July 2019 - Linux-stable-mirror

Backport request for 4.9 99253eb750fd ("ipv6: check sk sk_type and protocol early in ip_mroute_set/getsockopt")

by Salvatore Bonaccorso

Hi As this goes to the 4.9 series according to https://www.kernel.org/doc/html/latest/networking/netdev-FAQ.html#q-are-all… I'm sending it primarily to stable(a)v.k.o but Cc'ing Dave and Xin Long. Could you please apply 99253eb750fd ("ipv6: check sk sk_type and protocol early in ip_mroute_set/getsockopt") to the 4.9 stable series? While 5e1859fbcc3c was done back in 3.8-rc1, 99253eb750fd from 4.11-rc1 was not backported to older stable series itself, where it is needed as well. Only checked if applicable without change in 4.9, but the fix should probably go as well to the 4.4 and 3.16. Regards, Salvatore

6 years, 1 month

2
1
0 0

[PATCH v5 07/29] ceph: fix compat_ioctl for ceph_dir_operations

by Arnd Bergmann

The ceph_ioctl function is used both for files and directories, but only the files support doing that in 32-bit compat mode. For consistency, add the same compat handler to the dir operations as well, and use a handler that applies the appropriate compat_ptr() conversion. Reviewed-by: "Yan, Zheng" <zyan(a)redhat.com> Cc: stable(a)vger.kernel.org Signed-off-by: Arnd Bergmann <arnd(a)arndb.de> --- fs/ceph/dir.c | 1 + fs/ceph/file.c | 2 +- fs/ceph/super.h | 10 ++++++++++ 3 files changed, 12 insertions(+), 1 deletion(-) diff --git a/fs/ceph/dir.c b/fs/ceph/dir.c index 4ca0b8ff9a72..401c17d36b71 100644 --- a/fs/ceph/dir.c +++ b/fs/ceph/dir.c @@ -1808,6 +1808,7 @@ const struct file_operations ceph_dir_fops = { .open = ceph_open, .release = ceph_release, .unlocked_ioctl = ceph_ioctl, + .compat_ioctl = ceph_compat_ioctl, .fsync = ceph_fsync, .lock = ceph_lock, .flock = ceph_flock, diff --git a/fs/ceph/file.c b/fs/ceph/file.c index 685a03cc4b77..99712b6b1ad5 100644 --- a/fs/ceph/file.c +++ b/fs/ceph/file.c @@ -2138,7 +2138,7 @@ const struct file_operations ceph_file_fops = { .splice_read = generic_file_splice_read, .splice_write = iter_file_splice_write, .unlocked_ioctl = ceph_ioctl, - .compat_ioctl = ceph_ioctl, + .compat_ioctl = ceph_compat_ioctl, .fallocate = ceph_fallocate, .copy_file_range = ceph_copy_file_range, }; diff --git a/fs/ceph/super.h b/fs/ceph/super.h index d2352fd95dbc..0aebccd48fa0 100644 --- a/fs/ceph/super.h +++ b/fs/ceph/super.h @@ -6,6 +6,7 @@ #include <asm/unaligned.h> #include <linux/backing-dev.h> +#include <linux/compat.h> #include <linux/completion.h> #include <linux/exportfs.h> #include <linux/fs.h> @@ -1108,6 +1109,15 @@ extern void ceph_readdir_cache_release(struct ceph_readdir_cache_control *ctl); /* ioctl.c */ extern long ceph_ioctl(struct file *file, unsigned int cmd, unsigned long arg); +static inline long +ceph_compat_ioctl(struct file *file, unsigned int cmd, unsigned long arg) +{ +#ifdef CONFIG_COMPAT + return ceph_ioctl(file, cmd, (unsigned long)compat_ptr(arg)); +#else + return -ENOTTY; +#endif +} /* export.c */ extern const struct export_operations ceph_export_ops; -- 2.20.0

