- Linux-stable-mirror - lists.linaro.org

[patch 18/22] drivers/block/zram/zram_drv.c: fix idle/writeback string compare

by akpm＠linux-foundation.org

From: Minchan Kim <minchan(a)kernel.org> Subject: drivers/block/zram/zram_drv.c: fix idle/writeback string compare Makoto report a below KASAN error: zram does out-of-bounds read. Because strscpy copies from source up to count bytes unconditionally. It could cause out-of-bounds read on next object in slab To prevent it, use strlcpy which checks source's length automatically. [ 280.626730] c0 1314 ================================================================== [ 280.626855] c0 1314 BUG: KASAN: slab-out-of-bounds in strscpy+0x68/0x154 [ 280.626896] c0 1314 Read of size 8 at addr ffffffc0c3495a00 by task system_server/1314 [ 280.626921] c0 1314 .. [ 280.627041] c0 1314 Call trace: [ 280.627097] c0 1314 [<ffffff90080902b8>] dump_backtrace+0x0/0x6bc [ 280.627142] c0 1314 [<ffffff90080902ac>] show_stack+0x20/0x2c [ 280.627193] c0 1314 [<ffffff900871fa90>] dump_stack+0xfc/0x140 [ 280.627250] c0 1314 [<ffffff90083364ec>] print_address_description+0x80/0x2d8 [ 280.627294] c0 1314 [<ffffff9008336b48>] kasan_report_error+0x198/0x1fc [ 280.627335] c0 1314 [<ffffff90083369b0>] kasan_report_error+0x0/0x1fc [ 280.627376] c0 1314 [<ffffff9008335c1c>] __asan_load8+0x1b0/0x1b8 [ 280.627415] c0 1314 [<ffffff900872fb6c>] strscpy+0x68/0x154 [ 280.627465] c0 1314 [<ffffff9008ceca44>] idle_store+0xc4/0x34c [ 280.627511] c0 1314 [<ffffff9008c91a98>] dev_attr_store+0x50/0x6c [ 280.627558] c0 1314 [<ffffff900845602c>] sysfs_kf_write+0x98/0xb4 [ 280.627596] c0 1314 [<ffffff9008453d20>] kernfs_fop_write+0x198/0x260 [ 280.627642] c0 1314 [<ffffff90083578b4>] __vfs_write+0x10c/0x338 [ 280.627684] c0 1314 [<ffffff9008357dac>] vfs_write+0x114/0x238 [ 280.627726] c0 1314 [<ffffff9008358100>] SyS_write+0xc8/0x168 [ 280.627767] c0 1314 [<ffffff900808425c>] __sys_trace_return+0x0/0x4 [ 280.627791] c0 1314 [ 280.627824] c0 1314 Allocated by task 1314: [ 280.627866] c0 1314 kasan_kmalloc+0xe0/0x1ac [ 280.627903] c0 1314 __kmalloc+0x280/0x318 [ 280.627938] c0 1314 kernfs_fop_write+0xac/0x260 [ 280.627980] c0 1314 __vfs_write+0x10c/0x338 [ 280.628020] c0 1314 vfs_write+0x114/0x238 [ 280.628061] c0 1314 SyS_write+0xc8/0x168 [ 280.628098] c0 1314 __sys_trace_return+0x0/0x4 [ 280.628125] c0 1314 [ 280.628154] c0 1314 Freed by task 2855: [ 280.628194] c0 1314 kasan_slab_free+0xb8/0x194 [ 280.628229] c0 1314 kfree+0x138/0x630 [ 280.628266] c0 1314 kernfs_put_open_node+0x10c/0x124 [ 280.628302] c0 1314 kernfs_fop_release+0xd8/0x114 [ 280.628336] c0 1314 __fput+0x130/0x2a4 [ 280.628370] c0 1314 ____fput+0x1c/0x28 [ 280.628410] c0 1314 task_work_run+0x16c/0x1c8 [ 280.628449] c0 1314 do_notify_resume+0x2bc/0x107c [ 280.628483] c0 1314 work_pending+0x8/0x10 [ 280.628506] c0 1314 [ 280.628542] c0 1314 The buggy address belongs to the object at ffffffc0c3495a00 [ 280.628542] c0 1314 which belongs to the cache kmalloc-128 of size 128 [ 280.628597] c0 1314 The buggy address is located 0 bytes inside of [ 280.628597] c0 1314 128-byte region [ffffffc0c3495a00, ffffffc0c3495a80) [ 280.628642] c0 1314 The buggy address belongs to the page: [ 280.628680] c0 1314 page:ffffffbf030d2500 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0 [ 280.628721] c0 1314 flags: 0x4000000000010200(slab|head) [ 280.628748] c0 1314 page dumped because: kasan: bad access detected [ 280.628772] c0 1314 [ 280.628797] c0 1314 Memory state around the buggy address: [ 280.628840] c0 1314 ffffffc0c3495900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 280.628874] c0 1314 ffffffc0c3495980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 280.628909] c0 1314 >ffffffc0c3495a00: 04 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 280.628935] c0 1314 ^ [ 280.628969] c0 1314 ffffffc0c3495a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 280.629005] c0 1314 ffffffc0c3495b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Link: http://lkml.kernel.org/r/20190319231911.145968-1-minchan@kernel.org Cc: <stable(a)vger.kernel.org> [5.0] Signed-off-by: Minchan Kim <minchan(a)kernel.org> Reported-by: Makoto Wu <makotowu(a)google.com> Reviewed-by: Sergey Senozhatsky <sergey.senozhatsky(a)gmail.com> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- drivers/block/zram/zram_drv.c | 32 ++++++-------------------------- 1 file changed, 6 insertions(+), 26 deletions(-) --- a/drivers/block/zram/zram_drv.c~zram-fix-idle-writeback-string-compare +++ a/drivers/block/zram/zram_drv.c @@ -290,18 +290,8 @@ static ssize_t idle_store(struct device struct zram *zram = dev_to_zram(dev); unsigned long nr_pages = zram->disksize >> PAGE_SHIFT; int index; - char mode_buf[8]; - ssize_t sz; - sz = strscpy(mode_buf, buf, sizeof(mode_buf)); - if (sz <= 0) - return -EINVAL; - - /* ignore trailing new line */ - if (mode_buf[sz - 1] == '\n') - mode_buf[sz - 1] = 0x00; - - if (strcmp(mode_buf, "all")) + if (!sysfs_streq(buf, "all")) return -EINVAL; down_read(&zram->init_lock); @@ -635,25 +625,15 @@ static ssize_t writeback_store(struct de struct bio bio; struct bio_vec bio_vec; struct page *page; - ssize_t ret, sz; - char mode_buf[8]; - int mode = -1; + ssize_t ret; + int mode; unsigned long blk_idx = 0; - sz = strscpy(mode_buf, buf, sizeof(mode_buf)); - if (sz <= 0) - return -EINVAL; - - /* ignore trailing newline */ - if (mode_buf[sz - 1] == '\n') - mode_buf[sz - 1] = 0x00; - - if (!strcmp(mode_buf, "idle")) + if (sysfs_streq(buf, "idle")) mode = IDLE_WRITEBACK; - else if (!strcmp(mode_buf, "huge")) + else if (sysfs_streq(buf, "huge")) mode = HUGE_WRITEBACK; - - if (mode == -1) + else return -EINVAL; down_read(&zram->init_lock); _

6 years, 5 months

1
0
0 0

[patch 17/22] mm/page_isolation.c: fix a wrong flag in set_migratetype_isolate()

by akpm＠linux-foundation.org

From: Qian Cai <cai(a)lca.pw> Subject: mm/page_isolation.c: fix a wrong flag in set_migratetype_isolate() Due to has_unmovable_pages() taking an incorrect irqsave flag instead of the isolation flag in set_migratetype_isolate(), there are issues with HWPOSION and error reporting where dump_page() is not called when there is an unmovable page. Link: http://lkml.kernel.org/r/20190320204941.53731-1-cai@lca.pw Fixes: d381c54760dc ("mm: only report isolation failures when offlining memory") Acked-by: Michal Hocko <mhocko(a)suse.com> Reviewed-by: Oscar Salvador <osalvador(a)suse.de> Signed-off-by: Qian Cai <cai(a)lca.pw> Cc: <stable(a)vger.kernel.org> [5.0.x] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/page_isolation.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/mm/page_isolation.c~mm-fix-a-wrong-flag-in-set_migratetype_isolate +++ a/mm/page_isolation.c @@ -59,7 +59,8 @@ static int set_migratetype_isolate(struc * FIXME: Now, memory hotplug doesn't call shrink_slab() by itself. * We just check MOVABLE pages. */ - if (!has_unmovable_pages(zone, page, arg.pages_found, migratetype, flags)) + if (!has_unmovable_pages(zone, page, arg.pages_found, migratetype, + isol_flags)) ret = 0; /* _

6 years, 5 months

1
0
0 0

[patch 16/22] mm/memory_hotplug.c: fix notification in offline error path

by akpm＠linux-foundation.org

From: Qian Cai <cai(a)lca.pw> Subject: mm/memory_hotplug.c: fix notification in offline error path When start_isolate_page_range() returned -EBUSY in __offline_pages(), it calls memory_notify(MEM_CANCEL_OFFLINE, &arg) with an uninitialized "arg". As the result, it triggers warnings below. Also, it is only necessary to notify MEM_CANCEL_OFFLINE after MEM_GOING_OFFLINE. page:ffffea0001200000 count:1 mapcount:0 mapping:0000000000000000 index:0x0 flags: 0x3fffe000001000(reserved) raw: 003fffe000001000 ffffea0001200008 ffffea0001200008 0000000000000000 raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 page dumped because: unmovable page WARNING: CPU: 25 PID: 1665 at mm/kasan/common.c:665 kasan_mem_notifier+0x34/0x23b CPU: 25 PID: 1665 Comm: bash Tainted: G W 5.0.0+ #94 Hardware name: HP ProLiant DL180 Gen9/ProLiant DL180 Gen9, BIOS U20 10/25/2017 RIP: 0010:kasan_mem_notifier+0x34/0x23b RSP: 0018:ffff8883ec737890 EFLAGS: 00010206 RAX: 0000000000000246 RBX: ff10f0f4435f1000 RCX: f887a7a21af88000 RDX: dffffc0000000000 RSI: 0000000000000020 RDI: ffff8881f221af88 RBP: ffff8883ec737898 R08: ffff888000000000 R09: ffffffffb0bddcd0 R10: ffffed103e857088 R11: ffff8881f42b8443 R12: dffffc0000000000 R13: 00000000fffffff9 R14: dffffc0000000000 R15: 0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000560fbd31d730 CR3: 00000004049c6003 CR4: 00000000001606a0 Call Trace: notifier_call_chain+0xbf/0x130 __blocking_notifier_call_chain+0x76/0xc0 blocking_notifier_call_chain+0x16/0x20 memory_notify+0x1b/0x20 __offline_pages+0x3e2/0x1210 offline_pages+0x11/0x20 memory_block_action+0x144/0x300 memory_subsys_offline+0xe5/0x170 device_offline+0x13f/0x1e0 state_store+0xeb/0x110 dev_attr_store+0x3f/0x70 sysfs_kf_write+0x104/0x150 kernfs_fop_write+0x25c/0x410 __vfs_write+0x66/0x120 vfs_write+0x15a/0x4f0 ksys_write+0xd2/0x1b0 __x64_sys_write+0x73/0xb0 do_syscall_64+0xeb/0xb78 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x7f14f75cc3b8 RSP: 002b:00007ffe84d01d68 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 0000000000000008 RCX: 00007f14f75cc3b8 RDX: 0000000000000008 RSI: 0000563f8e433d70 RDI: 0000000000000001 RBP: 0000563f8e433d70 R08: 000000000000000a R09: 00007ffe84d018f0 R10: 000000000000000a R11: 0000000000000246 R12: 00007f14f789e780 R13: 0000000000000008 R14: 00007f14f7899740 R15: 0000000000000008 Link: http://lkml.kernel.org/r/20190320204255.53571-1-cai@lca.pw Fixes: 7960509329c2 ("mm, memory_hotplug: print reason for the offlining failure") Reviewed-by: Oscar Salvador <osalvador(a)suse.de> Acked-by: Michal Hocko <mhocko(a)suse.com> Signed-off-by: Qian Cai <cai(a)lca.pw> Reviewed-by: Andrew Morton <akpm(a)linux-foundation.org> Cc: <stable(a)vger.kernel.org> [5.0.x] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/memory_hotplug.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/mm/memory_hotplug.c~mm-hotplug-fix-notification-in-offline-error-path +++ a/mm/memory_hotplug.c @@ -1699,12 +1699,12 @@ static int __ref __offline_pages(unsigne failed_removal_isolated: undo_isolate_page_range(start_pfn, end_pfn, MIGRATE_MOVABLE); + memory_notify(MEM_CANCEL_OFFLINE, &arg); failed_removal: pr_debug("memory offlining [mem %#010llx-%#010llx] failed due to %s\n", (unsigned long long) start_pfn << PAGE_SHIFT, ((unsigned long long) end_pfn << PAGE_SHIFT) - 1, reason); - memory_notify(MEM_CANCEL_OFFLINE, &arg); /* pushback to free area */ mem_hotplug_done(); return ret; _

6 years, 5 months

1
0
0 0

[patch 12/22] mm/debug.c: fix __dump_page when mapping->host is not set

by akpm＠linux-foundation.org

From: Oscar Salvador <osalvador(a)suse.de> Subject: mm/debug.c: fix __dump_page when mapping->host is not set While debugging something, I added a dump_page() into do_swap_page(), and I got the splat from below. The issue happens when dereferencing mapping->host in __dump_page(): ... else if (mapping) { pr_warn("%ps ", mapping->a_ops); if (mapping->host->i_dentry.first) { struct dentry *dentry; dentry = container_of(mapping->host->i_dentry.first, struct dentry, d_u.d_alias); pr_warn("name:\"%pd\" ", dentry); } } ... Swap address space does not contain an inode information, and so mapping->host equals NULL. Although the dump_page() call was added artificially into do_swap_page(), I am not sure if we can hit this from any other path, so it looks worth fixing it. We can easily do that by checking mapping->host first. Link: http://lkml.kernel.org/r/20190318072931.29094-1-osalvador@suse.de Fixes: 1c6fb1d89e73c ("mm: print more information about mapping in __dump_page") Signed-off-by: Oscar Salvador <osalvador(a)suse.de> Acked-by: Michal Hocko <mhocko(a)suse.com> Acked-by: Hugh Dickins <hughd(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/debug.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/mm/debug.c~mm-fix-__dump_page-when-mapping-host-is-not-set +++ a/mm/debug.c @@ -79,7 +79,7 @@ void __dump_page(struct page *page, cons pr_warn("ksm "); else if (mapping) { pr_warn("%ps ", mapping->a_ops); - if (mapping->host->i_dentry.first) { + if (mapping->host && mapping->host->i_dentry.first) { struct dentry *dentry; dentry = container_of(mapping->host->i_dentry.first, struct dentry, d_u.d_alias); pr_warn("name:\"%pd\" ", dentry); _

