- Linux-stable-mirror - lists.linaro.org

[Linux-stable-mirror] Patch "can: mcba_usb: cancel urb on -EPROTO" has been added to the 4.14-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled can: mcba_usb: cancel urb on -EPROTO to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: can-mcba_usb-cancel-urb-on-eproto.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From c7f33023308f3142433b7379718af5f0c2c322a6 Mon Sep 17 00:00:00 2001 From: Martin Kelly <mkelly(a)xevo.com> Date: Tue, 5 Dec 2017 10:34:03 -0800 Subject: can: mcba_usb: cancel urb on -EPROTO From: Martin Kelly <mkelly(a)xevo.com> commit c7f33023308f3142433b7379718af5f0c2c322a6 upstream. When we unplug the device, we can see both -EPIPE and -EPROTO depending on exact timing and what system we run on. If we continue to resubmit URBs, they will immediately fail, and they can cause stalls, especially on slower CPUs. Fix this by not resubmitting on -EPROTO, as we already do on -EPIPE. Signed-off-by: Martin Kelly <mkelly(a)xevo.com> Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/net/can/usb/mcba_usb.c | 1 + 1 file changed, 1 insertion(+) --- a/drivers/net/can/usb/mcba_usb.c +++ b/drivers/net/can/usb/mcba_usb.c @@ -593,6 +593,7 @@ static void mcba_usb_read_bulk_callback( case -ENOENT: case -EPIPE: + case -EPROTO: case -ESHUTDOWN: return; Patches currently in stable-queue which might be from mkelly(a)xevo.com are queue-4.14/can-ems_usb-cancel-urb-on-epipe-and-eproto.patch queue-4.14/can-mcba_usb-fix-device-disconnect-bug.patch queue-4.14/can-esd_usb2-cancel-urb-on-epipe-and-eproto.patch queue-4.14/can-usb_8dev-cancel-urb-on-epipe-and-eproto.patch queue-4.14/can-kvaser_usb-cancel-urb-on-epipe-and-eproto.patch queue-4.14/can-mcba_usb-cancel-urb-on-eproto.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "can: kvaser_usb: ratelimit errors if incomplete messages are received" has been added to the 4.14-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled can: kvaser_usb: ratelimit errors if incomplete messages are received to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: can-kvaser_usb-ratelimit-errors-if-incomplete-messages-are-received.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 8bd13bd522ff7dfa0eb371921aeb417155f7a3be Mon Sep 17 00:00:00 2001 From: Jimmy Assarsson <jimmyassarsson(a)gmail.com> Date: Tue, 21 Nov 2017 08:22:28 +0100 Subject: can: kvaser_usb: ratelimit errors if incomplete messages are received From: Jimmy Assarsson <jimmyassarsson(a)gmail.com> commit 8bd13bd522ff7dfa0eb371921aeb417155f7a3be upstream. Avoid flooding the kernel log with "Formate error", if incomplete message are received. Signed-off-by: Jimmy Assarsson <jimmyassarsson(a)gmail.com> Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/net/can/usb/kvaser_usb.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) --- a/drivers/net/can/usb/kvaser_usb.c +++ b/drivers/net/can/usb/kvaser_usb.c @@ -609,8 +609,8 @@ static int kvaser_usb_wait_msg(const str } if (pos + tmp->len > actual_len) { - dev_err(dev->udev->dev.parent, - "Format error\n"); + dev_err_ratelimited(dev->udev->dev.parent, + "Format error\n"); break; } @@ -1353,7 +1353,8 @@ static void kvaser_usb_read_bulk_callbac } if (pos + msg->len > urb->actual_length) { - dev_err(dev->udev->dev.parent, "Format error\n"); + dev_err_ratelimited(dev->udev->dev.parent, + "Format error\n"); break; } Patches currently in stable-queue which might be from jimmyassarsson(a)gmail.com are queue-4.14/can-kvaser_usb-ratelimit-errors-if-incomplete-messages-are-received.patch queue-4.14/can-kvaser_usb-free-buf-in-error-paths.patch queue-4.14/can-kvaser_usb-fix-comparison-bug-in-kvaser_usb_read_bulk_callback.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "can: kvaser_usb: free buf in error paths" has been added to the 4.14-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled can: kvaser_usb: free buf in error paths to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: can-kvaser_usb-free-buf-in-error-paths.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 435019b48033138581a6171093b181fc6b4d3d30 Mon Sep 17 00:00:00 2001 From: Jimmy Assarsson <jimmyassarsson(a)gmail.com> Date: Tue, 21 Nov 2017 08:22:26 +0100 Subject: can: kvaser_usb: free buf in error paths From: Jimmy Assarsson <jimmyassarsson(a)gmail.com> commit 435019b48033138581a6171093b181fc6b4d3d30 upstream. The allocated buffer was not freed if usb_submit_urb() failed. Signed-off-by: Jimmy Assarsson <jimmyassarsson(a)gmail.com> Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/net/can/usb/kvaser_usb.c | 2 ++ 1 file changed, 2 insertions(+) --- a/drivers/net/can/usb/kvaser_usb.c +++ b/drivers/net/can/usb/kvaser_usb.c @@ -813,6 +813,7 @@ static int kvaser_usb_simple_msg_async(s if (err) { netdev_err(netdev, "Error transmitting URB\n"); usb_unanchor_urb(urb); + kfree(buf); usb_free_urb(urb); return err; } @@ -1768,6 +1769,7 @@ static netdev_tx_t kvaser_usb_start_xmit spin_unlock_irqrestore(&priv->tx_contexts_lock, flags); usb_unanchor_urb(urb); + kfree(buf); stats->tx_dropped++; Patches currently in stable-queue which might be from jimmyassarsson(a)gmail.com are queue-4.14/can-kvaser_usb-ratelimit-errors-if-incomplete-messages-are-received.patch queue-4.14/can-kvaser_usb-free-buf-in-error-paths.patch queue-4.14/can-kvaser_usb-fix-comparison-bug-in-kvaser_usb_read_bulk_callback.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "can: kvaser_usb: Fix comparison bug in kvaser_usb_read_bulk_callback()" has been added to the 4.14-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled can: kvaser_usb: Fix comparison bug in kvaser_usb_read_bulk_callback() to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: can-kvaser_usb-fix-comparison-bug-in-kvaser_usb_read_bulk_callback.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From e84f44eb5523401faeb9cc1c97895b68e3cfb78d Mon Sep 17 00:00:00 2001 From: Jimmy Assarsson <jimmyassarsson(a)gmail.com> Date: Tue, 21 Nov 2017 08:22:27 +0100 Subject: can: kvaser_usb: Fix comparison bug in kvaser_usb_read_bulk_callback() From: Jimmy Assarsson <jimmyassarsson(a)gmail.com> commit e84f44eb5523401faeb9cc1c97895b68e3cfb78d upstream. The conditon in the while-loop becomes true when actual_length is less than 2 (MSG_HEADER_LEN). In best case we end up with a former, already dispatched msg, that got msg->len greater than actual_length. This will result in a "Format error" error printout. Problem seen when unplugging a Kvaser USB device connected to a vbox guest. warning: comparison between signed and unsigned integer expressions [-Wsign-compare] Signed-off-by: Jimmy Assarsson <jimmyassarsson(a)gmail.com> Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/net/can/usb/kvaser_usb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/net/can/usb/kvaser_usb.c +++ b/drivers/net/can/usb/kvaser_usb.c @@ -1334,7 +1334,7 @@ static void kvaser_usb_read_bulk_callbac goto resubmit_urb; } - while (pos <= urb->actual_length - MSG_HEADER_LEN) { + while (pos <= (int)(urb->actual_length - MSG_HEADER_LEN)) { msg = urb->transfer_buffer + pos; /* The Kvaser firmware can only read and write messages that Patches currently in stable-queue which might be from jimmyassarsson(a)gmail.com are queue-4.14/can-kvaser_usb-ratelimit-errors-if-incomplete-messages-are-received.patch queue-4.14/can-kvaser_usb-free-buf-in-error-paths.patch queue-4.14/can-kvaser_usb-fix-comparison-bug-in-kvaser_usb_read_bulk_callback.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "can: kvaser_usb: cancel urb on -EPIPE and -EPROTO" has been added to the 4.14-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled can: kvaser_usb: cancel urb on -EPIPE and -EPROTO to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: can-kvaser_usb-cancel-urb-on-epipe-and-eproto.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 6aa8d5945502baf4687d80de59b7ac865e9e666b Mon Sep 17 00:00:00 2001 From: Martin Kelly <mkelly(a)xevo.com> Date: Tue, 5 Dec 2017 11:15:49 -0800 Subject: can: kvaser_usb: cancel urb on -EPIPE and -EPROTO From: Martin Kelly <mkelly(a)xevo.com> commit 6aa8d5945502baf4687d80de59b7ac865e9e666b upstream. In mcba_usb, we have observed that when you unplug the device, the driver will endlessly resubmit failing URBs, which can cause CPU stalls. This issue is fixed in mcba_usb by catching the codes seen on device disconnect (-EPIPE and -EPROTO). This driver also resubmits in the case of -EPIPE and -EPROTO, so fix it in the same way. Signed-off-by: Martin Kelly <mkelly(a)xevo.com> Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/net/can/usb/kvaser_usb.c | 2 ++ 1 file changed, 2 insertions(+) --- a/drivers/net/can/usb/kvaser_usb.c +++ b/drivers/net/can/usb/kvaser_usb.c @@ -1326,6 +1326,8 @@ static void kvaser_usb_read_bulk_callbac case 0: break; case -ENOENT: + case -EPIPE: + case -EPROTO: case -ESHUTDOWN: return; default: Patches currently in stable-queue which might be from mkelly(a)xevo.com are queue-4.14/can-ems_usb-cancel-urb-on-epipe-and-eproto.patch queue-4.14/can-mcba_usb-fix-device-disconnect-bug.patch queue-4.14/can-esd_usb2-cancel-urb-on-epipe-and-eproto.patch queue-4.14/can-usb_8dev-cancel-urb-on-epipe-and-eproto.patch queue-4.14/can-kvaser_usb-cancel-urb-on-epipe-and-eproto.patch queue-4.14/can-mcba_usb-cancel-urb-on-eproto.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "can: flexcan: fix VF610 state transition issue" has been added to the 4.14-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled can: flexcan: fix VF610 state transition issue to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: can-flexcan-fix-vf610-state-transition-issue.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 29c64b17a0bc72232acc45e9533221d88a262efb Mon Sep 17 00:00:00 2001 From: Marc Kleine-Budde <mkl(a)pengutronix.de> Date: Mon, 27 Nov 2017 09:18:21 +0100 Subject: can: flexcan: fix VF610 state transition issue From: Marc Kleine-Budde <mkl(a)pengutronix.de> commit 29c64b17a0bc72232acc45e9533221d88a262efb upstream. Enable FLEXCAN_QUIRK_BROKEN_PERR_STATE for VF610 to report correct state transitions. Tested-by: Mirza Krak <mirza.krak(a)gmail.com> Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/net/can/flexcan.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) --- a/drivers/net/can/flexcan.c +++ b/drivers/net/can/flexcan.c @@ -189,7 +189,7 @@ * MX35 FlexCAN2 03.00.00.00 no no ? no no * MX53 FlexCAN2 03.00.00.00 yes no no no no * MX6s FlexCAN3 10.00.12.00 yes yes no no yes - * VF610 FlexCAN3 ? no yes ? yes yes? + * VF610 FlexCAN3 ? no yes no yes yes? * * Some SOCs do not have the RX_WARN & TX_WARN interrupt line connected. */ @@ -297,7 +297,8 @@ static const struct flexcan_devtype_data static const struct flexcan_devtype_data fsl_vf610_devtype_data = { .quirks = FLEXCAN_QUIRK_DISABLE_RXFG | FLEXCAN_QUIRK_ENABLE_EACEN_RRS | - FLEXCAN_QUIRK_DISABLE_MECR | FLEXCAN_QUIRK_USE_OFF_TIMESTAMP, + FLEXCAN_QUIRK_DISABLE_MECR | FLEXCAN_QUIRK_USE_OFF_TIMESTAMP | + FLEXCAN_QUIRK_BROKEN_PERR_STATE, }; static const struct can_bittiming_const flexcan_bittiming_const = { Patches currently in stable-queue which might be from mkl(a)pengutronix.de are queue-4.14/can-ems_usb-cancel-urb-on-epipe-and-eproto.patch queue-4.14/can-mcba_usb-fix-device-disconnect-bug.patch queue-4.14/can-peak-pcie_fd-fix-potential-bug-in-restarting-tx-queue.patch queue-4.14/can-flexcan-fix-vf610-state-transition-issue.patch queue-4.14/can-esd_usb2-cancel-urb-on-epipe-and-eproto.patch queue-4.14/can-ti_hecc-fix-napi-poll-return-value-for-repoll.patch queue-4.14/can-usb_8dev-cancel-urb-on-epipe-and-eproto.patch queue-4.14/can-kvaser_usb-cancel-urb-on-epipe-and-eproto.patch queue-4.14/can-mcba_usb-cancel-urb-on-eproto.patch queue-4.14/can-peak-pci-fix-potential-bug-when-probe-fails.patch queue-4.14/can-kvaser_usb-ratelimit-errors-if-incomplete-messages-are-received.patch queue-4.14/can-kvaser_usb-free-buf-in-error-paths.patch queue-4.14/can-kvaser_usb-fix-comparison-bug-in-kvaser_usb_read_bulk_callback.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "can: esd_usb2: cancel urb on -EPIPE and -EPROTO" has been added to the 4.14-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled can: esd_usb2: cancel urb on -EPIPE and -EPROTO to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: can-esd_usb2-cancel-urb-on-epipe-and-eproto.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 7a31ced3de06e9878e4f9c3abe8f87d9344d8144 Mon Sep 17 00:00:00 2001 From: Martin Kelly <mkelly(a)xevo.com> Date: Tue, 5 Dec 2017 11:15:48 -0800 Subject: can: esd_usb2: cancel urb on -EPIPE and -EPROTO From: Martin Kelly <mkelly(a)xevo.com> commit 7a31ced3de06e9878e4f9c3abe8f87d9344d8144 upstream. In mcba_usb, we have observed that when you unplug the device, the driver will endlessly resubmit failing URBs, which can cause CPU stalls. This issue is fixed in mcba_usb by catching the codes seen on device disconnect (-EPIPE and -EPROTO). This driver also resubmits in the case of -EPIPE and -EPROTO, so fix it in the same way. Signed-off-by: Martin Kelly <mkelly(a)xevo.com> Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/net/can/usb/esd_usb2.c | 2 ++ 1 file changed, 2 insertions(+) --- a/drivers/net/can/usb/esd_usb2.c +++ b/drivers/net/can/usb/esd_usb2.c @@ -393,6 +393,8 @@ static void esd_usb2_read_bulk_callback( break; case -ENOENT: + case -EPIPE: + case -EPROTO: case -ESHUTDOWN: return; Patches currently in stable-queue which might be from mkelly(a)xevo.com are queue-4.14/can-ems_usb-cancel-urb-on-epipe-and-eproto.patch queue-4.14/can-mcba_usb-fix-device-disconnect-bug.patch queue-4.14/can-esd_usb2-cancel-urb-on-epipe-and-eproto.patch queue-4.14/can-usb_8dev-cancel-urb-on-epipe-and-eproto.patch queue-4.14/can-kvaser_usb-cancel-urb-on-epipe-and-eproto.patch queue-4.14/can-mcba_usb-cancel-urb-on-eproto.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "can: ems_usb: cancel urb on -EPIPE and -EPROTO" has been added to the 4.14-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled can: ems_usb: cancel urb on -EPIPE and -EPROTO to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: can-ems_usb-cancel-urb-on-epipe-and-eproto.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From bd352e1adfe0d02d3ea7c8e3fb19183dc317e679 Mon Sep 17 00:00:00 2001 From: Martin Kelly <mkelly(a)xevo.com> Date: Tue, 5 Dec 2017 11:15:47 -0800 Subject: can: ems_usb: cancel urb on -EPIPE and -EPROTO From: Martin Kelly <mkelly(a)xevo.com> commit bd352e1adfe0d02d3ea7c8e3fb19183dc317e679 upstream. In mcba_usb, we have observed that when you unplug the device, the driver will endlessly resubmit failing URBs, which can cause CPU stalls. This issue is fixed in mcba_usb by catching the codes seen on device disconnect (-EPIPE and -EPROTO). This driver also resubmits in the case of -EPIPE and -EPROTO, so fix it in the same way. Signed-off-by: Martin Kelly <mkelly(a)xevo.com> Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/net/can/usb/ems_usb.c | 2 ++ 1 file changed, 2 insertions(+) --- a/drivers/net/can/usb/ems_usb.c +++ b/drivers/net/can/usb/ems_usb.c @@ -288,6 +288,8 @@ static void ems_usb_read_interrupt_callb case -ECONNRESET: /* unlink */ case -ENOENT: + case -EPIPE: + case -EPROTO: case -ESHUTDOWN: return; Patches currently in stable-queue which might be from mkelly(a)xevo.com are queue-4.14/can-ems_usb-cancel-urb-on-epipe-and-eproto.patch queue-4.14/can-mcba_usb-fix-device-disconnect-bug.patch queue-4.14/can-esd_usb2-cancel-urb-on-epipe-and-eproto.patch queue-4.14/can-usb_8dev-cancel-urb-on-epipe-and-eproto.patch queue-4.14/can-kvaser_usb-cancel-urb-on-epipe-and-eproto.patch queue-4.14/can-mcba_usb-cancel-urb-on-eproto.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "can: usb_8dev: cancel urb on -EPIPE and -EPROTO" has been added to the 3.18-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled can: usb_8dev: cancel urb on -EPIPE and -EPROTO to the 3.18-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: can-usb_8dev-cancel-urb-on-epipe-and-eproto.patch and it can be found in the queue-3.18 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 12147edc434c9e4c7c2f5fee2e5519b2e5ac34ce Mon Sep 17 00:00:00 2001 From: Martin Kelly <mkelly(a)xevo.com> Date: Tue, 5 Dec 2017 11:15:50 -0800 Subject: can: usb_8dev: cancel urb on -EPIPE and -EPROTO From: Martin Kelly <mkelly(a)xevo.com> commit 12147edc434c9e4c7c2f5fee2e5519b2e5ac34ce upstream. In mcba_usb, we have observed that when you unplug the device, the driver will endlessly resubmit failing URBs, which can cause CPU stalls. This issue is fixed in mcba_usb by catching the codes seen on device disconnect (-EPIPE and -EPROTO). This driver also resubmits in the case of -EPIPE and -EPROTO, so fix it in the same way. Signed-off-by: Martin Kelly <mkelly(a)xevo.com> Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/net/can/usb/usb_8dev.c | 2 ++ 1 file changed, 2 insertions(+) --- a/drivers/net/can/usb/usb_8dev.c +++ b/drivers/net/can/usb/usb_8dev.c @@ -527,6 +527,8 @@ static void usb_8dev_read_bulk_callback( break; case -ENOENT: + case -EPIPE: + case -EPROTO: case -ESHUTDOWN: return; Patches currently in stable-queue which might be from mkelly(a)xevo.com are queue-3.18/can-ems_usb-cancel-urb-on-epipe-and-eproto.patch queue-3.18/can-esd_usb2-cancel-urb-on-epipe-and-eproto.patch queue-3.18/can-usb_8dev-cancel-urb-on-epipe-and-eproto.patch queue-3.18/can-kvaser_usb-cancel-urb-on-epipe-and-eproto.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "can: kvaser_usb: ratelimit errors if incomplete messages are received" has been added to the 3.18-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled can: kvaser_usb: ratelimit errors if incomplete messages are received to the 3.18-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: can-kvaser_usb-ratelimit-errors-if-incomplete-messages-are-received.patch and it can be found in the queue-3.18 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 8bd13bd522ff7dfa0eb371921aeb417155f7a3be Mon Sep 17 00:00:00 2001 From: Jimmy Assarsson <jimmyassarsson(a)gmail.com> Date: Tue, 21 Nov 2017 08:22:28 +0100 Subject: can: kvaser_usb: ratelimit errors if incomplete messages are received From: Jimmy Assarsson <jimmyassarsson(a)gmail.com> commit 8bd13bd522ff7dfa0eb371921aeb417155f7a3be upstream. Avoid flooding the kernel log with "Formate error", if incomplete message are received. Signed-off-by: Jimmy Assarsson <jimmyassarsson(a)gmail.com> Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/net/can/usb/kvaser_usb.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) --- a/drivers/net/can/usb/kvaser_usb.c +++ b/drivers/net/can/usb/kvaser_usb.c @@ -415,8 +415,8 @@ static int kvaser_usb_wait_msg(const str } if (pos + tmp->len > actual_len) { - dev_err(dev->udev->dev.parent, - "Format error\n"); + dev_err_ratelimited(dev->udev->dev.parent, + "Format error\n"); break; } @@ -1007,7 +1007,8 @@ static void kvaser_usb_read_bulk_callbac } if (pos + msg->len > urb->actual_length) { - dev_err(dev->udev->dev.parent, "Format error\n"); + dev_err_ratelimited(dev->udev->dev.parent, + "Format error\n"); break; } Patches currently in stable-queue which might be from jimmyassarsson(a)gmail.com are queue-3.18/can-kvaser_usb-ratelimit-errors-if-incomplete-messages-are-received.patch queue-3.18/can-kvaser_usb-free-buf-in-error-paths.patch queue-3.18/can-kvaser_usb-fix-comparison-bug-in-kvaser_usb_read_bulk_callback.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "can: kvaser_usb: free buf in error paths" has been added to the 3.18-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled can: kvaser_usb: free buf in error paths to the 3.18-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: can-kvaser_usb-free-buf-in-error-paths.patch and it can be found in the queue-3.18 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 435019b48033138581a6171093b181fc6b4d3d30 Mon Sep 17 00:00:00 2001 From: Jimmy Assarsson <jimmyassarsson(a)gmail.com> Date: Tue, 21 Nov 2017 08:22:26 +0100 Subject: can: kvaser_usb: free buf in error paths From: Jimmy Assarsson <jimmyassarsson(a)gmail.com> commit 435019b48033138581a6171093b181fc6b4d3d30 upstream. The allocated buffer was not freed if usb_submit_urb() failed. Signed-off-by: Jimmy Assarsson <jimmyassarsson(a)gmail.com> Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/net/can/usb/kvaser_usb.c | 2 ++ 1 file changed, 2 insertions(+) --- a/drivers/net/can/usb/kvaser_usb.c +++ b/drivers/net/can/usb/kvaser_usb.c @@ -602,6 +602,7 @@ static int kvaser_usb_simple_msg_async(s if (err) { netdev_err(netdev, "Error transmitting URB\n"); usb_unanchor_urb(urb); + kfree(buf); usb_free_urb(urb); kfree(buf); return err; @@ -1385,6 +1386,7 @@ static netdev_tx_t kvaser_usb_start_xmit atomic_dec(&priv->active_tx_urbs); usb_unanchor_urb(urb); + kfree(buf); stats->tx_dropped++; Patches currently in stable-queue which might be from jimmyassarsson(a)gmail.com are queue-3.18/can-kvaser_usb-ratelimit-errors-if-incomplete-messages-are-received.patch queue-3.18/can-kvaser_usb-free-buf-in-error-paths.patch queue-3.18/can-kvaser_usb-fix-comparison-bug-in-kvaser_usb_read_bulk_callback.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "can: kvaser_usb: Fix comparison bug in kvaser_usb_read_bulk_callback()" has been added to the 3.18-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled can: kvaser_usb: Fix comparison bug in kvaser_usb_read_bulk_callback() to the 3.18-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: can-kvaser_usb-fix-comparison-bug-in-kvaser_usb_read_bulk_callback.patch and it can be found in the queue-3.18 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From e84f44eb5523401faeb9cc1c97895b68e3cfb78d Mon Sep 17 00:00:00 2001 From: Jimmy Assarsson <jimmyassarsson(a)gmail.com> Date: Tue, 21 Nov 2017 08:22:27 +0100 Subject: can: kvaser_usb: Fix comparison bug in kvaser_usb_read_bulk_callback() From: Jimmy Assarsson <jimmyassarsson(a)gmail.com> commit e84f44eb5523401faeb9cc1c97895b68e3cfb78d upstream. The conditon in the while-loop becomes true when actual_length is less than 2 (MSG_HEADER_LEN). In best case we end up with a former, already dispatched msg, that got msg->len greater than actual_length. This will result in a "Format error" error printout. Problem seen when unplugging a Kvaser USB device connected to a vbox guest. warning: comparison between signed and unsigned integer expressions [-Wsign-compare] Signed-off-by: Jimmy Assarsson <jimmyassarsson(a)gmail.com> Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/net/can/usb/kvaser_usb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/net/can/usb/kvaser_usb.c +++ b/drivers/net/can/usb/kvaser_usb.c @@ -989,7 +989,7 @@ static void kvaser_usb_read_bulk_callbac goto resubmit_urb; } - while (pos <= urb->actual_length - MSG_HEADER_LEN) { + while (pos <= (int)(urb->actual_length - MSG_HEADER_LEN)) { msg = urb->transfer_buffer + pos; /* The Kvaser firmware can only read and write messages that Patches currently in stable-queue which might be from jimmyassarsson(a)gmail.com are queue-3.18/can-kvaser_usb-ratelimit-errors-if-incomplete-messages-are-received.patch queue-3.18/can-kvaser_usb-free-buf-in-error-paths.patch queue-3.18/can-kvaser_usb-fix-comparison-bug-in-kvaser_usb_read_bulk_callback.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "can: kvaser_usb: cancel urb on -EPIPE and -EPROTO" has been added to the 3.18-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled can: kvaser_usb: cancel urb on -EPIPE and -EPROTO to the 3.18-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: can-kvaser_usb-cancel-urb-on-epipe-and-eproto.patch and it can be found in the queue-3.18 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 6aa8d5945502baf4687d80de59b7ac865e9e666b Mon Sep 17 00:00:00 2001 From: Martin Kelly <mkelly(a)xevo.com> Date: Tue, 5 Dec 2017 11:15:49 -0800 Subject: can: kvaser_usb: cancel urb on -EPIPE and -EPROTO From: Martin Kelly <mkelly(a)xevo.com> commit 6aa8d5945502baf4687d80de59b7ac865e9e666b upstream. In mcba_usb, we have observed that when you unplug the device, the driver will endlessly resubmit failing URBs, which can cause CPU stalls. This issue is fixed in mcba_usb by catching the codes seen on device disconnect (-EPIPE and -EPROTO). This driver also resubmits in the case of -EPIPE and -EPROTO, so fix it in the same way. Signed-off-by: Martin Kelly <mkelly(a)xevo.com> Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/net/can/usb/kvaser_usb.c | 2 ++ 1 file changed, 2 insertions(+) --- a/drivers/net/can/usb/kvaser_usb.c +++ b/drivers/net/can/usb/kvaser_usb.c @@ -981,6 +981,8 @@ static void kvaser_usb_read_bulk_callbac case 0: break; case -ENOENT: + case -EPIPE: + case -EPROTO: case -ESHUTDOWN: return; default: Patches currently in stable-queue which might be from mkelly(a)xevo.com are queue-3.18/can-ems_usb-cancel-urb-on-epipe-and-eproto.patch queue-3.18/can-esd_usb2-cancel-urb-on-epipe-and-eproto.patch queue-3.18/can-usb_8dev-cancel-urb-on-epipe-and-eproto.patch queue-3.18/can-kvaser_usb-cancel-urb-on-epipe-and-eproto.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "can: esd_usb2: cancel urb on -EPIPE and -EPROTO" has been added to the 3.18-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled can: esd_usb2: cancel urb on -EPIPE and -EPROTO to the 3.18-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: can-esd_usb2-cancel-urb-on-epipe-and-eproto.patch and it can be found in the queue-3.18 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 7a31ced3de06e9878e4f9c3abe8f87d9344d8144 Mon Sep 17 00:00:00 2001 From: Martin Kelly <mkelly(a)xevo.com> Date: Tue, 5 Dec 2017 11:15:48 -0800 Subject: can: esd_usb2: cancel urb on -EPIPE and -EPROTO From: Martin Kelly <mkelly(a)xevo.com> commit 7a31ced3de06e9878e4f9c3abe8f87d9344d8144 upstream. In mcba_usb, we have observed that when you unplug the device, the driver will endlessly resubmit failing URBs, which can cause CPU stalls. This issue is fixed in mcba_usb by catching the codes seen on device disconnect (-EPIPE and -EPROTO). This driver also resubmits in the case of -EPIPE and -EPROTO, so fix it in the same way. Signed-off-by: Martin Kelly <mkelly(a)xevo.com> Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/net/can/usb/esd_usb2.c | 2 ++ 1 file changed, 2 insertions(+) --- a/drivers/net/can/usb/esd_usb2.c +++ b/drivers/net/can/usb/esd_usb2.c @@ -395,6 +395,8 @@ static void esd_usb2_read_bulk_callback( break; case -ENOENT: + case -EPIPE: + case -EPROTO: case -ESHUTDOWN: return; Patches currently in stable-queue which might be from mkelly(a)xevo.com are queue-3.18/can-ems_usb-cancel-urb-on-epipe-and-eproto.patch queue-3.18/can-esd_usb2-cancel-urb-on-epipe-and-eproto.patch queue-3.18/can-usb_8dev-cancel-urb-on-epipe-and-eproto.patch queue-3.18/can-kvaser_usb-cancel-urb-on-epipe-and-eproto.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "can: ems_usb: cancel urb on -EPIPE and -EPROTO" has been added to the 3.18-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled can: ems_usb: cancel urb on -EPIPE and -EPROTO to the 3.18-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: can-ems_usb-cancel-urb-on-epipe-and-eproto.patch and it can be found in the queue-3.18 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From bd352e1adfe0d02d3ea7c8e3fb19183dc317e679 Mon Sep 17 00:00:00 2001 From: Martin Kelly <mkelly(a)xevo.com> Date: Tue, 5 Dec 2017 11:15:47 -0800 Subject: can: ems_usb: cancel urb on -EPIPE and -EPROTO From: Martin Kelly <mkelly(a)xevo.com> commit bd352e1adfe0d02d3ea7c8e3fb19183dc317e679 upstream. In mcba_usb, we have observed that when you unplug the device, the driver will endlessly resubmit failing URBs, which can cause CPU stalls. This issue is fixed in mcba_usb by catching the codes seen on device disconnect (-EPIPE and -EPROTO). This driver also resubmits in the case of -EPIPE and -EPROTO, so fix it in the same way. Signed-off-by: Martin Kelly <mkelly(a)xevo.com> Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/net/can/usb/ems_usb.c | 2 ++ 1 file changed, 2 insertions(+) --- a/drivers/net/can/usb/ems_usb.c +++ b/drivers/net/can/usb/ems_usb.c @@ -290,6 +290,8 @@ static void ems_usb_read_interrupt_callb case -ECONNRESET: /* unlink */ case -ENOENT: + case -EPIPE: + case -EPROTO: case -ESHUTDOWN: return; Patches currently in stable-queue which might be from mkelly(a)xevo.com are queue-3.18/can-ems_usb-cancel-urb-on-epipe-and-eproto.patch queue-3.18/can-esd_usb2-cancel-urb-on-epipe-and-eproto.patch queue-3.18/can-usb_8dev-cancel-urb-on-epipe-and-eproto.patch queue-3.18/can-kvaser_usb-cancel-urb-on-epipe-and-eproto.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] WTF: patch "[PATCH] fw_cfg: fix driver remove" was seriously submitted to be applied to the 4.14-stable tree?

by gregkh＠linuxfoundation.org

The patch below was submitted to be applied to the 4.14-stable tree. I fail to see how this patch meets the stable kernel rules as found at Documentation/process/stable-kernel-rules.rst. I could be totally wrong, and if so, please respond to <stable(a)vger.kernel.org> and let me know why this patch should be applied. Otherwise, it is now dropped from my patch queues, never to be seen again. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 23f1b8d938c861ee0bbb786162f7ce0685f722ec Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= <marcandre.lureau(a)redhat.com> Date: Mon, 20 Nov 2017 10:55:15 +0100 Subject: [PATCH] fw_cfg: fix driver remove MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit On driver remove(), all objects created during probe() should be removed, but sysfs qemu_fw_cfg/rev file was left. Also reorder functions to match probe() error cleanup code. Cc: stable(a)vger.kernel.org Signed-off-by: Marc-André Lureau <marcandre.lureau(a)redhat.com> Signed-off-by: Michael S. Tsirkin <mst(a)redhat.com> diff --git a/drivers/firmware/qemu_fw_cfg.c b/drivers/firmware/qemu_fw_cfg.c index 5cfe39f7a45f..deb483064f53 100644 --- a/drivers/firmware/qemu_fw_cfg.c +++ b/drivers/firmware/qemu_fw_cfg.c @@ -582,9 +582,10 @@ static int fw_cfg_sysfs_remove(struct platform_device *pdev) { pr_debug("fw_cfg: unloading.\n"); fw_cfg_sysfs_cache_cleanup(); + sysfs_remove_file(fw_cfg_top_ko, &fw_cfg_rev_attr.attr); + fw_cfg_io_cleanup(); fw_cfg_kset_unregister_recursive(fw_cfg_fname_kset); fw_cfg_kobj_cleanup(fw_cfg_sel_ko); - fw_cfg_io_cleanup(); return 0; }

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] FAILED: patch "[PATCH] usb: f_fs: Force Reserved1=1 in OS_DESC_EXT_COMPAT" failed to apply to 4.9-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.9-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From a3acc696085e112733d191a77b106e67a4fa110b Mon Sep 17 00:00:00 2001 From: John Keeping <john(a)metanate.com> Date: Mon, 27 Nov 2017 18:15:40 +0000 Subject: [PATCH] usb: f_fs: Force Reserved1=1 in OS_DESC_EXT_COMPAT The specification says that the Reserved1 field in OS_DESC_EXT_COMPAT must have the value "1", but when this feature was first implemented we rejected any non-zero values. This was adjusted to accept all non-zero values (while now rejecting zero) in commit 53642399aa71 ("usb: gadget: f_fs: Fix wrong check on reserved1 of OS_DESC_EXT_COMPAT"), but that breaks any userspace programs that worked previously by returning EINVAL when Reserved1 == 0 which was previously the only value that succeeded! If we just set the field to "1" ourselves, both old and new userspace programs continue to work correctly and, as a bonus, old programs are now compliant with the specification without having to fix anything themselves. Fixes: 53642399aa71 ("usb: gadget: f_fs: Fix wrong check on reserved1 of OS_DESC_EXT_COMPAT") Cc: <stable(a)vger.kernel.org> Signed-off-by: John Keeping <john(a)metanate.com> Signed-off-by: Felipe Balbi <felipe.balbi(a)linux.intel.com> diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c index 9aa457b53e01..b6cf5ab5a0a1 100644 --- a/drivers/usb/gadget/function/f_fs.c +++ b/drivers/usb/gadget/function/f_fs.c @@ -2282,9 +2282,18 @@ static int __ffs_data_do_os_desc(enum ffs_os_desc_type type, int i; if (len < sizeof(*d) || - d->bFirstInterfaceNumber >= ffs->interfaces_count || - !d->Reserved1) + d->bFirstInterfaceNumber >= ffs->interfaces_count) return -EINVAL; + if (d->Reserved1 != 1) { + /* + * According to the spec, Reserved1 must be set to 1 + * but older kernels incorrectly rejected non-zero + * values. We fix it here to avoid returning EINVAL + * in response to values we used to accept. + */ + pr_debug("usb_ext_compat_desc::Reserved1 forced to 1\n"); + d->Reserved1 = 1; + } for (i = 0; i < ARRAY_SIZE(d->Reserved2); ++i) if (d->Reserved2[i]) return -EINVAL;

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] v4.14.5 build: 0 failures 0 warnings (v4.14.5)

by Build bot for Mark Brown

Tree/Branch: v4.14.5 Git describe: v4.14.5 Commit: 64138f0adb Linux 4.14.5 Build Time: 119 min 24 sec Passed: 10 / 10 (100.00 %) Failed: 0 / 10 ( 0.00 %) Errors: 0 Warnings: 0 Section Mismatches: 0 ------------------------------------------------------------------------------- defconfigs with issues (other than build errors): ------------------------------------------------------------------------------- =============================================================================== Detailed per-defconfig build reports below: ------------------------------------------------------------------------------- Passed with no errors, warnings or mismatches: arm64-allnoconfig arm64-allmodconfig arm-multi_v5_defconfig arm-multi_v7_defconfig x86_64-defconfig arm-allmodconfig arm-allnoconfig x86_64-allnoconfig arm-multi_v4t_defconfig arm64-defconfig close failed in file object destructor: sys.excepthook is missing lost sys.stderr