6 years, 1 month

1
0
0 0

[PATCH stable v5.2] drm/i915/vbt: Fix VBT parsing for the PSR section

by Dhinakaran Pandiyan

A single 32-bit PSR2 training pattern field follows the sixteen element array of PSR table entries in the VBT spec. But, we incorrectly define this PSR2 field for each of the PSR table entries. As a result, the PSR1 training pattern duration for any panel_type != 0 will be parsed incorrectly. Secondly, PSR2 training pattern durations for VBTs with bdb version >= 226 will also be wrong. Cc: Rodrigo Vivi <rodrigo.vivi(a)intel.com> Cc: José Roberto de Souza <jose.souza(a)intel.com> Cc: stable(a)vger.kernel.org Cc: stable(a)vger.kernel.org #v5.2 Fixes: 88a0d9606aff ("drm/i915/vbt: Parse and use the new field with PSR2 TP2/3 wakeup time") Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=111088 Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=204183 Signed-off-by: Dhinakaran Pandiyan <dhinakaran.pandiyan(a)intel.com> Reviewed-by: Ville Syrjälä <ville.syrjala(a)linux.intel.com> Reviewed-by: José Roberto de Souza <jose.souza(a)intel.com> Acked-by: Rodrigo Vivi <rodrigo.vivi(a)intel.com> Tested-by: François Guerraz <kubrick(a)fgv6.net> Signed-off-by: Rodrigo Vivi <rodrigo.vivi(a)intel.com> Link: https://patchwork.freedesktop.org/patch/msgid/20190717223451.2595-1-dhinaka… (cherry picked from commit b5ea9c9337007d6e700280c8a60b4e10d070fb53) --- drivers/gpu/drm/i915/intel_bios.c | 2 +- drivers/gpu/drm/i915/intel_vbt_defs.h | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/gpu/drm/i915/intel_bios.c b/drivers/gpu/drm/i915/intel_bios.c index 1dc8d03ff127..ee6fa75d65a2 100644 --- a/drivers/gpu/drm/i915/intel_bios.c +++ b/drivers/gpu/drm/i915/intel_bios.c @@ -762,7 +762,7 @@ parse_psr(struct drm_i915_private *dev_priv, const struct bdb_header *bdb) } if (bdb->version >= 226) { - u32 wakeup_time = psr_table->psr2_tp2_tp3_wakeup_time; + u32 wakeup_time = psr->psr2_tp2_tp3_wakeup_time; wakeup_time = (wakeup_time >> (2 * panel_type)) & 0x3; switch (wakeup_time) { diff --git a/drivers/gpu/drm/i915/intel_vbt_defs.h b/drivers/gpu/drm/i915/intel_vbt_defs.h index fdbbb9a53804..796c070bbe6f 100644 --- a/drivers/gpu/drm/i915/intel_vbt_defs.h +++ b/drivers/gpu/drm/i915/intel_vbt_defs.h @@ -772,13 +772,13 @@ struct psr_table { /* TP wake up time in multiple of 100 */ u16 tp1_wakeup_time; u16 tp2_tp3_wakeup_time; - - /* PSR2 TP2/TP3 wakeup time for 16 panels */ - u32 psr2_tp2_tp3_wakeup_time; } __packed; struct bdb_psr { struct psr_table psr_table[16]; + + /* PSR2 TP2/TP3 wakeup time for 16 panels */ + u32 psr2_tp2_tp3_wakeup_time; } __packed; /* -- 2.17.1