6 years, 5 months

1
0
0 0

[patch 11/22] mm: mempolicy: make mbind() return -EIO when MPOL_MF_STRICT is specified

by akpm＠linux-foundation.org

From: Yang Shi <yang.shi(a)linux.alibaba.com> Subject: mm: mempolicy: make mbind() return -EIO when MPOL_MF_STRICT is specified When MPOL_MF_STRICT was specified and an existing page was already on a node that does not follow the policy, mbind() should return -EIO. But 6f4576e3687b ("mempolicy: apply page table walker on queue_pages_range()") broke the rule. And c8633798497c ("mm: mempolicy: mbind and migrate_pages support thp migration") didn't return the correct value for THP mbind() too. If MPOL_MF_STRICT is set, ignore vma_migratable() to make sure it reaches queue_pages_to_pte_range() or queue_pages_pmd() to check if an existing page was already on a node that does not follow the policy. And, non-migratable vma may be used, return -EIO too if MPOL_MF_MOVE or MPOL_MF_MOVE_ALL was specified. Tested with https://github.com/metan-ucw/ltp/blob/master/testcases/kernel/syscalls/mbin… [akpm(a)linux-foundation.org: tweak code comment] Link: http://lkml.kernel.org/r/1553020556-38583-1-git-send-email-yang.shi@linux.a… Fixes: 6f4576e3687b ("mempolicy: apply page table walker on queue_pages_range()") Signed-off-by: Yang Shi <yang.shi(a)linux.alibaba.com> Signed-off-by: Oscar Salvador <osalvador(a)suse.de> Reported-by: Cyril Hrubis <chrubis(a)suse.cz> Suggested-by: Kirill A. Shutemov <kirill(a)shutemov.name> Acked-by: Rafael Aquini <aquini(a)redhat.com> Reviewed-by: Oscar Salvador <osalvador(a)suse.de> Acked-by: David Rientjes <rientjes(a)google.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/mempolicy.c | 40 +++++++++++++++++++++++++++++++++------- 1 file changed, 33 insertions(+), 7 deletions(-) --- a/mm/mempolicy.c~mm-mempolicy-make-mbind-return-eio-when-mpol_mf_strict-is-specified +++ a/mm/mempolicy.c @@ -428,6 +428,13 @@ static inline bool queue_pages_required( return node_isset(nid, *qp->nmask) == !(flags & MPOL_MF_INVERT); } +/* + * queue_pages_pmd() has three possible return values: + * 1 - pages are placed on the right node or queued successfully. + * 0 - THP was split. + * -EIO - is migration entry or MPOL_MF_STRICT was specified and an existing + * page was already on a node that does not follow the policy. + */ static int queue_pages_pmd(pmd_t *pmd, spinlock_t *ptl, unsigned long addr, unsigned long end, struct mm_walk *walk) { @@ -437,7 +444,7 @@ static int queue_pages_pmd(pmd_t *pmd, s unsigned long flags; if (unlikely(is_pmd_migration_entry(*pmd))) { - ret = 1; + ret = -EIO; goto unlock; } page = pmd_page(*pmd); @@ -454,8 +461,15 @@ static int queue_pages_pmd(pmd_t *pmd, s ret = 1; flags = qp->flags; /* go to thp migration */ - if (flags & (MPOL_MF_MOVE | MPOL_MF_MOVE_ALL)) + if (flags & (MPOL_MF_MOVE | MPOL_MF_MOVE_ALL)) { + if (!vma_migratable(walk->vma)) { + ret = -EIO; + goto unlock; + } + migrate_page_add(page, qp->pagelist, flags); + } else + ret = -EIO; unlock: spin_unlock(ptl); out: @@ -480,8 +494,10 @@ static int queue_pages_pte_range(pmd_t * ptl = pmd_trans_huge_lock(pmd, vma); if (ptl) { ret = queue_pages_pmd(pmd, ptl, addr, end, walk); - if (ret) + if (ret > 0) return 0; + else if (ret < 0) + return ret; } if (pmd_trans_unstable(pmd)) @@ -502,11 +518,16 @@ static int queue_pages_pte_range(pmd_t * continue; if (!queue_pages_required(page, qp)) continue; - migrate_page_add(page, qp->pagelist, flags); + if (flags & (MPOL_MF_MOVE | MPOL_MF_MOVE_ALL)) { + if (!vma_migratable(vma)) + break; + migrate_page_add(page, qp->pagelist, flags); + } else + break; } pte_unmap_unlock(pte - 1, ptl); cond_resched(); - return 0; + return addr != end ? -EIO : 0; } static int queue_pages_hugetlb(pte_t *pte, unsigned long hmask, @@ -576,7 +597,12 @@ static int queue_pages_test_walk(unsigne unsigned long endvma = vma->vm_end; unsigned long flags = qp->flags; - if (!vma_migratable(vma)) + /* + * Need check MPOL_MF_STRICT to return -EIO if possible + * regardless of vma_migratable + */ + if (!vma_migratable(vma) && + !(flags & MPOL_MF_STRICT)) return 1; if (endvma > end) @@ -603,7 +629,7 @@ static int queue_pages_test_walk(unsigne } /* queue pages from current vma */ - if (flags & (MPOL_MF_MOVE | MPOL_MF_MOVE_ALL)) + if (flags & MPOL_MF_VALID) return 0; return 1; } _

6 years, 5 months

1
0
0 0

[patch 09/22] iommu/io-pgtable-arm-v7s: request DMA32 memory, and improve debugging

by akpm＠linux-foundation.org

From: Nicolas Boichat <drinkcat(a)chromium.org> Subject: iommu/io-pgtable-arm-v7s: request DMA32 memory, and improve debugging IOMMUs using ARMv7 short-descriptor format require page tables (level 1 and 2) to be allocated within the first 4GB of RAM, even on 64-bit systems. For level 1/2 pages, ensure GFP_DMA32 is used if CONFIG_ZONE_DMA32 is defined (e.g. on arm64 platforms). For level 2 pages, allocate a slab cache in SLAB_CACHE_DMA32. Note that we do not explicitly pass GFP_DMA[32] to kmem_cache_zalloc, as this is not strictly necessary, and would cause a warning in mm/sl*b.c, as we did not update GFP_SLAB_BUG_MASK. Also, print an error when the physical address does not fit in 32-bit, to make debugging easier in the future. Link: http://lkml.kernel.org/r/20181210011504.122604-3-drinkcat@chromium.org Fixes: ad67f5a6545f ("arm64: replace ZONE_DMA with ZONE_DMA32") Signed-off-by: Nicolas Boichat <drinkcat(a)chromium.org> Acked-by: Will Deacon <will.deacon(a)arm.com> Cc: Christoph Hellwig <hch(a)infradead.org> Cc: Christoph Lameter <cl(a)linux.com> Cc: David Rientjes <rientjes(a)google.com> Cc: Hsin-Yi Wang <hsinyi(a)chromium.org> Cc: Huaisheng Ye <yehs1(a)lenovo.com> Cc: Joerg Roedel <joro(a)8bytes.org> Cc: Joonsoo Kim <iamjoonsoo.kim(a)lge.com> Cc: Matthew Wilcox <willy(a)infradead.org> Cc: Matthias Brugger <matthias.bgg(a)gmail.com> Cc: Mel Gorman <mgorman(a)techsingularity.net> Cc: Michal Hocko <mhocko(a)suse.com> Cc: Mike Rapoport <rppt(a)linux.vnet.ibm.com> Cc: Pekka Enberg <penberg(a)kernel.org> Cc: Robin Murphy <robin.murphy(a)arm.com> Cc: Sasha Levin <Alexander.Levin(a)microsoft.com> Cc: Tomasz Figa <tfiga(a)google.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Yingjoe Chen <yingjoe.chen(a)mediatek.com> Cc: Yong Wu <yong.wu(a)mediatek.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- drivers/iommu/io-pgtable-arm-v7s.c | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) --- a/drivers/iommu/io-pgtable-arm-v7s.c~iommu-io-pgtable-arm-v7s-request-dma32-memory-and-improve-debugging +++ a/drivers/iommu/io-pgtable-arm-v7s.c @@ -160,6 +160,14 @@ #define ARM_V7S_TCR_PD1 BIT(5) +#ifdef CONFIG_ZONE_DMA32 +#define ARM_V7S_TABLE_GFP_DMA GFP_DMA32 +#define ARM_V7S_TABLE_SLAB_FLAGS SLAB_CACHE_DMA32 +#else +#define ARM_V7S_TABLE_GFP_DMA GFP_DMA +#define ARM_V7S_TABLE_SLAB_FLAGS SLAB_CACHE_DMA +#endif + typedef u32 arm_v7s_iopte; static bool selftest_running; @@ -197,13 +205,16 @@ static void *__arm_v7s_alloc_table(int l void *table = NULL; if (lvl == 1) - table = (void *)__get_dma_pages(__GFP_ZERO, get_order(size)); + table = (void *)__get_free_pages( + __GFP_ZERO | ARM_V7S_TABLE_GFP_DMA, get_order(size)); else if (lvl == 2) - table = kmem_cache_zalloc(data->l2_tables, gfp | GFP_DMA); + table = kmem_cache_zalloc(data->l2_tables, gfp); phys = virt_to_phys(table); - if (phys != (arm_v7s_iopte)phys) + if (phys != (arm_v7s_iopte)phys) { /* Doesn't fit in PTE */ + dev_err(dev, "Page table does not fit in PTE: %pa", &phys); goto out_free; + } if (table && !(cfg->quirks & IO_PGTABLE_QUIRK_NO_DMA)) { dma = dma_map_single(dev, table, size, DMA_TO_DEVICE); if (dma_mapping_error(dev, dma)) @@ -733,7 +744,7 @@ static struct io_pgtable *arm_v7s_alloc_ data->l2_tables = kmem_cache_create("io-pgtable_armv7s_l2", ARM_V7S_TABLE_SIZE(2), ARM_V7S_TABLE_SIZE(2), - SLAB_CACHE_DMA, NULL); + ARM_V7S_TABLE_SLAB_FLAGS, NULL); if (!data->l2_tables) goto out_free_data; _

6 years, 5 months

1
0
0 0

[patch 07/22] ocfs2: fix inode bh swapping mixup in ocfs2_reflink_inodes_lock

by akpm＠linux-foundation.org

From: Darrick J. Wong <darrick.wong(a)oracle.com> Subject: ocfs2: fix inode bh swapping mixup in ocfs2_reflink_inodes_lock ocfs2_reflink_inodes_lock() can swap the inode1/inode2 variables so that we always grab cluster locks in order of increasing inode number. Unfortunately, we forget to swap the inode record buffer head pointers when we've done this, which leads to incorrect bookkeepping when we're trying to make the two inodes have the same refcount tree. This has the effect of causing filesystem shutdowns if you're trying to reflink data from inode 100 into inode 97, where inode 100 already has a refcount tree attached and inode 97 doesn't. The reflink code decides to copy the refcount tree pointer from 100 to 97, but uses inode 97's inode record to open the tree root (which it doesn't have) and blows up. This issue causes filesystem shutdowns and metadata corruption! Link: http://lkml.kernel.org/r/20190312214910.GK20533@magnolia Fixes: 29ac8e856cb369 ("ocfs2: implement the VFS clone_range, copy_range, and dedupe_range features") Signed-off-by: Darrick J. Wong <darrick.wong(a)oracle.com> Reviewed-by: Joseph Qi <jiangqi903(a)gmail.com> Cc: Mark Fasheh <mfasheh(a)versity.com> Cc: Joel Becker <jlbec(a)evilplan.org> Cc: Junxiao Bi <junxiao.bi(a)oracle.com> Cc: Joseph Qi <joseph.qi(a)huawei.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/ocfs2/refcounttree.c | 42 +++++++++++++++++++++----------------- 1 file changed, 24 insertions(+), 18 deletions(-) --- a/fs/ocfs2/refcounttree.c~ocfs2-fix-inode-bh-swapping-mixup-in-ocfs2_reflink_inodes_lock +++ a/fs/ocfs2/refcounttree.c @@ -4719,22 +4719,23 @@ out: /* Lock an inode and grab a bh pointing to the inode. */ int ocfs2_reflink_inodes_lock(struct inode *s_inode, - struct buffer_head **bh1, + struct buffer_head **bh_s, struct inode *t_inode, - struct buffer_head **bh2) + struct buffer_head **bh_t) { - struct inode *inode1; - struct inode *inode2; + struct inode *inode1 = s_inode; + struct inode *inode2 = t_inode; struct ocfs2_inode_info *oi1; struct ocfs2_inode_info *oi2; + struct buffer_head *bh1 = NULL; + struct buffer_head *bh2 = NULL; bool same_inode = (s_inode == t_inode); + bool need_swap = (inode1->i_ino > inode2->i_ino); int status; /* First grab the VFS and rw locks. */ lock_two_nondirectories(s_inode, t_inode); - inode1 = s_inode; - inode2 = t_inode; - if (inode1->i_ino > inode2->i_ino) + if (need_swap) swap(inode1, inode2); status = ocfs2_rw_lock(inode1, 1); @@ -4757,17 +4758,13 @@ int ocfs2_reflink_inodes_lock(struct ino trace_ocfs2_double_lock((unsigned long long)oi1->ip_blkno, (unsigned long long)oi2->ip_blkno); - if (*bh1) - *bh1 = NULL; - if (*bh2) - *bh2 = NULL; - /* We always want to lock the one with the lower lockid first. */ if (oi1->ip_blkno > oi2->ip_blkno) mlog_errno(-ENOLCK); /* lock id1 */ - status = ocfs2_inode_lock_nested(inode1, bh1, 1, OI_LS_REFLINK_TARGET); + status = ocfs2_inode_lock_nested(inode1, &bh1, 1, + OI_LS_REFLINK_TARGET); if (status < 0) { if (status != -ENOENT) mlog_errno(status); @@ -4776,15 +4773,25 @@ int ocfs2_reflink_inodes_lock(struct ino /* lock id2 */ if (!same_inode) { - status = ocfs2_inode_lock_nested(inode2, bh2, 1, + status = ocfs2_inode_lock_nested(inode2, &bh2, 1, OI_LS_REFLINK_TARGET); if (status < 0) { if (status != -ENOENT) mlog_errno(status); goto out_cl1; } - } else - *bh2 = *bh1; + } else { + bh2 = bh1; + } + + /* + * If we swapped inode order above, we have to swap the buffer heads + * before passing them back to the caller. + */ + if (need_swap) + swap(bh1, bh2); + *bh_s = bh1; + *bh_t = bh2; trace_ocfs2_double_lock_end( (unsigned long long)oi1->ip_blkno, @@ -4794,8 +4801,7 @@ int ocfs2_reflink_inodes_lock(struct ino out_cl1: ocfs2_inode_unlock(inode1, 1); - brelse(*bh1); - *bh1 = NULL; + brelse(bh1); out_rw2: ocfs2_rw_unlock(inode2, 1); out_i2: _