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] [PATCH 4.14 00/75] 4.14.5-stable review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 4.14.5 release. There are 75 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sat Dec 9 13:07:57 UTC 2017. Anything received after that time might be too late. The whole patch series can be found in one patch at: kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.5-rc1.gz or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 4.14.5-rc1 Colin Ian King <colin.king(a)canonical.com> usb: host: fix incorrect updating of offset Oliver Neukum <oneukum(a)suse.com> USB: usbfs: Filter flags passed in from user space Masakazu Mokuno <masakazu.mokuno(a)gmail.com> USB: core: Add type-specific length check of BOS descriptors Yu Chen <chenyu56(a)huawei.com> usb: xhci: fix panic in xhci_free_virt_devices_depth_first Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: Don't show incorrect WARN message about events for empty rings Johan Hovold <johan(a)kernel.org> USB: ulpi: fix bus-node lookup Mike Looijmans <mike.looijmans(a)topic.nl> usb: hub: Cycle HUB power when initialization fails Gilad Ben-Yossef <gilad(a)benyossef.com> staging: ccree: fix leak of import() after init() Dominik Behr <dbehr(a)chromium.org> dma-buf/sw_sync: force signal all unsignaled fences on dying timeline Naveen N. Rao <naveen.n.rao(a)linux.vnet.ibm.com> powerpc/kprobes: Disable preemption before invoking probe handler for optprobes Naveen N. Rao <naveen.n.rao(a)linux.vnet.ibm.com> powerpc/jprobes: Disable preemption when triggered through ftrace Kees Cook <keescook(a)chromium.org> locking/refcounts, x86/asm: Enable CONFIG_ARCH_HAS_REFCOUNT Gustavo A. R. Silva <garsilva(a)embeddedor.com> iio: multiplexer: add NULL check on devm_kzalloc() and devm_kmemdup() return values Ladislav Michl <ladis(a)linux-mips.org> iio: adc: ti-ads1015: add 10% to conversion wait time Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> mm, x86/mm: Fix performance regression in get_user_pages_fast() Martin Kepplinger <martink(a)posteo.de> perf tools: Fix leaking rec_argv in error cases Arnaldo Carvalho de Melo <acme(a)redhat.com> tools include: Do not use poison with C++ Heiko Carstens <heiko.carstens(a)de.ibm.com> s390/ptrace: fix guarded storage regset handling Kees Cook <keescook(a)chromium.org> locking/refcounts, x86/asm: Use unique .text section for refcount exceptions Masami Hiramatsu <mhiramat(a)kernel.org> kprobes/x86: Disable preemption in ftrace-based jprobes Thomas Richter <tmricht(a)linux.vnet.ibm.com> perf test attr: Fix python error on empty result Thomas Richter <tmricht(a)linux.vnet.ibm.com> perf test attr: Fix ignored test case result Ioana Radulescu <ruxandra.radulescu(a)nxp.com> staging: fsl-mc/dpio: Fix incorrect comparison Ian Jamison <ian.dev(a)arkver.com> serial: imx: Update cached mctrl value when changing RTS Ben Hutchings <ben(a)decadent.org.uk> usbip: tools: Install all headers needed for libusbip development Andy Lowe <andy_lowe(a)mentor.com> serial: sh-sci: suppress warning for ports without dma channels Jibin Xu <jibin.xu(a)windriver.com> sysrq : fix Show Regs call trace on ARM Lu Baolu <baolu.lu(a)linux.intel.com> usb: xhci: Return error when host is dead in xhci_disable_slot() Leo Yan <leo.yan(a)linaro.org> ARM: cpuidle: Correct driver unregistration if init fails Larry Finger <Larry.Finger(a)lwfinger.net> staging: rtl8822be: Keep array subscript no lower than zero Ioana Radulescu <ruxandra.radulescu(a)nxp.com> staging: fsl-dpaa2/eth: Account for Rx FD buffers on error path Chunfeng Yun <chunfeng.yun(a)mediatek.com> usb: mtu3: fix error return code in ssusb_gadget_init() Gustavo A. R. Silva <garsilva(a)embeddedor.com> EDAC, sb_edac: Fix missing break in switch Geert Uytterhoeven <geert+renesas(a)glider.be> dt-bindings: timer: renesas, cmt: Fix SoC-specific compatible values Ard Biesheuvel <ard.biesheuvel(a)linaro.org> clocksource/drivers/arm_arch_timer: Validate CNTFRQ after enabling frame Dave Hansen <dave.hansen(a)linux.intel.com> x86/entry: Use SYSCALL_DEFINE() macros for sys_modify_ldt() Masami Hiramatsu <mhiramat(a)kernel.org> kprobes: Use synchronize_rcu_tasks() for optprobe with CONFIG_PREEMPT=y Aaron Sierra <asierra(a)xes-inc.com> serial: 8250: Preserve DLD[7:4] for PORT_XR17V35X Reinette Chatre <reinette.chatre(a)intel.com> x86/intel_rdt: Fix potential deadlock during resctrl mount Reinette Chatre <reinette.chatre(a)intel.com> x86/intel_rdt: Initialize bitmask of shareable resource if CDP enabled Kishon Vijay Abraham I <kishon(a)ti.com> PCI: dra7xx: Create functional dependency between PCIe and PHY Alexey Khoroshilov <khoroshilov(a)ispras.ru> usb: phy: tahvo: fix error handling in tahvo_usb_probe() John Stultz <john.stultz(a)linaro.org> usb: dwc2: Error out of dwc2_hsotg_ep_disable() if we're in host mode John Stultz <john.stultz(a)linaro.org> usb: dwc2: Fix UDC state tracking Peter Zijlstra <peterz(a)infradead.org> perf/core: Fix __perf_read_group_add() locking Edward A. James <eajames(a)us.ibm.com> hwmon: (pmbus/core) Prevent unintentional setting of page to 0xFF Subhash Jadavani <subhashj(a)codeaurora.org> mmc: sdhci-msm: fix issue with power irq Fabrizio Castro <fabrizio.castro(a)bp.renesas.com> mmc: tmio: check mmc_regulator_get_supply return value Johan Hovold <johan(a)kernel.org> spi: spi-axi: fix potential use-after-free after deregistration Hiromitsu Yamasaki <hiromitsu.yamasaki.ym(a)renesas.com> spi: sh-msiof: Fix DMA transfer size check Colin Ian King <colin.king(a)canonical.com> staging: rtl8188eu: avoid a null dereference on pmlmepriv Stanislaw Gruszka <sgruszka(a)redhat.com> staging: rtl8822be: fix wrong dma unmap len Lukas Wunner <lukas(a)wunner.de> serial: 8250_fintek: Fix rs485 disablement on invalid ioctl() Greg Ungerer <gerg(a)linux-m68k.org> m68k: fix ColdFire node shift size calculation Bryan O'Donoghue <pure.logic(a)nexus-software.ie> staging: greybus: loopback: Fix iteration count on async path Andy Lutomirski <luto(a)kernel.org> selftests/x86/ldt_gdt: Robustify against set_thread_area() and LAR oddities Andy Lutomirski <luto(a)kernel.org> selftests/x86/ldt_get: Add a few additional tests for limits Christian Borntraeger <borntraeger(a)de.ibm.com> s390/pci: do not require AIS facility Ulf Hansson <ulf.hansson(a)linaro.org> PM / Domains: Fix genpd to deal with drivers returning 1 from ->prepare() Jason J. Herne <jjherne(a)linux.vnet.ibm.com> s390: vfio-ccw: Do not attempt to free no-op, test and tic cda. Boshi Wang <wangboshi(a)huawei.com> ima: fix hash algorithm initialization Matt Redfearn <matt.redfearn(a)mips.com> MIPS: Add custom serial.h with BASE_BAUD override for generic kernel Matt Redfearn <matt.redfearn(a)mips.com> serial: 8250_early: Only set divisor if valid clk & baud Lu Baolu <baolu.lu(a)linux.intel.com> USB: serial: usb_debug: add new USB device id Sebastian Sjoholm <ssjoholm(a)mac.com> USB: serial: option: add Quectel BG96 id Martijn Coenen <maco(a)android.com> ANDROID: binder: fix transaction leak. Matt Wilson <msw(a)amazon.com> serial: 8250_pci: Add Amazon PCI serial device ID Kai-Heng Feng <kai.heng.feng(a)canonical.com> usb: quirks: Add no-lpm quirk for KY-688 USB 3.1 Type-C Hub Hans de Goede <hdegoede(a)redhat.com> uas: Always apply US_FL_NO_ATA_1X quirk to Seagate devices Yuyang Du <yuyang.du(a)intel.com> usbip: Fix USB device hang due to wrong enabling of scatter-gather Shuah Khan <shuah(a)kernel.org> usbip: fix usbip attach to find a port that matches the requested speed Heiko Carstens <heiko.carstens(a)de.ibm.com> s390/runtime instrumentation: simplify task exit handling Michel Dänzer <michel.daenzer(a)amd.com> drm/amdgpu: Use unsigned ring indices in amdgpu_queue_mgr_map Stefan Agner <stefan(a)agner.ch> drm/fsl-dcu: enable IRQ before drm_atomic_helper_resume() Stefan Agner <stefan(a)agner.ch> drm/fsl-dcu: avoid disabling pixel clock twice on suspend ------------- Diffstat: .../devicetree/bindings/timer/renesas,cmt.txt | 24 +++--- Makefile | 4 +- arch/Kconfig | 2 +- arch/m68k/mm/mcfmmu.c | 2 +- arch/mips/include/asm/Kbuild | 1 - arch/mips/include/asm/serial.h | 22 +++++ arch/powerpc/kernel/kprobes-ftrace.c | 15 +++- arch/powerpc/kernel/optprobes.c | 5 +- arch/s390/include/asm/pci_insn.h | 2 +- arch/s390/include/asm/runtime_instr.h | 4 +- arch/s390/kernel/process.c | 5 +- arch/s390/kernel/ptrace.c | 33 +++++--- arch/s390/kernel/runtime_instr.c | 30 +++---- arch/s390/pci/pci.c | 5 +- arch/s390/pci/pci_insn.c | 6 +- arch/x86/Kconfig | 2 +- arch/x86/include/asm/refcount.h | 2 +- arch/x86/include/asm/syscalls.h | 2 +- arch/x86/kernel/cpu/intel_rdt.c | 1 + arch/x86/kernel/cpu/intel_rdt_rdtgroup.c | 8 +- arch/x86/kernel/kprobes/ftrace.c | 23 +++-- arch/x86/kernel/ldt.c | 16 +++- arch/x86/mm/extable.c | 7 +- arch/x86/um/ldt.c | 7 +- drivers/android/binder.c | 40 +++++++-- drivers/base/power/domain.c | 5 +- drivers/clocksource/arm_arch_timer.c | 38 +++++---- drivers/cpuidle/cpuidle-arm.c | 22 +++-- drivers/dma-buf/sw_sync.c | 10 ++- drivers/edac/sb_edac.c | 1 + drivers/gpu/drm/amd/amdgpu/amdgpu.h | 2 +- drivers/gpu/drm/amd/amdgpu/amdgpu_queue_mgr.c | 6 +- drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_drv.c | 3 +- drivers/hwmon/pmbus/pmbus.h | 6 +- drivers/hwmon/pmbus/pmbus_core.c | 25 +++--- drivers/iio/adc/ti-ads1015.c | 1 + drivers/iio/multiplexer/iio-mux.c | 6 ++ drivers/mmc/host/sdhci-msm.c | 18 ++++ drivers/mmc/host/tmio_mmc_core.c | 5 +- drivers/pci/dwc/pci-dra7xx.c | 16 ++++ drivers/s390/cio/vfio_ccw_cp.c | 2 + drivers/spi/spi-axi-spi-engine.c | 4 +- drivers/spi/spi-sh-msiof.c | 2 +- drivers/staging/ccree/ssi_hash.c | 9 +- drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.c | 15 +++- drivers/staging/fsl-mc/bus/dpio/dpio-service.c | 4 +- drivers/staging/fsl-mc/include/dpaa2-io.h | 6 +- drivers/staging/greybus/loopback.c | 4 +- drivers/staging/rtl8188eu/core/rtw_mlme.c | 6 +- drivers/staging/rtlwifi/phydm/phydm_dig.c | 2 + drivers/staging/rtlwifi/rtl8822be/fw.c | 2 +- drivers/tty/serial/8250/8250_early.c | 14 ++-- drivers/tty/serial/8250/8250_fintek.c | 2 +- drivers/tty/serial/8250/8250_pci.c | 3 + drivers/tty/serial/8250/8250_port.c | 5 +- drivers/tty/serial/imx.c | 6 +- drivers/tty/serial/sh-sci.c | 8 ++ drivers/tty/sysrq.c | 9 +- drivers/usb/common/ulpi.c | 4 +- drivers/usb/core/config.c | 28 ++++++- drivers/usb/core/devio.c | 14 ++-- drivers/usb/core/hub.c | 9 ++ drivers/usb/core/quirks.c | 3 + drivers/usb/dwc2/gadget.c | 7 ++ drivers/usb/host/ehci-dbg.c | 2 +- drivers/usb/host/xhci-mem.c | 7 ++ drivers/usb/host/xhci-ring.c | 12 ++- drivers/usb/host/xhci.c | 3 +- drivers/usb/mtu3/mtu3_core.c | 4 +- drivers/usb/phy/phy-tahvo.c | 3 +- drivers/usb/serial/option.c | 3 + drivers/usb/serial/usb_debug.c | 2 + drivers/usb/storage/uas-detect.h | 4 + drivers/usb/usbip/vhci_hcd.c | 1 - include/asm-generic/vmlinux.lds.h | 1 + include/uapi/linux/usb/ch9.h | 3 + kernel/events/core.c | 4 +- kernel/kprobes.c | 14 ++-- mm/gup.c | 97 +++++++++++++--------- security/integrity/ima/ima_main.c | 4 + tools/include/linux/poison.h | 5 ++ tools/perf/builtin-c2c.c | 1 + tools/perf/builtin-mem.c | 1 + tools/perf/builtin-timechart.c | 4 +- tools/perf/builtin-trace.c | 1 + tools/perf/tests/attr.c | 2 +- tools/perf/tests/attr.py | 6 +- tools/testing/selftests/x86/ldt_gdt.c | 27 +++++- tools/usb/usbip/Makefile.am | 3 +- tools/usb/usbip/libsrc/vhci_driver.c | 14 +++- 90 files changed, 580 insertions(+), 248 deletions(-)

7 years, 9 months

6
83
0 0

[Linux-stable-mirror] Patch "locking/refcounts: Do not force refcount_t usage as GPL-only export" has been added to the 4.14-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled locking/refcounts: Do not force refcount_t usage as GPL-only export to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: locking-refcounts-do-not-force-refcount_t-usage-as-gpl-only-export.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From b562c171cf011d297059bd0265742eb5fab0ad2f Mon Sep 17 00:00:00 2001 From: Kees Cook <keescook(a)chromium.org> Date: Mon, 4 Dec 2017 17:24:54 -0800 Subject: locking/refcounts: Do not force refcount_t usage as GPL-only export From: Kees Cook <keescook(a)chromium.org> commit b562c171cf011d297059bd0265742eb5fab0ad2f upstream. The refcount_t protection on x86 was not intended to use the stricter GPL export. This adjusts the linkage again to avoid a regression in the availability of the refcount API. Reported-by: Dave Airlie <airlied(a)gmail.com> Fixes: 7a46ec0e2f48 ("locking/refcounts, x86/asm: Implement fast refcount overflow protection") Signed-off-by: Kees Cook <keescook(a)chromium.org> Signed-off-by: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: Ivan Kozik <ivan(a)ludios.org> Cc: Thomas Backlund <tmb(a)mageia.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- arch/x86/mm/extable.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/arch/x86/mm/extable.c +++ b/arch/x86/mm/extable.c @@ -82,7 +82,7 @@ bool ex_handler_refcount(const struct ex return true; } -EXPORT_SYMBOL_GPL(ex_handler_refcount); +EXPORT_SYMBOL(ex_handler_refcount); /* * Handler for when we fail to restore a task's FPU state. We should never get Patches currently in stable-queue which might be from keescook(a)chromium.org are queue-4.14/locking-refcounts-x86-asm-use-unique-.text-section-for-refcount-exceptions.patch queue-4.14/locking-refcounts-x86-asm-enable-config_arch_has_refcount.patch queue-4.14/locking-refcounts-do-not-force-refcount_t-usage-as-gpl-only-export.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] [PATCH] mm, oom_reaper: fix memory corruption

by Michal Hocko

From: Michal Hocko <mhocko(a)suse.com> David Rientjes has reported the following memory corruption while the oom reaper tries to unmap the victims address space BUG: Bad page map in process oom_reaper pte:6353826300000000 pmd:00000000 addr:00007f50cab1d000 vm_flags:08100073 anon_vma:ffff9eea335603f0 mapping: (null) index:7f50cab1d file: (null) fault: (null) mmap: (null) readpage: (null) CPU: 2 PID: 1001 Comm: oom_reaper Call Trace: [<ffffffffa4bd967d>] dump_stack+0x4d/0x70 [<ffffffffa4a03558>] unmap_page_range+0x1068/0x1130 [<ffffffffa4a2e07f>] __oom_reap_task_mm+0xd5/0x16b [<ffffffffa4a2e226>] oom_reaper+0xff/0x14c [<ffffffffa48d6ad1>] kthread+0xc1/0xe0 Tetsuo Handa has noticed that the synchronization inside exit_mmap is insufficient. We only synchronize with the oom reaper if tsk_is_oom_victim which is not true if the final __mmput is called from a different context than the oom victim exit path. This can trivially happen from context of any task which has grabbed mm reference (e.g. to read /proc/<pid>/ file which requires mm etc.). The race would look like this oom_reaper oom_victim task mmget_not_zero do_exit mmput __oom_reap_task_mm mmput __mmput exit_mmap remove_vma unmap_page_range Fix this issue by providing a new mm_is_oom_victim() helper which operates on the mm struct rather than a task. Any context which operates on a remote mm struct should use this helper in place of tsk_is_oom_victim. The flag is set in mark_oom_victim and never cleared so it is stable in the exit_mmap path. Changes since v1 - set MMF_OOM_SKIP in exit_mmap only for the oom mm as suggested by Tetsuo because there is no reason to set the flag unless we are synchronizing with the oom reaper. - do not modify values of other MMF_ flags and add MMF_OOM_VICTIM as the last one as requested by David Rientjes because they have "automated tools that look at specific bits in mm->flags and it would be nice to not have them be inconsistent between kernel versions. Not absolutely required, but nice to avoid" Reported-by: David Rientjes <rientjes(a)google.com> Debugged-by: Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> Fixes: 212925802454 ("mm: oom: let oom_reap_task and exit_mmap run concurrently") Cc: stable # 4.14 Acked-by: David Rientjes <rientjes(a)google.com> Signed-off-by: Michal Hocko <mhocko(a)suse.com> --- Hi, this patch fixes issue reported by David [1][2]. [1] http://lkml.kernel.org/r/alpine.DEB.2.10.1712051824050.91099@chino.kir.corp… [2] http://lkml.kernel.org/r/alpine.DEB.2.10.1712071315570.135101@chino.kir.cor… include/linux/oom.h | 9 +++++++++ include/linux/sched/coredump.h | 1 + mm/mmap.c | 10 +++++----- mm/oom_kill.c | 4 +++- 4 files changed, 18 insertions(+), 6 deletions(-) diff --git a/include/linux/oom.h b/include/linux/oom.h index 27cd36b762b5..c4139e79771d 100644 --- a/include/linux/oom.h +++ b/include/linux/oom.h @@ -77,6 +77,15 @@ static inline bool tsk_is_oom_victim(struct task_struct * tsk) return tsk->signal->oom_mm; } +/* + * Use this helper if tsk->mm != mm and the victim mm needs a special + * handling. This is guaranteed to stay true after once set. + */ +static inline bool mm_is_oom_victim(struct mm_struct *mm) +{ + return test_bit(MMF_OOM_VICTIM, &mm->flags); +} + /* * Checks whether a page fault on the given mm is still reliable. * This is no longer true if the oom reaper started to reap the diff --git a/include/linux/sched/coredump.h b/include/linux/sched/coredump.h index 9c8847395b5e..ec912d01126f 100644 --- a/include/linux/sched/coredump.h +++ b/include/linux/sched/coredump.h @@ -70,6 +70,7 @@ static inline int get_dumpable(struct mm_struct *mm) #define MMF_UNSTABLE 22 /* mm is unstable for copy_from_user */ #define MMF_HUGE_ZERO_PAGE 23 /* mm has ever used the global huge zero page */ #define MMF_DISABLE_THP 24 /* disable THP for all VMAs */ +#define MMF_OOM_VICTIM 25 /* mm is the oom victim */ #define MMF_DISABLE_THP_MASK (1 << MMF_DISABLE_THP) #define MMF_INIT_MASK (MMF_DUMPABLE_MASK | MMF_DUMP_FILTER_MASK |\ diff --git a/mm/mmap.c b/mm/mmap.c index 476e810cf100..0de87a376aaa 100644 --- a/mm/mmap.c +++ b/mm/mmap.c @@ -3004,20 +3004,20 @@ void exit_mmap(struct mm_struct *mm) /* Use -1 here to ensure all VMAs in the mm are unmapped */ unmap_vmas(&tlb, vma, 0, -1); - set_bit(MMF_OOM_SKIP, &mm->flags); - if (unlikely(tsk_is_oom_victim(current))) { + if (unlikely(mm_is_oom_victim(mm))) { /* * Wait for oom_reap_task() to stop working on this * mm. Because MMF_OOM_SKIP is already set before * calling down_read(), oom_reap_task() will not run * on this "mm" post up_write(). * - * tsk_is_oom_victim() cannot be set from under us - * either because current->mm is already set to NULL + * mm_is_oom_victim() cannot be set from under us + * either because victim->mm is already set to NULL * under task_lock before calling mmput and oom_mm is - * set not NULL by the OOM killer only if current->mm + * set not NULL by the OOM killer only if victim->mm * is found not NULL while holding the task_lock. */ + set_bit(MMF_OOM_SKIP, &mm->flags); down_write(&mm->mmap_sem); up_write(&mm->mmap_sem); } diff --git a/mm/oom_kill.c b/mm/oom_kill.c index 3b0d0fed8480..e4d290b6804b 100644 --- a/mm/oom_kill.c +++ b/mm/oom_kill.c @@ -666,8 +666,10 @@ static void mark_oom_victim(struct task_struct *tsk) return; /* oom_mm is bound to the signal struct life time. */ - if (!cmpxchg(&tsk->signal->oom_mm, NULL, mm)) + if (!cmpxchg(&tsk->signal->oom_mm, NULL, mm)) { mmgrab(tsk->signal->oom_mm); + set_bit(MMF_OOM_VICTIM, &mm->flags); + } /* * Make sure that the task is woken up from uninterruptible sleep -- 2.15.0

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] v4.9.68 build: 0 failures 0 warnings (v4.9.68)

by Build bot for Mark Brown

Tree/Branch: v4.9.68 Git describe: v4.9.68 Commit: 3781db07c7 Linux 4.9.68 Build Time: 101 min 24 sec Passed: 10 / 10 (100.00 %) Failed: 0 / 10 ( 0.00 %) Errors: 0 Warnings: 0 Section Mismatches: 0 ------------------------------------------------------------------------------- defconfigs with issues (other than build errors): ------------------------------------------------------------------------------- =============================================================================== Detailed per-defconfig build reports below: ------------------------------------------------------------------------------- Passed with no errors, warnings or mismatches: arm64-allnoconfig arm64-allmodconfig arm-multi_v5_defconfig arm-multi_v7_defconfig x86_64-defconfig arm-allmodconfig arm-allnoconfig x86_64-allnoconfig arm-multi_v4t_defconfig arm64-defconfig close failed in file object destructor: sys.excepthook is missing lost sys.stderr

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] v4.4.105 build: 0 failures 0 warnings (v4.4.105)

by Build bot for Mark Brown

Tree/Branch: v4.4.105 Git describe: v4.4.105 Commit: 69b0bf95a5 Linux 4.4.105 Build Time: 87 min 19 sec Passed: 9 / 9 (100.00 %) Failed: 0 / 9 ( 0.00 %) Errors: 0 Warnings: 0 Section Mismatches: 0 ------------------------------------------------------------------------------- defconfigs with issues (other than build errors): ------------------------------------------------------------------------------- =============================================================================== Detailed per-defconfig build reports below: ------------------------------------------------------------------------------- Passed with no errors, warnings or mismatches: arm64-allnoconfig arm64-allmodconfig arm-multi_v5_defconfig arm-multi_v7_defconfig x86_64-defconfig arm-allmodconfig arm-allnoconfig x86_64-allnoconfig arm64-defconfig close failed in file object destructor: sys.excepthook is missing lost sys.stderr

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] v3.18.87 build: 0 failures 1 warnings (v3.18.87)

by Build bot for Mark Brown

Tree/Branch: v3.18.87 Git describe: v3.18.87 Commit: 2179863ede Linux 3.18.87 Build Time: 67 min 13 sec Passed: 9 / 9 (100.00 %) Failed: 0 / 9 ( 0.00 %) Errors: 0 Warnings: 1 Section Mismatches: 0 ------------------------------------------------------------------------------- defconfigs with issues (other than build errors): 2 warnings 0 mismatches : x86_64-defconfig ------------------------------------------------------------------------------- Warnings Summary: 1 2 ../include/linux/ftrace.h:632:36: warning: calling '__builtin_return_address' with a nonzero argument is unsafe [-Wframe-address] =============================================================================== Detailed per-defconfig build reports below: ------------------------------------------------------------------------------- x86_64-defconfig : PASS, 0 errors, 2 warnings, 0 section mismatches Warnings: ../include/linux/ftrace.h:632:36: warning: calling '__builtin_return_address' with a nonzero argument is unsafe [-Wframe-address] ../include/linux/ftrace.h:632:36: warning: calling '__builtin_return_address' with a nonzero argument is unsafe [-Wframe-address] ------------------------------------------------------------------------------- Passed with no errors, warnings or mismatches: arm64-allnoconfig arm64-allmodconfig arm-multi_v5_defconfig arm-multi_v7_defconfig arm-allmodconfig arm-allnoconfig x86_64-allnoconfig arm64-defconfig

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "usb: dwc2: Improve gadget state disconnection handling" has been added to the 4.14-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled usb: dwc2: Improve gadget state disconnection handling to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: usb-dwc2-improve-gadget-state-disconnection-handling.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From d2471d4a24dfbff5e463d382e2c6fec7d7e25a09 Mon Sep 17 00:00:00 2001 From: John Stultz <john.stultz(a)linaro.org> Date: Mon, 23 Oct 2017 14:32:48 -0700 Subject: usb: dwc2: Improve gadget state disconnection handling From: John Stultz <john.stultz(a)linaro.org> commit d2471d4a24dfbff5e463d382e2c6fec7d7e25a09 upstream. In the earlier commit dad3f793f20f ("usb: dwc2: Make sure we disconnect the gadget state"), I was trying to fix up the fact that we somehow weren't disconnecting the gadget state, so that when the OTG port was plugged in the second time we would get warnings about the state tracking being wrong. (This seems to be due to a quirk of the HiKey board where we do not ever get any otg interrupts, particularly the session end detected signal. Instead we only see status change interrupt.) The fix there was somewhat simple, as it just made sure to call dwc2_hsotg_disconnect() before we connected things up in OTG mode, ensuring the state handling didn't throw errors. But in looking at a different issue I was seeing with UDC state handling, I realized that it would be much better to call dwc2_hsotg_disconnect when we get the state change signal moving to host mode. Thus, this patch removes the earlier disconnect call I added and moves it (and the needed locking) to the host mode transition. Cc: Wei Xu <xuwei5(a)hisilicon.com> Cc: Guodong Xu <guodong.xu(a)linaro.org> Cc: Amit Pundir <amit.pundir(a)linaro.org> Cc: YongQin Liu <yongqin.liu(a)linaro.org> Cc: John Youn <johnyoun(a)synopsys.com> Cc: Minas Harutyunyan <Minas.Harutyunyan(a)synopsys.com> Cc: Douglas Anderson <dianders(a)chromium.org> Cc: Chen Yu <chenyu56(a)huawei.com> Cc: Felipe Balbi <felipe.balbi(a)linux.intel.com> Cc: linux-usb(a)vger.kernel.org Acked-by: Minas Harutyunyan <hminas(a)synopsys.com> Tested-by: Minas Harutyunyan <hminas(a)synopsys.com> Signed-off-by: John Stultz <john.stultz(a)linaro.org> Signed-off-by: Felipe Balbi <felipe.balbi(a)linux.intel.com> Cc: Ben Hutchings <ben.hutchings(a)codethink.co.uk> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/usb/dwc2/hcd.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) --- a/drivers/usb/dwc2/hcd.c +++ b/drivers/usb/dwc2/hcd.c @@ -3277,7 +3277,6 @@ static void dwc2_conn_id_status_change(s dwc2_core_init(hsotg, false); dwc2_enable_global_interrupts(hsotg); spin_lock_irqsave(&hsotg->lock, flags); - dwc2_hsotg_disconnect(hsotg); dwc2_hsotg_core_init_disconnected(hsotg, false); spin_unlock_irqrestore(&hsotg->lock, flags); dwc2_hsotg_core_connect(hsotg); @@ -3296,8 +3295,12 @@ host: if (count > 250) dev_err(hsotg->dev, "Connection id status change timed out\n"); - hsotg->op_state = OTG_STATE_A_HOST; + spin_lock_irqsave(&hsotg->lock, flags); + dwc2_hsotg_disconnect(hsotg); + spin_unlock_irqrestore(&hsotg->lock, flags); + + hsotg->op_state = OTG_STATE_A_HOST; /* Initialize the Core for Host mode */ dwc2_core_init(hsotg, false); dwc2_enable_global_interrupts(hsotg); Patches currently in stable-queue which might be from john.stultz(a)linaro.org are queue-4.14/usb-dwc2-improve-gadget-state-disconnection-handling.patch

7 years, 9 months

2
1
0 0

[Linux-stable-mirror] Patch "xen-netfront: avoid crashing on resume after a failure in talk_to_netback()" has been added to the 4.9-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled xen-netfront: avoid crashing on resume after a failure in talk_to_netback() to the 4.9-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: xen-netfront-avoid-crashing-on-resume-after-a-failure-in-talk_to_netback.patch and it can be found in the queue-4.9 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From d86b5672b1adb98b4cdd6fbf0224bbfb03db6e2e Mon Sep 17 00:00:00 2001 From: Vitaly Kuznetsov <vkuznets(a)redhat.com> Date: Thu, 11 May 2017 13:58:06 +0200 Subject: xen-netfront: avoid crashing on resume after a failure in talk_to_netback() From: Vitaly Kuznetsov <vkuznets(a)redhat.com> commit d86b5672b1adb98b4cdd6fbf0224bbfb03db6e2e upstream. Unavoidable crashes in netfront_resume() and netback_changed() after a previous fail in talk_to_netback() (e.g. when we fail to read MAC from xenstore) were discovered. The failure path in talk_to_netback() does unregister/free for netdev but we don't reset drvdata and we try accessing it after resume. Fix the bug by removing the whole xen device completely with device_unregister(), this guarantees we won't have any calls into netfront after a failure. Signed-off-by: Vitaly Kuznetsov <vkuznets(a)redhat.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> Cc: Ben Hutchings <ben.hutchings(a)codethink.co.uk> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/net/xen-netfront.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) --- a/drivers/net/xen-netfront.c +++ b/drivers/net/xen-netfront.c @@ -1958,8 +1958,7 @@ abort_transaction_no_dev_fatal: xennet_disconnect_backend(info); xennet_destroy_queues(info); out: - unregister_netdev(info->netdev); - xennet_free_netdev(info->netdev); + device_unregister(&dev->dev); return err; } Patches currently in stable-queue which might be from vkuznets(a)redhat.com are queue-4.9/xen-netfront-avoid-crashing-on-resume-after-a-failure-in-talk_to_netback.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "xen-netfront: avoid crashing on resume after a failure in talk_to_netback()" has been added to the 4.4-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled xen-netfront: avoid crashing on resume after a failure in talk_to_netback() to the 4.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: xen-netfront-avoid-crashing-on-resume-after-a-failure-in-talk_to_netback.patch and it can be found in the queue-4.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From d86b5672b1adb98b4cdd6fbf0224bbfb03db6e2e Mon Sep 17 00:00:00 2001 From: Vitaly Kuznetsov <vkuznets(a)redhat.com> Date: Thu, 11 May 2017 13:58:06 +0200 Subject: xen-netfront: avoid crashing on resume after a failure in talk_to_netback() From: Vitaly Kuznetsov <vkuznets(a)redhat.com> commit d86b5672b1adb98b4cdd6fbf0224bbfb03db6e2e upstream. Unavoidable crashes in netfront_resume() and netback_changed() after a previous fail in talk_to_netback() (e.g. when we fail to read MAC from xenstore) were discovered. The failure path in talk_to_netback() does unregister/free for netdev but we don't reset drvdata and we try accessing it after resume. Fix the bug by removing the whole xen device completely with device_unregister(), this guarantees we won't have any calls into netfront after a failure. Signed-off-by: Vitaly Kuznetsov <vkuznets(a)redhat.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> Cc: Ben Hutchings <ben.hutchings(a)codethink.co.uk> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/net/xen-netfront.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) --- a/drivers/net/xen-netfront.c +++ b/drivers/net/xen-netfront.c @@ -1944,8 +1944,7 @@ abort_transaction_no_dev_fatal: xennet_disconnect_backend(info); xennet_destroy_queues(info); out: - unregister_netdev(info->netdev); - xennet_free_netdev(info->netdev); + device_unregister(&dev->dev); return err; } Patches currently in stable-queue which might be from vkuznets(a)redhat.com are queue-4.4/xen-netfront-avoid-crashing-on-resume-after-a-failure-in-talk_to_netback.patch

7 years, 9 months

1
0
0 0

Re: [Linux-stable-mirror] [PATCH 4.4 00/49] 4.4.105-stable review

by Greg Kroah-Hartman

On Fri, Dec 08, 2017 at 12:00:47PM -0800, Kevin Hilman wrote: > kernelci.org bot <bot(a)kernelci.org> writes: > > > stable-rc/linux-4.4.y boot: 122 boots: 2 failed, 106 passed with 12 offline, 2 conflicts (v4.4.104-50-gffc1d3fcd46a) > > > > Full Boot Summary: https://kernelci.org/boot/all/job/stable-rc/branch/linux-4.4.y/kernel/v4.4.… > > Full Build Summary: https://kernelci.org/build/stable-rc/branch/linux-4.4.y/kernel/v4.4.104-50-… > > > > Tree: stable-rc > > Branch: linux-4.4.y > > Git Describe: v4.4.104-50-gffc1d3fcd46a > > Git Commit: ffc1d3fcd46a59815958ce25e4e70da1a8a5799d > > Git URL: http://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git > > Tested: 62 unique boards, 20 SoC families, 18 builds out of 182 > > > > Boot Regressions Detected: > > > > arm: > > > > exynos_defconfig: > > exynos5422-odroidxu3: > > lab-collabora: failing since 31 days (last pass: v4.4.95-21-g32458fcb7bd6 - first fail: v4.4.96-41-g336421367b9c) > > exynos5422-odroidxu3_rootfs:nfs: > > lab-collabora: failing since 23 days (last pass: v4.4.95-21-g32458fcb7bd6 - first fail: v4.4.97-57-g528c687b455d) > > TL;DR; All is well. > > These two are passing in another lab, so this is a board/lab setup issue > under. Guillaume (Cc'd) is investigating. I figured with a lab that was failing for that long, I didn't need to worry about it. thanks, greg k-h > Kevin

7 years, 9 months

1
0
0 0

Re: [Linux-stable-mirror] [PATCH 4.14 00/75] 4.14.5-stable review

by Greg Kroah-Hartman

On Fri, Dec 08, 2017 at 12:03:34PM -0800, Kevin Hilman wrote: > kernelci.org bot <bot(a)kernelci.org> writes: > > > stable-rc/linux-4.14.y boot: 142 boots: 1 failed, 127 passed with 14 offline (v4.14.4-76-gf91a57b206e0) > > > > Full Boot Summary: https://kernelci.org/boot/all/job/stable-rc/branch/linux-4.14.y/kernel/v4.1… > > Full Build Summary: https://kernelci.org/build/stable-rc/branch/linux-4.14.y/kernel/v4.14.4-76-… > > > > Tree: stable-rc > > Branch: linux-4.14.y > > Git Describe: v4.14.4-76-gf91a57b206e0 > > Git Commit: f91a57b206e0ca82c4d3f13372c392e3b374e1ce > > Git URL: http://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git > > Tested: 76 unique boards, 23 SoC families, 18 builds out of 189 > > > > Boot Regressions Detected: > > > > arm64: > > > > defconfig: > > meson-gxbb-p200: > > TL;DR; All is well. > > Re-ran this one and it's fine. Great, thanks for letting me know. greg k-h

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] [PATCH 4.4 00/96] 4.4.103-stable review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 4.4.103 release. There are 96 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu Nov 30 10:04:41 UTC 2017. Anything received after that time might be too late. The whole patch series can be found in one patch at: kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.103-rc1.gz or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 4.4.103-rc1 Juergen Gross <jgross(a)suse.com> xen: xenbus driver must not accept invalid transaction ids Heiko Carstens <heiko.carstens(a)de.ibm.com> s390/kbuild: enable modversions for symbols exported from asm Richard Fitzgerald <rf(a)opensource.wolfsonmicro.com> ASoC: wm_adsp: Don't overrun firmware file buffer when reading region data Pan Bian <bianpan2016(a)163.com> btrfs: return the actual error value from from btrfs_uuid_tree_iterate Colin Ian King <colin.king(a)canonical.com> ASoC: rsnd: don't double free kctrl Florian Westphal <fw(a)strlen.de> netfilter: nf_tables: fix oob access Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nft_queue: use raw_smp_processor_id() Geert Uytterhoeven <geert(a)linux-m68k.org> spi: SPI_FSL_DSPI should depend on HAS_DMA Pan Bian <bianpan2016(a)163.com> staging: iio: cdc: fix improper return value Pan Bian <bianpan2016(a)163.com> iio: light: fix improper return value Masashi Honma <masashi.honma(a)gmail.com> mac80211: Suppress NEW_PEER_CANDIDATE event if no room Masashi Honma <masashi.honma(a)gmail.com> mac80211: Remove invalid flag operations in mesh TSF synchronization Chris Wilson <chris(a)chris-wilson.co.uk> drm: Apply range restriction after color adjustment when allocation Gabriele Mazzotta <gabriele.mzt(a)gmail.com> ALSA: hda - Apply ALC269_FIXUP_NO_SHUTUP on HDA_FIXUP_ACT_PROBE Bartosz Markowski <bartosz.markowski(a)tieto.com> ath10k: set CTS protection VDEV param only if VDEV is up Christian Lamparter <chunkeey(a)googlemail.com> ath10k: fix potential memory leak in ath10k_wmi_tlv_op_pull_fw_stats() Ryan Hsu <ryanhsu(a)qca.qualcomm.com> ath10k: ignore configuring the incorrect board_id Ryan Hsu <ryanhsu(a)qca.qualcomm.com> ath10k: fix incorrect txpower set by P2P_DEVICE interface Daniel Vetter <daniel.vetter(a)ffwll.ch> drm/armada: Fix compile fail Thomas Preisner <thomas.preisner+linux(a)fau.de> net: 3com: typhoon: typhoon_init_one: fix incorrect return values Thomas Preisner <thomas.preisner+linux(a)fau.de> net: 3com: typhoon: typhoon_init_one: make return values more specific David Ahern <dsa(a)cumulusnetworks.com> net: Allow IP_MULTICAST_IF to set index to L3 slave Shawn Guo <shawn.guo(a)linaro.org> dmaengine: zx: set DMA_CYCLIC cap_mask bit Bjorn Helgaas <bhelgaas(a)google.com> PCI: Apply _HPX settings only to relevant devices Santosh Shilimkar <santosh.shilimkar(a)oracle.com> RDS: RDMA: return appropriate error on rdma map failures Benjamin Poirier <bpoirier(a)suse.com> e1000e: Separate signaling for link check/link up Benjamin Poirier <bpoirier(a)suse.com> e1000e: Fix return value test Benjamin Poirier <bpoirier(a)suse.com> e1000e: Fix error path in link detection Tobias Jordan <Tobias.Jordan(a)elektrobit.com> PM / OPP: Add missing of_node_put(np) Tuomas Tynkkynen <tuomas(a)tuxera.com> net/9p: Switch to wait_event_killable() Eric Biggers <ebiggers(a)google.com> fscrypt: lock mutex before checking for bounce page pool Steven Rostedt (Red Hat) <rostedt(a)goodmis.org> sched/rt: Simplify the IPI based RT balancing logic Ricardo Ribalda Delgado <ricardo.ribalda(a)gmail.com> media: v4l2-ctrl: Fix flags field on Control events Johan Hovold <johan(a)kernel.org> cx231xx-cards: fix NULL-deref on missing association descriptor Sean Young <sean(a)mess.org> media: rc: check for integer overflow Michele Baldessari <michele(a)acksyn.org> media: Don't do DMA on stack for firmware upload in the AS102 driver Naveen N. Rao <naveen.n.rao(a)linux.vnet.ibm.com> powerpc/signal: Properly handle return value from uprobe_deny_signal() John David Anglin <dave.anglin(a)bell.net> parisc: Fix validity check of pointer size argument in new CAS implementation Brian King <brking(a)linux.vnet.ibm.com> ixgbe: Fix skb list corruption on Power systems Brian King <brking(a)linux.vnet.ibm.com> fm10k: Use smp_rmb rather than read_barrier_depends Brian King <brking(a)linux.vnet.ibm.com> i40evf: Use smp_rmb rather than read_barrier_depends Brian King <brking(a)linux.vnet.ibm.com> ixgbevf: Use smp_rmb rather than read_barrier_depends Brian King <brking(a)linux.vnet.ibm.com> igbvf: Use smp_rmb rather than read_barrier_depends Brian King <brking(a)linux.vnet.ibm.com> igb: Use smp_rmb rather than read_barrier_depends Brian King <brking(a)linux.vnet.ibm.com> i40e: Use smp_rmb rather than read_barrier_depends Johan Hovold <johan(a)kernel.org> NFC: fix device-allocation error return Bart Van Assche <bart.vanassche(a)wdc.com> IB/srp: Avoid that a cable pull can trigger a kernel crash Bart Van Assche <bart.vanassche(a)wdc.com> IB/srpt: Do not accept invalid initiator port names Dan Williams <dan.j.williams(a)intel.com> libnvdimm, namespace: make 'resource' attribute only readable by root Dan Williams <dan.j.williams(a)intel.com> libnvdimm, namespace: fix label initialization to use valid seq numbers Johan Hovold <johan(a)kernel.org> clk: ti: dra7-atl-clock: fix child-node lookups Peter Ujfalusi <peter.ujfalusi(a)ti.com> clk: ti: dra7-atl-clock: Fix of_node reference counting Trond Myklebust <trond.myklebust(a)primarydata.com> SUNRPC: Fix tracepoint storage issues with svc_recv and svc_rqst_status Paolo Bonzini <pbonzini(a)redhat.com> KVM: SVM: obey guest PAT Ladi Prosek <lprosek(a)redhat.com> KVM: nVMX: set IDTR and GDTR limits when loading L1 host state Nicholas Bellinger <nab(a)linux-iscsi.org> target: Fix QUEUE_FULL + SCSI task attribute handling Nicholas Bellinger <nab(a)linux-iscsi.org> iscsi-target: Fix non-immediate TMR reference leak Tuomas Tynkkynen <tuomas(a)tuxera.com> fs/9p: Compare qid.path in v9fs_test_inode Al Viro <viro(a)zeniv.linux.org.uk> fix a page leak in vhost_scsi_iov_to_sgl() error recovery Kailang Yang <kailang(a)realtek.com> ALSA: hda/realtek - Fix ALC700 family no sound issue Takashi Iwai <tiwai(a)suse.de> ALSA: timer: Remove kernel warning at compat ioctl error paths Takashi Iwai <tiwai(a)suse.de> ALSA: usb-audio: Add sanity checks in v2 clock parsers Takashi Iwai <tiwai(a)suse.de> ALSA: usb-audio: Fix potential out-of-bound access at parsing SU Takashi Iwai <tiwai(a)suse.de> ALSA: usb-audio: Add sanity checks to FE parser Henrik Eriksson <henrik.eriksson(a)axis.com> ALSA: pcm: update tstamp only if audio_tstamp changed Theodore Ts'o <tytso(a)mit.edu> ext4: fix interaction between i_size, fallocate, and delalloc after a crash Rameshwar Prasad Sahu <rsahu(a)apm.com> ata: fixes kernel crash while tracing ata_eh_link_autopsy event Arnd Bergmann <arnd(a)arndb.de> rtlwifi: fix uninitialized rtlhal->last_suspend_sec time Larry Finger <Larry.Finger(a)lwfinger.net> rtlwifi: rtl8192ee: Fix memory leak when loading firmware Andrew Elble <aweits(a)rit.edu> nfsd: deal with revoked delegations appropriately Chuck Lever <chuck.lever(a)oracle.com> nfs: Fix ugly referral attributes Joshua Watt <jpewhacker(a)gmail.com> NFS: Fix typo in nomigration mount option Arnd Bergmann <arnd(a)arndb.de> isofs: fix timestamps beyond 2027 Coly Li <colyli(a)suse.de> bcache: check ca->alloc_thread initialized before wake up it Dan Carpenter <dan.carpenter(a)oracle.com> eCryptfs: use after free in ecryptfs_release_messaging() Andreas Rohner <andreas.rohner(a)gmx.net> nilfs2: fix race condition that causes file system corruption NeilBrown <neilb(a)suse.com> autofs: don't fail mount for transient error Mirko Parthey <mirko.parthey(a)web.de> MIPS: BCM47XX: Fix LED inversion for WRT54GSv1 Maciej W. Rozycki <macro(a)mips.com> MIPS: Fix an n32 core file generation regset support regression Hou Tao <houtao1(a)huawei.com> dm: fix race between dm_get_from_kobject() and __dm_destroy() Eric Biggers <ebiggers(a)google.com> dm bufio: fix integer overflow when limiting maximum cache size Vijendar Mukunda <Vijendar.Mukunda(a)amd.com> ALSA: hda: Add Raven PCI ID Mathias Kresin <dev(a)kresin.me> MIPS: ralink: Fix typo in mt7628 pinmux function Mathias Kresin <dev(a)kresin.me> MIPS: ralink: Fix MT7628 pinmux Philip Derrin <philip(a)cog.systems> ARM: 8721/1: mm: dump: check hardware RO bit for LPAE Philip Derrin <philip(a)cog.systems> ARM: 8722/1: mm: make STRICT_KERNEL_RWX effective for LPAE Masami Hiramatsu <mhiramat(a)kernel.org> x86/decoder: Add new TEST instruction pattern Eric Biggers <ebiggers(a)google.com> lib/mpi: call cond_resched() from mpi_powm() loop Paul E. McKenney <paulmck(a)linux.vnet.ibm.com> sched: Make resched_cpu() unconditional WANG Cong <xiyou.wangcong(a)gmail.com> vsock: use new wait API for vsock_stream_sendmsg() Claudio Imbrenda <imbrenda(a)linux.vnet.ibm.com> AF_VSOCK: Shrink the area influenced by prepare_to_wait WANG Cong <xiyou.wangcong(a)gmail.com> ipv6: only call ip6_route_dev_notify() once for NETDEV_UNREGISTER Vasily Gorbik <gor(a)linux.vnet.ibm.com> s390/disassembler: increase show_code buffer size Heiko Carstens <heiko.carstens(a)de.ibm.com> s390/disassembler: add missing end marker for e7 table Heiko Carstens <heiko.carstens(a)de.ibm.com> s390/runtime instrumention: fix possible memory corruption Heiko Carstens <heiko.carstens(a)de.ibm.com> s390: fix transactional execution control register handling ------------- Diffstat: Makefile | 4 +- arch/arm/mm/dump.c | 4 +- arch/arm/mm/init.c | 4 +- arch/mips/bcm47xx/leds.c | 2 +- arch/mips/kernel/ptrace.c | 17 ++ arch/mips/ralink/mt7620.c | 4 +- arch/parisc/kernel/syscall.S | 6 +- arch/powerpc/kernel/signal.c | 2 +- arch/s390/include/asm/asm-prototypes.h | 8 + arch/s390/include/asm/switch_to.h | 2 +- arch/s390/kernel/dis.c | 5 +- arch/s390/kernel/early.c | 4 +- arch/s390/kernel/process.c | 1 + arch/s390/kernel/runtime_instr.c | 4 +- arch/x86/kvm/svm.c | 7 + arch/x86/kvm/vmx.c | 2 + arch/x86/lib/x86-opcode-map.txt | 2 +- drivers/ata/libata-eh.c | 2 +- drivers/base/power/opp/core.c | 1 + drivers/clk/ti/clk-dra7-atl.c | 3 +- drivers/dma/zx296702_dma.c | 1 + drivers/gpu/drm/armada/Makefile | 2 + drivers/gpu/drm/drm_mm.c | 16 +- drivers/iio/light/cm3232.c | 2 +- drivers/infiniband/ulp/srp/ib_srp.c | 25 ++- drivers/infiniband/ulp/srpt/ib_srpt.c | 9 +- drivers/md/bcache/alloc.c | 3 +- drivers/md/dm-bufio.c | 15 +- drivers/md/dm.c | 12 +- drivers/media/rc/ir-lirc-codec.c | 9 +- drivers/media/usb/as102/as102_fw.c | 28 ++- drivers/media/usb/cx231xx/cx231xx-cards.c | 2 +- drivers/media/v4l2-core/v4l2-ctrls.c | 16 +- drivers/net/ethernet/3com/typhoon.c | 25 ++- drivers/net/ethernet/intel/e1000e/mac.c | 11 +- drivers/net/ethernet/intel/e1000e/netdev.c | 4 +- drivers/net/ethernet/intel/e1000e/phy.c | 7 +- drivers/net/ethernet/intel/fm10k/fm10k_main.c | 2 +- drivers/net/ethernet/intel/i40e/i40e_main.c | 2 +- drivers/net/ethernet/intel/i40e/i40e_txrx.c | 2 +- drivers/net/ethernet/intel/i40evf/i40e_txrx.c | 2 +- drivers/net/ethernet/intel/igb/igb_main.c | 2 +- drivers/net/ethernet/intel/igbvf/netdev.c | 2 +- drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 2 +- drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c | 2 +- drivers/net/wireless/ath/ath10k/core.c | 5 +- drivers/net/wireless/ath/ath10k/mac.c | 58 ++++- drivers/net/wireless/ath/ath10k/wmi-tlv.c | 12 +- .../net/wireless/realtek/rtlwifi/rtl8192ee/fw.c | 6 +- .../net/wireless/realtek/rtlwifi/rtl8821ae/hw.c | 1 + drivers/nvdimm/label.c | 2 +- drivers/nvdimm/namespace_devs.c | 2 +- drivers/pci/probe.c | 15 +- drivers/spi/Kconfig | 1 + drivers/staging/iio/cdc/ad7150.c | 2 +- drivers/target/iscsi/iscsi_target.c | 8 +- drivers/target/target_core_transport.c | 4 + drivers/vhost/scsi.c | 5 +- drivers/xen/xenbus/xenbus_dev_frontend.c | 2 +- fs/9p/vfs_inode.c | 3 + fs/9p/vfs_inode_dotl.c | 3 + fs/autofs4/waitq.c | 15 +- fs/btrfs/uuid-tree.c | 4 +- fs/ecryptfs/messaging.c | 7 +- fs/ext4/crypto_key.c | 8 +- fs/ext4/extents.c | 6 +- fs/isofs/isofs.h | 2 +- fs/isofs/rock.h | 2 +- fs/isofs/util.c | 2 +- fs/nfs/nfs4proc.c | 18 +- fs/nfs/super.c | 2 +- fs/nfsd/nfs4state.c | 25 ++- fs/nilfs2/segment.c | 6 +- include/trace/events/sunrpc.h | 17 +- kernel/sched/core.c | 9 +- kernel/sched/rt.c | 235 ++++++++++----------- kernel/sched/sched.h | 24 ++- lib/mpi/mpi-pow.c | 2 + net/9p/client.c | 3 +- net/9p/trans_virtio.c | 13 +- net/ipv4/ip_sockglue.c | 7 +- net/ipv6/ipv6_sockglue.c | 16 +- net/ipv6/route.c | 6 +- net/mac80211/ieee80211_i.h | 1 - net/mac80211/mesh.c | 3 - net/mac80211/mesh_plink.c | 14 +- net/mac80211/mesh_sync.c | 11 - net/netfilter/nf_tables_api.c | 2 +- net/netfilter/nft_queue.c | 2 +- net/nfc/core.c | 2 +- net/rds/send.c | 11 +- net/vmw_vsock/af_vsock.c | 167 ++++++++------- sound/core/pcm_lib.c | 6 +- sound/core/timer_compat.c | 12 +- sound/pci/hda/hda_intel.c | 3 + sound/pci/hda/patch_realtek.c | 4 +- sound/soc/codecs/wm_adsp.c | 25 ++- sound/soc/sh/rcar/core.c | 4 +- sound/usb/clock.c | 9 +- sound/usb/mixer.c | 15 +- 100 files changed, 699 insertions(+), 437 deletions(-)

7 years, 9 months

9
118
0 0

[Linux-stable-mirror] [PATCH] acpi, nfit: fix health event notification

by Dan Williams

Integration testing with a BIOS that generates injected health event notifications fails to communicate those events to userspace. The nfit driver neglects to link the ACPI DIMM device with the necessary driver data so acpi_nvdimm_notify() fails this lookup: nfit_mem = dev_get_drvdata(dev); if (nfit_mem && nfit_mem->flags_attr) sysfs_notify_dirent(nfit_mem->flags_attr); Add the necessary linkage when installing the notification handler and clean it up when the nfit driver instance is torn down. Cc: <stable(a)vger.kernel.org> Cc: Toshi Kani <toshi.kani(a)hpe.com> Cc: Vishal Verma <vishal.l.verma(a)intel.com> Fixes: ba9c8dd3c222 ("acpi, nfit: add dimm device notification support") Reported-by: Daniel Osawa <daniel.k.osawa(a)intel.com> Signed-off-by: Dan Williams <dan.j.williams(a)intel.com> --- drivers/acpi/nfit/core.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/acpi/nfit/core.c b/drivers/acpi/nfit/core.c index ff2580e7611d..947ea8a92761 100644 --- a/drivers/acpi/nfit/core.c +++ b/drivers/acpi/nfit/core.c @@ -1670,6 +1670,11 @@ static int acpi_nfit_add_dimm(struct acpi_nfit_desc *acpi_desc, dev_name(&adev_dimm->dev)); return -ENXIO; } + /* + * Record nfit_mem for the notification path to track back to + * the nfit sysfs attributes for this dimm device object. + */ + dev_set_drvdata(&adev_dimm->dev, nfit_mem); /* * Until standardization materializes we need to consider 4 @@ -1755,6 +1760,7 @@ static void shutdown_dimm_notify(void *data) if (adev_dimm) acpi_remove_notify_handler(adev_dimm->handle, ACPI_DEVICE_NOTIFY, acpi_nvdimm_notify); + dev_set_drvdata(&adev_dimm->dev, NULL); } mutex_unlock(&acpi_desc->init_mutex); }

7 years, 9 months

2
1
0 0

[Linux-stable-mirror] [PATCH 1/2] ARC: uaccess: dont use "l" inline as constraint

by Vineet Gupta

This constraint has been removed from gcc There was an earlier fix 3c7c7a2fc8811 which fixed this in delay.h but somehow missed this one as gcc change had not made its way into production toolchains Cc: stable(a)vger.kernel.org Signed-off-by: Vineet Gupta <vgupta(a)synopsys.com> --- arch/arc/include/asm/uaccess.h | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/arch/arc/include/asm/uaccess.h b/arch/arc/include/asm/uaccess.h index f35974ee7264..c9173c02081c 100644 --- a/arch/arc/include/asm/uaccess.h +++ b/arch/arc/include/asm/uaccess.h @@ -668,6 +668,7 @@ __arc_strncpy_from_user(char *dst, const char __user *src, long count) return 0; __asm__ __volatile__( + " mov lp_count, %5 \n" " lp 3f \n" "1: ldb.ab %3, [%2, 1] \n" " breq.d %3, 0, 3f \n" @@ -684,8 +685,8 @@ __arc_strncpy_from_user(char *dst, const char __user *src, long count) " .word 1b, 4b \n" " .previous \n" : "+r"(res), "+r"(dst), "+r"(src), "=r"(val) - : "g"(-EFAULT), "l"(count) - : "memory"); + : "g"(-EFAULT), "r"(count) + : "lp_count", "lp_start", "lp_end", "memory"); return res; } -- 2.7.4

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] [PATCH] KEYS: reject NULL restriction string when type is specified

by Eric Biggers

From: Eric Biggers <ebiggers(a)google.com> keyctl_restrict_keyring() allows through a NULL restriction when the "type" is non-NULL, which causes a NULL pointer dereference in asymmetric_lookup_restriction() when it calls strcmp() on the restriction string. But no key types actually use a "NULL restriction" to mean anything, so update keyctl_restrict_keyring() to reject it with EINVAL. Reported-by: syzbot <syzkaller(a)googlegroups.com> Fixes: 97d3aa0f3134 ("KEYS: Add a lookup_restriction function for the asymmetric key type") Cc: <stable(a)vger.kernel.org> # v4.12+ Signed-off-by: Eric Biggers <ebiggers(a)google.com> --- security/keys/keyctl.c | 24 ++++++++++-------------- 1 file changed, 10 insertions(+), 14 deletions(-) diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c index 76d22f726ae4..1ffe60bb2845 100644 --- a/security/keys/keyctl.c +++ b/security/keys/keyctl.c @@ -1588,9 +1588,8 @@ long keyctl_session_to_parent(void) * The caller must have Setattr permission to change keyring restrictions. * * The requested type name may be a NULL pointer to reject all attempts - * to link to the keyring. If _type is non-NULL, _restriction can be - * NULL or a pointer to a string describing the restriction. If _type is - * NULL, _restriction must also be NULL. + * to link to the keyring. In this case, _restriction must also be NULL. + * Otherwise, both _type and _restriction must be non-NULL. * * Returns 0 if successful. */ @@ -1598,7 +1597,6 @@ long keyctl_restrict_keyring(key_serial_t id, const char __user *_type, const char __user *_restriction) { key_ref_t key_ref; - bool link_reject = !_type; char type[32]; char *restriction = NULL; long ret; @@ -1607,31 +1605,29 @@ long keyctl_restrict_keyring(key_serial_t id, const char __user *_type, if (IS_ERR(key_ref)) return PTR_ERR(key_ref); + ret = -EINVAL; if (_type) { - ret = key_get_type_from_user(type, _type, sizeof(type)); - if (ret < 0) + if (!_restriction) goto error; - } - if (_restriction) { - if (!_type) { - ret = -EINVAL; + ret = key_get_type_from_user(type, _type, sizeof(type)); + if (ret < 0) goto error; - } restriction = strndup_user(_restriction, PAGE_SIZE); if (IS_ERR(restriction)) { ret = PTR_ERR(restriction); goto error; } + } else { + if (_restriction) + goto error; } - ret = keyring_restrict(key_ref, link_reject ? NULL : type, restriction); + ret = keyring_restrict(key_ref, _type ? type : NULL, restriction); kfree(restriction); - error: key_ref_put(key_ref); - return ret; } -- 2.15.0.531.g2ccb3012c9-goog

7 years, 9 months

3
3
0 0

[Linux-stable-mirror] patch "usb: xhci: fix TDS for MTK xHCI1.1" added to usb-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled usb: xhci: fix TDS for MTK xHCI1.1 to my usb git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git in the usb-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. >From 72b663a99c074a8d073e7ecdae446cfb024ef551 Mon Sep 17 00:00:00 2001 From: Chunfeng Yun <chunfeng.yun(a)mediatek.com> Date: Fri, 8 Dec 2017 18:10:06 +0200 Subject: usb: xhci: fix TDS for MTK xHCI1.1 For MTK's xHCI 1.0 or latter, TD size is the number of max packet sized packets remaining in the TD, not including this TRB (following spec). For MTK's xHCI 0.96 and older, TD size is the number of max packet sized packets remaining in the TD, including this TRB (not following spec). Cc: stable <stable(a)vger.kernel.org> Signed-off-by: Chunfeng Yun <chunfeng.yun(a)mediatek.com> Signed-off-by: Mathias Nyman <mathias.nyman(a)linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/usb/host/xhci-ring.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c index 6eb87c6e4d24..c5cbc685c691 100644 --- a/drivers/usb/host/xhci-ring.c +++ b/drivers/usb/host/xhci-ring.c @@ -3112,7 +3112,7 @@ static u32 xhci_td_remainder(struct xhci_hcd *xhci, int transferred, { u32 maxp, total_packet_count; - /* MTK xHCI is mostly 0.97 but contains some features from 1.0 */ + /* MTK xHCI 0.96 contains some features from 1.0 */ if (xhci->hci_version < 0x100 && !(xhci->quirks & XHCI_MTK_HOST)) return ((td_total_len - transferred) >> 10); @@ -3121,8 +3121,8 @@ static u32 xhci_td_remainder(struct xhci_hcd *xhci, int transferred, trb_buff_len == td_total_len) return 0; - /* for MTK xHCI, TD size doesn't include this TRB */ - if (xhci->quirks & XHCI_MTK_HOST) + /* for MTK xHCI 0.96, TD size include this TRB, but not in 1.x */ + if ((xhci->quirks & XHCI_MTK_HOST) && (xhci->hci_version < 0x100)) trb_buff_len = 0; maxp = usb_endpoint_maxp(&urb->ep->desc); -- 2.15.1

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] patch "xhci: Don't add a virt_dev to the devs array before it's fully" added to usb-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled xhci: Don't add a virt_dev to the devs array before it's fully to my usb git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git in the usb-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. >From 5d9b70f7d52eb14bb37861c663bae44de9521c35 Mon Sep 17 00:00:00 2001 From: Mathias Nyman <mathias.nyman(a)linux.intel.com> Date: Fri, 8 Dec 2017 18:10:05 +0200 Subject: xhci: Don't add a virt_dev to the devs array before it's fully allocated Avoid null pointer dereference if some function is walking through the devs array accessing members of a new virt_dev that is mid allocation. Add the virt_dev to xhci->devs[i] _after_ the virt_device and all its members are properly allocated. issue found by KASAN: null-ptr-deref in xhci_find_slot_id_by_port "Quick analysis suggests that xhci_alloc_virt_device() is not mutex protected. If so, there is a time frame where xhci->devs[slot_id] is set but not fully initialized. Specifically, xhci->devs[i]->udev can be NULL." Cc: stable <stable(a)vger.kernel.org> Signed-off-by: Mathias Nyman <mathias.nyman(a)linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/usb/host/xhci-mem.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c index 15f7d422885f..3a29b32a3bd0 100644 --- a/drivers/usb/host/xhci-mem.c +++ b/drivers/usb/host/xhci-mem.c @@ -971,10 +971,9 @@ int xhci_alloc_virt_device(struct xhci_hcd *xhci, int slot_id, return 0; } - xhci->devs[slot_id] = kzalloc(sizeof(*xhci->devs[slot_id]), flags); - if (!xhci->devs[slot_id]) + dev = kzalloc(sizeof(*dev), flags); + if (!dev) return 0; - dev = xhci->devs[slot_id]; /* Allocate the (output) device context that will be used in the HC. */ dev->out_ctx = xhci_alloc_container_ctx(xhci, XHCI_CTX_TYPE_DEVICE, flags); @@ -1015,9 +1014,17 @@ int xhci_alloc_virt_device(struct xhci_hcd *xhci, int slot_id, trace_xhci_alloc_virt_device(dev); + xhci->devs[slot_id] = dev; + return 1; fail: - xhci_free_virt_device(xhci, slot_id); + + if (dev->in_ctx) + xhci_free_container_ctx(xhci, dev->in_ctx); + if (dev->out_ctx) + xhci_free_container_ctx(xhci, dev->out_ctx); + kfree(dev); + return 0; } -- 2.15.1

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] [PATCH] ASoC: wm_adsp: Fix validation of firmware and coeff lengths

by Ben Hutchings

The checks for whether another region/block header could be present are subtracting the size from the current offset. Obviously we should instead subtract the offset from the size. The checks for whether the region/block data fit in the file are adding the data size to the current offset and header size, without checking for integer overflow. Rearrange these so that overflow is impossible. Cc: stable(a)vger.kernel.org Signed-off-by: Ben Hutchings <ben.hutchings(a)codethink.co.uk> --- sound/soc/codecs/wm_adsp.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/sound/soc/codecs/wm_adsp.c b/sound/soc/codecs/wm_adsp.c index 65c059b5ffd7..66e32f5d2917 100644 --- a/sound/soc/codecs/wm_adsp.c +++ b/sound/soc/codecs/wm_adsp.c @@ -1733,7 +1733,7 @@ static int wm_adsp_load(struct wm_adsp *dsp) le64_to_cpu(footer->timestamp)); while (pos < firmware->size && - pos - firmware->size > sizeof(*region)) { + sizeof(*region) < firmware->size - pos) { region = (void *)&(firmware->data[pos]); region_name = "Unknown"; reg = 0; @@ -1782,8 +1782,8 @@ static int wm_adsp_load(struct wm_adsp *dsp) regions, le32_to_cpu(region->len), offset, region_name); - if ((pos + le32_to_cpu(region->len) + sizeof(*region)) > - firmware->size) { + if (le32_to_cpu(region->len) > + firmware->size - pos - sizeof(*region)) { adsp_err(dsp, "%s.%d: %s region len %d bytes exceeds file length %zu\n", file, regions, region_name, @@ -2253,7 +2253,7 @@ static int wm_adsp_load_coeff(struct wm_adsp *dsp) blocks = 0; while (pos < firmware->size && - pos - firmware->size > sizeof(*blk)) { + sizeof(*blk) < firmware->size - pos) { blk = (void *)(&firmware->data[pos]); type = le16_to_cpu(blk->type); @@ -2327,8 +2327,8 @@ static int wm_adsp_load_coeff(struct wm_adsp *dsp) } if (reg) { - if ((pos + le32_to_cpu(blk->len) + sizeof(*blk)) > - firmware->size) { + if (le32_to_cpu(blk->len) > + firmware->size - pos - sizeof(*blk)) { adsp_err(dsp, "%s.%d: %s region len %d bytes exceeds file length %zu\n", file, blocks, region_name, -- 2.15.0.rc0

7 years, 9 months

3
2
0 0

Re: [Linux-stable-mirror] [PATCH AUTOSEL for 4.14 012/135] ASoC: cs42l56: Fix reset GPIO name in example DT binding

by Andrew F. Davis

On 12/08/2017 05:36 AM, Mark Brown wrote: > On Thu, Dec 07, 2017 at 09:03:01PM +0000, alexander.levin(a)verizon.com wrote: >> On Thu, Dec 07, 2017 at 05:25:02PM +0000, Mark Brown wrote: > >>> We shouldn't be getting into adding completely new DT properties in >>> stable backports like this. Old kernels have the bindings they have. > >> I thought that this one just adjust the example to match the code, and >> doesn't actually change anything? > > No, there's a corresponding code change - the changelog is badly written. > Not this patch, this one was just the example was wrong, the driver looks for, and always did look for, the "cirrus,gpio-nreset". Only the tlv* drivers looked for the other property and needed code changing, and those are separate patches.

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] patch "usbip: prevent vhci_hcd driver from leaking a socket pointer address" added to usb-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled usbip: prevent vhci_hcd driver from leaking a socket pointer address to my usb git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git in the usb-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. >From 2f2d0088eb93db5c649d2a5e34a3800a8a935fc5 Mon Sep 17 00:00:00 2001 From: Shuah Khan <shuahkh(a)osg.samsung.com> Date: Thu, 7 Dec 2017 14:16:49 -0700 Subject: usbip: prevent vhci_hcd driver from leaking a socket pointer address When a client has a USB device attached over IP, the vhci_hcd driver is locally leaking a socket pointer address via the /sys/devices/platform/vhci_hcd/status file (world-readable) and in debug output when "usbip --debug port" is run. Fix it to not leak. The socket pointer address is not used at the moment and it was made visible as a convenient way to find IP address from socket pointer address by looking up /proc/net/{tcp,tcp6}. As this opens a security hole, the fix replaces socket pointer address with sockfd. Reported-by: Secunia Research <vuln(a)secunia.com> Cc: stable <stable(a)vger.kernel.org> Signed-off-by: Shuah Khan <shuahkh(a)osg.samsung.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/usb/usbip/usbip_common.h | 1 + drivers/usb/usbip/vhci_sysfs.c | 25 ++++++++++++++++--------- tools/usb/usbip/libsrc/vhci_driver.c | 8 ++++---- 3 files changed, 21 insertions(+), 13 deletions(-) diff --git a/drivers/usb/usbip/usbip_common.h b/drivers/usb/usbip/usbip_common.h index e5de35c8c505..473fb8a87289 100644 --- a/drivers/usb/usbip/usbip_common.h +++ b/drivers/usb/usbip/usbip_common.h @@ -256,6 +256,7 @@ struct usbip_device { /* lock for status */ spinlock_t lock; + int sockfd; struct socket *tcp_socket; struct task_struct *tcp_rx; diff --git a/drivers/usb/usbip/vhci_sysfs.c b/drivers/usb/usbip/vhci_sysfs.c index e78f7472cac4..091f76b7196d 100644 --- a/drivers/usb/usbip/vhci_sysfs.c +++ b/drivers/usb/usbip/vhci_sysfs.c @@ -17,15 +17,20 @@ /* * output example: - * hub port sta spd dev socket local_busid - * hs 0000 004 000 00000000 c5a7bb80 1-2.3 + * hub port sta spd dev sockfd local_busid + * hs 0000 004 000 00000000 3 1-2.3 * ................................................ - * ss 0008 004 000 00000000 d8cee980 2-3.4 + * ss 0008 004 000 00000000 4 2-3.4 * ................................................ * - * IP address can be retrieved from a socket pointer address by looking - * up /proc/net/{tcp,tcp6}. Also, a userland program may remember a - * port number and its peer IP address. + * Output includes socket fd instead of socket pointer address to avoid + * leaking kernel memory address in: + * /sys/devices/platform/vhci_hcd.0/status and in debug output. + * The socket pointer address is not used at the moment and it was made + * visible as a convenient way to find IP address from socket pointer + * address by looking up /proc/net/{tcp,tcp6}. As this opens a security + * hole, the change is made to use sockfd instead. + * */ static void port_show_vhci(char **out, int hub, int port, struct vhci_device *vdev) { @@ -39,8 +44,8 @@ static void port_show_vhci(char **out, int hub, int port, struct vhci_device *vd if (vdev->ud.status == VDEV_ST_USED) { *out += sprintf(*out, "%03u %08x ", vdev->speed, vdev->devid); - *out += sprintf(*out, "%16p %s", - vdev->ud.tcp_socket, + *out += sprintf(*out, "%u %s", + vdev->ud.sockfd, dev_name(&vdev->udev->dev)); } else { @@ -160,7 +165,8 @@ static ssize_t nports_show(struct device *dev, struct device_attribute *attr, char *s = out; /* - * Half the ports are for SPEED_HIGH and half for SPEED_SUPER, thus the * 2. + * Half the ports are for SPEED_HIGH and half for SPEED_SUPER, + * thus the * 2. */ out += sprintf(out, "%d\n", VHCI_PORTS * vhci_num_controllers); return out - s; @@ -366,6 +372,7 @@ static ssize_t store_attach(struct device *dev, struct device_attribute *attr, vdev->devid = devid; vdev->speed = speed; + vdev->ud.sockfd = sockfd; vdev->ud.tcp_socket = socket; vdev->ud.status = VDEV_ST_NOTASSIGNED; diff --git a/tools/usb/usbip/libsrc/vhci_driver.c b/tools/usb/usbip/libsrc/vhci_driver.c index 627d1dfc332b..c9c81614a66a 100644 --- a/tools/usb/usbip/libsrc/vhci_driver.c +++ b/tools/usb/usbip/libsrc/vhci_driver.c @@ -50,14 +50,14 @@ static int parse_status(const char *value) while (*c != '\0') { int port, status, speed, devid; - unsigned long socket; + int sockfd; char lbusid[SYSFS_BUS_ID_SIZE]; struct usbip_imported_device *idev; char hub[3]; - ret = sscanf(c, "%2s %d %d %d %x %lx %31s\n", + ret = sscanf(c, "%2s %d %d %d %x %u %31s\n", hub, &port, &status, &speed, - &devid, &socket, lbusid); + &devid, &sockfd, lbusid); if (ret < 5) { dbg("sscanf failed: %d", ret); @@ -66,7 +66,7 @@ static int parse_status(const char *value) dbg("hub %s port %d status %d speed %d devid %x", hub, port, status, speed, devid); - dbg("socket %lx lbusid %s", socket, lbusid); + dbg("sockfd %u lbusid %s", sockfd, lbusid); /* if a device is connected, look at it */ idev = &vhci_driver->idev[port]; -- 2.15.1

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] patch "usbip: fix stub_send_ret_submit() vulnerability to null" added to usb-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled usbip: fix stub_send_ret_submit() vulnerability to null to my usb git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git in the usb-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. >From be6123df1ea8f01ee2f896a16c2b7be3e4557a5a Mon Sep 17 00:00:00 2001 From: Shuah Khan <shuahkh(a)osg.samsung.com> Date: Thu, 7 Dec 2017 14:16:50 -0700 Subject: usbip: fix stub_send_ret_submit() vulnerability to null transfer_buffer stub_send_ret_submit() handles urb with a potential null transfer_buffer, when it replays a packet with potential malicious data that could contain a null buffer. Add a check for the condition when actual_length > 0 and transfer_buffer is null. Reported-by: Secunia Research <vuln(a)secunia.com> Cc: stable <stable(a)vger.kernel.org> Signed-off-by: Shuah Khan <shuahkh(a)osg.samsung.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/usb/usbip/stub_tx.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/drivers/usb/usbip/stub_tx.c b/drivers/usb/usbip/stub_tx.c index b18bce96c212..53172b1f6257 100644 --- a/drivers/usb/usbip/stub_tx.c +++ b/drivers/usb/usbip/stub_tx.c @@ -167,6 +167,13 @@ static int stub_send_ret_submit(struct stub_device *sdev) memset(&pdu_header, 0, sizeof(pdu_header)); memset(&msg, 0, sizeof(msg)); + if (urb->actual_length > 0 && !urb->transfer_buffer) { + dev_err(&sdev->udev->dev, + "urb: actual_length %d transfer_buffer null\n", + urb->actual_length); + return -1; + } + if (usb_pipetype(urb->pipe) == PIPE_ISOCHRONOUS) iovnum = 2 + urb->number_of_packets; else -- 2.15.1

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] patch "usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input" added to usb-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input to my usb git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git in the usb-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. >From c6688ef9f29762e65bce325ef4acd6c675806366 Mon Sep 17 00:00:00 2001 From: Shuah Khan <shuahkh(a)osg.samsung.com> Date: Thu, 7 Dec 2017 14:16:48 -0700 Subject: usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input Harden CMD_SUBMIT path to handle malicious input that could trigger large memory allocations. Add checks to validate transfer_buffer_length and number_of_packets to protect against bad input requesting for unbounded memory allocations. Validate early in get_pipe() and return failure. Reported-by: Secunia Research <vuln(a)secunia.com> Cc: stable <stable(a)vger.kernel.org> Signed-off-by: Shuah Khan <shuahkh(a)osg.samsung.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/usb/usbip/stub_rx.c | 35 +++++++++++++++++++++++++++++++---- 1 file changed, 31 insertions(+), 4 deletions(-) diff --git a/drivers/usb/usbip/stub_rx.c b/drivers/usb/usbip/stub_rx.c index 4d61063c259d..493ac2928391 100644 --- a/drivers/usb/usbip/stub_rx.c +++ b/drivers/usb/usbip/stub_rx.c @@ -322,11 +322,13 @@ static struct stub_priv *stub_priv_alloc(struct stub_device *sdev, return priv; } -static int get_pipe(struct stub_device *sdev, int epnum, int dir) +static int get_pipe(struct stub_device *sdev, struct usbip_header *pdu) { struct usb_device *udev = sdev->udev; struct usb_host_endpoint *ep; struct usb_endpoint_descriptor *epd = NULL; + int epnum = pdu->base.ep; + int dir = pdu->base.direction; if (epnum < 0 || epnum > 15) goto err_ret; @@ -339,6 +341,15 @@ static int get_pipe(struct stub_device *sdev, int epnum, int dir) goto err_ret; epd = &ep->desc; + + /* validate transfer_buffer_length */ + if (pdu->u.cmd_submit.transfer_buffer_length > INT_MAX) { + dev_err(&sdev->udev->dev, + "CMD_SUBMIT: -EMSGSIZE transfer_buffer_length %d\n", + pdu->u.cmd_submit.transfer_buffer_length); + return -1; + } + if (usb_endpoint_xfer_control(epd)) { if (dir == USBIP_DIR_OUT) return usb_sndctrlpipe(udev, epnum); @@ -361,6 +372,21 @@ static int get_pipe(struct stub_device *sdev, int epnum, int dir) } if (usb_endpoint_xfer_isoc(epd)) { + /* validate packet size and number of packets */ + unsigned int maxp, packets, bytes; + + maxp = usb_endpoint_maxp(epd); + maxp *= usb_endpoint_maxp_mult(epd); + bytes = pdu->u.cmd_submit.transfer_buffer_length; + packets = DIV_ROUND_UP(bytes, maxp); + + if (pdu->u.cmd_submit.number_of_packets < 0 || + pdu->u.cmd_submit.number_of_packets > packets) { + dev_err(&sdev->udev->dev, + "CMD_SUBMIT: isoc invalid num packets %d\n", + pdu->u.cmd_submit.number_of_packets); + return -1; + } if (dir == USBIP_DIR_OUT) return usb_sndisocpipe(udev, epnum); else @@ -369,7 +395,7 @@ static int get_pipe(struct stub_device *sdev, int epnum, int dir) err_ret: /* NOT REACHED */ - dev_err(&sdev->udev->dev, "get pipe() invalid epnum %d\n", epnum); + dev_err(&sdev->udev->dev, "CMD_SUBMIT: invalid epnum %d\n", epnum); return -1; } @@ -434,7 +460,7 @@ static void stub_recv_cmd_submit(struct stub_device *sdev, struct stub_priv *priv; struct usbip_device *ud = &sdev->ud; struct usb_device *udev = sdev->udev; - int pipe = get_pipe(sdev, pdu->base.ep, pdu->base.direction); + int pipe = get_pipe(sdev, pdu); if (pipe == -1) return; @@ -456,7 +482,8 @@ static void stub_recv_cmd_submit(struct stub_device *sdev, } /* allocate urb transfer buffer, if needed */ - if (pdu->u.cmd_submit.transfer_buffer_length > 0) { + if (pdu->u.cmd_submit.transfer_buffer_length > 0 && + pdu->u.cmd_submit.transfer_buffer_length <= INT_MAX) { priv->urb->transfer_buffer = kzalloc(pdu->u.cmd_submit.transfer_buffer_length, GFP_KERNEL); -- 2.15.1

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] patch "usbip: fix stub_rx: get_pipe() to validate endpoint number" added to usb-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled usbip: fix stub_rx: get_pipe() to validate endpoint number to my usb git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git in the usb-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. >From 635f545a7e8be7596b9b2b6a43cab6bbd5a88e43 Mon Sep 17 00:00:00 2001 From: Shuah Khan <shuahkh(a)osg.samsung.com> Date: Thu, 7 Dec 2017 14:16:47 -0700 Subject: usbip: fix stub_rx: get_pipe() to validate endpoint number get_pipe() routine doesn't validate the input endpoint number and uses to reference ep_in and ep_out arrays. Invalid endpoint number can trigger BUG(). Range check the epnum and returning error instead of calling BUG(). Change caller stub_recv_cmd_submit() to handle the get_pipe() error return. Reported-by: Secunia Research <vuln(a)secunia.com> Cc: stable <stable(a)vger.kernel.org> Signed-off-by: Shuah Khan <shuahkh(a)osg.samsung.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/usb/usbip/stub_rx.c | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/drivers/usb/usbip/stub_rx.c b/drivers/usb/usbip/stub_rx.c index 536e037f541f..4d61063c259d 100644 --- a/drivers/usb/usbip/stub_rx.c +++ b/drivers/usb/usbip/stub_rx.c @@ -328,15 +328,15 @@ static int get_pipe(struct stub_device *sdev, int epnum, int dir) struct usb_host_endpoint *ep; struct usb_endpoint_descriptor *epd = NULL; + if (epnum < 0 || epnum > 15) + goto err_ret; + if (dir == USBIP_DIR_IN) ep = udev->ep_in[epnum & 0x7f]; else ep = udev->ep_out[epnum & 0x7f]; - if (!ep) { - dev_err(&sdev->udev->dev, "no such endpoint?, %d\n", - epnum); - BUG(); - } + if (!ep) + goto err_ret; epd = &ep->desc; if (usb_endpoint_xfer_control(epd)) { @@ -367,9 +367,10 @@ static int get_pipe(struct stub_device *sdev, int epnum, int dir) return usb_rcvisocpipe(udev, epnum); } +err_ret: /* NOT REACHED */ - dev_err(&sdev->udev->dev, "get pipe, epnum %d\n", epnum); - return 0; + dev_err(&sdev->udev->dev, "get pipe() invalid epnum %d\n", epnum); + return -1; } static void masking_bogus_flags(struct urb *urb) @@ -435,6 +436,9 @@ static void stub_recv_cmd_submit(struct stub_device *sdev, struct usb_device *udev = sdev->udev; int pipe = get_pipe(sdev, pdu->base.ep, pdu->base.direction); + if (pipe == -1) + return; + priv = stub_priv_alloc(sdev, pdu); if (!priv) return; -- 2.15.1

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] patch "USB: uas and storage: Add US_FL_BROKEN_FUA for another JMicron JMS567" added to usb-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled USB: uas and storage: Add US_FL_BROKEN_FUA for another JMicron JMS567 to my usb git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git in the usb-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. >From 62354454625741f0569c2cbe45b2d192f8fd258e Mon Sep 17 00:00:00 2001 From: David Kozub <zub(a)linux.fjfi.cvut.cz> Date: Tue, 5 Dec 2017 22:40:04 +0100 Subject: USB: uas and storage: Add US_FL_BROKEN_FUA for another JMicron JMS567 ID There is another JMS567-based USB3 UAS enclosure (152d:0578) that fails with the following error: [sda] tag#0 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE [sda] tag#0 Sense Key : Illegal Request [current] [sda] tag#0 Add. Sense: Invalid field in cdb The issue occurs both with UAS (occasionally) and mass storage (immediately after mounting a FS on a disk in the enclosure). Enabling US_FL_BROKEN_FUA quirk solves this issue. This patch adds an UNUSUAL_DEV with US_FL_BROKEN_FUA for the enclosure for both UAS and mass storage. Signed-off-by: David Kozub <zub(a)linux.fjfi.cvut.cz> Acked-by: Alan Stern <stern(a)rowland.harvard.edu> Cc: stable <stable(a)vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/usb/storage/unusual_devs.h | 7 +++++++ drivers/usb/storage/unusual_uas.h | 7 +++++++ 2 files changed, 14 insertions(+) diff --git a/drivers/usb/storage/unusual_devs.h b/drivers/usb/storage/unusual_devs.h index 2968046e7c05..f72d045ee9ef 100644 --- a/drivers/usb/storage/unusual_devs.h +++ b/drivers/usb/storage/unusual_devs.h @@ -2100,6 +2100,13 @@ UNUSUAL_DEV( 0x152d, 0x0567, 0x0114, 0x0116, USB_SC_DEVICE, USB_PR_DEVICE, NULL, US_FL_BROKEN_FUA ), +/* Reported by David Kozub <zub(a)linux.fjfi.cvut.cz> */ +UNUSUAL_DEV(0x152d, 0x0578, 0x0000, 0x9999, + "JMicron", + "JMS567", + USB_SC_DEVICE, USB_PR_DEVICE, NULL, + US_FL_BROKEN_FUA), + /* * Reported by Alexandre Oliva <oliva(a)lsd.ic.unicamp.br> * JMicron responds to USN and several other SCSI ioctls with a diff --git a/drivers/usb/storage/unusual_uas.h b/drivers/usb/storage/unusual_uas.h index d520374a824e..e6127fb21c12 100644 --- a/drivers/usb/storage/unusual_uas.h +++ b/drivers/usb/storage/unusual_uas.h @@ -129,6 +129,13 @@ UNUSUAL_DEV(0x152d, 0x0567, 0x0000, 0x9999, USB_SC_DEVICE, USB_PR_DEVICE, NULL, US_FL_BROKEN_FUA | US_FL_NO_REPORT_OPCODES), +/* Reported-by: David Kozub <zub(a)linux.fjfi.cvut.cz> */ +UNUSUAL_DEV(0x152d, 0x0578, 0x0000, 0x9999, + "JMicron", + "JMS567", + USB_SC_DEVICE, USB_PR_DEVICE, NULL, + US_FL_BROKEN_FUA), + /* Reported-by: Hans de Goede <hdegoede(a)redhat.com> */ UNUSUAL_DEV(0x2109, 0x0711, 0x0000, 0x9999, "VIA", -- 2.15.1

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] [PATCH RESEND] ASoC: wm_adsp: Fix validation of firmware and coeff lengths

by Ben Hutchings

The checks for whether another region/block header could be present are subtracting the size from the current offset. Obviously we should instead subtract the offset from the size. The checks for whether the region/block data fit in the file are adding the data size to the current offset and header size, without checking for integer overflow. Rearrange these so that overflow is impossible. Cc: stable(a)vger.kernel.org Signed-off-by: Ben Hutchings <ben.hutchings(a)codethink.co.uk> Acked-by: Charles Keepax <ckeepax(a)opensource.cirrus.com> Tested-by: Charles Keepax <ckeepax(a)opensource.cirrus.com> --- sound/soc/codecs/wm_adsp.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/sound/soc/codecs/wm_adsp.c b/sound/soc/codecs/wm_adsp.c index 65c059b5ffd7..66e32f5d2917 100644 --- a/sound/soc/codecs/wm_adsp.c +++ b/sound/soc/codecs/wm_adsp.c @@ -1733,7 +1733,7 @@ static int wm_adsp_load(struct wm_adsp *dsp) le64_to_cpu(footer->timestamp)); while (pos < firmware->size && - pos - firmware->size > sizeof(*region)) { + sizeof(*region) < firmware->size - pos) { region = (void *)&(firmware->data[pos]); region_name = "Unknown"; reg = 0; @@ -1782,8 +1782,8 @@ static int wm_adsp_load(struct wm_adsp *dsp) regions, le32_to_cpu(region->len), offset, region_name); - if ((pos + le32_to_cpu(region->len) + sizeof(*region)) > - firmware->size) { + if (le32_to_cpu(region->len) > + firmware->size - pos - sizeof(*region)) { adsp_err(dsp, "%s.%d: %s region len %d bytes exceeds file length %zu\n", file, regions, region_name, @@ -2253,7 +2253,7 @@ static int wm_adsp_load_coeff(struct wm_adsp *dsp) blocks = 0; while (pos < firmware->size && - pos - firmware->size > sizeof(*blk)) { + sizeof(*blk) < firmware->size - pos) { blk = (void *)(&firmware->data[pos]); type = le16_to_cpu(blk->type); @@ -2327,8 +2327,8 @@ static int wm_adsp_load_coeff(struct wm_adsp *dsp) } if (reg) { - if ((pos + le32_to_cpu(blk->len) + sizeof(*blk)) > - firmware->size) { + if (le32_to_cpu(blk->len) > + firmware->size - pos - sizeof(*blk)) { adsp_err(dsp, "%s.%d: %s region len %d bytes exceeds file length %zu\n", file, blocks, region_name, -- 2.15.0.rc0

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] [PATCH 2/2] usb: xhci: fix TDS for MTK xHCI1.1

by Mathias Nyman

From: Chunfeng Yun <chunfeng.yun(a)mediatek.com> For MTK's xHCI 1.0 or latter, TD size is the number of max packet sized packets remaining in the TD, not including this TRB (following spec). For MTK's xHCI 0.96 and older, TD size is the number of max packet sized packets remaining in the TD, including this TRB (not following spec). Cc: stable <stable(a)vger.kernel.org> Signed-off-by: Chunfeng Yun <chunfeng.yun(a)mediatek.com> Signed-off-by: Mathias Nyman <mathias.nyman(a)linux.intel.com> --- drivers/usb/host/xhci-ring.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c index 6eb87c6..c5cbc68 100644 --- a/drivers/usb/host/xhci-ring.c +++ b/drivers/usb/host/xhci-ring.c @@ -3112,7 +3112,7 @@ static u32 xhci_td_remainder(struct xhci_hcd *xhci, int transferred, { u32 maxp, total_packet_count; - /* MTK xHCI is mostly 0.97 but contains some features from 1.0 */ + /* MTK xHCI 0.96 contains some features from 1.0 */ if (xhci->hci_version < 0x100 && !(xhci->quirks & XHCI_MTK_HOST)) return ((td_total_len - transferred) >> 10); @@ -3121,8 +3121,8 @@ static u32 xhci_td_remainder(struct xhci_hcd *xhci, int transferred, trb_buff_len == td_total_len) return 0; - /* for MTK xHCI, TD size doesn't include this TRB */ - if (xhci->quirks & XHCI_MTK_HOST) + /* for MTK xHCI 0.96, TD size include this TRB, but not in 1.x */ + if ((xhci->quirks & XHCI_MTK_HOST) && (xhci->hci_version < 0x100)) trb_buff_len = 0; maxp = usb_endpoint_maxp(&urb->ep->desc); -- 2.7.4

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] [PATCH 1/2] xhci: Don't add a virt_dev to the devs array before it's fully allocated

by Mathias Nyman

Avoid null pointer dereference if some function is walking through the devs array accessing members of a new virt_dev that is mid allocation. Add the virt_dev to xhci->devs[i] _after_ the virt_device and all its members are properly allocated. issue found by KASAN: null-ptr-deref in xhci_find_slot_id_by_port "Quick analysis suggests that xhci_alloc_virt_device() is not mutex protected. If so, there is a time frame where xhci->devs[slot_id] is set but not fully initialized. Specifically, xhci->devs[i]->udev can be NULL." Cc: stable <stable(a)vger.kernel.org> Signed-off-by: Mathias Nyman <mathias.nyman(a)linux.intel.com> --- drivers/usb/host/xhci-mem.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c index 15f7d42..3a29b32 100644 --- a/drivers/usb/host/xhci-mem.c +++ b/drivers/usb/host/xhci-mem.c @@ -971,10 +971,9 @@ int xhci_alloc_virt_device(struct xhci_hcd *xhci, int slot_id, return 0; } - xhci->devs[slot_id] = kzalloc(sizeof(*xhci->devs[slot_id]), flags); - if (!xhci->devs[slot_id]) + dev = kzalloc(sizeof(*dev), flags); + if (!dev) return 0; - dev = xhci->devs[slot_id]; /* Allocate the (output) device context that will be used in the HC. */ dev->out_ctx = xhci_alloc_container_ctx(xhci, XHCI_CTX_TYPE_DEVICE, flags); @@ -1015,9 +1014,17 @@ int xhci_alloc_virt_device(struct xhci_hcd *xhci, int slot_id, trace_xhci_alloc_virt_device(dev); + xhci->devs[slot_id] = dev; + return 1; fail: - xhci_free_virt_device(xhci, slot_id); + + if (dev->in_ctx) + xhci_free_container_ctx(xhci, dev->in_ctx); + if (dev->out_ctx) + xhci_free_container_ctx(xhci, dev->out_ctx); + kfree(dev); + return 0; } -- 2.7.4

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] [PATCH 6/6] can: peak/pcie_fd: fix potential bug in restarting tx queue

by Marc Kleine-Budde

From: Stephane Grosjean <s.grosjean(a)peak-system.com> Don't rely on can_get_echo_skb() return value to wake the network tx queue up: can_get_echo_skb() returns 0 if the echo array slot was not occupied, but also when the DLC of the released echo frame was 0. Signed-off-by: Stephane Grosjean <s.grosjean(a)peak-system.com> Cc: linux-stable <stable(a)vger.kernel.org> Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> --- drivers/net/can/peak_canfd/peak_canfd.c | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/drivers/net/can/peak_canfd/peak_canfd.c b/drivers/net/can/peak_canfd/peak_canfd.c index 85268be0c913..55513411a82e 100644 --- a/drivers/net/can/peak_canfd/peak_canfd.c +++ b/drivers/net/can/peak_canfd/peak_canfd.c @@ -258,21 +258,18 @@ static int pucan_handle_can_rx(struct peak_canfd_priv *priv, /* if this frame is an echo, */ if ((rx_msg_flags & PUCAN_MSG_LOOPED_BACK) && !(rx_msg_flags & PUCAN_MSG_SELF_RECEIVE)) { - int n; unsigned long flags; spin_lock_irqsave(&priv->echo_lock, flags); - n = can_get_echo_skb(priv->ndev, msg->client); + can_get_echo_skb(priv->ndev, msg->client); spin_unlock_irqrestore(&priv->echo_lock, flags); /* count bytes of the echo instead of skb */ stats->tx_bytes += cf_len; stats->tx_packets++; - if (n) { - /* restart tx queue only if a slot is free */ - netif_wake_queue(priv->ndev); - } + /* restart tx queue (a slot is free) */ + netif_wake_queue(priv->ndev); return 0; } -- 2.15.0

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] [PATCH 5/6] can: usb_8dev: cancel urb on -EPIPE and -EPROTO

by Marc Kleine-Budde

From: Martin Kelly <mkelly(a)xevo.com> In mcba_usb, we have observed that when you unplug the device, the driver will endlessly resubmit failing URBs, which can cause CPU stalls. This issue is fixed in mcba_usb by catching the codes seen on device disconnect (-EPIPE and -EPROTO). This driver also resubmits in the case of -EPIPE and -EPROTO, so fix it in the same way. Signed-off-by: Martin Kelly <mkelly(a)xevo.com> Cc: linux-stable <stable(a)vger.kernel.org> Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> --- drivers/net/can/usb/usb_8dev.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/net/can/usb/usb_8dev.c b/drivers/net/can/usb/usb_8dev.c index d000cb62d6ae..27861c417c94 100644 --- a/drivers/net/can/usb/usb_8dev.c +++ b/drivers/net/can/usb/usb_8dev.c @@ -524,6 +524,8 @@ static void usb_8dev_read_bulk_callback(struct urb *urb) break; case -ENOENT: + case -EPIPE: + case -EPROTO: case -ESHUTDOWN: return; -- 2.15.0

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] [PATCH 4/6] can: kvaser_usb: cancel urb on -EPIPE and -EPROTO

by Marc Kleine-Budde

From: Martin Kelly <mkelly(a)xevo.com> In mcba_usb, we have observed that when you unplug the device, the driver will endlessly resubmit failing URBs, which can cause CPU stalls. This issue is fixed in mcba_usb by catching the codes seen on device disconnect (-EPIPE and -EPROTO). This driver also resubmits in the case of -EPIPE and -EPROTO, so fix it in the same way. Signed-off-by: Martin Kelly <mkelly(a)xevo.com> Cc: linux-stable <stable(a)vger.kernel.org> Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> --- drivers/net/can/usb/kvaser_usb.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/net/can/usb/kvaser_usb.c b/drivers/net/can/usb/kvaser_usb.c index f95945915d20..63587b8e6825 100644 --- a/drivers/net/can/usb/kvaser_usb.c +++ b/drivers/net/can/usb/kvaser_usb.c @@ -1326,6 +1326,8 @@ static void kvaser_usb_read_bulk_callback(struct urb *urb) case 0: break; case -ENOENT: + case -EPIPE: + case -EPROTO: case -ESHUTDOWN: return; default: -- 2.15.0

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] [PATCH 3/6] can: esd_usb2: cancel urb on -EPIPE and -EPROTO

by Marc Kleine-Budde

From: Martin Kelly <mkelly(a)xevo.com> In mcba_usb, we have observed that when you unplug the device, the driver will endlessly resubmit failing URBs, which can cause CPU stalls. This issue is fixed in mcba_usb by catching the codes seen on device disconnect (-EPIPE and -EPROTO). This driver also resubmits in the case of -EPIPE and -EPROTO, so fix it in the same way. Signed-off-by: Martin Kelly <mkelly(a)xevo.com> Cc: linux-stable <stable(a)vger.kernel.org> Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> --- drivers/net/can/usb/esd_usb2.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/net/can/usb/esd_usb2.c b/drivers/net/can/usb/esd_usb2.c index 9fdb0f0bfa06..c6dcf93675c0 100644 --- a/drivers/net/can/usb/esd_usb2.c +++ b/drivers/net/can/usb/esd_usb2.c @@ -393,6 +393,8 @@ static void esd_usb2_read_bulk_callback(struct urb *urb) break; case -ENOENT: + case -EPIPE: + case -EPROTO: case -ESHUTDOWN: return; -- 2.15.0

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] [PATCH 2/6] can: ems_usb: cancel urb on -EPIPE and -EPROTO

by Marc Kleine-Budde

From: Martin Kelly <mkelly(a)xevo.com> In mcba_usb, we have observed that when you unplug the device, the driver will endlessly resubmit failing URBs, which can cause CPU stalls. This issue is fixed in mcba_usb by catching the codes seen on device disconnect (-EPIPE and -EPROTO). This driver also resubmits in the case of -EPIPE and -EPROTO, so fix it in the same way. Signed-off-by: Martin Kelly <mkelly(a)xevo.com> Cc: linux-stable <stable(a)vger.kernel.org> Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> --- drivers/net/can/usb/ems_usb.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/net/can/usb/ems_usb.c b/drivers/net/can/usb/ems_usb.c index b3d02759c226..b00358297424 100644 --- a/drivers/net/can/usb/ems_usb.c +++ b/drivers/net/can/usb/ems_usb.c @@ -288,6 +288,8 @@ static void ems_usb_read_interrupt_callback(struct urb *urb) case -ECONNRESET: /* unlink */ case -ENOENT: + case -EPIPE: + case -EPROTO: case -ESHUTDOWN: return; -- 2.15.0

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] [PATCH 1/6] can: mcba_usb: cancel urb on -EPROTO

by Marc Kleine-Budde

From: Martin Kelly <mkelly(a)xevo.com> When we unplug the device, we can see both -EPIPE and -EPROTO depending on exact timing and what system we run on. If we continue to resubmit URBs, they will immediately fail, and they can cause stalls, especially on slower CPUs. Fix this by not resubmitting on -EPROTO, as we already do on -EPIPE. Signed-off-by: Martin Kelly <mkelly(a)xevo.com> Cc: linux-stable <stable(a)vger.kernel.org> Signed-off-by: Marc Kleine-Budde <mkl(a)pengutronix.de> --- drivers/net/can/usb/mcba_usb.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/net/can/usb/mcba_usb.c b/drivers/net/can/usb/mcba_usb.c index ef417dcddbf7..8d8c2086424d 100644 --- a/drivers/net/can/usb/mcba_usb.c +++ b/drivers/net/can/usb/mcba_usb.c @@ -593,6 +593,7 @@ static void mcba_usb_read_bulk_callback(struct urb *urb) case -ENOENT: case -EPIPE: + case -EPROTO: case -ESHUTDOWN: return; -- 2.15.0

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] [PATCH v3 3/4] x86/xen: fix boot loader version reported for pvh guests

by Juergen Gross

The boot loader version reported via sysfs is wrong in case of the kernel being booted via the Xen PVH boot entry. it should be 2.12 (0x020c), but it is reported to be 2.18 (0x0212). As the current way to set the version is error prone use the more readable variant (2 << 8) | 12. Cc: <stable(a)vger.kernel.org> # 4.12 Signed-off-by: Juergen Gross <jgross(a)suse.com> --- arch/x86/xen/enlighten_pvh.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/x86/xen/enlighten_pvh.c b/arch/x86/xen/enlighten_pvh.c index 436c4f003e17..6e6430cb5e3f 100644 --- a/arch/x86/xen/enlighten_pvh.c +++ b/arch/x86/xen/enlighten_pvh.c @@ -69,7 +69,7 @@ static void __init init_pvh_bootparams(void) * Version 2.12 supports Xen entry point but we will use default x86/PC * environment (i.e. hardware_subarch 0). */ - pvh_bootparams.hdr.version = 0x212; + pvh_bootparams.hdr.version = (2 << 8) | 12; pvh_bootparams.hdr.type_of_loader = (9 << 4) | 0; /* Xen loader */ } -- 2.12.3

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] [PATCH 4.9 000/109] 4.9.68-stable review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 4.9.68 release. There are 109 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sat Dec 9 12:56:03 UTC 2017. Anything received after that time might be too late. The whole patch series can be found in one patch at: kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.68-rc1.gz or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.9.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 4.9.68-rc1 Colin Ian King <colin.king(a)canonical.com> usb: host: fix incorrect updating of offset Oliver Neukum <oneukum(a)suse.com> USB: usbfs: Filter flags passed in from user space Dan Carpenter <dan.carpenter(a)oracle.com> USB: devio: Prevent integer overflow in proc_do_submiturb() Mateusz Berezecki <mateuszb(a)fastmail.fm> USB: Increase usbfs transfer limit Masakazu Mokuno <masakazu.mokuno(a)gmail.com> USB: core: Add type-specific length check of BOS descriptors Yu Chen <chenyu56(a)huawei.com> usb: xhci: fix panic in xhci_free_virt_devices_depth_first Mike Looijmans <mike.looijmans(a)topic.nl> usb: hub: Cycle HUB power when initialization fails Daniel Vetter <daniel.vetter(a)ffwll.ch> dma-buf: Update kerneldoc for sync_file_create Gustavo Padovan <gustavo.padovan(a)collabora.co.uk> dma-buf/sync_file: hold reference to fence when creating sync_file Dominik Behr <dbehr(a)chromium.org> dma-buf/sw_sync: force signal all unsignaled fences on dying timeline Chris Wilson <chris(a)chris-wilson.co.uk> dma-fence: Introduce drm_fence_set_error() helper Chris Wilson <chris(a)chris-wilson.co.uk> dma-fence: Wrap querying the fence->status Chris Wilson <chris(a)chris-wilson.co.uk> dma-fence: Clear fence->status during dma_fence_init() Gustavo Padovan <gustavo.padovan(a)collabora.com> dma-buf/sw_sync: clean up list before signaling the fence Gustavo Padovan <gustavo.padovan(a)collabora.com> dma-buf/sw_sync: move timeline_fence_ops around Chris Wilson <chris(a)chris-wilson.co.uk> dma-buf/sw-sync: Use an rbtree to sort fences in the timeline Chris Wilson <chris(a)chris-wilson.co.uk> dma-buf/sw-sync: Fix locking around sync_timeline lists Chris Wilson <chris(a)chris-wilson.co.uk> dma-buf/sw-sync: sync_pt is private and of fixed size Chris Wilson <chris(a)chris-wilson.co.uk> dma-buf/sw-sync: Reduce irqsave/irqrestore from known context Chris Wilson <chris(a)chris-wilson.co.uk> dma-buf/sw-sync: Prevent user overflow on timeline advance Chris Wilson <chris(a)chris-wilson.co.uk> dma-buf/sw-sync: Fix the is-signaled test to handle u32 wraparound Chris Wilson <chris(a)chris-wilson.co.uk> dma-buf/dma-fence: Extract __dma_fence_is_later() Rui Sousa <rui.sousa(a)nxp.com> net: fec: fix multicast filtering hardware setup Mart van Santen <mart(a)greenhost.nl> xen-netback: vif counters from int/long to u64 Hans Verkuil <hverkuil(a)xs4all.nl> cec: initiator should be the same as the destination for, poll Ross Lagerwall <ross.lagerwall(a)citrix.com> xen-netfront: Improve error handling during initialization Jan Kara <jack(a)suse.cz> mm: avoid returning VM_FAULT_RETRY from ->page_mkwrite handlers Alexey Kardashevskiy <aik(a)ozlabs.ru> vfio/spapr: Fix missing mutex unlock when creating a window Ivan Vecera <cera(a)cera.cz> be2net: fix initial MAC setting Vincent <vincent.stehle(a)laposte.net> net: thunderx: avoid dereferencing xcv when NULL Sean Nyekjaer <sean.nyekjaer(a)prevas.dk> net: phy: micrel: KSZ8795 do not set SUPPORTED_[Asym_]Pause Andreas Schultz <aschultz(a)tpip.net> gtp: fix cross netns recv on gtp socket Andreas Schultz <aschultz(a)tpip.net> gtp: clear DF bit on GTP packet tx Sagi Grimberg <sagi(a)grimberg.me> nvmet: cancel fatal error and flush async work before free controller Mike Looijmans <mike.looijmans(a)topic.nl> i2c: i2c-cadence: Initialize configuration before probing devices Jason Baron <jbaron(a)akamai.com> tcp: correct memory barrier usage in tcp_check_space() Iago Abal <mail(a)iagoabal.eu> dmaengine: pl330: fix double lock Parthasarathy Bhuvaragan <parthasarathy.bhuvaragan(a)ericsson.com> tipc: fix cleanup at module unload Parthasarathy Bhuvaragan <parthasarathy.bhuvaragan(a)ericsson.com> tipc: fix nametbl_lock soft lockup at module exit Ram Amrani <Ram.Amrani(a)Cavium.com> RDMA/qedr: Fix RDMA CM loopback Ram Amrani <Ram.Amrani(a)Cavium.com> RDMA/qedr: Return success when not changing QP state Johannes Berg <johannes.berg(a)intel.com> mac80211: don't try to sleep in rate_control_rate_init() Xiangliang Yu <Xiangliang.Yu(a)amd.com> drm/amdgpu: fix unload driver issue for virtual display Kevin Hao <haokexin(a)gmail.com> x86/fpu: Set the xcomp_bv when we fake up a XSAVES area Colin Ian King <colin.king(a)canonical.com> net: sctp: fix array overrun read on sctp_timer_tbl Andrzej Hajda <a.hajda(a)samsung.com> drm/exynos/decon5433: set STANDALONE_UPDATE_F on output enablement Rex Zhu <Rex.Zhu(a)amd.com> drm/amdgpu: fix bug set incorrect value to vce register Quinn Tran <quinn.tran(a)cavium.com> qla2xxx: Fix wrong IOCB type assumption Reza Arbab <arbab(a)linux.vnet.ibm.com> powerpc/mm: Fix memory hotplug BUG() on radix Jiri Olsa <jolsa(a)kernel.org> perf/x86/intel: Account interrupts for PEBS errors Trond Myklebust <trond.myklebust(a)primarydata.com> NFSv4: Fix client recovery when server reboots multiple times Michal Kazior <michal.kazior(a)tieto.com> mac80211: prevent skb/txq mismatch Christoffer Dall <christoffer.dall(a)linaro.org> KVM: arm/arm64: Fix occasional warning from the timer work function Andrzej Hajda <a.hajda(a)samsung.com> drm/exynos/decon5433: set STANDALONE_UPDATE_F also if planes are disabled Andrzej Hajda <a.hajda(a)samsung.com> drm/exynos/decon5433: update shadow registers iff there are active windows Benjamin Coddington <bcodding(a)redhat.com> nfs: Don't take a reference on fl->fl_file for LOCK operation Kazuya Mizuguchi <kazuya.mizuguchi.ks(a)renesas.com> ravb: Remove Rx overflow log messages Johannes Berg <johannes.berg(a)intel.com> mac80211: calculate min channel width correctly Michal Hocko <mhocko(a)suse.com> mm: fix remote numa hits statistics Stephen Boyd <sboyd(a)codeaurora.org> net: qrtr: Mark 'buf' as little endian Eric W. Biederman <ebiederm(a)xmission.com> libfs: Modify mount_pseudo_xattr to be clear it is not a userspace mount Vlad Tsyrklevich <vlad(a)tsyrklevich.net> net/appletalk: Fix kernel memory disclosure Ivan Vecera <cera(a)cera.cz> be2net: fix unicast list filling Ivan Vecera <cera(a)cera.cz> be2net: fix accesses to unicast list David Forster <dforster(a)brocade.com> vti6: fix device register to report IFLA_INFO_KIND Peter Ujfalusi <peter.ujfalusi(a)ti.com> ARM: OMAP1: DMA: Correct the number of logical channels Adam Ford <aford173(a)gmail.com> ARM: OMAP2+: Fix WL1283 Bluetooth Baud Rate Florian Fainelli <f.fainelli(a)gmail.com> net: systemport: Pad packet before inserting TSB Florian Fainelli <f.fainelli(a)gmail.com> net: systemport: Utilize skb_put_padto() Varun Prakash <varun(a)chelsio.com> libcxgb: fix error check for ip6_route_output() Vincent Pelletier <plr.vincent(a)gmail.com> usb: gadget: f_fs: Fix ExtCompat descriptor validation M'boumba Cedric Madianga <cedric.madianga(a)gmail.com> dmaengine: stm32-dma: Fix null pointer dereference in stm32_dma_tx_status M'boumba Cedric Madianga <cedric.madianga(a)gmail.com> dmaengine: stm32-dma: Set correct args number for DMA request from DT Guillaume Nault <g.nault(a)alphalink.fr> l2tp: take remote address into account in l2tp_ip and l2tp_ip6 socket lookups Slava Shwartsman <slavash(a)mellanox.com> net/mlx4_en: Fix type mismatch for 32-bit systems Jan Kara <jack(a)suse.cz> dax: Avoid page invalidation races and unnecessary radix tree traversals Ladislav Michl <ladis(a)linux-mips.org> iio: adc: ti-ads1015: add 10% to conversion wait time Arnaldo Carvalho de Melo <acme(a)redhat.com> tools include: Do not use poison with C++ Masami Hiramatsu <mhiramat(a)kernel.org> kprobes/x86: Disable preemption in ftrace-based jprobes Thomas Richter <tmricht(a)linux.vnet.ibm.com> perf test attr: Fix ignored test case result Ben Hutchings <ben(a)decadent.org.uk> usbip: tools: Install all headers needed for libusbip development Jibin Xu <jibin.xu(a)windriver.com> sysrq : fix Show Regs call trace on ARM Gustavo A. R. Silva <garsilva(a)embeddedor.com> EDAC, sb_edac: Fix missing break in switch Dave Hansen <dave.hansen(a)linux.intel.com> x86/entry: Use SYSCALL_DEFINE() macros for sys_modify_ldt() Aaron Sierra <asierra(a)xes-inc.com> serial: 8250: Preserve DLD[7:4] for PORT_XR17V35X Alexey Khoroshilov <khoroshilov(a)ispras.ru> usb: phy: tahvo: fix error handling in tahvo_usb_probe() John Stultz <john.stultz(a)linaro.org> usb: dwc2: Error out of dwc2_hsotg_ep_disable() if we're in host mode John Stultz <john.stultz(a)linaro.org> usb: dwc2: Fix UDC state tracking Subhash Jadavani <subhashj(a)codeaurora.org> mmc: sdhci-msm: fix issue with power irq Johan Hovold <johan(a)kernel.org> spi: spi-axi: fix potential use-after-free after deregistration Hiromitsu Yamasaki <hiromitsu.yamasaki.ym(a)renesas.com> spi: sh-msiof: Fix DMA transfer size check Colin Ian King <colin.king(a)canonical.com> staging: rtl8188eu: avoid a null dereference on pmlmepriv Lukas Wunner <lukas(a)wunner.de> serial: 8250_fintek: Fix rs485 disablement on invalid ioctl() Greg Ungerer <gerg(a)linux-m68k.org> m68k: fix ColdFire node shift size calculation Bryan O'Donoghue <pure.logic(a)nexus-software.ie> staging: greybus: loopback: Fix iteration count on async path Andy Lutomirski <luto(a)kernel.org> selftests/x86/ldt_get: Add a few additional tests for limits Christian Borntraeger <borntraeger(a)de.ibm.com> s390/pci: do not require AIS facility Boshi Wang <wangboshi(a)huawei.com> ima: fix hash algorithm initialization Sebastian Sjoholm <ssjoholm(a)mac.com> USB: serial: option: add Quectel BG96 id Heiko Carstens <heiko.carstens(a)de.ibm.com> s390/runtime instrumentation: simplify task exit handling Matt Wilson <msw(a)amazon.com> serial: 8250_pci: Add Amazon PCI serial device ID Kai-Heng Feng <kai.heng.feng(a)canonical.com> usb: quirks: Add no-lpm quirk for KY-688 USB 3.1 Type-C Hub Hans de Goede <hdegoede(a)redhat.com> uas: Always apply US_FL_NO_ATA_1X quirk to Seagate devices Wang Nan <wangnan0(a)huawei.com> mm, oom_reaper: gather each vma to prevent leaking TLB entry Horia Geantă <horia.geanta(a)nxp.com> Revert "crypto: caam - get rid of tasklet" Stefan Agner <stefan(a)agner.ch> drm/fsl-dcu: enable IRQ before drm_atomic_helper_resume() Stefan Agner <stefan(a)agner.ch> drm/fsl-dcu: avoid disabling pixel clock twice on suspend Rui Hua <huarui.dev(a)gmail.com> bcache: recover data from backing when data is clean Coly Li <colyli(a)suse.de> bcache: only permit to recovery read error when cache device is clean ------------- Diffstat: Makefile | 4 +- arch/arm/mach-omap1/dma.c | 16 +- arch/arm/mach-omap2/pdata-quirks.c | 2 +- arch/m68k/mm/mcfmmu.c | 2 +- arch/powerpc/include/asm/book3s/64/hash.h | 4 + arch/powerpc/mm/hash_utils_64.c | 4 +- arch/powerpc/mm/pgtable-book3s64.c | 18 ++ arch/s390/include/asm/pci_insn.h | 2 +- arch/s390/include/asm/runtime_instr.h | 4 +- arch/s390/kernel/process.c | 3 +- arch/s390/kernel/runtime_instr.c | 30 +-- arch/s390/pci/pci.c | 5 +- arch/s390/pci/pci_insn.c | 6 +- arch/x86/events/intel/ds.c | 6 +- arch/x86/include/asm/syscalls.h | 2 +- arch/x86/kernel/fpu/xstate.c | 1 + arch/x86/kernel/kprobes/ftrace.c | 23 ++- arch/x86/kernel/ldt.c | 16 +- arch/x86/um/ldt.c | 7 +- drivers/crypto/caam/intern.h | 1 + drivers/crypto/caam/jr.c | 25 ++- drivers/dma-buf/fence.c | 26 +++ drivers/dma-buf/sw_sync.c | 211 +++++++++++++--------- drivers/dma-buf/sync_debug.c | 39 ++-- drivers/dma-buf/sync_debug.h | 27 ++- drivers/dma-buf/sync_file.c | 22 +-- drivers/dma/pl330.c | 19 +- drivers/dma/stm32-dma.c | 17 +- drivers/edac/sb_edac.c | 1 + drivers/gpu/drm/amd/amdgpu/dce_virtual.c | 5 +- drivers/gpu/drm/amd/amdgpu/vce_v3_0.c | 2 +- drivers/gpu/drm/exynos/exynos5433_drm_decon.c | 9 +- drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_drv.c | 3 +- drivers/i2c/busses/i2c-cadence.c | 8 +- drivers/iio/adc/ti-ads1015.c | 1 + drivers/infiniband/hw/qedr/qedr_cm.c | 4 +- drivers/infiniband/hw/qedr/verbs.c | 2 +- drivers/md/bcache/request.c | 9 +- drivers/mmc/host/sdhci-msm.c | 18 ++ drivers/net/appletalk/ipddp.c | 2 +- drivers/net/ethernet/broadcom/bcmsysport.c | 23 ++- drivers/net/ethernet/cavium/thunder/thunder_xcv.c | 3 +- drivers/net/ethernet/chelsio/libcxgb/libcxgb_cm.c | 12 +- drivers/net/ethernet/emulex/benet/be_main.c | 45 +++-- drivers/net/ethernet/freescale/fec_main.c | 23 +-- drivers/net/ethernet/mellanox/mlx4/en_clock.c | 8 +- drivers/net/ethernet/renesas/ravb_main.c | 8 +- drivers/net/gtp.c | 12 +- drivers/net/phy/micrel.c | 2 +- drivers/net/xen-netback/common.h | 8 +- drivers/net/xen-netback/interface.c | 8 +- drivers/net/xen-netfront.c | 29 ++- drivers/nvme/target/core.c | 3 + drivers/scsi/qla2xxx/qla_target.c | 8 +- drivers/spi/spi-axi-spi-engine.c | 4 +- drivers/spi/spi-sh-msiof.c | 2 +- drivers/staging/greybus/loopback.c | 4 +- drivers/staging/lustre/lustre/llite/llite_mmap.c | 4 +- drivers/staging/media/cec/cec-adap.c | 7 +- drivers/staging/rtl8188eu/core/rtw_mlme.c | 6 +- drivers/tty/serial/8250/8250_fintek.c | 2 +- drivers/tty/serial/8250/8250_pci.c | 3 + drivers/tty/serial/8250/8250_port.c | 5 +- drivers/tty/sysrq.c | 9 +- drivers/usb/core/config.c | 28 ++- drivers/usb/core/devio.c | 56 +++--- drivers/usb/core/hub.c | 9 + drivers/usb/core/quirks.c | 3 + drivers/usb/dwc2/gadget.c | 7 + drivers/usb/gadget/function/f_fs.c | 2 +- drivers/usb/host/ehci-dbg.c | 2 +- drivers/usb/host/xhci-mem.c | 7 + drivers/usb/phy/phy-tahvo.c | 3 +- drivers/usb/serial/option.c | 3 + drivers/usb/storage/uas-detect.h | 4 + drivers/vfio/vfio_iommu_spapr_tce.c | 11 +- fs/dax.c | 28 ++- fs/libfs.c | 3 +- fs/nfs/nfs4proc.c | 3 - fs/nfs/nfs4state.c | 1 - include/linux/buffer_head.h | 4 +- include/linux/fence.h | 67 ++++++- include/linux/perf_event.h | 1 + include/uapi/linux/usb/ch9.h | 3 + kernel/events/core.c | 47 +++-- mm/oom_kill.c | 7 +- mm/page_alloc.c | 15 +- net/ipv4/tcp_input.c | 2 +- net/ipv6/ip6_vti.c | 2 +- net/l2tp/l2tp_ip.c | 19 +- net/l2tp/l2tp_ip6.c | 20 +- net/mac80211/chan.c | 3 - net/mac80211/tx.c | 17 +- net/qrtr/qrtr.c | 4 +- net/sctp/debug.c | 2 +- net/tipc/server.c | 20 +- security/integrity/ima/ima_main.c | 4 + tools/include/linux/poison.h | 5 + tools/perf/tests/attr.c | 2 +- tools/testing/selftests/x86/ldt_gdt.c | 17 +- tools/usb/usbip/Makefile.am | 3 +- virt/kvm/arm/arch_timer.c | 3 - 102 files changed, 759 insertions(+), 522 deletions(-)

7 years, 9 months

8
119
0 0

Re: [Linux-stable-mirror] URGENT PLEASE

by Office Contact

7 years, 9 months

1
0
0 0

Re: [Linux-stable-mirror] [PATCH 1/2] ARM: BUG if jumping to usermode address in kernel mode

by Alex Shi

CC GregKH, since this patch would better to get to stable kernel. This patch also expose a qemu issue which fixed by upstream commit: 3aaf33bebda8d4ffcc0f ARM: avoid faulting on qemu Both of patches are tested in linaro's kernelci and LKFT on stable kernel 4.4/4.9/4.14, no regressions. The lts 3.18 isn't applicable for this patches. Regards Alex On 11/25/2017 07:33 PM, Russell King wrote: > Detect if we are returning to usermode via the normal kernel exit paths > but the saved PSR value indicates that we are in kernel mode. This > could occur due to corrupted stack state, which has been observed with > "ftracetest". > > This ensures that we catch the problem case before we get to user code. > > Signed-off-by: Russell King <rmk+kernel(a)armlinux.org.uk> > --- > arch/arm/include/asm/assembler.h | 18 ++++++++++++++++++ > arch/arm/kernel/entry-header.S | 6 ++++++ > 2 files changed, 24 insertions(+) > > diff --git a/arch/arm/include/asm/assembler.h b/arch/arm/include/asm/assembler.h > index ad301f107dd2..bc8d4bbd82e2 100644 > --- a/arch/arm/include/asm/assembler.h > +++ b/arch/arm/include/asm/assembler.h > @@ -518,4 +518,22 @@ THUMB( orr \reg , \reg , #PSR_T_BIT ) > #endif > .endm > > + .macro bug, msg, line > +#ifdef CONFIG_THUMB2_KERNEL > +1: .inst 0xde02 > +#else > +1: .inst 0xe7f001f2 > +#endif > +#ifdef CONFIG_DEBUG_BUGVERBOSE > + .pushsection .rodata.str, "aMS", %progbits, 1 > +2: .asciz "\msg" > + .popsection > + .pushsection __bug_table, "aw" > + .align 2 > + .word 1b, 2b > + .hword \line > + .popsection > +#endif > + .endm > + > #endif /* __ASM_ASSEMBLER_H__ */ > diff --git a/arch/arm/kernel/entry-header.S b/arch/arm/kernel/entry-header.S > index d523cd8439a3..7f4d80c2db6b 100644 > --- a/arch/arm/kernel/entry-header.S > +++ b/arch/arm/kernel/entry-header.S > @@ -300,6 +300,8 @@ > mov r2, sp > ldr r1, [r2, #\offset + S_PSR] @ get calling cpsr > ldr lr, [r2, #\offset + S_PC]! @ get pc > + tst r1, #0xcf > + bne 1f > msr spsr_cxsf, r1 @ save in spsr_svc > #if defined(CONFIG_CPU_V6) || defined(CONFIG_CPU_32v6K) > @ We must avoid clrex due to Cortex-A15 erratum #830321 > @@ -314,6 +316,7 @@ > @ after ldm {}^ > add sp, sp, #\offset + PT_REGS_SIZE > movs pc, lr @ return & move spsr_svc into cpsr > +1: bug "Returning to usermode but unexpected PSR bits set?", \@ > #elif defined(CONFIG_CPU_V7M) > @ V7M restore. > @ Note that we don't need to do clrex here as clearing the local > @@ -329,6 +332,8 @@ > ldr r1, [sp, #\offset + S_PSR] @ get calling cpsr > ldr lr, [sp, #\offset + S_PC] @ get pc > add sp, sp, #\offset + S_SP > + tst r1, #0xcf > + bne 1f > msr spsr_cxsf, r1 @ save in spsr_svc > > @ We must avoid clrex due to Cortex-A15 erratum #830321 > @@ -341,6 +346,7 @@ > .endif > add sp, sp, #PT_REGS_SIZE - S_SP > movs pc, lr @ return & move spsr_svc into cpsr > +1: bug "Returning to usermode but unexpected PSR bits set?", \@ > #endif /* !CONFIG_THUMB2_KERNEL */ > .endm > >

7 years, 9 months

2
1
0 0

[Linux-stable-mirror] [PATCH] libnvdimm, dax: fix 1GB-aligned namespaces vs physical misalignment

by Dan Williams

The following namespace configuration attempt: # ndctl create-namespace -e namespace0.0 -m devdax -a 1G -f libndctl: ndctl_dax_enable: dax0.1: failed to enable Error: namespace0.0: failed to enable failed to reconfigure namespace: No such device or address ...fails when the backing memory range is not physically aligned to 1G: # cat /proc/iomem | grep Persistent 210000000-30fffffff : Persistent Memory (legacy) In the above example the 4G persistent memory range starts and ends on a 256MB boundary. We handle this case correctly when needing to handle cases that violate section alignment (128MB) collisions against "System RAM", and we simply need to extend that padding/truncation for the 1GB alignment use case. Cc: <stable(a)vger.kernel.org> Fixes: 315c562536c4 ("libnvdimm, pfn: add 'align' attribute...") Reported-and-tested-by: Jane Chu <jane.chu(a)oracle.com> Signed-off-by: Dan Williams <dan.j.williams(a)intel.com> --- drivers/nvdimm/pfn_devs.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/drivers/nvdimm/pfn_devs.c b/drivers/nvdimm/pfn_devs.c index 65cc171c721d..5ba9ab7af736 100644 --- a/drivers/nvdimm/pfn_devs.c +++ b/drivers/nvdimm/pfn_devs.c @@ -582,6 +582,12 @@ static struct vmem_altmap *__nvdimm_setup_pfn(struct nd_pfn *nd_pfn, return altmap; } +static u64 phys_pmem_align_down(struct nd_pfn *nd_pfn, u64 phys) +{ + return min_t(u64, PHYS_SECTION_ALIGN_DOWN(phys), + ALIGN_DOWN(phys, nd_pfn->align)); +} + static int nd_pfn_init(struct nd_pfn *nd_pfn) { u32 dax_label_reserve = is_nd_dax(&nd_pfn->dev) ? SZ_128K : 0; @@ -637,13 +643,16 @@ static int nd_pfn_init(struct nd_pfn *nd_pfn) start = nsio->res.start; size = PHYS_SECTION_ALIGN_UP(start + size) - start; if (region_intersects(start, size, IORESOURCE_SYSTEM_RAM, - IORES_DESC_NONE) == REGION_MIXED) { + IORES_DESC_NONE) == REGION_MIXED + || !IS_ALIGNED(start + resource_size(&nsio->res), + nd_pfn->align)) { size = resource_size(&nsio->res); - end_trunc = start + size - PHYS_SECTION_ALIGN_DOWN(start + size); + end_trunc = start + size - phys_pmem_align_down(nd_pfn, + start + size); } if (start_pad + end_trunc) - dev_info(&nd_pfn->dev, "%s section collision, truncate %d bytes\n", + dev_info(&nd_pfn->dev, "%s alignment collision, truncate %d bytes\n", dev_name(&ndns->dev), start_pad + end_trunc); /*

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] [PATCH 3.18 00/26] 3.18.87-stable review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 3.18.87 release. There are 26 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sat Dec 9 12:46:34 UTC 2017. Anything received after that time might be too late. The whole patch series can be found in one patch at: kernel.org/pub/linux/kernel/v3.x/stable-review/patch-3.18.87-rc1.gz or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-3.18.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 3.18.87-rc1 Colin Ian King <colin.king(a)canonical.com> usb: host: fix incorrect updating of offset Oliver Neukum <oneukum(a)suse.com> USB: usbfs: Filter flags passed in from user space Dan Carpenter <dan.carpenter(a)oracle.com> USB: devio: Prevent integer overflow in proc_do_submiturb() Mateusz Berezecki <mateuszb(a)fastmail.fm> USB: Increase usbfs transfer limit Mike Looijmans <mike.looijmans(a)topic.nl> usb: hub: Cycle HUB power when initialization fails Matt Wilson <msw(a)amazon.com> serial: 8250_pci: Add Amazon PCI serial device ID Kai-Heng Feng <kai.heng.feng(a)canonical.com> usb: quirks: Add no-lpm quirk for KY-688 USB 3.1 Type-C Hub Hans de Goede <hdegoede(a)redhat.com> uas: Always apply US_FL_NO_ATA_1X quirk to Seagate devices Boshi Wang <wangboshi(a)huawei.com> ima: fix hash algorithm initialization Rui Sousa <rui.sousa(a)nxp.com> net: fec: fix multicast filtering hardware setup Jan Kara <jack(a)suse.cz> mm: avoid returning VM_FAULT_RETRY from ->page_mkwrite handlers Parthasarathy Bhuvaragan <parthasarathy.bhuvaragan(a)ericsson.com> tipc: fix cleanup at module unload Colin Ian King <colin.king(a)canonical.com> net: sctp: fix array overrun read on sctp_timer_tbl Trond Myklebust <trond.myklebust(a)primarydata.com> NFSv4: Fix client recovery when server reboots multiple times Benjamin Coddington <bcodding(a)redhat.com> nfs: Don't take a reference on fl->fl_file for LOCK operation Vlad Tsyrklevich <vlad(a)tsyrklevich.net> net/appletalk: Fix kernel memory disclosure David Forster <dforster(a)brocade.com> vti6: fix device register to report IFLA_INFO_KIND Peter Ujfalusi <peter.ujfalusi(a)ti.com> ARM: OMAP1: DMA: Correct the number of logical channels Thomas Richter <tmricht(a)linux.vnet.ibm.com> perf test attr: Fix ignored test case result Ben Hutchings <ben(a)decadent.org.uk> usbip: tools: Install all headers needed for libusbip development Jibin Xu <jibin.xu(a)windriver.com> sysrq : fix Show Regs call trace on ARM Gustavo A. R. Silva <garsilva(a)embeddedor.com> EDAC, sb_edac: Fix missing break in switch Hiromitsu Yamasaki <hiromitsu.yamasaki.ym(a)renesas.com> spi: sh-msiof: Fix DMA transfer size check Lukas Wunner <lukas(a)wunner.de> serial: 8250_fintek: Fix rs485 disablement on invalid ioctl() Rui Hua <huarui.dev(a)gmail.com> bcache: recover data from backing when data is clean Coly Li <colyli(a)suse.de> bcache: only permit to recovery read error when cache device is clean ------------- Diffstat: Makefile | 4 +- arch/arm/mach-omap1/dma.c | 16 +++---- drivers/edac/sb_edac.c | 1 + drivers/md/bcache/request.c | 9 +++- drivers/net/appletalk/ipddp.c | 2 +- drivers/net/ethernet/freescale/fec_main.c | 23 ++++------ drivers/spi/spi-sh-msiof.c | 2 +- drivers/staging/lustre/lustre/llite/llite_mmap.c | 4 +- drivers/tty/serial/8250/8250_fintek.c | 2 +- drivers/tty/serial/8250/8250_pci.c | 3 ++ drivers/tty/sysrq.c | 9 +++- drivers/usb/core/devio.c | 56 ++++++++++++------------ drivers/usb/core/hub.c | 9 ++++ drivers/usb/core/quirks.c | 3 ++ drivers/usb/host/ehci-dbg.c | 2 +- drivers/usb/storage/uas-detect.h | 4 ++ fs/nfs/nfs4proc.c | 3 -- fs/nfs/nfs4state.c | 1 - include/linux/buffer_head.h | 4 +- net/ipv6/ip6_vti.c | 2 +- net/sctp/debug.c | 2 +- net/tipc/server.c | 4 +- security/integrity/ima/ima_main.c | 4 ++ tools/perf/tests/attr.c | 2 +- tools/usb/usbip/Makefile.am | 3 +- 25 files changed, 96 insertions(+), 78 deletions(-)

7 years, 9 months

3
28
0 0

Re: [Linux-stable-mirror] [PATCH AUTOSEL for 4.14 012/135] ASoC: cs42l56: Fix reset GPIO name in example DT binding

by alexander.levin＠verizon.com

On Thu, Dec 07, 2017 at 05:25:02PM +0000, Mark Brown wrote: >On Thu, Dec 07, 2017 at 03:45:32PM +0000, alexander.levin(a)verizon.com wrote: > >> The binding states the reset GPIO property shall be named >> "cirrus,gpio-nreset" and this is what the driver looks for, >> but the example uses "gpio-reset". Fix this here. > >We shouldn't be getting into adding completely new DT properties in >stable backports like this. Old kernels have the bindings they have. I thought that this one just adjust the example to match the code, and doesn't actually change anything? I was not sure how much we need it since it's not an actual code change, but I thought that this one should go in because it does change buggy example code in documentation that can be copy pasted somewhere. -- Thanks, Sasha

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] v4.1.47 build: 0 failures 35 warnings (v4.1.47)

by Build bot for Mark Brown

Tree/Branch: v4.1.47 Git describe: v4.1.47 Commit: c3f4bb14a2 Linux 4.1.47 Build Time: 73 min 57 sec Passed: 9 / 9 (100.00 %) Failed: 0 / 9 ( 0.00 %) Errors: 0 Warnings: 35 Section Mismatches: 1 ------------------------------------------------------------------------------- defconfigs with issues (other than build errors): 24 warnings 3 mismatches : arm64-allmodconfig 2 warnings 0 mismatches : arm-multi_v7_defconfig 23 warnings 0 mismatches : arm-allmodconfig 2 warnings 0 mismatches : arm-multi_v5_defconfig 6 warnings 0 mismatches : x86_64-defconfig ------------------------------------------------------------------------------- Warnings Summary: 35 8 ../include/linux/kernel.h:723:17: warning: comparison of distinct pointer types lacks a cast 5 ../include/linux/blkdev.h:624:26: warning: switch condition has boolean value [-Wswitch-bool] 2 ../sound/pci/oxygen/oxygen_mixer.c:91:43: warning: logical not is only applied to the left hand side of comparison [-Wlogical-not-parentheses] 2 ../include/linux/ftrace.h:671:36: warning: calling '__builtin_return_address' with a nonzero argument is unsafe [-Wframe-address] 2 ../drivers/scsi/qla2xxx/qla_target.c:3086:6: warning: format '%llu' expects argument of type 'long long unsigned int', but argument 8 has type 'uint32_t {aka unsigned int}' [-Wformat=] 2 ../drivers/scsi/qla2xxx/qla_target.c:3083:17: warning: unused variable 'se_cmd' [-Wunused-variable] 2 ../drivers/scsi/ips.c:210:2: warning: #warning "This driver has only been tested on the x86/ia64/x86_64 platforms" [-Wcpp] 2 ../drivers/scsi/be2iscsi/be_main.c:3168:18: warning: logical not is only applied to the left hand side of comparison [-Wlogical-not-parentheses] 2 ../drivers/media/platform/s3c-camif/camif-capture.c:134:10: warning: logical not is only applied to the left hand side of comparison [-Wlogical-not-parentheses] 2 ../drivers/media/platform/s3c-camif/camif-capture.c:118:10: warning: logical not is only applied to the left hand side of comparison [-Wlogical-not-parentheses] 2 ../drivers/ata/pata_hpt366.c:382:9: warning: assignment discards 'const' qualifier from pointer target type [-Wdiscarded-array-qualifiers] 2 ../drivers/ata/pata_hpt366.c:379:9: warning: assignment discards 'const' qualifier from pointer target type [-Wdiscarded-array-qualifiers] 2 ../drivers/ata/pata_hpt366.c:376:9: warning: assignment discards 'const' qualifier from pointer target type [-Wdiscarded-array-qualifiers] 1 ../include/trace/ftrace.h:28:0: warning: "TRACE_SYSTEM_STRING" redefined 1 ../drivers/xen/swiotlb-xen.c:704:27: warning: passing argument 6 of '__generic_dma_ops(dev)->mmap' makes pointer from integer without a cast [-Wint-conversion] 1 ../drivers/usb/renesas_usbhs/common.c:492:25: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast] 1 ../drivers/rtc/rtc-pcf8563.c:444:5: warning: 'alm_pending' may be used uninitialized in this function [-Wmaybe-uninitialized] 1 ../drivers/rtc/rtc-armada38x.c:91:22: warning: unused variable 'flags' [-Wunused-variable] 1 ../drivers/net/wireless/brcm80211/brcmfmac/fwsignal.c:1478:8: warning: 'skb' may be used uninitialized in this function [-Wmaybe-uninitialized] 1 ../drivers/net/ethernet/dec/tulip/winbond-840.c:910:2: warning: #warning Processor architecture undefined [-Wcpp] 1 ../drivers/net/ethernet/dec/tulip/tulip_core.c:101:2: warning: #warning Processor architecture undefined! [-Wcpp] 1 ../drivers/mmc/host/sh_mmcif.c:402:4: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast] 1 ../drivers/mmc/host/sh_mmcif.c:401:4: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast] 1 ../drivers/media/platform/coda/./trace.h:12:0: warning: "TRACE_SYSTEM_STRING" redefined 1 ../drivers/iommu/intel-iommu.c:3798:5: warning: suggest explicit braces to avoid ambiguous 'else' [-Wparentheses] 1 ../drivers/iommu/dmar.c:1849:5: warning: suggest explicit braces to avoid ambiguous 'else' [-Wparentheses] 1 ../drivers/infiniband/hw/qib/qib_qp.c:44:0: warning: "BITS_PER_PAGE" redefined 1 ../drivers/infiniband/hw/cxgb4/mem.c:147:20: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast] 1 ../drivers/hid/hid-input.c:1163:67: warning: logical not is only applied to the left hand side of comparison [-Wlogical-not-parentheses] 1 ../drivers/gpu/drm/nouveau/nvkm/engine/gr/ctxgm204.c:975:1: warning: the frame size of 1192 bytes is larger than 1024 bytes [-Wframe-larger-than=] 1 ../drivers/gpio/gpio-74xx-mmio.c:132:16: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast] 1 ../arch/x86/include/asm/msr.h:209:23: warning: right shift count >= width of type [-Wshift-count-overflow] 1 ../arch/arm64/xen/../../arm/xen/mm.c:183:10: warning: initialization from incompatible pointer type [-Wincompatible-pointer-types] 1 ../arch/arm/mach-cns3xxx/pcie.c:266:1: warning: the frame size of 1088 bytes is larger than 1024 bytes [-Wframe-larger-than=] 1 ../arch/arm/include/asm/cmpxchg.h:205:3: warning: value computed is not used [-Wunused-value] Section Mismatch Summary: 1 3 WARNING: drivers/staging/fsl-mc/bus/mc-bus-driver.o(.init.text+0x168): Section mismatch in reference from the function init_module() to the function .exit.text:dprc_driver_exit() =============================================================================== Detailed per-defconfig build reports below: ------------------------------------------------------------------------------- arm64-allmodconfig : PASS, 0 errors, 24 warnings, 3 section mismatches Warnings: ../arch/arm64/xen/../../arm/xen/mm.c:183:10: warning: initialization from incompatible pointer type [-Wincompatible-pointer-types] ../drivers/ata/pata_hpt366.c:376:9: warning: assignment discards 'const' qualifier from pointer target type [-Wdiscarded-array-qualifiers] ../drivers/ata/pata_hpt366.c:379:9: warning: assignment discards 'const' qualifier from pointer target type [-Wdiscarded-array-qualifiers] ../drivers/ata/pata_hpt366.c:382:9: warning: assignment discards 'const' qualifier from pointer target type [-Wdiscarded-array-qualifiers] ../sound/pci/oxygen/oxygen_mixer.c:91:43: warning: logical not is only applied to the left hand side of comparison [-Wlogical-not-parentheses] ../drivers/gpio/gpio-74xx-mmio.c:132:16: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast] ../drivers/infiniband/hw/qib/qib_qp.c:44:0: warning: "BITS_PER_PAGE" redefined ../drivers/mmc/host/sh_mmcif.c:401:4: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast] ../drivers/mmc/host/sh_mmcif.c:402:4: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast] ../include/linux/blkdev.h:624:26: warning: switch condition has boolean value [-Wswitch-bool] ../drivers/media/platform/s3c-camif/camif-capture.c:118:10: warning: logical not is only applied to the left hand side of comparison [-Wlogical-not-parentheses] ../drivers/media/platform/s3c-camif/camif-capture.c:134:10: warning: logical not is only applied to the left hand side of comparison [-Wlogical-not-parentheses] ../drivers/scsi/be2iscsi/be_main.c:3168:18: warning: logical not is only applied to the left hand side of comparison [-Wlogical-not-parentheses] ../drivers/net/ethernet/dec/tulip/winbond-840.c:910:2: warning: #warning Processor architecture undefined [-Wcpp] ../drivers/net/ethernet/dec/tulip/tulip_core.c:101:2: warning: #warning Processor architecture undefined! [-Wcpp] ../drivers/scsi/qla2xxx/qla_target.c:3086:6: warning: format '%llu' expects argument of type 'long long unsigned int', but argument 8 has type 'uint32_t {aka unsigned int}' [-Wformat=] ../drivers/scsi/qla2xxx/qla_target.c:3083:17: warning: unused variable 'se_cmd' [-Wunused-variable] ../include/linux/kernel.h:723:17: warning: comparison of distinct pointer types lacks a cast ../include/linux/kernel.h:723:17: warning: comparison of distinct pointer types lacks a cast ../include/linux/kernel.h:723:17: warning: comparison of distinct pointer types lacks a cast ../include/linux/kernel.h:723:17: warning: comparison of distinct pointer types lacks a cast ../drivers/scsi/ips.c:210:2: warning: #warning "This driver has only been tested on the x86/ia64/x86_64 platforms" [-Wcpp] ../drivers/usb/renesas_usbhs/common.c:492:25: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast] ../drivers/xen/swiotlb-xen.c:704:27: warning: passing argument 6 of '__generic_dma_ops(dev)->mmap' makes pointer from integer without a cast [-Wint-conversion] Section Mismatches: WARNING: drivers/staging/fsl-mc/bus/mc-bus-driver.o(.init.text+0x168): Section mismatch in reference from the function init_module() to the function .exit.text:dprc_driver_exit() WARNING: drivers/staging/fsl-mc/bus/mc-bus-driver.o(.init.text+0x168): Section mismatch in reference from the function init_module() to the function .exit.text:dprc_driver_exit() WARNING: drivers/staging/fsl-mc/bus/mc-bus-driver.o(.init.text+0x168): Section mismatch in reference from the function init_module() to the function .exit.text:dprc_driver_exit() ------------------------------------------------------------------------------- arm-multi_v7_defconfig : PASS, 0 errors, 2 warnings, 0 section mismatches Warnings: ../include/linux/blkdev.h:624:26: warning: switch condition has boolean value [-Wswitch-bool] ../drivers/net/wireless/brcm80211/brcmfmac/fwsignal.c:1478:8: warning: 'skb' may be used uninitialized in this function [-Wmaybe-uninitialized] ------------------------------------------------------------------------------- arm-allmodconfig : PASS, 0 errors, 23 warnings, 0 section mismatches Warnings: ../arch/arm/mach-cns3xxx/pcie.c:266:1: warning: the frame size of 1088 bytes is larger than 1024 bytes [-Wframe-larger-than=] ../drivers/ata/pata_hpt366.c:376:9: warning: assignment discards 'const' qualifier from pointer target type [-Wdiscarded-array-qualifiers] ../drivers/ata/pata_hpt366.c:379:9: warning: assignment discards 'const' qualifier from pointer target type [-Wdiscarded-array-qualifiers] ../drivers/ata/pata_hpt366.c:382:9: warning: assignment discards 'const' qualifier from pointer target type [-Wdiscarded-array-qualifiers] ../arch/arm/include/asm/cmpxchg.h:205:3: warning: value computed is not used [-Wunused-value] ../include/linux/blkdev.h:624:26: warning: switch condition has boolean value [-Wswitch-bool] ../sound/pci/oxygen/oxygen_mixer.c:91:43: warning: logical not is only applied to the left hand side of comparison [-Wlogical-not-parentheses] ../drivers/gpu/drm/nouveau/nvkm/engine/gr/ctxgm204.c:975:1: warning: the frame size of 1192 bytes is larger than 1024 bytes [-Wframe-larger-than=] ../drivers/infiniband/hw/cxgb4/mem.c:147:20: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast] ../include/linux/blkdev.h:624:26: warning: switch condition has boolean value [-Wswitch-bool] ../drivers/rtc/rtc-armada38x.c:91:22: warning: unused variable 'flags' [-Wunused-variable] ../drivers/scsi/be2iscsi/be_main.c:3168:18: warning: logical not is only applied to the left hand side of comparison [-Wlogical-not-parentheses] ../include/trace/ftrace.h:28:0: warning: "TRACE_SYSTEM_STRING" redefined ../drivers/media/platform/coda/./trace.h:12:0: warning: "TRACE_SYSTEM_STRING" redefined ../drivers/media/platform/s3c-camif/camif-capture.c:118:10: warning: logical not is only applied to the left hand side of comparison [-Wlogical-not-parentheses] ../drivers/media/platform/s3c-camif/camif-capture.c:134:10: warning: logical not is only applied to the left hand side of comparison [-Wlogical-not-parentheses] ../drivers/scsi/qla2xxx/qla_target.c:3086:6: warning: format '%llu' expects argument of type 'long long unsigned int', but argument 8 has type 'uint32_t {aka unsigned int}' [-Wformat=] ../drivers/scsi/qla2xxx/qla_target.c:3083:17: warning: unused variable 'se_cmd' [-Wunused-variable] ../drivers/scsi/ips.c:210:2: warning: #warning "This driver has only been tested on the x86/ia64/x86_64 platforms" [-Wcpp] ../include/linux/kernel.h:723:17: warning: comparison of distinct pointer types lacks a cast ../include/linux/kernel.h:723:17: warning: comparison of distinct pointer types lacks a cast ../include/linux/kernel.h:723:17: warning: comparison of distinct pointer types lacks a cast ../include/linux/kernel.h:723:17: warning: comparison of distinct pointer types lacks a cast ------------------------------------------------------------------------------- arm-multi_v5_defconfig : PASS, 0 errors, 2 warnings, 0 section mismatches Warnings: ../include/linux/blkdev.h:624:26: warning: switch condition has boolean value [-Wswitch-bool] ../drivers/rtc/rtc-pcf8563.c:444:5: warning: 'alm_pending' may be used uninitialized in this function [-Wmaybe-uninitialized] ------------------------------------------------------------------------------- x86_64-defconfig : PASS, 0 errors, 6 warnings, 0 section mismatches Warnings: ../include/linux/ftrace.h:671:36: warning: calling '__builtin_return_address' with a nonzero argument is unsafe [-Wframe-address] ../include/linux/ftrace.h:671:36: warning: calling '__builtin_return_address' with a nonzero argument is unsafe [-Wframe-address] ../arch/x86/include/asm/msr.h:209:23: warning: right shift count >= width of type [-Wshift-count-overflow] ../drivers/hid/hid-input.c:1163:67: warning: logical not is only applied to the left hand side of comparison [-Wlogical-not-parentheses] ../drivers/iommu/dmar.c:1849:5: warning: suggest explicit braces to avoid ambiguous 'else' [-Wparentheses] ../drivers/iommu/intel-iommu.c:3798:5: warning: suggest explicit braces to avoid ambiguous 'else' [-Wparentheses] ------------------------------------------------------------------------------- Passed with no errors, warnings or mismatches: x86_64-allnoconfig arm64-allnoconfig arm-allnoconfig arm64-defconfig

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] [PATCH v4 05/15] drm/sun4i: Fix error path handling

by Maxime Ripard

The commit 4c7f16d14a33 ("drm/sun4i: Fix TCON clock and regmap initialization sequence") moved a bunch of logic around, but forgot to update the gotos after the introduction of the err_free_dotclock label. It means that if we fail later that the one introduced in that commit, we'll just to the old label which isn't free the clock we created. This will result in a breakage as soon as someone tries to do something with that clock, since its resources will have been long reclaimed. Cc: <stable(a)vger.kernel.org> Fixes: 4c7f16d14a33 ("drm/sun4i: Fix TCON clock and regmap initialization sequence") Reviewed-by: Chen-Yu Tsai <wens(a)csie.org> Signed-off-by: Maxime Ripard <maxime.ripard(a)free-electrons.com> --- drivers/gpu/drm/sun4i/sun4i_tcon.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/gpu/drm/sun4i/sun4i_tcon.c b/drivers/gpu/drm/sun4i/sun4i_tcon.c index a1ed462c2430..ea056a3d2131 100644 --- a/drivers/gpu/drm/sun4i/sun4i_tcon.c +++ b/drivers/gpu/drm/sun4i/sun4i_tcon.c @@ -724,12 +724,12 @@ static int sun4i_tcon_bind(struct device *dev, struct device *master, if (IS_ERR(tcon->crtc)) { dev_err(dev, "Couldn't create our CRTC\n"); ret = PTR_ERR(tcon->crtc); - goto err_free_clocks; + goto err_free_dotclock; } ret = sun4i_rgb_init(drm, tcon); if (ret < 0) - goto err_free_clocks; + goto err_free_dotclock; if (tcon->quirks->needs_de_be_mux) { /* -- git-series 0.9.1

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] [PATCH AUTOSEL for 3.18 01/59] usb: phy: isp1301: Add OF device ID table

by alexander.levin＠verizon.com

From: Javier Martinez Canillas <javier(a)osg.samsung.com> [ Upstream commit fd567653bdb908009b650f079bfd4b63169e2ac4 ] The driver doesn't have a struct of_device_id table but supported devices are registered via Device Trees. This is working on the assumption that a I2C device registered via OF will always match a legacy I2C device ID and that the MODALIAS reported will always be of the form i2c:<device>. But this could change in the future so the correct approach is to have an OF device ID table if the devices are registered via OF. Signed-off-by: Javier Martinez Canillas <javier(a)osg.samsung.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Sasha Levin <alexander.levin(a)verizon.com> --- drivers/usb/phy/phy-isp1301.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/drivers/usb/phy/phy-isp1301.c b/drivers/usb/phy/phy-isp1301.c index 8a55b37d1a02..d2ed59a38354 100644 --- a/drivers/usb/phy/phy-isp1301.c +++ b/drivers/usb/phy/phy-isp1301.c @@ -32,6 +32,12 @@ static const struct i2c_device_id isp1301_id[] = { { } }; +static const struct of_device_id isp1301_of_match[] = { + {.compatible = "nxp,isp1301" }, + { }, +}; +MODULE_DEVICE_TABLE(of, isp1301_of_match); + static struct i2c_client *isp1301_i2c_client; static int __isp1301_write(struct isp1301 *isp, u8 reg, u8 value, u8 clear) @@ -129,6 +135,7 @@ static int isp1301_remove(struct i2c_client *client) static struct i2c_driver isp1301_driver = { .driver = { .name = DRV_NAME, + .of_match_table = of_match_ptr(isp1301_of_match), }, .probe = isp1301_probe, .remove = isp1301_remove, -- 2.11.0

7 years, 9 months

1
57
0 0

[Linux-stable-mirror] [PATCH AUTOSEL for 4.4 001/101] usb: phy: isp1301: Add OF device ID table

by alexander.levin＠verizon.com

From: Javier Martinez Canillas <javier(a)osg.samsung.com> [ Upstream commit fd567653bdb908009b650f079bfd4b63169e2ac4 ] The driver doesn't have a struct of_device_id table but supported devices are registered via Device Trees. This is working on the assumption that a I2C device registered via OF will always match a legacy I2C device ID and that the MODALIAS reported will always be of the form i2c:<device>. But this could change in the future so the correct approach is to have an OF device ID table if the devices are registered via OF. Signed-off-by: Javier Martinez Canillas <javier(a)osg.samsung.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Sasha Levin <alexander.levin(a)verizon.com> --- drivers/usb/phy/phy-isp1301.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/drivers/usb/phy/phy-isp1301.c b/drivers/usb/phy/phy-isp1301.c index db68156568e6..b3b33cf7ddf6 100644 --- a/drivers/usb/phy/phy-isp1301.c +++ b/drivers/usb/phy/phy-isp1301.c @@ -33,6 +33,12 @@ static const struct i2c_device_id isp1301_id[] = { }; MODULE_DEVICE_TABLE(i2c, isp1301_id); +static const struct of_device_id isp1301_of_match[] = { + {.compatible = "nxp,isp1301" }, + { }, +}; +MODULE_DEVICE_TABLE(of, isp1301_of_match); + static struct i2c_client *isp1301_i2c_client; static int __isp1301_write(struct isp1301 *isp, u8 reg, u8 value, u8 clear) @@ -130,6 +136,7 @@ static int isp1301_remove(struct i2c_client *client) static struct i2c_driver isp1301_driver = { .driver = { .name = DRV_NAME, + .of_match_table = of_match_ptr(isp1301_of_match), }, .probe = isp1301_probe, .remove = isp1301_remove, -- 2.11.0

7 years, 9 months

1
99
0 0

[Linux-stable-mirror] [PATCH AUTOSEL for 4.9 001/156] usb: phy: isp1301: Add OF device ID table

by alexander.levin＠verizon.com

From: Javier Martinez Canillas <javier(a)osg.samsung.com> [ Upstream commit fd567653bdb908009b650f079bfd4b63169e2ac4 ] The driver doesn't have a struct of_device_id table but supported devices are registered via Device Trees. This is working on the assumption that a I2C device registered via OF will always match a legacy I2C device ID and that the MODALIAS reported will always be of the form i2c:<device>. But this could change in the future so the correct approach is to have an OF device ID table if the devices are registered via OF. Signed-off-by: Javier Martinez Canillas <javier(a)osg.samsung.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Sasha Levin <alexander.levin(a)verizon.com> --- drivers/usb/phy/phy-isp1301.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/drivers/usb/phy/phy-isp1301.c b/drivers/usb/phy/phy-isp1301.c index db68156568e6..b3b33cf7ddf6 100644 --- a/drivers/usb/phy/phy-isp1301.c +++ b/drivers/usb/phy/phy-isp1301.c @@ -33,6 +33,12 @@ static const struct i2c_device_id isp1301_id[] = { }; MODULE_DEVICE_TABLE(i2c, isp1301_id); +static const struct of_device_id isp1301_of_match[] = { + {.compatible = "nxp,isp1301" }, + { }, +}; +MODULE_DEVICE_TABLE(of, isp1301_of_match); + static struct i2c_client *isp1301_i2c_client; static int __isp1301_write(struct isp1301 *isp, u8 reg, u8 value, u8 clear) @@ -130,6 +136,7 @@ static int isp1301_remove(struct i2c_client *client) static struct i2c_driver isp1301_driver = { .driver = { .name = DRV_NAME, + .of_match_table = of_match_ptr(isp1301_of_match), }, .probe = isp1301_probe, .remove = isp1301_remove, -- 2.11.0

7 years, 9 months

1
154
0 0

[Linux-stable-mirror] [PATCH AUTOSEL for 4.14 001/135] IB/mlx4: Fix RSS's QPC attributes assignments

by alexander.levin＠verizon.com

From: Guy Levi <guyle(a)mellanox.com> [ Upstream commit 108809a0571cd1e1b317c5c083a371e163e1f8f9 ] In the modify QP handler the base_qpn_udp field in the RSS QPC is overwrite later by irrelevant value assignment. Hence, ingress packets which gets to the RSS QP will be steered then to a garbage QPN. The patch fixes this by skipping the above assignment when a RSS QP is modified, also, the RSS context's attributes assignments are relocated just before the context is posted to avoid future issues like this. Additionally, this patch takes the opportunity to change the code to be disciplined to the device's manual and assigns the RSS QP context just at RESET to INIT transition. Fixes:3078f5f1bd8b ("IB/mlx4: Add support for RSS QP") Signed-off-by: Guy Levi <guyle(a)mellanox.com> Reviewed-by: Yishai Hadas <yishaih(a)mellanox.com> Signed-off-by: Leon Romanovsky <leon(a)kernel.org> Signed-off-by: Doug Ledford <dledford(a)redhat.com> Signed-off-by: Sasha Levin <alexander.levin(a)verizon.com> --- drivers/infiniband/hw/mlx4/qp.c | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/drivers/infiniband/hw/mlx4/qp.c b/drivers/infiniband/hw/mlx4/qp.c index b6b33d99b0b4..26f3345948e2 100644 --- a/drivers/infiniband/hw/mlx4/qp.c +++ b/drivers/infiniband/hw/mlx4/qp.c @@ -2182,11 +2182,6 @@ static int __mlx4_ib_modify_qp(void *src, enum mlx4_ib_source_type src_type, context->flags = cpu_to_be32((to_mlx4_state(new_state) << 28) | (to_mlx4_st(dev, qp->mlx4_ib_qp_type) << 16)); - if (rwq_ind_tbl) { - fill_qp_rss_context(context, qp); - context->flags |= cpu_to_be32(1 << MLX4_RSS_QPC_FLAG_OFFSET); - } - if (!(attr_mask & IB_QP_PATH_MIG_STATE)) context->flags |= cpu_to_be32(MLX4_QP_PM_MIGRATED << 11); else { @@ -2387,6 +2382,7 @@ static int __mlx4_ib_modify_qp(void *src, enum mlx4_ib_source_type src_type, context->pd = cpu_to_be32(pd->pdn); if (!rwq_ind_tbl) { + context->params1 = cpu_to_be32(MLX4_IB_ACK_REQ_FREQ << 28); get_cqs(qp, src_type, &send_cq, &recv_cq); } else { /* Set dummy CQs to be compatible with HV and PRM */ send_cq = to_mcq(rwq_ind_tbl->ind_tbl[0]->cq); @@ -2394,7 +2390,6 @@ static int __mlx4_ib_modify_qp(void *src, enum mlx4_ib_source_type src_type, } context->cqn_send = cpu_to_be32(send_cq->mcq.cqn); context->cqn_recv = cpu_to_be32(recv_cq->mcq.cqn); - context->params1 = cpu_to_be32(MLX4_IB_ACK_REQ_FREQ << 28); /* Set "fast registration enabled" for all kernel QPs */ if (!ibuobject) @@ -2513,7 +2508,7 @@ static int __mlx4_ib_modify_qp(void *src, enum mlx4_ib_source_type src_type, MLX4_IB_LINK_TYPE_ETH; if (dev->dev->caps.tunnel_offload_mode == MLX4_TUNNEL_OFFLOAD_MODE_VXLAN) { /* set QP to receive both tunneled & non-tunneled packets */ - if (!(context->flags & cpu_to_be32(1 << MLX4_RSS_QPC_FLAG_OFFSET))) + if (!rwq_ind_tbl) context->srqn = cpu_to_be32(7 << 28); } } @@ -2562,6 +2557,13 @@ static int __mlx4_ib_modify_qp(void *src, enum mlx4_ib_source_type src_type, } } + if (rwq_ind_tbl && + cur_state == IB_QPS_RESET && + new_state == IB_QPS_INIT) { + fill_qp_rss_context(context, qp); + context->flags |= cpu_to_be32(1 << MLX4_RSS_QPC_FLAG_OFFSET); + } + err = mlx4_qp_modify(dev->dev, &qp->mtt, to_mlx4_state(cur_state), to_mlx4_state(new_state), context, optpar, sqd_event, &qp->mqp); -- 2.11.0