6 years, 1 month

5
10
0 0

+ mm-memcontrol-fix-use-after-free-in-mem_cgroup_iter.patch added to -mm tree

by akpm＠linux-foundation.org

The patch titled Subject: mm/memcontrol.c: fix use after free in mem_cgroup_iter() has been added to the -mm tree. Its filename is mm-memcontrol-fix-use-after-free-in-mem_cgroup_iter.patch This patch should soon appear at http://ozlabs.org/~akpm/mmots/broken-out/mm-memcontrol-fix-use-after-free-i… and later at http://ozlabs.org/~akpm/mmotm/broken-out/mm-memcontrol-fix-use-after-free-i… Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next and is updated there every 3-4 working days ------------------------------------------------------ From: Miles Chen <miles.chen(a)mediatek.com> Subject: mm/memcontrol.c: fix use after free in mem_cgroup_iter() This patch is sent to report an use after free in mem_cgroup_iter() after merging commit be2657752e9e ("mm: memcg: fix use after free in mem_cgroup_iter()"). I work with android kernel tree (4.9 & 4.14), and commit be2657752e9e ("mm: memcg: fix use after free in mem_cgroup_iter()") has been merged to the trees. However, I can still observe use after free issues addressed in the commit be2657752e9e. (on low-end devices, a few times this month) backtrace: css_tryget <- crash here mem_cgroup_iter shrink_node shrink_zones do_try_to_free_pages try_to_free_pages __perform_reclaim __alloc_pages_direct_reclaim __alloc_pages_slowpath __alloc_pages_nodemask To debug, I poisoned mem_cgroup before freeing it: static void __mem_cgroup_free(struct mem_cgroup *memcg) for_each_node(node) free_mem_cgroup_per_node_info(memcg, node); free_percpu(memcg->stat); + /* poison memcg before freeing it */ + memset(memcg, 0x78, sizeof(struct mem_cgroup)); kfree(memcg); } The coredump shows the position=0xdbbc2a00 is freed. (gdb) p/x ((struct mem_cgroup_per_node *)0xe5009e00)->iter[8] $13 = {position = 0xdbbc2a00, generation = 0x2efd} 0xdbbc2a00: 0xdbbc2e00 0x00000000 0xdbbc2800 0x00000100 0xdbbc2a10: 0x00000200 0x78787878 0x00026218 0x00000000 0xdbbc2a20: 0xdcad6000 0x00000001 0x78787800 0x00000000 0xdbbc2a30: 0x78780000 0x00000000 0x0068fb84 0x78787878 0xdbbc2a40: 0x78787878 0x78787878 0x78787878 0xe3fa5cc0 0xdbbc2a50: 0x78787878 0x78787878 0x00000000 0x00000000 0xdbbc2a60: 0x00000000 0x00000000 0x00000000 0x00000000 0xdbbc2a70: 0x00000000 0x00000000 0x00000000 0x00000000 0xdbbc2a80: 0x00000000 0x00000000 0x00000000 0x00000000 0xdbbc2a90: 0x00000001 0x00000000 0x00000000 0x00100000 0xdbbc2aa0: 0x00000001 0xdbbc2ac8 0x00000000 0x00000000 0xdbbc2ab0: 0x00000000 0x00000000 0x00000000 0x00000000 0xdbbc2ac0: 0x00000000 0x00000000 0xe5b02618 0x00001000 0xdbbc2ad0: 0x00000000 0x78787878 0x78787878 0x78787878 0xdbbc2ae0: 0x78787878 0x78787878 0x78787878 0x78787878 0xdbbc2af0: 0x78787878 0x78787878 0x78787878 0x78787878 0xdbbc2b00: 0x78787878 0x78787878 0x78787878 0x78787878 0xdbbc2b10: 0x78787878 0x78787878 0x78787878 0x78787878 0xdbbc2b20: 0x78787878 0x78787878 0x78787878 0x78787878 0xdbbc2b30: 0x78787878 0x78787878 0x78787878 0x78787878 0xdbbc2b40: 0x78787878 0x78787878 0x78787878 0x78787878 0xdbbc2b50: 0x78787878 0x78787878 0x78787878 0x78787878 0xdbbc2b60: 0x78787878 0x78787878 0x78787878 0x78787878 0xdbbc2b70: 0x78787878 0x78787878 0x78787878 0x78787878 0xdbbc2b80: 0x78787878 0x78787878 0x00000000 0x78787878 0xdbbc2b90: 0x78787878 0x78787878 0x78787878 0x78787878 0xdbbc2ba0: 0x78787878 0x78787878 0x78787878 0x78787878 In the reclaim path, try_to_free_pages() does not setup sc.target_mem_cgroup and sc is passed to do_try_to_free_pages(), ..., shrink_node(). In mem_cgroup_iter(), root is set to root_mem_cgroup because sc->target_mem_cgroup is NULL. It is possible to assign a memcg to root_mem_cgroup.nodeinfo.iter in mem_cgroup_iter(). try_to_free_pages struct scan_control sc = {...}, target_mem_cgroup is 0x0; do_try_to_free_pages shrink_zones shrink_node mem_cgroup *root = sc->target_mem_cgroup; memcg = mem_cgroup_iter(root, NULL, &reclaim); mem_cgroup_iter() if (!root) root = root_mem_cgroup; ... css = css_next_descendant_pre(css, &root->css); memcg = mem_cgroup_from_css(css); cmpxchg(&iter->position, pos, memcg); My device uses memcg non-hierarchical mode. When we release a memcg: invalidate_reclaim_iterators() reaches only dead_memcg and its parents. If non-hierarchical mode is used, invalidate_reclaim_iterators() never reaches root_mem_cgroup. static void invalidate_reclaim_iterators(struct mem_cgroup *dead_memcg) { struct mem_cgroup *memcg = dead_memcg; for (; memcg; memcg = parent_mem_cgroup(memcg) ... } So the use after free scenario looks like: CPU1 CPU2 try_to_free_pages do_try_to_free_pages shrink_zones shrink_node mem_cgroup_iter() if (!root) root = root_mem_cgroup; ... css = css_next_descendant_pre(css, &root->css); memcg = mem_cgroup_from_css(css); cmpxchg(&iter->position, pos, memcg); invalidate_reclaim_iterators(memcg); ... __mem_cgroup_free() kfree(memcg); try_to_free_pages do_try_to_free_pages shrink_zones shrink_node mem_cgroup_iter() if (!root) root = root_mem_cgroup; ... mz = mem_cgroup_nodeinfo(root, reclaim->pgdat->node_id); iter = &mz->iter[reclaim->priority]; pos = READ_ONCE(iter->position); css_tryget(&pos->css) <- use after free To avoid this, we should also invalidate root_mem_cgroup.nodeinfo.iter in invalidate_reclaim_iterators(). Link: http://lkml.kernel.org/r/20190730015729.4406-1-miles.chen@mediatek.com Fixes: 5ac8fb31ad2e ("mm: memcontrol: convert reclaim iterator to simple css refcounting") Signed-off-by: Miles Chen <miles.chen(a)mediatek.com> Acked-by: Michal Hocko <mhocko(a)suse.com> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Cc: Vladimir Davydov <vdavydov.dev(a)gmail.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/memcontrol.c | 39 +++++++++++++++++++++++++++++---------- 1 file changed, 29 insertions(+), 10 deletions(-) --- a/mm/memcontrol.c~mm-memcontrol-fix-use-after-free-in-mem_cgroup_iter +++ a/mm/memcontrol.c @@ -1130,26 +1130,45 @@ void mem_cgroup_iter_break(struct mem_cg css_put(&prev->css); } -static void invalidate_reclaim_iterators(struct mem_cgroup *dead_memcg) +static void __invalidate_reclaim_iterators(struct mem_cgroup *from, + struct mem_cgroup *dead_memcg) { - struct mem_cgroup *memcg = dead_memcg; struct mem_cgroup_reclaim_iter *iter; struct mem_cgroup_per_node *mz; int nid; int i; - for (; memcg; memcg = parent_mem_cgroup(memcg)) { - for_each_node(nid) { - mz = mem_cgroup_nodeinfo(memcg, nid); - for (i = 0; i <= DEF_PRIORITY; i++) { - iter = &mz->iter[i]; - cmpxchg(&iter->position, - dead_memcg, NULL); - } + for_each_node(nid) { + mz = mem_cgroup_nodeinfo(from, nid); + for (i = 0; i <= DEF_PRIORITY; i++) { + iter = &mz->iter[i]; + cmpxchg(&iter->position, + dead_memcg, NULL); } } } +static void invalidate_reclaim_iterators(struct mem_cgroup *dead_memcg) +{ + struct mem_cgroup *memcg = dead_memcg; + struct mem_cgroup *last; + + do { + __invalidate_reclaim_iterators(memcg, dead_memcg); + last = memcg; + } while (memcg = parent_mem_cgroup(memcg)); + + /* + * When cgruop1 non-hierarchy mode is used, + * parent_mem_cgroup() does not walk all the way up to the + * cgroup root (root_mem_cgroup). So we have to handle + * dead_memcg from cgroup root separately. + */ + if (last != root_mem_cgroup) + __invalidate_reclaim_iterators(root_mem_cgroup, + dead_memcg); +} + /** * mem_cgroup_scan_tasks - iterate over tasks of a memory cgroup hierarchy * @memcg: hierarchy root _ Patches currently in -mm which might be from miles.chen(a)mediatek.com are mm-memcontrol-fix-use-after-free-in-mem_cgroup_iter.patch

6 years, 1 month

1
0
0 0

[PATCH v2] mpt3sas: Use 63-bit DMA addressing on SAS35 HBA

by Suganath Prabu

Although SAS3 & SAS3.5 IT HBA controllers support 64-bit DMA addressing, as per hardware design, if DMA able range contains all 64-bits set (0xFFFFFFFF-FFFFFFFF) then it results in a firmware fault. e.g. SGE's start address is 0xFFFFFFFF-FFFF000 and data length is 0x1000 bytes. when HBA tries to DMA the data at 0xFFFFFFFF-FFFFFFFF location then HBA will fault the firmware. Fix: Driver will set 63-bit DMA mask to ensure the above address will not be used. Cc: <stable(a)vger.kernel.org> # 5.1.20+ Signed-off-by: Suganath Prabu <suganath-prabu.subramani(a)broadcom.com> Reviewed-by: Christoph Hellwig <hch(a)lst.de> --- V1 Change: Added tag for stable tree V2 Change: Updated patch description. drivers/scsi/mpt3sas/mpt3sas_base.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/drivers/scsi/mpt3sas/mpt3sas_base.c b/drivers/scsi/mpt3sas/mpt3sas_base.c index 6846628..050c0f0 100644 --- a/drivers/scsi/mpt3sas/mpt3sas_base.c +++ b/drivers/scsi/mpt3sas/mpt3sas_base.c @@ -2703,6 +2703,8 @@ _base_config_dma_addressing(struct MPT3SAS_ADAPTER *ioc, struct pci_dev *pdev) { u64 required_mask, coherent_mask; struct sysinfo s; + /* Set 63 bit DMA mask for all SAS3 and SAS35 controllers */ + int dma_mask = (ioc->hba_mpi_version_belonged > MPI2_VERSION) ? 63 : 64; if (ioc->is_mcpu_endpoint) goto try_32bit; @@ -2712,17 +2714,17 @@ _base_config_dma_addressing(struct MPT3SAS_ADAPTER *ioc, struct pci_dev *pdev) goto try_32bit; if (ioc->dma_mask) - coherent_mask = DMA_BIT_MASK(64); + coherent_mask = DMA_BIT_MASK(dma_mask); else coherent_mask = DMA_BIT_MASK(32); - if (dma_set_mask(&pdev->dev, DMA_BIT_MASK(64)) || + if (dma_set_mask(&pdev->dev, DMA_BIT_MASK(dma_mask)) || dma_set_coherent_mask(&pdev->dev, coherent_mask)) goto try_32bit; ioc->base_add_sg_single = &_base_add_sg_single_64; ioc->sge_size = sizeof(Mpi2SGESimple64_t); - ioc->dma_mask = 64; + ioc->dma_mask = dma_mask; goto out; try_32bit: @@ -2744,7 +2746,7 @@ static int _base_change_consistent_dma_mask(struct MPT3SAS_ADAPTER *ioc, struct pci_dev *pdev) { - if (pci_set_consistent_dma_mask(pdev, DMA_BIT_MASK(64))) { + if (pci_set_consistent_dma_mask(pdev, DMA_BIT_MASK(ioc->dma_mask))) { if (pci_set_consistent_dma_mask(pdev, DMA_BIT_MASK(32))) return -ENODEV; } @@ -4989,7 +4991,7 @@ _base_allocate_memory_pools(struct MPT3SAS_ADAPTER *ioc) total_sz += sz; } while (ioc->rdpq_array_enable && (++i < ioc->reply_queue_count)); - if (ioc->dma_mask == 64) { + if (ioc->dma_mask > 32) { if (_base_change_consistent_dma_mask(ioc, ioc->pdev) != 0) { ioc_warn(ioc, "no suitable consistent DMA mask for %s\n", pci_name(ioc->pdev)); -- 1.8.3.1

6 years, 1 month

2
1
0 0

[PATCH] kbuild: initialize CLANG_FLAGS correctly in the top Makefile

by Masahiro Yamada

CLANG_FLAGS is initialized by the following line: CLANG_FLAGS := --target=$(notdir $(CROSS_COMPILE:%-=%)) ..., which is run only when CROSS_COMPILE is set. Some build targets (bindeb-pkg etc.) recurse to the top Makefile. When you build the kernel with Clang but without CROSS_COMPILE, the same compiler flags such as -no-integrated-as are accumulated into CLANG_FLAGS. If you run 'make CC=clang' and then 'make CC=clang bindeb-pkg', Kbuild will recompile everything needlessly due to the build command change. Fix this by correctly initializing CLANG_FLAGS. Fixes: 238bcbc4e07f ("kbuild: consolidate Clang compiler flags") Cc: <stable(a)vger.kernel.org> # v4.20+ Signed-off-by: Masahiro Yamada <yamada.masahiro(a)socionext.com> --- Makefile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile index fa0fbe7851ea..5ee6f6889869 100644 --- a/Makefile +++ b/Makefile @@ -472,6 +472,7 @@ KBUILD_CFLAGS_MODULE := -DMODULE KBUILD_LDFLAGS_MODULE := -T $(srctree)/scripts/module-common.lds KBUILD_LDFLAGS := GCC_PLUGINS_CFLAGS := +CLANG_FLAGS := export ARCH SRCARCH CONFIG_SHELL HOSTCC KBUILD_HOSTCFLAGS CROSS_COMPILE AS LD CC export CPP AR NM STRIP OBJCOPY OBJDUMP PAHOLE KBUILD_HOSTLDFLAGS KBUILD_HOSTLDLIBS @@ -519,7 +520,7 @@ endif ifneq ($(shell $(CC) --version 2>&1 | head -n 1 | grep clang),) ifneq ($(CROSS_COMPILE),) -CLANG_FLAGS := --target=$(notdir $(CROSS_COMPILE:%-=%)) +CLANG_FLAGS += --target=$(notdir $(CROSS_COMPILE:%-=%)) GCC_TOOLCHAIN_DIR := $(dir $(shell which $(CROSS_COMPILE)elfedit)) CLANG_FLAGS += --prefix=$(GCC_TOOLCHAIN_DIR) GCC_TOOLCHAIN := $(realpath $(GCC_TOOLCHAIN_DIR)/..) -- 2.17.1

6 years, 1 month

3
4
0 0

[PATCH 1/4] kbuild: modpost: include .*.cmd files only when targets exist

by Masahiro Yamada

A build rule fails, the .DELETE_ON_ERROR special target removes the target, but does nothing for the .*.cmd file, which might be corrupted. So, .*.cmd files should be included only when the corresponding targets exist. Commit 392885ee82d3 ("kbuild: let fixdep directly write to .*.cmd files") missed to fix up this file. Fixes: 392885ee82d3 ("kbuild: let fixdep directly write to .*.cmd") Cc: <stable(a)vger.kernel.org> # v5.0+ Signed-off-by: Masahiro Yamada <yamada.masahiro(a)socionext.com> --- scripts/Makefile.modpost | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/scripts/Makefile.modpost b/scripts/Makefile.modpost index 6b19c1a4eae5..ad4b9829a456 100644 --- a/scripts/Makefile.modpost +++ b/scripts/Makefile.modpost @@ -145,10 +145,8 @@ FORCE: # optimization, we don't need to read them if the target does not # exist, we will rebuild anyway in that case. -cmd_files := $(wildcard $(foreach f,$(sort $(targets)),$(dir $(f)).$(notdir $(f)).cmd)) +existing-targets := $(wildcard $(sort $(targets))) -ifneq ($(cmd_files),) - include $(cmd_files) -endif +-include $(foreach f,$(existing-targets),$(dir $(f)).$(notdir $(f)).cmd) .PHONY: $(PHONY) -- 2.17.1

6 years, 1 month

1
0
0 0

[PATCH v2] drm: mali-dp: Mark expected switch fall-through

by Anders Roxell

Now that -Wimplicit-fallthrough is passed to GCC by default, the following warnings shows up: ../drivers/gpu/drm/arm/malidp_hw.c: In function ‘malidp_format_get_bpp’: ../drivers/gpu/drm/arm/malidp_hw.c:387:8: warning: this statement may fall through [-Wimplicit-fallthrough=] bpp = 30; ~~~~^~~~ ../drivers/gpu/drm/arm/malidp_hw.c:388:3: note: here case DRM_FORMAT_YUV420_10BIT: ^~~~ ../drivers/gpu/drm/arm/malidp_hw.c: In function ‘malidp_se_irq’: ../drivers/gpu/drm/arm/malidp_hw.c:1311:4: warning: this statement may fall through [-Wimplicit-fallthrough=] drm_writeback_signal_completion(&malidp->mw_connector, 0); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ../drivers/gpu/drm/arm/malidp_hw.c:1313:3: note: here case MW_START: ^~~~ Rework to add a 'break;' in a case that didn't have it so that the compiler doesn't warn about fall-through. Cc: stable(a)vger.kernel.org # v5.2+ Fixes: b8207562abdd ("drm/arm/malidp: Specified the rotation memory requirements for AFBC YUV formats") Acked-by: Liviu Dudau <liviu.dudau(a)arm.com> Signed-off-by: Anders Roxell <anders.roxell(a)linaro.org> --- drivers/gpu/drm/arm/malidp_hw.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/arm/malidp_hw.c b/drivers/gpu/drm/arm/malidp_hw.c index 50af399d7f6f..380be66d4c6e 100644 --- a/drivers/gpu/drm/arm/malidp_hw.c +++ b/drivers/gpu/drm/arm/malidp_hw.c @@ -385,6 +385,7 @@ int malidp_format_get_bpp(u32 fmt) switch (fmt) { case DRM_FORMAT_VUY101010: bpp = 30; + break; case DRM_FORMAT_YUV420_10BIT: bpp = 15; break; @@ -1309,7 +1310,7 @@ static irqreturn_t malidp_se_irq(int irq, void *arg) break; case MW_RESTART: drm_writeback_signal_completion(&malidp->mw_connector, 0); - /* fall through to a new start */ + /* fall through - to a new start */ case MW_START: /* writeback started, need to emulate one-shot mode */ hw->disable_memwrite(hwdev); -- 2.20.1

6 years, 1 month

1
0
0 0

[PATCH 5.3] mwifiex: fix 802.11n/WPA detection

by Brian Norris

Commit 63d7ef36103d ("mwifiex: Don't abort on small, spec-compliant vendor IEs") adjusted the ieee_types_vendor_header struct, which inadvertently messed up the offsets used in mwifiex_is_wpa_oui_present(). Add that offset back in, mirroring mwifiex_is_rsn_oui_present(). As it stands, commit 63d7ef36103d breaks compatibility with WPA (not WPA2) 802.11n networks, since we hit the "info: Disable 11n if AES is not supported by AP" case in mwifiex_is_network_compatible(). Fixes: 63d7ef36103d ("mwifiex: Don't abort on small, spec-compliant vendor IEs") Cc: <stable(a)vger.kernel.org> Signed-off-by: Brian Norris <briannorris(a)chromium.org> --- drivers/net/wireless/marvell/mwifiex/main.h | 1 + drivers/net/wireless/marvell/mwifiex/scan.c | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/net/wireless/marvell/mwifiex/main.h b/drivers/net/wireless/marvell/mwifiex/main.h index 3e442c7f7882..095837fba300 100644 --- a/drivers/net/wireless/marvell/mwifiex/main.h +++ b/drivers/net/wireless/marvell/mwifiex/main.h @@ -124,6 +124,7 @@ enum { #define MWIFIEX_MAX_TOTAL_SCAN_TIME (MWIFIEX_TIMER_10S - MWIFIEX_TIMER_1S) +#define WPA_GTK_OUI_OFFSET 2 #define RSN_GTK_OUI_OFFSET 2 #define MWIFIEX_OUI_NOT_PRESENT 0 diff --git a/drivers/net/wireless/marvell/mwifiex/scan.c b/drivers/net/wireless/marvell/mwifiex/scan.c index 0d6d41727037..21dda385f6c6 100644 --- a/drivers/net/wireless/marvell/mwifiex/scan.c +++ b/drivers/net/wireless/marvell/mwifiex/scan.c @@ -181,7 +181,8 @@ mwifiex_is_wpa_oui_present(struct mwifiex_bssdescriptor *bss_desc, u32 cipher) u8 ret = MWIFIEX_OUI_NOT_PRESENT; if (has_vendor_hdr(bss_desc->bcn_wpa_ie, WLAN_EID_VENDOR_SPECIFIC)) { - iebody = (struct ie_body *) bss_desc->bcn_wpa_ie->data; + iebody = (struct ie_body *)((u8 *)bss_desc->bcn_wpa_ie->data + + WPA_GTK_OUI_OFFSET); oui = &mwifiex_wpa_oui[cipher][0]; ret = mwifiex_search_oui_in_ie(iebody, oui); if (ret) -- 2.22.0.657.g960e92d24f-goog

6 years, 1 month

4
6
0 0

Re: [Xen-devel] [PATCH v4 8/9] xen/gntdev.c: Convert to use vm_map_pages()

by Souptick Joarder

On Tue, Jul 30, 2019 at 7:52 PM Marek Marczykowski-Górecki <marmarek(a)invisiblethingslab.com> wrote: > > On Tue, Jul 30, 2019 at 10:05:42AM -0400, Boris Ostrovsky wrote: > > On 7/30/19 2:03 AM, Souptick Joarder wrote: > > > On Mon, Jul 29, 2019 at 7:06 PM Marek Marczykowski-Górecki > > > <marmarek(a)invisiblethingslab.com> wrote: > > >> On Mon, Jul 29, 2019 at 02:02:54PM +0530, Souptick Joarder wrote: > > >>> On Mon, Jul 29, 2019 at 1:35 PM Souptick Joarder <jrdr.linux(a)gmail.com> wrote: > > >>>> On Sun, Jul 28, 2019 at 11:36 PM Marek Marczykowski-Górecki > > >>>> <marmarek(a)invisiblethingslab.com> wrote: > > >>>>> On Fri, Feb 15, 2019 at 08:18:31AM +0530, Souptick Joarder wrote: > > >>>>>> Convert to use vm_map_pages() to map range of kernel > > >>>>>> memory to user vma. > > >>>>>> > > >>>>>> map->count is passed to vm_map_pages() and internal API > > >>>>>> verify map->count against count ( count = vma_pages(vma)) > > >>>>>> for page array boundary overrun condition. > > >>>>> This commit breaks gntdev driver. If vma->vm_pgoff > 0, vm_map_pages > > >>>>> will: > > >>>>> - use map->pages starting at vma->vm_pgoff instead of 0 > > >>>> The actual code ignores vma->vm_pgoff > 0 scenario and mapped > > >>>> the entire map->pages[i]. Why the entire map->pages[i] needs to be mapped > > >>>> if vma->vm_pgoff > 0 (in original code) ? > > >> vma->vm_pgoff is used as index passed to gntdev_find_map_index. It's > > >> basically (ab)using this parameter for "which grant reference to map". > > >> > > >>>> are you referring to set vma->vm_pgoff = 0 irrespective of value passed > > >>>> from user space ? If yes, using vm_map_pages_zero() is an alternate > > >>>> option. > > >> Yes, that should work. > > > I prefer to use vm_map_pages_zero() to resolve both the issues. Alternatively > > > the patch can be reverted as you suggested. Let me know you opinion and wait > > > for feedback from others. > > > > > > Boris, would you like to give any feedback ? > > > > vm_map_pages_zero() looks good to me. Marek, does it work for you? > > Yes, replacing vm_map_pages() with vm_map_pages_zero() fixes the > problem for me. Marek, I can send a patch for the same if you are ok. We need to cc stable as this changes are available in 5.2.4. > > -- > Best Regards, > Marek Marczykowski-Górecki > Invisible Things Lab > A: Because it messes up the order in which people normally read text. > Q: Why is top-posting such a bad thing?

6 years, 1 month

2
1
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror July 2019