6 years, 5 months

1
0
0 0

[patch 06/22] mm/hotplug: fix offline undo_isolate_page_range()

by akpm＠linux-foundation.org

From: Qian Cai <cai(a)lca.pw> Subject: mm/hotplug: fix offline undo_isolate_page_range() f1dd2cd13c4b ("mm, memory_hotplug: do not associate hotadded memory to zones until online") introduced move_pfn_range_to_zone() which calls memmap_init_zone() during onlining a memory block. memmap_init_zone() will reset pagetype flags and makes migrate type to be MOVABLE. However, in __offline_pages(), it also call undo_isolate_page_range() after offline_isolated_pages() to do the same thing. Due to 2ce13640b3f4 ("mm: __first_valid_page skip over offline pages") changed __first_valid_page() to skip offline pages, undo_isolate_page_range() here just waste CPU cycles looping around the offlining PFN range while doing nothing, because __first_valid_page() will return NULL as offline_isolated_pages() has already marked all memory sections within the pfn range as offline via offline_mem_sections(). Also, after calling the "useless" undo_isolate_page_range() here, it reaches the point of no returning by notifying MEM_OFFLINE. Those pages will be marked as MIGRATE_MOVABLE again once onlining. The only thing left to do is to decrease the number of isolated pageblocks zone counter which would make some paths of the page allocation slower that the above commit introduced. Even if alloc_contig_range() can be used to isolate 16GB-hugetlb pages on ppc64, an "int" should still be enough to represent the number of pageblocks there. Fix an incorrect comment along the way. [cai(a)lca.pw: v4] Link: http://lkml.kernel.org/r/20190314150641.59358-1-cai@lca.pw Link: http://lkml.kernel.org/r/20190313143133.46200-1-cai@lca.pw Fixes: 2ce13640b3f4 ("mm: __first_valid_page skip over offline pages") Signed-off-by: Qian Cai <cai(a)lca.pw> Acked-by: Michal Hocko <mhocko(a)suse.com> Reviewed-by: Oscar Salvador <osalvador(a)suse.de> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: <stable(a)vger.kernel.org> [4.13+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/page-isolation.h | 10 ------ mm/memory_hotplug.c | 17 ++++++++-- mm/page_alloc.c | 2 - mm/page_isolation.c | 48 +++++++++++++++++++------------ mm/sparse.c | 2 - 5 files changed, 45 insertions(+), 34 deletions(-) --- a/include/linux/page-isolation.h~mm-hotplug-fix-offline-undo_isolate_page_range +++ a/include/linux/page-isolation.h @@ -41,16 +41,6 @@ int move_freepages_block(struct zone *zo /* * Changes migrate type in [start_pfn, end_pfn) to be MIGRATE_ISOLATE. - * If specified range includes migrate types other than MOVABLE or CMA, - * this will fail with -EBUSY. - * - * For isolating all pages in the range finally, the caller have to - * free all pages in the range. test_page_isolated() can be used for - * test it. - * - * The following flags are allowed (they can be combined in a bit mask) - * SKIP_HWPOISON - ignore hwpoison pages - * REPORT_FAILURE - report details about the failure to isolate the range */ int start_isolate_page_range(unsigned long start_pfn, unsigned long end_pfn, --- a/mm/memory_hotplug.c~mm-hotplug-fix-offline-undo_isolate_page_range +++ a/mm/memory_hotplug.c @@ -1576,7 +1576,7 @@ static int __ref __offline_pages(unsigne { unsigned long pfn, nr_pages; long offlined_pages; - int ret, node; + int ret, node, nr_isolate_pageblock; unsigned long flags; unsigned long valid_start, valid_end; struct zone *zone; @@ -1602,10 +1602,11 @@ static int __ref __offline_pages(unsigne ret = start_isolate_page_range(start_pfn, end_pfn, MIGRATE_MOVABLE, SKIP_HWPOISON | REPORT_FAILURE); - if (ret) { + if (ret < 0) { reason = "failure to isolate range"; goto failed_removal; } + nr_isolate_pageblock = ret; arg.start_pfn = start_pfn; arg.nr_pages = nr_pages; @@ -1657,8 +1658,16 @@ static int __ref __offline_pages(unsigne /* Ok, all of our target is isolated. We cannot do rollback at this point. */ offline_isolated_pages(start_pfn, end_pfn); - /* reset pagetype flags and makes migrate type to be MOVABLE */ - undo_isolate_page_range(start_pfn, end_pfn, MIGRATE_MOVABLE); + + /* + * Onlining will reset pagetype flags and makes migrate type + * MOVABLE, so just need to decrease the number of isolated + * pageblocks zone counter here. + */ + spin_lock_irqsave(&zone->lock, flags); + zone->nr_isolate_pageblock -= nr_isolate_pageblock; + spin_unlock_irqrestore(&zone->lock, flags); + /* removal success */ adjust_managed_page_count(pfn_to_page(start_pfn), -offlined_pages); zone->present_pages -= offlined_pages; --- a/mm/page_alloc.c~mm-hotplug-fix-offline-undo_isolate_page_range +++ a/mm/page_alloc.c @@ -8233,7 +8233,7 @@ int alloc_contig_range(unsigned long sta ret = start_isolate_page_range(pfn_max_align_down(start), pfn_max_align_up(end), migratetype, 0); - if (ret) + if (ret < 0) return ret; /* --- a/mm/page_isolation.c~mm-hotplug-fix-offline-undo_isolate_page_range +++ a/mm/page_isolation.c @@ -160,27 +160,36 @@ __first_valid_page(unsigned long pfn, un return NULL; } -/* - * start_isolate_page_range() -- make page-allocation-type of range of pages - * to be MIGRATE_ISOLATE. - * @start_pfn: The lower PFN of the range to be isolated. - * @end_pfn: The upper PFN of the range to be isolated. - * @migratetype: migrate type to set in error recovery. +/** + * start_isolate_page_range() - make page-allocation-type of range of pages to + * be MIGRATE_ISOLATE. + * @start_pfn: The lower PFN of the range to be isolated. + * @end_pfn: The upper PFN of the range to be isolated. + * start_pfn/end_pfn must be aligned to pageblock_order. + * @migratetype: Migrate type to set in error recovery. + * @flags: The following flags are allowed (they can be combined in + * a bit mask) + * SKIP_HWPOISON - ignore hwpoison pages + * REPORT_FAILURE - report details about the failure to + * isolate the range * * Making page-allocation-type to be MIGRATE_ISOLATE means free pages in * the range will never be allocated. Any free pages and pages freed in the - * future will not be allocated again. - * - * start_pfn/end_pfn must be aligned to pageblock_order. - * Return 0 on success and -EBUSY if any part of range cannot be isolated. + * future will not be allocated again. If specified range includes migrate types + * other than MOVABLE or CMA, this will fail with -EBUSY. For isolating all + * pages in the range finally, the caller have to free all pages in the range. + * test_page_isolated() can be used for test it. * * There is no high level synchronization mechanism that prevents two threads - * from trying to isolate overlapping ranges. If this happens, one thread + * from trying to isolate overlapping ranges. If this happens, one thread * will notice pageblocks in the overlapping range already set to isolate. * This happens in set_migratetype_isolate, and set_migratetype_isolate - * returns an error. We then clean up by restoring the migration type on - * pageblocks we may have modified and return -EBUSY to caller. This + * returns an error. We then clean up by restoring the migration type on + * pageblocks we may have modified and return -EBUSY to caller. This * prevents two threads from simultaneously working on overlapping ranges. + * + * Return: the number of isolated pageblocks on success and -EBUSY if any part + * of range cannot be isolated. */ int start_isolate_page_range(unsigned long start_pfn, unsigned long end_pfn, unsigned migratetype, int flags) @@ -188,6 +197,7 @@ int start_isolate_page_range(unsigned lo unsigned long pfn; unsigned long undo_pfn; struct page *page; + int nr_isolate_pageblock = 0; BUG_ON(!IS_ALIGNED(start_pfn, pageblock_nr_pages)); BUG_ON(!IS_ALIGNED(end_pfn, pageblock_nr_pages)); @@ -196,13 +206,15 @@ int start_isolate_page_range(unsigned lo pfn < end_pfn; pfn += pageblock_nr_pages) { page = __first_valid_page(pfn, pageblock_nr_pages); - if (page && - set_migratetype_isolate(page, migratetype, flags)) { - undo_pfn = pfn; - goto undo; + if (page) { + if (set_migratetype_isolate(page, migratetype, flags)) { + undo_pfn = pfn; + goto undo; + } + nr_isolate_pageblock++; } } - return 0; + return nr_isolate_pageblock; undo: for (pfn = start_pfn; pfn < undo_pfn; --- a/mm/sparse.c~mm-hotplug-fix-offline-undo_isolate_page_range +++ a/mm/sparse.c @@ -567,7 +567,7 @@ void online_mem_sections(unsigned long s } #ifdef CONFIG_MEMORY_HOTREMOVE -/* Mark all memory sections within the pfn range as online */ +/* Mark all memory sections within the pfn range as offline */ void offline_mem_sections(unsigned long start_pfn, unsigned long end_pfn) { unsigned long pfn; _

6 years, 5 months

1
0
0 0

[patch 05/22] fs/open.c: allow opening only regular files during execve()

by akpm＠linux-foundation.org

From: Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> Subject: fs/open.c: allow opening only regular files during execve() syzbot is hitting lockdep warning [1] due to trying to open a fifo during an execve() operation. But we don't need to open non regular files during an execve() operation, for all files which we will need are the executable file itself and the interpreter programs like /bin/sh and ld-linux.so.2 . Since the manpage for execve(2) says that execve() returns EACCES when the file or a script interpreter is not a regular file, and the manpage for uselib(2) says that uselib() can return EACCES, and we use FMODE_EXEC when opening for execve()/uselib(), we can bail out if a non regular file is requested with FMODE_EXEC set. Since this deadlock followed by khungtaskd warnings is trivially reproducible by a local unprivileged user, and syzbot's frequent crash due to this deadlock defers finding other bugs, let's workaround this deadlock until we get a chance to find a better solution. [1] https://syzkaller.appspot.com/bug?id=b5095bfec44ec84213bac54742a82483aad578… Link: http://lkml.kernel.org/r/1552044017-7890-1-git-send-email-penguin-kernel@I-… Reported-by: syzbot <syzbot+e93a80c1bb7c5c56e522461c149f8bf55eab1b2b(a)syzkaller.appspotmail.com> Fixes: 8924feff66f35fe2 ("splice: lift pipe_lock out of splice_to_pipe()") Signed-off-by: Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> Acked-by: Kees Cook <keescook(a)chromium.org> Cc: Al Viro <viro(a)zeniv.linux.org.uk> Cc: Eric Biggers <ebiggers3(a)gmail.com> Cc: Dmitry Vyukov <dvyukov(a)google.com> Cc: <stable(a)vger.kernel.org> [4.9+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/open.c | 6 ++++++ 1 file changed, 6 insertions(+) --- a/fs/open.c~fs-allow-opening-only-regular-files-during-execve +++ a/fs/open.c @@ -733,6 +733,12 @@ static int do_dentry_open(struct file *f return 0; } + /* Any file opened for execve()/uselib() has to be a regular file. */ + if (unlikely(f->f_flags & FMODE_EXEC && !S_ISREG(inode->i_mode))) { + error = -EACCES; + goto cleanup_file; + } + if (f->f_mode & FMODE_WRITE && !special_file(inode->i_mode)) { error = get_write_access(inode); if (unlikely(error)) _

6 years, 5 months

1
0
0 0

[patch 02/22] mm/memory.c: fix modifying of page protection by insert_pfn()

by akpm＠linux-foundation.org

From: Jan Kara <jack(a)suse.cz> Subject: mm/memory.c: fix modifying of page protection by insert_pfn() Aneesh has reported that PPC triggers the following warning when excercising DAX code: [c00000000007610c] set_pte_at+0x3c/0x190 LR [c000000000378628] insert_pfn+0x208/0x280 Call Trace: [c0000002125df980] [8000000000000104] 0x8000000000000104 (unreliable) [c0000002125df9c0] [c000000000378488] insert_pfn+0x68/0x280 [c0000002125dfa30] [c0000000004a5494] dax_iomap_pte_fault.isra.7+0x734/0xa40 [c0000002125dfb50] [c000000000627250] __xfs_filemap_fault+0x280/0x2d0 [c0000002125dfbb0] [c000000000373abc] do_wp_page+0x48c/0xa40 [c0000002125dfc00] [c000000000379170] __handle_mm_fault+0x8d0/0x1fd0 [c0000002125dfd00] [c00000000037a9b0] handle_mm_fault+0x140/0x250 [c0000002125dfd40] [c000000000074bb0] __do_page_fault+0x300/0xd60 [c0000002125dfe20] [c00000000000acf4] handle_page_fault+0x18 Now that is WARN_ON in set_pte_at which is VM_WARN_ON(pte_hw_valid(*ptep) && !pte_protnone(*ptep)); The problem is that on some architectures set_pte_at() cannot cope with a situation where there is already some (different) valid entry present. Use ptep_set_access_flags() instead to modify the pfn which is built to deal with modifying existing PTE. Link: http://lkml.kernel.org/r/20190311084537.16029-1-jack@suse.cz Fixes: b2770da64254 "mm: add vm_insert_mixed_mkwrite()" Signed-off-by: Jan Kara <jack(a)suse.cz> Reported-by: "Aneesh Kumar K.V" <aneesh.kumar(a)linux.ibm.com> Reviewed-by: Aneesh Kumar K.V <aneesh.kumar(a)linux.ibm.com> Acked-by: Dan Williams <dan.j.williams(a)intel.com> Cc: Chandan Rajendra <chandan(a)linux.ibm.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/memory.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) --- a/mm/memory.c~mm-fix-modifying-of-page-protection-by-insert_pfn +++ a/mm/memory.c @@ -1549,10 +1549,12 @@ static vm_fault_t insert_pfn(struct vm_a WARN_ON_ONCE(!is_zero_pfn(pte_pfn(*pte))); goto out_unlock; } - entry = *pte; - goto out_mkwrite; - } else - goto out_unlock; + entry = pte_mkyoung(*pte); + entry = maybe_mkwrite(pte_mkdirty(entry), vma); + if (ptep_set_access_flags(vma, addr, pte, entry, 1)) + update_mmu_cache(vma, addr, pte); + } + goto out_unlock; } /* Ok, finally just insert the thing.. */ @@ -1561,7 +1563,6 @@ static vm_fault_t insert_pfn(struct vm_a else entry = pte_mkspecial(pfn_t_pte(pfn, prot)); -out_mkwrite: if (mkwrite) { entry = pte_mkyoung(entry); entry = maybe_mkwrite(pte_mkdirty(entry), vma); _

6 years, 5 months

1
0
0 0

[PATCH v2 1/2] mtd: maps: physmap: Store gpio_values correctly

by Chris Packham

When the gpio-addr-flash.c driver was merged with physmap-core.c the code to store the current gpio_values was lost. This meant that once a gpio was asserted it was never de-asserted. Fix this by storing the current offset in gpio_values like the old driver used to. Fixes: commit ba32ce95cbd9 ("mtd: maps: Merge gpio-addr-flash.c into physmap-core.c") Cc: <stable(a)vger.kernel.org> Signed-off-by: Chris Packham <chris.packham(a)alliedtelesis.co.nz> Reviewed-by: Boris Brezillon <boris.brezillon(a)collabora.com> --- Changes in v2: - Cc stable, add Boris' review drivers/mtd/maps/physmap-core.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/mtd/maps/physmap-core.c b/drivers/mtd/maps/physmap-core.c index d9a3e4bebe5d..21b556afc305 100644 --- a/drivers/mtd/maps/physmap-core.c +++ b/drivers/mtd/maps/physmap-core.c @@ -132,6 +132,8 @@ static void physmap_set_addr_gpios(struct physmap_flash_info *info, gpiod_set_value(info->gpios->desc[i], !!(BIT(i) & ofs)); } + + info->gpio_values = ofs; } #define win_mask(order) (BIT(order) - 1) -- 2.21.0

6 years, 5 months

1
0
0 0

✅ PASS: Stable queue: queue-5.0

by CKI Project

Hello, We ran automated tests on a patchset that was proposed for merging into this kernel tree. The patches were applied to: Kernel repo: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git Commit: 1f6f316a537d - Linux 5.0.5 The results of these automated tests are provided below. Overall result: PASSED Merge: OK Compile: OK Tests: OK Please reply to this email if you have any questions about the tests that we ran or if you have any suggestions on how to make future tests more effective. ,-. ,-. ( C ) ( K ) Continuous `-',-.`-' Kernel ( I ) Integration `-' ______________________________________________________________________________ Merge testing ------------- We cloned this repository and checked out a ref: Repo: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git Ref: 1f6f316a537d - Linux 5.0.5 We then merged the patchset with `git am`: bluetooth-check-l2cap-option-sizes-returned-from-l2cap_get_conf_opt.patch bluetooth-verify-that-l2cap_get_conf_opt-provides-large-enough-buffer.patch netfilter-nf_tables-fix-set-double-free-in-abort-pat.patch dccp-do-not-use-ipv6-header-for-ipv4-flow.patch genetlink-fix-a-memory-leak-on-error-path.patch gtp-change-net_udp_tunnel-dependency-to-select.patch ipv6-make-ip6_create_rt_rcu-return-ip6_null_entry-instead-of-null.patch mac8390-fix-mmio-access-size-probe.patch misdn-hfcpci-test-both-vendor-device-id-for-digium-hfc4s.patch net-aquantia-fix-rx-checksum-offload-for-udp-tcp-over-ipv6.patch net-datagram-fix-unbounded-loop-in-__skb_try_recv_datagram.patch net-packet-set-__gfp_nowarn-upon-allocation-in-alloc_pg_vec.patch net-phy-meson-gxl-fix-interrupt-support.patch net-rose-fix-a-possible-stack-overflow.patch net-stmmac-fix-memory-corruption-with-large-mtus.patch net-sysfs-call-dev_hold-if-kobject_init_and_add-success.patch net-sysfs-fix-memory-leak-in-netdev_register_kobject.patch net-usb-aqc111-extend-hwid-table-by-qnap-device.patch packets-always-register-packet-sk-in-the-same-order.patch rhashtable-still-do-rehash-when-we-get-eexist.patch sctp-get-sctphdr-by-offset-in-sctp_compute_cksum.patch sctp-use-memdup_user-instead-of-vmemdup_user.patch tcp-do-not-use-ipv6-header-for-ipv4-flow.patch tipc-allow-service-ranges-to-be-connect-ed-on-rdm-dgram.patch tipc-change-to-check-tipc_own_id-to-return-in-tipc_net_stop.patch tipc-fix-cancellation-of-topology-subscriptions.patch tun-properly-test-for-iff_up.patch vrf-prevent-adding-upper-devices.patch vxlan-don-t-call-gro_cells_destroy-before-device-is-unregistered.patch thunderx-enable-page-recycling-for-non-xdp-case.patch thunderx-eliminate-extra-calls-to-put_page-for-pages-held-for-recycling.patch net-dsa-mv88e6xxx-fix-few-issues-in-mv88e6390x_port_set_cmode.patch net-mii-fix-pause-cap-advertisement-from-linkmode_adv_to_lcl_adv_t-helper.patch net-phy-don-t-clear-bmcr-in-genphy_soft_reset.patch r8169-fix-cable-re-plugging-issue.patch ila-fix-rhashtable-walker-list-corruption.patch Compile testing --------------- We compiled the kernel for 3 architectures: aarch64: make options: make INSTALL_MOD_STRIP=1 -j64 targz-pkg -j64 configuration: https://artifacts.cki-project.org/builds/aarch64/61675e3017f8384e70a9d7c03e… kernel build: https://artifacts.cki-project.org/builds/aarch64/61675e3017f8384e70a9d7c03e… ppc64le: make options: make INSTALL_MOD_STRIP=1 -j64 targz-pkg -j64 configuration: https://artifacts.cki-project.org/builds/ppc64le/24fcf0140e877669a1a30e5961… kernel build: https://artifacts.cki-project.org/builds/ppc64le/24fcf0140e877669a1a30e5961… x86_64: make options: make INSTALL_MOD_STRIP=1 -j64 targz-pkg -j64 configuration: https://artifacts.cki-project.org/builds/x86_64/151946f5db94e46f223b5566ab4… kernel build: https://artifacts.cki-project.org/builds/x86_64/151946f5db94e46f223b5566ab4… Hardware testing ---------------- We booted each kernel and ran the following tests: aarch64: ✅ Boot test [0] ✅ LTP lite - release 20190115 [1] ✅ AMTU (Abstract Machine Test Utility) [2] 🚧 ✅ Networking route: pmtu [3] 🚧 ❎ audit: audit testsuite test [4] ✅ httpd: mod_ssl smoke sanity [5] ✅ httpd: php sanity [6] 🚧 ✅ iotop: sanity [7] 🚧 ✅ /CoreOS/net-snmp/Regression/bz251332-tcp-transport 🚧 ✅ tuned: tune-processes-through-perf [8] ppc64le: ✅ Boot test [0] ✅ LTP lite - release 20190115 [1] ✅ AMTU (Abstract Machine Test Utility) [2] 🚧 ✅ Networking route: pmtu [3] 🚧 ❎ audit: audit testsuite test [4] ✅ httpd: mod_ssl smoke sanity [5] ✅ httpd: php sanity [6] 🚧 ✅ iotop: sanity [7] 🚧 ✅ /CoreOS/net-snmp/Regression/bz251332-tcp-transport 🚧 ✅ selinux-policy: serge-testsuite [9] 🚧 ✅ tuned: tune-processes-through-perf [8] x86_64: ✅ Boot test [0] ✅ LTP lite - release 20190115 [1] ✅ AMTU (Abstract Machine Test Utility) [2] 🚧 ✅ Networking route: pmtu [3] 🚧 ❎ audit: audit testsuite test [4] ✅ httpd: mod_ssl smoke sanity [5] ✅ httpd: php sanity [6] 🚧 ✅ iotop: sanity [7] 🚧 ✅ /CoreOS/net-snmp/Regression/bz251332-tcp-transport 🚧 ✅ selinux-policy: serge-testsuite [9] 🚧 ✅ tuned: tune-processes-through-perf [8] Test source: [0]: https://github.com/CKI-project/tests-beaker/archive/master.zip#distribution… [1]: https://github.com/CKI-project/tests-beaker/archive/master.zip#distribution… [2]: https://github.com/CKI-project/tests-beaker/archive/master.zip#misc/amtu [3]: https://github.com/CKI-project/tests-beaker/archive/master.zip#/networking/… [4]: https://github.com/CKI-project/tests-beaker/archive/master.zip#packages/aud… [5]: https://github.com/CKI-project/tests-beaker/archive/master.zip#packages/htt… [6]: https://github.com/CKI-project/tests-beaker/archive/master.zip#packages/htt… [7]: https://github.com/CKI-project/tests-beaker/archive/master.zip#packages/iot… [8]: https://github.com/CKI-project/tests-beaker/archive/master.zip#packages/tun… [9]: https://github.com/CKI-project/tests-beaker/archive/master.zip#/packages/se… Waived tests (marked with 🚧) ----------------------------- This test run included waived tests. Such tests are executed but their results are not taken into account. Tests are waived when their results are not reliable enough, e.g. when they're just introduced or are being fixed.

6 years, 5 months

1
0
0 0

[PATCH] usb: typec: mux: Store module handle

by Heikki Krogerus

It is possible that the driver of the mux device has been unbind by the time typec_mux_put() or typec_switch_put() is called. To prevent the NULL Pointer Dereference from happening in this case when decrementing the reference count of the module by using dev->driver->owner, storing the module handle to the mux and switch data structures, and using the stored value instead. Fixes: ("3e3b81965cbf usb: typec: mux: Take care of driver module reference counting") Cc: stable(a)vger.kernel.org Signed-off-by: Heikki Krogerus <heikki.krogerus(a)linux.intel.com> --- drivers/usb/typec/mux.c | 10 ++++++---- include/linux/usb/typec_mux.h | 2 ++ 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/drivers/usb/typec/mux.c b/drivers/usb/typec/mux.c index 2ce54f3fc79c..617687c4eb20 100644 --- a/drivers/usb/typec/mux.c +++ b/drivers/usb/typec/mux.c @@ -63,7 +63,8 @@ struct typec_switch *typec_switch_get(struct device *dev) sw = device_connection_find_match(dev, "orientation-switch", NULL, typec_switch_match); if (!IS_ERR_OR_NULL(sw)) { - WARN_ON(!try_module_get(sw->dev->driver->owner)); + sw->module = sw->dev->driver->owner; + WARN_ON(!try_module_get(sw->module)); get_device(sw->dev); } mutex_unlock(&switch_lock); @@ -81,7 +82,7 @@ EXPORT_SYMBOL_GPL(typec_switch_get); void typec_switch_put(struct typec_switch *sw) { if (!IS_ERR_OR_NULL(sw)) { - module_put(sw->dev->driver->owner); + module_put(sw->module); put_device(sw->dev); } } @@ -206,7 +207,8 @@ struct typec_mux *typec_mux_get(struct device *dev, mux = device_connection_find_match(dev, "mode-switch", (void *)desc, typec_mux_match); if (!IS_ERR_OR_NULL(mux)) { - WARN_ON(!try_module_get(mux->dev->driver->owner)); + mux->module = mux->dev->driver->owner; + WARN_ON(!try_module_get(mux->module)); get_device(mux->dev); } mutex_unlock(&mux_lock); @@ -224,7 +226,7 @@ EXPORT_SYMBOL_GPL(typec_mux_get); void typec_mux_put(struct typec_mux *mux) { if (!IS_ERR_OR_NULL(mux)) { - module_put(mux->dev->driver->owner); + module_put(mux->module); put_device(mux->dev); } } diff --git a/include/linux/usb/typec_mux.h b/include/linux/usb/typec_mux.h index 43f40685e53c..b31498020bf3 100644 --- a/include/linux/usb/typec_mux.h +++ b/include/linux/usb/typec_mux.h @@ -20,6 +20,7 @@ struct device; */ struct typec_switch { struct device *dev; + struct module *module; struct list_head entry; int (*set)(struct typec_switch *sw, enum typec_orientation orientation); @@ -37,6 +38,7 @@ struct typec_switch { */ struct typec_mux { struct device *dev; + struct module *module; struct list_head entry; int (*set)(struct typec_mux *mux, int state); -- 2.20.1

6 years, 5 months

2
2
0 0

[PATCH] perf pmu: Fix parser error for uncore event alias

by kan.liang＠linux.intel.com

From: Kan Liang <kan.liang(a)linux.intel.com> Perf fails to parse uncore event alias, for example: #perf stat -e unc_m_clockticks -a --no-merge sleep 1 event syntax error: 'unc_m_clockticks' \___ parser error Current code assumes that the event alias is from one specific PMU. To find the PMU, perf strcmp the pmu name of event alias with the real pmu name on the system. However, the uncore event alias may be from multiple PMUs with common prefix. The pmu name of uncore event alias is the common prefix. For example, UNC_M_CLOCKTICKS is clock event for iMC, which include 6 PMUs with the same prefix "uncore_imc" on a skylake server. The real pmu names on the system for iMC are uncore_imc_0 ... uncore_imc_5. The strncmp is used to only check the common prefix for uncore event alias. With the patch, #perf stat -e unc_m_clockticks -a --no-merge sleep 1 Performance counter stats for 'system wide': 723,594,722 unc_m_clockticks [uncore_imc_5] 724,001,954 unc_m_clockticks [uncore_imc_3] 724,042,655 unc_m_clockticks [uncore_imc_1] 724,161,001 unc_m_clockticks [uncore_imc_4] 724,293,713 unc_m_clockticks [uncore_imc_2] 724,340,901 unc_m_clockticks [uncore_imc_0] 1.002090060 seconds time elapsed Signed-off-by: Kan Liang <kan.liang(a)linux.intel.com> Cc: Thomas Richter <tmricht(a)linux.ibm.com> Cc: stable(a)vger.kernel.org Fixes: ea1fa48c055f ("perf stat: Handle different PMU names with common prefix") --- tools/perf/util/pmu.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/tools/perf/util/pmu.c b/tools/perf/util/pmu.c index 51d437f..395308f 100644 --- a/tools/perf/util/pmu.c +++ b/tools/perf/util/pmu.c @@ -732,10 +732,20 @@ static void pmu_add_cpu_aliases(struct list_head *head, struct perf_pmu *pmu) if (!is_arm_pmu_core(name)) { pname = pe->pmu ? pe->pmu : "cpu"; + + /* + * uncore alias may be from different PMU + * with common prefix + */ + if (pmu_is_uncore(name) && + !strncmp(pname, name, strlen(pname))) + goto new_alias; + if (strcmp(pname, name)) continue; } +new_alias: /* need type casts to override 'const' */ __perf_pmu__new_alias(head, NULL, (char *)pe->name, (char *)pe->desc, (char *)pe->event, -- 2.7.4

6 years, 5 months

4
3
0 0

[PATCH 3.18 000/134] 3.18.137-stable review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 3.18.137 release. There are 134 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sun Mar 24 11:10:54 UTC 2019. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v3.x/stable-review/patch-3.18.137-r… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-3.18.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 3.18.137-rc1 Gustavo A. R. Silva <gustavo(a)embeddedor.com> drm/radeon/evergreen_cs: fix missing break in switch statement Sakari Ailus <sakari.ailus(a)linux.intel.com> media: uvcvideo: Avoid NULL pointer dereference at the end of streaming Zhang, Jun <jun.zhang(a)intel.com> rcu: Do RCU GP kthread self-wakeup from softirq and interrupt Aditya Pakki <pakki001(a)umn.edu> md: Fix failed allocation of md_register_thread Yihao Wu <wuyihao(a)linux.alibaba.com> nfsd: fix wrong check in write_v4_end_grace() NeilBrown <neilb(a)suse.com> nfsd: fix memory corruption caused by readdir Gustavo A. R. Silva <gustavo(a)embeddedor.com> ARM: s3c24xx: Fix boolean expressions in osiris_dvs_notify Christophe Leroy <christophe.leroy(a)c-s.fr> powerpc/83xx: Also save/restore SPRG4-7 during suspend Jordan Niethe <jniethe5(a)gmail.com> powerpc/powernv: Make opal log only readable by root Christophe Leroy <christophe.leroy(a)c-s.fr> powerpc/wii: properly disable use of BATs when requested. Christophe Leroy <christophe.leroy(a)c-s.fr> powerpc/32: Clear on-stack exception marker upon exception return zhangyi (F) <yi.zhang(a)huawei.com> jbd2: clear dirty flag when revoking a buffer from an older transaction QiaoChong <qiaochong(a)loongson.cn> parport_pc: fix find_superio io compare code, should use equal test. Zev Weiss <zev(a)bewilderbeest.net> kernel/sysctl.c: add missing range check in do_proc_dointvec_minmax_conv Roman Penyaev <rpenyaev(a)suse.de> mm/vmalloc: fix size check for remap_vmalloc_range_partial() Jan Kara <jack(a)suse.cz> ext2: Fix underflow in ext2_max_size() Jan Kara <jack(a)suse.cz> ext4: fix crash during online resizing Arnd Bergmann <arnd(a)arndb.de> cpufreq: pxa2xx: remove incorrect __init annotation Eric Biggers <ebiggers(a)google.com> crypto: pcbc - remove bogus memcpy()s with src == dest Filipe Manana <fdmanana(a)suse.com> Btrfs: fix corruption reading shared and compressed extents after hole punching Finn Thain <fthain(a)telegraphics.com.au> m68k: Add -ffreestanding to CFLAGS Bart Van Assche <bvanassche(a)acm.org> scsi: target/iscsi: Avoid iscsit_release_commands_from_conn() deadlock Felipe Franciosi <felipe(a)nutanix.com> scsi: virtio_scsi: don't send sc payload with tmfs Stuart Menefy <stuart.menefy(a)mathembedded.com> regulator: s2mpa01: Fix step values for some LDOs Krzysztof Kozlowski <krzk(a)kernel.org> regulator: s2mps11: Fix steps for buck7, buck8 and LDO35 Pavel Shilovsky <piastryyy(a)gmail.com> CIFS: Fix read after write for files with read caching Mao Wenan <maowenan(a)huawei.com> net: set static variable an initial value in atl2_probe() Darrick J. Wong <darrick.wong(a)oracle.com> tmpfs: fix link accounting when a tmpfile is linked in Vladimir Murzin <vladimir.murzin(a)arm.com> arm64: Relax GIC version check during early boot Alexey Khoroshilov <khoroshilov(a)ispras.ru> net: mv643xx_eth: disable clk on error path in mv643xx_eth_shared_probe() Florian Fainelli <f.fainelli(a)gmail.com> net: systemport: Fix reception of BPDUs Anoob Soman <anoob.soman(a)citrix.com> scsi: libiscsi: Fix race between iscsi_xmit_task and iscsi_complete_task David Howells <dhowells(a)redhat.com> assoc_array: Fix shortcut creation Gabriel Fernandez <gabriel.fernandez(a)st.com> Input: st-keyscan - fix potential zalloc NULL dereference Shubhrajyoti Datta <shubhrajyoti.datta(a)xilinx.com> i2c: cadence: Fix the hold bit setting Dmitry Torokhov <dmitry.torokhov(a)gmail.com> Input: matrix_keypad - use flush_delayed_work() Stefan Haberland <sth(a)linux.ibm.com> s390/dasd: fix using offset into zero size array error Eric Biggers <ebiggers(a)google.com> crypto: ahash - fix another early termination in hash walk S.j. Wang <shengjiu.wang(a)nxp.com> ASoC: fsl_esai: fix register setting issue in RIGHT_J mode zhengbin <zhengbin13(a)huawei.com> 9p/net: fix memory leak in p9_client_create Xiao Ni <xni(a)redhat.com> It's wrong to add len to sector_nr in raid10 reshape twice Takashi Sakamoto <o-takashi(a)sakamocchi.jp> ALSA: bebob: use more identical mod_alias for Saffire Pro 10 I/O against Liquid Saffire 56 Eric Dumazet <edumazet(a)google.com> gro_cells: make sure device is up in gro_cells_receive() Eric Dumazet <edumazet(a)google.com> net/hsr: fix possible crash in add_timer() Eric Dumazet <edumazet(a)google.com> vxlan: test dev->flags & IFF_UP before calling gro_cells_receive() Al Viro <viro(a)zeniv.linux.org.uk> missing barriers in some of unix_sock ->addr and ->path accesses Kalash Nainwal <kalash(a)arista.com> net: Set rtm_table to RT_TABLE_COMPAT for ipv6 for tables > 255 YueHaibing <yuehaibing(a)huawei.com> mdio_bus: Fix use-after-free on device_register fails Eric Dumazet <edumazet(a)google.com> net/x25: fix a race in x25_bind() Jack Morgenstein <jackm(a)dev.mellanox.co.il> net/mlx4_core: Fix qp mtt size calculation Xin Long <lucien.xin(a)gmail.com> pptp: dst_release sk_dst_cache in pptp_sock_destruct Eric Dumazet <edumazet(a)google.com> net/x25: reset state in x25_connect() Eric Dumazet <edumazet(a)google.com> net/x25: fix use-after-free in x25_device_event() Miaohe Lin <linmiaohe(a)huawei.com> net: sit: fix UBSAN Undefined behaviour in check_6rd Mao Wenan <maowenan(a)huawei.com> net: hsr: fix memory leak in hsr_dev_finalize() Eric Dumazet <edumazet(a)google.com> l2tp: fix infoleak in l2tp_ip6_recvmsg() Gustavo A. R. Silva <gustavo(a)embeddedor.com> iscsi_ibft: Fix missing break in switch statement Jason Gerecke <jason.gerecke(a)wacom.com> Input: wacom_serial4 - add support for Wacom ArtPad II tablet Jiri Olsa <jolsa(a)redhat.com> perf symbols: Filter out hidden symbols from labels Julian Wiedmann <jwi(a)linux.ibm.com> s390/qeth: fix use-after-free in error path Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> dmaengine: dmatest: Abort test in case of mapping error Lubomir Rintel <lkundrak(a)v3.sk> irqchip/mmp: Only touch the PJ4 IRQ & FIQ bits on enable/disable Peng Hao <peng.hao2(a)zte.com.cn> ARM: pxa: ssp: unneeded to free devm_ allocated data Ian Kent <raven(a)themaw.net> autofs: fix error return in autofs_fill_super() Pan Bian <bianpan2016(a)163.com> autofs: drop dentry reference only when it is never used Michal Hocko <mhocko(a)suse.com> mm, memory_hotplug: is_mem_section_removable do not pass the end of a zone Kairui Song <kasong(a)redhat.com> x86/kexec: Don't setup EFI info if EFI runtime is not enabled Ronnie Sahlberg <lsahlber(a)redhat.com> cifs: fix computation for MAX_SMB2_HDR_SIZE Sinan Kaya <okaya(a)kernel.org> platform/x86: Fix unmet dependency warning for SAMSUNG_Q10 Ming Lu <ming.lu(a)citrix.com> scsi: libfc: free skb when receiving invalid flogi resp Yao Liu <yotta.liu(a)ucloud.cn> nfs: Fix NULL pointer dereference of dev_name Tomonori Sakita <tomonori.sakita(a)sord.co.jp> net: altera_tse: fix msgdma_tx_completion on non-zero fill_level case Max Filippov <jcmvbkbc(a)gmail.com> xtensa: SMP: limit number of possible CPUs by NR_CPUS Max Filippov <jcmvbkbc(a)gmail.com> xtensa: SMP: mark each possible CPU as present Max Filippov <jcmvbkbc(a)gmail.com> xtensa: smp_lx200_defconfig: fix vectors clash Max Filippov <jcmvbkbc(a)gmail.com> xtensa: SMP: fix secondary CPU initialization Suravee Suthikulpanit <suravee.suthikulpanit(a)amd.com> iommu/amd: Fix IOMMU page flush when detach device from a domain ZhangXiaoxu <zhangxiaoxu5(a)huawei.com> ipvs: Fix signed integer overflow when setsockopt timeout Stephane Eranian <eranian(a)google.com> perf tools: Handle TOPOLOGY headers with no CPU Su Yanjun <suyj.fnst(a)cn.fujitsu.com> vti4: Fix a ipip packet processing bug in 'IPCOMP' virtual tunnel Alistair Strachan <astrachan(a)google.com> media: uvcvideo: Fix 'type' check leading to overflow Mike Kravetz <mike.kravetz(a)oracle.com> hugetlbfs: fix races and page leaks during migration Ido Schimmel <idosch(a)mellanox.com> ip6mr: Do not call __IP6_INC_STATS() from preemptible context Paul Moore <paul(a)paul-moore.com> netlabel: fix out-of-bounds memory accesses Rajasingh Thavamani <T.Rajasingh(a)landisgyr.com> net: phy: Micrel KSZ8061: link failure after cable connect Nazarov Sergey <s-nazarov(a)yandex.ru> net: avoid use IPCB in cipso_v4_error Nazarov Sergey <s-nazarov(a)yandex.ru> net: Add __icmp_send helper. YueHaibing <yuehaibing(a)huawei.com> net: nfc: Fix NULL dereference on nfc_llcp_build_tlv fails Ido Schimmel <idosch(a)mellanox.com> team: Free BPF filter when unregistering netdev Kai-Heng Feng <kai.heng.feng(a)canonical.com> sky2: Disable MSI on Dell Inspiron 1545 and Gateway P-79 YueHaibing <yuehaibing(a)huawei.com> net-sysfs: Fix mem leak in netdev_register_kobject Ivan Mironov <mironov.ivan(a)gmail.com> USB: serial: cp210x: add ID for Ingenico 3070 Jann Horn <jannh(a)google.com> mm: enforce min addr even if capable() in expand_downwards() Jonathan Neuschäfer <j.neuschaefer(a)gmx.net> mmc: spi: Fix card detection during probe Vitaly Kuznetsov <vkuznets(a)redhat.com> KVM: nSVM: clear events pending from svm_complete_interrupts() when exiting to L1 Chaitanya Tata <chaitanya.tata(a)bluwirelesstechnology.com> cfg80211: extend range deviation for DMG Balaji Pothunoori <bpothuno(a)codeaurora.org> mac80211: don't initiate TDLS connection if station is not associated to AP Thomas Falcon <tlfalcon(a)linux.ibm.com> ibmveth: Do not process frames after calling napi_reschedule Atsushi Nemoto <atsushi.nemoto(a)sord.co.jp> net: altera_tse: fix connect_local_phy error path Varun Prakash <varun(a)chelsio.com> scsi: csiostor: fix NULL pointer dereference in csio_vport_set_state() Tomonori Sakita <tomonori.sakita(a)sord.co.jp> serial: fsl_lpuart: fix maximum acceptable baud rate with over-sampling Bob Copeland <me(a)bobcopeland.com> mac80211: fix miscounting of ttl-dropped frames Silvio Cesare <silvio.cesare(a)gmail.com> ASoC: imx-audmux: change snprintf to scnprintf for possible overflow Dan Carpenter <dan.carpenter(a)oracle.com> usb: gadget: Potential NULL dereference on allocation error Zeng Tao <prime.zeng(a)hisilicon.com> usb: dwc3: gadget: Fix the uninitialized link_state when udc starts Dan Carpenter <dan.carpenter(a)oracle.com> ALSA: compress: prevent potential divide by zero bugs Rander Wang <rander.wang(a)linux.intel.com> ASoC: Intel: Haswell/Broadwell: fix setting for .dynamic field Kristian H. Kristensen <hoegsberg(a)gmail.com> drm/msm: Unblock writer if reader closes file John Garry <john.garry(a)huawei.com> scsi: libsas: Fix rphy phy_identifier for PHYs with end devices attached Ilya Dryomov <idryomov(a)gmail.com> libceph: handle an empty authorize reply Arad, Ronen <ronen.arad(a)intel.com> netlink: Trim skb to alloc size to avoid MSG_TRUNC Hangbin Liu <liuhangbin(a)gmail.com> sit: check if IPv6 enabled before calling ip6_err_gen_icmpv6_unreach() Cong Wang <xiyou.wangcong(a)gmail.com> team: avoid complex list operations in team_nl_cmd_options_set() Kal Conley <kal.conley(a)dectris.com> net/packet: fix 4gb buffer limit due to overflow check Eric Dumazet <edumazet(a)google.com> batman-adv: fix uninit-value in batadv_interface_tx() Eric Biggers <ebiggers(a)google.com> KEYS: always initialize keyring_index_key::desc_len Eric Biggers <ebiggers(a)google.com> KEYS: user: Align the payload buffer Nathan Chancellor <natechancellor(a)gmail.com> isdn: avm: Fix string plus integer warning from Clang Kangjie Lu <kjlu(a)umn.edu> leds: lp5523: fix a missing check of return value of lp55xx_read Colin Ian King <colin.king(a)canonical.com> atm: he: fix sign-extension overflow on large shift Jia-Ju Bai <baijiaju1990(a)gmail.com> isdn: i4l: isdn_tty: Fix some concurrency double-free bugs Thomas Bogendoerfer <tbogendoerfer(a)suse.de> MIPS: jazz: fix 64bit build Logan Gunthorpe <logang(a)deltatee.com> scsi: isci: initialize shost fully before calling scsi_add_host() YueHaibing <yuehaibing(a)huawei.com> scsi: qla4xxx: check return code of qla4xxx_copy_from_fwddb_param Alban Bedel <albeu(a)free.fr> MIPS: ath79: Enable OF serial ports in the default config Kangjie Lu <kjlu(a)umn.edu> mfd: mc13xxx: Fix a missing check of a register-read failure Charles Keepax <ckeepax(a)opensource.cirrus.com> mfd: wm5110: Add missing ASRC rate register Dan Carpenter <dan.carpenter(a)oracle.com> mfd: ab8500-core: Return zero in get_register_interruptible() Nathan Chancellor <natechancellor(a)gmail.com> mfd: db8500-prcmu: Fix some section annotations Nathan Chancellor <natechancellor(a)gmail.com> mfd: twl-core: Fix section annotations on {,un}protect_pm_master Vignesh R <vigneshr(a)ti.com> mfd: ti_am335x_tscadc: Use PLATFORM_DEVID_AUTO while registering mfd cells Eric Biggers <ebiggers(a)google.com> KEYS: allow reaching the keys quotas exactly Ralph Campbell <rcampbell(a)nvidia.com> numa: change get_mempolicy() to use nr_node_ids instead of MAX_NUMNODES Yan, Zheng <zyan(a)redhat.com> ceph: avoid repeatedly adding inode to mdsc->snap_flush_list ------------- Diffstat: Makefile | 4 +- arch/arm/mach-s3c24xx/mach-osiris-dvs.c | 8 ++-- arch/arm/plat-pxa/ssp.c | 3 -- arch/arm64/kernel/head.S | 3 +- arch/m68k/Makefile | 5 ++- arch/mips/configs/ath79_defconfig | 1 + arch/mips/jazz/jazzdma.c | 5 ++- arch/powerpc/kernel/entry_32.S | 9 ++++ arch/powerpc/platforms/83xx/suspend-asm.S | 34 ++++++++++++--- arch/powerpc/platforms/embedded6xx/wii.c | 4 ++ arch/powerpc/platforms/powernv/opal-msglog.c | 2 +- arch/x86/kernel/kexec-bzimage64.c | 3 ++ arch/x86/kvm/svm.c | 8 ++++ arch/xtensa/configs/smp_lx200_defconfig | 1 + arch/xtensa/kernel/head.S | 5 ++- arch/xtensa/kernel/smp.c | 41 ++++++++++++------ crypto/ahash.c | 14 +++--- crypto/pcbc.c | 14 ++---- drivers/atm/he.c | 2 +- drivers/cpufreq/pxa2xx-cpufreq.c | 4 +- drivers/dma/dmatest.c | 28 ++++++------ drivers/firmware/iscsi_ibft.c | 1 + drivers/gpu/drm/msm/msm_rd.c | 7 ++- drivers/gpu/drm/radeon/evergreen_cs.c | 1 + drivers/i2c/busses/i2c-cadence.c | 9 +++- drivers/input/keyboard/matrix_keypad.c | 2 +- drivers/input/keyboard/st-keyscan.c | 4 +- drivers/input/tablet/wacom_serial4.c | 2 + drivers/iommu/amd_iommu.c | 15 +++++-- drivers/irqchip/irq-mmp.c | 6 ++- drivers/isdn/hardware/avm/b1.c | 2 +- drivers/isdn/i4l/isdn_tty.c | 6 ++- drivers/leds/leds-lp5523.c | 4 +- drivers/md/raid10.c | 3 +- drivers/md/raid5.c | 2 + drivers/media/usb/uvc/uvc_driver.c | 14 ++++-- drivers/media/usb/uvc/uvc_video.c | 8 ++++ drivers/mfd/ab8500-core.c | 2 +- drivers/mfd/db8500-prcmu.c | 4 +- drivers/mfd/mc13xxx-core.c | 4 +- drivers/mfd/ti_am335x_tscadc.c | 5 ++- drivers/mfd/twl-core.c | 4 +- drivers/mfd/wm5110-tables.c | 2 + drivers/mmc/host/mmc_spi.c | 1 + drivers/net/ethernet/altera/altera_msgdma.c | 3 +- drivers/net/ethernet/altera/altera_tse_main.c | 4 +- drivers/net/ethernet/atheros/atlx/atl2.c | 4 +- drivers/net/ethernet/broadcom/bcmsysport.c | 4 ++ drivers/net/ethernet/ibm/ibmveth.c | 2 - drivers/net/ethernet/marvell/mv643xx_eth.c | 7 ++- drivers/net/ethernet/marvell/sky2.c | 24 ++++++++++- .../net/ethernet/mellanox/mlx4/resource_tracker.c | 6 +-- drivers/net/phy/mdio_bus.c | 1 - drivers/net/phy/micrel.c | 14 +++++- drivers/net/ppp/pptp.c | 1 + drivers/net/team/team.c | 27 +++--------- drivers/net/team/team_mode_loadbalance.c | 15 +++++++ drivers/net/vxlan.c | 10 +++++ drivers/parport/parport_pc.c | 2 +- drivers/platform/x86/Kconfig | 1 + drivers/regulator/s2mpa01.c | 10 ++--- drivers/regulator/s2mps11.c | 6 +-- drivers/s390/block/dasd_eckd.c | 8 ++++ drivers/s390/net/qeth_core_main.c | 15 +++---- drivers/scsi/csiostor/csio_attr.c | 2 +- drivers/scsi/isci/init.c | 14 +++--- drivers/scsi/libfc/fc_lport.c | 6 +-- drivers/scsi/libiscsi.c | 6 +++ drivers/scsi/libsas/sas_expander.c | 2 + drivers/scsi/qla4xxx/ql4_os.c | 2 + drivers/scsi/virtio_scsi.c | 2 - drivers/target/iscsi/iscsi_target.c | 4 +- drivers/tty/serial/fsl_lpuart.c | 2 +- drivers/usb/dwc3/gadget.c | 1 + drivers/usb/gadget/function/f_sourcesink.c | 2 +- drivers/usb/serial/cp210x.c | 1 + fs/autofs4/expire.c | 3 +- fs/autofs4/inode.c | 4 +- fs/btrfs/extent_io.c | 4 +- fs/ceph/snap.c | 3 +- fs/cifs/file.c | 12 +++--- fs/cifs/smb2pdu.h | 4 +- fs/ext2/super.c | 39 +++++++++++------ fs/ext4/resize.c | 3 +- fs/hugetlbfs/inode.c | 12 ++++++ fs/jbd2/transaction.c | 17 +++++--- fs/nfs/super.c | 5 +++ fs/nfsd/nfs3proc.c | 16 ++++++- fs/nfsd/nfs3xdr.c | 1 + fs/nfsd/nfsctl.c | 2 +- include/keys/user-type.h | 2 +- include/net/gro_cells.h | 12 +++++- include/net/icmp.h | 9 +++- include/net/ip.h | 2 + kernel/rcu/tree.c | 20 ++++++--- kernel/sysctl.c | 11 ++++- lib/assoc_array.c | 8 ++-- mm/hugetlb.c | 14 +++++- mm/memory_hotplug.c | 3 +- mm/mempolicy.c | 6 +-- mm/migrate.c | 11 +++++ mm/mmap.c | 7 ++- mm/shmem.c | 10 +++-- mm/vmalloc.c | 2 +- net/9p/client.c | 2 +- net/batman-adv/soft-interface.c | 2 + net/ceph/messenger.c | 12 ++++-- net/core/net-sysfs.c | 3 ++ net/hsr/hsr_device.c | 18 ++++---- net/hsr/hsr_framereg.c | 12 ++++++ net/hsr/hsr_framereg.h | 1 + net/ipv4/cipso_ipv4.c | 23 ++++++++-- net/ipv4/icmp.c | 7 +-- net/ipv4/ip_options.c | 22 +++++++--- net/ipv4/ip_vti.c | 50 ++++++++++++++++++++++ net/ipv6/ip6mr.c | 8 ++-- net/ipv6/route.c | 2 +- net/ipv6/sit.c | 7 +-- net/l2tp/l2tp_ip6.c | 4 +- net/mac80211/cfg.c | 4 ++ net/mac80211/rx.c | 4 +- net/netfilter/ipvs/ip_vs_ctl.c | 12 ++++++ net/netlink/af_netlink.c | 34 +++++++++------ net/nfc/llcp_commands.c | 20 +++++++++ net/nfc/llcp_core.c | 24 +++++++++-- net/packet/af_packet.c | 2 +- net/unix/af_unix.c | 48 +++++++++++++-------- net/unix/diag.c | 3 +- net/wireless/reg.c | 4 +- net/x25/af_x25.c | 20 ++++++--- security/keys/key.c | 4 +- security/keys/keyring.c | 4 +- security/keys/proc.c | 3 +- security/keys/request_key.c | 1 + security/keys/request_key_auth.c | 2 +- security/lsm_audit.c | 10 +++-- sound/core/compress_offload.c | 3 +- sound/firewire/bebob/bebob.c | 14 +++++- sound/soc/fsl/fsl_esai.c | 7 +-- sound/soc/fsl/imx-audmux.c | 24 +++++------ sound/soc/intel/broadwell.c | 2 +- sound/soc/intel/haswell.c | 2 +- tools/perf/util/cpumap.c | 11 ++++- tools/perf/util/symbol-elf.c | 9 +++- 144 files changed, 850 insertions(+), 350 deletions(-)

6 years, 5 months

7
148
0 0

Re: [PATCH v3] usb: typec: fix bug in typec_register_port call

by Heikki Krogerus

On Fri, Mar 15, 2019 at 03:43:21PM -0700, anil.kumar.k(a)intel.com wrote: > From: Anil Kumar <anil.kumar.k(a)intel.com> > > typec_register_port function used variable port->id without > initializing it. This patch fixes the issue by using the local > instance for the error case > > Issue is not observed in the mainline tree (5.x) > > Signed-off-by: Anil Kumar <anil.kumar.k(a)intel.com> > Fixes: bdecb33af34f ("usb: typec: API for controlling USB Type-C Multiplexers") > Cc: stable(a)vger.kernel.org #4.19.x You have the tag, but I don't see stable(a)vger.kernel.org on your CC line? I'm adding it there now. The patch is otherwise OK. Acked-by: Heikki Krogerus <heikki.krogerus(a)linux.intel.com> > --- > drivers/usb/typec/class.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/usb/typec/class.c b/drivers/usb/typec/class.c > index e61dffb..5a442e4 100644 > --- a/drivers/usb/typec/class.c > +++ b/drivers/usb/typec/class.c > @@ -1611,7 +1611,7 @@ struct typec_port *typec_register_port(struct device *parent, > typec_switch_put(port->sw); > > err_switch: > - ida_simple_remove(&typec_index_ida, port->id); > + ida_simple_remove(&typec_index_ida, id); > kfree(port); > > return ERR_PTR(ret); > -- > 2.7.4 thanks, -- heikki

6 years, 5 months

2
3
0 0

[PATCH] mm: Fix modifying of page protection by insert_pfn()

by Jan Kara

Aneesh has reported that PPC triggers the following warning when excercising DAX code: [c00000000007610c] set_pte_at+0x3c/0x190 LR [c000000000378628] insert_pfn+0x208/0x280 Call Trace: [c0000002125df980] [8000000000000104] 0x8000000000000104 (unreliable) [c0000002125df9c0] [c000000000378488] insert_pfn+0x68/0x280 [c0000002125dfa30] [c0000000004a5494] dax_iomap_pte_fault.isra.7+0x734/0xa40 [c0000002125dfb50] [c000000000627250] __xfs_filemap_fault+0x280/0x2d0 [c0000002125dfbb0] [c000000000373abc] do_wp_page+0x48c/0xa40 [c0000002125dfc00] [c000000000379170] __handle_mm_fault+0x8d0/0x1fd0 [c0000002125dfd00] [c00000000037a9b0] handle_mm_fault+0x140/0x250 [c0000002125dfd40] [c000000000074bb0] __do_page_fault+0x300/0xd60 [c0000002125dfe20] [c00000000000acf4] handle_page_fault+0x18 Now that is WARN_ON in set_pte_at which is VM_WARN_ON(pte_hw_valid(*ptep) && !pte_protnone(*ptep)); The problem is that on some architectures set_pte_at() cannot cope with a situation where there is already some (different) valid entry present. Use ptep_set_access_flags() instead to modify the pfn which is built to deal with modifying existing PTE. CC: stable(a)vger.kernel.org Fixes: b2770da64254 "mm: add vm_insert_mixed_mkwrite()" Reported-by: "Aneesh Kumar K.V" <aneesh.kumar(a)linux.ibm.com> Signed-off-by: Jan Kara <jack(a)suse.cz> --- mm/memory.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/mm/memory.c b/mm/memory.c index 47fe250307c7..ab650c21bccd 100644 --- a/mm/memory.c +++ b/mm/memory.c @@ -1549,10 +1549,12 @@ static vm_fault_t insert_pfn(struct vm_area_struct *vma, unsigned long addr, WARN_ON_ONCE(!is_zero_pfn(pte_pfn(*pte))); goto out_unlock; } - entry = *pte; - goto out_mkwrite; - } else - goto out_unlock; + entry = pte_mkyoung(*pte); + entry = maybe_mkwrite(pte_mkdirty(entry), vma); + if (ptep_set_access_flags(vma, addr, pte, entry, 1)) + update_mmu_cache(vma, addr, pte); + } + goto out_unlock; } /* Ok, finally just insert the thing.. */ @@ -1561,7 +1563,6 @@ static vm_fault_t insert_pfn(struct vm_area_struct *vma, unsigned long addr, else entry = pte_mkspecial(pfn_t_pte(pfn, prot)); -out_mkwrite: if (mkwrite) { entry = pte_mkyoung(entry); entry = maybe_mkwrite(pte_mkdirty(entry), vma); -- 2.16.4

6 years, 5 months

4
7
0 0

[PATCH] USB: serial: option: add Olicard 600

by Bjørn Mork

This is a Qualcomm based device with a QMI function on interface 4. It is mode switched from 2020:2030 using a standard eject message. T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 6 Spd=480 MxCh= 0 D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 P: Vendor=2020 ProdID=2031 Rev= 2.32 S: Manufacturer=Mobile Connect S: Product=Mobile Connect S: SerialNumber=0123456789ABCDEF C:* #Ifs= 6 Cfg#= 1 Atr=80 MxPwr=500mA I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none) E: Ad=83(I) Atr=03(Int.) MxPS= 10 Ivl=32ms E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none) E: Ad=85(I) Atr=03(Int.) MxPS= 10 Ivl=32ms E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none) E: Ad=87(I) Atr=03(Int.) MxPS= 10 Ivl=32ms E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) E: Ad=89(I) Atr=03(Int.) MxPS= 8 Ivl=32ms E: Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 5 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=(none) E: Ad=8a(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=125us Cc: stable(a)vger.kernel.org Signed-off-by: Bjørn Mork <bjorn(a)mork.no> --- drivers/usb/serial/option.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c index 11b21d9410f3..02ee5b707de2 100644 --- a/drivers/usb/serial/option.c +++ b/drivers/usb/serial/option.c @@ -1943,6 +1943,8 @@ static const struct usb_device_id option_ids[] = { { USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x3e01, 0xff, 0xff, 0xff) }, /* D-Link DWM-152/C1 */ { USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x3e02, 0xff, 0xff, 0xff) }, /* D-Link DWM-156/C1 */ { USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x7e11, 0xff, 0xff, 0xff) }, /* D-Link DWM-156/A3 */ + { USB_DEVICE_INTERFACE_CLASS(0x2020, 0x2031, 0xff), /* Olicard 600 */ + .driver_info = RSVD(4) }, { USB_DEVICE_INTERFACE_CLASS(0x2020, 0x4000, 0xff) }, /* OLICARD300 - MT6225 */ { USB_DEVICE(INOVIA_VENDOR_ID, INOVIA_SEW858) }, { USB_DEVICE(VIATELECOM_VENDOR_ID, VIATELECOM_PRODUCT_CDS7) }, -- 2.11.0

6 years, 5 months

2
1
0 0

Spende an dich

by official＠att.net

4.800.000 € wurden Ihnen von Mavis Wanczyck gespendet, der im Juli 2017 den Powerball-Jackpot in Höhe von 758.700.000 $ gewonnen hat. Wenden Sie sich per E-Mail an mich, um weitere Informationen zur Rücknahme des Fonds zu erhalten--- [wanczykmavis107(a)gmail.com] --- This email has been checked for viruses by Avast antivirus software. https://www.avast.com/antivirus

6 years, 5 months

1
0
0 0

patch "tty: pty: Fix race condition between release_one_tty and pty_write" added to tty-next

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled tty: pty: Fix race condition between release_one_tty and pty_write to my tty git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty.git in the tty-next branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will also be merged in the next major kernel release during the merge window. If you have any questions about this process, please let me know. >From b9ca5f8560af244489b4a1bc1ae88b341f24bc95 Mon Sep 17 00:00:00 2001 From: Sahara <keun-o.park(a)darkmatter.ae> Date: Mon, 11 Feb 2019 11:09:15 +0400 Subject: tty: pty: Fix race condition between release_one_tty and pty_write Especially when a linked tty is used such as pty, the linked tty port's buf works have not been cancelled while master tty port's buf work has been cancelled. Since release_one_tty and flush_to_ldisc run in workqueue threads separately, when pty_cleanup happens and link tty port is freed, flush_to_ldisc tries to access freed port and port->itty, eventually it causes a panic. This patch utilizes the magic value with holding the tty_mutex to check if the tty->link is valid. Fixes: 2b022ab7542d ("pty: cancel pty slave port buf's work in tty_release") Signed-off-by: Sahara <keun-o.park(a)darkmatter.ae> Cc: stable <stable(a)vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/tty/pty.c | 7 +++++++ drivers/tty/tty_io.c | 3 +++ 2 files changed, 10 insertions(+) diff --git a/drivers/tty/pty.c b/drivers/tty/pty.c index 00099a8439d2..ef72031ab5b9 100644 --- a/drivers/tty/pty.c +++ b/drivers/tty/pty.c @@ -116,6 +116,12 @@ static int pty_write(struct tty_struct *tty, const unsigned char *buf, int c) if (tty->stopped) return 0; + mutex_lock(&tty_mutex); + if (to->magic != TTY_MAGIC) { + mutex_unlock(&tty_mutex); + return -EIO; + } + if (c > 0) { spin_lock_irqsave(&to->port->lock, flags); /* Stuff the data into the input queue of the other end */ @@ -125,6 +131,7 @@ static int pty_write(struct tty_struct *tty, const unsigned char *buf, int c) tty_flip_buffer_push(to->port); spin_unlock_irqrestore(&to->port->lock, flags); } + mutex_unlock(&tty_mutex); return c; } diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c index 5fa250157025..c27777f3b8c4 100644 --- a/drivers/tty/tty_io.c +++ b/drivers/tty/tty_io.c @@ -1448,10 +1448,13 @@ static void release_one_tty(struct work_struct *work) struct tty_driver *driver = tty->driver; struct module *owner = driver->owner; + mutex_lock(&tty_mutex); if (tty->ops->cleanup) tty->ops->cleanup(tty); tty->magic = 0; + mutex_unlock(&tty_mutex); + tty_driver_kref_put(driver); module_put(owner); -- 2.21.0

6 years, 5 months

1
0
0 0

patch "tty: vt.c: Fix TIOCL_BLANKSCREEN console blanking if blankinterval ==" added to tty-next

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled tty: vt.c: Fix TIOCL_BLANKSCREEN console blanking if blankinterval == to my tty git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty.git in the tty-next branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will also be merged in the next major kernel release during the merge window. If you have any questions about this process, please let me know. >From 75ddbc1fb11efac87b611d48e9802f6fe2bb2163 Mon Sep 17 00:00:00 2001 From: Yifeng Li <tomli(a)tomli.me> Date: Tue, 5 Mar 2019 07:02:49 +0800 Subject: tty: vt.c: Fix TIOCL_BLANKSCREEN console blanking if blankinterval == 0 Previously, in the userspace, it was possible to use the "setterm" command from util-linux to blank the VT console by default, using the following command. According to the man page, > The force option keeps the screen blank even if a key is pressed. It was implemented by calling TIOCL_BLANKSCREEN. case BLANKSCREEN: ioctlarg = TIOCL_BLANKSCREEN; if (ioctl(STDIN_FILENO, TIOCLINUX, &ioctlarg)) warn(_("cannot force blank")); break; However, after Linux 4.12, this command ceased to work anymore, which is unexpected. By inspecting the kernel source, it shows that the issue was triggered by the side-effect from commit a4199f5eb809 ("tty: Disable default console blanking interval"). The console blanking is implemented by function do_blank_screen() in vt.c: "blank_state" will be initialized to "blank_normal_wait" in con_init() if AND ONLY IF ("blankinterval" > 0). If "blankinterval" is 0, "blank_state" will be "blank_off" (== 0), and a call to do_blank_screen() will always abort, even if a forced blanking is required from the user by calling TIOCL_BLANKSCREEN, the console won't be blanked. This behavior is unexpected from a user's point-of-view, since it's not mentioned in any documentation. The setterm man page suggests it will always work, and the kernel comments in uapi/linux/tiocl.h says > /* keep screen blank even if a key is pressed */ > #define TIOCL_BLANKSCREEN 14 To fix it, we simply remove the "blank_state != blank_off" check, as pointed out by Nicolas Pitre, this check doesn't logically make sense and it's safe to remove. Suggested-by: Nicolas Pitre <nicolas.pitre(a)linaro.org> Fixes: a4199f5eb809 ("tty: Disable default console blanking interval") Signed-off-by: Yifeng Li <tomli(a)tomli.me> Cc: stable <stable(a)vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/tty/vt/vt.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c index d34984aa646d..721edee50234 100644 --- a/drivers/tty/vt/vt.c +++ b/drivers/tty/vt/vt.c @@ -4178,8 +4178,6 @@ void do_blank_screen(int entering_gfx) return; } - if (blank_state != blank_normal_wait) - return; blank_state = blank_off; /* don't blank graphics */ -- 2.21.0

6 years, 5 months

1
0
0 0

patch "tty/vt: fix write/write race in ioctl(KDSKBSENT) handler" added to tty-next

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled tty/vt: fix write/write race in ioctl(KDSKBSENT) handler to my tty git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty.git in the tty-next branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will also be merged in the next major kernel release during the merge window. If you have any questions about this process, please let me know. >From 46ca3f735f345c9d87383dd3a09fa5d43870770e Mon Sep 17 00:00:00 2001 From: Sergei Trofimovich <slyfox(a)gentoo.org> Date: Sun, 10 Mar 2019 21:24:15 +0000 Subject: tty/vt: fix write/write race in ioctl(KDSKBSENT) handler The bug manifests as an attempt to access deallocated memory: BUG: unable to handle kernel paging request at ffff9c8735448000 #PF error: [PROT] [WRITE] PGD 288a05067 P4D 288a05067 PUD 288a07067 PMD 7f60c2063 PTE 80000007f5448161 Oops: 0003 [#1] PREEMPT SMP CPU: 6 PID: 388 Comm: loadkeys Tainted: G C 5.0.0-rc6-00153-g5ded5871030e #91 Hardware name: Gigabyte Technology Co., Ltd. To be filled by O.E.M./H77M-D3H, BIOS F12 11/14/2013 RIP: 0010:__memmove+0x81/0x1a0 Code: 4c 89 4f 10 4c 89 47 18 48 8d 7f 20 73 d4 48 83 c2 20 e9 a2 00 00 00 66 90 48 89 d1 4c 8b 5c 16 f8 4c 8d 54 17 f8 48 c1 e9 03 <f3> 48 a5 4d 89 1a e9 0c 01 00 00 0f 1f 40 00 48 89 d1 4c 8b 1e 49 RSP: 0018:ffffa1b9002d7d08 EFLAGS: 00010203 RAX: ffff9c873541af43 RBX: ffff9c873541af43 RCX: 00000c6f105cd6bf RDX: 0000637882e986b6 RSI: ffff9c8735447ffb RDI: ffff9c8735447ffb RBP: ffff9c8739cd3800 R08: ffff9c873b802f00 R09: 00000000fffff73b R10: ffffffffb82b35f1 R11: 00505b1b004d5b1b R12: 0000000000000000 R13: ffff9c873541af3d R14: 000000000000000b R15: 000000000000000c FS: 00007f450c390580(0000) GS:ffff9c873f180000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffff9c8735448000 CR3: 00000007e213c002 CR4: 00000000000606e0 Call Trace: vt_do_kdgkb_ioctl+0x34d/0x440 vt_ioctl+0xba3/0x1190 ? __bpf_prog_run32+0x39/0x60 ? mem_cgroup_commit_charge+0x7b/0x4e0 tty_ioctl+0x23f/0x920 ? preempt_count_sub+0x98/0xe0 ? __seccomp_filter+0x67/0x600 do_vfs_ioctl+0xa2/0x6a0 ? syscall_trace_enter+0x192/0x2d0 ksys_ioctl+0x3a/0x70 __x64_sys_ioctl+0x16/0x20 do_syscall_64+0x54/0xe0 entry_SYSCALL_64_after_hwframe+0x49/0xbe The bug manifests on systemd systems with multiple vtcon devices: # cat /sys/devices/virtual/vtconsole/vtcon0/name (S) dummy device # cat /sys/devices/virtual/vtconsole/vtcon1/name (M) frame buffer device There systemd runs 'loadkeys' tool in tapallel for each vtcon instance. This causes two parallel ioctl(KDSKBSENT) calls to race into adding the same entry into 'func_table' array at: drivers/tty/vt/keyboard.c:vt_do_kdgkb_ioctl() The function has no locking around writes to 'func_table'. The simplest reproducer is to have initrams with the following init on a 8-CPU machine x86_64: #!/bin/sh loadkeys -q windowkeys ru4 & loadkeys -q windowkeys ru4 & loadkeys -q windowkeys ru4 & loadkeys -q windowkeys ru4 & loadkeys -q windowkeys ru4 & loadkeys -q windowkeys ru4 & loadkeys -q windowkeys ru4 & loadkeys -q windowkeys ru4 & wait The change adds lock on write path only. Reads are still racy. CC: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> CC: Jiri Slaby <jslaby(a)suse.com> Link: https://lkml.org/lkml/2019/2/17/256 Signed-off-by: Sergei Trofimovich <slyfox(a)gentoo.org> Cc: stable <stable(a)vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/tty/vt/keyboard.c | 33 +++++++++++++++++++++++++++------ 1 file changed, 27 insertions(+), 6 deletions(-) diff --git a/drivers/tty/vt/keyboard.c b/drivers/tty/vt/keyboard.c index 88312c6c92cc..0617e87ab343 100644 --- a/drivers/tty/vt/keyboard.c +++ b/drivers/tty/vt/keyboard.c @@ -123,6 +123,7 @@ static const int NR_TYPES = ARRAY_SIZE(max_vals); static struct input_handler kbd_handler; static DEFINE_SPINLOCK(kbd_event_lock); static DEFINE_SPINLOCK(led_lock); +static DEFINE_SPINLOCK(func_buf_lock); /* guard 'func_buf' and friends */ static unsigned long key_down[BITS_TO_LONGS(KEY_CNT)]; /* keyboard key bitmap */ static unsigned char shift_down[NR_SHIFT]; /* shift state counters.. */ static bool dead_key_next; @@ -1990,11 +1991,12 @@ int vt_do_kdgkb_ioctl(int cmd, struct kbsentry __user *user_kdgkb, int perm) char *p; u_char *q; u_char __user *up; - int sz; + int sz, fnw_sz; int delta; char *first_free, *fj, *fnw; int i, j, k; int ret; + unsigned long flags; if (!capable(CAP_SYS_TTY_CONFIG)) perm = 0; @@ -2037,7 +2039,14 @@ int vt_do_kdgkb_ioctl(int cmd, struct kbsentry __user *user_kdgkb, int perm) goto reterr; } + fnw = NULL; + fnw_sz = 0; + /* race aginst other writers */ + again: + spin_lock_irqsave(&func_buf_lock, flags); q = func_table[i]; + + /* fj pointer to next entry after 'q' */ first_free = funcbufptr + (funcbufsize - funcbufleft); for (j = i+1; j < MAX_NR_FUNC && !func_table[j]; j++) ; @@ -2045,10 +2054,12 @@ int vt_do_kdgkb_ioctl(int cmd, struct kbsentry __user *user_kdgkb, int perm) fj = func_table[j]; else fj = first_free; - + /* buffer usage increase by new entry */ delta = (q ? -strlen(q) : 1) + strlen(kbs->kb_string); + if (delta <= funcbufleft) { /* it fits in current buf */ if (j < MAX_NR_FUNC) { + /* make enough space for new entry at 'fj' */ memmove(fj + delta, fj, first_free - fj); for (k = j; k < MAX_NR_FUNC; k++) if (func_table[k]) @@ -2061,20 +2072,28 @@ int vt_do_kdgkb_ioctl(int cmd, struct kbsentry __user *user_kdgkb, int perm) sz = 256; while (sz < funcbufsize - funcbufleft + delta) sz <<= 1; - fnw = kmalloc(sz, GFP_KERNEL); - if(!fnw) { - ret = -ENOMEM; - goto reterr; + if (fnw_sz != sz) { + spin_unlock_irqrestore(&func_buf_lock, flags); + kfree(fnw); + fnw = kmalloc(sz, GFP_KERNEL); + fnw_sz = sz; + if (!fnw) { + ret = -ENOMEM; + goto reterr; + } + goto again; } if (!q) func_table[i] = fj; + /* copy data before insertion point to new location */ if (fj > funcbufptr) memmove(fnw, funcbufptr, fj - funcbufptr); for (k = 0; k < j; k++) if (func_table[k]) func_table[k] = fnw + (func_table[k] - funcbufptr); + /* copy data after insertion point to new location */ if (first_free > fj) { memmove(fnw + (fj - funcbufptr) + delta, fj, first_free - fj); for (k = j; k < MAX_NR_FUNC; k++) @@ -2087,7 +2106,9 @@ int vt_do_kdgkb_ioctl(int cmd, struct kbsentry __user *user_kdgkb, int perm) funcbufleft = funcbufleft - delta + sz - funcbufsize; funcbufsize = sz; } + /* finally insert item itself */ strcpy(func_table[i], kbs->kb_string); + spin_unlock_irqrestore(&func_buf_lock, flags); break; } ret = 0; -- 2.21.0

6 years, 5 months

1
0
0 0

[PATCH] sd: Fix a race between closing an sd device and sd I/O

by Bart Van Assche

The scsi_end_request() function calls scsi_cmd_to_driver() indirectly and hence needs the disk->private_data pointer. Avoid that that pointer is cleared before all affected I/O requests have finished. This patch avoids that the following crash occurs: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 Call trace: scsi_mq_uninit_cmd+0x1c/0x30 scsi_end_request+0x7c/0x1b8 scsi_io_completion+0x464/0x668 scsi_finish_command+0xbc/0x160 scsi_eh_flush_done_q+0x10c/0x170 sas_scsi_recover_host+0x84c/0xa98 [libsas] scsi_error_handler+0x140/0x5b0 kthread+0x100/0x12c ret_from_fork+0x10/0x18 Cc: Christoph Hellwig <hch(a)lst.de> Cc: Ming Lei <ming.lei(a)redhat.com> Cc: Hannes Reinecke <hare(a)suse.com> Cc: Johannes Thumshirn <jthumshirn(a)suse.de> Cc: Jason Yan <yanaijie(a)huawei.com> Cc: <stable(a)vger.kernel.org> Reported-by: Jason Yan <yanaijie(a)huawei.com> Signed-off-by: Bart Van Assche <bvanassche(a)acm.org> --- drivers/scsi/sd.c | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c index ed34bfbc3844..0077880c0cc8 100644 --- a/drivers/scsi/sd.c +++ b/drivers/scsi/sd.c @@ -1416,11 +1416,6 @@ static void sd_release(struct gendisk *disk, fmode_t mode) scsi_set_medium_removal(sdev, SCSI_REMOVAL_ALLOW); } - /* - * XXX and what if there are packets in flight and this close() - * XXX is followed by a "rmmod sd_mod"? - */ - scsi_disk_put(sdkp); } @@ -3483,9 +3478,21 @@ static void scsi_disk_release(struct device *dev) { struct scsi_disk *sdkp = to_scsi_disk(dev); struct gendisk *disk = sdkp->disk; - + struct request_queue *q = disk->queue; + ida_free(&sd_index_ida, sdkp->index); + /* + * Wait until all requests that are in progress have completed. + * This is necessary to avoid that e.g. scsi_end_request() crashes + * due to clearing the disk->private_data pointer. Wait from inside + * scsi_disk_release() instead of from sd_release() to avoid that + * freezing and unfreezing the request queue affects user space I/O + * in case multiple processes open a /dev/sd... node concurrently. + */ + blk_mq_freeze_queue(q); + blk_mq_unfreeze_queue(q); + disk->private_data = NULL; put_disk(disk); put_device(&sdkp->device->sdev_gendev); -- 2.21.0.196.g041f5ea1cf98

6 years, 5 months

4
5
0 0

✅ PASS: Stable queue: queue-5.0

by CKI Project

Hello, We ran automated tests on a patchset that was proposed for merging into this kernel tree. The patches were applied to: Kernel repo: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git Commit: 1f6f316a537d - Linux 5.0.5 The results of these automated tests are provided below. Overall result: PASSED Merge: OK Compile: OK Tests: OK Please reply to this email if you have any questions about the tests that we ran or if you have any suggestions on how to make future tests more effective. ,-. ,-. ( C ) ( K ) Continuous `-',-.`-' Kernel ( I ) Integration `-' ______________________________________________________________________________ Merge testing ------------- We cloned this repository and checked out a ref: Repo: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git Ref: 1f6f316a537d - Linux 5.0.5 We then merged the patchset with `git am`: bluetooth-check-l2cap-option-sizes-returned-from-l2cap_get_conf_opt.patch bluetooth-verify-that-l2cap_get_conf_opt-provides-large-enough-buffer.patch netfilter-nf_tables-fix-set-double-free-in-abort-pat.patch Compile testing --------------- We compiled the kernel for 3 architectures: aarch64: make options: make INSTALL_MOD_STRIP=1 -j64 targz-pkg -j64 configuration: https://artifacts.cki-project.org/builds/aarch64/1b3aa9443966f4dde5954923ea… ppc64le: make options: make INSTALL_MOD_STRIP=1 -j64 targz-pkg -j64 configuration: https://artifacts.cki-project.org/builds/ppc64le/c9b872bfb215d8b8911fbd3006… x86_64: make options: make INSTALL_MOD_STRIP=1 -j64 targz-pkg -j64 configuration: https://artifacts.cki-project.org/builds/x86_64/8fcfdc0722ef7ac68d53951173c… Hardware testing ---------------- We booted each kernel and ran the following tests: aarch64: ✅ Boot test [0] ✅ LTP lite - release 20190115 [1] ✅ AMTU (Abstract Machine Test Utility) [2] 🚧 ✅ audit: audit testsuite test [3] ✅ httpd: mod_ssl smoke sanity [4] ✅ httpd: php sanity [5] 🚧 ✅ iotop: sanity [6] 🚧 ✅ /CoreOS/net-snmp/Regression/bz251332-tcp-transport 🚧 ✅ tuned: tune-processes-through-perf [7] ppc64le: ✅ Boot test [0] ✅ LTP lite - release 20190115 [1] ✅ AMTU (Abstract Machine Test Utility) [2] 🚧 ✅ audit: audit testsuite test [3] ✅ httpd: mod_ssl smoke sanity [4] ✅ httpd: php sanity [5] 🚧 ✅ iotop: sanity [6] 🚧 ✅ /CoreOS/net-snmp/Regression/bz251332-tcp-transport 🚧 ✅ tuned: tune-processes-through-perf [7] x86_64: ✅ Boot test [0] ✅ LTP lite - release 20190115 [1] ✅ AMTU (Abstract Machine Test Utility) [2] 🚧 ✅ audit: audit testsuite test [3] ✅ httpd: mod_ssl smoke sanity [4] ✅ httpd: php sanity [5] 🚧 ✅ iotop: sanity [6] 🚧 ✅ /CoreOS/net-snmp/Regression/bz251332-tcp-transport 🚧 ✅ tuned: tune-processes-through-perf [7] Test source: [0]: https://github.com/CKI-project/tests-beaker/archive/master.zip#distribution… [1]: https://github.com/CKI-project/tests-beaker/archive/master.zip#distribution… [2]: https://github.com/CKI-project/tests-beaker/archive/master.zip#misc/amtu [3]: https://github.com/CKI-project/tests-beaker/archive/master.zip#packages/aud… [4]: https://github.com/CKI-project/tests-beaker/archive/master.zip#packages/htt… [5]: https://github.com/CKI-project/tests-beaker/archive/master.zip#packages/htt… [6]: https://github.com/CKI-project/tests-beaker/archive/master.zip#packages/iot… [7]: https://github.com/CKI-project/tests-beaker/archive/master.zip#packages/tun… Waived tests (marked with 🚧) ----------------------------- This test run included waived tests. Such tests are executed but their results are not taken into account. Tests are waived when their results are not reliable enough, e.g. when they're just introduced or are being fixed.

6 years, 5 months

1
0
0 0

✅ PASS: Stable queue: queue-5.0

by CKI Project

Hello, We ran automated tests on a patchset that was proposed for merging into this kernel tree. The patches were applied to: Kernel repo: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git Commit: 1f6f316a537d - Linux 5.0.5 The results of these automated tests are provided below. Overall result: PASSED Merge: OK Compile: OK Tests: OK Please reply to this email if you have any questions about the tests that we ran or if you have any suggestions on how to make future tests more effective. ,-. ,-. ( C ) ( K ) Continuous `-',-.`-' Kernel ( I ) Integration `-' ______________________________________________________________________________ Merge testing ------------- We cloned this repository and checked out a ref: Repo: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git Ref: 1f6f316a537d - Linux 5.0.5 We then merged the patchset with `git am`: bluetooth-check-l2cap-option-sizes-returned-from-l2cap_get_conf_opt.patch bluetooth-verify-that-l2cap_get_conf_opt-provides-large-enough-buffer.patch Compile testing --------------- We compiled the kernel for 3 architectures: aarch64: make options: make INSTALL_MOD_STRIP=1 -j64 targz-pkg -j64 configuration: https://artifacts.cki-project.org/builds/aarch64/b51cb9919d3c8c593dd25aa7d9… ppc64le: make options: make INSTALL_MOD_STRIP=1 -j64 targz-pkg -j64 configuration: https://artifacts.cki-project.org/builds/ppc64le/31ed8777bab1f795aaee6a28ed… x86_64: make options: make INSTALL_MOD_STRIP=1 -j64 targz-pkg -j64 configuration: https://artifacts.cki-project.org/builds/x86_64/b955dc622cd40b0ed35b3efb4aa… Hardware testing ---------------- We booted each kernel and ran the following tests: aarch64: ✅ Boot test [0] ✅ LTP lite - release 20190115 [1] ✅ AMTU (Abstract Machine Test Utility) [2] 🚧 ✅ audit: audit testsuite test [3] ✅ httpd: mod_ssl smoke sanity [4] ✅ httpd: php sanity [5] 🚧 ✅ iotop: sanity [6] 🚧 ✅ /CoreOS/net-snmp/Regression/bz251332-tcp-transport 🚧 ✅ tuned: tune-processes-through-perf [7] ppc64le: ✅ Boot test [0] ✅ LTP lite - release 20190115 [1] ✅ AMTU (Abstract Machine Test Utility) [2] 🚧 ✅ audit: audit testsuite test [3] ✅ httpd: mod_ssl smoke sanity [4] ✅ httpd: php sanity [5] 🚧 ✅ iotop: sanity [6] 🚧 ✅ /CoreOS/net-snmp/Regression/bz251332-tcp-transport 🚧 ✅ tuned: tune-processes-through-perf [7] x86_64: ✅ Boot test [0] ✅ LTP lite - release 20190115 [1] ✅ AMTU (Abstract Machine Test Utility) [2] 🚧 ✅ audit: audit testsuite test [3] ✅ httpd: mod_ssl smoke sanity [4] ✅ httpd: php sanity [5] 🚧 ✅ iotop: sanity [6] 🚧 ✅ /CoreOS/net-snmp/Regression/bz251332-tcp-transport 🚧 ✅ tuned: tune-processes-through-perf [7] Test source: [0]: https://github.com/CKI-project/tests-beaker/archive/master.zip#distribution… [1]: https://github.com/CKI-project/tests-beaker/archive/master.zip#distribution… [2]: https://github.com/CKI-project/tests-beaker/archive/master.zip#misc/amtu [3]: https://github.com/CKI-project/tests-beaker/archive/master.zip#packages/aud… [4]: https://github.com/CKI-project/tests-beaker/archive/master.zip#packages/htt… [5]: https://github.com/CKI-project/tests-beaker/archive/master.zip#packages/htt… [6]: https://github.com/CKI-project/tests-beaker/archive/master.zip#packages/iot… [7]: https://github.com/CKI-project/tests-beaker/archive/master.zip#packages/tun… Waived tests (marked with 🚧) ----------------------------- This test run included waived tests. Such tests are executed but their results are not taken into account. Tests are waived when their results are not reliable enough, e.g. when they're just introduced or are being fixed.

6 years, 5 months

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror