December 2017 - Linux-stable-mirror

[Linux-stable-mirror] Patch "scsi: lpfc: Fix crash during Hardware error recovery on SLI3 adapters" has been added to the 3.18-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled scsi: lpfc: Fix crash during Hardware error recovery on SLI3 adapters to the 3.18-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: scsi-lpfc-fix-crash-during-hardware-error-recovery-on-sli3-adapters.patch and it can be found in the queue-3.18 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From foo@baz Thu Dec 14 21:30:47 CET 2017 From: James Smart <jsmart2021(a)gmail.com> Date: Sat, 4 Mar 2017 09:30:25 -0800 Subject: scsi: lpfc: Fix crash during Hardware error recovery on SLI3 adapters From: James Smart <jsmart2021(a)gmail.com> [ Upstream commit 5d181531bc6169e19a02a27d202cf0e982db9d0e ] if REG_VPI fails, the driver was incorrectly issuing INIT_VFI (a SLI4 command) on a SLI3 adapter. Signed-off-by: Dick Kennedy <dick.kennedy(a)broadcom.com> Signed-off-by: James Smart <james.smart(a)broadcom.com> Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> Signed-off-by: Sasha Levin <alexander.levin(a)verizon.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/scsi/lpfc/lpfc_els.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) --- a/drivers/scsi/lpfc/lpfc_els.c +++ b/drivers/scsi/lpfc/lpfc_els.c @@ -7265,11 +7265,17 @@ lpfc_cmpl_reg_new_vport(struct lpfc_hba spin_lock_irq(shost->host_lock); vport->fc_flag |= FC_VPORT_NEEDS_REG_VPI; spin_unlock_irq(shost->host_lock); - if (vport->port_type == LPFC_PHYSICAL_PORT - && !(vport->fc_flag & FC_LOGO_RCVD_DID_CHNG)) - lpfc_issue_init_vfi(vport); - else + if (mb->mbxStatus == MBX_NOT_FINISHED) + break; + if ((vport->port_type == LPFC_PHYSICAL_PORT) && + !(vport->fc_flag & FC_LOGO_RCVD_DID_CHNG)) { + if (phba->sli_rev == LPFC_SLI_REV4) + lpfc_issue_init_vfi(vport); + else + lpfc_initial_flogi(vport); + } else { lpfc_initial_fdisc(vport); + } break; } } else { Patches currently in stable-queue which might be from jsmart2021(a)gmail.com are queue-3.18/scsi-lpfc-fix-crash-during-hardware-error-recovery-on-sli3-adapters.patch