7 years, 9 months

1
133
0 0

[Linux-stable-mirror] Patch "kprobes: Use synchronize_rcu_tasks() for optprobe with CONFIG_PREEMPT=y" has been added to the 3.18-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled kprobes: Use synchronize_rcu_tasks() for optprobe with CONFIG_PREEMPT=y to the 3.18-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: kprobes-use-synchronize_rcu_tasks-for-optprobe-with-config_preempt-y.patch and it can be found in the queue-3.18 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From foo@baz Tue Dec 5 18:18:39 CET 2017 From: Masami Hiramatsu <mhiramat(a)kernel.org> Date: Fri, 20 Oct 2017 08:43:39 +0900 Subject: kprobes: Use synchronize_rcu_tasks() for optprobe with CONFIG_PREEMPT=y From: Masami Hiramatsu <mhiramat(a)kernel.org> [ Upstream commit a30b85df7d599f626973e9cd3056fe755bd778e0 ] We want to wait for all potentially preempted kprobes trampoline execution to have completed. This guarantees that any freed trampoline memory is not in use by any task in the system anymore. synchronize_rcu_tasks() gives such a guarantee, so use it. Also, this guarantees to wait for all potentially preempted tasks on the instructions which will be replaced with a jump. Since this becomes a problem only when CONFIG_PREEMPT=y, enable CONFIG_TASKS_RCU=y for synchronize_rcu_tasks() in that case. Signed-off-by: Masami Hiramatsu <mhiramat(a)kernel.org> Acked-by: Paul E. McKenney <paulmck(a)linux.vnet.ibm.com> Cc: Ananth N Mavinakayanahalli <ananth(a)linux.vnet.ibm.com> Cc: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: Naveen N . Rao <naveen.n.rao(a)linux.vnet.ibm.com> Cc: Paul E . McKenney <paulmck(a)linux.vnet.ibm.com> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Steven Rostedt <rostedt(a)goodmis.org> Cc: Thomas Gleixner <tglx(a)linutronix.de> Link: http://lkml.kernel.org/r/150845661962.5443.17724352636247312231.stgit@devbox Signed-off-by: Ingo Molnar <mingo(a)kernel.org> Signed-off-by: Sasha Levin <alexander.levin(a)verizon.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- arch/Kconfig | 2 +- kernel/kprobes.c | 14 ++++++++------ 2 files changed, 9 insertions(+), 7 deletions(-) --- a/arch/Kconfig +++ b/arch/Kconfig @@ -74,7 +74,7 @@ config JUMP_LABEL config OPTPROBES def_bool y depends on KPROBES && HAVE_OPTPROBES - depends on !PREEMPT + select TASKS_RCU if PREEMPT config KPROBES_ON_FTRACE def_bool y --- a/kernel/kprobes.c +++ b/kernel/kprobes.c @@ -540,13 +540,15 @@ static void kprobe_optimizer(struct work do_unoptimize_kprobes(); /* - * Step 2: Wait for quiesence period to ensure all running interrupts - * are done. Because optprobe may modify multiple instructions - * there is a chance that Nth instruction is interrupted. In that - * case, running interrupt can return to 2nd-Nth byte of jump - * instruction. This wait is for avoiding it. + * Step 2: Wait for quiesence period to ensure all potentially + * preempted tasks to have normally scheduled. Because optprobe + * may modify multiple instructions, there is a chance that Nth + * instruction is preempted. In that case, such tasks can return + * to 2nd-Nth byte of jump instruction. This wait is for avoiding it. + * Note that on non-preemptive kernel, this is transparently converted + * to synchronoze_sched() to wait for all interrupts to have completed. */ - synchronize_sched(); + synchronize_rcu_tasks(); /* Step 3: Optimize kprobes after quiesence period */ do_optimize_kprobes(); Patches currently in stable-queue which might be from mhiramat(a)kernel.org are queue-3.18/kprobes-use-synchronize_rcu_tasks-for-optprobe-with-config_preempt-y.patch

7 years, 9 months

4
5
0 0

[Linux-stable-mirror] [stable 4.9 1/3] thp: reduce indentation level in change_huge_pmd()

by Jack Wang

From: "Kirill A. Shutemov" <kirill.shutemov(a)linux.intel.com> commit 0a85e51d37645e9ce57e5e1a30859e07810ed07c upstream. Patch series "thp: fix few MADV_DONTNEED races" For MADV_DONTNEED to work properly with huge pages, it's critical to not clear pmd intermittently unless you hold down_write(mmap_sem). Otherwise MADV_DONTNEED can miss the THP which can lead to userspace breakage. See example of such race in commit message of patch 2/4. All these races are found by code inspection. I haven't seen them triggered. I don't think it's worth to apply them to stable@. This patch (of 4): Restructure code in preparation for a fix. Link: http://lkml.kernel.org/r/20170302151034.27829-2-kirill.shutemov@linux.intel… Signed-off-by: Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> Acked-by: Vlastimil Babka <vbabka(a)suse.cz> Cc: Andrea Arcangeli <aarcange(a)redhat.com> Cc: Hillf Danton <hillf.zj(a)alibaba-inc.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds(a)linux-foundation.org> [jwang: adjust context for 4.9] Signed-off-by: Jack Wang <jinpu.wang(a)profitbricks.com> --- mm/huge_memory.c | 52 ++++++++++++++++++++++++++-------------------------- 1 file changed, 26 insertions(+), 26 deletions(-) diff --git a/mm/huge_memory.c b/mm/huge_memory.c index 3cae1dc..660e732 100644 --- a/mm/huge_memory.c +++ b/mm/huge_memory.c @@ -1509,37 +1509,37 @@ int change_huge_pmd(struct vm_area_struct *vma, pmd_t *pmd, { struct mm_struct *mm = vma->vm_mm; spinlock_t *ptl; - int ret = 0; + pmd_t entry; + bool preserve_write; + int ret; ptl = __pmd_trans_huge_lock(pmd, vma); - if (ptl) { - pmd_t entry; - bool preserve_write = prot_numa && pmd_write(*pmd); - ret = 1; + if (!ptl) + return 0; - /* - * Avoid trapping faults against the zero page. The read-only - * data is likely to be read-cached on the local CPU and - * local/remote hits to the zero page are not interesting. - */ - if (prot_numa && is_huge_zero_pmd(*pmd)) { - spin_unlock(ptl); - return ret; - } + preserve_write = prot_numa && pmd_write(*pmd); + ret = 1; - if (!prot_numa || !pmd_protnone(*pmd)) { - entry = pmdp_huge_get_and_clear_notify(mm, addr, pmd); - entry = pmd_modify(entry, newprot); - if (preserve_write) - entry = pmd_mkwrite(entry); - ret = HPAGE_PMD_NR; - set_pmd_at(mm, addr, pmd, entry); - BUG_ON(vma_is_anonymous(vma) && !preserve_write && - pmd_write(entry)); - } - spin_unlock(ptl); - } + /* + * Avoid trapping faults against the zero page. The read-only + * data is likely to be read-cached on the local CPU and + * local/remote hits to the zero page are not interesting. + */ + if (prot_numa && is_huge_zero_pmd(*pmd)) + goto unlock; + if (prot_numa && pmd_protnone(*pmd)) + goto unlock; + + entry = pmdp_huge_get_and_clear_notify(mm, addr, pmd); + entry = pmd_modify(entry, newprot); + if (preserve_write) + entry = pmd_mkwrite(entry); + ret = HPAGE_PMD_NR; + set_pmd_at(mm, addr, pmd, entry); + BUG_ON(vma_is_anonymous(vma) && !preserve_write && pmd_write(entry)); +unlock: + spin_unlock(ptl); return ret; } -- 2.7.4

7 years, 9 months

1
2
0 0

[Linux-stable-mirror] [PATCH] cpufreq: longhaul: Set transition_delay_us to 20 ms

by Viresh Kumar

The commit e948bc8fbee0 ("cpufreq: Cap the default transition delay value to 10 ms") caused a regression on EPIA-M min-ITX computer where shutdown or reboot hangs occasionally with a print message like: longhaul: Warning: Timeout while waiting for idle PCI bus cpufreq: __target_index: Failed to change cpu frequency: -16 This probably happens because the cpufreq governor tries to change the frequency of the CPU faster than allowed by the hardware. With the above commit, the default transition delay comes to 10 ms for a transition_latency of 200 us. Set the default transition delay to 20 ms directly to fix this regression. Fixes: e948bc8fbee0 ("cpufreq: Cap the default transition delay value to 10 ms") Cc: 4.14+ <stable(a)vger.kernel.org> # 4.14+ Reported-by: Meelis Roos <mroos(a)linux.ee> Suggested-by: Rafael J. Wysocki <rjw(a)rjwysocki.net> Signed-off-by: Viresh Kumar <viresh.kumar(a)linaro.org> --- drivers/cpufreq/longhaul.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/cpufreq/longhaul.c b/drivers/cpufreq/longhaul.c index c46a12df40dd..56eafcb07859 100644 --- a/drivers/cpufreq/longhaul.c +++ b/drivers/cpufreq/longhaul.c @@ -894,7 +894,7 @@ static int longhaul_cpu_init(struct cpufreq_policy *policy) if ((longhaul_version != TYPE_LONGHAUL_V1) && (scale_voltage != 0)) longhaul_setup_voltagescaling(); - policy->cpuinfo.transition_latency = 200000; /* nsec */ + policy->transition_delay_us = 20000; /* usec */ return cpufreq_table_validate_and_show(policy, longhaul_table); } -- 2.15.0.194.g9af6a3dea062

7 years, 9 months

5
13
0 0

[Linux-stable-mirror] Patch "usb: ch9: Add size macro for SSP dev cap descriptor" has been added to the 4.4-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled usb: ch9: Add size macro for SSP dev cap descriptor to the 4.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: usb-ch9-add-size-macro-for-ssp-dev-cap-descriptor.patch and it can be found in the queue-4.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 446fa3a95df1e8b78f25e1babc41e46edd200821 Mon Sep 17 00:00:00 2001 From: John Youn <John.Youn(a)synopsys.com> Date: Fri, 5 Feb 2016 17:05:12 -0800 Subject: usb: ch9: Add size macro for SSP dev cap descriptor From: John Youn <John.Youn(a)synopsys.com> commit 446fa3a95df1e8b78f25e1babc41e46edd200821 upstream. The SuperspeedPlus Device Capability Descriptor has a variable size depending on the number of sublink speed attributes. This patch adds a macro to calculate that size. The macro takes one argument, the Sublink Speed Attribute Count (SSAC) as reported by the descriptor in bmAttributes[4:0]. See USB 3.1 9.6.2.5, Table 9-19. Signed-off-by: John Youn <johnyoun(a)synopsys.com> Signed-off-by: Felipe Balbi <balbi(a)kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- include/uapi/linux/usb/ch9.h | 6 ++++++ 1 file changed, 6 insertions(+) --- a/include/uapi/linux/usb/ch9.h +++ b/include/uapi/linux/usb/ch9.h @@ -906,6 +906,12 @@ struct usb_ptm_cap_descriptor { __u8 bDevCapabilityType; } __attribute__((packed)); +/* + * The size of the descriptor for the Sublink Speed Attribute Count + * (SSAC) specified in bmAttributes[4:0]. + */ +#define USB_DT_USB_SSP_CAP_SIZE(ssac) (16 + ssac * 4) + /*-------------------------------------------------------------------------*/ /* USB_DT_WIRELESS_ENDPOINT_COMP: companion descriptor associated with Patches currently in stable-queue which might be from John.Youn(a)synopsys.com are queue-4.4/usb-ch9-add-size-macro-for-ssp-dev-cap-descriptor.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "usb: Add USB 3.1 Precision time measurement capability descriptor support" has been added to the 4.4-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled usb: Add USB 3.1 Precision time measurement capability descriptor support to the 4.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: usb-add-usb-3.1-precision-time-measurement-capability-descriptor-support.patch and it can be found in the queue-4.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From faee822c5a7ab99de25cd34fcde3f8d37b6b9923 Mon Sep 17 00:00:00 2001 From: Mathias Nyman <mathias.nyman(a)linux.intel.com> Date: Fri, 12 Feb 2016 16:40:14 +0200 Subject: usb: Add USB 3.1 Precision time measurement capability descriptor support From: Mathias Nyman <mathias.nyman(a)linux.intel.com> commit faee822c5a7ab99de25cd34fcde3f8d37b6b9923 upstream. USB 3.1 devices that support precision time measurement have an additional PTM cabaility descriptor as part of the full BOS descriptor Look for this descriptor while parsing the BOS descriptor, and store it in struct usb_hub_bos if it exists. Signed-off-by: Mathias Nyman <mathias.nyman(a)linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/usb/core/config.c | 3 +++ include/linux/usb.h | 1 + include/uapi/linux/usb/ch9.h | 10 ++++++++++ 3 files changed, 14 insertions(+) --- a/drivers/usb/core/config.c +++ b/drivers/usb/core/config.c @@ -959,6 +959,9 @@ int usb_get_bos_descriptor(struct usb_de dev->bos->ss_id = (struct usb_ss_container_id_descriptor *)buffer; break; + case USB_PTM_CAP_TYPE: + dev->bos->ptm_cap = + (struct usb_ptm_cap_descriptor *)buffer; default: break; } --- a/include/linux/usb.h +++ b/include/linux/usb.h @@ -330,6 +330,7 @@ struct usb_host_bos { struct usb_ss_cap_descriptor *ss_cap; struct usb_ssp_cap_descriptor *ssp_cap; struct usb_ss_container_id_descriptor *ss_id; + struct usb_ptm_cap_descriptor *ptm_cap; }; int __usb_get_extra_descriptor(char *buffer, unsigned size, --- a/include/uapi/linux/usb/ch9.h +++ b/include/uapi/linux/usb/ch9.h @@ -895,6 +895,16 @@ struct usb_ssp_cap_descriptor { #define USB_SSP_SUBLINK_SPEED_LSM (0xff << 16) /* Lanespeed mantissa */ } __attribute__((packed)); +/* + * Precision time measurement capability descriptor: advertised by devices and + * hubs that support PTM + */ +#define USB_PTM_CAP_TYPE 0xb +struct usb_ptm_cap_descriptor { + __u8 bLength; + __u8 bDescriptorType; + __u8 bDevCapabilityType; +} __attribute__((packed)); /*-------------------------------------------------------------------------*/ Patches currently in stable-queue which might be from mathias.nyman(a)linux.intel.com are queue-4.4/usb-xhci-fix-panic-in-xhci_free_virt_devices_depth_first.patch queue-4.4/usb-add-usb-3.1-precision-time-measurement-capability-descriptor-support.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "usb: xhci: fix panic in xhci_free_virt_devices_depth_first" has been added to the 4.9-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled usb: xhci: fix panic in xhci_free_virt_devices_depth_first to the 4.9-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: usb-xhci-fix-panic-in-xhci_free_virt_devices_depth_first.patch and it can be found in the queue-4.9 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 80e457699a8dbdd70f2d26911e46f538645c55fc Mon Sep 17 00:00:00 2001 From: Yu Chen <chenyu56(a)huawei.com> Date: Fri, 1 Dec 2017 13:41:20 +0200 Subject: usb: xhci: fix panic in xhci_free_virt_devices_depth_first From: Yu Chen <chenyu56(a)huawei.com> commit 80e457699a8dbdd70f2d26911e46f538645c55fc upstream. Check vdev->real_port 0 to avoid panic [ 9.261347] [<ffffff800884a390>] xhci_free_virt_devices_depth_first+0x58/0x108 [ 9.261352] [<ffffff800884a814>] xhci_mem_cleanup+0x1bc/0x570 [ 9.261355] [<ffffff8008842de8>] xhci_stop+0x140/0x1c8 [ 9.261365] [<ffffff80087ed304>] usb_remove_hcd+0xfc/0x1d0 [ 9.261369] [<ffffff80088551c4>] xhci_plat_remove+0x6c/0xa8 [ 9.261377] [<ffffff80086e928c>] platform_drv_remove+0x2c/0x70 [ 9.261384] [<ffffff80086e6ea0>] __device_release_driver+0x80/0x108 [ 9.261387] [<ffffff80086e7a1c>] device_release_driver+0x2c/0x40 [ 9.261392] [<ffffff80086e5f28>] bus_remove_device+0xe0/0x120 [ 9.261396] [<ffffff80086e2e34>] device_del+0x114/0x210 [ 9.261399] [<ffffff80086e9e00>] platform_device_del+0x30/0xa0 [ 9.261403] [<ffffff8008810bdc>] dwc3_otg_work+0x204/0x488 [ 9.261407] [<ffffff80088133fc>] event_work+0x304/0x5b8 [ 9.261414] [<ffffff80080e31b0>] process_one_work+0x148/0x490 [ 9.261417] [<ffffff80080e3548>] worker_thread+0x50/0x4a0 [ 9.261421] [<ffffff80080e9ea0>] kthread+0xe8/0x100 [ 9.261427] [<ffffff8008083680>] ret_from_fork+0x10/0x50 The problem can occur if xhci_plat_remove() is called shortly after xhci_plat_probe(). While xhci_free_virt_devices_depth_first been called before the device has been setup and get real_port initialized. The problem occurred on Hikey960 and was reproduced by Guenter Roeck on Kevin with chromeos-4.4. Fixes: ee8665e28e8d ("xhci: free xhci virtual devices with leaf nodes first") Cc: Guenter Roeck <groeck(a)google.com> Reviewed-by: Guenter Roeck <groeck(a)chromium.org> Tested-by: Guenter Roeck <linux(a)roeck-us.net> Signed-off-by: Fan Ning <fanning4(a)hisilicon.com> Signed-off-by: Li Rui <lirui39(a)hisilicon.com> Signed-off-by: yangdi <yangdi10(a)hisilicon.com> Signed-off-by: Yu Chen <chenyu56(a)huawei.com> Signed-off-by: Mathias Nyman <mathias.nyman(a)linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/usb/host/xhci-mem.c | 7 +++++++ 1 file changed, 7 insertions(+) --- a/drivers/usb/host/xhci-mem.c +++ b/drivers/usb/host/xhci-mem.c @@ -996,6 +996,12 @@ void xhci_free_virt_devices_depth_first( if (!vdev) return; + if (vdev->real_port == 0 || + vdev->real_port > HCS_MAX_PORTS(xhci->hcs_params1)) { + xhci_dbg(xhci, "Bad vdev->real_port.\n"); + goto out; + } + tt_list_head = &(xhci->rh_bw[vdev->real_port - 1].tts); list_for_each_entry_safe(tt_info, next, tt_list_head, tt_list) { /* is this a hub device that added a tt_info to the tts list */ @@ -1009,6 +1015,7 @@ void xhci_free_virt_devices_depth_first( } } } +out: /* we are now at a leaf device */ xhci_free_virt_device(xhci, slot_id); } Patches currently in stable-queue which might be from chenyu56(a)huawei.com are queue-4.9/usb-xhci-fix-panic-in-xhci_free_virt_devices_depth_first.patch queue-4.9/usb-dwc2-error-out-of-dwc2_hsotg_ep_disable-if-we-re-in-host-mode.patch queue-4.9/usb-dwc2-fix-udc-state-tracking.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "USB: usbfs: Filter flags passed in from user space" has been added to the 4.9-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled USB: usbfs: Filter flags passed in from user space to the 4.9-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: usb-usbfs-filter-flags-passed-in-from-user-space.patch and it can be found in the queue-4.9 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 446f666da9f019ce2ffd03800995487e79a91462 Mon Sep 17 00:00:00 2001 From: Oliver Neukum <oneukum(a)suse.com> Date: Thu, 23 Nov 2017 16:39:52 +0100 Subject: USB: usbfs: Filter flags passed in from user space From: Oliver Neukum <oneukum(a)suse.com> commit 446f666da9f019ce2ffd03800995487e79a91462 upstream. USBDEVFS_URB_ISO_ASAP must be accepted only for ISO endpoints. Improve sanity checking. Reported-by: Andrey Konovalov <andreyknvl(a)google.com> Signed-off-by: Oliver Neukum <oneukum(a)suse.com> Acked-by: Alan Stern <stern(a)rowland.harvard.edu> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/usb/core/devio.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) --- a/drivers/usb/core/devio.c +++ b/drivers/usb/core/devio.c @@ -1454,14 +1454,18 @@ static int proc_do_submiturb(struct usb_ int number_of_packets = 0; unsigned int stream_id = 0; void *buf; - - if (uurb->flags & ~(USBDEVFS_URB_ISO_ASAP | - USBDEVFS_URB_SHORT_NOT_OK | + unsigned long mask = USBDEVFS_URB_SHORT_NOT_OK | USBDEVFS_URB_BULK_CONTINUATION | USBDEVFS_URB_NO_FSBR | USBDEVFS_URB_ZERO_PACKET | - USBDEVFS_URB_NO_INTERRUPT)) - return -EINVAL; + USBDEVFS_URB_NO_INTERRUPT; + /* USBDEVFS_URB_ISO_ASAP is a special case */ + if (uurb->type == USBDEVFS_URB_TYPE_ISO) + mask |= USBDEVFS_URB_ISO_ASAP; + + if (uurb->flags & ~mask) + return -EINVAL; + if ((unsigned int)uurb->buffer_length >= USBFS_XFER_MAX) return -EINVAL; if (uurb->buffer_length > 0 && !uurb->buffer) Patches currently in stable-queue which might be from oneukum(a)suse.com are queue-4.9/usb-usbfs-filter-flags-passed-in-from-user-space.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "USB: Increase usbfs transfer limit" has been added to the 4.9-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled USB: Increase usbfs transfer limit to the 4.9-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: usb-increase-usbfs-transfer-limit.patch and it can be found in the queue-4.9 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 1129d270cbfbb7e2b1ec3dede4a13930bdd10e41 Mon Sep 17 00:00:00 2001 From: Mateusz Berezecki <mateuszb(a)fastmail.fm> Date: Wed, 21 Dec 2016 09:19:14 -0800 Subject: USB: Increase usbfs transfer limit From: Mateusz Berezecki <mateuszb(a)fastmail.fm> commit 1129d270cbfbb7e2b1ec3dede4a13930bdd10e41 upstream. Promote a variable keeping track of USB transfer memory usage to a wider data type and allow for higher bandwidth transfers from a large number of USB devices connected to a single host. Signed-off-by: Mateusz Berezecki <mateuszb(a)fastmail.fm> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/usb/core/devio.c | 43 ++++++++++++++++--------------------------- 1 file changed, 16 insertions(+), 27 deletions(-) --- a/drivers/usb/core/devio.c +++ b/drivers/usb/core/devio.c @@ -134,42 +134,35 @@ enum snoop_when { #define USB_DEVICE_DEV MKDEV(USB_DEVICE_MAJOR, 0) /* Limit on the total amount of memory we can allocate for transfers */ -static unsigned usbfs_memory_mb = 16; +static u32 usbfs_memory_mb = 16; module_param(usbfs_memory_mb, uint, 0644); MODULE_PARM_DESC(usbfs_memory_mb, "maximum MB allowed for usbfs buffers (0 = no limit)"); -/* Hard limit, necessary to avoid arithmetic overflow */ -#define USBFS_XFER_MAX (UINT_MAX / 2 - 1000000) - -static atomic_t usbfs_memory_usage; /* Total memory currently allocated */ +static atomic64_t usbfs_memory_usage; /* Total memory currently allocated */ /* Check whether it's okay to allocate more memory for a transfer */ -static int usbfs_increase_memory_usage(unsigned amount) +static int usbfs_increase_memory_usage(u64 amount) { - unsigned lim; + u64 lim; - /* - * Convert usbfs_memory_mb to bytes, avoiding overflows. - * 0 means use the hard limit (effectively unlimited). - */ lim = ACCESS_ONCE(usbfs_memory_mb); - if (lim == 0 || lim > (USBFS_XFER_MAX >> 20)) - lim = USBFS_XFER_MAX; - else - lim <<= 20; + lim <<= 20; - atomic_add(amount, &usbfs_memory_usage); - if (atomic_read(&usbfs_memory_usage) <= lim) - return 0; - atomic_sub(amount, &usbfs_memory_usage); - return -ENOMEM; + atomic64_add(amount, &usbfs_memory_usage); + + if (lim > 0 && atomic64_read(&usbfs_memory_usage) > lim) { + atomic64_sub(amount, &usbfs_memory_usage); + return -ENOMEM; + } + + return 0; } /* Memory for a transfer is being deallocated */ -static void usbfs_decrease_memory_usage(unsigned amount) +static void usbfs_decrease_memory_usage(u64 amount) { - atomic_sub(amount, &usbfs_memory_usage); + atomic64_sub(amount, &usbfs_memory_usage); } static int connected(struct usb_dev_state *ps) @@ -1191,7 +1184,7 @@ static int proc_bulk(struct usb_dev_stat if (!usb_maxpacket(dev, pipe, !(bulk.ep & USB_DIR_IN))) return -EINVAL; len1 = bulk.len; - if (len1 >= USBFS_XFER_MAX) + if (len1 >= (INT_MAX - sizeof(struct urb))) return -EINVAL; ret = usbfs_increase_memory_usage(len1 + sizeof(struct urb)); if (ret) @@ -1584,10 +1577,6 @@ static int proc_do_submiturb(struct usb_ return -EINVAL; } - if (uurb->buffer_length >= USBFS_XFER_MAX) { - ret = -EINVAL; - goto error; - } if (uurb->buffer_length > 0 && !access_ok(is_in ? VERIFY_WRITE : VERIFY_READ, uurb->buffer, uurb->buffer_length)) { Patches currently in stable-queue which might be from mateuszb(a)fastmail.fm are queue-4.9/usb-increase-usbfs-transfer-limit.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "usb: hub: Cycle HUB power when initialization fails" has been added to the 4.9-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled usb: hub: Cycle HUB power when initialization fails to the 4.9-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: usb-hub-cycle-hub-power-when-initialization-fails.patch and it can be found in the queue-4.9 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 973593a960ddac0f14f0d8877d2d0abe0afda795 Mon Sep 17 00:00:00 2001 From: Mike Looijmans <mike.looijmans(a)topic.nl> Date: Thu, 9 Nov 2017 13:16:46 +0100 Subject: usb: hub: Cycle HUB power when initialization fails From: Mike Looijmans <mike.looijmans(a)topic.nl> commit 973593a960ddac0f14f0d8877d2d0abe0afda795 upstream. Sometimes the USB device gets confused about the state of the initialization and the connection fails. In particular, the device thinks that it's already set up and running while the host thinks the device still needs to be configured. To work around this issue, power-cycle the hub's output to issue a sort of "reset" to the device. This makes the device restart its state machine and then the initialization succeeds. This fixes problems where the kernel reports a list of errors like this: usb 1-1.3: device not accepting address 19, error -71 The end result is a non-functioning device. After this patch, the sequence becomes like this: usb 1-1.3: new high-speed USB device number 18 using ci_hdrc usb 1-1.3: device not accepting address 18, error -71 usb 1-1.3: new high-speed USB device number 19 using ci_hdrc usb 1-1.3: device not accepting address 19, error -71 usb 1-1-port3: attempt power cycle usb 1-1.3: new high-speed USB device number 21 using ci_hdrc usb-storage 1-1.3:1.2: USB Mass Storage device detected Signed-off-by: Mike Looijmans <mike.looijmans(a)topic.nl> Acked-by: Alan Stern <stern(a)rowland.harvard.edu> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/usb/core/hub.c | 9 +++++++++ 1 file changed, 9 insertions(+) --- a/drivers/usb/core/hub.c +++ b/drivers/usb/core/hub.c @@ -4925,6 +4925,15 @@ loop: usb_put_dev(udev); if ((status == -ENOTCONN) || (status == -ENOTSUPP)) break; + + /* When halfway through our retry count, power-cycle the port */ + if (i == (SET_CONFIG_TRIES / 2) - 1) { + dev_info(&port_dev->dev, "attempt power cycle\n"); + usb_hub_set_port_power(hdev, hub, port1, false); + msleep(2 * hub_power_on_good_delay(hub)); + usb_hub_set_port_power(hdev, hub, port1, true); + msleep(hub_power_on_good_delay(hub)); + } } if (hub->hdev->parent || !hcd->driver->port_handed_over || Patches currently in stable-queue which might be from mike.looijmans(a)topic.nl are queue-4.9/i2c-i2c-cadence-initialize-configuration-before-probing-devices.patch queue-4.9/usb-hub-cycle-hub-power-when-initialization-fails.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "usb: host: fix incorrect updating of offset" has been added to the 4.9-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled usb: host: fix incorrect updating of offset to the 4.9-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: usb-host-fix-incorrect-updating-of-offset.patch and it can be found in the queue-4.9 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 1d5a31582ef046d3b233f0da1a68ae26519b2f0a Mon Sep 17 00:00:00 2001 From: Colin Ian King <colin.king(a)canonical.com> Date: Tue, 7 Nov 2017 16:45:04 +0000 Subject: usb: host: fix incorrect updating of offset From: Colin Ian King <colin.king(a)canonical.com> commit 1d5a31582ef046d3b233f0da1a68ae26519b2f0a upstream. The variable temp is incorrectly being updated, instead it should be offset otherwise the loop just reads the same capability value and loops forever. Thanks to Alan Stern for pointing out the correct fix to my original fix. Fix also cleans up clang warning: drivers/usb/host/ehci-dbg.c:840:4: warning: Value stored to 'temp' is never read Fixes: d49d43174400 ("USB: misc ehci updates") Signed-off-by: Colin Ian King <colin.king(a)canonical.com> Acked-by: Alan Stern <stern(a)rowland.harvard.edu> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/usb/host/ehci-dbg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/usb/host/ehci-dbg.c +++ b/drivers/usb/host/ehci-dbg.c @@ -837,7 +837,7 @@ static ssize_t fill_registers_buffer(str default: /* unknown */ break; } - temp = (cap >> 8) & 0xff; + offset = (cap >> 8) & 0xff; } } #endif Patches currently in stable-queue which might be from colin.king(a)canonical.com are queue-4.9/staging-rtl8188eu-avoid-a-null-dereference-on-pmlmepriv.patch queue-4.9/usb-host-fix-incorrect-updating-of-offset.patch queue-4.9/net-sctp-fix-array-overrun-read-on-sctp_timer_tbl.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "USB: devio: Prevent integer overflow in proc_do_submiturb()" has been added to the 4.9-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled USB: devio: Prevent integer overflow in proc_do_submiturb() to the 4.9-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: usb-devio-prevent-integer-overflow-in-proc_do_submiturb.patch and it can be found in the queue-4.9 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 57999d1107c1e60c2ca7088f2ac0f819e2f554b3 Mon Sep 17 00:00:00 2001 From: Dan Carpenter <dan.carpenter(a)oracle.com> Date: Fri, 22 Sep 2017 23:43:25 +0300 Subject: USB: devio: Prevent integer overflow in proc_do_submiturb() From: Dan Carpenter <dan.carpenter(a)oracle.com> commit 57999d1107c1e60c2ca7088f2ac0f819e2f554b3 upstream. There used to be an integer overflow check in proc_do_submiturb() but we removed it. It turns out that it's still required. The uurb->buffer_length variable is a signed integer and it's controlled by the user. It can lead to an integer overflow when we do: num_sgs = DIV_ROUND_UP(uurb->buffer_length, USB_SG_SIZE); If we strip away the macro then that line looks like this: num_sgs = (uurb->buffer_length + USB_SG_SIZE - 1) / USB_SG_SIZE; ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ It's the first addition which can overflow. Fixes: 1129d270cbfb ("USB: Increase usbfs transfer limit") Signed-off-by: Dan Carpenter <dan.carpenter(a)oracle.com> Acked-by: Alan Stern <stern(a)rowland.harvard.edu> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/usb/core/devio.c | 5 +++++ 1 file changed, 5 insertions(+) --- a/drivers/usb/core/devio.c +++ b/drivers/usb/core/devio.c @@ -139,6 +139,9 @@ module_param(usbfs_memory_mb, uint, 0644 MODULE_PARM_DESC(usbfs_memory_mb, "maximum MB allowed for usbfs buffers (0 = no limit)"); +/* Hard limit, necessary to avoid arithmetic overflow */ +#define USBFS_XFER_MAX (UINT_MAX / 2 - 1000000) + static atomic64_t usbfs_memory_usage; /* Total memory currently allocated */ /* Check whether it's okay to allocate more memory for a transfer */ @@ -1459,6 +1462,8 @@ static int proc_do_submiturb(struct usb_ USBDEVFS_URB_ZERO_PACKET | USBDEVFS_URB_NO_INTERRUPT)) return -EINVAL; + if ((unsigned int)uurb->buffer_length >= USBFS_XFER_MAX) + return -EINVAL; if (uurb->buffer_length > 0 && !uurb->buffer) return -EINVAL; if (!(uurb->type == USBDEVFS_URB_TYPE_CONTROL && Patches currently in stable-queue which might be from dan.carpenter(a)oracle.com are queue-4.9/usb-devio-prevent-integer-overflow-in-proc_do_submiturb.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "USB: core: Add type-specific length check of BOS descriptors" has been added to the 4.9-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled USB: core: Add type-specific length check of BOS descriptors to the 4.9-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: usb-core-add-type-specific-length-check-of-bos-descriptors.patch and it can be found in the queue-4.9 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 81cf4a45360f70528f1f64ba018d61cb5767249a Mon Sep 17 00:00:00 2001 From: Masakazu Mokuno <masakazu.mokuno(a)gmail.com> Date: Fri, 10 Nov 2017 01:25:50 +0900 Subject: USB: core: Add type-specific length check of BOS descriptors From: Masakazu Mokuno <masakazu.mokuno(a)gmail.com> commit 81cf4a45360f70528f1f64ba018d61cb5767249a upstream. As most of BOS descriptors are longer in length than their header 'struct usb_dev_cap_header', comparing solely with it is not sufficient to avoid out-of-bounds access to BOS descriptors. This patch adds descriptor type specific length check in usb_get_bos_descriptor() to fix the issue. Signed-off-by: Masakazu Mokuno <masakazu.mokuno(a)gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/usb/core/config.c | 28 ++++++++++++++++++++++++---- include/uapi/linux/usb/ch9.h | 3 +++ 2 files changed, 27 insertions(+), 4 deletions(-) --- a/drivers/usb/core/config.c +++ b/drivers/usb/core/config.c @@ -900,14 +900,25 @@ void usb_release_bos_descriptor(struct u } } +static const __u8 bos_desc_len[256] = { + [USB_CAP_TYPE_WIRELESS_USB] = USB_DT_USB_WIRELESS_CAP_SIZE, + [USB_CAP_TYPE_EXT] = USB_DT_USB_EXT_CAP_SIZE, + [USB_SS_CAP_TYPE] = USB_DT_USB_SS_CAP_SIZE, + [USB_SSP_CAP_TYPE] = USB_DT_USB_SSP_CAP_SIZE(1), + [CONTAINER_ID_TYPE] = USB_DT_USB_SS_CONTN_ID_SIZE, + [USB_PTM_CAP_TYPE] = USB_DT_USB_PTM_ID_SIZE, +}; + /* Get BOS descriptor set */ int usb_get_bos_descriptor(struct usb_device *dev) { struct device *ddev = &dev->dev; struct usb_bos_descriptor *bos; struct usb_dev_cap_header *cap; + struct usb_ssp_cap_descriptor *ssp_cap; unsigned char *buffer; - int length, total_len, num, i; + int length, total_len, num, i, ssac; + __u8 cap_type; int ret; bos = kzalloc(sizeof(struct usb_bos_descriptor), GFP_KERNEL); @@ -960,7 +971,13 @@ int usb_get_bos_descriptor(struct usb_de dev->bos->desc->bNumDeviceCaps = i; break; } + cap_type = cap->bDevCapabilityType; length = cap->bLength; + if (bos_desc_len[cap_type] && length < bos_desc_len[cap_type]) { + dev->bos->desc->bNumDeviceCaps = i; + break; + } + total_len -= length; if (cap->bDescriptorType != USB_DT_DEVICE_CAPABILITY) { @@ -968,7 +985,7 @@ int usb_get_bos_descriptor(struct usb_de continue; } - switch (cap->bDevCapabilityType) { + switch (cap_type) { case USB_CAP_TYPE_WIRELESS_USB: /* Wireless USB cap descriptor is handled by wusb */ break; @@ -981,8 +998,11 @@ int usb_get_bos_descriptor(struct usb_de (struct usb_ss_cap_descriptor *)buffer; break; case USB_SSP_CAP_TYPE: - dev->bos->ssp_cap = - (struct usb_ssp_cap_descriptor *)buffer; + ssp_cap = (struct usb_ssp_cap_descriptor *)buffer; + ssac = (le32_to_cpu(ssp_cap->bmAttributes) & + USB_SSP_SUBLINK_SPEED_ATTRIBS) + 1; + if (length >= USB_DT_USB_SSP_CAP_SIZE(ssac)) + dev->bos->ssp_cap = ssp_cap; break; case CONTAINER_ID_TYPE: dev->bos->ss_id = --- a/include/uapi/linux/usb/ch9.h +++ b/include/uapi/linux/usb/ch9.h @@ -854,6 +854,8 @@ struct usb_wireless_cap_descriptor { /* __u8 bReserved; } __attribute__((packed)); +#define USB_DT_USB_WIRELESS_CAP_SIZE 11 + /* USB 2.0 Extension descriptor */ #define USB_CAP_TYPE_EXT 2 @@ -1046,6 +1048,7 @@ struct usb_ptm_cap_descriptor { __u8 bDevCapabilityType; } __attribute__((packed)); +#define USB_DT_USB_PTM_ID_SIZE 3 /* * The size of the descriptor for the Sublink Speed Attribute Count * (SSAC) specified in bmAttributes[4:0]. Patches currently in stable-queue which might be from masakazu.mokuno(a)gmail.com are queue-4.9/usb-core-add-type-specific-length-check-of-bos-descriptors.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "usb: xhci: fix panic in xhci_free_virt_devices_depth_first" has been added to the 4.4-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled usb: xhci: fix panic in xhci_free_virt_devices_depth_first to the 4.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: usb-xhci-fix-panic-in-xhci_free_virt_devices_depth_first.patch and it can be found in the queue-4.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 80e457699a8dbdd70f2d26911e46f538645c55fc Mon Sep 17 00:00:00 2001 From: Yu Chen <chenyu56(a)huawei.com> Date: Fri, 1 Dec 2017 13:41:20 +0200 Subject: usb: xhci: fix panic in xhci_free_virt_devices_depth_first From: Yu Chen <chenyu56(a)huawei.com> commit 80e457699a8dbdd70f2d26911e46f538645c55fc upstream. Check vdev->real_port 0 to avoid panic [ 9.261347] [<ffffff800884a390>] xhci_free_virt_devices_depth_first+0x58/0x108 [ 9.261352] [<ffffff800884a814>] xhci_mem_cleanup+0x1bc/0x570 [ 9.261355] [<ffffff8008842de8>] xhci_stop+0x140/0x1c8 [ 9.261365] [<ffffff80087ed304>] usb_remove_hcd+0xfc/0x1d0 [ 9.261369] [<ffffff80088551c4>] xhci_plat_remove+0x6c/0xa8 [ 9.261377] [<ffffff80086e928c>] platform_drv_remove+0x2c/0x70 [ 9.261384] [<ffffff80086e6ea0>] __device_release_driver+0x80/0x108 [ 9.261387] [<ffffff80086e7a1c>] device_release_driver+0x2c/0x40 [ 9.261392] [<ffffff80086e5f28>] bus_remove_device+0xe0/0x120 [ 9.261396] [<ffffff80086e2e34>] device_del+0x114/0x210 [ 9.261399] [<ffffff80086e9e00>] platform_device_del+0x30/0xa0 [ 9.261403] [<ffffff8008810bdc>] dwc3_otg_work+0x204/0x488 [ 9.261407] [<ffffff80088133fc>] event_work+0x304/0x5b8 [ 9.261414] [<ffffff80080e31b0>] process_one_work+0x148/0x490 [ 9.261417] [<ffffff80080e3548>] worker_thread+0x50/0x4a0 [ 9.261421] [<ffffff80080e9ea0>] kthread+0xe8/0x100 [ 9.261427] [<ffffff8008083680>] ret_from_fork+0x10/0x50 The problem can occur if xhci_plat_remove() is called shortly after xhci_plat_probe(). While xhci_free_virt_devices_depth_first been called before the device has been setup and get real_port initialized. The problem occurred on Hikey960 and was reproduced by Guenter Roeck on Kevin with chromeos-4.4. Fixes: ee8665e28e8d ("xhci: free xhci virtual devices with leaf nodes first") Cc: Guenter Roeck <groeck(a)google.com> Reviewed-by: Guenter Roeck <groeck(a)chromium.org> Tested-by: Guenter Roeck <linux(a)roeck-us.net> Signed-off-by: Fan Ning <fanning4(a)hisilicon.com> Signed-off-by: Li Rui <lirui39(a)hisilicon.com> Signed-off-by: yangdi <yangdi10(a)hisilicon.com> Signed-off-by: Yu Chen <chenyu56(a)huawei.com> Signed-off-by: Mathias Nyman <mathias.nyman(a)linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/usb/host/xhci-mem.c | 7 +++++++ 1 file changed, 7 insertions(+) --- a/drivers/usb/host/xhci-mem.c +++ b/drivers/usb/host/xhci-mem.c @@ -981,6 +981,12 @@ void xhci_free_virt_devices_depth_first( if (!vdev) return; + if (vdev->real_port == 0 || + vdev->real_port > HCS_MAX_PORTS(xhci->hcs_params1)) { + xhci_dbg(xhci, "Bad vdev->real_port.\n"); + goto out; + } + tt_list_head = &(xhci->rh_bw[vdev->real_port - 1].tts); list_for_each_entry_safe(tt_info, next, tt_list_head, tt_list) { /* is this a hub device that added a tt_info to the tts list */ @@ -994,6 +1000,7 @@ void xhci_free_virt_devices_depth_first( } } } +out: /* we are now at a leaf device */ xhci_free_virt_device(xhci, slot_id); } Patches currently in stable-queue which might be from chenyu56(a)huawei.com are queue-4.4/usb-xhci-fix-panic-in-xhci_free_virt_devices_depth_first.patch queue-4.4/usb-dwc2-error-out-of-dwc2_hsotg_ep_disable-if-we-re-in-host-mode.patch queue-4.4/usb-dwc2-fix-udc-state-tracking.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "USB: usbfs: Filter flags passed in from user space" has been added to the 4.4-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled USB: usbfs: Filter flags passed in from user space to the 4.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: usb-usbfs-filter-flags-passed-in-from-user-space.patch and it can be found in the queue-4.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 446f666da9f019ce2ffd03800995487e79a91462 Mon Sep 17 00:00:00 2001 From: Oliver Neukum <oneukum(a)suse.com> Date: Thu, 23 Nov 2017 16:39:52 +0100 Subject: USB: usbfs: Filter flags passed in from user space From: Oliver Neukum <oneukum(a)suse.com> commit 446f666da9f019ce2ffd03800995487e79a91462 upstream. USBDEVFS_URB_ISO_ASAP must be accepted only for ISO endpoints. Improve sanity checking. Reported-by: Andrey Konovalov <andreyknvl(a)google.com> Signed-off-by: Oliver Neukum <oneukum(a)suse.com> Acked-by: Alan Stern <stern(a)rowland.harvard.edu> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/usb/core/devio.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) --- a/drivers/usb/core/devio.c +++ b/drivers/usb/core/devio.c @@ -1293,14 +1293,18 @@ static int proc_do_submiturb(struct usb_ int number_of_packets = 0; unsigned int stream_id = 0; void *buf; - - if (uurb->flags & ~(USBDEVFS_URB_ISO_ASAP | - USBDEVFS_URB_SHORT_NOT_OK | + unsigned long mask = USBDEVFS_URB_SHORT_NOT_OK | USBDEVFS_URB_BULK_CONTINUATION | USBDEVFS_URB_NO_FSBR | USBDEVFS_URB_ZERO_PACKET | - USBDEVFS_URB_NO_INTERRUPT)) - return -EINVAL; + USBDEVFS_URB_NO_INTERRUPT; + /* USBDEVFS_URB_ISO_ASAP is a special case */ + if (uurb->type == USBDEVFS_URB_TYPE_ISO) + mask |= USBDEVFS_URB_ISO_ASAP; + + if (uurb->flags & ~mask) + return -EINVAL; + if ((unsigned int)uurb->buffer_length >= USBFS_XFER_MAX) return -EINVAL; if (uurb->buffer_length > 0 && !uurb->buffer) Patches currently in stable-queue which might be from oneukum(a)suse.com are queue-4.4/usb-usbfs-filter-flags-passed-in-from-user-space.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "USB: Increase usbfs transfer limit" has been added to the 4.4-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled USB: Increase usbfs transfer limit to the 4.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: usb-increase-usbfs-transfer-limit.patch and it can be found in the queue-4.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 1129d270cbfbb7e2b1ec3dede4a13930bdd10e41 Mon Sep 17 00:00:00 2001 From: Mateusz Berezecki <mateuszb(a)fastmail.fm> Date: Wed, 21 Dec 2016 09:19:14 -0800 Subject: USB: Increase usbfs transfer limit From: Mateusz Berezecki <mateuszb(a)fastmail.fm> commit 1129d270cbfbb7e2b1ec3dede4a13930bdd10e41 upstream. Promote a variable keeping track of USB transfer memory usage to a wider data type and allow for higher bandwidth transfers from a large number of USB devices connected to a single host. Signed-off-by: Mateusz Berezecki <mateuszb(a)fastmail.fm> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/usb/core/devio.c | 43 ++++++++++++++++--------------------------- 1 file changed, 16 insertions(+), 27 deletions(-) --- a/drivers/usb/core/devio.c +++ b/drivers/usb/core/devio.c @@ -113,42 +113,35 @@ enum snoop_when { #define USB_DEVICE_DEV MKDEV(USB_DEVICE_MAJOR, 0) /* Limit on the total amount of memory we can allocate for transfers */ -static unsigned usbfs_memory_mb = 16; +static u32 usbfs_memory_mb = 16; module_param(usbfs_memory_mb, uint, 0644); MODULE_PARM_DESC(usbfs_memory_mb, "maximum MB allowed for usbfs buffers (0 = no limit)"); -/* Hard limit, necessary to avoid arithmetic overflow */ -#define USBFS_XFER_MAX (UINT_MAX / 2 - 1000000) - -static atomic_t usbfs_memory_usage; /* Total memory currently allocated */ +static atomic64_t usbfs_memory_usage; /* Total memory currently allocated */ /* Check whether it's okay to allocate more memory for a transfer */ -static int usbfs_increase_memory_usage(unsigned amount) +static int usbfs_increase_memory_usage(u64 amount) { - unsigned lim; + u64 lim; - /* - * Convert usbfs_memory_mb to bytes, avoiding overflows. - * 0 means use the hard limit (effectively unlimited). - */ lim = ACCESS_ONCE(usbfs_memory_mb); - if (lim == 0 || lim > (USBFS_XFER_MAX >> 20)) - lim = USBFS_XFER_MAX; - else - lim <<= 20; + lim <<= 20; - atomic_add(amount, &usbfs_memory_usage); - if (atomic_read(&usbfs_memory_usage) <= lim) - return 0; - atomic_sub(amount, &usbfs_memory_usage); - return -ENOMEM; + atomic64_add(amount, &usbfs_memory_usage); + + if (lim > 0 && atomic64_read(&usbfs_memory_usage) > lim) { + atomic64_sub(amount, &usbfs_memory_usage); + return -ENOMEM; + } + + return 0; } /* Memory for a transfer is being deallocated */ -static void usbfs_decrease_memory_usage(unsigned amount) +static void usbfs_decrease_memory_usage(u64 amount) { - atomic_sub(amount, &usbfs_memory_usage); + atomic64_sub(amount, &usbfs_memory_usage); } static int connected(struct usb_dev_state *ps) @@ -1077,7 +1070,7 @@ static int proc_bulk(struct usb_dev_stat if (!usb_maxpacket(dev, pipe, !(bulk.ep & USB_DIR_IN))) return -EINVAL; len1 = bulk.len; - if (len1 >= USBFS_XFER_MAX) + if (len1 >= (INT_MAX - sizeof(struct urb))) return -EINVAL; ret = usbfs_increase_memory_usage(len1 + sizeof(struct urb)); if (ret) @@ -1424,10 +1417,6 @@ static int proc_do_submiturb(struct usb_ return -EINVAL; } - if (uurb->buffer_length >= USBFS_XFER_MAX) { - ret = -EINVAL; - goto error; - } if (uurb->buffer_length > 0 && !access_ok(is_in ? VERIFY_WRITE : VERIFY_READ, uurb->buffer, uurb->buffer_length)) { Patches currently in stable-queue which might be from mateuszb(a)fastmail.fm are queue-4.4/usb-increase-usbfs-transfer-limit.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "usb: hub: Cycle HUB power when initialization fails" has been added to the 4.4-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled usb: hub: Cycle HUB power when initialization fails to the 4.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: usb-hub-cycle-hub-power-when-initialization-fails.patch and it can be found in the queue-4.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 973593a960ddac0f14f0d8877d2d0abe0afda795 Mon Sep 17 00:00:00 2001 From: Mike Looijmans <mike.looijmans(a)topic.nl> Date: Thu, 9 Nov 2017 13:16:46 +0100 Subject: usb: hub: Cycle HUB power when initialization fails From: Mike Looijmans <mike.looijmans(a)topic.nl> commit 973593a960ddac0f14f0d8877d2d0abe0afda795 upstream. Sometimes the USB device gets confused about the state of the initialization and the connection fails. In particular, the device thinks that it's already set up and running while the host thinks the device still needs to be configured. To work around this issue, power-cycle the hub's output to issue a sort of "reset" to the device. This makes the device restart its state machine and then the initialization succeeds. This fixes problems where the kernel reports a list of errors like this: usb 1-1.3: device not accepting address 19, error -71 The end result is a non-functioning device. After this patch, the sequence becomes like this: usb 1-1.3: new high-speed USB device number 18 using ci_hdrc usb 1-1.3: device not accepting address 18, error -71 usb 1-1.3: new high-speed USB device number 19 using ci_hdrc usb 1-1.3: device not accepting address 19, error -71 usb 1-1-port3: attempt power cycle usb 1-1.3: new high-speed USB device number 21 using ci_hdrc usb-storage 1-1.3:1.2: USB Mass Storage device detected Signed-off-by: Mike Looijmans <mike.looijmans(a)topic.nl> Acked-by: Alan Stern <stern(a)rowland.harvard.edu> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/usb/core/hub.c | 9 +++++++++ 1 file changed, 9 insertions(+) --- a/drivers/usb/core/hub.c +++ b/drivers/usb/core/hub.c @@ -4858,6 +4858,15 @@ loop: usb_put_dev(udev); if ((status == -ENOTCONN) || (status == -ENOTSUPP)) break; + + /* When halfway through our retry count, power-cycle the port */ + if (i == (SET_CONFIG_TRIES / 2) - 1) { + dev_info(&port_dev->dev, "attempt power cycle\n"); + usb_hub_set_port_power(hdev, hub, port1, false); + msleep(2 * hub_power_on_good_delay(hub)); + usb_hub_set_port_power(hdev, hub, port1, true); + msleep(hub_power_on_good_delay(hub)); + } } if (hub->hdev->parent || !hcd->driver->port_handed_over || Patches currently in stable-queue which might be from mike.looijmans(a)topic.nl are queue-4.4/usb-hub-cycle-hub-power-when-initialization-fails.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "usb: host: fix incorrect updating of offset" has been added to the 4.4-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled usb: host: fix incorrect updating of offset to the 4.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: usb-host-fix-incorrect-updating-of-offset.patch and it can be found in the queue-4.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 1d5a31582ef046d3b233f0da1a68ae26519b2f0a Mon Sep 17 00:00:00 2001 From: Colin Ian King <colin.king(a)canonical.com> Date: Tue, 7 Nov 2017 16:45:04 +0000 Subject: usb: host: fix incorrect updating of offset From: Colin Ian King <colin.king(a)canonical.com> commit 1d5a31582ef046d3b233f0da1a68ae26519b2f0a upstream. The variable temp is incorrectly being updated, instead it should be offset otherwise the loop just reads the same capability value and loops forever. Thanks to Alan Stern for pointing out the correct fix to my original fix. Fix also cleans up clang warning: drivers/usb/host/ehci-dbg.c:840:4: warning: Value stored to 'temp' is never read Fixes: d49d43174400 ("USB: misc ehci updates") Signed-off-by: Colin Ian King <colin.king(a)canonical.com> Acked-by: Alan Stern <stern(a)rowland.harvard.edu> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/usb/host/ehci-dbg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/usb/host/ehci-dbg.c +++ b/drivers/usb/host/ehci-dbg.c @@ -851,7 +851,7 @@ static ssize_t fill_registers_buffer(str default: /* unknown */ break; } - temp = (cap >> 8) & 0xff; + offset = (cap >> 8) & 0xff; } } #endif Patches currently in stable-queue which might be from colin.king(a)canonical.com are queue-4.4/usb-host-fix-incorrect-updating-of-offset.patch queue-4.4/net-sctp-fix-array-overrun-read-on-sctp_timer_tbl.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "USB: devio: Prevent integer overflow in proc_do_submiturb()" has been added to the 4.4-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled USB: devio: Prevent integer overflow in proc_do_submiturb() to the 4.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: usb-devio-prevent-integer-overflow-in-proc_do_submiturb.patch and it can be found in the queue-4.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 57999d1107c1e60c2ca7088f2ac0f819e2f554b3 Mon Sep 17 00:00:00 2001 From: Dan Carpenter <dan.carpenter(a)oracle.com> Date: Fri, 22 Sep 2017 23:43:25 +0300 Subject: USB: devio: Prevent integer overflow in proc_do_submiturb() From: Dan Carpenter <dan.carpenter(a)oracle.com> commit 57999d1107c1e60c2ca7088f2ac0f819e2f554b3 upstream. There used to be an integer overflow check in proc_do_submiturb() but we removed it. It turns out that it's still required. The uurb->buffer_length variable is a signed integer and it's controlled by the user. It can lead to an integer overflow when we do: num_sgs = DIV_ROUND_UP(uurb->buffer_length, USB_SG_SIZE); If we strip away the macro then that line looks like this: num_sgs = (uurb->buffer_length + USB_SG_SIZE - 1) / USB_SG_SIZE; ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ It's the first addition which can overflow. Fixes: 1129d270cbfb ("USB: Increase usbfs transfer limit") Signed-off-by: Dan Carpenter <dan.carpenter(a)oracle.com> Acked-by: Alan Stern <stern(a)rowland.harvard.edu> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/usb/core/devio.c | 5 +++++ 1 file changed, 5 insertions(+) --- a/drivers/usb/core/devio.c +++ b/drivers/usb/core/devio.c @@ -118,6 +118,9 @@ module_param(usbfs_memory_mb, uint, 0644 MODULE_PARM_DESC(usbfs_memory_mb, "maximum MB allowed for usbfs buffers (0 = no limit)"); +/* Hard limit, necessary to avoid arithmetic overflow */ +#define USBFS_XFER_MAX (UINT_MAX / 2 - 1000000) + static atomic64_t usbfs_memory_usage; /* Total memory currently allocated */ /* Check whether it's okay to allocate more memory for a transfer */ @@ -1298,6 +1301,8 @@ static int proc_do_submiturb(struct usb_ USBDEVFS_URB_ZERO_PACKET | USBDEVFS_URB_NO_INTERRUPT)) return -EINVAL; + if ((unsigned int)uurb->buffer_length >= USBFS_XFER_MAX) + return -EINVAL; if (uurb->buffer_length > 0 && !uurb->buffer) return -EINVAL; if (!(uurb->type == USBDEVFS_URB_TYPE_CONTROL && Patches currently in stable-queue which might be from dan.carpenter(a)oracle.com are queue-4.4/usb-devio-prevent-integer-overflow-in-proc_do_submiturb.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "USB: core: Add type-specific length check of BOS descriptors" has been added to the 4.4-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled USB: core: Add type-specific length check of BOS descriptors to the 4.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: usb-core-add-type-specific-length-check-of-bos-descriptors.patch and it can be found in the queue-4.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 81cf4a45360f70528f1f64ba018d61cb5767249a Mon Sep 17 00:00:00 2001 From: Masakazu Mokuno <masakazu.mokuno(a)gmail.com> Date: Fri, 10 Nov 2017 01:25:50 +0900 Subject: USB: core: Add type-specific length check of BOS descriptors From: Masakazu Mokuno <masakazu.mokuno(a)gmail.com> commit 81cf4a45360f70528f1f64ba018d61cb5767249a upstream. As most of BOS descriptors are longer in length than their header 'struct usb_dev_cap_header', comparing solely with it is not sufficient to avoid out-of-bounds access to BOS descriptors. This patch adds descriptor type specific length check in usb_get_bos_descriptor() to fix the issue. Signed-off-by: Masakazu Mokuno <masakazu.mokuno(a)gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/usb/core/config.c | 28 ++++++++++++++++++++++++---- include/uapi/linux/usb/ch9.h | 3 +++ 2 files changed, 27 insertions(+), 4 deletions(-) --- a/drivers/usb/core/config.c +++ b/drivers/usb/core/config.c @@ -871,14 +871,25 @@ void usb_release_bos_descriptor(struct u } } +static const __u8 bos_desc_len[256] = { + [USB_CAP_TYPE_WIRELESS_USB] = USB_DT_USB_WIRELESS_CAP_SIZE, + [USB_CAP_TYPE_EXT] = USB_DT_USB_EXT_CAP_SIZE, + [USB_SS_CAP_TYPE] = USB_DT_USB_SS_CAP_SIZE, + [USB_SSP_CAP_TYPE] = USB_DT_USB_SSP_CAP_SIZE(1), + [CONTAINER_ID_TYPE] = USB_DT_USB_SS_CONTN_ID_SIZE, + [USB_PTM_CAP_TYPE] = USB_DT_USB_PTM_ID_SIZE, +}; + /* Get BOS descriptor set */ int usb_get_bos_descriptor(struct usb_device *dev) { struct device *ddev = &dev->dev; struct usb_bos_descriptor *bos; struct usb_dev_cap_header *cap; + struct usb_ssp_cap_descriptor *ssp_cap; unsigned char *buffer; - int length, total_len, num, i; + int length, total_len, num, i, ssac; + __u8 cap_type; int ret; bos = kzalloc(sizeof(struct usb_bos_descriptor), GFP_KERNEL); @@ -931,7 +942,13 @@ int usb_get_bos_descriptor(struct usb_de dev->bos->desc->bNumDeviceCaps = i; break; } + cap_type = cap->bDevCapabilityType; length = cap->bLength; + if (bos_desc_len[cap_type] && length < bos_desc_len[cap_type]) { + dev->bos->desc->bNumDeviceCaps = i; + break; + } + total_len -= length; if (cap->bDescriptorType != USB_DT_DEVICE_CAPABILITY) { @@ -939,7 +956,7 @@ int usb_get_bos_descriptor(struct usb_de continue; } - switch (cap->bDevCapabilityType) { + switch (cap_type) { case USB_CAP_TYPE_WIRELESS_USB: /* Wireless USB cap descriptor is handled by wusb */ break; @@ -952,8 +969,11 @@ int usb_get_bos_descriptor(struct usb_de (struct usb_ss_cap_descriptor *)buffer; break; case USB_SSP_CAP_TYPE: - dev->bos->ssp_cap = - (struct usb_ssp_cap_descriptor *)buffer; + ssp_cap = (struct usb_ssp_cap_descriptor *)buffer; + ssac = (le32_to_cpu(ssp_cap->bmAttributes) & + USB_SSP_SUBLINK_SPEED_ATTRIBS) + 1; + if (length >= USB_DT_USB_SSP_CAP_SIZE(ssac)) + dev->bos->ssp_cap = ssp_cap; break; case CONTAINER_ID_TYPE: dev->bos->ss_id = --- a/include/uapi/linux/usb/ch9.h +++ b/include/uapi/linux/usb/ch9.h @@ -812,6 +812,8 @@ struct usb_wireless_cap_descriptor { /* __u8 bReserved; } __attribute__((packed)); +#define USB_DT_USB_WIRELESS_CAP_SIZE 11 + /* USB 2.0 Extension descriptor */ #define USB_CAP_TYPE_EXT 2 @@ -991,6 +993,7 @@ enum usb3_link_state { USB3_LPM_U3 }; +#define USB_DT_USB_PTM_ID_SIZE 3 /* * A U1 timeout of 0x0 means the parent hub will reject any transitions to U1. * 0xff means the parent hub will accept transitions to U1, but will not Patches currently in stable-queue which might be from masakazu.mokuno(a)gmail.com are queue-4.4/usb-core-add-type-specific-length-check-of-bos-descriptors.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "xhci: Don't show incorrect WARN message about events for empty rings" has been added to the 4.14-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled xhci: Don't show incorrect WARN message about events for empty rings to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: xhci-don-t-show-incorrect-warn-message-about-events-for-empty-rings.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From e4ec40ec4b260efcca15089de4285a0a3411259b Mon Sep 17 00:00:00 2001 From: Mathias Nyman <mathias.nyman(a)linux.intel.com> Date: Fri, 1 Dec 2017 13:41:19 +0200 Subject: xhci: Don't show incorrect WARN message about events for empty rings From: Mathias Nyman <mathias.nyman(a)linux.intel.com> commit e4ec40ec4b260efcca15089de4285a0a3411259b upstream. xHC can generate two events for a short transfer if the short TRB and last TRB in the TD are not the same TRB. The driver will handle the TD after the first short event, and remove it from its internal list. Driver then incorrectly prints a warning for the second event: "WARN Event TRB for slot x ep y with no TDs queued" Fix this by not printing a warning if we get a event on a empty list if the previous event was a short event. Signed-off-by: Mathias Nyman <mathias.nyman(a)linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/usb/host/xhci-ring.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) --- a/drivers/usb/host/xhci-ring.c +++ b/drivers/usb/host/xhci-ring.c @@ -2486,12 +2486,16 @@ static int handle_tx_event(struct xhci_h */ if (list_empty(&ep_ring->td_list)) { /* - * A stopped endpoint may generate an extra completion - * event if the device was suspended. Don't print - * warnings. + * Don't print wanings if it's due to a stopped endpoint + * generating an extra completion event if the device + * was suspended. Or, a event for the last TRB of a + * short TD we already got a short event for. + * The short TD is already removed from the TD list. */ + if (!(trb_comp_code == COMP_STOPPED || - trb_comp_code == COMP_STOPPED_LENGTH_INVALID)) { + trb_comp_code == COMP_STOPPED_LENGTH_INVALID || + ep_ring->last_td_was_short)) { xhci_warn(xhci, "WARN Event TRB for slot %d ep %d with no TDs queued?\n", TRB_TO_SLOT_ID(le32_to_cpu(event->flags)), ep_index); Patches currently in stable-queue which might be from mathias.nyman(a)linux.intel.com are queue-4.14/usb-xhci-return-error-when-host-is-dead-in-xhci_disable_slot.patch queue-4.14/usb-xhci-fix-panic-in-xhci_free_virt_devices_depth_first.patch queue-4.14/xhci-don-t-show-incorrect-warn-message-about-events-for-empty-rings.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "usb: xhci: fix panic in xhci_free_virt_devices_depth_first" has been added to the 4.14-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled usb: xhci: fix panic in xhci_free_virt_devices_depth_first to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: usb-xhci-fix-panic-in-xhci_free_virt_devices_depth_first.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 80e457699a8dbdd70f2d26911e46f538645c55fc Mon Sep 17 00:00:00 2001 From: Yu Chen <chenyu56(a)huawei.com> Date: Fri, 1 Dec 2017 13:41:20 +0200 Subject: usb: xhci: fix panic in xhci_free_virt_devices_depth_first From: Yu Chen <chenyu56(a)huawei.com> commit 80e457699a8dbdd70f2d26911e46f538645c55fc upstream. Check vdev->real_port 0 to avoid panic [ 9.261347] [<ffffff800884a390>] xhci_free_virt_devices_depth_first+0x58/0x108 [ 9.261352] [<ffffff800884a814>] xhci_mem_cleanup+0x1bc/0x570 [ 9.261355] [<ffffff8008842de8>] xhci_stop+0x140/0x1c8 [ 9.261365] [<ffffff80087ed304>] usb_remove_hcd+0xfc/0x1d0 [ 9.261369] [<ffffff80088551c4>] xhci_plat_remove+0x6c/0xa8 [ 9.261377] [<ffffff80086e928c>] platform_drv_remove+0x2c/0x70 [ 9.261384] [<ffffff80086e6ea0>] __device_release_driver+0x80/0x108 [ 9.261387] [<ffffff80086e7a1c>] device_release_driver+0x2c/0x40 [ 9.261392] [<ffffff80086e5f28>] bus_remove_device+0xe0/0x120 [ 9.261396] [<ffffff80086e2e34>] device_del+0x114/0x210 [ 9.261399] [<ffffff80086e9e00>] platform_device_del+0x30/0xa0 [ 9.261403] [<ffffff8008810bdc>] dwc3_otg_work+0x204/0x488 [ 9.261407] [<ffffff80088133fc>] event_work+0x304/0x5b8 [ 9.261414] [<ffffff80080e31b0>] process_one_work+0x148/0x490 [ 9.261417] [<ffffff80080e3548>] worker_thread+0x50/0x4a0 [ 9.261421] [<ffffff80080e9ea0>] kthread+0xe8/0x100 [ 9.261427] [<ffffff8008083680>] ret_from_fork+0x10/0x50 The problem can occur if xhci_plat_remove() is called shortly after xhci_plat_probe(). While xhci_free_virt_devices_depth_first been called before the device has been setup and get real_port initialized. The problem occurred on Hikey960 and was reproduced by Guenter Roeck on Kevin with chromeos-4.4. Fixes: ee8665e28e8d ("xhci: free xhci virtual devices with leaf nodes first") Cc: Guenter Roeck <groeck(a)google.com> Reviewed-by: Guenter Roeck <groeck(a)chromium.org> Tested-by: Guenter Roeck <linux(a)roeck-us.net> Signed-off-by: Fan Ning <fanning4(a)hisilicon.com> Signed-off-by: Li Rui <lirui39(a)hisilicon.com> Signed-off-by: yangdi <yangdi10(a)hisilicon.com> Signed-off-by: Yu Chen <chenyu56(a)huawei.com> Signed-off-by: Mathias Nyman <mathias.nyman(a)linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/usb/host/xhci-mem.c | 7 +++++++ 1 file changed, 7 insertions(+) --- a/drivers/usb/host/xhci-mem.c +++ b/drivers/usb/host/xhci-mem.c @@ -947,6 +947,12 @@ void xhci_free_virt_devices_depth_first( if (!vdev) return; + if (vdev->real_port == 0 || + vdev->real_port > HCS_MAX_PORTS(xhci->hcs_params1)) { + xhci_dbg(xhci, "Bad vdev->real_port.\n"); + goto out; + } + tt_list_head = &(xhci->rh_bw[vdev->real_port - 1].tts); list_for_each_entry_safe(tt_info, next, tt_list_head, tt_list) { /* is this a hub device that added a tt_info to the tts list */ @@ -960,6 +966,7 @@ void xhci_free_virt_devices_depth_first( } } } +out: /* we are now at a leaf device */ xhci_free_virt_device(xhci, slot_id); } Patches currently in stable-queue which might be from chenyu56(a)huawei.com are queue-4.14/usb-xhci-fix-panic-in-xhci_free_virt_devices_depth_first.patch queue-4.14/usb-dwc2-error-out-of-dwc2_hsotg_ep_disable-if-we-re-in-host-mode.patch queue-4.14/usb-dwc2-fix-udc-state-tracking.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "USB: usbfs: Filter flags passed in from user space" has been added to the 4.14-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled USB: usbfs: Filter flags passed in from user space to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: usb-usbfs-filter-flags-passed-in-from-user-space.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 446f666da9f019ce2ffd03800995487e79a91462 Mon Sep 17 00:00:00 2001 From: Oliver Neukum <oneukum(a)suse.com> Date: Thu, 23 Nov 2017 16:39:52 +0100 Subject: USB: usbfs: Filter flags passed in from user space From: Oliver Neukum <oneukum(a)suse.com> commit 446f666da9f019ce2ffd03800995487e79a91462 upstream. USBDEVFS_URB_ISO_ASAP must be accepted only for ISO endpoints. Improve sanity checking. Reported-by: Andrey Konovalov <andreyknvl(a)google.com> Signed-off-by: Oliver Neukum <oneukum(a)suse.com> Acked-by: Alan Stern <stern(a)rowland.harvard.edu> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/usb/core/devio.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) --- a/drivers/usb/core/devio.c +++ b/drivers/usb/core/devio.c @@ -1455,14 +1455,18 @@ static int proc_do_submiturb(struct usb_ int number_of_packets = 0; unsigned int stream_id = 0; void *buf; - - if (uurb->flags & ~(USBDEVFS_URB_ISO_ASAP | - USBDEVFS_URB_SHORT_NOT_OK | + unsigned long mask = USBDEVFS_URB_SHORT_NOT_OK | USBDEVFS_URB_BULK_CONTINUATION | USBDEVFS_URB_NO_FSBR | USBDEVFS_URB_ZERO_PACKET | - USBDEVFS_URB_NO_INTERRUPT)) - return -EINVAL; + USBDEVFS_URB_NO_INTERRUPT; + /* USBDEVFS_URB_ISO_ASAP is a special case */ + if (uurb->type == USBDEVFS_URB_TYPE_ISO) + mask |= USBDEVFS_URB_ISO_ASAP; + + if (uurb->flags & ~mask) + return -EINVAL; + if ((unsigned int)uurb->buffer_length >= USBFS_XFER_MAX) return -EINVAL; if (uurb->buffer_length > 0 && !uurb->buffer) Patches currently in stable-queue which might be from oneukum(a)suse.com are queue-4.14/usb-usbfs-filter-flags-passed-in-from-user-space.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "USB: ulpi: fix bus-node lookup" has been added to the 4.14-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled USB: ulpi: fix bus-node lookup to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: usb-ulpi-fix-bus-node-lookup.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 33c309ebc797b908029fd3a0851aefe697e9b598 Mon Sep 17 00:00:00 2001 From: Johan Hovold <johan(a)kernel.org> Date: Sat, 11 Nov 2017 16:31:18 +0100 Subject: USB: ulpi: fix bus-node lookup From: Johan Hovold <johan(a)kernel.org> commit 33c309ebc797b908029fd3a0851aefe697e9b598 upstream. Fix bus-node lookup during registration, which ended up searching the whole device tree depth-first starting at the parent (or grand parent) rather than just matching on its children. To make things worse, the parent (or grand-parent) node could end being prematurely freed as well. Fixes: ef6a7bcfb01c ("usb: ulpi: Support device discovery via DT") Reported-by: Peter Robinson <pbrobinson(a)gmail.com> Reported-by: Stephen Boyd <sboyd(a)codeaurora.org> Signed-off-by: Johan Hovold <johan(a)kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/usb/common/ulpi.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/drivers/usb/common/ulpi.c +++ b/drivers/usb/common/ulpi.c @@ -183,9 +183,9 @@ static int ulpi_of_register(struct ulpi /* Find a ulpi bus underneath the parent or the grandparent */ parent = ulpi->dev.parent; if (parent->of_node) - np = of_find_node_by_name(parent->of_node, "ulpi"); + np = of_get_child_by_name(parent->of_node, "ulpi"); else if (parent->parent && parent->parent->of_node) - np = of_find_node_by_name(parent->parent->of_node, "ulpi"); + np = of_get_child_by_name(parent->parent->of_node, "ulpi"); if (!np) return 0; Patches currently in stable-queue which might be from johan(a)kernel.org are queue-4.14/staging-greybus-loopback-fix-iteration-count-on-async-path.patch queue-4.14/usb-serial-usb_debug-add-new-usb-device-id.patch queue-4.14/spi-spi-axi-fix-potential-use-after-free-after-deregistration.patch queue-4.14/usb-ulpi-fix-bus-node-lookup.patch queue-4.14/usb-serial-option-add-quectel-bg96-id.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "usb: hub: Cycle HUB power when initialization fails" has been added to the 4.14-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled usb: hub: Cycle HUB power when initialization fails to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: usb-hub-cycle-hub-power-when-initialization-fails.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 973593a960ddac0f14f0d8877d2d0abe0afda795 Mon Sep 17 00:00:00 2001 From: Mike Looijmans <mike.looijmans(a)topic.nl> Date: Thu, 9 Nov 2017 13:16:46 +0100 Subject: usb: hub: Cycle HUB power when initialization fails From: Mike Looijmans <mike.looijmans(a)topic.nl> commit 973593a960ddac0f14f0d8877d2d0abe0afda795 upstream. Sometimes the USB device gets confused about the state of the initialization and the connection fails. In particular, the device thinks that it's already set up and running while the host thinks the device still needs to be configured. To work around this issue, power-cycle the hub's output to issue a sort of "reset" to the device. This makes the device restart its state machine and then the initialization succeeds. This fixes problems where the kernel reports a list of errors like this: usb 1-1.3: device not accepting address 19, error -71 The end result is a non-functioning device. After this patch, the sequence becomes like this: usb 1-1.3: new high-speed USB device number 18 using ci_hdrc usb 1-1.3: device not accepting address 18, error -71 usb 1-1.3: new high-speed USB device number 19 using ci_hdrc usb 1-1.3: device not accepting address 19, error -71 usb 1-1-port3: attempt power cycle usb 1-1.3: new high-speed USB device number 21 using ci_hdrc usb-storage 1-1.3:1.2: USB Mass Storage device detected Signed-off-by: Mike Looijmans <mike.looijmans(a)topic.nl> Acked-by: Alan Stern <stern(a)rowland.harvard.edu> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/usb/core/hub.c | 9 +++++++++ 1 file changed, 9 insertions(+) --- a/drivers/usb/core/hub.c +++ b/drivers/usb/core/hub.c @@ -4935,6 +4935,15 @@ loop: usb_put_dev(udev); if ((status == -ENOTCONN) || (status == -ENOTSUPP)) break; + + /* When halfway through our retry count, power-cycle the port */ + if (i == (SET_CONFIG_TRIES / 2) - 1) { + dev_info(&port_dev->dev, "attempt power cycle\n"); + usb_hub_set_port_power(hdev, hub, port1, false); + msleep(2 * hub_power_on_good_delay(hub)); + usb_hub_set_port_power(hdev, hub, port1, true); + msleep(hub_power_on_good_delay(hub)); + } } if (hub->hdev->parent || !hcd->driver->port_handed_over || Patches currently in stable-queue which might be from mike.looijmans(a)topic.nl are queue-4.14/usb-hub-cycle-hub-power-when-initialization-fails.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "usb: host: fix incorrect updating of offset" has been added to the 4.14-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled usb: host: fix incorrect updating of offset to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: usb-host-fix-incorrect-updating-of-offset.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 1d5a31582ef046d3b233f0da1a68ae26519b2f0a Mon Sep 17 00:00:00 2001 From: Colin Ian King <colin.king(a)canonical.com> Date: Tue, 7 Nov 2017 16:45:04 +0000 Subject: usb: host: fix incorrect updating of offset From: Colin Ian King <colin.king(a)canonical.com> commit 1d5a31582ef046d3b233f0da1a68ae26519b2f0a upstream. The variable temp is incorrectly being updated, instead it should be offset otherwise the loop just reads the same capability value and loops forever. Thanks to Alan Stern for pointing out the correct fix to my original fix. Fix also cleans up clang warning: drivers/usb/host/ehci-dbg.c:840:4: warning: Value stored to 'temp' is never read Fixes: d49d43174400 ("USB: misc ehci updates") Signed-off-by: Colin Ian King <colin.king(a)canonical.com> Acked-by: Alan Stern <stern(a)rowland.harvard.edu> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/usb/host/ehci-dbg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/usb/host/ehci-dbg.c +++ b/drivers/usb/host/ehci-dbg.c @@ -837,7 +837,7 @@ static ssize_t fill_registers_buffer(str default: /* unknown */ break; } - temp = (cap >> 8) & 0xff; + offset = (cap >> 8) & 0xff; } } #endif Patches currently in stable-queue which might be from colin.king(a)canonical.com are queue-4.14/staging-rtl8188eu-avoid-a-null-dereference-on-pmlmepriv.patch queue-4.14/usb-host-fix-incorrect-updating-of-offset.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "USB: core: Add type-specific length check of BOS descriptors" has been added to the 4.14-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled USB: core: Add type-specific length check of BOS descriptors to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: usb-core-add-type-specific-length-check-of-bos-descriptors.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 81cf4a45360f70528f1f64ba018d61cb5767249a Mon Sep 17 00:00:00 2001 From: Masakazu Mokuno <masakazu.mokuno(a)gmail.com> Date: Fri, 10 Nov 2017 01:25:50 +0900 Subject: USB: core: Add type-specific length check of BOS descriptors From: Masakazu Mokuno <masakazu.mokuno(a)gmail.com> commit 81cf4a45360f70528f1f64ba018d61cb5767249a upstream. As most of BOS descriptors are longer in length than their header 'struct usb_dev_cap_header', comparing solely with it is not sufficient to avoid out-of-bounds access to BOS descriptors. This patch adds descriptor type specific length check in usb_get_bos_descriptor() to fix the issue. Signed-off-by: Masakazu Mokuno <masakazu.mokuno(a)gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/usb/core/config.c | 28 ++++++++++++++++++++++++---- include/uapi/linux/usb/ch9.h | 3 +++ 2 files changed, 27 insertions(+), 4 deletions(-) --- a/drivers/usb/core/config.c +++ b/drivers/usb/core/config.c @@ -905,14 +905,25 @@ void usb_release_bos_descriptor(struct u } } +static const __u8 bos_desc_len[256] = { + [USB_CAP_TYPE_WIRELESS_USB] = USB_DT_USB_WIRELESS_CAP_SIZE, + [USB_CAP_TYPE_EXT] = USB_DT_USB_EXT_CAP_SIZE, + [USB_SS_CAP_TYPE] = USB_DT_USB_SS_CAP_SIZE, + [USB_SSP_CAP_TYPE] = USB_DT_USB_SSP_CAP_SIZE(1), + [CONTAINER_ID_TYPE] = USB_DT_USB_SS_CONTN_ID_SIZE, + [USB_PTM_CAP_TYPE] = USB_DT_USB_PTM_ID_SIZE, +}; + /* Get BOS descriptor set */ int usb_get_bos_descriptor(struct usb_device *dev) { struct device *ddev = &dev->dev; struct usb_bos_descriptor *bos; struct usb_dev_cap_header *cap; + struct usb_ssp_cap_descriptor *ssp_cap; unsigned char *buffer; - int length, total_len, num, i; + int length, total_len, num, i, ssac; + __u8 cap_type; int ret; bos = kzalloc(sizeof(struct usb_bos_descriptor), GFP_KERNEL); @@ -965,7 +976,13 @@ int usb_get_bos_descriptor(struct usb_de dev->bos->desc->bNumDeviceCaps = i; break; } + cap_type = cap->bDevCapabilityType; length = cap->bLength; + if (bos_desc_len[cap_type] && length < bos_desc_len[cap_type]) { + dev->bos->desc->bNumDeviceCaps = i; + break; + } + total_len -= length; if (cap->bDescriptorType != USB_DT_DEVICE_CAPABILITY) { @@ -973,7 +990,7 @@ int usb_get_bos_descriptor(struct usb_de continue; } - switch (cap->bDevCapabilityType) { + switch (cap_type) { case USB_CAP_TYPE_WIRELESS_USB: /* Wireless USB cap descriptor is handled by wusb */ break; @@ -986,8 +1003,11 @@ int usb_get_bos_descriptor(struct usb_de (struct usb_ss_cap_descriptor *)buffer; break; case USB_SSP_CAP_TYPE: - dev->bos->ssp_cap = - (struct usb_ssp_cap_descriptor *)buffer; + ssp_cap = (struct usb_ssp_cap_descriptor *)buffer; + ssac = (le32_to_cpu(ssp_cap->bmAttributes) & + USB_SSP_SUBLINK_SPEED_ATTRIBS) + 1; + if (length >= USB_DT_USB_SSP_CAP_SIZE(ssac)) + dev->bos->ssp_cap = ssp_cap; break; case CONTAINER_ID_TYPE: dev->bos->ss_id = --- a/include/uapi/linux/usb/ch9.h +++ b/include/uapi/linux/usb/ch9.h @@ -876,6 +876,8 @@ struct usb_wireless_cap_descriptor { /* __u8 bReserved; } __attribute__((packed)); +#define USB_DT_USB_WIRELESS_CAP_SIZE 11 + /* USB 2.0 Extension descriptor */ #define USB_CAP_TYPE_EXT 2 @@ -1068,6 +1070,7 @@ struct usb_ptm_cap_descriptor { __u8 bDevCapabilityType; } __attribute__((packed)); +#define USB_DT_USB_PTM_ID_SIZE 3 /* * The size of the descriptor for the Sublink Speed Attribute Count * (SSAC) specified in bmAttributes[4:0]. Patches currently in stable-queue which might be from masakazu.mokuno(a)gmail.com are queue-4.14/usb-core-add-type-specific-length-check-of-bos-descriptors.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "staging: ccree: fix leak of import() after init()" has been added to the 4.14-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled staging: ccree: fix leak of import() after init() to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: staging-ccree-fix-leak-of-import-after-init.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From c5f39d07860c35e5e4c63188139465af790f86ce Mon Sep 17 00:00:00 2001 From: Gilad Ben-Yossef <gilad(a)benyossef.com> Date: Thu, 9 Nov 2017 09:16:09 +0000 Subject: staging: ccree: fix leak of import() after init() From: Gilad Ben-Yossef <gilad(a)benyossef.com> commit c5f39d07860c35e5e4c63188139465af790f86ce upstream. crypto_ahash_import() may be called either after crypto_ahash_init() or without such call. Right now we always internally call init() as part of import(), thus leaking memory and mappings if the user has already called init() herself. Fix this by only calling init() internally if the state is not already initialized. Fixes: commit 454527d0d94f ("staging: ccree: fix hash import/export") Signed-off-by: Gilad Ben-Yossef <gilad(a)benyossef.com> Reviewed-by: Dan Carpenter <dan.carpenter(a)oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/staging/ccree/ssi_hash.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) --- a/drivers/staging/ccree/ssi_hash.c +++ b/drivers/staging/ccree/ssi_hash.c @@ -1790,9 +1790,12 @@ static int ssi_ahash_import(struct ahash } in += sizeof(u32); - rc = ssi_hash_init(state, ctx); - if (rc) - goto out; + /* call init() to allocate bufs if the user hasn't */ + if (!state->digest_buff) { + rc = ssi_hash_init(state, ctx); + if (rc) + goto out; + } dma_sync_single_for_cpu(dev, state->digest_buff_dma_addr, ctx->inter_digestsize, DMA_BIDIRECTIONAL); Patches currently in stable-queue which might be from gilad(a)benyossef.com are queue-4.14/staging-ccree-fix-leak-of-import-after-init.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "USB: usbfs: Filter flags passed in from user space" has been added to the 3.18-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled USB: usbfs: Filter flags passed in from user space to the 3.18-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: usb-usbfs-filter-flags-passed-in-from-user-space.patch and it can be found in the queue-3.18 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 446f666da9f019ce2ffd03800995487e79a91462 Mon Sep 17 00:00:00 2001 From: Oliver Neukum <oneukum(a)suse.com> Date: Thu, 23 Nov 2017 16:39:52 +0100 Subject: USB: usbfs: Filter flags passed in from user space From: Oliver Neukum <oneukum(a)suse.com> commit 446f666da9f019ce2ffd03800995487e79a91462 upstream. USBDEVFS_URB_ISO_ASAP must be accepted only for ISO endpoints. Improve sanity checking. Reported-by: Andrey Konovalov <andreyknvl(a)google.com> Signed-off-by: Oliver Neukum <oneukum(a)suse.com> Acked-by: Alan Stern <stern(a)rowland.harvard.edu> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/usb/core/devio.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) --- a/drivers/usb/core/devio.c +++ b/drivers/usb/core/devio.c @@ -1290,14 +1290,18 @@ static int proc_do_submiturb(struct usb_ int number_of_packets = 0; unsigned int stream_id = 0; void *buf; - - if (uurb->flags & ~(USBDEVFS_URB_ISO_ASAP | - USBDEVFS_URB_SHORT_NOT_OK | + unsigned long mask = USBDEVFS_URB_SHORT_NOT_OK | USBDEVFS_URB_BULK_CONTINUATION | USBDEVFS_URB_NO_FSBR | USBDEVFS_URB_ZERO_PACKET | - USBDEVFS_URB_NO_INTERRUPT)) - return -EINVAL; + USBDEVFS_URB_NO_INTERRUPT; + /* USBDEVFS_URB_ISO_ASAP is a special case */ + if (uurb->type == USBDEVFS_URB_TYPE_ISO) + mask |= USBDEVFS_URB_ISO_ASAP; + + if (uurb->flags & ~mask) + return -EINVAL; + if ((unsigned int)uurb->buffer_length >= USBFS_XFER_MAX) return -EINVAL; if (uurb->buffer_length > 0 && !uurb->buffer) Patches currently in stable-queue which might be from oneukum(a)suse.com are queue-3.18/usb-usbfs-filter-flags-passed-in-from-user-space.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "USB: Increase usbfs transfer limit" has been added to the 3.18-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled USB: Increase usbfs transfer limit to the 3.18-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: usb-increase-usbfs-transfer-limit.patch and it can be found in the queue-3.18 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 1129d270cbfbb7e2b1ec3dede4a13930bdd10e41 Mon Sep 17 00:00:00 2001 From: Mateusz Berezecki <mateuszb(a)fastmail.fm> Date: Wed, 21 Dec 2016 09:19:14 -0800 Subject: USB: Increase usbfs transfer limit From: Mateusz Berezecki <mateuszb(a)fastmail.fm> commit 1129d270cbfbb7e2b1ec3dede4a13930bdd10e41 upstream. Promote a variable keeping track of USB transfer memory usage to a wider data type and allow for higher bandwidth transfers from a large number of USB devices connected to a single host. Signed-off-by: Mateusz Berezecki <mateuszb(a)fastmail.fm> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/usb/core/devio.c | 43 ++++++++++++++++--------------------------- 1 file changed, 16 insertions(+), 27 deletions(-) --- a/drivers/usb/core/devio.c +++ b/drivers/usb/core/devio.c @@ -113,42 +113,35 @@ enum snoop_when { #define USB_DEVICE_DEV MKDEV(USB_DEVICE_MAJOR, 0) /* Limit on the total amount of memory we can allocate for transfers */ -static unsigned usbfs_memory_mb = 16; +static u32 usbfs_memory_mb = 16; module_param(usbfs_memory_mb, uint, 0644); MODULE_PARM_DESC(usbfs_memory_mb, "maximum MB allowed for usbfs buffers (0 = no limit)"); -/* Hard limit, necessary to avoid arithmetic overflow */ -#define USBFS_XFER_MAX (UINT_MAX / 2 - 1000000) - -static atomic_t usbfs_memory_usage; /* Total memory currently allocated */ +static atomic64_t usbfs_memory_usage; /* Total memory currently allocated */ /* Check whether it's okay to allocate more memory for a transfer */ -static int usbfs_increase_memory_usage(unsigned amount) +static int usbfs_increase_memory_usage(u64 amount) { - unsigned lim; + u64 lim; - /* - * Convert usbfs_memory_mb to bytes, avoiding overflows. - * 0 means use the hard limit (effectively unlimited). - */ lim = ACCESS_ONCE(usbfs_memory_mb); - if (lim == 0 || lim > (USBFS_XFER_MAX >> 20)) - lim = USBFS_XFER_MAX; - else - lim <<= 20; + lim <<= 20; - atomic_add(amount, &usbfs_memory_usage); - if (atomic_read(&usbfs_memory_usage) <= lim) - return 0; - atomic_sub(amount, &usbfs_memory_usage); - return -ENOMEM; + atomic64_add(amount, &usbfs_memory_usage); + + if (lim > 0 && atomic64_read(&usbfs_memory_usage) > lim) { + atomic64_sub(amount, &usbfs_memory_usage); + return -ENOMEM; + } + + return 0; } /* Memory for a transfer is being deallocated */ -static void usbfs_decrease_memory_usage(unsigned amount) +static void usbfs_decrease_memory_usage(u64 amount) { - atomic_sub(amount, &usbfs_memory_usage); + atomic64_sub(amount, &usbfs_memory_usage); } static int connected(struct usb_dev_state *ps) @@ -1077,7 +1070,7 @@ static int proc_bulk(struct usb_dev_stat if (!usb_maxpacket(dev, pipe, !(bulk.ep & USB_DIR_IN))) return -EINVAL; len1 = bulk.len; - if (len1 >= USBFS_XFER_MAX) + if (len1 >= (INT_MAX - sizeof(struct urb))) return -EINVAL; ret = usbfs_increase_memory_usage(len1 + sizeof(struct urb)); if (ret) @@ -1420,10 +1413,6 @@ static int proc_do_submiturb(struct usb_ return -EINVAL; } - if (uurb->buffer_length >= USBFS_XFER_MAX) { - ret = -EINVAL; - goto error; - } if (uurb->buffer_length > 0 && !access_ok(is_in ? VERIFY_WRITE : VERIFY_READ, uurb->buffer, uurb->buffer_length)) { Patches currently in stable-queue which might be from mateuszb(a)fastmail.fm are queue-3.18/usb-increase-usbfs-transfer-limit.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "usb: hub: Cycle HUB power when initialization fails" has been added to the 3.18-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled usb: hub: Cycle HUB power when initialization fails to the 3.18-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: usb-hub-cycle-hub-power-when-initialization-fails.patch and it can be found in the queue-3.18 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 973593a960ddac0f14f0d8877d2d0abe0afda795 Mon Sep 17 00:00:00 2001 From: Mike Looijmans <mike.looijmans(a)topic.nl> Date: Thu, 9 Nov 2017 13:16:46 +0100 Subject: usb: hub: Cycle HUB power when initialization fails From: Mike Looijmans <mike.looijmans(a)topic.nl> commit 973593a960ddac0f14f0d8877d2d0abe0afda795 upstream. Sometimes the USB device gets confused about the state of the initialization and the connection fails. In particular, the device thinks that it's already set up and running while the host thinks the device still needs to be configured. To work around this issue, power-cycle the hub's output to issue a sort of "reset" to the device. This makes the device restart its state machine and then the initialization succeeds. This fixes problems where the kernel reports a list of errors like this: usb 1-1.3: device not accepting address 19, error -71 The end result is a non-functioning device. After this patch, the sequence becomes like this: usb 1-1.3: new high-speed USB device number 18 using ci_hdrc usb 1-1.3: device not accepting address 18, error -71 usb 1-1.3: new high-speed USB device number 19 using ci_hdrc usb 1-1.3: device not accepting address 19, error -71 usb 1-1-port3: attempt power cycle usb 1-1.3: new high-speed USB device number 21 using ci_hdrc usb-storage 1-1.3:1.2: USB Mass Storage device detected Signed-off-by: Mike Looijmans <mike.looijmans(a)topic.nl> Acked-by: Alan Stern <stern(a)rowland.harvard.edu> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/usb/core/hub.c | 9 +++++++++ 1 file changed, 9 insertions(+) --- a/drivers/usb/core/hub.c +++ b/drivers/usb/core/hub.c @@ -4816,6 +4816,15 @@ loop: usb_put_dev(udev); if ((status == -ENOTCONN) || (status == -ENOTSUPP)) break; + + /* When halfway through our retry count, power-cycle the port */ + if (i == (SET_CONFIG_TRIES / 2) - 1) { + dev_info(&port_dev->dev, "attempt power cycle\n"); + usb_hub_set_port_power(hdev, hub, port1, false); + msleep(2 * hub_power_on_good_delay(hub)); + usb_hub_set_port_power(hdev, hub, port1, true); + msleep(hub_power_on_good_delay(hub)); + } } if (hub->hdev->parent || !hcd->driver->port_handed_over || Patches currently in stable-queue which might be from mike.looijmans(a)topic.nl are queue-3.18/usb-hub-cycle-hub-power-when-initialization-fails.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "usb: host: fix incorrect updating of offset" has been added to the 3.18-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled usb: host: fix incorrect updating of offset to the 3.18-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: usb-host-fix-incorrect-updating-of-offset.patch and it can be found in the queue-3.18 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 1d5a31582ef046d3b233f0da1a68ae26519b2f0a Mon Sep 17 00:00:00 2001 From: Colin Ian King <colin.king(a)canonical.com> Date: Tue, 7 Nov 2017 16:45:04 +0000 Subject: usb: host: fix incorrect updating of offset From: Colin Ian King <colin.king(a)canonical.com> commit 1d5a31582ef046d3b233f0da1a68ae26519b2f0a upstream. The variable temp is incorrectly being updated, instead it should be offset otherwise the loop just reads the same capability value and loops forever. Thanks to Alan Stern for pointing out the correct fix to my original fix. Fix also cleans up clang warning: drivers/usb/host/ehci-dbg.c:840:4: warning: Value stored to 'temp' is never read Fixes: d49d43174400 ("USB: misc ehci updates") Signed-off-by: Colin Ian King <colin.king(a)canonical.com> Acked-by: Alan Stern <stern(a)rowland.harvard.edu> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/usb/host/ehci-dbg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/usb/host/ehci-dbg.c +++ b/drivers/usb/host/ehci-dbg.c @@ -850,7 +850,7 @@ static ssize_t fill_registers_buffer(str default: /* unknown */ break; } - temp = (cap >> 8) & 0xff; + offset = (cap >> 8) & 0xff; } } #endif Patches currently in stable-queue which might be from colin.king(a)canonical.com are queue-3.18/usb-host-fix-incorrect-updating-of-offset.patch queue-3.18/net-sctp-fix-array-overrun-read-on-sctp_timer_tbl.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "USB: devio: Prevent integer overflow in proc_do_submiturb()" has been added to the 3.18-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled USB: devio: Prevent integer overflow in proc_do_submiturb() to the 3.18-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: usb-devio-prevent-integer-overflow-in-proc_do_submiturb.patch and it can be found in the queue-3.18 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 57999d1107c1e60c2ca7088f2ac0f819e2f554b3 Mon Sep 17 00:00:00 2001 From: Dan Carpenter <dan.carpenter(a)oracle.com> Date: Fri, 22 Sep 2017 23:43:25 +0300 Subject: USB: devio: Prevent integer overflow in proc_do_submiturb() From: Dan Carpenter <dan.carpenter(a)oracle.com> commit 57999d1107c1e60c2ca7088f2ac0f819e2f554b3 upstream. There used to be an integer overflow check in proc_do_submiturb() but we removed it. It turns out that it's still required. The uurb->buffer_length variable is a signed integer and it's controlled by the user. It can lead to an integer overflow when we do: num_sgs = DIV_ROUND_UP(uurb->buffer_length, USB_SG_SIZE); If we strip away the macro then that line looks like this: num_sgs = (uurb->buffer_length + USB_SG_SIZE - 1) / USB_SG_SIZE; ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ It's the first addition which can overflow. Fixes: 1129d270cbfb ("USB: Increase usbfs transfer limit") Signed-off-by: Dan Carpenter <dan.carpenter(a)oracle.com> Acked-by: Alan Stern <stern(a)rowland.harvard.edu> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/usb/core/devio.c | 5 +++++ 1 file changed, 5 insertions(+) --- a/drivers/usb/core/devio.c +++ b/drivers/usb/core/devio.c @@ -118,6 +118,9 @@ module_param(usbfs_memory_mb, uint, 0644 MODULE_PARM_DESC(usbfs_memory_mb, "maximum MB allowed for usbfs buffers (0 = no limit)"); +/* Hard limit, necessary to avoid arithmetic overflow */ +#define USBFS_XFER_MAX (UINT_MAX / 2 - 1000000) + static atomic64_t usbfs_memory_usage; /* Total memory currently allocated */ /* Check whether it's okay to allocate more memory for a transfer */ @@ -1295,6 +1298,8 @@ static int proc_do_submiturb(struct usb_ USBDEVFS_URB_ZERO_PACKET | USBDEVFS_URB_NO_INTERRUPT)) return -EINVAL; + if ((unsigned int)uurb->buffer_length >= USBFS_XFER_MAX) + return -EINVAL; if (uurb->buffer_length > 0 && !uurb->buffer) return -EINVAL; if (!(uurb->type == USBDEVFS_URB_TYPE_CONTROL && Patches currently in stable-queue which might be from dan.carpenter(a)oracle.com are queue-3.18/usb-devio-prevent-integer-overflow-in-proc_do_submiturb.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "dma-buf: Update kerneldoc for sync_file_create" has been added to the 4.9-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled dma-buf: Update kerneldoc for sync_file_create to the 4.9-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: dma-buf-update-kerneldoc-for-sync_file_create.patch and it can be found in the queue-4.9 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 24a367348a017555f982a9ee137070a7a821fa97 Mon Sep 17 00:00:00 2001 From: Daniel Vetter <daniel.vetter(a)ffwll.ch> Date: Fri, 9 Dec 2016 19:53:06 +0100 Subject: dma-buf: Update kerneldoc for sync_file_create From: Daniel Vetter <daniel.vetter(a)ffwll.ch> commit 24a367348a017555f982a9ee137070a7a821fa97 upstream. This was missed when adding a dma_fence_get call. While at it also remove the kerneldoc for the static inline helper - no point documenting internals down to every detail. Fixes: 30cd85dd6edc ("dma-buf/sync_file: hold reference to fence when creating sync_file") Cc: Gustavo Padovan <gustavo.padovan(a)collabora.co.uk> Cc: Sean Paul <seanpaul(a)chromium.org> Cc: linux-doc(a)vger.kernel.org Cc: Jonathan Corbet <corbet(a)lwn.net> Cc: Sumit Semwal <sumit.semwal(a)linaro.org> Signed-off-by: Daniel Vetter <daniel.vetter(a)intel.com> Reviewed-by: Gustavo Padovan <gustavo.padovan(a)collabora.co.uk> Signed-off-by: Sumit Semwal <sumit.semwal(a)linaro.org> Link: http://patchwork.freedesktop.org/patch/msgid/20161209185309.1682-3-daniel.v… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/dma-buf/sync_file.c | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) --- a/drivers/dma-buf/sync_file.c +++ b/drivers/dma-buf/sync_file.c @@ -67,9 +67,10 @@ static void fence_check_cb_func(struct f * sync_file_create() - creates a sync file * @fence: fence to add to the sync_fence * - * Creates a sync_file containg @fence. Once this is called, the sync_file - * takes ownership of @fence. The sync_file can be released with - * fput(sync_file->file). Returns the sync_file or NULL in case of error. + * Creates a sync_file containg @fence. This function acquires and additional + * reference of @fence for the newly-created &sync_file, if it succeeds. The + * sync_file can be released with fput(sync_file->file). Returns the + * sync_file or NULL in case of error. */ struct sync_file *sync_file_create(struct fence *fence) { @@ -90,13 +91,6 @@ struct sync_file *sync_file_create(struc } EXPORT_SYMBOL(sync_file_create); -/** - * sync_file_fdget() - get a sync_file from an fd - * @fd: fd referencing a fence - * - * Ensures @fd references a valid sync_file, increments the refcount of the - * backing file. Returns the sync_file or NULL in case of error. - */ static struct sync_file *sync_file_fdget(int fd) { struct file *file = fget(fd); Patches currently in stable-queue which might be from daniel.vetter(a)ffwll.ch are queue-4.9/dma-fence-clear-fence-status-during-dma_fence_init.patch queue-4.9/dma-fence-wrap-querying-the-fence-status.patch queue-4.9/dma-fence-introduce-drm_fence_set_error-helper.patch queue-4.9/dma-buf-update-kerneldoc-for-sync_file_create.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "dma-buf/sync_file: hold reference to fence when creating sync_file" has been added to the 4.9-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled dma-buf/sync_file: hold reference to fence when creating sync_file to the 4.9-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: dma-buf-sync_file-hold-reference-to-fence-when-creating-sync_file.patch and it can be found in the queue-4.9 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 30cd85dd6edc86ea8d8589efb813f1fad41ef233 Mon Sep 17 00:00:00 2001 From: Gustavo Padovan <gustavo.padovan(a)collabora.co.uk> Date: Wed, 19 Oct 2016 15:48:32 -0200 Subject: dma-buf/sync_file: hold reference to fence when creating sync_file From: Gustavo Padovan <gustavo.padovan(a)collabora.co.uk> commit 30cd85dd6edc86ea8d8589efb813f1fad41ef233 upstream. fence referencing was out of balance. It was not taking any ref to the fence at creating time, but it was putting a reference when freeing the sync file. This patch fixes the balancing issue by getting a reference for the fence when creating the sync_file. Signed-off-by: Gustavo Padovan <gustavo.padovan(a)collabora.co.uk> Signed-off-by: Sean Paul <seanpaul(a)chromium.org> Link: http://patchwork.freedesktop.org/patch/msgid/1476899313-22241-1-git-send-em… Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/dma-buf/sync_file.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/dma-buf/sync_file.c +++ b/drivers/dma-buf/sync_file.c @@ -79,7 +79,7 @@ struct sync_file *sync_file_create(struc if (!sync_file) return NULL; - sync_file->fence = fence; + sync_file->fence = fence_get(fence); snprintf(sync_file->name, sizeof(sync_file->name), "%s-%s%llu-%d", fence->ops->get_driver_name(fence), Patches currently in stable-queue which might be from gustavo.padovan(a)collabora.co.uk are queue-4.9/dma-buf-sync_file-hold-reference-to-fence-when-creating-sync_file.patch queue-4.9/dma-buf-update-kerneldoc-for-sync_file_create.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "dma-fence: Wrap querying the fence->status" has been added to the 4.9-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled dma-fence: Wrap querying the fence->status to the 4.9-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: dma-fence-wrap-querying-the-fence-status.patch and it can be found in the queue-4.9 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From d6c99f4bf093a58d3ab47caaec74b81f18bc4e3f Mon Sep 17 00:00:00 2001 From: Chris Wilson <chris(a)chris-wilson.co.uk> Date: Wed, 4 Jan 2017 14:12:21 +0000 Subject: dma-fence: Wrap querying the fence->status From: Chris Wilson <chris(a)chris-wilson.co.uk> commit d6c99f4bf093a58d3ab47caaec74b81f18bc4e3f upstream. The fence->status is an optional field that is only valid once the fence has been signaled. (Driver may fill the fence->status with an error code prior to calling dma_fence_signal().) Given the restriction upon its validity, wrap querying of the fence->status into a helper dma_fence_get_status(). Signed-off-by: Chris Wilson <chris(a)chris-wilson.co.uk> Reviewed-by: Daniel Vetter <daniel.vetter(a)ffwll.ch> Reviewed-by: Sumit Semwal <sumit.semwal(a)linaro.org> Signed-off-by: Sumit Semwal <sumit.semwal(a)linaro.org> Link: http://patchwork.freedesktop.org/patch/msgid/20170104141222.6992-2-chris@ch… [s/dma_fence/fence/g - gregkh] Cc: Jisheng Zhang <Jisheng.Zhang(a)synaptics.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/dma-buf/fence.c | 25 +++++++++++++++++++++++++ drivers/dma-buf/sync_debug.c | 20 ++++++++++---------- drivers/dma-buf/sync_file.c | 6 ++---- include/linux/fence.h | 24 ++++++++++++++++++++++++ 4 files changed, 61 insertions(+), 14 deletions(-) --- a/drivers/dma-buf/fence.c +++ b/drivers/dma-buf/fence.c @@ -281,6 +281,31 @@ int fence_add_callback(struct fence *fen EXPORT_SYMBOL(fence_add_callback); /** + * fence_get_status - returns the status upon completion + * @fence: [in] the fence to query + * + * This wraps fence_get_status_locked() to return the error status + * condition on a signaled fence. See fence_get_status_locked() for more + * details. + * + * Returns 0 if the fence has not yet been signaled, 1 if the fence has + * been signaled without an error condition, or a negative error code + * if the fence has been completed in err. + */ +int fence_get_status(struct fence *fence) +{ + unsigned long flags; + int status; + + spin_lock_irqsave(fence->lock, flags); + status = fence_get_status_locked(fence); + spin_unlock_irqrestore(fence->lock, flags); + + return status; +} +EXPORT_SYMBOL(fence_get_status); + +/** * fence_remove_callback - remove a callback from the signaling list * @fence: [in] the fence to wait on * @cb: [in] the callback to remove --- a/drivers/dma-buf/sync_debug.c +++ b/drivers/dma-buf/sync_debug.c @@ -62,29 +62,29 @@ void sync_file_debug_remove(struct sync_ static const char *sync_status_str(int status) { - if (status == 0) - return "signaled"; + if (status < 0) + return "error"; if (status > 0) - return "active"; + return "signaled"; - return "error"; + return "active"; } -static void sync_print_fence(struct seq_file *s, struct fence *fence, bool show) +static void sync_print_fence(struct seq_file *s, + struct fence *fence, bool show) { - int status = 1; struct sync_timeline *parent = fence_parent(fence); + int status; - if (fence_is_signaled_locked(fence)) - status = fence->status; + status = fence_get_status_locked(fence); seq_printf(s, " %s%sfence %s", show ? parent->name : "", show ? "_" : "", sync_status_str(status)); - if (status <= 0) { + if (status) { struct timespec64 ts64 = ktime_to_timespec64(fence->timestamp); @@ -133,7 +133,7 @@ static void sync_print_sync_file(struct int i; seq_printf(s, "[%p] %s: %s\n", sync_file, sync_file->name, - sync_status_str(!fence_is_signaled(sync_file->fence))); + sync_status_str(fence_get_status(sync_file->fence))); if (fence_is_array(sync_file->fence)) { struct fence_array *array = to_fence_array(sync_file->fence); --- a/drivers/dma-buf/sync_file.c +++ b/drivers/dma-buf/sync_file.c @@ -377,10 +377,8 @@ static void sync_fill_fence_info(struct sizeof(info->obj_name)); strlcpy(info->driver_name, fence->ops->get_driver_name(fence), sizeof(info->driver_name)); - if (fence_is_signaled(fence)) - info->status = fence->status >= 0 ? 1 : fence->status; - else - info->status = 0; + + info->status = fence_get_status(fence); info->timestamp_ns = ktime_to_ns(fence->timestamp); } --- a/include/linux/fence.h +++ b/include/linux/fence.h @@ -334,6 +334,30 @@ static inline struct fence *fence_later( return fence_is_signaled(f2) ? NULL : f2; } +/** + * fence_get_status_locked - returns the status upon completion + * @fence: [in] the fence to query + * + * Drivers can supply an optional error status condition before they signal + * the fence (to indicate whether the fence was completed due to an error + * rather than success). The value of the status condition is only valid + * if the fence has been signaled, fence_get_status_locked() first checks + * the signal state before reporting the error status. + * + * Returns 0 if the fence has not yet been signaled, 1 if the fence has + * been signaled without an error condition, or a negative error code + * if the fence has been completed in err. + */ +static inline int fence_get_status_locked(struct fence *fence) +{ + if (fence_is_signaled_locked(fence)) + return fence->status < 0 ? fence->status : 1; + else + return 0; +} + +int fence_get_status(struct fence *fence); + signed long fence_wait_timeout(struct fence *, bool intr, signed long timeout); signed long fence_wait_any_timeout(struct fence **fences, uint32_t count, bool intr, signed long timeout); Patches currently in stable-queue which might be from chris(a)chris-wilson.co.uk are queue-4.9/dma-buf-sw-sync-fix-the-is-signaled-test-to-handle-u32-wraparound.patch queue-4.9/dma-fence-clear-fence-status-during-dma_fence_init.patch queue-4.9/dma-buf-sw-sync-fix-locking-around-sync_timeline-lists.patch queue-4.9/dma-fence-wrap-querying-the-fence-status.patch queue-4.9/dma-buf-sw_sync-clean-up-list-before-signaling-the-fence.patch queue-4.9/dma-buf-sw-sync-reduce-irqsave-irqrestore-from-known-context.patch queue-4.9/dma-buf-sw_sync-move-timeline_fence_ops-around.patch queue-4.9/dma-buf-sw-sync-prevent-user-overflow-on-timeline-advance.patch queue-4.9/dma-fence-introduce-drm_fence_set_error-helper.patch queue-4.9/dma-buf-sw_sync-force-signal-all-unsignaled-fences-on-dying-timeline.patch queue-4.9/dma-buf-sw-sync-use-an-rbtree-to-sort-fences-in-the-timeline.patch queue-4.9/dma-buf-sw-sync-sync_pt-is-private-and-of-fixed-size.patch queue-4.9/dma-buf-dma-fence-extract-__dma_fence_is_later.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "dma-fence: Introduce drm_fence_set_error() helper" has been added to the 4.9-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled dma-fence: Introduce drm_fence_set_error() helper to the 4.9-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: dma-fence-introduce-drm_fence_set_error-helper.patch and it can be found in the queue-4.9 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From a009e975da5c7d42a7f5eaadc54946eb5f76c9af Mon Sep 17 00:00:00 2001 From: Chris Wilson <chris(a)chris-wilson.co.uk> Date: Wed, 4 Jan 2017 14:12:22 +0000 Subject: dma-fence: Introduce drm_fence_set_error() helper From: Chris Wilson <chris(a)chris-wilson.co.uk> commit a009e975da5c7d42a7f5eaadc54946eb5f76c9af upstream. The dma_fence.error field (formerly known as dma_fence.status) is an optional field that may be set by drivers before calling dma_fence_signal(). The field can be used to indicate that the fence was completed in err rather than with success, and is visible to other consumers of the fence and to userspace via sync_file. This patch renames the field from status to error so that its meaning is hopefully more clear (and distinct from dma_fence_get_status() which is a composite between the error state and signal state) and adds a helper that validates the preconditions of when it is suitable to adjust the error field. Signed-off-by: Chris Wilson <chris(a)chris-wilson.co.uk> Reviewed-by: Daniel Vetter <daniel.vetter(a)ffwll.ch> Reviewed-by: Sumit Semwal <sumit.semwal(a)linaro.org> Signed-off-by: Sumit Semwal <sumit.semwal(a)linaro.org> Link: http://patchwork.freedesktop.org/patch/msgid/20170104141222.6992-3-chris@ch… [s/dma_fence/fence/g - gregkh] Cc: Jisheng Zhang <Jisheng.Zhang(a)synaptics.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/dma-buf/fence.c | 2 +- include/linux/fence.h | 30 +++++++++++++++++++++++++----- 2 files changed, 26 insertions(+), 6 deletions(-) --- a/drivers/dma-buf/fence.c +++ b/drivers/dma-buf/fence.c @@ -551,7 +551,7 @@ fence_init(struct fence *fence, const st fence->context = context; fence->seqno = seqno; fence->flags = 0UL; - fence->status = 0; + fence->error = 0; trace_fence_init(fence); } --- a/include/linux/fence.h +++ b/include/linux/fence.h @@ -47,7 +47,7 @@ struct fence_cb; * can be compared to decide which fence would be signaled later. * @flags: A mask of FENCE_FLAG_* defined below * @timestamp: Timestamp when the fence was signaled. - * @status: Optional, only valid if < 0, must be set before calling + * @error: Optional, only valid if < 0, must be set before calling * fence_signal, indicates that the fence has completed with an error. * * the flags member must be manipulated and read using the appropriate @@ -79,7 +79,7 @@ struct fence { unsigned seqno; unsigned long flags; ktime_t timestamp; - int status; + int error; }; enum fence_flag_bits { @@ -132,7 +132,7 @@ struct fence_cb { * or some failure occurred that made it impossible to enable * signaling. True indicates successful enabling. * - * fence->status may be set in enable_signaling, but only when false is + * fence->error may be set in enable_signaling, but only when false is * returned. * * Calling fence_signal before enable_signaling is called allows @@ -144,7 +144,7 @@ struct fence_cb { * the second time will be a noop since it was already signaled. * * Notes on signaled: - * May set fence->status if returning true. + * May set fence->error if returning true. * * Notes on wait: * Must not be NULL, set to fence_default_wait for default implementation. @@ -351,13 +351,33 @@ static inline struct fence *fence_later( static inline int fence_get_status_locked(struct fence *fence) { if (fence_is_signaled_locked(fence)) - return fence->status < 0 ? fence->status : 1; + return fence->error ?: 1; else return 0; } int fence_get_status(struct fence *fence); +/** + * fence_set_error - flag an error condition on the fence + * @fence: [in] the fence + * @error: [in] the error to store + * + * Drivers can supply an optional error status condition before they signal + * the fence, to indicate that the fence was completed due to an error + * rather than success. This must be set before signaling (so that the value + * is visible before any waiters on the signal callback are woken). This + * helper exists to help catching erroneous setting of #fence.error. + */ +static inline void fence_set_error(struct fence *fence, + int error) +{ + BUG_ON(test_bit(FENCE_FLAG_SIGNALED_BIT, &fence->flags)); + BUG_ON(error >= 0 || error < -MAX_ERRNO); + + fence->error = error; +} + signed long fence_wait_timeout(struct fence *, bool intr, signed long timeout); signed long fence_wait_any_timeout(struct fence **fences, uint32_t count, bool intr, signed long timeout); Patches currently in stable-queue which might be from chris(a)chris-wilson.co.uk are queue-4.9/dma-buf-sw-sync-fix-the-is-signaled-test-to-handle-u32-wraparound.patch queue-4.9/dma-fence-clear-fence-status-during-dma_fence_init.patch queue-4.9/dma-buf-sw-sync-fix-locking-around-sync_timeline-lists.patch queue-4.9/dma-fence-wrap-querying-the-fence-status.patch queue-4.9/dma-buf-sw_sync-clean-up-list-before-signaling-the-fence.patch queue-4.9/dma-buf-sw-sync-reduce-irqsave-irqrestore-from-known-context.patch queue-4.9/dma-buf-sw_sync-move-timeline_fence_ops-around.patch queue-4.9/dma-buf-sw-sync-prevent-user-overflow-on-timeline-advance.patch queue-4.9/dma-fence-introduce-drm_fence_set_error-helper.patch queue-4.9/dma-buf-sw_sync-force-signal-all-unsignaled-fences-on-dying-timeline.patch queue-4.9/dma-buf-sw-sync-use-an-rbtree-to-sort-fences-in-the-timeline.patch queue-4.9/dma-buf-sw-sync-sync_pt-is-private-and-of-fixed-size.patch queue-4.9/dma-buf-dma-fence-extract-__dma_fence_is_later.patch

7 years, 9 months

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror