes the bug by not adding a new memslot even if it
overlaps with private memslots.
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Radim Krčmář <rkrcmar@redhat.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Eric Biggers <ebiggers3@gmail.com>
Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
virt/kvm/kvm_main.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -837,8 +837,7 @@ int __kvm_set_memory_region(struct kvm *
/* Check for overlaps */
r = -EEXIST;
kvm_for_each_memslot(slot, kvm->memslots) {
- if ((slot->id >= KVM_USER_MEM_SLOTS) ||
- (slot->id == mem->slot))
+ if (slot->id == mem->slot)
continue;
if (!((base_gfn + npages <= slot->base_gfn) ||
(base_gfn >= slot->base_gfn + slot->npages)))
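Review bot: with the `slot->id >= KVM_USER_MEM_SLOTS` exemption gone, the overlap loop is symmetric. A user slot is rejected when it overlaps a private slot, and if private slots are created through this function too, a private slot is equally rejected with -EEXIST when it overlaps an existing user slot. The changelog covers only the first direction; state whether the second is intended, and update the `/* Check for overlaps */` comment to say that private slots are now included.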
^ permalink raw reply [flat|nested] 428+ messages in thread
* [PATCH 3.16 031/410] drm: udl: Properly check framebuffer mmap offsets
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Greg Kroah-Hartman, Eyal Itkin, Daniel Vetter
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 3b82a4db8eaccce735dffd50b4d4e1578099b8e8 upstream.
The memmap options sent to the udl framebuffer driver were not being
checked for all sets of possible crazy values. Fix this up by properly
bounding the allowed values.
Reported-by: Eyal Itkin <eyalit@checkpoint.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: https://patchwork.freedesktop.org/patch/msgid/20180321154553.GA18454@kroah.com
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/gpu/drm/udl/udl_fb.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
--- a/drivers/gpu/drm/udl/udl_fb.c
+++ b/drivers/gpu/drm/udl/udl_fb.c
@@ -256,10 +256,15 @@ static int udl_fb_mmap(struct fb_info *i
{
unsigned long start = vma->vm_start;
unsigned long size = vma->vm_end - vma->vm_start;
- unsigned long offset = vma->vm_pgoff << PAGE_SHIFT;
+ unsigned long offset;
unsigned long page, pos;
- if (offset + size > info->fix.smem_len)
+ if (vma->vm_pgoff > (~0UL >> PAGE_SHIFT))
+ return -EINVAL;
+
+ offset = vma->vm_pgoff << PAGE_SHIFT;
+
+ if (offset > info->fix.smem_len || size > info->fix.smem_len - offset)
return -EINVAL;
pos = (unsigned long)info->fix.smem_start + offset;
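Review bot: the two new checks guard different things and neither says which. `vma->vm_pgoff > (~0UL >> PAGE_SHIFT)` only makes the shift safe, while `offset > info->fix.smem_len || size > info->fix.smem_len - offset` is the actual bounds test, written as a subtraction so it cannot wrap. A one-line comment on each would stop a later cleanup from folding them back into `offset + size > info->fix.smem_len`.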
^ permalink raw reply [flat|nested] 428+ messages in thread
* [PATCH 3.16 108/410] ahci: add new Intel device IDs
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Tejun Heo, Alexandra Yates
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Alexandra Yates <alexandra.yates@linux.intel.com>
commit 56e74338a535cbcc2f2da08b1ea1a92920194364 upstream.
Adding Intel codename Lewisburg platform device IDs for SATA.
Signed-off-by: Alexandra Yates <alexandra.yates@linux.intel.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/ata/ahci.c | 10 ++++++++++
1 file changed, 10 insertions(+)
--- a/drivers/ata/ahci.c
+++ b/drivers/ata/ahci.c
@@ -332,6 +332,16 @@ static const struct pci_device_id ahci_p
{ PCI_VDEVICE(INTEL, 0x1f37), board_ahci_avn }, /* Avoton RAID */
{ PCI_VDEVICE(INTEL, 0x1f3e), board_ahci_avn }, /* Avoton RAID */
{ PCI_VDEVICE(INTEL, 0x1f3f), board_ahci_avn }, /* Avoton RAID */
+ { PCI_VDEVICE(INTEL, 0xa182), board_ahci }, /* Lewisburg AHCI*/
+ { PCI_VDEVICE(INTEL, 0xa202), board_ahci }, /* Lewisburg AHCI*/
+ { PCI_VDEVICE(INTEL, 0xa184), board_ahci }, /* Lewisburg RAID*/
+ { PCI_VDEVICE(INTEL, 0xa204), board_ahci }, /* Lewisburg RAID*/
+ { PCI_VDEVICE(INTEL, 0xa186), board_ahci }, /* Lewisburg RAID*/
+ { PCI_VDEVICE(INTEL, 0xa206), board_ahci }, /* Lewisburg RAID*/
+ { PCI_VDEVICE(INTEL, 0x2822), board_ahci }, /* Lewisburg RAID*/
+ { PCI_VDEVICE(INTEL, 0x2826), board_ahci }, /* Lewisburg RAID*/
+ { PCI_VDEVICE(INTEL, 0xa18e), board_ahci }, /* Lewisburg RAID*/
+ { PCI_VDEVICE(INTEL, 0xa20e), board_ahci }, /* Lewisburg RAID*/
{ PCI_VDEVICE(INTEL, 0x2823), board_ahci }, /* Wellsburg RAID */
{ PCI_VDEVICE(INTEL, 0x2827), board_ahci }, /* Wellsburg RAID */
{ PCI_VDEVICE(INTEL, 0x8d02), board_ahci }, /* Wellsburg AHCI */
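Review bot: the ten new entries close their comments as `AHCI*/` and `RAID*/` without a space, unlike the neighbouring `/* Avoton RAID */` and `/* Wellsburg RAID */` lines; add the space. The IDs are also not in numeric order (0x2822 and 0x2826 sit between 0xa206 and 0xa18e), which makes a duplicate entry harder to spot.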
^ permalink raw reply [flat|nested] 428+ messages in thread
* [PATCH 3.16 073/410] perf annotate: Fix objdump comment parsing for Intel mov dissassembly
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Thomas Richter, Hendrik Brueckner,
Arnaldo Carvalho de Melo, Ravi Bangoria, Heiko Carstens,
Martin Schwidefsky
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Richter <tmricht@linux.vnet.ibm.com>
commit 35a8a148d8c1ee9e5ae18f9565a880490f816f89 upstream.
The command 'perf annotate' parses the output of objdump and also
investigates the comments produced by objdump. For example the
output of objdump produces (on x86):
23eee: 4c 8b 3d 13 01 21 00 mov 0x210113(%rip),%r15
# 234008 <stderr@@GLIBC_2.2.5+0x9a8>
and the function mov__parse() is called to investigate the complete
line. Mov__parse() breaks this line into several parts and finally
calls function comment__symbol() to parse the data after the comment
character '#'. Comment__symbol() expects a hexadecimal address followed
by a symbol in '<' and '>' brackets.
However the 2nd parameter given to function comment__symbol()
always points to the comment character '#'. The address parsing
always returns 0 because the character '#' is not a digit and
strtoull() fails without being noticed.
Fix this by advancing the second parameter to function comment__symbol()
by one byte before invocation and add an error check after strtoull()
has been called.
Signed-off-by: Thomas Richter <tmricht@linux.vnet.ibm.com>
Reviewed-by: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
Acked-by: Ravi Bangoria <ravi.bangoria@linux.vnet.ibm.com>
Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
Fixes: 6de783b6f50f ("perf annotate: Resolve symbols using objdump comment")
Link: http://lkml.kernel.org/r/20171128075632.72182-1-tmricht@linux.vnet.ibm.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
tools/perf/util/annotate.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
--- a/tools/perf/util/annotate.c
+++ b/tools/perf/util/annotate.c
@@ -146,6 +146,8 @@ static int comment__symbol(char *raw, ch
return 0;
*addrp = strtoull(comment, &endptr, 16);
+ if (endptr == comment)
+ return 0;
name = strchr(endptr, '<');
if (name == NULL)
return -1;
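Review bot: the new `endptr == comment` test returns 0, like the early exit above it, while the missing-'<' case just below returns -1, and it runs after `*addrp` has already been overwritten with strtoull()'s 0. Parse into a local, return -1 when no digits were consumed, and store to `*addrp` only on success.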
@@ -251,8 +253,8 @@ static int mov__parse(struct ins_operand
while (comment[0] != '\0' && isspace(comment[0]))
++comment;
- comment__symbol(ops->source.raw, comment, &ops->source.addr, &ops->source.name);
- comment__symbol(ops->target.raw, comment, &ops->target.addr, &ops->target.name);
+ comment__symbol(ops->source.raw, comment + 1, &ops->source.addr, &ops->source.name);
+ comment__symbol(ops->target.raw, comment + 1, &ops->target.addr, &ops->target.name);
return 0;
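Review bot: `comment + 1` assumes `comment[0]` is '#'. The loop just above can also stop at '\0', in which case `comment + 1` points past the terminator. Unless the code before this hunk guarantees the '#', test `comment[0] == '#'` before advancing. Both calls also ignore comment__symbol()'s return value, so the error check added to that function changes nothing these callers can see.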
@@ -298,7 +300,7 @@ static int dec__parse(struct ins_operand
while (comment[0] != '\0' && isspace(comment[0]))
++comment;
- comment__symbol(ops->target.raw, comment, &ops->target.addr, &ops->target.name);
+ comment__symbol(ops->target.raw, comment + 1, &ops->target.addr, &ops->target.name);
return 0;
}
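Review bot: dec__parse() repeats the skip-whitespace loop and the `comment + 1` adjustment from mov__parse(). Moving the '#' handling into comment__symbol() itself, or into one helper, would keep the callers from drifting apart and put the check for the '#' in a single place.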
^ permalink raw reply [flat|nested] 428+ messages in thread
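The parsing failure described in the commit message above, as an added example that is not part of the patch or of perf. parse_addr_symbol() and parse_objdump_comment() are hypothetical helpers; the sample is the objdump comment quoted in the message.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Sample input: the comment objdump appends to the mov line quoted in the message. */
static const char SAMPLE[] = "# 234008 <stderr@@GLIBC_2.2.5+0x9a8>";

/*
 * Hypothetical helper (not perf's comment__symbol()): parse "<hex addr> <symbol>"
 * starting at s. Outputs are written only on success.
 * Returns 0 on success, -1 if no address or no symbol could be parsed.
 */
static int parse_addr_symbol(const char *s, uint64_t *addr,
                             char *name, size_t name_len)
{
    char *end;
    const char *lt, *gt;
    unsigned long long value;
    size_t len;

    errno = 0;
    value = strtoull(s, &end, 16);
    if (end == s)            /* no hex digits consumed; strtoull() returned 0 */
        return -1;
    if (errno == ERANGE)     /* address does not fit in 64 bits */
        return -1;

    lt = strchr(end, '<');
    if (lt == NULL)
        return -1;
    gt = strchr(lt + 1, '>');
    if (gt == NULL || gt == lt + 1)
        return -1;

    len = (size_t)(gt - lt - 1);
    if (len >= name_len)     /* symbol would not fit, refuse to truncate */
        return -1;

    memcpy(name, lt + 1, len);
    name[len] = '\0';
    *addr = (uint64_t)value;
    return 0;
}

/*
 * Parse a whole objdump comment. The leading '#' is required and skipped
 * here, so callers never have to do pointer arithmetic on an unchecked string.
 */
static int parse_objdump_comment(const char *comment, uint64_t *addr,
                                 char *name, size_t name_len)
{
    while (*comment == ' ' || *comment == '\t')
        comment++;
    if (*comment != '#')     /* also rejects the empty string */
        return -1;
    return parse_addr_symbol(comment + 1, addr, name, name_len);
}

int main(void)
{
    uint64_t addr = 0;
    char name[64] = "";

    /* Pre-fix call pattern: the pointer still points at '#'. */
    printf("pointing at '#': %d\n",
           parse_addr_symbol(SAMPLE, &addr, name, sizeof(name)));

    /* Post-fix call pattern: '#' is checked and skipped first. */
    if (parse_objdump_comment(SAMPLE, &addr, name, sizeof(name)) == 0)
        printf("addr=%#llx name=%s\n", (unsigned long long)addr, name);
    return 0;
}
```

Because the address check returns -1 instead of 0, a caller that does look at the return value can tell "no address found" apart from a symbol at address 0.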
* [PATCH 3.16 093/410] PM / devfreq: Propagate error from devfreq_add_device()
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Chanwoo Choi, Bjorn Andersson, MyungJoo Ham
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Bjorn Andersson <bjorn.andersson@linaro.org>
commit d1bf2d30728f310f72296b54f0651ecdb09cbb12 upstream.
Propagate the error of devfreq_add_device() in devm_devfreq_add_device()
rather than statically returning ENOMEM. This makes it slightly faster
to pinpoint the cause of a returned error.
Fixes: 8cd84092d35e ("PM / devfreq: Add resource-managed function for devfreq device")
Acked-by: Chanwoo Choi <cw00.choi@samsung.com>
Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
Signed-off-by: MyungJoo Ham <myungjoo.ham@samsung.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/devfreq/devfreq.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/devfreq/devfreq.c
+++ b/drivers/devfreq/devfreq.c
@@ -592,7 +592,7 @@ struct devfreq *devm_devfreq_add_device(
devfreq = devfreq_add_device(dev, profile, governor_name, data);
if (IS_ERR(devfreq)) {
devres_free(ptr);
- return ERR_PTR(-ENOMEM);
+ return devfreq;
}
*ptr = devfreq;
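Review bot: With `return devfreq;` in the IS_ERR() branch, devm_devfreq_add_device() can now return any error that devfreq_add_device() produces instead of only -ENOMEM, and this one-line change does not touch the function's documentation. State in the kernel-doc that the ERR_PTR() value is passed through unchanged, and check in-tree callers for comparisons against -ENOMEM specifically.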
* [PATCH 3.16 066/410] perf record: Generate PERF_RECORD_{MMAP,COMM,EXEC} with --delay
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Arnaldo Carvalho de Melo, Adrian Hunter, Wang Nan,
David Ahern, Jiri Olsa, Namhyung Kim, Bram Stolk, Andi Kleen
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Arnaldo Carvalho de Melo <acme@redhat.com>
commit d3dbf43c56f9176be325ce1cc72a44c8d3c210dc upstream.
When we use an initial delay, e.g.: 'perf record --delay 1000', we do not
enable the events until that delay has passed after we started the workload,
including the tracking event, i.e. the one for which we have attr.mmap, etc,
enabled to ask the kernel to generate the PERF_RECORD_{MMAP,COMM,EXEC} metadata
events that will then allow us to resolve addresses in samples to the map, dso
and symbol. There will be a shadow that even synthesizing samples won't cover,
i.e. the workload that we start and other processes forking while we
wait for the initial delay to expire.
So use a dummy event to be the tracking one and make it be enabled on exec.
Before:
# perf record --delay 1000 stress --cpu 1 --timeout 5
stress: info: [9029] dispatching hogs: 1 cpu, 0 io, 0 vm, 0 hdd
stress: info: [9029] successful run completed in 5s
[ perf record: Woken up 3 times to write data ]
[ perf record: Captured and wrote 0.624 MB perf.data (15908 samples) ]
# perf script | head
:9031 9031 32001.826888: 1 cycles:ppp: ffffffff831aa30d event_function (/lib/modules/4.14.0-rc6+/build/vmlinux)
:9031 9031 32001.826893: 1 cycles:ppp: ffffffff8300d1a0 intel_bts_enable_local (/lib/modules/4.14.0-rc6+/build/vmlinux)
:9031 9031 32001.826895: 7 cycles:ppp: ffffffff83023870 sched_clock (/lib/modules/4.14.0-rc6+/build/vmlinux)
:9031 9031 32001.826897: 103 cycles:ppp: ffffffff8300c331 intel_pmu_handle_irq (/lib/modules/4.14.0-rc6+/build/vmlinux)
:9031 9031 32001.826899: 1615 cycles:ppp: ffffffff830231f8 native_sched_clock (/lib/modules/4.14.0-rc6+/build/vmlinux)
:9031 9031 32001.826902: 26724 cycles:ppp: ffffffff8384c6a7 native_irq_return_iret (/lib/modules/4.14.0-rc6+/build/vmlinux)
:9031 9031 32001.826913: 329739 cycles:ppp: 7fb2a5410932 [unknown] ([unknown])
:9031 9031 32001.827033: 1225451 cycles:ppp: 7fb2a5410930 [unknown] ([unknown])
:9031 9031 32001.827474: 1391725 cycles:ppp: 7fb2a5410930 [unknown] ([unknown])
:9031 9031 32001.827978: 1233697 cycles:ppp: 7fb2a5410928 [unknown] ([unknown])
#
After:
# perf record --delay 1000 stress --cpu 1 --timeout 5
stress: info: [9741] dispatching hogs: 1 cpu, 0 io, 0 vm, 0 hdd
stress: info: [9741] successful run completed in 5s
[ perf record: Woken up 3 times to write data ]
[ perf record: Captured and wrote 0.751 MB perf.data (15976 samples) ]
# perf script | head
stress 9742 32110.959106: 1 cycles:ppp: ffffffff831b26f6 __perf_event_task_sched_in (/lib/modules/4.14.0-rc6+/build/vmlinux)
stress 9742 32110.959110: 1 cycles:ppp: ffffffff8300c2e9 intel_pmu_handle_irq (/lib/modules/4.14.0-rc6+/build/vmlinux)
stress 9742 32110.959112: 7 cycles:ppp: ffffffff830231e0 native_sched_clock (/lib/modules/4.14.0-rc6+/build/vmlinux)
stress 9742 32110.959115: 101 cycles:ppp: ffffffff83023870 sched_clock (/lib/modules/4.14.0-rc6+/build/vmlinux)
stress 9742 32110.959117: 1533 cycles:ppp: ffffffff830231f8 native_sched_clock (/lib/modules/4.14.0-rc6+/build/vmlinux)
stress 9742 32110.959119: 23992 cycles:ppp: ffffffff831b0900 ctx_sched_in (/lib/modules/4.14.0-rc6+/build/vmlinux)
stress 9742 32110.959129: 329406 cycles:ppp: 7f4b1b661930 __random_r (/usr/lib64/libc-2.25.so)
stress 9742 32110.959249: 1288322 cycles:ppp: 5566e1e7cbc9 hogcpu (/usr/bin/stress)
stress 9742 32110.959712: 1464046 cycles:ppp: 7f4b1b66179e __random (/usr/lib64/libc-2.25.so)
stress 9742 32110.960241: 1266918 cycles:ppp: 7f4b1b66195b __random_r (/usr/lib64/libc-2.25.so)
#
Reported-by: Bram Stolk <b.stolk@gmail.com>
Tested-by: Bram Stolk <b.stolk@gmail.com>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Andi Kleen <ak@linux.intel.com>
Cc: David Ahern <dsahern@gmail.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Wang Nan <wangnan0@huawei.com>
Fixes: 6619a53ef757 ("perf record: Add --initial-delay option")
Link: http://lkml.kernel.org/n/tip-nrdfchshqxf7diszhxcecqb9@git.kernel.org
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
[bwh: Backported to 3.16:
- Don't set perf_evsel::tracking fields
- Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/tools/perf/builtin-record.c
+++ b/tools/perf/builtin-record.c
@@ -140,6 +140,19 @@ static int record__open(struct record *r
struct record_opts *opts = &rec->opts;
int rc = 0;
+ /*
+ * For initial_delay we need to add a dummy event so that we can track
+ * PERF_RECORD_MMAP while we wait for the initial delay to enable the
+ * real events, the ones asked by the user.
+ */
+ if (opts->initial_delay) {
+ if (perf_evlist__add_dummy(evlist))
+ return -ENOMEM;
+
+ pos = perf_evlist__last(evlist);
+ pos->attr.enable_on_exec = 1;
+ }
+
perf_evlist__config(evlist, opts);
evlist__for_each(evlist, pos) {
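Review bot: In record__open(), the new block returns -ENOMEM directly for any failure of perf_evlist__add_dummy() while the function keeps its status in `rc` (declared just above as `int rc = 0;`), so this path skips the function's normal exit and prints nothing to tell the user why recording failed. Set rc, emit an error message and leave through the usual exit path. The dummy event is also located with perf_evlist__last() immediately after the add; a comment saying that this depends on perf_evlist__add_dummy() appending to the list would make the coupling explicit.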
* [PATCH 3.16 377/410] can: cc770: Fix use after free in cc770_tx_interrupt()
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Marc Kleine-Budde, Andri Yngvason
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Andri Yngvason <andri.yngvason@marel.com>
commit 9ffd7503944ec7c0ef41c3245d1306c221aef2be upstream.
This fixes use after free introduced by the last cc770 patch.
Signed-off-by: Andri Yngvason <andri.yngvason@marel.com>
Fixes: 746201235b3f ("can: cc770: Fix queue stall & dropped RTR reply")
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/net/can/cc770/cc770.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/drivers/net/can/cc770/cc770.c
+++ b/drivers/net/can/cc770/cc770.c
@@ -705,13 +705,12 @@ static void cc770_tx_interrupt(struct ne
return;
}
- can_put_echo_skb(priv->tx_skb, dev, 0);
- can_get_echo_skb(dev, 0);
-
cf = (struct can_frame *)priv->tx_skb->data;
stats->tx_bytes += cf->can_dlc;
stats->tx_packets++;
+ can_put_echo_skb(priv->tx_skb, dev, 0);
+ can_get_echo_skb(dev, 0);
priv->tx_skb = NULL;
netif_wake_queue(dev);
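Review bot: The fix in cc770_tx_interrupt() depends purely on statement order: `cf` points into priv->tx_skb->data, so the statistics have to be updated before can_put_echo_skb()/can_get_echo_skb() are called, and nothing in the code says so. Add a one-line comment above the two echo calls stating that priv->tx_skb and cf must not be dereferenced after them, so a later cleanup does not move the block back up and reintroduce the use after free.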
* [PATCH 3.16 364/410] fs: Teach path_connected to handle nfs filesystems with multiple roots.
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Eric W. Biederman, Al Viro, Al Viro
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "Eric W. Biederman" <ebiederm@xmission.com>
commit 95dd77580ccd66a0da96e6d4696945b8cea39431 upstream.
On nfsv2 and nfsv3 the nfs server can export subsets of the same
filesystem and report the same filesystem identifier, so that the nfs
client can know they are the same filesystem. The subsets can be from
disjoint directory trees. The nfsv2 and nfsv3 filesystems provide no
way to find the common root of all directory trees exported from the
server with the same filesystem identifier.
The practical result is that in struct super s_root for nfs s_root is
not necessarily the root of the filesystem. The nfs mount code sets
s_root to the root of the first subset of the nfs filesystem that the
kernel mounts.
This affects the dcache invalidation code in generic_shutdown_super
currently called shrunk_dcache_for_umount and that code for years
has gone through an additional list of dentries that might be dentry
trees that need to be freed to accommodate nfs.
When I wrote path_connected I did not realize nfs was so special, and
its heuristic for avoiding calling is_subdir can fail.
The practical case where this fails is when there is a move of a
directory from the subtree exposed by one nfs mount to the subtree
exposed by another nfs mount. This move can happen either locally or
remotely. With the remote case requiring that the move directory be cached
before the move and that after the move someone walks the path
to where the move directory now exists and in so doing causes the
already cached directory to be moved in the dcache through the magic
of d_splice_alias.
If someone whose working directory is in the move directory or a
subdirectory and now starts calling .. from the initial mount of nfs
(where s_root == mnt_root), then path_connected as a heuristic will
not bother with the is_subdir check. As s_root really is not the root
of the nfs filesystem this heuristic is wrong, and the path may
actually not be connected and path_connected can fail.
The is_subdir function might be cheap enough that we can call it
unconditionally. Verifying that will take some benchmarking and
the result may not be the same on all kernels this fix needs
to be backported to. So I am avoiding that for now.
Filesystems with snapshots such as nilfs and btrfs do something
similar. But as the directory tree of the snapshots are disjoint
from one another and from the main directory tree rename won't move
things between them and this problem will not occur.
Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
Fixes: 397d425dc26d ("vfs: Test for and handle paths that are unreachable from their mnt_root")
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[bwh: Backported to 3.16:
- Add the super_block::s_iflags field
- Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -496,9 +496,10 @@ EXPORT_SYMBOL(path_put);
static bool path_connected(const struct path *path)
{
struct vfsmount *mnt = path->mnt;
+ struct super_block *sb = mnt->mnt_sb;
- /* Only bind mounts can have disconnected paths */
- if (mnt->mnt_root == mnt->mnt_sb->s_root)
+ /* Bind mounts and multi-root filesystems can have disconnected paths */
+ if (!(sb->s_iflags & SB_I_MULTIROOT) && (mnt->mnt_root == sb->s_root))
return true;
return is_subdir(path->dentry, mnt->mnt_root);
--- a/fs/nfs/super.c
+++ b/fs/nfs/super.c
@@ -2590,6 +2590,8 @@ struct dentry *nfs_fs_mount_common(struc
/* initial superblock/root creation */
mount_info->fill_super(s, mount_info);
nfs_get_cache_cookie(s, mount_info->parsed, mount_info->cloned);
+ if (!(server->flags & NFS_MOUNT_UNSHARED))
+ s->s_iflags |= SB_I_MULTIROOT;
}
mntroot = nfs_get_root(s, mount_info->mntfh, dev_name);
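Review bot: In nfs_fs_mount_common(), SB_I_MULTIROOT is set only inside the initial superblock creation block and only when NFS_MOUNT_UNSHARED is clear, but the hunk does not say why unshared mounts are exempt. Add a short comment at the test giving the reason, so the next reader does not have to reconstruct it from the commit message.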
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -1150,6 +1150,9 @@ struct mm_struct;
#define UMOUNT_NOFOLLOW 0x00000008 /* Don't follow symlink on umount */
#define UMOUNT_UNUSED 0x80000000 /* Flag guaranteed to be unused */
+/* sb->s_iflags */
+#define SB_I_MULTIROOT 0x00000008 /* Multiple roots to the dentry tree */
+
extern struct list_head super_blocks;
extern spinlock_t sb_lock;
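Review bot: SB_I_MULTIROOT is the only SB_I_* flag this hunk defines, yet it is given the value 0x00000008 rather than the first free bit, and it sits directly under UMOUNT_NOFOLLOW, which has the same value in a different flag space. If 0x00000008 is chosen to match the upstream numbering, say so in the comment, and keep the block visibly apart from the UMOUNT_* defines (ideally next to the s_iflags member) so the two sets are not mistaken for one.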
@@ -1190,6 +1193,7 @@ struct super_block {
const struct quotactl_ops *s_qcop;
const struct export_operations *s_export_op;
unsigned long s_flags;
+ unsigned long s_iflags; /* internal SB_I_* flags */
unsigned long s_magic;
struct dentry *s_root;
struct rw_semaphore s_umount;
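Review bot: The new `s_iflags` member is inserted in the middle of struct super_block, between s_flags and s_magic, which shifts the offset of every member after it. For a stable backport that matters to anything built against the old layout; if placement is free, adding the field at the end of the structure keeps the change less disruptive. Nothing in these hunks initializes s_iflags explicitly, so the patch relies on the superblock being zero-allocated, which is worth confirming for 3.16.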
* [PATCH 3.16 046/410] x86/cpufeature: Blacklist SPEC_CTRL/PRED_CMD on early Spectre v2 microcodes
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, tim.c.chen, pbonzini, Greg Kroah-Hartman, bp,
David Woodhouse, ashok.raj, peterz, dave.hansen, gregkh, ak,
gnomes, arjan, torvalds, Thomas Gleixner, karahmed
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: David Woodhouse <dwmw@amazon.co.uk>
commit a5b2966364538a0e68c9fa29bc0a3a1651799035 upstream.
This doesn't refuse to load the affected microcodes; it just refuses to
use the Spectre v2 mitigation features if they're detected, by clearing
the appropriate feature bits.
The AMD CPUID bits are handled here too, because hypervisors *may* have
been exposing those bits even on Intel chips, for fine-grained control
of what's available.
It is non-trivial to use x86_match_cpu() for this table because that
doesn't handle steppings. And the approach taken in commit bd9240a18
almost made me lose my lunch.
Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: gnomes@lxorguk.ukuu.org.uk
Cc: ak@linux.intel.com
Cc: ashok.raj@intel.com
Cc: dave.hansen@intel.com
Cc: karahmed@amazon.de
Cc: arjan@linux.intel.com
Cc: torvalds@linux-foundation.org
Cc: peterz@infradead.org
Cc: bp@alien8.de
Cc: pbonzini@redhat.com
Cc: tim.c.chen@linux.intel.com
Cc: gregkh@linux-foundation.org
Link: https://lkml.kernel.org/r/1516896855-7642-7-git-send-email-dwmw@amazon.co.uk
Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: Add #include <asm/intel-family.h>]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/x86/include/asm/intel-family.h | 7 ++-
arch/x86/kernel/cpu/intel.c | 67 +++++++++++++++++++++++++++++
2 files changed, 72 insertions(+), 2 deletions(-)
--- a/arch/x86/include/asm/intel-family.h
+++ b/arch/x86/include/asm/intel-family.h
@@ -12,6 +12,7 @@
*/
#define INTEL_FAM6_CORE_YONAH 0x0E
+
#define INTEL_FAM6_CORE2_MEROM 0x0F
#define INTEL_FAM6_CORE2_MEROM_L 0x16
#define INTEL_FAM6_CORE2_PENRYN 0x17
@@ -21,6 +22,7 @@
#define INTEL_FAM6_NEHALEM_G 0x1F /* Auburndale / Havendale */
#define INTEL_FAM6_NEHALEM_EP 0x1A
#define INTEL_FAM6_NEHALEM_EX 0x2E
+
#define INTEL_FAM6_WESTMERE 0x25
#define INTEL_FAM6_WESTMERE_EP 0x2C
#define INTEL_FAM6_WESTMERE_EX 0x2F
@@ -36,9 +38,9 @@
#define INTEL_FAM6_HASWELL_GT3E 0x46
#define INTEL_FAM6_BROADWELL_CORE 0x3D
-#define INTEL_FAM6_BROADWELL_XEON_D 0x56
#define INTEL_FAM6_BROADWELL_GT3E 0x47
#define INTEL_FAM6_BROADWELL_X 0x4F
+#define INTEL_FAM6_BROADWELL_XEON_D 0x56
#define INTEL_FAM6_SKYLAKE_MOBILE 0x4E
#define INTEL_FAM6_SKYLAKE_DESKTOP 0x5E
@@ -57,9 +59,10 @@
#define INTEL_FAM6_ATOM_SILVERMONT2 0x4D /* Avaton/Rangely */
#define INTEL_FAM6_ATOM_AIRMONT 0x4C /* CherryTrail / Braswell */
#define INTEL_FAM6_ATOM_MERRIFIELD 0x4A /* Tangier */
-#define INTEL_FAM6_ATOM_MOOREFIELD 0x5A /* Annidale */
+#define INTEL_FAM6_ATOM_MOOREFIELD 0x5A /* Anniedale */
#define INTEL_FAM6_ATOM_GOLDMONT 0x5C
#define INTEL_FAM6_ATOM_DENVERTON 0x5F /* Goldmont Microserver */
+#define INTEL_FAM6_ATOM_GEMINI_LAKE 0x7A
/* Xeon Phi */
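Review bot: This header change mixes a comment spelling fix ('Annidale' to 'Anniedale'), the new INTEL_FAM6_ATOM_GEMINI_LAKE define, and, in the earlier hunks, blank-line and ordering changes to unrelated defines; only the GEMINI_LAKE define is used by the blacklist table added in intel.c. Either drop the cosmetic parts from the backport or note in the backport comment that they are carried along deliberately, so the stable diff is easy to audit against what the fix needs.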
--- a/arch/x86/kernel/cpu/intel.c
+++ b/arch/x86/kernel/cpu/intel.c
@@ -13,6 +13,7 @@
#include <asm/msr.h>
#include <asm/bugs.h>
#include <asm/cpu.h>
+#include <asm/intel-family.h>
#ifdef CONFIG_X86_64
#include <linux/topology.h>
@@ -25,6 +26,59 @@
#include <asm/apic.h>
#endif
+/*
+ * Early microcode releases for the Spectre v2 mitigation were broken.
+ * Information taken from;
+ * - https://newsroom.intel.com/wp-content/uploads/sites/11/2018/01/microcode-update-guidance.pdf
+ * - https://kb.vmware.com/s/article/52345
+ * - Microcode revisions observed in the wild
+ * - Release note from 20180108 microcode release
+ */
+struct sku_microcode {
+ u8 model;
+ u8 stepping;
+ u32 microcode;
+};
+static const struct sku_microcode spectre_bad_microcodes[] = {
+ { INTEL_FAM6_KABYLAKE_DESKTOP, 0x0B, 0x84 },
+ { INTEL_FAM6_KABYLAKE_DESKTOP, 0x0A, 0x84 },
+ { INTEL_FAM6_KABYLAKE_DESKTOP, 0x09, 0x84 },
+ { INTEL_FAM6_KABYLAKE_MOBILE, 0x0A, 0x84 },
+ { INTEL_FAM6_KABYLAKE_MOBILE, 0x09, 0x84 },
+ { INTEL_FAM6_SKYLAKE_X, 0x03, 0x0100013e },
+ { INTEL_FAM6_SKYLAKE_X, 0x04, 0x0200003c },
+ { INTEL_FAM6_SKYLAKE_MOBILE, 0x03, 0xc2 },
+ { INTEL_FAM6_SKYLAKE_DESKTOP, 0x03, 0xc2 },
+ { INTEL_FAM6_BROADWELL_CORE, 0x04, 0x28 },
+ { INTEL_FAM6_BROADWELL_GT3E, 0x01, 0x1b },
+ { INTEL_FAM6_BROADWELL_XEON_D, 0x02, 0x14 },
+ { INTEL_FAM6_BROADWELL_XEON_D, 0x03, 0x07000011 },
+ { INTEL_FAM6_BROADWELL_X, 0x01, 0x0b000025 },
+ { INTEL_FAM6_HASWELL_ULT, 0x01, 0x21 },
+ { INTEL_FAM6_HASWELL_GT3E, 0x01, 0x18 },
+ { INTEL_FAM6_HASWELL_CORE, 0x03, 0x23 },
+ { INTEL_FAM6_HASWELL_X, 0x02, 0x3b },
+ { INTEL_FAM6_HASWELL_X, 0x04, 0x10 },
+ { INTEL_FAM6_IVYBRIDGE_X, 0x04, 0x42a },
+ /* Updated in the 20180108 release; blacklist until we know otherwise */
+ { INTEL_FAM6_ATOM_GEMINI_LAKE, 0x01, 0x22 },
+ /* Observed in the wild */
+ { INTEL_FAM6_SANDYBRIDGE_X, 0x06, 0x61b },
+ { INTEL_FAM6_SANDYBRIDGE_X, 0x07, 0x712 },
+};
+
+static bool bad_spectre_microcode(struct cpuinfo_x86 *c)
+{
+ int i;
+
+ for (i = 0; i < ARRAY_SIZE(spectre_bad_microcodes); i++) {
+ if (c->x86_model == spectre_bad_microcodes[i].model &&
+ c->x86_mask == spectre_bad_microcodes[i].stepping)
+ return (c->microcode <= spectre_bad_microcodes[i].microcode);
+ }
+ return false;
+}
+
static void early_init_intel(struct cpuinfo_x86 *c)
{
u64 misc_enable;
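Review bot: bad_spectre_microcode() matches on c->x86_model and c->x86_mask only, while every entry in spectre_bad_microcodes[] is an INTEL_FAM6_* model number; without a check that c->x86 is 6, a CPU of another family that happens to share a model and stepping value is compared against the table. Return false early for other families. The `microcode` member of struct sku_microcode should also carry a comment that it is the highest known-bad revision, since the comparison is `<=`, and the header comment's "Information taken from;" should end in a colon.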
@@ -51,6 +105,19 @@ static void early_init_intel(struct cpui
rdmsr(MSR_IA32_UCODE_REV, lower_word, c->microcode);
}
+ if ((cpu_has(c, X86_FEATURE_SPEC_CTRL) ||
+ cpu_has(c, X86_FEATURE_STIBP) ||
+ cpu_has(c, X86_FEATURE_AMD_SPEC_CTRL) ||
+ cpu_has(c, X86_FEATURE_AMD_PRED_CMD) ||
+ cpu_has(c, X86_FEATURE_AMD_STIBP)) && bad_spectre_microcode(c)) {
+ pr_warn("Intel Spectre v2 broken microcode detected; disabling SPEC_CTRL\n");
+ clear_cpu_cap(c, X86_FEATURE_SPEC_CTRL);
+ clear_cpu_cap(c, X86_FEATURE_STIBP);
+ clear_cpu_cap(c, X86_FEATURE_AMD_SPEC_CTRL);
+ clear_cpu_cap(c, X86_FEATURE_AMD_PRED_CMD);
+ clear_cpu_cap(c, X86_FEATURE_AMD_STIBP);
+ }
+
/*
* Atom erratum AAE44/AAF40/AAG38/AAH41:
*
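Review bot: The pr_warn() added to early_init_intel() says only "disabling SPEC_CTRL" although five feature bits are cleared, including STIBP and the three AMD-named ones, and the same five flags are spelled out twice (once in the cpu_has() condition, once in the clear_cpu_cap() calls), which invites the two lists drifting apart. Reword the message to cover what is actually disabled and drive both the test and the clearing from one small array of feature numbers. If this function runs once per CPU, the warning repeats per CPU; pr_warn_once() would avoid that.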
* [PATCH 3.16 177/410] rbd: whitelist RBD_FEATURE_OPERATIONS feature bit
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Jason Dillaman, Ilya Dryomov
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Ilya Dryomov <idryomov@gmail.com>
commit e573427a440fd67d3f522357d7ac901d59281948 upstream.
This feature bit restricts older clients from performing certain
maintenance operations against an image (e.g. clone, snap create).
krbd does not perform maintenance operations.
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Jason Dillaman <dillaman@redhat.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/block/rbd.c
+++ b/drivers/block/rbd.c
@@ -117,8 +117,11 @@ static int atomic_dec_return_safe(atomic
#define RBD_FEATURE_LAYERING (1<<0)
#define RBD_FEATURE_STRIPINGV2 (1<<1)
-#define RBD_FEATURES_ALL \
- (RBD_FEATURE_LAYERING | RBD_FEATURE_STRIPINGV2)
+#define RBD_FEATURE_OPERATIONS (1<<8)
+
+#define RBD_FEATURES_ALL (RBD_FEATURE_LAYERING | \
+ RBD_FEATURE_STRIPINGV2 | \
+ RBD_FEATURE_OPERATIONS)
/* Features supported by this (client software) implementation. */
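Review bot: RBD_FEATURE_OPERATIONS is defined as (1<<8) and added to RBD_FEATURES_ALL with no comment, which leaves bits 2 through 7 unexplained and puts the bit under the following "Features supported by this (client software) implementation" heading with the justification only in the commit message. Add a comment at the define saying that the bit gates maintenance operations, which this client does not perform, so that accepting it reads as deliberate rather than as a claim that the feature is implemented.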
* [PATCH 3.16 371/410] ALSA: hda/realtek - Always immediately update mute LED with pin VREF
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Takashi Iwai
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
commit e40bdb03d3cd7da66bd0bc1e40cbcfb49351265c upstream.
Some HP laptops have a mute LED controlled by a pin VREF. The
Realtek codec driver updates the VREF via vmaster hook by calling
snd_hda_set_pin_ctl_cache().
This works fine as long as the driver is running in a normal mode.
However, when the VREF change happens during the codec being in
runtime PM suspend, the regmap access will skip and postpone the
actual register change. This ends up with the unchanged LED status
until the next runtime PM resume even if you change the Master mute
switch. (Interestingly, the machine keeps the LED status even after
the codec goes into D3 -- but it's another story.)
For improving this usability, let the driver temporarily power up /
down only during the pin VREF change. This can be achieved easily by
wrapping the call with snd_hda_power_up_pm() / *_down_pm().
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199073
Signed-off-by: Takashi Iwai <tiwai@suse.de>
[bwh: Backported to 3.16: Use snd_hda_power{down,up}() (without the _pm
suffix)]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
sound/pci/hda/patch_realtek.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -3435,8 +3435,12 @@ static void alc269_fixup_mic_mute_hook(v
pinval = snd_hda_codec_get_pin_target(codec, spec->mute_led_nid);
pinval &= ~AC_PINCTL_VREFEN;
pinval |= enabled ? AC_PINCTL_VREF_HIZ : AC_PINCTL_VREF_80;
- if (spec->mute_led_nid)
+ if (spec->mute_led_nid) {
+ /* temporarily power up/down for setting VREF */
+ snd_hda_power_up(codec);
snd_hda_set_pin_ctl_cache(codec, spec->mute_led_nid, pinval);
+ snd_hda_power_down(codec);
+ }
}
/* Make sure the led works even in runtime suspend */
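Review bot: The snd_hda_power_up()/snd_hda_power_down() pair is executed on every call of this hook whenever mute_led_nid is set, even if the computed pinval equals the value just read back with snd_hda_codec_get_pin_target(). Compare the new pinval with the old one and skip the power cycle when nothing changes. Separately, the pin target is still read using spec->mute_led_nid before the `if (spec->mute_led_nid)` test; turning that test into an early return at the top of the function would cover both.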
* [PATCH 3.16 024/410] ALSA: seq: Fix racy pool initializations
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, 范龙飞, Takashi Iwai
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
commit d15d662e89fc667b90cd294b0eb45694e33144da upstream.
ALSA sequencer core initializes the event pool on demand by invoking
snd_seq_pool_init() when the first write happens and the pool is
empty. Meanwhile user can reset the pool size manually via ioctl
concurrently, and this may lead to UAF or out-of-bound accesses since
the function tries to vmalloc / vfree the buffer.
A simple fix is to just wrap the snd_seq_pool_init() call with the
recently introduced client->ioctl_mutex; as the calls for
snd_seq_pool_init() from other side are always protected with this
mutex, we can avoid the race.
Reported-by: 范龙飞 <long7573@126.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
sound/core/seq/seq_clientmgr.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
--- a/sound/core/seq/seq_clientmgr.c
+++ b/sound/core/seq/seq_clientmgr.c
@@ -1012,7 +1012,7 @@ static ssize_t snd_seq_write(struct file
{
struct snd_seq_client *client = file->private_data;
int written = 0, len;
- int err = -EINVAL;
+ int err;
struct snd_seq_event event;
if (!(snd_seq_file_flags(file) & SNDRV_SEQ_LFLG_OUTPUT))
@@ -1027,11 +1027,15 @@ static ssize_t snd_seq_write(struct file
/* allocate the pool now if the pool is not allocated yet */
if (client->pool->size > 0 && !snd_seq_write_pool_allocated(client)) {
- if (snd_seq_pool_init(client->pool) < 0)
+ mutex_lock(&client->ioctl_mutex);
+ err = snd_seq_pool_init(client->pool);
+ mutex_unlock(&client->ioctl_mutex);
+ if (err < 0)
return -ENOMEM;
}
/* only process whole events */
+ err = -EINVAL;
while (count >= sizeof(struct snd_seq_event)) {
/* Read in the event header from the user */
len = sizeof(event);
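Review bot: In snd_seq_write(), the test `client->pool->size > 0 && !snd_seq_write_pool_allocated(client)` is still evaluated before client->ioctl_mutex is taken, so the decision to initialize is made on state that can change before the lock is acquired; only the snd_seq_pool_init() call itself is serialized. Take the mutex before the test, or repeat the test under the lock. The value now stored in `err` is also discarded in favour of a fixed -ENOMEM; returning err would preserve the actual failure.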
* [PATCH 3.16 100/410] scsi: libsas: fix error when getting phy events
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Christoph Hellwig, chenqilin, Martin K. Petersen,
Jason Yan, chenxiang, John Garry, Hannes Reinecke
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jason Yan <yanaijie@huawei.com>
commit 2b23d9509fd7174b362482cf5f3b5f9a2265bc33 upstream.
The intended purpose here was to goto out if smp_execute_task() returned
error. Obviously something got screwed up. We will never get these link
error statistics below:
~:/sys/class/sas_phy/phy-1:0:12 # cat invalid_dword_count
0
~:/sys/class/sas_phy/phy-1:0:12 # cat running_disparity_error_count
0
~:/sys/class/sas_phy/phy-1:0:12 # cat loss_of_dword_sync_count
0
~:/sys/class/sas_phy/phy-1:0:12 # cat phy_reset_problem_count
0
Obviously we should goto error handler if smp_execute_task() returns
non-zero.
Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver")
Signed-off-by: Jason Yan <yanaijie@huawei.com>
CC: John Garry <john.garry@huawei.com>
CC: chenqilin <chenqilin2@huawei.com>
CC: chenxiang <chenxiang66@hisilicon.com>
Reviewed-by: Hannes Reinecke <hare@suse.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/scsi/libsas/sas_expander.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/scsi/libsas/sas_expander.c
+++ b/drivers/scsi/libsas/sas_expander.c
@@ -675,7 +675,7 @@ int sas_smp_get_phy_events(struct sas_ph
res = smp_execute_task(dev, req, RPEL_REQ_SIZE,
resp, RPEL_RESP_SIZE);
- if (!res)
+ if (res)
goto out;
phy->invalid_dword_count = scsi_to_u32(&resp[12]);
* [PATCH 3.16 087/410] media: exynos4-is: properly initialize frame format
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Sylwester Nawrocki, Mauro Carvalho Chehab, Arnd Bergmann
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
commit 97913bcbe6da3957af27d9fdd76b3d97b99e6d6a upstream.
We copy the subdev frame format from a partially initialized
structure, which is not entirely well-defined. Older compilers
like gcc-4.4 can copy uninitialized stack data here and warn
about it:
drivers/media/platform/exynos4-is/fimc-isp.c: In function 'fimc_isp_subdev_open':
drivers/media/platform/exynos4-is/fimc-isp.c:379: error: 'fmt.reserved[10u]' may be used uninitialized in this function
drivers/media/platform/exynos4-is/fimc-isp.c:379: error: 'fmt.reserved[9u]' may be used uninitialized in this function
...
drivers/media/platform/exynos4-is/fimc-isp.c:379: error: 'fmt.reserved[0u]' may be used uninitialized in this function
drivers/media/platform/exynos4-is/fimc-isp.c:379: error: 'fmt.xfer_func' may be used uninitialized in this function
On newer compilers, only the initialized fields get copied, but
we should not rely on that, so this changes the code to zero-out
the remaining fields first.
Fixes: 9a761e436843 ("[media] exynos4-is: Add Exynos4x12 FIMC-IS driver")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/media/platform/exynos4-is/fimc-isp.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
--- a/drivers/media/platform/exynos4-is/fimc-isp.c
+++ b/drivers/media/platform/exynos4-is/fimc-isp.c
@@ -366,16 +366,16 @@ static int fimc_isp_subdev_s_power(struc
static int fimc_isp_subdev_open(struct v4l2_subdev *sd,
struct v4l2_subdev_fh *fh)
{
- struct v4l2_mbus_framefmt fmt;
struct v4l2_mbus_framefmt *format;
+ struct v4l2_mbus_framefmt fmt = {
+ .colorspace = V4L2_COLORSPACE_SRGB,
+ .code = fimc_isp_formats[0].mbus_code,
+ .width = DEFAULT_PREVIEW_STILL_WIDTH + FIMC_ISP_CAC_MARGIN_WIDTH,
+ .height = DEFAULT_PREVIEW_STILL_HEIGHT + FIMC_ISP_CAC_MARGIN_HEIGHT,
+ .field = V4L2_FIELD_NONE,
+ };
format = v4l2_subdev_get_try_format(fh, FIMC_ISP_SD_PAD_SINK);
-
- fmt.colorspace = V4L2_COLORSPACE_SRGB;
- fmt.code = fimc_isp_formats[0].mbus_code;
- fmt.width = DEFAULT_PREVIEW_STILL_WIDTH + FIMC_ISP_CAC_MARGIN_WIDTH;
- fmt.height = DEFAULT_PREVIEW_STILL_HEIGHT + FIMC_ISP_CAC_MARGIN_HEIGHT;
- fmt.field = V4L2_FIELD_NONE;
*format = fmt;
format = v4l2_subdev_get_try_format(fh, FIMC_ISP_SD_PAD_SRC_FIFO);
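Review bot: The changelog frames this as a gcc-4.4 warning, but `*format = fmt;` copies the whole structure into the try format held by the file handle, so with the old code the unset `reserved[]` and `xfer_func` members carried whatever was on the kernel stack; the commit message should say so. The designated initializer on `fmt` zeroes every member it does not name, which is enough as long as the structure has no padding. A short comment to that effect, or a `memset()` before the assignments, would keep this safe if the layout ever changes.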
* [PATCH 3.16 286/410] clocksource/drivers/fsl_ftm_timer: Fix error return checking
2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
` (329 preceding siblings ...)
2018-06-07 14:05 ` [PATCH 3.16 278/410] drm/radeon: insist on 32-bit DMA for Cedar on PPC64/PPC64LE Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
2018-06-07 14:05 ` [PATCH 3.16 067/410] EDAC, octeon: Fix an uninitialized variable warning Ben Hutchings
` (78 subsequent siblings)
409 siblings, 0 replies; 428+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Daniel Lezcano, kernel-janitors, Thomas Gleixner, Colin Ian King
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Colin Ian King <colin.king@canonical.com>
commit f287eb9013ccf199cbfa4eabd80c36fedfc15a73 upstream.
The error checks on freq for a negative error return always fail because
freq is unsigned and can never be negative. Fix this by making freq a
signed long.
Detected with Coccinelle:
drivers/clocksource/fsl_ftm_timer.c:287:5-9: WARNING: Unsigned expression
compared with zero: freq <= 0
drivers/clocksource/fsl_ftm_timer.c:291:5-9: WARNING: Unsigned expression
compared with zero: freq <= 0
Fixes: 2529c3a33079 ("clocksource: Add Freescale FlexTimer Module (FTM) timer support")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Daniel Lezcano <daniel.lezcano@linaro.org>
Cc: kernel-janitors@vger.kernel.org
Link: https://lkml.kernel.org/r/20180226113614.3092-1-colin.king@canonical.com
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/clocksource/fsl_ftm_timer.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/clocksource/fsl_ftm_timer.c
+++ b/drivers/clocksource/fsl_ftm_timer.c
@@ -282,7 +282,7 @@ static int __init __ftm_clk_init(struct
static unsigned long __init ftm_clk_init(struct device_node *np)
{
- unsigned long freq;
+ long freq;
freq = __ftm_clk_init(np, "ftm-evt-counter-en", "ftm-evt");
if (freq <= 0)
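Review bot: `freq` becomes `long` while `ftm_clk_init()` still returns `unsigned long`, so the `freq <= 0` tests are now the only thing keeping a negative value from being converted to a huge frequency on return. A comment at the declaration, or a return type that can carry the error, would make that dependency explicit. The hunk header shows `__ftm_clk_init()` returning `int`, so the changelog could also say why `long` was chosen over `int`.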
* [PATCH 3.16 229/410] libata: remove WARN() for DMA or PIO command without data
2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
` (55 preceding siblings ...)
2018-06-07 14:05 ` [PATCH 3.16 384/410] RDMA/ucma: Correct option size check using optlen Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
2018-06-07 14:05 ` [PATCH 3.16 130/410] console/dummy: leave .con_font_get set to NULL Ben Hutchings
` (352 subsequent siblings)
409 siblings, 0 replies; 428+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, syzbot+f7b556d1766502a69d85071d2ff08bd87be53d0f,
Eric Biggers, Tejun Heo
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@google.com>
commit 9173e5e80729c8434b8d27531527c5245f4a5594 upstream.
syzkaller hit a WARN() in ata_qc_issue() when writing to /dev/sg0. This
happened because it issued a READ_6 command with no data buffer.
Just remove the WARN(), as it doesn't appear to indicate a kernel bug. The
expected behavior is to fail the command, which the code does.
Here's a reproducer that works in QEMU when /dev/sg0 refers to a disk of
the default type ("82371SB PIIX3 IDE"):
#include <fcntl.h>
#include <unistd.h>
int main()
{
char buf[42] = { [36] = 0x8 /* READ_6 */ };
write(open("/dev/sg0", O_RDWR), buf, sizeof(buf));
}
Fixes: f92a26365a72 ("libata: change ATA_QCFLAG_DMAMAP semantics")
Reported-by: syzbot+f7b556d1766502a69d85071d2ff08bd87be53d0f@syzkaller.appspotmail.com
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/ata/libata-core.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/drivers/ata/libata-core.c
+++ b/drivers/ata/libata-core.c
@@ -5139,8 +5139,7 @@ void ata_qc_issue(struct ata_queued_cmd
* We guarantee to LLDs that they will have at least one
* non-zero sg if the command is a data command.
*/
- if (WARN_ON_ONCE(ata_is_data(prot) &&
- (!qc->sg || !qc->n_elem || !qc->nbytes)))
+ if (ata_is_data(prot) && (!qc->sg || !qc->n_elem || !qc->nbytes))
goto sys_err;
if (ata_is_dma(prot) || (ata_is_pio(prot) &&
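Review bot: Dropping `WARN_ON_ONCE()` around the `ata_is_data(prot)` test is right, because the changelog shows the condition is reachable from a plain write to /dev/sg0, and a user-triggerable WARN becomes a crash on systems booted with panic_on_warn. The comment above the test still promises LLDs a non-zero sg for data commands, so add one line there saying that user-supplied commands can violate this and are failed through `sys_err` rather than treated as a kernel bug.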
* [PATCH 3.16 349/410] can: cc770: Fix queue stall & dropped RTR reply
2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
` (337 preceding siblings ...)
2018-06-07 14:05 ` [PATCH 3.16 322/410] bcache: fix crashes in duplicate cache device register Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
2018-06-07 14:05 ` [PATCH 3.16 297/410] tpm_i2c_infineon: fix potential buffer overruns caused by bit glitches on the bus Ben Hutchings
` (70 subsequent siblings)
409 siblings, 0 replies; 428+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Richard Weinberger, Andri Yngvason, Marc Kleine-Budde
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Andri Yngvason <andri.yngvason@marel.com>
commit 746201235b3f876792099079f4c6fea941d76183 upstream.
While waiting for the TX object to send an RTR, an external message with a
matching id can overwrite the TX data. In this case we must call the rx
routine and then try transmitting the message that was overwritten again.
The queue was being stalled because the RX event did not generate an
interrupt to wake up the queue again and the TX event did not happen
because the TXRQST flag is reset by the chip when new data is received.
According to the CC770 datasheet the id of a message object should not be
changed while the MSGVAL bit is set. This has been fixed by resetting the
MSGVAL bit before modifying the object in the transmit function and setting
it after. It is not enough to set & reset CPUUPD.
It is important to keep the MSGVAL bit reset while the message object is
being modified. Otherwise, during RTR transmission, a frame with matching
id could trigger an rx-interrupt, which would cause a race condition
between the interrupt routine and the transmit function.
Signed-off-by: Andri Yngvason <andri.yngvason@marel.com>
Tested-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/net/can/cc770/cc770.c | 94 ++++++++++++++++++++++++-----------
drivers/net/can/cc770/cc770.h | 2 +
2 files changed, 68 insertions(+), 28 deletions(-)
--- a/drivers/net/can/cc770/cc770.c
+++ b/drivers/net/can/cc770/cc770.c
@@ -390,37 +390,23 @@ static int cc770_get_berr_counter(const
return 0;
}
-static netdev_tx_t cc770_start_xmit(struct sk_buff *skb, struct net_device *dev)
+static void cc770_tx(struct net_device *dev, int mo)
{
struct cc770_priv *priv = netdev_priv(dev);
- struct net_device_stats *stats = &dev->stats;
- struct can_frame *cf = (struct can_frame *)skb->data;
- unsigned int mo = obj2msgobj(CC770_OBJ_TX);
+ struct can_frame *cf = (struct can_frame *)priv->tx_skb->data;
u8 dlc, rtr;
u32 id;
int i;
- if (can_dropped_invalid_skb(dev, skb))
- return NETDEV_TX_OK;
-
- if ((cc770_read_reg(priv,
- msgobj[mo].ctrl1) & TXRQST_UNC) == TXRQST_SET) {
- netdev_err(dev, "TX register is still occupied!\n");
- return NETDEV_TX_BUSY;
- }
-
- netif_stop_queue(dev);
-
dlc = cf->can_dlc;
id = cf->can_id;
- if (cf->can_id & CAN_RTR_FLAG)
- rtr = 0;
- else
- rtr = MSGCFG_DIR;
+ rtr = cf->can_id & CAN_RTR_FLAG ? 0 : MSGCFG_DIR;
+
+ cc770_write_reg(priv, msgobj[mo].ctrl0,
+ MSGVAL_RES | TXIE_RES | RXIE_RES | INTPND_RES);
cc770_write_reg(priv, msgobj[mo].ctrl1,
RMTPND_RES | TXRQST_RES | CPUUPD_SET | NEWDAT_RES);
- cc770_write_reg(priv, msgobj[mo].ctrl0,
- MSGVAL_SET | TXIE_SET | RXIE_RES | INTPND_RES);
+
if (id & CAN_EFF_FLAG) {
id &= CAN_EFF_MASK;
cc770_write_reg(priv, msgobj[mo].config,
@@ -439,13 +425,30 @@ static netdev_tx_t cc770_start_xmit(stru
for (i = 0; i < dlc; i++)
cc770_write_reg(priv, msgobj[mo].data[i], cf->data[i]);
- /* Store echo skb before starting the transfer */
- can_put_echo_skb(skb, dev, 0);
-
cc770_write_reg(priv, msgobj[mo].ctrl1,
- RMTPND_RES | TXRQST_SET | CPUUPD_RES | NEWDAT_UNC);
+ RMTPND_UNC | TXRQST_SET | CPUUPD_RES | NEWDAT_UNC);
+ cc770_write_reg(priv, msgobj[mo].ctrl0,
+ MSGVAL_SET | TXIE_SET | RXIE_SET | INTPND_UNC);
+}
+
+static netdev_tx_t cc770_start_xmit(struct sk_buff *skb, struct net_device *dev)
+{
+ struct cc770_priv *priv = netdev_priv(dev);
+ unsigned int mo = obj2msgobj(CC770_OBJ_TX);
+
+ if (can_dropped_invalid_skb(dev, skb))
+ return NETDEV_TX_OK;
+
+ netif_stop_queue(dev);
+
+ if ((cc770_read_reg(priv,
+ msgobj[mo].ctrl1) & TXRQST_UNC) == TXRQST_SET) {
+ netdev_err(dev, "TX register is still occupied!\n");
+ return NETDEV_TX_BUSY;
+ }
- stats->tx_bytes += dlc;
+ priv->tx_skb = skb;
+ cc770_tx(dev, mo);
return NETDEV_TX_OK;
}
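Review bot: In the new `cc770_start_xmit()`, `netif_stop_queue(dev)` now runs before the `TXRQST_SET` test, so the `NETDEV_TX_BUSY` return leaves the queue stopped and depends on a later TX interrupt calling `netif_wake_queue()`; the old code returned busy with the queue still running. If that is intended, say so in a comment, otherwise stop the queue only after the busy check. `priv->tx_skb = skb` is also written here without a lock while `cc770_tx_interrupt()` reads and clears it, which deserves a note on why the two cannot overlap.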
@@ -670,13 +673,47 @@ static void cc770_tx_interrupt(struct ne
struct cc770_priv *priv = netdev_priv(dev);
struct net_device_stats *stats = &dev->stats;
unsigned int mo = obj2msgobj(o);
+ struct can_frame *cf;
+ u8 ctrl1;
+
+ ctrl1 = cc770_read_reg(priv, msgobj[mo].ctrl1);
- /* Nothing more to send, switch off interrupts */
cc770_write_reg(priv, msgobj[mo].ctrl0,
MSGVAL_RES | TXIE_RES | RXIE_RES | INTPND_RES);
+ cc770_write_reg(priv, msgobj[mo].ctrl1,
+ RMTPND_RES | TXRQST_RES | MSGLST_RES | NEWDAT_RES);
- stats->tx_packets++;
+ if (unlikely(!priv->tx_skb)) {
+ netdev_err(dev, "missing tx skb in tx interrupt\n");
+ return;
+ }
+
+ if (unlikely(ctrl1 & MSGLST_SET)) {
+ stats->rx_over_errors++;
+ stats->rx_errors++;
+ }
+
+ /* When the CC770 is sending an RTR message and it receives a regular
+ * message that matches the id of the RTR message, it will overwrite the
+ * outgoing message in the TX register. When this happens we must
+ * process the received message and try to transmit the outgoing skb
+ * again.
+ */
+ if (unlikely(ctrl1 & NEWDAT_SET)) {
+ cc770_rx(dev, mo, ctrl1);
+ cc770_tx(dev, mo);
+ return;
+ }
+
+ can_put_echo_skb(priv->tx_skb, dev, 0);
can_get_echo_skb(dev, 0);
+
+ cf = (struct can_frame *)priv->tx_skb->data;
+ stats->tx_bytes += cf->can_dlc;
+ stats->tx_packets++;
+
+ priv->tx_skb = NULL;
+
netif_wake_queue(dev);
}
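Review bot: The `if (unlikely(!priv->tx_skb))` branch returns after both control registers have been reset but without calling `netif_wake_queue(dev)`, so if it is ever taken the queue that `cc770_start_xmit()` stopped stays stopped, which is the kind of stall this patch sets out to fix. Wake the queue on that path as well. In the `NEWDAT_SET` branch the frame is resent through `cc770_tx()` every time it is overwritten, with no retry limit or counter; a statistic or a bounded retry would make a busy matching id visible.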
@@ -788,6 +825,7 @@ struct net_device *alloc_cc770dev(int si
priv->can.do_set_bittiming = cc770_set_bittiming;
priv->can.do_set_mode = cc770_set_mode;
priv->can.ctrlmode_supported = CAN_CTRLMODE_3_SAMPLES;
+ priv->tx_skb = NULL;
memcpy(priv->obj_flags, cc770_obj_flags, sizeof(cc770_obj_flags));
--- a/drivers/net/can/cc770/cc770.h
+++ b/drivers/net/can/cc770/cc770.h
@@ -193,6 +193,8 @@ struct cc770_priv {
u8 cpu_interface; /* CPU interface register */
u8 clkout; /* Clock out register */
u8 bus_config; /* Bus conffiguration register */
+
+ struct sk_buff *tx_skb;
};
struct net_device *alloc_cc770dev(int sizeof_priv);
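Review bot: `struct sk_buff *tx_skb;` is the only member in this part of `struct cc770_priv` without a comment. Document that it holds the frame handed to `cc770_start_xmit()` until `cc770_tx_interrupt()` completes it, since that lifetime is what the retransmit path relies on.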
* [PATCH 3.16 139/410] ubi: Fix race condition between ubi volume creation and udev
2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
` (205 preceding siblings ...)
2018-06-07 14:05 ` [PATCH 3.16 100/410] scsi: libsas: fix error when getting phy events Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
2018-06-07 14:05 ` [PATCH 3.16 358/410] fs/aio: Use RCU accessors for kioctx_table->table[] Ben Hutchings
` (202 subsequent siblings)
409 siblings, 0 replies; 428+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Clay McClure, Richard Weinberger
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Clay McClure <clay@daemons.net>
commit a51a0c8d213594bc094cb8e54aad0cb6d7f7b9a6 upstream.
Similar to commit 714fb87e8bc0 ("ubi: Fix race condition between ubi
device creation and udev"), we should make the volume active before
registering it.
Signed-off-by: Clay McClure <clay@daemons.net>
Signed-off-by: Richard Weinberger <richard@nod.at>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/mtd/ubi/vmt.c | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
--- a/drivers/mtd/ubi/vmt.c
+++ b/drivers/mtd/ubi/vmt.c
@@ -308,6 +308,12 @@ int ubi_create_volume(struct ubi_device
vol->last_eb_bytes = vol->usable_leb_size;
}
+ /* Make volume "available" before it becomes accessible via sysfs */
+ spin_lock(&ubi->volumes_lock);
+ ubi->volumes[vol_id] = vol;
+ ubi->vol_count += 1;
+ spin_unlock(&ubi->volumes_lock);
+
/* Register character device for the volume */
cdev_init(&vol->cdev, &ubi_vol_cdev_operations);
vol->cdev.owner = THIS_MODULE;
@@ -350,11 +356,6 @@ int ubi_create_volume(struct ubi_device
if (err)
goto out_sysfs;
- spin_lock(&ubi->volumes_lock);
- ubi->volumes[vol_id] = vol;
- ubi->vol_count += 1;
- spin_unlock(&ubi->volumes_lock);
-
ubi_volume_notify(ubi, vol, UBI_VOLUME_ADDED);
self_check_volumes(ubi);
return err;
@@ -374,6 +375,10 @@ out_sysfs:
out_cdev:
cdev_del(&vol->cdev);
out_mapping:
+ spin_lock(&ubi->volumes_lock);
+ ubi->volumes[vol_id] = NULL;
+ ubi->vol_count -= 1;
+ spin_unlock(&ubi->volumes_lock);
if (do_free)
kfree(vol->eba_tbl);
out_acc:
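Review bot: With the volume now stored in `ubi->volumes[vol_id]` before `cdev_init()`, the rollback added under `out_mapping:` is only correct if every jump to that label happens after the volume was published; please confirm no earlier `goto out_mapping` exists, or `vol_count` is decremented without a matching increment. The rollback also means a volume can be visible in `ubi->volumes[]` and then torn down, so anything that looks up the slot under `volumes_lock` in that window must not keep the pointer.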
* [PATCH 3.16 368/410] skbuff: Fix not waking applications when errors are enqueued
2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
` (346 preceding siblings ...)
2018-06-07 14:05 ` [PATCH 3.16 288/410] l2tp: don't close sessions in l2tp_tunnel_destruct() Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
2018-06-07 14:05 ` [PATCH 3.16 223/410] s390/qeth: fix SETIP command handling Ben Hutchings
` (61 subsequent siblings)
409 siblings, 0 replies; 428+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Randy E. Witt, Vinicius Costa Gomes, David S. Miller, Eric Dumazet
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Vinicius Costa Gomes <vinicius.gomes@intel.com>
commit 6e5d58fdc9bedd0255a8781b258f10bbdc63e975 upstream.
When errors are enqueued to the error queue via sock_queue_err_skb()
function, it is possible that the waiting application is not notified.
Calling 'sk->sk_data_ready()' would not notify applications that
selected only POLLERR events in poll() (for example).
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: Randy E. Witt <randy.e.witt@intel.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/core/skbuff.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -3512,7 +3512,7 @@ int sock_queue_err_skb(struct sock *sk,
skb_queue_tail(&sk->sk_error_queue, skb);
if (!sock_flag(sk, SOCK_DEAD))
- sk->sk_data_ready(sk);
+ sk->sk_error_report(sk);
return 0;
}
EXPORT_SYMBOL(sock_queue_err_skb);
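Review bot: Replacing `sk->sk_data_ready(sk)` with `sk->sk_error_report(sk)` changes which callback every user of `sock_queue_err_skb()` receives, and this is a backport of a one-line behaviour change to 3.16. The changelog covers poll() with only POLLERR selected; it should also say what happens to sockets that install their own `sk_error_report` handler and to waiters that were previously woken through `sk_data_ready`.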
* [PATCH 3.16 319/410] ahci: Add PCI-id for the Highpoint Rocketraid 644L card
2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
` (213 preceding siblings ...)
2018-06-07 14:05 ` [PATCH 3.16 190/410] btrfs: remove spurious WARN_ON(ref->count < 0) in find_parent_nodes Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
2018-06-07 14:05 ` [PATCH 3.16 027/410] hugetlbfs: fix offset overflow in hugetlbfs mmap Ben Hutchings
` (194 subsequent siblings)
409 siblings, 0 replies; 428+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Bjorn Helgaas, Hans de Goede, Tejun Heo
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Hans de Goede <hdegoede@redhat.com>
commit 28b2182dad43f6f8fcbd167539a26714fd12bd64 upstream.
Like the Highpoint Rocketraid 642L and cards using a Marvell 88SE9235
controller in general, this RAID card also supports AHCI mode and short
of a custom driver, this is the only way to make it work under Linux.
Note that even though the card is called 644L, it has a product-id
of 0x0645.
BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1534106
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Acked-by: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/ata/ahci.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/ata/ahci.c
+++ b/drivers/ata/ahci.c
@@ -529,7 +529,9 @@ static const struct pci_device_id ahci_p
.driver_data = board_ahci_yes_fbs },
{ PCI_DEVICE(PCI_VENDOR_ID_MARVELL_EXT, 0x9230),
.driver_data = board_ahci_yes_fbs },
- { PCI_DEVICE(PCI_VENDOR_ID_TTI, 0x0642),
+ { PCI_DEVICE(PCI_VENDOR_ID_TTI, 0x0642), /* highpoint rocketraid 642L */
+ .driver_data = board_ahci_yes_fbs },
+ { PCI_DEVICE(PCI_VENDOR_ID_TTI, 0x0645), /* highpoint rocketraid 644L */
.driver_data = board_ahci_yes_fbs },
/* Promise */
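Review bot: The new `0x0645` entry is labelled 644L while its neighbour `0x0642` is the 642L, so the trailing comments are the only thing stopping a later cleanup from treating the id as a typo. Extend the 644L comment to say the product-id really is 0x0645, as the changelog does. The comments could also use the vendor's capitalisation.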
* [PATCH 3.16 065/410] perf evlist: Introduce perf_evlist__new_dummy constructor
2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
` (139 preceding siblings ...)
2018-06-07 14:05 ` [PATCH 3.16 373/410] batman-adv: Fix skbuff rcsum on packet reroute Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
2018-06-07 14:05 ` [PATCH 3.16 323/410] bcache: don't attach backing with duplicate UUID Ben Hutchings
` (268 subsequent siblings)
409 siblings, 0 replies; 428+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, David Ahern, Namhyung Kim, Jiri Olsa, Wang Nan,
Adrian Hunter, Arnaldo Carvalho de Melo
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Arnaldo Carvalho de Melo <acme@redhat.com>
commit 5bae0250237f7a5ec4355f9920701de247b8db91 upstream.
For the case where all we need is an evlist with just a "dummy" evsel,
like in some 'perf test' entries.
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: David Ahern <dsahern@gmail.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Wang Nan <wangnan0@huawei.com>
Link: http://lkml.kernel.org/n/tip-q52le0pblm2k3ncvyilelr9z@git.kernel.org
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
tools/perf/util/evlist.c | 28 ++++++++++++++++++++++++++++
tools/perf/util/evlist.h | 3 +++
2 files changed, 31 insertions(+)
--- a/tools/perf/util/evlist.c
+++ b/tools/perf/util/evlist.c
@@ -62,6 +62,18 @@ struct perf_evlist *perf_evlist__new_def
return evlist;
}
+struct perf_evlist *perf_evlist__new_dummy(void)
+{
+ struct perf_evlist *evlist = perf_evlist__new();
+
+ if (evlist && perf_evlist__add_dummy(evlist)) {
+ perf_evlist__delete(evlist);
+ evlist = NULL;
+ }
+
+ return evlist;
+}
+
/**
* perf_evlist__set_id_pos - set the positions of event ids.
* @evlist: selected event list
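Review bot: `perf_evlist__new_dummy()` is added with no caller anywhere in this patch (31 insertions, no deletions), so for a stable queue the changelog or a `[bwh: ...]` line should name the later patch that needs it. On error it returns NULL for both a failed `perf_evlist__new()` and a failed `perf_evlist__add_dummy()`, which is fine as long as callers only ever report out-of-memory.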
@@ -188,6 +200,22 @@ error:
return -ENOMEM;
}
+int perf_evlist__add_dummy(struct perf_evlist *evlist)
+{
+ struct perf_event_attr attr = {
+ .type = PERF_TYPE_SOFTWARE,
+ .config = PERF_COUNT_SW_DUMMY,
+ .size = sizeof(attr), /* to capture ABI version */
+ };
+ struct perf_evsel *evsel = perf_evsel__new(&attr);
+
+ if (evsel == NULL)
+ return -ENOMEM;
+
+ perf_evlist__add(evlist, evsel);
+ return 0;
+}
+
static int perf_evlist__add_attrs(struct perf_evlist *evlist,
struct perf_event_attr *attrs, size_t nr_attrs)
{
--- a/tools/perf/util/evlist.h
+++ b/tools/perf/util/evlist.h
@@ -54,6 +54,7 @@ struct perf_evsel_str_handler {
struct perf_evlist *perf_evlist__new(void);
struct perf_evlist *perf_evlist__new_default(void);
+struct perf_evlist *perf_evlist__new_dummy(void);
void perf_evlist__init(struct perf_evlist *evlist, struct cpu_map *cpus,
struct thread_map *threads);
void perf_evlist__exit(struct perf_evlist *evlist);
@@ -67,6 +68,8 @@ int __perf_evlist__add_default_attrs(str
#define perf_evlist__add_default_attrs(evlist, array) \
__perf_evlist__add_default_attrs(evlist, array, ARRAY_SIZE(array))
+int perf_evlist__add_dummy(struct perf_evlist *evlist);
+
int perf_evlist__add_newtp(struct perf_evlist *evlist,
const char *sys, const char *name, void *handler);
* [PATCH 3.16 272/410] md raid10: fix NULL deference in handle_write_completed()
2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
` (202 preceding siblings ...)
2018-06-07 14:05 ` [PATCH 3.16 115/410] ext4: correct documentation for grpid mount option Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
2018-06-07 14:05 ` [PATCH 3.16 345/410] netfilter: bridge: ebt_among: add more missing match size checks Ben Hutchings
` (205 subsequent siblings)
409 siblings, 0 replies; 428+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Shaohua Li, stable, NeilBrown, Yufen Yu
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Yufen Yu <yuyufen@huawei.com>
commit 01a69cab01c184d3786af09e9339311123d63d22 upstream.
In the case of 'recover', an r10bio with R10BIO_WriteError &
R10BIO_IsRecover will be progressed by handle_write_completed().
This function traverses all r10bio->devs[copies].
If devs[m].repl_bio != NULL, it thinks conf->mirrors[dev].replacement
is also not NULL. However, this is not always true.
When an rdev of raid10 has a replacement, each r10bio
->devs[m].repl_bio != NULL in conf->r10buf_pool. However, in 'recover',
even if the corresponding replacement is NULL, it doesn't clear r10bio
->devs[m].repl_bio, resulting in replacement NULL dereference.
This bug was introduced when replacement support for raid10 was
added in Linux 3.3.
As NeilBrown suggested:
Elsewhere the determination of "is this device part of the
resync/recovery" is made by resting bio->bi_end_io.
If this is end_sync_write, then we tried to write here.
If it is NULL, then we didn't try to write.
Fixes: 9ad1aefc8ae8 ("md/raid10: Handle replacement devices during resync.")
Cc: stable (V3.3+)
Suggested-by: NeilBrown <neilb@suse.com>
Signed-off-by: Yufen Yu <yuyufen@huawei.com>
Signed-off-by: Shaohua Li <sh.li@alibaba-inc.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/md/raid10.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/drivers/md/raid10.c
+++ b/drivers/md/raid10.c
@@ -2746,7 +2746,8 @@ static void handle_write_completed(struc
for (m = 0; m < conf->copies; m++) {
int dev = r10_bio->devs[m].devnum;
rdev = conf->mirrors[dev].rdev;
- if (r10_bio->devs[m].bio == NULL)
+ if (r10_bio->devs[m].bio == NULL ||
+ r10_bio->devs[m].bio->bi_end_io == NULL)
continue;
if (test_bit(BIO_UPTODATE,
&r10_bio->devs[m].bio->bi_flags)) {
@@ -2762,7 +2763,8 @@ static void handle_write_completed(struc
md_error(conf->mddev, rdev);
}
rdev = conf->mirrors[dev].replacement;
- if (r10_bio->devs[m].repl_bio == NULL)
+ if (r10_bio->devs[m].repl_bio == NULL ||
+ r10_bio->devs[m].repl_bio->bi_end_io == NULL)
continue;
if (test_bit(BIO_UPTODATE,
&r10_bio->devs[m].repl_bio->bi_flags)) {
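Review bot: After `rdev = conf->mirrors[dev].replacement;` the new `repl_bio->bi_end_io == NULL` test stands in for a NULL check on `rdev`, which the rest of the loop body then uses. That inference is only as good as the rule that `bi_end_io` is set exactly when a write was issued to the replacement. State the rule in a comment here, or add an explicit `!rdev` check so the oops cannot return if a future path sets `bi_end_io` differently.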
* [PATCH 3.16 097/410] signal/sh: Ensure si_signo is initialized in do_divide_error
2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
` (322 preceding siblings ...)
2018-06-07 14:05 ` [PATCH 3.16 273/410] x86/mm: Fix {pmd,pud}_{set,clear}_flags() Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
2018-06-07 14:05 ` [PATCH 3.16 177/410] rbd: whitelist RBD_FEATURE_OPERATIONS feature bit Ben Hutchings
` (85 subsequent siblings)
409 siblings, 0 replies; 428+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Rich Felker, Eric W. Biederman, Paul Mundt, Yoshinori Sato,
linux-sh
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "Eric W. Biederman" <ebiederm@xmission.com>
commit 0e88bb002a9b2ee8cc3cc9478ce2dc126f849696 upstream.
Set si_signo.
Cc: Yoshinori Sato <ysato@users.sourceforge.jp>
Cc: Rich Felker <dalias@libc.org>
Cc: Paul Mundt <lethal@linux-sh.org>
Cc: linux-sh@vger.kernel.org
Fixes: 0983b31849bb ("sh: Wire up division and address error exceptions on SH-2A.")
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/sh/kernel/traps_32.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/arch/sh/kernel/traps_32.c
+++ b/arch/sh/kernel/traps_32.c
@@ -607,7 +607,8 @@ asmlinkage void do_divide_error(unsigned
break;
}
- force_sig_info(SIGFPE, &info, current);
+ info.si_signo = SIGFPE;
+ force_sig_info(info.si_signo, &info, current);
}
#endif
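Review bot: Only `info.si_signo` is filled in at this point, and the changelog (`Set si_signo.`) does not say what the unset field caused. Since `info` is handed to `force_sig_info()` and ends up in user space, check that `si_errno` and the remaining members are initialised on every path through the switch above. Zeroing the structure at its declaration would cover them all in one place.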
* [PATCH 3.16 375/410] ip_tunnel: Clamp MTU to bounds on new link
2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
` (118 preceding siblings ...)
2018-06-07 14:05 ` [PATCH 3.16 179/410] scsi: ibmvfc: fix misdefined reserved field in ibmvfc_fcp_rsp_info Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
2018-06-07 14:05 ` [PATCH 3.16 079/410] ASoC: nuc900: Fix a loop timeout test Ben Hutchings
` (289 subsequent siblings)
409 siblings, 0 replies; 428+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Sabrina Dubroca, Steffen Klassert, Stefano Brivio
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Stefano Brivio <sbrivio@redhat.com>
commit 24fc79798b8ddfd46f2dd363a8d29072c083b977 upstream.
Otherwise, it's possible to specify invalid MTU values directly
on creation of a link (via 'ip link add'). This is already
prevented on subsequent MTU changes by commit b96f9afee4eb
("ipv4/6: use core net MTU range checking").
Fixes: c54419321455 ("GRE: Refactor GRE tunneling code.")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Acked-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
[bwh: Backported to 3.16: Add definition of ETH_MIN_MTU]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/ipv4/ip_tunnel.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/net/ipv4/ip_tunnel.c
+++ b/net/ipv4/ip_tunnel.c
@@ -968,8 +968,14 @@ int ip_tunnel_newlink(struct net_device
eth_hw_addr_random(dev);
mtu = ip_tunnel_bind_dev(dev);
- if (!tb[IFLA_MTU])
+ if (tb[IFLA_MTU]) {
+ unsigned int max = 0xfff8 - dev->hard_header_len - nt->hlen;
+
+ dev->mtu = clamp(dev->mtu, (unsigned int)ETH_MIN_MTU,
+ (unsigned int)(max - sizeof(struct iphdr)));
+ } else {
dev->mtu = mtu;
+ }
ip_tunnel_add(itn, nt);
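Review bot: In the `tb[IFLA_MTU]` branch an out-of-range value is silently clamped, so `ip link add` succeeds with an MTU the user did not ask for; returning -EINVAL, or saying in the changelog why clamping is preferred, would be clearer. The `0xfff8` limit is a bare constant, and the local named `max` shares its name with the kernel's `max()` macro right next to a `clamp()` call; a named constant and a name such as `max_mtu` would read better. The subtraction is unsigned, so a comment on why `dev->hard_header_len + nt->hlen` cannot exceed the constant would also help.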
--- a/include/uapi/linux/if_ether.h
+++ b/include/uapi/linux/if_ether.h
@@ -36,6 +36,8 @@
#define ETH_FRAME_LEN 1514 /* Max. octets in frame sans FCS */
#define ETH_FCS_LEN 4 /* Octets in the FCS */
+#define ETH_MIN_MTU 68 /* Min IPv4 MTU per RFC791 */
+
/*
* These are the defined Ethernet Protocol ID's.
*/
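Review bot: `ETH_MIN_MTU` is added under include/uapi, so this backport exposes a new user-visible define in a stable release, and the diffstat above still lists only net/ipv4/ip_tunnel.c with 7 insertions. The `[bwh: ...]` line mentions the new definition but not that it lands in a uapi header. Either keep the definition private to ip_tunnel.c for 3.16 or regenerate the diffstat and note the uapi addition.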
* [PATCH 3.16 025/410] ALSA: seq: Don't allow resizing pool in use
2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
` (184 preceding siblings ...)
2018-06-07 14:05 ` [PATCH 3.16 233/410] net: fix race on decreasing number of TX queues Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
2018-06-07 14:05 ` [PATCH 3.16 279/410] KVM: mmu: Fix overlap between public and private memslots Ben Hutchings
` (223 subsequent siblings)
409 siblings, 0 replies; 428+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, 范龙飞, Takashi Iwai, Nicolai Stange
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
commit d85739367c6d56e475c281945c68fdb05ca74b4c upstream.
This is a fix for a (sort of) fallout in the recent commit
d15d662e89fc ("ALSA: seq: Fix racy pool initializations") for
CVE-2018-1000004.
As the pool resize deletes the existing cells, it may lead to a race
when another thread is writing concurrently, eventually resulting in a
UAF.
A simple workaround is not to allow the pool resizing when the pool is
in use. It's invalid behavior anyway.
Fixes: d15d662e89fc ("ALSA: seq: Fix racy pool initializations")
Reported-by: 范龙飞 <long7573@126.com>
Reported-by: Nicolai Stange <nstange@suse.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
sound/core/seq/seq_clientmgr.c | 3 +++
1 file changed, 3 insertions(+)
--- a/sound/core/seq/seq_clientmgr.c
+++ b/sound/core/seq/seq_clientmgr.c
@@ -1929,6 +1929,9 @@ static int snd_seq_ioctl_set_client_pool
(! snd_seq_write_pool_allocated(client) ||
info.output_pool != client->pool->size)) {
if (snd_seq_write_pool_allocated(client)) {
+ /* is the pool in use? */
+ if (atomic_read(&client->pool->counter))
+ return -EBUSY;
/* remove all existing cells */
snd_seq_pool_mark_closing(client->pool);
snd_seq_queue_client_leave_cells(client->number);
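Review bot: `atomic_read(&client->pool->counter)` followed by `snd_seq_pool_mark_closing()` is a check-then-act sequence, and nothing in the visible lines stops a concurrent writer from taking a cell between the two calls, which is the race the changelog describes. Either do the test under the same lock the writer takes when allocating from the pool, or say in the comment which lock already makes this safe. The bare `return -EBUSY` should also be checked against any lock held at this point in the ioctl.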
* [PATCH 3.16 028/410] hugetlbfs: check for pgoff value overflow
2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
` (215 preceding siblings ...)
2018-06-07 14:05 ` [PATCH 3.16 027/410] hugetlbfs: fix offset overflow in hugetlbfs mmap Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
2018-06-07 14:05 ` [PATCH 3.16 226/410] usb: dwc3: gadget: Set maxpacket size for ep0 IN Ben Hutchings
` (192 subsequent siblings)
409 siblings, 0 replies; 428+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Michal Hocko, Nic Losby, Mike Kravetz, Kirill A . Shutemov,
Yisheng Xie, Linus Torvalds
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Mike Kravetz <mike.kravetz@oracle.com>
commit 63489f8e821144000e0bdca7e65a8d1cc23a7ee7 upstream.
A vma with vm_pgoff large enough to overflow a loff_t type when
converted to a byte offset can be passed via the remap_file_pages system
call. The hugetlbfs mmap routine uses the byte offset to calculate
reservations and file size.
A sequence such as:
mmap(0x20a00000, 0x600000, 0, 0x66033, -1, 0);
remap_file_pages(0x20a00000, 0x600000, 0, 0x20000000000000, 0);
will result in the following when task exits/file closed,
kernel BUG at mm/hugetlb.c:749!
Call Trace:
hugetlbfs_evict_inode+0x2f/0x40
evict+0xcb/0x190
__dentry_kill+0xcb/0x150
__fput+0x164/0x1e0
task_work_run+0x84/0xa0
exit_to_usermode_loop+0x7d/0x80
do_syscall_64+0x18b/0x190
entry_SYSCALL_64_after_hwframe+0x3d/0xa2
The overflowed pgoff value causes hugetlbfs to try to set up a mapping
with a negative range (end < start) that leaves invalid state which
causes the BUG.
The previous overflow fix to this code was incomplete and did not take
the remap_file_pages system call into account.
[mike.kravetz@oracle.com: v3]
Link: http://lkml.kernel.org/r/20180309002726.7248-1-mike.kravetz@oracle.com
[akpm@linux-foundation.org: include mmdebug.h]
[akpm@linux-foundation.org: fix -ve left shift count on sh]
Link: http://lkml.kernel.org/r/20180308210502.15952-1-mike.kravetz@oracle.com
Fixes: 045c7a3f53d9 ("hugetlbfs: fix offset overflow in hugetlbfs mmap")
Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com>
Reported-by: Nic Losby <blurbdust@gmail.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: "Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>
Cc: Yisheng Xie <xieyisheng1@huawei.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.16:
- Use a conditional WARN() instead of VM_WARN()
- Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/hugetlbfs/inode.c | 17 ++++++++++++++---
mm/hugetlb.c | 7 +++++++
2 files changed, 21 insertions(+), 3 deletions(-)
--- a/fs/hugetlbfs/inode.c
+++ b/fs/hugetlbfs/inode.c
@@ -97,6 +97,16 @@ static void huge_pagevec_release(struct
pagevec_reinit(pvec);
}
+/*
+ * Mask used when checking the page offset value passed in via system
+ * calls. This value will be converted to a loff_t which is signed.
+ * Therefore, we want to check the upper PAGE_SHIFT + 1 bits of the
+ * value. The extra bit (- 1 in the shift value) is to take the sign
+ * bit into account.
+ */
+#define PGOFF_LOFFT_MAX \
+ (((1UL << (PAGE_SHIFT + 1)) - 1) << (BITS_PER_LONG - (PAGE_SHIFT + 1)))
+
static int hugetlbfs_file_mmap(struct file *file, struct vm_area_struct *vma)
{
struct inode *inode = file_inode(file);
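Review bot: the comment above PGOFF_LOFFT_MAX says the extra bit is "- 1 in the shift value", but the macro as written uses PAGE_SHIFT + 1 in both places, so the comment and the code disagree. Suggest rewording it to say that the mask covers the top PAGE_SHIFT + 1 bits: the PAGE_SHIFT bits lost by the conversion to bytes plus the sign bit of loff_t.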
@@ -116,12 +126,13 @@ static int hugetlbfs_file_mmap(struct fi
vma->vm_ops = &hugetlb_vm_ops;
/*
- * Offset passed to mmap (before page shift) could have been
- * negative when represented as a (l)off_t.
+ * page based offset in vm_pgoff could be sufficiently large to
+ * overflow a (l)off_t when converted to byte offset.
*/
- if (((loff_t)vma->vm_pgoff << PAGE_SHIFT) < 0)
+ if (vma->vm_pgoff & PGOFF_LOFFT_MAX)
return -EINVAL;
+ /* must be huge page aligned */
if (vma->vm_pgoff & (~huge_page_mask(h) >> PAGE_SHIFT))
return -EINVAL;
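Review bot: the mask test on vma->vm_pgoff only proves that the start offset fits in a loff_t once shifted; the end of the range (byte offset plus mapping length) is not covered by anything in this hunk. Since the commit message describes the failure as end < start, it is worth confirming that the length addition further down in hugetlbfs_file_mmap() is checked for wrap as well.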
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -19,6 +19,7 @@
#include <linux/bootmem.h>
#include <linux/sysfs.h>
#include <linux/slab.h>
+#include <linux/mmdebug.h>
#include <linux/rmap.h>
#include <linux/swap.h>
#include <linux/swapops.h>
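Review bot: this backport adds #include <linux/mmdebug.h>, but per the backport note the new check uses a plain WARN() under CONFIG_DEBUG_VM instead of VM_WARN(), so nothing from mmdebug.h is used by the visible change. Either drop the include from the 3.16 version or say in the backport note why it is kept.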
@@ -3504,6 +3505,14 @@ int hugetlb_reserve_pages(struct inode *
struct hugepage_subpool *spool = subpool_inode(inode);
struct resv_map *resv_map;
+ /* This should never happen */
+ if (from > to) {
+#ifdef CONFIG_DEBUG_VM
+ WARN(1, "%s called with a negative range\n", __func__);
+#endif
+ return -EINVAL;
+ }
+
/*
* Only apply hugepage reservation if asked. At fault time, an
* attempt will be made for VM_NORESERVE to allocate a page
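Review bot: WARN(1, ...) in the from > to branch fires on every call, and the commit message shows the condition was reachable from userspace through remap_file_pages. On CONFIG_DEBUG_VM kernels a WARN_ONCE() would keep the diagnostic without letting a caller flood the log. The "This should never happen" comment could also name the caller-side check that is expected to prevent it.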
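The difference between the old sign test and the new mask test from the hugetlbfs patch above, as an added example that is not part of the patch or of the kernel source. It assumes 4 KiB pages and a 64-bit long; the EX_ names, the helper functions and the sample table are constructed for illustration, with 0x20000000000000 taken from the commit message.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Assumptions for this example: 4 KiB pages and a 64-bit long. */
#define EX_PAGE_SHIFT    12
#define EX_BITS_PER_LONG 64

/* Same construction as PGOFF_LOFFT_MAX in the patch: the top PAGE_SHIFT + 1 bits. */
#define EX_PGOFF_LOFFT_MAX \
	((((uint64_t)1 << (EX_PAGE_SHIFT + 1)) - 1) << \
	 (EX_BITS_PER_LONG - (EX_PAGE_SHIFT + 1)))

/* Old test: convert to bytes first, then look only at the sign bit. */
static int old_check_rejects(uint64_t pgoff)
{
	uint64_t bytes = pgoff << EX_PAGE_SHIFT; /* unsigned, so the wrap is defined */
	return (bytes >> 63) != 0;
}

/* New test: reject if any bit is set that the shift would move into or past the sign bit. */
static int new_check_rejects(uint64_t pgoff)
{
	return (pgoff & EX_PGOFF_LOFFT_MAX) != 0;
}

/* Reference answer: does pgoff pages, expressed in bytes, fit in a signed 64-bit offset? */
static int byte_offset_fits(uint64_t pgoff)
{
	return pgoff <= ((uint64_t)INT64_MAX >> EX_PAGE_SHIFT);
}

/* Constructed sample page offsets around the boundary. */
static const uint64_t ex_samples[] = {
	0,
	0x1000,
	((uint64_t)1 << 51) - 1,   /* largest offset that still fits */
	(uint64_t)1 << 51,         /* byte offset lands exactly on the sign bit */
	(uint64_t)1 << 52,         /* byte offset wraps to 0 */
	0x20000000000000ULL,       /* value from the commit message, wraps to 0 */
	UINT64_MAX,
};
#define EX_NSAMPLES ((int)(sizeof(ex_samples) / sizeof(ex_samples[0])))

/* Count samples that a check lets through although the byte offset does not fit. */
static int count_missed(int (*rejects)(uint64_t))
{
	int i, missed = 0;

	for (i = 0; i < EX_NSAMPLES; i++)
		if (!byte_offset_fits(ex_samples[i]) && !rejects(ex_samples[i]))
			missed++;
	return missed;
}

/* Count samples that a check refuses although the byte offset fits. */
static int count_false_rejects(int (*rejects)(uint64_t))
{
	int i, wrong = 0;

	for (i = 0; i < EX_NSAMPLES; i++)
		if (byte_offset_fits(ex_samples[i]) && rejects(ex_samples[i]))
			wrong++;
	return wrong;
}

int main(void)
{
	int i;

	printf("mask = 0x%016" PRIx64 "\n", (uint64_t)EX_PGOFF_LOFFT_MAX);
	printf("%-20s %-5s %-10s %-10s\n", "pgoff", "fits", "old", "new");
	for (i = 0; i < EX_NSAMPLES; i++)
		printf("0x%016" PRIx64 "   %-5s %-10s %-10s\n", ex_samples[i],
		       byte_offset_fits(ex_samples[i]) ? "yes" : "no",
		       old_check_rejects(ex_samples[i]) ? "reject" : "accept",
		       new_check_rejects(ex_samples[i]) ? "reject" : "accept");
	printf("old check missed %d, new check missed %d\n",
	       count_missed(old_check_rejects), count_missed(new_check_rejects));
	return 0;
}
```

The old test only catches offsets whose shifted value happens to have bit 63 set; offsets that wrap past it come out as small non-negative numbers and are accepted.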
* [PATCH 3.16 394/410] batman-adv: fix multicast-via-unicast transmission with AP isolation
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Simon Wunderlich, Sven Eckelmann, Linus Lüssing
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Linus Lüssing <linus.luessing@c0d3.blue>
commit f8fb3419ead44f9a3136995acd24e35da4525177 upstream.
For multicast frames AP isolation is only supposed to be checked on
the receiving nodes and never on the originating one.
Furthermore, the isolation or wifi flag bits should only be interpreted
as such for unicast and never multicast TT entries.
By injecting flags to the multicast TT entry claimed by a single
target node it was verified in tests that this multicast address
becomes unreachable, leading to packet loss.
Omitting the "src" parameter to the batadv_transtable_search() call
successfully skipped the AP isolation check and made the target
reachable again.
Fixes: 1d8ab8d3c176 ("batman-adv: Modified forwarding behaviour for multicast packets")
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/batman-adv/multicast.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/net/batman-adv/multicast.c
+++ b/net/batman-adv/multicast.c
@@ -398,8 +398,8 @@ static struct batadv_orig_node *
batadv_mcast_forw_tt_node_get(struct batadv_priv *bat_priv,
struct ethhdr *ethhdr)
{
- return batadv_transtable_search(bat_priv, ethhdr->h_source,
- ethhdr->h_dest, BATADV_NO_FLAGS);
+ return batadv_transtable_search(bat_priv, NULL, ethhdr->h_dest,
+ BATADV_NO_FLAGS);
}
/**
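Review bot: passing NULL as the src argument of batadv_transtable_search() reads like an omission to anyone who has not seen the commit message. A one-line comment in batadv_mcast_forw_tt_node_get() saying that the source is left out on purpose, so that the AP isolation check is skipped for multicast TT entries, would keep a later cleanup from putting ethhdr->h_source back.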
* [PATCH 3.16 384/410] RDMA/ucma: Correct option size check using optlen
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Jason Gunthorpe, Shiraz Saleem, Leon Romanovsky, Chien Tin Tung
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Chien Tin Tung <chien.tin.tung@intel.com>
commit 5f3e3b85cc0a5eae1c46d72e47d3de7bf208d9e2 upstream.
The option size check is using optval instead of optlen
causing the set option call to fail. Use the correct
field, optlen, for size check.
Fixes: 6a21dfc0d0db ("RDMA/ucma: Limit possible option size")
Signed-off-by: Chien Tin Tung <chien.tin.tung@intel.com>
Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/infiniband/core/ucma.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/infiniband/core/ucma.c
+++ b/drivers/infiniband/core/ucma.c
@@ -1200,7 +1200,7 @@ static ssize_t ucma_set_option(struct uc
if (IS_ERR(ctx))
return PTR_ERR(ctx);
- if (unlikely(cmd.optval > KMALLOC_MAX_SIZE))
+ if (unlikely(cmd.optlen > KMALLOC_MAX_SIZE))
return -EINVAL;
optval = memdup_user((void __user *) (unsigned long) cmd.optval,
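Review bot: with the comparison moved to cmd.optlen the upper bound is now right, but it is the only bound checked before memdup_user(); nothing in this hunk rejects a length that is too small for the option being set. If the per-option handlers do not already compare optlen with the size they expect, that check belongs there.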
* [PATCH 3.16 116/410] arm: spear600: Add missing interrupt-parent of rtc
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Olof Johansson, Viresh Kumar, Arnd Bergmann
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Viresh Kumar <viresh.kumar@linaro.org>
commit 6ffb5b4f248fe53e0361b8cbc2a523b432566442 upstream.
The interrupt-parent of rtc was missing, add it.
Fixes: 8113ba917dfa ("ARM: SPEAr: DT: Update device nodes")
Reported-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Olof Johansson <olof@lixom.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/arm/boot/dts/spear600.dtsi | 1 +
1 file changed, 1 insertion(+)
--- a/arch/arm/boot/dts/spear600.dtsi
+++ b/arch/arm/boot/dts/spear600.dtsi
@@ -194,6 +194,7 @@
rtc@fc900000 {
compatible = "st,spear600-rtc";
reg = <0xfc900000 0x1000>;
+ interrupt-parent = <&vic0>;
interrupts = <10>;
status = "disabled";
};
* [PATCH 3.16 348/410] can: cc770: Fix stalls on rt-linux, remove redundant IRQ ack
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Andri Yngvason, Richard Weinberger, Marc Kleine-Budde
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Andri Yngvason <andri.yngvason@marel.com>
commit f4353daf4905c0099fd25fa742e2ffd4a4bab26a upstream.
This has been reported to cause stalls on rt-linux.
Suggested-by: Richard Weinberger <richard@nod.at>
Tested-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Andri Yngvason <andri.yngvason@marel.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/net/can/cc770/cc770.c | 15 ---------------
1 file changed, 15 deletions(-)
--- a/drivers/net/can/cc770/cc770.c
+++ b/drivers/net/can/cc770/cc770.c
@@ -447,15 +447,6 @@ static netdev_tx_t cc770_start_xmit(stru
stats->tx_bytes += dlc;
-
- /*
- * HM: We had some cases of repeated IRQs so make sure the
- * INT is acknowledged I know it's already further up, but
- * doing again fixed the issue
- */
- cc770_write_reg(priv, msgobj[mo].ctrl0,
- MSGVAL_UNC | TXIE_UNC | RXIE_UNC | INTPND_RES);
-
return NETDEV_TX_OK;
}
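Review bot: the write removed from cc770_start_xmit() carried a comment saying the second acknowledge was added because it fixed repeated IRQs, while the commit message only states that it causes stalls on rt-linux. Please say in the changelog why the original repeated-IRQ case no longer needs it, or on which hardware the removal was tested, so that history is not lost together with the comment.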
@@ -683,12 +674,6 @@ static void cc770_tx_interrupt(struct ne
/* Nothing more to send, switch off interrupts */
cc770_write_reg(priv, msgobj[mo].ctrl0,
MSGVAL_RES | TXIE_RES | RXIE_RES | INTPND_RES);
- /*
- * We had some cases of repeated IRQ so make sure the
- * INT is acknowledged
- */
- cc770_write_reg(priv, msgobj[mo].ctrl0,
- MSGVAL_UNC | TXIE_UNC | RXIE_UNC | INTPND_RES);
stats->tx_packets++;
can_get_echo_skb(dev, 0);
* [PATCH 3.16 095/410] pktcdvd: Fix pkt_setup_dev() error path
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Jens Axboe, Maciej S. Szmigiero, Tejun Heo, Bart Van Assche
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Bart Van Assche <bart.vanassche@wdc.com>
commit 5a0ec388ef0f6e33841aeb810d7fa23f049ec4cd upstream.
Commit 523e1d399ce0 ("block: make gendisk hold a reference to its queue")
modified add_disk() and disk_release() but did not update any of the
error paths that trigger a put_disk() call after disk->queue has been
assigned. That introduced the following behavior in the pktcdvd driver
if pkt_new_dev() fails:
Kernel BUG at 00000000e98fd882 [verbose debug info unavailable]
Since disk_release() calls blk_put_queue() anyway if disk->queue != NULL,
fix this by removing the blk_cleanup_queue() call from the pkt_setup_dev()
error path.
Fixes: commit 523e1d399ce0 ("block: make gendisk hold a reference to its queue")
Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
Cc: Tejun Heo <tj@kernel.org>
Cc: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/block/pktcdvd.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
--- a/drivers/block/pktcdvd.c
+++ b/drivers/block/pktcdvd.c
@@ -2796,7 +2796,7 @@ static int pkt_setup_dev(dev_t dev, dev_
pd->pkt_dev = MKDEV(pktdev_major, idx);
ret = pkt_new_dev(pd, dev);
if (ret)
- goto out_new_dev;
+ goto out_mem2;
/* inherit events of the host device */
disk->events = pd->bdev->bd_disk->events;
@@ -2814,8 +2814,6 @@ static int pkt_setup_dev(dev_t dev, dev_
mutex_unlock(&ctl_mutex);
return 0;
-out_new_dev:
- blk_cleanup_queue(disk->queue);
out_mem2:
put_disk(disk);
out_mem:
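Review bot: dropping the out_new_dev label leaves put_disk() as the only teardown when pkt_new_dev() fails, which relies on disk_release() dropping the queue reference as the commit message describes. blk_cleanup_queue() and a reference put are not the same operation, so it is worth confirming that nothing has been started on disk->queue by the time pkt_new_dev() can fail, and saying so in the changelog.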
* [PATCH 3.16 391/410] mm/mempolicy.c: avoid use uninitialized preferred_node
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Michal Hocko, Vlastimil Babka, Linus Torvalds, Yisheng Xie,
Alexander Potapenko, Dmitriy Vyukov
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Yisheng Xie <xieyisheng1@huawei.com>
commit 8970a63e965b43288c4f5f40efbc2bbf80de7f16 upstream.
Alexander reported a use of uninitialized memory in __mpol_equal(),
which is caused by incorrect use of preferred_node.
When mempolicy is in mode MPOL_PREFERRED with flags MPOL_F_LOCAL, it uses
numa_node_id() instead of preferred_node, however, __mpol_equal() uses
preferred_node without checking whether it is MPOL_F_LOCAL or not.
[akpm@linux-foundation.org: slight comment tweak]
Link: http://lkml.kernel.org/r/4ebee1c2-57f6-bcb8-0e2d-1833d1ee0bb7@huawei.com
Fixes: fc36b8d3d819 ("mempolicy: use MPOL_F_LOCAL to Indicate Preferred Local Policy")
Signed-off-by: Yisheng Xie <xieyisheng1@huawei.com>
Reported-by: Alexander Potapenko <glider@google.com>
Tested-by: Alexander Potapenko <glider@google.com>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Dmitriy Vyukov <dvyukov@google.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Michal Hocko <mhocko@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
mm/mempolicy.c | 3 +++
1 file changed, 3 insertions(+)
--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -2160,6 +2160,9 @@ bool __mpol_equal(struct mempolicy *a, s
case MPOL_INTERLEAVE:
return !!nodes_equal(a->v.nodes, b->v.nodes);
case MPOL_PREFERRED:
+ /* a's ->flags is the same as b's */
+ if (a->flags & MPOL_F_LOCAL)
+ return true;
return a->v.preferred_node == b->v.preferred_node;
default:
BUG();
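Review bot: the early return for MPOL_F_LOCAL depends on a->flags and b->flags having been compared earlier in __mpol_equal(), which the new comment asserts but this hunk does not show. The comment would be more useful if it pointed at that earlier comparison and said that preferred_node must not be read for a local policy.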
* [PATCH 3.16 021/410] dccp: check sk for closed state in dccp_sendmsg()
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, syzbot+f99ab3887ab65d70f816, Alexey Kodanev, David S. Miller
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Alexey Kodanev <alexey.kodanev@oracle.com>
commit 67f93df79aeefc3add4e4b31a752600f834236e2 upstream.
dccp_disconnect() sets 'dp->dccps_hc_tx_ccid' tx handler to NULL,
therefore if DCCP socket is disconnected and dccp_sendmsg() is
called after it, it will cause a NULL pointer dereference in
dccp_write_xmit().
This crash and the reproducer were reported by syzbot. Looks like
it is reproduced if commit 69c64866ce07 ("dccp: CVE-2017-8824:
use-after-free in DCCP code") is applied.
Reported-by: syzbot+f99ab3887ab65d70f816@syzkaller.appspotmail.com
Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/dccp/proto.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/net/dccp/proto.c
+++ b/net/dccp/proto.c
@@ -785,6 +785,11 @@ int dccp_sendmsg(struct kiocb *iocb, str
if (skb == NULL)
goto out_release;
+ if (sk->sk_state == DCCP_CLOSED) {
+ rc = -ENOTCONN;
+ goto out_discard;
+ }
+
skb_reserve(skb, sk->sk_prot->max_header);
rc = memcpy_fromiovec(skb_put(skb, len), msg->msg_iov, len);
if (rc != 0)
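Review bot: the DCCP_CLOSED test sits after the skb has been allocated, which is why it has to leave through out_discard. If the state is rechecked here because it can change while the allocation sleeps, a short comment saying so would stop someone from moving the test to the top of dccp_sendmsg(); if not, testing before the allocation avoids an alloc and free on a closed socket.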
* [PATCH 3.16 406/410] net/mlx4_en: Fix mixed PFC and Global pause user control requests
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Tariq Toukan, David S. Miller, Eran Ben Elisha
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eran Ben Elisha <eranbe@mellanox.com>
commit 6e8814ceb7e8f468659ef9253bd212c07ae19584 upstream.
Global pause and PFC configuration should be mutually exclusive (i.e. only
one of them at most can be set). However, once PFC was turned off,
driver automatically turned Global pause on. This is a bug.
Fix the driver behaviour to turn off PFC/Global once the user turned the
other on.
This also fixed a weird behaviour that at a current time, the profile
had both PFC and global pause configuration turned on, which is
Hardware-wise impossible and caused returning false positive indication
to query tools.
In addition, fix error code when setting global pause or PFC to change
metadata only upon successful change.
Also, removed useless debug print.
Fixes: af7d51852631 ("net/mlx4_en: Add DCB PFC support through CEE netlink commands")
Fixes: c27a02cd94d6 ("mlx4_en: Add driver for Mellanox ConnectX 10GbE NIC")
Signed-off-by: Eran Ben Elisha <eranbe@mellanox.com>
Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16:
- Drop changes to mlx4_en_dcbnl_set_all()
- Don't call mlx4_en_update_pfc_stats_bitmap()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/net/ethernet/mellanox/mlx4/en_dcb_nl.c
+++ b/drivers/net/ethernet/mellanox/mlx4/en_dcb_nl.c
@@ -162,6 +162,7 @@ static int mlx4_en_dcbnl_ieee_setpfc(str
struct mlx4_en_priv *priv = netdev_priv(dev);
struct mlx4_en_port_profile *prof = priv->prof;
struct mlx4_en_dev *mdev = priv->mdev;
+ u32 tx_pause, tx_ppp, rx_pause, rx_ppp;
int err;
en_dbg(DRV, priv, "cap: 0x%x en: 0x%x mbc: 0x%x delay: %d\n",
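Review bot: the new locals in mlx4_en_dcbnl_ieee_setpfc() are declared u32, while the matching change in mlx4_en_set_pauseparam() declares the same four values as u8. Pick one type, preferably the one the mlx4_en_port_profile fields use, so the two paths cannot truncate differently.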
@@ -170,19 +171,23 @@ static int mlx4_en_dcbnl_ieee_setpfc(str
pfc->mbc,
pfc->delay);
- prof->rx_pause = !pfc->pfc_en;
- prof->tx_pause = !pfc->pfc_en;
- prof->rx_ppp = pfc->pfc_en;
- prof->tx_ppp = pfc->pfc_en;
+ rx_pause = prof->rx_pause && !pfc->pfc_en;
+ tx_pause = prof->tx_pause && !pfc->pfc_en;
+ rx_ppp = pfc->pfc_en;
+ tx_ppp = pfc->pfc_en;
err = mlx4_SET_PORT_general(mdev->dev, priv->port,
priv->rx_skb_size + ETH_FCS_LEN,
- prof->tx_pause,
- prof->tx_ppp,
- prof->rx_pause,
- prof->rx_ppp);
- if (err)
+ tx_pause, tx_ppp, rx_pause, rx_ppp);
+ if (err) {
en_err(priv, "Failed setting pause params\n");
+ return err;
+ }
+
+ prof->tx_ppp = tx_ppp;
+ prof->rx_ppp = rx_ppp;
+ prof->rx_pause = rx_pause;
+ prof->tx_pause = tx_pause;
return err;
}
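Review bot: with the early return added inside if (err), the final return err in mlx4_en_dcbnl_ieee_setpfc() can only ever return 0. Writing return 0 there would make the success path obvious.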
--- a/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c
+++ b/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c
@@ -474,21 +474,29 @@ static int mlx4_en_set_pauseparam(struct
{
struct mlx4_en_priv *priv = netdev_priv(dev);
struct mlx4_en_dev *mdev = priv->mdev;
+ u8 tx_pause, tx_ppp, rx_pause, rx_ppp;
int err;
if (pause->autoneg)
return -EINVAL;
- priv->prof->tx_pause = pause->tx_pause != 0;
- priv->prof->rx_pause = pause->rx_pause != 0;
+ tx_pause = !!(pause->tx_pause);
+ rx_pause = !!(pause->rx_pause);
+ rx_ppp = priv->prof->rx_ppp && !(tx_pause || rx_pause);
+ tx_ppp = priv->prof->tx_ppp && !(tx_pause || rx_pause);
+
err = mlx4_SET_PORT_general(mdev->dev, priv->port,
priv->rx_skb_size + ETH_FCS_LEN,
- priv->prof->tx_pause,
- priv->prof->tx_ppp,
- priv->prof->rx_pause,
- priv->prof->rx_ppp);
- if (err)
- en_err(priv, "Failed setting pause params\n");
+ tx_pause, tx_ppp, rx_pause, rx_ppp);
+ if (err) {
+ en_err(priv, "Failed setting pause params, err = %d\n", err);
+ return err;
+ }
+
+ priv->prof->tx_pause = tx_pause;
+ priv->prof->rx_pause = rx_pause;
+ priv->prof->tx_ppp = tx_ppp;
+ priv->prof->rx_ppp = rx_ppp;
return err;
}
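Review bot: rx_ppp and tx_ppp are computed with && in mlx4_en_set_pauseparam(), so they can only be 0 or 1 here, while mlx4_en_dcbnl_ieee_setpfc() stores pfc->pfc_en in the same profile fields and prints it as a hex value. If those fields hold a per-priority bitmap, a pauseparam call with both pause values off rewrites the stored mask to 1. A conditional that yields 0 when either pause is on and the unchanged priv->prof->rx_ppp (or tx_ppp) otherwise would keep the original value.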
--- a/drivers/net/ethernet/mellanox/mlx4/en_main.c
+++ b/drivers/net/ethernet/mellanox/mlx4/en_main.c
@@ -137,9 +137,9 @@ static int mlx4_en_get_profile(struct ml
params->udp_rss = 0;
}
for (i = 1; i <= MLX4_MAX_PORTS; i++) {
- params->prof[i].rx_pause = 1;
+ params->prof[i].rx_pause = !(pfcrx || pfctx);
params->prof[i].rx_ppp = pfcrx;
- params->prof[i].tx_pause = 1;
+ params->prof[i].tx_pause = !(pfcrx || pfctx);
params->prof[i].tx_ppp = pfctx;
params->prof[i].tx_ring_size = MLX4_EN_DEF_TX_RING_SIZE;
params->prof[i].rx_ring_size = MLX4_EN_DEF_RX_RING_SIZE;
* [PATCH 3.16 051/410] KVM: nVMX: mark vmcs12 pages dirty on L2 exit
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Radim Krčmář,
David Matlack, David Woodhouse, Greg Kroah-Hartman,
Paolo Bonzini
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: David Matlack <dmatlack@google.com>
commit c9f04407f2e0b3fc9ff7913c65fcfcb0a4b61570 upstream.
The host physical addresses of L1's Virtual APIC Page and Posted
Interrupt descriptor are loaded into the VMCS02. The CPU may write
to these pages via their host physical address while L2 is running,
bypassing address-translation-based dirty tracking (e.g. EPT write
protection). Mark them dirty on every exit from L2 to prevent them
from getting out of sync with dirty tracking.
Also mark the virtual APIC page and the posted interrupt descriptor
dirty when KVM is virtualizing posted interrupt processing.
Signed-off-by: David Matlack <dmatlack@google.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16:
- No nested posted interrupt support
- No SMM support, so use mark_page_dirty() instead of
kvm_vcpu_mark_page_dirty()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/x86/kvm/vmx.c | 29 +++++++++++++++++++++++++++++
1 file changed, 29 insertions(+)
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -4197,6 +4197,23 @@ static int vmx_vm_has_apicv(struct kvm *
return enable_apicv && irqchip_in_kernel(kvm);
}
+static void nested_mark_vmcs12_pages_dirty(struct kvm_vcpu *vcpu)
+{
+ struct vmcs12 *vmcs12 = get_vmcs12(vcpu);
+ gfn_t gfn;
+
+ /*
+ * Don't need to mark the APIC access page dirty; it is never
+ * written to by the CPU during APIC virtualization.
+ */
+
+ if (nested_cpu_has(vmcs12, CPU_BASED_TPR_SHADOW)) {
+ gfn = vmcs12->virtual_apic_page_addr >> PAGE_SHIFT;
+ mark_page_dirty(vcpu->kvm, gfn);
+ }
+}
+
+
/*
* Send interrupt to vcpu via posted interrupt way.
* 1. If target vcpu is running(non-root mode), send posted interrupt
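Review bot: nested_mark_vmcs12_pages_dirty() is followed by two added blank lines before the next comment block; one is enough. The backport note says nested posted interrupts are not supported in 3.16, so a line in the function's comment stating that only the virtual APIC page is handled here would explain the difference from what the commit message describes.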
@@ -6902,6 +6919,18 @@ static bool nested_vmx_exit_handled(stru
vmcs_read32(VM_EXIT_INTR_ERROR_CODE),
KVM_ISA_VMX);
+ /*
+ * The host physical addresses of some pages of guest memory
+ * are loaded into VMCS02 (e.g. L1's Virtual APIC Page). The CPU
+ * may write to these pages via their host physical address while
+ * L2 is running, bypassing any address-translation-based dirty
+ * tracking (e.g. EPT write protection).
+ *
+ * Mark them dirty on every exit from L2 to prevent them from
+ * getting out of sync with dirty tracking.
+ */
+ nested_mark_vmcs12_pages_dirty(vcpu);
+
if (vmx->nested.nested_run_pending)
return 0;
* [PATCH 3.16 327/410] usb: quirks: add control message delay for 1b1c:1b20
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Greg Kroah-Hartman, Danilo Krummrich
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Danilo Krummrich <danilokrummrich@dk-develop.de>
commit cb88a0588717ba6c756cb5972d75766b273a6817 upstream.
Corsair Strafe RGB keyboard does not respond to usb control messages
sometimes and hence generates timeouts.
Commit de3af5bf259d ("usb: quirks: add delay init quirk for Corsair
Strafe RGB keyboard") tried to fix those timeouts by adding
USB_QUIRK_DELAY_INIT.
Unfortunately, even with this quirk timeouts of usb_control_msg()
can still be seen, but with a lower frequency (approx. 1 out of 15):
[ 29.103520] usb 1-8: string descriptor 0 read error: -110
[ 34.363097] usb 1-8: can't set config #1, error -110
Adding further delays to different locations where usb control
messages are issued just moves the timeouts to other locations,
e.g.:
[ 35.400533] usbhid 1-8:1.0: can't add hid device: -110
[ 35.401014] usbhid: probe of 1-8:1.0 failed with error -110
The only way to reliably avoid those issues is having a pause after
each usb control message. In approx. 200 boot cycles no more timeouts
were seen.
Additionally, keep USB_QUIRK_DELAY_INIT as it turned out to be necessary
to have the delay in hub_port_connect() after hub_port_init().
The overall boot time seems not to be influenced by these additional
delays, even on fast machines and lightweight distributions.
Fixes: de3af5bf259d ("usb: quirks: add delay init quirk for Corsair Strafe RGB keyboard")
Signed-off-by: Danilo Krummrich <danilokrummrich@dk-develop.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/core/message.c | 4 ++++
drivers/usb/core/quirks.c | 3 ++-
include/linux/usb/quirks.h | 3 +++
3 files changed, 9 insertions(+), 1 deletion(-)
--- a/drivers/usb/core/message.c
+++ b/drivers/usb/core/message.c
@@ -147,6 +147,10 @@ int usb_control_msg(struct usb_device *d
ret = usb_internal_control_msg(dev, pipe, dr, data, size, timeout);
+ /* Linger a bit, prior to the next control message. */
+ if (dev->quirks & USB_QUIRK_DELAY_CTRL_MSG)
+ msleep(200);
+
kfree(dr);
return ret;
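Review bot: the msleep(200) in usb_control_msg() runs before kfree(dr) and regardless of ret, so the setup packet stays allocated for the whole delay and failed transfers are delayed as well. Freeing dr first costs nothing, and the 200 ms value deserves a named constant or a comment saying how it was chosen.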
--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -226,7 +226,8 @@ static const struct usb_device_id usb_qu
{ USB_DEVICE(0x1b1c, 0x1b13), .driver_info = USB_QUIRK_DELAY_INIT },
/* Corsair Strafe RGB */
- { USB_DEVICE(0x1b1c, 0x1b20), .driver_info = USB_QUIRK_DELAY_INIT },
+ { USB_DEVICE(0x1b1c, 0x1b20), .driver_info = USB_QUIRK_DELAY_INIT |
+ USB_QUIRK_DELAY_CTRL_MSG },
/* Corsair K70 LUX */
{ USB_DEVICE(0x1b1c, 0x1b36), .driver_info = USB_QUIRK_DELAY_INIT },
--- a/include/linux/usb/quirks.h
+++ b/include/linux/usb/quirks.h
@@ -56,4 +56,7 @@
*/
#define USB_QUIRK_LINEAR_FRAME_INTR_BINTERVAL BIT(11)
+/* Device needs a pause after every control message. */
+#define USB_QUIRK_DELAY_CTRL_MSG BIT(13)
+
#endif /* __LINUX_USB_QUIRKS_H */
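Review bot: USB_QUIRK_DELAY_CTRL_MSG takes BIT(13) while the define directly above it is BIT(11), so BIT(12) is skipped in the visible context. If that is to keep the value identical to upstream, a comment reserving BIT(12) would stop a later backport from reusing it for something else.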
* [PATCH 3.16 337/410] USB: storage: Add JMicron bridge 152d:2567 to unusual_devs.h
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Teijo Kinnunen, Alan Stern, Greg Kroah-Hartman
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Teijo Kinnunen <teijo.kinnunen@code-q.fi>
commit 5126a504b63d82785eaece3a9c30c660b313785a upstream.
This USB-SATA controller seems to be similar to JMicron bridge
152d:2566 already on the list. Adding it here fixes "Invalid
field in cdb" errors.
Signed-off-by: Teijo Kinnunen <teijo.kinnunen@code-q.fi>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/storage/unusual_devs.h | 7 +++++++
1 file changed, 7 insertions(+)
--- a/drivers/usb/storage/unusual_devs.h
+++ b/drivers/usb/storage/unusual_devs.h
@@ -2004,6 +2004,13 @@ UNUSUAL_DEV( 0x152d, 0x2566, 0x0114, 0x
USB_SC_DEVICE, USB_PR_DEVICE, NULL,
US_FL_BROKEN_FUA ),
+/* Reported by Teijo Kinnunen <teijo.kinnunen@code-q.fi> */
+UNUSUAL_DEV( 0x152d, 0x2567, 0x0117, 0x0117,
+ "JMicron",
+ "USB to ATA/ATAPI Bridge",
+ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
+ US_FL_BROKEN_FUA ),
+
/* Reported-by George Cherian <george.cherian@cavium.com> */
UNUSUAL_DEV(0x152d, 0x9561, 0x0000, 0x9999,
"JMicron",
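Review bot: the new UNUSUAL_DEV entry matches only bcdDevice 0x0117 to 0x0117, so any other revision of the 152d:2567 bridge will not get US_FL_BROKEN_FUA. That is fine if only this revision was tested, but the comment above the entry should say so. The comment also uses "Reported by" where the neighbouring entry uses "Reported-by".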
* [PATCH 3.16 076/410] media: cpia2: Fix a couple off by one bugs
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Hans Verkuil, Dan Carpenter, Mauro Carvalho Chehab
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@oracle.com>
commit d5ac225c7d64c9c3ef821239edc035634e594ec9 upstream.
The cam->buffers[] array has cam->num_frames elements so the > needs to
be changed to >= to avoid going beyond the end of the array. The
->buffers[] array is allocated in cpia2_allocate_buffers() if you want
to confirm.
Fixes: ab33d5071de7 ("V4L/DVB (3376): Add cpia2 camera support")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/media/usb/cpia2/cpia2_v4l.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/media/usb/cpia2/cpia2_v4l.c
+++ b/drivers/media/usb/cpia2/cpia2_v4l.c
@@ -812,7 +812,7 @@ static int cpia2_querybuf(struct file *f
struct camera_data *cam = video_drvdata(file);
if(buf->type != V4L2_BUF_TYPE_VIDEO_CAPTURE ||
- buf->index > cam->num_frames)
+ buf->index >= cam->num_frames)
return -EINVAL;
buf->m.offset = cam->buffers[buf->index].data - cam->frame_buffer;
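Review bot: the `buf->index >= cam->num_frames` test in cpia2_querybuf() is the only thing guarding the cam->buffers[buf->index] dereference on the line right after the return. A short comment that buffers[] holds exactly num_frames elements would make the inclusive bound obvious to the next reader and keep it from drifting back to `>`.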
@@ -863,7 +863,7 @@ static int cpia2_qbuf(struct file *file,
if(buf->type != V4L2_BUF_TYPE_VIDEO_CAPTURE ||
buf->memory != V4L2_MEMORY_MMAP ||
- buf->index > cam->num_frames)
+ buf->index >= cam->num_frames)
return -EINVAL;
DBG("QBUF #%d\n", buf->index);
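Review bot: cpia2_qbuf() repeats the type and index validation from cpia2_querybuf(), and both copies carried the same off-by-one. Moving the shared `buf->type` and `buf->index >= cam->num_frames` test into one small helper would leave a single place to get the bound right.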
^ permalink raw reply [flat|nested] 428+ messages in thread
* [PATCH 3.16 091/410] drivers: video: fbdev: atmel_lcdfb.c: fix error return code
2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
` (264 preceding siblings ...)
2018-06-07 14:05 ` [PATCH 3.16 334/410] x86/spectre_v2: Don't check microcode versions when running under hypervisors Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
2018-06-07 14:05 ` [PATCH 3.16 125/410] signal/openrisc: Fix do_unaligned_access to send the proper signal Ben Hutchings
` (143 subsequent siblings)
409 siblings, 0 replies; 428+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Nicolas Ferre, Tomi Valkeinen, Julia Lawall
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Julia Lawall <Julia.Lawall@lip6.fr>
commit 6c131850eca653344c41d68ce87f3ab5a89af89e upstream.
Convert a zero return value on error to a negative one, as returned
elsewhere in the function.
A simplified version of the semantic match that finds this problem is as
follows: (http://coccinelle.lip6.fr/)
// <smpl>
(
if@p1 (\(ret < 0\|ret != 0\))
{ ... return ret; }
|
ret@p1 = 0
)
... when != ret = e1
when != &ret
*if(...)
{
... when != ret = e2
when forall
return ret;
}
// </smpl>
Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
Acked-by: Nicolas Ferre <nicolas.ferre@atmel.com>
Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/video/fbdev/atmel_lcdfb.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/video/fbdev/atmel_lcdfb.c
+++ b/drivers/video/fbdev/atmel_lcdfb.c
@@ -1101,12 +1101,14 @@ static int atmel_lcdfb_of_init(struct at
timings = of_get_display_timings(display_np);
if (!timings) {
dev_err(dev, "failed to get display timings\n");
+ ret = -EINVAL;
goto put_display_node;
}
timings_np = of_find_node_by_name(display_np, "display-timings");
if (!timings_np) {
dev_err(dev, "failed to find display-timings node\n");
+ ret = -ENODEV;
goto put_display_node;
}
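Review bot: the two failure paths get different codes, -EINVAL when of_get_display_timings() fails and -ENODEV when the display-timings node is missing, while the commit message only says "a negative one"; a word on why they differ would help. Both assignments sit directly before `goto put_display_node`, so any other jump to that label in atmel_lcdfb_of_init() that can leave ret at 0 needs the same treatment.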
^ permalink raw reply [flat|nested] 428+ messages in thread
* [PATCH 3.16 201/410] pipe: refactor argument for account_pipe_buffers()
2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
` (72 preceding siblings ...)
2018-06-07 14:05 ` [PATCH 3.16 263/410] cfg80211: fix cfg80211_beacon_dup Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
2018-06-07 14:05 ` [PATCH 3.16 291/410] l2tp: don't use inet_shutdown on ppp session destroy Ben Hutchings
` (335 subsequent siblings)
409 siblings, 0 replies; 428+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Jens Axboe, socketpair, Al Viro, Willy Tarreau,
Michael Kerrisk (man-pages),
Vegard Nossum, Tetsuo Handa, Linus Torvalds
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com>
commit 3734a13b96ebf039b293d8d37a934fd1bd9e03ab upstream.
This is a preparatory patch for following work. account_pipe_buffers()
performs accounting in the 'user_struct'. There is no need to pass a
pointer to a 'pipe_inode_info' struct (which is then dereferenced to
obtain a pointer to the 'user' field). Instead, pass a pointer directly
to the 'user_struct'. This change is needed in preparation for a
subsequent patch that fixes the limit checking in alloc_pipe_info()
(and the resulting code is a little more logical).
Link: http://lkml.kernel.org/r/7277bf8c-a6fc-4a7d-659c-f5b145c981ab@gmail.com
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
Reviewed-by: Vegard Nossum <vegard.nossum@oracle.com>
Cc: Willy Tarreau <w@1wt.eu>
Cc: <socketpair@gmail.com>
Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Cc: Jens Axboe <axboe@fb.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/pipe.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -590,10 +590,10 @@ pipe_fasync(int fd, struct file *filp, i
return retval;
}
-static void account_pipe_buffers(struct pipe_inode_info *pipe,
+static void account_pipe_buffers(struct user_struct *user,
unsigned long old, unsigned long new)
{
- atomic_long_add(new - old, &pipe->user->pipe_bufs);
+ atomic_long_add(new - old, &user->pipe_bufs);
}
static bool too_many_pipe_buffers_soft(struct user_struct *user)
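Review bot: account_pipe_buffers() computes `new - old` in unsigned long and passes it to atomic_long_add(), so whenever new < old (the free and shrink callers) it relies on the wrapped difference converting back to a negative long. Now that the helper takes a bare user_struct and will gain more callers, a one-line comment or an explicit signed difference would make that intent visible.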
@@ -628,7 +628,7 @@ struct pipe_inode_info *alloc_pipe_info(
pipe->r_counter = pipe->w_counter = 1;
pipe->buffers = pipe_bufs;
pipe->user = user;
- account_pipe_buffers(pipe, 0, pipe_bufs);
+ account_pipe_buffers(user, 0, pipe_bufs);
mutex_init(&pipe->mutex);
return pipe;
}
@@ -643,7 +643,7 @@ void free_pipe_info(struct pipe_inode_in
{
int i;
- account_pipe_buffers(pipe, pipe->buffers, 0);
+ account_pipe_buffers(pipe->user, pipe->buffers, 0);
free_uid(pipe->user);
for (i = 0; i < pipe->buffers; i++) {
struct pipe_buffer *buf = pipe->bufs + i;
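Review bot: in free_pipe_info() the call account_pipe_buffers(pipe->user, pipe->buffers, 0) now dereferences pipe->user at the call site and has to stay ahead of free_uid(pipe->user) on the next line. Since the helper no longer takes the pipe, that ordering dependency is easier to miss when teardown is reordered; a brief comment would pin it down.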
@@ -1062,7 +1062,7 @@ static long pipe_set_size(struct pipe_in
memcpy(bufs + head, pipe->bufs, tail * sizeof(struct pipe_buffer));
}
- account_pipe_buffers(pipe, pipe->buffers, nr_pages);
+ account_pipe_buffers(pipe->user, pipe->buffers, nr_pages);
pipe->curbuf = 0;
kfree(pipe->bufs);
pipe->bufs = bufs;
^ permalink raw reply [flat|nested] 428+ messages in thread
* [PATCH 3.16 257/410] drm/radeon: Fix deadlock on runtime suspend
2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
` (69 preceding siblings ...)
2018-06-07 14:05 ` [PATCH 3.16 275/410] x86/oprofile: Fix bogus GCC-8 warning in nmi_setup() Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
2018-06-07 14:05 ` [PATCH 3.16 361/410] drm/radeon: fix prime teardown order Ben Hutchings
` (338 subsequent siblings)
409 siblings, 0 replies; 428+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Dave Airlie, Lukas Wunner, Lyude Paul, Alex Deucher, Ismo Toijala
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Lukas Wunner <lukas@wunner.de>
commit 15734feff2bdac24aa3266c437cffa42851990e3 upstream.
radeon's ->runtime_suspend hook calls drm_kms_helper_poll_disable(),
which waits for the output poll worker to finish if it's running.
The output poll worker meanwhile calls pm_runtime_get_sync() in
radeon's ->detect hooks, which waits for the ongoing suspend to finish,
causing a deadlock.
Fix by not acquiring a runtime PM ref if the ->detect hooks are called
in the output poll worker's context. This is safe because the poll
worker is only enabled while runtime active and we know that
->runtime_suspend waits for it to finish.
Stack trace for posterity:
INFO: task kworker/0:3:31847 blocked for more than 120 seconds
Workqueue: events output_poll_execute [drm_kms_helper]
Call Trace:
schedule+0x3c/0x90
rpm_resume+0x1e2/0x690
__pm_runtime_resume+0x3f/0x60
radeon_lvds_detect+0x39/0xf0 [radeon]
output_poll_execute+0xda/0x1e0 [drm_kms_helper]
process_one_work+0x14b/0x440
worker_thread+0x48/0x4a0
INFO: task kworker/2:0:10493 blocked for more than 120 seconds.
Workqueue: pm pm_runtime_work
Call Trace:
schedule+0x3c/0x90
schedule_timeout+0x1b3/0x240
wait_for_common+0xc2/0x180
wait_for_completion+0x1d/0x20
flush_work+0xfc/0x1a0
__cancel_work_timer+0xa5/0x1d0
cancel_delayed_work_sync+0x13/0x20
drm_kms_helper_poll_disable+0x1f/0x30 [drm_kms_helper]
radeon_pmops_runtime_suspend+0x3d/0xa0 [radeon]
pci_pm_runtime_suspend+0x61/0x1a0
vga_switcheroo_runtime_suspend+0x21/0x70
__rpm_callback+0x32/0x70
rpm_callback+0x24/0x80
rpm_suspend+0x12b/0x640
pm_runtime_work+0x6f/0xb0
process_one_work+0x14b/0x440
worker_thread+0x48/0x4a0
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=94147
Fixes: 10ebc0bc0934 ("drm/radeon: add runtime PM support (v2)")
Cc: Ismo Toijala <ismo.toijala@gmail.com>
Cc: Alex Deucher <alexander.deucher@amd.com>
Cc: Dave Airlie <airlied@redhat.com>
Reviewed-by: Lyude Paul <lyude@redhat.com>
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Link: https://patchwork.freedesktop.org/patch/msgid/64ea02c44f91dda19bc563902b97bbc699040392.1518338789.git.lukas@wunner.de
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/gpu/drm/radeon/radeon_connectors.c | 74 ++++++++++++++--------
1 file changed, 49 insertions(+), 25 deletions(-)
--- a/drivers/gpu/drm/radeon/radeon_connectors.c
+++ b/drivers/gpu/drm/radeon/radeon_connectors.c
@@ -707,9 +707,11 @@ radeon_lvds_detect(struct drm_connector
enum drm_connector_status ret = connector_status_disconnected;
int r;
- r = pm_runtime_get_sync(connector->dev->dev);
- if (r < 0)
- return connector_status_disconnected;
+ if (!drm_kms_helper_is_poll_worker()) {
+ r = pm_runtime_get_sync(connector->dev->dev);
+ if (r < 0)
+ return connector_status_disconnected;
+ }
if (encoder) {
struct radeon_encoder *radeon_encoder = to_radeon_encoder(encoder);
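Review bot: in radeon_lvds_detect() drm_kms_helper_is_poll_worker() is evaluated here before pm_runtime_get_sync() and again before the put at the end of the function, with nothing tying the two together. Storing the result in a local bool and testing that in both places would make it explicit that the get and the put are always paired on the same condition. Note also that `r` is now assigned only inside the branch.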
@@ -739,8 +741,12 @@ radeon_lvds_detect(struct drm_connector
/* check acpi lid status ??? */
radeon_connector_update_scratch_regs(connector, ret);
- pm_runtime_mark_last_busy(connector->dev->dev);
- pm_runtime_put_autosuspend(connector->dev->dev);
+
+ if (!drm_kms_helper_is_poll_worker()) {
+ pm_runtime_mark_last_busy(connector->dev->dev);
+ pm_runtime_put_autosuspend(connector->dev->dev);
+ }
+
return ret;
}
@@ -842,9 +848,11 @@ radeon_vga_detect(struct drm_connector *
enum drm_connector_status ret = connector_status_disconnected;
int r;
- r = pm_runtime_get_sync(connector->dev->dev);
- if (r < 0)
- return connector_status_disconnected;
+ if (!drm_kms_helper_is_poll_worker()) {
+ r = pm_runtime_get_sync(connector->dev->dev);
+ if (r < 0)
+ return connector_status_disconnected;
+ }
encoder = radeon_best_single_encoder(connector);
if (!encoder)
@@ -913,8 +921,10 @@ radeon_vga_detect(struct drm_connector *
radeon_connector_update_scratch_regs(connector, ret);
out:
- pm_runtime_mark_last_busy(connector->dev->dev);
- pm_runtime_put_autosuspend(connector->dev->dev);
+ if (!drm_kms_helper_is_poll_worker()) {
+ pm_runtime_mark_last_busy(connector->dev->dev);
+ pm_runtime_put_autosuspend(connector->dev->dev);
+ }
return ret;
}
@@ -977,9 +987,11 @@ radeon_tv_detect(struct drm_connector *c
if (!radeon_connector->dac_load_detect)
return ret;
- r = pm_runtime_get_sync(connector->dev->dev);
- if (r < 0)
- return connector_status_disconnected;
+ if (!drm_kms_helper_is_poll_worker()) {
+ r = pm_runtime_get_sync(connector->dev->dev);
+ if (r < 0)
+ return connector_status_disconnected;
+ }
encoder = radeon_best_single_encoder(connector);
if (!encoder)
@@ -991,8 +1003,12 @@ radeon_tv_detect(struct drm_connector *c
if (ret == connector_status_connected)
ret = radeon_connector_analog_encoder_conflict_solve(connector, encoder, ret, false);
radeon_connector_update_scratch_regs(connector, ret);
- pm_runtime_mark_last_busy(connector->dev->dev);
- pm_runtime_put_autosuspend(connector->dev->dev);
+
+ if (!drm_kms_helper_is_poll_worker()) {
+ pm_runtime_mark_last_busy(connector->dev->dev);
+ pm_runtime_put_autosuspend(connector->dev->dev);
+ }
+
return ret;
}
@@ -1064,9 +1080,11 @@ radeon_dvi_detect(struct drm_connector *
enum drm_connector_status ret = connector_status_disconnected;
bool dret = false, broken_edid = false;
- r = pm_runtime_get_sync(connector->dev->dev);
- if (r < 0)
- return connector_status_disconnected;
+ if (!drm_kms_helper_is_poll_worker()) {
+ r = pm_runtime_get_sync(connector->dev->dev);
+ if (r < 0)
+ return connector_status_disconnected;
+ }
if (!force && radeon_check_hpd_status_unchanged(connector)) {
ret = connector->status;
@@ -1225,8 +1243,10 @@ out:
radeon_connector_update_scratch_regs(connector, ret);
exit:
- pm_runtime_mark_last_busy(connector->dev->dev);
- pm_runtime_put_autosuspend(connector->dev->dev);
+ if (!drm_kms_helper_is_poll_worker()) {
+ pm_runtime_mark_last_busy(connector->dev->dev);
+ pm_runtime_put_autosuspend(connector->dev->dev);
+ }
return ret;
}
@@ -1480,9 +1500,11 @@ radeon_dp_detect(struct drm_connector *c
struct drm_encoder *encoder = radeon_best_single_encoder(connector);
int r;
- r = pm_runtime_get_sync(connector->dev->dev);
- if (r < 0)
- return connector_status_disconnected;
+ if (!drm_kms_helper_is_poll_worker()) {
+ r = pm_runtime_get_sync(connector->dev->dev);
+ if (r < 0)
+ return connector_status_disconnected;
+ }
if (!force && radeon_check_hpd_status_unchanged(connector)) {
ret = connector->status;
@@ -1557,8 +1579,10 @@ radeon_dp_detect(struct drm_connector *c
radeon_connector_update_scratch_regs(connector, ret);
out:
- pm_runtime_mark_last_busy(connector->dev->dev);
- pm_runtime_put_autosuspend(connector->dev->dev);
+ if (!drm_kms_helper_is_poll_worker()) {
+ pm_runtime_mark_last_busy(connector->dev->dev);
+ pm_runtime_put_autosuspend(connector->dev->dev);
+ }
return ret;
}
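Review bot: by this hunk the same `if (!drm_kms_helper_is_poll_worker())` guard around the runtime PM get and the mark_last_busy/put_autosuspend pair has been open-coded in five detect hooks (lvds, vga, tv, dvi, dp). Two small static helpers in radeon_connectors.c would remove the duplication and give one place to document why the poll worker must not take a runtime PM reference.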
^ permalink raw reply [flat|nested] 428+ messages in thread
* [PATCH 3.16 207/410] pipe: avoid round_pipe_size() nr_pages overflow on 32-bit
2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
` (249 preceding siblings ...)
2018-06-07 14:05 ` [PATCH 3.16 127/410] NFS: Add a cond_resched() to nfs_commit_release_pages() Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
2018-06-07 14:05 ` [PATCH 3.16 402/410] bonding: process the err returned by dev_set_allmulti properly in bond_enslave Ben Hutchings
` (158 subsequent siblings)
409 siblings, 0 replies; 428+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Josh Poimboeuf, Linus Torvalds, Jens Axboe,
Mikulas Patocka, Joe Lawrence, Al Viro, Randy Dunlap,
Michael Kerrisk
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Joe Lawrence <joe.lawrence@redhat.com>
commit d3f14c485867cfb2e0c48aa88c41d0ef4bf5209c upstream.
round_pipe_size() contains a right-bit-shift expression which may
overflow, which would cause undefined results in a subsequent
roundup_pow_of_two() call.
static inline unsigned int round_pipe_size(unsigned int size)
{
unsigned long nr_pages;
nr_pages = (size + PAGE_SIZE - 1) >> PAGE_SHIFT;
return roundup_pow_of_two(nr_pages) << PAGE_SHIFT;
}
PAGE_SIZE is defined as (1UL << PAGE_SHIFT), so:
- 4 bytes wide on 32-bit (0 to 0xffffffff)
- 8 bytes wide on 64-bit (0 to 0xffffffffffffffff)
That means that in 32-bit round_pipe_size(), nr_pages may overflow to 0:
size=0x00000000 nr_pages=0x0
size=0x00000001 nr_pages=0x1
size=0xfffff000 nr_pages=0xfffff
size=0xfffff001 nr_pages=0x0 << !
size=0xffffffff nr_pages=0x0 << !
This is bad because roundup_pow_of_two(n) is undefined when n == 0!
64-bit is not a problem as the unsigned int size is 4 bytes wide
(similar to 32-bit) and the larger, 8 byte wide unsigned long, is
sufficient to handle the largest value of the bit shift expression:
size=0xffffffff nr_pages=100000
Modify round_pipe_size() to return 0 if n == 0 and update its callers to
handle accordingly.
Link: http://lkml.kernel.org/r/1507658689-11669-3-git-send-email-joe.lawrence@redhat.com
Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
Reported-by: Mikulas Patocka <mpatocka@redhat.com>
Reviewed-by: Mikulas Patocka <mpatocka@redhat.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: Michael Kerrisk <mtk.manpages@gmail.com>
Cc: Randy Dunlap <rdunlap@infradead.org>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/pipe.c | 17 +++++++++++++++--
1 file changed, 15 insertions(+), 2 deletions(-)
--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -1006,13 +1006,19 @@ const struct file_operations pipefifo_fo
/*
* Currently we rely on the pipe array holding a power-of-2 number
- * of pages.
+ * of pages. Returns 0 on error.
*/
static inline unsigned int round_pipe_size(unsigned int size)
{
unsigned long nr_pages;
+ if (size < pipe_min_size)
+ size = pipe_min_size;
+
nr_pages = (size + PAGE_SIZE - 1) >> PAGE_SHIFT;
+ if (nr_pages == 0)
+ return 0;
+
return roundup_pow_of_two(nr_pages) << PAGE_SHIFT;
}
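Review bot: the new "Returns 0 on error" comment covers the `nr_pages == 0` wrap, but round_pipe_size() still returns `roundup_pow_of_two(nr_pages) << PAGE_SHIFT` as unsigned int, so a rounded size that does not fit in 32 bits is truncated on the way out. That truncated value is also 0 and so lands in the same error path the callers now check, but it is a second way to get 0 that the comment does not mention. Please document it, or reject sizes that cannot be rounded up before the shift.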
@@ -1028,6 +1034,8 @@ static long pipe_set_size(struct pipe_in
long ret = 0;
size = round_pipe_size(arg);
+ if (size == 0)
+ return -EINVAL;
nr_pages = size >> PAGE_SHIFT;
if (!nr_pages)
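Review bot: with the new `if (size == 0) return -EINVAL;` in pipe_set_size(), the existing `if (!nr_pages)` test right after `nr_pages = size >> PAGE_SHIFT` looks unreachable, because a non-zero return from round_pipe_size() is always a whole number of pages. Either drop the old test in this patch or say why it is kept.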
@@ -1110,13 +1118,18 @@ out_revert_acct:
int pipe_proc_fn(struct ctl_table *table, int write, void __user *buf,
size_t *lenp, loff_t *ppos)
{
+ unsigned int rounded_pipe_max_size;
int ret;
ret = proc_dointvec_minmax(table, write, buf, lenp, ppos);
if (ret < 0 || !write)
return ret;
- pipe_max_size = round_pipe_size(pipe_max_size);
+ rounded_pipe_max_size = round_pipe_size(pipe_max_size);
+ if (rounded_pipe_max_size == 0)
+ return -EINVAL;
+
+ pipe_max_size = rounded_pipe_max_size;
return ret;
}
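Review bot: in pipe_proc_fn() proc_dointvec_minmax() has already run by the time the rounding is checked, and the code then reads pipe_max_size to round it, so on the new `return -EINVAL` path the rejected, un-rounded value is left in pipe_max_size. The write should go through a temporary and be committed only after round_pipe_size() succeeds, or the old value should be restored on failure.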
^ permalink raw reply [flat|nested] 428+ messages in thread
* [PATCH 3.16 345/410] netfilter: bridge: ebt_among: add more missing match size checks
2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
` (203 preceding siblings ...)
2018-06-07 14:05 ` [PATCH 3.16 272/410] md raid10: fix NULL deference in handle_write_completed() Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
2018-06-07 14:05 ` [PATCH 3.16 100/410] scsi: libsas: fix error when getting phy events Ben Hutchings
` (204 subsequent siblings)
409 siblings, 0 replies; 428+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Florian Westphal, Pablo Neira Ayuso,
syzbot+bdabab6f1983a03fc009, Eric Dumazet
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
commit c8d70a700a5b486bfa8e5a7d33d805389f6e59f9 upstream.
ebt_among is special, it has a dynamic match size and is exempt
from the central size checks.
commit c4585a2823edf ("bridge: ebt_among: add missing match size checks")
added validation for pool size, but missed the fact that the macros
ebt_among_wh_src/dst can already return out-of-bound result because
they do not check value of wh_src/dst_ofs (an offset) vs. the size
of the match that userspace gave to us.
v2:
check that offset has correct alignment.
Paolo Abeni points out that we should also check that src/dst
wormhash arrays do not overlap, and src + length lines up with
start of dst (or vice versa).
v3: compact wormhash_sizes_valid() part
NB: Fixes tag is intentionally wrong, this bug exists from day
one when match was added for 2.6 kernel. Tag is there so stable
maintainers will notice this one too.
Tested with same rules from the earlier patch.
Fixes: c4585a2823edf ("bridge: ebt_among: add missing match size checks")
Reported-by: <syzbot+bdabab6f1983a03fc009@syzkaller.appspotmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/bridge/netfilter/ebt_among.c | 34 ++++++++++++++++++++++++++++++++
1 file changed, 34 insertions(+)
--- a/net/bridge/netfilter/ebt_among.c
+++ b/net/bridge/netfilter/ebt_among.c
@@ -177,6 +177,28 @@ static bool poolsize_invalid(const struc
return w && w->poolsize >= (INT_MAX / sizeof(struct ebt_mac_wormhash_tuple));
}
+static bool wormhash_offset_invalid(int off, unsigned int len)
+{
+ if (off == 0) /* not present */
+ return false;
+
+ if (off < (int)sizeof(struct ebt_among_info) ||
+ off % __alignof__(struct ebt_mac_wormhash))
+ return true;
+
+ off += sizeof(struct ebt_mac_wormhash);
+
+ return off > len;
+}
+
+static bool wormhash_sizes_valid(const struct ebt_mac_wormhash *wh, int a, int b)
+{
+ if (a == 0)
+ a = sizeof(struct ebt_among_info);
+
+ return ebt_mac_wormhash_size(wh) + a == b;
+}
+
static int ebt_among_mt_check(const struct xt_mtchk_param *par)
{
const struct ebt_among_info *info = par->matchinfo;
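Review bot: wormhash_offset_invalid() takes `int off` against `unsigned int len` and performs `off += sizeof(struct ebt_mac_wormhash)` in int before `return off > len`. Negative offsets are rejected by the `off < (int)sizeof(struct ebt_among_info)` test, but for a very large offset the addition leaves the int range and the result depends on conversion behaviour. Checking `off > len` first and then `len - off < sizeof(struct ebt_mac_wormhash)` in unsigned arithmetic would avoid that. wormhash_sizes_valid() also passes `wh` straight to ebt_mac_wormhash_size(); worth confirming that it tolerates NULL the way poolsize_invalid() does with its `w &&` test.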
@@ -189,6 +211,10 @@ static int ebt_among_mt_check(const stru
if (expected_length > em->match_size)
return -EINVAL;
+ if (wormhash_offset_invalid(info->wh_dst_ofs, em->match_size) ||
+ wormhash_offset_invalid(info->wh_src_ofs, em->match_size))
+ return -EINVAL;
+
wh_dst = ebt_among_wh_dst(info);
if (poolsize_invalid(wh_dst))
return -EINVAL;
@@ -201,6 +227,14 @@ static int ebt_among_mt_check(const stru
if (poolsize_invalid(wh_src))
return -EINVAL;
+ if (info->wh_src_ofs < info->wh_dst_ofs) {
+ if (!wormhash_sizes_valid(wh_src, info->wh_src_ofs, info->wh_dst_ofs))
+ return -EINVAL;
+ } else {
+ if (!wormhash_sizes_valid(wh_dst, info->wh_dst_ofs, info->wh_src_ofs))
+ return -EINVAL;
+ }
+
expected_length += ebt_mac_wormhash_size(wh_src);
if (em->match_size != EBT_ALIGN(expected_length)) {
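Review bot: when wh_src_ofs and wh_dst_ofs are both 0 the else branch calls wormhash_sizes_valid(wh_dst, 0, 0), which replaces `a` with sizeof(struct ebt_among_info) and compares the sum against b == 0, so a match with neither table present is now always rejected with -EINVAL. The same happens when the two offsets are equal and non-zero. If that is intended, a comment above the if/else stating that exactly this layout is required would help; if not, the both-absent case needs an explicit early exit.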
^ permalink raw reply [flat|nested] 428+ messages in thread
* [PATCH 3.16 011/410] scsi: libsas: remove the numbering for each event enum
2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
` (131 preceding siblings ...)
2018-06-07 14:05 ` [PATCH 3.16 200/410] pipe: move limit checking logic into pipe_set_size() Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
2018-06-07 14:05 ` [PATCH 3.16 300/410] mmc: sdhci: export sdhci_execute_tuning() Ben Hutchings
` (276 subsequent siblings)
409 siblings, 0 replies; 428+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Johannes Thumshirn, Martin K. Petersen, Tomas Henzl,
Christoph Hellwig, John Garry, Ewan Milne, Jason Yan
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jason Yan <yanaijie@huawei.com>
commit 0d78f969b10f27e0be34210d482a01e1ee92994c upstream.
Numbering for each event enum makes no sense. Remove the numbering so
that we don't have to calculate the number by hand every time.
Signed-off-by: Jason Yan <yanaijie@huawei.com>
CC: John Garry <john.garry@huawei.com>
CC: Johannes Thumshirn <jthumshirn@suse.de>
CC: Ewan Milne <emilne@redhat.com>
CC: Christoph Hellwig <hch@lst.de>
CC: Tomas Henzl <thenzl@redhat.com>
Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
include/scsi/libsas.h | 34 +++++++++++++++++-----------------
1 file changed, 17 insertions(+), 17 deletions(-)
--- a/include/scsi/libsas.h
+++ b/include/scsi/libsas.h
@@ -67,31 +67,31 @@ enum ha_event {
enum port_event {
PORTE_BYTES_DMAED = 0U,
- PORTE_BROADCAST_RCVD = 1,
- PORTE_LINK_RESET_ERR = 2,
- PORTE_TIMER_EVENT = 3,
- PORTE_HARD_RESET = 4,
- PORT_NUM_EVENTS = 5,
+ PORTE_BROADCAST_RCVD,
+ PORTE_LINK_RESET_ERR,
+ PORTE_TIMER_EVENT,
+ PORTE_HARD_RESET,
+ PORT_NUM_EVENTS,
};
enum phy_event {
PHYE_LOSS_OF_SIGNAL = 0U,
- PHYE_OOB_DONE = 1,
- PHYE_OOB_ERROR = 2,
- PHYE_SPINUP_HOLD = 3, /* hot plug SATA, no COMWAKE sent */
- PHYE_RESUME_TIMEOUT = 4,
- PHY_NUM_EVENTS = 5,
+ PHYE_OOB_DONE,
+ PHYE_OOB_ERROR,
+ PHYE_SPINUP_HOLD, /* hot plug SATA, no COMWAKE sent */
+ PHYE_RESUME_TIMEOUT,
+ PHY_NUM_EVENTS,
};
enum discover_event {
DISCE_DISCOVER_DOMAIN = 0U,
- DISCE_REVALIDATE_DOMAIN = 1,
- DISCE_PORT_GONE = 2,
- DISCE_PROBE = 3,
- DISCE_SUSPEND = 4,
- DISCE_RESUME = 5,
- DISCE_DESTRUCT = 6,
- DISC_NUM_EVENTS = 7,
+ DISCE_REVALIDATE_DOMAIN,
+ DISCE_PORT_GONE,
+ DISCE_PROBE,
+ DISCE_SUSPEND,
+ DISCE_RESUME,
+ DISCE_DESTRUCT,
+ DISC_NUM_EVENTS,
};
/* ---------- Expander Devices ---------- */
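Review bot: with the explicit values removed, PORT_NUM_EVENTS, PHY_NUM_EVENTS and DISC_NUM_EVENTS are correct only while each stays the last enumerator and the first entry keeps its `= 0U`. A short comment on each sentinel saying it must remain last would guard against a new event being appended after it.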
^ permalink raw reply [flat|nested] 428+ messages in thread
* [PATCH 3.16 193/410] MIPS: TXx9: use IS_BUILTIN() for CONFIG_LEDS_CLASS
2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
` (148 preceding siblings ...)
2018-06-07 14:05 ` [PATCH 3.16 335/410] x86/MCE: Save microcode revision in machine check records Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
2018-06-07 14:05 ` [PATCH 3.16 362/410] mmc: block: fix updating ext_csd caches on ioctl call Ben Hutchings
` (259 subsequent siblings)
409 siblings, 0 replies; 428+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, James Hogan, linux-mips, Ralf Baechle, Matt Redfearn
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Matt Redfearn <matt.redfearn@mips.com>
commit 0cde5b44a30f1daaef1c34e08191239dc63271c4 upstream.
When commit b27311e1cace ("MIPS: TXx9: Add RBTX4939 board support")
added board support for the RBTX4939, it added a call to
led_classdev_register even if the LED class is built as a module.
Built-in arch code cannot call module code directly like this. Commit
b33b44073734 ("MIPS: TXX9: use IS_ENABLED() macro") subsequently
changed the inclusion of this code to a single check that
CONFIG_LEDS_CLASS is either builtin or a module, but the same issue
remains.
This leads to MIPS allmodconfig builds failing when CONFIG_MACH_TX49XX=y
is set:
arch/mips/txx9/rbtx4939/setup.o: In function `rbtx4939_led_probe':
setup.c:(.init.text+0xc0): undefined reference to `of_led_classdev_register'
make: *** [Makefile:999: vmlinux] Error 1
Fix this by using the IS_BUILTIN() macro instead.
Fixes: b27311e1cace ("MIPS: TXx9: Add RBTX4939 board support")
Signed-off-by: Matt Redfearn <matt.redfearn@mips.com>
Reviewed-by: James Hogan <jhogan@kernel.org>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/18544/
Signed-off-by: James Hogan <jhogan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/mips/txx9/rbtx4939/setup.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/arch/mips/txx9/rbtx4939/setup.c
+++ b/arch/mips/txx9/rbtx4939/setup.c
@@ -186,7 +186,7 @@ static void __init rbtx4939_update_ioc_p
#define RBTX4939_MAX_7SEGLEDS 8
-#if IS_ENABLED(CONFIG_LEDS_CLASS)
+#if IS_BUILTIN(CONFIG_LEDS_CLASS)
static u8 led_val[RBTX4939_MAX_7SEGLEDS];
struct rbtx4939_led_data {
struct led_classdev cdev;
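Review bot: after the switch to `#if IS_BUILTIN(CONFIG_LEDS_CLASS)` the LED class code in this file is compiled out when CONFIG_LEDS_CLASS=m, and nothing in the source says why. A comment above the `#if` noting that built-in board code cannot call into a modular LED class would keep a later cleanup from widening it to IS_ENABLED() again; the same applies to the matching `#if` in __rbtx4939_7segled_putc().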
@@ -262,7 +262,7 @@ static inline void rbtx4939_led_setup(vo
static void __rbtx4939_7segled_putc(unsigned int pos, unsigned char val)
{
-#if IS_ENABLED(CONFIG_LEDS_CLASS)
+#if IS_BUILTIN(CONFIG_LEDS_CLASS)
unsigned long flags;
local_irq_save(flags);
/* bit7: reserved for LED class */
^ permalink raw reply [flat|nested] 428+ messages in thread
* [PATCH 3.16 255/410] drm: Allow determining if current task is output poll worker
2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
` (82 preceding siblings ...)
2018-06-07 14:05 ` [PATCH 3.16 281/410] ALSA: usb-audio: Add a quirck for B&W PX headphones Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
2018-06-07 14:05 ` [PATCH 3.16 166/410] USB: serial: pl2303: new device id for Chilitag Ben Hutchings
` (325 subsequent siblings)
409 siblings, 0 replies; 428+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Alex Deucher, Lyude Paul, Lukas Wunner, Dave Airlie, Ben Skeggs
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Lukas Wunner <lukas@wunner.de>
commit 25c058ccaf2ebbc3e250ec1e199e161f91fe27d4 upstream.
Introduce a helper to determine if the current task is an output poll
worker.
This allows us to fix a long-standing deadlock in several DRM drivers
wherein the ->runtime_suspend callback waits for the output poll worker
to finish and the worker in turn calls a ->detect callback which waits
for runtime suspend to finish. The ->detect callback is invoked from
multiple call sites and waiting for runtime suspend to finish is the
correct thing to do except if it's executing in the context of the
worker.
v2: Expand kerneldoc to specifically mention deadlock between
output poll worker and autosuspend worker as use case. (Lyude)
Cc: Dave Airlie <airlied@redhat.com>
Cc: Ben Skeggs <bskeggs@redhat.com>
Cc: Alex Deucher <alexander.deucher@amd.com>
Reviewed-by: Lyude Paul <lyude@redhat.com>
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Link: https://patchwork.freedesktop.org/patch/msgid/3549ce32e7f1467102e70d3e9cbf70c46bfe108e.1518593424.git.lukas@wunner.de
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/gpu/drm/drm_probe_helper.c | 20 ++++++++++++++++++++
include/drm/drm_crtc_helper.h | 1 +
2 files changed, 21 insertions(+)
--- a/drivers/gpu/drm/drm_probe_helper.c
+++ b/drivers/gpu/drm/drm_probe_helper.c
@@ -303,6 +303,26 @@ static void output_poll_execute(struct w
}
/**
+ * drm_kms_helper_is_poll_worker - is %current task an output poll worker?
+ *
+ * Determine if %current task is an output poll worker. This can be used
+ * to select distinct code paths for output polling versus other contexts.
+ *
+ * One use case is to avoid a deadlock between the output poll worker and
+ * the autosuspend worker wherein the latter waits for polling to finish
+ * upon calling drm_kms_helper_poll_disable(), while the former waits for
+ * runtime suspend to finish upon calling pm_runtime_get_sync() in a
+ * connector ->detect hook.
+ */
+bool drm_kms_helper_is_poll_worker(void)
+{
+ struct work_struct *work = current_work();
+
+ return work && work->func == output_poll_execute;
+}
+EXPORT_SYMBOL(drm_kms_helper_is_poll_worker);
+
+/**
* drm_kms_helper_poll_disable - disable output polling
* @dev: drm_device
*
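Review bot: drm_kms_helper_is_poll_worker() compares only `work->func` against output_poll_execute, so it returns true inside the poll worker of any DRM device, not specifically the device whose ->detect hook is being run. The kerneldoc should state that limitation, and a "Returns:" line describing the bool result would complete it.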
--- a/include/drm/drm_crtc_helper.h
+++ b/include/drm/drm_crtc_helper.h
@@ -176,5 +176,6 @@ extern void drm_kms_helper_hotplug_event
extern void drm_kms_helper_poll_disable(struct drm_device *dev);
extern void drm_kms_helper_poll_enable(struct drm_device *dev);
+bool drm_kms_helper_is_poll_worker(void);
#endif
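Review bot: the new drm_kms_helper_is_poll_worker() prototype is declared without `extern`, while the drm_kms_helper_poll_disable() and drm_kms_helper_poll_enable() declarations directly above it use it. For a backport it is tidier to follow the style of the surrounding header.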
^ permalink raw reply [flat|nested] 428+ messages in thread
* [PATCH 3.16 112/410] AHCI: Remove obsolete Intel Lewisburg SATA RAID device IDs
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Tejun Heo, Scott Lawson
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Scott Lawson <scott.lawson@intel.com>
commit 8ba559fd09bcf4e87faad3efa465dacf04c076c9 upstream.
These PCI device IDs have been removed from the Intel Lewisburg design
specification. They are no longer needed.
Signed-off-by: Scott Lawson <scott.lawson@intel.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/ata/ahci.c | 4 ----
1 file changed, 4 deletions(-)
--- a/drivers/ata/ahci.c
+++ b/drivers/ata/ahci.c
@@ -369,15 +369,11 @@ static const struct pci_device_id ahci_p
{ PCI_VDEVICE(INTEL, 0x2826), board_ahci }, /* Lewisburg RAID*/
{ PCI_VDEVICE(INTEL, 0x2827), board_ahci }, /* Lewisburg RAID*/
{ PCI_VDEVICE(INTEL, 0xa182), board_ahci }, /* Lewisburg AHCI*/
- { PCI_VDEVICE(INTEL, 0xa184), board_ahci }, /* Lewisburg RAID*/
{ PCI_VDEVICE(INTEL, 0xa186), board_ahci }, /* Lewisburg RAID*/
- { PCI_VDEVICE(INTEL, 0xa18e), board_ahci }, /* Lewisburg RAID*/
{ PCI_VDEVICE(INTEL, 0xa1d2), board_ahci }, /* Lewisburg RAID*/
{ PCI_VDEVICE(INTEL, 0xa1d6), board_ahci }, /* Lewisburg RAID*/
{ PCI_VDEVICE(INTEL, 0xa202), board_ahci }, /* Lewisburg AHCI*/
- { PCI_VDEVICE(INTEL, 0xa204), board_ahci }, /* Lewisburg RAID*/
{ PCI_VDEVICE(INTEL, 0xa206), board_ahci }, /* Lewisburg RAID*/
- { PCI_VDEVICE(INTEL, 0xa20e), board_ahci }, /* Lewisburg RAID*/
{ PCI_VDEVICE(INTEL, 0xa252), board_ahci }, /* Lewisburg RAID*/
{ PCI_VDEVICE(INTEL, 0xa256), board_ahci }, /* Lewisburg RAID*/
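Review bot: the commit log says only "these PCI device IDs" without naming them; listing 0xa184, 0xa18e, 0xa204 and 0xa20e in the message would let someone searching the history for a device ID find this removal. It should also state what happens on a machine that does expose one of them once the explicit entry is gone, since that cannot be read off this table hunk.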
* [PATCH 3.16 212/410] pipe: actually allow root to exceed the pipe buffer limits
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Linus Torvalds, Luis R . Rodriguez, Mikulas Patocka,
Eric Biggers, Willy Tarreau, Alexander Viro, Joe Lawrence,
Michael Kerrisk, Kees Cook
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@google.com>
commit 85c2dd5473b2718b4b63e74bfeb1ca876868e11f upstream.
pipe-user-pages-hard and pipe-user-pages-soft are only supposed to apply
to unprivileged users, as documented in both Documentation/sysctl/fs.txt
and the pipe(7) man page.
However, the capabilities are actually only checked when increasing a
pipe's size using F_SETPIPE_SZ, not when creating a new pipe. Therefore,
if pipe-user-pages-hard has been set, the root user can run into it and be
unable to create pipes. Similarly, if pipe-user-pages-soft has been set,
the root user can run into it and have their pipes limited to 1 page each.
Fix this by allowing the privileged override in both cases.
Link: http://lkml.kernel.org/r/20180111052902.14409-4-ebiggers3@gmail.com
Fixes: 759c01142a5d ("pipe: limit the per-user amount of pages allocated in pipes")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Acked-by: Kees Cook <keescook@chromium.org>
Acked-by: Joe Lawrence <joe.lawrence@redhat.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: "Luis R . Rodriguez" <mcgrof@kernel.org>
Cc: Michael Kerrisk <mtk.manpages@gmail.com>
Cc: Mikulas Patocka <mpatocka@redhat.com>
Cc: Willy Tarreau <w@1wt.eu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/pipe.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -601,6 +601,11 @@ static bool too_many_pipe_buffers_hard(u
return pipe_user_pages_hard && user_bufs >= pipe_user_pages_hard;
}
+static bool is_unprivileged_user(void)
+{
+ return !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN);
+}
+
struct pipe_inode_info *alloc_pipe_info(void)
{
struct pipe_inode_info *pipe;
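Review bot: is_unprivileged_user() is a very general name for a helper that tests exactly two capabilities, CAP_SYS_RESOURCE and CAP_SYS_ADMIN. A one-line comment above it saying these are the capabilities that override pipe-user-pages-soft and pipe-user-pages-hard, or a pipe-specific name, would keep it from being reused for unrelated privilege decisions in fs/pipe.c.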
@@ -617,12 +622,12 @@ struct pipe_inode_info *alloc_pipe_info(
user_bufs = account_pipe_buffers(user, 0, pipe_bufs);
- if (too_many_pipe_buffers_soft(user_bufs)) {
+ if (too_many_pipe_buffers_soft(user_bufs) && is_unprivileged_user()) {
user_bufs = account_pipe_buffers(user, pipe_bufs, 1);
pipe_bufs = 1;
}
- if (too_many_pipe_buffers_hard(user_bufs))
+ if (too_many_pipe_buffers_hard(user_bufs) && is_unprivileged_user())
goto out_revert_acct;
pipe->bufs = kcalloc(pipe_bufs, sizeof(struct pipe_buffer),
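Review bot: the operand order in `too_many_pipe_buffers_soft(user_bufs) && is_unprivileged_user()` and in the hard-limit test matters, because it means the capable() calls only run once a limit is already exceeded. That deserves a short comment in alloc_pipe_info(): swapping the operands or hoisting the helper into a local variable later would make every pipe creation perform capability checks.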
@@ -1053,7 +1058,7 @@ static long pipe_set_size(struct pipe_in
if (nr_pages > pipe->buffers &&
(too_many_pipe_buffers_hard(user_bufs) ||
too_many_pipe_buffers_soft(user_bufs)) &&
- !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN)) {
+ is_unprivileged_user()) {
ret = -EPERM;
goto out_revert_acct;
}
* [PATCH 3.16 078/410] powerpc/64: Don't trace irqs-off at interrupt return to soft-disabled context
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Nicholas Piggin, Michael Ellerman
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Nicholas Piggin <npiggin@gmail.com>
commit acb1feab320e38588fccc568e3767761f494976f upstream.
When an interrupt is returning to a soft-disabled context (which can
happen for non-maskable interrupts or synchronous interrupts), it goes
through the motions of soft-disabling again, including calling
TRACE_DISABLE_INTS (i.e., trace_hardirqs_off()).
This is not necessary, because we must already be soft-disabled in the
interrupt context, it also may be causing crashes in the irq tracing
code to re-enter as an nmi. Replace it with a warning to ensure that
soft-interrupts are still disabled.
Fixes: 7c0482e3d055 ("powerpc/irq: Fix another case of lazy IRQ state getting out of sync")
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/powerpc/kernel/entry_64.S | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
--- a/arch/powerpc/kernel/entry_64.S
+++ b/arch/powerpc/kernel/entry_64.S
@@ -885,9 +885,13 @@ restore_irq_off:
beq 1f
rlwinm r7,r7,0,~PACA_IRQ_HARD_DIS
stb r7,PACAIRQHAPPENED(r13)
-1: li r0,0
- stb r0,PACASOFTIRQEN(r13);
- TRACE_DISABLE_INTS
+1:
+#if defined(CONFIG_TRACE_IRQFLAGS) && defined(CONFIG_BUG)
+ /* The interrupt should not have soft enabled. */
+ lbz r7,PACASOFTIRQEN(r13)
+1: tdnei r7,0
+ EMIT_BUG_ENTRY 1b,__FILE__,__LINE__,BUGFLAG_WARNING
+#endif
b do_restore
/*
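Review bot: the old code stored 0 to PACASOFTIRQEN unconditionally, while the replacement only tests it, and only when both CONFIG_TRACE_IRQFLAGS and CONFIG_BUG are defined, so other builds neither enforce nor verify the soft-disabled state on this path. The comment "The interrupt should not have soft enabled" should say why that invariant holds. Separately, the hunk now has two `1:` labels a few lines apart (the target of `beq 1f` and the `tdnei` line referenced by `1b`); a different number for the trap label would read more easily.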
* [PATCH 3.16 195/410] arm: KVM: Fix SMCCC handling of unimplemented SMC/HVC calls
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Marc Zyngier, Catalin Marinas, Ard Biesheuvel
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Marc Zyngier <marc.zyngier@arm.com>
commit 20e8175d246e9f9deb377f2784b3e7dfb2ad3e86 upstream.
KVM doesn't follow the SMCCC when it comes to unimplemented calls,
and injects an UNDEF instead of returning an error. Since firmware
calls are now used for security mitigation, they are becoming more
common, and the undef is counter productive.
Instead, let's follow the SMCCC which states that -1 must be returned
to the caller when getting an unknown function number.
Tested-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
[bwh: Backported to 3.16: Use vcpu_reg() instead of vcpu_set_reg()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/arm/kvm/handle_exit.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
--- a/arch/arm/kvm/handle_exit.c
+++ b/arch/arm/kvm/handle_exit.c
@@ -45,7 +45,7 @@ static int handle_hvc(struct kvm_vcpu *v
ret = kvm_psci_call(vcpu);
if (ret < 0) {
- kvm_inject_undefined(vcpu);
+ *vcpu_reg(vcpu, 0) = ~0UL;
return 1;
}
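Review bot: `*vcpu_reg(vcpu, 0) = ~0UL;` in handle_hvc() is an unexplained magic value. The commit message says the SMCCC requires -1 for an unknown function number, so a short comment or a named constant at this line would make that link visible in the code; as written, every negative return from kvm_psci_call() is reported to the guest as that single value.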
@@ -54,7 +54,16 @@ static int handle_hvc(struct kvm_vcpu *v
static int handle_smc(struct kvm_vcpu *vcpu, struct kvm_run *run)
{
- kvm_inject_undefined(vcpu);
+ /*
+ * "If an SMC instruction executed at Non-secure EL1 is
+ * trapped to EL2 because HCR_EL2.TSC is 1, the exception is a
+ * Trap exception, not a Secure Monitor Call exception [...]"
+ *
+ * We need to advance the PC after the trap, as it would
+ * otherwise return to the same address...
+ */
+ *vcpu_reg(vcpu, 0) = ~0UL;
+ kvm_skip_instr(vcpu, kvm_vcpu_trap_il_is32bit(vcpu));
return 1;
}
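Review bot: the quoted sentence in the new handle_smc() comment carries no source, so a reader cannot tell which document and section to check it against; please add the reference. The comment also explains only the PC advance, not the `~0UL` written to register 0, which is the actual behaviour change seen by the guest.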
* [PATCH 3.16 113/410] ahci: Add PCI ids for Intel Bay Trail, Cherry Trail and Apollo Lake AHCI
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Hans de Goede, Tejun Heo
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Hans de Goede <hdegoede@redhat.com>
commit 998008b779e424bd7513c434d0ab9c1268459009 upstream.
Add PCI ids for Intel Bay Trail, Cherry Trail and Apollo Lake AHCI
SATA controllers. This commit is a preparation patch for allowing a
different default sata link powermanagement policy for mobile chipsets.
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/ata/ahci.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/ata/ahci.c
+++ b/drivers/ata/ahci.c
@@ -376,6 +376,10 @@ static const struct pci_device_id ahci_p
{ PCI_VDEVICE(INTEL, 0xa206), board_ahci }, /* Lewisburg RAID*/
{ PCI_VDEVICE(INTEL, 0xa252), board_ahci }, /* Lewisburg RAID*/
{ PCI_VDEVICE(INTEL, 0xa256), board_ahci }, /* Lewisburg RAID*/
+ { PCI_VDEVICE(INTEL, 0x0f22), board_ahci }, /* Bay Trail AHCI */
+ { PCI_VDEVICE(INTEL, 0x0f23), board_ahci }, /* Bay Trail AHCI */
+ { PCI_VDEVICE(INTEL, 0x22a3), board_ahci }, /* Cherry Trail AHCI */
+ { PCI_VDEVICE(INTEL, 0x5ae3), board_ahci }, /* Apollo Lake AHCI */
/* JMicron 360/1/3/5/6, match class to avoid IDE function */
{ PCI_VENDOR_ID_JMICRON, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID,
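Review bot: the log calls this a preparation patch for a different default link power management policy, but the four new entries use plain board_ahci like their neighbours, so nothing in this hunk shows what changes for these controllers. For a stable backport the message should say whether the follow-up that actually uses these IDs is part of the series, or why the IDs are wanted without it.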
* [PATCH 3.16 378/410] libata: Apply NOLPM quirk to Crucial M500 480 and 960GB SSDs
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Hans de Goede, Tejun Heo
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Hans de Goede <hdegoede@redhat.com>
commit 62ac3f7305470e3f52f159de448bc1a771717e88 upstream.
There have been reports of the Crucial M500 480GB model not working
with LPM set to min_power / med_power_with_dipm level.
It has not been tested with medium_power, but that typically has no
measurable power-savings.
Note the reporter's Crucial_CT480M500SSD3 has a firmware version of MU03
and there is a MU05 update available, but that update does not mention any
LPM fixes in its changelog, so the quirk matches all firmware versions.
In my experience the LPM problems with (older) Crucial SSDs seem to be
limited to higher capacity versions of the SSDs (different firmware?),
so this commit adds a NOLPM quirk for the 480 and 960GB versions of the
M500, to avoid LPM causing issues with these SSDs.
Reported-and-tested-by: Martin Steigerwald <martin@lichtvoll.de>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
[bwh: Backported to 3.16: There's no ATA_HORKAGE_ZERO_AFTER_TRIM flag]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/ata/libata-core.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/drivers/ata/libata-core.c
+++ b/drivers/ata/libata-core.c
@@ -4231,6 +4231,12 @@ static const struct ata_blacklist_entry
{ "Crucial_CT512MX100*", NULL, ATA_HORKAGE_NO_NCQ_TRIM |
ATA_HORKAGE_NOLPM, },
+ /* 480GB+ M500 SSDs have both queued TRIM and LPM issues */
+ { "Crucial_CT480M500*", NULL, ATA_HORKAGE_NO_NCQ_TRIM |
+ ATA_HORKAGE_NOLPM, },
+ { "Crucial_CT960M500*", NULL, ATA_HORKAGE_NO_NCQ_TRIM |
+ ATA_HORKAGE_NOLPM, },
+
/* devices that don't properly handle queued TRIM commands */
{ "Micron_M500_*", NULL, ATA_HORKAGE_NO_NCQ_TRIM, },
{ "Crucial_CT*M500*", NULL, ATA_HORKAGE_NO_NCQ_TRIM, },
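Review bot: the two new entries repeat ATA_HORKAGE_NO_NCQ_TRIM even though the "Crucial_CT*M500*" wildcard just below already carries it, which implies the table is matched first-hit and that these lines must stay above the wildcard. The comment "480GB+ M500 SSDs have both queued TRIM and LPM issues" should state that ordering requirement, otherwise a later reshuffle of the table silently drops NOLPM for these models.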
* [PATCH 3.16 083/410] RDMA/iwpm: Fix uninitialized error code in iwpm_send_mapinfo()
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Geert Uytterhoeven, Jason Gunthorpe, Tatyana Nikolova
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Geert Uytterhoeven <geert@linux-m68k.org>
commit 302d6424e4a293a5761997e6c9fc3dfb1e4c355f upstream.
With gcc-4.1.2:
drivers/infiniband/core/iwpm_util.c: In function ‘iwpm_send_mapinfo’:
drivers/infiniband/core/iwpm_util.c:647: warning: ‘ret’ may be used uninitialized in this function
Indeed, if nl_client is not found in any of the scanned hash buckets, ret
will be used uninitialized.
Preinitialize ret to -EINVAL to fix this.
Fixes: 30dc5e63d6a5ad24 ("RDMA/core: Add support for iWARP Port Mapper user space service")
Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Reviewed-by: Tatyana Nikolova <tatyana.e.nikolova@intel.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/infiniband/core/iwpm_util.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/infiniband/core/iwpm_util.c
+++ b/drivers/infiniband/core/iwpm_util.c
@@ -513,6 +513,7 @@ int iwpm_send_mapinfo(u8 nl_client, int
}
skb_num++;
spin_lock_irqsave(&iwpm_mapinfo_lock, flags);
+ ret = -EINVAL;
for (i = 0; i < IWPM_HASH_BUCKET_SIZE; i++) {
hlist_for_each_entry(map_info, &iwpm_hash_bucket[i],
hlist_node) {
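Review bot: `ret = -EINVAL;` is assigned in the function body just before the bucket loop rather than at the declaration, so it overwrites whatever ret held from the code above, and a client with no entries in any bucket now gets -EINVAL. The commit message should say whether "no mappings for this nl_client" is really an error for callers, or whether 0 would be the right result of an empty scan.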
* [PATCH 3.16 222/410] 9p/trans_virtio: discard zero-length reply
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Greg Kurz, Michael S. Tsirkin
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kurz <groug@kaod.org>
commit 26d99834f89e76514076d9cd06f61e56e6a509b8 upstream.
When a 9p request is successfully flushed, the server is expected to just
mark it as used without sending a 9p reply (ie, without writing data into
the buffer). In this case, virtqueue_get_buf() will return len == 0 and
we must not report a REQ_STATUS_RCVD status to the client, otherwise the
client will erroneously assume the request has not been flushed.
Signed-off-by: Greg Kurz <groug@kaod.org>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/9p/trans_virtio.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/net/9p/trans_virtio.c
+++ b/net/9p/trans_virtio.c
@@ -164,7 +164,8 @@ static void req_done(struct virtqueue *v
p9_debug(P9_DEBUG_TRANS, ": rc %p\n", rc);
p9_debug(P9_DEBUG_TRANS, ": lookup tag %d\n", rc->tag);
req = p9_tag_lookup(chan->client, rc->tag);
- p9_client_cb(chan->client, req, REQ_STATUS_RCVD);
+ if (len)
+ p9_client_cb(chan->client, req, REQ_STATUS_RCVD);
}
}
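Review bot: the `if (len)` test guards only p9_client_cb(); the two p9_debug() calls and `p9_tag_lookup(chan->client, rc->tag)` above it still run for a zero-length completion. Either move the check ahead of the rc->tag use or add a comment saying why rc->tag is valid when the server wrote nothing, and note on the `if` that len == 0 means a flushed request.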
* [PATCH 3.16 300/410] mmc: sdhci: export sdhci_execute_tuning()
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Adrian Hunter, Ulf Hansson, Masahiro Yamada
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Masahiro Yamada <yamada.masahiro@socionext.com>
commit 85a882c2e91d3655927ecdc1db823d1420a65b8f upstream.
Some SDHCI-compat controllers support not only SD, but also eMMC,
but they use different commands for tuning: CMD19 for SD, CMD21 for
eMMC.
Due to the difference of the underlying mechanism, some controllers
(at least, the Cadence IP is the case) provide their own registers
for the eMMC tuning.
This commit will be useful when we want to override .execute_tuning
callback (for eMMC HS200 tuning), but still let it fall back to
sdhci_execute_tuning() for SD timing.
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Acked-by: Adrian Hunter <adrian.hunter@intel.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
[bwh: Backported to 3.16: Delete an additional prototype]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/mmc/host/sdhci.c
+++ b/drivers/mmc/host/sdhci.c
@@ -52,7 +52,6 @@ static unsigned int debug_quirks2;
static void sdhci_finish_data(struct sdhci_host *);
static void sdhci_finish_command(struct sdhci_host *);
-static int sdhci_execute_tuning(struct mmc_host *mmc, u32 opcode);
static void sdhci_tuning_timer(unsigned long data);
static void sdhci_enable_preset_value(struct sdhci_host *host, bool enable);
@@ -1840,7 +1839,7 @@ static int sdhci_card_busy(struct mmc_ho
return !(present_state & SDHCI_DATA_LVL_MASK);
}
-static int sdhci_execute_tuning(struct mmc_host *mmc, u32 opcode)
+int sdhci_execute_tuning(struct mmc_host *mmc, u32 opcode)
{
struct sdhci_host *host = mmc_priv(mmc);
u16 ctrl;
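Review bot: sdhci_execute_tuning() becomes a public entry point here but gets no kernel-doc. Since the commit message's intended use is a host driver calling it as a fallback from its own .execute_tuning, the function comment should state the expected calling context and which opcodes it handles, so callers outside sdhci.c do not have to read the body.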
@@ -2054,6 +2053,7 @@ out:
return err;
}
+EXPORT_SYMBOL_GPL(sdhci_execute_tuning);
static void sdhci_enable_preset_value(struct sdhci_host *host, bool enable)
--- a/drivers/mmc/host/sdhci.h
+++ b/drivers/mmc/host/sdhci.h
@@ -402,6 +402,7 @@ void sdhci_set_clock(struct sdhci_host *
void sdhci_set_bus_width(struct sdhci_host *host, int width);
void sdhci_reset(struct sdhci_host *host, u8 mask);
void sdhci_set_uhs_signaling(struct sdhci_host *host, unsigned timing);
+int sdhci_execute_tuning(struct mmc_host *mmc, u32 opcode);
#ifdef CONFIG_PM
extern int sdhci_suspend_host(struct sdhci_host *host);
* [PATCH 3.16 115/410] ext4: correct documentation for grpid mount option
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Ernesto A. Fernández, Theodore Ts'o
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
commit 9f0372488cc9243018a812e8cfbf27de650b187b upstream.
The grpid option is currently described as being the same as nogrpid.
Signed-off-by: Ernesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
Documentation/filesystems/ext4.txt | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/Documentation/filesystems/ext4.txt
+++ b/Documentation/filesystems/ext4.txt
@@ -233,7 +233,7 @@ data_err=ignore(*) Just print an error m
data_err=abort Abort the journal if an error occurs in a file
data buffer in ordered mode.
-grpid Give objects the same group ID as their creator.
+grpid New objects have the group ID of their parent.
bsdgroups
nogrpid (*) New objects have the group ID of their creator.
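Review bot: "parent" in the new grpid line is ambiguous; "parent directory" would make clear that new objects take the group of the directory they are created in, in contrast to the nogrpid line's "creator". The bsdgroups alias on the following line has no text of its own, so the grpid wording has to carry both.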
* [PATCH 3.16 224/410] Input: matrix_keypad - fix race when disabling interrupts
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Dmitry Torokhov, Zhang Bo
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Zhang Bo <zbsdta@126.com>
commit ea4f7bd2aca9f68470e9aac0fc9432fd180b1fe7 upstream.
If matrix_keypad_stop() is executing and the keypad interrupt is triggered,
disable_row_irqs() may be called by both matrix_keypad_interrupt() and
matrix_keypad_stop() at the same time, causing interrupts to be disabled
twice and the keypad being "stuck" after resuming.
Take lock when setting keypad->stopped to ensure that ISR will not race
with matrix_keypad_stop() disabling interrupts.
Signed-off-by: Zhang Bo <zbsdta@126.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/input/keyboard/matrix_keypad.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/input/keyboard/matrix_keypad.c
+++ b/drivers/input/keyboard/matrix_keypad.c
@@ -216,8 +216,10 @@ static void matrix_keypad_stop(struct in
{
struct matrix_keypad *keypad = input_get_drvdata(dev);
+ spin_lock_irq(&keypad->lock);
keypad->stopped = true;
- mb();
+ spin_unlock_irq(&keypad->lock);
+
flush_work(&keypad->work.work);
/*
* matrix_keypad_scan() will leave IRQs enabled;
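Review bot: taking keypad->lock around `keypad->stopped = true` only closes the race if matrix_keypad_interrupt() tests keypad->stopped while holding the same lock, and that side is not in this hunk. The commit message should point at that check, and since the mb() is removed, a comment at the locked store should say the lock now provides the ordering against the ISR.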
* [PATCH 3.16 362/410] mmc: block: fix updating ext_csd caches on ioctl call
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Jan Luebbe, Bastian Stender, Ulf Hansson
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Bastian Stender <bst@pengutronix.de>
commit e74ef2194b41ba5e511fab29fe5ff00e72d2f42a upstream.
PARTITION_CONFIG is cached in mmc_card->ext_csd.part_config and the
currently active partition in mmc_blk_data->part_curr. These caches do
not always reflect changes if the ioctl call modifies the
PARTITION_CONFIG registers, e.g. by changing BOOT_PARTITION_ENABLE.
Write the PARTITION_CONFIG value extracted from the ioctl call to the
cache and update the currently active partition accordingly. This
ensures that the user space cannot change the values behind the
kernel's back. The next call to mmc_blk_part_switch() will operate on
the data set by the ioctl and reflect the changes appropriately.
Signed-off-by: Bastian Stender <bst@pengutronix.de>
Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
[bwh: Backported to 3.16:
- Also add the definition of MMC_EXTRACT_INDEX_FROM_ARG()
- Adjust filename, context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/drivers/mmc/card/block.c
+++ b/drivers/mmc/card/block.c
@@ -67,6 +67,9 @@ MODULE_ALIAS("mmc:block");
#define PACKED_CMD_VER 0x01
#define PACKED_CMD_WR 0x02
+#define MMC_EXTRACT_INDEX_FROM_ARG(x) ((x & 0x00FF0000) >> 16)
+#define MMC_EXTRACT_VALUE_FROM_ARG(x) ((x & 0x0000FF00) >> 8)
+
static DEFINE_MUTEX(block_mutex);
/*
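Review bot: both new macros use their argument unparenthesised, `((x & 0x00FF0000) >> 16)`, so an argument expression containing a lower-precedence operator such as `|` is masked incorrectly. Write `(((x) & 0x00FF0000) >> 16)` and do the same in MMC_EXTRACT_VALUE_FROM_ARG().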
@@ -569,6 +572,24 @@ static int mmc_blk_ioctl_cmd(struct bloc
}
/*
+ * Make sure the cache of the PARTITION_CONFIG register and
+ * PARTITION_ACCESS bits is updated in case the ioctl ext_csd write
+ * changed it successfully.
+ */
+ if ((MMC_EXTRACT_INDEX_FROM_ARG(cmd.arg) == EXT_CSD_PART_CONFIG) &&
+ (cmd.opcode == MMC_SWITCH)) {
+ struct mmc_blk_data *main_md = dev_get_drvdata(&card->dev);
+ u8 value = MMC_EXTRACT_VALUE_FROM_ARG(cmd.arg);
+
+ /*
+ * Update cache so the next mmc_blk_part_switch call operates
+ * on up-to-date data.
+ */
+ card->ext_csd.part_config = value;
+ main_md->part_curr = value & EXT_CSD_PART_CONFIG_ACC_MASK;
+ }
+
+ /*
* According to the SD specs, some commands require a delay after
* issuing the command.
*/
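Review bot: the new condition tests only the opcode and the index, so the cache is overwritten with the argument's value byte for any MMC_SWITCH aimed at EXT_CSD_PART_CONFIG. The comment says "in case the ioctl ext_csd write changed it successfully", but nothing in the hunk checks the command result, and the access-mode bits of cmd.arg are ignored, so a set-bits or clear-bits SWITCH would cache the operand rather than the resulting register value. Please check the mode (or restrict the update to write-byte) and make the success condition explicit.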
^ permalink raw reply [flat|nested] 428+ messages in thread
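The cache update described in the message above, as an added user-space C model that is not kernel code and not part of the patch. It goes beyond the hunk by honouring the SWITCH access-mode field (argument bits 25:24) and an explicit command-success flag; `struct part_cache`, `update_part_cache()`, `switch_arg()` and the `MODE_*`/`ARG_*` names are hypothetical, and the numeric constants are assumed from the eMMC CMD6 argument layout.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed values (eMMC CMD6 layout); the page itself shows only the names. */
#define MMC_SWITCH                   6    /* CMD6 */
#define EXT_CSD_PART_CONFIG          179  /* EXT_CSD byte index */
#define EXT_CSD_PART_CONFIG_ACC_MASK 0x7  /* PARTITION_ACCESS, bits [2:0] */

/* SWITCH access modes, argument bits [25:24] (hypothetical local names). */
#define MODE_CMD_SET    0
#define MODE_SET_BITS   1
#define MODE_CLEAR_BITS 2
#define MODE_WRITE_BYTE 3

/* Field extractors with the macro argument parenthesised. */
#define ARG_ACCESS(x) (((x) >> 24) & 0x3)
#define ARG_INDEX(x)  (((x) >> 16) & 0xff)
#define ARG_VALUE(x)  (((x) >> 8) & 0xff)

/* Hypothetical stand-in for ext_csd.part_config and mmc_blk_data->part_curr. */
struct part_cache {
    uint8_t part_config;
    uint8_t part_curr;
};

/* Build a CMD6 argument from its fields. */
uint32_t switch_arg(unsigned mode, unsigned index, unsigned value)
{
    return ((uint32_t)(mode & 0x3) << 24) |
           ((uint32_t)(index & 0xff) << 16) |
           ((uint32_t)(value & 0xff) << 8);
}

/*
 * Mirror a user-issued command into the cache.
 * Returns true only when the cache was updated: the command succeeded,
 * it was a SWITCH to PARTITION_CONFIG, and the mode writes an EXT_CSD byte.
 */
bool update_part_cache(struct part_cache *c, uint32_t opcode,
                       uint32_t arg, bool cmd_ok)
{
    uint8_t v = (uint8_t)ARG_VALUE(arg);

    if (!cmd_ok || opcode != MMC_SWITCH ||
        ARG_INDEX(arg) != EXT_CSD_PART_CONFIG)
        return false;

    switch (ARG_ACCESS(arg)) {
    case MODE_WRITE_BYTE:           /* value replaces the register */
        c->part_config = v;
        break;
    case MODE_SET_BITS:             /* value is OR-ed into the register */
        c->part_config |= v;
        break;
    case MODE_CLEAR_BITS:           /* bits set in value are cleared */
        c->part_config &= (uint8_t)~v;
        break;
    default:                        /* command-set switch: no byte write */
        return false;
    }
    c->part_curr = c->part_config & EXT_CSD_PART_CONFIG_ACC_MASK;
    return true;
}

int main(void)
{
    /* Constructed sample: boot ack set, boot partition 1 enabled, user area. */
    struct part_cache c = { 0x48, 0 };

    update_part_cache(&c, MMC_SWITCH,
                      switch_arg(MODE_SET_BITS, EXT_CSD_PART_CONFIG, 0x02),
                      true);
    printf("part_config=0x%02x part_curr=%u\n", c.part_config, c.part_curr);
    return 0;
}
```

With set-bits and operand 0x02 the register keeps its boot configuration bits; caching the operand alone would have recorded 0x02 and lost them.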
* [PATCH 3.16 332/410] RDMA/ucma: Check that user doesn't overflow QP state
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Leon Romanovsky, Doug Ledford, syzbot+0df1ab766f8924b1edba
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Leon Romanovsky <leonro@mellanox.com>
commit a5880b84430316e3e1c1f5d23aa32ec6000cc717 upstream.
The QP state is limited and declared in enum ib_qp_state,
but ucma user was able to supply any possible (u32) value.
Reported-by: syzbot+0df1ab766f8924b1edba@syzkaller.appspotmail.com
Fixes: 75216638572f ("RDMA/cma: Export rdma cm interface to userspace")
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/infiniband/core/ucma.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/infiniband/core/ucma.c
+++ b/drivers/infiniband/core/ucma.c
@@ -1050,6 +1050,9 @@ static ssize_t ucma_init_qp_attr(struct
if (copy_from_user(&cmd, inbuf, sizeof(cmd)))
return -EFAULT;
+ if (cmd.qp_state > IB_QPS_ERR)
+ return -EINVAL;
+
ctx = ucma_get_ctx(file, cmd.id);
if (IS_ERR(ctx))
return PTR_ERR(ctx);
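Review bot: `cmd.qp_state > IB_QPS_ERR` assumes IB_QPS_ERR is, and stays, the last value of enum ib_qp_state. A comment saying so at the check, or a comparison against a dedicated upper-bound enumerator, would keep the validation from going stale if the enum grows. Rejecting the value right after copy_from_user() and before the context lookup is the right place for it.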
* [PATCH 3.16 166/410] USB: serial: pl2303: new device id for Chilitag
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Chu.Mike [朱堅宜],
Greg Kroah-Hartman, Johan Hovold
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit d08dd3f3dd2ae351b793fc5b76abdbf0fd317b12 upstream.
This adds a new device id for Chilitag devices to the pl2303 driver.
Reported-by: "Chu.Mike [朱堅宜]" <Mike-Chu@prolific.com.tw>
Acked-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/serial/pl2303.c | 1 +
drivers/usb/serial/pl2303.h | 1 +
2 files changed, 2 insertions(+)
--- a/drivers/usb/serial/pl2303.c
+++ b/drivers/usb/serial/pl2303.c
@@ -39,6 +39,7 @@ static const struct usb_device_id id_tab
{ USB_DEVICE(PL2303_VENDOR_ID, PL2303_PRODUCT_ID_RSAQ2) },
{ USB_DEVICE(PL2303_VENDOR_ID, PL2303_PRODUCT_ID_DCU11) },
{ USB_DEVICE(PL2303_VENDOR_ID, PL2303_PRODUCT_ID_RSAQ3) },
+ { USB_DEVICE(PL2303_VENDOR_ID, PL2303_PRODUCT_ID_CHILITAG) },
{ USB_DEVICE(PL2303_VENDOR_ID, PL2303_PRODUCT_ID_PHAROS) },
{ USB_DEVICE(PL2303_VENDOR_ID, PL2303_PRODUCT_ID_ALDIGA) },
{ USB_DEVICE(PL2303_VENDOR_ID, PL2303_PRODUCT_ID_MMX) },
--- a/drivers/usb/serial/pl2303.h
+++ b/drivers/usb/serial/pl2303.h
@@ -17,6 +17,7 @@
#define PL2303_PRODUCT_ID_DCU11 0x1234
#define PL2303_PRODUCT_ID_PHAROS 0xaaa0
#define PL2303_PRODUCT_ID_RSAQ3 0xaaa2
+#define PL2303_PRODUCT_ID_CHILITAG 0xaaa8
#define PL2303_PRODUCT_ID_ALDIGA 0x0611
#define PL2303_PRODUCT_ID_MMX 0x0612
#define PL2303_PRODUCT_ID_GPRS 0x0609
* [PATCH 3.16 038/410] KVM: x86: pass host_initiated to functions that read MSRs
2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
` (377 preceding siblings ...)
2018-06-07 14:05 ` [PATCH 3.16 350/410] libata: Enable queued TRIM for Samsung SSD 860 Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
2018-06-07 14:05 ` [PATCH 3.16 381/410] ALSA: usb-audio: Fix parsing descriptor of UAC2 processing unit Ben Hutchings
` (30 subsequent siblings)
409 siblings, 0 replies; 428+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Radim Krčmář, Paolo Bonzini
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Bonzini <pbonzini@redhat.com>
commit 609e36d372ad9329269e4a1467bd35311893d1d6 upstream.
SMBASE is only readable from SMM for the VCPU, but it must be always
accessible if userspace is accessing it. Thus, all functions that
read MSRs are changed to accept a struct msr_data; the host_initiated
and index fields are pre-initialized, while the data field is filled
on return.
Reviewed-by: Radim Krčmář <rkrcmar@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[carnil: backport to 3.16, adjust context]
[bwh: Adjust context again after update to 3.16.51]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/x86/include/asm/kvm_host.h | 6 +-
arch/x86/kvm/svm.c | 52 ++++++++--------
arch/x86/kvm/vmx.c | 51 +++++++--------
arch/x86/kvm/x86.c | 106 ++++++++++++++++++++------------
4 files changed, 118 insertions(+), 97 deletions(-)
--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
@@ -683,7 +683,7 @@ struct kvm_x86_ops {
void (*vcpu_put)(struct kvm_vcpu *vcpu);
void (*update_bp_intercept)(struct kvm_vcpu *vcpu);
- int (*get_msr)(struct kvm_vcpu *vcpu, u32 msr_index, u64 *pdata);
+ int (*get_msr)(struct kvm_vcpu *vcpu, struct msr_data *msr);
int (*set_msr)(struct kvm_vcpu *vcpu, struct msr_data *msr);
u64 (*get_segment_base)(struct kvm_vcpu *vcpu, int seg);
void (*get_segment)(struct kvm_vcpu *vcpu,
@@ -853,7 +853,7 @@ static inline int emulate_instruction(st
void kvm_enable_efer_bits(u64);
bool kvm_valid_efer(struct kvm_vcpu *vcpu, u64 efer);
-int kvm_get_msr(struct kvm_vcpu *vcpu, u32 msr_index, u64 *data);
+int kvm_get_msr(struct kvm_vcpu *vcpu, struct msr_data *msr);
int kvm_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr);
struct x86_emulate_ctxt;
@@ -881,7 +881,7 @@ void kvm_lmsw(struct kvm_vcpu *vcpu, uns
void kvm_get_cs_db_l_bits(struct kvm_vcpu *vcpu, int *db, int *l);
int kvm_set_xcr(struct kvm_vcpu *vcpu, u32 index, u64 xcr);
-int kvm_get_msr_common(struct kvm_vcpu *vcpu, u32 msr, u64 *pdata);
+int kvm_get_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr);
int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr);
unsigned long kvm_get_rflags(struct kvm_vcpu *vcpu);
--- a/arch/x86/kvm/svm.c
+++ b/arch/x86/kvm/svm.c
@@ -3037,42 +3037,42 @@ u64 svm_read_l1_tsc(struct kvm_vcpu *vcp
svm_scale_tsc(vcpu, host_tsc);
}
-static int svm_get_msr(struct kvm_vcpu *vcpu, unsigned ecx, u64 *data)
+static int svm_get_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
{
struct vcpu_svm *svm = to_svm(vcpu);
- switch (ecx) {
+ switch (msr_info->index) {
case MSR_IA32_TSC: {
- *data = svm->vmcb->control.tsc_offset +
+ msr_info->data = svm->vmcb->control.tsc_offset +
svm_scale_tsc(vcpu, native_read_tsc());
break;
}
case MSR_STAR:
- *data = svm->vmcb->save.star;
+ msr_info->data = svm->vmcb->save.star;
break;
#ifdef CONFIG_X86_64
case MSR_LSTAR:
- *data = svm->vmcb->save.lstar;
+ msr_info->data = svm->vmcb->save.lstar;
break;
case MSR_CSTAR:
- *data = svm->vmcb->save.cstar;
+ msr_info->data = svm->vmcb->save.cstar;
break;
case MSR_KERNEL_GS_BASE:
- *data = svm->vmcb->save.kernel_gs_base;
+ msr_info->data = svm->vmcb->save.kernel_gs_base;
break;
case MSR_SYSCALL_MASK:
- *data = svm->vmcb->save.sfmask;
+ msr_info->data = svm->vmcb->save.sfmask;
break;
#endif
case MSR_IA32_SYSENTER_CS:
- *data = svm->vmcb->save.sysenter_cs;
+ msr_info->data = svm->vmcb->save.sysenter_cs;
break;
case MSR_IA32_SYSENTER_EIP:
- *data = svm->sysenter_eip;
+ msr_info->data = svm->sysenter_eip;
break;
case MSR_IA32_SYSENTER_ESP:
- *data = svm->sysenter_esp;
+ msr_info->data = svm->sysenter_esp;
break;
/*
* Nobody will change the following 5 values in the VMCB so we can
@@ -3080,31 +3080,31 @@ static int svm_get_msr(struct kvm_vcpu *
* implemented.
*/
case MSR_IA32_DEBUGCTLMSR:
- *data = svm->vmcb->save.dbgctl;
+ msr_info->data = svm->vmcb->save.dbgctl;
break;
case MSR_IA32_LASTBRANCHFROMIP:
- *data = svm->vmcb->save.br_from;
+ msr_info->data = svm->vmcb->save.br_from;
break;
case MSR_IA32_LASTBRANCHTOIP:
- *data = svm->vmcb->save.br_to;
+ msr_info->data = svm->vmcb->save.br_to;
break;
case MSR_IA32_LASTINTFROMIP:
- *data = svm->vmcb->save.last_excp_from;
+ msr_info->data = svm->vmcb->save.last_excp_from;
break;
case MSR_IA32_LASTINTTOIP:
- *data = svm->vmcb->save.last_excp_to;
+ msr_info->data = svm->vmcb->save.last_excp_to;
break;
case MSR_VM_HSAVE_PA:
- *data = svm->nested.hsave_msr;
+ msr_info->data = svm->nested.hsave_msr;
break;
case MSR_VM_CR:
- *data = svm->nested.vm_cr_msr;
+ msr_info->data = svm->nested.vm_cr_msr;
break;
case MSR_IA32_UCODE_REV:
- *data = 0x01000065;
+ msr_info->data = 0x01000065;
break;
default:
- return kvm_get_msr_common(vcpu, ecx, data);
+ return kvm_get_msr_common(vcpu, msr_info);
}
return 0;
}
@@ -3112,16 +3112,18 @@ static int svm_get_msr(struct kvm_vcpu *
static int rdmsr_interception(struct vcpu_svm *svm)
{
u32 ecx = svm->vcpu.arch.regs[VCPU_REGS_RCX];
- u64 data;
+ struct msr_data msr_info;
- if (svm_get_msr(&svm->vcpu, ecx, &data)) {
+ msr_info.index = ecx;
+ msr_info.host_initiated = false;
+ if (svm_get_msr(&svm->vcpu, &msr_info)) {
trace_kvm_msr_read_ex(ecx);
kvm_inject_gp(&svm->vcpu, 0);
} else {
- trace_kvm_msr_read(ecx, data);
+ trace_kvm_msr_read(ecx, msr_info.data);
- svm->vcpu.arch.regs[VCPU_REGS_RAX] = data & 0xffffffff;
- svm->vcpu.arch.regs[VCPU_REGS_RDX] = data >> 32;
+ svm->vcpu.arch.regs[VCPU_REGS_RAX] = msr_info.data & 0xffffffff;
+ svm->vcpu.arch.regs[VCPU_REGS_RDX] = msr_info.data >> 32;
svm->next_rip = kvm_rip_read(&svm->vcpu) + 2;
skip_emulated_instruction(&svm->vcpu);
}
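Review bot: `struct msr_data msr_info;` in rdmsr_interception() is declared without an initialiser and only `index` and `host_initiated` are assigned, so `data` holds stack contents until svm_get_msr() writes it. Prefer `struct msr_data msr_info = { .index = ecx, .host_initiated = false };` so that a future get_msr path that returns 0 without assigning `data` cannot copy uninitialised stack bytes into guest RAX/RDX.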
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -2493,71 +2493,64 @@ static int vmx_get_vmx_msr(struct kvm_vc
* Returns 0 on success, non-0 otherwise.
* Assumes vcpu_load() was already called.
*/
-static int vmx_get_msr(struct kvm_vcpu *vcpu, u32 msr_index, u64 *pdata)
+static int vmx_get_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
{
- u64 data;
struct shared_msr_entry *msr;
- if (!pdata) {
- printk(KERN_ERR "BUG: get_msr called with NULL pdata\n");
- return -EINVAL;
- }
-
- switch (msr_index) {
+ switch (msr_info->index) {
#ifdef CONFIG_X86_64
case MSR_FS_BASE:
- data = vmcs_readl(GUEST_FS_BASE);
+ msr_info->data = vmcs_readl(GUEST_FS_BASE);
break;
case MSR_GS_BASE:
- data = vmcs_readl(GUEST_GS_BASE);
+ msr_info->data = vmcs_readl(GUEST_GS_BASE);
break;
case MSR_KERNEL_GS_BASE:
vmx_load_host_state(to_vmx(vcpu));
- data = to_vmx(vcpu)->msr_guest_kernel_gs_base;
+ msr_info->data = to_vmx(vcpu)->msr_guest_kernel_gs_base;
break;
#endif
case MSR_EFER:
- return kvm_get_msr_common(vcpu, msr_index, pdata);
+ return kvm_get_msr_common(vcpu, msr_info);
case MSR_IA32_TSC:
- data = guest_read_tsc();
+ msr_info->data = guest_read_tsc();
break;
case MSR_IA32_SYSENTER_CS:
- data = vmcs_read32(GUEST_SYSENTER_CS);
+ msr_info->data = vmcs_read32(GUEST_SYSENTER_CS);
break;
case MSR_IA32_SYSENTER_EIP:
- data = vmcs_readl(GUEST_SYSENTER_EIP);
+ msr_info->data = vmcs_readl(GUEST_SYSENTER_EIP);
break;
case MSR_IA32_SYSENTER_ESP:
- data = vmcs_readl(GUEST_SYSENTER_ESP);
+ msr_info->data = vmcs_readl(GUEST_SYSENTER_ESP);
break;
case MSR_IA32_BNDCFGS:
if (!vmx_mpx_supported() || !guest_cpuid_has_mpx(vcpu))
return 1;
- data = vmcs_read64(GUEST_BNDCFGS);
+ msr_info->data = vmcs_read64(GUEST_BNDCFGS);
break;
case MSR_IA32_FEATURE_CONTROL:
if (!nested_vmx_allowed(vcpu))
return 1;
- data = to_vmx(vcpu)->nested.msr_ia32_feature_control;
+ msr_info->data = to_vmx(vcpu)->nested.msr_ia32_feature_control;
break;
case MSR_IA32_VMX_BASIC ... MSR_IA32_VMX_VMFUNC:
if (!nested_vmx_allowed(vcpu))
return 1;
- return vmx_get_vmx_msr(vcpu, msr_index, pdata);
+ return vmx_get_vmx_msr(vcpu, msr_info->index, &msr_info->data);
case MSR_TSC_AUX:
if (!to_vmx(vcpu)->rdtscp_enabled)
return 1;
/* Otherwise falls through */
default:
- msr = find_msr_entry(to_vmx(vcpu), msr_index);
+ msr = find_msr_entry(to_vmx(vcpu), msr_info->index);
if (msr) {
- data = msr->data;
+ msr_info->data = msr->data;
break;
}
- return kvm_get_msr_common(vcpu, msr_index, pdata);
+ return kvm_get_msr_common(vcpu, msr_info);
}
- *pdata = data;
return 0;
}
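Review bot: with the trailing `*pdata = data;` removed from vmx_get_msr(), every case that breaks out to `return 0` now has to assign `msr_info->data` itself; the cases in this hunk all do, but the function comment should state that contract, since nothing else enforces it for cases added later. The dropped `if (!pdata)` guard also has no counterpart for `msr_info`, which is fine for the callers in this patch (each passes the address of a local) but deserves a line in the same comment.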
@@ -5261,19 +5254,21 @@ static int handle_cpuid(struct kvm_vcpu
static int handle_rdmsr(struct kvm_vcpu *vcpu)
{
u32 ecx = vcpu->arch.regs[VCPU_REGS_RCX];
- u64 data;
+ struct msr_data msr_info;
- if (vmx_get_msr(vcpu, ecx, &data)) {
+ msr_info.index = ecx;
+ msr_info.host_initiated = false;
+ if (vmx_get_msr(vcpu, &msr_info)) {
trace_kvm_msr_read_ex(ecx);
kvm_inject_gp(vcpu, 0);
return 1;
}
- trace_kvm_msr_read(ecx, data);
+ trace_kvm_msr_read(ecx, msr_info.data);
/* FIXME: handling of bits 32:63 of rax, rdx */
- vcpu->arch.regs[VCPU_REGS_RAX] = data & -1u;
- vcpu->arch.regs[VCPU_REGS_RDX] = (data >> 32) & -1u;
+ vcpu->arch.regs[VCPU_REGS_RAX] = msr_info.data & -1u;
+ vcpu->arch.regs[VCPU_REGS_RDX] = (msr_info.data >> 32) & -1u;
skip_emulated_instruction(vcpu);
return 1;
}
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -999,6 +999,21 @@ EXPORT_SYMBOL_GPL(kvm_set_msr);
/*
* Adapt set_msr() to msr_io()'s calling convention
*/
+static int do_get_msr(struct kvm_vcpu *vcpu, unsigned index, u64 *data)
+{
+ struct msr_data msr;
+ int r;
+
+ msr.index = index;
+ msr.host_initiated = true;
+ r = kvm_get_msr(vcpu, &msr);
+ if (r)
+ return r;
+
+ *data = msr.data;
+ return 0;
+}
+
static int do_set_msr(struct kvm_vcpu *vcpu, unsigned index, u64 *data)
{
struct msr_data msr;
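Review bot: the existing comment "Adapt set_msr() to msr_io()'s calling convention" now sits directly above the new do_get_msr() instead of do_set_msr(), so it documents the wrong function. Either move the insertion below the comment's original target and give do_get_msr() its own comment, or reword the comment to cover both adapters. A note that `host_initiated = true` is set here because this path is only reached from the KVM_GET_MSRS ioctl would also help readers.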
@@ -2280,9 +2295,9 @@ EXPORT_SYMBOL_GPL(kvm_set_msr_common);
* Returns 0 on success, non-0 otherwise.
* Assumes vcpu_load() was already called.
*/
-int kvm_get_msr(struct kvm_vcpu *vcpu, u32 msr_index, u64 *pdata)
+int kvm_get_msr(struct kvm_vcpu *vcpu, struct msr_data *msr)
{
- return kvm_x86_ops->get_msr(vcpu, msr_index, pdata);
+ return kvm_x86_ops->get_msr(vcpu, msr);
}
static int get_msr_mtrr(struct kvm_vcpu *vcpu, u32 msr, u64 *pdata)
@@ -2418,11 +2433,11 @@ static int get_msr_hyperv(struct kvm_vcp
return 0;
}
-int kvm_get_msr_common(struct kvm_vcpu *vcpu, u32 msr, u64 *pdata)
+int kvm_get_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
{
u64 data;
- switch (msr) {
+ switch (msr_info->index) {
case MSR_IA32_PLATFORM_ID:
case MSR_IA32_EBL_CR_POWERON:
case MSR_IA32_DEBUGCTLMSR:
@@ -2441,26 +2456,26 @@ int kvm_get_msr_common(struct kvm_vcpu *
case MSR_AMD64_NB_CFG:
case MSR_FAM10H_MMIO_CONF_BASE:
case MSR_AMD64_BU_CFG2:
- data = 0;
+ msr_info->data = 0;
break;
case MSR_P6_PERFCTR0:
case MSR_P6_PERFCTR1:
case MSR_P6_EVNTSEL0:
case MSR_P6_EVNTSEL1:
- if (kvm_pmu_msr(vcpu, msr))
- return kvm_pmu_get_msr(vcpu, msr, pdata);
- data = 0;
+ if (kvm_pmu_msr(vcpu, msr_info->index))
+ return kvm_pmu_get_msr(vcpu, msr_info->index, &msr_info->data);
+ msr_info->data = 0;
break;
case MSR_IA32_UCODE_REV:
- data = 0x100000000ULL;
+ msr_info->data = 0x100000000ULL;
break;
case MSR_MTRRcap:
- data = 0x500 | KVM_NR_VAR_MTRR;
+ msr_info->data = 0x500 | KVM_NR_VAR_MTRR;
break;
case 0x200 ... 0x2ff:
- return get_msr_mtrr(vcpu, msr, pdata);
+ return get_msr_mtrr(vcpu, msr_info->index, &msr_info->data);
case 0xcd: /* fsb frequency */
- data = 3;
+ msr_info->data = 3;
break;
/*
* MSR_EBC_FREQUENCY_ID
@@ -2474,48 +2489,48 @@ int kvm_get_msr_common(struct kvm_vcpu *
* multiplying by zero otherwise.
*/
case MSR_EBC_FREQUENCY_ID:
- data = 1 << 24;
+ msr_info->data = 1 << 24;
break;
case MSR_IA32_APICBASE:
- data = kvm_get_apic_base(vcpu);
+ msr_info->data = kvm_get_apic_base(vcpu);
break;
case APIC_BASE_MSR ... APIC_BASE_MSR + 0x3ff:
- return kvm_x2apic_msr_read(vcpu, msr, pdata);
+ return kvm_x2apic_msr_read(vcpu, msr_info->index, &msr_info->data);
break;
case MSR_IA32_TSCDEADLINE:
- data = kvm_get_lapic_tscdeadline_msr(vcpu);
+ msr_info->data = kvm_get_lapic_tscdeadline_msr(vcpu);
break;
case MSR_IA32_TSC_ADJUST:
- data = (u64)vcpu->arch.ia32_tsc_adjust_msr;
+ msr_info->data = (u64)vcpu->arch.ia32_tsc_adjust_msr;
break;
case MSR_IA32_MISC_ENABLE:
- data = vcpu->arch.ia32_misc_enable_msr;
+ msr_info->data = vcpu->arch.ia32_misc_enable_msr;
break;
case MSR_IA32_PERF_STATUS:
/* TSC increment by tick */
- data = 1000ULL;
+ msr_info->data = 1000ULL;
/* CPU multiplier */
data |= (((uint64_t)4ULL) << 40);
break;
case MSR_EFER:
- data = vcpu->arch.efer;
+ msr_info->data = vcpu->arch.efer;
break;
case MSR_KVM_WALL_CLOCK:
case MSR_KVM_WALL_CLOCK_NEW:
- data = vcpu->kvm->arch.wall_clock;
+ msr_info->data = vcpu->kvm->arch.wall_clock;
break;
case MSR_KVM_SYSTEM_TIME:
case MSR_KVM_SYSTEM_TIME_NEW:
- data = vcpu->arch.time;
+ msr_info->data = vcpu->arch.time;
break;
case MSR_KVM_ASYNC_PF_EN:
- data = vcpu->arch.apf.msr_val;
+ msr_info->data = vcpu->arch.apf.msr_val;
break;
case MSR_KVM_STEAL_TIME:
- data = vcpu->arch.st.msr_val;
+ msr_info->data = vcpu->arch.st.msr_val;
break;
case MSR_KVM_PV_EOI_EN:
- data = vcpu->arch.pv_eoi.msr_val;
+ msr_info->data = vcpu->arch.pv_eoi.msr_val;
break;
case MSR_IA32_P5_MC_ADDR:
case MSR_IA32_P5_MC_TYPE:
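Review bot: in the MSR_IA32_PERF_STATUS case the first assignment is converted to `msr_info->data = 1000ULL;` but the following unchanged line still reads `data |= (((uint64_t)4ULL) << 40);`, which ORs into the local `u64 data` that is no longer copied out now that `*pdata = data;` is gone. The CPU multiplier bits are therefore lost and the local is read uninitialised. That line should become `msr_info->data |= (((uint64_t)4ULL) << 40);`, and the `u64 data;` declaration in kvm_get_msr_common() can then be dropped so the compiler flags any other leftover use.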
@@ -2523,7 +2538,7 @@ int kvm_get_msr_common(struct kvm_vcpu *
case MSR_IA32_MCG_CTL:
case MSR_IA32_MCG_STATUS:
case MSR_IA32_MC0_CTL ... MSR_IA32_MC0_CTL + 4 * KVM_MAX_MCE_BANKS - 1:
- return get_msr_mce(vcpu, msr, pdata);
+ return get_msr_mce(vcpu, msr_info->index, &msr_info->data);
case MSR_K7_CLK_CTL:
/*
* Provide expected ramp-up count for K7. All other
@@ -2534,17 +2549,17 @@ int kvm_get_msr_common(struct kvm_vcpu *
* type 6, model 8 and higher from exploding due to
* the rdmsr failing.
*/
- data = 0x20000000;
+ msr_info->data = 0x20000000;
break;
case HV_X64_MSR_GUEST_OS_ID ... HV_X64_MSR_SINT15:
- if (kvm_hv_msr_partition_wide(msr)) {
+ if (kvm_hv_msr_partition_wide(msr_info->index)) {
int r;
mutex_lock(&vcpu->kvm->lock);
- r = get_msr_hyperv_pw(vcpu, msr, pdata);
+ r = get_msr_hyperv_pw(vcpu, msr_info->index, &msr_info->data);
mutex_unlock(&vcpu->kvm->lock);
return r;
} else
- return get_msr_hyperv(vcpu, msr, pdata);
+ return get_msr_hyperv(vcpu, msr_info->index, &msr_info->data);
break;
case MSR_IA32_BBL_CR_CTL3:
/* This legacy MSR exists but isn't fully documented in current
@@ -2557,31 +2572,30 @@ int kvm_get_msr_common(struct kvm_vcpu *
* L2 cache control register 3: 64GB range, 256KB size,
* enabled, latency 0x1, configured
*/
- data = 0xbe702111;
+ msr_info->data = 0xbe702111;
break;
case MSR_AMD64_OSVW_ID_LENGTH:
if (!guest_cpuid_has_osvw(vcpu))
return 1;
- data = vcpu->arch.osvw.length;
+ msr_info->data = vcpu->arch.osvw.length;
break;
case MSR_AMD64_OSVW_STATUS:
if (!guest_cpuid_has_osvw(vcpu))
return 1;
- data = vcpu->arch.osvw.status;
+ msr_info->data = vcpu->arch.osvw.status;
break;
default:
- if (kvm_pmu_msr(vcpu, msr))
- return kvm_pmu_get_msr(vcpu, msr, pdata);
+ if (kvm_pmu_msr(vcpu, msr_info->index))
+ return kvm_pmu_get_msr(vcpu, msr_info->index, &msr_info->data);
if (!ignore_msrs) {
- vcpu_unimpl(vcpu, "unhandled rdmsr: 0x%x\n", msr);
+ vcpu_unimpl(vcpu, "unhandled rdmsr: 0x%x\n", msr_info->index);
return 1;
} else {
- vcpu_unimpl(vcpu, "ignored rdmsr: 0x%x\n", msr);
- data = 0;
+ vcpu_unimpl(vcpu, "ignored rdmsr: 0x%x\n", msr_info->index);
+ msr_info->data = 0;
}
break;
}
- *pdata = data;
return 0;
}
EXPORT_SYMBOL_GPL(kvm_get_msr_common);
@@ -3290,7 +3304,7 @@ long kvm_arch_vcpu_ioctl(struct file *fi
break;
}
case KVM_GET_MSRS:
- r = msr_io(vcpu, argp, kvm_get_msr, 1);
+ r = msr_io(vcpu, argp, do_get_msr, 1);
break;
case KVM_SET_MSRS:
r = msr_io(vcpu, argp, do_set_msr, 0);
@@ -4810,7 +4824,17 @@ static void emulator_set_segment(struct
static int emulator_get_msr(struct x86_emulate_ctxt *ctxt,
u32 msr_index, u64 *pdata)
{
- return kvm_get_msr(emul_to_vcpu(ctxt), msr_index, pdata);
+ struct msr_data msr;
+ int r;
+
+ msr.index = msr_index;
+ msr.host_initiated = false;
+ r = kvm_get_msr(emul_to_vcpu(ctxt), &msr);
+ if (r)
+ return r;
+
+ *pdata = msr.data;
+ return 0;
}
static int emulator_set_msr(struct x86_emulate_ctxt *ctxt,
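Review bot: emulator_get_msr() now repeats the body of do_get_msr() line for line, differing only in `host_initiated = false`. A single static helper taking the `host_initiated` value as a parameter would keep the two paths from drifting apart, and initialising `msr` with a designated initialiser would avoid leaving `data` as stack garbage on the error path.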
* [PATCH 3.16 237/410] netfilter: nat: cope with negative port range
2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
` (67 preceding siblings ...)
2018-06-07 14:05 ` [PATCH 3.16 333/410] drm/radeon: fix KV harvesting Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
2018-06-07 14:05 ` [PATCH 3.16 275/410] x86/oprofile: Fix bogus GCC-8 warning in nmi_setup() Ben Hutchings
` (340 subsequent siblings)
409 siblings, 0 replies; 428+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Pablo Neira Ayuso, Paolo Abeni, syzbot+8012e198bd037f4871e5
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Abeni <pabeni@redhat.com>
commit db57ccf0f2f4624b4c4758379f8165277504fbd7 upstream.
syzbot reported a division by 0 bug in the netfilter nat code:
divide error: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 4168 Comm: syzkaller034710 Not tainted 4.16.0-rc1+ #309
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:nf_nat_l4proto_unique_tuple+0x291/0x530
net/netfilter/nf_nat_proto_common.c:88
Call Trace:
dccp_unique_tuple+0x40/0x50 net/netfilter/nf_nat_proto_dccp.c:30
get_unique_tuple+0xc28/0x1c10 net/netfilter/nf_nat_core.c:362
nf_nat_setup_info+0x1c2/0xe00 net/netfilter/nf_nat_core.c:406
nf_nat_redirect_ipv6+0x306/0x730 net/netfilter/nf_nat_redirect.c:124
redirect_tg6+0x7f/0xb0 net/netfilter/xt_REDIRECT.c:34
ip6t_do_table+0xc2a/0x1a30 net/ipv6/netfilter/ip6_tables.c:365
ip6table_nat_do_chain+0x65/0x80 net/ipv6/netfilter/ip6table_nat.c:41
nf_nat_ipv6_fn+0x594/0xa80 net/ipv6/netfilter/nf_nat_l3proto_ipv6.c:302
nf_nat_ipv6_local_fn+0x33/0x5d0
net/ipv6/netfilter/nf_nat_l3proto_ipv6.c:407
ip6table_nat_local_fn+0x2c/0x40 net/ipv6/netfilter/ip6table_nat.c:69
nf_hook_entry_hookfn include/linux/netfilter.h:120 [inline]
nf_hook_slow+0xba/0x1a0 net/netfilter/core.c:483
nf_hook include/linux/netfilter.h:243 [inline]
NF_HOOK include/linux/netfilter.h:286 [inline]
ip6_xmit+0x10ec/0x2260 net/ipv6/ip6_output.c:277
inet6_csk_xmit+0x2fc/0x580 net/ipv6/inet6_connection_sock.c:139
dccp_transmit_skb+0x9ac/0x10f0 net/dccp/output.c:142
dccp_connect+0x369/0x670 net/dccp/output.c:564
dccp_v6_connect+0xe17/0x1bf0 net/dccp/ipv6.c:946
__inet_stream_connect+0x2d4/0xf00 net/ipv4/af_inet.c:620
inet_stream_connect+0x58/0xa0 net/ipv4/af_inet.c:684
SYSC_connect+0x213/0x4a0 net/socket.c:1639
SyS_connect+0x24/0x30 net/socket.c:1620
do_syscall_64+0x282/0x940 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x26/0x9b
RIP: nf_nat_l4proto_unique_tuple+0x291/0x530
net/netfilter/nf_nat_proto_common.c:88 RSP: ffff8801b2466778
The problem is that currently we don't have any check on the
configured port range. A port range == -1 triggers the bug, while
other negative values may require a very long time to complete the
following loop.
This commit addresses the issue swapping the two ends on negative
ranges. The check is performed in nf_nat_l4proto_unique_tuple() since
the nft nat loads the port values from nft registers at runtime.
v1 -> v2: use the correct 'Fixes' tag
v2 -> v3: update commit message, drop unneeded READ_ONCE()
Fixes: 5b1158e909ec ("[NETFILTER]: Add NAT support for nf_conntrack")
Reported-by: syzbot+8012e198bd037f4871e5@syzkaller.appspotmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/netfilter/nf_nat_proto_common.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/net/netfilter/nf_nat_proto_common.c
+++ b/net/netfilter/nf_nat_proto_common.c
@@ -41,7 +41,7 @@ void nf_nat_l4proto_unique_tuple(const s
const struct nf_conn *ct,
u16 *rover)
{
- unsigned int range_size, min, i;
+ unsigned int range_size, min, max, i;
__be16 *portptr;
u_int16_t off;
@@ -71,7 +71,10 @@ void nf_nat_l4proto_unique_tuple(const s
}
} else {
min = ntohs(range->min_proto.all);
- range_size = ntohs(range->max_proto.all) - min + 1;
+ max = ntohs(range->max_proto.all);
+ if (unlikely(max < min))
+ swap(max, min);
+ range_size = max - min + 1;
}
if (range->flags & NF_NAT_RANGE_PROTO_RANDOM) {
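Review bot: the `swap(max, min)` in the else branch silently accepts a reversed range, and the code carries no comment saying why it is corrected here rather than rejected when the rule is configured; the commit message has the reason (nft loads the port values from registers at runtime) and a one-line comment above `if (unlikely(max < min))` should repeat it. The arithmetic itself is sound: both ends come from ntohs() widened to unsigned int, so after the swap `max - min + 1` is between 1 and 65536 and cannot be zero. The branch above this else, which is not touched by the hunk, should be checked for the same zero or oversized range_size.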
* [PATCH 3.16 013/410] f2fs: fix a panic caused by NULL flush_cmd_control
2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
` (301 preceding siblings ...)
2018-06-07 14:05 ` [PATCH 3.16 099/410] wl1251: check return from call to wl1251_acx_arp_ip_filter Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
2018-06-07 14:05 ` [PATCH 3.16 370/410] batman-adv: fix header size check in batadv_dbg_arp() Ben Hutchings
` (106 subsequent siblings)
409 siblings, 0 replies; 428+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Jaegeuk Kim, Yunlei He
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Yunlei He <heyunlei@huawei.com>
commit d4fdf8ba0e5808ba9ad6b44337783bd9935e0982 upstream.
Mount fs with option noflush_merge, boot failed for illegal address
fcc in function f2fs_issue_flush:
	if (!test_opt(sbi, FLUSH_MERGE)) {
		ret = submit_flush_wait(sbi);
		atomic_inc(&fcc->issued_flush);   ->  Here, fcc illegal
		return ret;
	}
Signed-off-by: Yunlei He <heyunlei@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/f2fs/segment.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/fs/f2fs/segment.c
+++ b/fs/f2fs/segment.c
@@ -273,6 +273,9 @@ int create_flush_cmd_control(struct f2fs
spin_lock_init(&fcc->issue_lock);
init_waitqueue_head(&fcc->flush_wait_queue);
sbi->sm_info->cmd_control_info = fcc;
+ if (!test_opt(sbi, FLUSH_MERGE))
+ return err;
+
fcc->f2fs_issue_flush = kthread_run(issue_flush_thread, sbi,
"f2fs_flush-%u:%u", MAJOR(dev), MINOR(dev));
if (IS_ERR(fcc->f2fs_issue_flush)) {
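Review bot: the new early `return err;` in create_flush_cmd_control() depends on `err` still holding its initial value, which is set outside this hunk; `return 0;` would say what is meant and survive later changes to the function. The return also happens before `fcc->f2fs_issue_flush` is assigned, so the teardown path must tolerate a control structure whose thread pointer was never set; please confirm that the structure is zero-allocated and that the destroy function checks the pointer before stopping the thread.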
@@ -1905,7 +1908,7 @@ int build_segment_manager(struct f2fs_sb
sm_info->nr_discards = 0;
sm_info->max_discards = 0;
- if (test_opt(sbi, FLUSH_MERGE) && !f2fs_readonly(sbi->sb)) {
+ if (!f2fs_readonly(sbi->sb)) {
err = create_flush_cmd_control(sbi);
if (err)
return err;
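Review bot: build_segment_manager() still skips create_flush_cmd_control() when `f2fs_readonly(sbi->sb)` is true, so `cmd_control_info` stays NULL on a read-only mount. If f2fs_issue_flush() can be reached on such a mount, or after a remount to read-write that does not go back through this path, the `atomic_inc(&fcc->issued_flush)` quoted in the commit message is still a NULL dereference. The commit message should say why that case cannot happen, or the remount path should create the structure.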
* [PATCH 3.16 360/410] RDMA/ucma: Don't allow join attempts for unsupported AF family
2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
` (17 preceding siblings ...)
2018-06-07 14:05 ` [PATCH 3.16 157/410] usbip: list: don't list devices attached to vhci_hcd Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
2018-06-07 14:05 ` [PATCH 3.16 303/410] mmc: dw_mmc: Fix out-of-bounds access for slot's caps Ben Hutchings
` (390 subsequent siblings)
409 siblings, 0 replies; 428+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Leon Romanovsky, syzbot+2287ac532caa81900a4e, Doug Ledford,
Sean Hefty
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Leon Romanovsky <leonro@mellanox.com>
commit 0c81ffc60d5280991773d17e84bda605387148b1 upstream.
Users can provide garbage while calling ucma_join_ip_multicast(),
it will indirectly cause rdma_addr_size() to return 0, making the
call to ucma_process_join(), which had the right checks, but it is
better to check the input as early as possible.
The following crash from syzkaller revealed it.
kernel BUG at lib/string.c:1052!
invalid opcode: 0000 [#1] SMP KASAN Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 4113 Comm: syz-executor0 Not tainted 4.16.0-rc5+ #261
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:fortify_panic+0x13/0x20 lib/string.c:1051
Call Trace:
memcpy include/linux/string.h:344 [inline]
ucma_join_ip_multicast+0x36b/0x3b0 drivers/infiniband/core/ucma.c:1421
ucma_write+0x2d6/0x3d0 drivers/infiniband/core/ucma.c:1633
__vfs_write+0xef/0x970 fs/read_write.c:480
vfs_write+0x189/0x510 fs/read_write.c:544
SYSC_write fs/read_write.c:589 [inline]
SyS_write+0xef/0x220 fs/read_write.c:581
do_syscall_32_irqs_on arch/x86/entry/common.c:330 [inline]
do_fast_syscall_32+0x3ec/0xf9f arch/x86/entry/common.c:392
entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
RIP: fortify_panic+0x13/0x20 lib/string.c:1051 RSP: ffff8801ca81f8f0
Fixes: 5bc2b7b397b0 ("RDMA/ucma: Allow user space to specify AF_IB when joining multicast")
Reported-by: <syzbot+2287ac532caa81900a4e@syzkaller.appspotmail.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Reviewed-by: Sean Hefty <sean.hefty@intel.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/infiniband/core/ucma.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/drivers/infiniband/core/ucma.c
+++ b/drivers/infiniband/core/ucma.c
@@ -1241,7 +1241,7 @@ static ssize_t ucma_process_join(struct
return -ENOSPC;
addr = (struct sockaddr *) &cmd->addr;
- if (cmd->reserved || !cmd->addr_size || (cmd->addr_size != rdma_addr_size(addr)))
+ if (cmd->reserved || cmd->addr_size != rdma_addr_size(addr))
return -EINVAL;
ctx = ucma_get_ctx(file, cmd->id);
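Review bot: dropping `!cmd->addr_size` from the test in ucma_process_join() means a command with `addr_size == 0` and an address family for which rdma_addr_size() returns 0 now passes this check, so correctness depends on every caller having rejected the zero case first. The two callers in this patch do, but the check is cheap and ucma_process_join() is the common point; keeping `!cmd->addr_size` here as well would protect any caller added later.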
@@ -1301,6 +1301,9 @@ static ssize_t ucma_join_ip_multicast(st
join_cmd.uid = cmd.uid;
join_cmd.id = cmd.id;
join_cmd.addr_size = rdma_addr_size((struct sockaddr *) &cmd.addr);
+ if (!join_cmd.addr_size)
+ return -EINVAL;
+
join_cmd.reserved = 0;
memcpy(&join_cmd.addr, &cmd.addr, join_cmd.addr_size);
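Review bot: the added `if (!join_cmd.addr_size)` in ucma_join_ip_multicast() rejects only a zero size, while the `memcpy(&join_cmd.addr, &cmd.addr, join_cmd.addr_size)` that follows still takes its length from rdma_addr_size() applied to a user-supplied address. Nothing in the hunk bounds that length by `sizeof(cmd.addr)`, and the trace in the commit message is a fortify_panic raised from this memcpy. Please confirm that rdma_addr_size() cannot return more than the size of the source field for any family a user can set here, or add an explicit upper-bound check before the copy.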
@@ -1316,6 +1319,9 @@ static ssize_t ucma_join_multicast(struc
if (copy_from_user(&cmd, inbuf, sizeof(cmd)))
return -EFAULT;
+ if (!rdma_addr_size((struct sockaddr *)&cmd.addr))
+ return -EINVAL;
+
return ucma_process_join(file, &cmd, out_len);
}
* [PATCH 3.16 387/410] ALSA: aloop: Sync stale timer before release
2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
` (188 preceding siblings ...)
2018-06-07 14:05 ` [PATCH 3.16 186/410] Btrfs: fix deadlock in run_delalloc_nocow Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
2018-06-07 14:05 ` [PATCH 3.16 122/410] crypto: cryptd - pass through absence of ->setkey() Ben Hutchings
` (219 subsequent siblings)
409 siblings, 0 replies; 428+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Takashi Iwai
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
commit 67a01afaf3d34893cf7d2ea19b34555d6abb7cb0 upstream.
The aloop driver tries to stop the pending timer via timer_del() in
the trigger callback and in the close callback. The former is
correct, as it's an atomic operation, while the latter expects that
the timer gets really removed and proceeds the resource releases after
that. But timer_del() doesn't synchronize, hence the running timer
may still access the released resources.
A similar situation can be also seen in the prepare callback after
trigger(STOP) where the prepare tries to re-initialize the things
while a timer is still running.
The problems like the above are seen indirectly in some syzkaller
reports (although it's not 100% clear whether this is the only cause,
as the race condition is quite narrow and not always easy to
trigger).
For addressing these issues, this patch adds the explicit calls of
timer_del_sync() in some places, so that the pending timer is properly
killed / synced.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
sound/drivers/aloop.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
--- a/sound/drivers/aloop.c
+++ b/sound/drivers/aloop.c
@@ -193,6 +193,11 @@ static inline void loopback_timer_stop(s
dpcm->timer.expires = 0;
}
+static inline void loopback_timer_stop_sync(struct loopback_pcm *dpcm)
+{
+ del_timer_sync(&dpcm->timer);
+}
+
#define CABLE_VALID_PLAYBACK (1 << SNDRV_PCM_STREAM_PLAYBACK)
#define CABLE_VALID_CAPTURE (1 << SNDRV_PCM_STREAM_CAPTURE)
#define CABLE_VALID_BOTH (CABLE_VALID_PLAYBACK|CABLE_VALID_CAPTURE)
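Review bot: loopback_timer_stop_sync() calls `del_timer_sync(&dpcm->timer)` but, unlike loopback_timer_stop() just above it, does not reset `dpcm->timer.expires = 0`; if other code uses a zero `expires` to mean "not armed", the two helpers now leave different state behind. The helper also needs a comment that it may sleep-wait for a running handler and so must not be called from the trigger callback or with any lock held that the timer handler takes.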
@@ -327,6 +332,8 @@ static int loopback_prepare(struct snd_p
struct loopback_cable *cable = dpcm->cable;
int bps, salign;
+ loopback_timer_stop_sync(dpcm);
+
salign = (snd_pcm_format_width(runtime->format) *
runtime->channels) / 8;
bps = salign * runtime->rate;
@@ -746,7 +753,7 @@ static int loopback_close(struct snd_pcm
struct loopback *loopback = substream->private_data;
struct loopback_pcm *dpcm = substream->runtime->private_data;
- loopback_timer_stop(dpcm);
+ loopback_timer_stop_sync(dpcm);
mutex_lock(&loopback->cable_lock);
free_cable(substream);
mutex_unlock(&loopback->cable_lock);
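Review bot: in loopback_close() the timer is synced before cable_lock is taken, so nothing in this hunk prevents the timer from being re-armed between del_timer_sync() and free_cable(). Please confirm that no trigger(START) can run on this substream once close has begun, and say so in a comment next to the call.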
* [PATCH 3.16 330/410] l2tp: do not accept arbitrary sockets
2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
` (239 preceding siblings ...)
2018-06-07 14:05 ` [PATCH 3.16 094/410] scsi: aacraid: Fix udev inquiry race condition Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
2018-06-07 14:05 ` [PATCH 3.16 366/410] net: Fix vlan untag for bridge and vlan_dev with reorder_hdr off Ben Hutchings
` (168 subsequent siblings)
409 siblings, 0 replies; 428+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Guillaume Nault, Eric Dumazet, syzbot, David S. Miller,
James Chapman
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
commit 17cfe79a65f98abe535261856c5aef14f306dff7 upstream.
syzkaller found an issue caused by lack of sufficient checks
in l2tp_tunnel_create()
RAW sockets can not be considered as UDP ones for instance.
In another patch, we shall replace all pr_err() by less intrusive
pr_debug() so that syzkaller can find other bugs faster.
Acked-by: Guillaume Nault <g.nault@alphalink.fr>
Acked-by: James Chapman <jchapman@katalix.com>
==================================================================
BUG: KASAN: slab-out-of-bounds in setup_udp_tunnel_sock+0x3ee/0x5f0 net/ipv4/udp_tunnel.c:69
dst_release: dst:00000000d53d0d0f refcnt:-1
Write of size 1 at addr ffff8801d013b798 by task syz-executor3/6242
CPU: 1 PID: 6242 Comm: syz-executor3 Not tainted 4.16.0-rc2+ #253
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x24d lib/dump_stack.c:53
print_address_description+0x73/0x250 mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report+0x23b/0x360 mm/kasan/report.c:412
__asan_report_store1_noabort+0x17/0x20 mm/kasan/report.c:435
setup_udp_tunnel_sock+0x3ee/0x5f0 net/ipv4/udp_tunnel.c:69
l2tp_tunnel_create+0x1354/0x17f0 net/l2tp/l2tp_core.c:1596
pppol2tp_connect+0x14b1/0x1dd0 net/l2tp/l2tp_ppp.c:707
SYSC_connect+0x213/0x4a0 net/socket.c:1640
SyS_connect+0x24/0x30 net/socket.c:1621
do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x42/0xb7
Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/l2tp/l2tp_core.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -1581,9 +1581,14 @@ int l2tp_tunnel_create(struct net *net,
encap = cfg->encap;
/* Quick sanity checks */
+ err = -EPROTONOSUPPORT;
+ if (sk->sk_type != SOCK_DGRAM) {
+ pr_debug("tunl %hu: fd %d wrong socket type\n",
+ tunnel_id, fd);
+ goto err;
+ }
switch (encap) {
case L2TP_ENCAPTYPE_UDP:
- err = -EPROTONOSUPPORT;
if (sk->sk_protocol != IPPROTO_UDP) {
pr_err("tunl %hu: fd %d wrong protocol, got %d, expected %d\n",
tunnel_id, fd, sk->sk_protocol, IPPROTO_UDP);
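Review bot: the new sk_type check logs with pr_debug() and prints only the tunnel id and fd, while the sk_protocol checks right below it use pr_err() and print the got/expected values. Print sk->sk_type in the message as well, so a rejected socket can be diagnosed the same way whichever test it fails; the commit message defers the pr_err() conversion to another patch, so until then the three checks also log at different levels.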
@@ -1591,7 +1596,6 @@ int l2tp_tunnel_create(struct net *net,
}
break;
case L2TP_ENCAPTYPE_IP:
- err = -EPROTONOSUPPORT;
if (sk->sk_protocol != IPPROTO_L2TP) {
pr_err("tunl %hu: fd %d wrong protocol, got %d, expected %d\n",
tunnel_id, fd, sk->sk_protocol, IPPROTO_L2TP);
* [PATCH 3.16 382/410] RDMA/ucma: Fix use-after-free access in ucma_close
2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
` (169 preceding siblings ...)
2018-06-07 14:05 ` [PATCH 3.16 198/410] kernel/async.c: revert "async: simplify lowest_in_progress()" Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
2018-06-07 14:05 ` [PATCH 3.16 105/410] drm/radeon: Add dpm quirk for Jet PRO (v2) Ben Hutchings
` (238 subsequent siblings)
409 siblings, 0 replies; 428+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Leon Romanovsky, Jason Gunthorpe,
syzbot+dcfd344365a56fbebd0f, Sean Hefty
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Leon Romanovsky <leonro@mellanox.com>
commit ed65a4dc22083e73bac599ded6a262318cad7baf upstream.
The error in ucma_create_id() left ctx in the list of contexts belonging
to the ucma file descriptor. The attempt to close this file descriptor causes
use-after-free accesses while iterating over such list.
Fixes: 75216638572f ("RDMA/cma: Export rdma cm interface to userspace")
Reported-by: <syzbot+dcfd344365a56fbebd0f@syzkaller.appspotmail.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Reviewed-by: Sean Hefty <sean.hefty@intel.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/infiniband/core/ucma.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/infiniband/core/ucma.c
+++ b/drivers/infiniband/core/ucma.c
@@ -411,6 +411,9 @@ err1:
mutex_lock(&mut);
idr_remove(&ctx_idr, ctx->id);
mutex_unlock(&mut);
+ mutex_lock(&file->mut);
+ list_del(&ctx->list);
+ mutex_unlock(&file->mut);
kfree(ctx);
return ret;
}
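Review bot: list_del(&ctx->list) in the err1 path is unconditional, so it is only correct if every jump to err1 happens after ctx has been added to the file's context list. Please confirm that for the callers of this label, which are outside the hunk, and add a short comment that ctx leaves the idr under mut and the list under file->mut before kfree().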
* [PATCH 3.16 226/410] usb: dwc3: gadget: Set maxpacket size for ep0 IN
2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
` (216 preceding siblings ...)
2018-06-07 14:05 ` [PATCH 3.16 028/410] hugetlbfs: check for pgoff value overflow Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
2018-06-07 14:05 ` [PATCH 3.16 007/410] media: dvb-usb-v2: lmedm04: Improve logic checking of warm start Ben Hutchings
` (191 subsequent siblings)
409 siblings, 0 replies; 428+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Felipe Balbi, Thinh Nguyen, Thinh Nguyen
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
commit 6180026341e852a250e1f97ebdcf71684a3c81b9 upstream.
There are 2 control endpoint structures for DWC3. However, the driver
only updates the OUT direction control endpoint structure during
ConnectDone event. DWC3 driver needs to update the endpoint max packet
size for control IN endpoint as well. If the max packet size is not
properly set, then the driver will incorrectly calculate the data
transfer size and fail to send ZLP for HS/FS 3-stage control read
transfer.
The fix is simply to update the max packet size for the ep0 IN direction
during ConnectDone event.
Fixes: 72246da40f37 ("usb: Introduce DesignWare USB3 DRD Driver")
Signed-off-by: Thinh Nguyen <thinhn@synopsys.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/dwc3/gadget.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -2436,6 +2436,8 @@ static void dwc3_gadget_conndone_interru
break;
}
+ dwc->eps[1]->endpoint.maxpacket = dwc->gadget.ep0->maxpacket;
+
/* Enable USB2 LPM Capability */
if ((dwc->revision > DWC3_REVISION_194A)
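Review bot: dwc->eps[1] is a bare index, and nothing in the hunk says it is the ep0 IN endpoint that the commit message talks about. Add a short comment to that effect, and note that the assignment relies on dwc->gadget.ep0->maxpacket already holding the value for the negotiated speed at this point in the handler.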
* [PATCH 3.16 333/410] drm/radeon: fix KV harvesting
2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
` (66 preceding siblings ...)
2018-06-07 14:05 ` [PATCH 3.16 103/410] usb: f_fs: Prevent gadget unbind if it is already unbound Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
2018-06-07 14:05 ` [PATCH 3.16 237/410] netfilter: nat: cope with negative port range Ben Hutchings
` (341 subsequent siblings)
409 siblings, 0 replies; 428+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Alex Deucher, Christian König
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Alex Deucher <alexander.deucher@amd.com>
commit 0b58d90f89545e021d188c289fa142e5ff9e708b upstream.
Always set the graphics values to the max for the
asic type. E.g., some 1 RB chips are actually 1 RB chips,
others are actually harvested 2 RB chips.
Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=99353
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/gpu/drm/radeon/cik.c | 31 ++-----------------------------
1 file changed, 2 insertions(+), 29 deletions(-)
--- a/drivers/gpu/drm/radeon/cik.c
+++ b/drivers/gpu/drm/radeon/cik.c
@@ -3299,35 +3299,8 @@ static void cik_gpu_init(struct radeon_d
case CHIP_KAVERI:
rdev->config.cik.max_shader_engines = 1;
rdev->config.cik.max_tile_pipes = 4;
- if ((rdev->pdev->device == 0x1304) ||
- (rdev->pdev->device == 0x1305) ||
- (rdev->pdev->device == 0x130C) ||
- (rdev->pdev->device == 0x130F) ||
- (rdev->pdev->device == 0x1310) ||
- (rdev->pdev->device == 0x1311) ||
- (rdev->pdev->device == 0x131C)) {
- rdev->config.cik.max_cu_per_sh = 8;
- rdev->config.cik.max_backends_per_se = 2;
- } else if ((rdev->pdev->device == 0x1309) ||
- (rdev->pdev->device == 0x130A) ||
- (rdev->pdev->device == 0x130D) ||
- (rdev->pdev->device == 0x1313) ||
- (rdev->pdev->device == 0x131D)) {
- rdev->config.cik.max_cu_per_sh = 6;
- rdev->config.cik.max_backends_per_se = 2;
- } else if ((rdev->pdev->device == 0x1306) ||
- (rdev->pdev->device == 0x1307) ||
- (rdev->pdev->device == 0x130B) ||
- (rdev->pdev->device == 0x130E) ||
- (rdev->pdev->device == 0x1315) ||
- (rdev->pdev->device == 0x1318) ||
- (rdev->pdev->device == 0x131B)) {
- rdev->config.cik.max_cu_per_sh = 4;
- rdev->config.cik.max_backends_per_se = 1;
- } else {
- rdev->config.cik.max_cu_per_sh = 3;
- rdev->config.cik.max_backends_per_se = 1;
- }
+ rdev->config.cik.max_cu_per_sh = 8;
+ rdev->config.cik.max_backends_per_se = 2;
rdev->config.cik.max_sh_per_se = 1;
rdev->config.cik.max_texture_channel_caches = 4;
rdev->config.cik.max_gprs = 256;
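Review bot: after this hunk CHIP_KAVERI gets max_cu_per_sh = 8 and max_backends_per_se = 2 for every device ID, including the parts the removed table set to 3, 4 or 6 CUs and to 1 backend. Add a comment that these are the ASIC maxima and that harvested units are detected elsewhere, and confirm that no user of these two fields treats them as the number of enabled units.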
* [PATCH 3.16 205/410] pipe: make account_pipe_buffers() return a value, and use it
2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
` (126 preceding siblings ...)
2018-06-07 14:05 ` [PATCH 3.16 181/410] netfilter: on sockopt() acquire sock lock only in the required scope Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
2018-06-07 14:05 ` [PATCH 3.16 074/410] HID: add quirk for another PIXART OEM mouse used by HP Ben Hutchings
` (281 subsequent siblings)
409 siblings, 0 replies; 428+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, socketpair, Al Viro, Willy Tarreau, Jens Axboe,
Vegard Nossum, Tetsuo Handa, Michael Kerrisk (man-pages),
Linus Torvalds
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com>
commit 9c87bcf0a31b338dc8a69a5d251a037565a94e13 upstream.
This is an optional patch, to provide a small performance
improvement. Alter account_pipe_buffers() so that it returns the
new value in user->pipe_bufs. This means that we can refactor
too_many_pipe_buffers_soft() and too_many_pipe_buffers_hard() to
avoid the costs of repeated use of atomic_long_read() to get the
value user->pipe_bufs.
Link: http://lkml.kernel.org/r/93e5f193-1e5e-3e1f-3a20-eae79b7e1310@gmail.com
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
Reviewed-by: Vegard Nossum <vegard.nossum@oracle.com>
Cc: Willy Tarreau <w@1wt.eu>
Cc: <socketpair@gmail.com>
Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Cc: Jens Axboe <axboe@fb.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/pipe.c | 36 ++++++++++++++++++------------------
1 file changed, 18 insertions(+), 18 deletions(-)
--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -590,22 +590,20 @@ pipe_fasync(int fd, struct file *filp, i
return retval;
}
-static void account_pipe_buffers(struct user_struct *user,
+static unsigned long account_pipe_buffers(struct user_struct *user,
unsigned long old, unsigned long new)
{
- atomic_long_add(new - old, &user->pipe_bufs);
+ return atomic_long_add_return(new - old, &user->pipe_bufs);
}
-static bool too_many_pipe_buffers_soft(struct user_struct *user)
+static bool too_many_pipe_buffers_soft(unsigned long user_bufs)
{
- return pipe_user_pages_soft &&
- atomic_long_read(&user->pipe_bufs) >= pipe_user_pages_soft;
+ return pipe_user_pages_soft && user_bufs >= pipe_user_pages_soft;
}
-static bool too_many_pipe_buffers_hard(struct user_struct *user)
+static bool too_many_pipe_buffers_hard(unsigned long user_bufs)
{
- return pipe_user_pages_hard &&
- atomic_long_read(&user->pipe_bufs) >= pipe_user_pages_hard;
+ return pipe_user_pages_hard && user_bufs >= pipe_user_pages_hard;
}
struct pipe_inode_info *alloc_pipe_info(void)
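Review bot: account_pipe_buffers() now returns unsigned long, but it passes through the result of atomic_long_add_return() on a delta computed as new - old in unsigned arithmetic, which wraps whenever new < old. That works by modular arithmetic, but it deserves a comment, as does the fact that too_many_pipe_buffers_soft() and too_many_pipe_buffers_hard() now test a caller-supplied snapshot rather than the live counter.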
@@ -613,19 +611,20 @@ struct pipe_inode_info *alloc_pipe_info(
struct pipe_inode_info *pipe;
unsigned long pipe_bufs = PIPE_DEF_BUFFERS;
struct user_struct *user = get_current_user();
+ unsigned long user_bufs;
pipe = kzalloc(sizeof(struct pipe_inode_info), GFP_KERNEL);
if (pipe == NULL)
goto out_free_uid;
- account_pipe_buffers(user, 0, pipe_bufs);
+ user_bufs = account_pipe_buffers(user, 0, pipe_bufs);
- if (too_many_pipe_buffers_soft(user)) {
- account_pipe_buffers(user, pipe_bufs, 1);
+ if (too_many_pipe_buffers_soft(user_bufs)) {
+ user_bufs = account_pipe_buffers(user, pipe_bufs, 1);
pipe_bufs = 1;
}
- if (too_many_pipe_buffers_hard(user))
+ if (too_many_pipe_buffers_hard(user_bufs))
goto out_revert_acct;
pipe->bufs = kcalloc(pipe_bufs, sizeof(struct pipe_buffer),
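Review bot: the commit message presents this as a performance change only, but in alloc_pipe_info() the soft and hard tests now use the value returned by this task's own accounting call instead of re-reading user->pipe_bufs, so an update made in between by another task of the same user is no longer seen by the check. That is arguably the more consistent behaviour; please say so in the changelog.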
@@ -641,7 +640,7 @@ struct pipe_inode_info *alloc_pipe_info(
}
out_revert_acct:
- account_pipe_buffers(user, pipe_bufs, 0);
+ (void) account_pipe_buffers(user, pipe_bufs, 0);
kfree(pipe);
out_free_uid:
free_uid(user);
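Review bot: the (void) cast on account_pipe_buffers() in out_revert_acct is unusual for kernel code, where an unused return value is simply ignored unless the function is marked __must_check. Drop the cast here and at the other two call sites in this patch that discard the result.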
@@ -652,7 +651,7 @@ void free_pipe_info(struct pipe_inode_in
{
int i;
- account_pipe_buffers(pipe->user, pipe->buffers, 0);
+ (void) account_pipe_buffers(pipe->user, pipe->buffers, 0);
free_uid(pipe->user);
for (i = 0; i < pipe->buffers; i++) {
struct pipe_buffer *buf = pipe->bufs + i;
@@ -1022,6 +1021,7 @@ static long pipe_set_size(struct pipe_in
{
struct pipe_buffer *bufs;
unsigned int size, nr_pages;
+ unsigned long user_bufs;
long ret = 0;
size = round_pipe_size(arg);
@@ -1041,11 +1041,11 @@ static long pipe_set_size(struct pipe_in
size > pipe_max_size && !capable(CAP_SYS_RESOURCE))
return -EPERM;
- account_pipe_buffers(pipe->user, pipe->buffers, nr_pages);
+ user_bufs = account_pipe_buffers(pipe->user, pipe->buffers, nr_pages);
if (nr_pages > pipe->buffers &&
- (too_many_pipe_buffers_hard(pipe->user) ||
- too_many_pipe_buffers_soft(pipe->user)) &&
+ (too_many_pipe_buffers_hard(user_bufs) ||
+ too_many_pipe_buffers_soft(user_bufs)) &&
!capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN)) {
ret = -EPERM;
goto out_revert_acct;
@@ -1096,7 +1096,7 @@ static long pipe_set_size(struct pipe_in
return nr_pages * PAGE_SIZE;
out_revert_acct:
- account_pipe_buffers(pipe->user, nr_pages, pipe->buffers);
+ (void) account_pipe_buffers(pipe->user, nr_pages, pipe->buffers);
return ret;
}
* [PATCH 3.16 061/410] KVM/VMX: Optimize vmx_vcpu_run() and svm_vcpu_run() by marking the RDMSR path as unlikely()
2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
` (108 preceding siblings ...)
2018-06-07 14:05 ` [PATCH 3.16 019/410] ext4: add validity checks for bitmap block numbers Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
2018-06-07 14:05 ` [PATCH 3.16 116/410] arm: spear600: Add missing interrupt-parent of rtc Ben Hutchings
` (299 subsequent siblings)
409 siblings, 0 replies; 428+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Paolo Bonzini, Ingo Molnar, David Woodhouse,
Peter Zijlstra, Jim Mattson, Radim Krčmář,
KarimAllah Ahmed, kvm, Thomas Gleixner, Linus Torvalds
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Bonzini <pbonzini@redhat.com>
commit 946fbbc13dce68902f64515b610eeb2a6c3d7a64 upstream.
vmx_vcpu_run() and svm_vcpu_run() are large functions, and giving
branch hints to the compiler can actually make a substantial cycle
difference by keeping the fast path contiguous in memory.
With this optimization, the retpoline-guest/retpoline-host case is
about 50 cycles faster.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Jim Mattson <jmattson@google.com>
Cc: David Woodhouse <dwmw@amazon.co.uk>
Cc: KarimAllah Ahmed <karahmed@amazon.de>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Radim Krčmář <rkrcmar@redhat.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: kvm@vger.kernel.org
Link: http://lkml.kernel.org/r/20180222154318.20361-3-pbonzini@redhat.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/x86/kvm/svm.c | 2 +-
arch/x86/kvm/vmx.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
--- a/arch/x86/kvm/svm.c
+++ b/arch/x86/kvm/svm.c
@@ -4077,7 +4077,7 @@ static void svm_vcpu_run(struct kvm_vcpu
* If the L02 MSR bitmap does not intercept the MSR, then we need to
* save it.
*/
- if (!msr_write_intercepted(vcpu, MSR_IA32_SPEC_CTRL))
+ if (unlikely(!msr_write_intercepted(vcpu, MSR_IA32_SPEC_CTRL)))
svm->spec_ctrl = native_read_msr(MSR_IA32_SPEC_CTRL);
if (svm->spec_ctrl)
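Review bot: unlikely() on this test is only right when writes to MSR_IA32_SPEC_CTRL are normally intercepted; for a vCPU where they are not, the native_read_msr() branch is taken on every run and the hint points the wrong way. The commit message quotes a figure for the retpoline-guest/retpoline-host case only, so please add a measurement for a guest that has write access to the MSR, and apply the same check to the identical change in vmx.c.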
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -7673,7 +7673,7 @@ static void __noclone vmx_vcpu_run(struc
* If the L01 MSR bitmap does not intercept the MSR, then we need to
* save it.
*/
- if (!msr_write_intercepted_l01(vcpu, MSR_IA32_SPEC_CTRL))
+ if (unlikely(!msr_write_intercepted_l01(vcpu, MSR_IA32_SPEC_CTRL)))
vmx->spec_ctrl = native_read_msr(MSR_IA32_SPEC_CTRL);
if (vmx->spec_ctrl)
* [PATCH 3.16 295/410] tpm_tis: fix potential buffer overruns caused by bit glitches on the bus
2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
` (98 preceding siblings ...)
2018-06-07 14:05 ` [PATCH 3.16 280/410] lock_parent() needs to recheck if dentry got __dentry_kill'ed under it Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
2018-06-07 14:05 ` [PATCH 3.16 377/410] can: cc770: Fix use after free in cc770_tx_interrupt() Ben Hutchings
` (309 subsequent siblings)
409 siblings, 0 replies; 428+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Jarkko Sakkinen, Jeremy Boone, James Bottomley, James Morris
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jeremy Boone <jeremy.boone@nccgroup.trust>
commit 6bb320ca4a4a7b5b3db8c8d7250cc40002046878 upstream.
Discrete TPMs are often connected over slow serial buses which, on
some platforms, can have glitches causing bit flips. In all the
driver _recv() functions, we need to use a u32 to unmarshal the
response size, otherwise a bit flip of the 31st bit would cause the
expected variable to go negative, which would then try to read a huge
amount of data. Also sanity check that the expected amount of data is
large enough for the TPM header.
Signed-off-by: Jeremy Boone <jeremy.boone@nccgroup.trust>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: James Morris <james.morris@microsoft.com>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/char/tpm/tpm_tis.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/drivers/char/tpm/tpm_tis.c
+++ b/drivers/char/tpm/tpm_tis.c
@@ -234,7 +234,8 @@ static int recv_data(struct tpm_chip *ch
static int tpm_tis_recv(struct tpm_chip *chip, u8 *buf, size_t count)
{
int size = 0;
- int expected, status;
+ int status;
+ u32 expected;
if (count < TPM_HEADER_SIZE) {
size = -EIO;
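Review bot: expected becomes u32 while size and status stay int and count is size_t, so tpm_tis_recv() now mixes three integer types when it compares and accumulates lengths. Check each later use of expected against size, outside this hunk, for signed/unsigned comparisons that the type change may have altered.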
@@ -249,7 +250,7 @@ static int tpm_tis_recv(struct tpm_chip
}
expected = be32_to_cpu(*(__be32 *) (buf + 2));
- if (expected > count) {
+ if (expected > count || expected < TPM_HEADER_SIZE) {
size = -EIO;
goto out;
}
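Review bot: the added lower bound expected < TPM_HEADER_SIZE returns the same -EIO as the upper bound and logs nothing, so a glitched length on the bus cannot be told apart from any other I/O error. A rate-limited error message stating the bogus length would help when debugging a flaky bus. The commit message speaks of all the driver _recv() functions while this backport touches only tpm_tis.c; please confirm no other _recv() in 3.16 needs the same two-sided check.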
* [PATCH 3.16 209/410] sysctl: check for UINT_MAX before unsigned int min/max
2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
` (394 preceding siblings ...)
2018-06-07 14:05 ` [PATCH 3.16 266/410] arm64: traps: Don't print stack or raw PC/LR values in backtraces Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
2018-06-07 14:05 ` [PATCH 3.16 318/410] ata: do not schedule hot plug if it is a sas host Ben Hutchings
` (13 subsequent siblings)
409 siblings, 0 replies; 428+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Randy Dunlap, Michael Kerrisk, Jens Axboe, Mikulas Patocka,
Joe Lawrence, Al Viro, Josh Poimboeuf, Linus Torvalds
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Joe Lawrence <joe.lawrence@redhat.com>
commit fb910c42ccebf853c29296185c45c11164a56098 upstream.
Mikulas noticed in the existing do_proc_douintvec_minmax_conv() and
do_proc_dopipe_max_size_conv() introduced in this patchset, that they
inconsistently handle overflow and min/max range inputs:
For example:
0 ... param->min - 1 ---> ERANGE
param->min ... param->max ---> the value is accepted
param->max + 1 ... 0x100000000L + param->min - 1 ---> ERANGE
0x100000000L + param->min ... 0x100000000L + param->max ---> EINVAL
0x100000000L + param->max + 1, 0x200000000L + param->min - 1 ---> ERANGE
0x200000000L + param->min ... 0x200000000L + param->max ---> EINVAL
0x200000000L + param->max + 1, 0x300000000L + param->min - 1 ---> ERANGE
In do_proc_do*() routines which store values into unsigned int variables
(4 bytes wide for 64-bit builds), first validate that the input unsigned
long value (8 bytes wide for 64-bit builds) will fit inside the smaller
unsigned int variable. Then check that the unsigned int value falls
inside the specified parameter min, max range. Otherwise the unsigned
long -> unsigned int conversion drops leading bits from the input value,
leading to the inconsistent pattern Mikulas documented above.
Link: http://lkml.kernel.org/r/1507658689-11669-5-git-send-email-joe.lawrence@redhat.com
Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
Reported-by: Mikulas Patocka <mpatocka@redhat.com>
Reviewed-by: Mikulas Patocka <mpatocka@redhat.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: Michael Kerrisk <mtk.manpages@gmail.com>
Cc: Randy Dunlap <rdunlap@infradead.org>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.16:
- Drop changes in do_proc_douintvec_minmax_conv()
- Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -2233,17 +2233,18 @@ static int do_proc_dopipe_max_size_conv(
struct do_proc_dopipe_max_size_conv_param *param = data;
if (write) {
- unsigned int val = round_pipe_size(*lvalp);
+ unsigned int val;
+ if (*lvalp > UINT_MAX)
+ return -EINVAL;
+
+ val = round_pipe_size(*lvalp);
if (*negp || val == 0)
return -EINVAL;
if (param->min && *param->min > val)
return -ERANGE;
- if (*lvalp > UINT_MAX)
- return -EINVAL;
-
*valp = val;
} else {
unsigned int val = *valp;
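Review bot: the *lvalp > UINT_MAX test now runs before round_pipe_size(), but *negp is still tested only after the rounding. Move the *negp test up beside the UINT_MAX test so that all validation of the raw input happens before the value is converted to unsigned int.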
* [PATCH 3.16 160/410] scsi: fas216: fix sense buffer initialization
2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
` (390 preceding siblings ...)
2018-06-07 14:05 ` [PATCH 3.16 385/410] MIPS: ralink: Don't set pm_power_off Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
2018-06-07 14:05 ` [PATCH 3.16 014/410] cifs: empty TargetInfo leads to crash on recovery Ben Hutchings
` (17 subsequent siblings)
409 siblings, 0 replies; 428+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Arnd Bergmann, Martin K. Petersen
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
commit 96d5eaa9bb74d299508d811d865c2c41b38b0301 upstream.
While testing with the ARM specific memset() macro removed, I ran into a
compiler warning that shows an old bug:
drivers/scsi/arm/fas216.c: In function 'fas216_rq_sns_done':
drivers/scsi/arm/fas216.c:2014:40: error: argument to 'sizeof' in 'memset' call is the same expression as the destination; did you mean to provide an explicit length? [-Werror=sizeof-pointer-memaccess]
It turns out that the definition of the scsi_cmd structure changed back
in linux-2.6.25, so now we clear only four bytes (sizeof(pointer))
instead of 96 (SCSI_SENSE_BUFFERSIZE). I did not check whether we
actually need to initialize the buffer here, but it's clear that if we
do it, we should use the correct size.
Fixes: de25deb18016 ("[SCSI] use dynamically allocated sense buffer")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/scsi/arm/fas216.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/scsi/arm/fas216.c
+++ b/drivers/scsi/arm/fas216.c
@@ -2009,7 +2009,7 @@ static void fas216_rq_sns_done(FAS216_In
* have valid data in the sense buffer that could
* confuse the higher levels.
*/
- memset(SCpnt->sense_buffer, 0, sizeof(SCpnt->sense_buffer));
+ memset(SCpnt->sense_buffer, 0, SCSI_SENSE_BUFFERSIZE);
//printk("scsi%d.%c: sense buffer: ", info->host->host_no, '0' + SCpnt->device->id);
//{ int i; for (i = 0; i < 32; i++) printk("%02x ", SCpnt->sense_buffer[i]); printk("\n"); }
/*
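Review bot: the memset() now clears SCSI_SENSE_BUFFERSIZE bytes where it used to clear sizeof(pointer), so it is correct only if SCpnt->sense_buffer always points at a buffer at least that large in this driver. The commit message says the need for the initialisation was not checked; please confirm the allocation size for the commands that reach fas216_rq_sns_done() before this goes to stable.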
* [PATCH 3.16 234/410] netfilter: drop outermost socket lock in getsockopt()
2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
` (176 preceding siblings ...)
2018-06-07 14:05 ` [PATCH 3.16 376/410] vti4: Don't override MTU passed on link creation via IFLA_MTU Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
2018-06-07 14:05 ` [PATCH 3.16 162/410] HID: roccat: prevent an out of bounds read in kovaplus_profile_activated() Ben Hutchings
` (231 subsequent siblings)
409 siblings, 0 replies; 428+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Pablo Neira Ayuso, syzbot+ddde1c7b7ff7442d7f2d,
Florian Westphal, Paolo Abeni, Xin Long
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Abeni <pabeni@redhat.com>
commit 01ea306f2ac2baff98d472da719193e738759d93 upstream.
The Syzbot reported a possible deadlock in the netfilter area caused by
rtnl lock, xt lock and socket lock being acquired with a different order
on different code paths, leading to the following backtrace:
Reviewed-by: Xin Long <lucien.xin@gmail.com>
======================================================
WARNING: possible circular locking dependency detected
4.15.0+ #301 Not tainted
------------------------------------------------------
syzkaller233489/4179 is trying to acquire lock:
(rtnl_mutex){+.+.}, at: [<0000000048e996fd>] rtnl_lock+0x17/0x20
net/core/rtnetlink.c:74
but task is already holding lock:
(&xt[i].mutex){+.+.}, at: [<00000000328553a2>]
xt_find_table_lock+0x3e/0x3e0 net/netfilter/x_tables.c:1041
which lock already depends on the new lock.
===
Since commit 3f34cfae1230 ("netfilter: on sockopt() acquire sock lock
only in the required scope"), we already acquire the socket lock in
the innermost scope, where needed. In such commit I forgot to remove
the outer-most socket lock from the getsockopt() path, this commit
addresses the issues dropping it now.
v1 -> v2: fix bad subj, added relevant 'fixes' tag
Fixes: 22265a5c3c10 ("netfilter: xt_TEE: resolve oif using netdevice notifiers")
Fixes: 202f59afd441 ("netfilter: ipt_CLUSTERIP: do not hold dev")
Fixes: 3f34cfae1230 ("netfilter: on sockopt() acquire sock lock only in the required scope")
Reported-by: syzbot+ddde1c7b7ff7442d7f2d@syzkaller.appspotmail.com
Suggested-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/ipv4/ip_sockglue.c | 7 +------
net/ipv6/ipv6_sockglue.c | 10 ++--------
2 files changed, 3 insertions(+), 14 deletions(-)
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -1391,10 +1391,7 @@ int ip_getsockopt(struct sock *sk, int l
if (get_user(len, optlen))
return -EFAULT;
- lock_sock(sk);
- err = nf_getsockopt(sk, PF_INET, optname, optval,
- &len);
- release_sock(sk);
+ err = nf_getsockopt(sk, PF_INET, optname, optval, &len);
if (err >= 0)
err = put_user(len, optlen);
return err;
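Review bot: with lock_sock()/release_sock() removed around nf_getsockopt(), every getsockopt handler reached from here has to take the socket lock itself wherever it needs it. The commit message relies on commit 3f34cfae1230 for that; please list the handlers that were checked, since the same removal is repeated in the compat and IPv6 hunks that follow.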
@@ -1426,9 +1423,7 @@ int compat_ip_getsockopt(struct sock *sk
if (get_user(len, optlen))
return -EFAULT;
- lock_sock(sk);
err = compat_nf_getsockopt(sk, PF_INET, optname, optval, &len);
- release_sock(sk);
if (err >= 0)
err = put_user(len, optlen);
return err;
--- a/net/ipv6/ipv6_sockglue.c
+++ b/net/ipv6/ipv6_sockglue.c
@@ -1309,10 +1309,7 @@ int ipv6_getsockopt(struct sock *sk, int
if (get_user(len, optlen))
return -EFAULT;
- lock_sock(sk);
- err = nf_getsockopt(sk, PF_INET6, optname, optval,
- &len);
- release_sock(sk);
+ err = nf_getsockopt(sk, PF_INET6, optname, optval, &len);
if (err >= 0)
err = put_user(len, optlen);
}
@@ -1352,10 +1349,7 @@ int compat_ipv6_getsockopt(struct sock *
if (get_user(len, optlen))
return -EFAULT;
- lock_sock(sk);
- err = compat_nf_getsockopt(sk, PF_INET6,
- optname, optval, &len);
- release_sock(sk);
+ err = compat_nf_getsockopt(sk, PF_INET6, optname, optval, &len);
if (err >= 0)
err = put_user(len, optlen);
}
* [PATCH 3.16 243/410] usb: ohci: Proper handling of ed_rm_list to handle race condition between usb_kill_urb() and finish_unlinks()
2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
` (358 preceding siblings ...)
2018-06-07 14:05 ` [PATCH 3.16 331/410] RDMA/ucma: Limit possible option size Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
2018-06-07 14:05 ` [PATCH 3.16 063/410] x86/speculation: Update Speculation Control microcode blacklist Ben Hutchings
` (49 subsequent siblings)
409 siblings, 0 replies; 428+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Alan Stern, Greg Kroah-Hartman, Jeffy Chen, AMAN DEEP
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: AMAN DEEP <aman.deep@samsung.com>
commit 46408ea558df13b110e0866b99624384a33bdeba upstream.
There is a race condition between finish_unlinks->finish_urb() function
and usb_kill_urb() in ohci controller case. The finish_urb calls
spin_unlock(&ohci->lock) before usb_hcd_giveback_urb() function call,
then if during this time, usb_kill_urb is called for another endpoint,
then new ed will be added to ed_rm_list at beginning for unlink, and
ed_rm_list will point to newly added.
When finish_urb() is completed in finish_unlinks() and ed->td_list
becomes empty as in below code (in finish_unlinks() function):
if (list_empty(&ed->td_list)) {
*last = ed->ed_next;
ed->ed_next = NULL;
} else if (ohci->rh_state == OHCI_RH_RUNNING) {
*last = ed->ed_next;
ed->ed_next = NULL;
ed_schedule(ohci, ed);
}
The *last = ed->ed_next will make ed_rm_list to point to ed->ed_next
and previously added ed by usb_kill_urb will be left unreferenced by
ed_rm_list. This causes usb_kill_urb() to hang forever waiting for
finish_unlink to remove added ed from ed_rm_list.
The main reason for hang in this race condition is addition and removal
of ed from ed_rm_list in the beginning during usb_kill_urb and later
last* is modified in finish_unlinks().
As suggested by Alan Stern, the solution for proper handling of
ohci->ed_rm_list is to remove ed from the ed_rm_list before finishing
any URBs. Then at the end, we can add ed back to the list if necessary.
This properly handles the updated ohci->ed_rm_list in usb_kill_urb().
Fixes: 977dcfdc6031 ("USB: OHCI: don't lose track of EDs when a controller dies")
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Aman Deep <aman.deep@samsung.com>
Signed-off-by: Jeffy Chen <jeffy.chen@rock-chips.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/host/ohci-q.c | 17 ++++++++++-------
1 file changed, 10 insertions(+), 7 deletions(-)
--- a/drivers/usb/host/ohci-q.c
+++ b/drivers/usb/host/ohci-q.c
@@ -966,6 +966,8 @@ skip_ed:
* have modified this list. normally it's just prepending
* entries (which we'd ignore), but paranoia won't hurt.
*/
+ *last = ed->ed_next;
+ ed->ed_next = NULL;
modified = 0;
/* unlink urbs as requested, but rescan the list after
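Review bot: the comment directly above the two added lines still describes the old scheme ("normally it's just prepending entries (which we'd ignore), but paranoia won't hurt") and does not say that the ED is now taken off ed_rm_list before any URB is given back. That ordering is the whole fix for the usb_kill_urb() race, so the comment should state it, and should note that ed->ed_next is NULL for the rest of the loop body so nothing further down may follow it.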
@@ -1024,20 +1026,21 @@ rescan_this:
goto rescan_this;
/*
- * If no TDs are queued, take ED off the ed_rm_list.
+ * If no TDs are queued, ED is now idle.
* Otherwise, if the HC is running, reschedule.
- * If not, leave it on the list for further dequeues.
+ * If the HC isn't running, add ED back to the
+ * start of the list for later processing.
*/
if (list_empty(&ed->td_list)) {
- *last = ed->ed_next;
- ed->ed_next = NULL;
ed->state = ED_IDLE;
} else if (ohci->rh_state == OHCI_RH_RUNNING) {
- *last = ed->ed_next;
- ed->ed_next = NULL;
ed_schedule(ohci, ed);
} else {
- last = &ed->ed_next;
+ ed->ed_next = ohci->ed_rm_list;
+ ohci->ed_rm_list = ed;
+ /* Don't loop on the same ED */
+ if (last == &ohci->ed_rm_list)
+ last = &ed->ed_next;
}
if (modified)
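Review bot: in the final else branch the comment "Don't loop on the same ED" explains only half of the "if (last == &ohci->ed_rm_list)" test. When last points at an earlier ED's ed_next, the ED being re-added goes to the head of the list, behind the scan position, and last is deliberately left alone; spell that out, because a reader will otherwise suspect a missing "last = &ed->ed_next;" for that case.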
* [PATCH 3.16 128/410] NFS: Fix 2 use after free issues in the I/O code
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Trond Myklebust
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Trond Myklebust <trond.myklebust@primarydata.com>
commit 196639ebbe63a037fe9a80669140bd292d8bcd80 upstream.
The writeback code wants to send a commit after processing the pages,
which is why we want to delay releasing the struct path until after
that's done.
Also, the layout code expects that we do not free the inode before
we've put the layout segments in pnfs_writehdr_free() and
pnfs_readhdr_free()
Fixes: 919e3bd9a875 ("NFS: Ensure we commit after writeback is complete")
Fixes: 4714fb51fd03 ("nfs: remove pgio_header refcount, related cleanup")
Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/nfs/internal.h | 1 -
fs/nfs/pagelist.c | 26 ++++++++++++--------------
fs/nfs/pnfs.c | 2 --
3 files changed, 12 insertions(+), 17 deletions(-)
--- a/fs/nfs/internal.h
+++ b/fs/nfs/internal.h
@@ -249,7 +249,6 @@ int nfs_iocounter_wait(struct nfs_io_cou
extern const struct nfs_pageio_ops nfs_pgio_rw_ops;
struct nfs_pgio_header *nfs_pgio_header_alloc(const struct nfs_rw_ops *);
void nfs_pgio_header_free(struct nfs_pgio_header *);
-void nfs_pgio_data_destroy(struct nfs_pgio_header *);
int nfs_generic_pgio(struct nfs_pageio_descriptor *, struct nfs_pgio_header *);
int nfs_initiate_pgio(struct rpc_clnt *, struct nfs_pgio_header *,
const struct rpc_call_ops *, int, int);
--- a/fs/nfs/pagelist.c
+++ b/fs/nfs/pagelist.c
@@ -508,16 +508,6 @@ struct nfs_pgio_header *nfs_pgio_header_
}
EXPORT_SYMBOL_GPL(nfs_pgio_header_alloc);
-/*
- * nfs_pgio_header_free - Free a read or write header
- * @hdr: The header to free
- */
-void nfs_pgio_header_free(struct nfs_pgio_header *hdr)
-{
- hdr->rw_ops->rw_free_header(hdr);
-}
-EXPORT_SYMBOL_GPL(nfs_pgio_header_free);
-
/**
* nfs_pgio_data_destroy - make @hdr suitable for reuse
*
@@ -526,14 +516,24 @@ EXPORT_SYMBOL_GPL(nfs_pgio_header_free);
*
* @hdr: A header that has had nfs_generic_pgio called
*/
-void nfs_pgio_data_destroy(struct nfs_pgio_header *hdr)
+static void nfs_pgio_data_destroy(struct nfs_pgio_header *hdr)
{
if (hdr->args.context)
put_nfs_open_context(hdr->args.context);
if (hdr->page_array.pagevec != hdr->page_array.page_array)
kfree(hdr->page_array.pagevec);
}
-EXPORT_SYMBOL_GPL(nfs_pgio_data_destroy);
+
+/*
+ * nfs_pgio_header_free - Free a read or write header
+ * @hdr: The header to free
+ */
+void nfs_pgio_header_free(struct nfs_pgio_header *hdr)
+{
+ nfs_pgio_data_destroy(hdr);
+ hdr->rw_ops->rw_free_header(hdr);
+}
+EXPORT_SYMBOL_GPL(nfs_pgio_header_free);
/**
* nfs_pgio_rpcsetup - Set up arguments for a pageio call
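Review bot: the kernel-doc kept above nfs_pgio_data_destroy() still says it makes @hdr "suitable for reuse", but after this change its only caller in the diff is nfs_pgio_header_free(), immediately before the header is freed. Reword it to say that it drops the open context and any separately allocated pagevec as part of freeing, or fold the body into nfs_pgio_header_free() now that the helper is static. The moved nfs_pgio_header_free() comment also carries kernel-doc style fields under a plain /* opener.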
@@ -648,7 +648,6 @@ static int nfs_pgio_error(struct nfs_pag
struct nfs_pgio_header *hdr)
{
set_bit(NFS_IOHDR_REDO, &hdr->flags);
- nfs_pgio_data_destroy(hdr);
hdr->completion_ops->completion(hdr);
desc->pg_completion_ops->error_cleanup(&desc->pg_list);
return -ENOMEM;
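Review bot: with nfs_pgio_data_destroy() removed from nfs_pgio_error(), the open context reference and the pagevec are released only if completion() eventually reaches nfs_pgio_header_free(). The diff does not show the completion handlers, so the changelog should state that every read and write completion path frees the header through nfs_pgio_header_free(); otherwise this -ENOMEM path leaks both.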
@@ -663,7 +662,6 @@ static void nfs_pgio_release(void *calld
struct nfs_pgio_header *hdr = calldata;
if (hdr->rw_ops->rw_release)
hdr->rw_ops->rw_release(hdr);
- nfs_pgio_data_destroy(hdr);
hdr->completion_ops->completion(hdr);
}
--- a/fs/nfs/pnfs.c
+++ b/fs/nfs/pnfs.c
@@ -1557,7 +1557,6 @@ pnfs_write_through_mds(struct nfs_pageio
nfs_pageio_reset_write_mds(desc);
desc->pg_recoalesce = 1;
}
- nfs_pgio_data_destroy(hdr);
hdr->release(hdr);
}
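Review bot: hdr->release(hdr) is now the only thing that drops the open context on the write-through-MDS path, and the commit message depends on that happening after the layout segment is put in pnfs_writehdr_free(). A one-line comment at the call saying so would keep someone from reintroducing an early nfs_pgio_data_destroy() here; the same applies to the pnfs_read_through_mds() hunk that follows.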
@@ -1695,7 +1694,6 @@ pnfs_read_through_mds(struct nfs_pageio_
nfs_pageio_reset_read_mds(desc);
desc->pg_recoalesce = 1;
}
- nfs_pgio_data_destroy(hdr);
hdr->release(hdr);
}
* [PATCH 3.16 062/410] x86/speculation: Use Indirect Branch Prediction Barrier in context switch
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, linux, Tim Chen, pbonzini, bp, David Woodhouse, peterz,
gregkh, luto, ak, arjan, Thomas Gleixner, torvalds, karahmed
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Tim Chen <tim.c.chen@linux.intel.com>
commit 18bf3c3ea8ece8f03b6fc58508f2dfd23c7711c7 upstream.
Flush indirect branches when switching into a process that marked itself
non dumpable. This protects high value processes like gpg better,
without having too high performance overhead.
If done naïvely, we could switch to a kernel idle thread and then back
to the original process, such as:
process A -> idle -> process A
In such scenario, we do not have to do IBPB here even though the process
is non-dumpable, as we are switching back to the same process after a
hiatus.
To avoid the redundant IBPB, which is expensive, we track the last mm
user context ID. The cost is to have an extra u64 mm context id to track
the last mm we were using before switching to the init_mm used by idle.
Avoiding the extra IBPB is probably worth the extra memory for this
common scenario.
For those cases where tlb_defer_switch_to_init_mm() returns true (non
PCID), lazy tlb will defer switch to init_mm, so we will not be changing
the mm for the process A -> idle -> process A switch. So IBPB will be
skipped for this case.
Thanks to the reviewers and Andy Lutomirski for the suggestion of
using ctx_id which got rid of the problem of mm pointer recycling.
Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com>
Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: ak@linux.intel.com
Cc: karahmed@amazon.de
Cc: arjan@linux.intel.com
Cc: torvalds@linux-foundation.org
Cc: linux@dominikbrodowski.net
Cc: peterz@infradead.org
Cc: bp@alien8.de
Cc: luto@kernel.org
Cc: pbonzini@redhat.com
Cc: gregkh@linux-foundation.org
Link: https://lkml.kernel.org/r/1517263487-3708-1-git-send-email-dwmw@amazon.co.uk
[bwh: Backported to 3.16: Drop the optimisation for switching via the idle
task, since we don't have mm_context_t::ctx_id here]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/x86/mm/tlb.c
+++ b/arch/x86/mm/tlb.c
@@ -10,6 +10,7 @@
#include <asm/tlbflush.h>
#include <asm/mmu_context.h>
+#include <asm/nospec-branch.h>
#include <asm/cache.h>
#include <asm/apic.h>
#include <asm/uv/uv.h>
@@ -100,6 +101,24 @@ void switch_mm_irqs_off(struct mm_struct
unsigned cpu = smp_processor_id();
if (likely(prev != next)) {
+ /*
+ * Avoid user/user BTB poisoning by flushing the branch
+ * predictor when switching between processes. This stops
+ * one process from doing Spectre-v2 attacks on another.
+ *
+ * As an optimization, flush indirect branches only when
+ * switching into processes that disable dumping. This
+ * protects high value processes like gpg, without having
+ * too high performance overhead. IBPB is *expensive*!
+ *
+ * This will not flush branches when switching into kernel
+ * threads. It will flush if we switch to a different non-
+ * dumpable process.
+ */
+ if (tsk && tsk->mm &&
+ get_dumpable(tsk->mm) != SUID_DUMP_USER)
+ indirect_branch_prediction_barrier();
+
this_cpu_write(cpu_tlbstate.state, TLBSTATE_OK);
this_cpu_write(cpu_tlbstate.active_mm, next);
cpumask_set_cpu(cpu, mm_cpumask(next));
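Review bot: the new test keys on tsk->mm while the enclosing branch keys on prev and next; say in the comment why tsk->mm is the right mm to test, or test next, so the barrier decision cannot diverge from the mm actually being installed. The bracketed backport note says the idle-task optimisation was dropped, so the in-code comment should also say that this version has no last-mm tracking and issues the barrier on every prev != next switch into a non-dumpable process. The condition "!= SUID_DUMP_USER" matches any dumpable value other than SUID_DUMP_USER, which is slightly wider than "processes that disable dumping" in the comment; align the wording with the test.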
* [PATCH 3.16 082/410] ima: relax requiring a file signature for new files with zero length
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Mimi Zohar
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Mimi Zohar <zohar@linux.vnet.ibm.com>
commit b7e27bc1d42e8e0cc58b602b529c25cd0071b336 upstream.
Custom policies can require file signatures based on LSM labels. These
files are normally created and only afterwards labeled, requiring them
to be signed.
Instead of requiring file signatures based on LSM labels, entire
filesystems could require file signatures. In this case, we need the
ability of writing new files without requiring file signatures.
The definition of a "new" file was originally defined as any file with
a length of zero. Subsequent patches redefined a "new" file to be based
on the FILE_CREATE open flag. By combining the open flag with a file
size of zero, this patch relaxes the file signature requirement.
Fixes: 1ac202e978e1 ima: accept previously set IMA_NEW_FILE
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
security/integrity/ima/ima_appraise.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/security/integrity/ima/ima_appraise.c
+++ b/security/integrity/ima/ima_appraise.c
@@ -198,7 +198,8 @@ int ima_appraise_measurement(int func, s
if (opened & FILE_CREATED)
iint->flags |= IMA_NEW_FILE;
if ((iint->flags & IMA_NEW_FILE) &&
- !(iint->flags & IMA_DIGSIG_REQUIRED))
+ (!(iint->flags & IMA_DIGSIG_REQUIRED) ||
+ (inode->i_size == 0)))
status = INTEGRITY_PASS;
goto out;
}
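Review bot: the added "inode->i_size == 0" clause lets a zero-length file pass appraisal even when IMA_DIGSIG_REQUIRED is set, and it is gated on IMA_NEW_FILE in iint->flags rather than on "opened & FILE_CREATED" for this call. Because the flag may already be set from an earlier open, add a comment here saying when IMA_NEW_FILE is cleared and why an empty file is safe to pass; this relaxes a signature requirement and the reasoning currently lives only in the commit message. The parentheses around the size comparison are redundant.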
* [PATCH 3.16 306/410] tty/serial: atmel: add new version check for usart
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Richard Genoud, Greg Kroah-Hartman, Jonas Danielsson,
Nicolas Ferre
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jonas Danielsson <jonas@orbital-systems.com>
commit fd63a8903a2c40425a9811c3371dd4d0f42c0ad3 upstream.
On our at91sam9260 based board the usart0 and usart1 ports report
their versions (ATMEL_US_VERSION) as 0x10302. This version is not
included in the current checks in the driver.
Signed-off-by: Jonas Danielsson <jonas@orbital-systems.com>
Acked-by: Richard Genoud <richard.genoud@gmail.com>
Acked-by: Nicolas Ferre <nicolas.ferre@microchip.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/tty/serial/atmel_serial.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/tty/serial/atmel_serial.c
+++ b/drivers/tty/serial/atmel_serial.c
@@ -1644,6 +1644,7 @@ static void atmel_get_ip_name(struct uar
switch (version) {
case 0x302:
case 0x10213:
+ case 0x10302:
dev_dbg(port->dev, "This version is usart\n");
atmel_port->is_usart = true;
break;
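Review bot: the new "case 0x10302:" is a bare magic number like its neighbours. A trailing comment naming the hardware it was seen on (the commit message says usart0 and usart1 on an at91sam9260 based board) would make the list easier to maintain when the next unlisted version turns up.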
* [PATCH 3.16 316/410] staging: android: ashmem: Fix lockdep issue during llseek
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Greg Hackmann, Arve Hjonnevag, Todd Kjos, Joel Fernandes,
Greg Kroah-Hartman, syzbot+8ec30bb7bf1a981a2012
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Joel Fernandes <joelaf@google.com>
commit cb57469c9573f6018cd1302953dd45d6e05aba7b upstream.
ashmem_mutex creates a chain of dependencies like so:
(1)
mmap syscall ->
mmap_sem -> (acquired)
ashmem_mmap
ashmem_mutex (try to acquire)
(block)
(2)
llseek syscall ->
ashmem_llseek ->
ashmem_mutex -> (acquired)
inode_lock ->
inode->i_rwsem (try to acquire)
(block)
(3)
getdents ->
iterate_dir ->
inode_lock ->
inode->i_rwsem (acquired)
copy_to_user ->
mmap_sem (try to acquire)
There is a lock ordering created between mmap_sem and inode->i_rwsem
causing a lockdep splat [2] during a syzkaller test, this patch fixes
the issue by unlocking the mutex earlier. Functionally that's Ok since
we don't need to protect vfs_llseek.
[1] https://patchwork.kernel.org/patch/10185031/
[2] https://lkml.org/lkml/2018/1/10/48
Acked-by: Todd Kjos <tkjos@google.com>
Cc: Arve Hjonnevag <arve@android.com>
Reported-by: syzbot+8ec30bb7bf1a981a2012@syzkaller.appspotmail.com
Signed-off-by: Joel Fernandes <joelaf@google.com>
Acked-by: Greg Hackmann <ghackmann@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/staging/android/ashmem.c | 15 +++++++--------
1 file changed, 7 insertions(+), 8 deletions(-)
--- a/drivers/staging/android/ashmem.c
+++ b/drivers/staging/android/ashmem.c
@@ -330,24 +330,23 @@ static loff_t ashmem_llseek(struct file
mutex_lock(&ashmem_mutex);
if (asma->size == 0) {
- ret = -EINVAL;
- goto out;
+ mutex_unlock(&ashmem_mutex);
+ return -EINVAL;
}
if (!asma->file) {
- ret = -EBADF;
- goto out;
+ mutex_unlock(&ashmem_mutex);
+ return -EBADF;
}
+ mutex_unlock(&ashmem_mutex);
+
ret = asma->file->f_op->llseek(asma->file, offset, origin);
if (ret < 0)
- goto out;
+ return ret;
/** Copy f_pos from backing file, since f_ops->llseek() sets it */
file->f_pos = asma->file->f_pos;
-
-out:
- mutex_unlock(&ashmem_mutex);
return ret;
}
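Review bot: after the added mutex_unlock(), asma->file is dereferenced twice without ashmem_mutex held, once in "asma->file->f_op->llseek(asma->file, offset, origin)" and once in "file->f_pos = asma->file->f_pos;". The commit message argues only that the llseek call itself needs no protection; add a comment saying why asma->file cannot be cleared or replaced once it has been seen non-NULL, or copy the pointer into a local while the mutex is still held and use the local afterwards.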
* [PATCH 3.16 211/410] pipe, sysctl: remove pipe_proc_fn()
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Linus Torvalds, Luis R . Rodriguez, Kees Cook,
Michael Kerrisk, Alexander Viro, Willy Tarreau, Joe Lawrence,
Eric Biggers, Mikulas Patocka
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@google.com>
commit 319e0a21bb7823abbb4818fe2724e572bbac77a2 upstream.
pipe_proc_fn() is no longer needed, as it only calls through to
proc_dopipe_max_size(). Just put proc_dopipe_max_size() in the ctl_table
entry directly, and remove the unneeded EXPORT_SYMBOL() and the ENOSYS
stub for it.
(The reason the ENOSYS stub isn't needed is that the pipe-max-size
ctl_table entry is located directly in 'kern_table' rather than being
registered separately. Therefore, the entry is already only defined when
the kernel is built with sysctl support.)
Link: http://lkml.kernel.org/r/20180111052902.14409-3-ebiggers3@gmail.com
Signed-off-by: Eric Biggers <ebiggers@google.com>
Acked-by: Kees Cook <keescook@chromium.org>
Acked-by: Joe Lawrence <joe.lawrence@redhat.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: "Luis R . Rodriguez" <mcgrof@kernel.org>
Cc: Michael Kerrisk <mtk.manpages@gmail.com>
Cc: Mikulas Patocka <mpatocka@redhat.com>
Cc: Willy Tarreau <w@1wt.eu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/pipe.c | 10 ----------
include/linux/pipe_fs_i.h | 1 -
include/linux/sysctl.h | 3 ---
kernel/sysctl.c | 15 +++++----------
4 files changed, 5 insertions(+), 24 deletions(-)
--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -1108,16 +1108,6 @@ out_revert_acct:
}
/*
- * This should work even if CONFIG_PROC_FS isn't set, as proc_dopipe_max_size
- * will return an error.
- */
-int pipe_proc_fn(struct ctl_table *table, int write, void __user *buf,
- size_t *lenp, loff_t *ppos)
-{
- return proc_dopipe_max_size(table, write, buf, lenp, ppos);
-}
-
-/*
* After the inode slimming patch, i_pipe/i_bdev/i_cdev share the same
* location, so checking ->i_pipe is not enough to verify that this is a
* pipe.
--- a/include/linux/pipe_fs_i.h
+++ b/include/linux/pipe_fs_i.h
@@ -127,7 +127,6 @@ void pipe_double_lock(struct pipe_inode_
extern unsigned int pipe_max_size;
extern unsigned long pipe_user_pages_hard;
extern unsigned long pipe_user_pages_soft;
-int pipe_proc_fn(struct ctl_table *, int, void __user *, size_t *, loff_t *);
/* Drop the inode semaphore and wait for a pipe event, atomically */
--- a/include/linux/sysctl.h
+++ b/include/linux/sysctl.h
@@ -45,9 +45,6 @@ extern int proc_dointvec(struct ctl_tabl
void __user *, size_t *, loff_t *);
extern int proc_dointvec_minmax(struct ctl_table *, int,
void __user *, size_t *, loff_t *);
-extern int proc_dopipe_max_size(struct ctl_table *table, int write,
- void __user *buffer, size_t *lenp,
- loff_t *ppos);
extern int proc_dointvec_jiffies(struct ctl_table *, int,
void __user *, size_t *, loff_t *);
extern int proc_dointvec_userhz_jiffies(struct ctl_table *, int,
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -194,6 +194,8 @@ static int proc_dointvec_minmax_coredump
static int proc_dostring_coredump(struct ctl_table *table, int write,
void __user *buffer, size_t *lenp, loff_t *ppos);
#endif
+static int proc_dopipe_max_size(struct ctl_table *table, int write,
+ void __user *buffer, size_t *lenp, loff_t *ppos);
#ifdef CONFIG_MAGIC_SYSRQ
/* Note: sysrq code uses it's own private copy */
@@ -1671,7 +1673,7 @@ static struct ctl_table fs_table[] = {
.data = &pipe_max_size,
.maxlen = sizeof(int),
.mode = 0644,
- .proc_handler = &pipe_proc_fn,
+ .proc_handler = proc_dopipe_max_size,
},
{
.procname = "pipe-user-pages-hard",
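Review bot: the commit message says the pipe-max-size entry is located in 'kern_table', but the context of this hunk places it in fs_table[]. The argument for dropping the ENOSYS stub then rests on fs_table[] being built only with sysctl support, so the changelog should name the right table and the condition it is compiled under.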
@@ -2245,8 +2247,8 @@ static int do_proc_dopipe_max_size_conv(
return 0;
}
-int proc_dopipe_max_size(struct ctl_table *table, int write,
- void __user *buffer, size_t *lenp, loff_t *ppos)
+static int proc_dopipe_max_size(struct ctl_table *table, int write,
+ void __user *buffer, size_t *lenp, loff_t *ppos)
{
return do_proc_dointvec(table, write, buffer, lenp, ppos,
do_proc_dopipe_max_size_conv, NULL);
@@ -2767,12 +2769,6 @@ int proc_dointvec_minmax(struct ctl_tabl
return -ENOSYS;
}
-int proc_dopipe_max_size(struct ctl_table *table, int write,
- void __user *buffer, size_t *lenp, loff_t *ppos)
-{
- return -ENOSYS;
-}
-
int proc_dointvec_jiffies(struct ctl_table *table, int write,
void __user *buffer, size_t *lenp, loff_t *ppos)
{
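Review bot: removing the -ENOSYS stub is safe only if the block that held it is never compiled together with the table entry that now names proc_dopipe_max_size directly. The forward declaration added near the top of the file is static and sits outside the visible #ifdef blocks, so in a configuration that builds this stub block the function would be declared and referenced but never defined. The commit message asserts that cannot happen; for the 3.16 backport, confirm it against this tree's Kconfig rather than upstream's.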
@@ -2814,7 +2810,6 @@ int proc_doulongvec_ms_jiffies_minmax(st
EXPORT_SYMBOL(proc_dointvec);
EXPORT_SYMBOL(proc_dointvec_jiffies);
EXPORT_SYMBOL(proc_dointvec_minmax);
-EXPORT_SYMBOL_GPL(proc_dopipe_max_size);
EXPORT_SYMBOL(proc_dointvec_userhz_jiffies);
EXPORT_SYMBOL(proc_dointvec_ms_jiffies);
EXPORT_SYMBOL(proc_dostring);
* [PATCH 3.16 043/410] x86/msr: Add definitions for new speculation control MSRs
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, dave.hansen, gregkh, ak, gnomes, arjan, torvalds,
Thomas Gleixner, karahmed, tim.c.chen, pbonzini,
Greg Kroah-Hartman, bp, David Woodhouse, ashok.raj, peterz
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: David Woodhouse <dwmw@amazon.co.uk>
commit 1e340c60d0dd3ae07b5bedc16a0469c14b9f3410 upstream.
Add MSR and bit definitions for SPEC_CTRL, PRED_CMD and ARCH_CAPABILITIES.
See Intel's 336996-Speculative-Execution-Side-Channel-Mitigations.pdf
Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: gnomes@lxorguk.ukuu.org.uk
Cc: ak@linux.intel.com
Cc: ashok.raj@intel.com
Cc: dave.hansen@intel.com
Cc: karahmed@amazon.de
Cc: arjan@linux.intel.com
Cc: torvalds@linux-foundation.org
Cc: peterz@infradead.org
Cc: bp@alien8.de
Cc: pbonzini@redhat.com
Cc: tim.c.chen@linux.intel.com
Cc: gregkh@linux-foundation.org
Link: https://lkml.kernel.org/r/1516896855-7642-5-git-send-email-dwmw@amazon.co.uk
Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/x86/include/uapi/asm/msr-index.h | 12 ++++++++++++
1 file changed, 12 insertions(+)
--- a/arch/x86/include/uapi/asm/msr-index.h
+++ b/arch/x86/include/uapi/asm/msr-index.h
@@ -32,6 +32,13 @@
#define EFER_FFXSR (1<<_EFER_FFXSR)
/* Intel MSRs. Some also available on other CPUs */
+#define MSR_IA32_SPEC_CTRL 0x00000048 /* Speculation Control */
+#define SPEC_CTRL_IBRS (1 << 0) /* Indirect Branch Restricted Speculation */
+#define SPEC_CTRL_STIBP (1 << 1) /* Single Thread Indirect Branch Predictors */
+
+#define MSR_IA32_PRED_CMD 0x00000049 /* Prediction Command */
+#define PRED_CMD_IBPB (1 << 0) /* Indirect Branch Prediction Barrier */
+
#define MSR_IA32_PERFCTR0 0x000000c1
#define MSR_IA32_PERFCTR1 0x000000c2
#define MSR_FSB_FREQ 0x000000cd
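Review bot: in this backport the definitions go into arch/x86/include/uapi/asm/msr-index.h, so the unprefixed bit names SPEC_CTRL_IBRS, SPEC_CTRL_STIBP and PRED_CMD_IBPB land in a header exported to userspace next to the MSR_ prefixed indices. The bracketed backport note mentions only the filename change; it should say that exporting these names is intended. The bit macros are also plain int expressions such as "(1 << 0)" that will be combined with 64-bit MSR values, which is harmless for bits 0 and 1 but worth a comment before higher bits are added in the same style.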
@@ -46,6 +53,11 @@
#define MSR_PLATFORM_INFO 0x000000ce
#define MSR_MTRRcap 0x000000fe
+
+#define MSR_IA32_ARCH_CAPABILITIES 0x0000010a
+#define ARCH_CAP_RDCL_NO (1 << 0) /* Not susceptible to Meltdown */
+#define ARCH_CAP_IBRS_ALL (1 << 1) /* Enhanced IBRS support */
+
#define MSR_IA32_BBL_CR_CTL 0x00000119
#define MSR_IA32_BBL_CR_CTL3 0x0000011e
* [PATCH 3.16 030/410] x86/MCE: Serialize sysfs changes
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Tony Luck, Thomas Gleixner, linux-edac, Greg Kroah-Hartman,
Seunghun Han, Borislav Petkov
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Seunghun Han <kkamagui@gmail.com>
commit b3b7c4795ccab5be71f080774c45bbbcc75c2aaf upstream.
The check_interval file in
/sys/devices/system/machinecheck/machinecheck<cpu number>
directory is a global timer value for MCE polling. If it is changed by one
CPU, mce_restart() broadcasts the event to other CPUs to delete and restart
the MCE polling timer and __mcheck_cpu_init_timer() reinitializes the
mce_timer variable.
If more than one CPU writes a specific value to the check_interval file
concurrently, mce_timer is not protected from such concurrent accesses and
all kinds of explosions happen. Since only root can write to those sysfs
variables, the issue is not a big deal security-wise.
However, concurrent writes to these configuration variables is void of
reason so the proper thing to do is to serialize the access with a mutex.
Boris:
- Make store_int_with_restart() use device_store_ulong() to filter out
negative intervals
- Limit min interval to 1 second
- Correct locking
- Massage commit message
Signed-off-by: Seunghun Han <kkamagui@gmail.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Tony Luck <tony.luck@intel.com>
Cc: linux-edac <linux-edac@vger.kernel.org>
Link: http://lkml.kernel.org/r/20180302202706.9434-1-kkamagui@gmail.com
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/x86/kernel/cpu/mcheck/mce.c | 22 +++++++++++++++++++++-
1 file changed, 21 insertions(+), 1 deletion(-)
--- a/arch/x86/kernel/cpu/mcheck/mce.c
+++ b/arch/x86/kernel/cpu/mcheck/mce.c
@@ -57,6 +57,9 @@ static DEFINE_MUTEX(mce_chrdev_read_mute
rcu_read_lock_sched_held() || \
lockdep_is_held(&mce_chrdev_read_mutex))
+/* sysfs synchronization */
+static DEFINE_MUTEX(mce_sysfs_mutex);
+
#define CREATE_TRACE_POINTS
#include <trace/events/mce.h>
@@ -2199,6 +2202,7 @@ static ssize_t set_ignore_ce(struct devi
if (strict_strtoull(buf, 0, &new) < 0)
return -EINVAL;
+ mutex_lock(&mce_sysfs_mutex);
if (mca_cfg.ignore_ce ^ !!new) {
if (new) {
/* disable ce features */
@@ -2211,6 +2215,8 @@ static ssize_t set_ignore_ce(struct devi
on_each_cpu(mce_enable_ce, (void *)1, 1);
}
}
+ mutex_unlock(&mce_sysfs_mutex);
+
return size;
}
@@ -2223,6 +2229,7 @@ static ssize_t set_cmci_disabled(struct
if (strict_strtoull(buf, 0, &new) < 0)
return -EINVAL;
+ mutex_lock(&mce_sysfs_mutex);
if (mca_cfg.cmci_disabled ^ !!new) {
if (new) {
/* disable cmci */
@@ -2234,6 +2241,8 @@ static ssize_t set_cmci_disabled(struct
on_each_cpu(mce_enable_ce, NULL, 1);
}
}
+ mutex_unlock(&mce_sysfs_mutex);
+
return size;
}
@@ -2241,8 +2250,19 @@ static ssize_t store_int_with_restart(st
struct device_attribute *attr,
const char *buf, size_t size)
{
- ssize_t ret = device_store_int(s, attr, buf, size);
+ unsigned long old_check_interval = check_interval;
+ ssize_t ret = device_store_ulong(s, attr, buf, size);
+
+ if (check_interval == old_check_interval)
+ return ret;
+
+ if (check_interval < 1)
+ check_interval = 1;
+
+ mutex_lock(&mce_sysfs_mutex);
mce_restart();
+ mutex_unlock(&mce_sysfs_mutex);
+
return ret;
}
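Review bot: mce_sysfs_mutex is taken only around mce_restart(); the read of check_interval into old_check_interval, the device_store_ulong() write and the "check_interval = 1" clamp all run outside it. Two concurrent writers can interleave between the store and the clamp, or compare against each other's value and skip the restart, so take the mutex at the top of store_int_with_restart() and release it on both return paths. The switch from device_store_int() to device_store_ulong() also requires check_interval and its attribute to be unsigned long; the declaration is not part of this diff, so confirm it for 3.16.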
* [PATCH 3.16 256/410] drm/nouveau: Fix deadlock on runtime suspend
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Lukas Wunner, Lyude Paul, Dave Airlie, Ben Skeggs
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Lukas Wunner <lukas@wunner.de>
commit d61a5c1063515e855bedb1b81e20e50b0ac3541e upstream.
nouveau's ->runtime_suspend hook calls drm_kms_helper_poll_disable(),
which waits for the output poll worker to finish if it's running.
The output poll worker meanwhile calls pm_runtime_get_sync() in
nouveau_connector_detect() which waits for the ongoing suspend to finish,
causing a deadlock.
Fix by not acquiring a runtime PM ref if nouveau_connector_detect() is
called in the output poll worker's context. This is safe because
the poll worker is only enabled while runtime active and we know that
->runtime_suspend waits for it to finish.
Other contexts calling nouveau_connector_detect() do require a runtime
PM ref, these comprise:
status_store() drm sysfs interface
->fill_modes drm callback
drm_fb_helper_probe_connector_modes()
drm_mode_getconnector()
nouveau_connector_hotplug()
nouveau_display_hpd_work()
nv17_tv_set_property()
Stack trace for posterity:
INFO: task kworker/0:1:58 blocked for more than 120 seconds.
Workqueue: events output_poll_execute [drm_kms_helper]
Call Trace:
schedule+0x28/0x80
rpm_resume+0x107/0x6e0
__pm_runtime_resume+0x47/0x70
nouveau_connector_detect+0x7e/0x4a0 [nouveau]
nouveau_connector_detect_lvds+0x132/0x180 [nouveau]
drm_helper_probe_detect_ctx+0x85/0xd0 [drm_kms_helper]
output_poll_execute+0x11e/0x1c0 [drm_kms_helper]
process_one_work+0x184/0x380
worker_thread+0x2e/0x390
INFO: task kworker/0:2:252 blocked for more than 120 seconds.
Workqueue: pm pm_runtime_work
Call Trace:
schedule+0x28/0x80
schedule_timeout+0x1e3/0x370
wait_for_completion+0x123/0x190
flush_work+0x142/0x1c0
nouveau_pmops_runtime_suspend+0x7e/0xd0 [nouveau]
pci_pm_runtime_suspend+0x5c/0x180
vga_switcheroo_runtime_suspend+0x1e/0xa0
__rpm_callback+0xc1/0x200
rpm_callback+0x1f/0x70
rpm_suspend+0x13c/0x640
pm_runtime_work+0x6e/0x90
process_one_work+0x184/0x380
worker_thread+0x2e/0x390
Bugzilla: https://bugs.archlinux.org/task/53497
Bugzilla: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870523
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=70388#c33
Fixes: 5addcf0a5f0f ("nouveau: add runtime PM support (v0.9)")
Cc: Ben Skeggs <bskeggs@redhat.com>
Cc: Dave Airlie <airlied@redhat.com>
Reviewed-by: Lyude Paul <lyude@redhat.com>
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Link: https://patchwork.freedesktop.org/patch/msgid/b7d2cbb609a80f59ccabfdf479b9d5907c603ea1.1518338789.git.lukas@wunner.de
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/gpu/drm/nouveau/nouveau_connector.c | 18 +++++++++++++-----
1 file changed, 13 insertions(+), 5 deletions(-)
--- a/drivers/gpu/drm/nouveau/nouveau_connector.c
+++ b/drivers/gpu/drm/nouveau/nouveau_connector.c
@@ -256,9 +256,15 @@ nouveau_connector_detect(struct drm_conn
nv_connector->edid = NULL;
}
- ret = pm_runtime_get_sync(connector->dev->dev);
- if (ret < 0 && ret != -EACCES)
- return conn_status;
+ /* Outputs are only polled while runtime active, so acquiring a
+ * runtime PM ref here is unnecessary (and would deadlock upon
+ * runtime suspend because it waits for polling to finish).
+ */
+ if (!drm_kms_helper_is_poll_worker()) {
+ ret = pm_runtime_get_sync(connector->dev->dev);
+ if (ret < 0 && ret != -EACCES)
+ return conn_status;
+ }
nv_encoder = nouveau_connector_ddc_detect(connector);
if (nv_encoder && (i2c = nv_encoder->i2c) != NULL) {
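Review bot: the early `return conn_status` on a failed pm_runtime_get_sync() is carried over unchanged inside the new `if`, and pm_runtime_get_sync() raises the usage count even when it returns an error, so that path leaves the device with an unbalanced reference. Consider dropping it with pm_runtime_put_noidle() before returning, or handle it as a follow-up since the behaviour predates this change. Separately, drm_kms_helper_is_poll_worker() is not added by this diff (only nouveau_connector.c is touched), so the 3.16 queue needs the patch that introduces it ordered before this one.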
@@ -326,8 +332,10 @@ detect_analog:
out:
- pm_runtime_mark_last_busy(connector->dev->dev);
- pm_runtime_put_autosuspend(connector->dev->dev);
+ if (!drm_kms_helper_is_poll_worker()) {
+ pm_runtime_mark_last_busy(connector->dev->dev);
+ pm_runtime_put_autosuspend(connector->dev->dev);
+ }
return conn_status;
}
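Review bot: the put at `out:` is guarded by a second call to drm_kms_helper_is_poll_worker(), so the get/put pairing depends on both calls giving the same answer. Evaluating it once into a local bool next to the pm_runtime_get_sync() call and testing that bool here would make the balance obvious to the reader and save a call.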
* [PATCH 3.16 187/410] Btrfs: fix crash due to not cleaning up tree log block's dirty bits
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, David Sterba, Josef Bacik, Liu Bo
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Liu Bo <bo.li.liu@oracle.com>
commit 1846430c24d66e85cc58286b3319c82cd54debb2 upstream.
In cases where the whole fs flips into readonly status due to failures in
critical sections, the log tree's blocks are still dirty, and this leads
to a crash at umount time. The crash is about use-after-free:
umount
-> close_ctree
-> stop workers
-> iput(btree_inode)
-> iput_final
-> write_inode_now
-> ...
-> queue job on stop'd workers
Fixes: 681ae50917df ("Btrfs: cleanup reserved space when freeing tree log on error")
Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
Reviewed-by: Josef Bacik <jbacik@fb.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/btrfs/tree-log.c | 9 +++++++++
1 file changed, 9 insertions(+)
--- a/fs/btrfs/tree-log.c
+++ b/fs/btrfs/tree-log.c
@@ -2197,6 +2197,9 @@ static noinline int walk_down_log_tree(s
clean_tree_block(trans, root, next);
btrfs_wait_tree_block_writeback(next);
btrfs_tree_unlock(next);
+ } else {
+ if (test_and_clear_bit(EXTENT_BUFFER_DIRTY, &next->bflags))
+ clear_extent_buffer_dirty(next);
}
WARN_ON(root_owner !=
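Review bot: the new `else` branch clears EXTENT_BUFFER_DIRTY on `next` without the tree lock that the preceding branch releases with btrfs_tree_unlock(next). If that is safe because nothing else can reach a log tree block on this path, a one-line comment saying so would help; the commit message describes the crash but not why the unlocked clear is correct.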
@@ -2275,6 +2278,9 @@ static noinline int walk_up_log_tree(str
clean_tree_block(trans, root, next);
btrfs_wait_tree_block_writeback(next);
btrfs_tree_unlock(next);
+ } else {
+ if (test_and_clear_bit(EXTENT_BUFFER_DIRTY, &next->bflags))
+ clear_extent_buffer_dirty(next);
}
WARN_ON(root_owner != BTRFS_TREE_LOG_OBJECTID);
@@ -2351,6 +2357,9 @@ static int walk_log_tree(struct btrfs_tr
clean_tree_block(trans, log, next);
btrfs_wait_tree_block_writeback(next);
btrfs_tree_unlock(next);
+ } else {
+ if (test_and_clear_bit(EXTENT_BUFFER_DIRTY, &next->bflags))
+ clear_extent_buffer_dirty(next);
}
WARN_ON(log->root_key.objectid !=
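Review bot: this is the third copy of the same test_and_clear_bit()/clear_extent_buffer_dirty() pair (walk_down_log_tree, walk_up_log_tree and here). A small static helper would keep the three sites from drifting apart, and `} else {` followed by a lone `if` can be written as `} else if (...) {`.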
* [PATCH 3.16 144/410] MIPS: Fix clean of vmlinuz.{32,ecoff,bin,srec}
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, James Hogan, linux-mips, Ralf Baechle
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: James Hogan <jhogan@kernel.org>
commit 5f2483eb2423152445b39f2db59d372f523e664e upstream.
Make doesn't expand shell style "vmlinuz.{32,ecoff,bin,srec}" to the 4
separate files, so none of these files get cleaned up by make clean.
List the files separately instead.
Fixes: ec3352925b74 ("MIPS: Remove all generated vmlinuz* files on "make clean"")
Signed-off-by: James Hogan <jhogan@kernel.org>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/18491/
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/mips/boot/compressed/Makefile | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/arch/mips/boot/compressed/Makefile
+++ b/arch/mips/boot/compressed/Makefile
@@ -117,4 +117,8 @@ OBJCOPYFLAGS_vmlinuz.srec := $(OBJCOPYFL
vmlinuz.srec: vmlinuz
$(call cmd,objcopy)
-clean-files := $(objtree)/vmlinuz $(objtree)/vmlinuz.{32,ecoff,bin,srec}
+clean-files += $(objtree)/vmlinuz
+clean-files += $(objtree)/vmlinuz.32
+clean-files += $(objtree)/vmlinuz.ecoff
+clean-files += $(objtree)/vmlinuz.bin
+clean-files += $(objtree)/vmlinuz.srec
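Review bot: the first entry changes `clean-files :=` to `clean-files +=`, which the commit message does not mention; if anything earlier in this Makefile or an include already sets clean-files, the list now accumulates instead of being reset. Worth confirming that is intended. The four suffixed names could also be written once with $(addprefix $(objtree)/vmlinuz.,32 ecoff bin srec) to avoid repeating the prefix.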
* [PATCH 3.16 217/410] cifs: silence compiler warnings showing up with gcc-8.0.0
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Arnd Bergmann, Steve French
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
commit ade7db991b47ab3016a414468164f4966bd08202 upstream.
This bug was fixed before, but came up again with the latest
compiler in another function:
fs/cifs/cifssmb.c: In function 'CIFSSMBSetEA':
fs/cifs/cifssmb.c:6362:3: error: 'strncpy' offset 8 is out of the bounds [0, 4] [-Werror=array-bounds]
strncpy(parm_data->list[0].name, ea_name, name_len);
Let's apply the same fix that was used for the other instances.
Fixes: b2a3ad9ca502 ("cifs: silence compiler warnings showing up with gcc-4.7.0")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Steve French <smfrench@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/cifs/cifssmb.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
--- a/fs/cifs/cifssmb.c
+++ b/fs/cifs/cifssmb.c
@@ -6366,9 +6366,7 @@ SetEARetry:
pSMB->InformationLevel =
cpu_to_le16(SMB_SET_FILE_EA);
- parm_data =
- (struct fealist *) (((char *) &pSMB->hdr.Protocol) +
- offset);
+ parm_data = (void *)pSMB + offsetof(struct smb_hdr, Protocol) + offset;
pSMB->ParameterOffset = cpu_to_le16(param_offset);
pSMB->DataOffset = cpu_to_le16(offset);
pSMB->SetupCount = 1;
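Review bot: the replacement for the `&pSMB->hdr.Protocol` form carries no comment, so a later cleanup could easily turn it back into the member-address expression that trips -Warray-bounds. A short comment above the `parm_data =` line saying the offsetof() form is deliberate would protect it. The computed address is unchanged, so this only quiets the compiler; whether `offset` plus the EA name fits in the buffer still rests on checks outside this hunk.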
* [PATCH 3.16 223/410] s390/qeth: fix SETIP command handling
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, David S. Miller, Julian Wiedmann
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Julian Wiedmann <jwi@linux.vnet.ibm.com>
commit 1c5b2216fbb973a9410e0b06389740b5c1289171 upstream.
send_control_data() applies some special handling to SETIP v4 IPA
commands. But current code parses *all* command types for the SETIP
command code. Limit the command code check to IPA commands.
Fixes: 5b54e16f1a54 ("qeth: do not spin for SETIP ip assist command")
Signed-off-by: Julian Wiedmann <jwi@linux.vnet.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/s390/net/qeth_core.h | 5 +++++
drivers/s390/net/qeth_core_main.c | 14 ++++++++------
2 files changed, 13 insertions(+), 6 deletions(-)
--- a/drivers/s390/net/qeth_core.h
+++ b/drivers/s390/net/qeth_core.h
@@ -593,6 +593,11 @@ struct qeth_cmd_buffer {
void (*callback) (struct qeth_channel *, struct qeth_cmd_buffer *);
};
+static inline struct qeth_ipa_cmd *__ipa_cmd(struct qeth_cmd_buffer *iob)
+{
+ return (struct qeth_ipa_cmd *)(iob->data + IPA_PDU_HEADER_SIZE);
+}
+
/**
* definition of a qeth channel, used for read and write
*/
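Review bot: __ipa_cmd() casts `iob->data + IPA_PDU_HEADER_SIZE` unconditionally, so its result is only meaningful when the buffer holds an IPA command. A one-line comment stating that callers must check IS_IPA(iob->data) first would keep the next user from repeating the bug this patch fixes.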
--- a/drivers/s390/net/qeth_core_main.c
+++ b/drivers/s390/net/qeth_core_main.c
@@ -2025,7 +2025,7 @@ int qeth_send_control_data(struct qeth_c
unsigned long flags;
struct qeth_reply *reply = NULL;
unsigned long timeout, event_timeout;
- struct qeth_ipa_cmd *cmd;
+ struct qeth_ipa_cmd *cmd = NULL;
QETH_CARD_TEXT(card, 2, "sendctl");
@@ -2052,10 +2052,13 @@ int qeth_send_control_data(struct qeth_c
while (atomic_cmpxchg(&card->write.irq_pending, 0, 1)) ;
qeth_prepare_control_data(card, len, iob);
- if (IS_IPA(iob->data))
+ if (IS_IPA(iob->data)) {
+ cmd = __ipa_cmd(iob);
event_timeout = QETH_IPA_TIMEOUT;
- else
+ } else {
event_timeout = QETH_TIMEOUT;
+ }
+
timeout = jiffies + event_timeout;
QETH_CARD_TEXT(card, 6, "noirqpnd");
@@ -2080,9 +2083,8 @@ int qeth_send_control_data(struct qeth_c
/* we have only one long running ipassist, since we can ensure
process context of this command we can sleep */
- cmd = (struct qeth_ipa_cmd *)(iob->data+IPA_PDU_HEADER_SIZE);
- if ((cmd->hdr.command == IPA_CMD_SETIP) &&
- (cmd->hdr.prot_version == QETH_PROT_IPV4)) {
+ if (cmd && cmd->hdr.command == IPA_CMD_SETIP &&
+ cmd->hdr.prot_version == QETH_PROT_IPV4) {
if (!wait_event_timeout(reply->wait_q,
atomic_read(&reply->received), event_timeout))
goto time_err;
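Review bot: `cmd` now doubles as the "this is an IPA command" flag, set only in the IS_IPA() branch of the earlier hunk and tested here as `if (cmd && ...)`. That works, but the comment above this test still reads as if every command were an ipassist; updating it to say the SETIP check applies to IPA commands only would match the new logic.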
* [PATCH 3.16 216/410] pipe: read buffer limits atomically
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Michael Kerrisk, Kees Cook, Mikulas Patocka, Eric Biggers,
Alexander Viro, Willy Tarreau, Joe Lawrence, Linus Torvalds,
Luis R . Rodriguez
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers <ebiggers@google.com>
commit f7340761812fc10313e6fcc115e0bc4f7a799112 upstream.
The pipe buffer limits are accessed without any locking, and may be
changed at any time by the sysctl handlers. In theory this could cause
problems for expressions like the following:
pipe_user_pages_hard && user_bufs > pipe_user_pages_hard
... since the assembly code might reference the 'pipe_user_pages_hard'
memory location multiple times, and if the admin removes the limit by
setting it to 0, there is a very brief window where processes could
incorrectly observe the limit to be exceeded.
Fix this by loading the limits with READ_ONCE() prior to use.
Link: http://lkml.kernel.org/r/20180111052902.14409-8-ebiggers3@gmail.com
Signed-off-by: Eric Biggers <ebiggers@google.com>
Acked-by: Kees Cook <keescook@chromium.org>
Acked-by: Joe Lawrence <joe.lawrence@redhat.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Michael Kerrisk <mtk.manpages@gmail.com>
Cc: Willy Tarreau <w@1wt.eu>
Cc: Mikulas Patocka <mpatocka@redhat.com>
Cc: "Luis R . Rodriguez" <mcgrof@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.16:
- Use ACCESS_ONCE() instead of READ_ONCE()
- Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/pipe.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -593,12 +593,16 @@ static unsigned long account_pipe_buffer
static bool too_many_pipe_buffers_soft(unsigned long user_bufs)
{
- return pipe_user_pages_soft && user_bufs > pipe_user_pages_soft;
+ unsigned long soft_limit = ACCESS_ONCE(pipe_user_pages_soft);
+
+ return soft_limit && user_bufs > soft_limit;
}
static bool too_many_pipe_buffers_hard(unsigned long user_bufs)
{
- return pipe_user_pages_hard && user_bufs > pipe_user_pages_hard;
+ unsigned long hard_limit = ACCESS_ONCE(pipe_user_pages_hard);
+
+ return hard_limit && user_bufs > hard_limit;
}
static bool is_unprivileged_user(void)
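Review bot: the local copies in too_many_pipe_buffers_soft() and too_many_pipe_buffers_hard() look redundant to anyone reading the code without the commit message in hand. A brief comment that the limit is snapshotted because the sysctl handler can change it concurrently would stop someone from folding them back into the one-line form.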
@@ -612,13 +616,14 @@ struct pipe_inode_info *alloc_pipe_info(
unsigned long pipe_bufs = PIPE_DEF_BUFFERS;
struct user_struct *user = get_current_user();
unsigned long user_bufs;
+ unsigned int max_size = ACCESS_ONCE(pipe_max_size);
pipe = kzalloc(sizeof(struct pipe_inode_info), GFP_KERNEL);
if (pipe == NULL)
goto out_free_uid;
- if (pipe_bufs * PAGE_SIZE > pipe_max_size && !capable(CAP_SYS_RESOURCE))
- pipe_bufs = pipe_max_size >> PAGE_SHIFT;
+ if (pipe_bufs * PAGE_SIZE > max_size && !capable(CAP_SYS_RESOURCE))
+ pipe_bufs = max_size >> PAGE_SHIFT;
user_bufs = account_pipe_buffers(user, 0, pipe_bufs);
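Review bot: `max_size` is declared `unsigned int` while the other snapshots in this patch are `unsigned long`; please confirm it matches the declared type of pipe_max_size in 3.16, so the ACCESS_ONCE() copy neither truncates nor changes the comparison with `pipe_bufs * PAGE_SIZE`.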
* [PATCH 3.16 275/410] x86/oprofile: Fix bogus GCC-8 warning in nmi_setup()
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Ingo Molnar, Jessica Yu, Robert Richter, Kees Cook,
oprofile-list, Peter Zijlstra, Arnd Bergmann, Martin Sebor,
stable, Linus Torvalds, Thomas Gleixner
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
commit 85c615eb52222bc5fab6c7190d146bc59fac289e upstream.
GCC-8 shows a warning for the x86 oprofile code that copies per-CPU
data from CPU 0 to all other CPUs, which when building a non-SMP
kernel turns into a memcpy() with identical source and destination
pointers:
arch/x86/oprofile/nmi_int.c: In function 'mux_clone':
arch/x86/oprofile/nmi_int.c:285:2: error: 'memcpy' source argument is the same as destination [-Werror=restrict]
memcpy(per_cpu(cpu_msrs, cpu).multiplex,
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
per_cpu(cpu_msrs, 0).multiplex,
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
sizeof(struct op_msr) * model->num_virt_counters);
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
arch/x86/oprofile/nmi_int.c: In function 'nmi_setup':
arch/x86/oprofile/nmi_int.c:466:3: error: 'memcpy' source argument is the same as destination [-Werror=restrict]
arch/x86/oprofile/nmi_int.c:470:3: error: 'memcpy' source argument is the same as destination [-Werror=restrict]
I have analyzed a number of such warnings now: some are valid and the
GCC warning is welcome. Others turned out to be false-positives, and
GCC was changed to not warn about those any more. This is a corner case
that is a false-positive but the GCC developers feel it's better to keep
warning about it.
In this case, it seems best to work around it by telling GCC
a little more clearly that this code path is never hit with
an IS_ENABLED() configuration check.
Cc:stable as we also want old kernels to build cleanly with GCC-8.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Cc: Jessica Yu <jeyu@kernel.org>
Cc: Kees Cook <keescook@chromium.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Martin Sebor <msebor@gcc.gnu.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Robert Richter <rric@kernel.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: oprofile-list@lists.sf.net
Link: http://lkml.kernel.org/r/20180220205826.2008875-1-arnd@arndb.de
Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=84095
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/x86/oprofile/nmi_int.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/x86/oprofile/nmi_int.c
+++ b/arch/x86/oprofile/nmi_int.c
@@ -471,7 +471,7 @@ static int nmi_setup(void)
goto fail;
for_each_possible_cpu(cpu) {
- if (!cpu)
+ if (!IS_ENABLED(CONFIG_SMP) || !cpu)
continue;
memcpy(per_cpu(cpu_msrs, cpu).counters,
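Review bot: `!IS_ENABLED(CONFIG_SMP) ||` in the loop's skip condition is logically redundant with `!cpu` on a uniprocessor build and exists only to placate GCC-8's -Wrestrict. Without a comment pointing at that (the GCC bug link from the commit message would do), it is a likely target for a later "simplification". The commit message also quotes the same warning in mux_clone(), which this diff does not touch; is that one handled elsewhere?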
* [PATCH 3.16 405/410] net/mlx4_en: do not ignore autoneg in mlx4_en_set_pauseparam()
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Ivan Vecera, David S. Miller, Amir Vadai
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Ivan Vecera <ivecera@redhat.com>
commit 278d436a476f69fc95d5c82bf61b6c2d02f4d44e upstream.
The driver does not support pause autonegotiation so it should return
-EINVAL when the function is called with non-zero autoneg.
Cc: Amir Vadai <amirv@mellanox.com>
Signed-off-by: Ivan Vecera <ivecera@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/net/ethernet/mellanox/mlx4/en_ethtool.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c
+++ b/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c
@@ -476,6 +476,9 @@ static int mlx4_en_set_pauseparam(struct
struct mlx4_en_dev *mdev = priv->mdev;
int err;
+ if (pause->autoneg)
+ return -EINVAL;
+
priv->prof->tx_pause = pause->tx_pause != 0;
priv->prof->rx_pause = pause->rx_pause != 0;
err = mlx4_SET_PORT_general(mdev->dev, priv->port,
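Review bot: rejecting `pause->autoneg` before tx_pause/rx_pause are written is the right place for the check, but it is a userspace-visible change for a stable tree: a request with autoneg set that used to be accepted (with autoneg silently ignored) now fails with -EINVAL. The commit message should say so, so that anyone whose configuration scripts start failing after the update can find the cause.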
* [PATCH 3.16 383/410] RDMA/ucma: Ensure that CM_ID exists prior to access it
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Leon Romanovsky, Jason Gunthorpe, syzbot+36712f50b0552615bf59
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Leon Romanovsky <leonro@mellanox.com>
commit e8980d67d6017c8eee8f9c35f782c4bd68e004c9 upstream.
Prior to accessing UCMA commands, the context should be initialized
and connected to CM_ID with ucma_create_id(). In case the user skips
this step, he can provide a non-valid ctx without CM_ID and cause
multiple NULL dereferences.
Also there are situations where the create_id can be raced with
other user access; ensure that the context is only shared with
other threads once it is fully initialized to avoid the races.
[ 109.088108] BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
[ 109.090315] IP: ucma_connect+0x138/0x1d0
[ 109.092595] PGD 80000001dc02d067 P4D 80000001dc02d067 PUD 1da9ef067 PMD 0
[ 109.095384] Oops: 0000 [#1] SMP KASAN PTI
[ 109.097834] CPU: 0 PID: 663 Comm: uclose Tainted: G B 4.16.0-rc1-00062-g2975d5de6428 #45
[ 109.100816] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.0-0-g63451fca13-prebuilt.qemu-project.org 04/01/2014
[ 109.105943] RIP: 0010:ucma_connect+0x138/0x1d0
[ 109.108850] RSP: 0018:ffff8801c8567a80 EFLAGS: 00010246
[ 109.111484] RAX: 0000000000000000 RBX: 1ffff100390acf50 RCX: ffffffff9d7812e2
[ 109.114496] RDX: 1ffffffff3f507a5 RSI: 0000000000000297 RDI: 0000000000000297
[ 109.117490] RBP: ffff8801daa15600 R08: 0000000000000000 R09: ffffed00390aceeb
[ 109.120429] R10: 0000000000000001 R11: ffffed00390aceea R12: 0000000000000000
[ 109.123318] R13: 0000000000000120 R14: ffff8801de6459c0 R15: 0000000000000118
[ 109.126221] FS: 00007fabb68d6700(0000) GS:ffff8801e5c00000(0000) knlGS:0000000000000000
[ 109.129468] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 109.132523] CR2: 0000000000000020 CR3: 00000001d45d8003 CR4: 00000000003606b0
[ 109.135573] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 109.138716] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 109.142057] Call Trace:
[ 109.144160] ? ucma_listen+0x110/0x110
[ 109.146386] ? wake_up_q+0x59/0x90
[ 109.148853] ? futex_wake+0x10b/0x2a0
[ 109.151297] ? save_stack+0x89/0xb0
[ 109.153489] ? _copy_from_user+0x5e/0x90
[ 109.155500] ucma_write+0x174/0x1f0
[ 109.157933] ? ucma_resolve_route+0xf0/0xf0
[ 109.160389] ? __mod_node_page_state+0x1d/0x80
[ 109.162706] __vfs_write+0xc4/0x350
[ 109.164911] ? kernel_read+0xa0/0xa0
[ 109.167121] ? path_openat+0x1b10/0x1b10
[ 109.169355] ? fsnotify+0x899/0x8f0
[ 109.171567] ? fsnotify_unmount_inodes+0x170/0x170
[ 109.174145] ? __fget+0xa8/0xf0
[ 109.177110] vfs_write+0xf7/0x280
[ 109.179532] SyS_write+0xa1/0x120
[ 109.181885] ? SyS_read+0x120/0x120
[ 109.184482] ? compat_start_thread+0x60/0x60
[ 109.187124] ? SyS_read+0x120/0x120
[ 109.189548] do_syscall_64+0xeb/0x250
[ 109.192178] entry_SYSCALL_64_after_hwframe+0x21/0x86
[ 109.194725] RIP: 0033:0x7fabb61ebe99
[ 109.197040] RSP: 002b:00007fabb68d5e98 EFLAGS: 00000202 ORIG_RAX: 0000000000000001
[ 109.200294] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fabb61ebe99
[ 109.203399] RDX: 0000000000000120 RSI: 00000000200001c0 RDI: 0000000000000004
[ 109.206548] RBP: 00007fabb68d5ec0 R08: 0000000000000000 R09: 0000000000000000
[ 109.209902] R10: 0000000000000000 R11: 0000000000000202 R12: 00007fabb68d5fc0
[ 109.213327] R13: 0000000000000000 R14: 00007fff40ab2430 R15: 00007fabb68d69c0
[ 109.216613] Code: 88 44 24 2c 0f b6 84 24 6e 01 00 00 88 44 24 2d 0f
b6 84 24 69 01 00 00 88 44 24 2e 8b 44 24 60 89 44 24 30 e8 da f6 06 ff
31 c0 <66> 41 83 7c 24 20 1b 75 04 8b 44 24 64 48 8d 74 24 20 4c 89 e7
[ 109.223602] RIP: ucma_connect+0x138/0x1d0 RSP: ffff8801c8567a80
[ 109.226256] CR2: 0000000000000020
Fixes: 75216638572f ("RDMA/cma: Export rdma cm interface to userspace")
Reported-by: <syzbot+36712f50b0552615bf59@syzkaller.appspotmail.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/infiniband/core/ucma.c | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
--- a/drivers/infiniband/core/ucma.c
+++ b/drivers/infiniband/core/ucma.c
@@ -121,7 +121,7 @@ static inline struct ucma_context *_ucma
ctx = idr_find(&ctx_idr, id);
if (!ctx)
ctx = ERR_PTR(-ENOENT);
- else if (ctx->file != file)
+ else if (ctx->file != file || !ctx->cm_id)
ctx = ERR_PTR(-EINVAL);
return ctx;
}
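Review bot: the new `!ctx->cm_id` test in _ucma_find_context() reads a field that ucma_create_id() now writes with a plain store while the context is already reachable through ctx_idr. Please state which lock or ordering guarantees that a thread seeing a non-NULL cm_id also sees a fully set-up context; if it is `mut`, say so in a comment here.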
@@ -371,6 +371,7 @@ static ssize_t ucma_create_id(struct ucm
struct rdma_ucm_create_id cmd;
struct rdma_ucm_create_id_resp resp;
struct ucma_context *ctx;
+ struct rdma_cm_id *cm_id;
enum ib_qp_type qp_type;
int ret;
@@ -391,9 +392,9 @@ static ssize_t ucma_create_id(struct ucm
return -ENOMEM;
ctx->uid = cmd.uid;
- ctx->cm_id = rdma_create_id(ucma_event_handler, ctx, cmd.ps, qp_type);
- if (IS_ERR(ctx->cm_id)) {
- ret = PTR_ERR(ctx->cm_id);
+ cm_id = rdma_create_id(ucma_event_handler, ctx, cmd.ps, qp_type);
+ if (IS_ERR(cm_id)) {
+ ret = PTR_ERR(cm_id);
goto err1;
}
@@ -403,10 +404,12 @@ static ssize_t ucma_create_id(struct ucm
ret = -EFAULT;
goto err2;
}
+
+ ctx->cm_id = cm_id;
return 0;
err2:
- rdma_destroy_id(ctx->cm_id);
+ rdma_destroy_id(cm_id);
err1:
mutex_lock(&mut);
idr_remove(&ctx_idr, ctx->id);
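Review bot: `ctx->cm_id = cm_id;` is placed after the last failure path (`ret = -EFAULT; goto err2;`), so a command issued against this context in that window gets -EINVAL from the lookup. That looks intended, but rdma_create_id() was given `ctx` for ucma_event_handler in the previous hunk, so it is worth confirming the handler cannot run and dereference ctx->cm_id while it is still NULL.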
* [PATCH 3.16 023/410] fbdev: Fixing arbitrary kernel leak in case FBIOGETCMAP_SPARC in sbusfb_ioctl_helper().
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Peter Malone, Mathieu Malaterre, Bartlomiej Zolnierkiewicz
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Peter Malone <peter.malone@gmail.com>
commit 250c6c49e3b68756b14983c076183568636e2bde upstream.
Fixing arbitrary kernel leak in case FBIOGETCMAP_SPARC in
sbusfb_ioctl_helper().
'index' is defined as an int in sbusfb_ioctl_helper().
We retrieve this from the user:
if (get_user(index, &c->index) ||
__get_user(count, &c->count) ||
__get_user(ured, &c->red) ||
__get_user(ugreen, &c->green) ||
__get_user(ublue, &c->blue))
return -EFAULT;
and then we use 'index' in the following way:
red = cmap->red[index + i] >> 8;
green = cmap->green[index + i] >> 8;
blue = cmap->blue[index + i] >> 8;
This is a classic information leak vulnerability. 'index' should be
an unsigned int, given its usage above.
This patch is straight-forward; it changes 'index' to unsigned int
in two switch-cases: FBIOGETCMAP_SPARC && FBIOPUTCMAP_SPARC.
This patch fixes CVE-2018-6412.
Signed-off-by: Peter Malone <peter.malone@gmail.com>
Acked-by: Mathieu Malaterre <malat@debian.org>
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/video/fbdev/sbuslib.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/video/fbdev/sbuslib.c
+++ b/drivers/video/fbdev/sbuslib.c
@@ -121,7 +121,7 @@ int sbusfb_ioctl_helper(unsigned long cm
unsigned char __user *ured;
unsigned char __user *ugreen;
unsigned char __user *ublue;
- int index, count, i;
+ unsigned int index, count, i;
if (get_user(index, &c->index) ||
__get_user(count, &c->count) ||
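Review bot: `count` and `i` change to unsigned together with `index`, but the commit message only argues for `index`. Please confirm that no comparison or loop in this case relied on `count` being signed, for example a `count < 0` rejection that now becomes dead code.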
@@ -160,7 +160,7 @@ int sbusfb_ioctl_helper(unsigned long cm
unsigned char __user *ugreen;
unsigned char __user *ublue;
struct fb_cmap *cmap = &info->cmap;
- int index, count, i;
+ unsigned int index, count, i;
u8 red, green, blue;
if (get_user(index, &c->index) ||
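Review bot: making `index` unsigned rules out negative offsets, but nothing in the visible lines bounds it from above: `cmap->red[index + i]` (quoted in the commit message) can still run past the colour map for a large `index`, and `index + i` can wrap. A check of `index` and `count` against the length of `info->cmap` before the loop is what actually closes the read; please confirm it exists in this function or add it.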
* [PATCH 3.16 363/410] drm/radeon: Don't turn off DP sink when disconnected
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Michel Dänzer, Alex Deucher
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Michel Dänzer <michel.daenzer@amd.com>
commit 2681bc79eeb640562c932007bfebbbdc55bf6a7d upstream.
Turning off the sink in this case causes various issues, because
userspace expects it to stay on until it turns it off explicitly.
Instead, turn the sink off and back on when a display is connected
again. This dance seems necessary for link training to work correctly.
Bugzilla: https://bugs.freedesktop.org/105308
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Michel Dänzer <michel.daenzer@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/gpu/drm/radeon/radeon_connectors.c | 31 +++++++++-------------
1 file changed, 12 insertions(+), 19 deletions(-)
--- a/drivers/gpu/drm/radeon/radeon_connectors.c
+++ b/drivers/gpu/drm/radeon/radeon_connectors.c
@@ -66,25 +66,18 @@ void radeon_connector_hotplug(struct drm
/* don't do anything if sink is not display port, i.e.,
* passive dp->(dvi|hdmi) adaptor
*/
- if (dig_connector->dp_sink_type == CONNECTOR_OBJECT_ID_DISPLAYPORT) {
- int saved_dpms = connector->dpms;
- /* Only turn off the display if it's physically disconnected */
- if (!radeon_hpd_sense(rdev, radeon_connector->hpd.hpd)) {
- drm_helper_connector_dpms(connector, DRM_MODE_DPMS_OFF);
- } else if (radeon_dp_needs_link_train(radeon_connector)) {
- /* Don't try to start link training before we
- * have the dpcd */
- if (!radeon_dp_getdpcd(radeon_connector))
- return;
+ if (dig_connector->dp_sink_type == CONNECTOR_OBJECT_ID_DISPLAYPORT &&
+ radeon_hpd_sense(rdev, radeon_connector->hpd.hpd) &&
+ radeon_dp_needs_link_train(radeon_connector)) {
+ /* Don't start link training before we have the DPCD */
+ if (!radeon_dp_getdpcd(radeon_connector))
+ return;
- /* set it to OFF so that drm_helper_connector_dpms()
- * won't return immediately since the current state
- * is ON at this point.
- */
- connector->dpms = DRM_MODE_DPMS_OFF;
- drm_helper_connector_dpms(connector, DRM_MODE_DPMS_ON);
- }
- connector->dpms = saved_dpms;
+ /* Turn the connector off and back on immediately, which
+ * will trigger link training
+ */
+ drm_helper_connector_dpms(connector, DRM_MODE_DPMS_OFF);
+ drm_helper_connector_dpms(connector, DRM_MODE_DPMS_ON);
}
}
}
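Review bot: With `saved_dpms` gone, the unconditional OFF then ON pair at the end of the new block leaves `connector->dpms` at ON whatever it was before the hotplug event. The removed comment says `drm_helper_connector_dpms()` returns immediately when the requested state matches the current one, so for a connector that userspace had already switched off, the OFF call is a no-op and the ON call powers it up. If that is not intended, guard the pair on `connector->dpms == DRM_MODE_DPMS_ON`, or say in the new comment that forcing ON is deliberate.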
* [PATCH 3.16 206/410] pipe: cap initial pipe capacity according to pipe-max-size limit
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Linus Torvalds, Michael Kerrisk (man-pages),
Vegard Nossum, Tetsuo Handa, Jens Axboe, Willy Tarreau, Al Viro,
socketpair
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com>
commit 086e774a57fba4695f14383c0818994c0b31da7c upstream.
This is a patch that provides behavior that is more consistent, and
probably less surprising to users. I consider the change optional, and
welcome opinions about whether it should be applied.
By default, pipes are created with a capacity of 64 kiB. However,
/proc/sys/fs/pipe-max-size may be set smaller than this value. In this
scenario, an unprivileged user could thus create a pipe whose initial
capacity exceeds the limit. Therefore, it seems logical to cap the
initial pipe capacity according to the value of pipe-max-size.
The test program shown earlier in this patch series can be used to
demonstrate the effect of the change brought about with this patch:
# cat /proc/sys/fs/pipe-max-size
1048576
# sudo -u mtk ./test_F_SETPIPE_SZ 1
Initial pipe capacity: 65536
# echo 10000 > /proc/sys/fs/pipe-max-size
# cat /proc/sys/fs/pipe-max-size
16384
# sudo -u mtk ./test_F_SETPIPE_SZ 1
Initial pipe capacity: 16384
# ./test_F_SETPIPE_SZ 1
Initial pipe capacity: 65536
The last two executions of 'test_F_SETPIPE_SZ' show that pipe-max-size
caps the initial allocation for a new pipe for unprivileged users, but
not for privileged users.
Link: http://lkml.kernel.org/r/31dc7064-2a17-9c5b-1df1-4e3012ee992c@gmail.com
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
Reviewed-by: Vegard Nossum <vegard.nossum@oracle.com>
Cc: Willy Tarreau <w@1wt.eu>
Cc: <socketpair@gmail.com>
Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Cc: Jens Axboe <axboe@fb.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/pipe.c | 3 +++
1 file changed, 3 insertions(+)
--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -617,6 +617,9 @@ struct pipe_inode_info *alloc_pipe_info(
if (pipe == NULL)
goto out_free_uid;
+ if (pipe_bufs * PAGE_SIZE > pipe_max_size && !capable(CAP_SYS_RESOURCE))
+ pipe_bufs = pipe_max_size >> PAGE_SHIFT;
+
user_bufs = account_pipe_buffers(user, 0, pipe_bufs);
if (too_many_pipe_buffers_soft(user_bufs)) {
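Review bot: `pipe_bufs = pipe_max_size >> PAGE_SHIFT` yields 0 if `pipe_max_size` can ever be smaller than one page, and nothing in this hunk rules that out. The commit message shows the sysctl rounding 10000 up to 16384, so a lower bound probably exists in the handler, but a one-line comment stating that invariant (or clamping the result to at least 1) would make the dependency explicit.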
* [PATCH 3.16 204/410] pipe: fix limit checking in alloc_pipe_info()
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, socketpair, Al Viro, Willy Tarreau, Jens Axboe,
Vegard Nossum, Tetsuo Handa, Michael Kerrisk (man-pages),
Linus Torvalds
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com>
commit a005ca0e6813e1d796a7422a7e31d8b8d6555df1 upstream.
The limit checking in alloc_pipe_info() (used by pipe(2) and when
opening a FIFO) has the following problems:
(1) When checking capacity required for the new pipe, the checks against
the limit in /proc/sys/fs/pipe-user-pages-{soft,hard} are made
against existing consumption, and exclude the memory required for
the new pipe capacity. As a consequence: (1) the memory allocation
throttling provided by the soft limit does not kick in quite as
early as it should, and (2) the user can overrun the hard limit.
(2) As currently implemented, accounting and checking against the limits
is done as follows:
(a) Test whether the user has exceeded the limit.
(b) Make new pipe buffer allocation.
(c) Account new allocation against the limits.
This is racey. Multiple processes may pass point (a) simultaneously,
and then allocate pipe buffers that are accounted for only in step
(c). The race means that the user's pipe buffer allocation could be
pushed over the limit (by an arbitrary amount, depending on how
unlucky we were in the race). [Thanks to Vegard Nossum for spotting
this point, which I had missed.]
This patch addresses the above problems as follows:
* Alter the checks against limits to include the memory required for the
new pipe.
* Re-order the accounting step so that it precedes the buffer allocation.
If the accounting step determines that a limit has been reached, revert
the accounting and cause the operation to fail.
Link: http://lkml.kernel.org/r/8ff3e9f9-23f6-510c-644f-8e70cd1c0bd9@gmail.com
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
Reviewed-by: Vegard Nossum <vegard.nossum@oracle.com>
Cc: Willy Tarreau <w@1wt.eu>
Cc: <socketpair@gmail.com>
Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Cc: Jens Axboe <axboe@fb.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[bwh: Backported to 3.16: Don't use GFP_KERNEL_ACCOUNT]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/pipe.c | 20 +++++++++++++-------
1 file changed, 13 insertions(+), 7 deletions(-)
--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -618,24 +618,30 @@ struct pipe_inode_info *alloc_pipe_info(
if (pipe == NULL)
goto out_free_uid;
- if (!too_many_pipe_buffers_hard(user)) {
- if (too_many_pipe_buffers_soft(user))
- pipe_bufs = 1;
- pipe->bufs = kcalloc(pipe_bufs,
- sizeof(struct pipe_buffer),
- GFP_KERNEL);
+ account_pipe_buffers(user, 0, pipe_bufs);
+
+ if (too_many_pipe_buffers_soft(user)) {
+ account_pipe_buffers(user, pipe_bufs, 1);
+ pipe_bufs = 1;
}
+ if (too_many_pipe_buffers_hard(user))
+ goto out_revert_acct;
+
+ pipe->bufs = kcalloc(pipe_bufs, sizeof(struct pipe_buffer),
+ GFP_KERNEL);
+
if (pipe->bufs) {
init_waitqueue_head(&pipe->wait);
pipe->r_counter = pipe->w_counter = 1;
pipe->buffers = pipe_bufs;
pipe->user = user;
- account_pipe_buffers(user, 0, pipe_bufs);
mutex_init(&pipe->mutex);
return pipe;
}
+out_revert_acct:
+ account_pipe_buffers(user, pipe_bufs, 0);
kfree(pipe);
out_free_uid:
free_uid(user);
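Review bot: After `account_pipe_buffers(user, 0, pipe_bufs)` the soft and hard checks re-read the counter through `too_many_pipe_buffers_soft(user)` and `too_many_pipe_buffers_hard(user)`, so the value tested can already include charges that concurrent callers made after this one. That errs on the safe side (no overrun), but it can downsize or fail a request that was within the limit when it was charged. Having `account_pipe_buffers()` return the new total and testing that value would tie each decision to the caller's own charge.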
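The ordering problem described in the commit message above, reproduced in user space as an added example (not kernel code and not part of the patch). `struct user_acct`, `account()`, both allocator functions and the limit values are hypothetical, and a total greater than a limit is treated as over it.

```c
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for the kernel's per-user accounting state. */
struct user_acct {
    atomic_ulong pipe_bufs;           /* buffers currently charged to the user */
};

/* Constructed limits; a total greater than a limit counts as over it. */
static const unsigned long soft_limit = 8;
static const unsigned long hard_limit = 12;

/* Replace a charge of `from` buffers with `to`; return the new total. */
static unsigned long account(struct user_acct *u, unsigned long from,
                             unsigned long to)
{
    unsigned long delta = to - from;  /* wraps for to < from: a subtraction */

    return atomic_fetch_add(&u->pipe_bufs, delta) + delta;
}

/* Old order: (a) test existing usage, (b) allocate, (c) account. */
static void *alloc_check_first(struct user_acct *u, unsigned long want)
{
    void *bufs;

    if (atomic_load(&u->pipe_bufs) > hard_limit)  /* ignores `want` */
        return NULL;
    bufs = calloc(want, 64);
    if (bufs)
        account(u, 0, want);
    return bufs;
}

/* New order: account, test the total including the request, revert on failure. */
static void *alloc_reserve_first(struct user_acct *u, unsigned long want,
                                 unsigned long *granted)
{
    void *bufs = NULL;
    unsigned long total = account(u, 0, want);

    if (total > soft_limit) {         /* throttle: shrink the request to 1 */
        total = account(u, want, 1);
        want = 1;
    }
    if (total > hard_limit)
        goto revert;

    bufs = calloc(want, 64);
    if (bufs) {
        *granted = want;
        return bufs;
    }
revert:
    account(u, want, 0);              /* give the charge back */
    return NULL;
}

int main(void)
{
    struct user_acct u;
    unsigned long granted = 0;
    void *p;

    atomic_init(&u.pipe_bufs, 11);    /* user already holds 11 buffers */
    p = alloc_check_first(&u, 16);
    printf("check-first:   %s, charged %lu (hard limit %lu)\n",
           p ? "granted" : "refused", atomic_load(&u.pipe_bufs), hard_limit);
    free(p);

    atomic_init(&u.pipe_bufs, 11);
    p = alloc_reserve_first(&u, 16, &granted);
    printf("reserve-first: %s %lu buffer(s), charged %lu\n",
           p ? "granted" : "refused", granted, atomic_load(&u.pipe_bufs));
    free(p);
    return 0;
}
```

Because the charge is made before the test, a second caller arriving concurrently sees the first caller's reservation, which is what closes the window between steps (a) and (c).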
* [PATCH 3.16 107/410] ahci: Remove Device ID for Intel Sunrise Point PCH
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Tejun Heo, James Ralston
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: James Ralston <james.d.ralston@intel.com>
commit 46319e13581a6c442b0a0e5a3bd5d9af4496f252 upstream.
This patch removes a duplicate AHCI-mode SATA Device ID for the Intel Sunrise Point PCH.
Signed-off-by: James Ralston <james.d.ralston@intel.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/ata/ahci.c | 1 -
1 file changed, 1 deletion(-)
--- a/drivers/ata/ahci.c
+++ b/drivers/ata/ahci.c
@@ -359,7 +359,6 @@ static const struct pci_device_id ahci_p
{ PCI_VDEVICE(INTEL, 0x9d05), board_ahci }, /* Sunrise Point-LP RAID */
{ PCI_VDEVICE(INTEL, 0x9d07), board_ahci }, /* Sunrise Point-LP RAID */
{ PCI_VDEVICE(INTEL, 0xa103), board_ahci }, /* Sunrise Point-H AHCI */
- { PCI_VDEVICE(INTEL, 0xa103), board_ahci }, /* Sunrise Point-H RAID */
{ PCI_VDEVICE(INTEL, 0xa105), board_ahci }, /* Sunrise Point-H RAID */
{ PCI_VDEVICE(INTEL, 0xa107), board_ahci }, /* Sunrise Point-H RAID */
{ PCI_VDEVICE(INTEL, 0xa10f), board_ahci }, /* Sunrise Point-H RAID */
* [PATCH 3.16 169/410] jffs2: Fix use-after-free bug in jffs2_iget()'s error handling path
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Al Viro, Richard Weinberger, Jake Daryll Obina
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jake Daryll Obina <jake.obina@gmail.com>
commit 5bdd0c6f89fba430e18d636493398389dadc3b17 upstream.
If jffs2_iget() fails for a newly-allocated inode, jffs2_do_clear_inode()
can get called twice in the error handling path, the first call in
jffs2_iget() itself and the second through iget_failed(). This can result
in a use-after-free error in the second jffs2_do_clear_inode() call, such
as shown by the oops below wherein the second jffs2_do_clear_inode() call
was trying to free node fragments that were already freed in the first
jffs2_do_clear_inode() call.
[ 78.178860] jffs2: error: (1904) jffs2_do_read_inode_internal: CRC failed for read_inode of inode 24 at physical location 0x1fc00c
[ 78.178914] Unable to handle kernel paging request at virtual address 6b6b6b6b6b6b6b7b
[ 78.185871] pgd = ffffffc03a567000
[ 78.188794] [6b6b6b6b6b6b6b7b] *pgd=0000000000000000, *pud=0000000000000000
[ 78.194968] Internal error: Oops: 96000004 [#1] PREEMPT SMP
...
[ 78.513147] PC is at rb_first_postorder+0xc/0x28
[ 78.516503] LR is at jffs2_kill_fragtree+0x28/0x90 [jffs2]
[ 78.520672] pc : [<ffffff8008323d28>] lr : [<ffffff8000eb1cc8>] pstate: 60000105
[ 78.526757] sp : ffffff800cea38f0
[ 78.528753] x29: ffffff800cea38f0 x28: ffffffc01f3f8e80
[ 78.532754] x27: 0000000000000000 x26: ffffff800cea3c70
[ 78.536756] x25: 00000000dc67c8ae x24: ffffffc033d6945d
[ 78.540759] x23: ffffffc036811740 x22: ffffff800891a5b8
[ 78.544760] x21: 0000000000000000 x20: 0000000000000000
[ 78.548762] x19: ffffffc037d48910 x18: ffffff800891a588
[ 78.552764] x17: 0000000000000800 x16: 0000000000000c00
[ 78.556766] x15: 0000000000000010 x14: 6f2065646f6e695f
[ 78.560767] x13: 6461657220726f66 x12: 2064656c69616620
[ 78.564769] x11: 435243203a6c616e x10: 7265746e695f6564
[ 78.568771] x9 : 6f6e695f64616572 x8 : ffffffc037974038
[ 78.572774] x7 : bbbbbbbbbbbbbbbb x6 : 0000000000000008
[ 78.576775] x5 : 002f91d85bd44a2f x4 : 0000000000000000
[ 78.580777] x3 : 0000000000000000 x2 : 000000403755e000
[ 78.584779] x1 : 6b6b6b6b6b6b6b6b x0 : 6b6b6b6b6b6b6b6b
...
[ 79.038551] [<ffffff8008323d28>] rb_first_postorder+0xc/0x28
[ 79.042962] [<ffffff8000eb5578>] jffs2_do_clear_inode+0x88/0x100 [jffs2]
[ 79.048395] [<ffffff8000eb9ddc>] jffs2_evict_inode+0x3c/0x48 [jffs2]
[ 79.053443] [<ffffff8008201ca8>] evict+0xb0/0x168
[ 79.056835] [<ffffff8008202650>] iput+0x1c0/0x200
[ 79.060228] [<ffffff800820408c>] iget_failed+0x30/0x3c
[ 79.064097] [<ffffff8000eba0c0>] jffs2_iget+0x2d8/0x360 [jffs2]
[ 79.068740] [<ffffff8000eb0a60>] jffs2_lookup+0xe8/0x130 [jffs2]
[ 79.073434] [<ffffff80081f1a28>] lookup_slow+0x118/0x190
[ 79.077435] [<ffffff80081f4708>] walk_component+0xfc/0x28c
[ 79.081610] [<ffffff80081f4dd0>] path_lookupat+0x84/0x108
[ 79.085699] [<ffffff80081f5578>] filename_lookup+0x88/0x100
[ 79.089960] [<ffffff80081f572c>] user_path_at_empty+0x58/0x6c
[ 79.094396] [<ffffff80081ebe14>] vfs_statx+0xa4/0x114
[ 79.098138] [<ffffff80081ec44c>] SyS_newfstatat+0x58/0x98
[ 79.102227] [<ffffff800808354c>] __sys_trace_return+0x0/0x4
[ 79.106489] Code: d65f03c0 f9400001 b40000e1 aa0103e0 (f9400821)
The jffs2_do_clear_inode() call in jffs2_iget() is unnecessary since
iget_failed() will eventually call jffs2_do_clear_inode() if needed, so
just remove it.
Fixes: 5451f79f5f81 ("iget: stop JFFS2 from using iget() and read_inode()")
Reviewed-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Jake Daryll Obina <jake.obina@gmail.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/jffs2/fs.c | 1 -
1 file changed, 1 deletion(-)
--- a/fs/jffs2/fs.c
+++ b/fs/jffs2/fs.c
@@ -363,7 +363,6 @@ error_io:
ret = -EIO;
error:
mutex_unlock(&f->sem);
- jffs2_do_clear_inode(c, f);
iget_failed(inode);
return ERR_PTR(ret);
}
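Review bot: The `error:` path now relies entirely on `iget_failed()` reaching `jffs2_do_clear_inode()` through eviction, as the call trace in the commit message shows (`iget_failed` -> `iput` -> `evict` -> `jffs2_evict_inode`). Nothing at the label records that, so a short comment above `iget_failed(inode)` stating that it owns the cleanup would keep the explicit call from being added back later.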
* [PATCH 3.16 151/410] CDC-ACM: apply quirk for card reader
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Greg Kroah-Hartman, Oliver Neukum
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Oliver Neukum <oneukum@suse.com>
commit df1cc78a52491f71d8170d513d0f6f114faa1bda upstream.
This device drops random bytes from messages if you talk to it
too fast.
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/class/cdc-acm.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -1708,6 +1708,9 @@ static const struct usb_device_id acm_id
{ USB_DEVICE(0x0ace, 0x1611), /* ZyDAS 56K USB MODEM - new version */
.driver_info = SINGLE_RX_URB, /* firmware bug */
},
+ { USB_DEVICE(0x11ca, 0x0201), /* VeriFone Mx870 Gadget Serial */
+ .driver_info = SINGLE_RX_URB,
+ },
{ USB_DEVICE(0x22b8, 0x7000), /* Motorola Q Phone */
.driver_info = NO_UNION_NORMAL, /* has no union descriptor */
},
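Review bot: The new `USB_DEVICE(0x11ca, 0x0201)` entry sets `.driver_info = SINGLE_RX_URB` with no reason given, while the ZyDAS entry directly above annotates the same quirk with `/* firmware bug */`. The commit message has the reason (the device drops bytes when driven too fast); putting a few words of it in a trailing comment keeps the table self-explanatory.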
* [PATCH 3.16 138/410] dm thin: fix documentation relative to low water mark threshold
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, mulhern, Mike Snitzer
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: mulhern <amulhern@redhat.com>
commit 9b28a1102efc75d81298198166ead87d643a29ce upstream.
Fixes:
1. The use of "exceeds" when the opposite of exceeds, falls below,
was meant.
2. Properly speaking, a table can not exceed a threshold.
It emphasizes the important point, which is that it is the userspace
daemon's responsibility to check for low free space when a device
is resumed, since it won't get a special event indicating low free
space in that situation.
Signed-off-by: mulhern <amulhern@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
Documentation/device-mapper/thin-provisioning.txt | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
--- a/Documentation/device-mapper/thin-provisioning.txt
+++ b/Documentation/device-mapper/thin-provisioning.txt
@@ -112,9 +112,11 @@ $low_water_mark is expressed in blocks o
free space on the data device drops below this level then a dm event
will be triggered which a userspace daemon should catch allowing it to
extend the pool device. Only one such event will be sent.
-Resuming a device with a new table itself triggers an event so the
-userspace daemon can use this to detect a situation where a new table
-already exceeds the threshold.
+
+No special event is triggered if a just resumed device's free space is below
+the low water mark. However, resuming a device always triggers an
+event; a userspace daemon should verify that free space exceeds the low
+water mark when handling this event.
A low water mark for the metadata device is maintained in the kernel and
will trigger a dm event if free space on the metadata device drops below
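Review bot: The added paragraph asks the daemon to verify that free space "exceeds" the low water mark, but the preceding text fires the event when free space "drops below this level", so the case where free space equals the mark is described two different ways. Wording such as "is not below the low water mark" would match the trigger condition. "a just resumed device's free space" would also read more easily as "the free space of a device that has just been resumed".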
* [PATCH 3.16 178/410] drm/radeon: adjust tested variable
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Alex Deucher, Christian König, Julia Lawall
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Julia Lawall <Julia.Lawall@lip6.fr>
commit 3a61b527b4e1f285d21b6e9e623dc45cf8bb391f upstream.
Check the variable that was most recently initialized.
The semantic match that finds this problem is as follows:
(http://coccinelle.lip6.fr/)
// <smpl>
@@
expression x, y, f, g, e, m;
statement S1,S2,S3,S4;
@@
x = f(...);
if (\(<+...x...+>\&e\)) S1 else S2
(
x = g(...);
|
m = g(...,&x,...);
|
y = g(...);
*if (e)
S3 else S4
)
// </smpl>
Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/gpu/drm/radeon/radeon_uvd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/gpu/drm/radeon/radeon_uvd.c
+++ b/drivers/gpu/drm/radeon/radeon_uvd.c
@@ -950,7 +950,7 @@ int radeon_uvd_calc_upll_dividers(struct
/* calc dclk divider with current vco freq */
dclk_div = radeon_uvd_calc_upll_post_div(vco_freq, dclk,
pd_min, pd_even);
- if (vclk_div > pd_max)
+ if (dclk_div > pd_max)
break; /* vco is too big, it has to stop */
/* calc score with current vco freq */
* [PATCH 3.16 016/410] netfilter: ebtables: fix erroneous reject of last rule
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Florian Westphal, Pablo Neira Ayuso
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
commit 932909d9b28d27e807ff8eecb68c7748f6701628 upstream.
The last rule in the blob has next_entry offset that is same as total size.
This made "ebtables32 -A OUTPUT -d de:ad:be:ef:01:02" fail on 64 bit kernel.
Fixes: b71812168571fa ("netfilter: ebtables: CONFIG_COMPAT: don't trust userland offsets")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/bridge/netfilter/ebtables.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -2070,8 +2070,12 @@ static int size_entry_mwt(struct ebt_ent
* offsets are relative to beginning of struct ebt_entry (i.e., 0).
*/
for (i = 0; i < 4 ; ++i) {
- if (offsets[i] >= *total)
+ if (offsets[i] > *total)
return -EINVAL;
+
+ if (i < 3 && offsets[i] == *total)
+ return -EINVAL;
+
if (i == 0)
continue;
if (offsets[i-1] > offsets[i])
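Review bot: The new `i < 3 && offsets[i] == *total` test hard-codes which of the four offsets may equal `*total`, and the comment above the loop still only says the offsets are relative to the start of `struct ebt_entry`. Please add a line explaining that only the last offset (the next_entry offset named in the commit message) may legitimately equal the total size for the final rule, and consider replacing `3` with an expression derived from the array size so the two stay in step. Since this relaxes a bounds check on offsets that come from userland, the reason `==` is safe for the last slot is worth having next to the code.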
* [PATCH 3.16 309/410] xen: Add xen_arch_suspend()
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Boris Ostrovsky, David Vrabel
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Ben Hutchings <ben@decadent.org.uk>
This is based on commit 2b953a5e994ce279904ec70220f7d4f31d380a0a
upstream, "xen: Suspend ticks on all CPUs during suspend", but
excluding the bug fix in that commit which is not needed in 3.16.
We only need the xen_arch_suspend() hook for the following fix.
Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Cc: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/x86/xen/suspend.c
+++ b/arch/x86/xen/suspend.c
@@ -91,8 +91,17 @@ static void xen_vcpu_notify_restore(void
clockevents_notify(reason, NULL);
}
+static void xen_vcpu_notify_suspend(void *data)
+{
+}
+
void xen_arch_resume(void)
{
on_each_cpu(xen_vcpu_notify_restore,
(void *)CLOCK_EVT_NOTIFY_RESUME, 1);
}
+
+void xen_arch_suspend(void)
+{
+ on_each_cpu(xen_vcpu_notify_suspend, NULL, 1);
+}
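Review bot: `xen_vcpu_notify_suspend()` is added with an empty body, so `xen_arch_suspend()` makes a synchronous `on_each_cpu()` call to every CPU that does nothing. The commit message says the hook exists only for the following fix; a comment in the empty function saying so, or leaving the `on_each_cpu()` call out until that fix fills the body, would avoid the puzzling no-op.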
--- a/drivers/xen/manage.c
+++ b/drivers/xen/manage.c
@@ -131,6 +131,8 @@ static void do_suspend(void)
goto out_resume;
}
+ xen_arch_suspend();
+
si.cancelled = 1;
err = stop_machine(xen_suspend, &si, cpumask_of(0));
@@ -148,11 +150,12 @@ static void do_suspend(void)
si.cancelled = 1;
}
+ xen_arch_resume();
+
out_resume:
- if (!si.cancelled) {
- xen_arch_resume();
+ if (!si.cancelled)
xs_resume();
- } else
+ else
xs_suspend_cancel();
dpm_resume_end(si.cancelled ? PMSG_THAW : PMSG_RESTORE);
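Review bot: Moving `xen_arch_resume()` above `out_resume:` and outside the `!si.cancelled` test means it now also runs when the suspend was cancelled. Going by the context lines in `arch/x86/xen/suspend.c`, that sends `CLOCK_EVT_NOTIFY_RESUME` to every CPU on the cancel path, which the old code did not do. The commit message says the upstream bug fix is deliberately excluded, so please confirm this behaviour change is wanted in 3.16 and mention it in the message.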
--- a/include/xen/xen-ops.h
+++ b/include/xen/xen-ops.h
@@ -12,6 +12,7 @@ void xen_arch_post_suspend(int suspend_c
void xen_timer_resume(void);
void xen_arch_resume(void);
+void xen_arch_suspend(void);
void xen_resume_notifier_register(struct notifier_block *nb);
void xen_resume_notifier_unregister(struct notifier_block *nb);
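Review bot: `xen_arch_suspend()` is declared here in a shared header and called unconditionally from `drivers/xen/manage.c`, but the only definition in this patch is in `arch/x86/xen/suspend.c`. If any other architecture builds `manage.c` in 3.16, it needs its own (possibly empty) `xen_arch_suspend()` or the link fails. The patch also has no diffstat after the `---` line, unlike the others in the series.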
* [PATCH 3.16 221/410] netlink: avoid a double skb free in genlmsg_mcast()
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Nicolas Dichtel, David S. Miller, Ben Hutchings
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
commit 02a2385f37a7c6594c9d89b64c4a1451276f08eb upstream.
nlmsg_multicast() always consumes the skb, thus the original skb must be
freed only when this function is called with a clone.
Fixes: cb9f7a9a5c96 ("netlink: ensure to loop over all netns in genlmsg_multicast_allns()")
Reported-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/netlink/genetlink.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/netlink/genetlink.c
+++ b/net/netlink/genetlink.c
@@ -1067,7 +1067,7 @@ static int genlmsg_mcast(struct sk_buff
if (!err)
delivered = true;
else if (err != -ESRCH)
- goto error;
+ return err;
return delivered ? 0 : -ESRCH;
error:
kfree_skb(skb);
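Review bot: The `error:` label with `kfree_skb(skb)` stays in place below the new `return err`, so the function now has one failure exit that frees the skb and one that must not. A comment at the `return err` noting that `nlmsg_multicast()` has already consumed the skb would make the distinction visible, and the remaining `goto error` sites should be checked to confirm each still owns the skb when it jumps.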
* [PATCH 3.16 190/410] btrfs: remove spurious WARN_ON(ref->count < 0) in find_parent_nodes
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Zygo Blaxell, David Sterba, Lu Fengqi
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Zygo Blaxell <ce3g8jdj@umail.furryterror.org>
commit c8195a7b1ad5648857ce20ba24f384faed8512bc upstream.
Until v4.14, this warning was very infrequent:
WARNING: CPU: 3 PID: 18172 at fs/btrfs/backref.c:1391 find_parent_nodes+0xc41/0x14e0
Modules linked in: [...]
CPU: 3 PID: 18172 Comm: bees Tainted: G D W L 4.11.9-zb64+ #1
Hardware name: System manufacturer System Product Name/M5A78L-M/USB3, BIOS 2101 12/02/2014
Call Trace:
dump_stack+0x85/0xc2
__warn+0xd1/0xf0
warn_slowpath_null+0x1d/0x20
find_parent_nodes+0xc41/0x14e0
__btrfs_find_all_roots+0xad/0x120
? extent_same_check_offsets+0x70/0x70
iterate_extent_inodes+0x168/0x300
iterate_inodes_from_logical+0x87/0xb0
? iterate_inodes_from_logical+0x87/0xb0
? extent_same_check_offsets+0x70/0x70
btrfs_ioctl+0x8ac/0x2820
? lock_acquire+0xc2/0x200
do_vfs_ioctl+0x91/0x700
? __fget+0x112/0x200
SyS_ioctl+0x79/0x90
entry_SYSCALL_64_fastpath+0x23/0xc6
? trace_hardirqs_off_caller+0x1f/0x140
Starting with v4.14 (specifically 86d5f9944252 ("btrfs: convert prelimary
reference tracking to use rbtrees")) the WARN_ON occurs three orders of
magnitude more frequently--almost once per second while running workloads
like bees.
Replace the WARN_ON() with a comment rationale for its removal.
The rationale is paraphrased from an explanation by Edmund Nadolski
<enadolski@suse.de> on the linux-btrfs mailing list.
Fixes: 8da6d5815c59 ("Btrfs: added btrfs_find_all_roots()")
Signed-off-by: Zygo Blaxell <ce3g8jdj@umail.furryterror.org>
Reviewed-by: Lu Fengqi <lufq.fnst@cn.fujitsu.com>
Signed-off-by: David Sterba <dsterba@suse.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/btrfs/backref.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
--- a/fs/btrfs/backref.c
+++ b/fs/btrfs/backref.c
@@ -979,7 +979,16 @@ again:
while (!list_empty(&prefs)) {
ref = list_first_entry(&prefs, struct __prelim_ref, list);
- WARN_ON(ref->count < 0);
+ /*
+ * ref->count < 0 can happen here if there are delayed
+ * refs with a node->action of BTRFS_DROP_DELAYED_REF.
+ * prelim_ref_insert() relies on this when merging
+ * identical refs to keep the overall count correct.
+ * prelim_ref_insert() will merge only those refs
+ * which compare identically. Any refs having
+ * e.g. different offsets would not be merged,
+ * and would retain their original ref->count < 0.
+ */
if (roots && ref->count && ref->root_id && ref->parent == 0) {
/* no parent == root of tree */
ret = ulist_add(roots, ref->root_id, 0, GFP_NOFS);
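Review bot: The replacement comment explains the negative count in terms of `prelim_ref_insert()`, which the commit message ties to the v4.14 rbtree conversion, while this 3.16 context still walks a list (`list_first_entry(&prefs, struct __prelim_ref, list)`). The backport note mentions only adjusted context; if `prelim_ref_insert()` does not exist in 3.16, the comment should name the merge step this tree actually uses. It would also help to state that the `ref->count &&` test on the following line is meant to treat a negative count as non-zero.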
* [PATCH 3.16 103/410] usb: f_fs: Prevent gadget unbind if it is already unbound
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, John Stultz, Felipe Balbi, Android Kernel Team,
Michal Nazarewicz, Badhri, Greg KH, Dmitry Shmidt, Amit Pundir,
Hemant Kumar, Greg Kroah-Hartman
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Hemant Kumar <hemantk@codeaurora.org>
commit ce5bf9a50daf2d9078b505aca1cea22e88ecb94a upstream.
Upon USB composition switch there is a possibility of ep0 file
release happening after gadget driver bind. In case of a composition
switch from adb to a non-adb composition, the gadget will never get
bound again, resulting in failure of USB device enumeration. Fix
this issue by checking FFS_FL_BOUND flag and avoid extra
gadget driver unbind if it is already done as part of composition
switch.
This fixes adb reconnection error reported on Android running
v4.4 and above kernel versions. Verified on Hikey running vanilla
v4.15-rc7 + few out of tree Mali patches.
Reviewed-at: https://android-review.googlesource.com/#/c/582632/
Cc: Felipe Balbi <balbi@kernel.org>
Cc: Greg KH <gregkh@linux-foundation.org>
Cc: Michal Nazarewicz <mina86@mina86.com>
Cc: John Stultz <john.stultz@linaro.org>
Cc: Dmitry Shmidt <dimitrysh@google.com>
Cc: Badhri <badhri@google.com>
Cc: Android Kernel Team <kernel-team@android.com>
Signed-off-by: Hemant Kumar <hemantk@codeaurora.org>
[AmitP: Cherry-picked it from android-4.14 and updated the commit log]
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/gadget/f_fs.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/usb/gadget/f_fs.c
+++ b/drivers/usb/gadget/f_fs.c
@@ -3019,7 +3019,8 @@ static void ffs_closed(struct ffs_data *
ci = ffs_obj->opts->func_inst.group.cg_item.ci_parent->ci_parent;
ffs_dev_unlock();
- unregister_gadget_item(ci);
+ if (test_bit(FFS_FL_BOUND, &ffs->flags))
+ unregister_gadget_item(ci);
return;
done:
ffs_dev_unlock();
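Review bot: `test_bit(FFS_FL_BOUND, &ffs->flags)` is evaluated after `ffs_dev_unlock()`, so the flag is read and `unregister_gadget_item(ci)` is called without the lock that protected the lookup of `ci` just above. If bind or unbind can run concurrently with `ffs_closed()`, the flag can change between the test and the call. Sampling the flag before `ffs_dev_unlock()`, or a comment naming what serialises this path, would settle it.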
* [PATCH 3.16 336/410] team: Fix double free in error path
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Arkadi Sharshevsky, David S. Miller, Jiri Pirko
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Arkadi Sharshevsky <arkadis@mellanox.com>
commit cbcc607e18422555db569b593608aec26111cb0b upstream.
The __send_and_alloc_skb() receives a skb ptr as a parameter but in
case it fails the skb is not valid:
- Send failed and released the skb internally.
- Allocation failed.
The current code tries to release the skb in case of failure which
causes redundant freeing.
Fixes: 9b00cf2d1024 ("team: implement multipart netlink messages for options transfers")
Signed-off-by: Arkadi Sharshevsky <arkadis@mellanox.com>
Acked-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/net/team/team.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/net/team/team.c
+++ b/drivers/net/team/team.c
@@ -2356,7 +2356,7 @@ send_done:
if (!nlh) {
err = __send_and_alloc_skb(&skb, team, portid, send_func);
if (err)
- goto errout;
+ return err;
goto send_done;
}
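Review bot: the bare "return err;" after __send_and_alloc_skb() now skips the errout label that every other failure in this function presumably still uses, and nothing at the call site says why. A short comment here (for example that skb is already consumed or never allocated when the helper fails) would stop a later cleanup from turning it back into "goto errout" and reintroducing the double free.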
@@ -2636,7 +2636,7 @@ send_done:
if (!nlh) {
err = __send_and_alloc_skb(&skb, team, portid, send_func);
if (err)
- goto errout;
+ return err;
goto send_done;
}
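Review bot: this is the same fix repeated at a second call site, which suggests the contract of __send_and_alloc_skb() is the real problem. Since the helper already takes &skb, consider having it set *skb to NULL on failure so that a jump to errout stays safe at both sites and at any future caller, rather than relying on each caller to remember the early return.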
* [PATCH 3.16 355/410] aio: kill the misleading rcu read locks in ioctx_add_table() and kill_ioctx()
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Oleg Nesterov, Benjamin LaHaise
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Oleg Nesterov <oleg@redhat.com>
commit 855ef0dec7271ff7be7381feaaf3f4aed80bd503 upstream.
ioctx_add_table() is the writer, it does not need rcu_read_lock() to
protect ->ioctx_table. It relies on mm->ioctx_lock and rcu locks just
add the confusion.
And it doesn't need rcu_dereference() by the same reason, it must see
any updates previously done under the same ->ioctx_lock. We could use
rcu_dereference_protected() but the patch uses rcu_dereference_raw(),
the function is simple enough.
The same for kill_ioctx(), although it does not update the pointer.
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Benjamin LaHaise <bcrl@kvack.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/aio.c | 14 +++-----------
1 file changed, 3 insertions(+), 11 deletions(-)
--- a/fs/aio.c
+++ b/fs/aio.c
@@ -563,8 +563,7 @@ static int ioctx_add_table(struct kioctx
struct aio_ring *ring;
spin_lock(&mm->ioctx_lock);
- rcu_read_lock();
- table = rcu_dereference(mm->ioctx_table);
+ table = rcu_dereference_raw(mm->ioctx_table);
while (1) {
if (table)
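Review bot: rcu_dereference_raw(mm->ioctx_table) drops all lockdep checking on this access, even though it sits directly under spin_lock(&mm->ioctx_lock). The commit message itself names rcu_dereference_protected() as the alternative; using it with lockdep_is_held(&mm->ioctx_lock) would document the writer-side rule in the code and catch a future caller that forgets the lock, at no runtime cost.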
@@ -572,7 +571,6 @@ static int ioctx_add_table(struct kioctx
if (!table->table[i]) {
ctx->id = i;
table->table[i] = ctx;
- rcu_read_unlock();
spin_unlock(&mm->ioctx_lock);
/* While kioctx setup is in progress,
@@ -586,8 +584,6 @@ static int ioctx_add_table(struct kioctx
}
new_nr = (table ? table->nr : 1) * 4;
-
- rcu_read_unlock();
spin_unlock(&mm->ioctx_lock);
table = kzalloc(sizeof(*table) + sizeof(struct kioctx *) *
@@ -598,8 +594,7 @@ static int ioctx_add_table(struct kioctx
table->nr = new_nr;
spin_lock(&mm->ioctx_lock);
- rcu_read_lock();
- old = rcu_dereference(mm->ioctx_table);
+ old = rcu_dereference_raw(mm->ioctx_table);
if (!old) {
rcu_assign_pointer(mm->ioctx_table, table);
@@ -749,12 +744,9 @@ static int kill_ioctx(struct mm_struct *
spin_lock(&mm->ioctx_lock);
- rcu_read_lock();
- table = rcu_dereference(mm->ioctx_table);
-
+ table = rcu_dereference_raw(mm->ioctx_table);
WARN_ON(ctx != table->table[ctx->id]);
table->table[ctx->id] = NULL;
- rcu_read_unlock();
spin_unlock(&mm->ioctx_lock);
/* percpu_ref_kill() will do the necessary call_rcu() */
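Review bot: in kill_ioctx() the result of rcu_dereference_raw(mm->ioctx_table) is dereferenced immediately in WARN_ON(ctx != table->table[ctx->id]) with no NULL check, and with the raw accessor there is no lockdep annotation either. If table cannot be NULL here because ctx was installed under the same ->ioctx_lock, please say so in a comment, and prefer rcu_dereference_protected() with lockdep_is_held(&mm->ioctx_lock) as in the other sites.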
* [PATCH 3.16 142/410] drm/ttm: fix adding foreign BOs to the swap LRU
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Christian König, Alex Deucher, Thomas Hellstrom
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Christian König <christian.koenig@amd.com>
commit ed704a43e84cc536081423dcd3491acf2791aaeb upstream.
It doesn't make any sense to try to swap out imported BOs.
Reviewed-by: Thomas Hellstrom <thellstrom@vmware.com>
Signed-off-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/gpu/drm/ttm/ttm_bo.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/gpu/drm/ttm/ttm_bo.c
+++ b/drivers/gpu/drm/ttm/ttm_bo.c
@@ -175,7 +175,7 @@ void ttm_bo_add_to_lru(struct ttm_buffer
list_add_tail(&bo->lru, &man->lru);
kref_get(&bo->list_kref);
- if (bo->ttm != NULL) {
+ if (bo->ttm && !(bo->ttm->page_flags & TTM_PAGE_FLAG_SG)) {
list_add_tail(&bo->swap, &bo->glob->swap_lru);
kref_get(&bo->list_kref);
}
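Review bot: with the new TTM_PAGE_FLAG_SG test, a BO that has bo->ttm set may now skip both list_add_tail(&bo->swap, ...) and the matching kref_get(&bo->list_kref). The removal side is not part of this patch, so please confirm it decides whether to drop that reference from the state of bo->swap itself and not from bo->ttm != NULL, otherwise the refcount goes out of balance for imported BOs. A one-line comment on the condition ("imported/SG BOs are never swapped out") would also help, since the commit message is a single sentence.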
* [PATCH 3.16 253/410] udplite: fix partial checksum initialization
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Alexey Kodanev, David S. Miller
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Alexey Kodanev <alexey.kodanev@oracle.com>
commit 15f35d49c93f4fa9875235e7bf3e3783d2dd7a1b upstream.
Since UDP-Lite is always using checksum, the following path is
triggered when calculating pseudo header for it:
udp4_csum_init() or udp6_csum_init()
skb_checksum_init_zero_check()
__skb_checksum_validate_complete()
The problem can appear if skb->len is less than CHECKSUM_BREAK. In
this particular case __skb_checksum_validate_complete() also invokes
__skb_checksum_complete(skb). If UDP-Lite is using partial checksum
that covers only part of a packet, the function will return bad
checksum and the packet will be dropped.
It can be fixed if we skip skb_checksum_init_zero_check() and only
set the required pseudo header checksum for UDP-Lite with partial
checksum before udp4_csum_init()/udp6_csum_init() functions return.
Fixes: ed70fcfcee95 ("net: Call skb_checksum_init in IPv4")
Fixes: e4f45b7f40bd ("net: Call skb_checksum_init in IPv6")
Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
include/net/udplite.h | 1 +
net/ipv4/udp.c | 5 +++++
net/ipv6/ip6_checksum.c | 5 +++++
3 files changed, 11 insertions(+)
--- a/include/net/udplite.h
+++ b/include/net/udplite.h
@@ -61,6 +61,7 @@ static inline int udplite_checksum_init(
UDP_SKB_CB(skb)->cscov = cscov;
if (skb->ip_summed == CHECKSUM_COMPLETE)
skb->ip_summed = CHECKSUM_NONE;
+ skb->csum_valid = 0;
}
return 0;
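Review bot: the added "skb->csum_valid = 0;" follows an unbraced "if (skb->ip_summed == CHECKSUM_COMPLETE)", so it is easy to misread as part of that if. As written it runs for every packet that reaches this block, which matches the commit message, but a blank line before it and a short comment saying why csum_valid must be cleared for partial coverage would remove the ambiguity.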
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -1729,6 +1729,11 @@ static inline int udp4_csum_init(struct
err = udplite_checksum_init(skb, uh);
if (err)
return err;
+
+ if (UDP_SKB_CB(skb)->partial_cov) {
+ skb->csum = inet_compute_pseudo(skb, proto);
+ return 0;
+ }
}
return skb_checksum_init_zero_check(skb, proto, uh->check,
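Review bot: the early "return 0;" for UDP_SKB_CB(skb)->partial_cov bypasses skb_checksum_init_zero_check() entirely, so within udp4_csum_init() nothing looks at uh->check for partially covered UDP-Lite packets any more. Please add a comment stating where the partial checksum is verified later, so it is clear from the code that validation is deferred and not dropped.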
--- a/net/ipv6/ip6_checksum.c
+++ b/net/ipv6/ip6_checksum.c
@@ -73,6 +73,11 @@ int udp6_csum_init(struct sk_buff *skb,
err = udplite_checksum_init(skb, uh);
if (err)
return err;
+
+ if (UDP_SKB_CB(skb)->partial_cov) {
+ skb->csum = ip6_compute_pseudo(skb, proto);
+ return 0;
+ }
}
/* To support RFC 6936 (allow zero checksum in UDP/IPV6 for tunnels)
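Review bot: this block in udp6_csum_init() is a line-for-line copy of the one added to udp4_csum_init(), differing only in ip6_compute_pseudo() versus inet_compute_pseudo(). The shared part (testing partial_cov and storing the pseudo-header sum in skb->csum) could live next to udplite_checksum_init() in udplite.h, which would keep the IPv4 and IPv6 paths from drifting apart the next time this logic changes.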
* [PATCH 3.16 294/410] l2tp: fix tunnel lookup use-after-free race
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, James Chapman, David S. Miller
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: James Chapman <jchapman@katalix.com>
commit 28f5bfb819195ad9c2eb9486babe7b0e4efe925f upstream.
l2tp_tunnel_get walks the tunnel list to find a matching tunnel
instance and if a match is found, its refcount is increased before
returning the tunnel pointer. But when tunnel objects are destroyed,
they are on the tunnel list after their refcount hits zero. Fix this
by moving the code that removes the tunnel from the tunnel list from
the tunnel socket destructor into the l2tp_tunnel_delete path,
before the tunnel refcount is decremented.
refcount_t: increment on 0; use-after-free.
WARNING: CPU: 3 PID: 13507 at lib/refcount.c:153 refcount_inc+0x47/0x50
Modules linked in:
CPU: 3 PID: 13507 Comm: syzbot_6e6a5ec8 Not tainted 4.16.0-rc2+ #36
Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
RIP: 0010:refcount_inc+0x47/0x50
Call Trace:
l2tp_tunnel_get+0x2dd/0x4e0
pppol2tp_connect+0x428/0x13c0
? pppol2tp_session_create+0x170/0x170
? __might_fault+0x115/0x1d0
? lock_downgrade+0x860/0x860
? __might_fault+0xe5/0x1d0
? security_socket_connect+0x8e/0xc0
SYSC_connect+0x1b6/0x310
? SYSC_bind+0x280/0x280
? __do_page_fault+0x5d1/0xca0
? up_read+0x1f/0x40
? __do_page_fault+0x3c8/0xca0
SyS_connect+0x29/0x30
? SyS_accept+0x40/0x40
do_syscall_64+0x1e0/0x730
? trace_hardirqs_off_thunk+0x1a/0x1c
entry_SYSCALL_64_after_hwframe+0x42/0xb7
Fixes: f8ccac0e44934 ("l2tp: put tunnel socket release on a workqueue")
Reported-and-tested-by: syzbot+19c09769f14b48810113@syzkaller.appspotmail.com
Reported-and-tested-by: syzbot+347bd5acde002e353a36@syzkaller.appspotmail.com
Reported-and-tested-by: syzbot+6e6a5ec8de31a94cd015@syzkaller.appspotmail.com
Reported-and-tested-by: syzbot+9df43faf09bd400f2993@syzkaller.appspotmail.com
Signed-off-by: James Chapman <jchapman@katalix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/l2tp/l2tp_core.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -1249,7 +1249,6 @@ EXPORT_SYMBOL_GPL(l2tp_xmit_skb);
static void l2tp_tunnel_destruct(struct sock *sk)
{
struct l2tp_tunnel *tunnel = l2tp_tunnel(sk);
- struct l2tp_net *pn;
if (tunnel == NULL)
goto end;
@@ -1272,12 +1271,6 @@ static void l2tp_tunnel_destruct(struct
sk->sk_destruct = tunnel->old_sk_destruct;
sk->sk_user_data = NULL;
- /* Remove the tunnel struct from the tunnel list */
- pn = l2tp_pernet(tunnel->l2tp_net);
- spin_lock_bh(&pn->l2tp_tunnel_list_lock);
- list_del_rcu(&tunnel->list);
- spin_unlock_bh(&pn->l2tp_tunnel_list_lock);
-
/* Call the original destructor */
if (sk->sk_destruct)
(*sk->sk_destruct)(sk);
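Review bot: after this hunk l2tp_tunnel_destruct() no longer unlinks the tunnel from the per-net list at all, so any teardown that reaches the socket destructor without first going through l2tp_tunnel_del_work() would leave a dead entry on the list. Please state in the commit message or a comment that every destruction path is guaranteed to run the delete work first, or keep a guarded unlink here as a fallback.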
@@ -1359,6 +1352,7 @@ static void l2tp_tunnel_del_work(struct
del_work);
struct sock *sk = tunnel->sock;
struct socket *sock = sk->sk_socket;
+ struct l2tp_net *pn;
l2tp_tunnel_closeall(tunnel);
@@ -1371,6 +1365,12 @@ static void l2tp_tunnel_del_work(struct
sk_release_kernel(sk);
}
+ /* Remove the tunnel struct from the tunnel list */
+ pn = l2tp_pernet(tunnel->l2tp_net);
+ spin_lock_bh(&pn->l2tp_tunnel_list_lock);
+ list_del_rcu(&tunnel->list);
+ spin_unlock_bh(&pn->l2tp_tunnel_list_lock);
+
/* drop initial ref */
l2tp_tunnel_dec_refcount(tunnel);
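Review bot: list_del_rcu(&tunnel->list) now lives in l2tp_tunnel_del_work(), which is only safe if this work item runs exactly once per tunnel; a second run would unlink an already unlinked entry and drop the initial reference twice. Nothing in the visible lines enforces that, so please point to the guard that prevents the work from being queued twice, or add one. It is also worth a comment that the unlink must stay ahead of "drop initial ref", since that ordering is the whole fix.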
* [PATCH 3.16 006/410] Bluetooth: hidp_connection_add() unsafe use of l2cap_pi()
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Al Viro, Marcel Holtmann
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro <viro@zeniv.linux.org.uk>
commit 51bda2bca53b265715ca1852528f38dc67429d9a upstream.
it's OK after we'd verified the sockets, but not before that.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/bluetooth/hidp/core.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/net/bluetooth/hidp/core.c
+++ b/net/bluetooth/hidp/core.c
@@ -1332,13 +1332,14 @@ int hidp_connection_add(struct hidp_conn
{
struct hidp_session *session;
struct l2cap_conn *conn;
- struct l2cap_chan *chan = l2cap_pi(ctrl_sock->sk)->chan;
+ struct l2cap_chan *chan;
int ret;
ret = hidp_verify_sockets(ctrl_sock, intr_sock);
if (ret)
return ret;
+ chan = l2cap_pi(ctrl_sock->sk)->chan;
conn = NULL;
l2cap_chan_lock(chan);
if (chan->conn) {
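Review bot: the only thing that makes "chan = l2cap_pi(ctrl_sock->sk)->chan;" safe is its position after hidp_verify_sockets(), and nothing in the code says so. Please add a comment above the assignment noting that l2cap_pi() may only be applied once the sockets have been verified, otherwise the next tidy-up is likely to fold it back into the declaration and bring the unsafe cast back.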
* [PATCH 3.16 182/410] Revert "apple-gmux: lock iGP IO to protect from vgaarb changes"
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Bruno Prémont, Ronald Tschalär, Petri Hodju,
Darren Hart (VMware),
Bjorn Helgaas, Andy Ritger, Wilfried Klaebe, Lukas Wunner
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Lukas Wunner <lukas@wunner.de>
commit d6fa7588fd7a8def4c747c0c574ce85d453e3788 upstream.
Commit 4eebd5a4e726 ("apple-gmux: lock iGP IO to protect from vgaarb
changes") amended this driver's ->probe hook to lock decoding of normal
(non-legacy) I/O space accesses to the integrated GPU on dual-GPU
MacBook Pros. The lock stays in place until the driver is unbound.
The change was made to work around an issue with the out-of-tree nvidia
graphics driver (available at http://www.nvidia.com/object/unix.html).
It contains the following sequence in nvidia/nv.c:
#if defined(CONFIG_VGA_ARB) && !defined(NVCPU_PPC64LE)
#if defined(VGA_DEFAULT_DEVICE)
vga_tryget(VGA_DEFAULT_DEVICE, VGA_RSRC_LEGACY_MASK);
#endif
vga_set_legacy_decoding(dev, VGA_RSRC_NONE);
#endif
This code was reported to cause deadlocks with VFIO already in 2013:
https://devtalk.nvidia.com/default/topic/545560
I've reported the issue to Nvidia developers once more in 2017:
https://www.spinics.net/lists/dri-devel/msg138754.html
On the MacBookPro10,1, this code apparently breaks backlight control
(which is handled by apple-gmux via an I/O region starting at 0x700),
as reported by Petri Hodju:
https://bugzilla.kernel.org/show_bug.cgi?id=86121
I tried to replicate Petri's observations on my MacBook9,1, which uses
the same Intel Ivy Bridge + Nvidia GeForce GT 650M architecture, to no
avail. On my machine apple-gmux' I/O region remains accessible even
with the nvidia driver loaded and commit 4eebd5a4e726 reverted.
Petri reported that apple-gmux becomes accessible again after a
suspend/resume cycle because the BIOS changed the VGA routing on the
root port to the Nvidia GPU. Perhaps this is a BIOS issue after all
that can be fixed with an update?
In any case, the change made by commit 4eebd5a4e726 has turned out to
cause two new issues:
* Wilfried Klaebe reports a deadlock when launching Xorg because it
opens /dev/vga_arbiter and calls vga_get(), but apple-gmux is holding
a lock on I/O space indefinitely. It looks like apple-gmux' current
behavior is an abuse of the vgaarb API as locks are not meant to be
held for longer periods:
https://bugzilla.kernel.org/show_bug.cgi?id=88861#c11
https://bugzilla.kernel.org/attachment.cgi?id=217541
* On dual GPU MacBook Pros introduced since 2013, the integrated GPU is
powergated on boot and thus becomes invisible to Linux unless a custom
EFI protocol is used to leave it powered on. (A patch exists but is
not in mainline yet due to several negative side effects.) On these
machines, locking I/O to the integrated GPU (as done by 4eebd5a4e726)
fails and backlight control is therefore broken:
https://bugzilla.kernel.org/show_bug.cgi?id=105051
So let's revert commit 4eebd5a4e726 please. Users experiencing the
issue with the proprietary nvidia driver can comment out the above-
quoted problematic code as a workaround (or try updating the BIOS).
Cc: Petri Hodju <petrihodju@yahoo.com>
Cc: Bjorn Helgaas <bhelgaas@google.com>
Cc: Bruno Prémont <bonbons@linux-vserver.org>
Cc: Andy Ritger <aritger@nvidia.com>
Cc: Ronald Tschalär <ronald@innovation.ch>
Tested-by: Wilfried Klaebe <linux-kernel@lebenslange-mailadresse.de>
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Signed-off-by: Darren Hart (VMware) <dvhart@infradead.org>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/platform/x86/apple-gmux.c | 48 +------------------------------
1 file changed, 1 insertion(+), 47 deletions(-)
--- a/drivers/platform/x86/apple-gmux.c
+++ b/drivers/platform/x86/apple-gmux.c
@@ -22,7 +22,6 @@
#include <linux/delay.h>
#include <linux/pci.h>
#include <linux/vga_switcheroo.h>
-#include <linux/vgaarb.h>
#include <acpi/video.h>
#include <asm/io.h>
@@ -32,7 +31,6 @@ struct apple_gmux_data {
bool indexed;
struct mutex index_lock;
- struct pci_dev *pdev;
struct backlight_device *bdev;
/* switcheroo data */
@@ -417,23 +415,6 @@ static int gmux_resume(struct device *de
return 0;
}
-static struct pci_dev *gmux_get_io_pdev(void)
-{
- struct pci_dev *pdev = NULL;
-
- while ((pdev = pci_get_class(PCI_CLASS_DISPLAY_VGA << 8, pdev))) {
- u16 cmd;
-
- pci_read_config_word(pdev, PCI_COMMAND, &cmd);
- if (!(cmd & PCI_COMMAND_IO))
- continue;
-
- return pdev;
- }
-
- return NULL;
-}
-
static int gmux_probe(struct pnp_dev *pnp, const struct pnp_device_id *id)
{
struct apple_gmux_data *gmux_data;
@@ -444,7 +425,6 @@ static int gmux_probe(struct pnp_dev *pn
int ret = -ENXIO;
acpi_status status;
unsigned long long gpe;
- struct pci_dev *pdev = NULL;
if (apple_gmux_data)
return -EBUSY;
@@ -495,7 +475,7 @@ static int gmux_probe(struct pnp_dev *pn
ver_minor = (version >> 16) & 0xff;
ver_release = (version >> 8) & 0xff;
} else {
- pr_info("gmux device not present or IO disabled\n");
+ pr_info("gmux device not present\n");
ret = -ENODEV;
goto err_release;
}
@@ -503,23 +483,6 @@ static int gmux_probe(struct pnp_dev *pn
pr_info("Found gmux version %d.%d.%d [%s]\n", ver_major, ver_minor,
ver_release, (gmux_data->indexed ? "indexed" : "classic"));
- /*
- * Apple systems with gmux are EFI based and normally don't use
- * VGA. In addition changing IO+MEM ownership between IGP and dGPU
- * disables IO/MEM used for backlight control on some systems.
- * Lock IO+MEM to GPU with active IO to prevent switch.
- */
- pdev = gmux_get_io_pdev();
- if (pdev && vga_tryget(pdev,
- VGA_RSRC_NORMAL_IO | VGA_RSRC_NORMAL_MEM)) {
- pr_err("IO+MEM vgaarb-locking for PCI:%s failed\n",
- pci_name(pdev));
- ret = -EBUSY;
- goto err_release;
- } else if (pdev)
- pr_info("locked IO for PCI:%s\n", pci_name(pdev));
- gmux_data->pdev = pdev;
-
memset(&props, 0, sizeof(props));
props.type = BACKLIGHT_PLATFORM;
props.max_brightness = gmux_read32(gmux_data, GMUX_PORT_MAX_BRIGHTNESS);
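Review bot: the comment deleted in gmux_probe() was the only in-code record that changing IO+MEM ownership between IGP and dGPU can disable the I/O used for backlight control on some systems. With the vga_tryget() lock gone, that failure mode is expected to return on the affected machines described in the commit message, so consider leaving a short comment near the backlight setup that names the symptom and the bugzilla entry, so the next report is not "fixed" by re-adding a long-held vgaarb lock.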
@@ -611,10 +574,6 @@ err_enable_gpe:
err_notify:
backlight_device_unregister(bdev);
err_release:
- if (gmux_data->pdev)
- vga_put(gmux_data->pdev,
- VGA_RSRC_NORMAL_IO | VGA_RSRC_NORMAL_MEM);
- pci_dev_put(pdev);
release_region(gmux_data->iostart, gmux_data->iolen);
err_free:
kfree(gmux_data);
@@ -634,11 +593,6 @@ static void gmux_remove(struct pnp_dev *
&gmux_notify_handler);
}
- if (gmux_data->pdev) {
- vga_put(gmux_data->pdev,
- VGA_RSRC_NORMAL_IO | VGA_RSRC_NORMAL_MEM);
- pci_dev_put(gmux_data->pdev);
- }
backlight_device_unregister(gmux_data->bdev);
release_region(gmux_data->iostart, gmux_data->iolen);
* [PATCH 3.16 276/410] kernel/relay.c: limit kmalloc size to KMALLOC_MAX_SIZE
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, David Rientjes, Linus Torvalds, Dan Carpenter, Al Viro,
Dave Jiang, Jens Axboe
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: David Rientjes <rientjes@google.com>
commit 88913bd8ea2a75d7e460a4bed5f75e1c32660d7e upstream.
chan->n_subbufs is set by the user and relay_create_buf() does a kmalloc()
of chan->n_subbufs * sizeof(size_t *).
kmalloc_slab() will generate a warning when this fails if
chan->subbufs * sizeof(size_t *) > KMALLOC_MAX_SIZE.
Limit chan->n_subbufs to the maximum allowed kmalloc() size.
Link: http://lkml.kernel.org/r/alpine.DEB.2.10.1802061216100.122576@chino.kir.corp.google.com
Fixes: f6302f1bcd75 ("relay: prevent integer overflow in relay_open()")
Signed-off-by: David Rientjes <rientjes@google.com>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: Dave Jiang <dave.jiang@intel.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
kernel/relay.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/kernel/relay.c
+++ b/kernel/relay.c
@@ -166,7 +166,7 @@ static struct rchan_buf *relay_create_bu
{
struct rchan_buf *buf;
- if (chan->n_subbufs > UINT_MAX / sizeof(size_t *))
+ if (chan->n_subbufs > KMALLOC_MAX_SIZE / sizeof(size_t *))
return NULL;
buf = kzalloc(sizeof(struct rchan_buf), GFP_KERNEL);
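Review bot: the bound "chan->n_subbufs > KMALLOC_MAX_SIZE / sizeof(size_t *)" is only correct while the later allocation in relay_create_buf() multiplies by exactly the same element size, and that allocation is outside this hunk. Tying the two together, for example by using kmalloc_array() for the allocation or by sharing the element size through one expression, would keep the limit and the allocation from drifting apart. The silent "return NULL;" also gives the user who set n_subbufs no hint about why the channel could not be created.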
* [PATCH 3.16 329/410] sch_netem: fix skb leak in netem_enqueue()
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Neil Horman, David S. Miller, Alexey Kodanev
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Alexey Kodanev <alexey.kodanev@oracle.com>
commit 35d889d10b649fda66121891ec05eca88150059d upstream.
When we exceed current packets limit and we have more than one
segment in the list returned by skb_gso_segment(), netem drops
only the first one, skipping the rest, hence kmemleak reports:
unreferenced object 0xffff880b5d23b600 (size 1024):
comm "softirq", pid 0, jiffies 4384527763 (age 2770.629s)
hex dump (first 32 bytes):
00 80 23 5d 0b 88 ff ff 00 00 00 00 00 00 00 00 ..#]............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<00000000d8a19b9d>] __alloc_skb+0xc9/0x520
[<000000001709b32f>] skb_segment+0x8c8/0x3710
[<00000000c7b9bb88>] tcp_gso_segment+0x331/0x1830
[<00000000c921cba1>] inet_gso_segment+0x476/0x1370
[<000000008b762dd4>] skb_mac_gso_segment+0x1f9/0x510
[<000000002182660a>] __skb_gso_segment+0x1dd/0x620
[<00000000412651b9>] netem_enqueue+0x1536/0x2590 [sch_netem]
[<0000000005d3b2a9>] __dev_queue_xmit+0x1167/0x2120
[<00000000fc5f7327>] ip_finish_output2+0x998/0xf00
[<00000000d309e9d3>] ip_output+0x1aa/0x2c0
[<000000007ecbd3a4>] tcp_transmit_skb+0x18db/0x3670
[<0000000042d2a45f>] tcp_write_xmit+0x4d4/0x58c0
[<0000000056a44199>] tcp_tasklet_func+0x3d9/0x540
[<0000000013d06d02>] tasklet_action+0x1ca/0x250
[<00000000fcde0b8b>] __do_softirq+0x1b4/0x5a3
[<00000000e7ed027c>] irq_exit+0x1e2/0x210
Fix it by adding the rest of the segments, if any, to skb 'to_free'
list. Add new __qdisc_drop_all() and qdisc_drop_all() functions
because they can be useful in the future if we need to drop segmented
GSO packets in other places.
Fixes: 6071bd1aa13e ("netem: Segment GSO packets on enqueue")
Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16:
- The reshape_fail operation still exists, so keep calling it here if the
skb did not require segmentation
- We don't have a to_free list, so free directly in qdisc_drop_all()
- Open-code qdisc_qstats_drop()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/include/net/sch_generic.h
+++ b/include/net/sch_generic.h
@@ -656,6 +656,14 @@ static inline int qdisc_drop(struct sk_b
return NET_XMIT_DROP;
}
+static inline int qdisc_drop_all(struct sk_buff *skb, struct Qdisc *sch)
+{
+ kfree_skb_list(skb);
+ sch->qstats.drops++;
+
+ return NET_XMIT_DROP;
+}
+
static inline int qdisc_reshape_fail(struct sk_buff *skb, struct Qdisc *sch)
{
sch->qstats.drops++;
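Review bot: qdisc_drop_all() frees a whole list with kfree_skb_list(skb) but bumps sch->qstats.drops only once, so a dropped GSO packet that was split into several segments is counted as a single drop. If the counter is meant to be per packet on the wire, count the segments while freeing; if one drop per original skb is intended, say so in a comment above the helper, which currently has no documentation at all.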
--- a/net/sched/sch_netem.c
+++ b/net/sched/sch_netem.c
@@ -511,8 +511,12 @@ static int netem_enqueue(struct sk_buff
1<<(prandom_u32() % 8);
}
- if (unlikely(skb_queue_len(&sch->q) >= sch->limit))
+ if (unlikely(skb_queue_len(&sch->q) >= sch->limit)) {
+ /* qdisc_reshape_fail() can't handle segmented skb */
+ if (segs)
+ return qdisc_drop_all(skb, sch);
return qdisc_reshape_fail(skb, sch);
+ }
sch->qstats.backlog += qdisc_pkt_len(skb);
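Review bot: the new branch tests "segs" but frees "skb", so it depends on skb still heading the chain of remaining segments at this point in netem_enqueue(). That relationship is not visible near the check; please extend the comment to say that skb is the first segment with the rest linked behind it, so a later reordering of the segmentation code does not turn this back into a leak or into a free of a segment that was already queued.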
* [PATCH 3.16 060/410] x86/speculation: Move firmware_restrict_branch_speculation_*() from C to CPP
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, rkrcmar, dave.hansen, arjan.van.de.ven, Linus Torvalds,
Thomas Gleixner, kvm, karahmed, Ingo Molnar, pbonzini, jmattson,
Peter Zijlstra, bp, David Woodhouse
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Ingo Molnar <mingo@kernel.org>
commit d72f4e29e6d84b7ec02ae93088aa459ac70e733b upstream.
firmware_restrict_branch_speculation_*() recently started using
preempt_enable()/disable(), but those are relatively high level
primitives and cause build failures on some 32-bit builds.
Since we want to keep <asm/nospec-branch.h> low level, convert
them to macros to avoid header hell...
Cc: David Woodhouse <dwmw@amazon.co.uk>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: arjan.van.de.ven@intel.com
Cc: bp@alien8.de
Cc: dave.hansen@intel.com
Cc: jmattson@google.com
Cc: karahmed@amazon.de
Cc: kvm@vger.kernel.org
Cc: pbonzini@redhat.com
Cc: rkrcmar@redhat.com
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/x86/include/asm/nospec-branch.h | 28 +++++++++++++++-------------
1 file changed, 15 insertions(+), 13 deletions(-)
--- a/arch/x86/include/asm/nospec-branch.h
+++ b/arch/x86/include/asm/nospec-branch.h
@@ -213,20 +213,22 @@ static inline void indirect_branch_predi
/*
* With retpoline, we must use IBRS to restrict branch prediction
* before calling into firmware.
+ *
+ * (Implemented as CPP macros due to header hell.)
*/
-static inline void firmware_restrict_branch_speculation_start(void)
-{
- preempt_disable();
- alternative_msr_write(MSR_IA32_SPEC_CTRL, SPEC_CTRL_IBRS,
- X86_FEATURE_USE_IBRS_FW);
-}
+#define firmware_restrict_branch_speculation_start() \
+do { \
+ preempt_disable(); \
+ alternative_msr_write(MSR_IA32_SPEC_CTRL, SPEC_CTRL_IBRS, \
+ X86_FEATURE_USE_IBRS_FW); \
+} while (0)
-static inline void firmware_restrict_branch_speculation_end(void)
-{
- alternative_msr_write(MSR_IA32_SPEC_CTRL, 0,
- X86_FEATURE_USE_IBRS_FW);
- preempt_enable();
-}
+#define firmware_restrict_branch_speculation_end() \
+do { \
+ alternative_msr_write(MSR_IA32_SPEC_CTRL, 0, \
+ X86_FEATURE_USE_IBRS_FW); \
+ preempt_enable(); \
+} while (0)
#endif /* __ASSEMBLY__ */
#endif /* _ASM_X86_NOSPEC_BRANCH_H_ */
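Review bot: in the two new macros, preempt_disable() and preempt_enable() are resolved at each expansion site rather than in this header, so every file that uses firmware_restrict_branch_speculation_start()/_end() must pull in the preempt definitions itself. The added comment line "(Implemented as CPP macros due to header hell.)" should say that, because a new caller without the include will only fail to build on some configurations. The do { ... } while (0) wrappers are the right form for statement macros.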
* [PATCH 3.16 050/410] x86/speculation: Use IBRS if available before calling into firmware
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, arjan.van.de.ven, dave.hansen, rkrcmar, karahmed, kvm,
Thomas Gleixner, Linus Torvalds, pbonzini, Ingo Molnar,
David Woodhouse, bp, Peter Zijlstra, jmattson
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: David Woodhouse <dwmw@amazon.co.uk>
commit dd84441a797150dcc49298ec95c459a8891d8bb1 upstream.
Retpoline means the kernel is safe because it has no indirect branches.
But firmware isn't, so use IBRS for firmware calls if it's available.
Block preemption while IBRS is set, although in practice the call sites
already had to be doing that.
Ignore hpwdt.c for now. It's taking spinlocks and calling into firmware
code, from an NMI handler. I don't want to touch that with a bargepole.
Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: arjan.van.de.ven@intel.com
Cc: bp@alien8.de
Cc: dave.hansen@intel.com
Cc: jmattson@google.com
Cc: karahmed@amazon.de
Cc: kvm@vger.kernel.org
Cc: pbonzini@redhat.com
Cc: rkrcmar@redhat.com
Link: http://lkml.kernel.org/r/1519037457-7643-2-git-send-email-dwmw@amazon.co.uk
Signed-off-by: Ingo Molnar <mingo@kernel.org>
[bwh: Backported to 3.16:
- x86 defines {,__}efi_call_virt() itself; update those definitions
- Renumber the feature bit
- Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/x86/include/asm/apm.h | 6 +++++
arch/x86/include/asm/cpufeature.h | 1 +
arch/x86/include/asm/efi.h | 8 ++++++
arch/x86/include/asm/nospec-branch.h | 39 +++++++++++++++++++++-------
arch/x86/kernel/cpu/bugs.c | 12 ++++++++-
5 files changed, 56 insertions(+), 10 deletions(-)
--- a/arch/x86/include/asm/apm.h
+++ b/arch/x86/include/asm/apm.h
@@ -6,6 +6,8 @@
#ifndef _ASM_X86_MACH_DEFAULT_APM_H
#define _ASM_X86_MACH_DEFAULT_APM_H
+#include <asm/nospec-branch.h>
+
#ifdef APM_ZERO_SEGS
# define APM_DO_ZERO_SEGS \
"pushl %%ds\n\t" \
@@ -31,6 +33,7 @@ static inline void apm_bios_call_asm(u32
* N.B. We do NOT need a cld after the BIOS call
* because we always save and restore the flags.
*/
+ firmware_restrict_branch_speculation_start();
__asm__ __volatile__(APM_DO_ZERO_SEGS
"pushl %%edi\n\t"
"pushl %%ebp\n\t"
@@ -43,6 +46,7 @@ static inline void apm_bios_call_asm(u32
"=S" (*esi)
: "a" (func), "b" (ebx_in), "c" (ecx_in)
: "memory", "cc");
+ firmware_restrict_branch_speculation_end();
}
static inline u8 apm_bios_call_simple_asm(u32 func, u32 ebx_in,
@@ -55,6 +59,7 @@ static inline u8 apm_bios_call_simple_as
* N.B. We do NOT need a cld after the BIOS call
* because we always save and restore the flags.
*/
+ firmware_restrict_branch_speculation_start();
__asm__ __volatile__(APM_DO_ZERO_SEGS
"pushl %%edi\n\t"
"pushl %%ebp\n\t"
@@ -67,6 +72,7 @@ static inline u8 apm_bios_call_simple_as
"=S" (si)
: "a" (func), "b" (ebx_in), "c" (ecx_in)
: "memory", "cc");
+ firmware_restrict_branch_speculation_end();
return error;
}
--- a/arch/x86/include/asm/cpufeature.h
+++ b/arch/x86/include/asm/cpufeature.h
@@ -190,6 +190,7 @@
#define X86_FEATURE_RSB_CTXSW (7*32+11) /* "" Fill RSB on context switches */
#define X86_FEATURE_USE_IBPB (7*32+12) /* "" Indirect Branch Prediction Barrier enabled */
+#define X86_FEATURE_USE_IBRS_FW (7*32+13) /* "" Use IBRS during runtime firmware calls */
#define X86_FEATURE_RETPOLINE (7*32+29) /* "" Generic Retpoline mitigation for Spectre variant 2 */
#define X86_FEATURE_RETPOLINE_AMD (7*32+30) /* "" AMD Retpoline mitigation for Spectre variant 2 */
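Review bot: X86_FEATURE_USE_IBRS_FW is placed at (7*32+13), and the backport note says the feature bit was renumbered, so this value was chosen for this tree. Please confirm that slot 13 of word 7 is unused in 3.16; the context here shows only 11, 12, 29 and 30, and a collision would make two features share one bit.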
--- a/arch/x86/include/asm/efi.h
+++ b/arch/x86/include/asm/efi.h
@@ -2,6 +2,8 @@
#define _ASM_X86_EFI_H
#include <asm/i387.h>
+#include <asm/nospec-branch.h>
+
/*
* We map the EFI regions needed for runtime services non-contiguously,
* with preserved alignment on virtual addresses starting from -4G down
@@ -37,8 +39,10 @@ extern unsigned long asmlinkage efi_call
({ \
efi_status_t __s; \
kernel_fpu_begin(); \
+ firmware_restrict_branch_speculation_start(); \
__s = ((efi_##f##_t __attribute__((regparm(0)))*) \
efi.systab->runtime->f)(args); \
+ firmware_restrict_branch_speculation_end(); \
kernel_fpu_end(); \
__s; \
})
@@ -47,8 +51,10 @@ extern unsigned long asmlinkage efi_call
#define __efi_call_virt(f, args...) \
({ \
kernel_fpu_begin(); \
+ firmware_restrict_branch_speculation_start(); \
((efi_##f##_t __attribute__((regparm(0)))*) \
efi.systab->runtime->f)(args); \
+ firmware_restrict_branch_speculation_end(); \
kernel_fpu_end(); \
})
@@ -69,7 +75,9 @@ extern u64 asmlinkage efi_call(void *fp,
efi_sync_low_kernel_mappings(); \
preempt_disable(); \
__kernel_fpu_begin(); \
+ firmware_restrict_branch_speculation_start(); \
__s = efi_call((void *)efi.systab->runtime->f, __VA_ARGS__); \
+ firmware_restrict_branch_speculation_end(); \
__kernel_fpu_end(); \
preempt_enable(); \
__s; \
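Review bot: in this efi_call()-based variant the macro already calls preempt_disable() two lines above, and firmware_restrict_branch_speculation_start() disables preemption again, so the sections nest. That is harmless and the commit message acknowledges it, but the ordering is what matters: the IBRS write is undone before __kernel_fpu_end() and the outer preempt_enable(), which is the right way round and should be preserved if this macro is reworked.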
--- a/arch/x86/include/asm/nospec-branch.h
+++ b/arch/x86/include/asm/nospec-branch.h
@@ -194,17 +194,38 @@ static inline void vmexit_fill_RSB(void)
#endif
}
+#define alternative_msr_write(_msr, _val, _feature) \
+ asm volatile(ALTERNATIVE("", \
+ "movl %[msr], %%ecx\n\t" \
+ "movl %[val], %%eax\n\t" \
+ "movl $0, %%edx\n\t" \
+ "wrmsr", \
+ _feature) \
+ : : [msr] "i" (_msr), [val] "i" (_val) \
+ : "eax", "ecx", "edx", "memory")
+
static inline void indirect_branch_prediction_barrier(void)
{
- asm volatile(ALTERNATIVE("",
- "movl %[msr], %%ecx\n\t"
- "movl %[val], %%eax\n\t"
- "movl $0, %%edx\n\t"
- "wrmsr",
- X86_FEATURE_USE_IBPB)
- : : [msr] "i" (MSR_IA32_PRED_CMD),
- [val] "i" (PRED_CMD_IBPB)
- : "eax", "ecx", "edx", "memory");
+ alternative_msr_write(MSR_IA32_PRED_CMD, PRED_CMD_IBPB,
+ X86_FEATURE_USE_IBPB);
+}
+
+/*
+ * With retpoline, we must use IBRS to restrict branch prediction
+ * before calling into firmware.
+ */
+static inline void firmware_restrict_branch_speculation_start(void)
+{
+ preempt_disable();
+ alternative_msr_write(MSR_IA32_SPEC_CTRL, SPEC_CTRL_IBRS,
+ X86_FEATURE_USE_IBRS_FW);
+}
+
+static inline void firmware_restrict_branch_speculation_end(void)
+{
+ alternative_msr_write(MSR_IA32_SPEC_CTRL, 0,
+ X86_FEATURE_USE_IBRS_FW);
+ preempt_enable();
}
#endif /* __ASSEMBLY__ */
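Review bot: firmware_restrict_branch_speculation_end() writes a constant 0 to MSR_IA32_SPEC_CTRL instead of restoring the value that was there before the call, so it assumes the kernel otherwise runs with that register at zero. Please state that assumption in the comment above the pair, because a later change that sets another SPEC_CTRL bit would be undone on every firmware call. Separately, alternative_msr_write() uses "i" constraints and hard-codes edx to 0, so it only accepts compile-time constants that fit in 32 bits; a one-line comment on the macro would save the next user a confusing build error.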
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -364,6 +364,15 @@ retpoline_auto:
setup_force_cpu_cap(X86_FEATURE_USE_IBPB);
pr_info("Enabling Indirect Branch Prediction Barrier\n");
}
+
+ /*
+ * Retpoline means the kernel is safe because it has no indirect
+ * branches. But firmware isn't, so use IBRS to protect that.
+ */
+ if (boot_cpu_has(X86_FEATURE_IBRS)) {
+ setup_force_cpu_cap(X86_FEATURE_USE_IBRS_FW);
+ pr_info("Enabling Restricted Speculation for firmware calls\n");
+ }
}
#undef pr_fmt
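Review bot: the new block enables X86_FEATURE_USE_IBRS_FW on boot_cpu_has(X86_FEATURE_IBRS) alone, while its comment justifies the choice by retpoline being in use. If this point in the function can be reached with a different mitigation mode selected, either gate the block on the retpoline modes or reword the comment so that it matches the condition actually tested.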
@@ -393,8 +402,9 @@ ssize_t cpu_show_spectre_v2(struct devic
if (!boot_cpu_has_bug(X86_BUG_SPECTRE_V2))
return sprintf(buf, "Not affected\n");
- return sprintf(buf, "%s%s%s\n", spectre_v2_strings[spectre_v2_enabled],
+ return sprintf(buf, "%s%s%s%s\n", spectre_v2_strings[spectre_v2_enabled],
boot_cpu_has(X86_FEATURE_USE_IBPB) ? ", IBPB" : "",
+ boot_cpu_has(X86_FEATURE_USE_IBRS_FW) ? ", IBRS_FW" : "",
spectre_v2_module_string());
}
#endif
* [PATCH 3.16 264/410] drm/edid: Add 6 bpc quirk for CPT panel in Asus UX303LA
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Daniel Vetter, Mario Kleiner, Kai-Heng Feng
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Kai-Heng Feng <kai.heng.feng@canonical.com>
commit 06998a756a3865817b87a129a7e5d5bb66dc1ec3 upstream.
Similar to commit e10aec652f31 ("drm/edid: Add 6 bpc quirk for display
AEO model 0."), the EDID reports "DFP 1.x compliant TMDS" but it supports
6 bpc instead of 8 bpc.
Hence, use 6 bpc quirk for this panel.
Fixes: 196f954e2509 ("drm/i915/dp: Revert "drm/i915/dp: fall back to 18 bpp when sink capability is unknown"")
BugLink: https://bugs.launchpad.net/bugs/1749420
Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
Reviewed-by: Mario Kleiner <mario.kleiner.de@gmail.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: https://patchwork.freedesktop.org/patch/msgid/20180218085359.7817-1-kai.heng.feng@canonical.com
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/gpu/drm/drm_edid.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/gpu/drm/drm_edid.c
+++ b/drivers/gpu/drm/drm_edid.c
@@ -105,6 +105,9 @@ static struct edid_quirk {
/* AEO model 0 reports 8 bpc, but is a 6 bpc panel */
{ "AEO", 0, EDID_QUIRK_FORCE_6BPC },
+ /* CPT panel of Asus UX303LA reports 8 bpc, but is a 6 bpc panel */
+ { "CPT", 0x17df, EDID_QUIRK_FORCE_6BPC },
+
/* Belinea 10 15 55 */
{ "MAX", 1516, EDID_QUIRK_PREFER_LARGE_60 },
{ "MAX", 0x77e, EDID_QUIRK_PREFER_LARGE_60 },
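Review bot: the new entry keys on manufacturer "CPT" and product 0x17df only, so it forces 6 bpc on every machine that ships this panel, not just the Asus UX303LA named in the comment. That is how the quirk table works, but the comment could read "CPT panel (seen in Asus UX303LA)" so that nobody assumes a per-laptop match.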
* [PATCH 3.16 268/410] arm64: Disable unhandled signal log messages by default
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Michael Weiser, Will Deacon
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Michael Weiser <michael.weiser@gmx.de>
commit 5ee39a71fd89ab7240c5339d04161c44a8e03269 upstream.
aarch64 unhandled signal kernel messages are very verbose, suggesting
them to be more of a debugging aid:
sigsegv[33]: unhandled level 2 translation fault (11) at 0x00000000, esr
0x92000046, in sigsegv[400000+71000]
CPU: 1 PID: 33 Comm: sigsegv Tainted: G W 4.15.0-rc3+ #3
Hardware name: linux,dummy-virt (DT)
pstate: 60000000 (nZCv daif -PAN -UAO)
pc : 0x4003f4
lr : 0x4006bc
sp : 0000fffffe94a060
x29: 0000fffffe94a070 x28: 0000000000000000
x27: 0000000000000000 x26: 0000000000000000
x25: 0000000000000000 x24: 00000000004001b0
x23: 0000000000486ac8 x22: 00000000004001c8
x21: 0000000000000000 x20: 0000000000400be8
x19: 0000000000400b30 x18: 0000000000484728
x17: 000000000865ffc8 x16: 000000000000270f
x15: 00000000000000b0 x14: 0000000000000002
x13: 0000000000000001 x12: 0000000000000000
x11: 0000000000000000 x10: 0008000020008008
x9 : 000000000000000f x8 : ffffffffffffffff
x7 : 0004000000000000 x6 : ffffffffffffffff
x5 : 0000000000000000 x4 : 0000000000000000
x3 : 00000000004003e4 x2 : 0000fffffe94a1e8
x1 : 000000000000000a x0 : 0000000000000000
Disable them by default, so they can be enabled using
/proc/sys/debug/exception-trace.
Signed-off-by: Michael Weiser <michael.weiser@gmx.de>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/arm64/kernel/traps.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/arm64/kernel/traps.c
+++ b/arch/arm64/kernel/traps.c
@@ -45,7 +45,7 @@ static const char *handler[]= {
"Error"
};
-int show_unhandled_signals = 1;
+int show_unhandled_signals = 0;
static void dump_backtrace_entry(unsigned long where, unsigned long stack)
{
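Review bot: "int show_unhandled_signals = 0;" initialises a global to zero explicitly, which kernel style discourages; "int show_unhandled_signals;" gives the same result. More important for operators, this flips a default: unhandled-signal reports no longer reach the kernel log unless /proc/sys/debug/exception-trace is set, so anyone who watches the log for user-space crashes on arm64 has to enable it. A mention in the sysctl documentation would help.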
* [PATCH 3.16 049/410] x86/cpuid: Fix up "virtual" IBRS/IBPB/STIBP feature bits on Intel
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, bp, David Woodhouse, peterz, Greg Kroah-Hartman,
Thomas Gleixner, karahmed
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: David Woodhouse <dwmw@amazon.co.uk>
commit 7fcae1118f5fd44a862aa5c3525248e35ee67c3b upstream.
Despite the fact that all the other code there seems to be doing it, just
using set_cpu_cap() in early_intel_init() doesn't actually work.
For CPUs with PKU support, setup_pku() calls get_cpu_cap() after
c->c_init() has set those feature bits. That resets those bits back to what
was queried from the hardware.
Turning the bits off for bad microcode is easy to fix. That can just use
setup_clear_cpu_cap() to force them off for all CPUs.
I was less keen on forcing the feature bits *on* that way, just in case
of inconsistencies. I appreciate that the kernel is going to get this
utterly wrong if CPU features are not consistent, because it has already
applied alternatives by the time secondary CPUs are brought up.
But at least if setup_force_cpu_cap() isn't being used, we might have a
chance of *detecting* the lack of the corresponding bit and either
panicking or refusing to bring the offending CPU online.
So ensure that the appropriate feature bits are set within get_cpu_cap()
regardless of how many extra times it's called.
Fixes: 2961298e ("x86/cpufeatures: Clean up Spectre v2 related CPUID flags")
Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: karahmed@amazon.de
Cc: peterz@infradead.org
Cc: bp@alien8.de
Link: https://lkml.kernel.org/r/1517322623-15261-1-git-send-email-dwmw@amazon.co.uk
Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/x86/kernel/cpu/common.c | 21 +++++++++++++++++++++
arch/x86/kernel/cpu/intel.c | 27 ++++++++-------------------
2 files changed, 29 insertions(+), 19 deletions(-)
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -682,6 +682,26 @@ static void apply_forced_caps(struct cpu
}
}
+static void init_speculation_control(struct cpuinfo_x86 *c)
+{
+ /*
+ * The Intel SPEC_CTRL CPUID bit implies IBRS and IBPB support,
+ * and they also have a different bit for STIBP support. Also,
+ * a hypervisor might have set the individual AMD bits even on
+ * Intel CPUs, for finer-grained selection of what's available.
+ *
+ * We use the AMD bits in 0x8000_0008 EBX as the generic hardware
+ * features, which are visible in /proc/cpuinfo and used by the
+ * kernel. So set those accordingly from the Intel bits.
+ */
+ if (cpu_has(c, X86_FEATURE_SPEC_CTRL)) {
+ set_cpu_cap(c, X86_FEATURE_IBRS);
+ set_cpu_cap(c, X86_FEATURE_IBPB);
+ }
+ if (cpu_has(c, X86_FEATURE_INTEL_STIBP))
+ set_cpu_cap(c, X86_FEATURE_STIBP);
+}
+
void get_cpu_cap(struct cpuinfo_x86 *c)
{
u32 tfms, xlvl;
@@ -735,6 +755,7 @@ void get_cpu_cap(struct cpuinfo_x86 *c)
c->x86_power = cpuid_edx(0x80000007);
init_scattered_cpuid_features(c);
+ init_speculation_control(c);
}
static void identify_cpu_without_cpuid(struct cpuinfo_x86 *c)
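Review bot: with init_speculation_control() called at the end of get_cpu_cap(), IBRS, IBPB and STIBP are set again from the raw SPEC_CTRL and INTEL_STIBP bits every time CPUID is re-read, including on CPUs where the bad-microcode path has force-cleared them. They stay cleared only if the forced-cap mask is applied after every get_cpu_cap() call, so please confirm that apply_forced_caps() always runs afterwards, or apply it inside get_cpu_cap() itself.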
--- a/arch/x86/kernel/cpu/intel.c
+++ b/arch/x86/kernel/cpu/intel.c
@@ -105,28 +105,17 @@ static void early_init_intel(struct cpui
rdmsr(MSR_IA32_UCODE_REV, lower_word, c->microcode);
}
- /*
- * The Intel SPEC_CTRL CPUID bit implies IBRS and IBPB support,
- * and they also have a different bit for STIBP support. Also,
- * a hypervisor might have set the individual AMD bits even on
- * Intel CPUs, for finer-grained selection of what's available.
- */
- if (cpu_has(c, X86_FEATURE_SPEC_CTRL)) {
- set_cpu_cap(c, X86_FEATURE_IBRS);
- set_cpu_cap(c, X86_FEATURE_IBPB);
- }
- if (cpu_has(c, X86_FEATURE_INTEL_STIBP))
- set_cpu_cap(c, X86_FEATURE_STIBP);
-
/* Now if any of them are set, check the blacklist and clear the lot */
- if ((cpu_has(c, X86_FEATURE_IBRS) || cpu_has(c, X86_FEATURE_IBPB) ||
+ if ((cpu_has(c, X86_FEATURE_SPEC_CTRL) ||
+ cpu_has(c, X86_FEATURE_INTEL_STIBP) ||
+ cpu_has(c, X86_FEATURE_IBRS) || cpu_has(c, X86_FEATURE_IBPB) ||
cpu_has(c, X86_FEATURE_STIBP)) && bad_spectre_microcode(c)) {
pr_warn("Intel Spectre v2 broken microcode detected; disabling Speculation Control\n");
- clear_cpu_cap(c, X86_FEATURE_IBRS);
- clear_cpu_cap(c, X86_FEATURE_IBPB);
- clear_cpu_cap(c, X86_FEATURE_STIBP);
- clear_cpu_cap(c, X86_FEATURE_SPEC_CTRL);
- clear_cpu_cap(c, X86_FEATURE_INTEL_STIBP);
+ setup_clear_cpu_cap(X86_FEATURE_IBRS);
+ setup_clear_cpu_cap(X86_FEATURE_IBPB);
+ setup_clear_cpu_cap(X86_FEATURE_STIBP);
+ setup_clear_cpu_cap(X86_FEATURE_SPEC_CTRL);
+ setup_clear_cpu_cap(X86_FEATURE_INTEL_STIBP);
}
/*
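Review bot: from these lines the blacklist branch no longer clears the five bits in `c` itself; it relies on setup_clear_cpu_cap() and on the cleared mask being applied to this CPU later. If anything further down early_init_intel() tests these features on `c` before that happens it would still see them set, so either keep the clear_cpu_cap(c, ...) calls alongside the new ones or add a comment saying why they are not needed.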
* [PATCH 3.16 154/410] USB: serial: add Medtronic CareLink USB driver
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Benjamin West, Johan Hovold
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan@kernel.org>
commit cff9c2339a6d5105d7f6b1f9a96dd1d239cc76ac upstream.
Add simple driver for Medtronic CareLink USB devices.
Reported-by: Benjamin West <bewest@gmail.com>
Tested-by: Benjamin West <bewest@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/serial/Kconfig | 1 +
drivers/usb/serial/usb-serial-simple.c | 7 +++++++
2 files changed, 8 insertions(+)
--- a/drivers/usb/serial/Kconfig
+++ b/drivers/usb/serial/Kconfig
@@ -58,6 +58,7 @@ config USB_SERIAL_SIMPLE
handles a wide range of very simple devices, all in one
driver. Specifically, it supports:
- Suunto ANT+ USB device.
+ - Medtronic CareLink USB device
- Fundamental Software dongle.
- Google USB serial devices
- HP4x calculators
--- a/drivers/usb/serial/usb-serial-simple.c
+++ b/drivers/usb/serial/usb-serial-simple.c
@@ -36,6 +36,11 @@ static struct usb_serial_driver vendor##
#define DEVICE(vendor, IDS) DEVICE_N(vendor, IDS, 1)
+/* Medtronic CareLink USB driver */
+#define CARELINK_IDS() \
+ { USB_DEVICE(0x0a21, 0x8001) } /* MMT-7305WW */
+DEVICE(carelink, CARELINK_IDS);
+
/* ZIO Motherboard USB driver */
#define ZIO_IDS() \
{ USB_DEVICE(0x1CBE, 0x0103) }
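Review bot: CARELINK_IDS is registered through DEVICE(), which the context line shows expands to DEVICE_N(vendor, IDS, 1), so the driver claims exactly one port. The commit message says nothing about the device's endpoints; a short note confirming that the MMT-7305WW exposes a single port would justify the choice. Minor: the IDs are written in lower-case hex (0x0a21) while the ZIO entry below uses upper case (0x1CBE).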
@@ -98,6 +103,7 @@ DEVICE(siemens_mpi, SIEMENS_IDS);
/* All of the above structures mushed into two lists */
static struct usb_serial_driver * const serial_drivers[] = {
+ &carelink_device,
&zio_device,
&funsoft_device,
&flashloader_device,
@@ -112,6 +118,7 @@ static struct usb_serial_driver * const
};
static const struct usb_device_id id_table[] = {
+ CARELINK_IDS(),
ZIO_IDS(),
FUNSOFT_IDS(),
FLASHLOADER_IDS(),
* [PATCH 3.16 052/410] KVM: nVMX: Eliminate vmcs02 pool
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, David Woodhouse, Ameya More, Jim Mattson, Mark Kanda,
Paolo Bonzini, Greg Kroah-Hartman, Radim Krčmář,
David Hildenbrand
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jim Mattson <jmattson@google.com>
commit de3a0021a60635de96aa92713c1a31a96747d72c upstream.
The potential performance advantages of a vmcs02 pool have never been
realized. To simplify the code, eliminate the pool. Instead, a single
vmcs02 is allocated per VCPU when the VCPU enters VMX operation.
Signed-off-by: Jim Mattson <jmattson@google.com>
Signed-off-by: Mark Kanda <mark.kanda@oracle.com>
Reviewed-by: Ameya More <ameya.more@oracle.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16:
- No loaded_vmcs::shadow_vmcs field to initialise
- Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -138,7 +138,6 @@ module_param(ple_window, int, S_IRUGO);
extern const ulong vmx_return;
#define NR_AUTOLOAD_MSRS 8
-#define VMCS02_POOL_SIZE 1
struct vmcs {
u32 revision_id;
@@ -171,7 +170,7 @@ struct shared_msr_entry {
* stored in guest memory specified by VMPTRLD, but is opaque to the guest,
* which must access it using VMREAD/VMWRITE/VMCLEAR instructions.
* More than one of these structures may exist, if L1 runs multiple L2 guests.
- * nested_vmx_run() will use the data here to build a vmcs02: a VMCS for the
+ * nested_vmx_run() will use the data here to build the vmcs02: a VMCS for the
* underlying hardware which will be used to run L2.
* This structure is packed to ensure that its layout is identical across
* machines (necessary for live migration).
@@ -342,13 +341,6 @@ struct __packed vmcs12 {
*/
#define VMCS12_SIZE 0x1000
-/* Used to remember the last vmcs02 used for some recently used vmcs12s */
-struct vmcs02_list {
- struct list_head list;
- gpa_t vmptr;
- struct loaded_vmcs vmcs02;
-};
-
/*
* The nested_vmx structure is part of vcpu_vmx, and holds information we need
* for correct emulation of VMX (i.e., nested VMX) on this vcpu.
@@ -370,16 +362,16 @@ struct nested_vmx {
*/
bool sync_shadow_vmcs;
- /* vmcs02_list cache of VMCSs recently used to run L2 guests */
- struct list_head vmcs02_pool;
- int vmcs02_num;
u64 vmcs01_tsc_offset;
bool change_vmcs01_virtual_x2apic_mode;
/* L2 must run next, and mustn't decide to exit to L1. */
bool nested_run_pending;
+
+ struct loaded_vmcs vmcs02;
+
/*
- * Guest pages referred to in vmcs02 with host-physical pointers, so
- * we must keep them pinned while L2 runs.
+ * Guest pages referred to in the vmcs02 with host-physical
+ * pointers, so we must keep them pinned while L2 runs.
*/
struct page *apic_access_page;
u64 msr_ia32_feature_control;
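Review bot: the new member "struct loaded_vmcs vmcs02;" is added without a comment, while the fields it replaces had one. Since a single vmcs02 is now reused for every vmcs12 that L1 loads on this vCPU, please document here that none of its contents may be assumed valid for the next vmcs12, so the code that builds it has to rewrite every field that can differ between L2 guests.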
@@ -5751,93 +5743,6 @@ static int handle_monitor(struct kvm_vcp
}
/*
- * To run an L2 guest, we need a vmcs02 based on the L1-specified vmcs12.
- * We could reuse a single VMCS for all the L2 guests, but we also want the
- * option to allocate a separate vmcs02 for each separate loaded vmcs12 - this
- * allows keeping them loaded on the processor, and in the future will allow
- * optimizations where prepare_vmcs02 doesn't need to set all the fields on
- * every entry if they never change.
- * So we keep, in vmx->nested.vmcs02_pool, a cache of size VMCS02_POOL_SIZE
- * (>=0) with a vmcs02 for each recently loaded vmcs12s, most recent first.
- *
- * The following functions allocate and free a vmcs02 in this pool.
- */
-
-/* Get a VMCS from the pool to use as vmcs02 for the current vmcs12. */
-static struct loaded_vmcs *nested_get_current_vmcs02(struct vcpu_vmx *vmx)
-{
- struct vmcs02_list *item;
- list_for_each_entry(item, &vmx->nested.vmcs02_pool, list)
- if (item->vmptr == vmx->nested.current_vmptr) {
- list_move(&item->list, &vmx->nested.vmcs02_pool);
- return &item->vmcs02;
- }
-
- if (vmx->nested.vmcs02_num >= max(VMCS02_POOL_SIZE, 1)) {
- /* Recycle the least recently used VMCS. */
- item = list_entry(vmx->nested.vmcs02_pool.prev,
- struct vmcs02_list, list);
- item->vmptr = vmx->nested.current_vmptr;
- list_move(&item->list, &vmx->nested.vmcs02_pool);
- return &item->vmcs02;
- }
-
- /* Create a new VMCS */
- item = kmalloc(sizeof(struct vmcs02_list), GFP_KERNEL);
- if (!item)
- return NULL;
- item->vmcs02.vmcs = alloc_vmcs();
- if (!item->vmcs02.vmcs) {
- kfree(item);
- return NULL;
- }
- loaded_vmcs_init(&item->vmcs02);
- item->vmptr = vmx->nested.current_vmptr;
- list_add(&(item->list), &(vmx->nested.vmcs02_pool));
- vmx->nested.vmcs02_num++;
- return &item->vmcs02;
-}
-
-/* Free and remove from pool a vmcs02 saved for a vmcs12 (if there is one) */
-static void nested_free_vmcs02(struct vcpu_vmx *vmx, gpa_t vmptr)
-{
- struct vmcs02_list *item;
- list_for_each_entry(item, &vmx->nested.vmcs02_pool, list)
- if (item->vmptr == vmptr) {
- free_loaded_vmcs(&item->vmcs02);
- list_del(&item->list);
- kfree(item);
- vmx->nested.vmcs02_num--;
- return;
- }
-}
-
-/*
- * Free all VMCSs saved for this vcpu, except the one pointed by
- * vmx->loaded_vmcs. We must be running L1, so vmx->loaded_vmcs
- * must be &vmx->vmcs01.
- */
-static void nested_free_all_saved_vmcss(struct vcpu_vmx *vmx)
-{
- struct vmcs02_list *item, *n;
-
- WARN_ON(vmx->loaded_vmcs != &vmx->vmcs01);
- list_for_each_entry_safe(item, n, &vmx->nested.vmcs02_pool, list) {
- /*
- * Something will leak if the above WARN triggers. Better than
- * a use-after-free.
- */
- if (vmx->loaded_vmcs == &item->vmcs02)
- continue;
-
- free_loaded_vmcs(&item->vmcs02);
- list_del(&item->list);
- kfree(item);
- vmx->nested.vmcs02_num--;
- }
-}
-
-/*
* The following 3 functions, nested_vmx_succeed()/failValid()/failInvalid(),
* set the success or error code of an emulated VMX instruction, as specified
* by Vol 2B, VMX Instruction Reference, "Conventions".
@@ -6099,10 +6004,17 @@ static int handle_vmon(struct kvm_vcpu *
return 1;
}
+ vmx->nested.vmcs02.vmcs = alloc_vmcs();
+ if (!vmx->nested.vmcs02.vmcs)
+ return -ENOMEM;
+ loaded_vmcs_init(&vmx->nested.vmcs02);
+
if (enable_shadow_vmcs) {
shadow_vmcs = alloc_vmcs();
- if (!shadow_vmcs)
+ if (!shadow_vmcs) {
+ free_loaded_vmcs(&vmx->nested.vmcs02);
return -ENOMEM;
+ }
/* mark vmcs as shadow */
shadow_vmcs->revision_id |= (1u << 31);
/* init shadow vmcs */
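Review bot: on the shadow_vmcs failure path the new code calls free_loaded_vmcs(&vmx->nested.vmcs02) and returns, which avoids the leak, but it leaves it to free_loaded_vmcs() whether vmcs02.vmcs is reset to NULL. Because free_nested() now frees the same member unconditionally, please confirm that a failed VMXON can never be followed by free_nested() on this vCPU, or clear the pointer here.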
@@ -6110,9 +6022,6 @@ static int handle_vmon(struct kvm_vcpu *
vmx->nested.current_shadow_vmcs = shadow_vmcs;
}
- INIT_LIST_HEAD(&(vmx->nested.vmcs02_pool));
- vmx->nested.vmcs02_num = 0;
-
hrtimer_init(&vmx->nested.preemption_timer, CLOCK_MONOTONIC,
HRTIMER_MODE_REL);
vmx->nested.preemption_timer.function = vmx_preemption_timer_fn;
@@ -6189,13 +6098,13 @@ static void free_nested(struct vcpu_vmx
}
if (enable_shadow_vmcs)
free_vmcs(vmx->nested.current_shadow_vmcs);
- /* Unpin physical memory we referred to in current vmcs02 */
+ /* Unpin physical memory we referred to in the vmcs02 */
if (vmx->nested.apic_access_page) {
nested_release_page(vmx->nested.apic_access_page);
vmx->nested.apic_access_page = 0;
}
- nested_free_all_saved_vmcss(vmx);
+ free_loaded_vmcs(&vmx->nested.vmcs02);
}
/* Emulate the VMXOFF instruction */
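Review bot: free_loaded_vmcs(&vmx->nested.vmcs02) replaces nested_free_all_saved_vmcss(), and with it the WARN_ON(vmx->loaded_vmcs != &vmx->vmcs01) and the skip that the removed comment described as "Better than a use-after-free" are gone. If free_nested() can be reached while vmx->loaded_vmcs still points at the vmcs02, this now frees the VMCS that is in use; please keep the WARN_ON, or switch back to vmcs01 before freeing.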
@@ -6246,8 +6155,6 @@ static int handle_vmclear(struct kvm_vcp
kunmap(page);
nested_release_page(page);
- nested_free_vmcs02(vmx, vmptr);
-
skip_emulated_instruction(vcpu);
nested_vmx_succeed(vcpu);
return 1;
@@ -6921,10 +6828,11 @@ static bool nested_vmx_exit_handled(stru
/*
* The host physical addresses of some pages of guest memory
- * are loaded into VMCS02 (e.g. L1's Virtual APIC Page). The CPU
- * may write to these pages via their host physical address while
- * L2 is running, bypassing any address-translation-based dirty
- * tracking (e.g. EPT write protection).
+ * are loaded into the vmcs02 (e.g. vmcs12's Virtual APIC
+ * Page). The CPU may write to these pages via their host
+ * physical address while L2 is running, bypassing any
+ * address-translation-based dirty tracking (e.g. EPT write
+ * protection).
*
* Mark them dirty on every exit from L2 to prevent them from
* getting out of sync with dirty tracking.
@@ -8235,7 +8143,6 @@ static int nested_vmx_run(struct kvm_vcp
struct vmcs12 *vmcs12;
struct vcpu_vmx *vmx = to_vmx(vcpu);
int cpu;
- struct loaded_vmcs *vmcs02;
bool ia32e;
if (!nested_vmx_check_permission(vcpu) ||
@@ -8372,16 +8279,12 @@ static int nested_vmx_run(struct kvm_vcp
* the nested entry.
*/
- vmcs02 = nested_get_current_vmcs02(vmx);
- if (!vmcs02)
- return -ENOMEM;
-
enter_guest_mode(vcpu);
vmx->nested.vmcs01_tsc_offset = vmcs_read64(TSC_OFFSET);
cpu = get_cpu();
- vmx->loaded_vmcs = vmcs02;
+ vmx->loaded_vmcs = &vmx->nested.vmcs02;
vmx_vcpu_put(vcpu);
vmx_vcpu_load(vcpu, cpu);
vcpu->cpu = cpu;
@@ -8861,10 +8764,6 @@ static void nested_vmx_vmexit(struct kvm
vm_exit_controls_init(vmx, vmcs_read32(VM_EXIT_CONTROLS));
vmx_segment_cache_clear(vmx);
- /* if no vmcs02 cache requested, remove the one we used */
- if (VMCS02_POOL_SIZE == 0)
- nested_free_vmcs02(vmx, vmx->nested.current_vmptr);
-
load_vmcs12_host_state(vcpu, vmcs12);
/* Update TSC_OFFSET if TSC was changed while L2 ran */
* [PATCH 3.16 304/410] cpufreq: s3c24xx: Fix broken s3c_cpufreq_init()
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Rafael J. Wysocki, Viresh Kumar
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Viresh Kumar <viresh.kumar@linaro.org>
commit 0373ca74831b0f93cd4cdbf7ad3aec3c33a479a5 upstream.
commit a307a1e6bc0d "cpufreq: s3c: use cpufreq_generic_init()"
accidentally broke cpufreq on s3c2410 and s3c2412.
These two platforms don't have a CPU frequency table and used to skip
calling cpufreq_table_validate_and_show() for them. But with the
above commit, we started calling it unconditionally and that will
eventually fail as the frequency table pointer is NULL.
Fix this by calling cpufreq_table_validate_and_show() conditionally
again.
Fixes: a307a1e6bc0d "cpufreq: s3c: use cpufreq_generic_init()"
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/cpufreq/s3c24xx-cpufreq.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/drivers/cpufreq/s3c24xx-cpufreq.c
+++ b/drivers/cpufreq/s3c24xx-cpufreq.c
@@ -370,7 +370,13 @@ struct clk *s3c_cpufreq_clk_get(struct d
static int s3c_cpufreq_init(struct cpufreq_policy *policy)
{
policy->clk = clk_arm;
- return cpufreq_generic_init(policy, ftab, cpu_cur.info->latency);
+
+ policy->cpuinfo.transition_latency = cpu_cur.info->latency;
+
+ if (ftab)
+ return cpufreq_table_validate_and_show(policy, ftab);
+
+ return 0;
}
static int __init s3c_cpufreq_initclks(void)
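Review bot: the new "if (ftab)" test in s3c_cpufreq_init() has no comment saying when the table is absent, so a later cleanup can fold it back into an unconditional call just as a307a1e6bc0d did. Add a one-line comment above it naming s3c2410 and s3c2412 as the platforms without a frequency table. The open-coded body also keeps only the transition_latency assignment in place of the cpufreq_generic_init() call; if that helper set up anything else on the policy, the hunk drops it for every s3c24xx platform, and the changelog should say whether that is intended.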
* [PATCH 3.16 230/410] xfrm_user: uncoditionally validate esn replay attribute struct
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Florian Westphal, Mathias Krause, Steffen Klassert,
syzbot+0ab777c27d2bb7588f73
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
commit d97ca5d714a5334aecadadf696875da40f1fbf3e upstream.
The sanity test added in ecd7918745234 can be bypassed, validation
only occurs if XFRM_STATE_ESN flag is set, but rest of code doesn't care
and just checks if the attribute itself is present.
So always validate. Alternative is to reject if we have the attribute
without the flag but that would change abi.
Reported-by: syzbot+0ab777c27d2bb7588f73@syzkaller.appspotmail.com
Cc: Mathias Krause <minipli@googlemail.com>
Fixes: ecd7918745234 ("xfrm_user: ensure user supplied esn replay window is valid")
Fixes: d8647b79c3b7e ("xfrm: Add user interface for esn and big anti-replay windows")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/xfrm/xfrm_user.c | 21 ++++++++-------------
1 file changed, 8 insertions(+), 13 deletions(-)
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -120,22 +120,17 @@ static inline int verify_replay(struct x
struct nlattr *rt = attrs[XFRMA_REPLAY_ESN_VAL];
struct xfrm_replay_state_esn *rs;
- if (p->flags & XFRM_STATE_ESN) {
- if (!rt)
- return -EINVAL;
-
- rs = nla_data(rt);
+ if (!rt)
+ return (p->flags & XFRM_STATE_ESN) ? -EINVAL : 0;
- if (rs->bmp_len > XFRMA_REPLAY_ESN_MAX / sizeof(rs->bmp[0]) / 8)
- return -EINVAL;
+ rs = nla_data(rt);
- if (nla_len(rt) < xfrm_replay_state_esn_len(rs) &&
- nla_len(rt) != sizeof(*rs))
- return -EINVAL;
- }
+ if (rs->bmp_len > XFRMA_REPLAY_ESN_MAX / sizeof(rs->bmp[0]) / 8)
+ return -EINVAL;
- if (!rt)
- return 0;
+ if (nla_len(rt) < xfrm_replay_state_esn_len(rs) &&
+ nla_len(rt) != sizeof(*rs))
+ return -EINVAL;
/* As only ESP and AH support ESN feature. */
if ((p->id.proto != IPPROTO_ESP) && (p->id.proto != IPPROTO_AH))
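Review bot: rs->bmp_len is read in the bmp_len test before anything in verify_replay() has compared nla_len(rt) with sizeof(*rs), so the function depends on the netlink attribute policy to guarantee that the attribute is at least that long. A comment saying so, or an explicit rejection of nla_len(rt) < sizeof(*rs) ahead of the nla_data() use, would make the validation self-contained. The second test also still accepts nla_len(rt) == sizeof(*rs) whatever bmp_len claims; the patch does not change that, but now that the checks run for every request carrying the attribute, the reason for the exception should be documented next to it.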
* [PATCH 3.16 227/410] bridge: check brport attr show in brport_show
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Xin Long, Xiong Zhou, David S. Miller
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Xin Long <lucien.xin@gmail.com>
commit 1b12580af1d0677c3c3a19e35bfe5d59b03f737f upstream.
Now br_sysfs_if file flush doesn't have attr show. Reading it will
cause a kernel panic after users chmod u+r this file.
Xiong found this issue when running the commands:
ip link add br0 type bridge
ip link add type veth
ip link set veth0 master br0
chmod u+r /sys/devices/virtual/net/veth0/brport/flush
timeout 3 cat /sys/devices/virtual/net/veth0/brport/flush
kernel crashed with a NULL pointer dereference call trace.
This patch is to fix it by returning -EINVAL when brport_attr->show
is null, just the same as the check for brport_attr->store in
brport_store().
Fixes: 9cf637473c85 ("bridge: add sysfs hook to flush forwarding table")
Reported-by: Xiong Zhou <xzhou@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/bridge/br_sysfs_if.c | 3 +++
1 file changed, 3 insertions(+)
--- a/net/bridge/br_sysfs_if.c
+++ b/net/bridge/br_sysfs_if.c
@@ -225,6 +225,9 @@ static ssize_t brport_show(struct kobjec
struct brport_attribute *brport_attr = to_brport_attr(attr);
struct net_bridge_port *p = to_brport(kobj);
+ if (!brport_attr->show)
+ return -EINVAL;
+
return brport_attr->show(p, buf);
}
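Review bot: the added "if (!brport_attr->show)" test in brport_show() needs a comment saying that write-only attributes such as flush leave ->show NULL and that the file mode alone does not prevent reads, since the owner can chmod the file. Returning -EINVAL matches what the changelog says brport_store() does, while -EIO is the more usual sysfs answer for a missing method; pick one deliberately and use it in both functions.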
* [PATCH 3.16 140/410] mtd: ubi: wl: Fix error return code in ubi_wl_init()
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Wei Yongjun, Richard Weinberger, Boris Brezillon
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Wei Yongjun <weiyongjun1@huawei.com>
commit 7233982ade15eeac05c6f351e8d347406e6bcd2f upstream.
Fix to return error code -ENOMEM from the kmem_cache_alloc() error
handling case instead of 0, as done elsewhere in this function.
Fixes: f78e5623f45b ("ubi: fastmap: Erase outdated anchor PEBs during
attach")
Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
Reviewed-by: Boris Brezillon <boris.brezillon@free-electrons.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/mtd/ubi/wl.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
--- a/drivers/mtd/ubi/wl.c
+++ b/drivers/mtd/ubi/wl.c
@@ -1925,8 +1925,10 @@ int ubi_wl_init(struct ubi_device *ubi,
cond_resched();
e = kmem_cache_alloc(ubi_wl_entry_slab, GFP_KERNEL);
- if (!e)
+ if (!e) {
+ err = -ENOMEM;
goto out_free;
+ }
e->pnum = aeb->pnum;
e->ec = aeb->ec;
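Review bot: err is assigned only inside the new "if (!e)" block, and the identical three lines are added again in the next hunk, so ubi_wl_init() now has two allocation sites that each have to remember to set the code before "goto out_free". A shared label that sets err = -ENOMEM and falls through to out_free would keep a future allocation site in this function from returning 0 on failure again.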
@@ -1966,8 +1968,10 @@ int ubi_wl_init(struct ubi_device *ubi,
cond_resched();
e = kmem_cache_alloc(ubi_wl_entry_slab, GFP_KERNEL);
- if (!e)
+ if (!e) {
+ err = -ENOMEM;
goto out_free;
+ }
e->pnum = aeb->pnum;
e->ec = aeb->ec;
* [PATCH 3.16 326/410] uas: fix comparison for error code
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Oliver Neukum, Greg Kroah-Hartman, Hans de Goede
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Oliver Neukum <oneukum@suse.com>
commit 9a513c905bb95bef79d96feb08621c1ec8d8c4bb upstream.
A typo broke the comparison.
Fixes: cbeef22fd611 ("usb: uas: unconditionally bring back host after reset")
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Acked-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/storage/uas.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/usb/storage/uas.c
+++ b/drivers/usb/storage/uas.c
@@ -1195,7 +1195,7 @@ static int uas_post_reset(struct usb_int
return 0;
err = uas_configure_endpoints(devinfo);
- if (err && err != ENODEV)
+ if (err && err != -ENODEV)
shost_printk(KERN_ERR, shost,
"%s: alloc streams error %d after reset",
__func__, err);
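Review bot: the corrected test "err != -ENODEV" in uas_post_reset() skips the log for one error code and nothing in the hunk says why; add a comment stating that -ENODEV is the expected result here and does not need reporting. The original defect was a positive errno constant compared with a negative return value, which compiles without a warning, so the rest of uas.c should be checked for the same pattern while this is being backported.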
* [PATCH 3.16 135/410] uas: Log error codes when logging errors
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Greg Kroah-Hartman, Hans de Goede
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Hans de Goede <hdegoede@redhat.com>
commit ce39fe6fa115d9fea0112c907773a400b98d2463 upstream.
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/usb/storage/uas.c | 17 ++++++++++++-----
1 file changed, 12 insertions(+), 5 deletions(-)
--- a/drivers/usb/storage/uas.c
+++ b/drivers/usb/storage/uas.c
@@ -928,7 +928,8 @@ static int uas_eh_bus_reset_handler(stru
usb_unlock_device(udev);
if (err) {
- shost_printk(KERN_INFO, sdev->host, "%s FAILED\n", __func__);
+ shost_printk(KERN_INFO, sdev->host, "%s FAILED err %d\n",
+ __func__, err);
return FAILED;
}
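Review bot: the message in uas_eh_bus_reset_handler() now carries the error code but is still logged at KERN_INFO, while the two "alloc streams error" messages later in this patch use KERN_ERR; a bus reset that ends in "return FAILED" should be logged at the same level. The changelog also has no body, and one sentence on why the codes are wanted would help stable reviewers.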
@@ -1188,13 +1189,16 @@ static int uas_post_reset(struct usb_int
struct Scsi_Host *shost = usb_get_intfdata(intf);
struct uas_dev_info *devinfo = (struct uas_dev_info *)shost->hostdata;
unsigned long flags;
+ int err;
if (devinfo->shutdown)
return 0;
- if (uas_configure_endpoints(devinfo) != 0) {
+ err = uas_configure_endpoints(devinfo);
+ if (err) {
shost_printk(KERN_ERR, shost,
- "%s: alloc streams error after reset", __func__);
+ "%s: alloc streams error %d after reset",
+ __func__, err);
return 1;
}
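Review bot: the new format string "%s: alloc streams error %d after reset" in uas_post_reset() has no trailing "\n", unlike the "%s FAILED err %d\n" string in the first hunk, so the record can run into whatever is printed next. Add the newline here and in the identical string in uas_reset_resume() in the following hunk.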
@@ -1232,10 +1236,13 @@ static int uas_reset_resume(struct usb_i
struct Scsi_Host *shost = usb_get_intfdata(intf);
struct uas_dev_info *devinfo = (struct uas_dev_info *)shost->hostdata;
unsigned long flags;
+ int err;
- if (uas_configure_endpoints(devinfo) != 0) {
+ err = uas_configure_endpoints(devinfo);
+ if (err) {
shost_printk(KERN_ERR, shost,
- "%s: alloc streams error after reset", __func__);
+ "%s: alloc streams error %d after reset",
+ __func__, err);
return -EIO;
}
* [PATCH 3.16 354/410] aio: change exit_aio() to load mm->ioctx_table once and avoid rcu_read_lock()
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Oleg Nesterov, Benjamin LaHaise
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Oleg Nesterov <oleg@redhat.com>
commit 4b70ac5fd9b58bfaa5f25b4ea48f528aefbf3308 upstream.
On 04/30, Benjamin LaHaise wrote:
>
> > - ctx->mmap_size = 0;
> > -
> > - kill_ioctx(mm, ctx, NULL);
> > + if (ctx) {
> > + ctx->mmap_size = 0;
> > + kill_ioctx(mm, ctx, NULL);
> > + }
>
> Rather than indenting and moving the two lines changing mmap_size and the
> kill_ioctx() call, why not just do "if (!ctx) ... continue;"? That reduces
> the number of lines changed and avoid excessive indentation.
OK. To me the code looks better/simpler with "if (ctx)", but this is subjective
of course, I won't argue.
The patch still removes the empty line between mmap_size = 0 and kill_ioctx(),
we reset mmap_size only for kill_ioctx(). But feel free to remove this change.
-------------------------------------------------------------------------------
Subject: [PATCH v3 1/2] aio: change exit_aio() to load mm->ioctx_table once and avoid rcu_read_lock()
1. We can read ->ioctx_table only once and we do not read rcu_read_lock()
or even rcu_dereference().
This mm has no users, nobody else can play with ->ioctx_table. Otherwise
the code is buggy anyway, if we need rcu_read_lock() in a loop because
->ioctx_table can be updated then kfree(table) is obviously wrong.
2. Update the comment. "exit_mmap(mm) is coming" is the good reason to avoid
munmap(), but another reason is that we simply can't do vm_munmap() unless
current->mm == mm and this is not true in general, the caller is mmput().
3. We do not really need to nullify mm->ioctx_table before return, probably
the current code does this to catch the potential problems. But in this
case RCU_INIT_POINTER(NULL) looks better.
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Benjamin LaHaise <bcrl@kvack.org>
[bwh: Backported to 3.16: Adjust context to apply after backport of commit
6098b45b32e6 "aio: block exit_aio() until all context requests are completed"]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/fs/aio.c
+++ b/fs/aio.c
@@ -803,46 +803,35 @@ EXPORT_SYMBOL(wait_on_sync_kiocb);
*/
void exit_aio(struct mm_struct *mm)
{
- struct kioctx_table *table;
- struct kioctx *ctx;
- unsigned i = 0;
+ struct kioctx_table *table = rcu_dereference_raw(mm->ioctx_table);
+ int i;
- while (1) {
+ if (!table)
+ return;
+
+ for (i = 0; i < table->nr; ++i) {
+ struct kioctx *ctx = table->table[i];
struct completion requests_done =
COMPLETION_INITIALIZER_ONSTACK(requests_done);
- rcu_read_lock();
- table = rcu_dereference(mm->ioctx_table);
-
- do {
- if (!table || i >= table->nr) {
- rcu_read_unlock();
- rcu_assign_pointer(mm->ioctx_table, NULL);
- if (table)
- kfree(table);
- return;
- }
-
- ctx = table->table[i++];
- } while (!ctx);
-
- rcu_read_unlock();
-
+ if (!ctx)
+ continue;
/*
- * We don't need to bother with munmap() here -
- * exit_mmap(mm) is coming and it'll unmap everything.
- * Since aio_free_ring() uses non-zero ->mmap_size
- * as indicator that it needs to unmap the area,
- * just set it to 0; aio_free_ring() is the only
- * place that uses ->mmap_size, so it's safe.
+ * We don't need to bother with munmap() here - exit_mmap(mm)
+ * is coming and it'll unmap everything. And we simply can't,
+ * this is not necessarily our ->mm.
+ * Since kill_ioctx() uses non-zero ->mmap_size as indicator
+ * that it needs to unmap the area, just set it to 0.
*/
ctx->mmap_size = 0;
-
kill_ioctx(mm, ctx, &requests_done);
/* Wait until all IO for the context are done. */
wait_for_completion(&requests_done);
}
+
+ RCU_INIT_POINTER(mm->ioctx_table, NULL);
+ kfree(table);
}
static void put_reqs_available(struct kioctx *ctx, unsigned nr)
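Review bot: the loop index in exit_aio() changes from "unsigned i" to "int i" while still being compared with table->nr; keep it unsigned as before unless table->nr is a signed type, so the comparison does not mix signedness. The rcu_dereference_raw() on the first added line also needs a comment in the code, not only in the changelog, stating that this mm has no remaining users and ->ioctx_table cannot change under the loop, because that assumption is what makes dropping rcu_read_lock() and the final kfree(table) safe.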
* [PATCH 3.16 403/410] ALSA: pcm: potential uninitialized return values
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Takashi Iwai, Dan Carpenter
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@oracle.com>
commit 5607dddbfca774fb38bffadcb077fe03aa4ac5c6 upstream.
Smatch complains that "tmp" can be uninitialized if we do a zero size
write.
Fixes: 02a5d6925cd3 ("ALSA: pcm: Avoid potential races between OSS ioctls and read/write")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
sound/core/oss/pcm_oss.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/sound/core/oss/pcm_oss.c
+++ b/sound/core/oss/pcm_oss.c
@@ -1362,7 +1362,7 @@ static ssize_t snd_pcm_oss_write2(struct
static ssize_t snd_pcm_oss_write1(struct snd_pcm_substream *substream, const char __user *buf, size_t bytes)
{
size_t xfer = 0;
- ssize_t tmp;
+ ssize_t tmp = 0;
struct snd_pcm_runtime *runtime = substream->runtime;
if (atomic_read(&substream->mmap_count))
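Review bot: initialising tmp at its declaration in snd_pcm_oss_write1() quiets the Smatch warning but leaves the zero-size case implicit, since nothing at "ssize_t tmp = 0;" says that 0 is the intended result of a zero-size write. Add a short comment on that line, or return early when bytes is 0, and treat snd_pcm_oss_read1() in the next hunk the same way.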
@@ -1469,7 +1469,7 @@ static ssize_t snd_pcm_oss_read2(struct
static ssize_t snd_pcm_oss_read1(struct snd_pcm_substream *substream, char __user *buf, size_t bytes)
{
size_t xfer = 0;
- ssize_t tmp;
+ ssize_t tmp = 0;
struct snd_pcm_runtime *runtime = substream->runtime;
if (atomic_read(&substream->mmap_count))
* [PATCH 3.16 161/410] s390: fix handling of -1 in set{,fs}[gu]id16 syscalls
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Martin Schwidefsky, Heiko Carstens, Eugene Syromiatnikov
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eugene Syromiatnikov <esyr@redhat.com>
commit 6dd0d2d22aa363fec075cb2577ba273ac8462e94 upstream.
For some reason, the implementation of some 16-bit ID system calls
(namely, setuid16/setgid16 and setfsuid16/setfsgid16) used type cast
instead of low2highgid/low2highuid macros for converting [GU]IDs, which
led to incorrect handling of value of -1 (which ought to be considered
invalid).
Discovered by strace test suite.
Signed-off-by: Eugene Syromiatnikov <esyr@redhat.com>
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/s390/kernel/compat_linux.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/arch/s390/kernel/compat_linux.c
+++ b/arch/s390/kernel/compat_linux.c
@@ -110,7 +110,7 @@ COMPAT_SYSCALL_DEFINE2(s390_setregid16,
COMPAT_SYSCALL_DEFINE1(s390_setgid16, u16, gid)
{
- return sys_setgid((gid_t)gid);
+ return sys_setgid(low2highgid(gid));
}
COMPAT_SYSCALL_DEFINE2(s390_setreuid16, u16, ruid, u16, euid)
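Review bot: nothing at the low2highgid() call in s390_setgid16() says why a plain cast is wrong, which is how the cast got there in the first place; add a comment that a 16-bit 0xffff is the caller's -1 and must be widened to (gid_t)-1 rather than to 65535. The context lines show s390_setregid16, s390_setreuid16 and s390_setresuid16 next to the changed wrappers but not their bodies, so the changelog should state that every other 16-bit ID wrapper in compat_linux.c was checked for the same cast.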
@@ -120,7 +120,7 @@ COMPAT_SYSCALL_DEFINE2(s390_setreuid16,
COMPAT_SYSCALL_DEFINE1(s390_setuid16, u16, uid)
{
- return sys_setuid((uid_t)uid);
+ return sys_setuid(low2highuid(uid));
}
COMPAT_SYSCALL_DEFINE3(s390_setresuid16, u16, ruid, u16, euid, u16, suid)
@@ -173,12 +173,12 @@ COMPAT_SYSCALL_DEFINE3(s390_getresgid16,
COMPAT_SYSCALL_DEFINE1(s390_setfsuid16, u16, uid)
{
- return sys_setfsuid((uid_t)uid);
+ return sys_setfsuid(low2highuid(uid));
}
COMPAT_SYSCALL_DEFINE1(s390_setfsgid16, u16, gid)
{
- return sys_setfsgid((gid_t)gid);
+ return sys_setfsgid(low2highgid(gid));
}
static int groups16_to_user(u16 __user *grouplist, struct group_info *group_info)
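The difference between the cast and the low2highuid()/low2highgid() conversion described in the s390 changelog above, shown as an added user-space model that is not part of the patch or of the kernel. The type names, struct cred_model and the model_* functions are simplifications assumed for the illustration.

```c
/* Added illustration: user-space model of 16-bit ID widening, not kernel code. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

typedef uint16_t id16_t;              /* stands in for the 16-bit old_uid_t */
typedef uint32_t id32_t;              /* stands in for the 32-bit uid_t */
#define INVALID_ID32 ((id32_t)-1)     /* the -1 that the 32-bit calls treat as invalid */

/* Widening as the old wrappers did it: 0xffff becomes the ordinary ID 65535. */
static id32_t widen_cast(id16_t id)
{
    return (id32_t)id;
}

/* Widening by the rule of low2highuid(): a 16-bit -1 stays -1. */
static id32_t widen_low2high(id16_t id)
{
    return id == (id16_t)-1 ? INVALID_ID32 : (id32_t)id;
}

typedef id32_t (*widen_fn)(id16_t);

/* Constructed, simplified credentials of the calling task (assumption). */
struct cred_model {
    id32_t uid;
    id32_t fsuid;
    int privileged;
};

/* Simplified setuid(): an invalid ID is an error, otherwise check rights. */
static long model_setuid(struct cred_model *c, id32_t uid)
{
    if (uid == INVALID_ID32)
        return -EINVAL;
    if (!c->privileged && uid != c->uid)
        return -EPERM;
    c->uid = c->fsuid = uid;
    return 0;
}

/*
 * Simplified setfsuid(): always returns the previous fsuid. Passing -1 is
 * the usual way to query it, because an invalid ID changes nothing.
 */
static long model_setfsuid(struct cred_model *c, id32_t uid)
{
    id32_t old = c->fsuid;

    if (uid != INVALID_ID32 && (c->privileged || uid == c->uid))
        c->fsuid = uid;
    return (long)old;
}

/* Return value of a 16-bit setuid on a fresh privileged task with uid 0. */
static long ret_of_setuid16(id16_t arg, widen_fn widen)
{
    struct cred_model c = { 0, 0, 1 };

    return model_setuid(&c, widen(arg));
}

/* uid of that task after the same call. */
static id32_t uid_after_setuid16(id16_t arg, widen_fn widen)
{
    struct cred_model c = { 0, 0, 1 };

    model_setuid(&c, widen(arg));
    return c.uid;
}

/* fsuid of a fresh privileged task after a 16-bit setfsuid. */
static id32_t fsuid_after_setfsuid16(id16_t arg, widen_fn widen)
{
    struct cred_model c = { 0, 0, 1 };

    model_setfsuid(&c, widen(arg));
    return c.fsuid;
}

int main(void)
{
    printf("setuid16(-1)   cast: ret=%ld uid=%u\n",
           ret_of_setuid16(0xffff, widen_cast),
           (unsigned)uid_after_setuid16(0xffff, widen_cast));
    printf("setuid16(-1)   low2high: ret=%ld uid=%u\n",
           ret_of_setuid16(0xffff, widen_low2high),
           (unsigned)uid_after_setuid16(0xffff, widen_low2high));
    printf("setfsuid16(-1) cast: fsuid=%u, low2high: fsuid=%u\n",
           (unsigned)fsuid_after_setfsuid16(0xffff, widen_cast),
           (unsigned)fsuid_after_setfsuid16(0xffff, widen_low2high));
    return 0;
}
```

With the cast, a 16-bit caller that passes -1 to query or to provoke an error instead ends up running as ID 65535; ordinary IDs behave the same under both conversions.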
* [PATCH 3.16 034/410] x86/entry/64: Don't use IST entry for #BP stack
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Thomas Gleixner, Linus Torvalds, Andy Lutomirski
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Andy Lutomirski <luto@kernel.org>
commit d8ba61ba58c88d5207c1ba2f7d9a2280e7d03be9 upstream.
There's nothing IST-worthy about #BP/int3. We don't allow kprobes
in the small handful of places in the kernel that run at CPL0 with
an invalid stack, and 32-bit kernels have used normal interrupt
gates for #BP forever.
Furthermore, we don't allow kprobes in places that have usergs while
in kernel mode, so "paranoid" is also unnecessary.
Signed-off-by: Andy Lutomirski <luto@kernel.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
[carnil: Backport to 3.16:
- Adjust filename change: arch/x86/kernel/entry_64.S
- Context changes
]
[bwh: Rebase on top of "x86/traps: Enable DEBUG_STACK after cpu_init() for
TRAP_DB/BP", and restore change in trap_init() instead of early_trap_init()]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/arch/x86/kernel/entry_64.S
+++ b/arch/x86/kernel/entry_64.S
@@ -1322,7 +1322,7 @@ apicinterrupt3 HYPERVISOR_CALLBACK_VECTO
#endif /* CONFIG_HYPERV */
idtentry debug do_debug has_error_code=0 paranoid=1 shift_ist=DEBUG_STACK
-idtentry int3 do_int3 has_error_code=0 paranoid=1 shift_ist=DEBUG_STACK
+idtentry int3 do_int3 has_error_code=0
idtentry stack_segment do_stack_segment has_error_code=1
#ifdef CONFIG_XEN
idtentry xen_debug do_debug has_error_code=0
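Review bot: the int3 line loses both paranoid=1 and shift_ist=DEBUG_STACK while the debug line directly above keeps them, and the file gives no hint why the two entries now differ. Add a short comment above the int3 entry recording the two conditions the changelog relies on: kprobes are not allowed in the places that run at CPL0 with an invalid stack, nor in places that have usergs while in kernel mode.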
--- a/arch/x86/kernel/traps.c
+++ b/arch/x86/kernel/traps.c
@@ -334,7 +334,6 @@ exit:
}
NOKPROBE_SYMBOL(do_general_protection);
-/* May run on IST stack. */
dotraplinkage void notrace do_int3(struct pt_regs *regs, long error_code)
{
enum ctx_state prev_state;
@@ -367,15 +366,9 @@ dotraplinkage void notrace do_int3(struc
SIGTRAP) == NOTIFY_STOP)
goto exit;
- /*
- * Let others (NMI) know that the debug stack is in use
- * as we may switch to the interrupt stack.
- */
- debug_stack_usage_inc();
preempt_conditional_sti(regs);
do_trap(X86_TRAP_BP, SIGTRAP, "int3", regs, error_code, NULL);
preempt_conditional_cli(regs);
- debug_stack_usage_dec();
exit:
exception_exit(prev_state);
}
@@ -862,19 +855,16 @@ void __init trap_init(void)
cpu_init();
/*
- * X86_TRAP_DB and X86_TRAP_BP have been set
- * in early_trap_init(). However, DEBUG_STACK works only after
- * cpu_init() loads TSS. See comments in early_trap_init().
+ * X86_TRAP_DB was installed in early_trap_init(). However,
+ * DEBUG_STACK works only after cpu_init() loads TSS. See comments
+ * in early_trap_init().
*/
set_intr_gate_ist(X86_TRAP_DB, &debug, DEBUG_STACK);
- /* int3 can be called from all */
- set_system_intr_gate_ist(X86_TRAP_BP, &int3, DEBUG_STACK);
x86_init.irqs.trap_init();
#ifdef CONFIG_X86_64
memcpy(&debug_idt_table, &idt_table, IDT_ENTRIES * 16);
set_nmi_gate(X86_TRAP_DB, &debug);
- set_nmi_gate(X86_TRAP_BP, &int3);
#endif
}
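Review bot: the rewritten comment in trap_init() now mentions only X86_TRAP_DB, and the hunk deletes both set_system_intr_gate_ist(X86_TRAP_BP, &int3, DEBUG_STACK) and set_nmi_gate(X86_TRAP_BP, &int3) without showing where the #BP gate is handled instead. Say in the comment that the X86_TRAP_BP gate installed in early_trap_init() is left as it is because it no longer uses an IST stack, and confirm that the entry copied into debug_idt_table by the memcpy() is the right gate for int3.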
* [PATCH 3.16 357/410] fs/aio: Add explicit RCU grace period when freeing kioctx
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Jann Horn, Kent Overstreet, Tejun Heo, Linus Torvalds
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Tejun Heo <tj@kernel.org>
commit a6d7cff472eea87d96899a20fa718d2bab7109f3 upstream.
While fixing refcounting, e34ecee2ae79 ("aio: Fix a trinity splat")
incorrectly removed explicit RCU grace period before freeing kioctx.
The intention seems to be depending on the internal RCU grace periods
of percpu_ref; however, percpu_ref uses a different flavor of RCU,
sched-RCU. This can lead to kioctx being freed while RCU read
protected dereferences are still in progress.
Fix it by updating free_ioctx() to go through call_rcu() explicitly.
v2: Comment added to explain double bouncing.
Signed-off-by: Tejun Heo <tj@kernel.org>
Reported-by: Jann Horn <jannh@google.com>
Fixes: e34ecee2ae79 ("aio: Fix a trinity splat")
Cc: Kent Overstreet <kent.overstreet@gmail.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/aio.c | 23 +++++++++++++++++++----
1 file changed, 19 insertions(+), 4 deletions(-)
--- a/fs/aio.c
+++ b/fs/aio.c
@@ -115,7 +115,8 @@ struct kioctx {
struct page **ring_pages;
long nr_pages;
- struct work_struct free_work;
+ struct rcu_head free_rcu;
+ struct work_struct free_work; /* see free_ioctx() */
/*
* signals when all in-flight requests are done
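Review bot: the "see free_ioctx()" comment is attached to free_work, which was already there, while the new member free_rcu, the one a reader will not expect in struct kioctx, has none. Put one comment above both members saying that freeing goes through free_rcu first and free_work second, so the order of the two steps is visible at the structure definition as well as at free_ioctx().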
@@ -512,6 +513,12 @@ static int kiocb_cancel(struct kiocb *ki
return cancel(kiocb);
}
+/*
+ * free_ioctx() should be RCU delayed to synchronize against the RCU
+ * protected lookup_ioctx() and also needs process context to call
+ * aio_free_ring(), so the double bouncing through kioctx->free_rcu and
+ * ->free_work.
+ */
static void free_ioctx(struct work_struct *work)
{
struct kioctx *ctx = container_of(work, struct kioctx, free_work);
@@ -523,6 +530,14 @@ static void free_ioctx(struct work_struc
kmem_cache_free(kioctx_cachep, ctx);
}
+static void free_ioctx_rcufn(struct rcu_head *head)
+{
+ struct kioctx *ctx = container_of(head, struct kioctx, free_rcu);
+
+ INIT_WORK(&ctx->free_work, free_ioctx);
+ schedule_work(&ctx->free_work);
+}
+
static void free_ioctx_reqs(struct percpu_ref *ref)
{
struct kioctx *ctx = container_of(ref, struct kioctx, reqs);
@@ -531,8 +546,8 @@ static void free_ioctx_reqs(struct percp
if (ctx->rq_wait && atomic_dec_and_test(&ctx->rq_wait->count))
complete(&ctx->rq_wait->comp);
- INIT_WORK(&ctx->free_work, free_ioctx);
- schedule_work(&ctx->free_work);
+ /* Synchronize against RCU protected table->table[] dereferences */
+ call_rcu(&ctx->free_rcu, free_ioctx_rcufn);
}
/*
@@ -754,7 +769,7 @@ static int kill_ioctx(struct mm_struct *
table->table[ctx->id] = NULL;
spin_unlock(&mm->ioctx_lock);
- /* percpu_ref_kill() will do the necessary call_rcu() */
+ /* free_ioctx_reqs() will do the necessary RCU synchronization */
wake_up_all(&ctx->wait);
/*
* [PATCH 3.16 370/410] batman-adv: fix header size check in batadv_dbg_arp()
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Matthias Schiffer, Sven Eckelmann, Simon Wunderlich
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Matthias Schiffer <mschiffer@universe-factory.net>
commit 6f27d2c2a8c236d296201c19abb8533ec20d212b upstream.
Checking for 0 is insufficient: when an SKB without a batadv header, but
with a VLAN header is received, hdr_size will be 4, making the following
code interpret the Ethernet header as a batadv header.
Fixes: be1db4f6615b ("batman-adv: make the Distributed ARP Table vlan aware")
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/batman-adv/distributed-arp-table.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/batman-adv/distributed-arp-table.c
+++ b/net/batman-adv/distributed-arp-table.c
@@ -343,7 +343,7 @@ static void batadv_dbg_arp(struct batadv
batadv_arp_hw_src(skb, hdr_size), &ip_src,
batadv_arp_hw_dst(skb, hdr_size), &ip_dst);
- if (hdr_size == 0)
+ if (hdr_size < sizeof(struct batadv_unicast_packet))
return;
unicast_4addr_packet = (struct batadv_unicast_4addr_packet *)skb->data;
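Review bot: the new test compares hdr_size with sizeof(struct batadv_unicast_packet), but the next line casts skb->data to struct batadv_unicast_4addr_packet, so passing the test does not by itself show that the larger header is present. Add a comment that the 4addr fields are read only after the packet type has been checked, or make the size requirement for the 4addr case explicit at the point where those fields are read.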
* [PATCH 3.16 350/410] libata: Enable queued TRIM for Samsung SSD 860
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Martin K. Petersen, Tejun Heo, Ju Hyung Park
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Ju Hyung Park <qkrwngud825@gmail.com>
commit ca6bfcb2f6d9deab3924bf901e73622a94900473 upstream.
Samsung explicitly states that queued TRIM is supported for Linux with
860 PRO and 860 EVO.
Make the previous blacklist cover only the 840 and 850 series.
Signed-off-by: Park Ju Hyung <qkrwngud825@gmail.com>
Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
[bwh: Backported to 3.16: There's no ATA_HORKAGE_ZERO_AFTER_TRIM flag]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/ata/libata-core.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/ata/libata-core.c
+++ b/drivers/ata/libata-core.c
@@ -4237,7 +4237,8 @@ static const struct ata_blacklist_entry
{ "Micron_M5[15]0_*", "MU01", ATA_HORKAGE_NO_NCQ_TRIM, },
{ "Crucial_CT*M550*", "MU01", ATA_HORKAGE_NO_NCQ_TRIM, },
{ "Crucial_CT*MX100*", "MU01", ATA_HORKAGE_NO_NCQ_TRIM, },
- { "Samsung SSD 8*", NULL, ATA_HORKAGE_NO_NCQ_TRIM, },
+ { "Samsung SSD 840*", NULL, ATA_HORKAGE_NO_NCQ_TRIM, },
+ { "Samsung SSD 850*", NULL, ATA_HORKAGE_NO_NCQ_TRIM, },
{ "FCCT*M500*", NULL, ATA_HORKAGE_NO_NCQ_TRIM, },
/* devices that don't properly handle TRIM commands */
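Review bot: replacing "Samsung SSD 8*" with "Samsung SSD 840*" and "Samsung SSD 850*" re-enables queued TRIM for every other model string that begins with 8, not only for the 860 PRO and 860 EVO that the changelog cites. State in the changelog that this is intended, and add a comment above the two entries naming the series that need ATA_HORKAGE_NO_NCQ_TRIM so that the list is extended by evidence rather than by wildcard.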
* [PATCH 3.16 037/410] KVM: x86: rename update_db_bp_intercept to update_bp_intercept
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, Paolo Bonzini
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Bonzini <pbonzini@redhat.com>
commit a96036b8ef7df9f10cd575c0d78359bd33188e8e upstream.
Because #DB is now intercepted unconditionally, this callback
only operates on #BP for both VMX and SVM.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[carnil: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
arch/x86/include/asm/kvm_host.h | 2 +-
arch/x86/kvm/svm.c | 2 +-
arch/x86/kvm/vmx.c | 2 +-
arch/x86/kvm/x86.c | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
@@ -682,7 +682,7 @@ struct kvm_x86_ops {
void (*vcpu_load)(struct kvm_vcpu *vcpu, int cpu);
void (*vcpu_put)(struct kvm_vcpu *vcpu);
- void (*update_db_bp_intercept)(struct kvm_vcpu *vcpu);
+ void (*update_bp_intercept)(struct kvm_vcpu *vcpu);
int (*get_msr)(struct kvm_vcpu *vcpu, u32 msr_index, u64 *pdata);
int (*set_msr)(struct kvm_vcpu *vcpu, struct msr_data *msr);
u64 (*get_segment_base)(struct kvm_vcpu *vcpu, int seg);
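Review bot: the renamed member `update_bp_intercept` in struct kvm_x86_ops has no comment, so the reason for the new name (the callback only acts on #BP now that #DB is intercepted unconditionally) lives only in the commit message. A short comment on the member would keep a later reader from assuming it still controls #DB interception.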
--- a/arch/x86/kvm/svm.c
+++ b/arch/x86/kvm/svm.c
@@ -4353,7 +4353,7 @@ static struct kvm_x86_ops svm_x86_ops =
.vcpu_load = svm_vcpu_load,
.vcpu_put = svm_vcpu_put,
- .update_db_bp_intercept = update_bp_intercept,
+ .update_bp_intercept = update_bp_intercept,
.get_msr = svm_get_msr,
.set_msr = svm_set_msr,
.get_segment_base = svm_get_segment_base,
--- a/arch/x86/kvm/vmx.c
+++ b/arch/x86/kvm/vmx.c
@@ -8932,7 +8932,7 @@ static struct kvm_x86_ops vmx_x86_ops =
.vcpu_load = vmx_vcpu_load,
.vcpu_put = vmx_vcpu_put,
- .update_db_bp_intercept = update_exception_bitmap,
+ .update_bp_intercept = update_exception_bitmap,
.get_msr = vmx_get_msr,
.set_msr = vmx_set_msr,
.get_segment_base = vmx_get_segment_base,
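Review bot: in vmx_x86_ops the slot is now named for #BP only but is still wired to `update_exception_bitmap`, whose name suggests a wider scope than the slot it fills. A comment next to `.update_bp_intercept = update_exception_bitmap,` or a thin wrapper named for #BP would show the mismatch is deliberate.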
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -6732,7 +6732,7 @@ int kvm_arch_vcpu_ioctl_set_guest_debug(
*/
kvm_set_rflags(vcpu, rflags);
- kvm_x86_ops->update_db_bp_intercept(vcpu);
+ kvm_x86_ops->update_bp_intercept(vcpu);
r = 0;
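Review bot: the call in kvm_arch_vcpu_ioctl_set_guest_debug() is the only caller this patch converts, and the backport note says the context was adjusted for 3.16. Worth confirming with a grep of the 3.16 tree that no other user of `update_db_bp_intercept` remains, since the member no longer exists after the kvm_host.h hunk.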
* [PATCH 3.16 168/410] android: binder: use VM_ALLOC to get vm area
2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
` (303 preceding siblings ...)
2018-06-07 14:05 ` [PATCH 3.16 370/410] batman-adv: fix header size check in batadv_dbg_arp() Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
2018-06-07 14:05 ` [PATCH 3.16 220/410] netlink: ensure to loop over all netns in genlmsg_multicast_allns() Ben Hutchings
` (104 subsequent siblings)
409 siblings, 0 replies; 428+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable
Cc: akpm, Greg Kroah-Hartman, Ganesh Mahendran, Todd Kjos, Martijn Coenen
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Ganesh Mahendran <opensource.ganesh@gmail.com>
commit aac6830ec1cb681544212838911cdc57f2638216 upstream.
VM_IOREMAP is used to access hardware through a mechanism called
I/O mapped memory. Android binder is an IPC mechanism which will
not access I/O memory.
And VM_IOREMAP has an alignment requirement which may not be needed in
binder.
__get_vm_area_node()
{
...
if (flags & VM_IOREMAP)
align = 1ul << clamp_t(int, fls_long(size),
PAGE_SHIFT, IOREMAP_MAX_ORDER);
...
}
This patch will save some kernel vm area, especially for 32bit os.
In 32bit OS, kernel vm area is only 240MB. We may get the below
error when launching an app:
<3>[ 4482.440053] binder_alloc: binder_alloc_mmap_handler: 15728 8ce67000-8cf65000 get_vm_area failed -12
<3>[ 4483.218817] binder_alloc: binder_alloc_mmap_handler: 15745 8ce67000-8cf65000 get_vm_area failed -12
Signed-off-by: Ganesh Mahendran <opensource.ganesh@gmail.com>
Acked-by: Martijn Coenen <maco@android.com>
Acked-by: Todd Kjos <tkjos@google.com>
----
V3: update comments
V2: update comments
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[bwh: Backported to 3.16: adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
drivers/staging/android/binder.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/staging/android/binder.c
+++ b/drivers/staging/android/binder.c
@@ -2808,7 +2808,7 @@ static int binder_mmap(struct file *filp
goto err_already_mapped;
}
- area = get_vm_area(vma->vm_end - vma->vm_start, VM_IOREMAP);
+ area = get_vm_area(vma->vm_end - vma->vm_start, VM_ALLOC);
if (area == NULL) {
ret = -ENOMEM;
failure_string = "get_vm_area";
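Review bot: the `get_vm_area(vma->vm_end - vma->vm_start, VM_ALLOC)` call carries no comment explaining the flag choice, so the reasoning (VM_IOREMAP imposes an alignment that binder does not need and that costs kernel vm area on 32-bit) is only recoverable from the commit message. The changelog lists "update comments" for V2 and V3, but this hunk adds none; suggest a one-line comment at the call site.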
* [PATCH 3.16 410/410] net: Fix untag for vlan packets without ethernet header
2018-06-07 14:05 [PATCH 3.16 000/410] 3.16.57-rc1 review Ben Hutchings
` (30 preceding siblings ...)
2018-06-07 14:05 ` [PATCH 3.16 098/410] spi: imx: do not access registers while clocks disabled Ben Hutchings
@ 2018-06-07 14:05 ` Ben Hutchings
2018-06-07 14:05 ` [PATCH 3.16 189/410] Btrfs: fix use-after-free on root->orphan_block_rsv Ben Hutchings
` (377 subsequent siblings)
409 siblings, 0 replies; 428+ messages in thread
From: Ben Hutchings @ 2018-06-07 14:05 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: akpm, David S. Miller, Eric Dumazet, Toshiaki Makita
3.16.57-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
commit ae4745730cf8e693d354ccd4dbaf59ea440c09a9 upstream.
In some situations vlan packets do not have ethernet headers. One example
is packets from tun devices. Users can specify vlan protocol in tun_pi
field instead of IP protocol, and skb_vlan_untag() attempts to untag such
packets.
skb_vlan_untag() (more precisely, skb_reorder_vlan_header() called by it)
however did not expect packets without ethernet headers, so in such a case
the size argument for memmove() underflowed and triggered a crash.
====
BUG: unable to handle kernel paging request at ffff8801cccb8000
IP: __memmove+0x24/0x1a0 arch/x86/lib/memmove_64.S:43
PGD 9cee067 P4D 9cee067 PUD 1d9401063 PMD 1cccb7063 PTE 2810100028101
Oops: 000b [#1] SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 17663 Comm: syz-executor2 Not tainted 4.16.0-rc7+ #368
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__memmove+0x24/0x1a0 arch/x86/lib/memmove_64.S:43
RSP: 0018:ffff8801cc046e28 EFLAGS: 00010287
RAX: ffff8801ccc244c4 RBX: fffffffffffffffe RCX: fffffffffff6c4c2
RDX: fffffffffffffffe RSI: ffff8801cccb7ffc RDI: ffff8801cccb8000
RBP: ffff8801cc046e48 R08: ffff8801ccc244be R09: ffffed0039984899
R10: 0000000000000001 R11: ffffed0039984898 R12: ffff8801ccc244c4
R13: ffff8801ccc244c0 R14: ffff8801d96b7c06 R15: ffff8801d96b7b40
FS: 00007febd562d700(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff8801cccb8000 CR3: 00000001ccb2f006 CR4: 00000000001606e0
DR0: 0000000020000000 DR1: 0000000020000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
Call Trace:
memmove include/linux/string.h:360 [inline]
skb_reorder_vlan_header net/core/skbuff.c:5031 [inline]
skb_vlan_untag+0x470/0xc40 net/core/skbuff.c:5061
__netif_receive_skb_core+0x119c/0x3460 net/core/dev.c:4460
__netif_receive_skb+0x2c/0x1b0 net/core/dev.c:4627
netif_receive_skb_internal+0x10b/0x670 net/core/dev.c:4701
netif_receive_skb+0xae/0x390 net/core/dev.c:4725
tun_rx_batched.isra.50+0x5ee/0x870 drivers/net/tun.c:1555
tun_get_user+0x299e/0x3c20 drivers/net/tun.c:1962
tun_chr_write_iter+0xb9/0x160 drivers/net/tun.c:1990
call_write_iter include/linux/fs.h:1782 [inline]
new_sync_write fs/read_write.c:469 [inline]
__vfs_write+0x684/0x970 fs/read_write.c:482
vfs_write+0x189/0x510 fs/read_write.c:544
SYSC_write fs/read_write.c:589 [inline]
SyS_write+0xef/0x220 fs/read_write.c:581
do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x454879
RSP: 002b:00007febd562cc68 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007febd562d6d4 RCX: 0000000000454879
RDX: 0000000000000157 RSI: 0000000020000180 RDI: 0000000000000014
RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000006b0 R14: 00000000006fc120 R15: 0000000000000000
Code: 90 90 90 90 90 90 90 48 89 f8 48 83 fa 20 0f 82 03 01 00 00 48 39 fe 7d 0f 49 89 f0 49 01 d0 49 39 f8 0f 8f 9f 00 00 00 48 89 d1 <f3> a4 c3 48 81 fa a8 02 00 00 72 05 40 38 fe 74 3b 48 83 ea 20
RIP: __memmove+0x24/0x1a0 arch/x86/lib/memmove_64.S:43 RSP: ffff8801cc046e28
CR2: ffff8801cccb8000
====
We don't need to copy headers for packets which do not have headers
preceding the vlan headers, so skip memmove() in that case.
Fixes: 4bbb3e0e8239 ("net: Fix vlan untag for bridge and vlan_dev with reorder_hdr off")
Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
net/core/skbuff.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -4002,8 +4002,10 @@ static struct sk_buff *skb_reorder_vlan_
}
mac_len = skb->data - skb_mac_header(skb);
- memmove(skb_mac_header(skb) + VLAN_HLEN, skb_mac_header(skb),
- mac_len - VLAN_HLEN - ETH_TLEN);
+ if (likely(mac_len > VLAN_HLEN + ETH_TLEN)) {
+ memmove(skb_mac_header(skb) + VLAN_HLEN, skb_mac_header(skb),
+ mac_len - VLAN_HLEN - ETH_TLEN);
+ }
skb->mac_header += VLAN_HLEN;
return skb;
}
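Review bot: the new guard in skb_reorder_vlan_header() skips the memmove() when `mac_len` is not greater than `VLAN_HLEN + ETH_TLEN`, but `skb->mac_header += VLAN_HLEN;` still runs unconditionally, and nothing in the hunk says that advancing mac_header is intended for a packet with no ethernet header. Suggest a comment above the `if` stating that. Also confirm that `mac_len` is a signed type: its declaration is outside the hunk, and an unsigned one would let a negative `skb->data - skb_mac_header(skb)` pass the check.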