7 years, 1 month

1
0
0 0

[Linux-stable-mirror] Patch "Revert "drm/armada: Fix compile fail"" has been added to the 3.18-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled Revert "drm/armada: Fix compile fail" to the 3.18-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: revert-drm-armada-fix-compile-fail.patch and it can be found in the queue-3.18 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From foo@baz Thu Dec 14 21:30:47 CET 2017 From: Sasha Levin <alexander.levin(a)verizon.com> Date: Thu, 7 Dec 2017 23:21:06 -0500 Subject: Revert "drm/armada: Fix compile fail" From: Sasha Levin <alexander.levin(a)verizon.com> This reverts commit 82f260d472c3b4dbb7324624e395c3e91f73a040. Not required on < 4.10. Signed-off-by: Sasha Levin <alexander.levin(a)verizon.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/gpu/drm/armada/Makefile | 2 -- 1 file changed, 2 deletions(-) --- a/drivers/gpu/drm/armada/Makefile +++ b/drivers/gpu/drm/armada/Makefile @@ -5,5 +5,3 @@ armada-y += armada_510.o armada-$(CONFIG_DEBUG_FS) += armada_debugfs.o obj-$(CONFIG_DRM_ARMADA) := armada.o - -CFLAGS_armada_trace.o := -I$(src) Patches currently in stable-queue which might be from alexander.levin(a)verizon.com are queue-3.18/xfrm-copy-policy-family-in-clone_policy.patch queue-3.18/scsi-lpfc-fix-crash-during-hardware-error-recovery-on-sli3-adapters.patch queue-3.18/atm-horizon-fix-irq-release-error.patch queue-3.18/ipv6-reorder-icmpv6_init-and-ip6_mr_init.patch queue-3.18/kvm-nvmx-reset-nested_run_pending-if-the-vcpu-is-going-to-be-reset.patch queue-3.18/axonram-fix-gendisk-handling.patch queue-3.18/usb-gadgetfs-fix-a-potential-memory-leak-in-dev_config.patch queue-3.18/spi_ks8995-fix-bug-key-accdaa28-not-in-.data.patch queue-3.18/bnx2x-fix-possible-overrun-of-vfpf-multicast-addresses-array.patch queue-3.18/sunrpc-fix-rpc_task_begin-trace-point.patch queue-3.18/arm-kvm-survive-unknown-traps-from-guests.patch queue-3.18/crypto-s5p-sss-fix-completing-crypto-request-in-irq-handler.patch queue-3.18/ib-mlx5-assign-send-cq-and-recv-cq-of-umr-qp.patch queue-3.18/lib-genalloc.c-make-the-avail-variable-an-atomic_long_t.patch queue-3.18/afs-connect-up-the-cb.probeuuid.patch queue-3.18/route-update-fnhe_expires-for-redirect-when-the-fnhe-exists.patch queue-3.18/edac-i5000-i5400-fix-definition-of-nrecmemb-register.patch queue-3.18/libata-drop-warn-from-protocol-error-in-ata_sff_qc_issue.patch queue-3.18/nfs-fix-a-typo-in-nfs_rename.patch queue-3.18/audit-ensure-that-audit-1-actually-enables-audit-for-pid-1.patch queue-3.18/sparc64-mm-set-fields-in-deferred-pages.patch queue-3.18/route-also-update-fnhe_genid-when-updating-a-route-cache.patch queue-3.18/selftest-powerpc-fix-false-failures-for-skipped-tests.patch queue-3.18/edac-i5000-i5400-fix-use-of-mtr_dram_width-macro.patch queue-3.18/workqueue-trigger-warn-if-queue_delayed_work-is-called-with-null-wq.patch queue-3.18/irqchip-crossbar-fix-incorrect-type-of-register-size.patch queue-3.18/revert-s390-kbuild-enable-modversions-for-symbols-exported-from-asm.patch queue-3.18/sctp-use-the-right-sk-after-waking-up-from-wait_buf-sleep.patch queue-3.18/dynamic-debug-howto-fix-optional-omitted-ending-line-number-to-be-large-instead-of-0.patch queue-3.18/i2c-riic-fix-restart-condition.patch queue-3.18/ib-mlx4-increase-maximal-message-size-under-ud-qp.patch queue-3.18/usb-gadget-configs-plug-memory-leak.patch queue-3.18/revert-drm-armada-fix-compile-fail.patch queue-3.18/sctp-do-not-free-asoc-when-it-is-already-dead-in-sctp_sendmsg.patch

7 years, 1 month

1
0
0 0

[Linux-stable-mirror] Patch "Revert "s390/kbuild: enable modversions for symbols exported from asm"" has been added to the 3.18-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled Revert "s390/kbuild: enable modversions for symbols exported from asm" to the 3.18-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: revert-s390-kbuild-enable-modversions-for-symbols-exported-from-asm.patch and it can be found in the queue-3.18 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From foo@baz Thu Dec 14 21:30:47 CET 2017 From: Sasha Levin <alexander.levin(a)verizon.com> Date: Fri, 8 Dec 2017 00:11:47 -0500 Subject: Revert "s390/kbuild: enable modversions for symbols exported from asm" From: Sasha Levin <alexander.levin(a)verizon.com> This reverts commit cabab3f9f5ca077535080b3252e6168935b914af. Not needed for < 4.9. Signed-off-by: Sasha Levin <alexander.levin(a)verizon.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- arch/s390/include/asm/asm-prototypes.h | 8 -------- 1 file changed, 8 deletions(-) delete mode 100644 arch/s390/include/asm/asm-prototypes.h --- a/arch/s390/include/asm/asm-prototypes.h +++ /dev/null @@ -1,8 +0,0 @@ -#ifndef _ASM_S390_PROTOTYPES_H - -#include <linux/kvm_host.h> -#include <linux/ftrace.h> -#include <asm/fpu/api.h> -#include <asm-generic/asm-prototypes.h> - -#endif /* _ASM_S390_PROTOTYPES_H */ Patches currently in stable-queue which might be from alexander.levin(a)verizon.com are queue-3.18/xfrm-copy-policy-family-in-clone_policy.patch queue-3.18/scsi-lpfc-fix-crash-during-hardware-error-recovery-on-sli3-adapters.patch queue-3.18/atm-horizon-fix-irq-release-error.patch queue-3.18/ipv6-reorder-icmpv6_init-and-ip6_mr_init.patch queue-3.18/kvm-nvmx-reset-nested_run_pending-if-the-vcpu-is-going-to-be-reset.patch queue-3.18/axonram-fix-gendisk-handling.patch queue-3.18/usb-gadgetfs-fix-a-potential-memory-leak-in-dev_config.patch queue-3.18/spi_ks8995-fix-bug-key-accdaa28-not-in-.data.patch queue-3.18/bnx2x-fix-possible-overrun-of-vfpf-multicast-addresses-array.patch queue-3.18/sunrpc-fix-rpc_task_begin-trace-point.patch queue-3.18/arm-kvm-survive-unknown-traps-from-guests.patch queue-3.18/crypto-s5p-sss-fix-completing-crypto-request-in-irq-handler.patch queue-3.18/ib-mlx5-assign-send-cq-and-recv-cq-of-umr-qp.patch queue-3.18/lib-genalloc.c-make-the-avail-variable-an-atomic_long_t.patch queue-3.18/afs-connect-up-the-cb.probeuuid.patch queue-3.18/route-update-fnhe_expires-for-redirect-when-the-fnhe-exists.patch queue-3.18/edac-i5000-i5400-fix-definition-of-nrecmemb-register.patch queue-3.18/libata-drop-warn-from-protocol-error-in-ata_sff_qc_issue.patch queue-3.18/nfs-fix-a-typo-in-nfs_rename.patch queue-3.18/audit-ensure-that-audit-1-actually-enables-audit-for-pid-1.patch queue-3.18/sparc64-mm-set-fields-in-deferred-pages.patch queue-3.18/route-also-update-fnhe_genid-when-updating-a-route-cache.patch queue-3.18/selftest-powerpc-fix-false-failures-for-skipped-tests.patch queue-3.18/edac-i5000-i5400-fix-use-of-mtr_dram_width-macro.patch queue-3.18/workqueue-trigger-warn-if-queue_delayed_work-is-called-with-null-wq.patch queue-3.18/irqchip-crossbar-fix-incorrect-type-of-register-size.patch queue-3.18/revert-s390-kbuild-enable-modversions-for-symbols-exported-from-asm.patch queue-3.18/sctp-use-the-right-sk-after-waking-up-from-wait_buf-sleep.patch queue-3.18/dynamic-debug-howto-fix-optional-omitted-ending-line-number-to-be-large-instead-of-0.patch queue-3.18/i2c-riic-fix-restart-condition.patch queue-3.18/ib-mlx4-increase-maximal-message-size-under-ud-qp.patch queue-3.18/usb-gadget-configs-plug-memory-leak.patch queue-3.18/revert-drm-armada-fix-compile-fail.patch queue-3.18/sctp-do-not-free-asoc-when-it-is-already-dead-in-sctp_sendmsg.patch

7 years, 1 month

1
0
0 0

[Linux-stable-mirror] Patch "lib/genalloc.c: make the avail variable an atomic_long_t" has been added to the 3.18-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled lib/genalloc.c: make the avail variable an atomic_long_t to the 3.18-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: lib-genalloc.c-make-the-avail-variable-an-atomic_long_t.patch and it can be found in the queue-3.18 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From foo@baz Thu Dec 14 21:30:47 CET 2017 From: Stephen Bates <sbates(a)raithlin.com> Date: Fri, 17 Nov 2017 15:28:16 -0800 Subject: lib/genalloc.c: make the avail variable an atomic_long_t From: Stephen Bates <sbates(a)raithlin.com> [ Upstream commit 36a3d1dd4e16bcd0d2ddfb4a2ec7092f0ae0d931 ] If the amount of resources allocated to a gen_pool exceeds 2^32 then the avail atomic overflows and this causes problems when clients try and borrow resources from the pool. This is only expected to be an issue on 64 bit systems. Add the <linux/atomic.h> header to pull in atomic_long* operations. So that 32 bit systems continue to use atomic32_t but 64 bit systems can use atomic64_t. Link: http://lkml.kernel.org/r/1509033843-25667-1-git-send-email-sbates@raithlin.… Signed-off-by: Stephen Bates <sbates(a)raithlin.com> Reviewed-by: Logan Gunthorpe <logang(a)deltatee.com> Reviewed-by: Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> Reviewed-by: Daniel Mentz <danielmentz(a)google.com> Cc: Jonathan Corbet <corbet(a)lwn.net> Cc: Andrew Morton <akpm(a)linux-foundation.org> Cc: Will Deacon <will.deacon(a)arm.com> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds(a)linux-foundation.org> Signed-off-by: Sasha Levin <alexander.levin(a)verizon.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- include/linux/genalloc.h | 3 ++- lib/genalloc.c | 10 +++++----- 2 files changed, 7 insertions(+), 6 deletions(-) --- a/include/linux/genalloc.h +++ b/include/linux/genalloc.h @@ -31,6 +31,7 @@ #define __GENALLOC_H__ #include <linux/spinlock_types.h> +#include <linux/atomic.h> struct device; struct device_node; @@ -66,7 +67,7 @@ struct gen_pool { */ struct gen_pool_chunk { struct list_head next_chunk; /* next chunk in pool */ - atomic_t avail; + atomic_long_t avail; phys_addr_t phys_addr; /* physical starting address of memory chunk */ unsigned long start_addr; /* start address of memory chunk */ unsigned long end_addr; /* end address of memory chunk (inclusive) */ --- a/lib/genalloc.c +++ b/lib/genalloc.c @@ -194,7 +194,7 @@ int gen_pool_add_virt(struct gen_pool *p chunk->phys_addr = phys; chunk->start_addr = virt; chunk->end_addr = virt + size - 1; - atomic_set(&chunk->avail, size); + atomic_long_set(&chunk->avail, size); spin_lock(&pool->lock); list_add_rcu(&chunk->next_chunk, &pool->chunks); @@ -285,7 +285,7 @@ unsigned long gen_pool_alloc(struct gen_ nbits = (size + (1UL << order) - 1) >> order; rcu_read_lock(); list_for_each_entry_rcu(chunk, &pool->chunks, next_chunk) { - if (size > atomic_read(&chunk->avail)) + if (size > atomic_long_read(&chunk->avail)) continue; end_bit = chunk_size(chunk) >> order; @@ -304,7 +304,7 @@ retry: addr = chunk->start_addr + ((unsigned long)start_bit << order); size = nbits << order; - atomic_sub(size, &chunk->avail); + atomic_long_sub(size, &chunk->avail); break; } rcu_read_unlock(); @@ -370,7 +370,7 @@ void gen_pool_free(struct gen_pool *pool remain = bitmap_clear_ll(chunk->bits, start_bit, nbits); BUG_ON(remain); size = nbits << order; - atomic_add(size, &chunk->avail); + atomic_long_add(size, &chunk->avail); rcu_read_unlock(); return; } @@ -444,7 +444,7 @@ size_t gen_pool_avail(struct gen_pool *p rcu_read_lock(); list_for_each_entry_rcu(chunk, &pool->chunks, next_chunk) - avail += atomic_read(&chunk->avail); + avail += atomic_long_read(&chunk->avail); rcu_read_unlock(); return avail; } Patches currently in stable-queue which might be from sbates(a)raithlin.com are queue-3.18/lib-genalloc.c-make-the-avail-variable-an-atomic_long_t.patch

7 years, 1 month

1
0
0 0

[Linux-stable-mirror] Patch "NFS: Fix a typo in nfs_rename()" has been added to the 3.18-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled NFS: Fix a typo in nfs_rename() to the 3.18-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: nfs-fix-a-typo-in-nfs_rename.patch and it can be found in the queue-3.18 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From foo@baz Thu Dec 14 21:30:47 CET 2017 From: Trond Myklebust <trond.myklebust(a)primarydata.com> Date: Mon, 6 Nov 2017 15:28:04 -0500 Subject: NFS: Fix a typo in nfs_rename() From: Trond Myklebust <trond.myklebust(a)primarydata.com> [ Upstream commit d803224c84be067754db7fa58a93f36f61566493 ] On successful rename, the "old_dentry" is retained and is attached to the "new_dir", so we need to call nfs_set_verifier() accordingly. Signed-off-by: Trond Myklebust <trond.myklebust(a)primarydata.com> Signed-off-by: Anna Schumaker <Anna.Schumaker(a)Netapp.com> Signed-off-by: Sasha Levin <alexander.levin(a)verizon.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- fs/nfs/dir.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/fs/nfs/dir.c +++ b/fs/nfs/dir.c @@ -2063,7 +2063,7 @@ out: if (new_inode != NULL) nfs_drop_nlink(new_inode); d_move(old_dentry, new_dentry); - nfs_set_verifier(new_dentry, + nfs_set_verifier(old_dentry, nfs_save_change_attribute(new_dir)); } else if (error == -ENOENT) nfs_dentry_handle_enoent(old_dentry); Patches currently in stable-queue which might be from trond.myklebust(a)primarydata.com are queue-3.18/nfs-fix-a-typo-in-nfs_rename.patch

7 years, 1 month

1
0
0 0

[Linux-stable-mirror] Patch "libata: drop WARN from protocol error in ata_sff_qc_issue()" has been added to the 3.18-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled libata: drop WARN from protocol error in ata_sff_qc_issue() to the 3.18-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: libata-drop-warn-from-protocol-error-in-ata_sff_qc_issue.patch and it can be found in the queue-3.18 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From foo@baz Thu Dec 14 21:30:47 CET 2017 From: Tejun Heo <tj(a)kernel.org> Date: Mon, 6 Mar 2017 15:26:54 -0500 Subject: libata: drop WARN from protocol error in ata_sff_qc_issue() From: Tejun Heo <tj(a)kernel.org> [ Upstream commit 0580b762a4d6b70817476b90042813f8573283fa ] ata_sff_qc_issue() expects upper layers to never issue commands on a command protocol that it doesn't implement. While the assumption holds fine with the usual IO path, nothing filters based on the command protocol in the passthrough path (which was added later), allowing the warning to be tripped with a passthrough command with the right (well, wrong) protocol. Failing with AC_ERR_SYSTEM is the right thing to do anyway. Remove the unnecessary WARN. Reported-by: Dmitry Vyukov <dvyukov(a)google.com> Link: http://lkml.kernel.org/r/CACT4Y+bXkvevNZU8uP6X0QVqsj6wNoUA_1exfTSOzc+SmUtMO… Signed-off-by: Tejun Heo <tj(a)kernel.org> Signed-off-by: Sasha Levin <alexander.levin(a)verizon.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/ata/libata-sff.c | 1 - 1 file changed, 1 deletion(-) --- a/drivers/ata/libata-sff.c +++ b/drivers/ata/libata-sff.c @@ -1480,7 +1480,6 @@ unsigned int ata_sff_qc_issue(struct ata break; default: - WARN_ON_ONCE(1); return AC_ERR_SYSTEM; } Patches currently in stable-queue which might be from tj(a)kernel.org are queue-3.18/libata-drop-warn-from-protocol-error-in-ata_sff_qc_issue.patch queue-3.18/workqueue-trigger-warn-if-queue_delayed_work-is-called-with-null-wq.patch

7 years, 1 month

1
0
0 0

[Linux-stable-mirror] Patch "KVM: nVMX: reset nested_run_pending if the vCPU is going to be reset" has been added to the 3.18-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled KVM: nVMX: reset nested_run_pending if the vCPU is going to be reset to the 3.18-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: kvm-nvmx-reset-nested_run_pending-if-the-vcpu-is-going-to-be-reset.patch and it can be found in the queue-3.18 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From foo@baz Thu Dec 14 21:30:47 CET 2017 From: Wanpeng Li <wanpeng.li(a)hotmail.com> Date: Mon, 6 Mar 2017 04:03:28 -0800 Subject: KVM: nVMX: reset nested_run_pending if the vCPU is going to be reset From: Wanpeng Li <wanpeng.li(a)hotmail.com> [ Upstream commit 2f707d97982286b307ef2a9b034e19aabc1abb56 ] Reported by syzkaller: WARNING: CPU: 1 PID: 27742 at arch/x86/kvm/vmx.c:11029 nested_vmx_vmexit+0x5c35/0x74d0 arch/x86/kvm/vmx.c:11029 CPU: 1 PID: 27742 Comm: a.out Not tainted 4.10.0+ #229 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:15 [inline] dump_stack+0x2ee/0x3ef lib/dump_stack.c:51 panic+0x1fb/0x412 kernel/panic.c:179 __warn+0x1c4/0x1e0 kernel/panic.c:540 warn_slowpath_null+0x2c/0x40 kernel/panic.c:583 nested_vmx_vmexit+0x5c35/0x74d0 arch/x86/kvm/vmx.c:11029 vmx_leave_nested arch/x86/kvm/vmx.c:11136 [inline] vmx_set_msr+0x1565/0x1910 arch/x86/kvm/vmx.c:3324 kvm_set_msr+0xd4/0x170 arch/x86/kvm/x86.c:1099 do_set_msr+0x11e/0x190 arch/x86/kvm/x86.c:1128 __msr_io arch/x86/kvm/x86.c:2577 [inline] msr_io+0x24b/0x450 arch/x86/kvm/x86.c:2614 kvm_arch_vcpu_ioctl+0x35b/0x46a0 arch/x86/kvm/x86.c:3497 kvm_vcpu_ioctl+0x232/0x1120 arch/x86/kvm/../../../virt/kvm/kvm_main.c:2721 vfs_ioctl fs/ioctl.c:43 [inline] do_vfs_ioctl+0x1bf/0x1790 fs/ioctl.c:683 SYSC_ioctl fs/ioctl.c:698 [inline] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:689 entry_SYSCALL_64_fastpath+0x1f/0xc2 The syzkaller folks reported a nested_run_pending warning during userspace clear VMX capability which is exposed to L1 before. The warning gets thrown while doing (*(uint32_t*)0x20aecfe8 = (uint32_t)0x1); (*(uint32_t*)0x20aecfec = (uint32_t)0x0); (*(uint32_t*)0x20aecff0 = (uint32_t)0x3a); (*(uint32_t*)0x20aecff4 = (uint32_t)0x0); (*(uint64_t*)0x20aecff8 = (uint64_t)0x0); r[29] = syscall(__NR_ioctl, r[4], 0x4008ae89ul, 0x20aecfe8ul, 0, 0, 0, 0, 0, 0); i.e. KVM_SET_MSR ioctl with struct kvm_msrs { .nmsrs = 1, .pad = 0, .entries = { {.index = MSR_IA32_FEATURE_CONTROL, .reserved = 0, .data = 0} } } The VMLANCH/VMRESUME emulation should be stopped since the CPU is going to reset here. This patch resets the nested_run_pending since the CPU is going to be reset hence there should be nothing pending. Reported-by: Dmitry Vyukov <dvyukov(a)google.com> Suggested-by: Radim Krčmář <rkrcmar(a)redhat.com> Cc: Paolo Bonzini <pbonzini(a)redhat.com> Cc: Radim Krčmář <rkrcmar(a)redhat.com> Cc: Dmitry Vyukov <dvyukov(a)google.com> Cc: David Hildenbrand <david(a)redhat.com> Signed-off-by: Wanpeng Li <wanpeng.li(a)hotmail.com> Reviewed-by: David Hildenbrand <david(a)redhat.com> Reviewed-by: Jim Mattson <jmattson(a)google.com> Signed-off-by: Radim Krčmář <rkrcmar(a)redhat.com> Signed-off-by: Sasha Levin <alexander.levin(a)verizon.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- arch/x86/kvm/vmx.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/arch/x86/kvm/vmx.c +++ b/arch/x86/kvm/vmx.c @@ -9086,8 +9086,10 @@ static void nested_vmx_vmexit(struct kvm */ static void vmx_leave_nested(struct kvm_vcpu *vcpu) { - if (is_guest_mode(vcpu)) + if (is_guest_mode(vcpu)) { + to_vmx(vcpu)->nested.nested_run_pending = 0; nested_vmx_vmexit(vcpu, -1, 0, 0); + } free_nested(to_vmx(vcpu)); } Patches currently in stable-queue which might be from wanpeng.li(a)hotmail.com are queue-3.18/kvm-nvmx-reset-nested_run_pending-if-the-vcpu-is-going-to-be-reset.patch

7 years, 1 month

1
0
0 0

[Linux-stable-mirror] Patch "ipv6: reorder icmpv6_init() and ip6_mr_init()" has been added to the 3.18-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled ipv6: reorder icmpv6_init() and ip6_mr_init() to the 3.18-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: ipv6-reorder-icmpv6_init-and-ip6_mr_init.patch and it can be found in the queue-3.18 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From foo@baz Thu Dec 14 21:30:47 CET 2017 From: WANG Cong <xiyou.wangcong(a)gmail.com> Date: Sun, 5 Mar 2017 12:34:53 -0800 Subject: ipv6: reorder icmpv6_init() and ip6_mr_init() From: WANG Cong <xiyou.wangcong(a)gmail.com> [ Upstream commit 15e668070a64bb97f102ad9cf3bccbca0545cda8 ] Andrey reported the following kernel crash: kasan: GPF could be caused by NULL-ptr deref or user memory access general protection fault: 0000 [#1] SMP KASAN Dumping ftrace buffer: (ftrace buffer empty) Modules linked in: CPU: 0 PID: 14446 Comm: syz-executor6 Not tainted 4.10.0+ #82 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 task: ffff88001f311700 task.stack: ffff88001f6e8000 RIP: 0010:ip6mr_sk_done+0x15a/0x3d0 net/ipv6/ip6mr.c:1618 RSP: 0018:ffff88001f6ef418 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: 1ffff10003edde8c RCX: ffffc900043ee000 RDX: 0000000000000004 RSI: ffffffff83e3b3f8 RDI: 0000000000000020 RBP: ffff88001f6ef508 R08: fffffbfff0dcc5d8 R09: 0000000000000000 R10: ffffffff86e62ec0 R11: 0000000000000000 R12: 0000000000000000 R13: 0000000000000000 R14: ffff88001f6ef4e0 R15: ffff8800380a0040 FS: 00007f7a52cec700(0000) GS:ffff88003ec00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000061c500 CR3: 000000001f1ae000 CR4: 00000000000006f0 DR0: 0000000020000000 DR1: 0000000020000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600 Call Trace: rawv6_close+0x4c/0x80 net/ipv6/raw.c:1217 inet_release+0xed/0x1c0 net/ipv4/af_inet.c:425 inet6_release+0x50/0x70 net/ipv6/af_inet6.c:432 sock_release+0x8d/0x1e0 net/socket.c:597 __sock_create+0x39d/0x880 net/socket.c:1226 sock_create_kern+0x3f/0x50 net/socket.c:1243 inet_ctl_sock_create+0xbb/0x280 net/ipv4/af_inet.c:1526 icmpv6_sk_init+0x163/0x500 net/ipv6/icmp.c:954 ops_init+0x10a/0x550 net/core/net_namespace.c:115 setup_net+0x261/0x660 net/core/net_namespace.c:291 copy_net_ns+0x27e/0x540 net/core/net_namespace.c:396 9pnet_virtio: no channels available for device ./file1 create_new_namespaces+0x437/0x9b0 kernel/nsproxy.c:106 unshare_nsproxy_namespaces+0xae/0x1e0 kernel/nsproxy.c:205 SYSC_unshare kernel/fork.c:2281 [inline] SyS_unshare+0x64e/0x1000 kernel/fork.c:2231 entry_SYSCALL_64_fastpath+0x1f/0xc2 This is because net->ipv6.mr6_tables is not initialized at that point, ip6mr_rules_init() is not called yet, therefore on the error path when we iterator the list, we trigger this oops. Fix this by reordering ip6mr_rules_init() before icmpv6_sk_init(). Reported-by: Andrey Konovalov <andreyknvl(a)google.com> Signed-off-by: Cong Wang <xiyou.wangcong(a)gmail.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Sasha Levin <alexander.levin(a)verizon.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- net/ipv6/af_inet6.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) --- a/net/ipv6/af_inet6.c +++ b/net/ipv6/af_inet6.c @@ -887,12 +887,12 @@ static int __init inet6_init(void) err = register_pernet_subsys(&inet6_net_ops); if (err) goto register_pernet_fail; - err = icmpv6_init(); - if (err) - goto icmp_fail; err = ip6_mr_init(); if (err) goto ipmr_fail; + err = icmpv6_init(); + if (err) + goto icmp_fail; err = ndisc_init(); if (err) goto ndisc_fail; @@ -1010,10 +1010,10 @@ igmp_fail: ndisc_cleanup(); ndisc_fail: ip6_mr_cleanup(); -ipmr_fail: - icmpv6_cleanup(); icmp_fail: unregister_pernet_subsys(&inet6_net_ops); +ipmr_fail: + icmpv6_cleanup(); register_pernet_fail: sock_unregister(PF_INET6); rtnl_unregister_all(PF_INET6); Patches currently in stable-queue which might be from xiyou.wangcong(a)gmail.com are queue-3.18/ipv6-reorder-icmpv6_init-and-ip6_mr_init.patch

7 years, 1 month

1
0
0 0

[Linux-stable-mirror] Patch "irqchip/crossbar: Fix incorrect type of register size" has been added to the 3.18-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled irqchip/crossbar: Fix incorrect type of register size to the 3.18-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: irqchip-crossbar-fix-incorrect-type-of-register-size.patch and it can be found in the queue-3.18 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From foo@baz Thu Dec 14 21:30:47 CET 2017 From: Franck Demathieu <fdemathieu(a)gmail.com> Date: Mon, 6 Mar 2017 14:41:06 +0100 Subject: irqchip/crossbar: Fix incorrect type of register size From: Franck Demathieu <fdemathieu(a)gmail.com> [ Upstream commit 4b9de5da7e120c7f02395da729f0ec77ce7a6044 ] The 'size' variable is unsigned according to the dt-bindings. As this variable is used as integer in other places, create a new variable that allows to fix the following sparse issue (-Wtypesign): drivers/irqchip/irq-crossbar.c:279:52: warning: incorrect type in argument 3 (different signedness) drivers/irqchip/irq-crossbar.c:279:52: expected unsigned int [usertype] *out_value drivers/irqchip/irq-crossbar.c:279:52: got int *<noident> Signed-off-by: Franck Demathieu <fdemathieu(a)gmail.com> Signed-off-by: Marc Zyngier <marc.zyngier(a)arm.com> Signed-off-by: Sasha Levin <alexander.levin(a)verizon.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/irqchip/irq-crossbar.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) --- a/drivers/irqchip/irq-crossbar.c +++ b/drivers/irqchip/irq-crossbar.c @@ -176,7 +176,7 @@ static const struct irq_domain_ops routa static int __init crossbar_of_init(struct device_node *node) { int i, size, reserved = 0; - u32 max = 0, entry; + u32 max = 0, entry, reg_size; const __be32 *irqsr; int ret = -ENOMEM; @@ -253,9 +253,9 @@ static int __init crossbar_of_init(struc if (!cb->register_offsets) goto err_irq_map; - of_property_read_u32(node, "ti,reg-size", &size); + of_property_read_u32(node, "ti,reg-size", &reg_size); - switch (size) { + switch (reg_size) { case 1: cb->write = crossbar_writeb; break; @@ -281,7 +281,7 @@ static int __init crossbar_of_init(struc continue; cb->register_offsets[i] = reserved; - reserved += size; + reserved += reg_size; } of_property_read_u32(node, "ti,irqs-safe-map", &cb->safe_map); Patches currently in stable-queue which might be from fdemathieu(a)gmail.com are queue-3.18/irqchip-crossbar-fix-incorrect-type-of-register-size.patch

7 years, 1 month

1
0
0 0

[Linux-stable-mirror] Patch "IB/mlx5: Assign send CQ and recv CQ of UMR QP" has been added to the 3.18-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled IB/mlx5: Assign send CQ and recv CQ of UMR QP to the 3.18-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: ib-mlx5-assign-send-cq-and-recv-cq-of-umr-qp.patch and it can be found in the queue-3.18 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From foo@baz Thu Dec 14 21:30:47 CET 2017 From: Majd Dibbiny <majd(a)mellanox.com> Date: Mon, 30 Oct 2017 14:23:13 +0200 Subject: IB/mlx5: Assign send CQ and recv CQ of UMR QP From: Majd Dibbiny <majd(a)mellanox.com> [ Upstream commit 31fde034a8bd964a5c7c1a5663fc87a913158db2 ] The UMR's QP is created by calling mlx5_ib_create_qp directly, and therefore the send CQ and the recv CQ on the ibqp weren't assigned. Assign them right after calling the mlx5_ib_create_qp to assure that any access to those pointers will work as expected and won't crash the system as might happen as part of reset flow. Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters") Signed-off-by: Majd Dibbiny <majd(a)mellanox.com> Reviewed-by: Yishai Hadas <yishaih(a)mellanox.com> Signed-off-by: Leon Romanovsky <leon(a)kernel.org> Signed-off-by: Doug Ledford <dledford(a)redhat.com> Signed-off-by: Sasha Levin <alexander.levin(a)verizon.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/infiniband/hw/mlx5/main.c | 2 ++ 1 file changed, 2 insertions(+) --- a/drivers/infiniband/hw/mlx5/main.c +++ b/drivers/infiniband/hw/mlx5/main.c @@ -1099,6 +1099,8 @@ static int create_umr_res(struct mlx5_ib qp->real_qp = qp; qp->uobject = NULL; qp->qp_type = MLX5_IB_QPT_REG_UMR; + qp->send_cq = init_attr->send_cq; + qp->recv_cq = init_attr->recv_cq; attr->qp_state = IB_QPS_INIT; attr->port_num = 1; Patches currently in stable-queue which might be from majd(a)mellanox.com are queue-3.18/ib-mlx5-assign-send-cq-and-recv-cq-of-umr-qp.patch queue-3.18/ib-mlx4-increase-maximal-message-size-under-ud-qp.patch

7 years, 1 month

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror December 2017